
to BSides DC 2014, our second year here in Washington as a regional [Applause] BSides. We changed our slogan a little bit; we're now the Oktoberfest of BSides. We thought it was a little bit more juny. I'm going to just do a couple of housekeeping items. My name is Mark Boltz, for those of you who don't know me. I am one of the co-directors of Security BSides DC, one of the people who was insane enough, two and a half years ago, to tell Jack Daniel that I wanted a BSides in DC. This is Alex Norman; he's our other co-director. We are the ultimate bosses: any issues, final resolution comes through us, and what we say is final unless it's
the police or the FBI. So generally we just have a couple of rules. During your sessions we have two tracks: one will be here in A/B, the other will be D/E in the back, with the middle here as an air gap after the Marriott gets to reconfigure this from the general session and keynote. That's today and tomorrow. Tomorrow morning we will have a panel discussion at 9:00 a.m. on diversity in IT and where we're going with that, and if we're making any progress, and if so, what progress we are making. We have all of our vendors out here; they're actually sponsors, sorry, I just broke my own rule on that. So all our sponsors who help
make the event possible, be sure to stop by and say hello to each of them. We ask that for each session you always make sure that any kind of devices you have that make noise, especially in the talks, are non-disruptive and either in do-not-disturb or silent mode. Please respect your speakers, all of the organizers, the volunteers, and even your other fellow participants. Please adhere to our principles; they are on our website. The number one principle is simply: do not be an [ __ ]. Please participate, be involved. This is your event, not ours; we are just helping you put this on, and it's for your benefit, so please be involved. You'll see that we have the
various badges. Yes, you need stinking badges. Please wear it at all times; it indicates that you're part of our group. The badge colors are significant. Orange is for all of the organizers; basically, what they say goes. Yellow is for the volunteers who are helping us; they are also in staff shirts, which is this blue color versus the green that you got. You can see any one of them if you have any issues or concerns, or need any assistance, or have any questions; if they don't know the answer, they can find somebody who does. The white are our speakers; please thank them for making their part of this event possible. Green are our sponsors; they're green because they give us
money, lots of money, because this Marriott ain't cheap. Red are security, please obey them, and blue are all of you guys. Thank you very much for coming. So this is our second year. We sold more tickets in less time than we did last year. Last year we had about 455 attendees out of 650 tickets sold. We sold over 800 tickets this year so far, and we are running a rate of about the same in terms of attrition, I believe. So far we are around the 500 to 600 mark; I'm not exactly sure yet, we've got to pull the numbers a little bit later. We were, the first year, the largest BSides ever for a first-year BSides. Last year we were the
largest BSides of any first-year BSides event, period. It's an amazing thing. I'm really, really impressed with everybody that helped pull that off. We are still running as one of the largest BSides globally, after BSides Las Vegas, so thank you all for helping make that happen too. It clearly shows that I wasn't too crazy when I thought that DC needed a BSides. So, a couple of events and items of interest. Lockpick Village: the newly founded TOOOL DC chapter of TOOOL will be over in London 2. They will be available today and tomorrow for the Lockpick Village if you're interested in picking locks. A couple of rules for them: do not take the locks, ask questions, and please use
their locks for practice; do not use those of the hotel or surrounding area. The wireless CTF is also over in London 1, adjacent to the Lockpick Village. They will begin a little bit later today. Those are also on this level. Please follow their instructions, check on the leaderboard, and please hack their Wi-Fi, not ours or the hotel's or the surroundings'. There's an ICS Village; they'll be up in Salon 3 of the Junior Ballroom, which is our other training space, that is our Hall of Education, two levels up. We added that space this year, so you can find them there. This was created for DEF CON this year; they're doing industrial control systems, programmable logic controllers, and all that kind of fun stuff with
robots and [ __ ]. Have fun. This evening at 7:30 p.m. at the Iron Horse Tavern, a couple blocks away. We are there at the black, they're over there; I'm sure you all know how to use a map tool at this point to find an address. We will be providing drink tickets, at least one per person with a badge. You must bring your badge to get a drink ticket; that gets you either a beer or a well drink, courtesy of us. We have no sponsor for this event this year; this is out of our own generous pocket. It will have DC and local area beers on draft. We may provide more drink tickets depending on how things go and how
much money we have left in the bank after we pay the hotel. A couple of sponsors to call out: we have engaged the audience, General Dynamics Fidelis Cybersecurity Solutions. They provided $6,000 to make this event possible; it was our down payment for the hotel, so please be extra generous and effusive in your support and thanks of them, especially on social media. We have various above-and-beyond sponsors; you can see all of these folks out in the halls throughout the event. I'm not going to go through too much detail of them, and our core supporters, who at least chipped in something to help out. Several of them are returning
sponsors. I especially want to thank Tenable, which actually bumped up at the last minute and threw more money at us. I don't know if Jack Daniel had a hand in that or not, but in any case we appreciate their support of the event overall. We also want to give thanks to Sophos, who provides an entire network kit to Security BSides, period; all BSides have access to this kit. And also thanks to Jack for helping out with our infrastructure team in setting that up. We want to thank TOOOL for helping out with the Lockpick Village; they will have various volunteers there helping to teach people how to pick. The Iron Horse, of course, for
accommodating us even though they have a Washington Capitals game tonight, which will put us busy at the first part of the evening. And of course the Marriott hotel and the Marriott staff for helping make the event possible. We are doing donations and collecting donations for either EFF and/or Hackers for Charity. If you donate to either one of these or both, each donation, one each to each of them, will also get you an additional raffle ticket for the Pwnie Express Pwn Phone 2014 we will be auctioning off at Sunday's closing remarks. Every completed speaker eval at every session also gets you a raffle ticket for that Pwn Phone, and an additional chance to win if you buy a
sweatshirt or one of last year's t-shirts at the shop, when it becomes a shop after it's done being registration. A portion of those proceeds also goes to either organization; there's a little popsicle stick you can use to designate which one you would like it to go to. And then, obviously, thanks to our team, Alex and all of our entire staff, for making the event possible. Probably the next craziest thing I did after deciding to try and actually pull off a BSides, especially of this magnitude, was ask Jericho to be our keynote speaker today. So I'd like to have everybody give him a warm round of welcome while I pull up his
slides.

Hello everyone. Thanks for waking up on a Saturday morning; I know how that goes. We've all been to our share of conferences. Sorry, is this thing recording too? Okay, sorry. So anyway, I'm Jericho. I was told, hey, show up and speak about something; they didn't really tell me what kind of topic or whatever I should do. Hang on one second. They told me it's a keynote, which is new for me. This is my first time, so you get to witness me lose my keynote virginity. I thought about sticking with what was up on their page, how to hack a squirrel, but then you think about it,
good luck with that. I'm kind of skeptical of keynotes myself. I've been unhappy with most of them I've attended in the past, so this is certainly a challenge to me. I take my talks very seriously. Jake in the audience, he was like, dude, what's up, you know, you're actually taking this seriously. I was like, yeah, yeah. My second thought was, what the hell did I agree to? And then I thought, wait, what makes a keynote? We all know that RSA had 16 keynotes this year across four days, so it kind of makes me think a keynote is just like another talk, right? And one of them was actually a panel.
Have you ever seen a panel keynote? Makes no sense to me. So I asked Twitter. I said, hey, what do you expect out of a keynote? One reply said it should explain why security matters. Well, if we're in this business, I kind of hope we can answer that. Another said they want a different and broader perspective. Okay, that's fair. One honest reply said a good seat for whatever talk comes next. Hey, that's fair. I was told it should propose solutions, not more of "you're doing it wrong." Yet another said it should contain stories that relay relevant experience. Well, I'm kind of an outlier, so not sure how relevant my stories would be. A few
people said it should set the tone, but I don't think that can be done for a multidisciplinary conference like this. First, the CFP selection can happen months in advance, long before keynotes are chosen. So now that all the other speakers were there and ready to go, I'm supposed to come in and set their tone? That doesn't work for me. Unless the con is very specifically focused, I don't think you can, and some of them really are, and that's a real conference: set the tone, come on, people. I'd asked if keynotes use slides, because most of them I've seen don't, and I was told that they do, which is a great relief to me because they're kind of a
crutch. Not only do I have to use my notes so I don't divert too far off topic, but if I bore you, at least you get funny pictures. I'm not much of a motivational speaker, and this is an incredible responsibility. Hey, how's it going, how are you? Recognize... oh, you're laughing at me, not that, yeah, yeah. So let me again emphasize that this is an incredible responsibility, at least that's how I took it. Unfortunately many keynote speakers out there, they don't seem to think of it that way. They think about themselves, their appearance, the money they make; it's a job to them. And if you didn't know, some
of these popular names, no names mentioned, get up to $155,000 to speak. Yeah, all that. So, great question, and yeah, it's actually in my notes. Before today I was getting three nights of hotel, which is very generous; I thought that was great. This morning I was told I was, or I was offered, an honorarium. I told them no thanks, donate it to a local animal charity, so they're going to do [Applause] that. So imagine if these guys with their $155,000 talks did that and started giving it to EFF or Securing Change or one of the other charities. I think that'd be a little better. So how many big conference
keynotes tell you anything new or different?
That's an amazing foundation. There's a little bonus irony, since Steve Christey and I did a huge talk about vulnerability stats and bias and all that, and I lie with stats later on in the talk, and you guys can call me out on that. And I even have a footnote in the notes that says, yeah, I know I'm lying, but okay. So we know security is needed and the state of affairs is bad, but most of us can't qualify it other than saying, oh, it's bad, and here's some high-level stats that mean, you know, as much as that one does. Does that seem right to you? No. We need to fix that. So what's kind of the
status of security, or at least as far as I see it? Yeah, it's complicated, for sure. I don't think the industry understands fully what we're up against. Do we know that companies, some of them claiming to help you, are actually working against you? "I'm a security company, spend your money with me, I'm going to help protect you," and then as soon as they turn around and you're not in the room, they are working against you. It's not that they're doing a bad job; they're just like, no, I care more about lining my pockets than your security. And it's not happening as a one-off, it's at scale: these multi-million dollar companies that balk at inexpensive
solutions, and they say the scariest thing I've heard in my life in 20 years of infosec: "our customers aren't asking for better." Yeah. You know how many times I've heard that in the past two years? It scares the hell out of me. So I say, well, of course not, you're an idiot. Your customer hired you because you know security; you're the one that's supposed to bring these solutions to them, and they don't. They're like, oh, you know, we only made $2.3 million last year, we can't afford that $20,000 solution that would just, you know, make our service radically better. We're not going to do that. So that's not good. We're up
against hundreds of millions of devices that aren't patched on time and never will be. So yeah, we can play the patching game, but even in the modern state of things, how often do you see an organization fully patched within 24 hours of a release? You basically don't. Yeah, it's not going to happen. We have to consider millions of devices that can't be patched at all, some of them running critical systems, and that's SCADA, which you can go tool up and mess with some really cool toys. Ooh, female in technology ready to launch a nuclear missile, yeah. That computer can't be updated either. So how are we going to protect our assets
when we can't update anything? I was actually going to use this screenshot for the last, but only about half of you would probably get it, all you old people. So we have to understand the financial reward for doing bad things is greater than the punishment, because law enforcement is woefully behind. When federal agents are actually up on technology, and yes, there are some out there, there are some agents that are malware reversers, and these aren't just like the CART team and the geeks, these are gun-carrying, badge-toting guys that can do really good [ __ ]. But the problem is they're still way behind because of the resources. They'll spend up to a year
investigating one guy or one group of bad actors when there's hundreds and thousands out there. So the old adage of running faster than your friends when the bear comes, it holds true regarding law enforcement. Bad guys only have to be a bit smarter, or in a better jurisdiction, than their peers; because law enforcement takes that much time, they can get away with it. But we see that same adage applied to network [ __ ], and it doesn't hold anymore for the average company. They say you have to be more secure than the other guy and that's all. No, there's a lot more bears in the woods these days. How many of you actually watch your logs and see how many attacks
come in? It's not like 20 years ago where it was like, oh [ __ ], there's an attack, it's been three days since we saw one of those. Yeah, now it's like, well, there was 30 last minute, ooh, we're down to 20 this minute. So it's a whole different thing. No, it was actually one of the things to reflect light; that was a National Geographic team, the camera shoot didn't go so well, and the first picture was... anyway. So there's tens, maybe hundreds of thousands of bad actors out there doing cutting-edge attacks, and in the last 40 years we still can't figure out spam. We're the professionals, we're the geniuses, we can't figure out spam, and we
think we're going to get a hold on these high-end attacks? And don't use the AE, yeah, yeah, yeah, cute. Okay, security, yeah, damn it. We still don't use secure programming languages to help save developers from themselves and save developers from everyone else. And yeah, that was an actual cross-site scripting on the web page; of course it had to be statically added, but... and down here Jim's like, ah, yeah. So everything's working against us. We see worn keypads, security deployment fail, people that click [ __ ], a general lack of understanding. We have devs that have no incentive to think about security, no executive buy-in, software meant to protect us that adds vulnerabilities, and
an accepted standard that's barely the No Server Left Behind Act, trademark, copyright, no. So security software, and this is another lie with stats, but not really. So security software is in red there; those are vulnerabilities over the past 10 years. In blue is Microsoft vulnerabilities. How many of you realize that the security software you're using these days has collectively more vulnerabilities than all of Microsoft? Yeah, not many raised your hand, and that's kind of scary. As an industry we talk about understanding hackers and thinking like them, yet we continue to provide degenerate solutions that show no understanding, such as IP-based threat intelligence. How many of you were around 20 years ago hacking, and we were like,
oh yeah, I'm going to divert through this system, or, you know, dial into this one, divert through that one, and then make your attack, and then the next day it was a different system? Yeah, 20 years ago you were showing that IP-based intelligence is ridiculous. The vendors will catch up soon, yeah, wishful thinking. Yeah, so we have data loss protection that doesn't seem to work against the over 13,000 breaches that we know about, and by the way, that number is way out of date now: 13,195. That's because I wrote these slides like a week ago. That number's already way up, and that's kind of scary too. So there has to be a way to improve the
dismal track record and actually improve things, right? I mean, that's why we're here, in theory. If not, then we should throw in the towel and go volunteer at our favorite shelters, be it animal or human, doesn't matter, because doing that's going to save the world a lot faster than what we're doing right now. If you don't agree, consider that others have already thrown in the towel and given up, and unfortunately for the industry, sometimes they're a cornerstone of our industry. This was said in March, or on March 20, 2013, a year and a half ago. So all those firewalls, IDS, IPS, vuln alerting services, vuln stats, they're all based on CVE, right? Yeah. They're only missing about
32,000 known vulnerabilities right now, and they said, yeah, we're not a comprehensive database, we can't keep up with this [ __ ]. That's because they only get a few million a year, and other solutions out there did it for 20,000 a year. Does that seem right to you? No. Why do you use them? Consider it. So at some point we have to reconsider our battleground and come up with a new paradigm. I'm going to drink twice for that line. Then we need to stop using ill-fitting military terms, industry buzzwords, and just speak plainly, else this will become the most important part of our security offering. Yeah, it already is, I mean, how
many of you are like, hey, screw the con, we're going to BarCon and HallCon and everything? Yeah, there's a reason for that. We work long hours, we don't get a lot done, it's stressful. So, a bit of perspective before we come up with that new paradigm (it's three drinks). We really need to get some grounded perspective on some things that are hindering us from making positive change, in addition to that whole tirade about the bad guys and stupid users. The industry, we're our own worst enemy. Our intentions are the best, but as they say, the road to hell is paved with good intentions. There's a few things our community is losing focus on, and
ultimately they're doing as much bad as good. And let's start with the impact of our work, specifically vulnerability research. Now don't get me wrong, there's a lot of great research out there; I'm a fan of a lot of it. It's very important to the industry, the consumers, and for those who we seek to protect. A friend was at a security conference recently, going around talking to people, and she recalls how everyone was up in arms over devices like pacemakers: oh, they can be hacked, you know, this may lead to a death or whatever. And she looked around, and everyone was overweight and drinking coffee and smoking, and she's like, isn't
heart disease on your mind? And they were like, eh, doesn't matter, you know. So she asked, why aren't you focusing on that? And they were like, hey, that comment's harsh. The [ __ ] it is, and that's logical. So about 600,000 people die of heart disease in the United States every year, which is one in every four deaths. Pick one of your friends to kick off. Why aren't you concerned, huh? If you Google "four hackers," that's one of the only pictures you'll find of four hackers, anyway. 234,000 death certificates listed diabetes as the underlying cause of death or contributing cause. Over 3,000 people in 2012 due to crashes involving a distracted
driver. As many as 1,000 people die a year to autoerotic asphyxiation; hail to my kinky folk, yeah. Site, pay for site, yeah. And death due to hacking pacemakers comes in at a resounding zero. Yet this is the big concern, this is what everyone's pushing. We see people on TV, on Fox and CNN: oh my God, pacemakers, they can be hacked, medical can be hacked. Yes, it can. I'm not doubting that; I've seen the research, it's there. It's just that you have to put it in perspective. So when you talk about it, just remember who you're talking to. The next thing we seem to be losing focus on is our desire to hire more
security people. For several years there's been articles about the increasing demand and how we're a zero-unemployment industry and all that. We see long-standing certification bodies continue to push their meaningless certifications, new cert bodies jump on this, yeah, and hundreds of boot camps that offer a quick path to getting certified. And if $600 and one week isn't good for you, there's some of them that'll just outright sell it if you have the money; no name is mentioned. Hiring more warm bodies won't help the security problem at all; in fact, it's going to hurt us, if anything. Even worse, we have a small amount of people in the industry that have gone overboard
on demanding warm bodies represent both genders equally. Yeah, there's a few ears perking up right about now, I know. The arguments range somewhere between simple needed feminism and an irrational desire to have more women in the industry, qualifications be damned. In the process of lobbying for this, some of them, no names mentioned again, are causing more drama and are counterproductive to the goal. They seem to forget there's a difference between being offended and being harassed. In some cases they actually manufacture drama at conferences; they go out of their way to set up drama. They bring a reporter into the conference to witness this drama, telling the reporter, oh, something might happen, and try to,
like, base their cause on this. And unfortunately some of these organizations, no names mentioned, like to do it at BSides, so I'm kind of a champion for BSides, and [ __ ] them for doing that and ruining good conferences, or trying to, and it's awesome that BSides stands up to them and says, you know, we see through you. I know we have no one in the audience that discriminates against women, or will admit to it, yet it's a serious ongoing problem because it happens every day. And in some recent cases, I think right now they call it GamerGate or whatever, we're seeing a great example where females are getting death threats and they're having to
cancel their talks at the risk of having themselves or their family hurt, and that's wrong. To anyone discriminating against women for any reason, let me share with you a historical secret: they've been doing it longer than men. Get that [Applause] right. Grace, we like Grace. Yeah, if you actually read the story behind this, she's the awesome one in the group, and that's why the men are like gathered around her: she did cool [ __ ], they didn't. Yeah, first home computer ever built, a female did it, imagine that. And if you really think women have no place in tech, there's someone that does have a message for you: [ __ ] you.
[Applause]
Yeah, so that's the prevailing thought right now in our industry. Come on, I didn't make the slide, you just have to Google and you'll find it, come on. So how about, as an industry, we drop the gender and race argument; instead we treat everyone as a basic human being, for starters. Then we discriminate on one thing and one thing only: qualifications. Are you smart? If you are, work in the industry, we'll be happy. Are you not smart? Get the hell out of here. Sorry, I'm picking on these two because I know them. More importantly, if we do this, then when women, when the racial minority, whatever that is, which in some places is the white man, it
doesn't matter what the minority is, if they come in and they're qualified and we treat them with respect, we will have happy infosec people that will solve problems before any of this other [ __ ] will. So I am told keynotes are meant to inspire, and I know I haven't been doing that yet, but people pointed out I should inspire in a good way, and I was like, damn it, that's getting more difficult. That qualification is important, since, like many of you, I'm a career pessimist. Our industry is based on pointing out the negatives: penetration tests show where security and admins fail, audits show where we don't meet compliance, vulnerability disclosure shows flaws
in programmers' code. That won't change unless we abandon our industry, and that will not happen because we all enjoy our paychecks, myself included. So what used to inspire hackers? Let's see if we can figure out where it came from and maybe divert it in the right direction. Early on it was man versus machine, in the general sense. Even before computers we had phone systems built out of elaborate electromechanical moving parts that allowed communication over a weird mesh of copper wire. I mean, when you think about that with what we have today, it's fascinating that that even worked. And it took a freak to say, that's more than a wall phone, that's basically a gateway into the unknown, and
they started exploring. Then it was the personal computer, especially the early kits you assembled. As the computer grew and became more powerful, became more featured and allowed us to communicate, then we had bulletin board systems and we started to share more. Then the internet made its appearance; the BBS world was expanding and it lowered the bar for who could get online. It wasn't just the greybeard hackers and researchers anymore, and that opened the network to continue to inspire, explore, and build tools, and sometimes those tools did good or bad depending on who used it. Early hackers had it easy, going up against systems with basically no security. This was
before firewalls, yeah, imagine that. Imagine how easy it was hacking back then, and to a degree it was. On the other hand, it was very hard: you didn't have Google, you didn't have manuals, you couldn't download 18 different operating systems and run them on VMs on one computer. So the first big roadblock appeared, and that roadblock is called security, and it deterred a few people; the rest were inspired. Then admins started disabling services, changing default permissions, and putting up firewalls. The majority of avenues were gone completely and the cat-and-mouse game intensified for a while. I know it's not a mouse, but I'm partial to squirrels. Yes, that's a chipmunk; it's also in the
family Sciuridae, which is the squirrel family. A few of you, I know, are just like looking for it. So then the web happened. It brought back a lot of passion for finding new ways in, for hackers losing interest in the network side. Yeah, that's one of the times my domain got defaced, Fluffi Bunni. He was cool, she, I don't know. That roadblock of a firewall was no more because it had to let traffic through to the web server. At first they were simple web servers. I heard an "oh God," did I put someone's page up on accident? It's like, oh my God, I made that. Web servers and static content, then apps became more
robust, not just one service, HTTP: we had PHP, JSON, XML, oh my. A dozen new classes of vulnerabilities popped up: cross-site scripting, injection, traversals, auth bypass, you name it. And we learn that as security slowly catches up to the attackers, inspiration is harder to find. We have to find new things to stimulate us and make us more interested; if not, then your job becomes a job. A lot of us started doing security, we got a paycheck, and we were like, this is great, I want to do this, I was doing this for free before, now I'm getting money. And at some point, no, it's like, I've got to pentest that shitty network again, I've
done it four times, they're not fixing anything, this isn't fun. Even the best job in your mind can suck. We can all break [ __ ], that's a given. We all know that most software is not designed for security; admins build systems for usability, and entire projects are graded by deadlines or budget. Hackers and security professionals like to boast about their greater intelligence as compared to many others. I largely agree; I don't think that we've been showing it for many years. Since we've proven it's easier to break than build, you aren't surprising anyone in security when you say, well, I bought this device and I ripped the case off and I soldered some wires on
and I loaded my own firmware on the device and I got root. No [ __ ]. You'd be surprised at how many talks are submitted to conferences where that's the underlying principle. I'm on the DEF CON CFP team; we probably rejected a dozen talks that were like that, and a few got through because they were flashy, they had great names, and it's like, oh, we're going to expose this many devices in this many minutes. If you were in that talk, you saw, yeah, you can get root on 20 devices, 19 if you have a soldering iron. Is this a surprise to anyone? Yet it was one of the more popular talks. So we're not showing our intelligence as
we need to. So I challenge you. My designated fighter is Jim Manico, so if you want to come at me, go to him. Give up the red cape, put on a blue t-shirt. Every part of daily life is working against us; test your mettle and prove you're a badass at infosec. Switch sides, work on defense. We all break [ __ ]; breaking in is a lot easier than defending it. There's thousands of bad actors already in your networks or desperately trying to get there. Find a new creative title you love, have fun with it, embrace it, run with it if it empowers you, as long as it's not "evangelist." Quit using
that term. So hopefully you found a little bit of meaning. I know, I image-searched Twitter, "kick froggy," yeah, yeah. So hopefully you found some meaning in this talk; if not, I'll be taking $5 a seat for the next talk. Questions? You boo me for taking questions? Oh yeah, meerkat. Okay, seriously, yes.
So the question is, what is the future of defense? And asking me that is like asking an NFL football player about diversity. They're going to stand there and stumble for a while and be like, here's some buzzwords, and that's about all I have to offer on defense, because I just haven't done it. Back when I was actually doing defense, it was my own system; it was 15 years ago. I think I kept most out, but eventually, no. Attrition's been popped at least three times that I know of. We operate daily under the assumption that it's owned, by more than one person, and that's kind of a scary thing, is that that's become
the norm for a lot of people. At other recent BSides we had some panels where we kind of put forth the idea: if everything is owned, how do you do your job? And one of the kind of interesting concepts was, well, don't try to defend everything. Why are you trying to defend 100,000 machines on your network? Isolate your sensitive information, put more weight into those. If desktops get popped, just make sure that you actually have access restriction, you have access lists, you know, [ __ ] that was like 30, 40 years ago as a security concept that we still fail to
do. I know. Oh, of... right. So there's an age-old chart: as security goes up, usability goes down, and you have to find that little sweet spot. To us in the room, the sweet spot, security is way up here, usability is way down here. To a developer, to the end user, they're like, if I catch a whiff of security, I'm coming over there and I'm kicking your ass. You know, they want to be able to go to Twitter, to Facebook, browse their porn, whatever, and the more privileges you give them, the harder it's going to be to defend your system. We understand that. So at some point we have to say, this is a company resource,
you're on a company computer, and you're going to follow company guidelines, end of story. If you want to browse [ __ ], bring your own device and know you can't get on our network. Why can't we do that? Why are we giving in to our users when they're the ones making our lives hard? At some point we have to stand up to them and say, you want me to do my job? Well, start doing yours instead of browsing these porn sites that have, you know, drive-by attacks. Oh yeah, requiring secure code, there's another unicorn. There's some languages that basically work against that completely, and they're like, ooh, hey, we can use this language, I heard PHP is
easy to learn. And I knock on PHP, and part of that also is because if you ever look at the developer track record, they're about 50/50 on whether they even acknowledge a security incident. It's like, hey, that vulnerability could be remote code execution, flip, nope, not going to deal with that one, next. That should scare you too. Any other questions? Space
Rogue? Okay. In that case I'll be out there if you want to ask questions that aren't in front of the audience. Thank every... I'd like to thank everyone for their time, and hopefully you enjoy the conference.
than