 Chris has been around the community for a really long time, guy with a huge heart, but a lot of knowledge. And he's promised to follow SE Village rules and keep this speech PG-13, which I, it's just gonna be, I think it's gonna be the biggest accomplishment, no matter what you all learn, that he can actually do that. We have SE him and the keep and get PG-13. So, help me in welcoming my good friend, Chris Roberts. Thank you, brother. So the other reason I have to keep this PG-13 is my wee band who, I kind of didn't see if she's in it. Yeah, there she is. I owe her $20 for every swear word. So I will do my best to keep this with no effing and blinding and swearing. I did a talk earlier. How many of you were at the Sky Talks one earlier? All right, come near a couple, good. It's that, but it is definitely the PG version of that one. Okay, so, again, welcome to the SE Village. Do me a big favor when you're done here. Give everybody here with a volunteers a frickin' big, a blasted big hug. Damn it. I gotch down into a lot of thug, please. All right, we're gonna have some fun. We're gonna talk about technology. We're gonna talk about technology in humans, and I'm gonna try not to kill myself on this blasted piece of cable. We're gonna talk about where we are, where we've been, where we're going to from a technology standpoint. As normal, we'll put the good old agenda slide up. Why and who am I in all the shenanigans without one? Obviously, the abyss. How many of you are familiar with Dante's Nine Circles of Hell? Yes, all right, we have an IT version now. Evolutionary parts are options. Why are we here? Why are we talking? Why are we doing this and everything else? A little bit of housekeeping. Yeah, as Chris said, I'm not blasted Welsh. I didn't have pet sheep, and I will try and keep the PG-13. And by the way, give everybody in here a hug. Please, seriously, this is put on by them from a volunteer standpoint, and it's a guilt. It's not a gosh darned old skill. 
And as some of you who follow me on LinkedIn, I am a hacker, I am not a criminal. All right, the quick about me one. Yes, I've been messing around with this industry for goodness knows how many years. Started off by breaking things. We broke Nigeria, we broke the space station, the Mars rover, there's the occasional aeroplane that might've got in the mix or two. And as you guys will find out later on this morning, no, this afternoon, we're on our way, we're on an afternoon. We're gonna talk about trains and everything. I'm fine with people taking videos, I'm fine with recording. I'm going to also not do some of the disclosures I gave in side talks, because I don't need this as another piece of FBI evidence. And we'll go from there. And we're messing around with humans. All right, 2018. It is a poo show. Can I get? It ain't all pretty out there. Here's why. This are the statistics. In 2017, we lost, i.e. it was stolen. Some of it in two and three billion records. So that's passwords, that's records, that's identities, that's credit cards, that's all of that kind of data. Here's the irony of this whole got on and all thing. Oh, God, this is freaking hard. Blast it hard. I'm doing it, we're getting there. Anyway, we don't even know how much stuff we've lost. We've lost between 1.9 and 8 billion. There's a company out there called 4IQ. They're seemingly about 8 to 16 billion. There's a lot of blasted data that we've lost. All right, let's do a quick recap on some of the logic and some of the reasoning for this one. We'll talk briefly about humans. Let's talk a little bit about humans. Why we're doing humans? Because we're in the gosh-darned, or lessee village for crying out loud. Let's be nice to humans for a second. The beauty of humans, for all that we are, we have a capacity to evolve. It's a nice statement. It meets nice warm and it's fuzzy and it's gray. And it's like, yay, we're humans, we're good. We're wonderful, we can evolve. 
However, doesn't mean naturally that we are evolving. The fact that we actually have to tell people to tweet after we've left the burning building and please don't molest the crocodile. By the way, this is the correct way to hold the gosh-darned old chainsaw. This is not a good thing for evolution and for us. So we have to start taking over the very audience that we're addressing and how we're addressing them. And especially when we start taking and look at the numbers and the statistics. If you were taking it by about 2020, we'll have about five and a half-ish billion connected people. You do the statistics, you do the numbers and the interest of keeping this and trying to get us back on track. At the end of the numbers, we have about 9% of the people that we engage with and that we talk with outside of obviously the 30,000 of us that are running around the conference that understand or get security. That is a nice number. A lot of people put it a lot less than that. So when you are talking with people and when you are engaging and having conversations with them, really have to think how do I engage on a level and in a mannerism that you will understand not that I feel comfortable actually having the conversations with. If you need the visual that goes with it, here's the visual of the other 91% that you have to engage with. How do you get through to that person? The fact that the password one through six is not exactly the best thing to use. And by the way, putting seven, eight and nine on the end of the gosh-darned old thing isn't gonna help much either. This is who we have to work with and that word work with is where we have to be. We can't ignore them. Well, we can, but we probably shouldn't. And this is, you know, smartphone stupid people. There is an element of truth to that. I'll go one step further. Smartphones and bloody, I gosh-darned old annoying vendors. Can I get away with bloody? It's an English word for crying out loud. 
It just means I gosh-darned old in English. It's like bollocks. All right, this is what frustrates the living heck out of me. We come out of RSA, we come out of Black Hat and we come out of all these conferences that say, oh, you must buy more technology. You must buy APTs, you must buy all of this used behavior analytics stuff. You must buy the new blinky lights. I call rubbish, actually I call stronger than rubbish, but we'll call rubbish in here. Why? Because the statistics don't bear it out. This came out of NUICS. NUICS put out a really good report. 90% of attacks happen with known exploits. This is when you leave, open things on the internet. This is when I can get in using RDP. This is when we can get in using everything else that's left open. This is simple stuff. This also comes down to the simple stuff along the lines of policies, procedures and controls. I don't know how many organizations we go into that don't have these. This isn't stuff where you need to go spend tens and thousands and hundreds of thousands of dollars with companies. This is simple stuff you can do internally. So if we take a step back and go, where are we? This is where we are today. We're adding more complex technology. We're handing it to a population that doesn't necessarily question that technology, that doesn't necessarily take the time to understand the implications of the technology. By the way, for everybody that's taking pictures of the screenshots, I will make sure that these are available. Hit me up on LinkedIn, hit me up on Twitter, do something, I have a Dropbox, everything of all this stuff will be in there. So just hit up on that one, sit back, pin your ears back and just enjoy the discussions. I'll also make sure that Essie and everybody else has got it. So we're putting it everywhere. We're giving it to a population that doesn't understand it. We don't have enough qualified people to deal with it and we haven't got good eyes on our environment. 
So I have to change it so we have a mess to clean up. There's a stronger way of putting it but we'll deal with that one. So what do we do with it? Where are we going? Where are we heading? We put this together, a little bit of fun. There are four paths I will argue that we have, evolutionary paths. This is some research that was done a couple of years back. It's up here because it's kind of fun and I've done some additional stuff on one. Molecular and cellular technology, basically the whole concept of nanotechnology. Nanotechs, basically carbon molecular systems that we can actually basically do a whole lot of stuff with radio frequencies, with laser frequencies and everything else. Strength, hardness, amazing stuff, really complex systems. And then if we apply what we know with Mother Nature we can actually have a lot of fun with it. Why? Because we take after Mother Nature with a lot of the technology stuff we do. We attack people, we use viruses, more the same as the humans get. So we build a vaccine in the electronic world. We build it with carbon architectures and we start basically looking at what does a vaccine do? How does it get into the body? Uses our DNA. So RNA, ribonucleic acid, all your bugs now belong to us. And we can build these in three different ways. We can let the body build them, we can have a combination build where we build them externally and inject them into the body or there's basically the assemblers that build them inside the body themselves, carbon architectures. Some fun stuff. Everybody's like, I haven't heard of this stuff. This was 2016. This is teaching carbon nanotubes basic language. This is also on the bottom right hand side teaching them basic shapes. In other words, as you work and look and go through the body, how do they understand what is in the body? Now, if I inject carbon nanotubes in the body, they have to be able to move around. So in 2017, just like kids, we teach them how to move. We attach tails to them. 
So you have a carbon nanotube on that top left side that basically is attached to a carbon tail and all you do is apply a heat source or another kind of RF type of source to it. Now I can make it move. The tail vibrates with the frequencies, not if it goes. Just like kids, we also teach them how to actually understand chemicals, chemistry and systems, which is the bottom right hand side. Now we fast forward to today, and this is where we are. The top right hand side, turbo charged sperm. Yay! Take sperm, wrap a carbon nanotube around it, apply a heat source, probably not too much heat because it's gonna hurt like it's not. And go. Now you have basically an RF frequency common turbo charged sperm. The one in the middle is the interesting one. For those of you that have been cut open or anything else like that, obviously septicemia is a problem or potential issue. So what you ended up doing is taking the stitching system, put carbon nanotubes on them as well as an antenna based architecture which can then transmit heat, it can transmit frequencies, it can transmit chemistry. So now you know whether that infection has actually gotten back into your system or not. Go to the doctors, it's all very nice. This is great, it's wonderful, but guess what, we're a room full of hackers. So we can hack the code. That is a very busy slide and I'll apologize in advance. What I'm trying to get across are two things. One, the language that you use is a very long language and cello is the actual architecture that is used to actually have the discussions on it. Gate simplifications. If we take it a little simpler, we'll use XKCD for a second, we'll try science and this is how we do it. We take assembler language and basic language, we turn it into an engineering language and then we turn it into a frequency wave. 
That frequency wave can now be transmitted into the body and can be received with receptors and with antennas that are built into the carbon nanotubes and we can now make them do things. What do we wanna do? Well, we wanna try and do some fun things with the body. This is the fun one, this is the easy one. We take a binder, we take a receptor key, we add all of the other technology to it and we have this really nice complex system that we can actually inject into the body. In English, what we've done is we took bird flu, we've bound it to multi-walled nanotubes, carbon architectures, we did a little Petri dish and studied it all up and had some fun with it and yes, we've done this in a lab. We fooled the body into thinking it was good, how a virus works and how a vaccine works. We have the propulsion system that tails itself on various other things, the tracking, the methodology and all these other good things, which means if we're doing good, we can go after cancer, we can go after Alzheimer's, we can go after gallstones, we can go after all these amazing things and actually target direct to the molecules. If however, like some of us do, go hey, if I can program it to do that, what else can I do? Well, if we're not playing nice, we can program it to go after red blood cells. And the nice thing about this whole thing is you don't need an entire rack of equipment to do it. That's $100 worth of equipment. You wanna go hacking a human? It's gonna cost you about 150 bucks in a whole bunch of research. That's the evolutionary path number one. And if it makes it more interesting and more fun, we can do the same thing with all the agriculture as well. This is some of the stuff that's going on in the agricultural world. The whole concept of targeting drugs into the foods, into the food systems, into the supply systems. So for most of us at this point, we're kind of feeling this way. All right, so that's evolutionary path number one. 
Evolutionary path number two is some of the stuff I'm currently working on. I have a lab in the basement right next to the whiskey room, which is really happy I can do drug coding, yay. We are gonna hack the brain. Why? Because it's fun. This is not how we will hack the brain. This is a really good way to put a USB drive in, but after that, it gets a little messy. This is also how we are not gonna hack the brain, but this is a really good one-time use pad. We're not gonna take the Elon Musk version of hacking the brain because you look like a complete dork. We are, however, gonna do some other things. So one of the areas I've been focusing on for about the last year, year and a half or so is mapping the brain. I have a set of EEG monitors. I've actually got a couple of commercial ones and I've actually got a couple of ones I've actually built. One of them uses four EEGs, two at the front and two at the back side of the lobe system. Basically, another pair of glasses do it like this and they have monitors on them. On the left-hand side is the basic brain activity that I've actually got on one of my systems. What that's tracking is it's tracking me thinking about my computer. On the right-hand side on the screen over there, there are three different colors. Each one of those represents basically me either thinking about my computer, thinking about a phone or a module for the car. The logic here is simple. We've spent, what is this, DEFCON 26? We've spent 26 years screaming, complaining and growling, grumbling about passwords. Agreed? And then we have RSA, Black Hat and everybody else is like, ah, I can band-aid that, I can give you something to try to fix it. Well, to hell with that. To heck with that? Can I get away with hell? Yeah. What do you mean no? Damn it. No. No. No. No. No. No. No. Do you take check? No. No. No. No. No. No. No. No, I'm gonna need to do this point. Here's the logic. 
Rather than throwing another band-aid on the problem, why don't we fundamentally fix the problem? Why don't we go, hey, we, the squishy sack of water and bony stuff, can actually be our own authentication methodology? Why can't we actually turn around and get rid of passwords once and for all? Why can't we actually extract enough data out of the gray map to go, how do we do this? Here's how we do it. EEG monitors, get some good quality ones. We've had a conversation in the biohacking village earlier on today about how to use them and all the other stuff. The whole concept is to take the monitoring system from the four main loads, the interaction with you with the computer and the computer's interaction back with you and then some underlying noise, shall we say, if we wanna better put it, as to who we are from a uniqueness standpoint. There is a whole 12, 18 months of the discussion behind this one. Take the signal, relay it to the computer itself. The computer itself goes, hey, I actually know this crazy six foot three hairy thing and he is thinking about me, hey, I'll open. And he works. As I walk down the stairs now, I can open up the computer and I can open up basically one of the Android phones that I have. I have another set of these that have wires all over them, I keep them in a very locked up area because I don't want any of that stuff getting out but it's working on the phone, it's working on the laptop. It's working under all sorts of interesting conditions, stressful conditions, alcoholic conditions and various other things. There's, yeah, alcohol test is always a good one, let's face it. Two o'clock in the morning I'm like, I need a drink while I'm doing this and then basically the whole system goes, aha, I have to recalibrate, you've had a drink. The irony of the whole thing is it actually recalibrates differently for beer than it does for whisky and I'm like, yes. So here's the logic. We need to do away with this whole password mess. 
We need to actually do something different. Our simple existence needs to be that key. So how do we do it? And I look at everybody in this room, this isn't just me standing up here saying how I've done it, take this information and go build something better. Do something different with this and improve on it please. Why do I say that? Because I'm not the smartest one in the room and I need other people to take up on this. But do it better and do it differently. This is also part of the stuff I'm working on with uploading consciousness. One thing I haven't said publicly and I actually said it earlier on today, I now have a predictive engine on one of my other computers. What I'm doing is as I'm thinking about doing something with those glasses on, the predictive computer is now thinking two to three steps ahead of me as to what I'm gonna do next. It's 75% right at the moment. Which is really cool when the computer tells me I want a cup of tea before I know I want a cup of tea. The other is just sensed my mood. So, let's talk about actual artificial intelligence, not the rubbish that you get sold at RSA or Black Hat. How many vendors do we have in the room? They want to admit to being a vendor at this point in time. All right, how many of you have been sold something that contains or have been tried to be sold something that contains artificial intelligence? All right, bear this in mind as we go through this little set of slides. We're gonna talk about general AI, okay? We're gonna talk about the stuff that there is like, ah, we need to replicate humans. Well, here we have some fun with this one. This is security vendor artificial intelligence and this was the pitch battle of Black Hat earlier on this week with artificial intelligence, okay? Here's the provocative stuff. You want AI, you will give up on privacy. Hold that thought for a second and hold the logic on that thought and we'll go through some of the slides. Here's some baseline. It needs data. 
It relies upon data and quite honestly, the algorithms that we have rely upon a ton of data. Doesn't matter whether you're using neural nets, distributed nets, architecture nets, whatever else you are. We need more data. Not only do we need more data, we need the right data. How many of you know what user behavior analytics are? Okay, RSA is full of it this year, Black Hat was full of it. And they're like, ah, they'll protect your company. Well, a couple of things on this one. It won't, let's just answer that one straight off of that. And number two, it's only taking intelligence from the organization it's protecting. Doesn't have access to your home data so it doesn't know whether you're coming in the office early because you've had an argument with a significant other. It doesn't know what mood you're in so it doesn't know any kind of pedometer. It doesn't know any information about you. It's not listening on your Alexa or any of these other things. It is not situationally aware, it's dumb. Here's the logic behind it. Love this one. You want it properly, we hand over all the data all the time. No barriers. Your work, your social, your home life, all glows together. Why? Because if you want actual artificial intelligence it has to understand everything about you. In order to make an informed decision as to whether you are good, bad, ugly or threat or anything else, it has to understand all the situational awareness. Why do we know this? Because we do Venn diagrams. This is machine learning. It is not security. Little subset of one subset. This is artificial intelligence. Again, not security. And everybody's wondering what the actual little circles are. Here's the circles. Here is us. We are made up arguably of three things. The influencers are surroundings and everything that has made us who we are. 
Unless something has access to all of that data, either from an intelligence standpoint and awareness standpoint, EEG standpoint or everything else, making those decisions and making them accurate becomes harder and harder unless you're willing to accept some large deviation from me. You want security, we have to have all three of those. If we're actually gonna do this right, we need to be able to hold that data and make an informed decision. And yes, we're getting a little dystopian on this. Not that I want to go there. Let's explain it in basic language. How many of you code? Cool. Regular programming. I wanna go from A to B. What does the program does? Sod it, I'm going from A to B. I can use sod it. From A to B. Great, regular programming explained 101. We good with this? Yes? Okay. Machine learning. You say, hey, I need you to get to B. You can start at A, because it's a nice starting place and you wanna go to B. Machine learning says, do me a favor, don't run into the wall and for crying out loud, please don't stop on the stage. So what does the machine learn? Do you guys? It goes... And it gets there at B eventually. It bounces off the wall like a dodger every now and again, but it gets there. Everybody good so far? Our augmented intelligence. It already knows that you wanna end up at Z. This is Z not Z, okay? This is the Colonials. Yes! Don't even go there, okay? I hacked cows because Scotland didn't actually separate from England. We'll get to that in a little bit. All right. So augmented intelligence. You tell it where it wants to go. It bounces around and then it's just like, sod it, we're gonna get there. This is actual artificial intelligence. It sits at A and goes, I don't wanna go to B, B smells. It's raining. Well, why can't B come to me? I don't really think I exist. If your artificial intelligence program that you've been sold doesn't wake up and question its own existence, it's not an artificial intelligence program. 
Yeah, it's machine learning you've been sold a bill of goods. Okay. We can have a long debate over this one, but quite honestly I have a bit of a problem with most of the stuff that's being sold out there. I think Snake Oil was RSA that year, wasn't it? Did anybody see the Snake Oil? Did anybody actually pay for a slotting ticket to go to RSA? Fuck, these are expensive. You can actually forge them if you go down to the King Codes. I'm a lap, this is PG. I didn't say how you can forge them. Photocopiers. Intelligence best case scenario. So here's the argument on this one. Best case scenario, any Sentinel system wakes up, takes a look at us and goes, why the heck are you in the driving seat? Get in the back and we'll take care of you from here. That's the best case scenario. We actually have a system that looks at us and goes, you guys can't take care of each other. You can't take care of the gosh darn little planet for crying out loud. Get in the back seat, we've got you covered. Worst case scenario is obviously Hollywood. Let's take the last of the evolutionary paths that we have. I'm allowed to do this when I think even in a PG one. The stumbling drunk. It is DEF CON after all. Insanity. The fact that we still go to DEF CON and the fact that we still got a Black Hat and RSA instilled by Blinky Light Rubbish and we still expect to actually have it work. Guess what? It's gonna fail. Evolution of the doomsday clock. This is actually part of it as well. So the logic is, in 1940s we had a doomsday clock. Everybody was like, oh, I've got a bomb. And everybody was like, oh, I've got a bomb too. And everybody was like, oh, we've got bombs. We're not gonna blow each other up. That was great. Those bombs have been replaced by these things. So you look at where the nuclear side of it was our deterrent. Now we have to look at the laptop and go, ah, we're putting them in the hands of everybody. It's not as much of a deterrent. 
Again, the technology looking at putting us over the edge. So, as we speak of technology, this next light, not this one, the next one, this was a rather nasty and tough one to put out there. And I don't like it, but I do like it. And it's a bit of a kick in the, am I allowed to use the word testicles? It's not nuts, it's testicles. It's a biological thing. It's a bit of a kick in the testicles for the IT industry. We failed. Let's be honest. 9 billion bits of information went missing last year that charges that rely upon us to secure them. We failed them. We've lied. Why have we lied? Because every single time, for years ago, and I was one of the people years ago that walked into the CFO's office and said, hey, if we buy a firewall, we'll fix everything. Five years later, we went, hey, if we buy this IDS, IPS, it'll fix everything. Then we buy DLP and it's meant to fix anything. Guess what? We haven't blasted fixed it. We still have issues and we still have problems. And we still have vendors and suppliers are telling us that they will be able to fix everything. Guess what? It's not happening. We know that. We have to get the message to everybody else. We have to be the ones that help influence. We have to be able to communicate effectively to the business. HR, legal, compliance, everybody else in the organization, we need to be the ones that communicate more effectively with them about our industry and about their industry and how we work better together to keep the blinky crap, taking that 20 bucks, we keep the blinky crap from being sold into the environment. Why? Because we've got to do a better job of it. My daughter's been next door causing chaos on Mayhem in the younger side of the world. I'm getting old and gray and let's face it, a lot of you here will be considered the next generation. You've got to do a better job than we did. And you've got to learn from our flipping mistakes, please. And embrace change. And as it says, diversity. 
We have to do a heck of a lot better than we're doing. So that's my plea. So what are our options? Kind of a bleak picture. What do we do about it? Well, it's simple. It's us. We have to be part of the solution. How many of you work in an environment where end user training is once a year? Actually, I don't. I work at Larris. We train ourselves daily. It's quite fun. This is something we need to do differently. Bring it on a continual cycle as you talk to the people that are engaged with you every month. Hey, it's January. It's tax season. Don't click on that data and tax document. It's February. It's Valentine's Day. Nobody loves you on the internet. And if they do, it's Bob and he's 45 and he's in a basement in Detroit. He ain't pretty. Okay? It's March. It's March Madness. Don't click the spreadsheet. This is simple stuff we can do. You look at Chris and the ILF. That could be April and May and June. Let's be perfectly honest. All of these are things we can do to help the individual. You help the individual. You help the family. You help the friends. Guess what? That will eventually peter back into the company. I don't need you looking after my company. I need you looking after yourself. And in doing so, you will basically, through osmosis, look after me. So we fix the humans. See that? Our technology's taken over. Take your pick. Preferably, I'd rather fix the humans. All right. And by the way, shoot the gosh darn little coffee machine. Please, and the toaster and everything else. All right, simple stuff. This is simple stuff. This isn't buying blinky stuff. The fact I can still go out onto Shodan and find RDP on the internet. And I can find 3306 and 1433 on the internet. Make it go away. You don't need to buy new technology. We just need to educate people more effectively. All right, as it says, remove the easy ways in. So for crying out loud, encrypt everything. How many of you know PrivacyRights.org? If you don't know it, write it down. 
PrivacyRights.org is an amazing website. It is also a very effective one when communicating the message of security. Why? Because a bunch of the breaches are theft of opportunity. Somebody goes in, steals a computer, the gosh darn little things are encrypted, and now healthcare breaches are another couple of thousand. All right. As we're having security discussions, we don't have a perimeter. This is something that we have to help people explain and understand. It doesn't exist. We can break in, let's face it, to anything, any time, pretty much so whenever we want. And we could put money in escrow if we wanna have a separate discussion about that one. But when you wake up in the morning and the toaster knows when your first meeting is and your car already knows the directions and your fridge is arguing with the microwave over to what you're gonna eat for breakfast because it already knows when the meeting is, if you don't have a bloody perimeter. 20 bucks? Okay, help your organizations understand this. They buy perimeter defenses. How many of you are part of a discussion where maybe end user or end point detection is part of a conversation? Quick show of hands. Let me ask another question. How many of you know where every single one of your end points are? Yeah. I'm gonna call bullshit. Yeah. How, oh, that, will we take on a collection after this please, otherwise I'm, all right, it's simple. We talk about end point protection, yet we don't even know the basics of where all of our end points are. Give me a flip and break. Figure that part out first. As it says, get the eyes on the inside of your world. All right, simple stuff. Physical security, stop ignoring it. Nobody inside an organization is a special snowflake, including us. Therefore, nobody should be exempt from social engineering, physical engineering, the whole gosh darn it a lot. 
And if anybody has a bad policy inside their organization and they find me wandering around it and I don't have a badge, you are welcome to taser me. Or anybody else. And if you don't want to taser me, I'm too big, get four of you and rugby tackle my sorry arse. Posterior, and the arse is allowed. The arse of a donkey, donkey's arse, that's actually allowed. It's allowed now, gosh darn it all to heck. That dammit. Look at how side you're full of the poor. So many keeping tabs. All right, another one, passwords. Good grief, this is simple, okay? Break your passwords into four sections. Everything that you really, really, really, really, really, really don't want on the internet, everything you probably don't want on the internet, stuff that you probably don't care about if it's on the internet, and stuff that's probably already on the internet. Simple as that. And by the way, where you can use passphrases, use the darn things and get hold of XKCD and talk to them about that kind of stuff. It's simple stuff, this is easy, simple education. All right, stop buying the blinky lights. There is no easy button, the cake is a lie. That's about all I can say on that one. If you are sold a bill of goods by a vendor, get hold of me, I will taze at them. Why do I say this? I was in Madrid earlier this year and this is what I found. The first anti-hacking software apparently. So I got myself a copy of the first anti-hacking software and I decompiled the first anti-hacking software because it wasn't compiled properly and they gave me the source code after I asked them very nicely and then I put it up on GitHub. Needless to say, it's not the first anti-hacking software anymore. All right, why? Why are we having these conversations? Let's go through some of this stuff. This is some of the stuff that some of you know that I've been working on with some older stuff, some newer stuff in here, some fun stuff in here. All right, we talk about the IoT ecosphere. 
When somebody turns around and says they know IoT, show them that, pin it on their forehead. If they can't identify at least half of it, they don't know IoT. That's about all I can say about that one.

FinTech, financial technology. The ability to basically digitize the brick and mortar banks, which is great until you realize, last time we checked it, which is about a year and a half ago, 65% of the companies had not done any security testing. Yay. And we're giving it to everybody's mobile telephones.

Now, for those of us that might be banned from about half of the world's airlines, we have to go break other things. In this case, we go break locomotives. Because, well, they're fun and they're all over the place. Why do we break them? Well, partly because they're fun. How many of you remember at school that blasted question, train A starts at point, train one starts at point A, travels at 45 miles? You remember this one? This is why we hacked trains. I hated that problem. So I did about a year and a half of research on it. Wasn't allowed to use most of it. So a bunch of us sat around a table for 48 hours with a bottle of single malt, 250 Cat 5 cable, and a lot of other fun. And we decided to hack trains. In doing so, we realized that it's an entire modular network. One of the fun parts of the module are the rail yards, specifically the intermodal yards. That is an intermodal cargo rail yard. User ID admin, I think the password for that one was admin one. Telnet to the internet, takes you into a web interface as well. The really nice thing about this is as trains come in and out of the rail yard, there's an RFID tag on the side of them. It gets read in, it's got the bill of goods on there. Each one of those little colors represents a different system and a different setup. The nice thing about the rail yards is they're semi-autonomous.
So you can go into the database and instead of the fruit juice going to California, you can actually send it to Alaska if you want. Quite fun to do. You can have some fun. You can send California all the dead animals. You can send Alaska all the apple juice and fruit juice. It's simple stuff to do. This is easy stuff. This is web application attacks.

Now, if you don't want to go up to the rail yards and you want the big actual trains themselves, GE is really, really good at giving you access to all of these trains, because they send all of their trains out with a default user ID of GE and a default password of GE. Yay. We did a live demo on stage in another country, and that screen at the bottom was user ID GE, password with six zeros, just to make things a little easier for us. That actually went from us to the telecom communication system, which had a public IP address, into the train's front system, which then got us into the engineering part of the train. And as you can see, you can now do all the analytics on the train, the actual locomotive engine itself. So if you want to start it, stop it, have fun with it. You can't make trains go sideways though, I found out. Is there anything? Oh, tell me about it.

Now, for those of you that want your own little set of trains, for those of us that grew up with trains, there's a really nice product called Reef Offense. It's basically a geofencing application that you can put around anybody's area. In this case, it's around a house in Arvada, Colorado. Very good friend of mine, Jesse, who's been on stage a number of times with me. I put a Reef Offense around his house and there's a BNSF train track that goes right by it. So for a while, all the trains would hit the train system and basically just stop there. Eventually I got a phone call from him and it was, you, stop the damn trains from doing that. So it's fun, so yeah, you can have fun with those.
For those of you who want to mess with signals, GE's transportation global signaling system, user ID I think is admin, password, I want to say it was either admin or it was just password. I can't remember exactly which one it was. That was nice and fun and simple.

But if you want to have a little bit more fun with these things, this is the nasty stuff. So on the locomotives these days, there's the positive train control, PTS. The whole concept here is if the driver is not paying attention, something's happening or whatever, there's a whole bunch of autonomous systems that are basically going, ha, you know what? I probably shouldn't go through that next red light and I probably should only go around the bend at a certain speed. A lot of it is governed by these nice electrolytic systems which you can pick up on eBay if you want. Total cost of eBay purchase, I want to say it was around a thousand bucks, give or take a bit. But you can buy them, and not only can you now buy the darn things, but also, if you look on the top left-hand side, you can actually go out to the patent office and download the entire patent for these things. Which means when we look at this, we realize that the man-not-present button, so it's a little button that you have to press when you're physically there, which says, hey, I want to override sense and I want to be stupid, in other words, I want to keep the barriers up or I want to turn all the lights green or whatever you want to do, that had shared memory. For those of you that code, at this point in time, you're going, ha, ha, ha, overflow. Oh yeah. So what you can do is you can do both a web attack and a network attack at the same time and you get to a stage where you can basically do a man-not-present attack scenario. You can get in, basically plug into one of them, because they're all a nice star network, because let's face it, they've all got to talk to each other. The entire network starts talking from one switch.
If you're sensible, you can scan the entire set of switches, get the IP addresses and put them into a batch file. That file actually is more of a Python script, but you can put them into the script. The script runs against every single one of them, and after about 20 minutes, you can turn every single light in both directions green. Which is where we end up with this. Now we talked to AAR and two companies about this two years ago. Nothing has been fixed. Which is why I'm stood up on stage going, fix your stuff. So if AAR, NTSB is listening, here it is. I did talk to DHS this weekend; they're actually going to fix some of the other stuff we're about to talk to as well.

Cows. So this came about for two reasons. Reason number one, Scotland tried to actually separate itself from England and do what you did, the same thing to England, a couple of hundred years ago. Instead of us throwing tea in the dump, by the way, why the hell would you throw tea? It's good stuff. For crying out loud, seriously, it's tea, it's civilized. It was the cheap stuff. Tell me about it. All right, Windows machines. So we decided to hack cows. We hacked cows two different ways. One because we were going through Wyoming and we realized there were a whole bunch of signals, and secondly because, well, we decided to go after the milk in the cows.

All right, VNC open to the internet: milk robots. Milking cow machines. These are actually in Europe, in Wales and some other areas, up in Wisconsin. Who's from Wisconsin? Everybody from Wisconsin here? No, good. All right, I don't have to apologize to anybody. There's a few in Wisconsin we own as well. I think we've got about half a million head of cows at the moment, give or take a bit. So that bottom right hand screen is awesome. As the cow goes into the milking machine, it obviously automatically attaches. It measures the pH of the milk. It also measures the health of the cow.
It can inject drugs into the cow and it can inject stuff into the milk. Bottom right hand side is the screenshot. User ID, I want to say, with the VNC it was like all ones or all zeros or something like that. And they're all the same, because the vendor sold them and kept it simple. Yay.

And if you want to have fun with livestock, RFID and barcodes on the livestock, same kind of concept. We drove through Wyoming and my blasted RFID antennas were going nuts. I'm like, what the heck is it? Then we realized the cows are walking around with pedometers on them. And the pedometer's giving a GPS coordinate to an access database that's centrally stored in the cloud with a whole bunch of data. So we're like, hey, we can get into this. So we did. So Jesse's house in Arvada, Colorado now has about three-quarters of a million head of cattle in it. Because we keep overwriting the GPS coordinates with the coordinates of his house instead of where the cows actually are. It's fun stuff, it's easy stuff. But again, this is stuff that we should be able to fix. This is basic, simple security. This is stuff that, as a security team, we should be able to help people understand and work through. So it really isn't gonna end well because, well, this is what it is.

Now we get onto shipping. Back to that whole concept of intermodal. You know, we talk about firestorms and we talk about basically taking down the grid and we talk about all this other stuff. And yes, it's possible to take a lot of that down. Keeping it down is actually a lot harder, by the way. But let's talk about shipping. Let's talk about all the fun stuff. Again, not allowed to mess with aeroplanes, so, darn it, heck, we'll mess with ships. Four trillion dollars worth of goods across shipping. We go through 12 million, we bring in 20 million. You get the idea in pictures. The top 20 US ports are fairly large. Why do we care about this? Well, we ask the question, why do we care? This is why we care.
Because years and years ago, the connected ship was, you know, not so much. Nowadays with SATCOM, with navigation systems, with upgrades, with engine management, with predictive management and predictive maintenance on the shipping systems, so much of it is now connected. The shipping systems have more connectivity all the time. The GPS hacks we know about; we're not messing around with those ones. We leave the government to play with those ones. But part of the reason is they have rather big things to play with. And for those of us that grew up with all the Scalextric and the like, a ship is fun, it's big and you can play with it. So we decided to play with them.

This is what we found. Yay. Top right hand side, Windows 2000 Server. Chinese edition, it's a pirated copy. It was sitting on a tanker going into Adelaide, I think. Bottom right hand side, Windows Server 2003. By the way, these were done in March of this year. So not long ago, this is not old stuff. This is March of this year we did a bunch of this. We got in through the SATCOM systems, and because the SATCOM systems are doing GPS and navigation updates and we're also updating the building and the management and the maintenance stuff, it's basically a very simple handshake to get into it. What do we do when we're in? Yeah, let's scan them and let's have some fun. How many did we look at? We looked at lots. That's just some of the list. It's easy and it's simple to do. And you start taking a look at where shipping is going and how much more interconnected it is. We talk about autonomous shipping. They will go between localized ports and various other things. We talk about the transferable. It's the stuff going at all the rigs. All of this is completely interconnected. And you're like, okay, well that's cute and that's cool, I can get to a Windows interface, but what else can I get to?
So if I want a ship and I want to cause maximum disruption and I want to actually see what else I can do, the funnest thing to do would be, hey, let's stop the darn ship, because you're not stopping a ship, it's fun. But how about we go one better? If we can't make it go sideways, let's see if we can roll the damn thing over. This was the ballast control module. So this was getting into a ship, going into the RDP system of a ship and then getting into the engine and ballast maintenance module of the ship. Total time to execute, 20 minutes. Maximum damage: that was an 80,000 ton vehicle. 80,000 ton ship going into San Francisco. We caught it going into the harbor. Rolling that over in the harbor would probably have caused some fun and games. Not probably, would have gone, yell that again, let's face it. This is simple stuff. This isn't zero days or APTs or exploits or anything else. This isn't stuff that throwing more tech at it is gonna fix. These are simple things that we can all do. SE Village, it's about the humans. We need to be better at communicating these kinds of risks to all the people that we deal with and all the people that we work with.

So, quick recap. We know we can deck out IoT, fintech. Oh, how many of you guys mess around with the vehicles these days? How many of you have been down to the vehicle hacking villages? I haven't been down there yet, but some of us, Justin and a couple of us, are working on LiDAR bombs. It's gonna be fun. About twice the size of a cigarette package, placed on the side of a bridge. Both sides of a bridge puts a virtualized LiDAR barrier across the entire road, both directions. Yay! I just wanna deal with all the Teslas in San Francisco. We reckon we can get gridlock in San Francisco on, like, a Monday morning or something. So don't be surprised if that happens soon, because it's fun.

All right, some final thoughts. Let's have a wrapping up on this one so we can get everybody back on track. I love this quote.
The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy. We are there now. This isn't waiting. This isn't going, oh, we're getting there. We're here now. We have tech up the wazoo. We've got 20, 25 billion devices coming online in the next few years. We have to make a difference. We have to communicate more effectively. We have to be more inclusive. And we have a lot to do. Because quite honestly, this should be the future. There are ways to work effectively with the technology. However, we don't work with the technology. This is kind of where we're going to end up, unfortunately. It's a mess.

So I will leave with a final thought. I put this up on LinkedIn a couple of months ago, whenever it was, and it got some crazy amount of hits on it, but it's very true. I do a lot of work with the Guard. I do a bunch of work with the government. We do a lot of stuff with the civilian side of the world with Larris. I, as an individual, am going to fail. It's as simple as that. We collectively can be so much stronger together. So my plea is, every single person here, get out there, spread the word and help everybody understand our realm. Next time when you bring a friend to DEF CON, bring somebody who's not even in the industry. Bring the accountant. Bring the, don't bring the lawyer, actually. Please. Bring somebody, bring family, bring friends, but bring somebody who's not in the industry. Because the word's got to spread. It's as simple as that. I would like us not to go off the edge of the cliff backwards, and the only way that's going to happen is if we all stand up and have a single voice. So with that, as always, Douglas Adams. So long and thanks for all the fish. Everybody, thank you very, very, very much.

A final tally. 120. Oh, shh, 120. Don't let go the heck. He actually did good, didn't he?
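Editor's added example, not part of the talk or the speaker's own tooling. The recurring point above is that organizations buy endpoint protection without knowing where their endpoints are, and that the rail yards, milking robots and ships were found because nobody was looking at what was actually on the network. The script below is one way to "get the eyes on the inside": it reconciles an asset register against what the network itself reports, flagging devices that are on the wire but not in the inventory (the raspberry pi nobody registered) and inventory entries that never show up (a "decommissioned" box still on the books). All hosts, MACs, lease blocks and ARP lines are constructed sample data; the lease and ARP formats assumed are ISC dhcpd's leases file and Linux `arp -a` output, with MAC normalization covering colon, dash and Cisco dotted notation.

```python
"""Reconcile an asset register against DHCP leases and an ARP table.
Added example with constructed data; not from the talk."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# --- Constructed sample inputs (no real hosts) ---------------------------
INVENTORY_CSV = """\
mac,hostname,owner
00:11:22:33:44:01,laptop-alice,alice
00:11:22:33:44:02,laptop-bob,bob
00:11:22:33:44:03,printer-2f,facilities
00:11:22:33:44:09,decommissioned-nas,storage
"""

DHCPD_LEASES = """\
lease 10.0.5.21 {
  starts 4 2018/08/09 12:00:00;
  hardware ethernet 00:11:22:33:44:01;
  client-hostname "laptop-alice";
}
lease 10.0.5.22 {
  hardware ethernet 00:11:22:33:44:02;
  client-hostname "laptop-bob";
}
lease 10.0.5.77 {
  hardware ethernet 02:42:ac:11:00:05;
  client-hostname "raspberrypi";
}
"""

ARP_TABLE = """\
printer-2f (10.0.5.30) at 00:11:22:33:44:03 [ether] on eth0
? (10.0.5.99) at 00:50:56:ab:cd:ef [ether] on eth0
? (10.0.5.77) at 02:42:ac:11:00:05 [ether] on eth0
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:.-]+)\s*;")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;')
ARP_RE = re.compile(r"^(\S+)\s+\((\S+)\)\s+at\s+([0-9a-fA-F:.-]+)", re.M)


@dataclass
class Observed:
    mac: str
    ip: str
    hostname: str
    sources: set  # which data sources saw this MAC


def normalize_mac(raw: str) -> str:
    """Accept 00:11:..., 00-11-..., or 0011.2233.4401; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_inventory(csv_text: str) -> dict:
    """CSV with header mac,hostname,owner -> {mac: row}."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def parse_dhcpd_leases(text: str) -> dict:
    seen = {}
    for ip, body in LEASE_RE.findall(text):
        hw = HW_RE.search(body)
        if hw is None:  # lease block without a hardware line: nothing to key on
            continue
        host = HOST_RE.search(body)
        mac = normalize_mac(hw.group(1))
        seen[mac] = Observed(mac, str(ipaddress.ip_address(ip)),
                             host.group(1) if host else "", {"dhcp"})
    return seen


def parse_arp(text: str) -> dict:
    seen = {}
    for host, ip, mac in ARP_RE.findall(text):
        mac = normalize_mac(mac)
        seen[mac] = Observed(mac, str(ipaddress.ip_address(ip)),
                             "" if host == "?" else host, {"arp"})
    return seen


def merge_observations(*sources: dict) -> dict:
    """Union several {mac: Observed} maps, keeping the first non-empty hostname."""
    merged = {}
    for src in sources:
        for mac, obs in src.items():
            if mac in merged:
                merged[mac].sources |= obs.sources
                merged[mac].hostname = merged[mac].hostname or obs.hostname
            else:
                merged[mac] = Observed(obs.mac, obs.ip, obs.hostname, set(obs.sources))
    return merged


def reconcile(inventory: dict, observed: dict) -> dict:
    """unknown = on the wire but not registered; unseen = registered but not on the wire."""
    return {
        "unknown": sorted(m for m in observed if m not in inventory),
        "unseen": sorted(m for m in inventory if m not in observed),
        "matched": sorted(m for m in observed if m in inventory),
    }


def run_example():
    inventory = parse_inventory(INVENTORY_CSV)
    observed = merge_observations(parse_dhcpd_leases(DHCPD_LEASES), parse_arp(ARP_TABLE))
    return inventory, observed, reconcile(inventory, observed)


if __name__ == "__main__":
    inventory, observed, report = run_example()
    for mac in report["unknown"]:
        o = observed[mac]
        print(f"UNKNOWN {mac} {o.ip:<12} {o.hostname or '-':<14} via {','.join(sorted(o.sources))}")
    for mac in report["unseen"]:
        print(f"UNSEEN  {mac} {inventory[mac]['hostname']} (owner {inventory[mac]['owner']})")
    print(f"{len(report['matched'])} inventory entries confirmed on the network")
```

In practice the three inputs come from the DHCP server's leases file, the gateway's ARP/neighbour table (or switch MAC tables), and whatever the CMDB exports; the "unknown" list is the one to chase first, since an unregistered device with a management service facing the network is exactly the kind of thing the talk keeps finding.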