trying to keep it on some level of time even though we really, really stunk at that so far. I know, I know, I know we have done some pretty bad things. So over the years we have been asked numerous times about how we came up with this concept, what is the Social Engineering Capture the Flag, how it started. So we figured the best way to do this is to make it a speech here, talk about what it is, why we started it, some of the facts about stories that maybe you've never heard, things that we haven't really talked about publicly in the inception of this contest. So I don't think we need to care about this room, blah, blah, blah. Okay, let's go into some of the most important things. So what is a social engineering attack? I think we all know this by now. You know, this is the basic stuff, but we classified the three different areas, which is either phishing, on-site impersonation or phone elicitation. And we were approached by DEF CON to see if we can come up with a social engineering competition where we're like, can we legally do all of these? And the answer is no. Legally we cannot. Legally we can't phish unsuspecting users. So we have to take that out of the mix. Impersonation, physical, really hard to work into a competition that takes place in like two or three days. So that left us with phone elicitation. So we came up with the concept of creating a booth, said booth right here in front of me, and putting people in it to make live phone calls. That was kind of our concept. And we said, but you know, that's been done a lot. So how can we make this contest even better and cooler? So we had to figure out, what was the goal? What was it that we were trying to accomplish with the SECTF? And our goal was that we wanted to not only have a cool contest that demonstrates the danger of social engineering, but something that would be entertaining, something that the average person could take part in.
You didn't need to have like super elite, some kind of elite superhuman skills or something; anyone can really jump in and take part in that. So we split it into two different sectors. First is OSINT, or open source intelligence. And then the second is the calls here at DEF CON. So we came up with the concept of using Fortune 500 companies in America, and only in America, because that's what our lawyers said. Because our lawyers are in America. So that keeps us safe. And then to pick the contestants and to give them their targets, give them two or three weeks, we started off with two, to do their OSINT, write a report, and then to use that report to come here and make the phone calls. So our first one was DEF CON 18. And here's probably the biggest story. Dave is not the FBI. Okay, so anyone know the history of Dave and I? No, I really don't want to give you the history here. Okay. I don't want to give you the history because this is going on the DVD and it's not very family friendly. So I'm not going to give you the history. But Dave pranks me all the time. Dave has done some pretty horrible pranks to me all the time. And at the time, so DEF CON 17, we were there and they talked to us about making an SE competition. And we had come up with that whole concept, launched it, it made big news. Like we were kind of shocked at how much media was behind the SECTF. But it wasn't positive media. It was media saying that we were going to hack into the companies live at DEF CON and ruin them and humiliate them. And we were going to release credit cards and passwords, and a lot of fear mongering. So I get this call. And the call starts off with, hello, this is Agent Smith from the FBI. I want to talk to you about your competition. And I go, nice try, Dave. Click. Hang up. I'm like, you know, jerk's not going to get me again. I already fell for goatee. I fell for everything. You name it and I fell for it with Dave. Great social engineer I am. So I'm like, okay.
The phone rings again like a second later. I pick it up. I'm like, Dave, already told you, not falling for it. He goes, excuse me, sir, I don't know who this Dave person is, but I suggest you not hang up on the FBI when he's talking to you. And I'm like, is this Dave Kennedy? And he's like, no, I already told you. My name is Agent Smith. I'm like, okay. So let me start all over, sir, I'm so sorry, what's going on? Anyhow, there's two or three really large companies that called the Department of Justice and said that we were going to hack into them and humiliate them publicly. So the FBI called, wanted to know what our contest was all about. So my first phone call right after that was to the EFF. And the EFF said, hey, we can, we definitely want to help out. So they looked over everything and they said, the best thing you can do is offer to go to DC, take your computer, all your things, and show it to them. And you know, like, don't make it a big deal, because that's when it looks like you're doing something wrong. So I did, went to DC and said, here's all my files, take a look at our rules, take a look at what we're planning to do. And I got the unofficial word that, you know, we cannot endorse what you are doing, but you are not doing anything that we can stop. To me, that was an endorsement. So I was pretty happy with that. But the lesson I learned with that is Dave is not the FBI. That was DEF CON 18. So we came up with the theme, how strong is your schmooze? And we, you know, this was the art for it. Someone found that for us. And this was our room. Now, it was in the Riv. Okay, it was in the Riv. And have any of you been to DEF CON at the Riv? So like, you get like hepatitis walking on the floor, right? So it was like, the floor was sticky. It really was. Like when you walked, it was like, you know, you heard it. It was like pretty, yeah. And there's Dave again. So this was our room. Can you see that? Okay. Can you see there's a slide washed out?
Do we need light adjustment? No? Okay, we're good. Okay, so it was tiny. I mean, we are talking like the table and then maybe there was, what do you think, Nick, like five or six rows? I don't even think that big. And not depth. It was like, maybe I think they said like 100 square feet. It's like a closet. You know, it was literally like a closet. And the room was packed. I mean, we were, goons were coming in saying that we're like getting, you know, we're breaking fire codes all the time. So something really special happened. This is going to sound braggy. But it's important to understand the nature of the competition as it continues to grow. This was DEF CON 18. And in 18 years of DEF CON history, they never awarded a black badge to a first year competition. And we were the first contest ever to get a black badge in year one. So that was it. Thank you. Thank you. It was a huge privilege. I remember when Dark Tangent came in and told me that we were going to be black badged. And I was like, I mean, I thought you had to be at DEF CON for like two or three years before. And he was like, well, you know, the excitement. I mean, literally it was like a line out the door and it was down the hallway and it was like people were sitting on the floor of the Riv. I felt so bad for them. They're probably all dead now. And they were waiting to get in the room. And then they were lining the floors of the room. And it was like 12 million degrees in the room. It was just unbelievable. But it was really, really successful. And something major came out of that besides the DEF CON coolness of it. It was that we had a report that we wrote that showed that it didn't matter if you were skilled or if you were a noob, that social engineering affected every company. And it's something like I knew inside. I think we all kind of knew. You got to think this is six years ago. And we had this report that we wrote that indicated that this was a real problem. And nobody knew.
Companies didn't understand how to handle vishing calls. And it was a real problem. So we're like, okay, this got us a lot of press after DEF CON, but the fear mongering was still there. So the next year, DEF CON said, you're going to do it again, right? You're going to do it again. We want to have it again. We're going to do it again. So we came back with The Schmooze Strikes Back, DEF CON 19. That was our theme then. And they did something nice for us because of the popularity of the competition. They gave us a much bigger room. They really, really pounded out the space. We had not nearly this big. It was probably 500 square feet, which for us was about six times the size of our previous room. And we were really excited. And we were like, well, I'm never going to fill this. It's too exciting. And again, we had, I should have said this before, DEF CON 18, we were begging people to sign up. We were like, please. And people were signing up left and right for the competition. And then they were being told if you compete, you're going to get fired. I had four or five competitors that had to drop out last minute because they were told if you compete in this competition, when you come back, you have no job. So they would call and they're like, what have we done? I'm like, dude, don't lose your job over a competition. It's just for fun, right? Don't lose your livelihood. So DEF CON 19, it was like the same thing. The fear mongering had persisted. And people were afraid to sign up for the competition. So it was really hard. We were like begging people. And eventually we got 12, I think it was 12 or 14 contestants. We had our companies, another amazingly successful year. And now this year, we wrote the report and we found out that the first year's report was downloaded about 100,000 times. And that was shocking for us because we were like, you know, I guess when you're in the space, you kind of know the problems, but you don't think that it's going to be that popular.
And the second year, we were like, we really got to write a much better report. I'm a really good report writer. So we struggled with that, of course. And the second year report just totally like blew the numbers off the first year report. But the problem was still there. And this was the thing that kept fascinating us. Is that we were thinking maybe because of all the press, it would get better, right? That maybe there'd be some training, but it actually got worse. I mean, it got a lot worse. Like the problem started to escalate as more and more skill came into the market. And we saw that the problem was actually getting worse, not better. So fear mongering persisted, right, at the end of the year, and the next step was to get a job as DEF CON 19. So this was the year that we said, what can we do to make some changes for DEF CON 20? And we thought one of the things that would be really cool is to pit men against women. So we spent one year, from the end of DEF CON 19 to where we had our sign ups, kind of grooming the community, talking about women in SE and trying to have a handful. It wasn't an equal split, right? They didn't have a lot of women who joined the competition. So the guys obliterated this year, you know, they really did. You would have thought, I should have asked, how many people really would have thought that women would have won? I'd guarantee 100%, right? That's what I would have thought. But it didn't happen this year, and it really was just because of having guys in the competition who were skilled or professional, and this being, for a lot of the women who had joined, their first time ever stepping into a booth or making a phone call for these purposes. But some interesting data came out of DEF CON 20, which is, you know, women are scary. You know, and it doesn't matter what species we are, they're scared of us, because although they didn't win, I always tell this story.
We had this one young girl who was in the booth and she did this, she said, it's my first time ever making a phone call like this, I'm just going to play dumb. And in my head, I didn't say this to her, in my head I thought, that's just not going to work. And I was like, why would you do that? And she got in the booth and this literally was her pretext. Her company was Dell and she had called them and she got a guy on the phone and she said, I'm just a stupid college girl. And I don't know how to pick any type of technology. Can you help me? And this guy spent seven minutes telling her why he was the king of the universe for helping her with any technical problem because she was just a silly college girl, right? And every time she would self-deprecate and he would puff up, she would go, so what kind of antivirus do you use? And then he would say it. Oh, but what kind of operating system is the best? Oh, then he would say it. And then she went, it was so ridiculous. So then she got done with all the questions and then she says, you know, I want to get more points. I want to, you know, see if I can get all the flags. So she says, you know, I'm thinking of starting a company. And she was Latina and she used this, and she sounded Latina and she used this to her benefit. She said to the guy, you know, me and my cousins, we're going to start a cleaning company, a janitorial service. Well, who do you use for janitorial services? And the guy just spilled it, you know, who Dell used in his office. Then one cousin is going to come and he's going to do pest control. So who do you use for pest control? And he spilled it. And then it was, I have another guy, another cousin who's a security guard and we're thinking of adding security guards. So when she was done, she was a college girl who was starting a janitorial, pest control, security guard, computer repair, vending machine delivery service. And the guy was still like, I'm the king. I can help you.
And I go, how is this even working? And the guy was just like, I'll tell you anything you want. I mean, she just kept going. You know, it was just crazy. So we obviously wanted to revisit this topic. Yeah, that was DEF CON 20. So some other things occurred at DEF CON 20 that changed the scene for us. And this is probably one of the big ones. We got visited by the chief of the NSA at the time, General Keith Alexander. He had come to DEF CON because at the same time, and this is not the nature of this talk, so I won't go too deep into it, we helped start a kids' competition. And that got a lot of really good press because we were teaching kids about social engineering, critical thinking, lock picking, and General Alexander came to DEF CON. They asked to meet with me and we met and I invited him to the room. I said, why don't you come see the adult in the room? Actually, it was kind of funny. I should tell you the whole story. I'm sitting at the desk and somebody from DEF CON calls and says, hey, can you come back? General Alexander wants to talk to you. And I said, well, I'm in the middle of a call, you know, we're doing the thing. And she said, maybe you don't understand what I just asked you. General Alexander wants to see you. Maybe you should just come. So I hang up, I tell the room, hey, guys, can you just give me like 10 minutes, I'll be right back. I run over and I'll just visit the room. So I said, when? He goes, I don't know, we'll be some time. So we're sitting there, we're doing calls. We had our youngest female competitor ever. She was 17. She was in the booth and these like, you know, big guys with the black suits and little earpieces come in and they're like, we're going to clear the room now. I'm like, we need to clear the room? And they're like, you know, check for weapons. So they do all that stuff and then General Alexander comes in and he brings all of this for us, which was, you're doing the best thing you can do for this country. Keep doing it.
We need this. And hands me a Director of the NSA challenge coin, and it was like all over the press, and that changed everything, right? All of a sudden, so the year one, we had this rule. If you were a company that was a target, we would offer you all the data we collected, the OSINT reports, the call data, we'd give it all to you for free. So anything you do will help you fix the problem. We'll even give you an hour of consulting for nothing just to help you fix this problem. That's been the rule since day one. Guess how many companies called me at DEF CON 18? Zero. Exactly zero. Guess how many companies called me at DEF CON 19? Zero. DEF CON 20, this happens. Guess how many companies called me out of 10? Nine. Okay, nine. Nine. So very close. But nine. One was like, I'm never talking to you again. They still hate us, okay? Nine out of 10 companies called. Then I got invited to the Pentagon. Can you believe this? The heck, look at me. The heck, right? So I got invited to the Pentagon to debrief like 35 like four star generals and heads of state and like just ridiculous. So let me tell you this story. Anyone ever been to the Pentagon? Okay, so you know that these things are not allowed, right? So I'll tell you this. So I didn't know. So I walk in and I'm being all like, you know, towards the Pentagon. It's cool, right? And I get to the room and I'm standing in the room that's about, let's say, half of this size. And it is just wall to wall monitors. No windows, you know, you're on the inside. Wall to wall monitors. And I have all these guys and gals sitting in front of me and they have my reports for the last three years printed out. And they have them all there and I'm like, well, they're really prepared. And I go, this is so cool, I got to take a photo. And I get my cell phone out and I just see this big, huge black guy. He's got a phone. He's got a phone. I'm like, what's going to happen? I'm like, I don't know why. Why is this so bad?
I'm like, and I'm like, and they're like, put the phone away. I'm like, why is that not in the locker? I'm like, I don't know. I don't know anything about phone lockers. And then you see the big sign that said turn in all technology. And I'm like, I didn't read it. I wasn't paying attention, and I'm in the Pentagon. So I got escorted out of that room to a special room with these big lockers and I had to lock all my stuff in there. And I wasn't even allowed to bring my computer or anything. So I should have thought about that. Anyhow, besides that and not getting tased, which was a really good thing, we were able to tweet about that, talk about that on our social media. And that changed the nature of this competition. So the competition was the same. But the way it was looked at, and not by us, not our community. Our community looked at it the same way. But the way it was looked at by the outside world was now what we wanted originally, which was we're here to help, not to hurt you guys. We're trying to prove that social engineering is a big problem and it's not getting fixed. And we can do it. We can fix it. We just have to work hard. And things like this happened. One of the other great stories, Dan, I'm going to do it, that happened at DEF CON was we had a guy in the booth and he picked an employee out of a hat on the website for this target company that he had. And as he was making his call, this was the, I'm getting some of the story messed up, I've been told recently, but I'll tell you my version of it at least. There's a big security conference called DEF CON. And we may be a target and I want to make sure that our computers are all secure so we can't get attacked by DEF CON. Thanks, Dan. We had fear mongering already. So he's calling as this employee who was a tech guy. So the pretext would make sense, right? Tech guy in the company calling the stores making sure they're up to par. And it's working well.
Well, little do we know, someone's texting Josh saying, Josh, what the heck are you doing? Why are you calling us about DEF CON? And Josh goes, I'm not calling you about DEF CON. And then some of his buddies go, Josh, what's going on? We're getting calls about all this. And Josh is three doors down at DEF CON listening to a speech. So that's the real Josh on your right. And that's the fake Josh. Dan the milkman, sitting right here, made that call, and they came in. And at first, you know, yeah, it's a little crazy. At first we were like, they come in with an entourage, and I'm like, it's him. He's in the booth, you know. And I was like, well, so, and then we got a picture and they were really cool about it. So it was a really, really interesting story. Something that probably only happened at DEF CON, a little weirdness like that. Some other cool things that occurred at that DEF CON, nothing to do with the CTF, but we got to meet and hang out with Infected Mushroom, which was really cool. I just added that in because it was something Vegas-y. And that was really cool. They played there that year. But we weren't satisfied with the men versus women results because what I wanted was an even split. Like I wanted 50% women and 50% men so we can have a true, you know, true look at who would be the winner. So we launched in DEF CON 21 the Who's the Deadliest Social Engineer competition. And again, we promoted that it was going to be a male versus female competition and we really wanted to bump up having equal women to men. And then the other thing we would do is the one target would be given to both a male and a female. So we pick a target company and a male and a female would, not as a team, they would both be assigned that same target. And then a coin flip would determine who goes first at DEF CON. So they both have to prepare a report. They both come to DEF CON and then a coin flip determines who goes first. So who do you think won this year?
Yeah, so here's the thing we learned. Women scare us. Same thing we learned last year. And they do, because it wasn't just a win. It was like an obliteration. It was like 700 points between the woman and then the next winner, which was second place, which was a woman, and then the guy below her was like another, it was like a thousand point difference. So we walked away with our tails between our legs and had to try to redeem ourselves the next year. So there were some really interesting things that came out of that data also, because what we found that was really fascinating for me is, as guys, we tend to try to always use pretty base pretexts. We come in as the boss, as the manager: here's what I'm going to tell you to do. And the women came in not with the authority, but they came in, and I know this word seems a little, more submissive in the way it appeared to the caller, and that worked really, really well. I mean, it was like amazing, right? They let the guys' egos on the phone go nuts, and even when they had another woman, egos get bigger, and then they always succeeded. And I'm like going, hey, these women got something on us. I got to try this. And I did. I tried it and it worked so well. It's amazing, right? So ego suspension, really, really interesting topic, but that really worked well for them in the same exact pretext. So you can take the same pretext, like I'm calling from corporate IT and I'm doing an IT survey because we're about to do some new product update or something like that, and you have a guy do it and you have a girl do it, and the results were that if the guy used authority and the girl used ego suspension, she always had a bigger score. So it was a really, really fascinating data set that year. This was the winner, Lily. She was just amazing at her call, and really fascinating, she did this thing also. Anyone ever hear of a researcher, a psychologist, researcher Amy Cuddy? Okay, a couple, right? So she does this thing about power posing. You know, you stand like a superhero, and you know, you stand in a place that, the way confident people would stand, and you do it for two to three minutes before something that makes you really nervous, and it creates confident feelings in you. And she was doing this like in the room. She was like, and I'm like, she's a little weird. I had no clue what she was doing. But afterwards, when I asked her, what she said was she had this confident pose and it helped her feel really confident. And she got in the booth, and had never done a social engineering call ever in her life, and just totally owned it. Really, really phenomenal.
Some other things we did there, I just might as well share all the stupid stories that happened. Is, yeah, so I had this concept for the kids' CTF, and you know, sometimes these things come to me really late at night and they seem like great ideas, but I should do what I tell my clients: wait 30 seconds before I take action. I didn't. I had this idea that would be really cool for the kids' competition, that their final exercise, that they have to run through the room and put a code in a box to win, and they're getting shot at by snipers with Nerf rifles while they're doing this, running through. So I tweeted, any snipers coming to DEF CON that want to shoot children, DM me. So yeah, yeah, yeah, exactly. Who said it? Yeah, that's exactly, yes, I know, believe me, okay. I'm not the smartest bulb in the bread, whatever, you get it, okay. Proof in the pudding right there. So I get two calls. One was from my buddy at the FBI saying, did you read that last tweet out loud before you sent it? And I went, yeah, it's fine. And I'm reading it as he's, I'm like, oh dear lord, oh, oh my gosh, I didn't put Nerf in there. And he's like, no, no, you didn't, and we're wondering what you're talking about. I'm like, I have a really good explanation, man. So I deleted that tweet, but in the meantime, I actually got contacted by a guy, Bones, I don't know if he's here, and he's like, hey, I'm coming to DEF CON, I'll shoot kids, what do you got in mind? And we hired him, and he still works with our group. I don't know what's wrong with me. I said, you do understand I meant with a Nerf rifle, right? And he's like, yeah, that's cool. And I'm like, okay, that was way too calm. But so anyhow, so those are the Nerf rifles I bought.
And then something else really cool happened that year. I had been, you know, we have a podcast that we do once a month, the Social Engineer Podcast, and thank you, thank you, one listener, by the way. Now seriously, how many people listen to it? Okay, I have a serious question. Dave, you here? Dave? Okay, no voting. Okay, listen, do you guys like Bruce Hornsby or not? If you like Bruce Hornsby, no, if you like Bruce Hornsby, raise your hand. If you want Bruce Hornsby, okay. And how many of you would rather not have any more Bruce Hornsby on the podcast? I got people raising two hands and legs. No, no, I think, look, look, look, keep, come on, guys, come on, support me. I talked them into it, okay. So, so we always try to have like interesting guests on the podcast, and people that we think we can learn something from because of their jobs, and we had a lot of psychologists and researchers. Well, I reached out to Apollo Robbins. If you don't know who he is, you can check him out, amazing. He's called the gentleman thief. Some of those guys, like you've probably seen his videos and just don't know it's him. Like he'll take your wallet off you while he's actually talking, he'll take your belt off, you won't know, and he'll take your watch off. And I had reached out to him and started the conversation with him and said, hey, wouldn't it be cool if you came to Vegas, and because, you know, that's where he is, and I'm like, and we did a podcast, a live podcast. And he's like, man, that may be cool, you know. So we talked about how we can logistically work it out, and then he's, and then I threw this crazy thing, like what if we do a speech together? You know, we can do a speech about social engineering and what you do and how it works together. And he's like, yeah, sure, that'd be cool. Like, you know, I'm like, this is awesome.
So we did. We had planned a speech, and we were in a little room, much smaller than this, and it got a lot of real big interest. So what ended up happening is Nikon moved us to a really, really large room, and we were in the room and we had some malfunctions of our projectors, and because of that we were like sitting there, what are we going to do? We had all this stuff planned, and he's like, well, let's just, you know, improvise. And he pulls a guy out of the audience and like takes his belt off, takes his watch off, takes his wallet out, right in front of the audience, right, and that was the speech. But he was working, he was working with an actor at the time, who he had told the actor, by the way, I'm giving a speech with this guy all about social engineering and you may want to, you know, come and hear it. So he called me and said, I'd like to bring somebody into DEF CON, but we got to do it kind of on the sly. So we had got a great chance to meet Will Smith, which was really cool, which was really, really cool. Yeah, actually, he is like so awesome in person. Yeah, it was really neat, and he's just a really great guy. And it was for the movie Focus that he was training with Apollo. And then we had, we talked about DISC, Tim talked about DISC, and he wanted to learn about DISC, so we did a little DISC lesson in the back. And then, oh, this is a great story. He says, so he had a bodyguard and all this stuff. He was supposed to come in for like the speech, and then we were going to take some pictures, and he was going to leave, so not everybody was going to know. And he was like, man, this community is pretty cool, to the DEF CON shop area. And I'm like, yeah, you realize there's no way to keep you secret when we go walking down the hallway. And he's like, yeah, you know, it'll be cool. So I'm like, okay, you know. So we're walking down the hallway and this drunk guy comes running up and he goes, dude, you look just like Will Smith, the ladies must love you. And Will goes, yeah, I do, okay. And the guy's like, fist bump, oh man, and he walks away. And I'm going, and I'm like, you don't even need me, that was epic. And he's like, I didn't get used to it. And I'm like, that was the coolest thing I've ever done. That was a good year, a good year.
So then last year I felt like we'd done all the data collection we could in different types of SE, so I thought, how can we make this really difficult for the contestants? So I came up with the idea of tag teams, two people in the booth at one time, right? I thought that's going to make it super hard. In addition, we said no phone spoofing, and you had to hand the call off a minimum of three times in one call. You had to hand it off three times to get any points. You had to hand the call off three times in between. I'm like, this is definitely going to help prove that maybe they can combat a social engineer. No? You're shaking your head. Absolutely not. So these were some of the things we did: no spoofing, two people in this booth, sorry, I'm not really sorry, people don't really shower a lot when they come here, so you can imagine this confined, airtight space with a heat lamp up there, and they're sweating, and we give them 30 minutes. Yeah, that was great. So what did we learn from it? Well, let me tell you some of the stories from that. We had some amazing things that happened. I'll tell you one of the best rebuttals I heard. A lady on the phone, the target, said, if you're calling from corporate headquarters, why is your number not corporate headquarters? And it was like, we were using Google Voice, so it's a random number. That's because I'm training my co-worker, and he introduces her and says, we're on an Adobe Connect line, and that's why the number looks different. And the lady goes, oh, okay. And then he was able to hand the call off like non-stop, right? I think we had 20-something handoffs on one call, was the max, and it was just literally like, so now, like, you know, Brian's going to ask you a question, oh, now Chris is going to ask you a question, and the phone was just like, okay, okay, okay, okay. And I'm like, how is this working? We tried everything to make a disadvantage for the social engineers. At the end of the day, they still won, right? So it was, it was crazy.
Also, how many of you were here for the Thursday competition? Okay, a few of you. Hopefully many of you heard about it. That started because we did this, well, not because I handcuffed a cute blonde, but because we started just throwing together, we were there Thursday, we were there early, and we're like, what can we do to have fun? I had some handcuffs, which by the way was another funny story. In my carry-on luggage I had duct tape, handcuffs, this is going to sound weird, I had some almond oil, it's good for the skin, okay, really, it's good for the skin. I had duct tape, handcuffs, almond oil, and four Nerf guns, and some tweezers and hairpins, and it goes through the thing, and the guy goes, whose bag is this? I'm like, that's mine. And he zips it open and he goes, really? And I go, dude, I'm going to Vegas. He goes, oh, and he zipped it back for me. It wasn't even, he didn't even think about it. He was like, zipped it. I was like, oh. And I'm like, that works, like all sorts of horrible things in my bag, like, I'm going to Vegas, man. Oh yeah, we heard what I heard, that's crazy. So last year was so popular on Thursday that we decided to make the competition that we did this year, which was Mission SE Impossible, and it went really, really well. So well that Jeff came in before and he said all he heard about was how awesome it was, so he wants to make it bigger and better next year, of course, but it's going to be back next year, so I'm pretty happy about that. Yeah, so this is how the booth looked with two people in it. Pretty tight, right? Pretty tight. And our room was constantly packed. We had a 45 minute wait time outside the room at all times. So you guys who were there complaining to DEF CON, that's what got us this room this year, which is packed. So that's pretty awesome, because you don't really move up in the room size world in DEF CON unless you're really, really needed for that, and when we got that, it was because of you guys, not because of us, right?
And you can see this is the way the room always looked. It was also the first year that we tried something new. We threw together some speeches for the village, just one day, and DEF CON heard all the people talking about the people that we had invited in, people like Jayson Street, people like Michelle gave a talk, Kevin Mitnick gave a talk, Dave gave a talk, and it got popular. So they actually threw together a camera crew and videoed those speeches. They ended up on the DEF CON DVD, and it was something that was highly requested. So that is why we have our beautiful camera goddess and camera god in the room for the last two days filming all of our speeches, because now it's like an official track for DEF CON. So that's pretty cool for us to have that happen. So here was DEF CON 23, and we're like, what can we do to make it bigger and better, or just at least make it a little bit different? So this year, if you were in the room at all, you know that our theme was telecommunications, and it was something that we really wanted to see. Now, when I made this deck, of course, I didn't know how it was going to turn out, so I'll just give you a couple of the quick synopses from this week. We had a guy that literally, at about nine minutes left, he said to the audience, I'm going to be the only person in DEF CON history to get zero, because there was like no points on the board at eight minutes in. He got one person that was willing to answer everything for him and he totally cleaned house in eight minutes, right? Just totally amazing. We also found a few other things. We found a company, on the good side, that after the contestant got them to go to our website twice with two different employees, the third employee he tried it on, the guy paused and he goes, oh, I'm sorry, I'm being told I'm not allowed to go to that site. So they had internal communications somehow and warned the employees quickly. We're talking within a 25 minute span of phone calls that they were no longer allowed to go to that website. That was blocked. That was really cool.
We also found out that my website gets blocked for porn, which is really weird because there's none on there. And one of the people today tried to go to our site and they said they couldn't get to it. But we figured out what it was. The White Canvas guys helped us figure it out. Some articles we write on how social engineering is used by child traffickers, because they use a lot of these skills, unfortunately, for the negative, and some of the content in those articles can get flagged by content filters. Then, let me see, then we had two contestants that just didn't show. They didn't show, they weren't here. So we asked the audience, anybody want to stand up and try it? This is day two, after seeing people sweat and suffer in the booth, and we have seven people up here all begging for a chance to get in the booth. And we did a lottery, because we figured, how are we going to pick this? We did a lottery and we picked two names out of the hat, and we had Leni and Whitney get in the booth. And I don't know if anyone was here for the Whitney call. That was utterly ridiculous, right?
it doesn't even do this for a living I was like what is going on here totally really just open the doors wide on that just a really friendly wonderful conversation a really great year I mean a really really great year unbelievable year for the SECTF so what are some of the things that we've learned and this is this is probably some of the big points for us guys that corporations they're still really bad at social engineering they're not training their employees we're not seeing a big a big shift in that online information leakage it's huge every year I wish I can share some of these points with you I really do but it would be very bad for me to do so but every year we get reports in where people have found some anonymous tips one year we had a contestant that found a you go to the intranet page and you click get help click here for help he had clicked there and a document came up about how to log into the intranet and the badge that they used in their example was a working badge number and password and he was able to log into their intranet we're talking like 2014 and 13 whenever it was and these things are still out there and then 2015 we found a company this year that literally has their ISOs so the ISOs that they used to burn their corporate computers online to the public yeah which means you can download the ISOs and basically figure out what software is automatically installed and things like that just things that were found were all the breaches you think it would get better and this is probably one of our big points that we learned we also learned it doesn't take a pro to be successful you don't have to be a pro we've had complete nudes get in the booth and totally own it we've had people today's a great example Whitney got in there and never made a call before and she was amazing right and all the contestants that don't do this for a living get in there and they still are so successful there was nobody failed there was nobody that got nothing right so that 
is shocking right you would think that if maybe if you're new to this you would get nothing there's nobody in this competition that got nothing so and probably the biggest one for us is internal pretext are probably the most successful acting like a fellow employee regardless if you're spoofing or not just works it just works take away facts women are scary probably the biggest take away fact trust the FBI call and don't call them Dave Kennedy okay that's another big take away fact you can be our next contestant I want to see some new faces in that list next year okay I want to see people joining up for this we do have rules and we have lawyers that's important to remember okay because we're not going for like passwords and credit cards and things like that we have some pretty strict rules that are that are guided by our lawyers why so there's all the main reasons and it is because we don't want the company or the employee to feel victimized and there's always a level of embarrassment when it comes to social engineering that's granted right we don't want someone to feel victimized second is I don't want to be in jail so we have rules for that reason and I don't want the contestants to be in jail so we have rules so when we follow them everybody gets along and remains out of jail even when we make it really really hard like no spoofing having to hand it off we still win as social engineers and remember your cell phone is not welcome in the Pentagon okay that's probably a lesson you should all know for now so this is our what's going to happen next year we got some things planned I can't release them yet because I'm not 100% confirmed but next year we hope to change this competition up a little bit and try some things that we haven't tried yet before so stay tuned for it everyone asks how do I learn where I can sign up so social-engineer.org if you just go to the website is that on there social-engineer.org or our twitter accounts and if you follow them we announce 
it this year the registration was open from January to June so if you tell me I missed it I can't help you okay if you don't go on the internet for four months there's nothing I can do for you and don't give me a card and say hey can you call me or email me when you release it because I'm not your secretary and I can't do that so just go on the website and twitter and follow it podcast is the social-engineer podcast it is on the.org site there's a big thing on top says podcast it's on iTunes also and I will say this because I'm really proud of this point we are PG rated we're a month 74 months no they're all been edited so they're PG rated so I keep my podcast PG rated because I have kids that listen to it and one of the things I hear from a lot of people in the community that listen to it they love the fact that they can listen to it at work you know and they don't have to worry about the boss walking in and you're talking about something obscene or they can listen to it in a car with their kids and it's entertaining so we keep it PG rated and they've tried to ruin this I had a couple podcasts where Dave and Jordan just like literally said the F-curse like 45 times took me like six hours to edit it but I still edit it you know because I feel like that's an important part to make sure that the podcast can be listened to by anybody who wants it especially kids I think social engineering is really important to teach our children we want them to know these things they can protect them against predators and also give them some really useful skills for the future any other questions before we move on podcast oh yeah so talking about the podcast if you want to know what it's all about and what it's like tomorrow we're doing a live podcast here in this room and anyone ever heard of Paul Wilson or Paul Wilson couple guys okay so from he's from the real hustle in the UK he's also a really really great street magician and illusionist he came in he's here for the podcast 
tomorrow so we got him in so he'll be here with us he's a good friend of mine he wrote the forward for my first book and we've kind of kept in contact ever since and I was like hey you're going to be anywhere in the US let's get together for the podcast and he's here for that so if you're interested in that 10 30 tomorrow morning in this room it'll be Q&A for that do you have a question can someone read my question for you is I'm curious with this challenge with this game have you ever had an individual that would speak through an interpreter who's worked through a translator because I'm deaf and we're deaf and you know we're taking in your information here through an interpreter and wondering if that would add to the challenge no I've never had but I bet it would be an amazing vector I bet if we can use what is that system called TTL a TTL system or an interpreter I bet it would work really really well because of sympathy and assistance themes I'd be more than willing to try it if you want to join in next year I'd be more than willing to try it I really would, I encourage you to try it great, thank you that would be awesome other questions Dave raises him and I'm not going to call on him because it's probably going to be a prank or you know when he did one time he modified the seat in his car so the heater so you can boil water on it and then he had me sit on it and I almost charred my pants I mean we're talking water boiling yeah I thought I was sick and I thought I was going to get sick in his car so I kept leaning forward like oh man give me some more AC and he would put the AC on and I leaned forward too much once and I realized wait I'm only hot when I lean back and he started laughing and I'm like what did you do my butt is on fire and it was like my pants were crispy and he's like dude I got you so who goes through all that trouble to modify a heater in your seat just to get me yes sir I cannot hear you at all can someone give me the last part of that I 
swear I did not yes okay so if I if I understand the question you're asking how much information and what information we're looking for from a company so we give every contestant a flag list and it's things like who's your janitorial service who's your dumpster service what kind of OS do you have do you have a cafeteria on site or do you have versions when do you get paid how long you work for the company the list of complete flags is in the report which is also on the social-engineer.org site you can look at the previous years this year's report probably won't come out until October I'm looking at Michelle to see if she's flipping me off October or so December October maybe September now because she's pushing it October it will come out in October and the report the flags will be I made an executive decision you see how that works authority that works she's thinking about how to kill me but we try for October and then we have a free webinar guys that we host every year we host a free webinar and we go through the results step by step in a lot of detail so if you follow the twitter account then we will be tweeting about the webinar and you can sign up for it and even if you can't attend you can get the download the video download yes ma'am so the question was do we look at changing flags to make it more difficult is that the way to increase the bar and as much as I would like to say yes to that my issue with is the lawyers are pretty good at telling us what line not to go near right so if you were ever at DEF CON 17 I was there and I remember sitting in the audience at the SC competition I was there college girls and getting their credit card numbers over the speakers and I said I don't want to ever be in that position right because if that was my daughter or my son and it was their credit card I'd be pretty ticked right I want to find out who did that and do some not nice things to them so I don't want that to ever occur so the flag list that we have are flags 
that as a social engineer I have used every single one of them to break into write a fish for or fish a company what's your password and we're also really strict on no personal details on the target themselves so Sally answers the phone I don't want to know her date of birth I don't want to know where she lives I don't want to know her husband's name her dog's name because it's not about proving that Sally is stupid right and it's not about stupidity at all it's about proving that companies need to do more awareness training on SE so if there's a way and if you have suggestions that you think would increase the difficulty but not step over that line I will gladly show them to the lawyers to get the you can just email me I will gladly do that sir thought about what oh yeah so no never the question was have we ever thought about warning the companies that we call I guess that would have a real layer of complexity right like send them a card dear company you are going to be a target here and see what happens you know that might that might work right maybe we'll try it if we want to make it much more difficult I never thought about doing that also I think that after the report comes out the companies are more prone to look at the data and say wow this was useful whereas when you base it on fear they get hurt and then it's right but the retail companies are a mystery shopper we're not exactly being hired so yes sir use the hotel as a target nope never did that no the goal was again was to show as a country how big social engineering is a problem so we never did small calls like getting a free pizza to the room or something like that I mean we do those usually just when I'm hungry at night I don't really do it I don't really do it for the competition no we never used hotels that's interesting it's a good point I never used hotels so maybe entertainment industry is another as a vector for one year it's a good one no we never call them because that to me feels like 
extortion yeah we don't I'll tell you what happens a lot of times we have people from those companies sitting and afterwards they come up and this has happened this weekend here's my card can we talk when the data is ready I said yeah sure no problem or it goes out on twitter last year's report got down with 125,000 times it's all over the place so people are reading about it somebody in their security sector of that company is talking about it and then they're saying hey we need to talk to these guys because we're in the report on the website on the podcast we are saying over and over call us we will gladly open up and talk to you about this and we will give you the data yeah I know yeah it's not I know it's not the best but according to my legal advice is I shouldn't just reach out to a company by the way we SEG you I hope you're not pissed and we have data if you'd like it let them make the first step you know it's like you don't want to instigate if they're not happy there was one year where a company said they were going to sue us they were really upset and they were going to file a suit really large like millions of dollars and it was like a quick email and it went away they just were really upset so we don't want to ever instigate and rock that boat to cause that but that's my clock okay so I have more time because who wants to hear Dave speak I mean literally look no one even okay one more question then we'll get Dave set up that hurts real bad okay that hurts real bad okay guys thank you very much