I'm Bruce Schneier. Thank you. Are there any questions? I'm serious. Look, if there are no questions, you're all going to get to go early. Hey, question over there? Oh. We can do this.

So fundamentally you've got two dynamics going on. You've got the first dynamic, which is, you know, good, cheap and fast, pick any two. So you're still going to have that problem. The other thing you have, and that's what makes Vegas interesting, is that a lot of Vegas is subsidized by gamblers. Go to places that want to have gamblers. That's where they're going to get the food cheap, because gamblers are subsidizing it. This is a very weird economy here, because stuff tends not to be normally priced. I gave a talk a long time ago on hacking Las Vegas, and one of the ways to hack Vegas, actually one of your best bets for value (bets is a bad word), is a sports book. Because you can go to one of those sports book rooms, bet on a football game, and basically drink for free for a couple of hours, because the turnover is so low. So for Vegas: one, the best way to win is not to play. Two, if you're going to play and you want free drinks and to play cheap, the sports book is good. And three, if you want to play and know you're going to lose and have fun, my advice has always been the craps table, because unlike any other game, you're all in it together. You all win together, you all lose together. The pass line is one of the lowest house edges on the casino floor. Ignore all those other bets; they're scary, they're bad. Enough math. So those are the places to go. You want good food at a reasonable price, you want to go to places that incent people to come. The secondary casinos are desperate for people. The top casinos don't need to offer discounts. Odd question, but I'll take it.

Hi Bruce, my name is Damian.
Hi, I was hoping you could talk about the advancements by NIST and quantum computing and the risk to public key cryptography.

All right, quantum computing is interesting. Quantum computing is largely theoretical, right? We have a quantum computer we've built that factors 15, I believe. And maybe it's a little bit bigger now. But there's a sort of theoretical way of doing computing that's non-Newtonian, where things happen in parallel. And the question you ask me is, what the hell good is a quantum computer for? It's not actually good for a lot. But it turns out that the easiest thing a quantum computer can do is factor large numbers. And the second easiest thing it can do is discrete log problems. So basically a quantum computer is a public key cryptography killer. That's its core application. Against everything else, it's hard to tell what it can do. At a theoretical level, the maximum it can do is decrease the complexity of any computation by a factor of a square root. Effectively, that means in symmetric cryptography halving the key. All right, so if you have a 128-bit key that's secure against all computers, which it is, and someone invents a quantum computer, you need a 256-bit key to get the same level of security. So against symmetric cryptography, quantum computers are not an issue. It's really easy to double a key length. Against public key cryptography, it is a huge big deal, because it can make our basic public key algorithms obsolete. It can make factoring easy. It can make it linear. Now, things aren't all bad. There are a number of public key algorithms that use coding theory. Some of them date back to the 70s and 80s, with a little work in the 90s. Largely, they're only done by coding theorists, and we cryptographers ignore them because they're so obscure and so inefficient compared to RSA or Diffie-Hellman that we don't need them. But they do exist, and they would be secure against quantum computation as far as we know today.
So when you look at quantum computers, looking into the science fiction future, it does have the potential of changing things, but not all that much. It doesn't make secrecy go away. It doesn't make cryptography go away. It doesn't even make public key cryptography go away. It makes certain algorithms go away, and it makes certain algorithms insecure. And I think quantum computing is great. I love the theory. But is it going to be practical in our lifetimes? It's hard to know. Right now there are some very, very severe limitations, like making the I/O work. But we're really good at this. This is now turning into engineering. When we come back here in 10 years, there might be a quantum computing room at DEF CON. That'd be kind of fun.

I'm a college professor from Canada, and I teach a survey course in security to first-year software engineering students. I use a lot of DEF CON videos and a lot of the expert content, because they're not overly technical at this point. What advice would you have for me to try and communicate to the students, and what advice would you give to them, seeing that they'll probably be seeing this talk on video in about six months?

Interesting. I think hackers are an extremely valuable part of society. And I wrote an essay some years ago on the mindset of hacking. And I wonder if it's something that can be taught. You can teach domain expertise. I can teach networking. I can teach lock picking. I can teach how airline security works. But the mindset of looking at systems in that certain sideways way, I think, is almost innate. The example I always love to use: have you heard of Uncle Milton's ant farm? It still exists. It was around when I was a kid. It's this little plastic, narrow thing, and you fill it with sand and you put ants in it and you watch them dig tunnels. It's kind of cool.
When you buy Uncle Milton's ant farm, which you can at any hobby store, it doesn't come with ants, because that would be kind of weird. It comes with a little certificate that you mail in to the company, and they send you a tube of ants. So the normal person looks at this and says, whoa, I can get a tube of ants. I look at this and say, I can send a tube of ants to anybody I want. What a great country. And that's thinking like a hacker thinks. How can I take this system and make it do something that it's not supposed to do, that it's not intended to do, that the creators didn't envision it to do? And I think this is something you walk around the world doing. And I remember when I was a kid going into a voting booth with my mother, and I'm yay tall, and I'm looking around and saying, I could cheat this machine. You don't have to do it, but you have to think that way. So I like exercises that flex that muscle. Yoshi Kohno teaches a course in hacking at the University of Washington. And he has his students kind of keep a blog together on hacking systems. And one of them writes a post on what it's like to return a car to Avis and the ways you can hack that. And someone else is looking at some other random commerce system. And it almost doesn't matter what. How can you get more food at the Thanksgiving dinner table? You're supposed to just think about how systems work, how they fail, how they can be made to fail. And all else is domain expertise. All else, and that's going to change. I mean, the talks we're seeing here at DEF CON this year are not the same types of talks we saw 15, 20 years ago. The world's changing, but that way of thinking doesn't change. The badges get weirder, but it's all about... and the badges started out as a little arms race between people who wanted to forge the badges and people who didn't want the badges forged. Now they've kind of taken on a life of their own.
So I've written a couple of essays on this, and I sort of urge you to look at them and give them to your students. But thinking like a hacker is a valuable tool for all of life, not just for hacking. Advertising is hacking. Politics is hacking. How can I subvert the system for my personal gain? And looking at how to do that, I think, is interesting. All right.

So, as an aside, people who ask questions, you might notice you're being given an envelope. The envelope has my initials on it and has a number on it. Those of you who have one, save it; it will become valuable later. Those of you who don't might want to ask a question.

I want to hear your thoughts on the TSA pat-down process and the potential for it to make us less safe. I'll give you a quick example. So when I opt out, I don't go through any scanner, not even a metal detector, and I'm walked past already pre-screened flyers or passengers. So there's a potential that I could drop something off or pass something off to an accomplice at that point, because the line is grey between cleared and non-cleared passengers. And then once they pat me down, they often don't check the bottom of my feet and some other areas.

It's funny, I've noticed this too; I know people have. Right now when you go through the full body scanners, you're allowed to opt out. And I really recommend you all opt out. Not because the radiation is going to kill you, but because if we don't exercise our rights to opt out, we lose them. And I opt out, and I opt not to have a private room. You can do this to me in public so people can watch. And he raises a really interesting point that I've noticed. So the way this works is you stand in front of the machine and the guy says go through and you say, opt out. And I've been told, it's never happened to me, that sometimes they ask you why and try to convince you to do it. They would never do that to me. They just say, okay.
And they go into the little microphone and say, opt-out, male. And then some guy comes and pats me down. And he's right. They don't send me through the metal detector. They take me around both machines, the full body scanner and the metal detector, and do a manual pat-down, which, as any of you in law enforcement know, is kind of a joke. Because any pat-down that is not personally embarrassing is actually not very effective. And I have asked TSA people and not gotten a good answer: why, when someone opts out, don't you send them through the metal detector and then pat them down? The metal detector is right there. It's being used. They're shunting people to A or B. And I don't have a good answer. And I think that does make you a lot less safe, because it's really easy to send something through a pat-down. The pass-off scenario I think is going to be less likely. You've got to rely on getting lucky and things moving at the right speed. And if you get it wrong, now you've got the thing in your hand, and that's kind of awkward. But in general, I kind of think these measures are in the noise. I think you always see it. We had a newspaper story this week about some 13-year-old who got on a plane without a passport and without going through security, in Scotland or something. Those things don't really bother me, because you can't build a plot around them, because they're not reliable. Right now we know that, I mean, we don't know the numbers, the TSA doesn't report them, but some percentage of guns get through airport security. They run tests, and airport security fails to catch some percentage of guns and some large percentage of knives. In a sense that's okay, because you can't build a plot. Now compare a gun to a bottle of water. If the TSA agent catches you with a gun, he's going to call the FBI, and at the very least he's going to ruin your day.
If the TSA agent catches you with a bottle of water, he tosses it in the trash and you go right through. What that means is, even a reasonably good percentage of gun detection is enough to foil a gun plot, but anything less than a hundred percent perfect water detection is useless, because you can keep trying until you get in. There's no penalty for failure in the water case, as opposed to the gun case. So I definitely agree with you that it's a very weird TSA procedure to not send you through the metal detector when you opt for a pat-down. But I'm not that concerned about it, because of the dynamics of the whole system. Hope I answered that question. That's actually an interesting one.

Hi, Austin Holt. We met earlier.

Hey. I got here earlier. I don't know if you were in the audience. We were going to do, like, no talks but just pictures. But that doesn't scale as well as this does.

I've got a question about application security. So when we have commercial software or any type of product, I think it's important not to blindly trust the developer's claims that it works the way it's intended. They claim it to work for access control, any of the security functionality. The current way that's being done internationally is there are security evaluations that can be done on the software. The Common Criteria is the current international standard. OWASP has the Application Security Verification Standard. My specific question is more about the international standard that's used today, Common Criteria between countries. Do you have any recommendations on how to improve the current system and make it better? I don't know. What are your thoughts?

I think it's becoming worse. I think you said something very wrong in the beginning. You said that we're taught not to trust things and not to trust manufacturers' claims. We're stuck doing that. We actually have no choice but to trust manufacturers' claims.
When I started doing cryptography, I had some vision that we as a community, or as individuals, would analyze code ourselves and make sure it works. I've never done that. Ever. Sometimes there are claims I trust more. I mean, I know the people who wrote PGP, and I tend to trust it more. But generally, operating systems, code, even security code, we have no choice but to trust the claims of vendors, of writers. I write something called Password Safe. I mean, I used to write it; now it's being written by Rony Shapiro, a hacker in Israel. I'm trusting him. You're trusting him. You're trusting me. We're all trusting each other. As soon as society gets specialized, at a very real level we have no choice but to trust each other. It's what my latest book is about. I'm going to drink that bottle of water, and I'm going to trust that it's not poisoned, even though it's been opened. But I'm going to do it. And it's getting worse. In the beginning, like the way beginning, we built our own hardware. Then we bought hardware and wrote our own software. Then we bought software and wrote our own applications on top of it. Then we bought applications. Right now we're in the cloud. We don't actually own anything. We're trusting at such a huge level. My Gmail. Anyone have any freaking clue what operating system Facebook uses? Anybody care? We have to trust it. So one of the ways we trust things is through these standards. And the thought is that there is some independent verification or auditing. And so Common Criteria is a standard. There are ISO standards. There are NIST cryptography standards. And we look at a product or service and it has a bunch of buzzwords and we say, oh, those are good ones, and in a sense they're all sort of equally mediocre. Because all the standards ever do is secure the system against a known list of attacks. Yes, it does this; yes, it does that.
You can never have a standard of "is it secure." You can have a standard of "is it not insecure in this particular way." But then you look at new attacks, new ways of thinking, new threat models. So I like standards, but I don't get too wrapped up in which one. Because what a standard does is it forces the vendor to have someone else pay attention. And that's generally good. So I don't know if it matters that much. I'd like a better answer. This is actually a truly hard problem. But this is computer science. We can't even prove programs terminate, let alone that they're secure. All we can say is, and this isn't bad: I can't break it, and all those other smart people can't either. And they've tried for a month. But we don't know what happens if they try for two months. Now, you all know this. This is what hacking is about. And this is why a new person can go to an old problem and look at it in a new way and figure out a way in. Thank you.

Hi Bruce, my name is Pete. I have a couple of TSA-related questions. The first one is, it seems to me that forever the U.S. Congress has routinely exempted themselves from all the crap they pass on to us: taxes, insider trading, health care or whatever. But in this case they're being subjected to the TSA pat-downs. There's a lot of YouTube and other traffic about very bad scenarios with congressmen. And I'm wondering, is that indicative that there's a new gang taking over or something?

It's interesting. Pilots had this issue too. And Patrick Smith, who writes the Ask the Pilot column, was very vocal about, why are you screening pilots when they're controlling the airplanes? Aren't you not thinking this through? And I argue that actually he's not thinking it through, because the issue isn't screening pilots. The issue is screening people who have pilot IDs. So I have two choices.
I either build an entire subsystem on pilot ID verification, or I just freaking screen everybody. And I think the same kind of dynamic is working with Congress. I'm sure Obama doesn't get screened; he doesn't fly commercial. It's just that building in the exceptions was such a big thing, and they did airport security so fast. If this becomes institutionalized, then you'll see a fast lane. Right now we have the TSA PreCheck program. I'm sure all of Congress is in PreCheck. So those sorts of bypass-the-line systems only happen after something becomes institutionalized. When it first showed up, it was, we need to do this quickly. So you didn't have that. But it's an interesting point, because you're right, they do exempt themselves, and maybe it is that screening is just so quick. It's not like taxes, which really matter at some financial level, the way pat-downs don't.

Thank you. The other question is...

You don't get two envelopes, you know.

Oh, I'm sorry.

Hey, my name is Andrew. I had a couple of questions related to that age group of kids. I think we learned to get one of them. Well, I've got a 10- and a 14-year-old, and my brief story is, I sat down at my son's computer in the kitchen to check some news websites, and his Skype logs were open, and I see the message, "Don't run this file, Josh." And there's a message that says, "Oh Josh, while you were cleaning your room I wrote this little batch file that would open up terminal windows until your computer ran out of resources, so don't run it; you might not know how to stop it. When I got home I thought it was a bad idea, so I wanted to tell you, don't run this file."
So based on your research for Beyond Fear and your new book too, and what you know about self-regulating groups and how they self-enforce and things like that, I wondered if you'd comment on how that age group learns to be responsible with technology and things like that.

So I have long said that the internet is the biggest generation gap since rock and roll, and fundamentally the young people are the ones... I mean, in any generation gap the younger generation wins, because the old generation dies. And whenever you see things like "young people don't understand the internet," that's nonsense. They're the ones who are defining the internet. They're the ones who create the internet. They're the ones who figured out the old people who don't. So to me, young people have a much more intuitive grasp of the internet, of security, of the way things work, in ways that we don't and ways that scare us. Maybe think about the rock and roll generation gap. What were the old people saying? What were the big problems? It was drugs and sex and women forgetting their place and the death of marriage. They kind of pretty much nailed it, and that actually ended up being pretty good. So the young people tend to be right. The really good person, for anyone who has kids, especially teenagers: the ethnographer danah boyd. I truly recommend reading her stuff. She has a blog, she's written papers, and a number of her speeches are online, about how young people use the internet. I'm looking at this audience, and a lot of you guys know this, but your parents don't. And I think it really has got to go the other way. I go to a lot of computer security conferences where a bunch of industry people talk about how young people don't understand privacy. Do you forget? Young people care a lot about privacy, from their parents,
from their peers. Privacy is a huge deal when you're 16. People are still people, but the intuitions are different, because, and Richard Thieme talked about this an hour ago, people who were at his talk, the technology at which you come of age is the technology you find normal and the technology you're good at. This whole nonsense about child predators: kids know who the adults are who pretend to be kids. They're not fooled. It's the congressmen who are fooled.

Please. My question is, how do we secure those internet-based applications where authentication is critical, and what are your thoughts on cloud computing?

Well, the two answers are, one is we don't, and one is we do. We largely do. Internet banking works pretty much okay. It's not perfect; there are problems. But we're good at authenticating things where it does matter. Gaming works pretty much okay. If any of you work for big companies, you probably have some kind of secure access token that works pretty much okay. There's no magic bullet. Lots of ways we can do it better. We're always fighting usability. Nobody wants to put their thumb on a device. Nobody wants to learn to play Guitar Hero, if people followed that news story from last week on implicit passwords. People just want to do their thing. And it's getting worse, and cloud computing is a really good example of this. Instead of my data on my device, my data is out there somewhere. But this is the future. You're talking about young people again; they are used to getting their content on the closest available screen. That's at their house, at school, at their friend's house. That's the way it's supposed to work. People like it when they lose their iPhone; they get a new one, push a button, and all their stuff magically appears on it. And again, if you start interviewing teenagers, they kind of don't really
understand where their computer ends and that begins, because that boundary doesn't actually matter anymore. It's disappeared. And I think, actually I'll launch into this a little bit, I think one of the fundamental things going on in computing right now is this loss of control. We are losing control over the endpoints. I have no say in whether this updates or not, basically. I have a Kindle; it's even worse. I can't even write a file erasure program for this thing, because I can't get to the memory. So we're losing control of our endpoints, and we're losing control of our data. I run Eudora, but I'm a freak. Everyone else is on Gmail; their mail is on Google's servers. So suddenly my authentication, which was, I put this in my pocket and I'm the one who's touching it, basically, so I can get by with just a password, because the password plus the fact that I'm not going to lose it, or it's in my locked house, now becomes just a password. So you need more authentication. We're not getting it because of usability: people don't want it. And there are going to be a bunch of issues here. And the loss of control is a big deal in other ways. Data is being used. Third parties are getting access to it for advertising, for marketing, law enforcement. It goes across borders, and then suddenly the NSA gets it and it's in a computer in Utah. All these things are happening because giving up control is such a powerful consumer thing. People want that. My mother does not want her photos on her computer. She'll screw it up. She wants Flickr to have them. When her computer crashes, the photos are saved. It's a Christmas miracle. And this is unfortunately, and I think it's unfortunate, this is going to be a much harder future to secure, because security is about control. And I talked about trust. Now we have to trust all these entities, and you have no business relationship. Try calling Google customer service. Actually, Google has great customer
service. The problem is you're not customers. You might become a Google customer, an advertiser, and they have customer service all over the place. So we're seeing these non-business relationships, this loss of control, all of which forces more authentication, but you have the back-push of users not wanting it. Now, we've made some progress. The most common password is now "password1" instead of "password." But that took a decade, which means in 10 years it'll be "password1234" where the a is an at sign, because we're all speaking leet now. This stuff's hard. Please.

Good morning, Bruce. Yesterday General Alexander gave a presentation as far as building a better relationship between the hacker community and government agencies such as the NSA. I assume you didn't buy any of that, right? Well, he largely failed to address a lot of the issues with trust, which, as you know, is a huge factor as far as building these relationships. How do you see the relationship between agencies such as the NSA and the hacker community developing in the next 10...

I don't know, but it seems more like they lie to us and we buy it. I'm not impressed. I didn't go, but someone said there's an NSA recruiting booth in the dealers' area. Actually, the Enigma's cool; go see it. But someone told me, actually Richard Thieme told me this, that they have a list of attributes of the NSA on their signage, and one of them is transparency. Clearly we're inventing new meanings for words here, and too much of Alexander's talk was like that. The NSA needs hackers. I mean, the NSA were the original modern hackers. So they are going to be still a one-way conduit for information. They want everything we can do; they will give us nothing they can do. But this community is turning more and more legit. This is not the DEF CON of 15 years ago. It's really not. And so now you have a
place where, instead of Spot the Fed, the Fed now puts up a sign: we are the Fed, come visit us. And so, like the cryptography community, there is this information exchange that works one way. In the 1990s the NSA started coming to Crypto and Eurocrypt. Brian Snow was the first one to come, and he'd wear a badge that said NSA. Other people came, and they'd have a badge that said DoD, or Fort Meade, Maryland, or they would obscure who they were. They'd sit in the back and never ask questions. And presumably they learned a lot from the academic community, but they never gave a paper, they never presented anything. And that's the relationship now, because now the NSA realizes that so much of intelligence gathering is not crypto-related. It's computer security, it's network security, it's hacking, it's physical. So you're going to have this back and forth with no forth, and that is the way it will be. We're not going to ban them from coming, because I think that's wrong too. And they can always pretend they're from someplace else. But a lot more people here are legit than were 15 years ago. So I'll bet the NSA recruiting booth is pretty popular, and sometimes they have cool swag, actually. So it might be worth seeing what they've got. You probably can't take the Enigma machine, unless you're really fast and get a distractor, or maybe three of them.

So we should talk later.

That works. All right.

Thanks, Bruce. This builds on a couple of questions ago. With the Yahoo hacks and the hack of the week, whatever, that releases passwords and stuff, like you said, the passwords aren't getting that much better. And I see, when I try to talk to my less technical friends and relatives, that convincing them to do things like use different passwords on different sites and use more complex passwords and not click on that link from
the guy who swears he's your buddy, it just becomes so complicated for non-technical users that they just kind of give up and don't care about any of it. Do you have any suggestions or ideas on how to make that...

So I think this is a failure on our part. There's a whole lot in our industry of blaming the user: the user chose a bad password, he deserved to get it. I think we in the community are failing because we are expecting the users to choose good passwords, and they can't, for all the reasons you talked about. They're not going to. And I think it's our job in security to make security systems that work with actual users. Educating the users is a mistake. Think of automobiles. The first automobile was sold with a repair manual and a toolkit, but automobiles didn't really take off until my grandparents could buy one. Or in computers, until my mother got a computer. My mother is never going to do anything right. The only reason there's antivirus on her machine is I put it there. But that antivirus has to work magically without her knowing about it. I'd even want it actually upstream at her ISP. Why in the world does she get malware? Spam should be blocked at the ISP. So I want us to build better security systems anyway. And Microsoft actually has some really good work now being done on security dialogues, scary dialogues. The dialogue comes up and says, if you're a normal person, complicated technical gibberish, make this button go away, yes, no. That is a security warning to an average person. And whenever we do that, we are failing, unless we truly believe the user has a piece of information in order to decide which button to push, and we tell them. And Microsoft has really good work on this, where they're trying to use dialogues: here's a situation, here's what you know that we don't, here's why it matters, and here's what you should push depending on what information
you know. That's a good dialogue box, instead of: I'm the programmer, I have no idea what you should do, I'm going to give up and make the user decide, because then it's not my fault. So we need to get better. We need to get better at the psychology of security. We need to get better at user interface. We need to get better at automatic security. Spam is a really good success story. Anti-spam happens at the ISP largely, and I don't get any spam anymore, really. I get almost nothing. And spam's an enormous amount of internet traffic, but it just works magically. My mother doesn't get spam, and it's nothing she did. That's good. That's what we want. The more we can do that, the better we'll do.

Morning. So I think one of the things that I find very useful about your writing is analogies, bridging the non-technical and technical worlds. I like doing that as well. One thing that I wanted to ask about was BYOD, and specifically mobile device security. As you can see, there's many talks around mobile security here. What are some useful analogies I can use to get across some of the risks to my senior management?

BYOD. And I think BYOD is again this trend of loss of control. BYOD, if people know this buzzword, basically means your employer no longer gives you a computer and says, here's a thousand dollars, buy a computer. And you know why? Because you've already got a computer, you've already got a cell phone, you don't actually want the corporate stuff. It's more to carry, and it just annoys you. But then once that happens, you get the loss of control. So this is, I think, an important trend. This is a trend that is going to reduce security, a trend that's not going away, because getting out of the provisioning business I think is valuable to companies, and they actually want to give their employees cell phones. And analogies: really think of it as loss of control, because now as
an employer I no longer control that end point it's very similar to home banking customers in some ways because you can imagine that banks could give each one of their customers an iPad you must bank through this and I can and I control it and I set the patch levels and you can't do anything else on it so I can make it secure but instead I say you know go to your browser and log in from anywhere right but that's and that and banking works that way more and more of corporates IT is going to look like that it's going to look like Facebook right it's going to look like you'll log into us this site and and the way that works I mean why banking works is you get a very very limited number of things you can do but you don't log into your banking website and get a command line that'd be cool right you get a bunch of options same thing with Facebook same thing you know with all of these sites so I think we're going to see more of that less free form which is okay because most people don't need free form they want to do certain things right they're going on they're going to court website to fill out forms to get some stuff to read to share documents to send and receive messages so think of it more as a social networking site and that's what I think the effect of BYOD right I mean I think I'm gonna do quicker answers now because I'm running out of time and no one asked me about uh SHA-3 what's wrong with you people Hi this question is about your book Liars and Outliers and with a reference to the previous panel which was talking about philosophy, history and politics which I'm thinking might be a trend now here that we're going to get into other things so it says in your flyer that you quote Thoreau and Socrates and uh as a former graduate student of philosophy uh and being familiar with the plate as republic one of the diet tribes in the republic is about people that are experts in other fields thinking they can do philosophy so I was wondering if you could expound or 
whether you think it's appropriate don't shoot the messenger for hackers to become uh lead leader thought leaders in other fields yeah hacking is not a domain hacking is a mindset 100 percent yes hacking is a way of thinking hacking is a way of looking at the world you know we tend to be hackers in computer science we could just easy be hackers in biology right we could be hackers in model trains which original hackers were so yes simply because hacking is a way of hacking actually is a philosophy and you know then there's some things where which can leech in other domains law is like that because law is a way of looking at the world so lawyers often write about very different topics you get law professors and read law journals running at all sorts of things because it's an economist also it's a way of looking at the world so in in that we can bring our mindset to other problem spaces I think it's valuable what I try to do in my latest book is to go the other way right to say here is what philosophy and sociology and psychology have to teach us in computer security right I'm not trying to go there and tell them their stuff I'm trying to go there and say what do you got that's useful for me in my field and that was a really interesting thing to do I had a lot of fun writing this book because I'm trying to you know what because security is fundamentally about people it's about technology only a little bit it's really about people and lots of disciplines try in their own way to understand people they do it differently I started a workshop four years ago it's called the workshop in security whom behavior the day was to bring all these different disciplines together who work on the same sorts of problems from very different perspectives have been talked to each other and that was way cool interesting thanks good answer thanks dodge that one morning Bruce um my question to you is uh with the advent of social media um and uh how people are blogging and on twitter there 
seems to be a large percentage of people who have this sense of uh futility and fatigue when working in the security industry now I was wondering if uh you felt that that contributed at all to actually solving some of the bigger challenges in the security industry you know I actually worry about fatigue also because it's so freaking hard especially when you're fighting you know uh fighting for privacy fighting for security there's so many forces are ready against it I mean these days I worry less about the criminals and more about the legitimate forms right I mean the corporations the governments who are using political and economic systems to force technological changes to make us less safe and and it is really easy to get discouraged and you know I have no good answer for that I mean we know we in sometimes the best we can do is lose slower and there's there's a quote that that is sort of always stuck with me uh by Martin Luther King Jr who said once that the arc of history is long but it bends towards justice I mean what he's saying is that in the short term we can lose and lose big right but a hundred years ago you know half of us in this room couldn't vote right two hundred years ago a bunch of us were slaves right that history does get that we do improve even though you we hit you know some local minimums that look pretty bad so I mean that's that's the advice I have for not losing heart it's easy I mean luckily they know more and more of us come up right and do things so so people get tired can can can sort of sit back but I've been feeling I've been right in the same essays for 20 years sometimes I mean CNN asked me to write about the Aurora shooting what am I going to say I flip back I wrote a long essay about the uh the Fort Hood shooting I said basically the same things about uh whatever university shooting that was Virginia Tech right you know so I mean I can re I can take the same essay quote I quote Virginia Tech and write Aurora movie theater it's 
just as relevant but I feel like I've said it already right how do you give the problems don't change right we're still fighting the same battles and it seems like we have to win every time and the better guys only have to win once so no this is hard I mean I mean can't you ask an upbeat question Gadsu sorry Bruce so I have to end soon okay you like so two minutes so okay yes or no questions go okay I will phrase it as yes or no question first I was going to ask you about what political hack we're missing but since you said the solution is lose slower I've got the answer um with regard to software it seems that uh Chrome for example auto updates and that it's been a very good thing for computer security in general um I think a lot of people in this room probably opposed to software automatically updating and a lot of users are opposed to it because historically it broke functionality so my question is at this point in time have we reached the point where effectively all software should update automatically based on a trust relationship yes hang on hang on okay how many envelopes do you have left no no don't count I'm just just just take them and go back along the line and hand them out in order because I'm sorry so so a couple of things will happen now I have here so I should couple this I'm I'm now going to a book signing this isn't my book it's it's available at the book store and I'll be going there and doing a signing I have this which is the book flyer it's kind of the thin version of the book uh it doesn't have as many words but on the plus side it's free and I have piles there and there so if you feel free to grab one those of you have cards this is the galley of the book now the one galley is before the book is published the publisher uh prints these and gives them to book reviewers basically so those of you with cards if you come here I will give you a galley uh the galley has more typos than the real book so you gotta sort of accept that and I in return I 
ask that you mention blog tweet anything something that that you read the book I really appreciate that so that's the plan for now I'm going to go right here where this box is and then I will go to the book so I think I should stop at the Q&A area first and say hi so I'll do that so I'll do that for like 15 minutes then I'll go to the book signing and then the rest of our day will continue and we'll all have fun thank you for coming thanks for coming Defcon