Our next speaker doesn't really need much of an introduction, does he? You've either seen him awkwardly hugging people; if you've never seen that, you just saw it, okay, right here. That's his MO. He is a prolific awkward hugger. He's also the InfoSec Ranger for Pwnie Express. He's just an all-around positive guy in the community and somebody who I consider a good friend. So help me warmly welcome Jayson Street.

You're awesome. I hope they heard that. Okay, hold on a second, I gotta do this. Just in case anybody, you know, suffers from epilepsy, this is not good. Rarely almost just I like an abortion rush with that just like came off me, it's like, wow. Okay, just, hello. Hi everybody, how's it going?

Um, so, uh, thank you for coming here. As you can tell from the, uh, the talk title, this is a talk on failure, and, uh, it's one of the, it really came about in a really weird way. Uh, last year, uh, Chris was awesome enough to have me here last year doing a talk called Breaking in Bad, where, and you know what it was about? It's about me being awesome. I mean, let's face it, I talked about, like, oh, I broke into this place, and it's like, here's video of this and how I got in here, and wow, amazing, right? And it made me start thinking about other things, right? Isn't that in a lot of talks that you see? You get the A reel, right? You get, like, oh, this is amazing and nothing bad happened while I was researching, you know, it was just all good.

So I said, screw that, I'm doing a talk this year and it is nothing but my fails, failures that I've done. And not cool fails, like, you know, oh, I accidentally left an orange out and invented penicillin. You know, not like, oh, I tried how to create a filament with a light bulb while I was destroying Tesla and created the light bulb. You know, not like that. It's literally just, I cratered and failed, and don't do these things, it will end badly for you. Um, it doesn't feel good talk, so it's all good. Um, and so I'm gonna, I'm gonna talk about a couple of them. Um, like, I, a lot of people unfortunately know
way too much about me already, and, you know, that's my fault. Um, but the key thing is I failed. That's, if you want to know more about me, it's like, I'm very comfortable with acknowledging that, because through my failures I've learned so much, and through my failures I've been able to connect and create even better victories because of them. Uh, so I don't hide my failures. It's like, I acknowledge them, and like, you know, hey, straight up, this is, this is what happened. So, uh, that's the, I mean, I'm, I'm a success. I mean, I'm great at failures. It's like, I mean, I, if I could fail at failing, it's like, I wouldn't be able to happen, you know, it's like, I'm a winner at it. Um, so luckily it's not a profession, because then I would probably fail at that.

Uh, and one of the other things I have to say: I'm very comfortable with this, because since this whole talk is on failure, if I bomb or screw it up, that's the talk, so it all works out, right? This is a win-win situation for me. It's amazing, so I love it. Um, what we're going to talk about, though, is I'm going to discuss two red team fails, two blue team fails and two, uh, community fails, uh, that I've done, and I'm going to jump right into it.

Um, the first fail was one of my first, no, my first job as an information security professional. I was a network security administrator for this, uh, online bank area. They're bankrupt, so I don't have to worry about not saying their name. But, uh, I was the, you know, I was the network security administrator because the guy let me choose my title and I wanted the initials NSA. It's like, I'm the NSA here, it's like, you need to watch out. Um, I was horrible, uh, because I started out in physical security and law enforcement, and that is a totally different ballpark, because security there and physical security, you know what you're doing: you're dealing with people that every day it is the worst possible day of their life. Either something horrible has just happened to them, so you're there, or something horrible's about to happen to them
because you're there. Either way it's pretty horrible, so you get this jaded persona of, like, where you're not wanted, you're not welcomed, and, and people that you're dealing with are suspect, because something bad can happen if you don't distrust them.

So when I started and I was in IT, it's like, doing help desk, doing the computer stuff, because that was amazing. I got burned out, and a lot of things led to the fact that I gave my, my notice on, uh, on the task force, because it was just really bad, and I loved and relished doing the help desk and doing computers, because then I could be me. I could be the silly guy, I could be the big kid. It was amazing. But then when I got the job as network security administrator, it changed, and I was like, look at all these suspects at their terminals. I don't know what they're doing, but they're doing something, you know.

So I would walk around, and it's like, and one of the things we used to do is badge check, to make sure you had your badge properly. If you didn't have your badge, company policy dictated that you went to the receptionist and got a temporary badge, and you had to wear that the whole day. It wasn't the cone of shame, it was just good security procedure, good policy. So I'm walking through on a Monday, and I'm walking by doing my little badge check, and I see the CEO of the company, and he's in his office and he's facing sort of away from me at the desk. And I walk by and say, hey, what's going on? And he's like, and he's not normally, you know, hey Jason, what are you doing? He's like, I'm doing great, how's it going? Spider-sense tingling. It's like, I look back at the door: you don't have your badge, do you? And he's literally like, no. And I'm like, come with me. And I walked the CEO, owner of the company, to the receptionist so he could wear a visitor's badge all day. Was that a victory for me? No, that was a victory for him, that he believed in the policy so much that he went with it even when some weirdo was telling him to wear a badge. That was on him, that wasn't on
me. It's like, so I was always like that. I was always, like, trying to check to make sure, because everybody was trying to do something, everything was suspicious. And so I had a very confrontational relationship with a lot of the users. Instead of being someone there that was going to help them, I was someone to avoid. And usually now people just do that, you know, cons and stuff, you know. So, but this was, like, my job. People were, like, trying to do that, and that was, that wasn't helpful.

So I got really upset about that, and the epitome, and the reason this is the most poignant slide that I have, because I received by the board of directors for this company, they one day, for a birthday present, they gave me a picture, like, that had the, that exact picture of Barney Fife, and said Fife Security Agency and something else, or something, we're gonna nip it in the bud, or something funny, right? And had that. Um, and I put that on my walls. I am literally so bad sometimes at human interactions that it took me two years before I realized, oh, they meant that as an insult. They're saying that's who I remind them of. That wasn't to be nice. It's like, so, I mean, because that's what they considered me, that's who they saw me as: a caricature of someone that was supposed to be doing security. How serious were they gonna take me when an incident actually occurred? It's like, so it was a huge fail, and they kept coming, so don't worry, we're gonna keep going.

Um, now the next one is where it says, uh, what did we learn from it. I'm not just gonna tell you about the fails, because, you know, who wants to have time for that? So I've got some lessons that I've learned that hopefully that you can learn as well from it. So, you know, like, a wise man learns from his, uh, smart man learns from his mistakes, a wiser man learns from the mistakes of others. So I'm gonna make you guys super wise by the time this is over, I promise. Okay, uh, so one of the lessons that I learned was you got to cultivate relationships. You can't just appear when something
bad happens. The users have to know that you're working, the users have to know that you're there to help protect them, protect their assets. Your job is to help them keep their job, because if you're doing a good job of protecting them, then guess what, they get to still keep having money, they still get, uh, expanding, they still get to do their business. Because if they get hacked or they get breached or they get compromised and they go under, they no longer have a job. You need to show them how their vested interest is in being part of security.

The next thing is you got to foster the message of being part of the solution, not part of the problem. You got to understand exactly how creative users are. I hate people talking about, stupid user did this, stupid user clicked on a link. No. Take solitaire off of an employee's computer, see how quickly that mother comes back, okay? See how quickly that comes back on the system with these computer-illiterate users, okay? They will find a way. So instead of creating an environment where they're actually trying to help you, they're using their creativity to circumvent you, and that doesn't help anybody.

Now, empower employees to get involved with what you do. Talk to them, have lunch-and-learn lessons, show them how they can be part of the solution. They're part of the information security team already. From day one they should realize that one of their job responsibilities is information security, and if they don't, that's one of the things that you need to be teaching them as well. So do that. It's like, get that kind of relationship, so when they see something suspicious they'll report it to you.

I have a guy, he's a great guy, I love him to death, he sends me spam. No, you didn't understand this. I have a spam rule for my spam rule to get the spam that he spams me with, okay? He has gone to the point of actually sending me spam from his home email address at home, just to make sure that, there's a new campaign, it looks like it's coming out, I just wanted to give you an
FYI. I have set it up that about every 500 to a thousand emails I get from him, I'll reply back with, oh, that's a new one, thank you very much, that's a good one, thanks for sending it to us. And his reaction, like, I'm part of the security team, I just helped them out. Which is what you want. You want them to be part of the security team, you want them to feel that, that they're part of it. I effin' hate his emails. He will never know that, because he gets to talk to his other employees and tell them how he's part of information security. Their first response is, wait, we have an information security team? What? And then he gets to talk to them and train them. So that's how you do that.

So the next one, um, this is a, I literally, when I was giving this talk and I, I brought up this one, I actually got too much into the moment and actually started turning red, because it's so embarrassing. This is, like, one of the worst fails I've ever done in my, well, not really, professional fails that I've ever done. I gotta be specific on this. It's like, there's been a lot, but professionally this is one of the worst ones.

So I have a computer at my desk, it's like, and I watched the firewall logs. This is the, this company that I worked with, and I had a computer set up where I was watching the firewall logs like a soap opera. You know, I could tell when something was going on. It's like, I was looking for the red, I was, like, seeing IP addresses, where they're going. And then at one moment, one day, a flood of telnet connections going to internal IP addresses from other internal IP addresses. I freaked out. Okay, thanks for that message there. So I freaked out. I was like, what is going on here? It's like, uh, so I was, like, freaking out. I was like, what am I gonna do? It's like, I jumped up, you know, leapt up, you know, I didn't even put my cape on and stuff, you know, because that's usually how you're supposed to do these things. And it's like, and I ran over to the networking team and I told these guys, I was like, seriously, what's going on?
It's like, we've got this attack, so what's this IP address, what's going on? And I'm, like, freaking out. My boss wasn't there, uh, at the time, which, you know, he's learned to regret later. Uh, and I was trying to figure out what was going on. They're saying, that's an IP address from one of our routers. I'm like, oh my, they're inside, we've got internal APT going on. I'm like, cyber, everybody drink. This is bad, okay?

So I literally go to, I can't report to my boss, what do I do? I go to the CIO of the company, my boss's boss. You know, he loves me, right? And I told him, like, this is what's going on, we need to respond to this, this is an incident response, we go. And so I go back to the networking guys. I'm like, well, hey, what else is going on, what's here that we're trying to track it down? We're trying to look at this, jumping, and it's like, it's like, you know, quick, bring up the Visual Basic and we'll do a trace route on them or something, you know. It's like, it was horrible. I was freaking out.

15 minutes into this fiasco, one of the network engineers raises his hand: um, could that be that scan I'm doing, uh, for all the Cisco routers in the network? And I'm like, mother, couldn't you have said that just a little bit sooner? And the CIO is looking at me like, couldn't you have waited just a little bit later? And I'm like, so it was horrible, it was bad. I was embarrassed, because it's like, I totally created this whole drama, and it's like, and it's not even the cool drama that I usually start. This was, like, bad drama, and I just, it was bad. And it's like, I looked, I'd lost respect in the eyes of the CIO. It's like, I didn't have that much respect with the engineers anyway, so they didn't care. It's like, and that was on me. They could have told me right at the very beginning what was going on. I'm pretty sure I could have taken the moment at the very beginning, so instead of ignoring all the other engineers and just go to their supervisor, I could have helped avoid that. I mean, because we treat, you know, security and networking, you know,
they're like, we gotta slow everything down, we gotta slow everything down to inspect the traffic; no, we gotta speed things up, we gotta worry about our bandwidth. So it's a constant fight. I mean, I literally, it's like, when I go over to the networking side, so if you don't have to go do something in the networking, uh, part of the cube, I'm telling my boss, like, look, here's my safe word, if you hear anything coming from me, if I'm not back in 15 minutes, call the black choppers, you know. It's like, because I'm going into enemy territory here. It's like, but that's not the right way to do it. It's like, that doesn't foster a proper relationship.

We need to create and, uh, listening, not just telling. I only went over there when I needed to tell them about a firewall rule they needed to make, I needed to check an IP address, I needed, uh, IDS rule signature, uh, done, something like that. When it was just, I just needed them when I needed them, there was no relationship, there was just total animosity, because, you know, I could be a jerk sometimes, believe it or not. You're supposed to act like y'all don't believe it. You don't have to be so accepting of that fact. Okay, we'll go on. So thank you.

So, uh, you have to develop an effective communication channel before crisis. So this sounds strange coming from a guy in information security, but go talk to them without having to need anything. Start up a conversation. I mean, let's face it, they're geeks just like you, and you know what they like, just like you, because they probably have, you know, Firefly action figures or, you know, Batman versus, they've got some kind of action figure telling you what they like. Look at that, find a common ground, okay? So you can find something interesting that you can talk to them with. Go on a lunch or something, maybe do something like that. It's like, get that kind of involvement going on.

Um, the next thing is to develop an effective before they go, and then all of us in this situation just, okay, yeah, that next one is just straight out me: don't
leap to those assumptions. You know, if I would have spent just a little bit more time trying to figure out what was going on before I, I mean, literally I was, like, sounding the alarms, ringing the bells. I mean, I was lighting the fires of Gondor, of, you know, it's like, just making everything go down, right? It's like, if I would have just waited on that, that incident wouldn't have occurred. So you have to understand you can't just jump. It's like, you got to look every once in a while. And I have a lot of problems with that, but usually it's good when I'm doing the red teaming part, it's okay.

Um, speaking of the red teaming side, I don't usually like having a rapist on my slide deck and stuff, you know, especially if he's convicted. I don't even like having an alleged rapist, unless they're privacy advocacy or IPv6. But, uh, red teamers always use this slide: everybody's got a plan until they get punched in the face. You know why? It sounds cool. So I can, like, and I've been a red teamer. I've never gone into an engagement with a client like, hi, I'm part of the red team, booyah, where's the plan? Doesn't seem to work, okay?

But when I started out in red teaming, I thought that's what I had to do. Not physically punch people in the face, okay? It's like, wouldn't have been a red teamer for long. I thought I was in there to go in there and tell them all the things that were wrong with them. It's like, I mean, literally day one I'm there talking to people like, hi, I'm here to tell you how ugly your baby is. I mean, I haven't really seen your baby yet, but it's an ugly baby, okay? It's like, I mean, we're just gonna, all we're gonna do is just go over all the different facts about how ugly your baby is. It's not the ugliest baby in the world, probably, okay, but it's gonna be pretty darn ugly, just get used to it. And of course everybody welcomed me with, right, warm arms and just, you know, open, you know, that was a great example, right? They loved me. No. But I thought that's what I needed to do, because I had to verify, I had to
prove to myself that that's who I am. I had to prove to myself that this is the guy that I am. It's like, because if I didn't actually totally pwn you and destroy your network, well, then I wasn't as good as you wanted or that you paid for. I have very low self-esteem. It's like, this is something that I personally was invested in. It's like, I had to come in and destroy you so I would feel good about you paying me. So it's literally, you know, hi, boom, pay, and I leave. So I got very confrontational. I had a lot of people very confrontational, because some people, I, this is gonna surprise, some people don't like to be told their baby's ugly. I mean, who knew, you know? I was, I was, but it's true, believe it.

And so there was this one incident where I was doing this work for this one company, and this guy was a jerk, okay? Trust me, not as big a jerk as me, I always win, but it's like, he was a jerk. Always giving me attitude, always doing these things to just try to be annoying, working around things. He was the client, you know, but it was his boss's boss's boss that hired us to show where there might be failings, about how bad he screwed up. And, and we found one. It was a good one. He liked to use a certain password, and the funny thing is, is when you drop the domain action domain controller and you get all the hashes of all the passwords and you crack them all, you're able to actually get what his password history was too. So he used a variation of that same word.

So what was funny was, during a call with his boss and boss's boss and our boss, I played this game of trying to find a way to work that word into the call. It wasn't a common word, but it was effing hilarious during that conference call, because I didn't want him just to realize that we got all this stuff, I wanted him to know we got all this stuff. So guess how many times I got hired back to that company? Zero. Because I was an a-hole, I was a jerk, I was difficult to deal with, and I took it too personally, trying to prove my point that I was better than
him, and that made me suck bad. Not from professionally, but trying to actually educate them. How much did he learn from me? How many vulnerabilities did he really actually take to heart or understand? He didn't learn anything but, I'm not hiring that guy again, he's an a-hole, whatever. All the findings that I came up with were invalidated by my attitude. I screwed that up. That's a bad thing to do.

So once again, I think, I hate saying this, this is actually a good quote from a guy who, you know, once he no longer had a plan, he bit someone's ear off, but: everybody you fight is not your enemy, and everybody that helps you is not your friend. Which is actually sort of apropos. That's what you have to convey to your clients. You are fighting them, but that's not because, it's not because you're an enemy. You're trying to show them the weaknesses so they can get defended and protected against real criminals, real people that are trying to attack them. So you face the fact that if you're not part of the solution, then you're the problem. I didn't teach that guy anything. It's like, he didn't learn anything effectively except for who else to call besides me. Not Ghostbusters, but somebody else.

And so allies come in unlikely forms and from unlikely places. After I learned that lesson, I started getting the team involved. I started talking to them. It's like, telling them, like, look, I'm here, I know you know some of the vulnerabilities, I know that you're trying to get them fixed, and guess what, I'm here, I'm a third-party voice to help get your frustrations and your fixes to management, to help you get those fixed. I'm here as your advocate, not your adversary. That's amazing. I have literally had clients on an engagement, one of the engineers told me, it's like, by the way, if you go check over on the subnet, you've got this old SNMP server that's not supposed to be running. It's like, it's supposed to be in development, they won't change it, they may want to take a look at it, is all I'm saying. You know, never would have
found that. But I helped him, and by helping him he helped me, and more importantly than anything else, he helped this company be better secured and better protected because of that. So do that.

And also, short-term satisfaction often leads to long-term headaches. If I kept doing that attitude of that engagement, I would not be standing up here. I'd probably be in a breadline of San Francisco or something, because that's a cool place to hang out and stuff if you're homeless, but still, that's where I'd be, because I would not be working here. No one would want to hire me. It's like, so yeah, you can get that short-term feather, yeah, I punched him in the face, and guess what, no plan, they didn't have one, yay, you're cool and unemployed. So you have to understand that you have to be an advocate for them, not just an adversary.

Now this next one that comes in is really crazy, because this literally, I'm really slow sometimes, okay, I'm a little thick, but on all my fails, this is the one that actually came to me in the middle of the engagement. I realized, oh, I could be doing this. So I was on this engagement with this client where they had a secured area. I mean, it was really secured, but there was a door going this way and a door going that way, or like, this way and that way, okay? I might select really weird for me, so, you know, for a guy who likes to go like all this all the time, this is annoying. So I still love you. No, no, no, don't look at me.

So I had a door coming out of a hallway here, door coming out of a hallway there, and then right here is this glass door coming in. So what I want to do is I want to look like I'm coming from one door and going to the other door, so someone will let me in. So I do the half step. Half step's very cool. It's like this: you'll stand like this, and you wait till someone to come in, and then you start, and you're already in a natural gait. Because if you're, like, hiding behind a corner and you're stopped, your gait's a little off, it's like, than if you were just naturally already walking through a
door. So I did this half step for about five minutes. It's better than yoga, promise me. And someone walked in, and I walked in behind her. She looked at my badge, and she knows something was a little off, and I don't blame her. It said Gregory D. Evans, Oopsie Inc. So that could be a warning label. It's like, I do come with them. And, uh, and I had the face on the badge, actually had me going like this. So yeah, you should know something's a little off. And she opened the door, but she let me in. She went right, I went left. Went to the first office, pwned them. Went to the second office, pwned them. Went to the third office, pwned them.

You know, I come out of the third office, and guess what, she's down the hallway talking to somebody. I can tell by the body language and expressions that she's upset and concerned, and she knows that she did something wrong. And that's when I had the epiphany. I was, I can walk right out of the door right now. I have compromised three machines. I have successfully punched them in the face, okay? I have shown them a failure, I've shown them a flaw, I have shown that I can actually compromise machines. I've done my job, and then I could, and I'd be gone. And then I thought, but what if I keep going and let her catch me? What would happen if I give them the win? What would they learn then, versus a report later? And that is the day that I stopped doing red teaming, and I only do social, uh, engineering and security awareness engagements now. I no longer do red teams.

Because you know what I did? I walked down that hallway, I said hello to her. She did not say hello back. That was pretty rude, for just, for the record. And it's like, and she goes, and it's like, I walk into another person's computer, uh, uh, cube office thing, and I pwned them, you know, it's all good. Less than a minute and a half later, this guy just, like, barrels in. You know, he's ex-Air Force, I found out later. It's like, what are you doing here? Let me see what he said you're not able to. But I'm like, oh my god, I regret this decision, you know.
It's like, I'm, and I'm like, I'm literally, like, as fast as I can, I'm actually even putting the real get-out-of-jail-free card out. Look, I'm supposed to be here, you're supposed to call. I'll call the number, you don't need to tell me the number, I know the number to call. It was their chief information security officer. So he's sort of on to me, and, uh, and they won, and they learned, and she was empowered to do that again. All their employees were empowered to do something like that again when they see someone in an area they're not supposed to be familiar.

I will go into an engagement and I will do the best to destroy you, I promise. I will be doing the best to try to compromise your people, destroy your buildings and ruin you financially, okay, to the best of my ability. On the last day, I promise you, I will try to get caught. I will spend the whole day trying to get caught by your employees, to give them a win, to give them something to look up to, not all the things that they need to stop doing and look down at. And it's like, so thank you.

And one of the funniest ones of trying to get someone to win, and this was literally, I quit, I don't know sports ball very well, but it was literally like a guy trying to, like, go through, uh, get a touchdown, and all the little leaguers are, like, climbing on them, and they're, like, right till the last part of the goal he falls down, like, okay, you got me. Because I was at this bank, and I'd already compromised it, I already got in there, and I was trying to get caught. And so I'm literally sitting behind the teller line and I'm bored. I got bad ADHD, okay? So it's like, I'm, like, totally freaking bored here, because no one's catching me. I'm totally freaking sketchy, I should be caught by now. So I tap on the teller's shoulder and I say, what's the user ID and password for this machine? It is a banking server that is actually doing business right then and there, processing stuff. He tells me the user ID and password. The user ID is the same as the password, which was the same as the
machine, by the way. Yes, that was a finding later, okay? So I log into it, I do a graceful shutdown of the server that is conducting business for them, I unplug it, and I start taking it out to the thing, and I'm thinking maybe they'll start understanding something's going wrong, okay? And I get to the teller line, and the guy goes, maybe something's going wrong, and he stops me, and he's like, excuse me, sir, what are you doing? And I literally had to physically restrain myself from saying the top five things that I knew would say that would get me out of the building anyway, right? It's just instinct. It's like, I knew if I would say it, he's like, oh, okay, go ahead. It's like, so I had to stop.

And as soon as he said that, I was like, oh, you got me. Oh, you were good. How did you know I was a bad guy? You're, you were, I mean, you gave me the user ID and password, but you were just checking to see if I was sketchy or not. Very good, you were awesome. What's your name? We're going to report how well you did. You're an example of what's right in security awareness. You just, you were great. You need a, maybe response time needs to work just a little bit, okay, but you're good. So I gave them that win, and that doesn't diminish what I do. It helps them do better, and that's, at the end of the day, is what it's about.

You got to give your target a win, and it doesn't diminish your attack. You got to, your servers don't respond to an attack with a resentment. People do. You know, I have never had a server, when I'm in the middle of a compromise and stuff, you know, I don't like this anymore, blue screen of death. Okay, I've had some blue screens of death, but I don't think I was personally hurting their feelings. That's just how they do, right? So you don't have that, but humans do, and they will react that way. You can't just go in with the red team and just break everything and expect everybody to be happy with it or respond well to it. Now also, when you look at the blue team as a teammate and not an adversary, you both win. If you go in
saying, we're part of the same team, trying to help you better. But listen, one of the key things that you have to understand: if you think that you're red team and your job is to show red, uh, blue team how they failed, or show, or beat blue team, or defeat them in their, their things, it's like, you failed. You are hired by that company to help them be better secured, period. They don't care about how many 0-days or how many pwns, oops, there we go, see, that's what I get for, like, doing the thing, getting all excited. It's like, they don't care about how, uh, adversary you want to be. They want to be better protected at the end of the day, and if you leave that engagement with just a win and not them better protected, give up your job, you're failing. So, but this is about my fail, so we'll keep going. So sorry, I get ranty. It's like, it's been a long weekend already, so I'm a little ranty.

So this next one is, um, really personal to me, because it's been happening a lot in this community, and, uh, this is a community fail, and it's a, it's a little switch-up, because I, it's evolved on how I thought about it, well, how things have been going on. But I want to start off with one important thing. I started off this, uh, at the very beginning of the year when I gave a version of this talk. I talked about a guy who was the technical editor of my first book, who plagiarized his section of the book, and nearly, I mean, when you look, when I look at the things that have happened to me in my life that are horrible, and it's like, he is above cancer, right below my father's death, and he's, like, above me being homeless. It's like, he was a horrible man. And when I first gave this talk, I didn't name him, because I didn't want to give him credit, or I didn't want to make it recognized, and that turned out to be a fail, because I realized there's a difference between being wronged and being upset. There are people at this conference who hate me. They don't like me, they say all kinds of crap behind my back, and I'm not being joking, I'm serious, I
know they are. I've heard some of the things, and there's probably someone I don't even know about. They don't like me, that's a stupid awkward hugger guy, you know, they don't like me and they say bad things about me. I don't care. They're just being bad. Dustin Fritz wronged me. He did something wrong that damaged me. He needs to be named. When someone wrongs you, no matter who they are or what community they are and what standing they are in the community, you need to speak out and say something about it, because they're probably wronging somebody else too. That's what needs to change. So if someone doesn't like you, retweet it to drama llama, okay? That's just life, it's going to happen. But if they wronged you, let people know and speak out on it.

And so my fail, and I try to do that as my fail, I thought that was my fail, not, like, naming them and just going through and trusting them too much. But I realized later that wasn't my fail that I should be talking about. After my book came out, there was a guy locally in my city who said something really horrible on LinkedIn, because, you know, LinkedIn's a great social network that you can get your feelings hurt on. And he said this really bad thing on the review about my book, and it was the day of a DC meeting, and I was pissed. I mean, it really hurt my feelings. I'm used to people saying bad things about me on Amazon, online, because, I mean, it's the internet, you're supposed to not read the comments, that's one of the rules, right? It's like, so I was really upset with them.

And I get to the meeting, and as soon as I open the car door, he's out there with a group of people. So what do I do? I'm me, okay? I am nobody special, and I'm not saying that as false humility, that's who I am. I am just as worthy and just as anybody else in this effing room. I'm just a guy up here speaking at the time. Anybody else here can be right up after me and speak as well. And so I went to him as just a normal guy, just, like, all pissed off with hurt feelings, and I verbally destroyed him, because
I can use this nice little tongue and stuff you know for meanness and I was mean I was cutting I was biting I tore him down and I told him exactly how pissed off I was how invalid I think that he was how I thought he was worthless for his opinion didn't matter to me and I told him all these things around all those people did they consider me just another guy that was driving up who was upset and had his feelings hurt no among his peers and his people and stuff I was someone that they saw who wrote a book and did these things totally destroying their friend who now they thought lesser of because of that that hurt him bad I wronged him that was a mistake on my part that I still feel bad about he is still a jerk I do not like him I don't want to have anything to do with him but I still wronged him and that was my mistake that I live with and I've actually gone up to him a year afterwards and I apologized it's like I didn't try to like it wasn't one of the apologies like well hoping to become friends no it's like no look I burn that bridge I'm good with that let's make the river wider okay I'm okay with that bridge being burnt but I apologize I was bad I shouldn't have said those things so you got to understand the difference between being wronged and being upset they are two different things it's twitter people let's grow up and coming from me that's an admonishment okay so let's go to the next one let's talk about the lessons that we learned I love the fact that I'm already going through and said way and I'm like oh yeah I already said those things okay so what that what what does that so everyone makes mistakes but some have a remorse or desire to correct them you have to be able to do that if someone makes a mistake and they come up to you and they try to make it better yeah you try to help that you try to smooth it over you try to this is a community we're going to fight we're going to have disagreements I always say I respectfully disagree with what you have to 
say it's like there are people that I am violently opposed based on their religious beliefs or their political beliefs and they are great friends of mine I don't have to like everything that they have an opinion on I like them as a person never judge someone more harshly than you want to be judged for your failings every person that you go online and you tweet all thing oh my gosh demo fail or you go oh their program is so full of bugs it's ridiculous look at Adobe oh my gosh okay okay we can make fun of Adobe it's like let's okay sorry sorry it's getting ahead of myself it's like getting too much of the rapture we still do that so but you also understand that what would happen if your failings were public what would happen if you woke up in the morning and someone announced something that you'd screwed up trust me it was in October I remember it was at night it was the the first Friday of October it was like October 7th it's like I remember driving home with donuts for my family from a 2600 meeting and getting the first tweets about the problem with my book I didn't sleep for 24 hours or more not knowing what to do feeling suicidal didn't know what was going to happen if Marcus J. Carey wasn't talking me down I don't know if I would be here I was floored it's like I would it totally was unbeknownst to me that this was happening I didn't know how to respond I didn't know how to react I literally it took me over six months before I eat donuts again it was such a negative association obviously I've overcome that very well okay but it's like it was bad it was a horrible time in my life but it's like I still need to understand that that's on them not me it's like you can't just take all the guilt it's like sometimes people are just a holes to you it's not what you did wrong it's just they like proving how wrong you are so you need to understand that now the last one has also evolved a little bit too because Defcon 12 so I'm actually going to be probably on time a little
bit but it's like I may run over because I'm like that so Defcon 12 my first Defcon I was an idiot I came in not for the and at first I when I first started thinking about it and talking about it I assumed it was in it because I dressed and I spray painted my hair blue and I wore my shiny dragon shirts hold on I'm getting there so it's like I thought that's what no I spray painted it was like I actually when I showered it came out and I had to reapply the spray paint the next day so yeah there's like there's images on the internet unfortunately of those so but what I did also was I didn't have any conversations with people I had photo ops with people I got a picture of Rain Forest Puppy H.D. Moore was dropping Metasploit with spoonm and the gang freaking at Defcon 12 I've got an awesome picture of them at the OSVDB party did I talk to them about what they were working or what they had developed that was a historical moment in our timeline in our history and I'm there going you know I didn't learn from it and so the key part of that mistake was not how I dressed it was not because I went in and I wasted all those opportunities the mistake was that I thought Defcon had to be this way this is Defcon this is what occurs this is what happens if you come to Defcon with preconceived notions of what it is you're going to be pissed Defcon is not a conference anymore it's it's changed from that a long time ago it is a conglomeration of conferences of passions all put under one two roofs that you can go to and you can experience you want to do nothing but social engineering guess what I think there's a village for that now it's pretty cool it's like uh if you want to do hardware hacking there's a village for that lock picking there's a village for that wireless hacking there's a village for that there are people there are 20,000 people here and you don't go and say oh my god there's 20,000 people here you go and say there are 20,000 opportunities for you to find someone
that has the same passion that you do that are trying to work on the same kind of projects that you are that can help you with them and if you're not approaching it that way you're really wasting your time here this is an event for everyone of every persuasion of every kind of passion for every kind of hacking it's not my Defcon that I used to do and this is how we did it it's everyone's Defcon with everyone's perceptions on how they bring to it that's what we have to start learning and I didn't learn that lesson it took me two or three years to figure out that and when I did I stopped going to a conference and started having a family reunion with my friends in my community and that changed my life so that's what you got to have so there's nothing wrong with wanting to be around others who enjoy what you do right there's nothing wrong with that but learn what they're doing try to take an interest in that understand what's going on uh one of the things that most cons is learning so make sure that you're a part of it you have to be learning here I'm not saying you have to go to every talk but you have to you can learn things at the parties there's a speaker that's talking about all this cool technology that he's just coded he's developed that's great and he's speaking in front of a thousand people and he's nervous he's like he's gotta talk and explain that you put three beers in him at a party buddy you're learning the old day that is how he did the chain is like now you're getting some info it's like he will talk to you it's like he will help educate you teach you show you where you can go to get more information that's a network and out of 20,000 people when I put this is bad Defcon advice okay in a conference of 20,000 people make sure you judge the whole conference on the interactions of one or two people because yeah that's logical okay I will tell you right now there is at least a hundred people at this conference that are up to no good they're jerks
they're not nice people and you should watch out for them doesn't that leave 19 900 other people that can help you and benefit with you and be friends with you which one's greater and when do we start concentrating on the lesser than the more this is an amazing place and I'm not saying that because I'm standing on this stage I'm saying it because I mean it and I believe it when I go home and I go anywhere else in the world I love this event because this is where my family is so that's what that is now never also but more importantly I know I'm okay I'm going to be a little late let's be honest I'm going to be a little late I'm going to run late I'm sorry I'm running a little late that's okay he's not looking at me happy so but never forget that just like a dentist you're a valuable part of society and just as well known one of the phrases I hate the most is being called a rock star so oh you're a rock star either I know I'm not a rock star people who can play music are rock stars I'm a dentist I tell people things they don't want to hear you got to brush three times you got floss more regularly you're not flossing as well as you should be it's like I'm the guy who has to come in and do repair on that breach or cavity and it's painful it's expensive no one wants to go through it and I'm the guy that everybody doesn't want to be around because I'm a dentist right because I have nothing interesting to say it's all the bad stuff like oh my gosh people aren't brushing their teeth properly you know you know the guy who created Invisalign Braces he's famous he's a millionaire he goes to conferences all around the world dentist conferences talking about his Invisalign Braces he's written books people come up to us I can have a picture with you sir I love your work in orthodontry it's amazing and he takes pictures and you know what happens after he leaves that conference he's an effin dentist I care so little about him I didn't remember what his name was to tell you what it 
was I don't carry the dentist just like me since I said about this conference I'm just me you're just you doing the best you can to make things better there is no status in that no one has a higher value of trying to make this place better than anybody else and that's something that has to be remembered more than anything else now I'm going to spend all the 20 minutes I have left to ask for someone to give I need three people to get fails but they've got to be quick fails or he'll get mad at me for every person that gives a fail that they've personally done I will give you a fail bomb one fail bomb has a book that I will be happy to sign it's actually my book so sorry you may be degraded but um but the other two will be for hugs so everybody wins most will want the hugs but still you got a chance that you may have to get the book so who wants to share a fail yes come here and share a fail yes and as I'm a professional person I didn't take it out yet so you talk so I grab this oh okay uh yeah I am currently locked out of my router at home and uh I haven't told anyone because I'm too embarrassed about it you're in the right place to get help with that though wait hold on you gotta open it up and see what it says it's gonna be fine come on up come on up who's next yes and the next person that up to this mic gets the last one oh oh it's a race okay so uh I I accidentally hit uh disable instead of diagnose on a machine uh about an hour or so away had to go and fix that on a Sunday afternoon that's that that's not good come here pick one that's a fail it may be a little more epic my first uh red team engagement phishing engagement was uh for the military and we accidentally actually use Shades of Green which which you don't know is a Disney resort and uh it was the public stuff and they brought it to their spouses and wives and uh we shut down Disney for like three days oops that is you deserve the book actually that that's it everything so the kid well it will be trust
me so the key thing is every single one of you in here could have stood up every one of you made a fail and every one of you have learned from it and that teaching moment could help teach someone else so stop just sharing your successes and how you've done everything right and start sharing some of your mistakes those other people that come after you won't make that mistake as well and by the way yes I was I was trolling you all the whole time I didn't know I was using Comic Sans fonts the whole talk was about fails so there were several fails inside the presentation as well no seriously that's it I'm done