I'll get right into my talk. The next session in here, this is the parking lot 10 in case you're confused, will be GOBBLES, Wolves Among Us. Right now, right now you're here for Selling Out for Fun and Profit. Before I even get started, I'm Hellnbak from NMRC. I might have a little disclaimer here. I'm not coming up here to stir any shitpots. I'm not coming up here to piss anyone off. For any of you that are here to hear me bitch about SecurityFocus, you can probably leave now, because that's not going to happen. This talk was kind of thought up and done before all that happened, and I've got my own opinions on that anyways. I don't necessarily consider them to be selling out. They've always been a business, and they sold their business. That can't really be selling out. So as I said, I'm Hellnbak from NMRC and, as some of you also know, during the day I'm Steve Manzuik, moderator of VulnWatch, among a few other things. The whole reason I've had the NMRC handle, basically, is I used to work for "We Don't Hire Hackers" type companies like IBM and Ernst & Young. So having the handle was a nice place to hide when I would do my recreational stuff. As far as what I do for NMRC, it's actually pretty fun. Right now I get to wash Nomad's car, mow his lawn, you know, that kind of cool stuff. He says if I drop about 100 pounds I can be his pool boy next year. So I'm like, I've got a goal to work for, right? Okay, this talk I'm basing on this: this is why people hack. Okay, traditionally hackers, at least my idea of it, have hacked to gain knowledge, to get into stuff that maybe you shouldn't be into but no one else can get into. That's how it's kind of cool. And of course lately, right, everyone wants to be an internet rockstar, right? It's kind of cool to go places and everyone knows who you are just based on your hacking. Here's a post that addresses selling out. This was posted by a guy by the name of Haiku Hacker. Not sure if he was here for the con or not.
This was on the full-disclosure mailing list. It was directed at a specific person. I won't go into that, but it was a bit of a little flame war going on. Essentially he's saying that selling out's a bad thing, and all of us bastards that do it are horrible people because we're exploiting the true hackers of the world by taking their research and their tools and making money off it. And we have another quote which illustrates probably the other side of the argument, from someone that's probably fairly well-known. And just to get it out of the way, I'm a bit biased; I actually do fall into this category of people, because if someone wants to accuse me of that, that's fine, I sell out. I am a security consultant; that's what I do for a living. Oh well, great. What I am gonna do today, I'm just gonna go through some examples of different so-called sell-outs, how they did it, the wrong way to try and sell out, and probably some better ways to sell out and actually still hang onto what little dignity you may have. The whole media whoring thing, there's a talk done by Gweeds at H2K2 where he basically said that Bugtraq is a tool now for people to get famous and get good jobs. I think he even said that Certistic works for Microsoft, which was probably one of the best jokes I heard this year anyways. You know, he was going on about how vendors use FUD and blah, blah, blah, which, some of the stuff he said, he did have a point, especially the FUD thing and the media whoring thing. We see that all over the place, and that's what I'm gonna start going through, just some specific examples of, actually I think I have three: an example of someone who you can consider a hacker slash script kiddie, a security vendor, and then just a generic example. So this is my first case study. Robert Lyttle, Pimpshiz. Don't know if you're here, don't rush the stage or anything. You can talk to me later if you've got a problem. So, how do you sell out in this case?
You know, you pick something that everyone is worried about, say Napster being shut down by the RIAA. Start to deface a few websites in support of Napster, but be sure to leave your email address behind so then the media can contact you and interview the hell out of you. After you get caught and everyone knows who you are, launch a security company. Business might be a little slow, so start again, pick a new cause, maybe, I don't know, terrorism or something like that. Let's start nailing websites again, hoping to generate business. Probably not the smartest way to do things. My next case study is just basically security vendors in general, and this one I am a bit biased. I did at one point in my career work for BindView RAZOR, so I'm not necessarily saying this is a bad thing. There are some areas where security vendors do definitely go wrong, though. So the basic premise behind it: we've got our X-Force, we've got our RAZOR, we've got, I don't know, probably another dozen or so vendor research groups. They'll go out and hire as many big names as they can, black hat or white hat, if you're smart, that kind of stuff. They'll go and hire as many of those guys as they can. Then they'll just start pumping out as many advisories as they can, and of course in those advisories you've got all the web links and all that stuff for the products. That's not necessarily a bad thing, really. Where they seem to go wrong is when they start putting press releases and PR in front of actual research and working with vendors. We've seen cases of that. We can use X-Force and the Apache thing. I know there's two sides to that argument as well, but the bottom line is they didn't work with Apache. They rushed an advisory out; some say they did it for the marketing. I would tend to agree with that. So I'm calling this one a better way to sell out.
I wouldn't say it's a better way, but I figured this is probably the way, if you are going to sell out, you should do it, because there's a lot of good reasons to sell out. A job is one of them. I'd definitely rather be working in security than flipping burgers for eight bucks an hour. So probably a good way to do it. Just do what you already do. Go out, do your advisories, publish white papers. Don't get caught doing anything wrong. Don't get a criminal record. We can all remember the case of all back. I can't remember the guy's name, but he was trying to get a job with one of the new boutique firms, and they turned him down when they found he had a record, and so of course he went to the press bitching about that. But really, what do you expect, dude? They do a background check. You've got a criminal record. None of their clients, who also will ask for background checks, are going to want to touch you. It's just kind of common sense there. Sure, sell out, take your job, make your money, but continue to do what you're doing and continue to support the community and release your tools and release your exploits. I think that's where the real difference between selling out and not selling out is. You'll see guys who I would call true sellouts go and try to be something they're not. They'll all of a sudden go from being a hacker to "What are you talking about? I don't know what hacking is," and keeping all of their tools and exploits and research to themselves. Sure, you can call those guys sellouts. The guys that continue to support the community and continue to dump their exploits in and things like that, I don't consider them sellouts at all. They're just using something they're good at to make money, and really, what's wrong with that?
The real reason, I think, anyways, this is mostly my opinion and probably a few other people's opinion, but I think the real reason that we see guys like me, and you can lump the L0pht guys or all kinds of guys like that into this category, being accused of being sellouts is we've got groups like Gweeds' talk and the el8 guys. I don't think the anti-security guys really belong on this slide. They're more anti-full-disclosure, because they think they're supplying script kiddie munitions, than they are anti-sellout. But you've got a lot of guys that don't want guys like us who actually know how to research and actually know how to hack. They don't want us to go out and secure networks. They don't want us to go out and release our research. But how effective is their zero-day gonna be when they're going up against some guy that is just as good, if not better, than they are? Media, I do wanna address the media a little bit, because they seem to feed into this whole thing. Hi, Thomas. This is a quote that I took off of an email that I and a few others received. I'm not attributing it to anybody because it was a private email. But I think this is probably valid for all media organizations at one time or another. I think we could probably accuse almost everybody in the media, at one time or the other, of saying or doing something that was wrong, that they didn't research. So I do have a few pointers or guidelines for the media to consider when they're reporting on stories. You got a pen, Thomas? The bottom line is that the media seems to grab what's sexy, what's cool, and they don't like to research it. They'll just go, oh man, this guy just said Simple Nomad's a fed. Quick, get that on the front page of whatever website. And really, you need to research that kind of stuff. Sorry, I didn't mean to mention Simple Nomad. He is not a fed. I'm not gonna sit here and read slides for you guys, but essentially, this is what the media can do or should be doing.
And the big thing is don't spread FUD. Check your sources, review your sources. There's this thing called an anonymous source that, you know, I've been an anonymous source many times that I've had to be. I know a lot of people probably have, and many media guys are pretty good at protecting their sources and still proving a point or proving their story. The last one is probably my biggest pet peeve. Just because somebody uses a computer to commit a crime doesn't mean they were a hacker. You know, yet the media, oh my God, you know, there's a Palm Pilot in this guy's pocket when he robbed the bank, he must be a hacker. You know, it's just getting out of hand. I want to address hacktivism a little too. And I call it the lone gunman myth. And the reason I say that isn't because I'm against hacktivism; I'm actually all for it. It's just the real problem is, we're not seeing it yet. You know, we're not seeing any real hacktivism yet, at least in the media. You know, all we're seeing in the media is website defacements and, you know, denial of service attacks and, you know, silly stuff that no one really cares about. You know, I would probably say that most of the web defacements probably aren't really read by anybody. And if they are, I don't think they're getting the point across. I think it would be real cool to, you know, see things like, you know, there have been a few talks this weekend about hacktivism and some of the things you can do, helping to build tools, helping to secure not-for-profit boxes. You know, why couldn't someone have hacked into Enron a year ago and exposed what they were doing? I think a lot of us, a lot of people, could have saved a lot of money. You know, I'm in that side space who I just said anyways. You know, like we're all sitting around arguing, you know, with the el8 guys or Gweeds or whoever, when really, most of those guys actually, you know, know their stuff and are pretty good.
So instead of sitting here, you know, fighting amongst yourselves, you know, let's start doing something, you know, like building the cool tools or helping out not-for-profits and stuff like that. I'm going through this pretty quick. Okay, we're gonna go to something that kind of doesn't fit in here at all. You guys wanna? Yeah, I'll see you guys. Okay, so we're gonna play something along. And of course, I went through the presentation way too fast, so we're actually already getting close to the end. I brought all these guys up because during Black Hat and yesterday during DEF CON, we did announce something new. And so I thought, you know, bring these guys up to talk about it a little bit as well. Doesn't really fit with the whole selling out thing. But essentially what we announced at Black Hat was the Internetwork Security Information Services initiative. And what that is, is it's gonna be an open source, volunteer-supported, centralized information source. The data's gonna be free, not real. Oops. It's probably supposed to be an exclamation mark, I'll bet. And, you know, we announced a new discussion list called vuln-discuss. As far as volunteers involved with ISIS, we have the guys from Packetstorm, who you see a lot of up here, and the Open Source Vulnerability Database project, which Charles is going to say a couple of words about. Hi everyone, I'm Charles, I'm from SensePost. I was asked just to say a few words about the Open Source Vulnerability Database project. Basically what happened is the guys from Digital Defense and some of the guys from SensePost, we've been building databases of known vulnerabilities, essentially based on the Nessus signature IDs, over the last few years, and Digital Defense and SensePost have come together to launch a project together with these guys to make that database publicly available.
So we'll be moving off our infrastructure into the public domain, and it'll be run under the charter of the ISIS project, so it's gonna be completely open source, completely free. It will be moderated, so it's not a discussion list; the idea is to have a high quality database of really accurate, up-to-date information. And what we've been doing is we'll be making it available in such a way that you can do complete, probably CVS dumps of the database. So anybody who wants access to it, you'll be able to connect to the service and pull the whole thing down. So that's pretty much it. Visit the website. Maybe just a quick note on where we are. The website is up. We're busy forming the, call it the coalition, and establishing the charter and stuff like that. We're also busy finalizing the technical details of the database structure, exactly how we're gonna move it, how we're gonna push the data down. I mean, as soon as we do that, we'll go live with the data, and we expect to have a database of, in the region of, I think, about a thousand or so entries when we start. So there's gonna be a lot of good stuff there, and the rest of it will really depend on you guys. So drop in, visit the site, and support us in what we're doing. So I just realized I blew through my entire talk in about 20 minutes, so I'll probably win an award for the worst talk at DEF CON, but that's cool. They do have GOBBLES coming up next to do his Wolves Among Us talk. My talk's not really geared too much for questions, probably geared more for flames. And actually that's one thing that these guys forgot to cover. The ISIS project is looking for volunteers, especially if you have a vulnerability database laying around somewhere that you don't want, or that you'd like to release to everybody. SensePost and Digital Defense already donated a couple; I think there's something like over a thousand records, is that right, guys, in there? But hey, the more help, the better.
I really didn't want to have to go up and talk. We at Packetstorm, all the Packetstorm guys, raise your hands and wave at the crowd. Say hi. That's Christian, and I'm Emerson. At the moment, what we're trying to do is, we have a whole bunch of files which don't have descriptions. They're more than just a few files. They're a few thousand files that don't have descriptions. The old stuff. And we need some help classifying it all. So at some point in the near future, we'll be sticking something on the site, and we need your help. Basically, like, if you can, hands up here, who can read C? Stick your hands in the air. Okay, give yourselves a pat on the back. You've got yourself a job. So we'll be doing that. And of course, we'll be busy. We'll also be helping support the Open Source Vulnerability Database guys and all the other bits and pieces that go along with this. And of course, all the people out there who are busy developing your tools and the like, send us your stuff. We want to start. Friends, Romans, citizens, send us your wares. So bring it on. That's basically it. Good, back to Steve. Yeah, so essentially ISIS is gonna be, you know, volunteer-run, it's gonna be free. I think the key point behind this is that the data will remain free. It's going to be a not-for-profit, and you'll be able to dump all the data any way you want. It's another people. Yeah, sorry, never-for-profit, thanks Emerson. So yeah, so like I said, I'd probably get the award for the shittiest talk that I've given, because I blew through that real quick. I'm not gonna take questions, because I know you guys are probably gonna, or some of you are probably gonna, flame me. So if you do want to come up and talk to me, feel free to come up here and talk to me at the end of the talk. Okay. Someone want this? Come get it. It's free. Okay, I'll take a question here and then you can take some free hardware. That's actually a really good question. I'm glad I took that one.
Essentially he was asking, you know, say you're an Enron employee, you're making six figures. How do you fight not selling out, you know, to expose that there's something bad going on? You know, I think that's a tough one, right? And I think everyone will make their own personal decision on that. And one of the questions to ask yourself is, what do you do? You know, you're a sysadmin or a security guy of a corporation and you know they're doing something wrong. Do you protect that data? Do you not protect it? Or do you expose it? You know, I think that's a personal question. Everyone has to ask themselves. Obviously I'd encourage you to expose them. I know in the U.S., I'm a Canadian so I'm not completely familiar with a lot of the U.S. laws, but I know some of the states have like whistleblower laws and, you know, things like that that you can protect yourself with. Or do it anonymously, you know, find a guy in the press that you trust and feed him all the information anonymously, hoping that he'll protect your identity. And each beat up a plus. I don't think I'm gonna let those connectors are in the back so. So yeah, so that's, like I said, next up we've got GOBBLES talking about the Wolves Among Us. If anyone has any questions or comments, or you want to come punch me in the nose, feel free, come on up.