Good evening, folks. Like you haven't heard enough from me yet, but I want to talk to you about the 10-year anniversary of SE Village, right? It's kind of crazy. So when my team and I were sitting around talking about what I should flap my lips about, we said maybe there are some lessons that we've learned over the last decade of putting on this village here at DEF CON that we can apply to the community, to ourselves, to figure out what it is that we can learn. So every year I always start off asking how many people are first-time DEF CON; it always shocks me. Literally, this year I think it was over 60% of the hands went up. And then I asked how many people are first-time SE Village, both morning, afternoon, the days, and I see an overwhelming amount of hands. So I thought, because of that, the best way to start this off is to tell you the origin story of SE Village. Let me make sure this thing is on. So I figured let's have a story time, a little bit, before we get to the lessons learned, about how all of this started. So here's the path that we took. DEF CON 17: I came to DEF CON 17 and got asked to sit on a judging panel for a social engineering contest that was happening here. It was right after my first book had come out, and that contest was a little weird. It did not follow our mantra of leaving people feeling better for having met them. They were calling random college girls and getting their credit card numbers and not muting those numbers while they were being read, and I was horrified. I was sitting there going, oh no, I cannot be a part of this. I get paid to do this by really big companies, and this is not a great thing to have on video. And you can see people in the audience writing down these numbers, and I'm thinking, oh no, this is bad. So I had a little conversation with some people at DEF CON and talked about, hey, maybe we should professionalize this. I gave them some tips, and Jeff said, good, do it.
And I'm like, no, no, I was just telling you what you should do. I wasn't saying I wanted to do it. I was just saying here are the things you should do. And he's like, great, we'll see you next year with your competition. And I'm like, but wait. And then I'm like, I just got social engineered by Jeff Moss. He's like, come on, he isn't a social engineer. People, really, what the heck. So I'm like, okay, now I gotta go home and think about all this. So all my ideas scared the daylights out of everyone I told them to. So I did the natural thing. At the time I was new in my company; you know, we were just starting off. I was still working on another job, and I said, I don't have a lot of money, so I called the EFF. And I said, hey, I got this idea, I want to throw it by you. They assigned a couple of lawyers to me. We went through it, and we went through all the things that I could and could not do. And they were so amazing. I'm telling you, if you don't support the EFF, you should, because they helped me for months and months and months and months for nothing, just to make sure that we could get this competition off the ground and not break any laws. Then I did a whole mess of interviews. So I went on podcasts and magazines to try to promote this, and that I thought was a great idea. But one of the themes of the speech will be that my thinking of great ideas generally might not always be great ideas. Because what ended up happening is some big companies that rhyme with, like, Apple and Microsoft and other ones like Oracle all went and complained that they were going to be hacked live by malicious hackers at DEF CON. So I got a phone call. And if anyone knows the history between me and Dave Kennedy, this story will make sense to you. I learned a valuable lesson that day that Dave Kennedy is not the FBI. So I got a call from a guy who says, hey, this is so-and-so from the FBI, and I'm like, nice try, Dave. I've already fallen for this prank a number of times, and hung up on him.
So if you don't know who Dave is, Dave runs TrustedSec and DerbyCon, and he's made a career, a lifelong career, of pranking me. Like, at one point he actually modified the heater in the seat of his car, the passenger side, so you could boil water on it, and then invited me out to dinner. Yeah, I'm telling you, that's the stuff he does. This is the kind of pranks he plays on me. Other ones are not made for this village at a PG-13 level, so I will not tell you them, but you can imagine that that kind of response from him would make sense to me. So the guy calls back and I'm like, Dave, seriously, man, give it up, I'm not going to fall for it. And he's like, sir, please don't hang up on me. You know, we really have to have this. And I'm like, this doesn't sound like Dave. So you're not Dave Kennedy? He's like, no, I already told you my name, and you should not hang up again. I'm like, fun times. So I get invited down to Virginia to present the SECTF idea, and fortunately I'm still here, so I didn't end up in prison. That was great.
So we did our very, very first SECTF at DEF CON 18, but the thing I had to present to people, just to make sure that they knew that we weren't these evil, malicious hackers that were going to go and wreck the earth, was basically this set of rules. So our contest was really designed, and you've heard it if you've been in the room at all, we designed our contest with the mantra of leave them feeling better for having met you. We wanted to show how dangerous social engineering is as a vector, especially through vishing, and to see if over the years, and we did not plan on doing it for 10, but to see if over the years we could show that there would be some improvement or not, despite all the people and the wonderful people working in this competition. So we split it into two, which was first the OSINT portion of the competition, and then second was the call portion of the competition, and we figured that would give us a lot of data that we could analyze: what are we finding on social media and on the internet, and what are we finding through live calls? So we launched the competition with one main rule, and that is that no one gets victimized, not the people in the booth, not the people we're calling. Okay, so DEF CON 18 kicks off, and that was the title of it, How Strong Is Your Schmooze. You can see our art has changed over the years a little bit. That's a little, yeah, okay, anyhow, let's move on. That was our room; it was 175 square feet. Anyone here there for that first one? Yeah, yeah, really, whoa, holy mackerel, there's more hands than I expected. Holy mackerel, wow, yeah, round of applause to you. So I also laud you because you're still here and you're not dead, because that was in the Riviera, and so many of you sat on the floor. See, that was, I don't know, back in the day, like maybe DEF CON didn't care so much about what the fire marshal said, so we had more humans in that room than we should have ever had. Like, I'm surprised we didn't all combust. It was so hot in that room.
My little drum booth, you could see it back there, and we had one speaker that I brought, because we couldn't tie into the house speakers, because everyone hacked the house and the sound didn't work. So we had one speaker, and we hired someone to stand there and type, like a court stenographer, to type everything that was said. Learned my lesson on that one too. Anyhow, our very, very first ever competitor for the SECTF, ever: Wayne, stand up, come on, do it. Wayne, right here. And I said, oh, you're from Australia, you can go first. That was the way we decided things back then; there was absolutely no system, it was like, oh yeah, let him go. And that first call, completely nailed it, right? Completely, completely nailed that first call ever, 10 years ago. There he is, still, we're still friends, and he didn't kill me. So we went through that year, and I gotta say something, a tiny, tiny, hopefully somewhat humble brag: we were the first and only ever competition in DEF CON history to be awarded a black badge in the first year. And that was something that we never expected, right? So when they came in and said, we can't believe what you put together in the room, in the pact, and how you did it, so black badge. And since then, I don't know about every year, because it's never guaranteed, right, so we'll see what happens this year, but every year we've been a black badge competition since, even the first one. Yeah. So then we did DEF CON 19, The Schmooze Strikes Back, yeah, you know, because we're really genius with those names, you know. And because of the success of the first year we were upgraded, and the room was huge, it was really, really big, compared, not to this, but I mean compared to the 175 square feet. I thought there's no way we can ever fill this room, and just like what you guys have done this year, it was ridiculous. There were lines all the way down the hallway. It was just unbelievable the way that it went off. But again, we had another very, very
successful year. But then we started to think, I wonder if the SECTF is enough. Maybe we should do more things, because, you know, after the calls were over we would sit around and chat with people about social engineering. We always had handcuffs in there; we'd show people how to break out of them. We'd sit around and pick locks, we'd do fun stuff, but it wasn't structured. So we said maybe we should start structuring some things. So we did, during DEF CON 20, where we decided to up the game and we did Battle of the Sexes, where we pit men against women. Same company, right? So the goal with this was we had one target company, and we would assign to both a male and a female target, and see who would be better. You could probably guess who won. Wasn't men, just in case you were confused. Okay, so yeah, Battle of the Sexes. Again, that stepped up the competition. On 20, something really interesting happened that year. So that year General Alexander, the director of the NSA, was at DEF CON. I know that sounds really, we're just saying that out loud, right, like the director, right? So I got called in the middle of, we were doing a call, and I got called, and I had learned my lesson, by the way, from previous three years ago now, and they said, the director of the NSA is here, he'd like to see you. And I'm like, I'm in the middle of doing a phone call right now, and they're like, please come to this room. And I'm like, okay, if this is Dave, I'm just gonna go anyway, because if it's not, I think it's just a safe bet to go. So we paused the whole room. Like, no kidding, can you imagine this, any of you who sat here today? We paused the whole room. I go into this little room and there's like Secret Service everywhere, and me being me, I like rock right through them, up to him, and go to shake his hand, and this giant dude tackles me, and I'm like, yo, you invited me here, everyone chill, right? So, you know, we ended up talking for a few
minutes, and he says, we've been watching what you have been doing. And I'm like, of course you have, of course you have, I mean come on, we all knew that already, right? And he says, is it okay if I come into your room and observe the competition? I'm like, yeah, sure. So at that point, when he walked in the room, actually, that didn't happen first: we had seven Secret Service agents come through the room and sweep it, and then they said he's allowed in. And in the booth was our youngest ever competitor, Hannah. Are you here? There she is, everyone, still our friend. And he got to observe the call, and then he came up front, and what's happening here, I feel really honored by this, he awarded me a director's coin, for the director of the NSA, which I still have on my wall, which I guess they're really special. I don't know much about that, so excuse my ignorance, but I guess it was like, for them, so many get given out a year. So I felt that was a big honor. And he said, son, and not in that voice but I'm gonna try anyway, son, what you're doing is great for our country, keep doing it. And after that it was like no more newspaper articles about us being scary hackers; everything was like the glorious hackers are saving the United States from bad social engineers. And I'm like, thank you, Mr. Alexander, General Alexander, sir, don't tase me, bro. And something else really amazing happened at that speech. So we had one guy in the booth, and he decided to do this crazy thing. He said, his target, let's just say it rhymes with AT&T, and he went through their page, and on their security engineers page they put the pictures of all of their employees. So he said, I'm gonna pick one that looks like me. Maybe if he looks like me, he'll sound like me. I know the logic isn't good, right? It's really not sound; there's actually no scientific evidence that that's true. But he said, let me do the thing. So he did, and he picked this guy, and he starts pretexting against him, and he's calling, and his
pretext, which is utterly ridiculous, is: hey, there's this big hacker convention going on called DEF CON, I think we're a target, I want to make sure your machines are secure, what OS are you on? And people were like, flag, flag, flag, flag, and I'm like, this can't work, this doesn't make sense, I don't like what's happening here. Well, finally he gets somebody on the phone, and the guy turns him down, hangs up. Well, I guess that dude was friends with the real Josh, so he texts the real Josh and he's like, yo, Josh, are you calling us telling us about DEF CON? And he's like, no. And he's like, well, someone's calling saying they're at this conference, DEF CON, and that we're gonna get hacked. Well, five minutes later the door opens up and the real Josh comes walking in, because he was three doors down at a speech, and the real Josh comes up to the table and he goes, are you calling AT&T? And I'm like, no, not me, man, the guy in the booth. Because him and his buddies were all like huge, you know, and they come walking in like it's fight time, and I'm like, yeah, no, no, no, not me, man, that guy, that guy in there, like, he should probably kick his butt, I'm just sitting by this computer watching. His computer too, you know, you can take it, you know. But no, it ended up they weren't mad. They had a really, this great picture, it was like such an awesome story, right, to have happened at that DEF CON. You really can't make that stuff up. So after that year, you know, like I said, it was just a whole change in the tone for the conference and for the village, because people were now way more accepting of it, not viewing us as like some evil entity. So let me move on to DEF CON 21, and, you know, the Who's the Deadliest Social Engineer theme. Again, now, what was awesome about this is the year before, I should have said this before, but DEF CON 18, 19, we had basically like one woman in both years compete. So to do the Battle of the Sexes I had to
literally, like, cold call women in the community and talk them into joining the competition. And, you know, we had a good number; we had 10 men and 10 women, and that worked out well. And then once that happened, the next year it was like tons and tons and tons of women, and you can just look around the room and see how awesome it is that there's probably more women in this room right now than there are men. And that is such a difference from when this village started, when it was all male dominated. And I think we have so many women winners now, it's like I don't even know why guys even sign up anymore, you know. So the lesson that I learned from those years is, yeah, that women, they're gonna scare us, you know, no matter, no matter, no matter what species we are, they're scary, man, they're scary. Yeah, those are the lessons that we can learn from those few years. So, Who's the Deadliest Social Engineer. Well, at that point we did something else really interesting. The year before, we had started our first kids competition. So the year before, I forgot to mention that, DEF CON 20, we also said let's expand this out to kids, and we had ages like five to 12, and we made ciphers and puzzles and we handcuffed little kids to chairs, which I know in retrospect sounds so horrible, but it's DEF CON, right? And they had to, like, get their ways out, and they'd be crying, like, here's a shame, loser, get out, whatever, and it was just like, it was like really horrible, right? But they loved it. The kids kept coming back and begging for more. So this year I said, I have this amazing idea. Now I gotta tell you this story, and I realize when I tell you this, I'm like really stupid, okay, I get that, but this is what happened. I have this crazy idea in my head that we should do the last exercise of the whole kids competition where they have to solve a scytale code. Now, if you don't know what that is, it's an ancient Roman code where they would take a piece of leather and wrap it around a wooden dowel and they would carve
their message on the leather. Then the leather would go with one messenger, the dowel with another; they would both go to the front lines, and if you didn't have the right dowel on the right leather, it didn't work. So we took a paper towel roll, we put paper around it, we wrote a Caesar cipher, then we shredded the paper, and then we put the shred in the bag, and the kids had to solve the shred. This was after like eight hours of solving other ciphers. Like, we were really abusive, it was terrible. And then the code said that they had to run through the DEF CON SE Village room and insert the tube into a box in the back. So that was the idea I came up with, and I thought, how fun would it be if there was a sniper in the room with a Nerf gun shooting the kids as they ran through the room? So most of my ideas involve whiskey and late nights. So I tweet at like one in the morning: any military, great snipers coming to DEF CON that want to shoot kids, DM me. Okay, now in retrospect I understand that this is not the smartest of tweets for a person with two children to put out into the world. So I get a call from one of my buddies who works for a government agency and says, hey, Chris, I want to talk to you about your DEF CON idea. I'm like, oh, it's awesome, man, which, I tell you about, I got this great plan. And he's like, no, no, wait, before you tell me, can you just open up your Twitter account and can you read that tweet out loud? And I'm like, yeah, sure, man, no problem. Well, I open it up and I go, oh dear God in heaven, what have I done. I'm like, I have three DMs. He's like, can I have those names? I'm like, no, click. So we hired them. Okay, so we bought these Nerf CS-6 Longshot rifles, scopes, the whole nine yards. My son and I bought mod kits, we modded them, then we practiced on my daughter, which I think any good parent should do. I had her run through our yard and we took turns shooting her. When they were strong enough to knock her over, we thought this was a great plan. Still not
thinking right, okay. Then I take these Nerf guns and I take them apart, because they come apart in little cases. I put all of them into a duffle bag with four pairs of handcuffs, two pairs of duct tape, and I take it through TSA. So the TSA agent says, I gotta search your bag. I'm like, yeah. And I figured, and he unzips it and he does this, and I just say, I'm going to Vegas. And he's like, okay, he zips it back up, hands it to me, right? I'm like, I guess that's an excuse for anything, you know. I'm glad, I'm really happy my answer wasn't I'm going to shoot kids, right? So, so yeah, so we did. I'm taking tons of time on this story, but it's just great. So I gotta tell you the way the kids won. So we had all these teams. The first kids, they've solved the cipher, they come running through the room, and Bones is over there on a sniper tower, and we just hear this kid fall, squeal, and I'm like, oh no. At that moment in time was when I realized this was a horrible idea, because I'm hearing little children squeal in pain, and I'm like, oh no, this is such a bad idea. And I'm like, hey, Bones, like, you hired me, showed up. I'm like, oh God, what have I done. So these kids are running through, and the deal was whoever's holding the tube can't get shot, right? If you're holding the tube you can't get shot, and we have teams of two kids. So this brother and sister team, the brother says to his sister, look, I'll be your human shield, so you hold the tube and I'll use my body and you won't get shot. To this day it's like, oh my God. So he comes walking in real slow like this, and all you hear, and I'm like, that's enough, he's like, he's not down. And then he yells, clip, and there's another kid below him loading clips, throws a clip up there. This kid is getting shot like 19 times. I'm like, no, you must stop. And the parents on the corner get him, and I'm like, what have we done, this is not leave them feeling better for having met you. So the kids finally get to the box,
they shove the tube in, and they turn around, yes, and he goes right in the forehead. I'm like, dude, they won. He's like, man down. So I take those guns, they're dismantled, I sold them on eBay. I don't want a memory of that, that's terrible. I'm like, no, no, man, we can't ever do that again. So that happened at DEF CON, yeah, I'm still here, right? Okay, and something else cool happened that year. Yeah, I was giving a speech with Apollo Robbins, and Will Smith was working on the movie Focus, and he came over and wanted to see the speech I was giving with Apollo, and then I got to hang out with him afterwards. Really cool DEF CON, like, right? So that was a really cool experience to have in SE Village. I'm like, look at that, we just helped somebody learn a skill for something that we're never gonna do, like being in a movie. Okay, so DEF CON 22, this is when I said I've got to step the game up, right? Let's see if we can make it more difficult for the people competing. So we, I laughed at this idea, came up with the idea of a tag team. So you're gonna sign up, I'm going to assign you a partner, you have no clue who they are, somehow across the world or country you're gonna work together, and then you're gonna get inside of a booth made for one person, both of you at the same time, and you have to figure out how to hand off the phone call. That was the concept, right, for it. So we did it, we did it, and I tell you, some of the pretexts that they came up with, it was genius. One caller said, hey, listen, I'm working on training a new recruit, we're on Adobe Connect, that's why the number doesn't look real, very legit, and I want you to, you know, I'm gonna listen in while he does the call and then I'm gonna grade him after that's done, is that okay? And people were like, well, yeah, sure, I'd love to help new employees. And then the second person would come on and be like, flag, flag, flag, flag, and I'm like, this should not work. Like, why is it I can't make it hard for them? But it was, it
was, it was quite amazing. So the first lesson was definitely, it didn't matter what we did, we still won, right? So that was like a huge learning lesson from DEF CON 22. We also then, at that moment, started Mission SE Impossible. It's much more advanced now, but this just started, and this is also a really terrible idea. We handcuffed random people together and then threw a shim on the floor, and they had to figure out how to get out of the handcuffs. The ideas are not, I know, man, in retrospect, I think about it, it's not great. This is what it looked like in the booth with two people. Crazy, yeah. And this is what the room looked like. It was not right. So that's also the first year, DEF CON 22, when we started running a speaking track. So we had people come in to fill time afterward, giving really great speeches to the crowd, right? So that was a really, really great year. Moving on to DEF CON 23. So that's DEF CON 22, the team, that's hot, that's the team we ran the whole SE Village with, right? Pretty, pretty small. So I was pretty, pretty proud of that moment, that we could do all that we did with them. Okay, oh, DEF CON 22 result was this. 22 or 23, right? Chris Silvers, was that 22 or 23 for you? Where's Silvers? Oh yeah, but was that 23, or you're 24? Okay, man, I got the pictures messed up, maybe because I have a picture of you here and I thought that was, maybe this is 24 and I just didn't, my slides are screwed up, I'm sorry. Yeah, yeah, so that was you, 24. So Chris Silvers won DEF CON 24 and still ends up working with us. The reason I'm bringing that up is because all these people that are still here, and we've abused them terribly and in really weird ways, and they still stick around and are our friends. I'm like, I know, it's great, yeah, yeah, and I feel the same way. It's quite, quite an honor. So DEF CON 24, the room was expanded a little bit. We had more space than we ever did before in previous years, but again it didn't help. We were still over capacity and full, and the
great part was, as we would constantly ask people to tweet to DEF CON, give them a bigger room, give them a bigger room, and you guys would all comply. So DEF CON's Twitter account would get blown up, and then every year they would ask me, can you please stop asking the room to do that? I'd be like, okay, and I'd be like, hey, guys, I need you all to take your phones out and tweet to DEF CON, we need a bigger room. And they'd be like, can you please stop? I'm like, no, because, you know, because you told everyone we were closed this year, so take that, you know. Okay, and our DEF CON 25 team expanded a little bit. Our room got so big we needed to expand our team, and that really helped, right? DEF CON 26, just last year, Whitney, Whitney took it home with a great win. If you didn't see that call, I believe Whitney and Chris Kirsch reenacted that call at Layer 8 Conference, and it can be found on the internet, so I strongly suggest looking for those. Chris Kirsch, he won the year before, and him and I reenacted that call. I was the target and he was the SE, like he was on the call, and then last year him and Whitney reenacted their call, and they're both out there, really great videos to watch if you want to understand not only some pretexting ideas but like the flow of the calls, like we tried to reenact it as closely as possible, with even confusion and things like that. Okay, so now that brings us up to, oh yeah, actually that brings us up to DEF CON 27, this year. Like, what the heck happened this year, right? I don't know yet. I didn't know when I was writing this, but I can tell you this year was crazy, right? I mean, so the first year we ever ran SECTF on Thursday. How was that for you guys, did you like that? Yeah, it was good, yeah, yeah, good. I'm happy with that, because I liked it better too. We always have people saying Saturday was rough, trying to find support numbers that are open, so having it Thursday and Friday means that you're gonna always get a weekday, a
weekday call. So I thought that was pretty cool, that we could do that. So just an overview of what the themes were, right? So we look over the last decade of SECTF themes, and we can kind of see what it was that we started to do from the beginning. In addition, what I like about this is that we can start to see when we actually started choosing industry-related themes. So you can look at, like, DEF CON 23 is when we started seeing the telecommunications, and then after that we just kept choosing themes: information security, gaming, transportation, and this year, let me clarify, it is not the ATF as in the government agency, it is the alcohol, tobacco and firearm industry, so people who manufacture those things that are Fortune 500s in this country. That was the theme for this year. We don't call government, we don't call banks, and we don't call health care, and the reason is each one of those ends in something very bad, right? So you're either really getting arrested for calling government, you're breaking GLBA law for calling banks, or you're messing up on HIPAA for calling health care. None of those things are good for any of us, so there's no reason to do it and no reason to get close to that line, so we just don't. Okay, so let's talk about the SECTF winners. I wanted to figure out how we can make this applicable to us as a community, right, and what did SE Village do over the last decade for us as a community? So, before winning, I wanted to figure out, and I went through all the first and second place winners, so I didn't take every contestant, I just went through first and second place winners over the last nine years. I don't have this year's statistics, right? So over the last nine years, what do we see? Well, those that were in security or social engineering before they competed: 39 percent of contestants were involved in infosec before they competed in the SECTF, and 61 percent were not, right? So we can see the difference
there. Whereas after competition, what's happened? 72 percent decided to get into infosec, and 28, none. Now, I'm not, there's no, I can't, you can't do a correlation, right, without a real scientific study, so I can't sit here and say that it's definitely because of SE Village that this has occurred, but I think it's a great stepping stone. And you can talk to people like Rachel, and you can talk to people like, I mean, Chris, you were in it before, you were doing this stuff, yeah, but Hannah wasn't, right? So his daughter wasn't in it. And then we could talk to people who've taken that leap after doing the competition and saying, wow, that was actually more fun and easier than I thought it would be, I want to try my hand at this. And we could see that huge statistical jump, 72 percent of people. So that helps me realize that this is a training ground. This is a beginning training ground; I shouldn't say it's an all-stop training ground, right? And why? Because here are some other learning lessons that I found in reviewing some of the stats, looking at SE Village winners from previous years. So I think they're pretty proud of the fact that they won or competed, because most people that have competed put it in their LinkedIn profile, either as part of their resume or in their honors section, you know, like saying, hey, I competed in the SECTF, or I won. One of the big things we found is that time spent on reports generally averages 60-plus hours that they spend on doing their OSINT reports, and then the page count of winning reports is generally over 50. So now I don't, we just can't sit here and say, again, correlation, that quantity equals win. But what I can tell you, from reading these reports for the last decade, is that the reports that people spent 60-plus hours on, and the reports that came in with lots of detail and were filled with knowledge, are the ones whose people always got in that booth and they did excellent. And why? You know, what's the correlation
there? Well, knowledge is power, right? And that is the, it is, so people get in that booth, they know the company so well, they're speaking the lingo, they're saying the acronyms, they're using the internal words, they're naming managers. We saw today people are getting asked, well, who's your manager, and some of the contestants are just spitting out names of actual employees that work there, because they had known the company so well. They might know it better than their own company, right? They did that much OSINT on them. So we see this direct correlation: people who spend the time and energy actually become successful at competing in this competition. So what else does it tell us? Well, sadly, one of the other things that we learned is that companies are still pretty bad at this, right? We still learn that, because today, I've got to say, I was really happy we had a couple of companies that really shut us down. I mean shut us down, Ben. I'm not talking, if you were in the room, I'm not talking about the ones that don't answer their phone, because security through obscurity is not really security, right? So just hiding like an ostrich doesn't mean you're secure. But there were a few people that answered the phone today and asked legitimate questions, forced a caller into giving them details, you know, really made them feel: who are you, where do you work, who's your manager, showing that they had some training, they had some real critical thought. And I think that that's amazing, that's wonderful to see. Also, I think when we look through the years, it's not always that 32 percent, or whatever it is, those that were in the SE industry before or in infosec, that won. Many times the people who won don't do this at all. I really, I think about Chris Kirsch, right? That guy's amazing. He was in marketing, right, and he's still in marketing, but he got in there the first time he competed and completely bombed, and then he said, that's not the way I'm getting remembered, and he came
back and he worked really hard, and he got back in that booth and he owned it, right? And he doesn't do this for a living, and he still doesn't do it for a living, and yet, honestly, to me, his call, his group of calls, is one of those calls that we can use as direct training. It was just phenomenal. So it doesn't take a pro to be successful.

Another thing we learned: internal pretexts work. You know what generally doesn't work? Actually, who can guess what generally doesn't work? What pretext? Surveys. Someone said it. Every time we hear of surveys, especially external surveys, they generally don't work. Generally. Now, I can't say always, because there was one case with a guy who is standing in the back named Chris Silvers who won using a survey. But yeah, he cheated a little. Actually, he didn't cheat, there was no cheating. He actually found out that they had just done a survey, and he called and said, yeah, your survey data didn't get sent, I need to redo it verbally, and then did it verbally. That's epic. Yeah, you really can't fault that. So in that case a survey did win, but generally survey pretexts don't succeed in the SECTF, because it's too easy to put off. But internals do.

And then there's more, right? The big rule which we've had, and we say every year: leave them feeling better for having met you. You know, we've only had to disqualify one contestant in all 10 years for breaking this rule. Only one. So out of 14 times 10, 140, and actually we used to have a couple more back in the day, you know, we used to have like 10 each day, so we can even say probably more than 100, maybe 150, 160 competitors over a decade, only one has gotten disqualified for breaking this rule. So that's great. That means that 100 and whatever, 139 people, you know, 149 people, successfully competed and won and never had to make someone feel bad, never had to cause fear, never had to threaten firing or getting
hacked or breached. That's a pretty powerful statistic, if you ask me. Which means you can do it in this industry, you can actually be a professional and not have to be a malicious jerk. You could just play a bad guy on TV, you don't have to be one, right?

Now, how is this possible? Well, you know, one of the things that came to me as I started to do this competition more and more, and I saw more and more people entering the industry, and I had people coming to me that were competing and then starting their own businesses and saying, how do you do that internally? How do you do that for your clients? How? And I kept asking this question: how, how, how. I realized that I had to do something to help those people who were asking. So we developed a code of conduct... code of ethics, I'm sorry, not a code of conduct, a code of ethics. I'm really proud of this code of ethics, to be honest, because it's gotten adopted by some major organizations and even a European country, if you can believe that. A European country called me. Isn't that weird to say, that a European country called me? I mean, obviously the country didn't call me, but someone called me from the government and said, we're developing a pentest rule book for all pentesters in our country, could we use your code of ethics in that rule book? I'm like, yeah, that'd be great, right? So we put this out on the social-engineer.org site and make it publicly available for everyone to use, internally, externally, however you want to use it. But for me, I'm really proud of this because it keeps that mantra throughout the whole theme of the code of ethics: how you can be a professional social engineer, but you don't have to be a bad person, you don't have to use fear, you don't have to use anger, you don't have to use extreme emotions to get the job done, and yet you could still leave room for education, which is our second mantra, right? But why did I feel the need to go this far, to actually create a code of ethics? And to me, that
the simple answer is looking at something like this Google Trend, right? Look at that left sidebar. This is from 2009, when I did my very first SECTF. Now, this has nothing to do with the SECTF, I was just using the years. And then you jump forward to this year, right, or was it 2018, last year, and look at the difference in the interest in social engineering over those years. We can see the interest in social engineering has gone up. People are searching for it, they're talking about it, they're discussing it. Back in 2009, social engineering wasn't a very hot topic. It was in our community, but it wasn't in the corporate world, in the business community. And now what we can see, just by watching trends, is that it's more searchable, people are looking for it more, they want to know more about it. And I think probably the most common question that we get in our company is, how do I get into this industry? The second most common question is, how do I hack Facebook. But the first most common question is, how do I get into this industry. Matter of fact, this second day of DEF CON, I've been asked that question more than six times a day by different people in this room: how do I get into this industry? So we had to write a code of ethics, because people want to be in this industry and feel that it's necessary to start there. But we also have a series of blog posts and podcasts and newsletters that can help you with how to break into this industry.

Other trends we noticed. Okay, I'm running out of time, I don't have much time for questions, but I'm going to rant for a second. So the other trend that we notice is that, sadly, in our industry, the "I always need to be a hundred percent" motto still exists, and it's not great. I mean, think about that. Don't think about yourself as a pentester for a second; think about yourself as a client. And now someone comes to you and says, you're always going to lose, you're never going to win, give me more money. Right? Now, I'm not suggesting that
we let them win. I don't think that's a good idea. But I am suggesting that we need to work on improving our methodology and how we train, to help them win, so it's a legitimate win, right? And if we can't do that, then why are we in this business? Is it just about our own ego, so we can feel good hacking people? That's not the right motto, right?

Second: bad-mouthing competition to get work. You know what, I found this statistic, this is a graph that shows how many U.S. companies are actually actively doing phishing training. 15 percent are actually doing phishing training in the U.S. There is more than enough work for all of us. We don't have to beat each other up. We can be competitors and we can actually be friendly. We can help each other, we don't have to be jerks about it. But I'll walk around DEF CON and hear us bad-mouthing each other, talking bad about who does what and this and that. You won't walk around the other communities and see that. We can actually band together, become stronger, and fix the problem, or try to at least. I don't know if we'll ever fix it, but we could try to, right? There's more than enough work for that.

Okay, I've got eight minutes. I'm going to try to push this rant through, because this is my big one, this is my pet peeve. Okay, and the pet peeve is live tweeting. Live tweeting. Now, I don't mean live tweeting of everything. I mean live tweeting your pentests, live tweeting the things you're doing for your clients. How stinking awful is it? Again, don't think about it as yourself. If you're a client, you're sitting there, and you know you hired me, and now you see one of my tweets go, man, this company is like Swiss cheese; man, this company is a wet paper bag. I didn't mention your name, but I say that and you know that I'm talking about you. How does that make you feel? Have I left you better for having met me? No, it doesn't. It's terrible. So I asked three or four people that I truly respect in the industry that do
pentesting, red teaming. I asked them just plain out, I didn't tell them what it was for until they answered me. I said, can you tell me what you think about this topic of live tweeting pentests? And I don't know why I put Dave first, because he spent his whole life pranking me, but Dave made a really good point: as customers are looking to them, they're trusting them for trusted special services, and live tweeting these things hurts customer relations, right? He ends it with, it's not the right thing to do. And that's a valid point. Chris Nickerson. I looked up to him for years before I actually started my own company, you know, the things that he does, the red team, if you haven't heard him, layers, layers. I talked to him about this and he said it's a breach of contract to do these things. Pretty strong language, right? I talked to Wayne, my buddy who did the first SECTF call, and the same thing. I mean, just look at this: look at us, it's wrong and really just stupid and selfish, man. Powerful words, right? And then finally, Chris Roberts. You might know him, he's the guy who's supposed to make the plane slide sideways. No, just kidding. And he talked about how it's not professional. It's not professional. Again, clients are looking at us in comfort, confidential work of trust and ethical work, so when you do these things it really breaks that trust down and that confidence down, and it's just not great as a professional. Okay, I'm going to end the rant with: live tweet makes Hulk mad. Okay? Don't do it. Okay, so, end the rant. Done.

Let's talk about takeaway facts as we finish this up, and maybe have enough time for a couple questions. So the competition was born where? At a hacker convention. Okay, so at the biggest hacker convention with the most volatile network on the planet Earth, that's where the competition was born, but with a goal to show how social engineering was dangerous and it was still a very viable vector. But if we can
change it, it can change your life for the better if you allow it. And we've seen that happen so many times for people who've competed and won, or people who've just competed. I've had people come in and tell me, man, they've had job offers after competing and being in the booth, been interviewed, made your articles, and that's changed their life for the better. If we can actually use the experience to learn and grow, which is a big, big thing, which means coming together as a community, working together and not fighting against each other, then we can really leave each other better for having met each other, right, and still grow in this industry and band together. The funny part is, the bad guys do it. They kind of band together, they share secrets on their forums, they tell each other how they do things. So there's no reason for us not to do the same exact thing.

And then, shameless plug time. Has that kind of moved all of this? SE Village has not moved; we're still here, we're going to be here. But we decided to start our own conference, our social engineering conference, to really talk about how social engineering can become a professional profession. Is that a right sentence? Professional profession? I used the word profession twice in a row. Okay, I'm going to do it: a professional profession. And how you can grow in this industry and become a professional social engineer. Okay, those are the lessons I've got, folks. I have a few minutes for questions. I can try to answer if you have any. Thank you.

Yes, sir. Yes, you, in the back. Yes, the nice shirt. You're welcome. I can't redo it, I only have three minutes. So, the SECTF for this year is over. You sign up by watching the social-engineer.org site sometime in January, which is when we will announce the 2020 SECTF, assuming we are invited back by DEF CON. So if we are, we will announce it then. Yes, sir. Wayne. Wayne Ronaldson, sir. No problem. Date of birth? No thanks, man. That wasn't a question. I'll give you the 50 bucks later. Now you and Rachel, man. Yeah. Yes, ma'am. I
I don't have any local organizations, but I know that there's some really good BSides in certain areas, and ISSAs, which could be really good. You really have to just check about what kind of content they provide; not all of them are going to be applicable for you. I know a lot of people use... on the social-engineer.org site we have a framework for social engineering, and I actually know of a few very large companies that use that framework to plan out all of their services for the year that they want to have. So you can look on that, and it's just all free information. You know, we try to put out as much as possible: the blogs, newsletters, podcast, the framework, and it's all free. So you can use that as part of your security awareness, and I'll give you a card and we can talk more after. Yeah, it'd be great.

So, yes, sir. So the question was, the person that got disqualified, what did he or she do? He called as the president of a company, and when she stopped complying because she got nervous, he threatened to have her fired. Yeah, right. So now think about this. We don't know her life circumstance. So she's sitting at home, she hasn't paid her mortgage in two months, her car bill is late, she just got divorced, her ex-husband screwed her over, and now you just say you're going to get fired. How do we know how that affects her, right? Maybe she does something awful to herself. Maybe she... you know, we don't want to paint a morbid picture, we just don't know how that affects somebody. I don't want to ever have that on my conscience, that a competition, a game, created an environment where someone could harm themselves or someone else. So that, to me, is like automatic DQ. Yeah, I don't mess with that. You're done. We cut his call, we shut the phone down, said out, you're over. Yeah, I have no time for that.

Let's see, yes, sir. Tan, thank you. Wow, holy mackerel, can I have another hour? Yeah, no, I can't. I would definitely not
leave people feeling better for having met me. Okay, so, you know, quickly, and I can maybe answer this after, out in the hallway, for those who want to ask more questions. But I think the biggest impasse for me was getting corporate America to understand that social engineering is a viable and real vector that you need to have services surrounding, and that there's no blinky box you can put into your network that fixes the human. So for me... and I'm not going to say I fixed that, because I didn't. I think what happened is the fact that we see that Google Trend: the more people talking about SE meant the more times that corporate America was hearing it, the more times phishing stories were in the news, the more times that corporate America was thinking about it. And that's how I got past that, was by just what Wayne said: using those things, using this competition, all as a basis to say, that's why we need to do this. So I think, you know, Wayne kind of hit it on the head, that I've been doing the same thing. You know.

Yes. Oh, I can't say. First of all, I'm not going to say yes or no to anything, because I'm not going to tell you what the theme is for next year. We'll see. Maybe. Do I have... I have 14 seconds. Ha ha, the time has stopped. We made time stand still. Questions for 14 seconds? I'm just kidding. Okay, I'm over time. So guys, if you want, I'll go out in the hallway, we can talk a little more if anyone has more questions. And thank you so much for a great 10 years.