
I Am The Cavalry: Track Introduction and Overview (Part 1)

BSides Las Vegas · 2015 · 26:51 · Published 2016-12
Josh Corman and Nicholas J. Percoco mark the two-year anniversary of I Am The Cavalry, the initiative engaging policymakers and industry on issues where connected technology intersects public safety — automobiles, medical devices, and critical infrastructure. They recap the movement's origins, the 'fuzzing the chain of influence' approach, and showcase progress including Dräger's coordinated disclosure commitment and the five-star automotive framework.
Track Introduction and Overview - Part 1 - Josh Corman & Nicholas J. Percoco I Am The Cavalry BSidesLV 2015 - Tuscany Hotel - August 04, 2015

All right, let's get started. Yeah, sounds good. All right, so welcome to the kickoff for the I Am The Cavalry track, and just to be really, really clear: we are not the cavalry, you are. So we're gonna give a quick five-minute primer for anybody that's brand new to this, but we actually launched here two years ago, here at BSides, so it's our two-year birthday, and we're gonna both frame the day but also explain what the journey has been like thus far and why we're very encouraged by it. So two years ago, where were we? Yeah, I mean, I think a little historical piece: you know, it started with a lot of conversations

between Josh and I. You know, my motivations for getting involved were different, they were different than Josh's. My motivations for having these conversations and starting to talk about this had a lot to do with the criminalisation of security research; that's where my motivation started, and then it shifted to, you know, having conversations talking about human life and public safety. Yeah, yeah, yeah. So just as a short introduction: two years ago we were finally motivated enough. What we saw was the problem statement that kind of unified us, that our dependence on connected technology was growing a lot faster than our ability to secure it, more specifically in areas that affect public safety and human

life. So automobiles, maybe you saw those in the news recently, medical device hacking, critical infrastructure, the Internet of Everything basically being the Internet of hackable things. So what kind of unified us, whether it was my research on Anonymous or his juice-cleanse nightmares about how we were going to have to get licenses to be security researchers or programmers, that we might increasingly criminalize this like we've seen in France and Germany and South America, and even domestically there's things like Wassenaar and whatnot. But right now Jen Ellis is talking about a lot of laws that threaten, if implemented incorrectly, they really threaten our profession or hobby, what we do, in a way that would not

be so good for public safety. So initially when we launched we said we wanted to address issues that affected body, mind and soul. Body was the public safety issue, mind was the increased criminalisation of security talent, and soul was the mash-up between civil liberties and cyber. And yes, we're gonna say cyber a lot here, because the people we're speaking to, that's the word that they use, right, and cyber is on the news every single night and Congress critters use the word cyber, and part of being a good ambassador, and the heart and soul of the Cavalry movement is to be an ambassador: if you go to France you don't speak in English, you know, you want to learn the

language, learn the customs, you want to have the empathy to meet them more than halfway and find some common ground. So the idea behind the Cavalry is we'd look high and deep as far as we could; we got pretty far along in our careers, we found the adults in Washington and we found the adults in Europe, and what we realized is the cavalry isn't coming. No one's coming to save us for things like this. We are the voice of reason, we're the voice of technical literacy, and if we don't try to do some things and experiment and fail fast and iterate, then we're just gonna be screaming into the darkness and talking amongst ourselves in the echo chamber. So while I have deep

love for both of the debaters on the keynote stage, that cynicism isn't solving anything, and finding more and more zero-days isn't really changing the incentive structure within which we find ourselves. So the Cavalry was really just a personal statement that you would make, that you're going to try something: I'm going to try to raise the conversation, get outside the echo chamber and be that voice of reason. So we deliberately targeted public policymakers, the general public and those four industries. Very quickly though, Beau, who wasn't even at our lunch because he was presenting opposite of us, really jumped in head first. What was your, I guess, your introduction, motivation? Uh, yeah, so I kind of got

introduced to Josh over some Yamazaki in the speaker room that day, and really my motivation was just, I saw that we have the ability to change things, to make things better, now more so than ever. So taking that instinct and putting it into action, I saw a lot of promise in what some of the security community had done, and this being one of the leading efforts, as well as some of the things that a bunch of other people were talking about. So the ability to actually influence change, to be effective, to not just continually be frustrated in banging our heads against the wall because we couldn't find that better way. Yeah, yeah. I guess I was gonna say we

introduced on that first day, we introduced a concept that we called fuzzing the chain of influence, which sort of goes back to what you were saying: we're gonna try, we're gonna fail, we're going to keep trying, or keep failing, and then we're gonna find ways to influence the right people and get the right people motivated, and I think that's still true today. Talk about some of the things we're working on. Good. So you'll see throughout the day we're going to do a couple of different chunks on the agenda. We're gonna have Karen, who has been a really passionate, enthusiastic person willing to try to fuzz that chain of influence and be a good voice and be a good

ambassador. We're also going to have a focus on do-ocracy, so Pierce Nickerson, Tim Kravec, Beau and Tod Beardsley from the Metasploit project are going to talk about how do you actually lead volunteer stuff, because our culture generally doesn't like to be joiners, like we're very solo actors, we don't like to do things in groups, so how do you actually get progress and tangible results in a do-ocracy. We're also going to have quite a bit of update on our progress on medical, and we've had some pretty stunning breakthroughs recently on making medical devices safer by working with the right stakeholders in the government, in the medical field, the right white hats at the right time, Glenn

and Katie Moussouris and others for the ISO coordinated disclosure type stuff. So we're going to give an update on that later today. We also have had probably the most impact on the automotive industry, and while we didn't have a sexy video on Wired, we built really serious trust relationships with these guys. We have a few things to announce on that front this afternoon, but one of the things we want to do is show some of our progress; we'll probably get to that in one or two minutes here. There's, I had some things I was gonna say today; I'm gonna change my mind a little bit after having a fairly cynical dinner with lots of really good researchers

that just have convinced themselves that nothing's going to work. And I think maybe one of the defining characteristics of this, and Katie Moussouris was the one who put it in our heads in the first place: it's not our technical skill that's making this thing work, it's our empathy. And I thought I was born without it, right? It's not the kind of trait you would think would be useful here, but she basically said, Josh, if we want to change the world we have to change ourselves first. And we're really defeatist, really negative, we look for what's wrong with something. If we're going to be effective teammates we need to build those muscles, and the further we get into this experiment, two years

later, every single thing that's worked has been because we looked for what was right with something and we used the language of the target that we were speaking to, whether it was Congress critters, the FDA, the device manufacturer. You know, they have similar goals to you, they just have different experiences than you, and I think the heart and soul here is, when you see a coordinated disclosure policy come out from United, most of our friends pointed out everything wrong with the United disclosure policy instead of saying they're going to crawl and then walk and then run, and what we should do is celebrate it. Any time someone says we're not going to sue researchers who test stuff and report to

us, we want to start that learning curve. And what isn't seen, because we don't get the headlines, and I don't mean to be negative here, but for a moment, what isn't seen is the treatment that United received from our friends mocking their coordinated disclosure policy got a different airline to decide not to do one, right? Because these guys are, they're putting a little baby toe in the water to see, maybe we'll just let people hack our website, and when their toe got bit off by vicious piranhas, who would ever get into the water, right? So I'm not trying to judge us. I think the idea here is, for this to work, it's not so much our

technical prowess or our zero-days, it's our willingness to be a helping hand instead of a pointing finger. It's our focus on future success instead of past failure. It's coming with an open heart to be a teammate instead of being someone telling them what they're doing wrong. It's encouraging the good choices they make so they start their journey. And what we want to do is, if you look at Microsoft, it took them, you know, probably 15 years for their mean time to enlightenment. They used to, you know, our friends used to frame their letter on their wall saying here's the threat I got from Microsoft legal about the bug I reported, and now they have

BlueHat and they have six-figure cash prizes and they treasure the collaboration, they need it; their software development teams depend upon collaboration with third parties. And that was a mean time to enlightenment of 15 years, when you really need and want to compress that to three to five years for auto and medical, things like that. So I would just encourage you for the next couple of months, and the fact that you're in this room probably means you have a better attitude, but there's plenty of things these guys are gonna do wrong on their learning curve, but this is year one of their learning curve, and what we found is when we're patient with them and when we engage them, we get invited

in. We did a full-day workshop with the Food and Drug Administration, what, two weeks ago? They'll have us asking questions, we'll accelerate their learning curve, we'll understand why they're stuck and they can't do XYZ like we want them to, but we'll find out they can do ABC instead. And I think that open heart is gonna, it's the one thing that's going to change our fate, because right now we're, you know, fighting a losing battle, and how do you win a losing battle? You change the rules of the game. So between Jen Ellis, myself, there's some government folks in the room, I think I've done 200 congressional briefings, Jen is probably on 300, and we got to the point now,

you're going to hear about this later in the current medical thing, but the committees that are asking and forming law for automotive cyber safety are basing a lot of their questions and source material on the five-star that we launched one year ago. So I would say two years into this, the experiment is working. Now it's slow, you have to build trust, and the people who have gotten involved have learned it's less about tech chops and more about translation. But if you want to decide that nothing's going to get fixed, there's plenty of people in the echo chamber to console you. If you want to try some new things and you want to build some of those soft

skills, we're finally seeing the fruits of that, and we have a couple of surprises peppered throughout the day. One of those surprises is right now. Right, so we've got some very good friends in a lot of great places, like in Europe, where things are a little bit different than the US. We've spent a lot of our time in the US just because we're geographically located here; we've been able to take a different tack in Europe. We've had some really good outreach thanks to folks like Klaus and others who have really picked up the idea that we can get safer sooner, and one of those is a company called Dräger, and this is a

quick video. We pre-recorded this because we know that, the demo gods being what they are, we can't count on any live demonstration over Skype, so this is maybe just a quick ability to see it. Yeah, so they'll introduce Dräger. Dräger is a large medical device manufacturer over in Europe, and they do a lot of other things as well as medical devices, so I'll let Hans introduce himself and Dräger in this short video.

Hey guys, I am Hans Molson, the product security manager of Dräger, and I am responsible for maintaining and improving the security of all medical products. We are a 125-year-old family company from Lübeck, Germany, with nearly 40,000 employees creating technology for life. If you think you haven't heard of us, you still might have seen us, for example in hospitals with our ventilators, monitoring solutions or anesthesia machines, or you might have seen our oxygen tanks and masks being worn by firefighters, or Marines using our diving equipment. Whenever it comes to compressed air you are very likely to come across our products. Customers, users, operators and patients that are connected to our devices literally

entrust their lives to our products, which is why their safety is one of our top priorities. People are used to interconnected devices in their everyday life; their demand for smart appliances grows ever faster, and so does their need for security. It is important to make sure that our devices and systems are hardened enough to withstand the connected environment. Josh would instantly replace "connected" with "exposed", so to stay with this term: exposing them adds a whole new class of threats. In the past it was just the device in a closed environment; adversaries needed physical access to hack the device. This in turn means when a device was hacked, there was a targeted attack against that

particular device. Now this changed when we started to interconnect all those devices, maybe over a hospital network. By exposing them they appear in port scans, they can become subject to several forms of collateral damage, be it from malware like CryptoLocker, by automated scripts running operations for virtual currency mining, for example, or just the average computer virus. Connected devices can also be one stop on an adversary's path through the network to steal information like patient data. But no matter how much you spend on training, software quality assurance, testing and verification, there is still the programmer's law of nature with its inevitable number of 5 to 50 flaws per thousand lines of code, and so you are bound to fail. There are

several types of vulnerabilities: the ones you've fixed, the ones you know about, and the ones you don't know about. But the worst kind of vulnerabilities are those that you will know about only after others do. As a vendor, a lot of those others might be you, excellent security researchers acting in good faith and being a willing ally to us at Dräger. We would like to make it easy for you guys to reach us, which is why we are preparing a coordinated disclosure statement. The statement is in its review process right now. In addition to internal feedback we are also getting very valuable feedback from the security community, for example from Beau Woods. Once published it will be reachable via

draeger.com/security. That gives you the contact email address, which is product security at draeger.com, together with our PGP public key so that you can encrypt the sensitive information that you send to us. You can find the key also on public key servers. We give you some guidance on what you should include so that we can reproduce the issue faster, plus we'll describe what happens then and how you will be kept up to date or even be involved in the resolution. For now it remains for me to wish you a great time in Las Vegas. Thank you very much for your attention, keep up the great work, we are all the cavalry, right?

Cool. Yeah, so in case you missed that, or in case the video didn't record it for posterity, that's a major medical device company committing publicly to engaging with this community on equal terms, on equal footing, in an incredibly clueful way. Dräger and Hans are very smart about what they're doing and how they're doing it; they're very plugged into the security research community, and some of the work from some of the people in this room has inspired them to be better. So that's another commentary on everyone in this room, part of getting things safer sooner. Yeah, so I mean, if you have worked in the medical device field, their legal teams and their PR teams are

very closed, just like in the automotive industry, just like the airline industry. So we basically found a really cool, passionate hacker teammate in pretty much every one of these organizations desperately trying to do the right thing, and one of the things that I really liked about Hans was he tracked the Cavalry stream, he tracked the five-star automotive cyber safety framework, which is designed for cars but also meant for medical, and he's changing his program. Every time there's some positive press he uses that as internal collateral to do what he always wanted to do in the first place. There's people in this room at other medical device companies; if you know Mike Murray, he quit his own company, started to go

work inside GE Medical to make things safer sooner from the inside, and is slowly adding people like Josie Coley and other hackers to his staff to work on the inside. So I think this idea that these industries are clueless isn't really the case. What you have is really smart people trying to do the right thing who need teammates on the outside, and if you ready your heart for it and if you get engaged there's plenty of injection points for these things. There's also typically plenty of job opportunities to maybe stop being a whatever we're doing here and get upset with it, and maybe go inside and fix it. So, super encouraged that this is typically something they

won't want to do, but we're hoping other companies now follow suit and add a coordinated disclosure policy. Now, when you go read it, if there's things wrong with it, we will quietly work with them to grow and mature it, but please praise its existence, because the alternative is a legal and adversarial tone with these companies. So we're a little short on time for the opening ceremony, about five minutes left if I recall, is that correct? Five minutes of speaking and then we can throw it open for Q&A. Okay, so I was too long-winded before, but one thing I want to point out, if you didn't see it, is one year ago on our birthday we published a five-star automotive cyber

safety framework, and we're going to go into great detail on that later, but if you look past the word auto, it basically starts with premise zero, that all systems fail. So we've been taking the attitude not of scaring people, just saying these things will fail, whether it's accidents or adversaries, they will fail. So they're really five ready postures towards failure. The casual one I basically say is: tell us how you avoid failure, tell us how you take help avoiding failure, tell us how you notice and learn from failure, tell us how you have a prompt and agile response to failure, and tell us how you contain and isolate failure. The more formal names

are: what is your safety by design, so tell your customers how you, your SDL. Second one is, do you have a published coordinated disclosure policy, saying you will not sue third-party researchers acting in good faith, which is a form of insulation for us against things like DMCA and civil suits. Number three is, do you have a black box to learn from failure? These guys were simultaneously screaming at us that there was no evidence of hacking, well, none of them had any mechanism to ever have any evidence of hacking, so we want to break that circular logic. Number four, do you have secure updates, so is your response time to a hack a manual

USB key sent in the mail with a three percent uptake that could be implemented incorrectly, or is it a full remote over-the-air update, securely, like BMW did, where all of their customers were patched before anyone knew they were even vulnerable, right? So what we're trying to do is help them get over the hump on secure updates. And the last one, about separating critical systems from non-critical systems, is: who cares if the stereo gets hacked, who cares if they blast it on the hip-hop station, as long as it can't also shut off the brakes or kill the engine? And because we haven't segmented critical systems from non-critical systems, we don't want to fix one bug in one infotainment system

in one vehicle manufacturer, we want to fix the industry by making sure that their future designs are separating the critical from non-critical. I'm really focusing less on PCI checklists of security products that don't work; we really focused on avoiding failure, taking help avoiding failure, noticing and learning from failure, prompt and agile response to failure, and containing and isolating failure. And Beau and others later will tell you what they're doing with medical five-star, but this as the foundation of how do you create areas to collaborate together has been one of the reasons the empathy has been working. So we have the heart of a servant, the willingness to speak their language, meet them at their level, start

them on their journey, and most of them were doing some efforts within one or more of these product categories or these solution categories. The idea is not that we're going to prevent these things from being hacked, it's that we're gonna be ready for when they do. And the ultimate goal, my final word on this I guess, is our intent two years ago was to make sure we were safer sooner, and I think the last couple of weeks we've seen, and some of the surprises throughout the day, is it's working. So we really hope that you advocate, participate and start building those empathy muscles. Some questions? Questions? Yeah, so we've got about five or six minutes for

questions. We also, courtesy of the phone system, the old-fashioned thing that still runs pretty well, have Hans Molson from Dräger on the line in case anybody wants to ask any questions with him. Karen, do you have a question? You're just stretching. There's also a microphone right here, which, if you guys try to step this way, you'll get captured in the recording. Yeah, hi, so the question is about perhaps using the reputation of the people who are participating in order to support the vendor efforts. So right now, as far as I understand it from what I've read, it's done behind the scenes, like indirect work with the vendors, and you've said that there is a lot of

cynicism going around about the vendor efforts, so if it would be portrayed as a joint-like effort with some of the people who are reputable researchers in the security community, presented as baby steps, as you called it earlier, perhaps this would lower the level of cynicism or at least bring it in some way. So you're saying that when they come out with their coordinated disclosure policy, if one of us was jointly praising it, if you were just, or at least framing it right, saying okay, so this is not the best that could have been expected, but this is what they're trying to do and we are behind it, or coordinated support there. Yeah, or just another announcement

of that. Right, okay. I think the thing that breaks my heart is there were people that were planning to say we're not going to sue researchers, and they were gonna announce it this week, and they're not going to do it anymore because of a bunch of reasons. But if we understand, and I don't want to treat them like children either, I think they're doing really good work, they're trying really hard, some of them have been trying to get a coordinated disclosure policy for three years. I'm just suggesting to us that some of us can change our conversation in the echo chamber to point out what people are doing right. Right, so lately, I used to ask you what was the best thing,

the worst thing, the takeaway from any talk; I've started asking people what was the biggest surprise or what was the best part, and that's all I ask. So I'm trying to change the pH balance of the way we talk to each other, or how can we build on this. So you look at it like a little ember instead of a fire: like, we can, you know, put the ember out instantaneously, or we can, you know, cultivate it and foster it and turn it into a bigger issue. So I like your suggestion, though, we could do more overt support, and I think we did that with BMW: when they got hacked everyone was making fun of them,

and we said here's the five-star, here's two of the things they did really well, this is actually a success story. They didn't sue the researchers, they did an over-the-air update. During the over-the-air update, if you read our post-mortem, they actually were passing the updates in the clear, but they noticed it and voluntarily told everybody in their announcement, so that other people that might also have been passing their updates in the clear could start using SSL. So I think we should be focused on where we need to be as a society and where we want them to get to, and I understand it's going to take a lot of time to get them there. I

don't want to be patient about it, but I want to be realistic about it, and that's where the give-and-take comes in. Anybody else? Responsible disclosure, we stopped because most of the time these disclosures showed how badly the vendor reacted, right? They try to hide it, or it's very easy to fix it, or their fixes were broken up. Yeah, I think there needs to be some, more examples where researchers are satisfied with the response, and then that becomes... Yeah, exactly, man, we need more of that. I think what researchers, we know, run up against is that many organizations are so immature in their handling of these things; this is the first time they've ever had a critical vulnerability reported, and so that's where more

companies having a coordinated disclosure policy, we're gonna be able to see those things. So the next time Dräger receives something, somebody follows that process and basically goes through and actually has some success, we should then highlight that and celebrate that this is a success. If someone was to submit it to a company that does not have one of those policies, that's where you heard the horror stories from. Yeah, I was asked a couple of times, and my answer varies depending on the day they ask me, but I said if you could only do one star, which star would you do, and I think it's the coordinated disclosure policy, because I think that changes the idea

that researchers are a threat to: researchers are somebody that can help us. And as they get more bug types they'll start to get better pattern recognition, because the Microsoft SDL is pretty darn good right now and they still have a lot of bugs every Patch Tuesday. So they went from the idea that people might find bugs to, oh wait, people are going to find the right bugs, you could prioritize the bugs, we deliver patterns of bugs, and it fuels a positive, virtuous upward spiral. And I think once we can see that, they can start to see us as teammates and a valuable addition to their on-staff security team. That's probably the

right thing, which is why I was so discouraged to see us scare away a few this year. I still think a few of them might come through, and that's why we're extra thrilled with Dräger here for taking a leadership stance. I think what's going to happen as well is the free market is going to see, wait, this company cares about security more than these ones, we're going to put our business there. So it's not simply passing laws, like, you know, Rob Graham was poo-pooing, but we are actually working with several committees to make clueful, geek-designed policy changes as well that might actually make it easier to do the right thing. All right, I think

Karen's up.
