 How's it going everyone? Thanks for coming. First of all, my name is Luis Eduardo, you are in Track 5 and the presentation is called Hacker Culture Around the Corporate World. Amazing how people lose good talks to come to this one. That's fine. Real quick, who am I? Networking guy, became a security guy a few years ago, just pretty much for obligation. Work now for new security. Some people know me for doing the WLAN, the wireless networks for several conferences. I spoke at conferences in the US and Latin America. I work here at Magoon and I have a website that I don't know yet what I'm going to be doing with it. Quick disclaimer, I have to put this here. Everything that I'm saying here is based on my thoughts, nothing to do with my employee or my employer. My employer just let me be here. Everything I did is based on my research. This is a non-technical talk at all. If you want a technical talk, go see a really good one. And as Bruce Potter says, don't believe anything I say. I could be totally wrong. So why am I doing this? Well, guess, lots of people here are hackers, right? And I've been around to several conferences and I see a difference between hackers here in the US. You see people at DEF CON, you go to another conference, you see the mentality is totally different. Then you go to another country, it even gets more different. And not only hackers, right? The whole security society per se. So I'm going to be talking about a little bit of the differences between these communities. Let's put it like this. And actually how this integrated to the corporate life. Let's see if there's anything interesting. Also the security awareness, like in general, right? Everybody uses the internet now. Security is kind of embedded. So if you guys are here, I hope you really have some concerns with security at all. And I think all of you do. But some people there, they use the internet and they have no clue. 
They shouldn't, or they should, but it's hard to require for my mom, for example, to know stuff about security. So let's move on. If you have any questions, just raise your hand and can you interrupt me anytime? So pretty much. If you look around you, when I say look around you is here, it's in your job, it's with your security related friends. Those guys that only know from mailing lists and stuff like that. People, although apparently when people say, oh, or like yesterday, some person stopped, oh, what is this convention? Oh, it's a hacker convention. They think, oh, a hacker, bad, whatever, that whole thing. But even people here, some people are here for work, some people are here for fun. Some people don't even go to talks. Some people get drunk. Some people do all of the above. And that's the fun part about DEF CON, right? But some people really, I don't know if lots of people really understand the whole hacker culture thing. And you don't need to be really, let's say, technical or anything like that to be, to have some influence in the hacker community in a positive way. So some people, and worst of all, right, I have in a few slides actually, I'm keeping a hat. But the security marketplace, it's kind of new, it's fairly new. So you have still lots of people who do not understand security, what I put on the slides. By the way, the slides are mostly like for reference for you guys later. But I refer on that as insecure people. Maybe they're good managers, but they don't understand how sometimes we think. They don't understand how to deal with us. And I'm going to get to it when I get to the corporate thing. But you see even here, right, there are people and there are people that might not even know or send the wrong message and try to influence you guys to do like other stuff to say, oh, I'm doing what I'm saying. Let's move to this path. Let's do bad things or let's do really good things and etc. And who knows what this guy knows? 
That's why I put on the beginning and that's what Bruce says and I totally agree. You shouldn't believe on anything I say, but the objective of the talk is to make you hopefully better, try to make like our lives better in the corporate life. Being the corporate life if you're a totally like black hat that makes money selling botnets and stuff like that. Or if you work for a large company and we all have challenges regardless. We have to make money somehow. So that's the idea. And some people are just afraid of us. Let's put it this way. Some people don't understand how we could fit in the security world or in the corporate world. And even people who in theory work for security companies or in the security department or something like that. These douchebags they totally don't understand why security exists or why it's important. Why they need that and even like users in general. So talking a little bit about the differences that are out there. I did this boring thing just so you guys don't read everything ahead but it's not helping. Anyways, so geolocation, the culture backgrounds. So all over the place people have different backgrounds. For example, I'm from Brazil and I live here for a while. And it's totally different. Like every place has the good things and bad things. It would be cool to understand from other societies, cultures, whatever. Try to get the best thing. And well that's the ideal world, right? But if we can apply this somehow in our nine to five job that would be better. And try to help people understand security in a better way. So from even or even at your with your family, whatever, right? So geolocation is one thing. The cultural background is huge. Like sometimes you can't say something or sometimes if you mention something people get really upset with you. Or, I don't know, people are different in general. The freedom of speech. Sometimes you can go on newspaper and say something. 
Sometimes you have for example the magazines like 2600 and stuff that is really cool. You have other zines around and you, sorry. But some other places you cannot say anything. You cannot expose your ideas. And the internet kind of in the past 15 years, 10, 15 years, gave this leverage for people to say whatever they want. In a good way, it's good in a way but it could be really bad in another way because there's a lot of misinformation in there. Lately in some countries in Europe you cannot, for example, use hacking tools. So anything that is related to, like if you, if the tool is ideal for something like, like say Nmap or something like that. If it's classified that it can use for bad things, it's going to be really bad. Politics depends on, depending on the country, it's really bad too. Money is more on the corporate world. And let's move a little faster here. Security work in a hole, that's what I said. There's a lot of people that, mostly, one second. There are people that just don't understand and I'm going to move to the corporate thing to go on this. Sorry, I should have that shot of Jack Daniels before this. So depending on where you live or in the society that you live, move back. So some places you have, it's really common for example in Germany, you have the Chaos Computer Club. They have like in several cities and people just go there and they hang out. And I don't, like you have the 26 meetings here. Some places they don't even have that. They don't bother about that. And that's really kind of, it's a good thing that people should follow. And that doesn't happen here. It doesn't happen in many places, I'm sorry. And then you have the formal meetings. Sometimes you have like associations like the ISSA or other types of associations. And sometimes it's not linear, the thing. It's not level. Like things are totally different. And I'm sorry, I'll try to. So and then we have the myths, right? 
Like the hackers, like the security professionals that are not classified as hackers or they hate hackers or the hackers who totally hate the security world, the professional security corporate thing. And then you have also the academic people. They're strictly academic and then they do not accept some of the stuff that the hackers do. Although they are, they are still hackers. And then you have the problems with security professionals that hate security professionals just because this guy doesn't know as much as I do or he's not a good manager or etc. And this is the kind of stuff that we should try to make like the changes. And transfer of information, again, the internet. The internet could give you like really bad ideas about what's happening. You open like websites, newspapers and stuff like that. You read the technology, whatever is related to technology, and the technology is really not, they don't understand. So if you read through, like the thing is not totally explained. So we read and we say, what is this guy, what is this person talking about? They don't know or they're missing something, but could be a total misconception of whatever they, whatever else they're trying to talk about. So talking a little bit about the types of security events that are around. You have like the hacker conferences, of course, we're here at one, we had, I'm sorry, we have several ones here in the US and in other places like I keep track of, try to keep track of the conferences and year by year it keeps growing. Like you see places like in Asia and Europe, of course, but even from smaller conferences to bigger conferences. And then you have the most academic centric events, I put conference, but it's more like events. Still group things, but then you tell a hacker, let's go to that place. Oh no, it sucks. 
And then you go to the, the whole thing is really good, but people have that kind of, you want to see privileges a little bit and they don't want to go just because of the label of the thing. And then you have the big shows like the corporate conferences that people go just because the company is paying for and they do not attend anything or they go and they don't understand, they don't want to understand and stuff like that. How does it differ from DEF CON? Absolutely nothing, right? People come here like to have fun and stuff like that, but try to learn as well. That's, that's the whole goal. And this stopped working. No, it didn't. And overall people in all of them, and of course we're geeks, so that doesn't change many things. But the social aspect, this is like DEF CON, yeah, people socialize and stuff like that. But other places like it's missing this kind of the glue that brings everything together, right? So if we could find a way to make that better, and I think it's not that hard, we could totally work on it. And the world in general is changing. So let's say the online life becomes critical. What does that mean? Many people like live based on the internet, even if they're not like IT professionals or security professionals. You'll see, for example, I put here critical infrastructure systems. Everybody totally relates that to SCADA systems. Not really. Like if you see the case from Estonia that happened a few months ago. Estonia, most of the people use everything on the internet. They pay bills, they check whatever basic stuff for the everyday life. They depend on the internet. So the internet totally became a critical infrastructure system somehow. And of course we have the whole convergence thing, right? Email, instant messaging, cell phones and social networking websites and stuff like that. So there are cases that people get like, even like there was a case in Brazil not too long ago, some guy got hijacked because and everything was set up through Orkut. 
So he showed up at this place and he's like, he had several points in some online game and they took the guy like gun down and to give out his password and stuff like that. So how important is security in general for the thing, right? People should be more concerned about security. And of course we see security in movies. There was like The Last Die Hard and stuff like that. But it's nothing new still. But again, it kind of falls into that concept that things are not that good. So meaning all of this, there is a demand for the security market. So if we mess it up, we can, or if we don't do the right thing, we can really mess it up. Meanwhile in the so-called hackers world, what happens? People are after the new stuff, right? New technologies, the new challenges, the new eye toys, whatever, try to find zero days with everything or that's, or play with the thing, get a badge of DEF CON and play with it until next year, see what you come up with, all that new stuff. But everything's available, things are not changing that much. And worst of all, some of these tools or the technology available is not only for script kiddies to do stuff. It's used for real crime, right? As I said, use Orkut to hijack a person, or use just phishing and malware and all that stuff to get money. And money, of course, is a motivation. So there are ways for people to make money, for the hackers to make money, either in the underground world or go to the corporate life. The thing is that if you go to the underground, you can get caught, right? And you're like our friend here. So now I think to the most interesting part, and thanks for the ones who didn't leave yet. So moving to the corporate life, why did companies stay away from hackers before? Because, again, I've seen, and again, it could be wrong, but for the past few years, it kind of changed. Companies, big companies or important companies, they started hiring hackers. 
So number one, like high level of fear from hackers, very low or no trust at all. Depending on the company, of course, that wouldn't be a security company, but something like we don't, like there's that mentality that either they don't understand security and I think they don't need security, or the convenience versus security, right? Even like you're gonna get a new access control system for the doors of your company. Oh, but this is too hard, or you force your user to change the password every X weeks or days, whatever. People don't like that, but that's also changing. The famous no one is gonna try to do that. I've seen that happening like with vendor so many times. You find a bug, well, that's how before zero day was a cool thing, right? People like you show something to some guy who writes a code. He's like, oh, this is happening, there's a problem when we run this, and he's like, well, but they shouldn't be doing that. Yeah, but people do that these days, right? Not these days. People haven't been doing that for a while. And for some people that usually are in management, just procedures matter. Like is that the whole thing that I had in the beginning, right? People don't respect whatever the work of somebody that is good technical and doesn't, totally doesn't understand it. The whole thing, security by obscurity, if I ignore that, that's gonna be okay. And some people totally don't understand that one could work, surf the internet, play games, and do whatever and even be more productive to your regular everyday co-worker, right? Some people just go to work to pay the bills, and that's it. So what has been changing in the past few years that I noticed? At a certain level, of course, and of course this depends on the country, it depends on the company level, it depends on so many things, but people are seeing that people who are out there who don't live in that bubble thing, they help to think outside the box. 
So bringing real-world experience to the environment, that's the important part. And suddenly security became a necessity. What do I mean with that? Security became a necessity because of the things that I spoke before. The whole convergence like instant messaging in iPhones and cell phones, everything all integrated. And some people, like in other areas, they had success with that. So forget about IT, about security and stuff. You bring somebody from that has a different knowledge or like there was an old movie or something like that, the guy was crazy, forgot crazy people I think was the name. The guy was crazy and he makes the company totally make money and stuff like that. And usually when you hire smart people, these people are usually they know smarter people. And that would either bring those people to work with you or totally just like to exchange ideas. Like so many people like friends, they work at competitor companies, of course you don't trade secrets, but you know kind of what people are doing. And at least I think when you have an open mind or if you question if you want to see the best for you, you're going to ask like the movie, is this good for the company? Meaning, or you're going to question when somebody says some BS to you, you're like what is this guy thinking about, talking about? And usually people didn't really bother about that. They might ask that in their heads, but that's it, right? They're like oh, that's work, that's how it works, I'm not going to do anything. And the last thing, the motivation for companies maybe to change is that they got somehow hosed because of security, they lost money because of that and that's why they needed to implement better stuff. And security becomes better than bad marketing. But in my own opinion, what do hackers bring to the corporate world? They have the kind of do what you like style, right? 
The kind of I'll do whatever I like, not in a bad way, like dedication and be open to challenges and determination and stuff like that. Things that the corporate world pretty much lost a long time ago, at least. I worked with people before, way long ago. Then you see a person goes there and that's it, that's his job and he doesn't have any desire to move on type of stuff. Now real quick, why did hackers stay away from the corporate life? The bullshit that you go through every day like with the stupid things. Probably you're gonna have stupid policies and stuff like that and dealing with stupid people that's normal every day. So what could a hacker do to make money in a corporate life? Could work for a big company, could work for a small company, be totally like a contract outsource or open your own company. So if you were a contractor, the ups and downs, depending on the country, it could be better for you to be a contract and not have all the perks of being a full-time employee. And some places it's hard for you, for example, to open a company. In the US, if you have a great idea, if you have the thing you take to the VCs and you can get a company going, some other place is totally impossible to do that. So that's one of the stop barriers that one of the barriers that stop people from doing that. And there are so many people that I know that, for example, work in another country and they do work for a company here in the US and they don't want to move away. They could if they wanted to, but they have their lives there and they're okay with that. And I mentioned that already. So when we talk about the companies, what are the pros for working for a big company? You have sometimes the perks, the good stuff like Magico and all that stuff, but you also get some other benefits that would help. 
Sometimes you get more money, you have a little, like you're backed up, whatever you're doing for work, you have the company behind you, you're not going to do anything, or usually you don't try to do anything bad, you happen to do something bad, you have the company behind you, and the whole chaos of working at a company. The bad stuff about working at a big company sometimes could be really boring. Sometimes the bullshit really goes over like, good ideas, oh, this is a good idea, but it's going to require too much work or change too many things and stuff like that. Some bad procedures and lack of focus. That's one of the things that the big companies miss or have lack of focus. And dress codes, it doesn't matter. So what we see in our corporate life these days, you have sometimes good professionals under bad management. That means some really good guys, good ideas is the bullshit over good ideas. You have bad professionals all around. We might be bad professionals. That's one of the goals of this talk, to make you realize that ranking is not everything about being a hacker, right? There are some good professionals doing the wrong thing. Why the wrong thing? The wrong thing maybe because of procedures, the wrong thing because they're not motivated and stuff like that. And sometimes the high level guys, they don't understand the importance of the people that work for them or for security in general. And of course you have the good guys working for the right people. So usually what can a hacker do, right? If I miss something here, somebody can tell me. But usually you can be a consultant, a researcher, security engineer, security architect, whatever, all the way up to the CSO or whatever, what have you in that level. And it all depends. The goal for the whole thing is that sometimes a good technical person cannot be a good manager. And to be a good man, to manage really good technical people, you don't need to understand technology at all. 
You just have to understand how those people think, how those people work, what make them happy. So these insecure people, they're all over the place. I'm pretty sure there are some of them here. And just like the Movie Fight Club, right? They manage you, they manage your systems and your money, they pay your bills, they work with you, they work sometimes for you, unfortunately. But that's shame on you in that case. And one way or the other, you depend on them. That's the whole thing. What we expect from a job, money, more money, the more is better. Fun challenges, this is the perfect, like you drink the Kool-Aid, that's what you want to do, right? You hope not to have a manager that understands how to make you happy. You're never going to be happy, but at least somehow. Try to avoid other people that do not understand security at all. Like I've seen examples before, that you depend, let's say, on the IT guy. The IT guy, I've seen great IT guys, that they understand, they get it. Sometimes they have resources like that, or resources constraints, meaning they're not doing a better job just because of that. But you have some really bad people, right? You say, please change this, this is really stupid, and they're like, whatever. I don't think that's going to be a problem, the obscurity thing, until it happens. So the challenges of having hackers in the corporate world, pretty much, as I said before, it's a fairly new market. Some people, they really shouldn't be involved with security, and they are. Some security professionals just don't get it in general. They're like, if you step back 15, 18 years ago, when people were doing applications, everybody was like, I'm going to do programs in Clipper. Suddenly everybody knew how to do programming in Clipper. Security is kind of going that way, right? You have some really bad consulting companies and stuff like that, and that could be really bad. Some hackers, I'll leave that for the next slide. 
Some decision-making people, they, again, they don't understand. It's just like convenience or lack of information or whatever, but you see some laws that are passed in some countries or even here sometimes. That makes totally nonsense. And then even they have to either step back and redo it, but then it's done or just leave it the way it is, and that's it. And there are the people who, like sometimes there are people who decide if you're good for the company or not, depending on how it goes. The challenge, I talked about that. Let's make this easier for you guys. Some people who work for you might be not that good, but that's, again, shame on you. People who you need to get this stuff done. And micromanagement. Micromanagement is something that we really don't like, I guess. And to the interesting stuff, what usually makes the life of a hacker really not or really uneasy at the corporate environment is the ego, right? If you have one person, one of us is already really bad. If you have more than one of us, it's even worse because then you have, like, two egos... I'm sorry, lost the word now. Two egos collapsing? No, it's not collapsing. But they're fighting with each other, crashing, thank you. So that's the definition of ego. And then, of course, besides the ego, you have the boringness. People, we don't like to be bored at work. Otherwise, we're going to surf the internet and kind of become, like, accommodated in the work. And that kind of sucks. So this is all the ranting that we've been hearing for years, and this is just the definition of boringness. But at the end is mutual respect, right? And that's the point. Tune out, this was your regular, whatever, DEF CON talk, people ranting and saying corporate sucks and all that stuff. But what can we do to make it better? That's one of the things that we're going to be talking about. The same way that you demand it, you somehow demand respect, you need to show respect, you need to gain respect. 
So how can we make that better? How can we take stuff to the next level? Instead of just ranting and shit, show a solution. Rant is good, but rant with a solution, I'm pretty sure that people are going to like you. And of course, respect the company and the work that you do and make the second one here or the third one goes with the second one that make your job as fun as possible, but otherwise go find another job. And again, technical people, and sometimes I am one of them, that you're like, management sucks and this and that and that. Well, yeah, but again, would I be a good manager? Probably, I don't know, but here I'm going to say that probably not. I could be really good in technical stuff, but I could totally suck in management. Not that all the managers know how to deal with our kind of technical people. And again, the whole respect. You try to understand what they're trying to tell you, but make sure if you have a point to make that point. And what should companies do to make it better? Flexibility is one of the cool things that we all want. We want to work the times that we want. Some people, of course, take advantage of that, but some people totally don't. And at least like from my experience, when I work from home, I totally work more than if I was in the office. And people hopefully, they're starting to get that. Recognition, do some type, like recognize the job, the work that somebody that is working for you is doing. Provide resources. Let the guy go to DefCon. Let the guy, if there's some new product in the market, like put some money down, let the guy play with that. But at the same time, like tell him after you learn something, come back, like in a few weeks, and teach your team about something like that. Work smart, kind of, it's up there as well. Communication is really important, right? Again, don't expect that communication is good. Make sure that, build that relationship somehow. 
You don't need to be your boss's best friend, but you have to make sure that he tells you when something is wrong. The same way that it's bad when you just like walk away from a company, it's really bad when you show up on there, they're like, oh, thank you. We don't need you anymore, because you suck. Like, and try to make the company, and that goes for any jobs, right? Like, not only security, not at all. But instead of like, try to make your job more, or try to make them get the stuff done in a more clever way, and not like sloppy, just like to get products out the door, and stuff like that. And for, this is mostly like for bosses, and I'm glad I'm not one, because that's to kind of show, you have to be, I think, to be a good manager for like a, to manage a group of hackers, or one hacker, whatever. You have to show respect without losing the authority. And that's with that ego thing in the middle, it's really hard, right? So, hats off to the good managers that deal with us. And this is really cool, I think. Delegate, if you're a manager, delegate tasks, and then tell the guy, this is your project, this is something that you have to do, or go study something, stay like three days at home, a week at home, and come back and teach your group, or your team, whatever you learned. I think that's something really cool to do. If the guy decides to get drunk every night, and not learn anything, well, you have a bad guy working for you. So, shame on you again. And of course, to help the guys, or to motivate the guys to do a better job. Sometimes they even say, hey, thanks, that was cool, it makes a difference. You don't need to get, of course, if you get that $500 American Express voucher, that's really cool too. But sometimes just like a pat on the back, that's already good, and some people don't get it. So, who's, so that was pretty much it, like just a little abandon here. 
Who else is doing the good stuff to, I think, help the corporate, our lives in the corporate life. The Hacker Foundation, or, and about the stock, kind of. The Hacker Foundation, if you guys know, and probably some of you might be going, like Hackers on a Plane was a cool thing, that they did, was come to DEF CON, from DEF CON, go to the CCC camp in Berlin. So, that would like try to learn what other people, how other people think, what are the challenges. Then you're gonna see sometimes what you take for granted. That's something that, that's the only way that you see that. That's the only way that I saw some other stuff. The Computer Chaos Club in Germany, they kind of have a more formal, I'm sorry, and the Hacker Foundation is gonna be doing something similar that what is the CCC in Germany, is kind of like in different cities and stuff like that, where you can have like a house or a space that you can go anytime, like you're not doing anything, just go there and chill out and code and do whatever. And there's the new thing from Johnny Long, if you, well, we're gonna go to his talk hopefully today. It's, I had charities. That means, let's say if you're not in the corporate life yet, and or even if you don't want to be in the corporate life, but you want to do something like to put in your resume so you're happy with that, go help like to build a website or to secure a website, a web server, whatever for some country that needs something or for any charity that needs something. And I was talking to him a few days ago and I thought it was a really cool idea. So I think that's good. So I'll let you guys go to a more interesting talk. Things are not totally broken, but it could get better. On both sides, both sides, the corporate and us, we could do stuff to make it better. I'm sure most of the people from the corporate that I was writing about, they're not here, but the other side is here. So let's try to make things better to make our lives easier in the future. 
And I think that's it. I want to thank these people who kind of gave me some feedback that helped to put the slides together and some of the thoughts. Big thanks. And that's it, guys. Any emails? Shoot me an email. I'm going to be at the Room 106. Track 5 Q&A. But I totally advise to go to Jeff Moss's talk because it's going to be more interesting. Thanks, guys.