
Just got the thumbs up, so I'm going to go ahead and begin. Hi, my name's David Schuetz. I'm here to talk to you about 1Password internals: just how the hell does this crazy thing work anyway? We all know about passwords. Passwords are a pain in the neck. They've got to be strong. They've got to be unique. You can't reuse them across multiple sites, because that's bad, which means you've got to remember them somehow. You can put them down in a little book and keep it on your shelf at home, or you can put them in a password manager. So that's why we have password managers. I'm talking about 1Password. It's a good system. I've liked it. I've used it for a long time.

A nice thing about them is they're very transparent, very open about how their system works. They have a lot of really good documentation online. They have some very helpful, friendly engineers in the support forums. They'll answer just about any question you have, as long as it's technical. Obviously, if you go into business, that's different. But unfortunately, their documentation sometimes is a little vague and hand-wavy. Sometimes it's hand-wavy, sometimes it's "oh shoot, we haven't written this part yet," and it's been there for, you know, two years. So I kind of started, you know, digging into this a little while ago, just to try and really understand it, just for my own benefit and for work, and I think I finally got most of it nailed down. I'm also kind of obsessive about crypto puzzles in a way. This is just a giant crypto puzzle for me.

But why do we even care about stuff like this? I mean, it's a system, it works, people use it, it sells well. Well, I've got this sort of personal thing that I like to understand how things are working. I figure if you don't understand it, you can't really assess what risk it poses. There's an awful lot of black boxes in our tech today. Anybody that's got iCloud stuff, we more or less understand how that works, but it's just kind of taking it on faith that it works properly. 1Password is one of those where, like I said, they're very open. We can kind of dig for ourselves. But even with the documentation, I still like to verify. I kind of feel like I don't really understand something until I'm able to build a tool that does it myself. Doesn't have to be a good tool, doesn't have to even be a useful tool. Just to be able to duplicate what's happening, that's when I know that I've definitely got it. And then the best way to really know that is to teach somebody else, so that's why I'm here.

So there's a lot of topics. 1Password, it's a huge system, it's really complicated in some ways, and it's really kind of elegant in other ways. We'll talk about a few things in particular: how you're logging in, how vaults are shared, how you handle multiple accounts, things like that. The talk is fairly high level, but I do have some deep technical stuff thrown up there, but I'm not expecting people to really grok all the really crazy technical stuff just from listening to a slide for 30 seconds at a time. I do have an extensive series of blog posts that kind of goes into really deep technical details, and the idea there is I want to have enough information there that if somebody really wanted to go and do this themselves, they could do it as well.
One thing I'm not going to do is compare this to other tools. There's lots of password managers out there. Some of them are really good. I've been using 1Password for close to 10 years. I've always liked it. It's what I use. I'm not going to spend a whole lot of time to do a formal review of other systems. Like I said, I'm here to figure out how the little crazy crypto works. I'm not really here to compare one tool to another. If you really like another system, like LastPass or KeePass, or I'm not even sure what else is out there, maybe this inspires you to do the same thing and do a talk next year about how that system works. That'd be great to see.

So we'll talk a little bit about some words and terms. Some of these are kind of specific to 1Password, or to how 1Password uses them. You've got your account, which is a group of password vaults, so just a group of places where you store passwords. So you might have a work account, you might have a home account, you might have an account for a volunteer job that you do stuff with. Vaults are where you keep your passwords, and they don't have to be passwords in 1Password. They can be notes, URLs, serial numbers, one-time password tokens, things like that. But they're all just items that are stored in the vault. The two things you'll hear a lot in here are the master password, that's what you type in when you unlock the client, and the secret key. Originally they called this the account key when they rolled out their cloud service. It's a long string that you get, and you'll see a little bit more about that as we move on.

And yes, I didn't say this up front, but we're really focusing on the cloud service, partially because that's kind of what they're moving towards in general. It's also the most useful in a family or a team or a work context. It's also, in a way, the scariest. You know, 20 years ago, if you said "we're going to put all of our passwords on somebody else's server in the cloud," you'd say "you're crazy." But that's exactly what we're doing with this. And that's why a lot of people are scared: well, shit, this is on somebody else's computer. Can I trust it? And again, that's why I'm looking into it like this. And they make it all work with cryptography.

Like I said, I kind of like crypto puzzles. I'm a real cryptography dilettante. So I kind of understand enough to be dangerous, and I don't expect people here to be experts in any of these things, because I'm certainly not. Some quick terms that we'll just be tossing around a lot. AES, the Advanced Encryption Standard, is symmetric key encryption. That means that you use the same key to encrypt it and decrypt it. Compare that with public and private keys, in this case RSA: it's a pair of keys, and you can encrypt data with one key and decrypt it with the other. And that becomes very useful for parts of the system here. There are hash functions; I'll go a little bit more into how hash functions work. Then I'll talk a lot about key derivation functions as well. All of these things are used all throughout 1Password. Do you already understand why these are terrific? If not, despite what I just said about avoiding black boxes and wanting to understand how all the black boxes work, treat these as black boxes and just assume that they work. Right now, it's just the larger picture that matters. If you want to go deeper into crypto, absolutely. It's a fun place.

So, we've got a lot of content. It's actually a really simple system to understand. And yes, it really does need to be that complicated. So we're not going to build everything from first principles here, because that would be insane. But let's start building a really simple password manager together. So the simplest thing you can do is just have a list. So you've got a Notes app on your iPhone. You put all your passwords in a list called Passwords. Hopefully your phone is at least locked. Maybe it's not. So that's a great way to do it, except that if somebody opens your phone,
they open the app, and now they've got your passwords. All right, so let's not use the Notes app. Let's use an app that's dedicated to passwords, and we'll put a little passcode on the front of it. The data is still not encrypted. The passcode is just simply a number that's stored somewhere on the disk. So if a hacker gets hold of your device, they find where the passcode is, they can unlock the app. They find where the data is, they don't even care about the passcode, they can get your data. All right, so now let's encrypt the data. So how do we encrypt it? Well, you've already got a passcode, let's use that as the crypto key. So now you type in the password, or actually, here in my example, I'm not using that as the key. We've got a key that's stored on the disk. You type in your password, it verifies the password, it gets the key, it decrypts the data. So now the hacker has to get at the encrypted data, and then if they can extract the key or your password, again, they've got everything. So far, none of these are really very good.

So now let's actually encrypt the key. And we won't actually store the password on the disk. Now we're starting to get where it's reasonably good, because a hacker could steal the encrypted data, but they can't do anything with it without the key. They can steal the key, but in this case... in all my diagrams, a double box means it's encrypted. Mostly; I've probably messed it up on a couple of slides, but in general the double box will mean it's encrypted. So in this case the key is encrypted. So yeah, somebody hacks your phone, they get the key, they get the data, but they can't do anything with it because they're both encrypted. So what you need to have is the password. So now the password isn't stored on the system, it's relying on the user to type it in. The password decrypts the key, the key decrypts the data, and now you've got it.
The problem with this approach is that passwords make really lousy encryption keys. You brute force passwords by picking a password and trying to see if it works. If it doesn't work, you pick another password, you try and see if that works, you keep going. A way that we measure how safe a password is is through entropy. In this case, for example, the word "password", which is just eight lowercase letters, if you assume that they're only coming from the alphabet of lowercase letters, works out to about 38 bits of entropy. Not a whole lot. A good encryption key should really be about 128 to 256 bits of entropy. So you can see the word "password", all lowercase letters, is just no good. So that's where we have ways to try and turn a password into a strong key.

You can do that with lots of things. I mentioned hash functions earlier. Again, we're gonna see these all throughout. The hash function is basically a function that takes an arbitrary input and consistently spits out a fixed-length string of bits. What's important is that the output is completely unlike the input. It's indistinguishable from randomness. It's got to be consistent, so the same input should always produce the same output. And it needs to be irreversible, so you can't take a hash and go backwards. It's not encryption. It's a one-way function. And then also they're divergent, in that hashes of very similar text can be totally different. And I'm trying to illustrate that here. We have three different words. We're hashing password0, password1, and just password. And you can see that in all but two nibbles, so all but eight bits, they're completely different. The text is very close, but the hashes are totally unlike each other.

So again, hashes are consistent, that's great, but the problem with that is now two users that have the same password will have the same key. And now if we go back to the scenario where somebody steals the phone, now they can possibly just go through a whole bunch of simple attacks; they might have a rainbow attack or some kind of other attack where they know what the ciphertext looks like. They just say, oh, this ciphertext looks like this, that means the password is this. So what they do now, what we can do, is we can add a salt. And what that is is a random string that gets added to the password that makes it more unique, that makes it a unique string. It's not a secret. It can't be a secret, because the system needs to know what that salt is in order to eventually apply the salt to what the user types in at the keyboard. So now what we've got is: you have a salt that's stored on the disk, you have a password, you type in the password, it takes the password and the salt together, runs them through some kind of a thing, produces a key which then decrypts the data key, which then decrypts the data. It's starting to get a little bit more complicated, but it's a lot more secure than what we had on the last diagram.

So far we're just talking about clients, your phone, your laptop. We've also, in this case, got a very strong cloud component. What about stuff on the server? Obviously you've still got to worry about things like password cracking even against the server. If somebody gets hold of the password list, they crack the passwords, now they can decrypt your vaults, now boom, they've got all your bank accounts. One obvious thing is, okay, let's just make
a two-factor, use two-factor authentication. That's great for authenticating. It doesn't really work for crypto, because the key changes every 30 seconds. So you're never going to be able to decrypt your data if the key is constantly changing. So what AgileBits, the people who make 1Password, did is they added a concept called the secret key. In this case, now an attacker that wants to attack things needs two secrets. They need the master password you type in and they need the secret key. The secret key is that long crazy-looking string there. And there are actually multiple components to that that have specific meanings. We'll get to those in a minute. But this secret key itself is about 129 bits of entropy. So this actually is a pretty strong key just by itself.

So there's a lot of ways that you can then mix that in with the password. So now you've got a password, and then maybe you hash the password to get some kind of a key, and now you've got the secret key to make it a little bit more complicated. How do you pull those together? One thing you can do is you can just mathematically add those strings: express them as numbers, add them together. The problem there is that you might end up with a number that's bigger than you need. So in this case, because of addition, you get a carry bit, and you have that extra digit on the left. If you're only looking for so many digits, now you've got an extra one. You could throw that away, but that might have cryptographically pertinent implications. There are times when you do simple things like that and throw extra data away, and it actually makes things significantly weaker because of some foible in how the algorithm works. You can also just glom them together, one right after the other, super fast, but now you've definitely got a big key. You can also use a logical exclusive OR operation, which just takes them together in some sort of bit-level mashing between them, and you end up with a string that's the same length. That's what's done here, and that's what's done in a lot of modern cryptography, the XORs.

So now we have a secret key, there's that long string, we have the salt, and we have the password. You put all those things together, it does some magic on it, it mashes it up in a galvanized tub, and you end up with a key that you can then use to decrypt the data key, and now you can decrypt your passwords. This is great! We took a short password and now we have a 256-bit key. That's terrific, but you can still guess the password. Because everything that I said has turned a password that's short into a key, which is big, but it does it instantaneously. It's just a couple of quick hash operations and some exclusive ORs and stuff. You can still brute force it. You've got the password, salt. If you have the password and you have the salt, but you don't have the secret key, you can derive the first part and then you've got to brute force the secret key. That's going to be tough, because the secret key, I said, was 128 bits. That's huge. You can't brute force that. But if you haven't protected the secret, and you've got that and you've got your salt, you still need the user's password. Now you just brute force the password. Now we're back to the normal problems of pick a strong password. And that won't take much time at all because, again, the key derivation that they use here is super, super fast. So they slow it down by doing it 100,000 times. They still recommend a strong password.
And actually, their current recommendation is to use a four-word passphrase. But just to make sure that that's really strong enough, they actually started a competition in May where they published a list of 18,000 individual words, just a dictionary of words. And they said, okay, we've got, I think, five different hashes that we generated by selecting three words from this list. Their recommendation is four. They said, we're gonna make these passwords only three words, and we wanna see if people can break it, because we wanna have an idea of whether the four-word recommendation is really sufficient or not. If they stuck with four words, and it is sufficient, then the password challenge would never be broken. That's kind of why they weakened it a little bit.

It started in May, and as of October 24th, somebody finally cracked one, and then literally just two days ago, on Wednesday, I think the same team announced that they had cracked a second one. They haven't announced quite how they did it, what kind of rig they had, stuff like that, but it ended up taking a lot longer than the 1Password company thought it was gonna take. They actually ended up giving out some hints. They doubled the prize payout twice, and then they started giving little hints as to what the passwords were. They gave little hashing hints to try and help people speed it up a little bit. And so even with that, it still took them close to six months to crack the first one. So if you take that six months and add a fourth word, you could multiply it by 18,000 times. Four words is probably pretty strong.

All right. So let's pull all this together. We have a password, we have a salt, we have a secret key. You have an email; we didn't talk about that, but obviously if you've got a cloud-based account, you've got an email that's associated with it. Mix them all together and that creates a final key. They call this the two-secret key derivation process, because there's two secrets, the master password and the secret key. And so this is technically what it looks like, and this is where it starts to get a little bit more deep. You have the password salt, which is going to be unique to your account, or probably unique, I don't know if they actually enforce that, but it's a random number that's just assigned to your account when you create it. They have a string, PBES2g-whatever, that helps to describe the algorithm, and then your email address. They jam all those together through an HKDF function, which is a special key derivation function. The result of that gets fed into a key derivation function, which then gets joined up with the result of the secret key, and you end up with the final master unlock key.

That HKDF step is the HMAC key derivation function. There's a specific RFC for it. It takes three parameters, and this describes the different parts of the parameters. So for the first part, you saw here the email address, the salt, and that algorithm name get kind of put together. The key is the salt. The salt is the email. The info is that extra bit there at the end. And then for the secret key, it's actually split into three components. The A3 is the version, which I guess matches the version of their system, their algorithm. The account ID is the next bit, and that's the only part that AgileBits will retain. So if you call up and say, I'm having a problem with my account, they can say, oh, is it the account that starts with ASWWIB? And you say, yes, it is. You'll know you're talking about the right account. If you don't have it, then you know you're not talking about the right account. And then the last, what, five groupings there are the actual secret.
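Added example (editor's code for this transcript, not part of the talk and not AgileBits's implementation): the two-secret key derivation as the speaker lays it out, in Python using only the standard library. The shape follows the talk: HKDF with key=salt, salt=email, info=algorithm name, the result used as the PBKDF2 salt at 100,000 iterations, XORed with a second HKDF output built from the secret key's version, account ID and secret groups. The full method string (the speaker's "PBES2g whatever" is PBES2g-HS256 in the published design), the SRPg-4096 variant that the talk later describes with its own salt, the exact mapping of the three secret-key fields onto HKDF's inputs, and every sample value below are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed sample account values for the example; not a real account.
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SECRET_KEY = "A3-ABCDEF-GHJKM-NPQRS-TUVWX-YZ234-56789"
SAMPLE_PW_SALT = bytes(range(16))        # stands in for the random per-account salt
SAMPLE_SRP_SALT = bytes(range(16, 32))   # separate salt used for the SRP secret
ITERATIONS = 100_000                     # the slow-down the talk mentions


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def parse_secret_key(secret_key: str):
    """Split 'A3-ACCTID-....' into (version, account_id, secret).
    Version, then account ID, then the remaining groups as the secret: per the talk."""
    groups = secret_key.strip().upper().split("-")
    if len(groups) < 3:
        raise ValueError("secret key needs version, account ID and secret groups")
    return groups[0], groups[1], "".join(groups[2:])


def two_skd(password: str, email: str, salt: bytes, secret_key: str,
            method: str, iterations: int = ITERATIONS) -> bytes:
    """Two-secret key derivation: a 256-bit key from master password + secret key."""
    # Password half: HKDF(key=salt, salt=email, info=method) becomes the real
    # PBKDF2 salt, then PBKDF2-HMAC-SHA256 over the master password.
    pw_salt = hkdf_sha256(salt, email.encode(), method.encode(), 32)
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), pw_salt, iterations, 32)
    # Secret-key half: HKDF over the secret groups, account ID as salt and the
    # version as info (assumed mapping of the three fields onto HKDF).
    version, account_id, secret = parse_secret_key(secret_key)
    sk_key = hkdf_sha256(secret.encode(), account_id.encode(), version.encode(), 32)
    # XOR keeps the result exactly 32 bytes, as the talk describes.
    return bytes(p ^ s for p, s in zip(pw_key, sk_key))


def derive_account_keys(password: str = SAMPLE_PASSWORD, email: str = SAMPLE_EMAIL,
                        secret_key: str = SAMPLE_SECRET_KEY) -> dict:
    """Same derivation run twice with different salts and method strings: one
    output unlocks the local key set (MUK), the other is the SRP 'password'."""
    return {
        "muk": two_skd(password, email, SAMPLE_PW_SALT, secret_key, "PBES2g-HS256"),
        "srp_x": two_skd(password, email, SAMPLE_SRP_SALT, secret_key, "SRPg-4096"),
    }


if __name__ == "__main__":
    keys = derive_account_keys()
    for name, key in keys.items():
        print(f"{name}: {key.hex()}")
    # Knowing the password and salt but guessing the secret key wrong yields an
    # unrelated key; that is the point of requiring two secrets.
    wrong = two_skd(SAMPLE_PASSWORD, SAMPLE_EMAIL, SAMPLE_PW_SALT,
                    "A3-ABCDEF-GHJKM-NPQRS-TUVWX-YZ234-56788", "PBES2g-HS256")
    print("secret key guess matches:", wrong == keys["muk"])
```

Because the two halves are XORed, a brute-force attacker who holds the salt and email still needs either the secret key (to attack the password) or the password (to attack the 128-bit secret key); the script's last line shows that a secret key off by one character gives a completely different MUK.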
So now we've got something that looks a little bit more like this. Your password, all those extra things, all thrown into the two-secret key derivation. It decrypts the local key. That decrypts the data. I talked about the server a little bit, but I didn't really go into detail. So we do still need to protect logging into the server. And how are we supposed to do that? Well, again, we've got math. Lots of crypto. There's a really cool system called the Secure Remote Password protocol, which, implemented properly, is reasonably strong. There are also some bugs that people have discovered over the years, and you have to be careful when you implement it. This is why I don't write crypto. I find other people that have written crypto properly, and I use their tools instead.

But basically, the way this works is there's five specialized functions, five specialized math equations. You take your password, call it X, and from X you pass it through a single function to get a verifier, and the verifier is what you send to the server. So you never even send your password to the server when you create the account; you just send the verifier. The verifier is kind of like a hash: it's easy to compute, but it's very difficult to go from the verifier backwards to the password. So only the client ever sees your password. And so the way it works is you take your password and some random data, run some function on it; the server takes the verifier they got and some other random data, runs a function on it; they exchange the random data with each other so each one knows the randomness that the other one picked. And then they do some more functions. And then the result, because of the math, should be that they both come up with the same number. If you both came up with the same number, then the client has proven that their password matches what was used to generate the verifier, and you're in. If you have the verifier, like I said, you can't reverse it to a password. And in this case, you can't calculate the second part because you need the password to get the first part, and like I said, the math is all there. And here's the math if you want it. You can look it up on the slide later, or the Wikipedia article describes it pretty well. It's neat if you just like math.

But again, we need to have a strong password. So we've got the master password, we've got the secret key, together those make an incredibly strong password. We could just use that. I mean, that's a 256-bit password; that's equivalent to 39 characters of the full 96-character printable ASCII. If you could reliably create passwords that utilize that full character space, that's a pretty good password. So we've got that, we could just reuse that, but we shouldn't, because you shouldn't reuse passwords. Even though it would be reasonably safe, you still don't want to do that, because then if something gets captured in the wrong place, now they've got access to that. You just don't want to do that. So what they do is they take the same process, the two-secret key derivation, they change the salt, they change a couple of other parameters, and use that to generate the verifier. Or, not the verifier, this is the password, so this is sort of the replacement for your password that then gets turned into a verifier and sent up. But it's exactly the same as what they use for the master key, only they have a different salt, and they change the algorithm name to SRPg-4096.

So these are the two-secret key derivations again. Everything takes the master password. Your email address, that's stored in the account when you create it. There are randomly generated salts, both for the password and for the SRP. And then you've got different names for the algorithms. Those are used to generate the final keys that you use for local vaults or for the server.
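Added example (editor's code for this transcript, not the talk's slide math and not 1Password's server or client code): the SRP-6a exchange the speaker describes, with both sides' messages, in Python using only the standard library. The 1024-bit group from RFC 5054 and SHA-256 are chosen so it runs in well under a second; 1Password's SRPg-4096 uses a 4096-bit group, and it feeds the two-secret key derivation output in as x instead of the textbook salted password hash used in compute_x below. The identity, password and salt are constructed sample values.

```python
import hashlib
import hmac
import secrets

# RFC 5054 1024-bit group, generator 2 (transcribed from the RFC's Appendix A).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Big-endian, left-padded to the byte length of N (RFC 5054 PAD())."""
    return n.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def compute_x(salt: bytes, identity: str, password: str) -> int:
    """Textbook x = H(salt | H(I ':' P)); 1Password uses its 2SKD output here."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def register(identity: str, password: str):
    """Account creation: the client sends (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    v = pow(g, compute_x(salt, identity, password), N)
    return salt, v


def client_ephemeral():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)


def server_ephemeral(v: int):
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N


def client_session_key(a: int, A: int, B: int, x: int) -> bytes:
    if B % N == 0:
        raise ValueError("server sent B == 0 mod N")  # one of the known pitfalls
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u == 0")
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_session_key(b: int, A: int, B: int, v: int) -> bytes:
    if A % N == 0:
        raise ValueError("client sent A == 0 mod N")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def proof(A: int, B: int, K: bytes) -> bytes:
    """M1: evidence that a side knows K, without sending K."""
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


def login(identity: str, password: str, salt: bytes, v: int) -> bool:
    """Whole exchange; True only if the client's password matches the verifier."""
    x = compute_x(salt, identity, password)
    a, A = client_ephemeral()      # client -> server: identity, A
    b, B = server_ephemeral(v)     # server -> client: salt, B
    K_client = client_session_key(a, A, B, x)
    K_server = server_session_key(b, A, B, v)
    m1 = proof(A, B, K_client)     # client -> server: M1
    return hmac.compare_digest(m1, proof(A, B, K_server))


if __name__ == "__main__":
    salt, v = register("alice@example.com", "correct horse battery staple")
    print("right password:", login("alice@example.com", "correct horse battery staple", salt, v))
    print("wrong password:", login("alice@example.com", "battery staple horse correct", salt, v))
```

Both sides end up with the same S only because B - k*g^x equals g^b when v = g^x; a server that holds just (salt, v) cannot recover x, and a captured A, B, M1 reveals nothing about the password. The two zero checks are the "bugs people have discovered" the speaker alludes to: without them a malicious server or client can force a predictable session key.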
So on the server, there's a lot of features that are only available through the server. You can do most everything you want through the client, but there are a lot of account-level features that are at the server. And again, I'm not really going into application-level details, but I figured it's worth mentioning. On there, you can do things like manage who has access to what vaults. You can change your account password. There's billing things, because obviously it's a cloud service; you have to pay for it somehow. But the SRP can't be used to decrypt the vault. That's very important. The vault data that you have is encrypted with the first half of the whole system. Even if you get the SRP, even if you're able to regenerate that or steal that somehow, you still can't decrypt their data, which means that AgileBits can't decrypt your data. They have no way of getting into it at all unless they have your password, which hopefully they don't.

All right. So it's great to have just a password list, but if you're working in an organization, you're working in a team, you've all got to share access to the different servers, you might want to be able to share passwords with one another. How do we do that? You could create different lists. Everybody's got their own list. You log into different accounts. You can pull down those. Okay, that kind of works. We could take a step backwards and think about how we might have done this in the Victorian era. So imagine a wall full of small drawers. You've got a drawer which has got little index cards in it, and each index card has a password. You get a new password, you write it down there, you put it in, you put it in the right space so you can find it easily. You close the drawer, you lock the drawer. Now, you're the only one with a key, your passwords are safe, nobody else can get into that drawer. We'll forget about the lockpick village upstairs.

So now, if you've got passwords you wanna share with a team, you create a new drawer, and you create three keys, one for you and one for each of your two team members, and you go and you give them the keys. All right, so far so good. What happens if somebody on your team isn't around when you generate the key? When you create the new drawer, you can't just go and leave the key sitting on top of their desk. So what you do is you give everybody one of these little toy banks that has a coin slot on top and a combination lock in front. You go over to your team member's desk and you drop the key in the box. Now you've given them access to this drawer, but you haven't had to do anything other than just drop it through the slot. Then your coworkers can unlock the combination, get out the key, turn the key, open the drawer, and now they get access to the passwords. And let's say also you want to make sure you don't forget the combination. You write the combination down on a piece of paper, seal that in an envelope, stick that in the desk, and lock the desk. Now you've got a backup as well. So create a new vault. Again, you make a copy, go around, slip in all the keys.

So this is kind of what it looks like. You've got the combination written down, stored in an envelope, locked in your desk. It unlocks the key box, the key box contains the keys which open up the drawers, which have the passwords. That's exactly how 1Password vaults work. In this case, the master password key, which is the master unlock key you get when you type in your thing and go through the whole two-secret key derivation, that is equivalent to unlocking your desk, which gives you access to these vault keys, or key set keys, which is the combination. You unlock the key box, now you get the thing. So in this case, you've decrypted an AES key, which decrypts a private key, which decrypts individual vault keys, which are equivalent to what you did for the drawers, and now you can get the items. So it kind of looks like this, ultimately. It's starting to get a little bit weird, but hopefully the analogy helps to make it a little bit more helpful.

So again, I mentioned the private and public key. The way the private/public keys work is if I encrypt something with somebody's public key, only the person who holds the private key can then decrypt it. So the public key is equivalent to the coin slot. You just drop the keys in the coin slot. It's just like encrypting something with a public key: you can give it to them, but you can't get it out because you don't know the combination. So that's how this is working. With this, you add somebody to a new vault, you take the key for the vault, encrypt it with that user's public key, and then send them that encrypted part. Now they can decrypt that using their private key and get access to the vault.

So what happens if you forget your password? The administrators are all part of a special recovery group. So just like you can have all these different key boxes here, where's the one here? You might have one for David, one for Dom. Everybody's got their own. You might have some for teams. There'll be another one just for admins that only admins have access to. It's not normally downloaded to their client, but they can get access to the contents of that through the server as they need to. So basically, you need to reset your account. You go through the process. Eventually, the admin gets an email that says, hey, are they going through with this? And you say, yes, do this. And then all of a sudden, the admin now has access to the key that they can then decrypt and then re-encrypt with your new public key for the new account that you just set up. So basically the recovery isn't so much recovering an old account; it's nuking everything and starting from scratch. But because of the way the shared vaults work, they can get access to your data again and send it back to you. So they're not nuking the data, they're nuking all the keys.
So how does this deal with multiple accounts? 1Password, so you have one password. Um, and this is one of those things that has always worked for me, and I didn't really stop to think about it until I started down this path a few months ago, and yeah, how the hell does this do this? So what happens is you have the primary account on your client. So the first one you kind of set up when you set up the 1Password client becomes the primary. As soon as you unlock that, that can then unlock the other accounts. So on the Mac, what this does is it works with the master unlock key. Again, you type in your password, you get the secret key. It runs through the two-secret key derivation process. You get the MUK. The MUK decrypts your primary account vault, and then that goes ahead and decrypts some additional data that's stored for all the secondary accounts. So in another accounts table, there's a line for this account, a line for that account, a line for the other account. All those are encrypted with the MUK for the primary. Once you decrypt that, you get the master key for those second accounts and the SRP key, so now those second accounts can reach out to the server, pull down updated versions of the vault. They've got the master key that can unlock the key sets, get to the data.

On Windows, it's a little bit different. On Windows, they don't store the secret key locally on the system like they do on the Mac. Instead, what they have is an encrypted master key structure in their database that then goes on and decrypts those individual account things. So Windows has this extra step at the beginning, where you type in your password, it pulls a salt and a count of iterations, runs through the password-based key derivation function to create another key that decrypts the master key, that decrypts a piece of data that includes the user's actual plaintext secret key and plaintext password. Those are then fed into the two-secret key derivation process and create a master unlock key, and from there it goes on like the others.
Some low-level technical detail, if you're interested. The master key structure tells you how many iterations there are and then how long your salt is, and provides the actual salt. This is what derives the key that then decrypts the next part, which is an opdata vault structure, which is just a format for storing encrypted data that 1Password uses throughout. Not super important to know that right now, but it's there if you want it. So basically, you type in your password. It does, again, the password-based key derivation function, only in this case it's using a different hash function, associated with the SHA-512 hash. And then the iteration count varies with each computer. So if you set up your account and you unlock it and it takes a couple seconds, great. If you move that account, that whole installation, to a different computer, upgrade your computer, whatever, and you move your data over and you unlock it and it takes a half second, it says, oh, that's too fast. A half second is too fast, we're going to change this. It will re-encrypt the master key with a higher iteration count such that it always takes about a second to unlock. They want to make sure that that's not something people could brute force.

So you type in your master password, it pulls the information from the EMK structure, derives another key that then decrypts the payload, which contains a master key and a signature key. The signature helps to verify that the master key hasn't been tampered with, and then that goes on, decrypts the account data in the accounts table, and then goes on to get the actual data. So now we've got multiple accounts. This is kind of readable; it's not really readable on the screen, though. So on Windows, you have your unlock password, which derives the master key, which then decrypts an account information blob that contains the actual password and secret key for each account. That goes through the 2SKD, the two-secret key derivation process, decrypts the key set, which then goes down and decrypts all the data in the vaults, and that can also decrypt the next account, which is the same thing, and so on. On the Mac you'd go straight to the two-secret process. It then decrypts the first key set, which can then decrypt the second account data, which then decrypts the second key set, etc., etc.

So all that just brings us back to where we started. Everything that's on here we've now talked about. It's a simpler view there, which again just kind of puts it all together in one place. The Windows password unlocks certain data which contains information that is just simply provided by the user on the Mac, which then derives master keys, which unlock the primary account and unlock the key set for the next account, and so on.
Moving away from the microphone to cough doesn't help when the microphone is clipped to your lapel. So where is everything kept? This is, again, I kind of went down this path to sort of assess risk. The question we were trying to answer is, so what happens if somebody gets your master password, what can they get? And the answer to that was, I think everything, but I'm not sure. And so that's when I kind of started going down and digging. And so that's where I found out where everything was stored. On the Mac, all your data is stored in SQLite database, stored in your library. The secret key is actually stored in the system keychain. And then the master password obviously is in your memory and you type that in.
On Windows, the vaults are stored. I was supposed to go and find out exactly where that is. I haven't really used Windows extensively for years and years. So I'm not sure I could have even answered that question clearly, but there's sort of the equivalent to library on Windows boxes where you've got sort of all your application data that's stored. It's down in there. And there it's, again, a SQLite password database. It's a little bit different. The secret key is not stored anywhere else. It's stored encrypted in the vault along with the master password. You have a different unlock password that probably will, in practice, be the same as the master password. But you type in a password, it then decrypts those other things for the vault
and goes on from there. And then web browsers are a little bit different. Web browsers don't store the data locally. They don't store the vaults locally. So once you've authenticated the system, it sent the SRP off to the server, comes back, says, OK, you've got all these vaults. OK, tell me what's in this vault. Says, OK, here's the vault. You decrypt it locally. So all the encryption decryptions happening in the browser. But one important thing that I did figure out is that when you log in using the browser, there's a little button, you know, remember this computer sort of thing. And usually that's just cookies and whatnot. In this case, when you select that, it also stores your secret key in the browser's local data storage. So
that's great because you don't have to find a piece of paper that's got the secret key and type in that long A3-XYZP whatever sort of string. But it's bad in that if anybody can access your browser cache, they can extract it. It's stored in there encrypted, but because this is before you've done any password stuff, there's no, it's a fixed key that's dedicated to the application. The key is actually the SHA-256 hash of the string "obfuscation isn't encryption but it doesn't hurt". So it's there.
Is there a timeout for the browser because sometimes it seems like it's creating the secret key. I don't know if there is or not. It might be that maybe you just didn't click the remember this computer. Or maybe it does time out after a certain amount of time, I'm not sure. I really don't use the browser interface except to do the account level things, you know, like managing vaults and stuff like that. But that is something that we were concerned about because, again, you know, the question was that we had presented to me was, you know, what happens if a machine is popped and they can key log your master password? Well, if they're on
the box and they've got the password, then they can eventually get access to the secret key and eventually get access to everything. So the secret there is just make sure your box doesn't get popped. So to wrap up some of these details here, we've talked about the secret key. The main thing for that is it really gives the resilience to password breaches of the server. The master password is what you use to unlock everything. You don't actually send the password over the wire to the server when you're unlocking at the cloud level. It's doing secure remote password. And even the password, quote unquote, that you use to authenticate to the server, even though you're not sending it, isn't your actual password you type in. It's
again a derived password of 256-bit strength. There's shared vaults that you can then share with other people. There's a recovery function that your team organizers, admins can use to help you recover passwords that have been lost or your account access, which then you can get back to your vaults. If you delete something from a vault, I don't think there's anything you can do about it. There's a whole lot of other features in 1Password that I didn't touch on. There's Watchtower, which is a nice thing that it actually has a server interface that it can talk to and say, hey, tell me what the latest breaches are. So you can say, oh, you've got an
account at such and such. Did you know they were breached on such and such a day? And it looks like your password was last changed before that day, so this password may be at risk. There's another variant of that where the service, it's a third-party service, not one that they run, and I apologize for not remembering it. It's an outgrowth of Have I Been Pwned, but I don't remember the name of the secondary service that does this. But they actually take all the pwned passwords that are found and they build their own database and you can hash your password locally and then take the first, I think, five characters of the hash and say, hey, send me any hashes that match this. And they'll send you back, it's about
100 hashes or so typically. And if any of those match the one you've got, then you know that they've got the password you just found. That's a way to say, hey, this password you've got for... account, that service hasn't been breached, but what you think is a strong password has been seen on some other password lists, which means that it's now on dictionaries that hackers will use, so now you might want to change that password too. So watchtower's a nice feature. Travel mode, actually, you go into the web client and you can say, I'm traveling, and it basically deletes your vaults from your devices. They all still exist in the cloud, but they're gone for your devices. So if you're going through customs at a hostile country,
then they can look at your phone and there's no passwords on your phone. It's just not there. And then as soon as you're done, you click travel mode off, the vaults come back. And it's fast. I mean, I literally tried that, and then I went back over here and typed ls, and the passwords were gone. The database was gone. There's some two-factor support, both for authenticating to 1Password that you can force it to ask for a two-factor token. You can make them authenticate with a two-factor every time or once a week or something like that. It also supports time-based one-time passwords inside 1Password, which is a nice feature. So you can go to a website, say, fill
in my name and password, and then it copies your current token to your clipboard. You hit Enter. Now you're the thing where you enter your code. You hit Paste, and that goes on. Journal and Backup is...
when I was working on this talk for work, I originally gave this talk in a really abbreviated form at our local hackers group, Nova Hackers, back in May, and then I tweaked it to give as a lunch and learn at work, and as I was enhancing the slides and going through and making sure I didn't miss anything or screw anything up, I found some keys that I didn't recognize, some data structures that weren't there before. I don't know what the hell this is, and I dug into it for a while and eventually reached out to AgileBits on their support forum, and they said, oh, nice hunting. Glad you found that. It's a new feature that
they're building where it will encrypt your passwords as you change them with a new key. It's also based on your password, that's 500,000 rounds of PBKDF2. But it encrypts them as you change them and stores them somewhere in the database. And then at some point during the day when you're not doing much, it finds everything that's changed and writes them out to a file. And the idea being there that they will get a consistent journal of things that have changed, so there's always got a backup, but it's not doing it in such a way that it takes a long time out of your day. So if you're, you know, sitting there trying to get to a password and it's in the middle of doing this process, it's going to
be super slow. So they kind of split the process up into encrypting and dumping this way so that it doesn't impact the user. But that feature is not live yet. Even what I saw in 1Password was only halfway there, so this could also change a million ways from Sunday before it finally gets released, but it's kind of fun that I found that. There's clients on phones, I haven't looked at those. There's clients in the browser, I touched on that. There's an official command line client, which is a pain in the neck, but it's incredibly powerful. There's browser extensions, there's security issues related to browser extensions, because then when, you know, how does the browser
talk back to the 1Password thing, and they've talked a lot about how that works. There's the ability to send passwords to other people through SMS, which is just obfuscated with a fixed key. I haven't really dug into how that works. It's good if it's an emergency, but then after the emergency passes you should probably change your password. And then Touch ID is great on the Macs. The newer MacBooks and I guess now the iMac Pro have Touch ID sensors, and it used to be that it would store basically the login data that was encrypted with the master unlock key, it used to store that in your keychain, and when you authenticated to the Mac by touching the Touch ID,
it would then provide the contents of that keychain entry back to the application. The application would then look in your preferences file, pull out a key that's hidden in your preferences file, decrypt it, and now it's got access to it. That's reasonably good security. You need access to the box, you need access to the preferences file, you need access to the keychain. And theoretically, you couldn't get to the keychain unless you're the 1Password app. But, and I haven't really nailed this down, but it seems like if... the keychain is synced over iCloud keychain, then you can retrieve that with some work on other Macs that are also subscribed to that iCloud keychain. So it's actually possible to pull the secret
out of there and then pull the secret out of the preferences file in the first box and you can decrypt it. With the newest versions, with 1Password 7, it's actually changed that. The secrets are now, the key is in the Secure Enclave on the box. The secret is in the preferences file. When you unlock it, it's decrypted by the box. You'll never have access to the key. It can only be done on the box. Significantly safer. So if you've got a Touch ID Mac using 1Password, absolutely upgrade to 7. It's a lot better for that. And that's it. I'm really grateful to AgileBits for being so transparent about how this system works and especially for answering all of my questions. I kept throwing really ridiculous obscure technical
questions at them and they were all very good about answering them. And then of course Expella's let me kind of turn a simple question we had in a table talk into a long talk and a whole really long set of blog posts. And if you want to, there on my blog I've got this. I just published it this morning. It's five different sections plus a beginning and an end and all kinds of data. Ridiculous amounts of technical detail. I also have on the GitHub, on a GitHub repository, I've put some simple example scripts that you can use to decrypt the data. So basically you can say, going to decrypt the MUK, okay, what's the salt? And you go to the database, you find, okay, here's
the salt. What's the IV? Okay, get that. What's the thing? So you copy all the different things in and it spits out the answer. You can use that to really just walk through a 1Password database, you know, block by block, and you decrypt individual things. So you start off by decrypting the MUK, which then you decrypt the key set, which then you decrypt the first private key, which then you can decrypt the vault, which then you can decrypt an item, so you can prove to yourself that this is all actually working the way that you think. And then because doing this on your own password data is probably not a bad idea, I was
actually able to set up a couple staging accounts. I needed those for a while. Then as I was putting together this talk, I said, you know, I really need just test data. So I've actually got a whole script there that generates all the different data structures for you. You can use that to create some test data and prove to yourself that whatever tools you're building work. And then when you're confident that works, then you can try it on real data. Good. Even that, I mean, passwords. Be careful. That's it. Questions? A lot of data, I know. Yes. Does 1Password support YubiKey as a second factor? And they don't yet. And I know there's been discussion about it on
the forums and they have answers, good and bad, and I'm not really sure what the planning is. I think there's an argument to be made that things like that might be too, and this is me speaking, that things like that might be a little bit too tied to specific vendor, specific niche technology. It's a great idea. I mean, and they're already doing that by supporting touch ID on the Macs, but that's a lot less niche than a YubiKey. But no, they don't support it at this point. Okay,
a push from NIST to standardize the use of the, yeah, use of YubiKeys and stuff. Yeah, YubiKeys are neat. I did some digging a while ago for another talk into how different web authentication systems work, and I love the whole U2F framework and the interaction with YubiKey, but it was not very well supported in the browsers. I don't think Safari still supports it, or I think Safari still does not support it. There's a lot of negatives in that sentence. But it's a great idea, and if we can start getting more pushback on that to get that more widely supported, that'd be great.
Any other questions? Yes. Yeah. Yeah. Yeah. Yeah. So... The question seems like a couple of parts. Part of it is addressing the question of password resets, just a pain in the neck. And I don't know the details, but I know that there are some efforts underway, not by Agile, but just in general in the community, that there are some efforts underway to standardize, possibly even at the API level, a way to change your password. And the idea there being that eventually password managers could say, hey, your password has been breached, type in here, and boom, boom, boom, you change it, and 1Password will reach out to the service and change it for you. I know that that's being worked in
general, but I don't know if any of that has made any progress. And then enforcing MFA, all that's coming down to, obviously, the individual services. But again, with that Watchtower feature where it's saying, this site was breached more recently than your password was last changed, or this site has been weak, they actually have a feature there where they say, hey, this service supports MFA and you don't have it enabled. You might want to consider that. So they kind of do have features in there that can help prod you that way, but there's nothing they can do to enforce that; that's going to be at the service level. Any other questions? All right. Thank you very much
for coming.
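The breached-password check the speaker describes (hash locally, send only the first five characters of the hash, compare the returned suffixes on your own machine) is the k-anonymity "range" lookup offered by Have I Been Pwned's Pwned Passwords service. The script below is an added example written for this transcript; it is not the speaker's GitHub code and not 1Password's implementation. The endpoint URL and the SHA-1/5-character-prefix shape are from the public API; the breach corpus, the counts and the filler suffixes are constructed so the example runs offline, and a live `fetch_range` is included but not exercised.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Endpoint shape of the Have I Been Pwned "Pwned Passwords" range API (the k-anonymity
# lookup described in the talk): the client sends only the first 5 hex characters of the
# SHA-1 hash and receives every known suffix in that range, one "SUFFIX:COUNT" per line.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"
PREFIX_LEN = 5


def hash_password(password: str) -> str:
    """Uppercase hex SHA-1, the hash the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """The prefix leaves the machine; the suffix is compared locally and never sent."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into {suffix: count}; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """How often the password appears in the breach corpus (0 = never seen).

    `lookup` takes a 5-character prefix and returns the raw response body, so the same
    code works against the live endpoint or the constructed stand-in below."""
    prefix, suffix = split_hash(hash_password(password))
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the offline demo). Only the 5-character prefix is transmitted."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL.format(prefix=prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline stand-in for the server side -------------------------------
# Hypothetical breach corpus: passwords and how often each was seen. The counts are made
# up for this example; the hashes are computed at runtime, not copied from any real response.
CONSTRUCTED_CORPUS = {"password": 12345, "123456": 9876, "letmein": 42}

# Made-up hex suffixes so every range returns several candidates, as a real range does.
FILLER_SUFFIXES = ["0018A45C4D1DEF81644B54AB7F969B88D65", "00D4F6E8FA6EECAD2A3AA415EEC418D38EC"]

PREFIXES_SEEN: List[str] = []  # records exactly what "left the machine"


def constructed_lookup(prefix: str) -> str:
    """Stand-in for fetch_range: answers with the corpus entries whose hash starts with prefix."""
    PREFIXES_SEEN.append(prefix)
    lines = [f"{s}:1" for s in FILLER_SUFFIXES]
    for pw, n in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(hash_password(pw))
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-constructed"):
        n = breach_count(candidate, constructed_lookup)
        verdict = f"seen {n} times, change it" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
    print("prefixes sent:", PREFIXES_SEEN)
```

The point to check in `PREFIXES_SEEN` is that nothing longer than five hex characters is ever sent, so the service learns which of roughly a million hash ranges your password falls into but not the password or its full hash; the match against the returned suffixes happens on the client.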
No, we've got, we're actually split into two different groups. We have, we're a very small company. We're like 80 people. And we have the CISO and me as his own security minion. And then the CISO also manages three, now three IT people. And so they do most of the day-to-day management of the tools and stuff like that. And we're now getting another person who starts next week who's going to be sort of bridging the gap. It'll be more security related, but again, he's going to be doing all the bullshit stuff.
just like having these parts set up just so I don't have to, because I have to run the other all and get them set up too.
Doesn't look like this works.
Yeah, I flipped it on. It's on? Yep. It's on. Oh, maybe now, because it's ready to use. There we go. Cool.
Okay, I got to make a phone call.
Can I move around?
Good afternoon. My name is Ralph DeFranjesco. I'm here to talk about detecting drones. Before we start the presentation, let me ask, who owns a drone in here? I was just going to ask, who owns one or more? One more? What about the rest of you? You wanna know drones? I'll tell you what, I have 10 of them. You gotta ask Santa for one for Christmas this year. All right, so what I wanna do is I wanna share this experience with you. I used to work for one of those three-letter security agencies, which I don't anymore. But I wanna share with you an experience I had in working there and why I came up, why I'm interested
in drone detection. What I want to do is I want to put out a definition, and we don't all have to agree with it, that's fine. I want to explain the problem that I was trying to solve. I'll propose a solution that I came up with. It's not the only solution, but it is one solution. I'll show you the equipment that I used. The next step, how I'm going to move this thing forward. The next, next step, how I hope to evolve this thing. And then I'll talk about a final solution, and then I need your help on something if you're interested in helping me with it. So this was a definition that the FAA has. A drone is defined as a vehicle that is not piloted by a
human from within the vehicle itself. Again, we don't have to agree on it, but it is a definition. So let's see if some of these apply to that. So what I thought was a drone would be a quadcopter, right? You're controlled remote control. There's no human intervention in a cockpit. A predator, obviously. Same thing there. It's remotely controlled. A smart plane. and one of the RC cars or boats or planes. What I didn't think was a drone would be a paper airplane. Anybody think a paper airplane is a drone? Anybody would disagree? No? How about one of those rubber band powered planes? No? How about a kite? No? Or a balloon? Some of those things I don't think fall into those categories.
So here is the problem. I was looking to see how can I detect the drone, how can I accurately detect that it is a drone and repeatedly, and then how can I do it with COTS hardware and software? Seems reasonable, right? So here's what I used. I used a laptop, a parabolic mic, which I'm gonna show you the one that I used or close to the one that I used. I used Audacity as recording software. I used a drone, it was the Parrot Mambo, but you could really use any drone, it doesn't matter. It all works the same. This is very similar, I couldn't find the exact one online that I used, but this is what a parabolic mic looks like. So it's very directional, you point in
that direction, it's gonna capture the sound from in that direction. So what I did was I mounted the mic on a stand that I built, planted it in the ground, pointed it upwards, about 30 inches off the ground. I didn't really have anything to go by, I chose 30 inches because I'm short and that seemed like a reasonable height for me. I plugged that detector into my laptop and then I started Audacity. And then what I did was I flew the drone over the detector to see if I could detect it or not. So the first time I flew was about two feet over the detector. And this is what I got. You can imagine
as you're flying in, right, it's softer. When it comes over the detector, it's going to get louder. And then as it leaves, it's going to get softer as well. And that's kind of what you see right there. And then I increased it. I went to six feet above the detector just to see if I could see it. Same thing was 30 inches off the ground, flew six feet above it. Same kind of thing. It was coming in, flew over it, it increased as it left. We saw it decreasing. Then I got bold and I said, well, let me try 20 feet above the detector. And I kept getting the same things in all these tests.
Again, you can see it coming in, increasing it, and then going out. So that's kind of what I did for the first test. And I said, well, that's great. I could pick up a sound. I could probably pick up a lawnmower or if somebody had a weed whacker or a helicopter and do the same thing, right? I'm going to get that kind of noise. But a drone has a very distinct sound, does it not? We could probably, with our human ear, detect the difference between a drone and a helicopter or a drone and a lawnmower. Plus it also has to do with its use. A drone's going to fly in and fly out. Sometimes it'll hover. Yeah, I mean, that's possible. But you're flying the thing. A lawnmower is
not. A lawnmower is going to stay there for a while. A weed whacker is going to stay there for a while. We're not going to see this in, kind of out, you know, motion with those. So I look to see, can I detect that sound to differentiate that from a drone or another type of instrument? So I reused the data from the first capture that I had. And then I downloaded various sounds. The lawnmower, the helicopter, a weed whacker, I think a hovercraft, and an airplane. I didn't bring all of them today, but this is what the drone looked like. Now keep in mind that when we hear sound, it's made up of different frequencies. It's just not one frequency. If it was, it'd be
more of a tone generator. So from the drones that I had, and I captured a couple different files, and they pretty much came up consistently. This is what I saw, and those frequencies right there stuck out with the drone, which you would expect. It has that very high-pitched, that's one of the higher frequencies in this graph right here. Here's what a hovercraft looked like. It still had some of those higher frequencies there, but look at the other frequencies as well as compared to this. Certainly in the center of that, in the 100 kilohertz range, in the 500 kilohertz range were the strongest. and here it was not.
And then I did a helicopter. Now, there were some similarities in that 100 to 1.25 kilohertz range, but we saw more on the lower end, which is what you would expect, because when a helicopter flies, it has that thumping noise, that very low type sound to it. And that's where we see it on the left-hand part of the graph over there. So I was able to discern that I don't have this all worked out yet. I'm only showing it from this perspective. I can capture the sound, but I can't do anything with it right now. This is one of these things where I'm looking for help on trying to do what anybody has experience in
processing sound. What I want to do after this, I want to try to put it into a neural network. I want to take pictures of the drone flying. So I'm going to train this thing. I'm going to teach you what a drone is and what a drone is not. And then as it flies over my detector, I can take real-time images and detect at that point if it's a drone flying or not. And then as I get them right, I'll keep teaching it or get it wrong until I work it out to where it's accurate enough. This is what I want to do at the end game. So I want to put a detector out there, use the neural network, detect it, and so if it's coming in at
this angle, the sentry will swing in that direction. And as soon as it passes over it, it'll detect movement and then just start firing and see if I can knock this thing out of the sky or not. I don't know, maybe it's a bit ambitious, but it beats throwing rocks at it. And where I live, they shoot them down with shotguns. I'm in Northeast Maryland, by the way. All right, so if somebody has this type of background, electrical engineering, computer science, or you're just interested in the project, see me afterwards. I'd like to talk to you about it. I'll take any questions. Anybody have any questions for me? My objective?
I mean, I think the first step in the process is detection. Wouldn't you agree? I would agree. Sure.
Remember I opened the conversation up that I started with a three-letter agency, right? So, I mean, that's my interest, right, in trying to detect drones in airspace they're not supposed to be flying in. I mean, the practicality of mounting sensors all over a property, I mean, I don't know. I would have to keep trying to see. But my main goal is to detect them. If I can do something with them, I mean, they have things now that I believe it shoots out of a shotgun. It looks like a, what am I thinking of? Well, I mean, it's a gun, yeah. Yeah. It has like a net around it that you can shoot it and capture
the thing down. I don't know how realistic that would be, but from an automatic perspective. But yeah, I mean, ultimately I'd love to detect it and knock it down.
I couldn't. I'm not that tall to do that. I know, I know. Well, I couldn't hold the thing up any higher than that without it falling down on me. So next time I'm going to stand on my deck. try to get it, see how I can fly it and still detect it.
Sure. So what I plan to do, I mean, if it ever turned into something, I think mounting sensors at different heights. They could be in trees, they could be on flagpoles, they could be mounted at different heights, pointed in different directions to catch them coming in or leaving.
Oh yeah. Sure. Absolutely it will. Yeah, no, it will. It definitely will. I mean, that's just something I'm going to have to deal with. And you know, like I said, this is just a solution. It isn't the end-all be-all. But it's the start, you know, to try to detect these things. Now, some people are using frequency to try to detect this thing coming in, right? That's a hard thing to do live, right? Because then how do you react to that live? So you catch the frequency that it's on. could triangulate it. That's definitely doable. It takes a lot of processing power to be able to do that. Any other questions?
I have. I have 10. I tried two other ones. That was the Mambo. I tried the Parrot and I have a DJI. Around the same. It wasn't exact, but it was close. Yeah.
I don't think they do. I don't think they can detect something that small. I mean, these things are pretty small. I mean, the parrot's about 16 inches square, so it's So that's pretty good size, but I don't even think it's possible to detect that. But the Mambo is about a third of that size.
Oh yeah, right, I've seen it, yeah. Right. And does it have recording or picture taking capability?
So that's another option I looked at to see if I could interfere. So even if the drone flies over, if it isn't taking any pictures or recording anything, I mean, outside of it flying into like a helicopter or a plane or something like that, what damage would it do? But if I could interfere with it taking a picture or the video, then I could stop its ultimate mission, right?
About a third of that. So I'd say it's about eight or nine inches square.
And they fly in headless mode too, right? So you don't even need to see it. You can just create the mission and fly it.
Yeah, so I think flying in no-fly zones is the risk either on military installations where there's classified information or where there's aircraft. flying into aircraft. That's really the risk.
You had a question?
So what I did was I went onto the internet, right, because that's the best place to go for this, and I found some, I got some sound recordings already, and it sounded like the background filter was out. Now that is an issue, right? But I'm thinking at that height, how many things are going to really be flying? I mean, you have a bird, a couple of insects at that height, certainly planes and helicopters. So I don't know how much I have to filter out, and they're facing up.
You do. You do get white noise. At 20 feet, I was starting to pick some up. I would think on a windy day, it's probably going to be useless because the wind, it's like blowing on a microphone. You kind of get that weird white noise to it. So again, it does definitely have limitations. I'm sure when it rains, if there were a torrential downpour, I wouldn't be able to pick it up. If you want to defeat the system, fly it while it's raining. I do want to point out one other thing. So I'm hosting US DroneCon this year. It's April 6th at Cecil College. It's about a half hour away from here. It's in Northeast Maryland. So if you're interested in coming by, love to have you there.
If there's no more questions, thank you very much for coming. I appreciate it.
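The drone talk stops at "I can capture the sound, but I can't do anything with it": the speaker compared spectra by eye, noting a high-pitched whine for the drone and low-frequency thumping for the helicopter. The script below is an added example, not the speaker's code or anything from the talk, showing the first processing step a practitioner would build on such captures: a windowed DFT to find the dominant frequencies, a coarse band-energy fingerprint, and a nearest-fingerprint classifier. The band edges (below 100 Hz, 100 to 1250 Hz, above 1250 Hz) are taken from the ranges the speaker mentions; the sample rate, the tones and the amplitudes of the "recordings" are constructed so the example runs offline with no audio files and no numpy.

```python
import cmath
import math
from typing import Dict, List, Sequence, Tuple

SAMPLE_RATE = 4096   # Hz, constructed; a real Audacity capture would be 44.1 kHz
N = 512              # samples per analysis window -> bins are SAMPLE_RATE / N = 8 Hz wide

# Coarse bands for the fingerprint, following the talk: rotor craft show energy below
# ~100 Hz, the 100 - 1250 Hz region is shared with other sources, and the drone whine
# stands out above it.
BANDS = (("low", 0.0, 100.0), ("mid", 100.0, 1250.0), ("high", 1250.0, float("inf")))


def synth(tones: Sequence[Tuple[float, float]], n: int = N, rate: int = SAMPLE_RATE) -> List[float]:
    """Constructed stand-in for a microphone capture: a sum of sinusoids (freq_hz, amplitude)."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones) for i in range(n)]


def spectrum(samples: Sequence[float], rate: int = SAMPLE_RATE) -> List[Tuple[float, float]]:
    """Magnitude spectrum from a direct DFT (pure Python). Returns (freq_hz, magnitude) for
    bins 1 .. n/2-1; bin 0 (DC) is dropped because a microphone offset carries no information."""
    n = len(samples)
    # Hann window: keeps a tone's energy within +/-1 bin instead of smearing it across the spectrum
    windowed = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / n)) for i, s in enumerate(samples)]
    out = []
    for k in range(1, n // 2):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(windowed))
        out.append((k * rate / n, abs(acc)))
    return out


def dominant_frequencies(samples: Sequence[float], top: int = 3) -> List[int]:
    """The `top` strongest bins in Hz, strongest first: the peaks that stood out on the plots."""
    ranked = sorted(spectrum(samples), key=lambda fm: fm[1], reverse=True)
    return [round(f) for f, _ in ranked[:top]]


def fingerprint(samples: Sequence[float]) -> Dict[str, float]:
    """Fraction of spectral energy (magnitude squared) falling in each band."""
    energy = {name: 0.0 for name, _, _ in BANDS}
    for f, m in spectrum(samples):
        for name, lo, hi in BANDS:
            if lo <= f < hi:
                energy[name] += m * m
    total = sum(energy.values()) or 1.0
    return {name: e / total for name, e in energy.items()}


def classify(samples: Sequence[float], references: Dict[str, Dict[str, float]]) -> str:
    """Label of the nearest reference fingerprint (Euclidean distance over the band fractions)."""
    fp = fingerprint(samples)

    def dist(ref: Dict[str, float]) -> float:
        return math.sqrt(sum((fp[b] - ref[b]) ** 2 for b in fp))

    return min(references, key=lambda label: dist(references[label]))


# Constructed reference recordings. Tones sit on bin centres (multiples of 8 Hz) and the
# amplitudes are invented; they stand in for the downloaded clips the talk compared.
DRONE_REF = synth([(304, 1.0), (1400, 0.8)])   # mid-band hum plus a high rotor whine
HELI_REF = synth([(24, 1.0), (200, 0.6)])      # low thump plus some mid-band content
REFERENCES = {"drone": fingerprint(DRONE_REF), "helicopter": fingerprint(HELI_REF)}


if __name__ == "__main__":
    print("drone peaks (Hz):", dominant_frequencies(DRONE_REF, top=2))
    print("helicopter peaks (Hz):", dominant_frequencies(HELI_REF, top=2))
    unknown = synth([(320, 1.0), (1600, 0.7)])  # a different constructed drone signature
    print("unknown classified as:", classify(unknown, REFERENCES))
```

On real captures the same pipeline runs window by window over the recording, which is also how the fly-in, hover, fly-out pattern the speaker describes becomes visible: the fingerprint stays drone-like while the total energy rises and falls. The wind and rain limits mentioned in the Q&A show up here as broadband energy that lifts every band at once, so a practical detector would also threshold on how peaked the spectrum is rather than on band fractions alone.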
Right. I mean, I think in the long run, I could probably mount these sensors at different heights, depending on the property. You had a high fence in a tree on a flagpole to get me more of a height advantage. But if you're flying at 2,000 feet, I'm probably not going to get it.
you're interested in? I don't have the equipment myself, but I think I get your idea. Okay, great. Thank you. I appreciate that. I appreciate the feedback. Hi. I'm with Wellington University. Okay. We offer a drone cert. Oh, great. I don't do it, but the guy from that program, and we're right down the road in Newcastle, Delaware, it's possible that there could be some I didn't answer that I have a drone, but it's still in the box.
I teach a course in cybersecurity and the Internet of Things. That's what I got the drone for. Gotcha. Now it's the next level of getting approval from insurance, from the university. I do the same thing. I teach at Cecil College. I was a full-time professor at Drexel, and then I jumped there for 10 years. Now I'm at Cecil. But I incorporate the drones into my program. So I show the students how to deauthenticate a drone. So you're flying, all of a sudden you lose control of it. I show them how to take control of it afterwards. I show them how to get onto the drone because that Parrot is very, very susceptible. You can get
onto it. That's what I got. You have the parrot? You'll have fun with that because it's weak security. I'm a glider pilot by training. Oh, OK.
Oh, yeah. Right. Oh, my God. Yeah. God forbid what could have happened to you, you know? Yeah. You were lucky, right? Well, thank you. I appreciate it. Sure. Sure. Okay. We'll do.
Go ahead and put this in. Sorry, they broke the thing, so just toss it in your pocket. Okay.
It's on, but it's not being recorded. Okay. Okay. So the screen's also recorded or streamed also? Oh, it's split in half? So this is capturing all of you. Okay. I have a special rig where it makes the Hopefully the prettier one more. Because the last one didn't, for some reason he started tearing. So his feet start tearing into the back screen. Interesting. I'm going to have to scrap his tongue. I got to rely on the back up. This is the back up. So the back up just captures everything. I guess you can notice. Yeah, yeah. That's pretty cool. I like that feature. I like that. Yeah, it's like I'm staring off into this instead of turning my neck. Yeah.
Oh, okay. Okay.
Good afternoon, guys. How are we doing? Everybody still awake? 3 o'clock Friday? Yep. A couple yawns. My name is Randy Westergren. Today we're going to talk about hacking for good. I do have a little bit of disclosure. I did borrow my fiance's laptop, so if Pinterest pops up during the presentation at some point, my fault. I am a developer in North Wilmington at a fintech company called Marlette Funding. Any developers in the room at all? Yeah? Okay. One. That's kind of the problem, right? I also have a history of sysadmin work prior to my development life, and AppSec is kind of a hobby and passion of mine. So I bring that to work every day and sometimes at home at night. I want to start off with
talking about what hacking is, or what we think of hacking as. And I really love this image. So many great things about it. First off, it's probably what everyone thinks of when they think of a hacker. You've got all the classics in there. The hood, of course, that goes with it. Very dark. Terminal is open. Notice there's...
keyboards. This guy is typing on two different computers, and he also has gloves, in case, you know, to be careful, right? So a lot of interesting things about that picture. But if that's what we think of hackers as, it's not extremely uncommon, right? If you do a quick Google image search for hacker, you come across a lot of these images, even that guy in the third row that doesn't look like he fits there. But hacking isn't everything bad. It doesn't necessarily mean even accessing computers or digital hardware illegally. In the traditional sense, in the old days, hacking meant you were coming up with a novel solution to an engineering problem in a creative way. So this is a message from the early days of the Linux mailing list.
This is Linus Torvalds' message to everyone, and he's kind of just saying, hey guys, this is a new code base I'm working on, a little pet project; this is a program for hackers by a hacker. Clearly Linus, who later turned his project into Linux, wasn't talking about breaking into software. He was talking about coming up with an interesting project that solved a lot of problems all over the world, and given the success of Linux, I think he met that goal. What do I mean by hacking for good? If you look at this image, I think this is always a good analogy. If you don't know what this guy is doing as far as motivation, whether he was paid or not, this might not look much
different if he was an ethical locksmith or somebody breaking into a house. He's even got a black hat on there. We don't see any company logos, although that could be a misleading factor in the process. This guy looks a little bit more innocent. He could even be working on his own house. He's in the process of using legitimate techniques to break into his house or that given room. But they're the same techniques that a bad guy could be using to enter into software that he's not supposed to be accessing. Another example of a good guy who kind of looks like a locksmith being paid to do bad things, or typically bad things if you don't know what his motivations are, is pen testers. Any pen
testers in here today? No? Well, if you were, you'd be wearing that shirt. But
altogether, these are grouped under a term called white hat hacking. We've all probably heard this term before. It's a term used to describe anybody that's hacking in an ethical way and trying not to break laws. This guy is a white hat hacker. This is a five-year-old who escalated privileges in his Xbox account, his dad's account, and found a vulnerability in Microsoft's Xbox.
up on the hall of fame of Xbox or Microsoft's website, and I think he even got a $50 credit for his Xbox store. So that's a little bit different than the guy in the black hoodie at the start of it. So traditionally we have a little bit of a variance here, from two extremes and then one guy in the middle, right? Black hats, white hats, and this gray hat in the middle. So what's a gray hat? I think a good example of this is something recent. So MikroTik had routers that had a zero day, and a very high number of them accessible across the internet. Somebody was scanning them with a tool like Shodan, or just a mass scan across
the internet, identifying these routers. And although illegally accessing them, the motive wasn't bad. It was to patch the routers so that nobody could abuse them. This is what we refer to as gray hat hacking. The person who was doing this had good motivation, but they were still breaking the law in the process. Today I'm going to focus mostly on the white hat end of the spectrum. We're going to talk about examples of AppSec research that has benefited the community as a whole. What do I mean when I say security research? Essentially, hacking for good. It falls under the umbrella of white hat, but it may or may not be something that's paid for or rewarded or has some financial motivation in the
first place. If you do a similar image search for a security researcher, the results are a little bit different, really all over the place. We've got Kim Jong-un there on the first row. We've got just...
A lot of weird stuff going on there. The reason I present this is because it gives us an idea of how galvanizing the term is outside of our community. It doesn't necessarily show that this term, security researcher, is understood outside of our industry. I'll talk a little bit about responsible disclosure. Anyone ever heard of responsible disclosure before? Anybody used it or had to use it? So Walmart has a responsible disclosure policy. It was surprising to me as I came across this. Basically it is a process by which an organization or vendor can publish ways for researchers who come across vulnerabilities in their software properties to be notified, in a process by which they agree to interact with you in a peaceful
manner. There used to be a lot more consensus on, or I shouldn't say consensus; there is a new consensus around the term: it's that it doesn't work, right? Responsible can mean a lot of different things to a lot of different people. It turns out not everyone agrees on what responsible means, so that term is being kind of discarded in favor of coordinated disclosure, meaning the same thing. On the opposite end of the spectrum is what's called full disclosure, which is quite the opposite of coordinated disclosure, that being working with the vendor and waiting till there is some kind of patch release and agreeing on a timeline to release the details publicly. Full disclosure is
on the other end of the spectrum, where a researcher comes across a vulnerability and decides that the best way to get that patched is to drop it publicly to everyone, the argument there being that the more people that know about it, it puts more pressure on the company to fix it quickly, which tends to be a critique of coordinated disclosure. And it lets the users know their risks up front. And this is a picture, a screenshot, of the full disclosure mailing list. It used to be a hotbed of full disclosure vulnerabilities being dropped day to day. I think you see a little bit less of this now, just because the industry has come a long way in coordinating disclosure, and we're gonna talk a little bit more about
that. One way it's come forward is bug bounty programs, right? HackerOne is one such program. Companies can also operate their own individual programs, but HackerOne is a centralized program management platform for hosting bug bounty programs, so organizations, especially larger organizations, can take the load off and have somebody else manage various aspects of that program. Here's a good example of what you might come across as a reward for working with a bug bounty program. It looks like the Dutch government operates one. If you happen to find a vulnerability in their platform, you get a little shirt that says, this is all I got, right? This allows a t-shirt. What isn't security research? I think this line is appropriate to draw
and very important. Anybody remember this logo? Yeah, you don't hear much from Anonymous anymore, but it's kind of a genre of hacking we call hacktivism.
The idea behind this is somebody is hacking with an agenda. They have some reason to hack, and sometimes those reasons even come later, after they've found a vulnerability in some organization's software. You've also got things like this. I'm not going to read the whole thing, but it's an email sent to a business owner, essentially extorting him and saying we're going to DDoS your site or we're going to exploit a vulnerability until you pay us bitcoin. These things are not legitimate security research. These sit on the black hat side of things. Security research, or white hat hacking, also has a dark past. Many of you probably know about the Computer Fraud and Abuse Act. It's been used to prosecute
legitimate crimes in computer fraud and abuse. It's also been used to, the language in the act itself has been leveraged to prosecute what you might consider arguable offenses, where intent was not considered, or just things that we as researchers might come across very often that have no criminal intent or action behind them. You also see stuff like this all the time, not so much anymore, but more so in the past, where somebody operates a cryptocurrency project, some security researcher finds some very serious flaws in it, and then you have somebody that critiques the critiquer rather than accepting the feedback and the scariness of the vulnerabilities in their software. So in here, you know, this guy's threatening lawyers
to come after this person. Same deal with this. This is just a recent email of somebody who also operates another cryptocurrency project. He wrote up a blog about how there were various vulnerabilities in the platform, different pieces of the software. He gets a reply back attacking his character, saying that they're not real vulnerabilities, that there's no way he could hack anything, and all kinds of names. So this stuff still happens today, but I think my sense is that it's less and less frequent these days. You also see things like this on occasion, where there's legitimate research being presented at a large con like Black Hat. In this case, it was some RFID research. Some company
didn't like that that research was being disclosed at Black Hat, and they sent lawyers after this guy that was going to present, and it resulted in him not being able to present that research. So that's a little bit of background on AppSec. I want to talk more about the current state and how things are going in the future. Anybody remember Equifax? One of the largest exploitations of a vulnerability in a long time, not just the scale of the breach itself, 140 million plus people, but the type of data that was breached, things that we're not going to be able to change. Names, you could arguably change that, but social security numbers, birthdays particularly, we're not changing that kind of stuff after a breach. It's easy
to change your password after a breach, but some of this information sticks with us for our life. This was caused by, or leveraged through, the use of Apache Struts. Anybody heard of Struts before? A very large MVC Java framework used by developers to more rapidly put together and prototype a web application without having to worry about all the basics. The problem with these large frameworks is, especially when they're adopted by so many installs, you come across very serious vulnerabilities like this one. This is the CVE that was responsible for the hack in this case. As you can tell, it's of the highest severity. It was disclosed publicly March 10th, 2017, and Equifax
was not able to patch it quickly enough, because it obviously was the cause of their massive breach. I won't go into a huge amount of detail about the proof of concept, but let's go over it a little bit. This is an example of just a regular vanilla web request. You've got normal looking headers there. Nothing special about it. But to differentiate that from the actual proof of concept that exploited this vulnerability, as you can tell in the Content-Type header, there's a little bit of variable parsing that goes into there. Even all the way down, you can find the payload mixed in there, and it's even checking whether it's cross-platform, right? It also checks
whether it's Windows or it's a Linux command prompt that they're going to be hitting, ensuring a lot more success, a higher success rate for the person exploiting the vulnerability. So here's a kind of look at the timeline of the attack across the internet, or attempts at attacks exploiting this vulnerability. It is thought that March 10th is when Equifax was actually breached. There's some discrepancy here. A couple different sources say 14th, 10th. There was some knowledge about the attack as early as the 6th, as Struts released a fix without any announcement of vulnerabilities being included at the time, although they reserved the CVE at that time. Another big one in recent news: is this true for anybody, experience with Drupal at all? PHP
framework, content management system, up there with the likes of WordPress and Joomla. These frameworks operate a significant chunk of the internet in the top million websites. As you can tell, Drupal doesn't have as large a market share as WordPress, but it's up there, and the vulnerability called Drupalgeddon
had the same situation as Equifax, where there was a race to exploit this across the internet by bad guys who wanted to weaponize the vulnerability. So another classic case of remote code execution, unauthenticated. You can see that this was, what, March 28th this year. Quickly after that, exploitation took right off. A quick look at the actual code responsible for it: so this is a web request to update some form elements on the back end of Drupal. There are some markup languages, there are some inputs that Drupal uses on the back end so that they can build forms dynamically. Here's an example of what a legitimate form would have been built like. Notice that the hashtag at the start of those
keys and those arrays are kind of where the input is used. Here's a look at exploitation of that vulnerability. So there's an exec command there. This is a very benign attempt at exploitation, but it kind of just demonstrates the proof of concept. And then you've got a smaller time span, zoomed in a little bit here, but as you can see, as the vulnerability was released, exploitation took off, went down a little bit, probably because some patches were going out, and kicked back up again. And these are attempts at exploitation, not necessarily successful. I want to touch on, so those are two open source projects, I wanted to touch on other software properties, things that are developed in-house by
companies themselves, and some research that I've done personally that resulted in similar disclosure paths. One of the big ones I found was with Verizon. I have Verizon Fios at home. They have a My Fios app. So I downloaded this from the Google Play Store and decided to take a look at it. Here's kind of what we're looking at. I installed the app, all the way on the left. I've got my phone. I put a proxy between the requests and responses over the Internet to watch those APIs as they interact with the web servers and database on the back end for Verizon. That's kind of just classic man in the middle, but it's a self man in
the middle, so I can view the traffic itself, right? Viewing that traffic, I was able to see a number of legitimate requests that went across the wire. One thing to note here: this was over HTTP, but that was not the source of the vulnerability itself. This is a look at the main widgets for the My Fios app as it loads. As you can see, the third widget has a mail preview functionality within the application. The request on the right is actually fetching the contents of the mailbox, so this is a legitimate API used by Verizon. You fetch actual Verizon emails into the widget to show the preview on the left, and also the full functionality once you click on that widget. Here's an example response from
that. As you can see, one of the last keys in that JSON array or object is the title for the actual widget on the left. It says, you know, important changes to your Verizon account, something like that.
I wanted to cover real quick that if you zoom in, it's hard to see over here, but if you look at some of the parameters in that case of the URL, you'll see a direct reference to UID equals my username, rwestergren05. This threw up a red flag to me, just because if you're writing these kinds of backend APIs, you know that authentication is passed in through the cookies, or even maybe the user info header down at the bottom. It should be inferred who the user is; they shouldn't need to be provided the username. So same case with the send email request. You'll notice in the payload at the bottom, there's a reference to a UID of who
is sending the email. All cases of this, all uses of this API within this application, were identified as insecure direct object references, right? So I put in my friend's email to see if I could get his email inbox, with his permission, and it worked perfectly. So I could have plugged in anybody's email address and gotten their emails and sent email on their behalf. Here's a quick proof of concept I put together for Verizon, so I could send it to him. The first line is just establishing, with valid credentials, the username and password of my Verizon account. Any valid Verizon account would have worked for this exploit. And then I'm building the same request that I showed you earlier. Instead of the UID
as mine, whatever the target username I put in. Anybody that we want to fetch their emails, we could have done this. And then the Python script just loops through the response and prints out the headers and the subject and all that. I sent this to Verizon, and blogged about it, blogged about my experience and the technical details of the bug. It did get some press. As you can tell, the journalists mainly focus on the negative, right? The fact that there was a vulnerability in the first place. The fact that anybody could have accessed these emails. While that's scary and true, I like to highlight this part, right? I had a great working relationship with Verizon. I'm not going
to read you the whole message that they wrote to me, but the last two lines, I appreciated them. I thought that was very positive. We appreciate the constructive and collaborative approach you took with us to solve a security challenge, working together for everyone's benefit. Finally, we have arranged for you to receive one year of Verizon service. So they didn't have to do that, and they didn't have to write an ICMO. I felt that was a good example of collaboration across the industry where there previously wasn't any. Verizon didn't exactly have a published responsible disclosure program, they didn't have a bug bounty program, but they still took the feedback and they didn't take offense at it. They took it seriously. Another
example I want to use is ad networks. Everyone hates ad networks, right? Because they make our web pages look like this, right? Hard to even get to the content these days. A guy ran an example called the million dollar web page; he's selling every pixel to make a piece of history, I guess this is his goal. But yeah, the ad network world is very interesting, and I still don't fully understand it. I think, I don't know if anybody truly understands it, but the way it works at a high level is you open a browser and you're going to a new site and you don't have an ad blocker on or anything; you're rendering ads. You are the client in the green right now. You're
hitting the website, CNN.com or whatever, and it goes,
their ad provider goes through a series of steps to bid the available inventory on their website at the moment. They take into account all kinds of nasty data that we know about today, including super cookies, things like that. But as you look, it goes through an exchange, demand services, and different ads that actually want to end up and buy the inventory on the website to land the ads. So I started playing with, learning more about the ads and how they work themselves. So if you're hosting, if you're a publisher on your website, your ad company may ask you to put a snippet of JavaScript on your main website. This usually encompasses the bidding logic that we saw a
couple slides earlier and facilitates the actual ad rendering on the website. I went through and started playing a little bit with ad networks, and started just by inserting a hash at the end. As we know, anything after the hash isn't sent to the server when you make a request, so I thought that was a good place to start, since it wouldn't interfere with anybody's server. It turns out a lot of these ad networks use the main website as a referer on the page, and this is passed through all those various networks before they end up rendering an ad on your site. Of course, this is cross-site scripting. I'm going to show you how this happened. But on the New York Post, I'm sure they
didn't want arbitrary JavaScript running on their, being able to be run on their site. This is kind of where that exploit came from. I don't know if you can see that; it's a lot of code there, but there is a lot of red, and then you see an escape out of that red, and there's a document.write that's actually trying to write and render the ad. The string is ended with a single quotation mark, and then arbitrary script can be run from there, right? It's a classic lack of sanitization. The same was true of Walmart, you know,
not Walmart's fault, it was not their problem exactly, but because they depended on ad providers who render ads on their behalf, it was their problem, right? I'm executing arbitrary JavaScript on this user's ad experience, and I can do whatever I want on that page now, right? So I can collect cookies, I can see if they happen to be logged in, taking a complete hijack of their account. Just another example of how this happened. Very similar, right? document.writes all over the place. Very nasty JavaScript. But you can see the main screen, and the main payload was escaped by a single quote and then arbitrary JavaScript that could have been inserted. So I inserted an alert, but a bad
guy could have embedded his own script to randomly run whatever kind of script he wanted on those sites. Disqus was another example where I came across this. They have a native ad system within Disqus, so you can kind of see sponsored posts and things like that. Very similar requests here. Again, these server side scripts, or engines, that were rendering these ads were not correctly parsing payloads after the hash, which are typically not sent to the server, and then not escaping single quotes; in some cases double quotes, in this case, single quotes. So we go back to this screen, and this kind of shows the fragmentation of the ad industry. Now if you guys came across this situation with random
ad providers, being unable to trace exactly where a payload came from, you might think that it's kind of like trying to disclose in a tornado, right? You just don't know where the requests are coming from, who rendered it, who's responsible for it, and it's really tough. So what I did is I just wrote a blog post about it. And it was picked up, and I was contacted by a couple of the top ad networks. AppNexus is one of them. Brian O'Kelley contacted me and we worked together on trying to solve this industry-wide, right? A lot more about the ad industry. I knew about the security issues that were going on across the ad industry.
He emailed me directly. We talked about it, and he helped me get this issue solved industry-wide. I don't know all the contacts in the various ad networks. He was able to push that and get it fixed for me. Another example, I bring this up, this is a blog post he wrote after the situation, and he's mainly just discussing the issue itself and how, working together, the ad industry can be improved from a security standpoint. So another example: public sector apps. This is a local example I like to bring up. New Castle County here
started a, or purchased a subscription to
a button called, a panic button called Rapid, what is it? Rapid? No, Rave, Rave, Rave, yeah, right. Rave Panic Button. Very interesting, because this app was resold to many municipalities across the U.S., and not just used by or developed by New Castle County. The Rave was right in front of me. So it kind of works like this. On-site premises, hospitals, schools are able to presumably interact with 911 much faster. They share floor plans, they share phone numbers, personnel, things like that. They securely provide critical site information for responders; that is their main mission. So I did the same thing, I downloaded the app. I wasn't the usual user of that app, simply because I'm not a school or hospital or anything like
that. But I did sit in the middle of the traffic and try to proxy it also. As soon as I spun it up, I saw a request like this. This stuck out as a red flag immediately, just because you can see the authorization header. That was global. So there was one username and password for the app globally. This was static in the app, and all requests were made this way. So as you can probably guess, if everyone in this room downloaded it and put in their own information, you could mimic these requests and access all the information within the entire system.
Example of some of the data that was returned from the previous request. This just happened to be a PIN reset. The app didn't look particularly heavily used at that point; I think it was still new. But again, I worked with the industry on that, and I contacted them and I let them know. I didn't write that, but I blogged about it, and I interacted with the company. I told them my concerns, they took it seriously, and I thought it was another good story. I also put together the technical description of the problem, blogged about it, and it got some attention that I think was well deserved. Even though it's a joke that this happened in the first place, it's good
that it was taken seriously and it was remediated. Internet of Things. I like this one. OutdoorLink is a developer of outdoor lighting systems. So think billboards on the highway, and they have lighting systems. These aren't the digital billboards that are actually LED or anything like that. They are static billboards retrofitted with these outdoor lights, and they actually have remote control systems built into them. They had an app. I drove by a billboard one night and I had this idea: I wonder how those are controlled. Turns out SmartLink is a solution just for that. But I didn't have a login or password. I still wanted to poke around, so I decompiled the app itself, right? Looked around, looked for the API requests,
and boy did I find them, right? If you can see the get customer list method in that Java there, that actually runs in the Android application, you don't see any hint of authentication whatsoever, right? There's just generic requests to make this, and I find this pretty often, just because I think what happens is developers don't think that these requests will be seen, right? Simply because they're made by the phone. They're not very public. You have to do a little digging to see them, sometimes install your own root certificate to proxy the requests. But in general they're not seen by the everyday user. So I opened up a shell on Android and I set a breakpoint in the do login process. I attempted to login and
I saw this request go across the wire, right? Actually, once I stopped it, I manually ran the get customer list, and all the customers were returned without any other authentication whatsoever. So you can see there's a lot of information that could have been abused in the system. This is one, I think this is a demo account, but all the structures that were managed by this account... And so any user could have manually gone through the system and taken ownership of all these structures, any company's billboard, and really turned off all the lights, right? I presume billing information and other things would have been in there. Also on the web server, the main web server for the APIs, directory
listing was enabled, and there were all kinds of logs on there. You can see the logs were open. There were literally usernames and passwords within the log files on the public web server, sitting with directory listing enabled. So once again, I contacted OutdoorLink and we worked together on it. Stuff happens, and working with these guys instead of berating them on Twitter or something ended up being a more positive experience, right? I won't go through the entire process, but what ended up happening was the vendor turned off the old API. They were creating a new one anyway, and they phased that out and went with a properly authenticated and authorized, an authorization framework.
so looking forward The industry, I think, tends to be improving. You're seeing a wider acceptance of bug bounty programs all over the place. I showed you a few examples where even those that don't have bug bounty programs or coordinated disclosure processes publicly established, they're still willing to work on security problems. The Department of Defense is expanding their bug bounty programs. I mean, this is huge stuff. FACS figures from Bug Crowd, one of the larger bug bounty programs you can see just year over year rapid increase in adoption and researcher payouts.
Again this is a breakdown by industry. I find this very interesting just the amount of industries that are outside of technology that are adopting these programs. I mean healthcare, government, these are areas that we particularly thought that the was not a priority and maybe it still needs a lot of work but trending well right these guys are starting to start bug bounty programs it's unheard of another good example of moving forward is a security.txt this is an RFC still in draft the goal is to standardize coordinated disclosure programs so if you don't want to operate a bug bounty program that's fine is that all organizations should have a published security contact right and this this kind of
codifies that as you can see the the main goal here is to define a standard by which organizations will describe the process to interact with independent security researchers here's an example of security.txt file very simple right just the contact this happens to be they have a hacker one profile PGP key anything that would be relevant and and you can go through our RC to find more details about that standard still room for improvement I think that developers need to continue to get better about security I think it starts with developers and they need to be concerned about this guy right not the gloves or the or the two keyboards a typing on but the attempt at
exploiting whatever he builds. Because in the end, it's all of us that are responsible. Thanks.
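The security.txt file the speaker shows is simple enough that a defender can check their own copy mechanically. The following is an added example, not code from the talk or from the RFC's authors: a small parser and checker for the "Field: value" format, with a constructed sample file modelled on the one described (a HackerOne profile as a Contact and a PGP key location). It assumes the field names Contact and Encryption from the draft, requires at least one Contact, and treats Contact values as mailto:, https: or tel: URIs as the published RFC does, so a bare e-mail address from the older draft style is flagged.

```python
"""Minimal security.txt parser and checker (added example, not from the talk).

Assumptions: one "Field: value" per line, "#" starts a comment, at least one
Contact field is required, and Contact values are mailto:/https:/tel: URIs.
The sample file below is constructed for this example.
"""
from urllib.parse import urlparse

# Constructed sample, modelled on the file shown in the talk (hypothetical values)
SAMPLE = """\
# Constructed security.txt for example.com
Contact: mailto:security@example.com
Contact: https://hackerone.com/example
Encryption: https://example.com/pgp-key.txt
"""

ALLOWED_CONTACT_SCHEMES = {"mailto", "https", "tel"}


def parse_security_txt(text):
    """Return a dict of lower-cased field name -> list of values, in file order."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text):
    """Return a list of problems; an empty list means the basic checks pass."""
    problems = []
    fields = parse_security_txt(text)
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for value in contacts:
        # A bare address such as security@example.com has no scheme and is flagged
        scheme = urlparse(value).scheme.lower()
        if scheme not in ALLOWED_CONTACT_SCHEMES:
            problems.append(f"Contact value is not a mailto:/https:/tel: URI: {value}")
    for value in fields.get("encryption", []):
        # The key location should be fetched over TLS so it cannot be swapped in transit
        if urlparse(value).scheme.lower() != "https":
            problems.append(f"Encryption key location should be https: {value}")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE) or ["ok"]:
        print(problem)
```

Running the block against the constructed sample prints "ok"; feeding it a file without a Contact line, or with a bare e-mail address, returns the corresponding problem strings instead.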
Any questions? Sure.
Well, I think they're the same term. I think that's what I was trying to say. Responsible disclosure is an older term; I think they mean the same thing, in my view. "Responsible" just being replaced with "coordinated" means your "responsible" isn't different than mine. We don't have to argue about what responsible means. Some people think if a vendor hasn't resolved a vulnerability in 90 days, then it's automatically full disclosure. No ifs, ands, or buts. There may be edge cases where 90 days doesn't exactly make sense, or it's hard to update a product. There are a million reasons out there, I think.
I think that's where the agreement... every situation is different. I've had to get into situations that are a little bit nasty, where I had to threaten full disclosure. I never really wanted to, but I've had to threaten it a little bit. Each situation is different, I think. I find that, uniquely because I'm a developer, I can argue with developers, because I know what it takes to fix an issue. It's a little bit harder if you're not familiar with the backend engineering that goes into a given vulnerability. But in general, I think that you can't pressure them, you know; the extreme is unacceptable, right? You can't not patch a vulnerability in a year, or you can't expect that a couple of business days is enough for the development cycle. So I think each situation is different.
I think that's between the researcher and that company.
If it's patched, I don't think that it... again, it depends on what kind of software this is. If it's just a SaaS solution or something like that, I think once there's been a good conversation about the validity of the patch... I think in many instances I've written a blog about the technical details of an issue but not necessarily said, are you okay with me disclosing this issue? I think that's one of the advantages of being independent: you're not exactly looking for their approval all the time, right? You're working with them, but I don't think it's fair to say, don't tell anyone that you did this, because I didn't enter into any agreement with you, you know, not to do so.
Up to you and how the process went, right? I think I did, I can't remember exactly, but I think I did mention to Verizon, hey, I'm publishing this. Didn't ask, but I said, yeah, I'm writing a blog about it, not to ridicule you but more to document the technical details behind it. I will talk about it, and I did like the experience with them, things like that. Full disclosure? Yep.
That's what I view as the responsible or coordinated approach. I've never done full disclosure. I understand people that do. I'm not knocking it. Everyone has their reasons. I may not agree all the time. Again, it's a researcher by researcher, vulnerability by vulnerability kind of situation, I think.
Both. I like them both. I think HackerOne is a little bit more incentivizing in that they have some leaderboards, and maybe Bugcrowd is doing this too, but HackerOne has some interesting things. Like when a company is not giving away swag or monetary prizes, they have a unique system that gives points to developers, and they kind of fight each other for rank. It kind of puts a game around it instead of doing it for, you know, a t-shirt or whatever. Oh, right, okay.
Yep.
Mm-hmm. Oh, yeah. Yep. I remember that one, too. Yep. Yep. Yeah. Security is hard. I think everyone in this room knows that. It's easy to get wrong. Some of the stuff I find, I agree with you, is surprising. It's kind of low-hanging fruit, the first thing you would look at as an adversary. So it is surprising. I think all we can do is work on it and work on developer education.
Is that it? Thanks, guys.
I actually sat in on calls with you. No kidding. Okay. Oh, nice. Okay. So I just wanted to say thanks. I mean, at the time there was a bunch of us on the call, but I appreciate the work you do. Yeah, yeah. Awesome, man. I was glad to hear that. It was kind of funny. Like, there were those in a community... Yes. Okay. And there were some people that went in and they were panicking a bit. Can I ask what? Oh, okay. Yeah, yeah, I remember that one. Yeah, yeah. But it was a little discussion that kicked off with some... I'm getting, yeah. Right, right, right. And they actually did. Yeah. I think we had a gift
card or something. Yeah, yeah. That's awesome. It's another great example. I wish I could go on with those examples all day. I think the culture is... I've seen your site. Oh, OK. Awesome. Thanks, man. I think the culture is just changing dramatically. I think that was another great example. Like, why don't we just all work together? Don't throw me in jail, and I won't do nasty things to your site, right? Just a meet-in-the-middle approach, and I think it's getting better out there. Yeah, slowly. Certainly those programs, I think, help raise awareness around stuff like that. Sure, yep, yep, absolutely. Anyway, I always figured I'd run into you at one of these conferences, so I wanted to say hi. What was your name? David
Bell. Nice to meet you. Cool. Thanks again. Alright, thanks, buddy. "We don't like you now." Yeah, yeah, yeah, yeah. Luckily I haven't come across that yet, but I was like, oh man, you've done that four times. Someone's on you, someone's around here.
Good to go. Good afternoon. Thank you.
So I'm here to tell you a little bit about the history of e-waste recycling, which actually goes back to just after World War II. Believe it or not, most people think it's a much more recent thing, bringing to mind the picture of the steaming heaps of e-waste. But after World War II, the military had tons and tons and tons of equipment left in the South Pacific which wasn't returned to the US, including ships.
So Taiwan, at that point, was kind of the China of today. It was a poor country in Southeast Asia. They started taking the ships and all this other material that was left from the war and started processing it for content, mostly at that point for the steel, but there was also copper, and there was gold and platinum and palladium in the radio equipment, microwave radar, etc. So it turned into quite a bustling industry, both for the metal content and, as time went on,
for materials also. Both the steel, which they would cut up and send to other countries or use locally, and it grew into recovering not only the metals but pieces and parts of the radios, navigation equipment, cable, etc. Kind of mom-and-pop shops and some larger industries. But
pollution became an issue, and also labor issues. The government decided it was going to crack down on this and started passing regulations. And also, as their economy grew and turned into a more viable economy, labor costs were rising at the same time. What happened was
these processors essentially got, for lack of a better word, forced out of Taiwan. And they were looking for another place where labor was cheaper and regulation was less onerous. So in the late 80s and early 90s, quite a few Taiwanese who owned these scrap companies went to China, both in the Pearl River Delta, the Guangdong area, and the Shanghai area, and set up shop for the cheap labor, the lack of regulation, and also because China had begun to become a big exporter. China has essentially no copper of their own. They're a net importer of copper. So to them, again, at that point being a poor country with tons of labor but not much money, they didn't want to go and buy LME copper cathode
on the open market when they could buy low-grade scrap that required a lot of labor to recover that copper.
At about that point was when the telecoms were switching out from the old mechanical switching to the current digital switching. The old mechanical switches were immense in the amount of metal that was in them. Each 10,000 line switch contained, apart from the steel, just in the relays and the circuit boards, probably 100 tons for every 10,000 lines. So you start figuring that out worldwide, it's just an immense amount of material, and it required a tremendous amount of labor to process it. So the material coming out of Europe, labor was expensive there, it got shipped to China. The material coming out of the United States, same thing, got shipped to China. And even in South
America, where labor was marginally cheaper than here, it was still more economical to send to China. So millions of tons of telecom scrap got sent to China, which essentially is what got China really set in the US business. There were scrupulous operators, and I spent many years going over there every year and kind of auditing the places that I sent material to. There were unscrupulous operators who had import permits but really had no facilities, and they would essentially import material and literally just take the container out in the street and open the back doors and just auction it off to literally people with wheelbarrows. I've seen it with my own eyes. This is where the bad reputation from China for the pollution came from, because the people that were buying it
this way, they were just subsistence peasants who probably had no concept of the environment. They were just processing this to make a day's pay. The legal operators, unfortunately, had to compete price-wise with this. So it was difficult, but they did it. And of course, along with that, China was famous for bribery. So the entire system was based on paying officials to get the permits and to get the quotas and to pass inspections and just to stay in business.
Around 2000, just like Taiwan, the Chinese got tired of the pollution and labor exploitation, and incrementally they started closing off the markets for particular things. CRTs were the first item that they banned. As time went on, they didn't really ban other items for a while, but what they did... there used to be a big market for what was the catch-all called mixed metal scrap, and people would just throw literally a pile of anything in the container and send it off, and they would bury in that pile hazardous waste, you know, whatever. So what the government did is say, okay, there is no more mixed metal scrap. Now you can't send more than two types of commodities in a container.
It could be circuit boards, it could be motors, but you couldn't just throw whatever in there. So what happened at that point was people started sending this material to Hong Kong, and it would go up to the northern territories of Hong Kong, and then literally, like ants, the stuff was carried across the border into China and processed. This is a picture I actually took myself up in the Northern Territories, with Shenzhen in the background. And they were carrying this stuff in sacks on their backs for years. Eventually,
that was stopped, but that was only very recently. We're talking in the last couple of years. They really stopped all importation of waste into China. So, backing up a little bit, what else has been happening with this? Both the US and Europe have passed producer responsibility laws that require the producers of equipment to pay fees to recycle it. In Europe, it's EU-wide, but in the United States, it's on a state-by-state basis. So there's still a lot of equipment from the US that's not going to
where it's supposed to go. This is a picture of a pilot project that I did for the state of Maine before they wrote the law. They wanted to see what was actually collected, whose materials, and how it would actually work.
This is how the producer responsibility law is supposed to work. Some states have it where the collector actually has to audit every piece of equipment, make, model, serial number, send it back to the manufacturer to verify, and then they get paid based on that report. A pretty cumbersome system. And of course, the producers have an incentive to reject claims. The European system is a little more functional in that they will have different collectors audit their streams, maybe for a few weeks a year, or on a rolling basis, and take those averages. The government actually bills the producers based on those figures. So it's not quite as costly for the people that are doing the collection to get paid. And so there's an
incentive to collect the materials.
As of now, still only half of the states have some type of law. It's all over the place. There's nothing unified. And unfortunately, the US and a few other small countries in the world have not signed the Basel Convention, which, I don't know if you're familiar with it, is a UN treaty on the transboundary movement of hazardous waste. And while it's a treaty, like other treaties, when you sign it you've also reserved the right to modify it for your own country. You can't make it less strict, but you can make it more strict. So kind of like what's happened in the United States, while people say, well, yes, we comply with the Basel Convention, it's still
difficult to send material from one country to another. For example, to use Colombia as an example, you can send from Colombia to the EU. You can send circuit boards to a smelter there, and all it requires is what they call an Annex VII notification. It's a piece of paper that travels with the shipments. You don't need a permit. It's perfectly fine, because the circuit boards are what's called a green list material, but they are listed on the Basel Convention. Other countries, for example, Chile: you want to send circuit boards to the EU, you have to get a contract with the smelter for a year.
Then the smelter has to contact the competent authority in Chile to verify that you are a licensed recycler. And then that authority in Chile has to get the authority in the EU to verify that, yes, the smelter is a licensed authority. And this can take anywhere from weeks to months. The only exception to this is the OECD countries; even if they are Basel, they have the free movement of these materials.
This is a 2017 map, but it's indicative of what's happening today. When the materials stopped going to Hong Kong and being smuggled into China,
there was still a need to do something with these materials. And they started going to Thailand, to Vietnam, to Malaysia, Indonesia. A lot of the same Taiwanese that had the companies in China are trying to open companies in these countries. In this day and age, it's not working out, because these countries, while they may be corrupt, they've seen what's happened in Taiwan, in China, in some African countries. So they're being very cautious. There's not a lot of material going. I know a lot of these processors. It's not like the floodgates have opened. It's very difficult to send material. At the end of the day, what's happened is it's come to the point where, even with expensive,
relatively expensive labor, it's worthwhile to actually process material on a local level, because you're avoiding shipping costs all around the world, which have become expensive. The commodities have dropped, so the incentive to send it somewhere else for a high price... and the buyers are not paying much because they're having to pay so much in bribes, and the thought of building a new factory is expensive, so there's just not the demand for it. The last 10 years or so, I've spent a lot of time in Latin America setting up responsible recyclers in every country in Latin America. This is one in Guadalajara that dismantles the equipment
and sends it on to its proper destinations. This was in 2011, but they're still in business; they're making a profit. There's one in Colombia that I set up even earlier than that, the largest recycler in Colombia to this day. They've got 125 employees; they're making a good profit. There's one in Panama, Brazil. These companies are all making money doing this. In the United States now, when China shut off everything this past year, companies here now are actually starting to process the material themselves. There's two... this is a little diversion here, but in the EU they call scrap WEEE, waste electrical and electronic equipment, which includes everything, including vacuum cleaners and toasters, all the way up to
telecom and IT equipment. They've also passed the thing, you've probably seen that on equipment, it says RoHS. It's a standard. It's not worldwide, it's a European standard. Kind of like the California regulations here, it kind of forced the hand of manufacturers worldwide to use lead-free solder, to not have mercury in switches, to limit the use of cadmium and chromium and flame retardants in the plastics. Because, you know, it has to be RoHS certified to be able to sell it in the EU. Part of that also made equipment a little bit easier to dismantle. Fewer screws, plastic which was marked, which was a big plus, because for many years the plastic didn't have the number on it. A lot of this
plastic would go to China, and they would literally have people burning little pieces of it and smelling the fumes to tell what kind of plastic it was. Yeah, it seems unbelievable, but it's true. So all these things have helped. CRTs were, and to a diminishing degree now are, one of the biggest issues in the industry: A, just because of the sheer volume of them, and B, because of the lead content of the glass. See on the chart there, some of the glass, the back part of it, contained by weight up to around 25% lead. So although it wasn't the heaviest part of the monitor, the front part, the panel, was
the heaviest part. So a lot of systems were developed to process these. We cut the front off, then you just had plain glass that could be crushed up and used as an aggregate. The remaining part had a high enough lead content that it could actually get sent to lead smelters; they used it as a flux and could recover the lead.
This was a system I worked on; I worked for Sims Recycling for a few years in the not too distant past. They built a huge plant up in Canada just to process monitors, to separate them. They didn't cut the glass off; they just crushed it up and had good dust collection. They were very careful about contamination. They crushed it up and they used XRF, X-ray fluorescence technology. As the glass passed over sensors and air jets, it would actually separate the two types of glass, and a magnet would mag off the shadow mask and the electron gun. So while it worked very well, it was a very expensive system. This was built particularly for the Canadian market because they had a pretty strict
law, but the government-set rates were not sufficient to cover the costs of this. And so after two or three years, this was probably a four million dollar plant that they had to shut down and dismantle, because it couldn't even break even with the rates that were specified by the government.
Yes. Yeah. Well, I mean, it's, yeah. So that was in... Right. Right. I mean, while it worked, there were some issues. I mean, it was difficult if you threw in TVs that had wooden casings. But still, you had to do something with it. And what's ended up happening, and I'm sure you've all seen in the news or trade journals, is that the unscrupulous people are really the ones who have taken most of this material. Because no matter what you do, there's a charge. There's a cost to get rid of this, regardless of whether the lead has any value or anything. Electronics did have some minimal value. But at the
end of the day, it cost at least 10 cents a pound to get rid of a monitor or a TV. So even your basic 15 or 17 inch CRT is going to weigh 25 or 30 pounds; that's two or three dollars plus the freight to get rid of it. The unscrupulous operators would say, well, we'll take it for free, or we're only going to charge you five cents, or, you know, less than the going rate to do it. So what would they do? They would rent an old warehouse, they would bring this material in, they would strip out the degaussing coil, which is a copper coil, they would strip out the electron gun, they would strip out the
circuitry, which in these cases is really not worth much, but it's worth something. And then when they filled up the 250,000 square foot warehouse to the roof with leaded glass, they would just beat feet and leave the landlord with it
on his hands. I mean, this happened over and over and over and over again. And within the last year, there was, I believe it was in Kentucky, one company that, I mean, it seems like science fiction, but this was a real company that supposedly was doing the right thing. They rented an excavator in the owner's name. They took it out to a piece of land that he owned somewhere in the woods, dug a giant pit and buried hundreds of tons of monitors. Hello? And then he was surprised when he got caught, with his name all over it.
So there's two ways of processing this material. You can take everything apart by hand, screw by screw, like they're doing upstairs in the spawn camp, which is really, in my view, the preferred method, because you really recover everything and you're supplying employment to somebody at some level. The other system is these giant shredding machines, which, again, when I worked for Sims, I actually managed a plant in Australia that had, it wasn't this machine, but essentially the same machine: 400 horsepower shredders that will shred the material down to more or less a three-quarter inch particle size. And I mean, you couldn't throw an engine block in there, but you could throw this podium in there, you
could throw the chair, you could throw a photocopy machine, whatever, and it'll eat up about eight, 16,000, 20,000 pounds an hour of whatever goes in there.
Ferrous material gets taken off by a magnet. Nominally, there's still some plastic or copper attached to it. There's a little picking line where you've got a couple of people that will pull that off, and it'll get reprocessed. The screen that it goes over then is about a quarter of an inch, and the fine material goes through. It's going to be mostly glass, wood, things that got pulverized very easily, and some copper; the fine cables would go through. Hopefully you get copper recovery from that. The rest of the material goes up to what's called an eddy current magnetic separator. It's a rotating magnetic field which, rather than attracting, works on the concept of a
transformer: it actually induces a current in non-ferrous metals such as aluminum and copper. It actually repels these, and because they're dissimilar metals, it repels them at different rates. So it depends on the speed of the belt that feeds it, the rotational speed of the magnet, and where you put a splitter. So you have this stream coming off here, it hits this rotor, and it repels it. The aluminum will fly further, and you adjust your splitter so the aluminum goes this side and the copper goes this side, and with the third splitter the plastic and circuit boards fall down. They just fall down; they don't get repelled. Now that material contains plastic and circuit boards, nominally, what's left. It goes to another belt that's probably
five or six feet wide that has induction coils, very small ones, all the way across, probably 100 across a 5-6 foot wide belt. The circuit board goes across there; it has metal in it, even if it's a small amount of gold, copper, whatever. It senses that, and at the end of the belt it's timed such that if it detects metal back at 3 feet, there's another air jet that will blow that piece one way, and then all the plastics fall off. So now we've pulled out everything but the plastics. You've got circuit boards that can go for recovery, and I'll explain that in a minute. The plastics then went on to another XRF machine, which would sort it by composition, and then to optical sorting
that would sort it by color. But at the end of the day, all of these streams were... you know, it's not a perfect system. The circuit board part worked fairly well. The fines mostly had no value. The plastic part worked well up until a few years ago, when oil prices were low and you couldn't compete with virgin materials, because it was too difficult to get rid of the contamination. And even 1% contamination in plastic makes it not suitable for reprocessing.
Plastics melt at different temperatures, so if you've got one type mixed with another and you try to put it through the extruding machine, or it's got other metallic components, it jams up the machine, and then you've got a hundred thousand dollar machine you've got to completely tear apart. So this is the basic theme of the shredding system.
Those are the outputs that would come out of it.
This is a scheme of how, hopefully, the best use of recycling would be, where you actually reuse material that comes in. So if you've got computers, if you've got routers, you've got telecom equipment that's still viable to sell as spare parts to companies that still have legacy equipment. If that's not feasible, you can still pull out memory or processors or other equipment for spare parts, and then what's left over goes either to dismantling or shredding. The circuit boards... there's only very few places in the world that actually process circuit boards. They're what's called secondary copper smelters, of which there's none in the US. There's one in Canada, that's Miranda.
There's three in Japan, there's two in Germany, there's one in Belgium, and there's one in Sweden. That's really it for the entire world. These circuit boards go there;
they burn them with natural gas in a completely closed, reducing atmosphere so as not to make oxides. They get rid of the organic compounds and scrub the gases. They're all very tightly regulated. What's left over is essentially the metallic components. They'll take off with a magnet any steel. The residue goes into their smelter. It gets mixed with copper ore and/or copper scrap to make copper anode. And then it goes to what they call a tank house, where they electrolytically refine the copper to make copper cathode, which is kind of the standard 99.999% pure copper.
The precious metals that had been in the circuit board now fall out of that into the bottom of the bath, and they're taken to a laboratory where, with acids and reagents, they can extract the precious metals.
That's what I know about electronics recycling to date.
Any questions?
I'd say that at this point there's probably very little that's actually getting to landfills. There's still a significant amount that's not being properly disposed of. There are still people, both in the United States, not so much in Europe because they've got a unified scheme, but certainly Southeast Asia,
where material is still processed kind of on an ad hoc basis, and people will extract, you know, the valuable part and just chuck out the plastics or things that have no economic value. But I mean, things are definitely improving. There is nominally a value in everything, even the plastics, if you take the time to do it correctly. So, you know, even while you're reading in the papers today that they're giving up on recycling and it's not worth it and everything, the real fact is that even though the plastics may not pay anymore... they were used to selling the plastics for X per ton, right? And now they're saying,
well, we'll take the plastics, but we can't pay you anything for it. So people say, oh, I don't want to do that. But the fact is, you have to do something with it. So if you have a company that's willing to take it for free and can actually make a product out of it, it's still a better economic value for everybody than paying something to put it in the landfill. It's pretty hard to get across. When people are used to getting paid anything nominally for something, the minute there's a cost to it, they throw up their hands. But worldwide, things are really improving. And with this thing with China in the last year, not only did they stop taking e-waste years ago, with
things still being smuggled in, they really stopped it now. When they stopped taking corrugated paper, office paper, they just stopped taking everything.
And the reason that they did this was, while they've made strides in managing the corruption in China, it's kind of so ingrained that there was still material being smuggled in. And the government just finally said, you know what?
Just like what happened in Taiwan, their economy grew enough that, while it's still not comparable to the US, the standard of living is such that they don't feel compelled to provide these low wage, meaningful jobs to everybody. The manufacturing sector has picked up; the rule of law, while to us it may still seem pretty rudimentary, is a lot better than it was. So they weren't compelled to get this low wage, low grade, polluting material, and people were and are rising up about the pollution and the corruption. So for the Communist Party to stay in power, you know, while they are the power, they still nominally listen to what people are saying and take it into account, I
think.
And I mean, I've dealt with all the Fortune 500 companies, so I won't name any names, but while they all make a big show of how green they are and how their suppliers are, and blah blah blah, at the end of the day, all of them, rather than have any of their prints... if they have a manufacturing overrun at the end of the... they release a new product, right? A new router, a new switch, a new phone, whatever it is. Rather than sell those phones, say, into a third world country or, you know... No. Absolutely not. They will send it to a company like Sims Recycling for guaranteed
destruction. Brand new boxed product that they now have to pay somebody to take out of the box, you know, throw away all the little, you know, open up all the little bitty bags of screws and power, you know, all these things, and absolutely forbid any reuse of this material just to protect their brand and their profits. So, I mean, while I understand their rationale, it still grates on me.
It's a hard pill to swallow when you're in business, but when the customer says this is what you have to do, and you want that business, you want HP's business, you want Apple's, you want Microsoft's, this is what you gotta do.
Yes, actually, just this past month, within the last 30 days,
court cases going on for a number of years about the
comes down to reuse, but it's really about repairing, the right to repair your own equipment. A lot of companies, Apple being one of the biggest offenders, basically would void your warranty if you worked on it or put in a third party part. But there was also big, I mean John Deere, a lot of other big companies, even cars, now that there's so much, your car is run by a computer. So if you try to go in and change the parameters on that computer, before, they were saying this is a violation of our terms of service and our agreement: you bought the car, but it's not really yours, just like you bought an iPhone, but it's not really yours. The court just decided that
they can't do that. That you now have the right to repair your equipment, they cannot void your warranty, and I haven't read the full thing, but it appears that they're going to actually, you know, they can't deny you access to the repair manuals and to, you know, the things to enable you to fix it. Now they probably can charge for it. I'm sure you're not going to be able to download PDFs of everything you want for free, but at least that's moving in the right direction. Oh, the separation? Okay. So, again, having run this plant in Sydney for six months, what I came to learn is
the manufacturers of the equipment will tell you, oh yeah, just take a bucket loader and this big pile of whatever and throw it in there, and just magically all these different things come out. Well, you know, it doesn't really work. What works is if you triage the stuff to do a couple of things. One is to segregate it by type. In other words, if you've got all the photocopiers over here, and wait until you have 100 tons of photocopiers, routers, things that contain precious metals, then for those things it's nominally worth it to open them up and take off whatever steel and plastic, whatever extraneous stuff you can easily, before you throw it in. Two reasons. One is
it's taking up the value of the machine to grind up things that have no value, essentially. Number two is the real recovery on all this. I mean, the value is you get a little bit out of the copper and aluminum, but the real value of any of these recovering things is the precious metals. As you probably all know, precious metals are soft: gold, silver, platinum, palladium. So what happens when you run it through a shredder, it's grinding all the stuff up, it wipes off the gold, the silver, and stuff onto the other components. Just throw a whole PC in there, you're going to lose 30 to 35 percent of the precious metal content on the steel, aluminum and plastic, because it's gone. There's no
way to recover it. So while there's a nominal cost to pre-processing it, you more than recover that at the other end. So
and you know, even when I ran this plant, it was eight years ago now,
companies are resistant to put that labor into it, because you're competing against exporting the stuff to a country where they're going to process it. So you're looking at, well, if we just run it through the shredder, we're still going to get X, and we're still going to be ahead of, if we put the labor into it, we're either going to be behind or not really gain anything. Now the market has changed, where you can't just willy-nilly ship this. There is no, you know, for this stuff anymore. So I think it is, you know, I think that this type of machinery is going to become more valuable and more, I mean, it is productive, but you've got to put some effort into it to get a good
product out of it. And now it's becoming, I think, economically viable to do that in countries where the labor cost is higher.
of it has to do with knowledge and training. My experience is that if you have the knowledge of what's really worthwhile in products and you take the time to train people and pay them enough to stick around, that is probably the best solution. Because, again, it provides wages. The problem with the big machines is, they require big volume, and you're talking about, you know, a several million dollar investment, and they use significant, you can imagine a 400 horsepower motor running, you know, eight or ten hours a day, and the maintenance. So I'm seeing quite a resurgence worldwide, not just, you know, of physically taking things apart by hand, which to me
is a good thing, because when you're taking it apart by hand, now you're also recovering some more reusable products out of it. Instead of losing a piece of memory that may be valuable, now that's coming back to the market. Now, you know, a lot of this stuff, the prices of new stuff are so cheap that a lot of things that you want to reuse, by the time you take it out and test it and all these things, it's nominal, but at least you have the opportunity.
All good. Thanks, thanks for your time and attention.
The highest, when you talk about recycling, people always think about just grinding stuff up or turning. I think it was Mother Jones. This was years and years and years and years ago was recycling is just turning one piece of worthless crap into another piece of worthless crap in most people's concept. But if you can actually reuse it once or twice, that's really a much higher level of recycling.
No, I don't think so. They'll use it with a cracked screen.
Because a replacement screen cost is the equivalent of a used phone. So there's no incentive to, unless you fix the...
Yeah.
I think that's what's going to
do. No, no. No. It's going to lower. Yeah. No, I mean, I agree on it. But I think what it's also going to do is it's going to force the companies that make the phones to keep their prices more in check. Because now,
if they keep a phone at $1,000, and you can fix your phone for $50 instead of $400, to keep selling phones they're going to have to make it more attractive to do it. And to your question of whether people are going to do it or not, I think, you know, nothing like that is going to change overnight. It's the same as, like, recycling, seat belts, any of these things, kind of more or less social changes. It's incremental. It's education.
The RoHS standard, supposedly, you know. Well, I mean, look, it did put the numbers on plastics.
It did make things a little bit easier to take apart. Look, industry still has a hand in challenging any, you know, regulation. So there's a balance between what would be, from our perspective, the best of all worlds and what a company needs to stay in business.
I've ever taken a battery. Yeah.
Yes, that works. I never really discussed it. Find out in a second. This laptop has an amazing battery life, except when I'm presenting. Oh, I'm right. And for some reason, when I'm presenting, it dies. If you could wear this, this is just for recording purposes. Yep, and I'm going to put this in airplane mode so it doesn't...
Yeah, it's a good plan. And then...
talk. Blah, blah, blah. Is that mud troop in front of everybody? Nope. Not doing it. Not doing it.
How you doing? That's good.
That's good. It's like a conditioning vent that has blinky lights in it. I know that's not what it is, but it looks like that from here. So how's everybody doing today? I'm not started yet, I'm still before my time. I just, you know, I always feel stupid standing up staring at people like, Hi. You know what I mean? Hey. How you been? It's been so long since I talked to you. Yeah.
I don't know any good information about anything. Yeah, yeah. As a matter of fact, I'm gonna speak for 50 minutes on bullshit. Yeah, this is a social engineering exercise. See how long it takes. Right, well no, it's not bad, it's just made up. The question is do I make it up well, right? To walk out, yeah, totally. There's a red line?
Like this. I... So I'm going to stay back here.
That's on purpose. I purposely... I did some OSINT, found out the color of the carpet in the room, bought those shoes, dirtied them up so they looked like I'd had them for years, and wore them. Yeah, totally. This is my hover ankles. I think so. It works. I am so sorry.
crack pipes come to me. I don't know what you're talking about.
I haven't thought about that talk in forever. Oh my god. That is awesome. That is awesome.
I had a slide that had a crack pipe and we got somebody to... Right, but we had somebody photoshop a logo on a crack pipe, because Adobe at that time was the crack for security. Yeah. OK, I guess I should get started, be on time, and all that kind of stuff, you know. According to my watch. I don't know about your watch. Right? I need a Fitbit, because I'm immediately healthier the minute I put a Fitbit on. Right? Because yeah, it's kind of like my standing desk. I got a standing desk, so I immediately lost weight. I didn't really, but I felt like I did. So that's how you do health things. It's kind of like a CrossFit. You know how to
find out if somebody does CrossFit? Exactly. What I want to see is vegan CrossFitters, right? What do they talk about? I don't know. But good afternoon, everybody. I'm Kevin Johnson. Now I feel trapped behind this red line. I don't know where to go. Don't go all the way up here like this. Okay.
Thanks. I suck anyways. So good morning, afternoon, something. Welcome to Delaware? Delaware, right? Oh, wow. I was in a...
No, it's not that I... I like Delaware. Every time I've come to Delaware, it's been very nice. One of the best things about Delaware, I get to see Josh and Janice. This is a good reason to come to Delaware. So, I'm Kevin Johnson. I'm not that excited about being Kevin Johnson. I've been Kevin for 45 years. Kevin Johnson for 18 less than that. We're gonna talk about bacon. I personally think bacon is awesome. And I know not everybody agrees. I actually have a consultant that works for me, and she doesn't like bacon. Her excuse is that it gives more bacon for everybody else. I've told her she's wrong. I actually have another friend who is vegan but eats bacon. And I've tried to explain to them that
that means they're not vegan. And they're like, but it's bacon, and I can't argue with that. So, you know, it's just the way it is. The funny part with that is I had the conversation with them, like, do you eat pork chops? They're like, no, I'm vegan. And I'm like, so you kill a pig and only eat the delicious part. That seems bad. That seems worse than... I don't know. So we're going to talk about all the bacon. A little bit about myself first, because we're supposed to do like bios and all that kind of crud. Oh by the way, this talk, totally, PG-13. I may curse. I'll try not to and I'm looking around and it seems okay. I will try not to curse, but every
once in a while it may pop out. I have a migraine right now and that's what tends to happen. So just as a heads up. I am Kevin. I'm the founder and CEO of Secure Ideas. We are a consulting firm out of Jacksonville, Florida. We also have an office in what I refer to as Charlotte, South Carolina. For the people who are not geographically idiots, you will know that Charlotte is in North Carolina. Yeah, Rock Hill, which is a suburb of Charlotte, is in South Carolina and is where our office is. You would think I would know that since it's our office. We've been around for eight years, we're a bunch of nerds. Basically that's
the story of my life. I'm a nerd. I am so nerdy that the guy that used to steal my lunch money still does. But he makes a damn good Subway sandwich. So, I've been involved in IT since 1991. I professionally graduated high school. I got a job as a developer and a bulletin board system sysop. It's been so long, I don't remember which way to pronounce it. Running bulletin board systems for people. Yes, that is how old I am. Did that, moved on. Got involved in security about '98, when the company I was a system administrator for got hacked. And I got pissed, and said that is never happening again. And then got hacked again like three, six months
later. So I was wrong, but I started to get involved in security dealing with that, and I became a consultant just over a decade ago. I have done everything from, I'm a SANS faculty member, not the pet food company. So I'm a SANS faculty member. the web pen testing and mobile security courses for SANS Institute, one of which has been open sourced. We open sourced the entire six-day web pen testing course in January, which I'm excited about, right? The Professional Evil Web App Pen Testing 101. That's out there, we're still releasing it. I am an open source fanatic, so Samurai WTF, 10 year anniversary is this year. As a matter of fact, tomorrow when I have my suitcase with me, I have some challenge coins from
the Samurai 10th anniversary. So if anybody sees one, wants one, come talk to me and I'll hand them out. The password.
You, out. So what he's making fun of is Samurai, for the people who don't know, Samurai WTF, which is the web testing framework. That's honest, that's what it stands for, not that other WTF thing. When I first released it, I released it because I missed Defcon and I was bored, so I wrote an operating system, because that's what you do. And when I released it, I set it up, built it, zipped up the VM, and uploaded it to SourceForge at the time. And I think it was like a day later, I got an email that's like, hey Kevin, what's the password? And I'm like, it's Samurai, how did you not know that? You're a hacker.
So I realized I'd never released the password, so I created a text file and put it on the desktop. a new release. Of course, you had to be able to log in to get to the desktop to get that text file. I felt it was a challenge. But that was my excuse, at least. But so I've done a whole bunch of open source work. I speak. I like to say that I'm an international speaker, because I've been to Australia once and Canada a few times. It's kind of like the Jacksonville International Airport. We're an international airport because we have a flight to the Bahamas once a week. I said that joke in Jacksonville and somebody's
like, we are too at International Airport. I'm like, fine, where's customs? And Atlanta is not the right answer. But the thing to keep in mind is that my main role is penetration testing. I attack organizations. I get a kick out of it, right? I get to tell you you suck and go home. That's my job, right? And it's a great job, but it affects my perspective. Like, we'll be talking to a customer and the customer will say to me, hey, Kevin, how's the test going? And I'll be like, oh, it's great. And they're like, oh, so we're secure. I'm like, oh, no. You suck. It's going great for me. I'm having a blast. The report's going to suck to
write, though. You know, things like the Equifax breach, right? Everybody else is like, oh my gosh, Equifax, they got our data! And I was like, they've had our data. How'd they get in? Man, that's awesome, right? So it's slightly weird, right? And that affects my entire perspective, right? Everything about me is wrapped up in this idea of how cool it is to break stuff, right? And break stuff for good.
So I get to do a lot of that. There is, and I want to be clear, this is the two sales pitches for today. I try not to do sales pitches in my talks, but here's the two sales pitches for this talk. One, our training, the recorded training, is free for vets, active duty military, and first responders. If you're a vet, active duty military or first responder, our recorded training is free. Our live training is significantly discounted. What we do is we basically just pass on the per seat cost we're incurring. or the active duty military or first responders. So that's the first sales pitch. I'm not a great salesperson. I sales pitch three things. Second sales pitch, if you work with a
non-profit charity, please note the two parts to that word, non-profit and charity. We had a non-profit that has like a billion dollar a year budget ask us for this. We said no. So if you work with a non-profit charity, our services are free. And they're free for as long as we offer the service. There is a rule. I'm going to try to say it politely: you cannot be a jerk charity. I'll give you an example, since, like, what is a jerk charity? Westboro Baptist Church, those jack holes that protest funerals. They are a nonprofit charity according to the federal government. I'm not giving them free service. Make sense? So as long as you're not a jerk charity, our services are
free. Again, those are the only sales pitches for today. The last thing I'm gonna tell you about is something I'm very proud of. My wife, Denise, says it's the nerdiest thing I've ever done. Of course, I pointed out that she met me when I was 26, so she doesn't know.
I am a member of the 501st Legion. For the people who don't know, thank you, for the people who don't know, we're 16,000 members as of the last census around the world. What we are is a costuming group. We build screen-accurate Star Wars costumes and then we raise money for charity. I think we raised $16 million indirectly last year, which is kind of cool. But I didn't raise $16 million worldwide. This is me in my Vader. That was actually a really cool event. They brought together 300 blind kids and they had them watch the movies. Now, not as a joke. I think it's kind of cool. They refer to it as watching the movie. And then they had us stand there for a few hours and
let the kids feel what the characters felt like. So this is a little boy who is blind feeling Darth Vader's chest box and everything. I am crying in this picture. Plain and simple, tears streaming. And we've got other, lots of other, 501st members in security, Scott being a recent addition. We're a nerdy group. But that's me. The last thing I'm gonna tell you is I am full of tangents. Well, I'm full of lots of things, my eyes are brown. And I have a sense of humor. I want to warn you though, that you might have misheard me. I bet you some of you heard I have a good sense of humor. That is not what I said. I said I have a
sense of humor. I'll give you an example. My current favorite joke, don't ruin it.
Does anybody know why Walmart wasn't hacked? They're not a target. But, right? I actually got to introduce the CISO of Walmart at an event, and I told that joke, and he would not shake my hand. I did this, and the dude went, and I'm thinking to myself, you got the good side of the joke. I said you weren't hacked, right? Then I was at an IONS forum in Minneapolis, and the CSO of Target was the keynote speaker, and I begged for them to let me introduce her, and they're like, are you gonna tell your Walmart joke? I'm like, of course I'm gonna tell my Walmart joke. And they're like, no, you can't introduce her. I'm like,
that sucks, man! So, like I said, sense of humor, not good sense of humor. But let's talk about what you're here for, right? How many people here have seen the TV show Parks and Rec? Yeah, right? Man, this show, it was stupid, right? I mean, it really was dumb. But I laughed every week. And there were days, my wife would come in, she'd be like, Kevin, what is so funny? I'm like, I don't even know. I'm just giggling away, right? The show was great. And as I started looking at it and started thinking about it, and this is something, and I'm going to be mushy, maybe, right? I love you, man. What I've realized is that
I'm not that good at what I do. I'm not that smart. I'm not that capable. I, though, have had a series of giants that I'm allowed to stand on their shoulders.
And I hope that someday that I can, not a giant, but a kind of tall guy maybe, that can help other people stand up. This is one of the things that I love about this field, this industry. It's also one of the things I hate about this industry, is that we are really, really good at telling people how they can be better. And in a lot of cases, we're really, really bad because we tell people how they can be better, right? And I think it's important that we as an industry, we as a community, build up, because we suck. Right? I mean, let's be blunt. 2018, almost 2019, it blows my mind, and yet we're not much better at
security than we were 20 years ago. My oldest daughter, she's 16 now, Brenna, when she was nine years old she was admitted to Wolfson's Children's Hospital for seizure disorder, OCD. My daughters both have OCD, as do I, right? And not just like, oh, I like patterns, but neurologically diagnosed, right? About three months after Brenna was in Wolfson's, they were breached. You can literally look up Brenna's social security number on the internet today. Her identity has been stolen multiple times. And I don't mean her credit card number, because if your identity, like a lot of people say, oh, my identity was stolen. What'd they get? My credit card number. If that's your identity, your life sucks. Right? You're
probably one of those people that take selfies in the bathroom, because all that does is tell people none of your friends will hold the phone for you. But Brenna, for the rest of her life, at nine years old, I got to have the conversation with her that for the rest of her life, her data was exposed because of a security problem, right? It helps. When she was 15 and we had to fill out the paperwork for her learner's permit, my wife and I could not find her social security number, so we Google searched it and typed the number in. So it's sometimes helpful, but that's a problem. That was seven years ago. This morning, this morning, Jason Gillum, one of my people, is doing a test and figured out
a way, unauthenticatedly, I think I made up that word, to steal every customer's piece of information from this company we're testing, from the internet. Right? This is a customer that's been pen tested lots and lots and lots by other firms. And this is not a "well, we're so much better." That's not what I'm saying. What I'm saying is we're just not improving. And I think that one of the reasons we're not improving is that we don't approach community correctly. We don't approach education correctly. We do a lot of victim blaming, right? We do a lot of, oh, you're stupid, or idiot developers, or, and red teamers, we're the worst, right? Oh man, I won! Ha ha ha! Right? I mean,
this is what we do. And so when I was watching Parks and Rec, and, you know, I was sitting on Netflix, oh, this is funny, right? It started to hit me. they had built, and when I say they, I'm talking about Leslie Knope and Ron Swanson. I also want to be very clear so that people don't leave here thinking I'm psychotic. I may be psychotic, but I know they're fictional.
This was not a documentary, contrary to how they tried to film it. I'd love them to be real, but what hit me was that this little group of dysfunctional weirdos built a team, a community of people who were helping each other and doing the right thing. And the main two characters, for people that don't see it, Leslie Knope, and Leslie is cool. She's not cool. But she loves government. She thinks the government is there to save us all. She is absolutely one of those people who's like, yay! Socialism or something. I don't know. And I'm not getting political, because the only political battle I will fight is vi versus Emacs, and that's because vi wins. Right? Every time. Well, not every time. I said that once and a guy
in the back of the room in the class like punched the desk and yelled and stormed out of the room. When he came back in about an hour later I found out he was one of the Emacs developers. So, I didn't know what to say other than, man, Emacs is a great operating system. But, Leslie loves government and she believes in a process and somebody there to take care of you and show you what to do and tell you what the rules are. Right? And she believes that that will work because everybody is just good. And if we help each other, it would be awesome and the government would run everything. And then you have Ron, which hypocrite because he's the head of a
governmental agency in this town of Pawnee, right? Yet he hates the government. His very, like, he believes not in anarchy, but in the fact that the government should be tiny. Like, the government should be there when you need them, but you get to pick when you need them. And people should be left alone, right? And do their own thing. And it hit me: in community, we have Leslies and we have Rons. Right? We have people that fall somewhere in the middle and everything else like that. But the really loud people, the really, oh man, and you hear it, right? There are people, we need licensing for security people, right? How many people have heard that? We need licensing for security people. Yeah. And we hear things
like, oh, ethical hackers. I always laugh at that title. Whose ethics?
Because some people make the mistake and they'll say that ethical hacking means you follow the law. I disagree with that statement. Right? Because there are things that I consider ethical that are absolutely illegal in some countries, including the U.S. Right? I believe if you mess with my kids, I should be allowed to beat you within an inch of your life and then kill you. Right? They're my kids. The sheriff probably disagrees with me. That's a very interesting thing. Depends on the area. I do live in Florida. But, right? This is what we see. We see these groups and what we find if we ignore the stupid arguments on Twitter. Right? It would be Twitter. There's some good stuff.
Have you not seen We Rate Dogs? This is the best. You've got to see. Look at your face. Have you not seen We Rate Dogs? The best Twitter account ever! People send them pictures of their dog and they rate it. And they're always, this is the best dog ever, 13 of 10. It is awesome. Even the ugly dogs get rated well. Like, We Rate Dogs is just a nice Twitter account. But, total tangent, I told you, I'm full of tangents and other things. But, we see a lot of the arguments. I just saw one, what's a pen test? What is the difference between a pen test and a vulnerability assessment, right? Ooh, good answer. I like him. I owe him five bucks now. Ah, no, it doesn't depend. I'm
just using it as an example of a stupid argument on Twitter, right? I actually followed Dan Kaminsky and Thomas Ptacek just so I could see the two of them fight on Twitter. They're both smart people, but without fail, one of them will say something the other one doesn't like. It's the only reason I follow the two of them on Twitter. Right? But what we see, I'm glad this is being recorded. Most of the arguments we'll see, like I said, if we remove the stupid ones, are often because the people on the two sides of the argument two people. Right? Like we see the, and I'll be honest, I'll be very clear where I fall in this stance, right? You'll see the people like Chris Roberts
who will say, well, it's okay I hacked that airplane while it was in the air. I know I'm exaggerating. And then you have people like me like, well, the FBI showed up for a good reason. Right? And there's that type of argument. And in a case like that, it's a falling on two sides, right? Whether we should regulate, whether we should not regulate, whatever. And it's not a disagreement on what's good. It's not a disagreement about how useful or useless that person is, except when we talk about Kevin Mitnick, because he's just a scumbag. But... When we look at it, it's very often because we've got people who just disagree on stuff.
Right? And we have to work on the community. And this is kind of funny to me because I am probably the most introverted, shyest person you'll ever meet. Says standing in front of a group of people, right? Yes, this is an act. I hate traveling. I'm petrified of public speaking, and I don't like meeting new people. Period. So I became a traveling consultant that presents around the country. But, I didn't say I was smart. If you look at our community, like, you know how people will say, and I don't mean this as a joke, right? But you know how people will say, oh, that person's on the spectrum, or this. Like, I don't believe we're on the spectrum. Because I think we've
broken it. Like we have people like me, right? I'll be honest, I don't like being touched. Don't touch me. Nothing against you, right? Just I don't like being touched. Other people, oh man, this is the way to do this and this is the way to do this. But we are the weirdest group of people I've ever met. We have people of all types. I was at a conference once and people were talking about this weird thing. It was outside. And I'm gonna have an endorsement. And they were talking about camping and hiking and all this kind of... And I'm like, why the hell would you do that? You've got a great mattress, right? In your bedroom. There's other people who do sports.
And then there's people who watch sports. That's weird. Right? Please note I did not say I did sports, right? Because I don't understand that either. But my hobbies are computers. Everybody... The reality is we have to build a community. We have to. And I look at things like B-Sides. And it's an effort to build community. Because this is an awesome two days. This is, I'm sad to say, this is the first time I've ever made it to B-Sides Delaware. I've heard about B-Sides Delaware for years. I've heard how great it is up here. And I'll be honest, part of me was like, yeah, I don't have time. Right? I'd talk to Josh and Josh would be like,
man this place is awesome! And I'd be like, you're biased! He is! Right? And I got here, I flew in last night, and I came over here, Scott picked my ass up at 6.30 this morning in Baltimore. That was nuts. And we drove. I passenged. That's a real word. That's a verb, right? Passenged. It is now. It's kind of like gruntled, right? We're all gruntled employees. Because become disgruntled. But so we I passenged up from Baltimore and we drove up here. That was weird. Right? You have tunnels. Like holes in the ground. People drive through. That's nuts. I grew up in South Florida. That would be flooded. Right? That's like you guys have basements. That would be an
indoor pool and not a good one where I live. But I hung around upstairs. And I had about 4,000 people, I don't count well, talk to me. And they didn't talk to me like, oh hey, you're speaking, right? Because that's egotistical, like, well, I'm a speaker, you must come to me, right? No, they were talking about cool stuff they were doing, right? I learned things standing in the hallway. besides Delaware, right? I learned how great the people up here are and the things you all are working on. I saw kids running around doing cool things, right? And I listened to some talks. I learned things about e-waste. Dude, that talk was awesome. You all missed it. Not all of you. I saw some of you in there with me.
But that was a great, like, it's this thriving, vibrant community that we see. And I hate to tell you, it's not enough. Why not? Because then you can go out to Defcon, right? And there's 50,000 of your closest friends wearing black in the summer heat of Vegas.
There is literally a hacker smell that comes out of the casinos. It's crazy, right?
But I'm not bashing Defcon. I like Defcon. I go, right? I haven't been in a few years, but I love it. And then we leave here tomorrow. Because I believe, unless I totally screwed up the calendar, tomorrow is the last day of B-Sides Delaware, right? Okay. Right? We leave here tomorrow, and my question for you is, what are you doing Monday for the community? What are you doing online and around the area and everything else? We have to keep building it. We have to join this community. We have to open ourselves up to it. And, oh, by the way, we have to step up. Because I'll tell you right now. We look at...
is how many people here go to the OWASP meeting every month when there is one? I know it's not a hand went up. Do you have an OWASP chapter here? The answer is yes. I knew that. Thank you. But not a single one of you goes to the OWASP chapter meetings. Now I don't know why you don't. I'm not judging. I am judging you badly. But that's important. How many people here have complained about the latest OWASP top 10? Right? I have. I've ranted about it multiple times. Now ask me if I submitted data to the OWASP top 10 project. And the answer is no. I'm a hypocrite. They suck. I didn't help them. Right?
How many people here use open source tools every single day? Right? How many people here have ever done a pull request? How many people here have opened up an issue with a bug they found in an open source project? Right? So I got four hands that time. That's good. Did you give them enough detail they could fix it? Right? Did you submit a code sample they may use to fix it? And I know some of you are sitting here going, but Kevin, I don't know how to code. Okay, but President Obama was able to code. And I use that as a bad example because I hate the hour of code thing that he was one of the examples of. I think it was awesome he was an
example of it. But it's this idea that if you just do an hour of code you'll be an amazing programmer and that's a lie. Right? But, like how many of you have submitted code? And then you'll say, but I'm not a developer. And it's like, yeah, okay, how many of you have submitted documentation? of you have sat down and done a video explaining how to build something. And I know what you're going to say. You're going to be like, oh, but Kevin, I'm an idiot. This is so simple, everybody knows it. Okay, I'll point one out to you. I run a security company that has 21 of the smartest damn, okay, 20 of the smartest damn people out there, and me. You know what one
of our most popular blogs is on our blog? How to install BeEF.
description of how to install a piece of software. That's one of our most popular blogs. Another one is explaining what CORS is. And I'm not saying there's anything wrong with having to explain what CORS is, but a lot of people don't know what it is. This is a simple introductory thing, and when Mike came to me and said, I have this idea, what do you think? I'm like, oh, I think it's an awesome idea. He's like, I don't think it's going to be that big a deal. I'm like, no, lots of people don't know that. And he wrote it. Simple documentation. We have to build stuff because we've got three major problems that I see: standards,
ethics, and cliques. I feel like we're in high school, right? So it's standards. One of the biggest problems I see is we don't have them, right? And I can rant about something close to my heart, right? People here do pen testing, right? I'm the only one? Okay, two of us, three of us, okay, good, right, thanks. Okay, do you know how often I go and do a proposal for a pen test? And my company is not that expensive, right? We only bill $250 an hour, and I know that doesn't sound like an "only," okay, but in consulting that's a lower rate, okay? Um, and we're competing against people who do $500 pen tests. I'm gonna be rude, but if you're paying $500 for
a pen test, I'm not gonna fight you on that price. I know you're gonna come back to me in three months when you realize how crappy it was. But, right, I'm competing against people who run Nessus reports and change the logo and call it a pen test. Those people should be set on fire. But,
We talk to people, standards, right off the bat, standards. How do you know somebody is ready to be a pen tester? How do you know somebody's good at forensics? How do you know somebody's good at this job? What do you compare them against? I'm gonna go with certification. Well, that's a great plan. How many people here can afford to go, I'm gonna pick a random company, SANS.
But how many people can afford them? $7,000 worth of certification. Right? Now, I'm not saying there's anything wrong. I personally, I was a SANS instructor. They are an awesome organization. They are. I am not bad-mouthing them. But I am pointing out that their price currently is higher than I can afford. That doesn't mean it's bad. It's up to you to decide. Right?
We know. We compare that to who? The CEH, right? I heard it earlier today. The person said they were a certified ethical hack. Their slide was missing the ER, but that's okay. Um, and they said that just meant we knew a lot of flashcards, and I thought, dude, that sucks. It's a great quote. I think it's accurate, right? But that's a horrible attitude. Not from the person, like, I'm not making fun of the person. I'm just saying the fact that we have two different standards for certification, one of which is seen as worth seven thousand dollars and effort and everything else like that, and one that's seen as, well, if you can memorize flashcards, you can pass this,
and I'm not telling you you're right or wrong on either one of those, but that's a problem for standards. And then we look at, what do you do? How do you handle it? What's your career path? How many people here believe that they can go take a course at a technical college, and I'm not making fun of technical colleges, and come out and be a senior pen tester? Right? Scott does. I had a guy I interviewed, and I was interviewing him for a non-senior position. He had just graduated college, and one of the questions I ask is, what do you need to make? What are your salary requirements? And please note that I'm not trying to have you negotiate against yourself, I hate that idea, but I literally am
saying, what do you need? What would you like to make to do this job? And the guy said to me with a straight face, I would like $300,000 a year. I said. That is a quote of what I said. I'm like, yeah, so would I. And he goes, you don't make $300,000 a year. I'm like, no, I don't make $300,000 a year, and I own the damn company. And his answer was, you don't make enough. You're right. But, right? I'm sorry. I kept going with that interview because it was hilarious. But,
man, that was like, I wanted to interview and my wife told me I wasn't allowed to, and she owns the company as well. And I wanted to interview, this guy submitted a resume for us and he was absolutely not qualified, but he was a sonar tech when he was in the military. And I wanted to interview him and we were gonna have three people in the room and one of us would just go, and we would see if he could tell one of us, wouldn't that be awesome? Right? But, we didn't do it. We didn't do it. Right? But how do you know? What's the right controls you should have? As a security person, should you be running Checkmarx against your applications? How many people think yes?
Good, because their product sucks, in my opinion. But, do you have a web app firewall? Are you required to? Right? Should you?
Looking at it like, I log. Do you review? No, that's too much work, right? We have to build these standards, and we as a community have to build them. We as a community have to get together and say this is what we do. Because I'll be blunt, if we don't, and including the next one, if we don't, the government will. care your politics. I don't care if you're a MAGA wearing hat guy or a resist forever not my president guy. Okay? I don't care. The government is not where we want the standards for what we do to come from. We have to do it.
I have no problem with compliance regs. The problem with that, if we built the standards, we could help drive those. Right? I got you in one second, so you don't care. Because I get tired doing this, so I want to do it. Because if we built the standards, we can drive that. And the example of that is the movie industry. Back in, I think, the 50s. Yeah, I know. You set me up. I appreciate it. I owe you five bucks. Right? But the movie industry, people were bitching and complaining, excuse me, about the inappropriateness of the movies. was about to step in and regulate them and give them ratings and censor them, and the movie industry, whoa, we got this: R, PG, G, right? And then in the
80s, Gremlins. I don't know why I saw that movie. I don't know what was wrong with it, but people were like, oh my gosh, Gremlins, that's evil, right? And they're like, don't worry, we got it, PG-13. They drove the regulation. We could do the same thing. Yes?
Yes.
Yes. It's a great question. Yeah. Right, the way we do it is that we start discussing it openly. We at least open ourselves up to be willing to listen, okay? Because I'll tell you right now, do you know what the best standard out there is right now? He says... who said that? Yeah, wrong. Do you know why PTES isn't the best standard out there? Nobody cares, exactly, right? And I love PTES, other than the fact that it tells you this is the only wireless card you can use. They fixed that, right? The best standard out there, PCI DSS. It is. Do you know why it's the best standard? No, it's not because it's the most prescriptive. That's
a nice word.
And we all agree with them and sign contracts to go with it. where the FTC now uses this as the industry standard for what they compare organizations to after a breach. Did you meet this requirement? Right? It's also kind of cool because it's, you must be this tall to ride the internet. Right? It doesn't attempt, and be clear, right now, I'm like, PCI is awesome. What I'm saying is if we're going to build something, we should build something similar. We can build off of it. Right? It doesn't try to answer every single question. shows you a set of things you should aspire to. And then lets you figure out how to do that. And then lets the industry figure out how to assess it. Now, there are
negatives there. Becoming a QSA or an ASV is ridiculously expensive and asinine, right? But that's why I say it's not the right standard, but it's a good model to base it on. And the way we do this is we work with a group of people who are not in it just to make money. Okay? Notice I didn't say not to make money because we're greedy capitalists, right? My business goal is to be protested by the Occupy movement. You know you're rich when there's pup tents in your cul-de-sac. Right? But we need to build this together. And I think to build the standards, we have to focus on the second thing. And that is ethics. Right? Because we, what are your ethics? What do you think is
okay? Do you believe it's okay to we've iterated through all of the data from AT&T and downloaded it? I'm not asking, I'm just throwing that out as an example. Or do you believe that Wesley McGrew's ethics are better when he's talking about going after people for scanning his systems? Right? I don't know. I'm asking you that we need to come up with what we think is ethical. Because I, be honest, I hate the term ethical hacker. Right? Because I'll tell you right now, the guy that stole a million dollars from that bank... followed his ethics, because that million dollars was insured and this is okay and blah blah, whatever, right? Ethics, while we... I don't say ethics are flexible. They are, to a certain extent,
but what your ethics are may not match mine, right? What I think we need to do is say, what are we allowed to do, and what is the process, and what do we think is a bare minimum of... Like for example, I have customers say to me all the time, can you do a pen test? Like I want you to hack me like the real hackers do. I always giggle at that, right? Does that mean I get to sell the data when I'm done as like a bonus? Right? Like, man, I stole a million credit card numbers from you. Woohoo! Making extra money! Right? Like, is that okay? Or is it okay for me to
tell you who I hacked? Right? What are the right standards? And I think, I believe, and I'm not that smart, I barely made it out of high school. But I believe that we could create, and have a lot of it already, a basic level of what we consider required ethics for what we do. I don't know, you don't have a history of stealing stuff and selling it on the black market. Something simple. But we build that level of ethics up. And then we have to realize the third problem we have. And that's cliques. Right? We got the goths. We got the nerds. We got the sports. No. What you see, and I see a lot of this, because over the last few years, Secure
Ideas has stopped going to as many security conferences as we used to. And it's nothing against security conferences. But it's because... I'll be blunt, like I told you, I'm a greedy capitalist, right? I'm trying to succeed at paying payroll every two weeks. That, to me, is a level of success. That every two weeks, everybody in the company got their paycheck. Yes! Right? To do that, I can't talk to the same 50 people every week. Right? And nothing against it, right? But so what we've started to do is to go to security cons, hacker cons, there's a difference, and non-security cons. I go to the HIMSS events, I go to the RSPA events, whatever. And what I see is that
there are people who are here. Like I'm at this one event and I'm talking to people and I mentioned H.D. Moore. And I wasn't like name-dropping like, I know H.D. Moore, because everybody knows H.D. Moore, except they don't. at a professional InfoSecCon and I had about 200 people in the room and when I mentioned H.D. Moore nobody reacted. And I went, it hit me. I don't know what it was about it. It's like, how many people here know who H.D. Moore is? Right? And not a single hand in the audience went up. They didn't know who he was. like to believe that everybody in this room knows the guy who created Metasploit, right? The guy who has created a tool set and a huge team of people helping
him, right? Awesome stuff, but did something that moved penetration testing and exploit development light years ahead of where it was, right? And nobody in that room knew who he was. And I realized it's because even inside, nerddom that is InfoSec, and I say that with pride, we have cliques of people who don't cross, right? How many people here go to auditor conferences? Yeah. You learn stuff? Of course. You say that at Defcon, man, after this, I'm going to the auditor conference. People are like, why would you do that? That's stupid. No, it's not. That's, whoop, okay. They had me right up to the end of that. I had to learn what they're looking for so I could hide that shit. But
I'm like, no! You out! You're gonna bring up the Adobe Crackpipe again, aren't ya? But, you gotta learn, you gotta interact with other people, you gotta talk to people, right? And we are seeing better at that. We are seeing people moving in. The place where I'm seeing it really bad is this last one. Public and the users. We still have lots of, oh, that stupid damn user, you know how much better it would be if we didn't have users? I don't know, man, you wouldn't get a paycheck. Without the users, we're useless. Our entire job is to support them. We are, as penetration testers, as security people, glorified QA and help desk.
I know you don't like that. I don't like it. I want to think of myself as a wizard. Right? I am a genius. I'm not. I'm a glorified QA person. I poke at stuff until it breaks. And when it breaks, then I giggle. And I go have fun. But that's a different thing. That's the difference between being QA, right? But we have to engage the users. We have to engage the public. We have to engage developers. How many people here make fun of developers? Right? I can't help it sometimes, but have you used Ruby?
I am so sorry, or are you on crack? But I'm opinionated. By the way, all of my opinions are my employers. That's my Twitter bio. Right?
There's a small problem with that. I've got two more minutes.
Right, and she's the boss right there, right? It's like Josh is the same boat I am. I borrow the pants from my wife when I travel. We have to start engaging people. See, I was timing good before that. I don't even know what to do with that. But what I want us all to do is I want us to start going out and helping people learn. I want us to start educating. I want us to start sharing better. Because I'll be honest, that's one of the things I loved about this industry when I got started. And I will tell you right now, this is the only industry I know. walk up to the geniuses and giants of what we do and talk to them and
they'll talk back. They will answer questions. I know, and I'm not special. I'm not. But I know that I can reach out to Mubix. I can reach out to Matt Carpenter. I can reach out to Josh Marpet and Scott Lyons and I can ask them questions. And these geniuses, well, other than Scott, but these people who take time to answer my question. And then I say that to people and every once in a while somebody showed an example. Well I talked to this guy, Chris Roberts, and he wasn't willing to help me. I'm not sure. I used him as an example because he was mentioned earlier so he's in my head. Right? If the person you reach out to
isn't willing to help you, they're not actually good at what they do.
found time and time again, every single time I reach out to somebody who is supposedly a genius, who is supposedly an expert, and their answer is figure it out yourself, right? They don't actually know what they're talking about. And I use the OSCP mantra, and I want to be very clear, I'm not making fun of the OSCP here. I think that certification is awesome. What they do there is cool. But I think that a lot of the idiots in the industry have taken that try harder answer and think it's a way to make themselves seem smarter. That's not why it happens with Offensive Security and the OSCP. But we see people on Twitter. Somebody will say, hey, you were talking about this. How do you do that?
Try harder, man. Do it yourself. That's a shitty answer. Go out and help people. Share. Talk. Communicate. And educate. We can be better. And we need to be. Because there's way too many things broken today. just getting worse, okay? And I will tell you right now, if you have any questions, if you're ever in a situation and I know how to fix it and help you, ask, I will, okay? And if I don't, call me on my own hypocrisy, okay? Thank you very much, everybody. Enjoy yourself. Have fun.