This is Internet Wars 2008. You might be expecting Gadi Evron, but, well, he flaked. So I got sucked into doing this, so my name is, actually, hold on. You can look at your own screen. Well, I wanted to make sure. I don't know. My name is John Ives. I work at UC Berkeley. I do IDS. So I'm looking at high-speed IDS sort of work. We have a panel discussion here today with a few people. So I'm going to start off with Marcus over here. Actually, no, before I start off, me is me in the room. Do you want to come on up here? Come on! Come on! Come on up here. Actually, there are a couple other people who are also interested. Bruce Potter at one point. Is he around? Jay Beale. Come on. You said you were going to be here. Okay. That's great. Marcus, why don't you introduce yourself? Hey, Waking Grant Clarence is right here. Just come on up. You're done. Marcus Sachs, I run the Internet Storm Center. Adrien de Beaupré, I work with Marcus at the Internet Storm Center. Louder. How do you go? Adrien de Beaupré, I work with Marcus at the Internet Storm Center, and I'm a Canadian. So please excuse my horrible accent. He's a socialist, right? Aren't we all? These days, yeah. Don Blumenthal, I'm an attorney. I used to be at the Federal Trade Commission. And over here on this side. Nick Weaver, I'm a researcher at ICSI, and just general eyes in the cloud academics. So of what I say, 90% of it is wrong. I've read actually some of your papers, so you're not actually that bad. Okay, 89% of it is wrong. There you go. So since Gadi gave me absolutely nothing to really go on, we're kind of throwing this together as we go. So I screwed up this slide. Let me get it all out. The idea was we were supposed to talk about global operations and what's happening now. Well, that's Gadi's specialty. My specialty is looking at packets. So we're going to talk off. I'm going to mention a couple of things that are happening in the global space that people might be interested in.
Recently, in the last couple of days, there's been a lot of blog traffic about some Russia versus Georgia cyber war. So far it hasn't reached the level... Dan, come on up. I've got beer. So as I was saying, so far it hasn't reached quite the Estonia level yet, but it's still out there. Last year, Pakistan tried to use BGP routing to steal YouTube. They didn't really like some of the content. That didn't work out so well for them because they couldn't handle the bandwidth. Self-DoS. Supply chain. At Christmas, you might have noticed that there were like picture frames with viruses on them already. That's an interesting method of attack. I mean, it's not something that we spend a lot of time thinking about. Here we have Jay Beale. And then right now with the Olympics going on, China has traditionally blocked a lot of stuff. So for this, I'm going to do the shout-out to Tor and the EFF people. Awesome product. You note, however, Tor can't be that significant because they aren't reset-injecting Tor, because Tor is still over TCP and therefore vulnerable to reset injection. So I don't know if it's a good thing or a bad thing that the Chinese actually don't care about Tor. True. I mean, the amount of bandwidth actually going over Tor is kind of weak. Nothing says this guy is interesting like using Tor. Or nothing says this guy is just pirating stuff over BitTorrent like using Tor. So since Gadi gave me nothing to go on, I'm going to rant for a couple of minutes about things I see going wrong on the Internet. And then I'll talk about a couple things that are actually looking kind of nice. So first of all, the attackers are everywhere. Yeah, like this is a surprise. Patch cycle. Jay Beale was talking about it yesterday and some today. You know, it takes some companies ages to get out a patch, but if you talk to like HD Moore and the Metasploit people, they'll have an exploit out in hours.
There's a problem here because we're not going to be able to protect people if we don't patch them. I mean, we have a fix. We have it. Deploy the damn thing. Poor crypto implementation. Debian people. Infrastructure attacks. DNS. And BGP. Track 4. Blackpock. Looks like an awesome one. SQL injection. You know, damn it. Validate your inputs. You know, everything's there. The libraries are there. Distributed brute-force attacks. You know what's the problem with this? We're still using passwords for everything. I mean, we've known passwords are bad since, well, let's see, WarGames. That's what, in 1983, I think, 84. I have a real problem with the black box mentality. I'm running antivirus, so I'm safe. Bullshit. But we're spending so much money. Money equals works. Blinky lights are good, too. You have lots of blinky lights? Must have the blinky lights. That's the problem with the AV. It doesn't have enough blinky lights. That's why it's not catching everything. Oh, and the more annoying dialog boxes you have, the more secure your system is. I've been doing some work on, like, IDS-assisted honey clients. I've been working on this concept recently. And you upload stuff to like VirusTotal after you find it. It's amazing how few places find it. And I take that same EXE a week later. Still, only four places and four things can find it. I can actually look at the code and say, yeah, that's a problem. You should have figured this out long ago. Niels Provos at Google does studies of malware on the net, of the stuff he finds. He has this graph of three antivirus products. One of them, that unfortunately he doesn't say which because of the corporate lawyers, only detects 30% of the malcode he finds. And the best only detects 80. Phishing, targeted phishing, yeah, yeah. We all know that. Final one. Problem exists between keyboard and chair. It's the luser error. We're going to fix that. We're all human. Our users are human.
Some of them are smarter humans than others, but that's the way it is. May I recommend a Stanley FuBar? It's the universal user fix-it tool. Okay, so I've... Now I'm going to talk about what I think is going right. I struggled with this slide for hours. And hours. At two o'clock this morning, I had this on the screen. That's what I had. Okay, so I came up with... We're sharing more. More than we ever have before. We're still not sharing enough, but it's a step in the right direction. We teach our children to share. Yeah, but they forget... And then they grow up and become teenagers, and they try to share. And we tell them, little Johnny, you can't share. Well, the motion picture industry will come and drag your little ass into jail. But yet we still share. Sharing is good. Yes. That was funny. That's a good point. But yeah, I think honestly, actually... I'll just go off on this one thing. But sharing is really nice. Actually, this is one of the things... We still have disclosure debates. We still have... That's great. I think one of the nice things, though, and one of the themes that a bunch of us have been trying to bring to this conference, is we've got to keep talking. We've got to keep talking about everything, because we find... A lot of us have all been finding weaknesses in applications. We've been finding weaknesses in the Internet. We've been finding weaknesses... If we listen to this guy in the leather jacket here, we find weaknesses in the fundamental glue of the Internet. Whether you call that DNS or you call that BGP and so on. And a lot... Sometimes nothing happens to get people to understand. We don't get people in our own industry to understand. We don't get the IT people. We don't get the users to understand. Well, maybe we give up on the users, but we don't get even ourselves to even take something as seriously as it should be taken, or really think, or even take a quick look. And I think one of the biggest things we can do is talk to each other.
Talk to somebody else about what you're seeing, what you're finding, what's weird. Somebody may say, hey, that's... No, that's just fine. You're stupid. You're getting some of the greatest ideas kind of just talking to lots of different people and seeing what happens. Take a drink. Get over on Twitter and just start sharing; it's a whole lot easier. Open source tools. I love open source. The problem we're having is that everybody's inventing the same thing over again. And there are so many open source tools. Finding the right one. We're almost getting inundated with them to the point that it's hard to figure out which one you need. That one, but I still love the open source stuff. I love OSSEC. God, I use that one a lot. IPv6 adoption. This one's going slow, but it actually is moving now. The last FreeBSD box I set up, I actually did it over IPv6. It was great because there's nobody using that damn site. So it came down really quick. So what does IPv6 have anything to do with security, out of curiosity? Isn't there a website on v6 that's got all the porn for free? But you have to be on v6 to get it. Never mind. It sounds awesome. Yes. And finally, more people are aware. Now, are they making good decisions? I think we'll have to wait and see on that one. But if people are more aware, they're actually making an effort. Is it the right effort? At this point... I would add one more thing. The attackers, the big-scale attackers, have been not very creative and not very ambitious. Thank God, because the Storm guys, if they really wanted to do something interesting, could totally rip us a new one. But, well, they haven't yet. No. No. Ripping us a new one is not profitable. Look, the bottom line is if you break too much stuff, it just makes the security industry more money, more resources, more defenses. Don't break things. Just silently screw with stuff and it'll go on day, after month, after year.
Unless, of course, you work for a security company, in which case big noisy worms that include strings like "insert witty comment here", attacking your competitor's intrusion detection systems, might be a good idea. Who would do that? Yeah, that's actually a point I made in my talk to make, everywhere, is listen, if you're going to man-in-the-middle my stuff, would you please make sure to actually fulfill your full responsibility, man-in-the-middle it, send it to where its real destination is. I come to these conferences and, like, you know, some punk kid is, you know, ARP spoofing the router, but he's not actually routing, which means he's not getting most of my good stuff, but he's also really pissing me off. You know, just route my traffic, let it get there, and that'll be fun. But no, as Dan points out, really hardcore, there's so much we don't know that's going on because it's not all stupid and, you know, it's not all stupid and huge and non-subtle. And I think that's one of the things that we keep getting wrong in the security community at large. We keep forgetting that just because we haven't seen it doesn't mean it's not happening. In fact, if you look at your outbound flows, if 90% of them are encrypted and they're heading to a country, there's probably a problem there. Or one that I have heard of. Well, we won't go down that, well, we'll go down that road. Let's go down that road, yeah. What country have you heard of, Jay? Well, it turns out I had a public school education, so not that many. But the letters R U and C N are really, really interesting ones, and there's so many more. And C N is short for Canada, right? It is, it is. Absolutely. Don't mess with Liechtenstein. They'll cut you. And the Vatican, they'll send your packets to hell. So at this point we need some people to ask questions. You have a really good question, you'll get a beer. So come on, come on up.
One thing is you're going to have to be loud, because we didn't get speakers, we didn't get microphones for questions. What's wrong with the current one? Question to be repeated was: what about Internet2? When I hear Internet2, I think of Chris Abad's Web 4.0, The Internet Without Idiots. It's a glorious dream but it ain't reality. Or the other way is Internet2 is a way for us wild-haired academics to get a lot more bandwidth so we can get our porn faster. Optimized porn sharing. Whoever decided to re-brand high-speed networking, like more cables, more fiber, as Internet2. Brilliant. And then there's the LambdaRail. Are your bits going down a LambdaRail? And don't forget GENI. The ultimate place to hide your stash. So, more questions. Question was: what are we going to do about telecommunication companies who claim that we have reached peak bandwidth? Guys? Switch providers? I hate to say this, but they are somewhat right for the cables that exist between them and your house, so go with FiOS and pull new wire and accept that it costs money. If you can't make money making the Internet faster, hey, maybe you can make money making the Internet slower. Oh, and even if you do have a lot of bandwidth, bill by the bit very early on, because every ISP is either a telco that wants to be a cable company or a cable company that wants to be a telco, and the biggest source of the bandwidth coming down the pipe is video, which is competing with your pay-per-view services. Next question. Way back there. Stand up, and if you can come forward that would be great. The question is research on the Storm botnet. There's been two big groups academically on it. San Diego and ICSI is one of them, and the other one is, I can't remember which. Look at the papers in LEET. There's basically, there are multiple groups of researchers inside the Storm botnet's control network that they're looking out its mouth.
There's another upcoming paper in CCS on the topic, so there's a lot of academic things on the Storm botnet control system and deeply understanding it, but it shows you how little the Storm authors care about it, in that they haven't done anything about it yet, and we poor academics are constrained because, yes, we could send out a command and make the Storm botnet evaporate into the ether, but doing so would get us thrown in jail. Right up here. One of the biggest parts of my job is interfacing with the general public, and I'm wondering how you would take your concerns and the concerns of this conference and explain them in a way that can be understood by the general public, to where they demand more of their providers and get them to do the right thing. Well, similar to the issues between Canadians speaking with Americans and vice versa, I think that people who speak tech, or even worse, security geeks, we don't speak a language that business people or politicians understand, and vice versa, we don't understand them really. When they speak that legalese nonsense it's totally Greek to me, so the inability to communicate is just extreme and it's not going to go away anytime soon. I would like to hope it's doable, but we're geeks, we're all borderline Asperger's syndrome, some of us not so borderline. So I might have been doing some outreach lately. Um, it's actually very interesting. I mean, as security professionals we have asks, we have ways that we want the world to work, and we want ultimately other people to implement our desires. Look, if the number of hours in terms of getting what I want, if I spent 0.001% of the total hours, was me, that'd be shocking.
Most of everything that I've gotten has been the work of other people, and if you actually want to have an impact on the real world, it's not about talking to your peers, it's not about high fives and cool stuff, it's about, hey, we as the security community believe that there is something that you might be interested in, and, um, it's hard, maybe it even gets you some crap, but if you want results, outreach is as much a duty as it is a task to be performed. Consumer ed is a big piece of the process, and there are people who specialize in dumbing things down if you're talking about consumers, and there are people who specialize in getting people together to develop things such as enterprise security plans. There aren't enough of them, and there are not too many people who talk at cross purposes still, but, um, it's a growing field and I think it's actually accomplishing some things, at least in my small part of the world around Ann Arbor. The problem that we're having is that we create the plans, we create the policies, but nobody's listening to them. I mean, it doesn't matter who we're talking to, we're talking to the geeks but they're not listening. We've told them so much over the years that they've just started tuning us out, so I think the problem that we're going to have to encounter, we're going to have to deal with, is refining what is the stuff that they absolutely need to know, because they have an attention span of 10 seconds, and we need to actually get down to the place that we can give them: this is exactly what you need to know, click the one that says update. Well, from experience for multiple clients and corporations, agencies, basically I tell them one thing that makes them listen: lawsuit. You're going to be sued, your data is posted on the site, or your data has been circumvented or been accessed by unauthorized people. Bottom line is they actually listen. Oh, by the way, we could be sued for this; you can see how fast they actually react to that. So hang on. Outreach is not about necessarily
threatening people. Outreach is about communication, about shared desires and shared customers. If you just run up to people and say I'm going to kick your ass, whether it's true or not, and we seem to be pretty good at making it true, that's not necessarily the best way to say hello to someone. I mean, at least give people a chance to ignore you, especially if it's someone or an organization that has never worked with the security community. I mean, I want you guys to realize how bizarre it is to be approached by someone and say, hi, I know you're not paying me, but I've done some work that you would normally pay people to do, and pay them a lot of money, and you now have to do a bunch of things, but I'm not a customer and I'm not anyone that would ever be a customer, do what I say or else. Let me tell you one more thing we need to fix, and this is on all of us. We as a community, security professionals, you get the business folks, those who don't understand where we're coming from, they hear 15 different opinions about what's happening. Think about when Dan put his patches out back a month or so ago. Immediately, right inside our little world, media's running stories all over the place. Who do you believe, who's telling the truth? If something comes out in the healthcare world like SARS, the stories are pretty much agreed upon; the medical community gets their act together before they go public. We've got to figure out how to get our act together in one voice, then we can begin attacking those who don't understand what we're talking about, but as long as we're in chaos I don't think there's any way that they're going to understand what we're trying to say, the message that we're putting across. Right up here, yeah. Grab the mic. I've got two points to make against that. The first one is that there is a step beyond outreach, which is actually doing it yourself rather than just going to people and saying, oh, you need to do this. You actually either join them. I've done that myself in various
capacities, and you know you don't get as much air time, you don't get in newspapers, but you actually get a lot more done. The second thing is more around what a lot of the security people seem to be doing these days, which is banging on about the problems, and I think that a lot of security people, yeah, fair enough to find a problem, they should be fixing it. They should be coming out and saying here's the fix, here's the patch, rather than just basically saying we've notified Microsoft, we've notified all these people. They should be partnering more, working with people to make sure that they're not just chatting about problems, they're actually fixing them. I have a campus of 40,000 IPs at any given moment and about 50,000 users. It's a little hard to actually come out there and fix the problem for them, so it's like we need to get a clear, that's why we need clear, concise instructions, and we need to give it to them in a way that isn't "you have to do this or you're going to get hurt", it's "you want to do this", because it's the mentality that you project. You want to make it so that they want to do it. The problem is, even when it's easy it can be hard. Look at the struggle Mike Perry has had trying to get Google to change their cookie management, and it's relatively minor changes, and they can naturally infer things and go, if you typed in https://mail.google.com, make sure that nobody can steal your cookies, but they basically refused to do so and only implemented a big leaf buried in the preferences that you have to know about first, and that was only a couple of weeks ago, because they finally heard that he was giving a talk on the subject. So sometimes it can be really frustrating when you have your friends, the company security contacts at the company, you have half a dozen people all banging on something and nothing happens. Okay, we've got a lot of beers here, so we need some good questions. Come on, we've got somebody back there. I think it's hard to address. The question seems to be
we're seeing a lot of attacks from China. Is it really some kind, let's just be clear, it's China, is it really, or is it just we have a lot of people with a lot of computers, deal with it, that's what happens when there's that many people? That's the question. You guys know the answer. I think the actual motivations of the targeted attacks, the ones that we don't see all that often, don't see them all that often, occur probably occur fairly often, are almost irrelevant. They may be state sponsored, i.e. China or France or Russia or whatnot, might be organized crime, there might be various people, there might be politically motivated private sector areas, might be corporate espionage. What you have to be aware of are, one, the three agents that are interested in your organization, and what are the types of countermeasures you can put in place, because for those types of subtle targeted attacks, they're very difficult to detect, they're very difficult to defend against, but they are out there. Are they motivated by a politically motivated private sector group in Russia, is it organized crime? Really hard to tell. In fact, even the ones going back a few years, you guys called it Titan Rain, was it really state sponsored China or something else? And there is no firm answer, no one really knows here, probably someone in China knows but they're not telling us. Oh, fucking yeah, personal opinion only. Repeat the question for him. The question was: should cyber warfare actually be considered a class, an act of war? You nmap me, I nuke you. Well, I was talking to somebody here a couple days ago, we were having a conversation, he was saying how the Russian government has basically said that cyber war, they actually treat that as a weapons of mass destruction sort of situation, and they will respond in kind. They'll have to be vague over how the in kind was going to be. That is treating it as an act of war. Well, the Russians want us to sign a treaty with them, they'd like us to ban all the hacking tools, make them illegal,
pass laws to take it all away. They don't realize, of course, the most popular tool out there is a fricking browser. Come on up here, this is somebody else, come on, let's start a line. Phantom microphone, phantom microphone. Now, wouldn't we run out of beer? And maybe you can see me afterwards and I'll see about it. Are we allowed to kill more beer? But you have to ask a good question. Hey, the families, families can drink all they need in order to actually talk, right? Go for it. I am just not drunk enough to secure the internet right now. At the SANS conference, the confirmation of extortion attacks on SCADA networks was confirmed. All right, all they said is that they have detected activity outside the United States. Now okay, attacks outside the United States, activity like that, it's all they'll admit to; what does that tell you? Speak faster. Where do you guys stand as far as it being not silent, that's not something that will go unnoticed? What's the question? What's your guys' opinion on that? Here's my opinion: take his beer away from you, you get a negative beer. Here's my opinion on SCADA systems. I've come to the conclusion that if you understand SCADA systems you won't sleep at night. I don't want to understand SCADA systems so I can actually get to sleep. We got somebody over here, come on up, you right there. Hang on, we got to repeat the question. The question was how many of the actual attacks are being funded by business competitors in an act of industrial espionage, versus, I don't know, people who just like breaking into things for no apparent profitable reason, you know, quote unquote, make money themselves. What makes that hard is there are nation states out there that are doing corporate espionage on behalf of the corporations in that country, so how do you know if it's legitimate, if it's RBN, if it's an individual company, if it's a distribution problem? What we do have is we have at least one data point, which was the Israeli Trojan, which was Visual Basic. Dude writes a fricking
Trojan in VB, about the least leet hack that has ever happened in all time. It was written by Gadi. He's not here to defend himself, so I'll say yes, it was. Silence equals consent. So this Israeli Trojan guy writes, he's like, how am I going to get it anywhere interesting? He fricking puts it on a CD and has it run via autorun and sends a mail to 50 top executives. It's like literally just a package with a very nice and friendly message that says, hello sir, I have a presentation of a business proposal, I would very much appreciate if you take a look. And by sending the mail he got around every firewall, every defense, and it ran by default. So he didn't stop there. He now had 50 top executives' machines and he starts renting them out for like 15,000 British pounds a month for 3 years. This is Visual Basic pwning. Yosh, that was definitely Gadi here. So was this some random guy looking to make money, was it industrial espionage, do the lines matter, do the lines even make sense anymore? It's 2008, the game is about monetization. If you can monetize VB, you can monetize anything. Next question. Question: has anycast had any effect on mitigating the root name server attacks? Yes. You're talking about the October 2002 attacks, and then we anycasted after that. In February of 2007 it was a non-event. Yes, okay, next question. Come on, we need questions up here, we still got beers. People don't like beer?
Or can we just rant? How can we complain about how the internet performs, a way to fix the internet? Well, it operates exactly how it was supposed to operate. So what we really need is a solution to fix the internet. So how do we actually come up with real solutions to fix it? We build new people. We can't change the internet, so no patch for stupidity. Now this is a feature. Okay, we got a question right here. Not to bring up a topic you guys seem to not really want to talk about, but I'm a SCADA geek, and no, I don't sleep very well at night, but what does the panel feel should be our policy, kind of as a community and then also as a country, and I know some of you are international, sorry Canada, but yeah, the 51st state, Canada, with using SCADA attacks for attack and defense? I mean, I've seen tons of SCADA systems. My biggest fear is that we're going to go out and hack somebody with SCADA attacks and they're going to come back after us and we're boned if that happens. Just in case anyone doesn't know, it'll be a mess. I want to answer that question by not answering that question, which is to say the first thing I'll say is, if anybody here owns any SCADA, and that's either version of the word, that's exactly either meaning of the word, would you please take it off the internet, please, for the love of God. Jay, when they put Modbus on TCP, and you go to the IDA website, and even on there it says why did we put this into TCP, they say so that the engineer can work on the nuke essentially from home. It saves money, they don't have to go in to evaluate their devices, so that I can manage from one country to another. This is on their website today, about these SCADA protocols running across the internet. How do we get around that kind of mindset? You're going to head back to your farm in southern Pennsylvania, right? I've been tempted to get a cabin up in the Sierras with solar off grid and a couple acres of arable land. The other thing is, the Davis-Besse nuclear power plant in Ohio got its control system
taken down because of Slammer, which got onto a system through a VPN of a subsidiary contractor, some other crap like that. If you can't keep nuclear power plants from getting infected by the most obnoxious worm on the planet, um, well, you know, it doesn't even take that. That's what the, um, is somebody in a car yesterday hit a telephone pole near Memphis, knocked out the FAA traffic control center because they cut a fiber optic that was above ground. Why not laugh? Stupid, yeah, the intertubes are fiber optic, yes. So there is a great quote: all networks are connected, just the bandwidth varies. Not necessarily easily reachable to the internet, but all systems are reachable from the internet if there's an electrical path that can be owned. Okay, we got one person back here. So I think the question is, seriously, do you actually think you can break a SCADA system, because these embedded hardware devices that no one understands and have never been fuzzed are totally perfectly engineered? No, I'm saying you can break in, but what can you do? Safety is a global system property, enough said. Actually, uh, you want to tell me what can be done? Well, so one of my buddies, he goes ahead, he's like, hey Dan, I got a video for you, see this guy, this guy has a SCADA geek who will break your brain, I can have a yes. So check it out, all right, so check it out. He shows me this chemical mixer and it's just sort of sitting there, and they move the camera over, it's like a kind of edited video, to the operator's display, and everything is looking great and fine and wonderful. Yeah, that's because they are spoofed in front of the operator's display and we're showing them great and normal, wonderful telemetry. What was really happening was the ultimate buffer overflow, by which I mean white fluid overflowing up out of the chemical mixer and spraying down all over the entire place, and this goes on for about 10 seconds when the lights go out because the power was shut down in the fake factory. So, um, that was an X Windows hack,
not a SCADA hack. We've had X Windows hacking for a while now, guys. Does it matter? Yes, no, it's not Modbus hacking, it's not distributed control hacking, it's not even SCADA hacking. These guys are showing industrial control systems for minor plants. Can you take down a power grid from the internet? No. So here's the thing, not via SCADA, not via ICCP, but that's not my fault, those aren't my protocols, that's someone else's fault, and that's okay. I mean, you can say that, the reality is that we have massively interconnected systems, and, uh, it doesn't matter whose fault it is, what matters is that it can go down. Look at it this way: the Davis-Besse nuclear power plant in Ohio, what if it wasn't Slammer, what if it was a code agent acting on behalf of somebody wanting to fuck up the nuclear power plant? That, by my definition, would be a SCADA attack. Question. I got moved up, how the hell that happened. I got a question for you, and I mean I don't know the answer to this, this is just, I'm clueless. What happens when you dumb-fuzz SCADA devices? Generally they stop. How good is it for devices on SCADA networks to just stop? Generally that's not a problem. Okay, I mean, I hate to say it that way, but generally it's not a problem. If a process goes into a fail state, the process fails and the process stops. What you need to be able to do is you need to be able to take control of the system and do something with it, and you just stop it, like just DoSing the system. The cookie plant knows how to shut down, it doesn't make Oreos that kill you. What happened to you? Hey, wait, wait, wait, how long was the cookie plant shut down for? I don't know, a day, two days. You know what, the same thing happened. Was it shut down a month? Was it shut down a month? Oh wait, the plant shuts down for a month when Edna drops her finger into the cookie machine. So, you know, generally you can't rupture those through the control system, generally speaking. Generally is only five percent of the time; it's the other five percent that
I'm worried about what you're talking about is you're talking about being able to take control of the process if it stops if it just stops then it stops but if you take control of it and you execute the control but if you take control of it and do something where or worse you interstitially place yourself in the middle and you say you know what I'm going to show you what you're not able to see I want to make one quick reply here and that is basically what you are hearing here is internet security before it all went it all went wobbly SCADA in 2008 is about the internet in 1988 to 1993 that is the reality that is the attitude that is the data that is the dream that has no relevance to reality I wish it was safe one more piece on this one more thought here and that is the piece we all have to realize in your world in the control system safety is the number one thing safety overrides everything security is our world and we've got two different cultures this is something we have to exactly if safety doesn't happen shut down two million gallons? not bad it's a DOS I would hack you actually I'm going to get the guy behind you because you already had a question I'll come back to you if we have time you talked about Marucci Marucci the guy who used to work there is a contractor got pissed off, took a little radio system outside opened up a sewage that one, it stunk up the place for a while should point out that all of the security wonks are actually at a different conference because they weren't aware that this was the week that was scheduled just so you know that's the skater world that we're up against, the trick is what do you do with these people? 
that's the world of Joe Weiss we've got one question over here actually no that was a really important thing you just said it's not about the complaining and the whining and the poking at skater it really is about what do you do with these people they're experts in their field they're masters of what they do you know I can't manage or fix or do anything more than look at a power plant that's all I can do is play with code and maybe break a few things so the question is never oh look at those guys over there it's what do we do to outreach the changing state of the threat environment it's a much more interesting and harder problem I don't even go so far as to say me whining about skater being easily breakable whether it's true or not is not the answer of how do we fix things what worked for me was swallowing my entire ego and going and saying so tell me how this shit works okay we have somebody over here we need to keep moving so the question is what is the worst case scenario this is skater right worst case scenario the example was losing all the video for a UAV network which would have to pilot people can die that's a worst case scenario worst case scenario the operators lose visualization correct visualization of a significant power grid for more than 4 seconds but he was talking about specifically in operations for like military people die at that point well if the operators lose visualization for 4 seconds people die because that's called the blackout this is where this is just one of many things I'm trying to bring up but this is where I keep getting into man in the middle of attacks of any sort any ability for me to we always I've been kind of ranting on this a little bit but confidentiality we all get into availability a lot of our thought here has been in availability but integrity oh god is that the one we don't talk about so much and oh god is it the fun one to play with if I can give the operators one of you just like in the movies if I can give the 
operators one of you and the reality something different then that's where things get really fun because then I'm not fighting with anyone then I'm just simply doing whatever I want and hoping I can keep pulling that off we're down to like 5 minutes now a quick one on integrity because he's been talking about it all weekend I used to work in the college of chemistry there and if somebody were to break in and change the formulas for some stuff you can have some little shit head happenings so integrity from Okem class just having some idiot cross contaminate the reagents is a pain when the vessel opens and you get something close to tear gas there you go okay another question I'm going to drink all the beer if I have to so come on ask the question actually I've got one in my hand if I have to and we have one over here I'm getting really close to drinking this one okay Dan has a comment he always has a comment I think we need to make I think we need to stop presuming when we ship software that we're done that software has an endpoint that is when the box leaves the room okay I'll grant him that one and I believe that ultimately the serviceability problem which is how do you fix things when you screw up and you will it needs to stop being a surprise stopping at oh my god we did what and start being we're going to ship it and it's going to have problems as much as we tried for it not to and how do we make it so that these things can be easily updated and fixed we have such a problem creating fixes and dealing with the lack of modularity in the systems that we are deploying I ultimately really do believe if we're going to really deal with all the flaws that are out there the fundamental way build systems needs to be revisited okay we have a question somewhere in the back I've told I can't really see anybody here but I want to actually stand up stand up come on talk come on up here because I can't hear you we cannot hear you we won't tell Joe you said that we won't tell 
Joe you said that so on the on repeating the question the badge is a little bit of a problem here because he says it doesn't work all that well and it's really hard to update I think the other issue with update is not only do we make it hard to update things but we also keep forgetting that any time we're updating software for vulnerability we're in a race and we always lose I don't mean we all always lose I mean most companies take three months to deploy a patch and that's if we make it easy for them to deploy the patch lots of us are starting to get into more and more embedded devices I don't know how many of you have these weird phone things but there are real pain in the butt to patch some are actually don't patch at all and yeah we keep getting this wrong and honestly if you have an appliance I don't want anybody in this room to buy a security appliance until you talk to the vendor and ask them oh by the way how do you patch this thing you'd be surprised what you find out see the problem with defense from our perspective it's a zero sum game we only need to have one hole and we're fucked that's all it takes it's good enough that they move on to somebody else but really in the end if somebody is determined to get into your network it's a zero sum game they just only need one little problem one little desktop someplace and I didn't patch their acrobat as Jay was talking about earlier today it only takes one and at the same time companies have learned the lesson real well how much stuff has broken because of a patch that's the fear, uncertainty, and doubt is something that I think more about when I'm talking about trying to convince companies to patch than about what I'm trying to get them to use open source software I always thought it was fucked up data we have somebody over here I think I'm about to get cut off here well everything's already connected to the internet anyway hopefully they won't cut off our mics or it's just all through NATS the bad news is 
their time is up the good news is there's a Q&A room like 12 of you