
Voodoo People - David Hartley

BSides Bristol, 20:46, 310 views, published 2019-07

Transcript [en]

Thank you to you 20 odd people that stuck around to listen. I wasn't expecting a large crowd at the end of the day. I'm going to close with a bit of a rant, hopefully not too angry-old-man style. You're not gonna learn much, really; my intention is just to say some things and get you to think about some things. My views are mine, they don't represent my employer necessarily, but they do slightly. I hope everyone's had a good BSides. I obviously hadn't seen the talks when I wrote this talk, but luckily it kind of fits anyway. I've attended quite a few, and the theme throughout the two days has kind of played well into this anyway.

A lot of the talks that I've seen here, all good stuff, lots of clever people doing smart things, sharing ideas. Very, you know, that wisdom is being imparted on a lot of you in a lot of different ways: the car hacking, lock-picking, teaching how to fuzz all the things, pen test the stuff, defence, offence, etc. etc., stuff on hacking careers, building businesses. It's all genuine good stuff, so I'm not gonna rip into it, I'm not gonna say it's bad stuff. It just kind of plays into what I had to talk about today, which is kind of this: what has happened to this industry was reflected quite accurately in a lot of the talks that have been given, and it's all stuff for cyber warriors and digital soldiers.

BSides is awesome, all of the BSides, all of these events. When I got started there were no conferences at all, so the fact that there are so many conferences now that have spun up in the UK, where people are sharing all the time, passing information around, teaching people new things, is awesome. But back in the day we kind of had to roll our own, and I was part of a small group. We had a little conference where people got drunk, did crazy things, shared ideas, and it was all about just having fun together, and we all worked for different competitors. There were no egos in the room, there was nothing about your big branded slides and things. Today the world's changed, it's very, very, very different. It's all cyber, it's all serious stuff, and all about being big business, and okay, fair enough, but it's become a career rather than a job, which is weird. Some even describe it as a calling. It's all got really grown-up and super serious. I've been around for about 10, 15, 20 years doing this stuff, and it's more in the last three, four or five years where it's really shifted. And again, reiterating, all the talks and everything were great, but I want to close the event by basically just reminding people to have a little bit more fun with the stuff and stop being so hardcore and serious and taking yourselves and it so seriously. It shouldn't all be work and no play.

So I've worked at two notable firms in my time. I've worked at a lot of places, but these are the most, you know: a company called @stake and a company called MWR. And the people that I worked with at these firms are just awesome crazy bastards, and play with anything and hack anything and do it for shits and giggles. And it does turn into marketing, and it does turn into talks at various conferences, and yes, services fall out and we make money, but that's not why anyone did it. We didn't go and do these things to solve cyber or to save the world, it was for fun. A couple of prime examples here: some hacking we did on PoS devices. We modified them so we could play video games on them, and spent longer writing the games to load on there and play than doing the research and finding the bugs and weaponizing an exploit. No one said "no, don't do that", because people were having fun doing it, and people just do stuff because they can and they've got the freedom to do it, no restrictions or constraints on what they choose to research.

Now, I was having a conversation with one of the vendors over there about their education program, and I suppose I asked a question about how they are teaching people to do research, and the way that they are doing it is by handing over a documented methodology, prescriptive research, and then giving it to people and saying "that's how you do research", and then products and services and money fall out. Bores the [ __ ] out of me, and you're not going to get good stuff out of that, you're just gonna get formulaic stuff. Put someone in a room with a bunch of stuff to play with and just let them get on with it. Set fire to it, burn it, melt it, whatever happens. Something good might happen, something bad might happen, but it doesn't matter, you just keep doing that and just have fun more. So I owe a lot of people at MWR and at @stake a lot, because they're the ones that brought me up and I grew up with that, and that carries on to the people I work with and the teams that I run and the people I teach.

But why did this happen? Why did this industry get so grown-up and super serious all of a sudden? And it's for valid reasons. Globally we are losing trillions, trillions of dollars, pounds, whatever currency you want to put on it, and that's increasing each year from cybercrime. So it's a very real problem that does need something doing about it, I'm not belittling that. The UK specifically is losing billions every year also. Now, all that money's flowing out. Imagine if we had a corruption-free government, country, where that money wasn't flowing out and it was staying here, all the good things that could be done with it. So it is important, but it is big business for criminals and the economy pays a hefty price, so it is serious stuff. But it's also a big business for industry too. Now I work for a consultancy, which is further along here, but I still put myself in the same camp. If all of the companies, countries, economies are losing so much money, these guys are making a lot of money out of it as well, and they pay taxes, so really no one talks about how much it is really we're losing versus the industry that's cropped up, you know, whether it's products, whether it's consultancy, whether it's sales. It's all about making as much money from this stuff as possible. When CREST launched in 2006 there were three or four companies on the list, rubber stamped as being A++, would do business with again, whatever. There's over 150 firms now worldwide that are accredited, rubber stamped as the best to go and get your security from. And CREST itself is a not-for-profit organisation; it doesn't mean they don't get paid, everyone pays their membership fees, so there's business in rubber stamping people to do business.

There's also a massive skills gap, that's legit. We're told all the time that we need more cyber people, more people with more skills to solve all these problems. There's not enough of us to do all these things, apparently, so that's genuine and legit as well. The UK government have even made it a top priority to build more cyber people. However, I've seen this in lots of different industries, where someone decides there aren't enough people so we go and build people, and the motives aren't always the purest. So engineering, construction, nursing, the same happened in those industries. There weren't enough people, but what that really meant was, because it was a scarce resource you had to pay a lot of money for it. So if you over-populate the industry with more and more people and stop it being so scarce, you can pay less. So it's really about driving the cost of it down, so again it comes back to business. I just wouldn't assume that everyone that's shouting about the skills gap and "we need to build more and more" is doing it with the truest of intentions.

It also, obviously, if being a good citizen and saving the world and being a digital cyber warrior isn't enough for you, then there's [ __ ] tons of cash to be made. You can launch a cyber security company, you can be a cyber security warrior, you can get paid the big bucks, buy the flashy cars, go on all-expenses trips to Vegas and party, etc. It's just this constant temptation of internet fame and fortune if you come into cyber: the financial rewards for uniquely talented people and all the rest of it. Oh great, there's also plenty of recruiters out there that are willing to tell you the same and dangle big wads of cash at you every time you land at a different company. Just a personal view there, I think they're all snakes. I dare say, like, some of you are already in roles, some of you are looking for roles, some of you are studying, etc. Everyone's telling you there's a massive skills shortage, you're a scarce resource; why would you need to pay a fixer to find you an employer? There's a whole bunch of desks over there with people asking you to go and work for them. Internet people know how to do OSINT but can't figure out where to get a job? You've got to pay these guys, and yeah, you do pay them, because they take a cut of your future earnings. Demand is outstripping supply; you don't need to pay someone to find you a role.

So it's super, super attractive now to come and work in cyber, whether, you know, it's recruiters trying to attract you, it's various different consultancies telling you how exciting it's gonna be, how challenging, how you're a special talented little unicorn and you're the only one that can do this stuff. But that's not enough now, we need to build the people in the shape that we want them to be, so we've got frameworks now, put out a little trail from school to college to university to whatever, a little trail of "do this, then do this, do this, do this, do this", so we can get you to be a cyber, just to make it more accessible to get the skills. We've also got education curriculums, so again about further refining people into this mould. We're sitting in a university, that isn't lost on me, where there are cybersecurity courses, but it's the same across the land: lots of different cybersecurity courses, all called something different, but again it's about building this next step along you take from school to college to university, cyber courses galore. And then we've got the industry roadmaps that get put out, so the likes of CREST and SANS, that again tell you more learning is necessary: do this course, get this badge, get this certificate. And all it's doing is producing more and more cloned individual cyber warrior, cyber soldier, ninja, whatever, all factory-produced for the roles that apparently we need to solve cyber and defend whatever. But it's just, to me, it's all geared up just to flood the market with templated people, the cyber factories.

Now I'm not saying it isn't real, we do need these people. Society, community, industry, nations, every one of them is facing genuine and real threats. What we do in our profession is important stuff, it's just I think too many people keep going on about how special you are, or how special we are, and it really leads to that taking ourselves far too seriously. But then we are charged with defending societies from attack, relied on to enable corporate success. We see stuff about how security should be enabling the business to make more money, we should be defending it to stop it from being attacked, we should be stopping all this money from flowing out, we should be securing our nation's secrets, etc. You know, you get this picture, it's like what we do in cyber echoes across eternity, and I just find it's all a bit heavy. Pressure, much? It's like, no, this isn't what I do. So the reasons I do what I do, it's certainly not why I got into it. When I got started it wasn't even a proper job. There was no internet fame or fortune, we weren't seen as digital heroes. If I said what I did as a pen tester my friends sniggered, we were seen as dirty hackers. Exploits didn't have logos or websites or marketing teams. I didn't know it was a job, I just sort of fell into it. I really fell into it, like a lot of other people, just through curiosity and experimentation, wondering how that works. "Well, I'm not gonna ask someone how it works, possibly they don't know, I need to break into it, I need to open it up, I need to figure it out." And, you know, others thought it was some sort of life skill for survival in a new digital age and all this [ __ ], some activists, you know, a call to arms to start the new digital revolution. So it's not like this cyber warrior stuff is new; there were other people back in the day, still living out there, as different fantasies online. But most people, myself included, were just [ __ ] around with computers, just geeking out in our bedrooms, playing with stuff for the fun of it. We didn't take ourselves seriously, we didn't think we were serious people, no one took us seriously either. We were just doing it for the lulz.

And today it's very different. But I don't know when it kind of happened, it's snuck up on me. Apparently now we're all cyber warriors, defending the world, safeguarding the digital future for everybody, and you get stuff like this from consultancies, like that's their red team or whatever. Please. So you get this stuff as well: "call to battle to protect our nations on the digital battlefield". You know, those guys over there that are wearing camo, they'd even laugh at this, yeah. Who do we think we are? We are not digital soldiers, we are not cyber warriors, it's nonsense, there is no cyber terrain to capture. But in reality this is what it is: you remove the marketing spin, the attractive "come into cyber" etc., and you just end up in a big corp drinking low-cal dairy-free lattes, auditing systems and doing PCI reports. But obviously that doesn't attract many people to the industry. But I mean, like, it doesn't have to end up that way, it doesn't have to be this. So I kind of want to ask: why did it stop being about having fun for people? Why did it? Taking all that is super serious, and all those threats and things are real, but why has the fun gone?

Now I speak to a lot of young people coming into the industry, events like this, when we interview them, etc., and they're just so super serious. They're all about their career: how far is their career gonna go, when are they gonna get that title, when are they gonna get that badge, how are they going to end up as a CEO or something. And Jesus, that's depressing. It's just, but they've come through this indoctrination, they've come from a factory line producing these people. They think the same way, the CVs are templated, the places they study, they've all got the same skills but there's no creativity, innovation. There are some people still, for sure, not everyone is the same, but there is, en masse, a lot of people that are just in this to get a career, and that's fine, there's nothing wrong with that if that's what they've chosen to do with their lives. I just wonder why people aren't doing a little bit of reflection and wondering could they not be enjoying themselves a little bit more with it, and stop stressing out and putting all that pressure on yourself. It's still a very young industry and there's a lot of time to correct it.

So as a very brief, quick example, this is an event that we run called HackFu. It's happening right now in a prison in Rutland, and we just get people down there for a couple of days. This year it's a prison, it's been the Wild West, it's been an army base, it's been all the things, and there's a whole bunch of hacking challenges, some of the stuff you'd be familiar with, like, you know, web apps, SQL injection, XSS, defusing bombs, building robots to do specific tasks. And it's an immersive learning experience, but most of it is about having fun. We take our people, throw them for a couple of days into a random, weird, unique venue with all sorts of [ __ ] going on, and they just play and have fun and learn stuff in a safe environment. And I would do that over any cybersecurity course, training course, education program, classroom-based stuff, any day, and if you're interested go and look at the videos. Now I'm not pitching this, 'cause we don't sell it; you can only go to it if you work for MWR, or, you know, network. I'm just saying there are different ways of teaching people skills, and there are different ways to give people the freedom to learn things and experiment and have fun than what is happening in most places. But I mean, basically, back in my day I just wanted to hack [ __ ] just because it was fun. It is fun, it still is.

So my advice to anyone that's still here and listening is, like, don't stress about job titles, exams, certs, training courses, career, wealth, stuff. [ __ ] it, it's just gonna put you in a big, big dark black hole where there's no fun. So just break stuff and mix it up. I'm not even advocating that you just go and destroy everything that you see and find the bugs and the weaknesses; go and create something new as well. Build something for defence, build something. The Internet of Things is just full of [ __ ], but there could be some good stuff in there if people actually went and built it and played with it and experimented with it and built something new. It doesn't have to be about breaking stuff, it's just doing stuff for shits and giggles. So enjoy your job, enjoy your life, and maybe perhaps there'll be internet fame and all the monies will be bestowed on you, but maybe not; you shouldn't be doing it for those reasons. You know, definitely don't think about being a digital cyber hero, tomorrow's future digital battleground or whatever. So I'm sorry if that was a bit ranty, but mostly I hope it will just challenge you to think about where you are in your own careers, what you're doing, why you're doing it, and just go back to your offices, your homes, your labs, your classrooms, whatever you've got going on, and just do something awesome and fun for yourselves: play with something, break something, make something, whatever, just really explore that creative side. Instead of coming to some presentations where they tell you about some tool, how to use it, how to do your job, and then you take that information, you go away, you template it, you copy it. Some of the people that have spoken to you have either created tools, forged new paths themselves when they've been doing their own research, and yes it's useful, they share it with you, but you shouldn't just consume and repeat. You should go and play and safely experiment with it yourself and do something yourself.

Okay, so basically, at the end of it, just have fun and enjoy. I don't think there'll be any questions. Thank you.