All right, I think we're good. This is as long as the leashes they give me anymore. They cut me off every year; they give me less and less. Howdy, thanks for showing up. I'm not sure what talk you're here to see, but it's not mine. My name is Bruce Potter. I'm gonna be talking about the dirty secrets of the security industry.

There's a secondary microphone here. What's this, sir? Just a recorder. Who are you? You're PC World? Excellent. I love press. Last year the press quoted me as saying an expletive and my employer's name in the same sentence. I hadn't even landed on the ground yet in my hometown and I had a nastygram from our PR department saying "we've had better pull quotes than this." Fair enough. God damn it. So I would request, Mr. PC World and anyone else, if I do happen to let an expletive go, don't quote me on it; fill it in with something colorful: ponies, rainbows, I don't care, just anything else.

So Priest is taking up a few seconds of my time, so I'll get right to the chase. First thing I want to say, this has nothing to do with my talk, but in general, you're at a security convention. Do you trust the wireless network here? No, right? Okay. Do you trust the hotel billing system, after watching Major Malfunction own people's, you know, TV sets in the last few years? No. Should you trust the jackass that's up on stage talking? No, right? Okay. First and foremost, talking, writing articles, writing books is all an exercise in social engineering. Okay, full stop. I can write something that convinces people that I know what the hell I'm talking about, and then they give me a microphone. I could come up here and moon you all for an hour, and they have no control over it at this point; you know, it's like it's all over. The first book I wrote was a wireless security book for O'Reilly, and like literally I just got a wild hair one day, I sent out a proposal to them, and like two weeks later
they sent me a contract to sign, you know, and there might have been like five email exchanges in between, and that was it. You know, I like O'Reilly; they're a good publisher. I certainly enjoy working for them. But you know, there was not a lot of due diligence involved, you know. And for people coming up on stage, they're spewing stuff that you take as gospel. You go back to your employers and your friends, you tell them all about it. It may not be true. So challenge everything that you hear when you're here at DEF CON, not just "what's the MAC address of the AP?" but "what did this guy just say about attacking MQSeries? What did this guy say about attacking Cisco routers?" Okay?

By day, full disclosure, I am a security consultant for Booz Allen Hamilton in the greater Baltimore area. By night I founded this new group, and that's enough about me.

So what's the goal of this thing? I'm gonna poke people in the eye today. That's kind of my intent. There have been various attempts at kind of stabbing the security industry in the face over the last few years at DEF CON. I'm gonna make another run at it. There are 800-pound gorillas in the room today and they might be blocking a fire exit, so if you ask them to leave, that would be helpful. Um. But honestly, there's a lot of things going on in the security industry today that we may not be consciously thinking about, right? There's a lot of issues. There's a lot of new things that have happened in the last eight, nine, ten years. This is DEF CON 15, right? DEF CON 4 still involved, or DEF CON 5 still involved, scavenger hunts where people were stealing shit, right? I mean, like, to be successful in the scavenger hunt you had to go steal stuff. That doesn't fly so well today. You know, like, we're much more calm than we used to be. DEF CONs in years past were pretty crazy, but everyone's "oh, it's DEF CON," it's like it hasn't changed. It's like the security industry: "oh, it's the security industry,"
it hasn't changed. What's changed between, you know, 1997 and today is immeasurable, and so let's be honest, let's address that, and that's what I'm gonna try to do today. There's a lot of people in here that work for companies that I might kind of poke and say things about. This is all, again, this is my opinion. All right. I mean, you know, no ill will. I know a lot of us are working hard to solve the good problems and things like that. I just want to get some discussion going. If you have questions, if you have concerns, ask now. Throw stuff, preferably very expensive digital cameras; give me some warning so I can catch them and scrape the serial numbers off. But feel free, and again, we'll break this out somewhere else. There's bars here in Vegas, I hear, and we can take it up later there too as well.

So first things first, I'm using Keynote now instead of PowerPoint. You might notice the little spinny animations. Keynote users? I heard a few of you. Macs rule, except for everyone that's got an iPhone and turned off Wi-Fi the moment they came to DEF CON. So this is really awkward, to have like one screen like way the hell over there; normally I'm like in front of it pounding on it, and I can't reach it.

So I draw this pyramid a lot and I think a number of you have probably seen it already. This is, I can't hear this, this is my shirt, so I'm dancing for you. This is the pyramid, and like right here at the bottom, doing this for the folks over here, they can't see anything, is operational stuff, operational IT. The idea here, this pyramid is like Maslow's pyramid of human needs except geared toward security operations, right? You need to do certain things first in order to do the next thing. Like I need to have food, water and shelter before I care about "is it Hillary or Obama?" Right? Like before I get way up the food chain dealing with politics, I have to have basic things taken care of. Same goes in the data center, folks, right? It's all about keeping live systems secure and running.
That's what security is, okay, not navel contemplation, not feeding all our goddamn wallets; it's about keeping things secure. And we need to have some structure for how we think about this. This is a structure that I use; again, you can disagree. At the bottom, IT operations: you got to do that right or security doesn't matter. Right? If you have the dumbest sysadmins in the world and the smartest security guys, it doesn't matter, you're screwed, right? So we got patch management, policies and procedures, things like that. You do that right, you move up the food chain. Okay, you start talking about firewalls, AAA services, bread-and-butter network security, right? This is what we all know network security to be. Farther up the food chain, you start getting a little bit more sophisticated, have things like software security, actually reviewing the custom code that we develop. Okay.

There's another really interesting piece of software security that can be deployed in an operational construct that people don't spend a lot of time doing right now, and it's something that I really think that we need to address a little bit better, and it's the idea of providing software-level access control. This is not world/group/user read/write/execute privileges. That's not fine-grained access control. That's access control for 1972, and that's cool. I mean, it was cool back when they were making Pintos, but it kind of sucks right now, kind of like Pintos do today. So, products like SELinux.
Okay, SELinux is the equivalent of taking a strategic bomber to go get the groceries. Right? Like it's hella fast and it carries a hell of a lot of groceries, but it's a little awkward to take off and land. You know, I don't know about your Safeway, but I can't land my B-2 at mine very effectively. There are lighter-weight products like AppArmor from Novell that allow you to, on an application-by-application basis, say what the application is allowed to do and not allowed to do: it's allowed to get to this directory, write this file, read this file, do all these things. Hey, what's fantastic about that is, if you have software that's written badly and someone goes in and tries to pop your box through that software, those types of systems will protect the box. The application may die, that's cool, but the rest of the system, the rest of your data will be protected. This doesn't require the developer to do anything different. It just requires that you understand the product and deploy it in an operational environment. Neat stuff. Not a lot of people do it because they like to jump up to the next level, right? IDS. Okay, we're done with stopping the attacks and now we're gonna just contemplate them. Okay, I got an IDS. Whoo. Look at that. Did you see what that guy did to our network yesterday? Wow. Meanwhile your application server has been owned by like 15 different people, but it was really cute how they did it. That's not acceptable, right? You need to be focusing on what's going on in the software before you care about IDS. And then finally, if you're really out there, you can deal with honeypots, but that's only if like you're an academic or you've done everything else so well and you still have gobs of money.

So what gave birth to these gorillas that we're going to discuss? This is like the four-minute history of the tubes.
Okay, so let's just bear with, that was the Ted Stevens thing, right? Call it the tubes. I spent nine years in Alaska, and I saw that his offices got raided the other day. That was the greatest thing ever. He's the longest-running senator ever, it's like 40 years, and someone's like, "oh, do you think he did something wrong?" I'm like, he's 40 years in the Senate; by definition he's done something wrong. Like you cannot possibly be in the Senate that long and not have committed a crime. Um.

So in the 60s, computer security, right, those are the guys at the doors that checked your badges and had guns. Okay, that was computer security in the 60s. There were some academic discussions of, you know, how to secure these computer things, but it wasn't really a field yet, right? We were still dealing with building the computers. There were no commodity shops in Taiwan that would supply you with gigabytes of RAM on a second-by-second basis. I mean, this was tubes, and we're all kind of bent with this thing, like I'm falling off the side there for some reason, but it says "tubes" over there in the corner for those that can't read.

Things got a little bit more serious in the 70s. Telnet was introduced. Okay, telnet was actually kind of a groundbreaking thing when it came out. It allowed people just to connect to other people's computers very easily and do stuff, which was pretty cool. It made networks actually very functional. In the mid 70s there's a lot of research done in trusted computing systems, which kind of today the lineage is now the trusted computing platform and things of that nature; all that genesis was back in the late 60s, in the early 70s.
We also had neat things like blue boxing. Captain Crunch blew the whistle, blue boxes came out, telephone phreaking had its start in the early 70s. Okay, that little green bar at the bottom that people in like the front row and a half can see, that's my estimated amount of revenue in the entire computer security field throughout the 70s. This is based on wild conjecture and a logarithmic scale. So feel free to disagree.

In the 80s, BBSes, man. It's all about dial-up, right? Like check out my mad 2,400 baud modem, like wow, that's so much faster than my 300 baud acoustic coupler. Viruses went mainstream. Like, you know, I remember as a kid I had like the drawer full of floppy disks and like all these Apple II programs, and they're probably all riddled with viruses too, you know. Like it was just, you popped a floppy into somebody's box and like it got owned. Cool. Like, if it was only that easy today. Oh wait, maybe it is. The hacker underground was born in earnest. 2600: The Hacker Quarterly emerged. Legion of Doom, cDc, all these groups have their roots in the 80s. Okay, old-school hacking, man. That was it. The PC was born, and the Morris worm, right? The big, you know, what do they call that, tipping point? That was the big tipping point, right? Like holy crap, we can write malicious software that will just run around and take down the entire quote-unquote internet at the time, man. That's nasty stuff. And now we see this green bar.
Hey, there's some more money in securing our systems. Well, in the 90s there was a lot more money, right? VCs lost all sense of reality and gave money to anyone. Okay, just poof, if you had a pulse and you said "computer security," you could get a couple million dollars to go off and do something, usually burn it in a fire pit in your backyard. Firewalls, antivirus, IDS rapidly emerged and became commonplace, right? Stateful firewalls came out 1994; by 1996, you know, there's all these companies, Check Point, whoever else, that have stateful firewalls for sale; '97, everyone's got them deployed. Like that time between stateless packet filtering and stateful firewalls, you know, it's like we're literally like three or four years, poof, and everyone had stateful firewalls. So just to be clear, we all understood firewalls as well as we needed to in 1997. All right, there's no more interest at that point, right? Like we should be done. We understand the purpose of firewalls. Just file that one away for later. The interweb was born and we lost 65,000 ports, right? It was port 80 and 443; to this day, that's what most people think the internet is. And MySpace has its own port now, there's so much goddamn traffic, they assigned it 80-point-shit. Hi. Hackers went mainstream, right? DEF CON got explosively large, all this hacker mentality thing. Everybody that could stand up a website and spell "leet" became a hacker group, right?
The Shmoo Group was founded in 1999. That was about our level of understanding at the time, was, you know, "hey cool, we know how to install FreeBSD." Hackers the movie, the pinnacle of hacker culture. Yeah, anyway, all those that said "woo," I have a special... never mind. So, and then the naughties. That was a great name for this decade that we're in that didn't seem to catch on, you know, back in ought-eight or whatever, and people should, I think, call it the naughties. I'm just going to take this decade and call it that. The internet went everywhere, right? Like it didn't go to our toasters, but it sure as hell went to our iPhones, and it went everywhere else, and so it's pervaded everything that we do. Note the green bar: the information security industry keeps getting larger, right? More systems, more networks, bigger IT budgets, more money, period. How many people here went to Black Hat? More money. All right. So I mean, there's a lot of this. Hackers became profit-driven, right? And there's two ways to view this: hackers became profit-driven and went underground, are making good money working organized crime and things like that; hackers were profit-driven and went above ground and got consulting jobs. Right? It's kind of a joke and it's kind of true. We also, it's funny, we've reproduced. So if you go to Jinx hackwear and you try to buy like onesies with little cute hacker slogans, they're out, right, because they sell out because we've all had kids. Tucking the Jinx bag under your seat right now, aren't you? So anyway, Microsoft found security this decade. This is probably going to be a turning point in computer security. Okay, what Microsoft has been doing,
I'm not saying it's right, not saying it's wrong, but it's changing the rules of the game and we need to understand it. Slammer, Code Red, Die Hard 4, which apparently was actually a pretty good portrayal of like computer attack and hacker, you know, kind of things, so that was my counterpoint to the Hackers-the-movie crap. More tubes.

So, secret number one. That was all just setup to get to the secrets, right? Secret number one: defense in depth is dead. It's dead and never should have started in the first place. Let's just put it that way. This mantra that we live and breathe of layer on layer after layer after layer of security is totally broken at its foundation, right? It is an operational response. I need to secure the systems in my data center and the code sucks. What do I do? I buy firewalls, antivirus, all this stuff. That's the response. The response, how to make that better, is it build better firewalls and antivirus and anti-spam software and all that? It's to fix the code.

Okay, so the first thing that we had is we had computers. Okay, we were happy that they did our bidding and didn't take over the world. All right, this is a good thing. They had vacuum tubes. They were fragile. You could smack them and they stopped running. There was no type safety, there was no fault isolation, no air handling, no sense of assurance. But again, it didn't matter because they could count to ten. All right. The artificial intelligence war, and I've said this before, we thought AI was going to be solved in the 60s, and by now the computers would be running this conference for us, because it was all about symbolic computing. We would build more complicated processors that thought like human beings, and that's how we would build artificially intelligent systems. Turned out that didn't work so well, right? What killed AI? What was the final victory in AI?
MIPS. Raw horsepower. Okay, you put a lot of information on disk, you have processors as fast as humanly possible, and suddenly you're deterministic at checkers, right? Seriously, like we just beat checkers. Some guys up in Canada, I think it was. I don't know how many people saw this, but they beat checkers. Like, holy crap. Now, the way that they beat it, it wasn't deterministic; they didn't start from the beginning. They can't quite capture the entire space of the checkers game, but they work backwards from every possible finishing position, and then they go ten steps backwards from there. So as long as you get to the point where you've removed four pieces from the board, the computer wins, full stop. Moore's law says in a couple years they'll only have to remove three pieces, a couple more years, remove two, a couple more years, we'll actually have solved checkers. Okay, it wasn't symbolic computing, wasn't pretty, you know, ways of thinking about it. It was raw horsepower. The vacuum tubes didn't have raw horsepower, but they were awful, awful cute. So over time we hook these things together, okay?
Remember back to my fancy timeline, for those that have seen me talk before. This is clearly a quantum leap forward in my PowerPoint presentation skills. Some nods. Before, it was just drunken, like I had transparencies from the bar and I'd just written on the bar napkin. We hook things together: the ARPANET, and that begat the internet, begat, you know, MySpace. Firewalls popped up everywhere. TIS released its source, stateful firewalls, all this stuff. Still had the bad code, right? A better firewall didn't fix everything else, didn't make my mail server better. Mail server needs to be reachable from the entire internet; firewall useless, right? Full stop. But if you're not running other ports on your firewall, or on your mail server, your firewall doesn't really have to do anything. Doesn't do anything the box couldn't do natively itself, assuming its IP stack doesn't suck, right? And IP stacks have been around for a long time, and we're generally getting better at making good ones. Although Microsoft, in a bit of a, you know, Wayback Machine thing, a couple years ago in XP re-released, I guess it was, the LAND attack. Like it was like in the release notes, like "re-enabled LAND," and if you sent something like from itself to itself, from the same port to the same destination port, the box would BSOD. It's like, cool. That was 1995. They did that. They brought it back in 2005. But in general, you know, our IP stacks have gotten better. Steve Bellovin has this fantastic quote, and it can pretty much serve as the foundation of how you think about security, right: a firewall is a network response to a software engineering problem. Okay, got bad code, didn't know what to do, bandaged it at the firewall.
That's the defense in depth mantra, right? Got bad code, put on antivirus. Got bad code, put on AAA services. Did all this crap. Dawn of the firewalls was the beginning of the age of defense in depth.

So networks became global, right? We deployed IDSes and antivirus because we couldn't keep a handle on the bad code anymore. We got more complicated with our security product offering; more and more money got infused into the system. We deployed multi-factor authentication, and we spent a ton of time managing this, right? We pay security people to manage firewalls, to manage antivirus, to do all this stuff. Costs a lot of money. We don't pay security people to manage bad code, right? We don't pay them to work with the developers, to work with our vendors to make better code. We pay them to manage the band-aids for the crappy code that was created in the first place. Okay, I'm not here to say, hey, we need to change the software development model and push liabilities onto the vendor and whatever. I know Bruce Schneier and some other folks have some views about how to do that. I don't know how to fix that from a policy and whatever perspective. From a technology perspective, though, we need it. I've got some ideas and they'll come in a minute. But anyway, I hate it when I trail off in a slide and I forget where I was and I start referencing random things and waving my hands, hoping you'll just forget about me for a few seconds and wonder, like, what are you gonna do for dinner or whatever, and then I'll say something funny, you'll check back in, and then we'll just keep on going.

So still we have bad code. So now we're moving toward the network as a computer, right? Scott McNealy, CEO of Sun, said the network was the computer. He was right.
He was wrong in two regards. One, he was about a decade too early, and two, he worked for Sun, so he was hoping the network would be the Sun computer, but it turns out no, it's a Wintel platform. Sorry there, guy. So we're going to be service-oriented. Everything. We don't understand it, don't have a clue. Like I read all these, you know, CXO-level magazines and whatever, and they talk about "SOA revolutionized our data center." Like all it did was hide it on the map so you couldn't find it anymore. He went to McDonald's and thought, this is a really nice data center, it's got a fryer. We don't understand XML security. We don't understand these incredibly distributed systems with all these services. Right? We can't write line-by-line secure code, right? How on God's earth can we expect to plug all these systems together in anything that resembles a secure fashion, with no clue? We understand the theory behind it. We understand the theory of line-by-line secure code now; we just don't necessarily know how to enforce it yet. When it comes to this big service-oriented hoo-ha that we developed, we don't get that at all. And in between all those little components we've layered in lots of defense in depth, all these little dots and starbursts and other things that aren't rendering because it's too damn small. We have to manage all that and we have to continue to adapt it. XML firewall, that's great because it sounds like it ties the software problem into the network thing, and all you might do is parse it for, like, you know, proper structure and things like that. But you're not going to prevent really sophisticated attacks. You're not going to prevent bad things from happening. You might get the ankle biters like you got with your firewall, but you're not going to get anything serious. So millions and millions of lines of code went into me writing this crappy presentation, right?
There's billions of KLOC in any enterprise. Okay, billions of lines of code running all the networks and systems that we use every day, to drive around Las Vegas, to fly home, to order pizza, whatever. Billions of lines of code. We don't understand any of it. So have we seen more security staff applied to this problem? Have we seen, you know, better management tools and whatever? Yeah, we've seen all kinds of advances there, but we still haven't fixed the code. Note the expletive on the slide. PC World guy, if you could not include the expletive. Type safety. You know, there are people, Gary McGraw, he wrote a really interesting book, Exploiting Software, and in the beginning there's a chapter that kind of stares at this crystal ball and says what software security will look like in the next ten years. It was actually written like three or four years ago, and it was pretty well on track already. One of the things that Gary, I think it was Greg Hoglund wrote it with him, said is in ten years we'll be using all languages that are type safe, and a lot of these kind of low-level buffer overflow problems that we have are going to go away. I thought that was really, really aggressive. I don't think that we're going to get rid of C anytime soon. How many kids just graduated college in this room in the last two years? Wow, this is an older DEF CON crowd, I guess. Did you still learn C, sir? Oh, yeah, right? Do you know what type safety is, sir? Okay, good, good. So the CS programs are getting a little bit better. Trusted computing, things of this nature. We need to push vendors. We need to push operating system providers, software providers, hardware providers. We want better code, because ideally what I want to do to my IT security line-item budget is delete it, right? I don't want firewalls. I don't want IDS.
I don't want any of that. Okay, I want the software that my developers write and that my vendors provide to not suck. Full stop. You know, it's not a big request. It's just a humble one: that I don't want their code to be so bad that I have to spend millions of dollars to protect myself from their ineptitude, right? Why do we allow defense in depth to be written up in academic textbooks, to be preached from on stage at conferences, and be discussed in the halls as if it's legitimate? It is not a legitimate or rational way of thinking about the problem. Okay, defense in depth is silly. We put our heads in the sand and we believe that if we buy these products we're more secure, and it's total and complete bullshit. All right. Oh, it's one. I thought I might get an applause out of that, or hell, we'd hear something, but I think I just scared the hell... "Tell us what you want us to do." Okay, the request was, next time when I want the applause I'll ask. I also will request, everyone, there was actually a fee for attending this talk, so if you come up afterwards and give me, I don't know, 50 bucks, 100, whatever your heart feels is proper. Is that, will that work too, sir? Whoever said that? Make the shopping cart go. Take it.

All right, so secret number two. We are a long way away from making our jobs professional, right? We write "security professional" in our blogs and all that kind of crap. Well, we're not. Well, a few of us might be by the, you know, proper definition, but not many. How many people have a degree in something that resembles computer security? How many people have it? Okay, well, if you will keep your hands up, how many of those are in information assurance? Right, okay, that's at least 50% of the folks in this room, right? 50% of the six people that raised their hands. Was that a master's-level program, sir? Yeah, master's, master's. Anyone have an undergraduate degree in something that says computer security? Oh, all right, oh, we got one. Thank you, sir.
I appreciate it, even if you were lying just to prove my point. You titled it yourself? Excellent. "I'm gonna be supreme overlord of all things electronic." I have a doctorate. They said no to that. My mentor disagreed; he already had that title. So what are we doing here, right? This is a tens-of-billions-of-dollar industry. We are the leaders in this industry. None of us are formally trained in this job. We're all faking it. We're posers. There is no barrier to entry into security, right? We are protecting the world's financial institutions, airlines, military installations. I just walked up and said I could do it. They gave me a job. Yeah, we're damn good at lying to people, as it turns out. So, what, you know, oh my god, name another industry that is a skilled, quote, industry that has the same situation. Politics. I said skilled, sir, skilled. Yeah, we were socially adept, kind of, except for after three o'clock when it gets to the bar.

So the question remains: we probably do want to formalize our body of knowledge, right? Like, you know, this whole defense in depth: is it good, is it bad? You know, that's like a little sliver of the holy war that is computer security. And we've got a bunch of young kids coming through school. They're just owning stuff because that's what they like to do. It'd be cool if we had a framework in which to get them educated and we agreed, or at least had a process to start agreeing, on what the way to do things was. You know, we don't. We can't agree in this room. We can't agree to write textbooks. We can't agree to train people. What do we do? How do we codify our knowledge to build the next generation of mini-Kaminskys? I want an army of mini-Kaminskys just so I can, like, punt them. Is Dan here? No, of course not. Um, mini-Halvars, mini-DTs, you know, how do we take the knowledge that we have, make it formal, and not make it the CISSP? Um, I mean, that's a few giggles.
Yeah, whoo. So I work for a large consulting company where there's a lot of CISSPs, so I'm just gonna duck. Software developers are the smartest they're ever gonna be the day they graduate from college. Sorry, developers in the room. It's the truth. Get used to it. You're going downhill. You learn about all these formal processes and how memory mapping works and C when you're in college. When you get out of college, you learn new languages, you learn how software engineering really works in the field, which, it turns out, quality is not important; making it through QA is. Right? Those are two discrete things. You understand what QA is going to test and you write around it. You know, you don't actually make good software. You just make adaptive software that makes the QA guys happy, and you do it on time so you can get out of work at a normal hour, and you do it on budget because you like getting paid. So that's the way software engineering works. We don't teach kids coming out of school how to write secure code. There's a few programs around the world that do, but it's not yet commonplace. You know, you don't pick up a compiler on day one and write "hello world" in a way that's resilient to attack. Right? Most of the time, like, you write "hello world" and then you write something that takes input and then displays it to the screen, like, and that program is totally ownable, right? It's just like gets(), blah, pop. Oh, hey, look.
I popped the machine. It would be cool if, like, after "hello world" the next step was: here's how to write, you know, a gets() thing that actually is secure, and start from day one. I learned when I dropped out of college that in my computer science course they taught us exception handling and things like that as, like, a third-year CS problem. I'd already developed all my bad habits by then. I commented my code: I commented out the crap that didn't work and rewrote it again underneath it, and I kept doing this, and I would have like 100K chunks of code with only like six compiled lines. So someone at some point should have said, don't do that. Right? But they don't. We don't teach people how to write good code because we don't know how to, because there's no formal body of knowledge and we're not professionals yet. So this is something I don't have a solution for. You know, so this is one of those things: "security is everybody's problem," right? Well, sure, right? Whatever, like that's a fantastic idea. You know why it's everybody's problem? Because we don't know how to solve it for them. So we, oh, it's your problem to deal with, right? Like that's why security is... you see these signs, like in the office: "security is everyone's problem." No, it's your problem, as it turns out. You just don't know how to do it. We can't train everyone who has the word "security" in their title, let alone train all the users. Right? Like it's hard to get the money to come to Black Hat and DEF CON, and most of you are just here to drink. So thank you. Thank you for being honest, sir. I appreciate it. It is Las Vegas, if you hadn't noticed. Um, I don't know how anyone gets away with this. This is the boondoggle of all boondoggles. It's 7,000 people, you know, most of them, and you go to Vegas and you drink and you call it a security conference and your employer pays for it. I'm sorry.
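The "gets() thing that actually is secure" the speaker wishes were taught on day one, as an added example that is not part of the talk (the names read_line_bounded, str_src and the status enum are my own): a line reader that never writes past its buffer, reports an over-long line instead of silently chopping it, and drains the rest of that line so the next read starts clean rather than on leftover bytes. The character-source callback exists so the same reader serves stdin in the demo and a constructed in-memory string when exercised without a terminal.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded line read. */
typedef enum {
    LINE_OK,        /* whole line fit in the buffer */
    LINE_TRUNCATED, /* line was longer than the buffer; the excess was discarded */
    LINE_EOF        /* end of input reached before any byte of a new line */
} line_status;

/* Byte source: returns the next byte or EOF. Lets the reader run over stdin
 * or over an in-memory string without changing the reading logic. */
typedef int (*next_char_fn)(void *ctx);

/* Read one line into buf (capacity cap). buf is always NUL-terminated and
 * the newline is stripped. Unlike gets(), nothing is ever written past
 * buf[cap-1]; unlike a bare fgets(), an over-long line is reported and its
 * tail is consumed so the following call does not see the leftover bytes
 * as a fresh "line". */
line_status read_line_bounded(next_char_fn next, void *ctx, char *buf, size_t cap)
{
    size_t n = 0;
    line_status st = LINE_OK;
    int c;

    if (cap == 0)
        return LINE_TRUNCATED;      /* no room even for the terminator */
    buf[0] = '\0';

    for (;;) {
        c = next(ctx);
        if (c == EOF) {
            if (n == 0 && st == LINE_OK)
                return LINE_EOF;    /* nothing at all was read */
            break;                  /* last line had no trailing newline */
        }
        if (c == '\n')
            break;
        if (n + 1 < cap)
            buf[n++] = (char)c;     /* keep one byte free for the NUL */
        else
            st = LINE_TRUNCATED;    /* out of room: keep draining, drop the byte */
    }
    buf[n] = '\0';
    return st;
}

/* Source 1: stdin, for the stand-alone demo. */
static int stdin_next(void *ctx)
{
    (void)ctx;
    return fgetc(stdin);
}

/* Source 2: a constructed in-memory string, so the reader can be checked
 * on known input without a terminal. */
typedef struct {
    const char *s;
    size_t pos;
} str_src;

static int str_next(void *ctx)
{
    str_src *src = ctx;
    if (src->s[src->pos] == '\0')
        return EOF;
    return (unsigned char)src->s[src->pos++];
}

/* Demo: echo each stdin line back, flagging any that did not fit. */
int main(void)
{
    char buf[16];                   /* deliberately small to show truncation */
    line_status st;

    while ((st = read_line_bounded(stdin_next, NULL, buf, sizeof buf)) != LINE_EOF)
        printf("%s%s\n", buf, st == LINE_TRUNCATED ? "  [input truncated]" : "");
    return 0;
}
```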
They might be listening. Hi. What we need... well, we'll auction it off later. Users. Users need tools that they can't screw up, right? They need shotguns that don't have triggers and have solid barrels, because then they can aim it at their foot all day long and do this and nothing goes wrong. Like, it's fantastic. We need to build software systems that enable the users to be as dumb as humanly possible and still maintain the integrity of our systems. Okay? That doesn't mean we should install a better VPN so that all their crappy data is encrypted. No, we should write better systems. How do we do that? We have to train people how to write it. How do we train them? We don't have a clue. Okay, so there's some government initiatives to try to get people smarter, there's some private sector initiatives, there's a lot of money being spent on this problem, but we're years and years and years away from making it better. Okay, let's not kid ourselves.

And I know this is a holy war, like, you read Full Disclosure or another list and, you know, damn the security professionals, you guys are all a bunch of white hat losers, blah blah blah. Fine. Well, I can embrace that attitude, right? Like, this is something I didn't include here, I don't think, but think about the hacker culture 10 years ago and think about it today. And what I like to say is, if we had started ShmooCon in 1997, our main web server would have been owned off the face of the earth the moment we opened that conference, for being a bunch of white hat lamers, right? And it would have been socially acceptable. Like, that's just the way the community worked. Like, there was a battle there about white hats and black hats and gray hats and all this crap, and people owned other people's boxes, and it was all commonly accepted. The chaos was part of the culture.
It is no longer part of our culture. This is the most polite group of people. There were people, no offense, standing in line yesterday to buy t-shirts at, like, three o'clock on Thursday afternoon at DEF CON. Does that strike anyone as a little strange? Like, this thing is all about "damn the man." Like, someone should have walked up with, like, an "I work at J!NX, jinxhackwear.com" t-shirt, walked behind the damn counter, bought themselves a t-shirt, and walked away. Like, that would have gotten mad props. But no, we all stand in line. We're very polite. We're the British and the French having a battle in the 1700s. We all stand on two sides. "No way, I'm gonna shoot now. Then you should be... one, two. All right, you lost ten guys. Sorry. We'll stand here. I'll make myself real big. All right, you missed me. All right guys, come on, let's do it again." You know, our adversaries are the American revolutionaries, right? They're crawling around in the woods and they're doing things that we can't do, or at least we can't think we can do, right? Because we're in this thing. We all come in, Priest says get the hell out of the aisles, and we do.

And I'm not trying to disparage the whole, like, not pissing off the fire marshal, because God knows we don't want to piss off the fire marshal. That appears to be, like, a completely unregulated branch of the government. There's, like, the executive, the legislative, the judicial, and then the fire marshal, like, he shuts down everything. But I remember the first year that we had problems here with the fire marshal. I was the first talk on the first day in one of the tracks, and one of the goons came up and said, you've got to tell everyone that's not sitting down to clear out. I'm like, I'm not telling anybody shit. Like, you tell the guy. That's not my job.
I don't want to get killed. But everyone left, you know, everyone got up and... we left.

We need to kind of embrace the fact, like, okay, if we're gonna kind of ride this line of gray hat and professional, like, make a decision, right? Be a professional. Let's figure out how to professionalize a workforce. Let's make the certifications worthwhile. Let's make the education worthwhile. Let's make the training worthwhile. Let's find a way to pass this on to the next generation. I do things that don't matter. I'm getting a ten minute sign. Oh my god. Oh.

All right, so defense in depth led to this ginormous green industry that I've written about. Very few products are actually geared toward making things more secure, right? Like, I think I might have said this: there are some products, software scanners, you know, Ounce Labs, Fortify, Aspect, to name a few, that actually are geared toward helping at least audit code. Right? And you've got hardware security modules and smart cards and things; they're probably part of secure systems. But a lot of what we buy is part of this defense in depth, and that's the big part of most IT security budgets, right? It's what we would classify as defense in depth: network security, whoo-ha. So let's look at a recent... kind of... I call this a case study, like it's formal. It's a bunch of random bullet points pulled from a couple of different articles. So, um, Microsoft. Microsoft went to the river and they found security, right? Hallelujah. They got it. They figured it out. They spent a lot of money. Right or wrong what they're doing, their approach, they are spending more money than most companies spend, period, on security. And they heard it, you know, vendors and consumers, all these people said we need more secure systems. Okay, Microsoft said, all right, well, we're writing Vista.
What can we do in Vista? And they've got all this stuff, and they'll tell you all about it in a million briefings about how this is so cool. One of the neat things was, on the 64-bit version of the OS, their flagship product geared toward industry, where all their new applications and things are going, they said what we're going to do is require all drivers to be signed. Simple, right? This is good. If you've ever seen, like, I do the talk on trusted computing and talk a little bit about driver signing and the good that can yield: it doesn't mean it's good code, but it means it's the code you intended to run. Okay, think about that. On your laptop or your computer, your iPhone or whatever, today when you're at DEF CON, every time you touch the keyboard, you could verify only the code that you intend to run is running. Hallelujah. Like, that would be fantastic to know: there's no Trojans, there's no viruses that have been loaded, no keystroke loggers, that kind of thing, which tend to work by basically acting as a driver and hooking the kernel.
Okay, so Microsoft said, no, sorry, gonna have to get all your drivers signed. Well, and they closed off a bunch of APIs that the security vendors were using to do their stuff, all the antivirus and whatever. The security community... security, excuse me, product community got very upset and said Microsoft's exerting too much pressure, right? They're locking us out of the space, because not only are they doing this, but at the same time they're releasing a competing antivirus and anti-phishing product. Maybe they overstepped some antitrust bounds there, or not, but nonetheless they've made an effort to honestly lock down the operating system, right? And a pretty good one. I think that most of us can, common sense, say, yeah, that sounds pretty reasonable. Well, the security product vendors said it's not reasonable to us because it impedes our ability to sell our products. Okay, so then they start bickering. Some of these security vendors, Authentium for one is the one I could find, found ways to bypass the security mechanism that Microsoft had created, and actually geared their flagship product around that bypass. So they had to hack Vista to make the product work. Then they released a press release that said, hey, we figured out how to hack Vista so we can get our security product to work, right? Excellent. That's what I want to hear. Like, as a consumer of security products, I want to hear that you had to pop the box in order to un-pop the box. So Microsoft said, all right, we hear you, we don't want to get sued, antitrust lawyers are really expensive, so we'll open up some APIs, we'll allow some unsigned interaction, and basically defeat the whole purpose of what we were trying to do in the first place.

All right, so let's think about that. In the past, we presumed that our systems were so insecure that we had to buy third-party security products to make them better, right?
That's the presumption, period. That's the ground truth of why we buy third-party security products, not because they have pretty boxes. The corollary to that is we believe the third-party security product's code was of a higher quality than the code that it was trying to protect. Giggle, giggle, chuckle. Yeah, okay. There's some examples where that might not have been true. The future says, hey, security is a real concern and big software shops are actually starting to do the right thing. The corollary to that is: so are we going to keep spending money on security products, or at least the same type of security products, or is the security product space going to fundamentally change in the next five years? Ten? I'm usually kind of aggressive on that. What does the future look like? I don't have any idea, okay? I'm just trying to set the hook for you guys to think about it, because I know at some point a goon is going to come up here and hook something at me to get me off stage.

Secret, the last: full disclosure is dead. Let's not kid ourselves, right? There's money in disclosing vulnerabilities. There's a lot of money in it, and it's changing the landscape of computer security. Five? All right. Thanks. Oh. Over the last 15 years, really, is when the disclosure discussion started, right? We're a community. Okay? We're not a perfect group, a professional group. There's no DEF CON professional engineer badge that you get or something like that, right? I mean, we are an ad hoc community that has grown and lived on the sharing of information publicly, and we can do so in a way to exert pressure on vendors to fix their software and their hardware, right? That's the nature of full disclosure. There's an entire spectrum of how to disclose: the RFPolicy and the OIS guide and all these different private views about how to deal with disclosure.
Okay, so responsible disclosure... we used to have disclosure panels at DEF CON where people debated that gradient of full disclosure. Well, now things have changed. Skip the stuff at the top and the bottom. We have companies that will pay. We have very legitimate companies that will pay for vulnerability information, and there's some not-so-legitimate companies that may be paying for vulnerability information as well. They're private transactions. It seems totally acceptable to at least the majority of the community that that's okay. It's okay to find a vulnerability in a system, not tell the vendor, tell a third party instead, get money from them, and expect that they're gonna do the right thing. Okay, I'm not... I got nothing against ZDI and VCP, okay? I'm just using them as an example here. So Cisco, Microsoft won't pay. They're taking a stand, right? The problem... so, yeah, so then, you know, should the vendors pay? Well, is that extortion? I don't know. Well, I found, you know... and applying that kind of pressure, it might be a good thing. I don't want to take a stand on this, largely because I don't have time to get into a discussion right now. But maybe they will. It's funny, because I remember, taking an example, I used to do some stuff about free wireless in northern Virginia. This guy came up to me, I got this a couple of times, and they say, hey, you know what, I'm thinking about getting into the wireless security consulting business, and this company that's down the road, I was war-driving and I found a bunch of open things that he had, and their file servers open and whatever, so I was gonna go down and tell him if they pay me $10,000 I'll fix it. Like, that sounds like extortion, you know? Like, but it turns out that that's the market that we're creating today to sell vulnerabilities in. So, okay, where's the line? What's the ethics in this? Should we have a discussion about this? Maybe. Probably, you know. Should there be a little bit more thought involved?
Probably. But you know what? The next generation of mini-Dans and mini-Halvars and all those folks, they're growing up and they're seeing their idols in this community doing this, and they think it's acceptable. Okay, whether it is or not, I'm not going to debate, but it fundamentally changes the landscape of full disclosure. Okay? What it used to be was, what disclosure method should I employ? You know, now it's, should I disclose, or should I make money on it? Maybe there's even gradients in there, but there's a whole new area opened up in the full disclosure world, and its impact we don't understand yet. So we might have lost track of something. Okay, my point of this is not to rail on these companies, but it's the fact that ultimately we're trying to make live systems more resilient to attack, right? Definition of computer security. It's not to make us all rich. It's to make the systems more secure. Does creating a secondary market as a clearinghouse for vulnerabilities actually make the end user more secure? Can anyone tell me, yes or no? Yes or no? And that was the best I could hope for. We are potentially putting our entire livelihood at risk by running around like cowboys right now. We haven't thought this through, and we need to.

So where does that leave us? One, the landscape has changed, right? At least that's my understanding. When I walk the halls and when I read what's going on in the popular press, I don't see the recognition of things having changed. It looks like just more sophisticated products and more sophisticated attacks. I think the ground rules have changed, and we need to understand that. I think we need to make vendors and the product manufacturers make products that are more secure, period. Trusted computing, things of that nature. Hallelujah. Yeah, you're supposed to applaud now or something, throw money, body parts, underwear. We need to create a formal body of knowledge for information security, and we need to hold each other accountable, right?
I said some pretty inflammatory things today, and three people challenged me. You all should have said something. Every last one of you should have said bullshit at some point during this talk. There you go. Okay, you redeemed yourself. Congratulations. "Poor shit." There we go, now we get some creativity there, sir. Excellent. We need to think about these things. Okay, you need to spend some serious thought. What are you doing with your career? What are you trying to do with your little pet project? What are you doing with your little hacking group? You know, we do it in the Shmoo Group; we constantly debate: what are we trying to get done? What's going on in the industry? Okay? It's not just about who's got what product and how cool the newest release of the malware is, right? It's about how is this stuff changing the landscape of what we do.

So, real quick, ShmooCon past and future. ShmooCon 3: how many people here were at ShmooCon 3? Yeah. So it's in DC, for those that don't know. We're gonna have it probably February 15th; that seems to be the relatively solid date, at the same venue, the Wardman Park Marriott in DC. About a thousand people showed up last year; a thousand people left, which was good, although one unnamed goon inadvertently tried to sleep in the wrong hotel. He was pretty drunk, went to the wrong hotel; after talking with hotel security, realized he wasn't staying at the Omni, he was staying at the Wardman, but he was in the Omni, which is why his key wasn't working, and other things. We did something creative. We kind of thought about training, but what we decided to do instead is turn the labs into, like, an open source lab development kind of thing, where 30 people came. I participated, kind of like these guys who set up the network. We did the same thing at ShmooCon. It was very successful. We'll probably do that again as well. Raised a lot of money for EFF, for the One Laptop per Child.
They had a great panel discussion, got some awareness on that. Overall it was a blast. Hopefully it will continue to be so in the future. Also, we'll have some more Shmoo announcements. I was hoping to have them ready for today, but we don't have them ready yet. So stay tuned and all that. But anyway, he's coming up to kick me off, so thank you very much.