Okay. Good morning, everybody. I'm Nick. This is Josh. We're going to do a few introductions and then we'll jump right into the content here. So I'm Nick Percoco. I have always been and I currently am a hacker. Yeah. And let's try that again. And in my day life, day job, I actually run a small team called SpiderLabs at Trustwave. And some of the background, so I've done a lot of speaking. I've done my eighth time speaking here at DEF CON. And I spoke on stage at TED. I've also keynoted RSA this past year. And here's Josh. Good morning. So I'm Josh Corman. In my day job, I am director of security intelligence for Akamai. My comments today are my own and may not reflect those of my employers. I've kind of been wrestling with being a philosopher in a hacker community. But I think I've come to own it. And I think my research is trended from things like espionage or malware to things that affect our personal lives and human rights and public safety. And that's really taken me down a path for today's topic. So a little bit about where we came from and where we're going. You know, this talk is actually not a presentation. This is a discussion. This is a discussion between me and Josh here on stage. And a discussion with all of you. And this is not a finished presentation. So if you're expecting at the end of this to have us to solve the world's problems here, that's not the intent. This is the start of a conversation. And we also have right there, sort of mid-audience there, we have a microphone. It's there for you to use. If you have a question, you have a comment, you want something to add to the conversation, please use it. But also note that we have a finite number of time here on stage, 45 minutes to be exact. And so please, if you can't fit your comments and questions in 140 characters, please save it for the Q&A session. And we will have a Q&A. There's no Q&A room. But afterwards, please join us in the Chill Out Lounge to continue the discussion.
You know, part of the impetus for this is that for how many of you have been to DEF CON before? Okay. A lot of new people here this year. I don't know if you noticed. It's both encouraging and overwhelming. But a lot of us got into hacking because it was our hobby, right? And when we weren't paying attention, how many of you noticed that it kind of accidentally became our profession, right? Kind of messed up. But actually, we weren't paying attention again. Now, IT security, which was our hobby, and then our job is now permeating every aspect of our personal lives and our personal safety and our kids. We're putting software in places it does not belong and is not married. We have medical devices that are completely punishable with no encryption whatsoever on their Bluetooth stacks that are unnecessary. As I tried to buy a car, I couldn't find one without a hackable operating system. If you go to Shodan, you can find default user names and passwords for control systems for power grids, for hydroelectric dams. I mean, this isn't FUD, this is real. And as we depend on software in places, it needs to be dependable. And in the presence of attackers, it needs to be defensible. And I guess every time I want to quit security, I realize that our failures are going to be inherited by me, my body, my mind, my soul, and my family. So don't think today is how do you get better at your day job. Think about how do you actually hack your personal life and your personal freedoms, and that should be the scope of today. So a couple of weeks ago, I decided to do a juice cleanse. Has anybody ever done one of those before? A couple of people. Yeah. So you spend three days drinking six bottles of juice and nothing else. Besides having interesting bowel activity, it also gave me very vivid dreams when I would sleep. And so at night I would go to bed at night and I would wake up in the morning with these sort of memories, these odd memories.
You know, when you wake up in the morning or you wake up from a dream and you're sort of disoriented and you think, well, that was real. That was almost a real experience within a dream. Well, I had a few of those a couple of weeks ago. The first dream that I jotted down that I took notes about, I was on a bus, the whole dream just sort of took place on a bus, and I didn't know really where we were going. I was a little bit confused, but I saw people I recognized. I saw people sitting with paperwork in front of them, with computers in front of them, and I started to ask questions. You know, where are we? Where are we going? And I soon realized that we're all going to apply for federally issued software development licenses. That each of us, and somebody actually showed me they had one that was expired. They needed to renew their license, or they could not even write a bit of code. So I thought that was pretty interesting to sort of have that dream. One of the other dreams I had that I took notes about, I was actually in a hotel. I travel quite often. I actually travel all over the world almost constantly, and I knew in the morning when you walk out of your hotel in the USA Today paper is sitting there on the floor, and you see the headlines, sort of how you get woken up in the morning. I remember looking, glancing down at that paper, I was off to a meeting and saw on the headlines, and it said Florida man, said Florida man arrested for hacking tools, possession of hacking tools. I remember flipping open the paper, reading page seven about what that story was about, and showed a logo of Metasploit, and it mentioned Nmap, and mentioned Nessus, and other tools on there that people might have in their possession. I thought that was interesting. And then another dream that I had, and I started soon realizing that these weren't necessarily dreams, they were vivid, but they were actually nightmares.
And this third dream, I was walking down the street in Chicago, sort of dusk, you know, the sun's going down, turned down an alley, and walked up to a door. I rang the bell, and I remember being able to see, sort of, there was a camera shining on me. I rang the bell and they buzzed me in. I went up, walked up three flights of stairs, walked into a Chicago apartment, and there was guys and girls milling about having discussions. Over on one side of the room, there was a MakerBot. Other side of the room, there was a cluster of monitors. In another area, there was some electronics laying about, and of course, a lot of cables all over the floor. Somebody I recognized actually handed me a beer and said, hey, welcome. The discussion is going to start in a little while. So I sort of took my seat and started saying hi to people. And then all of a sudden, the lights went out. The electricity went out. All the power went out in this apartment. And one of the initial reactions, I remember someone in the background saying, oh, fucking ComEd. The power went out again. But then we started hearing banging on the front door, and then banging on the back door. And men came into the room wearing black shirts, black pants, black boots. And they started to say, we are under arrest for the violation of some act. I can't really recall what that act was. And they lined us up against the wall, and then one by one, it started to zip tie us, our arms and our legs, and carry us down the stairs. Now, this was a nightmare that I had. Obviously, it's not real. But it's very much grounded in reality, in the things that we experience today. If you extend what is going on today, five, 10 years from now, I can see a time when some place like DEF CON can't exist. But we don't have to. There's a better way. I can see a time when friends are being arrested for writing tools. We're being criminalized for research, but we don't have to. So when Nick told me his dreams, I had two thoughts.
First, I'm never doing a juice cleanse. And I said, you know, this isn't FUD. You know, let's get real. These are actual precedents. Whether you love or hate weev, weev's case is very dangerous precedent for the criminalization of research. This community does and lives and thrives on our ability to do pervasively do security research. If you saw the aggressive prosecution of the late Aaron Swartz and all the Aaron's Law discussions coming from this, do you know there's a state law in Texas that makes it technically illegal to do a port scan? And for my international friends, Germany and France have already specifically outlined certain hacker tools that are really just assessment and Nmap-type things. And I actually learned last night that Brazil, after some actress had some nudie photos revealed, they passed under duress a law that basically makes it criminalized to have things like Nmap or any port scanning tools at all. So this isn't FUD or fear. This is things that are actually happening. And it's up to us, in lieu of any adults in the room, to be the adults. Now, that should terrify you, right? But what it dawned on me over the last couple of years, you know, I was researching Anonymous here two years ago at DEF CON. And one of the things I was concerned about is some sort of neo-McCarthyism when you had a lot of aggressive high profile acts and demonstration of hacking will, whether you like them or not, it captured hearts and minds and it scared policy makers. And when powerful people are uninformed, they make powerfully uninformed knee-jerks. And I, you know, he started off in his intro saying he is now and always was a hacker. I fear the need to say I am not now nor have I ever been a hacker in our near future. And if you're not worried about it, you really, really should be. Because policymakers aren't as technically literate as this community is.
And that's really the thrust of this talk is that I think a lot of us, even our best and brightest researchers, even our, you know, A-listers, so to speak, every time I ask them why they aren't more concerned, they're like, someone's going to come fix it. Let me tell you something. No one's coming. The people who are going to fix it are to the left of you, to the right of you, or in your own chair. And that was really the bit flip for me. So another part of this is that, you know, for personal reasons, I basically hit rock bottom in January. I lost my mom at 58. Had a pretty tough year last year. It really throws into context what's important to you and how much time you have. And I felt like I was diminished, that I couldn't really contribute. And what I realized is, you know, people don't really make changes until they hit rock bottom, right? If you want to be a science person, no one changes until the pain of maintaining inertia exceeds the pain of making change. Well, it hurts pretty bad right now. It sucks. There's a general malaise here. Yes, we've had a great week at DEF CON, but there were more talks about burnout and suicide and depression. And there were also a lot of talks that had absolutely nothing to do with security because there's an implicit defeatism. And we don't have to accept that defeat. So there's actually a value in hitting rock bottom. And that value says when no one's coming to save us, it falls to us, right? And if you don't see good things happening, we can put good things in. So at my mom's funeral, I said, you know, the absence of heat is, you know, cold is the absence of heat. Black, darkness is the absence of light. And maybe it's not that there's evil in the world, but maybe there's an absence of good. And I realized that each one of us can finally take matters in our own hands and put in that leadership that's sort of lacking. Nature abhors a vacuum. And I can hear the sucking sound. And it's time to fill that vacuum. 
Now, what that means is no matter how much we hate certain things, the alternative is worse. So we continue to fail. We don't have to fail in the same way, right? So we're actually suggesting some pretty radically uncomfortable experimentation. I can't believe we're at DEF CON and we're actually going to suggest these things. But we haven't really engaged in the formal process and how things work in the world. You know, there's no senators or congressmen who are experts on stem cell research. They rely on subject matter experts, think tanks, lobbies, et cetera. And as much as we hate these ideas, we're going to ask you to both tolerate and participate in a series of very uncomfortable and very unnatural acts. And this means we already have EFF, EFF has done fabulous things for our community. We haven't really had a voice of interest for our profession and for our talent and expertise. So now we're actually going to be suggesting and starting. We're doing it with or without your help, but we'd love your help. A 501(c)(3) think tank for professionalization of research. Number two, a 501(c)(4) lobby, even though we think they're horribly corrupt and corruptible, it's finally time that we have access to the corridors of power. We're also going to professionalize. We're going to do it very carefully so that we don't become the monsters we fight. But just like the Bar Association for lawyers or the American Medical Association, giving a voice to the priorities of this community that is public and can give commentary on public policy and public events that's credible, literate, and a voice of reason. And then possibly most importantly, we need to integrate a PR or media campaign to win hearts and minds. We have some of the best social engineers on earth, but we've done a really, really bad job setting the narrative. I love seeing Nick on, you know, the mainstream news or on the TED stage, but more often from the last few years, we've seen Legate.
So once again, we can take that microphone and bully pulpit and we can have the right spokespeople with the right messages to actually represent our community interests. Do you want anything to add? What's the chain of influence? So whether we like it or not, what we do, what we say, how we dress, what we do in our everyday lives influences people. The words that are coming out of my mouth right now on stage may be influencing you in a positive way, maybe influencing you in a negative way. You may take something that Josh and I have said and talk to somebody else and that message will relay to them. But that chain continues. Now unfortunately, when we take someone from our community, someone who's a hacker from our community and put them in front of a policymaker or a senator or a global government, this is not just a U.S. issue, this is a global issue. What they see is not someone they trust and someone who's an expert, but they see a hacker. And so while the research that that hacker is doing may be vital to our existence, it may have life-benefiting needs behind it. They still see a hacker. And so what we're doing within this movement is trying to organize, better organize. You can have the breakers. You can have the hackers. They're vitally important to our community. But then you also need people who go and come up with the fixes. Now the breakers may be the same people that come up with the fixes, but they don't have to be. So if you're someone who out here likes to break things, how many people like to break things in the room? Okay. How many people also like to fix things or like to fix things? So you're part of this as well. But it's not just the people in this room. We also need people to continue that chain. And we need people from all different backgrounds. Also people who represent the various industries.
So when we go follow that chain and we put someone in front of policymakers, or we put someone who's on national television or international news, they may be someone who has one foot in our community and one foot in the industry that we're focusing on, whether it's the medical community or the automotive industry or the transportation networks, whatever that may be. So we get to think like hackers, right? So I want to recognize somebody who's done some outstanding work in the room. Jay Radcliffe, can you stand up? So much like the Hair Club for Men, Jay is not just a researcher, but he's also a client. So Jay hacked his insulin pump a couple years back and has since done some hacking on several different medical devices. And one of the frustrating things for me as I watched this, I looked at that and I said, that research matters. It really matters. It affects public good. And maybe he did it because he didn't want to die or get hacked at an airport. But a lot of the research we do is fun, but does it really matter? We're going to find the 700th piece of Android malware. Is that really going to differentiate you as a researcher as you try to make fame and glory for yourself or a name? When we throw these over the fence, does it work? So I really dug into this and I saw that the work that Jay and others have done and also the huge loss of Barnaby Jack. I mean, those two were really doing some outstanding work. And it's a huge loss. We were already planning to include Barnaby in this. And that's very, very, there's no words for that. But you know, when we looked at that, they really have a hard time, right? It's hard to, we thought about the kill chain. Everyone know the Lockheed Martin kill chain for how bad guys get stuff out of your network? We need a kill chain. And what I saw is it was really tough for him to get and procure more devices to test.
And he did a really good job testing it and finding vulnerability, but then he went to the vendor and didn't work, right? The vendor pushed back, you know, ridiculed, denied, defused. And I'm sure some vendors are better than others. But we really had a really hard time getting that into affecting some sort of change. And instead of us looking on activities like I found 0-day or I published a phone or I have some, you know, different presentation at some different conference, we wanted to see how do you pull that through all the way through to a result. So I went to this guy, Kevin Fu, who is a Ph.D. in industry and he's been studying a lot of these medical device flaws. There's way more than you could possibly imagine. And we're still not getting through. So I asked why. And it's the FDA is one of the bottlenecks. They didn't have the ability to reject devices. And they're not actually putting in new framing to allow for better granularity. So an individual researcher can have a really hard time going through multiple gates and multiple obstacles. And really what we want to do is we want to work with people in industry and map that chain of influence and then fuzz it and try and iterate and fail fast. And focus on, we're not done until we actually see some sort of substantive change in how we raise the bar and do care for putting elective attack surface on life-saving technologies. So that's just a deep example on one of these. But these are tractable. They look overwhelming. And maybe it's not Jay who's going to be the one on CNN or maybe he's not going to be the one who does the driver development to fix it, but we have the talent in the room for every single step along the way. So there might be some people and even when Josh and I were first talking, thinking, well, this is really hard. This is going to be very hard. This is not going to be something that's going to be easy. But we often do very difficult things.
And there's dozens and dozens of talks here at DEF CON about very, very difficult things that are being done in the technical world. So to put it a little different perspective, we have a little clip to show you. If you can dodge a wrench, you can dodge a ball. If we can hack something, X, fill in something, an iPhone, a SCADA system, if you can hack anything, we can hack this. But we have to be organized. We have to work together. We have to put the right people in the right roles to get this done. Like we mentioned earlier, you can't put a hacker in front of a senator because they see a hacker, but we have to put the right people. And we have people in this room that can fill all those roles. Every single one of you has a role to play and can use their best skills, their best techniques to help drive this home. Jailbreaking the system. It's incredibly difficult to find the jailbreak and implement it and to weaponize something in order to perform a jailbreak. Very, very complicated. We can do that with this system. And like Josh mentioned earlier, some of our best social engineers are in this room or at this conference. Some of the best social engineers in the entire world are in the hacking community. But that doesn't mean we need to be dishonest and try to deceive people. But we use those skills. It's exactly the same skills that the best CEOs on the planet have for selling their investors on something. We need those people to step up and actually play that role as well. So how do we do this? Yeah, I really like the fact that we're calling out that everybody does have a role. It's not a platitude. We really mean it. I mean, right when I said on Twitter that Jay was giving a presentation at BSides, and I said one of the biggest bottlenecks is getting devices. And three people we've never heard of replied and said, oh, I know how to get them. You have something you can do.
And I was talking to a young guy from Portland, Maine yesterday, and he pointed out that one of his first jobs was doing device drivers at a local SCADA systems operating system shop. You don't even have to be a hacker. You can just write really, really solid security-aware code for one of those vendors. I couldn't find a 0-day to save my life, but I've been very accepted by crossover into talking to government people. He did a TED talk. I was in Vanity Fair. It's like, I can take the technical stuff we do here, and I can actually make it mainstream accessible and get in front of policy makers. There are actually six of us hacker types at a UN meeting in Toronto this spring. There's Jeff Moss, me, Batelik, Miko, opponent and some others. And they were listening to us as the technical voice of reason. Now, the bad news is we didn't get very organized, but you don't have to be a rock star, you know, A-list name to actually contribute to the research that we're actually carrying to the outside world. Now, when I say anybody can play a role, I'm also speaking to those pillars in our industry, our tribal chieftains, because this is going to be really, really hard. And in a leadership role, we're going to need our toughest battles require our strongest warriors. So we really, really need not just a grassroots kind of like, yeah, yeah, rah, rah. We need people to take leadership roles as executive directors on some of these different manifestations. Now, forget the term platform per se. This is a straw man, but we think we've put a lot of thought to this and reiterated this. So for sake of beating up, in fact, we're going to be using this to take it to the meeting in eight weeks, which we will discuss. But we really see that there's three ways to secure our future. We have to keep a very small list of priorities so we don't spread ourselves too thin. We can learn how to do this on a few topics and then we can move out.
But essentially, I think we need to focus on public good and safety. And that's really why I wanted to call out Jay and Charlie Miller, by the way, and Chris Valasek, did you see their amazing car hack? Now, whether they did it for altruistic reasons or not doesn't matter. My neighbors were asking me about it. I got a flood of emails from people who don't know anything about our industry, saying I had absolutely no idea how much of a car can be controlled via software. So we have a few people doing research like this, but I would like to challenge us through this program to say let's get a critical mass of lots of you. If you're going to pick an Android malware, don't. Go pick a medical device. Go pick an auto OS. Go pick a control system. Because if we can demonstrate that we are doing a unique public good for public safety, guess what we can stave off? We can actually carve off and demonstrate and earn the permission with the hearts and minds that what we're doing is critically necessary and therefore requires that we can stave off the criminalization research. This is your first time speaking at DEF CON, huh? No. What? Are you lying? No. This is your first time. No, it's not. I don't think we're going to get away with it anyhow. Oh, good. Nice. You've got, oh, yes. It sounds like I've been smoking here before, but fuck you now. We're getting trolled by PW Crack. Okay. But, you know, even if you don't care about public good and public safety, you just want to be a narcissistic vulnerability pimp to avoid that criminalization, this is how we're going to do it, right? So if you're going to pick something next, you pick something that matters, whether you're a father or a mother or an uncle or an aunt, it doesn't really necessarily matter if you want to help public good. Be selfish. If we do some things that are clearly valuable that no one else can provide and we do it in an intelligent way, we give the right PR and AR air cover for that. 
You know, we're going to demonstrate that this isn't something to be criminalized. You know, I don't know if you saw the Obama clip about Snowden. He's not going to scramble jets for a 29-year-old hacker. We're going to take that back and demonstrate that we can do this. The next, the last bullet in this one that really my Anonymous research and my research into the UN and ITU is I'm very, very worried that technology and civil liberties and human rights are not compatible, right? We're seeing the battle and the entanglement between the two, and civil liberties and human rights are losing. They're losing big time. And part of it is because people are evil. And part of it is people like power. But another huge part of it is they're just illiterate. You know, I had very powerful people in government say we should empower the carriers to do deep packet inspection, to stave off the erosion of intellectual property to China by enabling the deep packet inspection to do signature antivirus. And I spit out my drink. I'm like, you do realize the efficacy of signature antivirus for state-sponsored adversaries is zero. And essentially, that's really bad math, right? So I can't stop them from questioning should we trade civil liberties and Fourth Amendment for safety, but I can tell them that it won't actually grant them safety. So we need to do that for ourselves because we live in the world too. If you really squint, what we're basically describing will resonate, little piece that will resonate with almost everybody in the room, but more importantly almost everybody in the mainstream, because really what we're talking about is protecting our bodies, our minds and our souls. So there's some next steps. So as we spoke about earlier, this isn't a complete, we don't have the answer for you, but we have some next steps that we want to discuss. So the first of the next steps is naming the movement. We don't have a name.
You have, we have some stickers up here that have some phrases on it, but we actually don't have it named the movement. So if you have ideas, please let us know. We're very interested. We're all ears. There's also forming an executive and advisory board. Now this is not going to just be people from our community. We want to identify those people. We want to identify those people that have one foot in our industry and another foot in another, because that's where we'll get the most traction. Also holding a Constitutional Congress, a meeting of anybody who wants to participate. Let's get these things on paper. Let's brainstorm how we're going to organize. And this isn't hand-waving. The guys at DerbyCon have given us a space eight weeks from now. We will be holding the first Hacker Constitutional Congress for interested parties at DerbyCon. And for those that can't make it, we're going to look into some way to remote people in. But our tribal chiefs and coalition of the willing and the folks that actually want to make sure that we do this intelligently and we have the right platform and the right issues to promote. We're going to do this right. The other piece is to share the results. We're not forming a secret society here. We want to share these results with people. We want you to have feedback into those results and understand what's going on at all times. And so we do have a Twitter account you can follow, but we're working on ways to better communicate. And a lot of that will be figured out at the Hacker Constitutional Congress and what the protocols will be using. And then of course executing projects, building the think tanks to be able to take the medical research and put it in front of the right people that can change the way they think about what we're doing. So we're not going to teach you to be experts on all the different international and domestic legal organizations. But what we can do and hope to do is just flip that one bit.
If you thought someone was going to come fix this for you, we want you to realize that the Cavalry isn't coming. It's you. Now it's going to be difficult. It's going to take time. We're going to have struggles. We're also a fairly cynical group. So we're going to point out all the ways this won't work. But it's time to start failing fast and iterating. And I'm willing to take the lumps and bruises. And I'm looking at this as a marathon and not a sprint. And if not now, then when? And if it's not you, then who? So yes, we have stickers. Yes, we have Twitter handles. But what we really need is you. So I have a question for you. And I know some of you were itching to get to the mic. But how are you going to help make this real? And who's in? Stand up. Stand up if you're in. The adults. The microphone. Yes. Hi there. Gary Reimer. This is my first DEF CON. And I've been coming here because I want to get full blown into the security world. And while I'm not a security geek like a lot of the people here, I can communicate with anybody from a CEO to a janitor. And if I can understand it, I can help them understand it. And you had me sold five minutes ago, which is why I want to be first on the mic. I'm going to give you my cards. I want to get your cards. I want to be part of this. I don't know how I can contribute, but darn I want to. Yes. I just want to say the Fourth Amendment is already the middle ground between the government can do anything it wants. And the government can't do anything at all. We wrote a specific set of rules that they have to follow, a warrant based on probable cause and witnesses. This is as far as we should go, period. The second part of that is more rules and more laws and more regulations are not going to fix this. You know, we had some cognitive dis ‑‑ I appreciate your comments. We had some cognitive dissonance about this because we tend to be a fairly libertarianish group. We tend not to like formal powers of structure.
That's why I was saying we need to hold our nose and eat our lima beans. And even if you hate these things, this is a set of value levers. And when you're jailbreaking an iPhone, you don't think about how it should or shouldn't be. You find a way to get it done. And I still carry cognitive dissonance over this. You know, I'm the guy who called PCI the No Child Left Behind Act. The last thing I want to do is push more and more regulation and brittle things. I think the spirit of this is using every available mechanism. And we haven't tried these yet. And I'm not sure they'll work. You know, I had some very critical people say you need to be transgressive. You need to be ‑‑ you know, break the law. You got to be more aggressive. We got to take Anonymous up ten notches or something like that. And I thought historically about things. I'm not trying to equate this to it. But, you know, the Black Panthers were very aggressive. They were ‑‑ they're scaring people. They weren't really causing substantive legal change. And then you had the civil rights movement, which was more moderate and engaging in the system. And it's unclear if one could have succeeded without the other. But I don't want to leave these options on the table. And even if I get my butt kicked and we're ridiculed and made fun of, it's okay because we have to try something. And I think that's why we want to have the Hacker Constitutional Congress. We really want to establish what are our first principles and how do we avoid becoming the monsters that we fight. So I'm hyperconscious of your concern. I share it. And I also just want to connect the dots with some things that are happening. EFF does their part. There's also Fork the Law. There's also a whole bunch of amicus briefs written for weev to try to work with the judicial process. And there's a whole bunch of law professors here. And the thing that broke my heart was none of those little groups were talking to each other.
So some of the pieces contradicted each other. So even if it's just aligning and getting critical mass on the existing initiatives to force multiply them, that's reasonable. I think some of us are more angry and more aggressive than others. And I hope that's why we're going to figure out what we can agree on and make sure that we keep ourselves honest. It's going to take a lot of work. So I do share your concerns. Thank you.

Hi. My name is Sarah Jeffery. And I actually am really very, very grateful that you brought up weev's case. I do prison support for weev, Andrew, I mean Jeremy Hammond, Barrett Brown, and Bradley Manning. And all four of them have a CFAA charge in their rap sheet. I was at the defense of Bradley Manning and for about six hours of the first day they were discussing the difference between an EXE file, an installable file, and a shortcut of a CD on a given drive. What? Okay. And this is part of a court martial for one of the biggest leaks. Okay. Get the fuck out. This is important. The reason I'm not backing down is because every single one of you here is being persecuted like the actual activists. And weev has had 60 days of admin segregation for tweeting from prison. Barrett Brown has detoxed from opiates without medication. Jeremy Hammond has been in over 80 days of confinement for making inmates create Anonymous paraphernalia during their art projects. Bradley Manning has been tortured for six months, naked 23 hours a day. And they called him a hacker just like the way they did with Snowden. And they're using the word devil you get as a hacker tool. These are all in the actual court proceedings. You can read them from Freedom Press Foundation. They're coming for all of you. So you guys need to put the egos aside. That's all I wanted to say.

Thank you for your comments. That falls directly in line with the discussion of the preservation of security research.
As a security researcher, I've done things in the last couple of years which I may not want to do today, just because of the chance of the broad application of CFAA. So thank you.

Hi. You guys have talked a lot about legislation that you don't want governments to institute against hackers. What about any legislation that you might want to institute that would provide a counteracting effect? Like, for example, holding vendors of vulnerable systems more accountable?

I'm not sure people heard that. I had a little echo there. But again, that cognitive dissonance is ever present in my mind, that I don't want to necessarily add a ton more legislation. It's more about fixing existing ones whenever possible. I think we should use it sparingly. But one of the things we've realized is there's a lot of things that divide us, back to the prior comment. Some people are like, why are you talking about an amicus brief for weev? He's a raging troll asshole or something like that. And I said it doesn't matter if you think he's a raging troll asshole. Even if you don't like him, it's like The People vs. Larry Flynt. You didn't have to like pornography to like free speech. Since case law does dictate things, that's one of the reasons we have to hack some of the judicial process and participate in the working groups that are looking to rev CFAA. And it's not just for even the criminalization of research. People who are looking at defending themselves with hack back or active defense or various things that are also controversial. But one of the things that a lot of us that do application security realize is there's absolutely no software liability whatsoever. So if a toaster burns your house down, you can sue the people who make the toaster. If the Therac-25 machine gives you a lethal dose of cancer, you can't sue and win. And I don't think there's lots of good reasons for that. I've done a ton of research as to why the U.S.
doesn't want to add more regulation and hurt GDP and competitive edge and other places. But there's plenty of precedent in medical devices. You have the FDA. In cars, you have the five-star crash rating system. So it's about shoehorning in and hacking existing regulations and laws to maybe just tweak them instead of creating them from whole cloth.

Two quick questions, pick what you want. Most of the populations you're talking about trying to channel here tend to prefer true democracy, one person, one vote, one voice, one vote. What we work in for the most part to do legislation is representative democracy, which is a very different system. How do you plan to resolve that without alienating people? And then the other one is, you've got a lot of people standing up here. It's awesome. I love to see that too. How are you going to keep those same people as enthusiastic at six months, 12 months, 18 months, 24 months?

Yeah, great points, great questions. I think the reason we want to have that constitutional Congress is we want to decide how we're going to make decisions. You decide how to decide and there'll be trade-offs to all those and, you know, anything volunteer-esque is going to have its ups and downs. I think the reason that this will have some staying power, especially if we get some early movement and wins, is regardless of your motivational structure. If you're altruistic, you know, if you want to do good, there's plenty of built-in motivation to it. But even if you're a narcissistic vulnerability pimp, once we have this Hearts and Minds thing in place, you know, I was talking to someone who's like, I don't care, I just want to get famous. And I said, okay, well, how much access and, you know, relationship do you have with CNN or Vanity Fair or whatnot? We could be a force multiplication and platform as a service for broadcasting good work. So there's some built-in incentives, regardless of your motivational structure, to get some benefit out of this.
And I think because we're so frustrated and because there is no other line of defense, and it falls to us, I'm hoping that that gets a little bit of movement. Plus, we just need to get an early win. And I think we have a couple in mind. We've done a lot of pre-homework. Did I answer the second question?

So I just wanted to say, while it is easier to subvert existing processes, we can use the same lobbyist organization or professional board or whatever to advocate repeal of existing law that we disagree with. We don't necessarily have to just roll with whatever's there. A voice is a voice. And we can use that to repeal law whole cloth. So for people who have reservations about that.

That's true. Absolutely. Thank you.

Again, the choice between two questions. One is, we know we can save people. We can save, we can swoop in and rescue the public. But how do we make this more public? How do we shout out that we've done this? And the second is, if you're familiar with the 501 medical device registration and where that fits in in the class 2 FDA, could you speak to how we can get software elevated to even a class 3 device?

Okay. So I'm not the expert on the medical device pump. But that's why we've sought out people like Kevin. In fact, Kevin does a great job within his scope and remit. But when I talked to him about the Bluetooth, just a tiny anecdote before we run out of time. He said, I said, why do you even need Bluetooth on an insulin pump? And he said, you know, it's not like it's a pacemaker where it's under the scanner. And he said, well, it's the bacon principle. What the hell are you talking about? And he said, everything's better with bacon. Everything's better with Bluetooth. So one manufacturer did it. And then they all had to do it because it was cool. And what you have is something that's not medically relevant. That's highly attackable in a life-saving situation. So we need those subject matter experts to answer the spirit of your question.
And that's what we mean by mapping these. I think the roles and responsibilities we're hoping each of you can do is once we've mapped that kill chain for a particular industry, then we can start iterating. And the pushback I gave him was he said, well, Josh, the FDA had a choice between failing to approve a medically life-saving technology or being afraid of a theoretical hack. And I said, okay, fine. They had to rubber stamp it. But they could have also said, by 2015, anyone putting elective, remotely accessible technologies onto a medical device will incur additional scrutiny for adversarial testing and validation. There's ways to look at this as a marathon. And even if they couldn't do it with current things, you keep iterating. I'm not trying to trivialize it. It's actually far more complicated than that. But keeping at it and asking the questions and being the tenacious hacker that fuzzes that kill chain and fuzzes the chain of influence, we're going to have a win.

So first of all, I think that a lot of people, like my mother, couldn't put together that hacking is related to safety. And it was a matter of teaching her, well, you know, you have to find these vulnerabilities. When you find them, then they can be fixed. And until that point, somebody could exploit them without you being aware. So putting the spin on it being about the safety of our families is super important. And second of all, how will you prevent an organization of hackers from being open to abuse? Because I feel like every time I see hackers organize, they do things like hoard exploits, and it just doesn't work out so well.

That's a concern that's come up often. You know, one of the things we actually said in our Anonymous research was it was very prone to infiltration and hijacking. And there were several governments and political groups infiltrating and trying to hijack.
But one of the things about hackers that's interesting, I think Quinn Norton said this, is that they're prone to influence, but you can't control them, right? So we're really hard to control. It's almost the virtue of us being so chaotic. I think this is going to be hard. I think keep bringing these criticisms. In fact, we have time for probably one more question, but then we're going to go to the room. We want to flag every single one of these, because we don't want to just try something. We want to actually succeed at something. So keep raising these concerns. Oh, look, it's Jay. All right, well, last question, how fitting, is Jay Radcliffe?

All right, so guys, this week I spent all week talking to media about a talk I gave at Black Hat and at BSides, in which a software flaw put me closer to death than I would have liked. And when I approached the vendor about this, they said, you should have read the manual. And we're not fixing that. If you think that, you know, these things are in the future and that they're coming, they're not. They're here right now. And we need to change these things right now. And I can find a hundred medical device flaws and I'm still going to get the same response. It's going to take a mass movement. It's going to take all of us getting on the same page to make this problem change. I can do all these things, but I'm not going to move the rock an inch forward without more help. Exactly like Josh is talking about, in the media, in lobbying groups, in places that we haven't been before, and there's no reason that we can't get together and move that system.

Thank you. So we're out of time, but this conversation doesn't have to stop. Please join us for Q&A in the Chill Out Lounge immediately after this talk. Thank you.