
Rage Against The FUD

BSides Manchester · 2019 · 52:55 · 203 views · Published 2019-09
Category: Community · Difficulty: Intro · Style: Talk

Transcript [en]

Good afternoon BSides Manchester, we are the Beer Farmers. Welcome. Who we are, in a sec. Quick, quick, quick: massive c-word on the screen. I don't know, for me, we carry a parental advisory because that, to me, says conference, see, whether there are children there or not, so we feel it's appropriate to carry a parental advisory. I'm offended. I swear a bit, f-bombs generally; John never swears, and we don't know much about you yet, so we've got to talk. Fine. Today's the second time we've given this talk. We'll talk a little bit about the first time we gave this talk as well in a few minutes. It's called Rage Against the FUD, so rage against the fear, uncertainty

and doubt. Okay, concepts that many of you will be familiar with, working in the information security industry, often used by manufacturers and products to scare you, effectively, into buying their particular brand. Possible theories, yeah, scary [ __ ]. We will dissect the concepts as well, understand. Glad you said that, not me. My woman just started, this is fine, even at the paws of man. You really put the three hours before we start? Can I just do this? You come here, if they almost take a photograph at the back of this app, some honey, and then translate it for something. Education.

Okay, John, yeah.

[Music] Back, really, before we get into the main content, around what we're up to this year. So we've been pretty bloody busy actually. I see a lot of people here we've seen at various talks around the UK.

[Laughter]

The Beer Farmers came into existence in August last year. So we've been on... yeah, we came out with a few ideas. What we thought at the time was going on in the information security industry was that it was up its own ass, still is, as a persona, as a sport; we can see its legs now, okay. It takes itself far too seriously, and what a friction or a drama, again, still plugging it up, going on there. Well, we came together and thought we'd put a few ideas around, so let's put a talk into a conference, just speculatively, and we put a talk into BSides Leeds, and Mark Carney, to his eternal credit, said yeah, if you like the

idea of the Beer Farmers, we take the piss a little bit, we're a parody rock group, come along and do stuff. And we did a talk and it went down pretty well, knocked on from that, so we've gone around the UK talking about companies that take your security seriously, or actually don't take security seriously. That's been quite a popular topic, and we thought in the middle of the year we'd kind of turn it on its head a little bit and do a talk about something else. So we've been around a little bit. This talk we gave at SteelCon in Sheffield on the 13th of July, and we've modified the content, so there's some stuff we've chucked out and stuff we've put in, but we'll

Show of hands, who was at SteelCon and saw our talk? [Music]

Alcohol was a thing, and by the way, Dave, cheers for the whole group. Yeah, so we got poisoned at SteelCon. So as we were about to, literally before we were due to speak, we were still on the stage, and he was on the stage with what appeared to be a glass of whiskey, and then Robin, you know, the co-organiser of SteelCon, and so, guys in here, whisky, we've always got one, so this is the same [ __ ], right? No, it was different [ __ ], it was 500,000 Scoville, right, the vodka. You saw exactly what happened, right, the entire talk fell to [ __ ]. I was nervous, right, now you're drinking

like 30-year-old whiskey, we were drinking the [ __ ] that was swept off the toilet floor. Argue with the same thing, but yeah, so he took it well to begin with, like a chump, and Shawn fell upon it, and then I couldn't speak for about 10 to 15 minutes. I couldn't get anything working in the IT, it all fell apart, and it just kind of bollocksed the first ten minutes. I don't think we found a... doesn't show the bed, oh I talk, yeah, it's got to plan, so explana also good. So that was SteelCon, it's building really well, killing a bunch of people in Sheffield, and it chooses to strategically poison its main track

speakers, and they didn't just get us, they got Scott Helme, they got... who's the guy? Some guy, a couple of people, yeah.

So, fear, uncertainty, doubt: Edvard Munch's Scream, right, I'm sort of in for a bit of culture, I know nothing about it particularly. It's knit, they got the gun copy back. So let's just quickly cover what the concepts of fear, uncertainty and doubt are. So fear is... it's an emotion, a chemical emotion, that's caused by a threat of danger, pain, harm. Somebody sticking a gun in your face is gonna arouse that particular emotion. Uncertainty is, well, do I take the left room or the right room, not entirely sure; it's a lack of confidence in being able to make a judgment or a correct decision. And doubt

is the: am I being told the truth, am I being told a lie? I'm not entirely sure, so I'm unable to make a decision, or I might make a dangerous decision. So who recognises this concept out here? Yeah, so it's Doubting Thomas. Okay, so Thomas was an apostle who didn't believe that Jesus could have arisen from his crucifixion and his shanking by a Roman soldier with a spear. What Jesus did was he said, put your fingers in that, that proves to you that this actually happened, allegedly; that was what dealt with Thomas's doubts. Okay, well, the details are available, there are lots of good books out there. Okay, so anybody shout out what film this line's from? So somebody said, two people

said The Matrix. No, it never got said; it never got said in the film. It's a Mandela effect that people believe it was said, see, when Morpheus gives the blue pill, red pill thing to Neo; it never got said itself, but popular culture is perpetuating it as a thing that actually got said in the movie, and people assume, if asked whether it was said, well yeah. It's a falsehood that people have become institutionally led to believe. All right, all right, [ __ ], so that's what we think. I don't normally get laughs. So Bloomberg, okay, Bloomberg are a really big US news outlet and they talk about everything, they talk a lot of crap, and

here's an example of that. So they published, I think it was in October last year, and the article was around the idea that Supermicro, the motherboard manufacturer, was having Chinese government chips implanted onto their motherboards that would have been sold to Western countries, Western manufacturers, and backdoor data, okay, all back to Beijing, the Chinese government. But it wasn't true. And their claim was it affected everybody; as big as Apple and Microsoft and Intel were affected by this problem. There was no evidence at all in support of this being true, and they all happily came out and said this is just [ __ ], yeah, it's absolutely untrue. So

we released a record... this was when, just before, we have weekly charts, oh yeah, songs of the performance, right. So every week what we do from the Beer Farmers Twitter account is publish a record that we'd released, because it's rock, lots, and we pick the topic of that particular week, and that was amazing, associating this particular example of [ __ ]. Bloomberg regularly headline-grab, clickbait, clickbait. Yummy. Other... that's what that... the symphony one Billy Ray, would you're not in the room. Dan school is a great, very, very solid journalist, but therefore securing mommy's ear upset magazine posted this article earlier in the year,

which got us a little bit angry, I'm glad to say. The idea that there were flaws discovered in popular password managers, where the flaw boiled down to cached credentials on Windows machines, and that could be a problem that causes any kind of compromise; it's nothing specific to password managers, it was also bollocks. But the actual article had its title modified. That's what it actually said originally: that using password managers is no more secure than using a text file. Now, if that's not a headline grab then I've got no idea what is. I don't know if you can read that there, but they changed the title but categorically forgot to modify the URL, and that left in half of the

original statement. And so the research company that did this kind of trucked in a lot of that kind of sound bites and rhetoric, as did the writer of the article here, but it was absolutely not true: a password manager is nothing like using a text file in order to store... you could actually be spilling secrets, yes, on some entity, but it was a general point. And it picked, yeah, it's about that, from a common sense point of view we're trying to bring awareness and then just say a password manager is a secure solution. We've been doing that a lot, those people in there, it's like doing that, and then this kind of articles are... that's what we

need. And it's not that everyone has to use a password manager, but at least they can form decisions and weigh the use of a password manager against reusing passwords, since that's what it's all about. Then "password managers have flaws": this is really ridiculous and taken out of context, and what bothers me the most is that, yeah, a lot of people just lightly believe this, and then you get this kind of articles; I think that's not good at all. Yeah, it brings about behaviour, as you say, from what you perceive to be an authoritative source like the media. I don't know, I don't know to be honest how many foods do they get

that could be... I picked this organisation because they were the breaking news outlet, but there were five or six other news outlets that did exactly the same thing. Yeah, but the media influence is a lot more than you probably realise. So I have a side job, UK spokesman for para tech calm. Last week I gave a comment to the media about the last upgrade that actually unfixed a fix they'd done in the upgrade before; I believe you've heard about it, and they were vulnerable for two or three days. So I told the Sun newspaper, not on purpose, that I was going to switch off my iPhone and go and get a pay-as-you-go for two days

until they fixed the thing, and I'm pretty sure that got like 15 million hits online. So out of those 15 million people, some of them will have actually taken me seriously and ditched their iPhone. I didn't, because... especially an expert, for crying out loud. Anyway.

[Music]

Education, right. So 2FA, MFA, whatever FA, sweet FA: this is a debate that rages day in, day out online, all right, about the do's and don'ts and rights and wrongs of multi-factor auth. Is SMS 2FA a good idea, right? I went very public a few months ago saying actually it's better than not having any MFA at all, which I felt at the time was a perfectly reasonable argument. So for ordinary users of services that support 2FA via SMS, then great, switch it on. And then Ofcom made a change last month to make SIM or account swapping a matter of simply sending a text to your provider and they'll take care of everything, and for

me that kind of became a bit of a little pat set off moment around... let me see all the general safety in there. So that's based to a mate and I went back to my original argument and said actually I'm not so sure it's a good idea anymore. So chaps, any thoughts? Honestly, yeah, you're right, it's still... at least what you're talking about, I'm not aware about Belgium, but I think SIM swapping and things are really, really rare and very targeted. Some countries in the world are different, also, as far as I know, that's a common practice there, a lot said, but that's still going on a lot. So yes, SMS

based is not really good, but still better than no MFA in my opinion, and if you just used an authenticator app, that would be really great. But the thing is, everything is hackable, only what we've seen this with Google, with their own employees: they have this physical key and no one was phished, and I don't know how long a time it was that they have done it, but they really saw no effective sessions, that's why they're using the physical key. So yes, that's the best way we know at the moment, but it's also not feasible for an average user to use these physical keys; it's also too

expensive. So we have to deal with what we have, so yeah, my opinion is SMS-based 2FA, if that's the best possible solution... Nothing, it's a complex issue, it depends on the platform you're using. The phone you go for, a bank for example, if I use MFA perhaps, we have multiple levels of authentication; it's not multi-factor where you have a passphrase and you have your password, so the bank will call that 2FA, but realistically if you have a second factor via phone SMS it nearly slow the bearer. But like John says, using a thing, it does depend on, well, the basis of what you're defending, but realistically if you're attempting to be hacked by credential

stuffing, you're a complex solution and there's no second factor... I think adding something... Thanks very much, I won't sing a song. I know, looking at the security protocols like that, adoption is the hardest bit, so any kind of extra security is clearly brilliant, because criminals are lazy and criminals are greedy, and if they knock on one door and it's locked they'll go knock on another one. But making people adopt any kind of extra security measure is incredibly difficult. I've been a magistrate for 12 and a half years, and we have a thing called the judicial intranet, which is a closed internet platform for judicial office holders across the UK, and last year, I think it

was the Ministry of Justice decided that they would implement two-factor authentication for access to the judicial intranet, and every single old judge with a wig and a pompous voice said, I'm not remembering another password, bugger off. So they didn't do it; they've done it now, but they had a long hard slog to make people adopt it. The point being, a brilliant idea is about extra security layers, but getting people to use them is probably, to my mind, the hardest part. Yes, exactly, security as an enabler, not as a blocker. I think we as IT security professionals kind of think inside our bubble a bit too much as well, so we go on about

the idea of U2F and YubiKeys and we wax lyrical about how great these things are; we go and roll it out to my mum.

That's one of the barriers to security: us, as a community of information security professionals. We give really simple things really horrible, stupid names, like penetration tester, bug bounties, all these kinds of labels we give to things that preclude the general population from understanding what we're saying. Don't even get me started on packet sniffers and backdoor spammers; it's all bobbins.

We like to talk about this sort of thing. This is about the idea of certificates, okay, and how secure is a certificate. We need Scott Helme next. Go to certain organisations, and Trustify is an example of this, and well-known CAs are examples of this: a certificate is more secure the more you pay for it, in their heads. So for the vast majority of people in this room a domain validation certificate is perfectly adequate, okay. You own the domain? Yes, that's the prerequisite. Okay, so, but since things like Let's Encrypt... so who's using Let's Encrypt? Yeah, loads of people. [Music] Improving security, but they're funded by very large

organisations: Mozilla Foundation fund them, Facebook fund them. They're not making any money, any operating profit, and you get your certificate for free, and you can also renew it using that protocol: set up a widget and it will call out, get your new certificate, and you can have them as regularly as you want. Okay, yeah, that's kind of cool though, because we know revocation's bust. Yeah, so everybody

[Music]

This was in the pictures off your iPhone.

So that's secret, okay: free certs. It's not an issue. That's the threat to the CA industry, right, obviously. So the CA industry's kind of come back with, well, Let's Encrypt's not secure, a free cert, how can it possibly be secure? But what about extended validation, well, what about having your name in the bar at the top, that really provides authenticity, proof that you are who you say you are. What a load of bollocks, okay. EV is no more secure than DV from a true security point of view, okay. That little company name bit there, it's disappearing from all of the major browsers, okay. It went from mobile browsers a while back,

I think from the current or next iteration of Chrome, Chrome... Leslie to away where we are, okay. Firefox as well, the one in October; September and October; and the IE browsers, never mind.

[Music] So it's just FUD, yeah, it's just the idea that paying a little bit more money will give you a more secure SSL cert: absolute rubbish. And you get guarantees, you get warranties, you get a domain warranty. So who's heard of a domain warranty? Yeah, security warranty. So it comes in... we have a... if you know what you get back on, where it covers you for, or any other stuff you did. So how can they sell you something that they are in the standard room in the first place, because you... the [ __ ]. Scott, I've got lots of stickers, but it's a

workshop. So it's true, this thing... heck, was it just bad? Now, since we bought in my hairspray, right: the answer lies in the blockchain. So again, I don't understand what the blockchain is. Hands up in here if you really, honestly, do understand the blockchain. It's just a bunch of balls all linked together, and I've just been holding back from posting a picture of anal beads.

We're in the right room, guys. Anybody wirelessly enabled? Angels, Amy, last year he told me that they found some wirelessly enabled electronic nipple... to the wirelessly enabled connections. It's not secure, because no one secures anything that they connect to.

It was running the world, and it was occurring mothers. Intel, IBM already said their blockchain-enabled security ensures that you can live a happy life. Free TV on ITV in the UK, and dads watching, they would be planning r51, whatever the scores on the [ __ ]. What does that mean to my dad? And it didn't mean anything to me. I'm a security pro and I've been doing technology thirty years; it doesn't mean anything to me, and I ran a project for the Home Office for two years on bloody Bitcoin rather than understand it. So it's a mathematical thing that goes beyond my comprehension of mathematics, right, I'll be the first of many famous ladle. Hey,

it's just shine, and excuse my age thing, so maybe it's not watching, it might be

we see these, four for ten quid from River Island. I'm here all week.

So next-gen, yeah, we're all aware of the idea that if you buy Cylance you're really getting next-gen protection, other AV vendors are available, but Cylance is an example of companies that use next-gen as a concept in terms of the quality of the product, okay. It doesn't mean anything, nothing, because... the point being is "next-gen", this is a bit like "blockchain-enabled": it doesn't tell you anything, it really helps you beyond this, yeah. And I saw one from some company, there was "negative zero-day", yes, yes.

Logical conclusion: machine learning. So again, is there actually anywhere a sentient computer? Is this computer human? So Skynet doesn't exist and all that kind of stuff, great in the movies, but we haven't got anything computer-wise that can operate without taking its initial instruction from a human, oh no. So stop selling it like it's going to be the future decision maker, because if we do that we're going to start seeing it be the future decision maker, okay. Anybody got anything to add to that? No? So, zero-days. Thanks for that. We're not going to talk about... or maybe we could talk about this vendor who found 300k 0-days

and 1-days. So, tweet yesterday from, I think it was, Kevin Beaumont: are you serious, I mean who buys that? No one, I hope. It must be... smells of your ardent dogs a smaller. We get paid, yeah, we're in there every other day changing everything. But zero-days are kind of like a really trendy thing; social media loves a good zero-day, as do the media, okay. Us as defenders, vendors love it, and Google's Project Zero love it, okay. Who's heard of those guys? All of you. It occurs to me, and it's my opinion, that there are certain engineers within Project Zero that don't like Microsoft very much. But I'm like 46 years old and I've kind of

grown up with technology, didn't see jzm have a hard paper, yeah, yes, knowingly, okay, Beirut's. But yeah, these modern cool tech companies are a little bit brash for my liking at times, and Google is no exception, okay. Physician, heal thyself is a little statement about getting your own [ __ ] in order before you start criticising other people. Google's privacy situation is terrible, okay, some of the technological decisions equally terrible, but they take great delight, and Tavis Ormandy being one example, a Google Project Zero researcher, takes serious delight in firing potshots in Microsoft's direction. There was a relatively benign Windows 10 certificate bug, relatively benign, in the

the article, which really downplayed the risk to anybody of it, but the researcher played it up as well. What bothers me is Microsoft's response. So he disclosed it to Microsoft, and then you see the whole timeline, it's published; and you see Microsoft, it's not that they ignored him, they said yes, we will fix it, we need more time, and then ninety days are over and they just publish. Okay, you can say this is the way we do it with every company, and fair enough, I guess, but honestly, if a company to which you disclose a bug is really working together with you, fix it together, and it's

better; at least it's the end user who should benefit from it. That's my honest opinion. Give them a month, two months more, and then it'll all be fine. Yeah, you're absolutely right, Microsoft did engage; they said we can't release it in this Patch Tuesday because we don't think it's... recently, yeah, give us another Patch Tuesday in a month's time and we'll do it for you. There was another one recently, and that was some kind of, yeah, nothing easy to fix for Microsoft; it wasn't part of... I don't remember anymore, it was a few weeks ago. Yeah, it was in the kernel, that's what, yeah, and the main way of the fix was a Windows message, and I think

so, and yeah, then again, it's not reasonable that they can fix it that quickly, I guess. So yeah, I don't know, as well, come through in a couple of days. As an infosec professional who cares about the security posture of my company, zero-days are not actually on top of my priority list, okay. There are things that are, because if you're running something from Fortinet, whoever, and it's vulnerable to stuff, you won't think, like, take WannaCry for example, that was a little thing that got popped; imagine, that'd be pretty high up your list, to not have your [ __ ] pwned. Indeed, patching would have been my priority when the patch was released at that particular time.

True. So, right, do you want to have that government statement? Well, this one's... masters filming me from over there.

[Laughter] What would you like me to say about this? Well, give an example: the NSA went bananas about patching all of your machines globally, otherwise bad things will happen. This is, guys, it's quite rare for the NSA and governments generally to get that involved in the rhetoric and the advisories and stuff. That led me to believe at the time it was because it was a risk to the NSA, okay, so that's my example, my slide. There was one a couple of months ago, I think it might have been a zero-day in Firefox, and then the US authorities issued one as well. And you're bang on the money, it's not because they're worried about

other people that use those platforms, it's because there's a threat to them, and so by encouraging the rest of the user community to secure the platform they're benefiting by proxy, because then most of us, the user community, are doing their security for them. But they also have more, I'm gonna say, a proper grown-up, I'm saying this in company, holistic view of what's going on, and so they have more ability to manipulate the stuff and potentially backdoor it themselves as well. So, you know, we'll work hard to patch stuff and bug bounty stuff that actually they probably, you know, sort themselves out first before they've asked us to help them out. You might want to just edit

that bit. Censorship in our talks, yeah, if we did censorship in our talks... the catastrophe at the start of SteelCon, nobody would... I'd never be able to speak. Okay, I'm actually now really proud and pleased I'm banned from Yorkshire by the police, so I wasn't there to see it. We're gonna smuggle you in, you've got to be inconspicuous, right, quite bendy as well, so you could get me in a suitcase. Excuse me, I can do the crab, I won't do it now. [Music] No suitcase. Oh, so that's the reason really that I'm less worried about zero-days, and then back to my organisation, because actually it's the old crap that you've got to worry about, the fact that

you've got no lifecycle management, so there's Linux machines over there with SSH open on the internet because they were built 15 years ago by engineers; this is fine, it's a few years on there, look for any, I'm sure you people to go down there. So yeah, the point being is that there are things closer to home, rather than cool zero-days, that you really ought to pay attention to. So you're going to do your asset management properly, because number one in security is understanding what your threat posture is, and if you don't know about this infrastructure set over here then you're screwed, okay; if you don't know it exists, you can't touch it, and

then you get popped. WannaCry, stop, yeah, as I said, that petition that asked, Minister, if you love, you have correct, I'm standing on the money. If you ask a particular global supermarket brand that I won't name, as I'm being filmed, how many tins of baked beans they have in all of the supermarkets all across the world,

in their entire global estate, in every supermarket that they own, other supermarket chains are available, they'll tell you to the minute, exactly.

You said that. You're too busy listening to us talk [ __ ]. Well, one last thing, we're kind of getting to the end now, but just to re-emphasise my point from the previous slide: look at these particular examples here, that just got dumped. WannaCry, and WannaCry because, like I say, with Windows SMBv1 supported and 445 to the internet, which was what, 15 years' lifecycle? The NHS is still buying 20,000 devices on Windows XP, even though they've got to know... I worked for the National Institute for Health Research for three years, okay, working on, amongst other projects, the national patient

registry system, which was a four billion, an eight billion pound project that failed to deliver and paid a hell of a lot of contractors a lot of money, okay. Was McAfee involved in this? It sounds like a war. Yeah, I think you've answered. Let's see, Equifax, okay, so Equifax, we don't need to talk about the story of Equifax because it's very well documented: Apache Struts was the problem there. It existed

today the game

[Music]

[Applause] [Music]

See ya. Clickbait: so a lot of the crap that you see in the online magazines and news outlets, that's just there, okay, simple as that, no other reason. So machine learning, blockchain, that's all around you buying a product; let's fly onto that particular vendor's product sales. But things like the government and probably bigger news outlets, I think it's around behavioural control, I think that's what it's all about; it's about scaring you into making a decision that's in their interest for you to make. And as I said at the end, you've got bigger problems nearby, so focus, spend your energy and your resources and your time and effort and money there. So that was our FUD talk.

We hijacked it ourselves a bit throughout, but we hope you enjoyed it, and we'll see you in the bar afterwards. Thank you very much.

Before you go, before we all clear off, [Music] we've got a little bit of media we'd like to play for you, a fox, they know you agree to it. So Cybergibbons did a series of tweets taking the piss out of cyber with a Trainspotting kind of feel. Anyway, here it goes, unrecorded, sorry, part of it, then some [ __ ] [ __ ] reuploaded it. So if I know this really is going to quit before I do it... So Sam, who was on before we were, just did a little bit of John McAfee bashing; it wasn't heavyweight stuff, it was wrong compared to what we've done in the past, it was pretty... Salmonella

half long. Any questions? We've been afraid.

We've been pretty critical of it, a bit, over the last six months, if you've noticed, but we think it was Cat Baba actually that said he felt that it had been done to death, public speaking.

[Music]

What did you say, sorry? So many hospital. So we decided that we'd get rid of it as a topic when we were doing this, because it's old news, but we couldn't not play this. [Music]

Choose our fellow. It's choosing carefully. Choose a CEO, choose a tablet to choose from, choose a social media manager, no truth and no testing. Choose the most expensive purchase, unsecured USB builders. Choose Wales, choose full other cases and mess much easier numbers, choose teams on higher range of site, choose the... I honestly wanna choose sitting on the couch watching mind-numbing, spirit-crushing tweets, stuffing in jobs with NTFS. Choose drawing away the end of all cashing, new last were nothing more than selfish the world. Choose your future. Choose life. Why are the one today? I think like that. I choose the opposite. Choose life, the reasons, reasons when you go