CSIRT.global: if you love the internet, we need your help. The internet is in a downward spiral, and there's a community to help with that. With me on stage is Eward Driehuis, who is the global chairman of CSIRT.global, and he will now take the stage. Please give him a round of applause.

Thank you very much. On this wonderful evening I will make it quick tonight, so thank you very much for being here. I want to introduce you to CSIRT.global. It is a new foundation, and we want to explain what we're doing, why we're doing it, why we believe that this is an important job, and that we want to ask you for help as well.

So first let me introduce myself nicely. I have been on computers since 1985. I was quite young back then, so I had a C64 back then; my first PC in 1991; I fried my first mainboard shortly after that, and started working in 1996. Now, this all is a tremendously long time ago, but what this means for me is that I was here in computer science and computer security since before the internet came about, and I love the internet. You know, the reason why I'm here, I believe, is also that I love the internet very, very much. So from the 90s I worked for various companies, and I actually started doing volunteer work at DIVD in 2021. Shortly after, Victor Gevers, one of the founders of the DIVD, asked us, asked me, to start CSIRT.global, which is in essence an organization wanting to do the same things as the DIVD does, but then internationally. A tremendous honor for me; how could I say no? I didn't, and I'm here today.

What I want to talk to you about today, a very simple story really, is this: as much as I love the internet, the internet has a lot of problems. I think the internet is in dire straits. A group of volunteers, and many of them are here today in the front row (hello!), are trying to do something about this, and they are tremendously successful. I'm very proud to be working with them. But there is a problem, because many times they not only do research and find vulnerabilities, they even scan the entire internet
and find where those problems actually are. But is that enough? That is often not enough, sadly, and this is where CSIRT.global comes in. We try to take those findings and take them across the home straight, because only knowing where it is and what the problem is, is not enough. You need to find an owner for a problem who's willing to solve it, because if you don't, the problem is still there. And that requires a lot of work, and that's what we are here for.

Let me first start with what I believe are the biggest problems on the internet. I believe we have TTL problems, and it's not the TTL you might know; it is a different kind of TTL. The first T stands for tech. The internet was created by nice old wonderful scientists, confused old scientists maybe, who built this solely on trust, and that is fantastic. But once there are people on that same network that we don't trust, there's no technology to actively counter that. The internet has been suffering from that, building on trust and that old-school technology, ever into the 2020s. Now, we all know the symptoms of this. We all know we run IPv4 when IPv6 has already been available for decades and is hypothetically way more secure, at least much more difficult to scan, but we don't use it. And a lot of the software that we use on the internet is built by for-profit organizations with managers and deadlines, time crunches. Software supply chains are a mess: even if you know what kind of software you use, you don't know what's in it, etc. etc. And this means that, for example, at the end of June when I checked the CVE database, there were 22,992 of them in there, and 147 of them at a score of nine or higher, which means we need to do something, essentially right now. So add this to the fact that scanning the internet takes a motivated individual about three hours nowadays; you know, the internet is not that big, if you consider it. And whenever something happens, like Exchange vulnerabilities or whatever, more than a hundred individual groups start scanning and are in a
rat race, both the good guys and the bad guys, trying to out-scan each other in order to find the problems. The bad guys want to misuse them, the good guys want to disclose them. So the internet has technology problems.

The second problem I believe is there on the internet is trust. There is either too much or too little trust, but there is seldom the right amount of trust at the right time, and this is a problem too; at least, this is a problem for us. So look at these three little photographs I'm showing you here. We have Google, we have solar cells, and we have a hacker defacing my website back in 2007. Who of these three, you reckon, wanted to help me? Are you right? It's not the first two. The first two we know now, right? There's a lot of trust by the general public in all kinds of technology, big tech. We all trust Google; we point our DNS servers to 8.8.8.8. We trust our solar suppliers, and we trust our apps. As DIVD disclosed, not always a smart thing to do, but what else can you do? And as a matter of fact, this first gentleman that defaced my website back in 2007, he left a little message where he could be reached on Jabber. So I did; I contacted him, and it was a Brazilian gentleman, and he told me what was going on. He told me that I had a vulnerability in my OpenSSL implementation in my Apache web server. So it's sometimes not always obvious who you trust or who you can trust. I understand that very well, but one thing that's absolutely true: there is seldom the right kind of trust at the right time in the right process. So trust is a big problem.

And then the third TTL problem, the L, is law. Lawmakers don't help us a lot. They are lagging by at least 10 years, and they're pretending like the internet, which is this big, big, giant global community, is not. It's very difficult to geofence the internet, but they still try to, and they're running their laws and they're building their laws and they're building their alliances based on borders, and this seldom aligns well with something
as fluid and transparent as the internet. Big tech now have more power and leverage than governments, and you can say, well, you know, why should I care? Well, they don't have a seat in the United Nations (maybe they should have, but they don't), they make their decisions without a lot of checks and balances, and these decisions impact us. And coordinated vulnerability disclosure (there are so many of them) is treated super differently across all of the globe. So I pulled a news item from the internet. This says: the Department of Justice will no longer prosecute ethical hackers who try to test security. What do you reckon is the date of this news item? What do you think? This is a US news item. How old is it? Five years? Ten years? How about five weeks. Only five weeks ago they proposed a law where ethical hackers could not be prosecuted, and this is how vastly differently ethical hacking and coordinated vulnerability disclosure are treated all over the world. And that means if we want to scale this process globally, we need to deal with different kinds of laws and jurisdictions, and that means that someone is gonna need to do a heck of a lot of boring work. But by golly, we need to do it, otherwise this global process will not kick off.

In essence, no one is responsible. Many organizations take part of the responsibility, but no one is responsible. There is no one responsible for the internet. So the only thing you can do is take a little bit of responsibility in areas where you believe you can make a difference. And in 2019 a group of Dutch volunteers, I probably don't need to tell you who they are, but they're the Dutch Institute for Vulnerability Disclosure, led by Victor Gevers and wonderful other people such as Astrid Oosenbrug, Chris van 't Hof and many others. They do fantastic work; I'm very proud to volunteer with them today. They do fantastic research. There are two outstanding processes, I would say. One is research: their capability to find and feel what is making a difference in technology
today and dive into it, like the solar panels. This is super, super relevant, because in large parts of the world there is a war going on which is impacting energy consumption globally. Everyone wants to dive into solar cells, but now we know that this isn't always without risk for the end user. Kaseya is another prime example, where they felt something wasn't quite right. They thought: maybe those MSPs, some of them very small, were using this software to manage their many customers, gaining direct access to their customers' premises and doing all kinds of administrative tasks. Now of course, when they found it was very much broken and there were a lot of leaks in there, this was a huge, huge thing. So they do fantastic research, and they're going to keep doing that, and CSIRT.global is going to benefit from that as well. But the second thing that they do very, very well: they are one of those more than a hundred organizations that scan the internet within three hours after something is happening. They not only scan, but the results then also get aggregated and run through an inform process. So what they do, essentially, is send abuse emails, and it is wonderful that they're doing that. They don't need to do that, but they do, because they're just wonderful people; they want to take responsibility, and they do it very, very well. But informing can be very frustrating, which is why I created a little graph for you. This graph shows you the measured response. For example, I think with Exchange we sent something like 40,000 emails to abuse email addresses, or addresses we got out of the security.txt, and this is the measured response: about 1 in 200 emails got a response saying, oh wonderful, thank you so much, we love your work, keep it going. Another 1 in 200 said, go away, you're trying to sell me something, or, I'll call my lawyer if you don't stop hacking me. The other 99%: silence or bounces. But that's how hard it is. If you want to automate your warnings, which are fair and coming from a
good heart, people should heed the warnings; at the same time, they don't. So informing can be frustrating, and this is why we need to be global, because if people don't respond and they don't act on what we can tell them, the problem is still there; the internet is still vulnerable. Speed is security, and in order to be more speedy we need to build two global things. The first is trust, and the second is an understanding of law and acting according to local ethics. And trust we believe we can build with our chapter structure. It's there to respect and understand and adapt to local culture, and we aim to build chapters wherever they are needed and allow people to work under the same principles, the same code of conduct and the same values as the DIVD, but do it internationally within a certain geographical area. But we also need sector access, because every now and then taking a vertical slice from a cake will yield you way more surface than a horizontal slice. So: building bridges to the sectors that need us most. And finally we need to build relations with people that can endorse us. We should not underestimate, for example, how important it was, especially in the beginning, when you got a scanning email from the DIVD and people were asking, who are these guys sending me all these emails about hacking and all that kind of stuff, when the government could tell them: no, you can trust these people; you know, we have absolutely nothing to do with them, but we know them, you can trust them. So these endorsements, and building this trust, and having someone who will vouch for us: we need to find them as well, and in that way we can start filling in the little areas on the globe.

So in readying for the future, the DIVD board had a very forward-thinking plan, and they split up the initial foundation into several foundations. I think I'm even missing two: I think I'm missing a club, and I'm missing maybe another one, but these are essentially the new foundations that are going to do it. The DIVD will still
be there for the research and its kind of inform process, and CSIRT.global will be the organization responsible to take it internationally. And then we have of course wonderful new additions like the DIVD Academy and the fund, from where we can fund wonderful new forward-thinking projects, and within CSIRT.global, so this is our responsibility, this is how building this network works.

So imagine there is a severe vulnerability. Let's just say it's already out there; it has a CVE number, it's in the press, whatever. So the first thing we do is we find out if it's scannable. If it's scannable, we do quick research, we create scripts, and we start scanning the entire IPv4 space. That's done pretty fast, because there's only 4.29 billion IP addresses, which is not a lot really, not with our infrastructure. And then we try to map the results, where we get positive ones, to automated emails. These emails then, as we can see in the graph, are ignored, right? And this is where CSIRT.global comes in. We take the extra effort: geographically, we send it to our chapter structure to start spreading it locally in individual geographical regions, and we take it through our partnerships into different sectors. For example, it could be we have been making friends with the MSP space, we have been making friends with the NGO space, and these affected parties then may even call their CERT, their local CERT, saying, hey, who are these guys? And they will then tell them, oh, you can trust CSIRT.global, these are good people, you can trust their work. Then more vulnerabilities are mitigated, and faster as well. This is essentially the design that we want to do, and it will make sure that the giant, giant checkerboard that we're trying to fill, which is the world relevant to IPv4 space, gets covered with chapters and with sectors, and we won't rest until we cover the entire checkerboard that is the world, which is 200 countries and Lord knows how many sectors. But building a global trusted CSIRT network is hard. We've been
working quite hard at it. We're actually very proud: we have started our first chapter in the UK. But we need of course help, and this is where you come in. You get something as well, because I can tell you from experience, the experience of working with these talented and passionate people is something that will be very, very good for your soul, and I can recommend it to anyone. But you will also meet new international friends and you will get support, and they will definitely help you be a better person and a better professional. This is the promise that CSIRT.global will make you. But what we ask is people who believe in making the world a better place, willingness to invest time to fill that darn matrix with us, and we need people to agree with our core values and code of conduct. That's very important, but essentially we need to conquer the world, we need to do it side by side, and we can't have differences about how we do it. So if this piques your interest, there are many people you can get in touch with. You can get in touch with Vincent Lennart, Marielle Charest, Wietze, myself, any DIVD member, and a lot of them are sitting here; those are the people with the black shirts with the yellow logo on top. They can refer you as well. I want to do a big shout-out to our co-founder Victor. I hope many people know why; don't call him, wait a little bit until you do that. But let's all do a big shout-out to Victor, because he's essentially the reason that many of us are here. And I want to do a big shout-out to our UK chapter leads Scott Magridi, Gerard and Dave: welcome on board, guys, we are so happy to have you, and I will see you in a few weeks. And our supervisory board, that's Ronald Prins, Marco Bargmeier, Michiel Prins and of course Edwin van Andel. So all of these people are pivotal in what we do. So give them a ring, give me a ring, if you want to see how you can help. Thank you very much for your attention, and I hope you have a wonderful MCH.

So we do have some time left
for questions. If anyone has a question, please line up at the microphone in the middle; stand close to it so that we can hear you. Microphone in the front, please.

Thank you for the wonderful work. One question regarding contacting abuse contacts: do you just email abuse@domain, or do you check RIR databases for the abuse contact for the IP address space, like ARIN, APNIC, RIPE?

This is actually a question I can better refer right now to DIVD; I do that, I don't make costs for it. Do you want to take that question? Then you come to this. You want to take that question? Thanks. Lennart, you can have my microphone.

So in contacting people we use various ways to track down contact information. Abuse information for an IP block is one, but preferably a last resort. If you have a domain name, from a certificate or something, we can of course mail info@, security@ etc. at the domain. If they have a website we can scrape it for security.txt or some kind of privacy contact, and those are the various ways we try to get in contact.

Great, thanks. Another question is regarding threat intel, like how do you prioritize the CVEs? If, for example, a nation state is after one CVE, do you go after that, or is there any kind of protection?

Yeah, yeah. So we look generally at risk, at the highest amount of risk to the largest group of people. We try also to be as apolitical as we can in our decision-making, so that's typically where we look at. So it is a little bit of an art, if you will. It's super difficult: if you look at CVEs, you know, the first two pages, all of them have scored 10, right? So where do you start? And this is really where the art comes in. Sometimes there's a lot of work being done already by vendors, you know, they're on top of it, they really know what they're doing; you know, even though it's super bad, let them have at it. And sometimes it's something that we think, well, we think people are really underestimating this one, so
we'll invest the effort there. It is not, yeah. Thank you.

Are there any more questions? If that is not the case, then I would like to thank you for your talk and your work. It was really interesting and great; good job. So give a nice round of applause please. Thank you.
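The first Q&A answer describes an order of preference for finding someone to notify about a scan finding: a security.txt (or similar) contact on the website first, then role mailboxes at a domain taken from the certificate, and the RIR abuse contact for the IP block only as a last resort. The script below is an added example of that ordering, written for this page; it is not DIVD or CSIRT.global code and does no network lookups. It parses the Contact and Expires fields of a security.txt file (RFC 9116), drops a file that is past its expiry date, and builds a de-duplicated notification list. The role-mailbox order (security, abuse, info), the constructed sample file and the constructed addresses are assumptions of this example.

```python
"""Prioritise notification contacts for a scan finding.

Added example, not DIVD or CSIRT.global code. The order mirrors the Q&A
answer: website security.txt contact first, then role mailboxes at the
domain, then the RIR abuse contact for the IP block as a last resort.
All inputs here are constructed; nothing is fetched from the network.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumed order of role mailboxes to try at a domain (not from the talk).
ROLE_MAILBOXES = ("security", "abuse", "info")


@dataclass
class SecurityTxt:
    contacts: List[str]            # Contact values in file order (RFC 9116: order of preference)
    expires: Optional[datetime]    # parsed Expires field, timezone-aware, or None if absent


def parse_security_txt(text: str) -> SecurityTxt:
    """Parse the Contact and Expires fields of a security.txt body."""
    contacts: List[str] = []
    expires: Optional[datetime] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue                       # blank lines, comments, malformed lines
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "contact" and value:
            contacts.append(value)
        elif key == "expires" and value:
            try:
                # RFC 3339 timestamp; "Z" is spelled out so older Pythons accept it
                stamp = datetime.fromisoformat(value.upper().replace("Z", "+00:00"))
                if stamp.tzinfo is None:   # naive timestamp: assume UTC
                    stamp = stamp.replace(tzinfo=timezone.utc)
                expires = stamp
            except ValueError:
                pass                       # unparseable Expires is treated as absent
    return SecurityTxt(contacts, expires)


def _normalize(contact: str) -> str:
    """Turn mailto: URIs into bare addresses so they de-duplicate against role mailboxes."""
    if contact.lower().startswith("mailto:"):
        return contact[len("mailto:"):].split("?", 1)[0].lower()
    return contact


def notification_contacts(domain: Optional[str], security_txt: Optional[str],
                          rir_abuse: Optional[str], now: datetime) -> List[Tuple[str, str]]:
    """Return an ordered, de-duplicated list of (source, contact) pairs to notify.

    A security.txt past its Expires date is ignored, as RFC 9116 says a stale
    file must not be relied upon. A missing Expires is tolerated here
    (assumption; the RFC requires the field).
    """
    ordered: List[Tuple[str, str]] = []
    seen = set()

    def add(source: str, contact: str) -> None:
        if contact.lower() not in seen:
            seen.add(contact.lower())
            ordered.append((source, contact))

    if security_txt is not None:
        parsed = parse_security_txt(security_txt)
        if parsed.expires is None or parsed.expires > now:
            for contact in parsed.contacts:
                add("security.txt", _normalize(contact))
    if domain:
        for mailbox in ROLE_MAILBOXES:
            add("role-mailbox", f"{mailbox}@{domain.lower()}")
    if rir_abuse:
        add("rir-abuse", rir_abuse.lower())
    return ordered


# Constructed sample inputs (not real organisations or addresses).
SAMPLE_SECURITY_TXT = """\
# constructed example of /.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/.well-known/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, nl
"""
EXPIRED_SECURITY_TXT = SAMPLE_SECURITY_TXT.replace("2030-01-01", "2021-01-01")
NOW = datetime(2022, 7, 23, tzinfo=timezone.utc)

if __name__ == "__main__":
    for source, contact in notification_contacts("example.com", SAMPLE_SECURITY_TXT,
                                                 "abuse@isp.example", NOW):
        print(f"{source:14} {contact}")
```

Running the script prints the security.txt contacts first, then the remaining role mailboxes, and the RIR abuse address last; with the expired variant the security.txt entries disappear and the role mailboxes move to the top.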