Just so we're clear, I'm only speaking as myself today. I am not a representative of the U.S. government, I am not a representative of my current employer. I'm pretty sure either one of them would be really happy with me up here talking, but I feel it's part of my duty as part of this community to give you some personal stories from this community: what I took into the government, what I learned while I was in the government, what I saw that was a little bizarre while I was in the government, and what I'm taking back out of it. And there are four stories I'm going to tell you that all have some kind of unexpected outcomes and unexpected twists. You've probably heard about some of these stories in the media, but these are kind of different back-origins to them that you haven't heard before. I'll do my best to be as accurate as possible, but I'm going from memory for some of these, and some of these go back several years. Memory isn't perfect, so I apologize in advance. So I'm not trying to piss off, or be pro or con, any particular community, but I want understanding, which is why I'm trying to tell these kind of non-obvious stories. Somebody had tweeted me something encouraging me to do this talk, saying anything we can do to help people understand each other is good, because of course prejudice is bred from ignorance and exclusion, so you can kind of consider this my transparency slash trip report from three years inside the DOD. Not long after I started working at DARPA, I got funding approval for the first of the many programs that I would actually run. I know most folks are only familiar with a few of them. The first program was something called CINDER, and it was focused on super-evolved advanced persistent threat. The program had nothing to do with whistleblowers, had nothing to do with humans. It was targeting autonomous software.
There was an author, Forbes magazine, Andy Greenberg, who found out that Julian Assange and I knew each other and have kind of known each other for, I don't know, 20-plus years. He wrote an article that, the way I read the article, attempted to pit me and Julian against each other, claiming that CINDER was a response to WikiLeaks. A sexy story of hacker friends who now find themselves at odds, one trying to spill the government's secrets, one trying to protect the government's secrets. That's a sexy story. The problem is it's entirely untrue, because CINDER had nothing to do with that. Since he and other folks wanted to kind of make a story about me and Julian where there was no story before, I figured I'd tell you an actual story about me and Julian. This first story is called How the DOD Unintentionally Created WikiLeaks. So it was 2009. I had yet to go into DARPA. I was over in Germany for the CCC Congress, which by the way is awesome. And by the way, Berlin is freezing in December. So it's a couple blocks from the hotel over to the Congress and I braved it across. It takes about 10, 15 minutes before your lips come back and you can actually start to form words again. So there's this talk that I wanted to see at the Congress and I watched it. It was great. There was a gap before the next talk that I wanted to see, and the whole decision was, do I go back to the hotel and go out in the frigid Berlin winter, or do I find something else to kind of pass the time? It's CCC. It's easy to find things to pass the time there. And there was a talk that was going on about WikiLeaks. Remember, 2009: no State Department cables, nothing like that at this point. WikiLeaks had been around, but it wasn't in the popular vernacular. It wasn't a household name. So I look and go, oh, what it takes to run WikiLeaks, you know, how we do it behind the scenes operationally. I'm like, that's cool. And the talk's in English and it's inside, so yay.
And I'm looking at it and I'm like, Julian Assange, Julian Assange, you know. And the name was ringing a bell, but it didn't mean anything yet because, of course, it hadn't hit me. Now I saw him up on stage and, you know, he's kind of physically striking, the kind of shocking blonde-white hair, sharply dressed. And I recognized the voice, and it took almost the entire talk before it dawned on me that I knew him by a different name. I knew him as Proff. Some of you remember Proff, some of you remember Strobe that he wrote like ages ago. You know, he was over at, it was suburbia.net, I think, proff@suburbia.net. And I was like, holy crap, this is the same guy who I've known, you know, for years. I hadn't seen him in like a decade, or I hadn't interacted with him online. At one point, I think he was even managing Sun's security updates and patches for all of the distributions of SunOS at sunsite.unc.edu. So we should have nominated that for, you know, possible or potential, you know, epic ownage. That's kind of cool, if you think about that. So after the talk, I was all excited and, you know, I went up to him, waited until the crowds kind of died, smaller crowds outside, he's having a cigarette. And I said, oh, this is going to be fun, because I'd cut my hair. You know, I didn't have the... If you've seen the shirts, most people remember me looking slightly different. And of course, I'm like, oh, I'm going to play with this a little bit. So, you know, I walk up to him, I know he doesn't know my voice, and of course he's not going to physically recognize me. So I do that whole, like, you know, hacker jerk sort of thing, say something that, you know, it's like, what the hell, how did they know that? It kind of just set up a state of detente. And I go, hey, when's the last time somebody called you Proff? And he looks at me weird, and I'm like, oh, if you think that's weird...
Did they ever find out why the MD5 checksums on those Solaris update patches didn't match the actual patches that people installed? Oh, at SunSITE, right? And he's just looking at me like, who the heck is this guy? And probably, possibly, because he hadn't, you know, heard the phrase "Proff" for a while. And it could very well be that, you know, he had no clue what I was talking about with the latter one. And I go, hey, you know, it's me, it's Mudge, Mudge from the L0pht sort of thing. And he kind of relaxed. And, you know, we chuckled about it. And I was like, hey, you know, you were really, really passionate up on stage about, you know, WikiLeaks. What was the real impetus? What was the turning point that made you do that? Because the last I had seen you, you were leaving the hack scene, going off to academia to do your advanced degree. He was working on a cryptographically based file system, a rubberhose file system for duress-based decryption. And I said, you know, where'd you go? You know, all the old gang and everything haven't seen you. So we chatted and he said, you know, let's go out and have dinner. So, you know, we spent the next several hours over food in Berlin. And we were chatting. And I wanted to know just how passionate he was and how far he was willing to go on it. So I asked him a hypothetical question. I said, let's suppose back in the day, my thing was I collected packet captures of everything. Let's assume some of those packet captures have you going into other systems. You know, beyond a shadow of a doubt. If I submitted those packet captures, you know, kind of incriminating you, to WikiLeaks, would you release them? And he looked at me, and it only took a couple seconds, and he said, hey, we get some very similar sorts of questions, because people ask us, you know, kind of in parallel, if someone were to send us a list of the contributors to WikiLeaks, would we publish it?
And the answer is that, you know, we don't want to know who our contributors are, because we want to keep the protection there, being WikiLeaks. I'm speaking as him from memory here. So we try to get in touch with the folks that contributed, but we won't know who they are, so ultimately, in case that list is real, we would have to publish it. I was like, oh, that's cool. And then he just, you know, we moved on to the next topic. Now, if any of you have actually interacted with him or know somebody who has, they'll tell you that he is a very smart person, and that's absolutely right. And it took me probably an hour to realize that he never answered my question. But he told me a really interesting story, because he told me, and this is what stuck with me in 2009 from that dinner, what the turning point was. Now, maybe this was a story just for me. Maybe it was, you know, kind of the appropriate thing, but I took this to be kind of ground truth and it stuck with me, which is why I'm telling you. And I used to tell people inside the government the same thing when later WikiLeaks kind of popped up. He said, yeah, I had gone off. I was over at university doing my graduate work, something essentially fundamental research, which means something to the government folks. And he said it was funded, you know, by the U.S. government. It was a grant, you know, from like NSA-type, DARPA sort of funding. I don't know if those were the actual agencies. And he said it was during that time period where there was a big pullback from the DOD. And the message that the universities received was, we're not funding you to do basic research anymore. It's all classified now. His work got rolled up in that. Now, whether that was actually why it was being pulled back or if that was just the perceived message, I don't know. So if you think about it, here's a non-U.S. citizen who's changed, who's made a life decision to go to graduate work, kind of leave the community that we knew him in.
And all of a sudden, his funding gets pulled and he's told that he's not allowed to know what it was that he was doing, not allowed to know what it was that he had discovered, and no actual reason as to why the funding was pulled. I mean, that's kind of what it's like when you're a graduate student and somebody pulls your funding sort of thing. And this just really, really rubbed him wrong. And he said this is the wrong reason for classification, if that's why he lost his funding. This is designed to keep people ignorant and withhold information to keep folks disadvantaged. And he said it was at that point that he decided that he was going to devote his life to exposing people who tried to keep secrets. And hence WikiLeaks was born. So when folks in the DOD would ask me, hey, do you know this WikiLeaks thing and what are your thoughts on how we could address it, they were a little surprised with my answer going, well, you know, by some accounts, the government actually created it in the first place. It was at that point during the night at the restaurant, Julian goes, well, so, you know, that's what I've been doing for the past 10 years. You know, what are you up to? I said, oh, I'm about to go work at DARPA. So that's my first story. Second story is about Anonymous and the Department of Defense. I remember Anonymous from way back. I mean, Anonymous, I use it as like, you know, a proper noun, but obviously we're all familiar and it's much more, it's kind of a movement, a thought, you know, it's more ephemeral than that. And when I remember them, they, you know, they were going after Scientology and the RIAA, and there was all the 4chan stuff or the soap opera stuff going on. And at some point, their scope or their targets, you know, expanded to include the government. And general wisdom was that the triggering event was the DOD's response to WikiLeaks and Manning, et cetera. But the way I saw it, there was actually something else that was a bit more subtle that folks hadn't realized.
So in 2011, the DOD released the Strategy for Operating in Cyberspace. There was some very minor backlash to some of the wording initially. I think there was an initial, you know, small leaked version of it that went out, and it was followed by a later one. But there was some more specific backlash and chatter in the hacker researcher community. The strategy stated that the DOD was going to, you know, treat cyberspace as a domain to conduct operations in. And it appeared kind of modeled off of outer space, you know, treating space as, you know, these are DOD-ish words, a domain. And there were some confused conversations going, why is anybody upset if you treat cyberspace as a domain? You know, there wasn't that much upset with treating space that way, and, you know, nobody lives in cyberspace. You could only hear a statement like that inside the government. Because if you think about it, you know, we all live in cyberspace. And the hacker researcher community made cyberspace, I'm really not a fan of that word, made the internet and, you know, online, you know, our home well before the government and everybody else kind of made it just, you know, where they always lived and did everything in. So if you send a message that, you know, that's somebody's backyard and that you're going to militarize and, you know, prep for war in somebody's backyard, that can sound really scary. And it can galvanize folks to respond. One of the problems was there was not an understanding as to who the message was actually intended for. So in addition to treating it as a domain, they said something else, which was, and I'm paraphrasing, in response to hacks, we'll consider responding with kinetic force. So if you don't actually specifically call out who the recipient of the message is, everybody reading it thinks it's directed to them. I read it. I thought it was directed to me. And I'm going like, you know, what the heck?
You know, I joke with my buddy and I replace his, you know, the HTML, you know, the main webpage, and that's considered a hack, and all of a sudden I've got somebody launching a Patriot missile at me. This makes no sense. You know, what level of hack? Because if we look at like CFAA response, you know, maybe they actually think a Patriot missile is the right thing for, you know, defacing a website. I don't know. And none of these are the right questions, because I'm not the intended audience. But of course I'm reading it as if I was. And of course the logical next question is, wait, do they understand how attribution works? Because, you know, what if I do it, you know, bouncing through an ally? You know, what if I do it from within the U.S.? Are they going to kinetically respond against themselves? I mean, this is, and you kind of go, okay, wait, you know, back up. If the message were directed to, let's say, you know, other countries, other, you know, somebody in specific that's got significant power, and they say, look, we're talking about critical infrastructure or something of that nature. If you turn off the lights in New York, we'll probably be able to figure out who you are, because you're not a small little hacker defacing websites, and maybe there's attribution in place that we can respond to. That would have been an entirely different sort of message. And I wouldn't have read it as the whole like, wow, if I get root on something in my own system, you mean the government is going to shoot me? Which is just silly. But I wasn't the only person who read it that way. And it's nice having been in this field and in the hacker researcher community for, jeez, going on almost 25 years. Actually, over 25 years. And some folks were sending me, they're like, hey, have you seen what's going on in the chat rooms? And there were some folks who were claiming affiliation with, or claiming support of, Anonymous that were going, hey, you know, have you read this?
Look who's trying to prep for war in our backyards. You know, do they even understand how attribution works? This is bullshit. If they think they can find me, it's on, let's go. And the next thing you know, there were a couple websites defaced. And they ended in .gov. Now, this is where it gets kind of funky. Defacing a website, it's kind of a message. It's a little warning shot. But that's in a language that Govies don't know. So the Govies didn't get the message as far as, you know, what I saw. So here's the initial Strategy for Operating in Cyberspace that goes out. It's probably directed to somebody else, but by poor messaging it's misinterpreted by a group. The warning shot isn't understood. And it's like, hey, what are these vagabonds doing? Look at the little street punks or whatever. They're not somebody who actually has a message that we should actually engage in. And it's just this little cascading effect. So that's kind of unfortunately where I saw, you know, the expanding of scope and a lot of misunderstanding. I'm not saying the two groups should be friends. I'm not saying one group is good and one group is bad. But when you send a message out into the world, and this is for both groups, you really need to make sure it's understandable by all the parties that are going to receive it. You can't assume it's just going to be read by the person you had in mind. With all love and respect, there's one very obvious commonality between the hacker researcher group and the government, and that is that they can be very arrogant and expect everybody will speak their own language and that they don't have to speak anybody else's. And I think that's a really common mistake. So the recommendation for the government, from my vantage point of both sides, is figure out how your messages are going to be received by the more general populace of cyberspace, because we all live there now. This is actually a great opportunity for diplomacy.
And you can kind of think of it like the lost city of Atlantis. Because cyberspace kind of took the world by surprise. Obviously, it hasn't been around that long. So what if Atlantis just popped back up and there was an advanced, very technically capable group of people there? You wouldn't sit there and ignore them. You wouldn't taunt them. You wouldn't attack them. You'd probably actually try and understand them and figure out how messaging to somebody else might be interpreted by them. You might even try and figure out where you guys already see things eye to eye and where you have differences. So my recommendation to the citizens of cyberspace is, keep in mind that the government, and in particular the DOD, has very specific focuses and goals. And they often only see things from their own point of view, really focused on doing that job. And when you read things that appear to be a message directed to you or your community coming from an unlikely source, you should question whether or not the message is actually intended for you, or if it's just intended for somebody else and really poorly worded. And if you still think a response is necessary, you really need to think about the message that you're sending to make sure that you don't make the same mistake in return. Another story is, well, let me give you a little background. I know a lot of people approach me outside of work and go, hey, Mudge, you know what's going on? We're all owned. And these were large companies that are oftentimes funded by taxpayer money. I'll just say that they're large government contracting organizations. And it's like, hey, why don't you like start a program that actually pays us to go clean up the compromises and at least figure out what happened and how bad the damage was. Isn't that your job? And it made me think that there's actually not a financial incentive for these companies to actually go fix the problems. So the next question was, is the inverse true?
Can government contractors actually make more money by remaining compromised and continuing to lose intellectual property? And the next question is, what the hell? This one is called Game Theory Is a Bitch. A lot of these stories start with me having dinner, because I'm always out having dinner somewhere. I don't cook. I was having dinner with an old friend, and his company goes in and cleans up APT after big well-known names get compromised, whether they're government contractors or commercial organizations. Shooting the crap back and forth, and he said, hey, what do you think about the following chain of events? First, RSA gets compromised. Networks defended by their tools are vulnerable, and as a result a defense contractor gets compromised. Said defense contractor, if you look it up on Wikipedia, is the one who made this really cool stealth drone. Later, a really cool stealth drone goes missing over in a Middle Eastern state. What do you think about that chain of events? I'm like, that's terrifying. And he's like, yeah. And I'm like, no, no, for an entirely different reason. Look at it this way. I have no clue. That's a hypothetical. And there are a whole bunch of rumors about what had happened. But let's assume that you, as a country or a large organization, your advantage is technology. You can field the fastest and the best technology. So you're ahead of everybody. That's your advantage. Newest, most advanced toys. Someone else steals some of your tech. What do you have to do? You've got to replace it with newer tech. Right? You've got to keep your advantage. So suppose a government contractor gets some super tech stolen. What does their government customer actually need to do? Well, the government in that case, and this is all game theory hypothetical, needs to pay someone to make the next version so that the people who just stole it don't achieve parity, so that they're not even.
They could go to some other government contractor because, of course, you know, the one in question just lost everything. But they actually most likely won't. And here's probably why. The initial contract for very expensive research efforts can take a long time to put in place. You're talking over a year, sometimes longer than that; sometimes you measure it in years rather than months. Part of the coolness of CFT was that we were measuring that in days. Imagine if you're under sequestration, which is what we're under now. It can take even longer. So if a government agency wanted to start a new program to replace tech, that's essentially starting the same program to do the same thing that you were already paying somebody to do. You're not going to have permission to do that because, A, you've got to go justify taxpayer money, and we just gave you the money to do that. And B, when you spin it back up, you're going to have to redo a lot of work. You're going to have to redo the contracting that you already had in place. You're going to have to spin people up to speed on the management side. You're going to have to re-spin up the tech side, and you've spent years putting that in place. So why wouldn't you just go back to the people that you already have a relationship with, already have a contract with? You know what they lost, or maybe you know what they lost and stuff, and you can tell them because they're your customer. So you just pay them to give you the next thing. Remember, they're not financially incentivized to go fix how they were actually compromised in the first place or clean it up. Staying with a really familiar solution or situation is comfortable, which makes it a trap that a government funding source can actually be particularly susceptible to.
You can view this on a case-by-case basis, and kind of staying with the same contractor could even make sense, but if you step back and listen to what's been talked about in the media, you may see something that's a larger picture that seems like an endless list of technologies and IP being stolen. And each time it happens, that company is in a situation where, A, there's really no penalties or reprimands for it, and on the contrary, they're actually rewarded with more funding. Because their customer needs to make the next tech to replace the stuff that just got stolen, to replace the stuff that just got stolen, to replace the stuff that just got stolen. So, yeah, Game Theory is a bitch, because if you look at it from this angle, and part of the neat thing about game theory is you can fall into game theoretics without realizing that you're doing it, government contractors can actually be in a situation, or are actually in a situation, where they're financially incentivized to leave their networks compromised and not actually really deal with the problem, perhaps with the drastic changes that need to be made. The fourth and kind of closing story, and maybe I'll do a fifth story about Barnaby Jack in Abu Dhabi. Yeah, I think I'll do that. The fourth story, sorry, I just mentioned Barnaby Jack and I just started getting a little teary. I think I might stick with just the fourth story, then. The fourth story, closing, is more of a kind of plea to both the government communities and the hacker researcher communities, because from the vantage point of both, I don't have a lot of examples of our community, the hacker researcher community, really reaching out in a proactive and positive way to educate and enlighten the government. We do it, but we do it really ad hoc. And I think we need to try a little harder to do specific examples. I've been a little upset about some other things in the news lately.
And actually one of your options, it is a scary option, is to actually go inside and try and fix them there. People will fight you tooth and nail. It is not for the faint of heart. That's actually what I did when I went over to DARPA. I didn't go there because I thought it was cool. I didn't go there because I wanted to be a part of the government. I actually went there because I thought that they and other parts of the government had kind of lost their way. And I had an opportunity to go in and fix it. I did get a really nice unofficial email from somebody recently, and it was about CFT, which makes me think that we actually, because you guys were all a big part of that, did manage to pull some of that off. So I'm going to quote from this email I got to my personal account, and the person said: I recently had a meeting with all the agencies and DOD services, and listening to them, it was my turn to be terrified because of how out of touch with reality they were with cyber security and cyber defenses, and it made me realize how much I and the DOD owe you, and that's us, for Cyber Fast Track. And here's the part where I was really happy: I thought CFT was showing the government how they should be doing contracting, but now I actually understand what you were doing. It was showing the government what the real state of the art is, and why they should be afraid of people from the inside who continue to just preach the status quo and throw money at the same problems the same way they have done before.
So that was actually pretty cool, because somebody there is starting to realize that. And I've heard people at high levels, flag officers, a couple pockets, were starting to refer to hacker researchers as, you know, researchers. It was hacker equals researcher, not hacker equals criminal, and I thought that was really cool. It's not saying that we should go all in and support the DOD, and I'm not telling you you should like the DOD. I've got a lot of issues with the DOD, I'll continue to, and I'm sure they've got a lot of issues with me; this talk might even be one of them. But what happens there is, now that they know where some of the real ideas and some of the real talent come from, they're undoubtedly going to try and reach out and tap into it in various ways. And this kind of goes back to an earlier story, where they kind of projected their problems and their images and their goals on somebody else, so there's likely to be some uninformed and failed outreach efforts. So I've got a couple of recommendations to the government that maybe will help with that. So I think it's really cool when government officials throw on blue jeans and a black t-shirt, because of course then they're part of our community, but that's not necessarily all there is to interacting with us. And it makes sense, before you present at a conference like this, that you should probably consider attending one and actually interacting and getting to know the people. There was one guy, there was a three-star general who did that at ShmooCon, and I thought that was one of the coolest things. And he wasn't there for any agenda, and I remember conversations with him afterwards. He actually had an understanding. He was like, oh, this is awesome, no, there's no way people should try and go in and mess with them or try and co-opt them. And I was like, yeah, exactly, you know, that's us, that's the citizen, that's the population of the U.S. So the message to the other ones who haven't really made that turn is, go actually interact. Now the response
I'd get was, the schedule's too crazy, can't possibly do it. And I saw those schedules, and sometimes I was even on those schedules, but if it's important enough... I acknowledge they are crazy schedules. These guys work like, like bears, which isn't to say that they sleep for half a year. Bad analogy. As soon as I said it, I was going to say like a swear word, and bears came out instead. Anyway, if it's important enough for you to want to reach out to a community, you've got to go out and you've got to make the effort, and you've got to put it in your schedule, and you've got to go interact with them on a one-on-one level first, because that's showing your homework, and doing your homework shows respect. The next suggestion to them is, um, and this is what I tried to encourage inside, is you can't go out and do a recruiting pitch, because it comes across really poorly. I used to get so bent out of shape when I would see a gov stand up at a hacker conference, and I'm like, here it comes: we do awesome stuff, but we can't tell you anything about it, trust us. You with the Mohawk, if you, you know, shaved your hair, if you put on a suit, maybe even a uniform, stop smoking dope, you could come work for us and do something with your life. And it's like, that's how I interpreted it. Now that might not be the message. It might just be a, look, you know, we need help and we're trying to reach out to you, but it's just a take, take, take sort of message. What can you do for us today? What can you do for us now? You know, to me it was offensive. What would it be like if you had a senior official from a very technical agency come out and actually give a technical talk? Because this is a meritocracy. That's where this community came from. A meritocracy is, your value in the community is based upon how much you contribute to that community. And that's one of the reasons why I was really happy that, because I know a lot of people are like, why the hell did Mudge go over and go to the DoD? He was one of us, now he's one of them. And I had spent 15-20 years
contributing to this community, and I wasn't about to stop. And when I was there, I was able to actually fight for this community and try and make sure that the interactions were a little bit better and that we were treated and engaged with normally. And those 10-15 years of contribution gave me enough grace period to build trust up again on both sides. And you've got to do that, and you do that by interacting with people. So the value of somebody in one of those agencies coming and giving a technical talk wouldn't be that you learn something really cool about how SELinux was actually done and why it was done, or what the internal battles were to get it across. It wouldn't be that somebody is going through the technical components of one of the patents, one of the numerous patents that are out there, let's say IP geolocation, the ones that we've read about. It would actually be that they're engaging us and interacting with us in our own language and treating us as peers and starting a dialogue. So I think I will give the Barnaby one after this one. Here, am I telling us, am I pleading, that we should not challenge the government?
Absolutely not. I think challenging the government is your patriotic duty as a citizen. I think it is very important to do. It's painful for both sides, but it's something that has to happen, and it's why we're such a great nation. We also need to, I mean, you can't train a dog just by repeatedly beating it. I mean, it will learn some stuff at some point, so when you see the dog do something good, it's nice to give it a treat. And there are certain little pockets inside the government, and one of the things that I think that we as a community can do better is, yes, we need to challenge the stuff that we're seeing, we need to challenge the things that are in the news, but if you see a small pocket of hope, like if you see a congresswoman that's helping put through Aaron's Law, you know, changing things like CFAA, we're noticing people, well, excuse me, somebody's going to change CFAA, we need to support them. We need to help them. We need to encourage them for actually going, because they're going to get a lot of crap thrown at them, and they're actually doing the right thing, and there's not a lot of people supporting them. So we need to be more vocal as a community to actually support them. There was a colonel in the Army who managed to get the NSA to have Little Brother as a book that they read as part of their training. Have you read Little Brother, Cory Doctorow?
that's awesome that helps sensitivities that guy caught a lot of crap for that and it was really cool I mean there's nothing wrong with that book that book gives you a new way of looking at things and the more ways you have of looking at it the more understanding you have and the more positive outcome that guy is also he was one of the people who encouraged the cadets to actually go out and talk at our conferences and contribute so build your own UAV at a 99.99% discount by Mike Wiegit was an example of that and that's engaging and that's actually sharing and it created dialogues at Shmucon he and his colleague walked through their training course that they ran at Fort Meade to try and socialize folks it was lessons at the Kobayashi Maru I highly recommend you go watch this talk because he had to teach them how to cheat and it's hilarious and it's insightful and it's humanizing most importantly it's humanizing so where we see those pockets of hope and of outreach and of engagement I'd just really like to ask all of us to try and figure out a way for each time to encourage the good behavior okay so let me try and get my Barnaby one without actually breaking down into tears here see if I pull myself together it's a real quick one but it's my little tribute to them because there's two things that happened interactions with Barnaby that I'll always remember I mean I remember all of the interactions but two really stand out one was a talk I was on the steering committee of NDSS if I could bring in some folks to run some demos that would kind of break the academics out of the academic mold and what better people than Barnaby Jack when he was working with EI and the rest of the EI team to actually come in the problem is that the conference like a lot of conferences is very cheap they wouldn't pay them to come do the work or whatever so I said alright guys the drinking bill the night before is on me I'll just foot the bill myself which is a very very dangerous thing to do 
Barnaby had a great time I don't think they went to sleep they just kept drinking they were on in the morning and the audience at NDSS I don't think actually really understood how cool the technology was that was being demonstrated because this is almost 10 years ago at this point and Barnaby was remotely compromising a wireless router replacing the firmware and then trojanning the Microsoft updates that were going through it over the wire to the system and then they were demonstrating a boot root where they were getting an Ethernet so a computer that was told not to boot up the network the Ethernet adapter was on the PCI board so it had direct memory access and it would still emit a boot pee packet and if you responded to it the Ethernet board would actually shove it directly in memory and boot from the network even if your BIOS didn't have that capability so of course they would say here is your base operating system it has a little hypervisor and then of course the operating system would load up on top of it this is a decade ago, this was awesome and the reason why I don't think any of the audience actually caught the technical part of those talks is because Barnaby nearly threw up on stage 10 times in the middle of trying to give that talk and everybody in the first row was terrified that they were at some perverse form of a Gallagher hacker show and then the other thing I remember about Barnaby was I had just got in and I was working for DARPA and my first public speaking engagement as a US official was in Abu Dhabi so here I am first time, the government is a little nervous about me I'm a little nervous about them I'm flying under my government official passport not my blue tourist passport so all the coordination between the countries that I imagine has to go on with those folks in Abu Dhabi and it was actually to do the keynote for black adults the first year they were over there and it was the first time ever that I was showing parts of the cyber-analytic 
framework that I drove at DARPA and it was my way of trying to get a small group of peers that I could interact with and talk like does this make sense or am I full of crap and Barnaby was there and the gruck is there and those are two people that put together that will deplete the world's alcohol supplies and he was doing his jackpotting ATM machines now the UAE has a lot of money they've come into since the 70s and in the palace there is an ATM machine that dispenses gold bars very expensive gold bars not like you've got like a $200 withdrawal limit I mean these are in the tens if not hundreds, I can't remember how high up the price was there might have been the ability to withdraw a million dollar gold bar from it and some of you might have seen the picture of Barnaby kind of going like that so Barnaby's had a few drinks and they see the gold ATM machine I was like why so why do you think it works and they're peering behind it and everything and the folks I think it's the son or one of the relatives of the Crown Prince who I knew from a prior life was looking at me going what's going on and they're all starting to gather around the gold ATM and I forget who it was that tweeted and said I remember Barnaby and the UAE basically or not the embassy calling the embassy to make sure everything was okay so it wasn't the embassy it was me having to go over and talk to people who are part of the court of the Crown Prince and explaining no I know you're not used to extremely heavy drinkers and you just invited a bunch of hackers into your country and they've demonstrated a bunch of crazy terrifying things and now they're eyeing your million dollar gold bending machine it's Barnaby Jack, he's cool don't worry about it, I'll tell you what you probably want to know if your million dollar gold bending machine has this problem so why don't you let them do a little bit and then when they walk away why don't you pull the plug on the thing and then move it off the floor and sure 
enough everybody got a little tired because of course there's some research that has to go into these things and the alcohol fueling only lasts so long and when everybody got a little tired and decided to walk away the next day you see there's this big curtain pulled around everything and nobody's allowed near the thing but you know so there was no reach out to the embassy and there was no international incident but there was Barnaby Jack and he'll be missed thank you so I'm John Oberhide but I'm joined up here by just a very small subset of the CFT performers that were involved with Mudge's program cyber fast track so we want to take an opportunity hold on a second I just wanted to get up here and thank Mudge for all of his efforts inside DARPA with this program we all had a lot of fun you've seen some of the research that's come out of it at Def Con and Black Hat and there'll only be more that's coming out soon but we also wanted to thank him for his entire career from loft to DARPA and Google I'm sure there's many more interesting things to come so please give your strongest round of applause for Mudge and everything's done for the security community there's more we're not done so what we didn't mention is hopefully I'm going to say a few things about Mudge and hopefully some other people that have participated in CFT will as well my name is Joe Grand and I've known Mudge for a really long time and I was in the loft back I guess we met in 1990 I was like a 15 year old punk little kid and ended up getting in trouble for some things joined the loft and Mudge came in around the same time and I don't know if I ever told him this but he was one of my mentors growing up from that point as a 16 year old kid everybody else in the loft was older the experience of somebody that was like 6 or 8, I don't know how 20 years older than me I don't exactly know he never actually told me his age but it was something that I got to sort of follow along I was in the loft and it was 
a great experience and I sort of grew up in that from 16 to 22 after we started that steak we sort of disappeared for a while Mudge went one way, I went another some of the other guys sort of disappeared and then he sort of surfaced I guess 2008 or 2009 and all of a sudden Mudge is back and he's in DARPA and I was like holy shit Mudge is back and he's working for the man and here I was grew up with him in the loft and there's a lot of stuff in the loft that you guys don't know and it was awesome and I didn't really know what to think I was still involved in DEF CON and it was just to me seeing that I was like wow that was a big jump and that takes some serious balls to do that and I could never imagine doing that and I think everyone was like what's going to happen what's he actually going to do out there so it turned out to be an amazing thing CFT happened and a huge number of my friends ended up doing all these projects Charlie Miller had two projects and I was like how is everybody doing all this stuff like I want to do a project for CFT and I was running with Charlie one day and he's like yeah you should do it man and Mudge has this whole thing wrapped up you just write a proposal and he reads it and if it gets approved they'll just send you money and you can work on stuff I'm like really is it that easy he's like yeah do it so that was last year so I was like I don't know do I want to work for Mudge again like we were in the loft and I don't want him to be my boss for real this was his huge complaint I'm like they'll give you money he's like I don't want to work for Mudge yeah so but he's like it's not working for Mudge you know some other group takes care of it so I'm like alright cool and I thought it was a great thing that he was doing so I submitted a project that got rejected and I'm not sure I'm allowed to say this because I don't know if it was part of the official process but he called me up and like 15 minutes later he calls me he's like I need to 
talk to you in person about this I don't want to just send you an email so he explained the process to me I'm like alright that's cool too much engineering whatever it didn't fit the DARPA thing the CFT thing I'm like okay that's fine but it sort of drove me to I was like I gotta get a CFT in all my friends are doing it I gotta take advantage of this while I can before it goes away I'm like I'm not doing it right now and it occurred to me that it's a it's not that you can like you're doing this project to make money right you're not doing a job to make money it's the fact that you're able to get money to do what you want to do you do what you love to do and you're not losing money it's sort of what it is and that's sort of what we tried to do at the loft is like do what we want to do and not lose money but make sure I just wanted to say that I don't know if you notice on the back could someone turn around on the back of these shirts it says making the theoretical practical since 1992 and I don't know how we came up with that but that was one that was one quote that we talked about writing exploits and kind of showing vendors like look this is a possibility but the one that isn't on the back of this shirt is what we always used to say about making a dent in the universe when we were at the loft we came up with that so we we'd be in interviews and news stuff and press and Mudger would always say we're going to make a dent in the universe and I was like yeah yeah yeah I said it but I was like this total bullshit like how are we going to make a dent in the universe we're like seven guys with he had long hair as you know and seven guys in a warehouse like how are we going to actually make a dent in the universe other than in the hacker community that's like a small that's not the universe that's our universe but it's not the universe we believed it you know and I was sort of like I was going along with it but he believed it and it didn't actually hit me until he got to 
DARPA and did CFT and it's like holy shit he did make a dent in the universe you know like that what he did in the work that came out of CFT like totally changed the world whether it's immediate or whether it's later it changed the government it changed the thought process it's amazing so I just wanted to personally thank them and welcome them back out of working for the man back into like the normal world so thanks I do also have to say that Charlie is responsible for probably 70% of the CFTs that were submitted I had a very similar phone call with him I don't know a couple years back I remember distinctly and you know people have a very interesting opinion of what it's like to participate in any sort of DARPA or government grant and you know speaking with Charlie and learning about the streamline process and the kind of low overhead it takes to get a grant through and actually get funding to again do what you want to do and was very attractive so I think this program itself was wildly successful alone but I think it's also changed a lot of our personal views about dealing with the government I hope that can continue with CFT with the next program manager I would also say that BitSys are there any of the BitSys guys up here so BitSys helped run the program for DARPA so we'll give them a round of applause ourselves because they're great to work with I hadn't registered for DefCon in over 20 years which brings some perspective and I've known this guy for a very very very long time and he always wanted to be something greater than the average bear and to change things and I don't know if he mind me saying this but I'll say it anyway back in the day when his hunger was great he asked me to take over Loft which is probably a bad idea for a variety of reasons but I had faith in them that he is going to figure it out and he did and I've worked for him now for the last couple of years unfortunately I've been fired by him because the program is ending but congratulations 
guy you really did good thank you I just want to say something super quick we're hackers and we're individuals and we hate anyone speaking for us but Mudge is pretty much the only guy that I'll let speak for me anytime he wants