EFF fans and family, welcome to the premiere version of our live stream, hovering and orbiting around EFF's new, but not that new, podcast. We're in the second series of How to Fix the Internet. I'm Danny O'Brien. I'm one of the co-hosts, and I will wave like this and introduce Cindy Cohn, who is the Executive Director of the Electronic Frontier Foundation.

I came, I got waved in. It's great.

Well, we're masters of the internet, so we can just control it with our hands at this point. Cindy and I interview the best, most interesting and most productive people trying to fix the internet at the moment. And we have, I think... no, they're all equal favourites, but still, we wanted to get Tarah Wheeler on, first of all. Tarah is... gosh, I have to read this out, but Tarah Wheeler is an information security executive, social scientist in the area of international conflict, author and poker player. She serves on the EFF advisory board, as a Cyber Policy Fellow at Harvard and as an International Security Fellow at New America. She was a Fulbright Scholar in Cybersecurity last year, and you can find her on Twitter at @tarah, Tarah with an H, or at her website, tarah.org.

Hey, Tarah. You pinged. Yes, we have invited you into our... so how long have you two known each other? Where did you two meet, first of all?

I think it was an email of desperation once upon a time. I think I emailed Cindy, and the basic gist was, where are some of those EFF attack lawyers again?

Oh, where's an attack lawyer when you need one? Well, this is where you go. Attack lawyers, defense lawyers, it's kind of the EFF thing.

So the episode that just went out, that Tarah was a guest on, was Pay a Hacker, Save a Life. And we were basically talking about, I don't know whether you overuse this term, trash fire, Tarah, but the kind of ongoing battle to both protect security and protect security researchers, right?
And I think this is where, as you say, EFF and the EFF community frequently meet. I mean, Cindy, maybe you could talk a bit about what that looks like, what part of EFF does that kind of work?

Yeah, well, Tarah's right. One of the things we do is security researchers who think they might be in trouble, or can see trouble ahead, will just reach out and be like, help, help. And we have a whole project at EFF that we call the Coders' Rights Project, which is the kind of lawyers who are specially interested in that work. I would say, and this is one of the things where, I don't say we're all the way to success, but we have a partial success. In the early days, and I've been at EFF for a long time, so around 2000, 2001, 2002, if a security researcher reached out to us, we were very worried about them getting arrested. I once took an overnight plane to Boston to try to protect some kids who'd been sued by the city for talking about how there were security flaws in the CharlieCard, which is the Boston Metro thing, so that they could give a presentation at DEF CON. It used to be kind of a crazy, all hands on deck, big risk moment. Now, the risk is still too big, but I think that one of the things that was fun in talking with Tarah is about how we've leveled up in terms of the ability to protect people. Companies are more open. They've got a lot more to do, but at least it is pretty rare that we worry about somebody seriously going to jail because they've talked about a security flaw. So that's good news. We want to protect people, but really, it's still a thing we do. We do it in the months before DEF CON especially, the Las Vegas security conferences, but also any real security conferences where people are going to be presenting things that they've discovered. We will be pretty busy trying to help navigate the situation.
So, Tarah, people who want to find the big plan you have, and you have a really good big plan, should listen to the podcast. But how do you end up intersecting with this world of hackers just about to save the world and then being dragged off by the cops?

Oh, God. You paint it in its most exciting way. How do I intersect with this world, unwillingly most of the time when it comes to the law enforcement side of things? But no, I think I end up in some of these conversations because I cross-cut some of the fields in information security. So when we talk about things like international conflict and information security, stuff that crosses borders, I tend to get interested. So I am interested in how sort of the world views information security researchers, because I started out actually in academia. I'm originally a failed academic. It turns out that they want money to keep educating you after a period of time. And Microsoft made a wee little mistake over understanding the difference between game theory and game design, which is how I ended up over in web application security and working on that. And so I've actually joked to several people at this point that I started out doing case studies on China and North Korea, the relationships in the European Union when it comes to things like cross-border conflict. And 20 years later, I'm still doing that. I've come all the way back around to that again in this field because we're now at the international politics level. So that's how I sort of get involved in it. And other than that, accidentally, but not unwillingly.

Yeah, it definitely is shading into geopolitics these days. So maybe we'll find out what people think of InfoSec researchers. If you have any questions for Tarah, throw them in the chat and then sophisticated GPT-3 AI bots will copy and paste them into our channel. And we as other bots will answer them. But we have some already set up. So I will click on that little window.
And oh, okay, this was a good one. So has the computer security industry got more professional in your time in it? I think this is Tim, for both you and Cindy. And what has that professionalization... has it been a good thing?

I can start on this one, pass it back to Cindy and then sort of mop up at the end if you wish. I've been in this field knowingly for more than a decade and unknowingly for almost 20 years. I didn't know the thing I was doing 20 years ago was called information security, when I was busy doing community management and web application security, then trying to figure out the vulnerabilities in front end web applications and stuff like that. I didn't know that's the thing I was doing. So I have an opinion on the industry and the community that's only about a decade old. But my opinion on the professionalization of what we do: I think some of it's grown more standardized and more automated. But at the same time, I think that the industry growing bigger isn't necessarily a reflection of it becoming better. I think that there's a big spread of capability, of quality. And I think that like any place else where there is a gold rush, there are some scam artists out there. And so it's sometimes difficult to tell the difference between the real deal and people who have just set up shop with a handy website, right? So it's difficult to tell, and it's one of the reasons why, professional or not, I think the information security community is still so tightly integrated socially, because most of the time it's really difficult for people outside the field to tell whether or not someone's any good at InfoSec, unless they're vouched for. So the answer is still the relationships in the tight community over time, I think. We don't have a really good way; there's no way to put like a degree on your wall that says I'm a hacker. There's nothing there that you can do.

Despite you having lots of degrees on your wall behind you.
So I don't know how many of you folks are just like super into... that's not Neo. That's John Wick, and I made my own meme, so the meme is, what is it, work until you no longer have to introduce yourself. I keep myself centered with the fact that that's not a degree, that's my GED. Oh yeah, I'm a high school dropout, a lot. Like, I like school. I've succeeded at one or two of the schools I've tried, gotten kicked out of or dropped out of more than I succeeded at, but I'm weird like everybody else in InfoSec, right? And so there's not really a good way to certify that, you know.

I mean, I think that's right, and it's kind of a blessing and a curse, right? I think that the one thing about InfoSec is that people who don't think like the kind of people who can make their way through an educational process, check all the boxes and get the certificate... like, there are plenty of security researchers who are awesome and who have advanced degrees and who can do all of that, but then there's also this other piece of it where it's really a place where people who don't think in that way also have a space and can do amazing things and can see things differently.
You know, it's definitely much more professional than when we started, and less academic. There was a lot of academic security research going on kind of early on, and now there are firms, and you hire somebody to hack your system, which didn't really exist in the same way when we started this. But then there's also these, I have to say, sometimes these like kids, right? EFF's handling a case now for a kid who figured out that the Proctorio software, that kids have to install to spy on them while they're taking tests and stuff, was not very good. And he's just a kid, and he figured out the problems, and we're in litigation over that right now. Like, that piece of it hasn't really gone away, and to me it's where some of the fun stuff lives. Of course some of those are people who really do need to talk to EFF before they go a little further. But I feel like it has grown and there is a professionalization piece, but the other piece, of smart people who want to take things apart and figure out how they work and then stumble into security problems along the way, is alive and well.

Right, right. I feel like there was... so I covered this as a journalist in the early, early bit of it, and the thing that struck me, being embedded in it, I just remember being in a squat in Manchester with all these hackers going, I don't know, what am I doing here? A shout out to the Access All Areas people for letting me stay there that night. But it really felt like a kind of fork in the road for a lot of 17 year olds at that point, where it was either, you know, have a well-paid job in the industry or go to jail. I mean, one of the, I won't name him, Cindy, but one of the people that we work with, I remember talking to him and I said, sort of, how do you get into this? He said, well, I got caught in a
phone exchange wearing a Bell Labs uniform, and I wasn't actually... not Bell Labs, a Pac Bell uniform, and I wasn't actually an employee. So that was certainly a point where he had to like put his life in order. And so for me, right then, it really seemed like it wasn't so much about professionalization as trying to get kids who thought in a particular way and find them a home in a place where they could benefit society rather than just spin their wheels and get into trouble. And it's really interesting, you saying that that need, that stream, is still alive.

Right. I do want to jump in on this one right here, if it's okay. There's a reason I'm kind of so upright at the moment. Let me just get really real with you. I think that the professionalization of our industry is self-defense more than anything else, and the answer to that has to do with the fact that we have to be so credentialed to have a defense when something does go wrong. No, I'm legit. Remember I told you I was going to do morning wine? We're doing afternoon wine right now. Here's the reason why. I'm literally, right this second, all I have is bubbly water. Oh no, I feel like my product placement here is not, like, you know... So I'm gonna be super, super real with you right now. Literally, I got off the phone with my husband a little bit ago. For those of you that don't know, I'm married to Deviant Ollam. He's a very well-known physical penetration specialist and security expert. He created like lockpick villages. He's really well known for access controls talks and, you know, the thing that he does, which is breaking into places. And right now he's breaking into... like literally this minute, he is dressed up in one of those uniforms you're talking about, Danny, and he's breaking into a place where, if I said the name of the place, literally everybody on this call would know the name of the thing
he's breaking into. And honestly, I'm a little nervous right now. I wasn't as nervous before the Iowa courthouse thing, but right now... but then you see Missouri this year.

Well, we could explain what the Iowa courthouse thing is.

Yeah, I can do so. Do you want to maybe explain to Cindy the Missouri thing in a second? But I'll explain the Iowa courthouse thing if you want me to. Last year, two folk from, I believe it was Coalfire, were engaged by the state of Iowa to test county courthouse security in the state of Iowa. Well, in one of those courthouses they were caught and arrested by a local sheriff who did not respect their engagement letters and turned it into a really serious issue. It's still kind of an ongoing issue, even though the charges have been dropped, because those two people still have mug shots up on the internet. They were arrested, they had to explain to their kids and family why that was going on. I'm going to be honest with you, I think that really kind of came home to me not as an information security professional but as a wife. Yeah, my husband's in one of those, I mean not in a Bell uniform, but like in a uniform, and with permission, right? So, yes, well, probably... No, wait, wait, wait, stop right there. Let's not. I know you're not my lawyer, but you're a little... well, just, let's not. I'm actually sitting here thinking about this and going, it's nice to be distracted. I was messaging a dear friend of mine, Amanda. Her husband Chris Nickerson runs Lares, and he knows all this stuff too. And I was like, Amanda, you know, my lovely husband's at it again, and she's just like, yeah, I know, I know the feel. There's kind of a limited number of us who send people out to do this, and you can be arrested, you can be prosecuted, and like, I know who to call, but I don't want to call you, for reasons. I've been... morning wine, Cindy.

Yeah, fair enough, fair enough. Yeah, but I... I mean, you're
right. So the Iowa incident, where people who were legitimately hired to break into something did, and then basically that got whooshed away. And the thing is, similarly, well not similarly, in Missouri there was a reporter, I think with the St. Louis Dispatch, who discovered that an education website had a security flaw in it, and that the social security numbers of teachers and other school employees were available to the public. And the governor called this person a hacker. But this is a person who's, again, I mean, one of the things in the blog post, in the podcast, it's so lovely as Tarah talks about doing a good deed at a bridal shop and getting nothing back. But this is like doing a good deed and getting the governor of your state calling you a criminal. These things are troubling. They're kind of the next step, right? The first step in this was to make it clear that this was legitimate work, and I think the second step is to make sure that that gets enforced all around. Because this is the security reality that I think people like Tarah know better than anybody: the only way you can tell whether something is secure or not is to try to break it. And there's no... I think it's a Bruce Schneier quote that everybody can build an encryption scheme that they themselves could not break, but that is not actually the measure of whether something is strong or not. You have to have other people, and it's almost a community type event, right? The way that security develops is a bunch of people hacking on something, trying to figure out whether it's broken, trying to poke holes in it. When we say something is secure, what we're saying is we've done a lot of that and nobody could break it yet. Not that there is some kind of security threshold that we've reached and we're over, but more like, well, all these smart people tried
and they couldn't do it.

Yeah, I think just to throw in another case here while we're piling up the contemporary cases. I think sometimes people go, oh, that's the crazy Americans with their crazy overreactions and stuff. So, still going on, but when I was at EFF, one of the cases we worked on internationally, which some of you may know, and I can go into more details if you have questions about it, is this Ola Bini case in Ecuador. And we went over there to try and... I mean, it's a complicated... the case itself is simple. I mean, the guy is innocent, right? He was accused of being part of like a huge hacking team that was trying to bring down the country, and he's not even a security researcher, really. He builds secure languages, right? He builds sort of the tooling for security researchers. But of course he has that mind, right? He likes to sort of play around with these things. And so at home, when they kicked down his door, I don't know whether he had a lock picking kit, but I wouldn't be surprised. He had a lot of, you know, Ubiquitis, he had a lot of stuff that he was taking apart, looking at. And the police did that thing of laying all of this out like they would with a drug seizure haul and going, well, I mean, clearly up to no good here. And you're going, no, these are the tools of the trade, right?

Yeah, they want to see something, they should get a load of my garage.

Right, yeah. And it's one of those things where there is that moment in all of these things where you're sort of going, okay, I know this doesn't look good, but... And I think a lot of this, I mean, it's one of the things that I found fascinating when I was at EFF, was this idea of optics, Cindy. Maybe you can explain what optics is in the world of law and being a lawyer in these cases.

Well, honestly, I think it's a failure of law sometimes. I mean, I think the whole point of the
legal system ought to be to be able to tell the truth of what's going on. And I think too often, when the deciders or the people inside the system don't actually understand what's going on, which happens a lot in computer research, they'll just default to the optics, right? And you end up in these weird places where, you know, if you had "ster" on the end of your name after Napster, you were suddenly assumed to be engaging in copyright infringement, when the name doesn't mean... like, that's just facially ridiculous.

So optics is how it looks, right?

Right, optics is absolutely how it looks, and how it looks generally to someone who isn't you, who isn't inside your community. So having a set of lock picks: lots of people have sets of lock picks for all sorts of legitimate reasons. The idea that that would be an indicator of illegal behavior is just as ridiculous as discovering that somebody has a hammer. Oh my god, they must be somebody who beats people over the head. People who have hammers all the time know that that's not actually the primary use for them. People might have lock picks because they help their family get into their house when they get locked out.

It's true. And it's not just the... there's another side to the optics. There's the public view of what's happening, and I get that part of it. The side of it for those of us in the industry working with clients, or trying to fend off concerns, is the emotional work that goes into the relationships when you're talking to somebody, maybe, who hasn't ever been pen tested, for the first time, and you explain to them what's going to go on. Just the process of doing that emotional work doesn't end with signing the contract to do a full red team engagement. This is what I do for a living, right? So signing that engagement letter and getting started on the
contract, you still have to do that emotional work all the way through. Because I'm here to tell you, at least three or four times during most of these engagements, I get a senior executive who all of a sudden says, wait a minute, what's going on here? Are you telling me that we could actually have our security tested? What's going to happen? Are we going to deal with brand management issues? How do we handle the fact that we need to communicate that we have security failures? And just the process of emotionally educating people and saying, look, everyone has to deal with security issues over time, there's no such thing as security which is perfect. What we're trying to do is make you safer, in reality, make you not... the people who are just kind of looking up right now and going, cybersecurity, what is this? Right? You need to emotionally educate people, and that is how you kind of walk people down from the brink if they begin to panic a little bit during a test. And it sounds to me like in the Iowa courthouse and in the Missouri case, everyone did that emotional work, and we've bumped up at this point against sort of that next level that I think the EFF is really starting to work on. It's not the companies anymore, it's policymakers, it's governments now that aren't understanding the work that we're doing, and they're freaking out when they see it in action. So that's emotional work that we're all trying to learn how to do now at the nation-state level. So where's the lawyers, Cindy?

No, and I think it's really true. I mean, this comes up over and over again. This last week or so, Apple sued NSO Group, which is something we're cheering. NSO Group, for those who aren't following this, is a scummy company that sells surveillance software to, well, clearly to some repressive governments who have used it and been involved in some pretty horrible human rights abuses. The, you
know, the killing of the journalist Khashoggi appears to have had a piece of NSO Group surveillance in the story behind it. So we're talking, you know, murder, we're not talking like, oh, inconvenience, with the use of this. So Apple sued using the Computer Fraud and Abuse Act, because this software basically breaks into people's computers. And the thing that we're talking about a lot with people is why that's important and we support it, and why we have to make sure that we're not hurting the very people who told us about this software, people like Citizen Lab and other people, in our zeal to go after NSO Group, which is strong, and I share it, and EFF has been active on this for a long time. We have to make sure that we're not actually undermining the work that it took to get us to the place where we know this, and that these things can be two sides of the same coin. You have to look beyond, is this software capable of seeing something on somebody else's computer? You have to look at what's going on in a bigger context to be able to figure out where liability is proper and where it's not. And that's why the Computer Fraud and Abuse Act is such a poor tool for this. It does none of that. It doesn't draw the lines, it doesn't help us draw the lines between the stuff we want to protect and the stuff we want to go after. So this is why, in this particular instance, we're happy that Apple has the CFAA to use to go against NSO Group, but we've really got to be careful about how this goes from here.

Yeah, yeah. I was... oh, I have echo. Oh no, that's me. You just started. You sound good to me. Okay, Tarah, you talk while I stop echoing. One moment. Okay, you still echo. Hopefully it's not me. There we go. All right.

So I was loving that Cindy just brought up the CFAA. I mean, it's the bugaboo, the crazy monster under the bed, the insane demon of our entire field, and
we've... it's gotten to this mythical level at this point, because you can use it in so many different ways as a tool for ill. And I think this is all going to be a systemic thing. I'm going to keep saying this again and again, that this is a systemic issue for our entire industry. It's not just the optics, it's not just the emotional work, it's also that we've got to have some policymakers start to meet us halfway here. And for all that we have, to the best of our abilities, done things like professionalize the industry, certainly Alan at SANS, rest in peace, did an incredible amount to credentialize the industry. We've got people who are now working to really make it understood what election security vulnerabilities are and aren't. You've got Matt Blaze out there over at Georgetown doing this kind of work again and again to clarify to policymakers what we're doing and how we're doing it. And yet, every single time that we come up against a policymaker who thinks you can whistle nuclear codes into a pay phone and open up Cheyenne Mountain, every time we deal with a governor in Missouri who thinks that right clicking on a web page and inspecting element equals hacking, who doesn't understand that he himself literally authorized the disbursement and publication of that information, that is on literally him. Every single time we have something like that happen, where people don't understand the most simple elements of the difference between publishing plain text stuff on the website and encryption intended to harm someone, it just makes us a little more nihilistic. And I don't want to see that nihilism. I want to see hope in this industry, fun and clarity and increasing professionalization.

Right. I also feel that like one of the problems here is when this stuff does become political. And I think the big elephant in the room here is it's now geopolitical. It's like state versus state, in a lot of ways. That means
prosecutions get used as a weapon as well, right? Like, I don't have any insight on this, but the fact that the governor of Missouri made a big deal out of this must have been partly because politically it felt like something that would get him... I mean, I tweeted just like, who thinks that this is going to reflect well on the governor, that they don't even know these things? But of course I'm in my little world where everybody knows this is a foolish thing to do. And the truth is, again, picking on the Ola Bini case, the thing that complicated it was that the Ecuadorian government were switching their policy. They'd been holding Julian Assange in their embassy in London, and the policy of the government changed. That was actually the point where they threw him out, and so they kind of had to turn the press cycle there from Julian Assange, hero of the Ecuadorian people, to bad guy who we don't trust anymore. So they had this big thing of, uh oh, hackers have turned against Ecuador and are hacking it, we suspect Julian Assange is behind this, and this is why we threw him out. And of course there were no hackers doing this, but they had to find them. And I think the thing that worries me as this becomes more of a problem is that it may be blown up, particularly by snake oil merchants, right? Where people go, you've got to give us millions of dollars to fix this problem. The more politicians will go, okay, who are the usual suspects that we have to round up? And it's security researchers, right? They look like they're visible, they've got the lock picks, they fit the profile, they go to jail.

But that's, I mean, again, you can't fix this entirely with a well written law, but we have a spectacularly badly written law that feeds into this. And the CFAA has been exported all around the world. There's a version of it in Ecuador and
there's a version of it in all sorts of places. One of the ways that we combat this is education, and that's tremendously important, but the other way we combat this is, you know, don't have vague, overbroad laws, and that's one of the things that we don't have with the CFAA. And I love Tarah's reference to the whistling into the phone, because that's the movie WarGames, which, the story is that that's how we got the CFAA in the first place: that Ronald Reagan and a couple other highly placed people saw that movie and thought that Matthew Broderick could launch nuclear weapons with a whistle over the phone. So like, that's just a bad way to do any legislation.

So we're scared. We're scared every single time we try to do something new at this point. We're scared every time we try to do something normal, plain and old school at this point. Yeah, a couple of years ago I started, and it's continued on in the community, this project called the Nerd List. And it is a collection of passwords used in movies, film, pop culture, whatever, that we can run whenever we're doing password cracking, hash cracking really. And what kills me is not only how often it's used, but how often these kinds of passwords are used. We're talking like Z1ON0101 from The Matrix, Trust No One from The X-Files, hunter2 from that really famous thread. I mean, people have been using this. It's under my name. You can go take a look at it right this second. And if somebody uses this and does something unauthorized with it, is that going to come back to me?

Yeah, there's an email for you.

But we're talking, these are passwords that are commonly used, that are found in media, that have been published in film. People use the password from Swordfish like a depressing amount in their Active Directory hashes. So this is the kind of thing where we're
doing something fun and lighthearted, but this could come back and get me. And I don't know if it's going to. I'm just taking that tiny extra chance. We all push the envelope outward, hopefully for understanding.

I mean, they cracked those passwords in the movies. Like, it's not like you went, oh, this is a good password. It's like, these are the passwords that they got. Okay, so yeah, I remember Alec Muffett, who's a British security researcher, wrote one of the first password crackers and was like pilloried in the press for being an evil hacker.

Well, so we're getting a few questions in. And also, to reflect our podcast How to Fix the Internet in miniature, as you will know, Tarah, we get our guests to... we bond on all the problems like this, and then we go to the solutions. Because as you say, there's no point being paralyzed in fear, we have to get to a positive world. So let me, while I'm looking at the questions, the question that we asked you in the podcast, and I don't want to spoil it, but is there any industry that we can learn from? Has anybody done this before, gone through this pain and come up with something useful that we could learn from outside of our industry?

I love that question. Thank you, Danny. Permit me to tell you that I love planes. I love... they're fun to look at, they're fun to fly, they're fun to be in. I'm a student pilot right now, and the reason I'm sitting here right now instead of a different day is it's raining outside and I can't go out and do a little learning and flying. But I love the industry, and I've had conversations before about how aviation security and improvement has worked over time. I did a talk on this at DEF CON's Aviation Village the last time we had a DEF CON and an Aviation Village. And just pretty recently, actually, Rob Knake, Adam Shostack and I released a report out of Harvard's Kennedy School, at the Belfer Center, on aviation security and how we can take the lessons of the NTSB and
apply them to the mandate for a CSRB, a Cyber Safety Review Board, that Biden announced but hasn't yet implemented in the executive order from this year. This is my cat. Get down, Franky.

So the nature of aviation is that there is a massive culture of sharing your mistakes and a blameless post mortem when something goes wrong. Now, that doesn't mean people don't face consequences, but the nature of aviation, and why the NTSB does such a good job, is not only their multi-stakeholder model, it's also that they have experts where experts belong, and those experts where they belong are shielded from the politics and the consequences, professionally, of making the determinations that they need to make. Aviation has done it right, and we now have the safest aviation climate that we've ever had at this point. Basically, planes don't crash anymore. And yet in cybersecurity we have these massive incidents, WannaCry, NotPetya. We don't even have any kind of shared truth on what happened for those, other than a couple of blog posts and a few news stories where often, respectfully, Danny, the journalists sometimes get it a little wrong. And now that becomes the truth that we have to go back and look for, you know, years later, and there's no real shared history and lessons learned. So we're looking to get those lessons learned out there, I think, and I love how aviation did it. I want to see cybersecurity do the same thing, and yet deal with the fact that I just said "cybersecurity," people. That's what policymakers say. Keep going.

Do you agree, Cindy? Is this the sort of way forward? Is there stuff that you can draw on, like, creating the legal kind of environment, or the optics, to this?

I think it's definitely worth looking into. I mean, I don't know the ins and outs of how aviation works. Obviously, Boeing just had a big, horrible problem, but it did get corrected. So planes, you know, occasionally fall out of the sky, that is true, but I appreciate that
Tarah has been in the middle of it and looking at it, and I think that that is one way to, you know, looking for good models in other areas. I mean, you know, cybersecurity is important, computer security is hard, but it's not the hardest thing in the world, or if it is, there are other things that are real close to it, and I think aviation is one of those ones where it is complicated enough, the stakes are high enough, that it seems like it might be a good example. And then how does liability go from there? I think, you know, accountability matters, but making sure that the risk of liability isn't getting in the way of people talking about what happened and getting a clear picture about what happened is tremendously important.

Tremendously. It's not just the getting a clear picture, it's also understanding what rules to follow in future. This is my checklist for a Cessna 172 Skyhawk, okay? And this is the most dull checklist imaginable. I have to go through, every single time, check and make sure that I've done every single one of the things on this list, and it's dull, but you know what? My plane hasn't fallen out of the sky yet, and I found things that could have been a problem for it. One of the things we can cross-cut this answer with, going back to the question of the idea of charlatanism in infosec: don't trust the people who tell you that they've got a secret sauce or a magic new weapon. Trust the people who tell you that information security is extremely boring when it's done right. Trust the people who tell you that you need to be focusing on your patch management cycle. I've seen companies that take years to fix critical vulnerabilities at this point, whose average, I mean, like, across all the vulnerabilities they have outstanding, is years on average to patch vulnerabilities. That doesn't happen in planes in the same way. And so trust people who tell you that stuff is boring, because honestly, flying a plane is like an hour of awesome, but it's like
ten hours of incredibly dull form-filling beforehand to make sure nobody dies. And in cybersecurity we're now getting to the point where people can die if we screw it up.

Oh, yeah. Yeah, we have, I don't know whether it's come out yet, I don't think it has, the interview with Window Snyder, who's a brilliant security person who is working on taking some of these lessons and applying them to the Internet of Things, and, yes, I am widely told that that will be up and coming in 2022, which is not that far away. So it's a fabulous interview, and they fit well together, right? On one hand, Tarah's pointing to the future of cybersecurity, and what Window's saying as well is, we've had 20 years of cybersecurity and we've learned some things; let's feed them over into the Internet of Things world, where things are much worse. Because, yeah, because we have to get better at this. Software eats everything. We're sort of, like, running, you know, if we don't get there, then there are going to be these problems in airplanes that are actually our problem now. Like, because it's, okay, let's go to some questions that folks have been asking, and this one's from Fred Flintstone on YouTube, not his real name.

It's true, it's true.

Is government regulation the only answer to, actually, he says Internet of Things security, but maybe we can talk about this more widely, because there's definitely regulation in the airline world, right? Since neither vendors nor purchasers seem to care enough to do anything. I'll start with Tarah. You'd like this.

I'm going to flip it back over to Cindy here in just a second, but I'll note that it's not necessarily government regulation. It's appropriately aligned legal and economic incentives, some of which might include government regulation. It's not that vendors and purchasers don't care, it's that their risk management calculus is off, based on what's in the public interest as opposed to their private interest.
The job of government regulation, the FTC, any of the regulators that are out there, any of the standards bodies, NIST, any of the incident responders like CISA: they're part of a package of appropriate incentives to get people to do the right thing. And that's the short answer. Please, Cindy, tell me where I'm wrong.

I agree completely. I think it's really not about regulation or not regulation, it's about what can we do to align the incentives, and there may be places for legal, you know, I'm certainly a huge fan of legal liability, because if you hurt somebody, you should have to make them whole, and right now that is actually not what we're doing with a lot of these situations. And so I think that that's one of the things that can help give a feedback loop and accountability, and frankly just make fairness happen. But it's not regulation per se, it's what is the regulation doing, and is it supporting a better world, or is it just making you have to, you know, check a whole bunch of boxes or go on bended knee to a regulator to get permission to innovate? Those are all the things that, you know, we've seen regulation do sometimes when it's kind of decoupled from the actual goal.

There's two asterisks to that, too, which is that one of the reasons we have those misalignments has to do with legal liability inside companies. Often, respectfully, it is the lawyers who tell you you can't say anything, you can't fix anything, you can't acknowledge that this just happened, we need to deal with the consequences of having received vulnerability reports or the consequences of regulation. And sometimes the incentives inside a company look very different than they do externally. It's one of the reasons why we found that the reason aviation security has gotten better, the reason incidents have dropped in aviation security, is because there's not only that process of blameless post mortems, but also the legal requirements make it more expensive to not tell the truth to the
government and the public than they do to keep it secret. That's not the case, the incentives are flipped, in cybersecurity. Yeah, and the second asterisk to the process of getting this whole thing solved is, right now, as we push forward in cybersecurity with the incentive misalignment that we have, it's really often true that that culture of secrecy is just so embedded everywhere that we can't get people to just tell the truth everywhere.

Yeah, well, and one of the other ways that this happens is through confidentiality agreements, trade secrets claims, you know, there's a whole bunch of legal barriers to transparency, and we also need legal support for transparency, but that can't be a liability get-out-of-jail-free card for people who hurt other people.

Well, I think it's that thing we go back to, this theme of, like, fear and safety, right? If people are scared, I mean, we learned this at EFF from doing security trainings, right? Because there was this whole period where people who were very vulnerable, you know, didn't know the first thing about how to protect themselves, you know, just using end-to-end encryption and these sorts of things. We went out there, and I think we kind of initially had that thing which is a little bit from activism, a little bit from infosec, of, like, going, oh man, it's really bad out there, you're going to be attacked immediately, and oh, they can see everything. And it just led to this: people just turn off, right? They're just so scared. And I think this happens in a corporate place too, where they're just like, I don't want to hear about it, cover it up.

Like, literally, the National Defense Authorization Act yesterday dropped the language requiring reporting of cybersecurity attacks and incidents to the government. Yesterday they dropped the language from it. We're the opposite of succeeding right now. Like, it's not failing, it's almost like
we're looking at our previous successes and literally, deliberately rolling them back. It's like you just nuked your git repo full of good law in the process, and you're just heading right back to the beginning again.

That's so funny. That's a place where I think we disagree, Tarah. I think that, I mean, mandatory reporting of security problems to the government has not actually resulted in a lot of companies feeling really great about what happened after that, right? You tell the government, they say thank you very much, and then you never hear from them again about a lot, or, you know, you don't really know what happened. And so I don't think mandatory reporting to the government, especially in this context of secrecy, government secrecy, is... it needs to be buttressed, right? We need the government not just sitting on vulnerabilities that it hears about. The Vulnerabilities Equities Process is broken. We need the government to... so, without more responsibility in the government for what it does with the information, EFF is not all that comfortable with the reporting requirements, because, you know, it's a privacy issue, right? I mean, often what they're reporting to the government is, you know, your personal private information, so it's something that we've been nervous about all along without all the other pieces, because, you know, it's an ongoing issue that the government wants as much information about you as possible. Once it gets its hands on it, no matter how it got its hands on it, it can use it against you. And so making sure that we're not opening another avenue of surveillance is really important, and, you know, there's a whole bunch of Fourth Amendment stuff about how, if the government gets it for one purpose, it shouldn't be able to use it for another. I mean, I've got a whole list of things I would like to do to fix this, but I have to say, you know, we weren't deeply involved in this round of it, but in the past we have been
really nervous about just tacking on, well, and then you have to tell the government, to somebody who suffered a security problem, because that alone, I don't think, will get us there, and it can backfire.

I'm going to love the disagreement on an ongoing basis. There, I think you're absolutely right, and as people of good will often do, we've got different perspectives on what needs to happen, because we think that the process is going to work in two different ways. I want the mandatory reporting and that process to continue, because from my perspective it's been the companies that don't acknowledge their vulnerabilities that have created the biggest problems in terms of security. But what you and I are talking about are two different values, privacy and security, right? And you can make trade-offs between those things, and in this case there's a trade-off to be made, and we can tune that variable as we go. But for me, on this one, less transparency about when the company's experienced an attack and what the vulnerability was is less of a good thing, especially if we can shield personal information while doing so.

So is the solution here really thinking about this more like a public transparency, as is sort of increasingly happening with data breaches? Is that your concern, Cindy, that this data is just getting handed to the government, the government is another pit of secrecy, so nothing happens with it, and it's potentially exploitable by bad actors in the government?

Well, I mean, the first two are definitely true. The second part, about exploitable by bad actors in the government, maybe, but, you know, the US Justice Department takes the position that as long as the government gathered the information legally in the first instance, they can use it for other purposes as well. And so I'm actually, I don't, you know, we might call them bad actors, I think the Justice Department would call it what they do. Right, yeah. So I think that we have to be really
careful about thinking about these things, because if you're only thinking, if you're thinking it's going to go into this one little silo and it's never going to be used for anything else, I've got news for you about what happens inside the US government around criminal investigations and things like that. It's not necessarily the case. So I think Tarah and I, if they put us in a room together, we could sort this out and get to a good place pretty quickly, but I'm nervous that a lot of what's going on isn't that, and we're going to be stuck with it. But, you know, I mentioned a little this Vulnerabilities Equities Process. Like, we need an ongoing process where the US government, having been told of or discovering a security flaw, has to, you know, err on the side, except in the most extreme situations, of helping us fix it, not hanging on to it so that it might be able to spy on somebody later. And that mix is way off, way off. This is where the spyware companies come in, like NSO Group. They're feeding this piece, this piece where governments want to be able to stockpile vulnerabilities so that they can use them in the very rare situations in which that would work, but the rest of us stay unpatched and unprotected in the meantime. And, you know, personally, I would much rather not be broken into in the first place than make sure that the government has a really easy time catching somebody who breaks in, right? It's the forensic versus the security issues, and the government stockpiling vulnerabilities is, you know, forensic. They want to be able to solve things at the end, or do their own affirmative things, whereas I think that our priority ought to be security in the first place and making our systems as secure as possible so that we don't get broken into.

Well, go ahead. You're about to ask the thing that I want you to ask, Danny.

Okay, I will ask the thing that you wish me to ask. I am the controlled questioner. So this is, I put it into
our internal chat. This is actually a question that the brilliantly self-named Algorithms Manipulator asks, which is: should governments buy all the premium exploits, which governments do right now, and then disclose them?

So, in answer both to that question and to Cindy's point, sometimes the EFF is on the cutting edge. Honestly, so much of the 0-day that has been created or discovered, the people that are caught up in it, the truth is, most of the time, I think, and I think that many people would agree with you on this one, it's not that companies are developing awesome monster 0-day, it's that they're embarrassed about the fact that they didn't fix a thing that's been publicly disclosed for months or even years. And we're talking about NotPetya, we're talking about WannaCry. These are vulnerabilities that were out there for months before this happened. And when we're talking about the 143 million people that just lost their data in the Equifax hack in 2017, you could barely call that a hack at this point, because if you had the Struts vulnerability that was the underlying flaw, the CVE had been out and patched for eight months.

Yep.

That's not a question of governments needing to engage in a Vulnerabilities Equities Process with Russia. That's somebody who was asleep on the job for eight months, and that's embarrassing. I want to solve the problem of companies that are disincentivized to reveal embarrassing information, not governments trying to figure out how to protect citizens.

Yeah, and I think that there are ways to do that. I mean, the data breach law in California has made a huge difference, right, in California, and that includes a lot of companies who are not, you know, primarily in California, because you've got California customers. You know, your liability goes down if you notify people that their data's been breached, and so I think there are other incentives that we've actually seen. I think a federal data breach law would be
great, but the important part of that is that you've got to tell the people who are affected. You don't just tell the government. And, you know, there are emergency examples, there are other sorts of situations in which, you know, that's not all the time the case, there are exceptions, but in general the people who need to know that their data has been, you know, let go are the actual people who are impacted by it.

So, and it's so top-level, right? It's so top-level, what we're talking about right now, international law and governments and policies. Number one, the truth is that any person in this community, any person anywhere, can reach out and do things like provide comment on public policies, can join the feedback circles for all of these policies. One of the things that the United States is going to have to start dealing with sometime pretty soon here is the new vulnerability disclosure best practices that were released by the Organisation for Economic Co-operation and Development this last year, and I was part of that working group of people that helped to provide comments on that, to make sure that all the language was sensible. Anybody can reach up and touch those policies and fix them and make them better. Part of the reason that matters is because down here, where the data meets the dirt, these aren't just government policies. They are affecting human lives. I've looked in the faces before of people who have been terrified of the fact that they were under indictment for the CFAA. I am, I'm very pleased to tell you all, I just got a Signal from my wonderful husband, and he's doing just fine. He's apparently kicking ass, taking names, taking pictures of elevators.

Is he in? Is he, kind of, has he broken through?

Well, no, kicking ass means he's doing it, so, yeah, he's broken into all the things and everything's fine. Just see him going, everything's fine.

So Tarah gets another drink from that. So he breaks into another place, I get to get another ounce of
Cabernet. But no, this is real for everybody everywhere.

Yeah, you know, and I do take your point that, you know, certainly the Equifax hack, you know, it was the second time, right? I mean, like, you know, Verizon does this big survey every year, every other year, of, like, you know, what are the big data breaches and what do they come from, and, like, it's like 80 to 90 percent of them are things where patches are available. It's an incredible number for consumer data breaches. And so, you know, I really do take your point about that, that the Vulnerabilities Equities Process and the purchase of 0-days are almost, like, I mean, they're very far apart in the real world. Now, that doesn't mean we don't care. I care a lot about the Vulnerabilities Equities Process and having it be fair, and it's a horrible name, we didn't come up with it, but I do think that the government needs to demonstrate that it's on the side of fixing things before I'm interested in more things being shoveled towards them as opposed to shoveled towards the people who are affected, the security community, a broader community of people.

So I think we're almost up for time, and I know it went so quickly. This is great. You know, they do Twitch streams for, like, hours. We could just watch Tarah getting steadily drunk and, like, have a four-hour shift.

But no, apparently not on half a glass of wine.

No, not with a multi-hour Twitch, so we could... well, that might be trouble. No, I have to put that away and head for the soda machine.

Yeah, don't worry. Well, we'll wrap it up in four minutes. I'm getting steadily caffeinated too. So, all right, so Tarah, I have a question from a Tarah Wheeler in the chat, so do you want to ask about...

I want to ask about poker, and here's the reason I stepped in. We all collaborated on questions and stuff before this, yeah, and so one of the things I've kind of
wondered for a while is, it's rough without, you know, you have the summit and the fundraisers that we've had in the past for EFF, and as I try to take my responsibility as an advisory board member for the EFF, which I can't believe you let me join the club, pretty seriously, one of the ways I want to do that is really have this conversation about how information security and risk management is really similar sometimes in poker and in cybersecurity, right? I've talked about it a lot, and one of the fun things I think we did last year was, it was an EFF, no, two years ago at DEF CON, was an EFF benefit poker tournament. I'm dying to do that again. Do you have some time?

Yeah, let's do it. Let's do it. I love it. No, there's so many people, you know, it's, I find poker and those sorts of games very interesting because they're all about, you know, threat assessment, threat modeling, but they're all about risks and benefits and calculating probabilities. So you do get a bit, of course, of faking it, right? You do get a lot of crossover between the infosec community and the poker-playing community, and of course that's like this, right? And of course, what do you think, Cindy?

Oh, yeah, let's do it. Let's do it. We're in, we're in. I'll talk with, you know, the DEF CON... haven't you in four? No, that's not us, right? Like, we're not, we won't, well, let's put it this way: we're not wagering EFF money. That money, you can ask, and take your names, to protect you all, but there might be some EFFers who want to play.

Well, I will remind everyone that if you donate money to the Electronic Frontier Foundation right now, it's easy, it's like roulette, you'll double your money, because folks are kindly offering, for every dollar you give the Electronic Frontier Foundation, someone out there will be giving another dollar. So do give money to EFF. Thank you very much to Tarah, advisory board member and all-around
infosec superperson. If you would like to hear more from Tarah and everybody else that we interviewed about the future of the internet and how to fix it, do go to howtofixtheinternet.org, or go to your local podcast app that you use and search for How to Fix the Internet. Yes, and when you love it, write positive reviews, like, oh my god, oh my god, this is amazing. Don't use bots to do that. We just don't do that. Trouble, we don't want that. But also big thanks to the Sloan Foundation. They made this available, they helped us make this whole podcast available, and it's been so fun to get the chance to talk to people about how we make things better and how we envision a world where we get it right. And thank you very much again, Tarah.

Yep, thanks, Tarah.

An honor. Thank you so much to both of you, Cindy.

All right, take us away.