BSidesSLC 2015 -- Security Researcher, Security Besmircher -- Kevin Johnson

BSides SLC, 51:53, published 2015-04

About this talk

From Weev to Microsoft's Bug Bounty, organizations have to understand how their organization deals with security in a world that appears to have gone mad. We used to know that an "attack" coming from the outside world was malicious. Now we have to determine if it's just another "security researcher" and if we want to actually invite these people to test our systems. In this talk, Kevin Johnson of Secure Ideas will explore the ideas behind bug bounties and security research. He will discuss ways that your organization can adjust and how to determine if this makes sense to you.

Transcript [en]

I feel like I need to do the "can you hear me?" Because it works, so never mind. Wow, what is... okay, is this better? So I'm gonna warn you right now, I pace. There's a very good chance I'm gonna pace where I'm not supposed to, but I don't know what else to say, right? You know, we should have a line: don't go past this. I'm Kevin. It's not that exciting. At least, well, I'm excited by it because, well, I'm me. I didn't pick this name when I turned 18, so I probably should have picked something better. You know, Kevin Johnson's kind of boring. There's actually another Kevin Todd Johnson with the same birth date in Florida. He's

always wanted by the police, so that was a mistake. It's awful. The reason I point that out is when I was flying out here, it's the first time it's affected my flights. Normally it just affects things like, I had a car stolen, and when the cops picked me up to bring me downtown to talk about the car being stolen, they ran my name and it was like, "You know you're wanted in Miami?" Like, no. Why? So, you know, it's one of those weird things. Today we're gonna talk about Security Researcher, Security Besmircher. I do believe that that last word is one I made up, but I

think it works, right? It's kind of like "gruntled." You guys know about gruntled, right? Disgruntled people and gruntled people. But according to the dictionary, gruntled is not real either, so I don't know. It's one of those things we're trying. But we're gonna talk about a lot of things today, and of course I turned off the remote, so that didn't work. Me: I am the founder of Secure Ideas. That is a security consulting firm based out of Jacksonville, Florida; Salt Lake City; Tulsa; and Charlotte. Mostly in Jacksonville, sorry guys. We are building up our presence here in Salt Lake City. We've got two consultants now, the awesome Danny and Jason Wood, and

we're also mean. If you ever want to reach out to Danny, just email him at seahawks at secureideas.com. The people who know Danny will understand why that was as mean as it was. So I'm the founder. We've been around for four and a half years. We're just a bunch of nerds that accidentally got into security consulting and people keep hiring us. We're not sure exactly how that keeps happening, but we're not complaining. You know, I tell everybody I have a business goal of being a one-percenter. I'd like them to have an Occupy Elderberry Court because I have so much money. Hasn't happened yet, but I'm working

on it, right? I'm also IANS faculty. IANS is this company, this group. They do these interesting things that they call "Ask an Expert," but then they let me get on the phone, so I'm not sure how that works. And I'm a course author. I wrote the web pen testing and mobile security curriculums at SANS Institute and continue to teach various classes all over the place. As a matter of fact, we're really excited: the first Professionally Evil pen test training class, course, event, whatever the heck it's called (you know, luckily I don't have to speak for my job), is coming up in April. We're really excited about that.

I'm a podcaster, an open source project lead, and I have to say it, my wife says it's the nerdiest thing ever: I am a 501st member. For the people who don't know, the 501st is a worldwide charity group that dresses in screen-accurate costumes from Star Wars. Right, so there I am in my Imperial officer, my daughter in Darth Vader, and, you know, Harry Potter. I have an Imperial Guard, I'm building a stormtrooper, I am building a Wookiee, a Chewbacca, and let me just tell you that the idea of latch-hooking seven feet of mesh to fur is as tedious as you can imagine. So this is what I

do. Like I said, my wife says it's the nerdiest thing I've ever done. I pointed out she met me when I was 26, so she doesn't know. And I'm a nerd, right? I've got two kids who you'll hear a lot about, Brenna and Sarah. Brenna will be 13 next month, which means that she will enter the time where she hates me for a few years, and Sarah will be nine in June. They are amazing. I'm biased, right? I learned when Brenna was born, my oldest, that every parent in the world believes that their child is the smartest, most beautiful, most amazing kid ever. The second thing I learned was

every other parent was wrong, right? And so they are one of the main reasons I do what I do, and they're actually what drives this talk, because I think that this talk is something that's critical for us as an industry. But I'm biased, right? So, you know, if you want to reach out to me ever... now of course this doesn't work. That's wonderful. That means I have to be up here. I hate being up on stage, I really do. It's funny: I'm a traveling consultant that speaks all over the country. I hate public speaking, I hate traveling, and I hate meeting new people. So I picked this job. I don't know how

that happened, right? But the reality is that what we've got today is a wild west of security. Everybody and their brother knows about security today. They may not know good things, they may not know correct things, but it's something we talk about. It's a big topic. Hell, the fact that what we do has made it to the State of the Union address two years in a row freaks me out, because look around you: we are the people the President of the United States is talking about. And I don't care about your politics. I don't care whether you hate the man or love the man or are indifferent. The fact that what we do is a topic of

such importance that it's talked about at that level should scare you. It's constantly being brought up in the news. Hell, we have TV shows. By the way, this is going to be a PG-13 talk, I should warn you now. But we have TV shows about what we do, and they're very accurate. How many people here saw the first episode of Scorpion? Right, yeah. How many people here have hung themselves from an airplane flying over a runway at 200 miles an hour? Right, yeah, with a Cat 5 cable that you pulled out of the plane. Oh, I'm sorry, it was 5e, I apologize, you're right. See, I'm not even accurate.

Oh right, I want to know where that cable came from. Right, nice. Doesn't matter. But we talk a lot about, right, you hear on Twitter, "Oh, CSI: Cyber, why can't they make it accurate?" Because our job is boring. I mean, come on, how exciting do you think your mother is going to find it watching you type in vi? Because we all know vi is the right answer, right? Yeah. I said that once in class. I was teaching a class and I made the comment, "Yeah, you know, the only religious war I get into is vi versus Emacs, and that's because we all know vi wins." This guy in the back of the room slammed

his fist into the desk, stood up and walked out. Like, what the heck? About an hour later he came back in. He was a little calmer. I walked up to him like, "Dude, what the heck, right? What was that?" And it turned out he was one of the developers of Emacs. So my response was, "Dude, Emacs is an amazing operating system." But, you guys, just so you know, I don't necessarily say the right things at the right time. I'm a very professional person; it says in my slogan, Professionally Evil. But I spoke at NASA once. That was awesome. I started my talk, a whole bunch of NASA scientists in the room, and I started my

talk with, "Hey guys, when we're done, can you show me the fake moon landing site?" Too soon. There was dead silence in the room. It was like, okay, I pissed somebody off. So I decided to try to save it, right, because you got to save the joke, and I'm like, "Don't worry about it, MythBusters proved you were there." That didn't save the joke, just so you guys know. And I should have warned you, I basically am an ADD speaker. All right, squirrel. What are we going to talk about today? So you'll hear lots of random tangents and things like that. The other thing is I have an amazing sense of humor. I do want to be clear, I did not say an

amazingly good sense of humor, right? But I like my jokes. My favorite joke currently is: do you guys know why Walmart wasn't hacked? They weren't a Target. But, right, come on.

I told you it's not good, dad humor. I told my daughters recently, I'm like, "Hey, do you know what's blue and smells like red paint?" And my daughters are used to me, so Brenna came out with "blue paint." She was right. But so yes, I'm warping them. Both of my daughters will have two years of counseling for every year they live with me. But the reality, jumping back, is that security is miserable. You know, I'm a pen tester, plain and simple. My job is to come in, according to many people (by the way, they're wrong), but many people think that my job is to come in, beat you up, tell you you suck, and go home, right?

"Did you get hacked?" "Yes, I hacked you." Oh well. The reality is our job is to actually show problems and give suggestions on how to fix it, right? Our job is to actually improve things. But as an industry, I think we've moved more toward the idea that our job is to beat up on people, right? Because there's tons of issues out there, there's tons of problems. I go into organizations, I mean, look, as far as I'm aware it is 2015, and yet I regularly find MS08-067 on networks. For people who don't know, that is the stereotypical way to demonstrate hacking a machine, and the patch was released in 2008, so seven years ago. By the way, if I

recall correctly, the operating system it's for is no longer supported by Microsoft, right? I don't believe MS08-067 affected anything new currently, if I remember correctly. But that's ridiculous. I have been in major organizations, I have been in critical infrastructure, and found MS08-067. Now of course my day just got easier, right? As Danny said yesterday: owned. It's not how he phrased it, but same thing. Right, there's tons of issues, and we're just ignoring the fact that we're not maintaining our stuff well. We also have, "I'm a hacktivist." "Oh, you're a [ __ ]." Right? It's ridiculous. "I'm a hacktivist." "What made you a hacktivist?" "I took the word, put it on my label." How

many people here are a member of Anonymous? Just asking. But if you go on Facebook, how many people have the Guy Fawkes mask as their profile picture next to their real name, email address, and physical address? Yeah, you're anonymous. What the hell, right? I don't think that word means what you think it means. So we got hacktivists, we got hackers, right? APT, everybody drink, right? Advanced persistent threat, also known as phishing. It just bothers me, right? And then, not even starting to talk about the disgruntled users. I was in the airport, right, which by the way, I can almost start every story I have with "I was in the airport." It's bad enough that the night staff

at the Atlanta airport know me by name and will actually bring me blankets when I'm there overnight. Right, you know when you're being treated nicer by the cleaning lady than your own family, you travel too much. But we have disgruntled users. I'm sitting in the airport and I'm eating my lunch because I was flying out here and I had a bit of a layover. It was a really long layover for me. I normally have 45 minutes to bolt through Atlanta; I had three hours. I didn't know what to do. So I went and I had lunch, and these two guys are sitting next to me and they hate their boss, who, by the way,

just to be clear, it's not me. But they're sitting there at the table, and these two guys are ranting about the problems they have with their company, and they're releasing details that I would love to share with you right now, because that company is based here, and I know information about problems with their systems. I know information about data that's exposed where it shouldn't be exposed, and I happen to know the domain administrator password for their network, because they discussed it. And I'm sitting there going, I'm writing this down, right? This is awesome, man. I hope we get a pen test with them. Right, you know, disgruntled users do stupid stuff. And then there's mistakes. People just make mistakes.

"Oops, I didn't mean to do that," and it exposed stuff, right? And we have all these problems going on, and then we have new technology coming out. Right, how many people here have an Apple Watch? It's hoping, right? Nobody yet. But how many people here are gonna have an Apple Watch? Right, yeah, I saw a hand over there. Okay, I'm getting one, but I don't admit it, because they're ridiculously expensive. But I don't want to tell everybody I'm buying the Edition one for fifteen thousand dollars. That's ridiculous. But that technology is coming, right? Wearable technology. We now have the Internet of Things. Wasn't the Internet always of things? Right, like I get what they're

trying to say, but we're making our jobs more difficult. We're making it more complex. And the reality is, in my opinion, our jobs aren't harder now than they were 20 years ago, and I'm an old fart enough to know what our job was like 20 years ago. It's not more complex. We still have the same problem: you accepted input, trusted the input, and made use of it. Right, isn't that the nature of our problem? SQL injection, what is it? Accepting input, trusting it, using it. Buffer overflow: accepting input, trusting it, using it. Social engineering: accepting input, trusting it, using it. Right, that's it. Yet if you read Twitter, if you read any news feed, we

now have cross-site scripting, report reference, SQL injection, command injection. That's one vulnerability, right? We have now run out of one- and two-word vulnerabilities, and we now have five- and ten-word vulnerabilities. I was just talking to a guy, and I'm gonna mess up the name of it, but it was like "path traversal cascading style sheet injection." I wish I was making that up. Right, it was like, what are you doing? "Well, you inject a path that references a different cascading style sheet and they load that other one." Isn't that cross-site scripting? Right, but somebody had to have an ego, come up with a new name, because we have to be famous. We, in my

opinion, have turned into an industry of bullies. Right, we have. We name and shame. We beat up on people. We tell them they suck. We're mean. How do we even know what the real threats are? According to Mandiant, it's the Chinese or the North Koreans, right? That's what Mandiant says, so it must be true, because they make lots of money, right? We attributed the Sony hack to North Korea. Why? Because of a stupid movie. Anybody watch that movie? Did you enjoy it? Really?

Okay, I'm cool with that. Right, I've not watched it. Why? Because it looked dumb to me. I hadn't even heard about the movie until North Korea supposedly attacked Sony. Right, we don't even know what the real vulnerabilities are. I talk to developers all the time, because I believe part of my responsibility is to sit down and actually educate people. Right, not just come in and go, "Wow, you suck," but to say, "Here are the problems, here's why they are problems." And we talk to people and they don't even truly understand what the issue is. Right, I had a developer once. I logged into one of their websites through Burp, of course, right, and I look, and they've dumped down a whole bunch of

Visual Basic script, and in the Visual Basic script is the connection string with the SA account, with the SA password, and it was a really long, complex password. And I say to the developer who's sitting next to me, I'm like, "Hey dude, I've got your connection string right here and you're connecting as SA, and I now have that." And the guy goes, "Yeah, but look at how complex that password is." Yeah, I get it, it's complex, but the key word there was "look," right? Then I had another guy in class once. Right, I'm teaching a class, we're talking about cracking passwords, and I got this guy and he says to me, "Oh, I'm not worried

about that, I have the world's strongest password." It's really... he's like, "Yep." I'm like, "What is it?" He told me. So, like, okay. But even worse, it was a four-letter name. So I say to this guy, "Dude..." I say "dude" a lot in stories, I'm sorry, but I'm like, "Dude, how is that the world's strongest password?" "Because you don't understand, I'm 40..." "I'm 52 years old." I almost gave him my age of 42, but he's 52 years old. "And that was my dog's name when I was four, and nobody knows my dog's name from when I was four." And you know what? He's right. If the threat really was somebody finding out who he was and trying to determine his password, I

won't call it a strong password, but it's less likely that somebody would know that. That's a good point. The problem is that's not the threat. That's not what he's trying to protect against. What he's trying to protect against is somebody with a script going after all the possible accounts on that system, in which case a four-letter password I don't even consider a password. It might as well be blank, right? And so I explained this to the guy, and the guy gets freaked out. We're not even talking about the fact that he said he had one password, right? But so I'm telling the guy and he's freaking out, his eyes get this big and sweat comes here, and he booms out the

door, and he comes back in about 45 minutes later. It's like, "Whoa, you okay?" He's like, "Yeah man, oh man, you freaked me out. I just went, I changed my password." "That's really good. Did you pick something good?" He's like, "Yes." "What is it?" He told me. So I fixed part of the problem, but not the other part. We're working on it, right? But now we're even into a problem: are we even allowed to test what we want to test? How many people here use cloud-based stuffs? Right, yeah. Do you guys know why it's called the cloud? Nope. The Visio icon for the internet is a cloud.

Right, it's on the internet, so it's cloud. So here's my deal, here's what I want you guys to start doing: start referring to databases as "the cylinder." Right, "I found cylinder injection in your application." That'd be awesome, won't it? Yes, yeah. So please do that for me. But like, are we allowed to test our cloud apps? Are we allowed to go after those things? So we go after that third party; can we determine what's going on? We don't know. And we have major flaws, at least according to Reuters, in the news, and CNN. Hell, they have their own logo. I've been a nerd for way too long, right? I grew up nerdy. I joke and say, you know, the guy

that used to steal my lunch money in school still does, but he makes a damn good Subway sandwich. But no, nobody told me if I wanted to be a hacker I had to be good at Photoshop. People were actually disappointed last Friday, or was it this last Friday, the SSL vulnerabilities came out, right? I lose track of time. There wasn't a logo, and people actually said that, like, "This can't be that serious, it doesn't have a logo." If you were one of those people who said that, please do me a favor: beat the [ __ ] out of yourself. Right, I mean, come on, we're building this. Heartbleed, ah. Shellshock didn't even have

one logo, it had multiple logos, right? And what the hell is POODLE? I mean, poodles are freaky-looking dogs, but they don't really scare me. But we named vulnerabilities, we have logos, and a lot of people have talked to me about this, and I've had people say to me, "Oh, but Kevin, that's good. It's good we have logos because now we've got people talking." You know what? They're talking out their ass, so it didn't help. And then worse, and Friday proved it, I have major companies that I've worked with that did not apply the patches last week because the severity of the bug can't be that high, because there wasn't a logo. We've had companies that have come to us

and have said, "Can you verify we're not vulnerable to Heartbleed?" "You know you're still running Windows 3.11?" "No, no, we just want to make sure we're not vulnerable to Heartbleed." That's a problem. That's a negative. We are actually being detrimental to our own security by doing this crap. But as an industry we're doing it, and we're making it worse, right? And my question is, and this is what really drives me on this talk, right, is how do we even know what we're allowed to do? And we say all the time, right, I think it was Jeremiah Grossman came out with an awesome blog post, "Test yourself, hack yourself," and Troy Hunt out in Australia wrote a

great blog post about the same thing. And I agree. I think you should be testing, you should be assessing your own stuff. What about the people testing the internet? What about the people who just say, "Hey, there's a vulnerability, let me see if they're vulnerable to it. I don't know them, but I'm going to find out." Are we allowed to do that? And some people tell me we are, some people tell me we're not. Right, here's an example, and I want to be very clear here: I respect Robert Graham greatly. He is a smart person. This is what he posted on Twitter during the Shellshock stuff: "This is me right now. Seriously, did you

people think I wouldn't?" For the people who don't know, that's a screenshot of Wireshark. Right, I almost called it tcpdump, like I really did, because I don't use Wireshark, I use tcpdump to do the captures, but that's just because I'm nerdy. But Wireshark, of him scanning internet-facing IP addresses for the Shellshock vulnerability and exploiting it. And his answer when we called him out on it was, "Well, I'm just running ping. Ping's not that big a deal." The problem is he knows he's just running ping. I know by looking at that that he's just running ping, in the capture I see. But what else is he running? And if you're the... he's running Wireshark.

Good answer, damn it. He's a genius. So, well, we are hiring. But so, what else is he running? And if you're the company that had that traffic come to you and you detected it, don't you have to respond as if he's malicious? Isn't there the potential for you to have to do a breach notification if you can't identify, if you don't have enough information to say that he didn't go further? My read of some of the breach notification laws is if you can't prove you weren't breached, you have to notify that you were. Right, that's a problem. And when I've talked to Robert about this, by the super-efficient way to have a

conversation, on Twitter, he doesn't think that's an issue. I do, right? And his answer is, "We're doing it for the greater good. We're trying to help people." So I asked him, "Great, you're trying to help people. Out of all the IP addresses that you identified that were vulnerable to Shellshock, how many of them did you reach out to and notify?" And the answer was none. "They can follow me on Twitter." How egotistical is that? "If you want to know if you're vulnerable, follow me on Twitter." Right now, I looked at his follower list. It's not everybody on the planet, right? It's not even every business owner on the planet. Yet they're supposed to know that Robert

Graham is nicely exploiting their system. Not a vulnerability assessment here, right? He exploited it. But it's for the greater good. Greater good for his fame. But we have other network examples, right? The Apple Developer network went down. A hundred thousand records were pulled because a hacktivist, security researcher (he doesn't have a lab coat, but he's a researcher, right) found a SQL injection flaw. And I want to be very clear: I agree that Apple should not be vulnerable to this, totally. This guy pulled a hundred thousand records. They took the developer network offline for more than a week, which means that every one of those startups that are trying to build the next Angry Birds didn't have access to do the

things they needed to do. People who had jobs weren't able to do what their job required. Right, people who were interested in learning IT and programming and security weren't able to. And when you asked this guy, "Hey, why did you pull a hundred thousand records?" his answer was, "Well, I just wanted to prove it was a problem." How many people here have done SQL injection before? Right, I'm not even gonna ask you if you did it legally. Right, how many people here have done SQL injection before? Right, how many of you that raised your hand know about the count function, where instead of actually pulling the records he could have said, "Count how many records I would have

pulled." He still would have gotten a hundred thousand number. He still would have proven that he was able to do it. But you know what? It's not as sexy. It's not as headline-grabbing. It's not as bad to the other company, right? So we have people doing this. But don't worry about it. I know you guys are concerned. It's okay. He posted on Twitter: "Apple, this is definitely not a hack attack. I am not a hacker. I do security researcher." Now, I do want to point out he said "security" not "research," not "researcher." But I do want to point out he didn't copy Apple's Twitter account. He just said "Apple." Right, so somehow Apple's supposed to

know it. I don't know who Mike Butcher is. I should have found out before I put this in the slide, but he now knows, right? Again, how egotistical is it? "I'm a Turkish guy, that is so awesome, Apple must follow me," right? And that's what he did. But he's a security researcher, so it's okay, because it wasn't really hacking, it was research, right? And that makes it fun. But, you know, don't worry about it. He targeted Google too, right? And this time he actually crashed the servers. Right, twice. One time wasn't enough. They brought it back up, he tried it, and he could do it again. He was just verifying that it

wasn't a fluke, right, that it really was him that crashed it. Again, I hear from security researchers all the time on the internet that it's okay because there's no cost to what they're doing. "It doesn't hurt anybody." You know, I'll tell you right now, Google had to react as if that was a real hack, because you know what? It was a real hack. No matter what the guy calls it, it's real. That's like me walking in here, holding up a gun, shooting somebody, and saying, "Wait, look, I was just researching whether the bullet would actually go out. You never know, some guns jam, right? It was research, it wasn't murder." It doesn't sound like a psychopath to you, does it?

Here, this is what we've got going on, and we as the industry seem to push this up and go, "This is awesome. Look at that guy, he's a researcher, he's so cool. Let's put him on stage." Right? Let me talk to you about ethics, and this is what I think we're lacking here. And here's the problem: when you talk about ethics, a lot of people say, "Ah, we don't need laws." Matter of fact, Robert Graham posted a whole blog post where he discussed the fact that we should not be under the chilling effects of the law because we're researchers. That's a scary phrase: "We should not be affected by the chilling effects of the law." You know, law is like, don't speed,

don't kill people, don't steal. Right, those are laws. And while we may not agree that the laws are good (I will argue with the best of you that the CFAA needs improvement), the reality is there are laws; we have to follow them. But I'm not talking about laws here. I'm talking about ethics. There are things that are ethical yet illegal, and there are things that are legal yet not ethical. Right, and I used Godwin's Law, right: it was illegal for people to hide Jews in Nazi Germany during World War II, but I don't think it was unethical to hide Jews in Nazi Germany. Right, and I'm not comparing this to the Nazis. This is not a

"security researchers are Hitler," right? Good, I appreciate that. Right, but the reality is ethics are what are allowed by your sense of right and wrong. We need ethics to guide us, and I'll be blunt: I'm going to stand up here and tell you I'm not smart enough to know the right ethics. Because I was asked once, I was somewhere and I'm talking about doing the right thing and having permission and having scope, and this guy in the audience said to me, "So, Kevin, you're telling me you would never hack somebody without permission? You'd never break the law?" And I said, "No, I'm not telling you that at all," because I speed. I drive too fast in my poor little Civic,

right? And I'll tell you right now, somebody mess with my daughters, bets are off. Right, I'll all of a sudden forget the "professionally" in Professionally Evil. You know, I'll admit that I don't know where my line is, but I know I have a line. I know that there will be something that will make me consider crossing that line. I'm not going to lie to you and tell you I'm a good person, because I learned a long time ago I'm not good. I don't deserve what I have. I've been blessed. But I do believe that we have to have an ethical standard, and we've got some out there, right? We do have (ISC)² has a "great" code of

ethics. Right, by the way, I hope you heard the italics and quotes around "great" there. You know, according to their code of ethics, you should not interact with black hats. So does that mean I'm not allowed to run tools that a black hat wrote? Under my read, yes. I'll tell you, my clients would be at a disadvantage if I didn't run tools that black hats wrote. Right, so I violate that code of ethics every day, and I'm a CISSP, so if you want to report me, have a blast. Right, I follow black hats on Twitter. I follow black hats on the internet to see what they're doing. I think that's mandatory for us. As Danny said yesterday in his talk,

right, we should constantly be learning, and to have an ethical guideline that tells us we can't learn from the source of the attacks we're trying to protect against is asinine. Not even getting into the fact that most of the ethical guidelines we have from SANS and GIAC and (ISC)² are driven entirely by capitalistic greed. "I'm a certification company, and you'll pay me to certify you, and you'll agree to follow the ethics I have that bind you to my certification." Brilliant, right? Money. And this is what we run into. We run into things like this, and I'm sure that if you look up on this slide, you see people up there that you admire

and people you hate. Because I look up there and I see Snowden, and I'm not gonna get into an argument, but I believe that man's a traitor, needs to be shot in the head, because that is the penalty for a traitor in the United States. And other people will look you in the face and tell you he's a hero, he's a whistleblower, he saved lives. And you know what? I have a feeling both of us may be right. Right, because again, I'm not smart enough to know what the right way is. But I'll tell you that I look at things that Snowden did, I look at things Anonymous does, and some of the stuff Anonymous does I

look and go, "Yes, do it again." And there are days I look at what Anonymous does and say, "Burn in hell." Right, I look at Jester and I cheer every time he says "tango down." Right, and I'll admit the hypocrisy of that. Right, I got no problem standing up and telling you I'm a hypocrite. I am. And I say it's because I'm not smart enough to know what the right answer is. But here's the problem: we are smart enough to know what the right answer is, and if we don't stand up and say "this is okay and this isn't," we're [ __ ], plain and simple. We need to stand up and

say "this is okay and this is not," and there's ways to do this, right? One of the ways that I hear about all the time is we could pass a law. Yeah, was it Rapid7 just started a petition to, like, modify the CFAA? Was it Rapid7? I don't mean to pick on a company if it wasn't them, right? They'll call us anyways, try to sell something. But,

so, right, we need to change the CFAA. And I don't know about you guys, but I've presented to the Senate. I've been in a room with senators and House of Representatives and their staff, and I've talked to them about security issues, and been embarrassed to say they represented me, because they don't know what we do. We have a congressman that's in charge of the technology committee that proudly admits he's never written an email. And again, I'm not arguing Republican, Democrat, any of that crap, because I don't care. But I do know that if we're going to have people who don't understand what we do making the laws, we're screwed. We need to provide that guidance, and

I'll tell you, this is why, right? I'm sitting in a plane and I had a lady sitting next to me, and I talk to people, right? I don't know why, I hate people. But I'm talking to this lady and we're having a really good conversation. We just, wow, yeah, it's wonderful, here's pictures of my kids, here's my Lego, all this cool stuff, right? And then the woman says to me, very nicely, obvious question: hey, what do you do? And I said what I always say: I'm a penetration tester. And I get the answer: does that have something to do with oil? No. No, it doesn't. Well, it depends on the target, right? I don't know.

And, uh, so she said, what is that? And I said, well, you know, companies hire me and I hack into their systems to find vulnerabilities. I steal data to show them where the risk is, and then I tell them how to fix it. She looked at me and she goes, you're a hacker. And I said, yes ma'am, I am, right? She didn't talk to me the rest of the flight. Yep. Another time, my daughter was five, my oldest, Brenna. We're in a restaurant and we're sitting there, and the waitress comes up and she looks at Brenna: oh, you're so adorable. Brenna is beautiful; there's no way my genes created her. But, um, she says to Brenna, what do you want to

be when you grow up? And Brenna looks at her, proudest day of my life, Brenna looks her in the face and says, I want to hack computers like my dad. Right? Yeah, right. And the waitress looked at me: what did she say? And I'm like, grinning from here to here, right? Like, she said she wants to hack computers like her dad. And she goes, are you her dad? I said, that's what her mom says, right? The waitress laughed. There's no proof; like I said, they're beautiful, they can't be mine. My wife hates it when I say that. The waitress left. We had a new waitress the rest of the night. The new waitress said, I don't know what

happened over here, but she won't come back to the table, because somehow I was going to steal her identity at LongHorn, right? That's a problem, because we're supposed to be the good guys. We're supposed to be the people helping, and I feel very, very strongly, and I mean this, this is from the bottom of my heart: our job is to make it better, and we're not. When I look at my daughters, and this is why I say my daughters are a big part of this. My oldest, Brenna, has a neurological condition she was diagnosed with at nine years old, right? She has a seizure disorder, she has OCD, and yes, I'm violating HIPAA all over the place here,

right? But she went to Wolfson's Children's Hospital, where she was treated, and thank God, and I mean that truly, thank God, she'll outgrow it by the time she's sixteen. Not the OCD, but the seizure disorder, with no long-lasting effects, right? We're blessed. About two months after she went to Wolfson's, we were notified by Wolfson's that they were breached and all of Brenna's data was stolen. They got her social, her date of birth, where she was born, her address, everything about her, everything they need to steal her identity. But don't worry about it, Wolfson's takes this very seriously, and they gave her a year of credit monitoring. Right. Now, for people who don't know, at nine years old you're not allowed to

sign up for a year of credit monitoring. So Wolfson's paid for something nobody can use. And the problem here is this is not a year-long problem. Brenna's identity has been stolen for the rest of her life. She may not have long-lasting effects from the seizure disorder, but she'll have long-lasting effects from the fact that Wolfson's didn't protect her data to the level they should have protected it to. And I believe very firmly that they didn't protect the data to the level they should have because we failed. We as an industry failed. We are so busy building up our own egos, we're so busy being rock star ninja famous, that we're not helping the people that need our help. We're supposed to be the

superheroes. No capes, but we're supposed to be, and we're not. And if we wait for laws to come out and guidelines, who in the world is going to pick those, right? We got certifications doing it. How many people here are GIAC certified? Whoa. So you signed the code of ethics, right? Did you read it? Nope, nobody does, right? How many people here have a CISSP? Yeah. Do you want them picking our ethics? Do you want them? And nothing wrong with certification. I'm not sitting here telling you certification is evil, right? I used to work for SANS, I have tons of GIAC certifications, I have the CISSP, right? I'm not telling you that's wrong. I'm just saying, are there,

is that where we want our guidelines built? Is that where we want our ethics to be determined? And I don't know about you, but my answer is no. While I have amazing respect for Alan Paller, while I think Alan Paller is an amazing man, I don't believe he is the only person who should be determining what our ethics are. And I know, I know they have an ethics board and all that kind of stuff. I'm simplifying this significantly, right? But that's an option, right? We also have bug bounties. This is a great idea: let's just open up our systems and say to everybody, hey, hack me, please tell me about it though, right? Sadly though, most of the bug bounty

programs I see, they're finding low-hanging fruit, which in my opinion is a failure of a bug bounty program. If you still have low-hanging fruit, like cross-site scripting in a search box, you shouldn't be opening up a bug bounty, because you're not ready for it yet. That's like giving a four-year-old the keys to a Ferrari, right? You can't do it. But that's one thing, and then there's questions, right? How do you do it? How do you know you're doing it right? How do you know you've got the right people looking at your system? How do you know that threat that you always hear about, right? Adobe did a bug bounty program and people bitched: they're just gonna give

us a t-shirt, no money, I'll just sell what I find, right? That's what people said. Is that the route we want to go? Again, I go back to: we're supposed to be fixing things. We're supposed to be the good in what we do, and I feel very firmly about that. I feel very strongly about this. I believe that this is the route to go, and this is not a popular one. You say licensing and people are like, I don't wanna license, I want the government to determine whether I could be a hacker? Nobody determines whether to be a hacker; it's a mindset. And I also wanna point out, I didn't say government licensing, but I do believe that we as an industry

need to start looking at something that says I am able to do what I do, that I follow a certain standard, that I have a certain set of ethics, and that when I give you the results of what I give you, you can believe it was sufficient, that it met some standard, that I'm not some jackass who paid $1,600 for a Nessus license and called it a pen test, right? Do you know how many reports I see where all they did was take the logo off and put their logo on? I'm in hell. I was looking at a report just recently where the links still went out to the Tenable website for information about what the findings were.

If you're not even smart enough to change the links, get the hell out. But licensing would fix that. But I will agree that I don't want the government to license us. I don't. I'm a big believer in small government, and I'm not saying I'm a Republican, I'm just saying I believe in small government, right? And I think that the minute you say that the government's going to license something, we have a problem. So what I think we need to do, and again, I want to be very clear, I'm not that smart, I'm just some jackass who started a business, right? But if we started something up like the infosec bar, right? Lawyers have it now.

I want to be very clear: the legal bar is a government entity. I don't want to model that part. But if we were to stand up and we said, hey look, this is what we're going to do, we're going to create a set of ethics, we're going to create a set of standards on how you test, how you do deliverables and what a report should include, how you determine that something is high risk, how you determine something is medium risk, how you determine, right? If we set up that standard, we could then start working with it, and you're not required to do it. You're not required to be a bar member, right? Many of the states in the United States

allow you to practice law by calling yourself a lawyer, but if somebody wants to hire your service, you're able to say I'm bar certified, right? And we can hold you to a set of standards. We can hold you to: when you screw up things, when you screw your customer, when you do things that violate our ethics, you lose that bar affiliation. And the reason I think that this will work is because of the movie industry, and no, it's not because I watch CSI: Cyber. The movie industry was faced with the same idea. The movie industry started releasing movies and people started complaining that the movies were obscene, and the government started talking about legislation, their favorite thing, right? Next is

taxation. But they would legislate; they'd pass laws on what the movies could have, right? They would pass laws to determine if a movie was okay. And the movie industry said, we got it, dude, and they created the rating system, right? And they built a rating system, they started rating stuff, they self-inflicted a standard, and the government went, oh cool, you got it, awesome, right? And then back in the 80s, I don't know how many people are old enough to remember the 80s, but I do, this horrifically horrible, disgusting, obscene movie came out: Gremlins. And, um, people were like, huh, they blew up an alien in a microwave, kids shouldn't see that. And people started talking about

censorship, people started talking about legislation. Obviously Hollywood has gotten too big for their britches, so we should legislate them. And Hollywood said, whoa, we got this one, and they changed the rating system to include PG-13, right? And a new rating came up, and the government looked at it, went, dude, you did it, awesome, good, go on, have a nice day, and they solved the problem. And I'm not a doom and gloom guy, right? I'm not going to sit up here and say the world is going to end. But I do believe very firmly that if we don't stand up as an industry and say, dude, we got it, and then actually get it, if we don't

actually stand up and say this is the standard we're going to follow, then that doom and gloom of the government passing laws, of the government saying security research is bad. By the way, there's some security research that I think is valid, right? Look at Germany: distribution, no, I didn't do Nazi comments, now, distribution of hacker tools was illegal, right? Now they changed that, but if you were distributing hacker tools it was against the law in Germany, right? Which I found funny, because I couldn't give you a copy of Samurai WTF or Weaponize Flash or anything else like that, but I could give you a copy of Adobe Flash and Internet Explorer. But that's the route they went. In Italy,

IP addresses are private information. Laws passed by governments about technology suck; they can't keep up, right? And that's why I say what we have to do is we have to stand up and do better, right? And I do think that it's something we have to do soon. I think it's something we have to do now. And I'm not the only person who can do it; matter of fact, I'm not the person to do it, because again, if we have one person stand up and say I'll create the standard, it's gonna be based on that person's opinions, and what I think is okay isn't what Danny thinks is okay, isn't what Jason thinks is okay,

right? And while the three of us may agree on most things, we don't agree on everything, right? And as an industry, what we do is so diverse, because we're not just talking pen testing here: reverse engineering, forensics, incident response, security. We want to have something better than something like PCI, which is you must be this tall to ride the internet, right? We got to do better. That's what it boils down to: we got to do better. And I know it's a mushy gushy thing, but if we don't do better, I'm scared to death for my children and my children's children, and that's why we gotta fix this. Okay, so, got three minutes until I'm supposed to

be off the stage, so any questions?

Yes sir. We would definitely get badges, but we don't need stinking badges. So, well, in that case, thank you very much everybody. I'm honored that you sat here through an entire talk. You