 Anyhow, my name is Peter Berghammer and I write for a number of magazines. Some of them you may have heard of, some of them maybe not. Some are technical, some are consumer-oriented. I also provide a lot of security hardware and software reviews, but those are always without bylines. Some of the magazines I write for are Dealerscope, which is primarily for retailers, dealers, distributors throughout the United States. I handle corporate ethics, security issues, things like that for them. Media line, which goes to studios. I write a legal and studio law and security column that goes with them. And then you can see they just go on and on and on. Additionally, I own a couple of different companies too, and I kind of enjoy it because it allows me to kind of sit at different places in the food chain when it comes to journalism and things like that. The original company is Caperneo, and it's not a pitch at all. It doesn't really apply to anything today, but we're aerospace and defense. We've been around for almost a decade now. And then future formats, we do CE research and analysis, primarily for the big CE companies like Philips and Sony. So we do a lot of research in that area. And then we just recently launched some VC-funded work going on there. So, you know, it's rare on talks, and at least this is a nice intimate audience, so I don't have to worry too much. But the state of journalism today, it's always important, and I think especially at this one today, for me really to, and we'll get to it a little later in the presentation, but it's kind of important for me to put these disclaimers up, that these are just my opinions. The magazines I write for have nothing at all to do with this whatsoever. They could care less what I have to say, so I'm very, very fortunate in that regard. They do care about what I write, however, so that's always a problem. It's just public commentary. 
It's in no way an endorsement of anyone's products or non-endorsement if I criticize someone. It's not legal advice as long as we can be clear on that issue as well. It's not ethical advice. I really, really don't care. And although we'll come back to it, I have in this last sentence, in today's world these disclaimers are part of the business, and I think what we're beginning to see as journalists, and I see it, it's already happened to me just so everyone knows that I'm speaking from firsthand experience, is the pharmaceutical companies, for example, last year already started suing journalists who wrote things that are very, very critical of their products. One case that comes to mind is a sugar substitute known as Splenda, and it was a fairly nasty little lawsuit, and I've had my share too, and so I always put these in here that this disclaimer is really just a casual talk for what it is here at DEF CON just to kind of have a good time and no pressure or anything else. But what probably is the oddest thing going on is that these terms that are bandied around, whether it's at Black Hat or at DEF CON, security and research, we all know what they mean, or at least we think we do, but when I talk to people and when I have sources who contact me with breaches or notifications or things like that, there's a huge gray area, and it seems to me that everyone has their own idea of what security means, what research means, also from my perspective, and it's not a fairly controversial statement, but I do actually, I've almost come to the opinion that the term hacking and the phrase hacker has really become a very meaningless phrase, and I don't mean that as an affront to anyone here, it's just it means so many different things to so many different people, it encompasses so many different topics that it's really almost a meaningless term because it means so much. 
So on bullet point number two, with the publications and the websites, security generally is meant to describe all the things related to a consumer's secure use of hardware and software. That's the big picture stuff, whether it's PC World or the LA Times or Contra Costa Times, those types of things. Generally when we're referring to that, we're talking in the consumer world. However, on the corporate world, security has a completely different context. So security research in this context also describes a company's best efforts to keep the product safe and secure. Now again, it doesn't mean much when you say best efforts, but best efforts is already a baseline gray area that can be exploited one way or the other, and we're going to take a couple of examples a little later in the talk and see what exactly is meant by best efforts. A security researcher though, meaning you guys in the audience, typically, and I think journalists like to portray you that way, you're kind of this lone mythic figure, maybe a loner working late at night, those types of things, and you're protecting us from harm or you're causing us great harm. There's really not a lot of middle ground in between the two. So you're protecting us from all the stuff that the average consumer is really worried about. Viruses, Trojans, you name it, phishing, pharming, even spam gets lumped into that whole thing. And it's really kind of a nice poetic notion that journalists generally try to present about the hacking community in general. Now that's the white hat hackers. The black hat hackers, we just kind of flip all the terms over and turn you into crazy, maladapted individuals that are out to create malicious harm and vindictive harm. So in our sense at least, it's really unclear what we mean, now speaking as a journalist, it's really unclear what we mean when we say this company is trying to keep a product safe and secure, this company is trying to keep this consumer's computer safe and secure. 
In other words, safe for who? The user or, and it's also probably a little more certain, protecting the company's intellectual property. And the same goes for research and researchers, you know, in the audience here. What are you researching? What are the ends? What are the means? And in whose best interests? If there are any best interests. Sometimes it's just the pursuit of the challenge and it makes perfect sense to me. Before you have any conclusions reached today, though, about, especially this little one, safe for who? The user or the company's intellectual property. I really, really strongly suggest that you read the EULAs. You know, just for the heck of it, read some of the EULAs accompanying in the Clickwrap and Shrinkwrap agreements that come with your software. You might really get a kick out of what's actually being asked of you and what's being expected of you in the use. And you know, another question, and I'm not going to go into it today because that's really a legal issue, but it concerns this whole changing notion of what ownership means. Ownership of software, ownership of film, ownership of music. That whole concept has fundamentally shifted in the past, well, I'd say five years, but in particular in the past three years, that has so changed that the notion itself of owning a piece of software or owning a song, owning a film, completely, completely different than it was a few years ago. Another issue that we sometimes confront are these terms of security and privacy because security, privacy, they're used interchangeably. It's almost in a sentence you could mix up the words and no one would really know the difference. No one would really question. Now, to this audience, I know you know the difference between security and privacy, but if you think in terms of the broader publications or TV shows that cover this type of stuff, these two terms are almost used interchangeably. However, and I'll point that out again, they're definitely not. 
Under no circumstances are they anywhere close to one another. Security refers to the core integrity of a communication. That's it, not just in this context, but in general. Point A to point B, the integrity, that core integrity of the communication, the assurance that that exists is what we mean when we're talking about security. You'd be amazed at how many people in my profession at least don't know that. Even for me, I find it kind of amusing. Privacy, however, it refers to the confidentiality of the sender, even if the sender doesn't want to be anonymous or confidential, or of the thing, because we're also talking about interactive devices like mice or DVD players or any of these types of things. The privacy still refers to the confidentiality of the sender. It therefore becomes the sender's choice whether or not they wish to be revealed or reveal their identity. Anonymity is a subset of privacy and cannot exist without security. So anonymity is kind of a catch-all in its own. It falls under privacy, but it can exist with the superstructure around it that's known as security. Yeah. Sorry about that. Do you want to make a quick announcement in case someone has already found it? I heard a really interesting chat from Symantec the other day, and Andrew Lytle was his name, and he brought up a very interesting point. First of all, I'm going to give him credit for having said this bullet point number one. But what I liked about it was very comprehensively summing up in plain English what privacy means. And in his essence, and I really liked it quite a bit, it's meant just being left alone. It's being left to your own devices. Taking that a couple of steps further, really when you're seeing a misuse of privacy and security, what's really happening here at its core is that there's a denial of personal autonomy. In other words, we're trying to manipulate you, we're trying to change you, we're trying to influence your actions, those types of things. 
In other words, you're not making your own decisions, you're being influenced to make those. I've heard a lot of complaints today about the press. We'll come back to this point on that one too. So in other words, the misuse of information is just used to manipulate. So if we're breaking down security into its simplest constituent parts, it really just comes down to identifying, codifying and tracking communications. It may seem surprising to some of you that tracking actually falls into that, but we'll get also onto that during the wrap-up. In other words, a device that has no connection to the wider world is of no interest whatsoever when we talk about security. So if you have a device that's not connected to anything on a network, connected to the internet or connected via a phone line or any number of issues here or infrared or any of those things, it's really a moot point in what we're discussing. Now there is a little bit of debate on security if some things like IRDA are enabled to what degree this little sentence might change, but right now just for the simplest purposes, and I'm sorry to really be focusing on this, but it's kind of an issue. So what we're saying is when we as journalists are talking about security, we really are discussing connected devices and the people that go with them generally on that one. The only exception to the rule, and there are a lot of films that deal with this type of stuff and it's very entertaining, not always very truthful but extremely entertaining, is when we're talking about personnel security, because then there's the machine and the machine itself may not be connected whatsoever to a network or anything along those lines if you think mission impossible or along those, but it's connected to a person per se because a person has access and they enter the room, they leave the room, all that type of stuff. 
That's the only exception, but really that's really something for another talk because it's a very, very intriguing world and it has its own subset of problems. The bad news at the start of the talk today is that hackers and security researchers really aren't that different from journalists in their methodology. Now I know there's, I've heard a lot of things about the press today and for anyone who saw earlier the Dateline Girl getting literally chased out of here by about 200 people, I know that passions run very, very high, but the methodology, the way hackers conduct their research or security researchers conduct their research because those two terms themselves aren't interchangeable, really doesn't differ that much from how we conduct our business as well. Sometimes we rely on the same stealth or subterfuge that a hacker might, sometimes we're really relying on the paper trail, the documentation, all those types of things in the same fashion that a legitimate security researcher might. And we face exactly the same problems that a security researcher or hacker faces when it comes to exposing the information that we suddenly come upon or that we're able to, that we want to print. Sometimes we can't print it in the same way that a security researcher is unable because of at least the full disclosure ethic, unable to do anything with the information they have until they've given the company a chance to rectify that issue. So all flavors of these terms really have a lot more profound issues. And security, and this is what I really enjoy when I go to the Black Hats, you know, and the DEF CONs, there's so many times where it really exists, this whole notion of autonomy, anonymity, security, all these types of things, they exist in a very abstract and theoretical sense, and yet they're tied down because of the code, they're tied down and they really take a good view towards the day-to-day implications of what happens, what does this mean. 
So for example, if your Flash file, and no offense to Flash because Flash has a very, very security model in that respect, but if you have a Flash file and you're able to corrupt it in a fashion, that's what you guys do. And what I do is I take a look at what happens, what are the implications of that, and there's a lot of music encoding work being done right now that's extremely fascinating, and we're going to talk about it from the other angle a bit later when it comes to the corporate abuse of those types of viruses, those types of worms. The other thing that I really find fascinating when I come here is that it almost always involves an intimate familiarity with the intricacies of the machine hardware, the patterns, the predictability, and a host of other topics, but it's a lot similar to another area that's really dear to my heart, physics. I really like this whole concept of the science behind what's being done because like it or not, it's an art, but it's also a science. So yeah, on the one hand, we have security researchers who are looking at it from the highly abstract, the theoretical sense, the advanced analytic sense. That's what, quite honestly, if we ever wind up chatting, that's kind of what floats my boat. That's what I like to write about in those areas. But really there's another issue that's starting to take shape and that's again where hackers and security researchers start to have other parallels with journalists and that's who are you working for? Who are you retained by? Who do you report to? That's a very, very interesting question ultimately because in the same sense that a scientist might conduct research as a journalist, when I look at people who come to me with flaws or other exposed type things or issues, you always kind of have to look at the motivations for doing that. Is it a purely altruistic thing? 
Earlier we referred to this Homeric notion of the hacker as someone who just very poetically is altruistically protecting the rights, the security of our communications. Now I'm talking about the white hats. I really like that concept, but then it gets a little compromised and you start thinking about who are they working for, what are they doing, what's the real motive here? That's my job, and my colleagues', to actually figure that out. I mean we try to figure that out all the time. It's also one of the reasons we don't talk to PR people very much because PR people, they spin a very good tale, but it's not necessarily what works for us or what's going to work for the article or the magazine or even our reader base. The other thing that's a little interesting is the flip side of the coin is the dark hat researcher, the hacker, I guess, is what we'll use for lack of a better term at the moment. Maybe they don't have any oversight. Maybe they're just out exploiting vulnerabilities and those types of things. To our way of thinking, when we're writing articles, when we're researching vulnerabilities in articles or we're even more importantly researching the lack of a corporate response to a vulnerability, it's not always an advantage that you're a dark hat when we get this information. And a lot of times I'm not sure that people understand that from a journalist perspective at least, we have kind of a chain of evidence that we have to preserve or a chain of evidence that we have to adhere to. If you work for a good publication, they're going to request that and require the paper trail. But more importantly, it's good to get the tips from the dark hats but that verification trail sometimes is non-existent. So you know you've got a story but there's absolutely nothing you can do about it. 
And you know I've mentioned earlier, journalists getting sued and I really would be surprised if in 2008, 2009 we don't start seeing that in, and it's probably a good thing for the EFFD here too but I would be extremely surprised if we didn't find product reviewers and security reviewers on the journalist side who weren't on the receiving end of some types of lawsuits either to shut them up or to sue them for lost profits. And believe me, I'm a big fan of security companies. I'm not even implying that the security company has any intention of suing. It could be something completely different but it's something to bear in mind that this chain of custody, this chain of evidence is a very important thing for us. Now the other problem in the security arena is that there's just such a vast number of types of journalists who cover this whole thing and there are just a vast number of publications and television shows that cover this type of stuff. I'd mentioned Dateline NBC earlier. Okay, I think we can safely assume it probably was going to be something a little more sensationalistic about the show here. Something a little darker, something a little more titillating I guess is what you'd say. But you also have people who have vested interests and advertisers, which is very important for magazines in particular and websites, whose products, so for example a Bank of America might be very, very happy if you're going to be covering the security area because B of A actually advertises on the side or in the magazine that you write for and you are kind of hyping their security methods by association only, okay? So it's just something to bear in mind with journalists. The good ones don't do that but as I'd mentioned there are all sorts of types of journalists, magazines, that type of stuff. Other types of journalists love the really sensationalistic stuff like when DOD loses a laptop or the Department of Veterans Affairs loses a laptop. 
We're going to talk about TJ Maxx in a little while, when they get hacked and credit card numbers are exposed, and that makes such a great story. People love that stuff. It speaks to all the core values that Americans who read that type of press really get a kick out of. Government, poor security policies, breaking the law, because there are laws governing encryption and how data should be stored on laptops and those types of things. So we really, really like that kind of stuff and there are a number of journalists who like to cover it. I'm not sure that it does any, and this is just a personal opinion, so again, I'm not sure it does anyone any favors in the security industry, that type of coverage. Quite frankly, I'm not sure that anyone benefits. It's just a gimme story. People read it because it's just as good as a dog bites man type story, but it's something to bear in mind. There are other people who cover things, and I earlier referred to it as the art of security and the ethical implications of what you do. So whether you're a corporate researcher or a black hat or those types of things, it's kind of a very, very interesting little area that there's a subset of journalists who are tremendously intelligent and hard-working, very, very diligent at what they do, who love to cover this type of stuff. They love to expose security breaches where there's been a corporation that's attempted to cover them up. It's a good read, it's a good story, it's good technology generally, very, very interesting stuff. And I know one or two guys, and that's always a personal choice, who actively work with black hats in order to open up security concerns, where I don't want to say they're soliciting it but perhaps encouraging it. The lines of legality on that one I'm completely unclear of, and it's not that I'm stupid, it's just that it's a really wide open area in that. 
And, you know, as a general rule of thumb and this applies to most of the journalists in the CE space as well, the consumer electronics area, in the security area, they're actually pretty well-versed in what they do. Some of them actually had corporate jobs, got tired of it and decided that, I had a couple hundred bucks of an article, I'll write this and everything's going to be fine and I'm still connected but I'm semi-retired and those types of things. I find them, by and large, extremely competent, really not that compromised by corporate concerns which is really a breath of fresh air. And I think in parentheses there, I said most of them are underpaid so realize myself as an exception but I don't accept money for the articles I write. Most of them really don't get nearly as much money as they deserve for the hard work they do and for the service to the industry on both sides of the fence that they do and there's not much we can do about that. There's generally a difference and I realize I'm covering a lot of semi-obvious ground for you guys but we'll go over this until we get to the more interesting stuff I guess but there is generally a difference between a printed publication and a website and what's really interesting to me right now is that a lot of publications, big, big publications that you all read at least once a week or at least once a month when it comes out, they're having a lot of trouble with their websites. It seems they can do one really well but not the other. So the ones that are doing really great publications are having a little bit of trouble with the traction on the website. They're not getting the types of numbers they want or those types of things or what they're finding is that their print publication readers are actually going to their website with a topic, term, or product and then leaving again. There's absolutely no traction whatsoever. 
I think it's an interesting one and it's an area that deserves a lot of analysis simply because no one's really sure why it's happening. I mean, so many fixes have been tried whether it's design or communities or the creation of networks. None of it's really worked right now so there is still to this day in the minds of consumers and technical people in particular that there's a real good understanding that there's a big difference between a publication and a website. Now, what's really interesting about that is it used to be that the printed word you could kind of go to the Washington Post or PC World, the real standby, great publications that you would get a depth of analysis and an understanding and more importantly kind of a breadth of information that you wouldn't be able to get from like a blog. Now, things have changed considerably now and what's really odd but in a good way odd is that blogs are actually driving most of the research and blogs are really driving most of the security concerns on the internet and in this community, our community as well. The print publications do a really good job. It's just coming up a little bit short and I think it's that timeliness factor that may have something to do with it. The profitability section of the whole thing really makes a very, very big difference and there's a lot lower overhead when you're operating a website and it has really, really profound implications for advertisers and also this whole notion of double checking content and even though I'm going to mention PC World yet one more time I don't work for them so there's no reason for that I'm just using them as a kind of a paragon of a really good publication. 
What's interesting is, for anyone who follows this whole beat in the consumer electronics software and hardware arena, about two months ago a new head of the publication came on board, and for outward appearances it would seem that he attempted to get the editor, Harry McCracken, to alter some of the stories based on good advertising from Apple and other types of things. That's something that is absolutely unprecedented at top-level publications, at most top-level publications. What's interesting is that Harry says, you know what? I'm out of here. And I know Harry personally, he's a guy of tremendous integrity, and I mean he just quit and that was that. He had a job at noon; at five o'clock he'd already been gone for an hour or so. Now there's probably a little bit more to the story, but what happened is that within 48 hours he was back at his post. There was such an uproar, and people found it so tasteless that there was this whole pay-for-play mentality going on, that product reviews could actually be altered based on what an advertiser wanted, that it really sent a strong message. And I hope, if you take anything away from the talk, you know, look for journalists that are like that, because it's rare but it's absolutely the most critical thing. And I mean he's not here, he deserves an enormous amount of credit.

Well, now I'm going to talk about the more serious journalists, the guys who take their profession pretty seriously and also see the broader implications of what you do and why it's so important. And we don't just see it as a question of security; we also see it as a matter of law. And thankfully we've had EFF here actually throughout this week, and we have a lot of the feds, very interesting people, lawyers, attorneys. It's almost as important right now when you go to Black Hat and you go to DEFCON. It's very interesting to me that the legal aspects and the legal implications of the work you do are as well attended as the seminars on what you do, and that's a fascinating comment on how interrelated it is.

You know, we also, and myself in particular, since I write a couple of international columns, I see this as a really important area of politics. The geopolitics of security is actually the great untapped story, actually, of any security convention. That's the one that's probably the most interesting, the most intriguing story I've come across in over a decade, and we'll get to it a little bit with Blu-ray and HD DVD and HDCP and HDMI and all those types of issues a little later. But this whole notion of geopolitics in the security arena, geopolitics and privacy, is an absolutely rich area. It probably just deserves more of a movie than it deserves an article, I would think. And then of course economics. Economics really is going to be one of the driving factors. Most of the time when we look at these issues, what we're seeing is that those very same issues revolve around personal freedom, your right to do and see and say what you want to say, censorship and constitutional law. It almost always has something at its core that deals with these issues, and then at an even deeper issue it deals with complexities that we talked about earlier with privacy, but also on things like cryptography and cryptography's role in guaranteeing your freedom of expression, guaranteeing your freedom of research, and the implications of what that means. And at its core, a journalist who will do a security colors the approach to the above topics. So if you get a journalist who thinks it's just a really great story that a kid, a little kiddie scripter, wrote an Outlook script and infected millions of mailboxes around the world without looking at the broader implications, fine, that's the kind of story you're going to get. But you also get journalists who really are looking at the deeper things, why it means so much. And I think at some level, and I've been to DEF CON a number of years now, those on the white hat and the black hat sides also understand that they just don't sometimes, just looking at it from the perspective of what happens if I get caught, that's why I need to, you know, talk or attend these legal things, that's why I need to go here from the EFF. It's much more than, I think, at a deeper level there's actually a very fundamental understanding that a real service, even on the dark hat side, a real service is being provided, albeit in obscure ways, but a very, very real service.

You know, as I mentioned earlier, security bloggers are really now the mainstay of serious security research. That ability to log on morning, noon and night and actually get adequate, literally up-to-the-minute reporting on security flaws, exploits, vulnerabilities, viruses, you name it, is really, really a very, very important feature, and for that, print journalists such as myself, we play no role whatsoever. So by extension already we're kind of missing out on what I think is one of the most interesting and most timely portions of this, and again it refers to that timeliness, and the intensity of near-real-time reporting just can't be beat. I mean, I can't even imagine how you could do your jobs without having that resource. It is hoped, but it's not always true, but it's hoped that print journalists can still bring a better analytical and deeper cross-related view of events to bear on any type of issue that's out there. That's really where this whole breakout between blogging and print is headed, is that there is an attempt, and eWeek for example does it very, very well, where there's a depth of reporting that they're able to accomplish that just can't be done on a blog. So it's a very interesting little mix-up as far as that goes. The sentence at the end is kind of an awkward one because it says in some very few cases, however, print can be compromised by the very audience it seeks to reach. I would be lying if I told you that when I write articles I get a lot of pressure back, not from my publications, not from the editors or even the advertisers. I've, knock on wood, I've never ever had an advertiser call me demanding I make a retraction or a change or anything like that, and I've never had an editor call me for a retraction or a change, I'm just on something that an advertiser wanted. So I'm hoping it speaks well to the choices of publications that I chose. But by the same token, I get a lot of email from people who are really pissed at something I may have written, and I have to be sensitive, I have to be very, very sensitive to that audience. Sometimes they're right, sometimes they're wrong, but the fact that it's even a concern is something that I find really interesting. And although in the best of all possible worlds I'd love to say I haven't been compromised, the fact of the matter is, with a core readership that is very good at showing their opinions or expressing themselves, you're not compromised but you take it into account in the future, and it's kind of that balance between finding what's relevant and meaningful and staying the course. So compromised is maybe just too harsh of a word.

So let's just look at some of the top stories of the past year and why they got the coverage they did. The top two stories, actually I should say the first story, I've written nothing about in any publication. The second story, I have an article coming out actually next month about some aspects of the TJ credit card, TJ Maxx credit card fiasco. Sony and HP both are interesting stories in that after those were published, those articles were published, I suddenly was denied access to those companies, and I used to fly to Tokyo pretty regularly, especially the research labs, and that's all changed. I picked up another magazine, now they need me again. So in other words, journalists are pretty expendable, and that's probably, as long as you realize it, it's probably not such a bad thing. But again, we talked earlier about Department of Veterans Affairs and DOD. We love these stories because it really points to this overall perception that the government would like to regulate every single thing they do and yet they can't even keep hold of a laptop. It's an unfair characterization, quite frankly. I mean, laptops are lost every day, and I have no doubts that laptops, knock on wood for everyone, but laptops will be lost here at DEF CON. But it's just something to bear in mind that it's just a good story. Is it relevant? No. To go up on this, how the problems are rectified, fixed and amends are made, that's really where the story is on something like that.

The TJ Maxx one is very, very interesting insofar as not only does it point to extremely poor security, you know, if anyone here is from TJ Maxx feel free to contact me afterwards, but extremely poor security, internal security policies, but the real story, to my opinion, had nothing to do whatsoever with hacking. The real story actually happened with, once those cards were compromised and the numbers were cloned onto new cards and people were out spending and running up the limits on all this, millions and millions and millions of individual numbers, the problems TJ Maxx actually encountered with the banks who wanted some money back, because they felt, rightly, that TJ Maxx was at fault. The banks actually wanted some of that money back for all the money they lost, because it's a very interesting legal issue and a very legal argument, because there are very few laws, believe it or not, that actually govern the transactions between stores like, or large corporations like TJ Maxx and banks. And you would think of all the people not to have a regulation governing getting money, it would be a bank. So you know, again, it was kind of a peripheral story that was very interesting. You know, likewise with the Sony rootkit fiasco, I'm not sure that the story itself solely had something to do with an attempted install, and in some cases an actual install, of a rootkit onto user software to monitor their actions. It's just an incredible, an incredible breach of trust and confidence in that. But the inability of Sony, and I really like Sony a lot anyhow, I mean they're a really
great company I personally know a lot of guys there but that problem of communication and dealing with the issue to begin with and the fact that they let it escalate to the point where state's attorney general were going after them for what they did and then finally the denial on the part of my community and your community to some extent but a much lesser extent of the fact that what they did is no different than what a dark hat does is really quite amazing to me and it's this whole corporate malfeasance and I don't mean to imply that I mean in Sony's case I'm not even sure I could say there's corporate malfeasance per se but this whole appearance of corporate malfeasance is really an amazing issue that again you know earned it the word fiasco and since we're on the topic of malfeasance this whole HP spying and spoofing thing although you would think it's not related to what you do it actually speaks volumes about the perceptions of the average reader and the general reading public about what they think of the computer industry in general and I tell you if my reader base is anything and it's in I don't know almost 500,000 a week if it's any indication most of my readers feel that HP got off very very easy that if you had done exactly the same thing whether it was on the Sony case or the HP case the repercussions would have been significantly different and you would have done time as simple as that you would have done time the difference you can't afford lawyers etc etc in places where EFF comes in and those types of groups so it becomes a very fascinating one I think the five biggest and here I get to say it I guess but the five biggest fuck ups are where we really miss the point completely and when I say miss the point completely I mean that there was reporting on all of these stories here if you want it you can find it there's no shortage of any of these issues but where we really got it wrong or what the implications are about and where we really got it wrong is 
what it means for us operating at least in a constitutional democracy in the United States at least what it means that these stories really weren't given any broader context and I think that's a real tragedy so when I say the five biggest fuck ups I think I might want to amend that to the five largest missed opportunities to assert everything that's really great about the industry about the country about all these types of things and this is where we missed it and some are maybe a little controversial but we'll go from there the censorship issue with Google for example in China and again I'm not picking on these companies I really like them and I know a lot of people there and really good companies everyone named on this with one exception is a really great company but the fact that we miss what it meant for an American company to engage in censorship at the behest of a foreign government even though they're doing business there is really an interesting contradiction I'm not sure we as journalists did a very good job on that one quite honestly and there's some part of me that actually kind of wistfully wishes that some in this case since it involves China that some dissident group didn't sue one of these companies on behalf of the very principles we espouse here in this country it's just a personal observation I think another story that gets misreported or because there's a lot of pizzazz there it gets misreported a little bit is what the recording industry association of America is doing and again you know it's a free country they're freely entitled to do what they do their trade organization they collect licensing fees royalties whatever you want to call them okay that's their right to do this isn't what's in dispute but I think there's some issues here that are beginning to emerge they're really becoming kind of worrying now most of the press stories on the RIA are actually really great stories about either abuses of the legal process in order to bring people to 
trial or in some cases because now it's this edifice I guess is beginning to crack a little bit people are starting to or at least one right now is started to win lawsuits against the RIA so it's a very interesting and it's a great story no matter how you slice it now within the last 24 hours there's a little virus that came out known as W32.delete music for all intents and purposes it's a USB shared virus that doesn't mean much in and of itself but what it does is it actually systematically searches your hard drive looks for MP3 files and deletes them now the conventional wisdom is pretty simple which is some prankster out there decided wouldn't this be funny we're going to go do this we're going to create this worm we're going to do that and I probably shouldn't have put it under the whole RIA anything but I do want to point to one other fact about music files and film clip files and those types of things which is they're so promiscuous I think they're not too long ago they're everywhere everyone's got them on their computers everyone shares them everyone sends links it's really the type of file format that just knows no bounds now let's take these two things together and weave a slight conspiracy theory a little bit here which is are we beginning I'm not suggesting in any way shape or form just so I can be really clear that the RIA has anything whatsoever to do with W32.delete music in fact I'm guessing more than likely not I can't say that categorically it's just the worms too new but what's kind of interesting is are we now starting to see this whole concept of the abuse of for example intensive sharing networks social networks as a potential opening for corporate abuse the only thing that's interesting in that whole bullet point there is the fact that W32.delete music yeah I think everyone I'm hoping everyone in the room would believe that the RIA wouldn't do that but is there any doubt somewhere maybe that it could be accomplished by the RIA now that's a 
question it's a leading question I don't mean to put any wrong ideas in your head but then when you start looking at other outside facts you know the RIA was extremely aggressive in California when it came to lobbying to prevent certain electronic surveillance laws from being implemented last year extremely active I wrote about that I got a lot of nasty letters well pretty much from the RIA but you know nonetheless why would they be opposing any electronic intrusion type legislation again these are just open questions I'm a journalist so these are the types of questions I ask now are any of these three things fitting together absolutely not not yet I'm just saying that this is where kind of the genesis of articles get started next thing I just want to briefly refer to because there hasn't been enough work done on this issue is the Vista phone home issues and I'm really getting more and more concerned on this whole concept and you know Intel is also working on a nice little chip a nice little chip set and actually operation set so that when we leave our computers on everything can be monitored and updated in a good way in a paternalistic fashion I say that very cautiously because I think these are issues that even though they're stated in the EULA they're really not considered by people who are buying the operating systems or the chips they're really not thinking about this stuff what it actually means that's a very interesting one now Blu-ray HD DVD I'm just going to focus on those two really quickly because again extremely interesting problem there with the phone home features you know Blu-ray more so than HD DVD and I know these two very very intimately but I'm really concerned again about the web interactivity that exists there and in general with consumer devices even Sansa type stuff I'm really really worried about what it means to phone home what does it mean to actually have turn off turn off key turn on turn off keys to authorize and de-authorize players to 
de-authorize a player for playing illegal content so for example if you bootlegged the latest Pirates of the Caribbean there is a potential that your Blu-ray player would be shut down for playing illegal content bootlegged content how would they know more importantly and you know this is where it comes back to the geopolitics of the whole problem where I get very very interested where is the databases where are they residing are they residing in Burbank they residing in Tokyo they residing in Malaysia where are these databases and what information are they collecting what information for example in my viewing habits I'm not much of a TV guy but I do watch what information on my viewing habits is actually being sent where right it's just a fundamental question to what end and you know there's an interesting group in San Francisco right now called Detention Trust Seth Goldstein who's the founder and put it together a really really interesting group who's actually tackling this problem from a slightly different angle and he's tackling it from the web browser perspective which says you know what I've got all these damn cookies I'm visiting all these damn sites you know people are trying to track my movements all the time I'm going to claim ownership of my cookies I'm going to store all my view data on my own both on my hard drive and one of the attention trust partners partner companies for example Attention Bank it's a very interesting concept because really where they're coming from is saying wait a minute double click soon to be Google if the FTC doesn't have too many issues wait a minute that's none of your business I own my attention span I own my attention stream by implication it's and I should be able to monetize it and I think that's the big fear of this whole thing and that's going to bring us to metadata meta mining and metadata repurposing the fundamental aspects impacting freedom of expression I think really have to be looked at here when it comes to 
metadata and in the interest of full disclosure I did mention I own a VC firm too we invest in a lot of metadata companies that seems to be web 2.0 metadata type groups all startups all with extremely complex very interesting skill sets so you have to understand that but as someone who writes and someone who speaks I also have an obligation to kind of look at this issue a little more critically and take a look at what are the implications for metadata what does it mean on meta mining which is essentially data mining of all the metadata and metadata repurposing in other words the ability to extract the information from meta mining and represent that information to you in a new fashion or perhaps a new website or perhaps a new introduction to a clothing company or things like that what exactly is going on now yeah it's sort of borderline advertising what's interesting about it though is that advertising is a pretty open concept it's one that we understand we watch movies and we see a can of Coca-Cola we understand that that's a product placement for which they pay good money very rarely do you see product placements that aren't paid for in movies and more so now every time in film but on the web that's not always very very apparent so what's going on with this metadata thing and why is it so important well the first one is you would think and I think most people assume especially when they see double click cookies inside their browsers and that type of stuff that just their current actions are being tracked right they're being monitored they're reporting back on you know if you're like me you probably don't have that much that you'd be ashamed of I mean in my case it would be like looking at Chrysler's you know because my whole family likes German cars so it's not a big problem for me but the metadata people are really looking at retaining this information for a really really really really long time and when I say really I think I wrote in here forever alright I 
think it's time as professionals on the security side the legal side in particular that we you know really take a good hard look again at reexamining the linkability or the unlinkability between this this clickstream this what it really is called transactions I think we need to take a good hard look at data retention policies and you'll see at the bottom I say that data retention threatens privacy and you know I'll give some examples and again neutral examples it's just kind of a part for the course type example but in the last California election Arnold Schwarzenegger you know really although he has all these great futuristic films you're not always thinking in terms of the sophistication that goes into getting reelected and what I found really really interesting for him is that through metamining in particular and data mining that the Republican National Committee actually kept very very good demographics on what what Republicans like to drink what they like to drive you know as a whole and correspondingly then they would buy mailing list for example from Coca Cola you know so you would think it's a random thing for Arnold Schwarzenegger to send out hundreds of thousands of mailers just to Coca Cola drinkers but statistically it made a hell of a lot of sense and this is the scary part that linkage that's going on and I haven't seen too many companies I mean obviously the big exception is a company like DoubleClick but I haven't seen a lot of startups out there that are actually saying hey wait a minute we can approach this whole metadata metamining issue and then if you start thinking of the internationality of the internet itself it becomes a really big problem because this whole concept of metadata metamining and repurposing of metadata really flies into the face for example of a lot of European law you know this data retention policy this retention policy of forever really becomes a very big issue and I'm only going to talk just very briefly on this slide I'm 
going to jump to the near last slide and then unfortunately we have to call this a day or fortunately since it's Las Vegas I just want to talk about some of the under reported stories or should be reported stories out there right now some are positive some are negative I really think that this whole concept of WikiLeaks and authorized signature chains for initiating leaks verifiable leaks from verifiable sources is something that is completely undervalued I really think the work that's being done in this area please just do a Google search on WikiLeaks or RSTs you might be very very pleasantly surprised likewise I think you might find it interesting that Apple is on there because they're probably one of the most over reported companies in the country the thing I find so interesting about the Apple issue though is you know outside of Black Hat and Def Con we really don't hear that much about Apple security we do in some of the publications e-week is a good example even PC World you know monthly we'll carry some good stuff on that but I'm not sure that the complexity of the environment we operate in today is actually being done justice and I really like Apple too but I'm not sure that their approach is the approach that we all want to hold that posters about I really would urge you all because I know we're coming to the end of the talk to really go spend a little bit of time taking closer look at electronic voting and bear in mind this whole concept of paper verified voting trails meaning you get a receipt for what you voted for at the end of your session this is a company AcuPole and I'm only going to mention very very briefly I had it's a company that's now out of business they're long gone about a year and a half ago but they had actually a pretty good machine and you couldn't even open it it was a very nice little deal we have two minutes they went out of business because they had a really good machine what's interesting to me though is the executives that 
actually were willing to talk to me at the end of their life cycle and you know a couple of them had mentioned some states in which they were disapproved in order to pitch their product they were disapproved because the state itself was concerned that if they used AcuPole machines the vote might not come out right and that's a quote and that's a shocking thing when you think about that Web 2.0 vulnerabilities I'm hoping here there's also going to be something on OpenID I think it's something you need to take a really good look at great product also great vulnerabilities and please although I don't know him personally I did want to talk a little bit about Estonia and those types of things we're running out of time but please make the point of attending that talk and I want you to think just about two things in particular one is this whole concept of the blogosphere actually influencing political actions and negative political actions in the case of Estonia I think it's providing instructions on how to flood servers those types of things I think it's something very interesting and I'll just conclude because we're only a portion of the way through here what would happen and this is a theoretical question to conclude but what would actually happen if we saw cyber attacks on candidates' websites in this election cycle it's a highly theoretical question but just think about it maybe you guys are the experts, you guys are the pros what would happen if a Rudy Giuliani's website was hacked, would that actually be a plus for him since his platform is terrorism what would happen to these candidates if we saw that type of stuff and what would happen if we saw this new term as a political activity which is blogosphere meaning coordinated political action coordinated through blogs in order to disrupt a system I think it's very interesting I thank you all for your time and have a fun evening as well