The one and only, the person who I really want to grow up to be, the security curmudgeon, Jeff Man. Hey, how's everybody going? Doing. I can't speak. It's been a long week. Thanks for coming out at four o'clock when there's so much to do here at DEF CON. Is everybody having a good time? Yeah. I'm going to say right up front, if you think this is like a hardware hacking talk about chipsets and stuff, it's not, so feel free to leave. I don't talk about that kind of stuff usually.

This is my contact information. Feel free to reach out to me if after this talk you ever want to have a discussion, push back on anything, have questions to ask. I've been doing this stuff for a really long time, and my goal right now at my stage in my career is to try to give back and impart as much knowledge and wisdom as I've mustered over the last 35 years or so to the next generation. So thanks for coming out. I guess to start off, how many people watch or listen to Security Weekly? A couple people. Anybody have the Tribe of Hackers book, read it yet? Fewer people.

I want to tell a little bit about myself since probably half the room doesn't really know who I am, just to give you a little context of why I'd be up here, why they call me a curmudgeon, why I'm on Security Weekly, why I'm in a book called Tribe of Hackers. Very briefly, I just want to shout out to the company that I work for, Online Business Systems, because they pay for me to be here all week. It's a consulting advisory company. At least our group is. We do a lot of advisory work. That's what I do. We have a pen testing group, a security testing group, and we are very much hiring because we are in a growth mode. So if you guys happen to be looking for work, that's as much of a plug as I'm giving here today. Paul's Security Weekly is a webcast podcast that's been around for 15 years now.
The last two years in a row at RSA, at the Security Bloggers Meetup, we've won most educational security blog, which is special to me because that's why I'm there. I'm trying to teach. I'm trying to pass on the things that I've learned based on the experiences I've had. So if you've never checked us out, that's the website. We've got a bunch of different shows. We've got a new one that's being formulated that we're hoping to start in October that I'm actually going to be the lead host on. And that's a little tease. We haven't formally announced it yet.

I showed you the Tribe of Hackers book; I'm in that. The Tribe of Hackers book, if you haven't heard of it, is by a guy named Marcus Carey. He runs a company called Threatcare. He's an NSA cryptographer. He got this idea to ask people that he knew from the cybersecurity community that are more well-known or doing cool things a set of questions. So he put together a survey, 14 questions, and asked everybody the same questions, had them fill it out. And everybody's responses are a chapter in the book. And it's questions like, you know, what's wrong with cybersecurity? What's right? If you could change one thing? What are some mistakes you've made? What's your favorite hacker movie? It sort of runs the gamut from serious questions to lighter questions. It's a good read. I encourage you to check it out. And actually, he has just published a second edition of Tribe of Hackers. It's called Tribe of Hackers Red Team. I think they're both available for sale now at Amazon. So go check that out.

As I said, I've been in this business. Technically, I've been in the cybersecurity business for about 35 years. I've been saying that I've been a hacker for 37 years and counting. But I was thinking about it this morning: I've really been a hacker all my life, because I really believe that being a hacker is more of a mindset. It's more of a mentality. It's more of how you look at things and approach things. And you can hack anything.
It's not just computer hacking. It's not just technology hacking. And it's not just human hacking if you go to the social engineering village. It's really a way of looking at life where you question things, where you are curious, where you wonder how things work. You wonder why things are the way they are. You wonder if something could be done differently and better. You're always looking for a different way. As you can see, I spent a good deal of my time at the National Security Agency. I was actually hired by the National Security Agency because I scored well on a series of aptitude tests that basically showed that I apparently could do things like cryptography. But it was really, at the time, it was more of a matter of, and it was almost like you've seen on TV or movies, do you like to do puzzles? Was there a puzzle in the back of the book that you can solve? You might want to come talk to us. And I liked doing puzzles. I grew up doing puzzles. I still like doing puzzles. I like solving puzzles. And so I kind of like view this whole thing as a puzzle. And I think it all has to do with sort of that hacker mindset. So about 10 years at NSA, I was a cryptographer. We'll get into a little bit more detail later. I came out into the private sector 23 years ago. Primarily I've been a consultant advisor ever since. I did a few years of pen testing, what came to be known as red teaming. We called it vulnerability assessment back in the day. And if anybody has alcohol on them, it's a custom on security weekly when I bring up PCI that everybody has to take a drink. But I've done PCI as a QSA for 10 years. I'm still doing PCI advisory work. And as a qualifier, when I say PCI, I'm really meaning security or information security or data security. It's not just a compliance thing. But that's another talk for another day. 
Back when I was working at NSA and starting in this career, what I learned about initially was that this thing that we do, at least in its origins, had to do more with data security or information security. And NSA didn't always exist. The organization that preceded NSA didn't always exist. And it wasn't always popular. There was an attitude in this government, I think this gentleman was back in like the early teens or 20s of the last century, where they were trying to formulate a group, I think it was around World War I. And he was pushing back, and a lot of politicians were pushing back, saying, why do we need like an intelligence gathering agency that steals information? Gentlemen don't do that. So that's a quote that was like posted on the wall in my first office when I started at NSA. I did a couple of things at NSA. I give more full-blown talks on this. I guess I'm just going real fast just to give you guys a little bit of teaser, if you will. Early days of NSA, I was responsible for taking a one-time pad, which is a manual crypto system. It's actually unbreakable. I don't know if we're worried about security, why we don't still use it. Oh yeah, speed. I took a one-time pad and turned it into the key on a floppy disk, wrote a computer program. I was a project manager, had somebody that could actually code, write it, and basically produced the first software-based crypto system that NSA produced. To do that, I had to kind of hack the system because NSA at the time only built machines, only built little black boxes. Software hadn't been done yet. So looking back on it, I kind of had to hack the system and hack the requirements on how you build things to make it work for what I was doing. I also happened to work with one of my customers, which was US Special Forces. 
They used a particular type of one-time pad where the encryption algorithm was a table called a Vigenère table, or a Vigenère square, which is a slide of the alphabet, 26 different offsets, and it happens to be a reverse alphabet. That method of offset of characters, that table, produces unique three-letter combinations. There's actually 123 of them in the whole big table. The guys that would do communications and write the one-time pad messages for the Special Forces, they would memorize them. I didn't. As an aid to me, as a crutch to me, because I was working with them on some different types of crypto systems that relied on that essentially algorithm, I had just been through intro to crypto classes. I'd learned about cipher wheels, and I thought there ought to be a cipher wheel for this Vigenère thing. So I ended up making it, long story short. They saw it, loved it. We made 15,000 of them and distributed them to Special Forces. As far as I know, this was in the late 80s, and they used them for at least 10 years. Actually, two nights ago, I ran into a guy that was ex-Special Forces who remembers actually using the wheel.

A couple months ago, a buddy of mine was asking me about something that he called the Diana crypto wheel that Special Forces used to use. That piqued my interest, Special Forces wheel. Again, long story short, he had seen on the internet somebody was selling a wooden model of what was essentially this Vigenère wheel that I invented. I actually have one with me because I got in touch with the guy, the artist, the craftsman that made these things, and I said, hey, would you like to talk to the guy that designed it and sort of invented it? And he sent me a couple. I'm hoping to get this into the NSA crypto museum, because this is a part of history. Because two nights ago, I met a guy that was very grateful and very excited that he met the guy that made that.
Most important, or the most important story as it pertains to our current subject matter today. A couple years ago, a book came out called Dark Territory. In that book, there was a chapter four entitled Eligible Receiver. Within that chapter, there's this paragraph that says in part, and I'll read a little bit of it to you. The NSA had a similar group called the Red Team. It was part of the Information Assurance Directorate, blah, blah, blah, blah, blah, blah. During its most sensitive drills, the Red Team worked out of a chamber called the PIT, which was so secret that few people at NSA knew it existed, and even they couldn't enter without first passing through two combination-locked doors. The PIT was an office. It was the office that I worked in. I worked with a bunch of guys, and we started doing pen testing and learning how to hack computers back when the internet was starting to become publicly available. So we ended up being the first pen testing team, later to be called Red Team, at NSA. So the main reason why I'm in this book is I started pen testing at NSA. The PIT actually existed. This is an aerial photo of some business offices that are just west of Baltimore Washington International Airport in Baltimore, Maryland. The building in the corner there is Phoenix 3, and the corner of the building there, I forget whether it was the second or third floor. It was a long time ago, but that's where the PIT was. It was an office, but somehow it turned into folklore. So I'm in a book where they talk about this super secret chamber that was just an office.

As I mentioned, PCI was a thing that I did. I did it for 10 years. Everybody groans when they hear PCI. Feel free to take that drink. But to put it in a little bit of context, these are the customers that I had in the 10 years that I was a QSA, a Qualified Security Assessor. You may recognize some of the names of these companies. A lot of people think, oh, PCI, that's just retailers.
That's just department stores. But it really touches just about every company you can think of. Think of any company that you do business with where you take a credit card or debit card to pay for whatever the products or services that they're offering. All those companies, organizations, no matter what they are, are subject to PCI. And again, when I say PCI, I mean information data security. So they're supposed to be doing basic fundamental security practices that all of us would expect that companies should be able to do by now. And because they're not, that's why we have conferences like these going on for 27 years. And that sort of gets to the message that I'm trying to get out to today. And I'm not here to sort of tell you what I think. I'm here to tell you that I'm concerned because I've been in this industry for so long that we seem to not be solving anything. Ultimately, problems continue to happen. We're still breaking things everywhere. I don't know how many villages are here this week where things are getting broken. But I essentially think that we have a problem. And I want to give you some thoughts that I have hopefully pique your interest to get you to think more, think differently about this thing that we call cybersecurity or security, this thing that we do. That's sort of the essence of the talk today. I think the problem largely revolves around, in many different ways, obviously about technology and how technology has changed our world and how technology, we time and time again think if we just do it better, if we just make something new and different and shinier, that that'll solve the problem. I think fundamentally, security is not something that is a technical solution. I think technology is the problem. I don't think there is a technical solution that ultimately solves this thing that we're trying to do. 
My proof point is, and I've given up a long time ago trying to keep this slide current, nary a week or a month goes by where there isn't some major new breach where some large company, I didn't try to update it. You get what I mean. And when you've been in this business for 35 years and you went out into the private sector hoping to change and make companies better, make them more secure, I at least wish that we were collectively doing better, and I'm dismayed that that's not happening as often as it should. But again, and there's a lot of facets to this, but again, it revolves around, I think, the belief that technology, since we're using it so much for communication, we think there's technology solutions that'll ultimately solve the problem. I think technology, the tools that we use, are tools, not solutions. And I like to think of them as tools. And when you have a tool, you have somebody that is wielding the tool. So I think the human part of the equation never goes away.

Many, many years ago in my consulting career, when I was just getting started, and I've heard other people give variations, so I don't think this is an original thought: if I gave any of you some paintbrushes and some oil paints and a blank canvas, could you paint a masterpiece? Most of us probably couldn't. If you're an artist in here, I apologize, but most of us just can't pick all that stuff up and just create a masterpiece. But you have all the tools, you have all the parts, why can't you just create the masterpiece? And I think that's sort of the mentality we sometimes have in this industry, especially when we're companies trying to solve security and we've got vendors and whatnot coming in saying, just use our stuff and that's all you need to do. I think this is also part of the problem.
I found this a couple of years ago and I thought this was a really, really well thought out slide and it's never legible on any presentation, but it's a really good breakdown of all the different facets of cybersecurity in this context, CISOs, assuming that the CISOs in charge of it all in an organization, all the things that they have to deal with at some level, major categories and subcategories. I'm telling you, I've been in this business for 35 years, I'm not an expert on everything on that slide. I could probably speak to a lot of it, but I'm certainly not an expert on all that and I've been doing this a long time. I defy anyone to find anybody that's got all of this down and yet companies are hiring people and they are making them responsible for doing all this so it's not surprising that they turn to technology to try to help them solve these problems and it's not surprising that they rely on automation and other people outsourcing all these other things to help them solve this. Let me say also, I'm not trying to say that all those things are not good at all. Again, tools, they're useful, they have a purpose but they also have limitations. I'm not saying don't use them. I'm saying wield them well, wield them responsibly, understand the limitations more than anything. So I've been going around the last couple years basically having this same thought and trying to come up with creative new ways to try to convey this to anybody who would stop and listen. So thank you for being here and I just lost somebody, darn it. I'm not making you feel guilty. We're just getting to the good part. I think back to when I started at the DoD and when I was learning basic information security and data security, the way I learned it was based on something called the risk equation. So you've probably heard about it. You may have seen something like it. 
You've certainly heard the terms as we jump into it but I want to introduce it to you the way that I learned it sort of in the classical definition sense. Pay attention. I throw some of these things in just for laughs to try to keep your interest. One of my first lessons when I started at NSA back in the 80s was I had a chief scientist that said this and he said around the time I was creating that software system that everybody said NSA doesn't do but I think this is extremely true and I think we're experiencing it. We create something. We think it solves the problem. We go a little while and then somebody figures out how to break it and we've got new problems and it's kind of a lather rinse repeat kind of thing and I think we're kind of all collectively as an industry, as a community whether we're this part of the community that's in this end of Las Vegas or we were the other end of the community that was down the road a mile or two a couple days ago. We're all in this together and we're all struggling in the same sort of we'll call it a continuous loop. How's that? First and foremost, the lesson that I learned, the way I learned security is that it's all about data. It's all about protecting information. I think too often we get spun up now and this is a belief you can accept it or not. I think we focus too much on the information technology and not as much on the information. Again, with the belief that technology and automation can solve the problems. So we try to secure everything rather than securing the things that we need to secure. Anybody recognize this scene? Anybody ever seen the movie Sneakers? I did this talk a little while ago and nobody raised their hand which really made me feel old. If you haven't seen this movie and you're at this conference, put it on your to-do list, put it on your bucket list. This is one of those must-see movies if you want to live in the hacker community, especially the computer hacking community. 
Very briefly, not to do any spoilers, but these two guys, when they were in high school in the movie, they were hackers, and it came out in 92. So imagine they were younger much earlier. They were hacking over phone lines using these things called modems, mostly connecting to the mainframes because there was no internet the way we know it. They were breaking into something one night and they got caught. Well, one guy got caught, one guy got away. So Ben Kingsley's character, the bad guy, went and spent 15, 20 years in prison. Robert Redford went free and went to start a cool security company, both electronically over the internet, over the phone lines, as well as doing physical access. So Sneakers is one of my favorite movies because it sort of introduced the idea of social engineering to the community.

In this movie, in this pivotal scene, they're sitting on this thing which actually is a crazy supercomputer, or it's a mock-up, which is the computer I used to use at NSA, which you can now see at the NSA Cryptologic Museum if you're ever in Maryland, stop by. But in this pivotal scene, they're talking about, you know, basically why did you go bad and why aren't you doing good, and they were having a conflict. Again, I don't want to do any spoilers because you should see the movie. The bad guy character says to the good guy character, there's a war out there, old friend, a world war, and it's not about who's got the most bullets, it's about who controls the information. What we see and hear, how we work, what we think, it's all about the information. And of course nowadays we could add where we move, what we click on, where we walk around, where we jog. It's true today, but it's not a new concept. It was enough of a concept that they put it in a movie in 1992. I would submit to you, it's been around for hundreds if not thousands of years. The key to it all is protecting information. What I did at NSA was primarily working with the military.
The military was my customer per se, and the data that was being protected was data that was most often associated with the military and the activities the military does. Also national security, also spies and all that kind of stuff. Hopefully you've heard of the classic triad that describes information security, CIA: confidentiality, integrity and availability. Technology arguably has introduced a few more aspects, but I like to simplify things and break things down, so I still kind of think of it in these bare bones terms: confidentiality, keeping things secret; integrity, making sure the data is actually real, it hasn't been altered in any way; and availability, making sure you can get to the data when you need to get to it. These are the fundamental things that we, if we work at companies, or we, if we work with companies, if they are customers, this is really fundamentally what we're about, and we know that, and we sort of set that aside, I think, and don't think about it. And all I'm suggesting is maybe we should think about it more, and not so much we've broken another system and all sorts of bad things could happen because we broke it. And we're seeing some things that are more real in terms of what could happen in terms of a bad outcome, but not always. So again, keep these things in mind.

I sort of got a slide out of order. Here's the basic risk equation, the way I learned it. And again, there's many versions of it. There's lots of mathematicians that will apply math to it. I like to simplify it as simple as possible so I can understand it, mostly. But at its most basic level, risk, which is the likelihood that something that you don't want to have happen happens, is a function of something we call vulnerabilities, something we call threats, and something we call countermeasures. This is a brief description. We'll go into it in a little bit more detail. But vulnerability, the way I learned it, was simply a weakness.
A weakness in something. We think of it as bugs. We think of it as 0-days and things like that. But it's not just the technology. It's processes. It's people. It's things that are done and not done. Here's an interesting one for me. Threats, the way I learned it, were people. Threats were the enemy. Threats were the ones that want to do something bad to you that would lead to that risk, well, that bad outcome which the risk is attempting to measure. And then countermeasures in the equation is what you do to offset or to countermand, to mitigate the fact that you have vulnerabilities and threats in this thing that you're dealing with. So keep those in mind.

These definitions are actually written down along with a whole lot of terms. I encourage you to go out and find a version of this. You can find it on the internet. It has been republished over the years and it's changed names because the government likes to reorganize. Information security at NSA became information assurance, and now it doesn't even exist. It's morphed. But they would update the titles and update the terms over time. But I encourage you to go find this. I'm not making this up. The risk definition out of this book is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. The threat definition: any circumstance or event, I hate to read slides. You can read. I'll give you a minute. I don't usually do that.

This is a slide that I put together over 20 years ago when I first came out and I was trying to work at a company that was trying to get clients to let us come in, and we'll break into your systems and we'll tell you what's wrong and we'll tell you how to protect yourself from the evils of the internet. I don't think this has changed. I mean, we might change slightly the terminology, but these are the fundamental threats that most companies face, at least in the commercial sector. And the motivations are all pretty much the same.
Motivations mostly these days are money, but you still have the nation state, and it's espionage, and it's trying to steal secrets and all that kind of stuff. But again, this is not new stuff that we're dealing with. It's been around for a while. Vulnerabilities, again, it's a weakness in the systems, and the weakness could be procedural or it could be technical. And finally, I will throw up Spectre and Meltdown, because when I first started thinking about this talk was when the whole Spectre and Meltdown thing came out, because there wasn't an immediate patch to fix the problem, which is another problem I see in the industry where we're sort of, well, problem is discovered, we install the patch, we're good, and of course everybody patches. There's no issues with patching. But I like to reflect on things like, wow, you know, we focus so much on the vulnerabilities, and yet here's one that you can't even patch. I sometimes think we're addicted, or we focus too much on that one element of the risk equation, and my theory is I think it's because we think it's the one that we can influence, here and down the street. I think it's the one that we think we can convince people to buy our stuff, because it's something that's more or less tangible that you can measure, hopefully. That last element though is tricky: countermeasure. And the countermeasure is what you do to offset the vulnerabilities against what's more or less a constant, which is the threat.

So think about all that and let me ask you the question, because if you notice, in that equation the word security wasn't there. What is security? We're all security experts, we're all in the field of security, we're aspiring to be security experts. But what is it that we're actually doing? Is this thing called security? I usually leave that question hanging, but I thought I'd throw a little bit more out to hopefully get you guys to think. I think in the context, because I ask a lot of people about this, what is security?
I usually warm up to it. But it's a great conversation starter. I think mostly people think in this business that security means secure, which is more or less synonymous, at least in their head, with what I would say is hardened. We want to make our networks impenetrable. It can't be broken into, or our systems, our devices, or our applications. We want to make them impervious to attack. And that's legitimate, I guess. It's okay to think that. I just think it's kind of what we've gotten wrapped up in. But that is making something secure or making something hardened. I'm not an English major, but is that a different part of speech than security? Something else? I think security, in my opinion, is more all those processes and countermeasures and the things you do. I saw a buddy of mine the other day and he gave me the best answer that I've heard yet when I've asked the question. And I didn't even get a chance to ask it yet. He said security is a feeling. Think on that a little bit.

Just again, the data security model, the confidentiality, the integrity, and the availability. Do we focus in what we do on what it is that we are trying to protect? Or do we assume that the data that's flowing through and being stored on our systems is protected by default because we've stored or protected our systems? And is that all we should be doing? Is that enough of what we're doing? Or is that the right approach to what we're ultimately doing, which is attempting to secure the information? The risk equation again. Let me add another layer to it. This is the risk equation, the way I learned it when I worked for the military. I would submit to you that most of the time the risk that we were trying to reduce or manage or get to an acceptable level was the likelihood that something bad would happen in terms of human life.
When our customer was the military or the diplomatic corps we're ultimately trying to protect human lives and the lives of citizens of the country, domestically and abroad. I can't say we had unlimited budgets back then but we certainly understood and our focus was we need to protect citizens, we need to protect our people. So the risk essentially was some aspect something to do with human life. Now in the commercial world most of the time that's not what it is. In the commercial world you start introducing money. And I would submit to you in a commercial organization it's, you know, most companies are in it to make money, most companies are trying to make profit. So there's really only fundamentally two risks that companies face. The ability to earn revenue and how much it costs to conduct the business that allows them to earn revenue. So again I'm just asking you to rethink what we're doing here in terms of what is our goal? All the different things that you do in your profession or aspire to do start thinking about it in the context of if it's your own company or organization or if it's a customer you have start thinking about and talking about the ultimate goal is they're trying to make money or not have to spend as much money in order to conduct business in whatever variation shape they perform that is and try to put everything you're doing trying to sell them, trying to do for them trying to encourage them to buy or change in terms of their processes in the context of how does this help us accomplish that ultimate goal of the ability to make money or not have to spend as much money to make money. 
There are no exact answers on that, how much do you spend to accomplish that, but it seems intuitive that you don't spend more than you have the ability to make money. So we always cry about there's not enough money to do all this stuff for security. I would submit to you, wherever you are, however much money you have in your budget, that's how much you need to do what you need to do to do security, or be secure with what you've got. And that gets much more often into the security side of things, because it's the processes, it's the behaviors. It's you don't have the product to buy things; it's what do you have to work with. So again, what are we doing here?

Let me throw one thing out for you. If you accept the supposition that security per se is not in this equation, if you also accept the supposition that a lot of what we do in this industry, but again here and down there, somehow revolves around vulnerabilities, and if you accept, and again I'm not a mathematician, that vulnerability is a variable in an equation that doesn't even have security in it, that has something to do with security but isn't of itself security, what if all that stuff that we and they and everybody is doing that's vulnerability related isn't security at all? What if it's just your job? You're an admin, secure your boxes and systems; it's just what you do, harden them. You're a developer, you're writing secure applications, applications that can't be broken into. That's just your job. That's not even security. You're in charge of protecting a network, or the network that's in the cloud, or whatever it is. If it's associated somehow with vulnerabilities, but vulnerability is a variable in an equation where security doesn't even exist, what if what you're doing is not security at all? So again, what are we doing? What is security?
I would encourage you, because I don't want to discourage, because there's so much talent and there's so many smart people here and there doing amazing things. As a personal note, I would love to see all this energy channeled not only into helping your companies and organizations, but to think bigger. Bigger. I'm a little bit of a social activist on the side. There's plenty of needs in the world, but, you know, as a side job, or if you're fortunate enough to have it as the main job, use all that talent for a greater good. Find something to plug into, and there's opportunities that DEF CON supports, so look for things. But again, not to discourage, but to make you think or rethink what it is we're doing here. What is security, if it's not everything we're doing with vulnerabilities and threats? I have my ideas, but I like to just leave it as a question. And again, keep in mind there's data involved, and data is information; information, in the sense of most companies, is the ability to earn revenue or not have to spend as much, reduce costs. I've blown through this presentation, I hope you don't mind. I encourage you to question everything; that is at the heart of what being a hacker is. But I would also accept questions, push back, tell me I'm full of crap. Anyone have any questions, comments? Yes, sir.

Right, right. So, right, so the question is: how do you include other things like reputational loss, loss of reputation, the whole deepfake thing? Technology has created some new things that are variations on a theme, in a business sense. Over the years, when I've worked with companies and talked to the executives, trying to explain to them why they need to do security, or hire us to teach them how to do security, or after we've done our job what they need to do to invest to really do security, always it's been a concern: corporate reputation, brand. It's a little bit easier to understand in a corporate sense, because that all indirectly relates to, in theory, or they certainly believe, the ability to earn revenue. Or if they're
a publicly traded company, they get hit on the stock market. I've been involved in the recovery for several companies, especially back in my PCI days, that did go through major breaches, and they did have their reputation soiled, as it were. It's changed a little bit, but largely I think the world per se is very forgiving, because deep down inside all the other companies feel like, well, you know, glad it happened to them and not me, or there but for the grace of God, lucky it didn't happen to us. I mean, certainly people have been fired from companies when companies have been breached, but the company's reputation, they got hit in the stock market, but they rebounded and are doing well. Target I wasn't involved with, but they were a recent retail credit card type breach a few years ago; they're doing reasonably well. The deepfake thing, that's a different thing. I haven't really given that much thought, other than what I've been thinking about is how what we consider data, or sensitive data, or private data, is really, really changing. Because it used to be like name, address, phone number, bank account number, credit card number, and now it's what we look like, and our fingerprints, and how we feel and how we think and what we click on, and which way we turn our head, and did we go that way down the street. It's a crazy new world. What I've also thought interesting about the deepfakes thing: I saw April Reich give a talk on it a few conferences ago. Anybody remember Rodney King? Does that name ring a bell to anybody? I think it was like 1991. We had video evidence of police officers beating the crap out of a guy, and all those police officers were acquitted. There was no question about the validity of the video back then, and yet justice was not served. And now we get videos on the internet that have the ability to be altered, and whether they're altered or not, we as a society don't seem to be questioning; we accept what we're seeing is real. And I don't have an answer. I don't know where I'm going with
that. I just find it fascinating that when we had reliable video we didn't believe it, but now when we have unreliable video we're believing it. And all I can say is something's terribly wrong, but I don't know what it is. Thank you for asking the question. I'm sorry I don't have a better answer. Yes, you first. Yes, you.

Well, I guess I would say I have vulnerability fatigue, personally. And again, I'm not a mathematician, but if you go back to the equation, if anybody's a mathematician, please tell me what the term is. You know, when you look at this as a math equation, vulnerability, the way I understand it, is a variable, and variables, obviously, the value changes, which changes the result. I think there's probably a term for a variable in an equation that more or less is treated as a constant; you know, while it fluctuates, it's treated as a constant. And again, I don't know what the math is for that, but my point is, I think we need to get over the vulnerabilities and sort of accept the fact that they're always going to be there. And maybe we don't need to focus so much of our efforts on making sure that they're not there, not present, not ever popping up. Maybe we focus on responding and reacting, so that somebody that attempts to exploit the vulnerability is easily, early, quickly defeated to minimize the consequence. And I think that might be, as a teaser, the beginnings of what we might talk about as security. Okay, like I said, I don't want to say what I think; I like to leave it hanging. I teach Socratically. Yes, sir.

So I'm not sure I understand the question completely. What I'm hearing you ask is: why do people handle or treat the security of data differently, whether it's printed, it's available in hard copy, or whether it's digitized and handled electronically? Is that the question? Why do they treat it differently? Because it's easier to protect. I mean, when I started with the government, it was prior to NSA, I dealt with classified information that was mostly printed out on paper
and locked in a safe. So go to the Lockpicking Village and you can learn about how long it takes to crack the combination on the Diebold five-drawer safes. But also, that safe that I used to use was in an office that had a lock, and it was in a building that had locked doors with guards that protected the entrances and roamed the halls, and it was on a campus that was surrounded by barbed wire fences, and, you know, you could only get in certain ways. Layers of security, no single point of failure. But those were all the things that were done to protect hard data. It's a whole lot, basically. We gave up on that when we put everything digitized. We gave up the ability to have more of a physical sense of security, where we really knew that the data was safe, and we could tell if it had been compromised because of tampering and all that kind of stuff. We kind of, sort of, gave that up because we wanted speed and convenience, and the ability to have data at our fingertips. In the early days of the internet, the early search engines, if you typed in a search term, you got the results based on things like the first places it found, or the indexing that the early search engines were doing, the most times it showed up; you got the results based on sort of frequency. I'm scared today, and again I don't have an answer for it, because if you type in a search term in Google, or I type in a search term in Google, or any of us type in a search term in Google, we all get different results. So what is it? We have all this data sharing because it advances truth, and we believe it, but we all have our individual truths, because Google tells us something different. So in a way we've given up all our sense of, not all, but we've given up a sense, to a degree, of security of our data, because the risk we've perceived is not as bad as the ability to have all that data freely. Is it an existential, theological, philosophical crisis that we're running into? I think so. But maybe that's another topic for another day. How are we doing on
time? I can take more questions. Anybody else? Yes, sir.

Well, vulnerability by definition can have zero threats, because there are two different variables in the equation. Yep, if you have no threat, and that's a zero in the equation. I used to try to figure this out when I was learning this, whether it was additive or multiplicative. I landed on addition and subtraction to simplify it, but also people intuitively understand if one of the elements, well, it has to be multiplicative for zero to give the result being zero; otherwise, if it's additive, you're just lowering the number. And I don't want to go overboard on the math, but as far as I went with it back in the day, I was trying to figure out a way to display it, and all I got was: if a zero is in the numerator, the result is zero, but if the zero is in the denominator, the result is undefined. And I always wanted to play with that somehow, but I never could, because I'm not a mathematician. So what you disagree with is, what, do you agree or disagree that this industry spends a lot of time on vulnerabilities? Gotcha. Yes, yes, I think we're in agreement: the belief that the biggest influence on the risk is driving down that vulnerability number. Would you agree? Okay, great. Any other questions, comments, pushbacks? Yes, me.

So there's no way I'm restating that, but she's essentially asking me to sum up: where am I going with all this? First and foremost, my goal is to get all of us to kind of rethink, because our focus has been on vulnerabilities. Some of the ideas I have are, and I sort of touch on them here a little bit, and I have another talk that goes more into it: paying more attention to what it is that we're trying to protect, which is specific data, and figuring out in an organization what is sensitive and what is critical. And again, I'm speaking in sort of commercial terms. We've sort of got larger societal issues like the deepfakes, but at least most of us need to make a living, or are making a living, so we work for companies, and that's who worries
about this. We in the infosec hacker community, we want to secure everything. I mean, you see that slogan all over the place, and I kind of feel like we need to get over it, because as a practical matter nobody can afford it. So if you're working for a company, figure out what needs to be protected and protect it to the degree that it needs to be protected. And it's the way that was done in the military when I learned: we had things like confidential information, secret information, top secret information. We had information that was valued differently in terms of its sort of life expectancy, how long we needed to keep it safe, and how critical it was if the information was revealed. Most organizations that I see in the commercial world, it's either unclassified or it's company confidential, and company confidential, whatever's going on in the company, is protected, or attempted to be protected, at the same level. I don't see that being scalable. Ultimately, I think we need to start figuring out how to isolate and figure out what it is that we're trying to protect. And I really am suggesting, and feel free to disagree, I'm totally fine with that, but I've watched us as a community try to secure everything for 25 to 30 years, and I think we can all agree it's not working. And pretty much what we've been doing is continuing to try to do better, and try to do better, and try to do better. And all I'm saying is maybe we should try something different; in this context, not new, something old, the way it used to be done. Maybe we have some lessons to learn about the way data was protected by the military, by the DoD, decades ago that we haven't really fully implemented yet. Does that make sense? So that's one idea. Hold that thought. So data classification, the idea that, don't secure everything, isolate things. I think education, and just sort of understanding how things work in terms of business flow, data flow, because it's not always just the information, it's not always just the data, it's how it's working through
the network and working through your business, and who touches it, and stuff like that. And I'm not trying to give answers; I'm trying to ask questions and get people to think, and think differently. And I'm hoping brilliant and bright people, that so many of us are, will take that and it will spark something. Right this way. So I'm not here with answers, I'm just here with questions. The older I get, the more questions I have. Yes, sir. One more time.

You raise a good point. Most of what we do in this industry, again, both sides of the street, revolves around confidentiality, keeping things secret. Yes, we worry about integrity a little bit; yes, we worry about availability. But just like vulnerabilities seem to be the majority thing we worry about, confidentiality seems to be the majority thing we worry about. I'm kind of at time. If you want to talk to me, I can hang out a little bit. I very much appreciate your time. I very much appreciate you coming early for the next guy, because I know he's who you're really here to see. Again, question everything. And again, if you want to keep in touch with me, on Twitter, it's my email address, look for me on Security Weekly. Live long and prosper.