Welcome to the Ethics Village. If you notice, there were cards on your seat. Everybody's got a card. What do you think this is for? So we're interactive at the Ethics Village. So we would like and encourage the speaker to ask you questions. And he's going to, he may ask or pose an ethical question. And so what we're going to do is we'll flash up "ethical" if we think this is ethical, or we'll turn around and flash "unethical." And this will give the speaker an idea about the consensus in the audience. So with that being said, I've known Render Man a lot longer than we both care to admit at this point. OK, remember, we've had a very friendly, adversarial, war driving relationship over the years. We've participated in a lot of the same contests. I soundly beat him in those contests. And, but it was a friendly, it was a friendly thing. And in the spirit of camaraderie, I contacted Render Man because I think he was on the Responsible Disclosure Panel at the Ethics Village with us last year. And he did as good a job as you can with the panel that we had. You did great. It's not funny to be the night before while I was drunk. So, hey, that's the best thing that you do. You get him drunk and then see what happens. Don't read any of them. So you did a great job. And I think that the most appropriate person to start the conversation as we discuss policy today at the Ethics Village is a nice rant on disclosure from Render Man. So I'll let you introduce yourself. But again, thank you very much, man. I'm EZ. I'm from DC217 along with all the other folks that were hosting the village today. Thank you. All right. Good morning. Just so you know why we have this rivalry, there was one war driving contest where they split Vegas down the Strip. And the first day was war driving everything east of the Strip. And the second day was doing everything west. You drove to what? Santa Monica? Malibu. Malibu.
And collected data there because you got more points for unique access points. So you drove three hours up to Malibu. That's not the whole story. So hang on a second. So what happened was, it was Friday night and we were getting ready to go to Hacker Jeopardy. It was midnight. And we had a team meeting because we had already war driven the entire town. We had spent 50 hours war driving the entire town. We knew where to go. And we were looking at our map. And I'm thinking to myself, LA is west of Paradise. And then one of the members of our team, Mentat, said, oh, that would be unethical. So I said, well, this is a hacker conference. And it's not in the rules. So we voted. And it was three to one for going to LA. But since one of our members dissented, we decided not to do it. But as a good hacker, we were walking out to Hacker Jeopardy at midnight. And I saw Romer, who runs the contest. And I took the opportunity to go to him and say, hey, man, I have a question. I said, I said, Los Angeles is west of Paradise. And he looks at me and he goes, you motherfucker. So I'd like to ask the first ethical or unethical question. So if it's not specifically in the rules, like the description, was that ethical or unethical behavior? That is actually a codified DEF CON contest rule now: if it's not expressly forbidden, it's allowed. So you know, Render Man has a two-hour slot because we'd like to have discussion along the way. I saw some folks. I saw some black cards. I'd like to understand from somebody in the audience, if they're willing to say anything, why do you think that was unethical? And if you don't want to say anything, that's perfectly fine. So at the time, I got really pissed because they beat us in the contest. And we had put a shitload of work in as well. And so I'm like, oh, it gets the spirit of the contest and everything like that. But it's funny how you add a bunch of years and cynicism. And you realize that, as you said, this is a hacker conference.
Finding ways to do things that nobody else expects, that's what we do. My general rule now is I never participate in a contest I can't cheat at. It's not cheating. At B-Sides, just on Wednesday, I am the first person to have been disqualified from Hacker Pyramid in their 11-year history. I am very proud of this, actually. I was like, she did so blatantly. But in the entire week, the best thing ever was like, I saw Render Man the next morning after we had gotten back from LA and everything. And I said, well, we went to LA. And he looks at me and he goes, fuck, I should have thought of that. Yeah. Oh, yeah. It's one of those, like, you're pissed because you didn't think of it first. Right. It was like. A good idea is a good idea. The best compliment you could get, right? I think some of the greatest compliments I gave you were the four-letter words I probably called you a lot of times that week. Well, that's our secret phrase of love. Fuck you. So we're really hoping for this to be an interactive thing. We're all, yeah? What's war driving? What's war driving? How old are you? So anyway. What's it on? There's an entire village now dedicated to war driving. It's called the Wireless Village. And so basically, back in the day, when wireless was first coming out, some folks were interested in how far wireless had penetrated into consumer homes. And so as good folk, what we did, pioneering war drivers like Pete Shipley built a set of tools that basically you could run on a laptop and they'd just go around and ask, do you have a wireless access point? And basically the wireless access point would answer and say, yes, I'm a wireless access point. Yeah, here's my SSID, here are the GPS coordinates where that was. And then there was a database that sprung up so that people could share this information. Because one of the things we began to track was whether or not people were actually encrypting their wireless network, because WEP was, so it just became a hobby.
Because we were interested, like from my perspective, I was in charge of security at a large company, and I didn't want unauthorized wireless networks in my building, so I wanted to be good at detecting these things. So I took it up as a hobby to try and get good, and then I ended up getting really good at it. So standing in the back, we've got seats all over the place here, feel free. And then the thing is you have to sit in a chair. The capacity of the room, according to the fire marshal, is one ass for every chair and then we start live. So we're not really allowed to let people clutter up in the back door, so come on up and have a seat. And if there's not an ethical or unethical card in your seat, let us know. We can bring you another one. We don't blight without consent. All right. We'll talk about that later. There you go. All right, so. Wow, I don't think I've ever had like first slot in anything at DEF CON in quite a long time. So that's what I do. That's what they pay me for. I fuck shit up. I'm hoping. Yeah. Yeah. All right. So thank you for coming out this morning. As mentioned, I am Render Man. This is my, you know, me at all. And I've been around for 20 years here. Founder of the Internet of Dongs project. That was my latest thing. I'm also the Pope of the Church of WiFi. And I have many other hobbies, which include being a human piñata. This is my 20th DEF CON in a row. Cut me in half, count the rings. Like I don't want to know how much damage I've done to my liver over all this time. We already went over some of the stories that EZ had about early war driving contests. I'm one of the founders of the Wireless Village. Other people much better than I and more organized have taken it over, but we started that back at the Riviera days. DEF CON Black Badge owner. So this thing has saved me so much money over the years. I think that was DC-12? Yeah.
And I'm also oddly one of only two people that have a DEF CON leather jacket that did not win it in a contest. So here's an ethical question. The guys that were handling the order from China for the DEF CON leather jackets, which you should only be able to get winning CTF or some of the really major contests. They had, they run a web store. They had ordered these things in for Jeff, but I guess somebody didn't get the memo in the company and they put them up on the website. I got my order in before they realized they shouldn't be selling these things. You should be sending them to Jeff. Apparently only two had got out the door before they realized this and mine was one of them. I've told Jeff, he knows he's cool. I believe when I told him that I had done this, he's like, okay, if all the people should have one, it should be you. And the fact that you basically have one, you hacked one in a way is kind of awesome. So I don't know, is it ethical to have one? Okay. I think I'm one of only two people I've identified that has competed in all of Lost's mystery challenges. For those of you who don't know, Lost Boy would do a challenge that would, you would sink your entire weekend into it. Mind bending stuff, you literally did not know what you were gonna be doing that weekend. You would just like hand you something and be like, now the contest has started. You're like, it's a, you know, it's a skull. Like, what do I do with this thing? You have no idea. You have to figure it out. And just some of the most amazing things in this contest. How many of you are familiar with Eddie the Yeti? No? He does a lot of the art you'll see. Like, if you even look at the door for the village ops, you know, the, you know, village ops speakers only has got that splattered kind of style. That's him. I actually have a family crest designed by him for the hacker family tattooed right here on my ribs. Because this community means a ridiculous amount to me. 
You are all family I just haven't met yet. And hopefully I'm not related to any of you. And as I said before, I never compete in a contest I can't cheat at because I'm wanting to find new and creative ways to do things. That's what hackers do. If you follow the rules, that gets boring. If other people want to compete in a contest and do their thing, I'm not going to take that away from them. But if you see me up there, know that there's a plan in place somehow. So what I was, as a senior cybersecurity analyst at ATB Financial in Edmonton, Alberta, which is a provincial bank. So in the States, you've got, you know, state banks. This was provincial. So they were geographically limited in their customer base. Internal pen tester, breaker of things. The benevolent adversary was the title I came up with. Worked there for four and a half years, saved their butts a bunch of times, with stories that NDAs can't let me tell you. A little bit about the bank: created in 1938 because larger banks wouldn't serve rural areas during the Depression. So they're like, screw you, we'll set up our own bank. Blackjack and hookers, no, that's Bender. It's a Crown Corporation, a commercial business owned by the government. This will be relevant later. So I've done lots of stuff with disclosure, using the term loosely to mean, hey, you've got a problem here, shit's on fire, yo. Try to let people know about things. As Big Easy mentioned, war driving. This is an old map from, I think about 2002, when I was mapping Edmonton. This is the downtown area. And it was amazing. I remember the first time I went out war driving. Found 25 access points. It was like, oh my God, there's so many here. I think I have 25 in my house now. Like, power on. Like, it's, yeah, I'm definitely gonna get brain cancer from that, I don't think. But back in that day, you'd find open access points everywhere.
And it was literally, somebody went to Best Buy or whatever, bought this thing, plugged it in, and went about their business, not realizing they'd just invited the world that could roll up to their door into their business network. Obviously, this is problematic. So with some of them, you'd be outside the business and you'd see the SSID, the name of the network, was exactly the name of the business. So it's like, oh, that's pretty easy. So a little bit of Googling. You'd find a contact person there and you'd make a phone call or send an email and say, hey, did you know anybody who can get in range can get onto your network? A lot of people just kind of ignored me. A number of people were very thankful. They hadn't considered this or they didn't realize that some employee had done this, which is still a problem. Got a few free lunches out of it, but that was not the cost. That was just them being nice. A few incredulous replies of people saying, oh yeah, really, why the hell are you doing this? Who's gonna go driving around with a laptop, you know, open, with a bunch of antennas on their roof, really? A few people got a little threatening, but once you actually talk to them and say, no, I don't want anything. I'm not extorting you or blackmailing or anything. I just want you to turn this off. But there's lots of horror stories out there of people who tried to alert people and got, you know, threatened legally and got into a lot of trouble. So I was very lucky. Obviously, as wireless started proliferating, you couldn't keep up with it. It was just nuts. Like I said, that first night was 25, but now it's like from my couch, I can see 25 different neighbors' networks. It's easy, so. So here's my first ethical question to you. How bad does a problem have to be before you have to report it? Before you feel you have to say something? Anybody want to comment on that? I'm genuinely looking for input. For a business or a personal? Let's go with business for now.
Yeah. It's going to be more likely to be attacked than regularly. Yeah, we're saying a business needs to react faster because they're more likely a target and going to be attacked. Yeah, saying that somebody who discovers this problem may not realize there's even larger implications in that plan. They've worked with this company before. And do they burn people who actually are athlete? Or he's saying, what's the reputation of the company? Do they burn people that report things? What I've actually found is asking for contact information for somebody already inside, so you're not having to hit that perimeter barrier of HR or sorry, PR or anything like that that will call a lawyer first, ask questions later. I'm actually being proactive for senior citizens who have high income but that's a big problem because they don't know that they are, so that's a big problem. Yeah, so you say on a personal side, senior citizens would be an issue because they may not have nonprofits because they may not know. From the business side of you, it is answered by money, so it costs less to report it than not to report it. Well, you're saying are less than. Now you're actually speaking like an IT risk professional. For me, just as a kid running around in the car with laptop and everything, finding this stuff, I just have this sense of like, this ain't right. Somebody's gonna get, somebody's gonna do something stupid, make their days, somebody else's days suck. I can't sit by and not do something. Yeah, he's basically saying it doesn't matter how bad the problem is, you should report it anyways. For me, it's, there's a, gonna move on here, but for me, there's a point where, okay, if I report this, am I just noise? Is it's like, am I just, oh yeah, that's something, we've got this other mitigation or something, or is it literally like, shit's on fire? Hey, did you know, you might wanna put that out. 
And in a lot of these cases, when it's like open door access to their network, that's really bad. So what I did about it was, we had a lot of situations of people trying to report and getting into problems, people doing things while war driving that would get them into trouble, police or otherwise. So I created the Stumbler Ethic, which is still up, strangely enough, as far as I know. General advice on how to conduct war driving, create these maps and not get into trouble. Things like don't connect, because there you're definitely crossing a legal line. But it's also respect private property, don't trespass, much like hikers: take only pictures, leave only footprints. Don't impact these businesses or anything like that. Don't connect to the network to try to figure out who owns it or anything like that. If you just go off of the data that it gives you publicly, that's fine. It worked for me and it was something that I could point to and say, hey, here's how I operate. Don't worry, everybody in this community knows that this is the standard I hold. As much as you want to think that I did something terrible to you, no I didn't, I'm actually a nice person trying to report things. It's amazing when people don't believe altruism still exists. A lot of the community adopted it; they were under no pressure. But since then, I've generally tried to be ethical and moral about my activities, with varying success. I mean, I do play a bad guy for a job and live that life in a way, but I don't want to see people hurt. But if you fast forward 20 years, January 2018, so I'm sitting on Shodan and dumped the ASN IP registration database and searched for "airport." Found 19 airports in North America. I just limited myself to North America and started going through their IP space on Shodan to see what I could see. A 170-odd line spreadsheet later, I'm staring at some very serious vulnerabilities in critical infrastructure. And this was because I was bored.
Trying to report this stuff was hell because you've got, a lot of this stuff was like the coffee shop or the newsstand in the airport. So on the business side, not operations. If you say you've done something to the air traffic control side, oh yeah, they're gonna be all over that. But it's like, oh, here's the entire point of sale system and security system for the coffee shop online and the security system has no passwords on it. You can just go in and start viewing video directly. That ain't good. You know, particularly you can start deleting things because you're logged in as admin by default. Like this stuff that just should not be that way. There were other things, there were baggage systems. There were VPN routers that were way out of date and that had some very well-known high-level vulnerabilities. And I mean, I fly a lot to these kinds of events and other things and it's like, my ass is on those planes going through those airports. I have a vested interest in this. So I don't have a problem trying to report this, but ethically, the problem was technical. Who do you call? There are no people at airports on the business side to take those kinds of reports. How much do you fight to try to find this contact information? Ended up getting through to somebody at US-CERT that ended up opening up 19 tickets, one for each airport, and they basically sat down with each airport and said, hey, here's what was found publicly, no hacking required. You might want to do something about this. Now some of it is, okay, we rent the IP address out to the coffee shop or whatever and that's their problem, which is fair, but a lot of this stuff wasn't. The best or worst, depending on your perspective, one airport had a half dozen Cisco routers. How many of you are familiar with Cisco Smart Install? One, two, three. Short version is it's not a bug, it's a feature. And I see Smitty back in the hallway holding a very large antenna and pointing it at me.
Like I'm a little terrified here. But it's meant for zero touch installation so you could send this thing out to a remote office. It connects back to a central server, pulls its config and all the secrets and everything, and then reboots and it's functional. Great, sounds like a nice feature. Except their implementation royally sucked and you can actually just send a single, I think it was a single packet, that will change the address that it pulls that config from to you. So now you can pull the running config, you can push a new one, you can upload new firmware, or just brick the damn thing. There were a half a dozen of these at McCarran Airport that almost all of you probably flew through to get here. Fortunately, one of their security guys I had had beers with the year before at DEF CON gave me his business card. So 11 o'clock at night when I find this, I'm rooting through my box as I never throw out business cards. Find his card and I'm texting him at some ungodly hour, saying, hey, is this your IP address space? Yes. You might wanna check out these devices on these ports. Oh shit, linked them to the exploit. It's like, oh crap. And by 7 a.m. the next day, it was fixed. Turns out it was their upstream provider that had dropped these in and was problematic. The day after they fixed it, a senior VP from the company showed up to apologize in person. But we're talking like full access to core Cisco switches at an airport. You can't sit by and know that and not do something. So at least with McCarran being open and giving me that business card, establishing that relationship was very valuable. When I have to fight to report something, you're not making it easy for me. My time's valuable to me, right? So at what point, you know, there is going to be a point where my ethic kind of runs out or it's like, I'm just gonna let you stew. You know, I'm gonna let you crash and burn.
Okay, maybe Portra has been talking about airports, but so what is the moral, ethical, legal responsibility to report problems to those who don't wanna hear it? If you have to, you know, beg and cajole and, you know, stand outside their windows screaming, at what point do you stop? Yeah, this is the question out to you. In the back? I think so you gotta find someone who's gonna be fine. Yeah, you're saying like basically go up the chain. Or just go aside. And as was mentioned earlier, talking to social networks saying, hey, anybody know somebody who's inside and can point me to somebody who will listen. What do you think if you want to discover real significantly of them others? Is there a challenge that we kind of face a lot? What is the culture we're gonna answer our emails at all? And I thought like, this is the thing that you cannot go public with. It was just simply too dangerous to go public, but it had to be fixed. Yeah. And this is the quandary that I found myself in a lot of times where it's like you're sitting on something that is so explosive, you know, so dangerous that you know somebody else is gonna find it sooner or later. Can you sleep at night knowing that you could have done something when something really bad happens and it's exploited? You know, that's back? Yeah. Saying that, you know, you get a battery or fuel tank of like how much you can put into it, and after a while, you're just gonna be like, screw it. Yeah, he's talking about point fixes on specific vulnerabilities, not the systemic problem that created this in the first place. Last one there. Yeah, so she's talking about where there's direct impact on people as opposed to like a company's bottom line. In this case, we're talking potentially the ability to screw with the airport in a way that could affect airplanes' ability to land. You're actually now worried about the butts in the seats in the sky. Another effort, major Canadian wireless ISP.
600 customer routers with Cisco Smart Install wide open, thanks to Shodan. Backtracking a little bit from that. They also had a web server with an index directory with a template of the config with the exact same secrets already embedded in it. So you have the keys to the kingdom right there just from that, let alone the Smart Install thing. It took me three months of, you know, a couple of times a week making calls, making, you know, sending inquiries, filling out, you know, their web form or something saying, hey, you got a problem. We need to talk, and nobody would ever get back to me. It kept just dead ending in some, you know, inbox that nobody ever checked. Finally had to activate the social network to find somebody that had, you know, a friend or a colleague already embedded inside. That was rather painful to have to deal with. Because again, you're sitting there and it's like every day goes by. It's like, when is the other shoe gonna drop? When is something going to happen? So, you know, they fixed it, took them about six weeks. They rolled it out in batches, you know, as one does. Their customers still have a crapload of issues, but at least the ISP's side of things is okay. We're talking like fuel management systems for, you know, city vehicle fleets, Coast Guard stations, their fuel management systems, airports, some of the remote camera systems. There was one customer of theirs that had a camera system overlooking a bunch of vehicles that were just being imported and being unloaded at a harbor. And it's like, this was a big part of their security system. You sit there, you look at night and it's like there's one guy. I'm looking through the security system. I'm seeing what they're recording. I can kick that recording, you know, turn that off, steal a whole bunch of vehicles. This is a problem, right? Funnily enough, the ISP actually doxxed me and realized, oh, this guy actually knows what he's talking about. Maybe we should listen to him.
He's not trying to extort us or anything. So at least I had the reputation and reliability from past experiences to save me from uncomfortable situations and get them to pay attention. Yeah. Got kind of a strange question. It says that you spent three months to try to get someone competent. Normally, my experience is that for responsible disclosure you wait many days after you're alerting the company before you make an announcement. Did you think about making the announcement publicly saying, okay, all these customers are vulnerable, and just naming and shaming? So he's talking about naming and shaming, responsibility versus responsible disclosure. If you gave it your all, they didn't respond in 90 days. For me, this is where it's getting weird and we'll address some of that later. But in this particular case, this would probably have destroyed the ISP and I don't want that blood on my hands. Now, if I gave them the information, they did nothing and I knew it reached the right people and they chose to do nothing, that's all on them. If it's some tech support person or a receptionist or something that just doesn't realize what this email means, or at least that they're at fault in some ways, that's the weird ethical thing. What are companies' moral and ethical responsibilities to secure their services and equipment they provide to customers? If you are buying something that's touted as a secure service, what happens if you find out it's not secure? How many IoT devices say "it's secure" on the side of the box, and you open it up and find, oh, there's Telnet, there's FTP, there's like, no, it's not. So that's, yep. A lot of companies will play that legal parsing game of what does "secure" mean? It's like, oh, well, you opened the box and powered it on. Number four, all warranties about security are void. The most secure computer is one covered in cement buried six feet below the earth. That's not on.
So for me, in this particular case, because there wasn't necessarily a CVE associated with just having Smart Install installed, it was a feature, not a bug. It didn't flag for them necessarily, but it also shows the typical IT thing of overworked, underpaid, under-resourced, understaffed, that nobody looked at this stuff and nobody saw the open directory with the template config file with all the secrets in it already. So, Internet of Dongs. Yes, I hack sex toys. No one's laughing, thank you. Seriously, the back of the business card I have says, yes, we hack sex toys, please stop laughing. And I give that to people while they're laughing at me and they're like, you get this a lot, don't you? Yes, this is an industry where people can be hurt. But strangely enough, no one else really wanted to look at this stuff, not with any sort of seriousness. I don't suffer from a great deal of dignity. So I was looking for a project to do, you know, IoT, web app, mobile app stuff, you know, to learn. And quite frankly, this industry does not know what they don't know. It is really a target-rich environment. So you've got to find the low-hanging fruit and learn quite a bit. They were making 15-year-old errors. You know, stuff that 15, 20 years ago we were dealing with, you know, direct object reference, SQL injection, some we're still dealing with, unfortunately. But they've never made a connected device before. You know, it's always been manually operated, you know, you know, battery, you know, some wires, you know, they've got materials people, they've got electrical engineers, they've got design engineers, but they've never made a connected device before. They bought some TI or Nordic chipset, you know, dev kit, and never had the chance to go to conferences like this, interact with people who say, you think that's a good idea, you know? So, and this is a rare case where the ethics get interesting because they were genuinely naive. They didn't know what they didn't know.
How do you face that then, of like, I can't condemn you because there was no pathway for you to know, you know? They all go to their trade shows and everything like that. They never would have exited that little bubble. And the stuff that I found over the last couple of years with this stuff: full databases dumped with a single query to their web API, you know, accounts where you can, you know, change the password to anything you want and hijack it. Therefore, you become that, you know, user, for better or worse, now you're able to send invitations to other users to control their vibrator. Is that not sexual assault? Because it's under false pretenses. Full PII, or the strangest and scariest one was one device where they had a search function so you could connect with other users. Every user had their, they wanted to know how far away each user was from the other. There's multiple ways to do that calculation. They chose that in the search results, it embedded the GPS coordinates of the other user in the reply. And yeah, the app would do the calculation locally. So I have maps of, you know, where people in the world are masturbating. You know, these are the joys of my life. I've worked, reached out to multiple vendors with fairly great success because most of them say, you know, we care about the privacy and security of our customers. Well, do you, do you know how a lot of them have gone from incredulous to incredibly thankful in the span of like one phone call because I literally hand them their butt on a platter, not the 12 pound twerking butt from Pornhub. But you know, it's like, here's your user database. How did you get this? I sent this string. Oh, shit. One had a MailChimp admin API key embedded in their app. Full access to all their mail lists. Yes. So talking about one of the challenges that we're facing and I have to bring this up, I think it's very good, is are you allowed to make that query?
Are you allowed, are you allowed to go that up one level from your bold part of what you're allowed to do in your device? And this is a very, very good question. So he's basically saying in this case where it's like I suddenly ended up with their entire user database, did I cross a legal, moral, ethical line? I don't think I did because it was so incredibly simple that, you know, it was a sort of thing, if I can type it into the URL bar, that should never happen. You know, that should not work. That means your security is so crap that I'm sorry, you don't deserve to complain. Again, lawyers and everything would probably disagree, but yeah, but attackers don't understand scopes. You know, they don't have, you know, "it's out of scope," said no attacker ever. Ben's right. What? What is your intent? Ben's right. Yeah, Ben's right. Yeah, what's your actual intent? If you're actually trying to find something bad to help them. Yeah, in this case, because I never posted it anywhere and, you know, put it on Pastebin or anything. I contacted the company. I told them how I did it. I never asked for anything. You know, if they offer, that's, you know, a different situation. But it's amazing the suspicion that still abounds when somebody comes up altruistically to say, hey, you've got a problem. So is anyone ever undeserving of privacy and security because of how they choose to live their lives? Because there are, what I've found is there are a ridiculous amount of researchers who I would never trust to, you know, hack sex toys because the maturity level needed and the professionalism needed just isn't there. Yeah, yes, there is stuff that is genuinely funny, but there are people who say, well, you know, they're a bunch of degenerates or something, you know, like they don't deserve our attention or anything. They, you know, they're making these judgments. For me, I'm looking at it as these are legal devices that, you know, are owned by adults.
They are sold publicly, legal in most jurisdictions, few exceptions, as consenting adults. Where's the problem? So, nope, yep. No, what I was saying was that somebody who is not able to, does not take the minimum effort to secure their stuff, doesn't get the right to call me criminal because I, you know, change a parameter in a URL. Like, if it's something that simple as a default, it's not with me for finding it, it's for you for creating such a shitty product. So, again, with the internet docs, found one MailChimp API key. I could see everyone who subscribed to their mail lists, so customers, drafts of things. I could also send as them, didn't test that, but I had full admin access over the API. Again, three months to get a reply. I even had to call the mail lists for any of their domain email addresses and just carpet bomb them, like send it to everybody, including like CEO and everybody, finally got a response back with like, somebody talk to this guy, he's being persistent. I never tell them exactly what I found in the first email because usually there's a lot of incredulousness and explaining what needs to happen, so I prefer to get on a Skype call. We'd set up the call and then there were a few emails back and forth, and then somebody hit reply all. "I contacted him today via mail with app devs, app devs looped in. We're already resolving potential security flaws in the app to make sure we fix it. Also, I offered him to hop on a call with team to see what his real agenda was." And like, again, they don't believe altruism exists. When I confronted them with this, it was freaking hilarious. They just like wilted. It's like, oh, crap, you heard that. But that was after I showed them, no, here's your MailChimp API key. Here's what I could do. Here's links to the MailChimp API documentation on how to fix this. I did a lot of work for them, basically. And then they're like, oh, yeah.
And so you thought I was gonna be a bad guy, like, and they're like, yeah, we did, sorry. Talking smack about somebody behind their back, is that any different than to their face? I mean, if you've ever done any sort of tech support, I mean, the things that tech support sees, hears, and deals with users make you wanna smack them. But there's a certain level of professionalism, and I find it tends to cloud your judgment and how you approach these challenges, like, will you put in more time to try to find a way to disclose something if you dismiss them? So if you dismiss this one company, well, somebody else who does something is equally dumb in your mind. Is some other factor gonna suddenly, oh, because it's a sex toy? Oh, no, they don't need any of my help kind of things. I love those penny drop moments when they realize they're pwned. They fixed it right away, sent me some free test devices. But with the IoT stuff, because you are dealing with something that is very personal, and you have things like lithium polymer batteries in very sensitive locations, this Samsung show, those like to catch fire if you draw too much current and such. The Chinese OEMs and other white box vendors, they're really hard to get ahold of. I wish more IoT vendors would look at the sex toy industry because they've been very responsive, very responsible and have taken this where they need to go and sought out the help they needed when confronted with the reality of, hey, your shit sucks. But then you just face plant into stuff tangentially. Is it an ethical issue if someone genuinely does not know better and contracts a third party that's an idiot? This is the question I always have. It becomes this obsession of, I have to get them to fix this thing because that's when I feel like I've won, particularly if it's something dangerous to health or harming a person. Those are things I need to know to sleep at night. So, how's this for bad?
Bluetooth device connects to a mobile app, web API back end, we've all seen these sort of things. Oh, yes. Me too. We'll get to that. We're leaving, so could you repeat the question? Oh, the question was, you know, this seems dangerous. You know, I thought that there could be like harm to yourself. Should you just go anonymous and like, we're gonna get to that. So, long story short, in this case, within two minutes of looking at this product, I'm looking at personal identifying information. I am looking at everything. There's not a directory on this thing that isn't indexed. They're leaking source code for everything, including the website and the API back end. Hard-coded secrets, everything. Their iOS developer signing key was in there too. So, I could sign a new version of their iOS app. Backup files with MySQL passwords, .git folder with a copy of everything. There was just, it was the worst thing I had ever seen in terms of a product. And that was just 20 minutes to find all of that. It was a piece of jewelry meant for safety calls. There was a brooch or a bracelet or a necklace that you could tap one or two or three times, and it would interact with your phone and make a call out to like, hey, creepy guy's being creepy, come get me from the bar. Other ones would fake a phone call. There's a sound and alarm. Good idea, good product. Nice, a very simple way to just tap something on your wrist that you're playing with and alert a friend to come help you. But as you see, using this product would be incredibly dangerous. It was get my Ivy. It is now defunct. They were selling almost exclusively through Amazon, not very well because you could see all the customer registrations. You could see how many they were selling. But this is a safety device. This is the sort of thing that a friggin' stalker would love. All right, because there's also like GPS coordinates in this stuff. I mean, we'll talk about moral and ethical failing.
These guys failed to do anything to protect their customers. If you don't set out with the intention of building an insecure product, like nobody intentionally builds an insecure product. But you end up doing so anyways. If you hear about these problems, you have, to a lot of minds, an ethical responsibility to fix it. But if you make sure that you never hear that there's a problem, stick your fingers in your ears and go, la, la, la, la. You know, what is that? Very unethical. But the scary part is, that company also made medical devices. So I've had a lot of successes over the years. So I want to ask a question. Sure. So if you want to ask a question and have everybody hear the question, you can come to the mic. And so on this is, I thought about soda companies, right? Do they have the same kind of circumstance? They build a product that they know will kill their customers, but they still persist and do it and market the shit out of it. And I think what we have here is, it's a consumer education issue. We need to demand better products. As long as we keep buying insecure products, they're gonna keep producing them for us because as consumers, we've been trained to buy, buy, buy. Cheap, blinky shit. Cheap, blinky shit, exactly. So as long as the cost to secure it is greater than the cost of something being fucked up. Yeah. There's no business model that says I should spend hundreds of thousands of dollars securing something if I'm only gonna get $10 every time. Unless you legislate around it. Yeah. Yeah, I mean. So, oh, yes. Yeah. But what I would say with the consumer side is most consumers do not know whether the device is secure, right? So unless you have certain... It said secure on the box. What? The box is secure. As a consumer, you kind of trust the company that you're buying it from. And what you can do is kind of say, well, is this a company that has a certain reputation or not, is it a new company?
But beyond that, if you don't have a technical knowledge about the product, you are kind of going blind and saying, please be safe, please be safe. Yeah. This is exactly the problem, especially with security products, because what happens is, and I don't mean to steal your talk, but we have a two-hour slot so that we could all run our mouths. And the problem is, as researchers, what we're really trying to do is find a balance between getting the word out to the consumer, not being branded a criminal. I mean, this conference, I remember 10, 15 years ago, coming to this conference in a plane going home and I described to people what we were doing. I was at a hacker convention. And the person in the plane's like, criminals have conventions. I mean... Lawyers have conventions. Oh, it's the same thing. I mean, like, well, you know, lots of different criminals have conventions. But it's... Well, Congress. Yeah. Dip, there might be Congress here later, so stick around. This is policy day. The whole thing, though, Render Man, it's like, you know, we've been dealing with this for decades where back in the 90s, we used to just drop code and fuck shit up. And this is the only way you could communicate with vendors. And they finally learned a lesson. It's like, okay, we need to make things at least minimally better so that I can't just send three or four bytes of data and completely destroy your computer. And, you know, you won't be able to recover it back and you're going down to Best Buy and the guy's gonna come and fix it for you. And so they've gotten a little better, but then it also gets worse because now it's like, oh, well you have to download all of these security updates automatically. And then the company starts to take liberties with that. So everybody might have or use a program or heard of a program called Windows, right? I don't know what you're talking about. So in the United States, a lot of people use Windows. So you have a problem in Linux.
It's known as systemd. So. Now he's got his head down in shame, right? So the automatic update does more things than just fix security problems. It always adds and removes features that the consumer may or may not know about, right? And so now the pendulum is swinging back towards the vendors where they're just indiscriminately changing things in software. A software manufacturer is like, God, he can change physics. Look at the F-35 fighter jet. There's a simulator in one of the villages. You can actually go and play with it. That is a fighter jet that has been completely absolutely because it was basically software. Yeah, it's basically a software defined networking. It's a software defined airplane basically. Yeah, and so it's out of business. We have a B-52 bomber in this country. Somebody told me something that was interesting. The mother of the last person to fly a B-52 bomber hasn't been born yet. That plane is designed to last for another 100 years. All of the stuff that we're making now is just so tied to the software and it's built into the sales cycle of companies now. We're becoming these consumers who are just taking this hardware and software and just chucking it away. Much like beer. You don't buy beer, you just rent it. We are not buying products anymore. We are getting a license for it. So ultimately, I think I guess the ethical or unethical question is, as a company, is the company ethically responsible to build a secure product? Well, I'm asking, we have cards. I mean, we paid a couple hundred bucks for cards. We want to use them because the DEF CON folks said we needed to have a more interactive village and when we talk about policy and ethics, it's very hard for us because we can't have a shiny thing that you can solder. This is something, this is policy, right? So is it ethical? Should we make secure products? But if people keep buying them, why should we care? Because it'll be gone. It'll be gone in two years. It'll be obsolete.
Is it even worth it? You guys have anything to say to this? Yeah, well, I mean, in the US, I mean, it is a lot more clear now. Like that kind of stuff, like the Federal Trade Commission has gone after companies like D-Link, but secure on their boxes when, in fact, they have default passes. You're starting to see action by, as I say, FTC and others, but when you get like white boxes. From the FTC here later today. This should have been happening 10 years ago. Right, I mean, some of the stuff you were addressing earlier about like a responsible disclosure, or like you're getting into like the CFAA, I mean, Dave, like the Attorney General's office here, right? Would you like to come up and use that? Come on. Come on. Come on, yeah. So some of the stuff you were talking about earlier, really with the Computer Fraud and Abuse Act, I mean, it is great when you start to like send in probably commands to dump stuff out of the databases. I mean, historically, they typically don't go after prosecutors. Usually don't go after. Yeah, I mean, this is when you look at it funny and it just barfed everything out at you. Right, I mean, usually if you're the end result of what you're trying to get the data for is for a good purpose, they typically don't, even though they might be able to legally. Having dealt with a number of other companies before you show kind of a precedent and that, no, I haven't done anything malicious in the past. Me saying, well, no, I was about to call them to report this actually holds water, so. Yeah, and so in the Department of Justice here in the United States, published guidelines for corporations to actually roll out their own responsible disclosure program. So both the FTC and the DOJ are pushing corporations to actually have those programs so they can receive them responsibly and then they must act upon them and push out firmware updates and stuff. 
That's only like within literally the last two years where we're starting to get some of that push from a federal level. Yeah, IoT Village will have a hell of a lemor on that. Nice, let's move on. I've been successful, haven't had any major problems to that point. But it's basically Russian roulette with a lawyer in the chamber. Somebody can have a bad day and just decide, yep, we'll stick the lawyers on them and then you've got to get one to deal with responding and it's like, they can make your life hell. As you were saying, comment earlier, yeah, there's a lot of great personal risk. The shoot the messenger thing is quite rampant. This Atrient company makes the toll rewards kiosks for the membership clubs in the casinos. They had a shitload of those sitting on Shodan, right? Publicly available, you could get access to PII on these things, they reported it to the company who initially were responsive, but then I think they looked at how much it would cost to fix this and started just cold-shouldering and ignoring the researchers. Researchers are like, well, when are you gonna get this fixed? You're supposed to get going on this, when are you gonna do it, and they wouldn't reply. One of the researchers went to a convention with one of the VPs or the CEO of this company and after this guy's talk confronted him and says, hey, I'm that guy, the researcher, what are you doing about this thing? Are you going to fix this? He got punched in the face. Seriously? Whoa. Yeah, I've got the link if you want it. Speaking up about something may inspire others to start digging into your past, not 100% sure with the case of MalwareTech, but his past came back to haunt him because he suddenly found himself in the limelight.
If you are sitting on knowing that this really bad thing could happen, but you're afraid of drawing attention to yourself, again, this is going to anonymous disclosures and such like that, we all know that you piss off the wrong people, they won't stop spending money trying to figure things out. You can always be traced back somehow. I still feel an obligation when I know something is bad because I like to sleep and knowing that I could have done something and didn't is a terrible, terrible feeling. If there's going to be great personal cost, is it ethical to not disclose? This says it's unethical. You're saying it's unethical, right? I kind of agree with you, you're saying ethical, okay. There's a lot more unethicals going on. That means you're decent human beings in my book that you are, you're wanting to help people, you're wanting to save lives, you are what I want the hacker community to be more like. But I'm a lawyer. Well, we'll forgive you for that for now. We'll allow that today. But hey, you can hack the law. But you can find loopholes or ways to argue a case that's a precedent to fix on these things. So that is a type of hacker. So in this new age of responsible disclosure, coordinated disclosure, they don't work unless the companies behave in an unethical way. Companies are not incentivized to secure things right off the bat unless it's gonna affect their bottom line. If they're not woke, they don't know they need to take reports from the public. They don't know they need to have a vulnerability disclosure program and a way to communicate with them. Some companies will be like, oh, hey, we've got this bug bounty. Oh, you found this bad thing. Here's 10 grand and an NDA. Now you can't talk about it because that 10 grand is a lot cheaper than actually paying to fix it. So it's just catch and kill. We need to start calling out these really egregious examples and outright liars. Those with like secure on the box that it isn't.
Those that do take reports but don't act on them. You need to be careful. I found this out the hard way. Note that earlier when I was describing my employment, I said I was working for ATB Financial. On October 10th, 2018, right after DerbyCon, I got fired. Just called into a meeting room and said, we no longer need your services. To say I was stunned was an understatement. No reason given, just vague allusions to violation of confidentiality or something. And I'm like, I'm a hacker, I'm an IT professional. I'm a security guy. Confidentiality and personal integrity is all I have to trade on. If I am suddenly seen as having violated confidentiality, I'm burned. Like, you know, burn notice on me, I am persona non grata. This was incredibly traumatizing to me. Had I been in the headspace I was two years ago, I probably would have killed myself. It was that hurtful to be let go of that suddenly in that way. I am a new man, my challenges with mental health are well documented on Twitter. But I'm also a hacker, so I did what I do best and I started digging. Because suddenly I had a lot of free time. I'm not even gonna pose the moral and ethical questions, I'm just gonna start listing what happened and the facts here and let you decide them. So here's what happened. The B-Sides Edmonton Conference, September 2018. The first day the CISO of Service Alberta, who owns the government of Alberta's IP blocks, said, we scan and fix problems all the time in our IP space during a panel. I'm sitting in the audience, I get on my phone, I look at Shodan and I'm like, no you're not. Because I'm seeing all sorts of stuff that should definitely not be there in their IP space. I added some slides to my talk the next day and a few selected examples. Screenshots of administrative pages without passwords for printers, lists of the Shodan entries for servers that had 50 plus vulnerabilities listed. Didn't redact the IPs or any other information.
I'm like, this is already public, this is out here. This is what I found. Why are you saying that you're fixing these things when I can find this on my phone? There's an End of Life Novell server, Twonky Media server with a bunch of pirated movies on it. Again, I did this in like two minutes. I spoke to the CISO that day and sent him a message that night that I was going to use some of these as examples in my talk. He responded positively saying that, yeah, we don't want anybody getting in trouble for pointing out something that's already on Shodan. Gave my presentation, had these slides, called out his comments. At no time did I disclose who my employer was, I was operating as a private citizen as far as I was concerned, or as I thought the public was concerned. Sent a complete list of the issues that I had listed as well as others I had found to the CISO two days later. Had lunch with him a week later. Everything seemed cool. He was like, yeah, you ruffled some feathers, but we're getting stuff fixed. Thanks, you're making things better. Cool. Posted the slides to the local security community Slack. One of the employees had asked for that, this was an employee of the government of Alberta, at Service Alberta. And he was gonna pass this up to his superiors because they were curious what was in the slides so they could, you know, I wanted to be transparent. So I gave them to this knowing who it was and where it would go. That's fine. Returned from DerbyCon and was effectively immediately fired. The vague allusions to violating confidentiality, they briefly mentioned like a presentation. It was literally one of those, well, you know what you did. No, really, I didn't, like, you let me stay here for a month after that and everything seemed cool. Like, what the heck, what happened? Engaged a labor lawyer to know my options, you know, deal with the legal stuff. At one point, we inquired as to why I got fired.
And the response from ATB's legal department was filled with demonstrable inaccuracies. Things like that I had used some private data source or something, that privileged data source for this. I'm like, no, it's Shodan. You want the links right now? There was just a lot of things that was like, okay, some things, yes, may have pushed a line but you're accusing me of things. So the whole story that they had was muddied. You know, operating as a private citizen, not as an employee of the bank. So I started FOIP requests, freedom of information requests. The CISO in their communications confirmed I was operating as a private citizen and not as an ATB employee because I talked to him, you know, I mentioned that, you know, I work for this bank and everything, he, you know, it was brought into the conversation, but it was a case of, oh, by the way, yeah, he works for ATB, but that's not how he was operating. So even he had my back in this case. Their concern was that I was airing their dirty laundry and were concerned that I work for ATB and was, you know, maybe I was going rogue or something, I don't know, it was lots of redactions. The now current CISO referred to me as a psycho at one point, which was fun, but no one denied that the vulnerabilities existed. They were just more concerned with the fact that, you know, as I say, airing their dirty laundry. February 2019, I finally had a meeting with my ex-managers after much negotiation and the Chief Security Officer at ATB. While I could counter the factual inaccuracies of what legal had sent, ultimately it came down to violation of code of conduct. Part of the code of conduct says, communicate and act in a way that does not embarrass yourself or ATB both during and after work hours. Do they know me? Like did they research me at all before they hired me? Like, if you trip and fall on the street and I laugh at you, that's embarrassing.
Does that mean you now have to fire yourself, like it's such a subjective thing that you could spend the entire weekend arguing, you know, the semantics of this, but ultimately that's what they got me on, was that they did not like what I did, therefore let me go, and legally they could, which is unfortunate for me, but I can't blame them. The biggest problem was that because ATB was owned by the government of Alberta. Yes it is, I don't know that. Even though I was operating in a private capacity, they thought I had the potential to cause serious harm in our relationship with the owner, according to the legal letter I got. I failed to see what harm that could be. Again, it was surprising to hear all this. Basically someone at government of Alberta had communicated to ATB management that they had concerns about this presentation and my actions. The CSO confirmed that I, confirmed to me, and I had no reason to not believe him, that no one told him, you know, fire his ass or anything, that it was ultimately his decision and one that he felt was appropriate for what happened. All the data was public, confidentiality was not broken. They have, the government of Alberta has no official vulnerability reporting mechanism. There is no email address or way to report a vulnerability. Again, operating as a private citizen, I had gotten permission from the Service Alberta CISO to present the information. I thought I had covered my bases. That's where I screwed up. So Service Alberta is a department that is listed as the owner of the IP blocks. The problem is Service Alberta allocates them to the different ministries, agencies, you know, et cetera. There is no overarching government structure to oversee any of this. Everyone is their own silo. They all do their own thing. There are some vague standards they have to adhere to, but they don't, there's no one watching. There's no one watching.
I had permission from the CISO of Service Alberta to talk about stuff that was Service Alberta, but he had zero authority to give me permission to speak about anything else I had found and there's no way to tell where those lines are in the IP space. So the service, the server that had 50 plus CVEs listed in Shodan actually belonged to the Ministry of Justice and you can expect they're gonna have a lot of lawyers and be kind of pissed off. But since I had time on my hands, I wanna say how bad the problem was. Sitting down with Shodan, the end result was 176 IPs, 3200 vulnerabilities within their IP space alone. That's not with stuff that was third party hosted or other sites outside of that net block. We're talking root passwords and files, the admin consoles for F5s, publicly facing, one server, the record was 122 CVEs on one server. And this is just with Shodan and Nmap, basic tools, like nothing weird. In short, their IP space is a shit show. All right, anybody can go in and look and see this. Like this is not a secret, this is not confidential information. I wanted to get it fixed still. I had been fired, I had been traumatized, I couldn't let it go. I needed to know that I had made things better and that there was something good coming out of all of this. Contacted the CISO's office, there was no central authority. Several oversight departments within the government of Alberta engaged. Even they were having trouble wrapping their brains around it. They were thinking I was like vexatious, they always trying to be vengeful or something like that. I'm like, no, just here's the information, here's what it means, fix this stuff. Like I'm not trying to get a job back or anything like that, I'm just trying to get, do the right thing here. It took its sweet time, moved at the speed of government. You know, as these things do. March 2019, I was sent a letter from the Ministry of Service Alberta acknowledging the findings finally. So it's like, yes, I'm not crazy.
They actually acknowledged that there are problems. They directed me to continue sending any reports to the CISO's office at Service Alberta. Their own standards say, high risk vulnerabilities will be fixed in 30 days. Okay. I got this letter and that started the clock for me. You now know about it, you've acknowledged you know about it, now you should start fixing things. Three weeks into this, I'm in LA. I'm not seeing any changes in this IP space. So, sent a message to my friend that works for the government and he calls the CISO's office and basically repeats what I had said to him, which was, hey, your standard says 30 days, that's coming next week. We have an election coming up. You know, please fix this. Because we were having a provincial election in just over a week. And there's a lot of concerns about election security lately for various reasons. And he called their office and spoke to someone there and passed along the message. They called the cops on me. Apparently I made threats and I'm walking along the beach in LA and just laughing my ass off at this because the cop phoned me and says, oh, can you come in for an interview? Or can we visit you? Well, if you come and visit me, you better book a ticket. You know, I'm currently in LA and they're like, are you coming back? Yes. Cops have read the communications and basically said, there's nothing here. But there's an official complaint. You know, we have to investigate. They wanted me to come to police HQ. No, not happening. They wanted to come to my home. I have a doormat that says come back with a warrant. That ain't happening either. You know, they kept saying, oh, don't worry, we're not gonna arrest you. Don't worry. I'm like, well, cops are allowed to lie. Your words mean nothing. Sorry. So figured neutral ground. Met at a coffee shop. I mean, walked them through all the data, showed them communications I'd had with the ministry. He said, hey, I've been working this, I've been trying to get them to fix this stuff.
You're Albertans too. You've got information in these systems. You know, your butt's on the line too. And as citizens, they were very thankful for this. Unbeknownst to them, my girlfriend here, Circuit Swan, was two tables away listening to all of this and sitting on a dead man's switch that if things had gone sideways and they arrested me and everything, everything would have gone public. Thankfully, that wasn't needed. They were actually very professional, very good. Their good cop, bad cop routine needs a lot of work. It was, she said, oh yeah. Because they had nothing to hit me with, it was funny. And the funny part is after talking with the cops, their deficit of skills in like, them not knowing what Shodan was or how I was determining all this stuff, I think I'm gonna be teaching them classes here soon. I told them to pass along to the CISO's office that this was ridiculous and that we need to bury the hatchet so it's like colony. Two days later, the new CISO did reach out, met for coffee. This is the guy that called me Psycho, by the way. We met for coffee, got on the same page because everyone was just knee jerking and assuming I was doing something malevolent. Talking with him, I'm like, I gave you all this information, I didn't ask for anything. I've given away any leverage I have. How am I doing anything bad? I'm like, yes, I could go to the media or something like that, but then shit's gonna hit the fan and these things are probably going to be exploited. Don't want that. So, GoA's reaction in response to my pointing out the emperor had no clothes, got me fired, caused ambiguous reasons to be given why I was fired and very well could have destroyed me mentally. Potential damage to reputation, career path because I violated confidentiality when I have evidence I didn't. And this was only after finding like a half a dozen little things and putting them in a slide at a small BSides conference.
They suddenly gave me a lot of time and I realized how big the problem is and made their life worse in a way they paid that on. Continuing to fight to report, get my reporting to them, calls to action, like saying, guys, come on, like my information's in these systems, your information's in these systems, let's secure this. I had every reason not to want to help them. I think we were all in agreement with that one that I had every reason to be pissed. But I didn't, I kept going with this. Eventually, after they called the cops on me and everything like that, it's like I get the feeling somebody there doesn't like me. My patience may run out one day but I haven't hit that yet and I see no reason why it's going to. I sleep very well at night knowing that I've made things better because as a direct result, they are overhauling all their governance of IT security. They've created a task force to specifically go through the list of things I found. They've been given, that task force has been given the power to make fixes like, no, you will not, you will stop whatever project you're on and you will fix this now level. I became the stick that they needed to get other security initiatives going because I was now, the flying there, when I was the thorn in their side, that they needed internally because there are good people there that were trying to do the right thing but they couldn't get the political weight behind them. Now they could. It's improving. They've fixed a lot of these things. Some ministries are faster than others. A lot of ministries apparently don't have dedicated staff for such incidents or for dealing with these sort of things. There's a lot of ass covering that seems to be occurring but that happens everywhere. So in the end, me being fired actually made things a hell of a lot better. Not because I got fired but because I suddenly had reason to dig, to want to make things even better. So silver lining.
So there's a lot of issues with disclosure of vulnerabilities nowadays that I, speaking as myself, have a problem with. It's fraught with so many dangers. We need something like whistleblower laws. My biggest problem was everybody said, oh, well you could have reported this through a whistleblower or something like, no, that's if you work for the company and if I've been wanting to, if I found a vulnerability within the bank and wanted to report it or something like that, yes, the whistleblower statutes would have covered me but even though we were owned by the government, I had no standing because we were an arm's-length crown corporation. I had no standing to report these things to the government and get the whistleblower protection. So as a member of the public, if you go up and say, hey, your fly's down and they take exception to that, well, you have no recourse. That's scary. We need something in the books to prevent retaliation against members of the public who are reporting things with positive intentions and goodwill because companies and governments can retaliate all they want against the public. There's no protections right now. If you see something say something, you know, the New York police department's catchphrase after 9-11, you kind of stop and think twice about saying anything if you know that, well, if you piss off the wrong person or killed the wrong golden goose, you know, because if somebody's perhaps doing something shady and embezzling or some sort of fraud or something like that, you pointing out, hey, this vulnerability exists could potentially cost them a lot of money. They're gonna get really pissed. And if they're in a position of power, you've got no recourse. We're all, we are worse for it. We all see the same problem and don't speak up. There's so many people I've talked to that have seen these things. 
It's like, yeah, you know, company ABC, yeah, I know about this vulnerability and this thing and that, but like they're, they got lawyers, they're scary. I'm not gonna say a thing. And you hear that from like a whole bunch of people that all know the same thing, but they've never compared notes. Nothing's gonna get fixed because everybody's running around scared. We need to take that fear out of disclosure. My suggestions, again, whistleblower protections for those, you know, doing good faith work for the greater good, prevent, you know, SLAPP suits, which is strategic lawsuit against public participation, usually used against, you know, suing some group into oblivion just to keep them busy so they can't campaign against you or cause problems. There should be critical infrastructure reporting mechanisms at every city, state, country level. That if, yeah, if you, if you call it critical infrastructure and I can be charged, you know, in addition, you know, because it's critical infrastructure, you should have a way of doing things and reporting things properly. You know, meet me halfway here. You know, you may not want me poking at it, but if I do find something, let me find, you know, let me report it, let me do the right thing and you hold up your hand and actually fix the damn thing. I'm doing free work for you. There's a group of us here, this year called the Loli Hacker Collective. Loli Hacker Collective. Oh, yes. Isn't that a, actually more, you know, a lonely collective. So this is a group that we call the Loli Hacker Collective, all of us individuals who are coming to Vegas who we can come out of other people. It's called LHC and during, we have a Telegram group here going on. Okay, cool, huh? Do you know what we found accidentally on this group? We found from CERN. Does anyone know what CERN is? Yeah, we found one of the nuclear cyclotrons on the internet, publicly, no creds. You just logged in, do whatever you want. 
We actually figured it out from the ASN who actually the owner was. We contacted them four hours later, it was offline. So, example, what you're exactly talking about. No, this is good. Yeah, but it's like four hours. Yeah, and that's the thing is that you had to look up the ASN and everything and figure out the answer. Why wasn't there a security.txt file on their webpage, for instance, or something? Yes? Yeah, so in the United States, critical infrastructure does, and I don't know how it works for each one, but you can go to National ISAC, ISAC. National ISAC has all the various sectors of critical infrastructure and that's the way that they communicate vulnerabilities back and forth. Having, trying to report all the airport stuff I found was difficult because most of those groups are very closed. You have to be in industry or have some reason to be there. As a member of the public, I can't just wander in and say, hey guys, shit's on fire. So the FTC is gonna, isn't FTC here today? Yeah, they're on. That should be something that should be poked in the eye with. That's me. Oh. Don't poke her in the eye. Oh, that was easy. So. Would you like to come up? Yeah. My name is Eareem. My name is Eareem. I'm a Fed. I work at the Federal Trade Commission. I was the one who hooded for you what you're saying is really important. By the blood, sweat, and tears of a lot of people who will be here, like Eric Mill and other security folks in the federal government. We recently published a standard for federal agencies to have a way for disclosures to be submitted. My agency is still not doing it. So when you talked about the people inside who are like trying, I'm not on the security team. I just give a shit about it. So when you say people on the inside need fuel to be able to fix things, it's really, really important. So I slap people in the face with white papers but your advocacy is awesome. Poke me in the eye later. I'll be here having a coffee. 
I'm very happy to talk about what's fucked up in government. That's awesome. That was easy. Emani, we found another one of the speakers. Have you heard from Andrea yet? So Andrea, the organizer of the afternoon portion of this is still MIA. She did get her three badges, though. What? I had the floor on that floor and I can't. All right, what do you think? It's a hard time. She's got 20 minutes to show up. I've got like one or two slides here and then we can get discussion going. Better training for law enforcement. When I'm having to explain what I'm doing and why it's not illegal or dangerous and stuff like that, that was funny yet embarrassing. So law enforcement needs to know and be that. Specifically the people supposed to be working with IT. Yeah, these were the cybersecurity, the cyber cops basically. They work with their IT department and everything and has to go to the cops' IT department to ask, okay, so what is this thing this guy's charged with? What the hell did he do? Okay, I think we need to put a little more money into training here. Someone needs to get fired once in a while. Not in the case of me for reporting, but for like, if we've all seen them, some person that just is the problem that just, a head needs to roll once in a while. Keeps these people on their toes. So my suggestions, if you're ever doing disclosure, just in general, document the hell out of everything. Save copies of emails, all communications, even if like record phone calls if you can, if it's legal, do it by texts. Be professional and proper in all communications, notes, everything. Yeah, okay, there's some communications that came up in the swipe stuff that I'm looking back. I'm like, okay, I didn't help myself there because I just got a glab or, you know. Get it in writing. Employer agreements on public speaking. Like get something from them that says, we want to vet all your talks or not because it was some ambiguity with my case where they'd never asked to see any of my talks. 
They would just ask like, oh, what's that about? But they took great exception and said that, oh, we have this policy with you that you would, we would vet your talks and then if you'd followed that, this would have been avoided. I'm like, no, we had never done that before. Suddenly saying you're gonna do it now. Yeah, didn't seem right. If you do security research, possibly get a lawyer on retainer. I'm looking into this of just having somebody to phone when I have a question of like, where's the line? But also when somebody comes back at you and freaking out at you, you can just say, talk to my lawyer. Which will often shut them up because they may not want to spend the money on a lawyer but it puts you on a much more even playing field with them. Be friendly with the media. Collect business cards, there's media around here. You don't have to give them anything ever but just keep those communication channels open and have that as a nuclear option. In my case, the cops, their only major concern seemed to be that if I started tweeting everything out, with links to like the CVEs, which may or may not include like a link to the vulnerability, it became an issue of how many steps it was before you could get to put the vulnerability with the IP address. So if it was three clicks, it was allowed but two was too much. So I couldn't link to the vulnerability directly in a tweet with the IP address but I could link to a page that linked to it. This is why you need lawyers. And know local laws about incitement to commit a crime because that's what they were saying was, if I started going to Twitter, am I inducing, am I aiding somebody on to commit a crime? In the end, I wouldn't change much about what I did. If there was some single thing I could have changed to not get fired and not but still make the point I wanted to, I would. Change some phrasing, but you still have to hold truth to power. 
Sometimes, lighting a fire under the powers that be requires you to light the powers that be on fire. I found a nasty problem, it's getting fixed for the better. Got through the emotional stuff with my friends, the hacker family, good community out here. I got a better job, better pay, better boss. And six months of unemployment actually gave me a lot of time to get my own shit together. Lots of little life things that pile up that you needed to do. It was... The house is clean. The house is clean, she says. My personal morals and ethics are intact and also my integrity. So, disclose at your own risk. I've had many, many successes, one very spectacular failure. Just in general, never use me as a role model for anything. Feel free to ask questions. I've got documentation on all this, but if this story can help make a point to somebody else to make it better change, to make things better, feel free. Do what allows you to keep your head high. People could say, well, it's not your responsibility, it's not your job, you shouldn't have to worry about that. If you feel worried about it, do something about it. Fight, never give up pushing back when you know you're right. But also cover your ass. Read the fine print, know what you're getting into. Feel free to ask for help. EFF is a wonderful resource I've had to use there a couple of times on talks just to make sure I don't cross any lines because nobody should have to go through this crap like I did, but anyways, thank you. And I guess we'll have some questions and discussions. How are we on time? Well, I mean, there's time, but I think that, you know, your talk was slated for an hour. You said two. No, it was an hour talk and then an hour discussion, but we kind of mixed everything in, so you've got until two. Okay. Or one. One. You've been up 15 minutes. So any questions? Well, he extricates himself from the row there. And did Andrea show up yet? No? Bealer, bealer, bealer. Yeah. 
So I got two pieces of advice a bit later than I wish I had gotten them. The first one was no free speech until financial independence. And the second one was I read a script writer in Hollywood who reviews scripts for a living. And when he walks out of a movie with a friend and the friend says, hey, what'd you think of the script? His answer is, I don't work on spec. What do you think of these? Everybody's got to get paid. Like it's doing things for the money. Yeah. If somebody's paying you to do it, do it, you know, by day I do penetration testing, you know, IoT stuff. But this other stuff, like I said, something that you just face plant in, you don't even try and it pops up in front of your face. A lot of you in this room are probably familiar with this thing of you'll walk into a room and you'll see something that a hundred people have walked past that's wrong. Like you'll see a lock that's undone or some other problem. This is that thing in my head that I can't let go. I see a problem. I want to understand the problem. I want to fix the problem. Yeah, I could be offering my services or, you know, making myself for hire to these companies but then you're suddenly getting into weird issues with, you know, at what point is it blackmail or extortion if you say, well, I could help you fix this. Do you think that there may have been a way for you to somehow make the government of Alberta cognizant of their issues and get paid that you didn't take advantage of? Like maybe going to a season of polls? I became a political hot potato that the whole team they were running to fix this stuff. I would have been wonderful handling them and working with them. But yeah, it's that whole thing of politically there's no way this guy like, you know, was the problem. We got him fired. Could you ever trust him? So it's one of those things. I don't worry about the money. I worry about the lives because a life is worth nothing and everything. 
So I was just curious because first of all, thank you for sharing your story like in depth and very personal. Thank you. That was really good. So I'm curious, I mean, with so many of us who are obviously concerned about different aspects of this, is there not something out there that's like what I might characterize as a safe harbor as a service? And if not, like even on an international level could we, we're the ones who are interested, we're the folks who are talking to each other, we have the knowledge, we have the desire, we have the impetus. Can we not get that going? There's, the thing I heard about was exploits in escrow or something like that. It was the idea that you, a third party, you know, handles the anonymous intake of a report, passes it off and there's enough layers of obfuscation and legal that they can't figure out who. Problem is when you report something that it's like only you would have noticed, it would have known because, you know, that's your job or whatever, or it's like, you know, you're the only one that's ever connected to that. You know, your IP address is in its logs. All that obfuscation and anonymity goes out the window. You know, you can't, it still would help if there was like, you know, legal representation and such like, I honestly think that some of the best value you could get out of like US-CERT or CCIRC or something like that is to just take a class of interns doing computer security training, sit them down with a Shodan account and a phone and just have them make courtesy calls. If somebody phones up and says, hey, I'm with, you know, a government agency, you've got an insecure thing here, you might wanna fix that. You are gonna get so much action and positive, you know, things being fixed from that because the thing is these agencies are sitting there nagging these companies, you know, fix your shit, fix your shit, patch your shit. But until somebody actually points out, hey, you haven't actually patched that. 
You know, you have to point to them and tell them what to patch. And then when you point to one thing, you see another and another and another. And then the scale of the problem becomes apparent and then the company is like, okay, maybe we actually need to get our shit together. That for me, you would need a hell of a group to share enough vulnerabilities and direct things. I mean, you could do it as sort of like a mixmaster kind of thing where it's like all the vulnerabilities in, they all go out, nobody takes the same path twice kind of thing, but just getting the information out there. Yeah. Cool. First of all, I wanted to say like your experience, what happened to you, is like so interesting because thankfully it sort of ended on a good note and I'm making air quotes here because retaliation is real. And I'll do like a short story. Eight years ago, I'm from Venezuela. Eight years ago, I did a, I had noticed some patterns on social media from the Venezuelan government getting help from other governments and Twitter and Facebook and Wikipedia and stuff for the 2012 elections. And I ran a study and I presented this on a conference in DC in 2012. The moment I got back, shit hit the fan and I started getting threatening phone calls and my car got busted into, my passport was having issues and I had to like GTF out of there. Thankfully I'm now here in America but like retaliation is real. And thankfully in Canada that did not happen to you. So like I guess maybe part of the question or a question would be are there any laws or anything that says, because you were essentially pointing out cracks in the dam. Like, hey, there are cracks on this dam or on the foundation of this school. Like this could fall down and topple over. And like, if it's on. The example I use is the emperor has no clothes. Yeah. The emperor's pride is so great that he doesn't want to be thought of as a fool. So he claims to have seen this magnificent fabric that doesn't exist. 
Goes strutting around in these new wonderful clothes. Everyone's like, oh, these clothes are wonderful. Oh, yeah, everything's fine. Everything's secure. Little kid goes, I can see your doodle. And then the whole thing falls apart. Yeah. And, you know, at the end of the story, he walks back to the palace in shame, realizing he got duped and, you know, he's going to have to deal with that. He doesn't shoot the kid. Exactly. That's effectively how it felt to me was that in the real world, they shoot the kid and then everybody else is like, oh, I see nothing. Yeah. And that needs to stop. We need to have when a company does something egregiously bad, not like so incredibly stupid and like forgets the basics, forgets human decency of like, you know, don't post your PII publicly. Like put a password on your Amazon bucket. Like, oh, damn that. Every week, there's another one. Yeah. Like, something should just be like, OK, that's like fish to the head level. Like, we're going to take you out in the public pillory and just like start making up your fine is going to be partially the sales from all the rotten vegetables to the townsfolk. Yeah. It's crazy. Thank you. All right. Oh, one more. Just about good here. When does anonymous drops actually set it come into place? When does it ethical to bring in anonymous discussions like that? If you think that there's not a way it would necessarily be traced back to you directly, because sometimes, like I said, there's things that it's like, blatantly obvious who, because you tried to report it before and hit a wall. But if they go back and look, you say, oh, well, I tried to report it before it must be him. If there's enough abstraction, like there's been stuff I found just very tangentially from other work I was doing, that it's like, like I said, the courtesy call. I tried. I reported. Here's I sent an email. I made a phone call. I tried. How much you have to follow, it depends on the issue. 
Some of it could be really minor stuff. Like, hey, your webcam or whatever is publicly facing, it's looking at the lunch room in the office, but I can see like corporate logo on the wall or something like that and know where it is. Really, hey, your employees might not like that just saying, but you don't necessarily need to follow up or doing so anonymously is fine. But oftentimes they won't take that seriously. It'll get filtered. So again, having done this a lot, having a reputation, having a reliability of it, of actually reporting something and not publicly disclosing until it's fixed, meant that people were willing to listen. They weren't just willing to dismiss or, you know, that was called lawyers. Back. Would you advise using strong anonymity protections from the very beginning of the research process and then making the hard decision about whether to expose your identity? Strong anonymity protections. Instead of doing security research for your IP, use for it, just whenever you do anything, it's a matter of practice. So that you don't have that incident, you're the only IP to vote something. Yeah, so you talk about obviously, well, so much of the stuff that I find I never intended to. I wasn't part of a project or anything like that for work or whatever. It was the, huh, I wonder. And it's like, oh, that's interesting. That's not the IP space I was looking at. But what's this? Oh, shit. Now, great. Now I got another one. One more? One minute. Right, one minute. If I have anything for render man, thank you for running.