Well, you guys are here, right? We'll give some shout-outs. We have, um, anyone in a DEF CON group, DCG, from the local area code? Okay, well, this one is gonna happen then. Please go and check out the DCG room. These are all DEF CON groups. DEF CON is year-round; we have to plan year-round also, but, like, we can do great things, right? DCG 305, go Miami. So yeah, like, you know, go there afterwards, get inspired if you guys are new.

The room over here is the LHC room. They were out partying a little bit last night, so there's nobody in there right now, but, you know, things happen in Vegas. Also, we do have a bar over there, you know, so if anyone is needing a refreshment or whatnot, we have that. If anyone needs the bathrooms, they're gonna be right over there, just kind of as a heads up.

And then also, as we're getting older, right, we've lost a few great hackers this year. There is a memorial room, right? So if you know you want a place that's quiet to reflect and whatnot, that's also there, and it's just a really fabulous spot for just healing, and it's also a good spot, just quiet.

And after our discussion in our talk, right, there'll be a question-and-answer period. We're gonna go over there in one of the rooms so that way it's a more intimate environment, and if you have any questions for any of the folks up here, we'll let you guys know which room it's gonna be. And so yeah, in the next minute or so we'll get started. So thank you guys all for coming and waking up early. I know that might have been a challenge for some of you, and for those who haven't gotten the sleep, this is gonna be a great talk, and then, you know, then you guys can get some shut-eye. So thank you very much.

Hey guys, how's it going? All right, come on. Let's wake up. Come on, cheer up. Come on.
You made it for the Midget DEF CON. So this is our 31st year of DEF CON. Thank you for coming. It all works out because you guys are showing up and spreading the word and making sure that everyone, like, gets excited about learning about what DEF CON is: not just a pack of hackers doing crazy stuff, but it's more about the community. And the most important thing is talking about how much work it takes to make everything look kind of simple and working, and, you know, thanks to these guys. It's something that we all should, like, you know, remember.

So this is our first talk today for this, track five. It's called "A Different Uber Post Mortem" by Joe Sullivan. Enjoy.

Hey, everyone. My name is Joe Sullivan. I'm currently the CEO of a nonprofit, but for most of my career I've worked in cybersecurity, like a lot of you. And I'm gonna walk you through an experience I've been going through probably since, when I started thinking about it, the beginning of my career, that's still going on.

When I had the chance to be the CSO of some really big companies, one of the things that I came to really appreciate is that you can't do security on your own. It has to be... I think of it as really a three-legged stool. Like, there's the commitment that you make inside your organization, but you have to partner with the government also, and then the third thing that a lot of people don't understand is the importance of partnering with researchers.

So I've had a lot of opportunities to talk with security leaders about my case. They often reach out to me when they're getting nervous because they have a bunch of lawyers showing up to their meetings, or they're getting together in kind of closed rooms. And so I've had a lot of chances to talk with security leaders about what my case might mean for them and how they could set up their organization, their company, and their relationships with government to be better, so that what happened to me doesn't happen to them. But as I was thinking about it, there was one
story and perspective that I don't think got enough attention. And so that's why I asked to do this talk, and that's the perspective of the security research community. And so I'm going to kind of look at this case not from my perspective but from maybe the perspective of an outside researcher, and thinking about it not just in terms of this case, but what it means for the future, as legal cases are always about precedent.

One note as I'm getting started: I'm appealing my case. So the case is still going on, which limits what I can say in some contexts. Also, I was an employee of Uber during the whole time that the incident transpired, and so I had an employment contract and an NDA and all that, so I'm limited in what I can talk about from that perspective as well. So when I talk about the case, I'm only going to reference what's in the public record, and if you hear me talk about something, it's from the perspective of what I saw sitting in the courtroom, not from what I saw inside the company.

So I've been working in computer security since 1997. I was actually a federal prosecutor here in Las Vegas, and I was asked to become a cybercrime-focused prosecutor while living here, and of course that was in the first few years where DEF CON was starting to pick up, and that might have been one of my first DEF CON experiences. And I might not have been spotted as a Fed, but I got to know a lot about the security community by coming here and thinking about the different perspectives, and that's when I started thinking about the research perspective on working with us.

And so I'm going to touch on a lot of that as I go through this, but each of these stops kind of taught me a lesson that led to some of the things that happened in this case. But the case for me really got started... it was in November of 2017.
I got an email on my personal email from a reporter asking me to go on the record about me being fired from Uber, and I think I hadn't even been fired when the reporter reached out to me. It was a really strange situation where I was learning as much from Bloomberg as I was learning from my company, or ex-company, depending on whatever moment that day it was. And I was up in the mountains. It was Thanksgiving week. I was on vacation with my family. I was actually in a grocery store; we were getting food for Thanksgiving, and I got kind of these messages, and I was like, this must be a big misunderstanding. I went out hiking that afternoon with my family, and I didn't know it, but almost immediately articles started coming out talking about how I'd been part of a cover-up, and that I was fired for covering stuff up, and that I had paid money to people to delete data. And I didn't really know, because after I was terminated they also bricked my phone and my laptop remotely. So I was kind of up in the mountains with no tech, but, like, Twitter and everything else was blowing up that day, and the narrative was set, I think.

Jump forward three years later. I was working as the CSO at Cloudflare at the time, and I think my family and I found out through the news that I had been charged. I actually found out because a friend of one of my daughters heard it on NPR and told her, I think. And so it was the second time I got surprised. Third time is gonna be on me, I guess. But that actually wasn't accurate.
I wasn't arrested. They put out a press release saying I was arrested, but I was actually at home, and so they corrected that eventually. But I did get charged, and I was charged with two counts. The first count was basically obstructing an FTC investigation, is the way they characterize it, and the second count was something called misprision of a felony. The first count really had to do with what our company said to the FTC, and didn't say to the FTC, about our security posture and whether we were transparent with them. That's a talk for a different day. What I want to focus on is the second count, misprision of a felony.

Misprision is this really old common-law type thing, and I'm not a legal expert on this stuff, although I should be at this point. But misprision is basically if you helped someone else get away with a felony, something like that. And so the first part of misprision has to be that there is a different felony, and in this case that different felony was the actions of the researchers. And so for me to be convicted, the jury had to believe that the researchers had committed a crime first.

So jump forward. We actually went to trial last September. This is a no-cameras-in-the-courtroom situation, so this is a picture that one of my daughters drew. That's me in my mask on the left, the judge, a witness, the jury on the right.

But, like, I want to narrow down the focus. So I do want to talk about, number one, that misprision count. But one of the things I really appreciated when I got sentenced in May, just a couple months ago, was the judge went out of his way to say at the sentencing hearing to the government: this was a very unusual case. There's never been a case like this before. He asked the prosecutor, could you think of a case like this that's ever been brought before? The prosecutor said, not on all fours. The judge said, not on all threes. So they were going at it. And the judge said this is not a white-collar case. There was no financial motivation. It's not like anything
I've ever seen before. And then he also talked about the investigation that my team did. The thing that I was most happy about from the trial was the way my team got portrayed and how the judge perceived them. What the judge said was, the data actually never got exposed in the wild. So a lot of times I'll see these lists of biggest data breaches in history, and up in the middle of it will be this case. But those records were actually all recovered, and never kind of, like, out on the dark web, if you will. So because my team did a really good job on the investigation, and the judge recognized that, the prosecutor even agreed. Well, the prosecutor, I think, said we got lucky.

So kind of stepping back again, I've been thinking a lot about what I said at the beginning about how security needs to be a partnership to get it right inside a company, and as I think about my case, these are some of the questions that I worry about. How do we tilt against the bias of perceiving every request by an outside person as extortion? If you talk to the people at the bug bounty companies, this is an issue that comes up on a daily basis, especially with new programs and especially with new researchers. And we also want to create an ecosystem where companies feel comfortable engaging with those researchers. And one of my biggest disappointments from the case is I think I set that backwards, because of the way this case was perceived, because of the way the researchers-slash-hackers were perceived and all that. I've heard lots of stories, especially in the first year afterwards, of companies, like, hitting pause on their bounty programs, rolling them back, their lawyers getting very anxious about them. And then you layer on top of it kind of the blow-up of ransomware, which is, you know, another level in terms of intrusion and extortion. And then another question is, how do we make sure that researchers can trust a company?
Like, how many people know what a responsible disclosure policy is? Hopefully a lot of you. We'll talk about that. But companies put up these responsible disclosure policies that say we won't refer you to law enforcement if you give us all the information and cooperate and make sure that nobody gets hurt. That's paraphrasing. I have some examples we'll go through. And how do we make sure that the law protects this engagement, and make sure that companies can utilize the researchers and the government will respect it? And then we'll have that really strong stool for all the consumers who use our products to stand on.

So this is where I want to go way back in time. So I mentioned I was a federal prosecutor. I don't know, does anybody remember Napster? Well, Napster was a really interesting case from the perspective of me as the... By the time the recording industry and everybody was really upset with Napster, I had left Vegas and I was living in the Bay Area, and I was working full-time doing tech cases, and I think I was the first federal prosecutor in the country, just, like, in an office full-time cranking on federal cybercrime cases.
I actually had a folder in my office that said Napster, because we had been getting pushed to prosecute Napster. And I always remember I had this conversation with my top boss, Robert Mueller, who went on from that job, his next one was head of the FBI, and he said, right now it feels like a bunch of companies fighting with each other. Let's let them fight it out first. And, like, we need to figure out the dynamic of our relationship with companies and how much we should be doing what they ask us to do, because cyber is very different from a lot of other areas of law enforcement in that so much of what happens happens in third-party private sector hands. So much of the internet, especially in this country, sits in the servers of a bunch of companies, and so from the government perspective it's really hard to figure out what the right dynamic is around relationships. If you're on the government side, you need cooperation because you need access and visibility to protect people, but if you're on the company side, you're dealing with, like, also privacy commitments, and it's a lot going on there. But then there's also the economic motivation of the company, and wanting to push certain cases and not push certain other cases, and so as the government you kind of have to think through all that. So we decided not to, and there were civil suits, and it actually resolved things for Napster, and I remember thinking that was good.

But then, I think it was DEF CON 9, there was a case. So there was a speaker. This is the whole agenda of DEF CON 9, by the way. That's every speaker for the whole event, and obviously you can't see it from where you are, and I can't either, but I'm pretty sure the bottom left was a guy named Dmitry Sklyarov, speaking about... He was an employee of a Russian company called ElcomSoft, and they had put out some software that would break the encryption on the Adobe eBook Reader.
So it was kind of like Napster 2.0 unfolding, and Adobe was really pushing hard with my office to prosecute a case. And so Dmitry Sklyarov came from Russia, he spoke at DEF CON, and if you could look really close... I took a screenshot from Wikipedia of notable incidents at DEF CON. The second one was when Dmitry came off the stage from talking about the Adobe eBook Reader encryption-breaking tool, he was arrested by the FBI, and he was taken into custody, and it was a mess, and a lot of people protested. The picture on the right is people from the security community protesting against the prosecution of Dmitry, and that was at the San Francisco federal building.

So let me back up. Sorry. So how did the Dmitry story end? I think everybody realized pretty quickly that Dmitry wasn't intending to do anything particularly... I guess his company might have been trying to monetize the situation, but the charges were dropped against Dmitry and they went forward against the company. I was involved in the case early on, and then I left the US Attorney's Office and I went to go work at eBay. So I was there during the time when the charges against Dmitry were dropped, I was part of the prosecution team, and then after I left, the case went forward against the company. I think the government lost.

So to me that was another chance for me to think about the researcher versus company versus government triangle, and I was on the side of the government and we were arresting a researcher, and at the time I thought that was the right thing to do. But then I went into the private sector, and I remember, almost like a month after I got to eBay, we got this email, and it was from somebody, and it said, we found a security vulnerability, I will tell you if you pay me. And I remember I personally had this, like, angry reaction to this person, like, why do they want to get paid? I'm fighting inside this company to get them to do the right thing and
protect our users, and we need to do everything we can because that's my job, and then there's someone on the outside who could help me and they wouldn't give it to me. And that was, like, my next perspective from a company on security researchers.

But then I really got to start learning more about that different perspective. This was an article written by Bruce Schneier in 2001, just a couple of months after, the Dmitry case still pending, and there was this big fight between Microsoft and the research community, because Microsoft had gotten mad because researchers were publishing vulnerabilities. And I started really thinking about it from different perspectives.

Move forward a few years. I got to PayPal. I switched from the eBay side to the PayPal side, and I helped Andy Steingruebl, who's now the CISO of Pinterest, with the publication of what we did at PayPal in 2007. And it got praised, I think, by a lot of people in the research community, because we published one of the first responsible disclosure policies. This was an article by Jeremiah Grossman praising it. And so this was the language that we published at PayPal in 2007, because we'd gone from that experience where we were angry at researchers for wanting money to completely flipping, and we said, if you follow our guidelines, we won't refer you to the government and we won't bring an action against you. And almost immediately after that, companies started publishing those more, and then researchers started pushing even harder and saying, you shouldn't not cross it.
You shouldn't just not prosecute us, you should actually pay us. And there was the No More Free Bugs campaign, Dino and a bunch of people.

So a couple years later I had moved over to Facebook. I was the CSO at Facebook, and I worked with Alex Rice, who's now the CTO of HackerOne, and we published our own version of what I had helped write at PayPal. So we published the Facebook version in December 2010, and we said basically the same thing: we won't bring a lawsuit or ask law enforcement to investigate you if you contact us. We actually came here to DEF CON. We launched our bug bounty program at Facebook in 2011, and that was a heavy lift for us back then because we weren't the mega-corporation that it is now. But we announced and launched the program here. It got a lot of good publicity and we paid out for a lot of bugs. But the relationship with security researchers, from inside the perspective of the company, wasn't actually that amazing when we first rolled out the bounty program.

This was an interesting story about a month after, I think. So we'd now said we're open for business, we'll pay you for vulnerabilities. This young man in the Palestinian Territories at the time found a vulnerability on Facebook where he could post on somebody else's wall, and he tried to report it to my team, but he couldn't figure out how to do it, and there was, like, this whole glitch in communication, because we weren't good at communicating and he wasn't good at communicating and we were all trying to figure this thing out. So he got irritated and he went on Mark Zuckerberg's Facebook page, and using a picture of Snowden, posted on Mark's page. His first line: "First, sorry for violating your privacy." And so I had this dilemma. We had language in our responsible disclosure and bug bounty program saying we won't go after researchers and we will pay you. And so we actually talked about this inside the company, and we're like, is this an unauthorized access? Is it illegal what he did?
We decided we're not going to refer this to anybody. I mean, CNN sent a reporter to interview him in person, and so the case got a lot of attention, and I got a lot of blowback because I said, well, we can't pay you for your research. The security community actually came together and created a fund, and a bunch of people from the research community contributed to the fund, and so he ended up getting a lot more money than he would have if we had just paid him the bounty.

But, you know, there are a lot of these, and I could give you probably a thousand examples like this. This is just one that I could talk about because it was so public. Another one that was kind of public was there was this researcher Reginaldo from Brazil, and he found an RCE in Facebook. And not too long before that, one of the leaders on my team had been quoted as saying our bug bounty program is so awesome, it's doing great, and someone asked what's the max bounty you'll pay, and he said, we would pay a million dollars for the right bounty, if you found something that was that significant and harmful. And this researcher, he thought about it, and he's like, I've got RCE on Facebook, which, basically, for those who don't know, it's just like straight access. So he had found something big, but he reported it to us and we worked with him. We did pay him, I think, our largest bounty at the time. I think it was 33,500. But we also hired him, and he moved from Brazil to work on my team and kind of be on the other side of the bug bounty program, and that went really great. I think he stayed at Facebook for six years.
I left Facebook in March of 2015, after seven years there building out the team, and I went to Uber. And within, I think, a month of me getting to Uber, we published a responsible disclosure policy saying the same things, and I worked with a couple of members of our team to put that out. And we said we won't take legal or administrative action against people who report vulnerabilities, and so on, just kind of similar to what we'd said before. And one of the cool things that I appreciated at that time was, further down on that page, there's a name, Rob Fletcher. We were acknowledging Rob, and Rob was actually one of the people who was helping push out this policy with me. He had been an outside researcher who'd contacted Uber before I got there, reporting a vulnerability, and the team had hired him even before I got there. And Rob ended up ultimately running the product security team at Uber and is a very successful security engineer.

Right after that, I mentioned publicly, I think this one was on Quora, that we had a private HackerOne bug bounty program. So we launched... so this is literally within a very short period of time after I got to Uber. And then, you know, a lot of companies launch a private program now and they never take it public, and there's a big debate whether you keep your bug bounty program private or public. We decided we wanted to take it public, but we had to sit in private for a while to fix all the things that researchers reported to us. Because I'll tell you, when you launch a bounty program,
you really do find things that you wouldn't find otherwise. From a company standpoint, bug bounty programs are amazing. Like, as a security leader, I'd have this huge budget and I would pay pen testing companies a set amount of money up front, and then they would find three vulnerabilities every time. And so it was like, no matter how much I paid them, I was going to get the same kind of report that I would have to, like, look really hard to find a little bit of important stuff. With researchers, you don't have to pay them a dime until they find something important. And so, like, from a company's standpoint, I really believe that... and I used to say this, I would say it's negligence to not have a bug bounty program. Like, you have to have that opportunity for people to do the work. So we launched our public program.

And within a very short time after that, this came to my personal email and my Uber email: "Hey Joe, I found a major vulnerability in Uber. I was able to dump Uber database and many other things." I did what I always do. I've gotten versions of this email hundreds of times. I forwarded it to our bug bounty triage team and Rob Fletcher, the same researcher who had gotten the job at the company.

I just put this slide in to remind me that everything I'm going to talk about now is stuff that was covered publicly in the trial. So like I was saying at the beginning, I'm only going to talk about the case from what's public.

So Rob sent an email back really quickly after I'd gotten that email and forwarded it to them, and Rob said, hey, my name is Rob, I work in product security here at Uber.
I understand you have a vulnerability you want to disclose. Our preferred method is to use our public bounty program at HackerOne, but if you'd like to use email to exchange details, let's go. And so that's kind of the start of the case.

During the trial there was a whole bunch of debate and testimony and argument about the interaction with these researchers-slash-hackers, and I never know what to call them, because back at the time we thought of them as researchers, and, you know, now everybody thinks of them as felons. So there was this whole question of whether they were... This was a slide from the trial, getting a bunch of quotes from people who testified, and it was a bunch of people from my team saying mostly what happened in this case in terms of our interaction, it was quite typical. We had a lot of debate internally often about, you know, back then... So, you know, you have to remember 2016 is a long time ago now in internet time, especially in bug bounty program time. We had very generic rules back then. Companies now have very long rules of what you can and can't poke at. And so, like, Colin Green said during his testimony, there's no Supreme Court of bug bounty rules; we just look at each case and try and figure it out back then. And Rob said our guidelines were flexible. And another member of the team, Matt, said in his testimony, look, if in these situations we actually went and referred someone to law enforcement, can you imagine how the research community would react? And then our program would tank. So actually the new CEO of Uber, when he testified, he said it was the right thing to do to pay them.

During the investigation, and I don't want to spend too much time on the investigation because I don't have that much time and this is focused more on the researcher side, we documented everything on the team. We had a large number of people involved. This is, I think, 25 members of my team worked on the investigation.
We pulled in the communications team. They communicated all the way up to their exec level. We pulled in legal. They communicated with their manager, who ran the privacy team for legal. So they were all kind of in the loop working through what we did on the case. We had a data breach response policy. We had a data breach response plan. We had a breach incident response playbook. We had all the documentation you would hope to have. We had specifically the names of who in legal we were supposed to escalate things to. We did those things. Legal was responsible for deciding what gets disclosed, according to policy, to whom. And the lawyer testified, said they gave the advice to my team: it's not a reportable data breach situation if three things. One, you're confident the hackers no longer have the data. Two, confident the data was not disseminated further. And three, you can get the hackers to sign an NDA. So that was the advice from legal at the time.

And then I want to jump back to my sentencing hearing, because this was again the only time, like, the judge really gave his opinions on the case, was at the sentencing. And so a big focus during the case... if you go back to those articles I showed you, they came out in 2017, they all said we gave them an NDA to shut them up. And the judge said the NDA argument the government makes doesn't fly. This wasn't a cover-up. It was part of the ability to solve the problem, in my view and the way that the evidence came in. I was so happy, like I said earlier, when the judge said that, because it validated how hard my team worked and what they did on the investigation. Because on my teams,
we always had a culture of attribution in our investigations. We always wanted to know who we were dealing with on the other side. I would love to someday give a talk just on the concept of attribution, because, like, security leaders very much disagree philosophically on whether people inside the company should care to know who they're dealing with on the other side. We always wanted to know, because we would refer a lot of cases to law enforcement, but we also sometimes didn't. And there was a great example on the wall we had at Facebook that was mentioned in an article, where, like, an 11-year-old kid had done something really stupid, and we were like, what are we gonna do with this case? So we wrote a letter to his mother and asked her to have him apologize, and he did, and we're like, that's a good resolution for that case. But, you know, it's a weird situation. It goes back to the people in the private sector having a lot of discretion about what to do, and actually being the only ones who have visibility into what's really happening in a lot of these situations.

That culture of attribution, and this could be a whole other talk too, around attribution. Like, I left Facebook in spring of 2015, and of course in 2016 there was a lot of stuff happening at Facebook around the 2016 presidential election and suggestions of this concept of misinformation. That security team put out a really detailed write-up publicly about what had happened from the Facebook perspective and chose to be transparent. I think there were a lot of other platforms that had just as much misinformation on them, but they didn't put out the reports, and so I think Facebook actually got a lot more heat.

So jumping back forward to our case, my team did an amazing job on figuring out who these guys were on the other side. It turns out it was two young men, one 19 and one 20. The main person responsible, from my team's determination, was a kid named Brandon who
lived in Florida. And he basically... I don't want to talk about his personal life because I don't know him, but my team got to know him really well and really came to like him as a person. But they also really appreciated his skill in terms of obfuscation, because it took a lot of effort to track him down, and this would be an amazing talk also. But the thing that the team did that was really great was, you know, when you have a situation where you're trying to get attribution, what we typically do is trigger a lot of back-and-forth, and then sooner or later they make a mistake and expose something, and it could be financial, it can be IP, it could be lots of different things. And so in this case, back in 2016, we did a lot of back-and-forth with these guys, because I had said to my team, it's not enough to get an NDA signed by someone when we don't know their real name. And so my team did the attribution work, and the way that they exposed themselves was when we sent the NDA through DocuSign. It's not so easy to use your VPNs and Tor and stuff in those situations, and so an IP leaked to us. We were able to link it to some other stuff that we found on blockchain, and pretty soon we knew where they were. And then so we knew it was Brandon who was the main kid behind this. So this was an email from a member of my team.
"Hey Brandon." And there were, like, three or four things in the... well, first off, the email was sent to Brandon's actual real email address, which is not what he had been communicating with us, and it said... I wish I could see it, because it's really good. So anyway, in this email Matt said a few different things, one of which was, like, I really want to meet you and talk to you about attribution and obfuscation and how you worked this all out. And we invited him out to come do a talk to our whole team at Uber in that email. We also said in the email, one of our team is in town to interview you and check to make sure you've deleted the data, because we had figured out where in Florida he lived. And we sent a member of our team who was a longtime CIA interrogator. We sent him and he went and met with Brandon, and he put together a very long personality profile and analysis of Brandon, and said, basically, this is a 19-year-old kid, 20, maybe he was 20 at the time. This is a 20-year-old kid who, you know, he's afraid, he doesn't leave his house much, he really likes this hacking stuff and computer stuff, he's just gotten involved in it recently.
He's trying to figure it all out. And so we had a couple of members of my team interact with him; one had a lot of interaction with Brandon, and we even tried to get him a job at a security company. So I think about this case... like, I've given you some facts. Thinking about it from the researcher perspective, not mine, you know, there's the version on the left: "Uber paid 20-year-old hacker who lives with his mom to cover up massive data breach." That's kind of like one version. And then Nicole Perlroth, who was a reporter at the New York Times and an excellent cybersecurity reporter, she did a detailed review and published something with Mike Isaac, who had been the main reporter for the New York Times covering Uber, and they actually somehow got access to a bunch of the emails between Brandon and my team and kind of looked at it from a different perspective. But that didn't happen until a few months later, and of course the stories that come out the first week are the ones that get read more than the ones that come out a few weeks later. So now I'm gonna jump forward to the trial again. The government presented its case, my team presented its case, I didn't testify. The jury was instructed about a violation of 1030, which is 18 U.S.C. 1030, kind of one of the core anti-intrusion laws in federal law in the United States, and one of the fundamental things is: did you access a computer without authorization? And so it went to the jury, and the jury was debating for a few days whether I was guilty or innocent, and they sent out these two notes to the judge (the jury is allowed to send notes out to the judge). In this case the jury asked: could Uber give authorization after the access? Because that's the advice that, if you remember, the lawyer testified he gave: we could authorize it after the fact.
I think he used some Latin phrase, nunc pro tunc, during the trial, but the idea was: if somebody trespasses in your yard and then you say, okay, you're welcome here. You know, there was a no trespassing sign and I didn't personally invite you yet, but you came in, and then I can authorize you after the fact. And I've never researched the law on that specifically, but that was the advice that I think the bounty companies and a lot of programs have always had, because if you think about the first time a researcher finds a vulnerability in a company, they probably haven't signed up for the bug bounty program. They probably haven't clicked through any of those terms that could be presented as quote-unquote authorization. Like, that's how the companies try and say that they gave authorization: they publish these policies. The decision during the case was the jury just has to go back and read the statute, which says, you know, a felony starts at the time of the unauthorized access, or a felony is committed then. So the jury came back with a guilty verdict for me. But this isn't what I'm showing you; I'm showing you a different judgment in a criminal case. This is a judgment of United States versus Brandon, the researcher. He now also is convicted of a felony as of June of this year. So there were lots of other different situations. I don't think I have time to go into them, but these two researchers slash hackers slash felons had actually gone and accessed other companies in the same way and found their vulnerabilities and contacted them as well. One of them, LinkedIn, just called it a breach, called in the FBI. The FBI was not able to find them like my team was. We were actually in touch with the team at StubHub, because I think the person on the StubHub team used to work for me back when I was at PayPal, and they were dealing with a similar situation. They confirmed to us that they resolved their situation as well. And so from the
outside it looks like they reached out to a bunch of companies. One company declared a breach, one paid them and tried to explain bug bounty programs to them, and others just kind of did different things. But did the researchers slash hackers slash felons take the data of those other companies and dump it or monetize it? No, they just deleted it, actually, in those cases too, because I think they were trying to help the companies. That's the way I thought about it at the time, and I'd love to learn more about what actually happened at these other companies. So, to kind of wrap it up: I think we really need to look at cases like this from the perspective of the researcher, and I feel like it's hurt things a lot, from everything I've heard. So we need to get more proactive in communication about the realities and expectations between the public, researchers, and companies. I remember when this case blew up, my dad called me that day in 2017 and he's like, nobody understands bug bounty programs. My dad was like 76 at the time. I was like, yeah, I know. We need to get better at having consistent, shorter policies, and we need to make sure... like, I still don't know what the right answer for guidance for people is on that unauthorized access question.
So, like, I was talking to somebody and they said I should put a slide into this presentation listing 20 different scenarios and ask whether it's authorized or unauthorized access. If it's an employee inside the company who accidentally stumbles on an exposed database and then the employee goes into it, is that an unauthorized access that is now a felony? If it's a pentester and they go outside the boundaries of the contract and they find something, is that an unauthorized access that needs to be reported? If a bug bounty person does it? Like, where you draw these lines is not as clear as it should be. And I haven't seen any... I mean, I don't know, I don't get CC'd on notifications to the government about exposure, but I do often hear about them and talk to the security leaders beforehand, and they don't feel like they have clarity on these issues. I hope that the Department of Justice continues to invest in dedicated lawyers who understand cybersecurity, and that they get all over the country and that they're involved in all these cases. You know, there's one really good thing that DOJ has: a policy that any time a security researcher is to be prosecuted by one of the districts out in the country, they're supposed to run it by the Computer Crime section in Washington, DC. So I think that's a good thing, and I'd like to see more stuff like that. The thing that bothered my team the most was a lot of people telling them that if they'd just done the right thing, none of this would have happened. That's too simplistic a perspective on these complicated dynamics. I want companies to be able to launch these programs. I want researchers.
I want someone to someday get that million-dollar bounty, and so we need to create an environment where companies are comfortable launching these programs more than ever. And I want to make sure we educate young people on the right ways to do these things. I wish r00tz still existed as part of DEF CON, because my daughters got to go to that growing up and they learned a lot about this stuff, and we need to have programs like that. Like, when we talk about cyber education for kids in schools and stuff like that, it should actually be teaching them about bug bounty programs and how they could go make money while they're in high school, because then they'd really learn, because they'd be motivated. So anyway, I think that's basically the stuff that I've been thinking about. We need to really harmonize our program policies, we need to engage people, we need to talk about this stuff, we need to kind of change so that my dad doesn't have to say again, people don't understand. So why am I doing this talk? Why am I taking risks standing up here and talking about this stuff? It's because I think this stuff is really important, and I think we should be looking at it from the researcher perspective as well as everybody else's. Since I'm on stage, I want to use this opportunity to pitch my nonprofit work for one second. I'm the CEO of a nonprofit.
I go to Ukraine and help. I originally tried to volunteer to do cybersecurity work there, because when I was the CSO of Cloudflare last year we did a lot of work to help, and so I really enjoyed that, and when I left Cloudflare at the end of last year I wanted to stay involved. Turns out that our nonprofit, we focus more on medical equipment, and then we started a new program in January that I initiated: we get companies to donate their used laptops and I bring them over. These two pictures on the right were me delivering laptops to kids in the Bucha region north of Kyiv that had been devastated in the initial days of the invasion. I was in Ukraine last month, and so these pictures are from there. On the left side was on the 4th of July; we were with some troops who had just got back from Bakhmut and we were doing medical training on how to use tourniquets the right way. It's the most important thing they need to know medically, and so we were there. And if you work in a company, go find out what you do with your used laptops and send me a note. Every laptop that I've brought to Ukraine has come to my organization because somebody in the security community worked to get the people inside their company to... and I can't tell you how happy you can make a 13-year-old who's doing remote schooling on their parents' phone feel when you show up and give them a MacBook Pro. It was like that with the girl on the bottom right and her mom; we had to wait 20 minutes to take this picture so that they could stop crying. It's like, what we take for granted, you know, they're trying to live a normal life in a war zone. Kids can't just hide in a bunker for years. They need to actually, you know... they had to go through COVID there too and do remote schooling, and now they're still in remote schooling. Half the kids in the country are in remote schooling, and half of those kids don't have a laptop.
So the other reason I'm doing this is because I told the judge in my case, I wrote a letter to him before my sentencing and I said, if you don't send me to prison, I will stand up and I will talk about the things we need to do better. And I think this is one of those things that we need to do better. So I told him I would put my name on the list for every conference and go and talk. The government, the prosecutors, were asking that I get 15 months, and the judge said no, thankfully, so I'm here to give this talk. But I have to live up to my commitment to the judge that I will talk about these things right now. So thank you for your time.