Thanks, Mike. Appreciate that. I was joking around with Mike yesterday about this as well. If he's learned anything about running BSides Greenville, hopefully at this point he's learned that if you want to ensure your conference either gets canceled or delayed, you invite me to be the keynote speaker. For those of you that don't really know what I'm talking about, in 2017 BSides Greenville had a freak winter storm, I think it was in the spring or in the late winter, that caused BSides Greenville to get delayed about six months, and then of course he turns around and invites me again for 2020 and then all of this happens. So it's ironic. It's funny. It's an inside joke, but whatever. Another inside joke is the fact that this is sounded by y'all commenting up here, and we might get to that here in just a moment, but you're here to see a talk called Sucking at Capitalism. Okay, that's the name, and I realize this is the first time most of you are hearing this. I didn't really give it to Mike with enough time to get it out in any type of marketing or anything, but that's the name of the talk, and it really kind of revolves around ethics in the business of InfoSec.

Once again, I'm Tim Tomes, also known as LaNMaSteR53. So I've been around long enough to see things done a lot of different ways. I've helped start a consultancy. I've helped resurrect a consultancy. I've worked as a senior principal and managing consultant. I started my own training company. This company also does development and consulting work. I've been a director of training for an organization. I've been a contract trainer. I've done quality assurance for several training companies. I was a senior leader for an NSA-certified Army red team. And I was the guy that built the curriculum for the Army's first cyber training program, which has since become the Cyber branch of the Army. And so I say these things not to pat myself on the back.
Okay, I say them because I've seen a lot of different organizations do fee-for-service work. And I've had a chance to learn a ton from my own experiences, but also from the experiences of others, because of the leaders I got to receive mentorship from during that process. And I've formed some opinions about how we do ethics in InfoSec business. And I'm just here to basically share those opinions. Now, another funny point, probably the only funny point about this whole talk, is, well, I'm getting ready to slam all over capitalism, at least the way that we're currently doing it in InfoSec. And then my good friend Adam Anderson, whom I love dearly and I know is listening right now, otherwise known as the Nancy Kerrigan, because he is the Upstate ISSA's second favorite speaker, is probably going to get up and tell you to do all of the things that I'm telling you not to do. Okay, so the irony there is real and it's funny. So feel free to see this as kind of a preemptive flame session for everything that I'm going to talk about. I'm sorry, Adam, I love you, brother. I'm sure you'll have wonderful things to say.

So I usually start talks with a disclaimer, and you know when you see a slide like this that I could potentially be saying something that's going to get me in trouble. All right, that's basically what it comes down to. Number one, I'm not going to name any names. I'm going to talk about some real-world examples and some real-world experiences that I've had with organizations, both as an employee and as a consumer and as an individual. There's a good chance that you may be able to make assumptions and figure out who I'm talking about. But I'm not going to give anything away. I'm not going to give away links to materials. I'm not going to say any names.
I'm going to try to be as anonymous, or non-attributional, as possible about these things, because I think some of this could put a black eye on certain organizations or help people form opinions about them, and I don't want to necessarily do that. I just want to point out some systemic issues here. I also know that much of this is subjective. This is my opinion and this is based on my experiences. These are based on my circumstances and this is based on my view of the world. There's a really good chance that a lot of you are going to have different views, different opinions, and that is completely okay with me, and it should be okay with you. I'm just up here sharing mine and you are free to either take that or leave it. The last thing is, because of that, I could potentially offend someone. I don't ever seek to offend, but I realize that there are definitely people out there that do seek to be offended. Those individuals usually find what they're looking for. I ask you to be open-minded, open-hearted. Listen, understand, engage in dialogue, and then we'll kind of move on from there. Once again, this is very subjective, very opinionated, and that typically leads down that road of possibly offending people.

Let's talk about a couple of very different companies in our industry, and while these two companies are hypothetical, both of them exhibit qualities of various companies that I've either worked for or have been a customer of within our industry, and these are all within our industry. So number one, consultancy number one, develops and distributes open source tooling. So as an organization they actively develop these tools and give them away for free. They also support other open source tooling.
So for the things that they use, or the things that help them in their daily job, they also support those, not just by using them but also by marketing them, telling people about them, including them in their training courses, and even in some cases financially: they donate toward the cost. Even when open source tool developers don't ask for any money, there are organizations out there that will say, you know what? They've helped me a lot. I'm going to give money back to them, through their "buy me a coffee" link or PayPal or whatever the thing may be. This organization understands that satisfied employees make satisfied customers. An example of this hypothetical consultancy that really stands out to me is this: I had an opportunity to go back and be a part of an annual party for a company that I once worked for. And at one point in time the owner of the company brought all the people together, and the families were there and everything, so it was a really good, wholesome family environment, and the owner pulled everybody together and said, hey look, we did really well this year. We made a whole bunch of money. And he was very transparent, literally giving numbers, right? We made X number of dollars more than we expected to this year, and yes, everybody gets bonuses and yada yada yada, but I've decided that instead of taking this money and trying to do something to bolster technology at the company, or add a new thing, or do this or that, or find ways to spend it so that we can reduce our tax overhead or whatever it is, I'm just going to give it away. So look, I'm giving it to you guys. I'm giving it back to the employees that make our customers happy, because our customers are the ones that are paying us to do this work and you're the ones that are making them happy. I'm cutting everybody a check. And these checks were not small.
We're talking four or five digits to these individuals, and this was in addition to bonuses that were already going to be paid based on performance and so on and so forth. And so that kind of thing just speaks to me and says, hey, this company understands that satisfied employees make satisfied customers, and they went the extra mile to ensure that their employees were well taken care of.

Companies that use rates to throttle work. There's a lot of different reasons you'll see rates change, but in this particular case I've seen organizations that will raise rates not just because they can, but in a lot of cases because they can't, and by can't I mean they can't satisfy the amount of work that's coming in. They've got a good reputation. They've got a lot of folks coming in, but they don't feel like they can find enough skilled labor to do the things that they're being asked to do. Sometimes they'll raise their rate in an effort to reduce the backlog. Sounds crazy, sounds counterintuitive, but I've seen that happen before as well.

Transparent use of qualified subcontractors. So this is kind of important to me, because I do a lot of subcontracting work, and I've also been on the other side where I've hired subcontractors. It gives people an opportunity to start and grow similar businesses, and someone would say, well, why on earth would I foster competition? The reality is there's more work to be done than there are good people that can do it, so the more small companies, the more organizations that can get started and get up and running, the better off our industry is going to end up being in the long run. And also the transparent use of it is just being transparent about business practices: I do not have subject matter expertise here, so I am bringing in somebody that does, and I'm being transparent about that, and it helps lead into trust and things of that sort.
Believes in quality over quantity. And this goes in a lot of different directions, in the things that they do and the things that they purchase, and the end result of all these things is that no one in this particular company is necessarily filthy rich. So what's the common thread of all these particular bullets here? Well, I would say that they're focused on a culture of giving versus a culture of receiving, and this is something that a lot of companies, I think, talk about, and while they talk about it for a while, rarely does it stick, right? Rarely does it stick, but when it does, it absolutely shows. You can see it through your interactions with that particular organization. And the problem with this particular consultancy right here is we look at it and we say, wow, they really suck at capitalism.

So let's look at consultancy number two here. Consultancy number two bids on any contract with cyber in the title. I have been the victim of this myself personally. Before PBAT, my Practical Burp Suite Pro Advanced Tactics class, ever went live, I taught it for an organization privately first, almost as a beta run-through of the course, and it was the result of an RFP. They reached out and said, hey, you know, we would love to be the first ones to do this. However, we have to go through an RFP process, yada, yada, yada. We're going to literally copy and paste your description of the course into the RFP so that there's no way anybody else can do this. It's proprietary information, right? And so they put out the proposal and I bid on it, and I was really surprised to get the email that said I lost the bid. And so I reached out to the organization. I said, hey, look, you know, obviously you know at this point in time that I've lost the bid.
I just want to let you know that I'm a little concerned, because I know what you were asking for and what you cared about, and I'm not sure how an organization can come in and bid on something that is proprietary, and coming from one of the individuals that's known as a subject matter expert in that field, when it's a company that I couldn't even find a website for on the internet. And they went back, did some investigating, and of course that's exactly what it was. Somebody was literally just bidding on every contract opportunity they saw come across their desk that had the word cyber. This is a real thing, and this is happening. And of course I think we can all agree that's not good for the state of security. It's good for the state of those businesses, perhaps, but not for security overall.

Consultancy number two sells any service with security in the name and regularly takes on work outside its core competency. And I would say that one and two often lead into three, right? Because when you're bidding on a bunch of stuff that you don't necessarily know how to do, then you're going to have to take on work that you're not really qualified to do either. So there's that. Now bullet number four, bills above market rate because of company or individual name recognition. Well, this doesn't sound wrong, right? But I've seen a lot of organizations do this as if the person with name recognition, that rock star, is the one doing all the work. I have literally seen proposals from companies that always include the bio of the rock star, even if that company never intended for that particular person to fulfill that contract, but they sell it as if that person is. And I believe we call that in business the bait and switch, right? That's the InfoSec version of the bait and switch. Hey, rock star is going to do this. Not really, okay?
Maybe when you're in a chat channel, or we hop on a phone call, or do an email, rock star is present, but that person didn't do the work, because it's impossible for them to do everything that these organizations are taking in for work. The next one: bills the same inflated rate for both the rock star from bullet four as well as the senior and junior analysts. Here, I would ask people to raise hands if I could see you, right? But have you ever seen a consultancy that asked for a different rate for rock star X versus college grad Y? Now, I would imagine those exist. I would imagine there has to be tiered rates or tiered offerings in some organizations. I've just not seen that happen. I've seen it talked about. I've not seen an organization do it. But there is a big difference in the quality of the product, right? A better asset is going to get paid more, okay? So they justify that higher rate. But all too often what we see is that the inflated rate that that person is justified in bringing in is actually applied universally. And that's done for a lot of different reasons, most of it to not be transparent. Okay, so this is a big problem. And it's a problem of scale, right? And it's fed by demand. There simply aren't enough people to do the amount of work that's available in our industry and to do it well. So the bigger a consulting firm gets, the more people they need, the more competitive hiring gets, the lower the skilled talent pool becomes for that organization. And the skilled talent pool for the industry as a whole is growing slower than the attack surface itself. So the impact is that a company grows, the talent pool gets watered down, overhead costs grow, but the quality goes down, and the rates go up, okay? Now this demand then leads to the temptation to satisfy all comers, which goes back to these top three bullets here, right? And obviously, as I'm saying here, they simply can't provide a quality product when this is happening.
So the end result is watered-down security for the consumer at the same or a higher premium rate. And the worst part is that this consumer doesn't know any better and believes that they're continuing to receive a quality product based on either brand or past performance. And to me, it just doesn't seem right. But I'll get into that here in just a moment. So the next one: it seeks VC capital funding or an exit position. Is this not the American dream, right? To get bought out for millions of dollars at the age of 35, okay? So the temptation of taking that big payday is where it gets tricky for companies with good intentions. Like, if you have bad intentions, it doesn't get tricky. This is exactly what you're out for. But if you have good intentions, it can get tricky here, because once investors get involved, things can go very quickly from model number one to model number two. Do people become rich that way? Absolutely they do. But often they become rich at the cost of the community and the people that both trusted them and trusted in their vision. Okay. So in contrast to the previous example, what's the common thread in all these bullets right here? Well, to me, it's a clear focus on maximizing gains, and sometimes those gains are coming at the cost of others. Now, even though this example here is about consulting, the model is not unique to consulting; product and training vendors are equally affected, and InfoSec is full of people and companies that are taking advantage of the fact that their citizens, or their clients, right, they don't know any better. So rather than take responsibility and help our clients understand, right, these organizations are capitalizing on lack of knowledge, right? But this company, consultancy number two, this company excels at capitalism, okay?
Now, while these bullets are synonymous with what many would consider capitalism, and properly functioning capitalism, I'm going to spend the rest of this presentation making the argument that this is the result of capitalism done wrong, done due to the greed of man and not to the core tenets of what capitalism was founded to be. So we'll start that argument now, okay? And I'll start it by briefly defining not what I think capitalism is, but what capitalism is, okay, then shedding some light on the origin of it. So here, bullet number one, Google defines capitalism as a system in which a country's trade and industry are controlled by private owners for profit, rather than by the state. Okay, so it's pretty straightforward. Our Constitution gives us the freedom to buy and sell property for the purpose of profit. Now, does that mean that profit is the ultimate goal? Or does that mean that profit should be the sole focus? Well, let's look at this next bullet here, and this is a warning from the authors of our Constitution, this one specifically from John Adams. And you can read this whole paragraph and come back to read it, or do it now as I'm speaking, but ultimately they all are feeding into these two bolded statements right here. And I am going to read these two bolded statements. The first one is, "We have no government armed with power capable of contending with human passions unbridled by morality and religion." And the second one is, "Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other." Okay, so what does this mean for our definition of capitalism, if the people that wrote the Constitution are telling us that morality and religion are really important to the use of this Constitution which governs and gives us this capitalism? So morality comes from religion, right? So these two particular terms here are pretty closely tied together. And most of the world religions share a common thread.
As I was thinking about this and reading this thing, I'm like, I've got to find this common thread. If this morality and religion is so important to the proper implementation of this capitalism, then what's the common thread here? And the common thread that I've been able to find, not in all world religions, but the major ones, we're talking about Islam, we're talking about Christianity, Judaism, is love. Love is a common thread there. And so it got me thinking: if I were sitting in a room here and I said, who here has heard these words uttered before? Love your neighbor as yourself, or do unto others as you would have them do unto you, right? The golden rule. I think I would see almost every single hand go up. And while these are actually religious concepts, and as a matter of fact they're pretty much verbatim from Bible texts, they are shared across many religions across the world and recognized by society as a whole. Even a non-religious society recognizes these particular things. So my point is that even if Adams was referring to Christianity here as the implied religion, the point doesn't actually change when we include others or just include societal norms. Some sort of religion or moral conscience is required to navigate the rights that our Constitution affords. And that Constitution includes this idea of capitalism. So if capitalism is described by our founding fathers as being tied to morality, which stems from religion, and the majority of world religions and societal norms share a common thread of loving your fellow man, then the next step toward better understanding capitalism, as I was going through this, was better understanding what exactly love is, okay? So what is love? And no, I'm not talking about that hit song from the 90s, okay? Of course, that's not what I'm referring to. And another kind of humorous point is, I believe I could be the first person in the history of security conferences to actually define and talk about love in a talk, right?
Especially a keynote. So I will gladly wear that banner, by the way, so feel free to label me as that. But bottom line is, love is really difficult to define, okay? I think what I got from most places was some variation of this first bullet here, right? A complex series of feelings and emotions towards another thing, okay? But it's really difficult to define and the definitions are all over the place. And so what we see the world religions do, which had that common thread of love, is they don't actually, or aren't able to, define it either. So what they do is they take it and they try to say what love looks like. They give examples so that we have an idea, or an image, or a visual of what this thing called love is. So the Quran, with regards to love, says that Allah is with those, Allah loves those, who are of service to others. All right? The Bible goes into great depth talking about love, and in these particular two passages here, it's patient and kind, doesn't envy or boast, it's not arrogant or rude, it's not resentful, it doesn't rejoice at wrongdoing, rejoices in the truth, bears all things, believes all things, hopes all things, endures all things, and there's no greater love than laying down your life for a friend. And so basically what we have here is love boiling down to service, sacrifice, and a reduction of self for the good of others. So let's bring all of this stuff together. If the founding fathers designed capitalism for a moral and religious people, and the major world religions and society as a whole find their basis in love, and if love looks like a reduction of self for the good of others, then which business example, consultancy one or consultancy two, sounds more like capitalism now? I would certainly make the argument that consultancy number one appears to be excelling at capitalism, while consultancy number two appears to be sucking at capitalism. Okay?
So this thought exercise led me full circle back to the keynote that I gave at BSides Greenville 2017 that Mike spoke of earlier. And the talk was called InfoSec Proverbs: The Tim Tomes Top 10. And basically what I did was I just wanted to put together the top 10 lessons I've learned, whether it be about business, about technical stuff, about personal development, professional development, whatever. That was my first time ever doing a keynote and I felt woefully out of place, just like I do right now with everything else. Definitely not a thought leader by any means. But I just wanted to kind of throw those things out there. These are things I could share with people that are looking for mentorship. So I created a talk around that. And number seven of that particular list was: it is better to give than to receive. And the point that I was trying to make is that this pretty much applies to everything that I've been a part of and everything that we do within the InfoSec industry. Conference talks, whatever. I'll give you some examples of those. Let's look at mentorship. If everyone's giving mentorship, then who's receiving mentorship? Everyone. Same thing goes for service. If everybody's serving everybody, then who's being served? Everyone. This is actually a biblical concept, but once again it does not require being a follower of Jesus to understand that this just feels right. If we are all giving: giving away software like Recon-ng has done more for my career and my quality of life than selling it ever would have. It has led to countless job opportunities. Personally, probably 80% of the development skills that I've acquired over the years have come from my continuous development of that project and rewriting it over and over again. Quick story about that.
Early on within the development of Recon-ng, I had folks come to me, and they would corner me at a conference and say, hey look, we're developing open source intelligence gathering tools and we're looking to make them subscription-based, but you're giving away something that directly competes with, and in many cases is better than, what we're doing, and it's not fair. Or not necessarily "not fair," but they were angry about that. They didn't like the fact that I was doing it. I was preventing them from capitalizing on a need that they saw that others had. And as I look back at that, Recon-ng came out in 2014, this may have been 2014 or '15 when this happened, I often wonder where those individuals are now. Not because I'm putting myself on a pedestal, but because I really wonder, because I see what giving it away did for me in my career, and I wonder what attempting to sell it did for theirs. And so I really wonder where I wouldn't be if I hadn't, and I wonder where they are, and I think it'd be an interesting contrast to see the differences, one based on giving and the other one based on receiving.

And then the third point I'll make here is giving away training. Things like giving away training, giving away workshops, going and speaking at a conference and not expecting to be paid for that. That not only helps others, but it also builds a personal brand, and it forces you to become a subject matter expert at something. I don't know that there are too many people that say, I'm going to go to a conference to talk about this, and never prepare. I'm sure it's happened, but most people, if they want to get up and speak about something, are going to work at becoming a subject matter expert in that area. And so as a result of that, you build your own professional skill set, you build your personal brand, all these things work together, and you're giving, you're going out there and you're doing it because you want to help other people, and it ends up benefiting you in the long run. Now
these examples here are based on the individual, but they apply to businesses as well. There are a lot of organizations and a lot of individuals that break this chain of selflessness, not selfishness but selflessness, and what this does is it contaminates the society within our industry and erodes the very principles that capitalism was founded under, based on the things that we've talked about. So as I looked for examples of areas where there are clear problems with this me culture versus the we culture in our industry, I landed on four different problems. I want to dip our toe into each of these and talk a little bit more about the motivation behind them and how I see it affecting our industry. And these four problems are: manipulation of recognized standards, restriction of open source tooling, training price gouging (or the price gouging of training), and pentest puppy mills, which has been long since talked about. And I'll just kind of go into the motivation behind each of these things.

The first part I want to talk about is standards manipulation, and the example that comes to mind is the OWASP Top 10 in 2017. So for those of you that aren't aware, most of you should be aware of what the OWASP Top 10 is, because as far as web application security goes, this kind of sets the standard for where all of our assessments start. Like, when you do web application security assessments, the Top 10 is the minimum baseline of what you should be looking for, looking at, and focusing on. So in 2017 this particular list, which gets released every couple of years in a cycle, was delayed several months, and it was delayed because the draft included a really questionable entry, okay? So what was questionable about that entry? Well, it turns out that OWASP leadership had corporate involvement with a particular organization, meaning that OWASP leadership worked for a particular organization that released a product that particular year that focused
on solving the problem that this new entry presented, okay? So essentially the list itself directly supported a conflict of interest for the leadership of the organization that released it, based on corporate involvement that they had with private companies. I mean, obviously that's a conflict of interest, right? So luckily, in this particular case, the industry actually stood up. The industry stood up, called them out, and they went back and pulled in some outside people, re-did the analysis, and re-released the Top 10 a couple of months later. So things were fixed, but the bottom line is a manipulation of the Top 10 could have had far-reaching effects. I mean, think about it: causing the community to put emphasis on something that wasn't as crucial as it seemed while downgrading the emphasis on something that was. The impact of that is essentially untold. It's impossible to calculate that, but think of the potential compromise that could have happened as a result of that, and since people weren't looking for it, all these vulnerabilities could have potentially gone unseen, or unchecked, or unmitigated. I don't need to go much further here to realize that that's just wrong, okay? But why did they do it? What was the motivation?
Well, the motivation here was clearly to capitalize on a position of power for personal financial gain, and at the same time sacrifice the security of a whole bunch of people, essentially everyone, to do that, okay?

So the second problem here is restricting open source tooling. Now, this really appears to be a noble effort, okay? It's a noble effort that makes two main arguments. Argument number one is that bad actor capability is more important, or more impactful, than universal knowledge of that capability, okay? Now, the original paper spends most of its time making this particular argument, and it claims to use facts that support this point, but it provides essentially zero supporting evidence. Now, I expected as I read through this thing to see links and to see references and all kinds of stuff, because the person's throwing out a lot of facts and making sweeping assumptions, and I didn't see any. There are no links in there. There's just no link to third-party information, which tells me that that information is coming from internal, whether it's internal to him or internal to an organization. That information is coming from somewhere, but it's definitely not coming from a third-party resource that that particular person is willing to point out. So for instance, here are some of the flaws that have gone into this thing. The author says that a bad actor should be forced to invest in a capability in order to have it, and that an effective way to prevent them from possessing it is preventing public release of that capability. So my question to that is, what happens if a bad actor is willing to invest the capital and the time into developing a capability that we have disclosed and prevented from public release? All that does is create a gap. It doesn't actually get rid of any bad actors, but it creates a gap between the haves and the have-nots, okay? There are still going to be the haves. There are still going to be threats there. But the problem is the good guys go from
being fully aware to being virtually completely kept in the dark. And I actually look at this and say, well, if you're going to make that argument, the same argument can actually be made to say that we should no longer provide security patches for unpublished vulnerabilities. And I say unpublished vulnerabilities specifically, because the release of patches for unpublished vulnerabilities now gives bad actors the ability to reverse engineer and diff software to find the patched issue and then create exploits for it. So no patches would restrict their capability, and that seems to be more important than the knowledge of those issues. So if the benefit outweighs the risk with regards to security patching, then why not with tooling? And so that's some of the logic that you kind of see there.

Now, argument number two is actually a really good argument: there's no viable justification for obtaining raw offensive capability pseudo-anonymously. I can totally get on board with this. As somebody that releases open source tools, if an author is willing to associate themselves with the tool, if I'm willing to say I wrote this thing, then the users of that tool should be okay with saying that they're using that particular thing. I can get on board with this. So it's not a 100% bad argument. I mean, it's not a 100% bad idea, and it certainly appears to be a noble effort. But what is the motivation? And you heard me kind of allude to it a little bit where I was saying that there was no information, it didn't point to any public information, and that most of it probably came from internal. And as I looked a little bit closer, I found out that the person that's driving this movement works for a company that would greatly benefit from any implementation of this idea. They're one of the marquee names for all the kind of stuff, the information that would feed into this, one of the marquee names for an organization that would implement or assist in any type of legal regulation of that stuff. They would
be someone that the government turned to to do this and so I am making an assumption here completely this is I totally don't know this is fact but it certainly appears to me that this movement here could be motivated by a desire to capitalize in a way that hampers many of us operationally while greatly benefitting a few financially and whether it's done for noble whether there is some nobility behind it or not what is the motivation here now unlike the the WASP issue this one's not resolved okay there are some new resources out there we can try to view some arguments the various arguments that are being made to make a decision yourself I got a link here to one that's coming online in a couple of days this is not me right I am not running this the person that is somebody that I think is a very middle of the road person tends to not get involved in drama but really cares about the truth in making good decisions as an industry and so I'm willing to put this link here but I just want to make it clear that I am not the one that is putting this information together and I'll let that person I'll let that person reveal themselves when and if they release this thing if they choose to do so I will not I will not name any names like I said okay so the third issue and this one really hits close to home for me is training price gouging and the reason why it hits close to home for me is because this is this is my passion I love teaching people about the things that I know and if a second the things that I've learned in fact I built my company around it and I say my company it's just me right it's me with an LLC but it but it is a company built around training and if I ever grow it will be to train I also do some other things on the side but I'm a training company so this is close to home so what I did was I went out and I tried to build a table here of the average daily price of training for various organizations for various providers now these providers are generally highly 
rated you can find negative negative feedback pretty much anywhere with the exception of practice sec just kidding right that's funny now seriously that that's my company right so of course I'm including myself for transparency here you can absolutely find negative reviews for any of these but these are all generally considered to provide highly rated training I mean it is based on an eight-hour day too which is why some of these numbers look a little bit funny because there are organizations that teach four-hour work or three-day workshops four hours a day and so that you have to kind of do some math with the hours but ultimately eight-hour days so black at 2019 or this is pricing for black at 2019 $1250 to $2000 a day black Hills InfoSec $198 a day now I have zero here because black Hills recently came out and said hey if you can't afford to take the training we'll give it to you for free so obviously that seriously reduces the daily price but I went with what their listed prices which I think was 395 days for a four-day workshop that was a total of $16 my prices standard across the board $500 per person per day regardless of whether it's on-site open open enrollment whatever Sands is $1,170 a day now Sands is the only one that might not be exact and that's not because you know I want to fudge these numbers to make them look bad or anything like that it's because every time I go there and I check the prices they're actually higher than it was before and so there's a good chance that they may have actually gone up since I collected this information even though it was only like three to five days ago I just want to make sure I throw that caveat out there. 
SpecterOps: pretty much $1,000 across the board on all the classes that I could see that were listed upcoming. And TrustedSec, same thing, about $750.

Okay, so why is this information important? So I went and I did a little survey on Twitter this past week and asked a question: how much are you willing to spend out of pocket per day for decent training? And here I specify not the best, but something relevant that will make you marginally better at your craft, without being reimbursed. This is a really tough question to ask, and it's a tough question to answer, because it's extremely subjective. Well, how many days is it, right? Rich people versus poor people. So there's a lot of subjectivity that goes into this, but ultimately I was just trying to get enough data to make this point, and I think I did. Okay, regardless of where the statistical anomalies may be and how you could maybe draw some conclusions from it, 90% of people, 90% of people, aren't willing to, can't, or won't spend over $500 a day for training.

So what does this say about the providers on the previous slide? Well, it says that they're explicitly targeting big-money customers, right? Governments, large companies. They're not interested in helping individuals, they're not interested in helping people, they're interested in padding their pockets by supporting clients with a lot of money. And so what does this do for our industry? Well, it creates a barrier to entry and a barrier to improvement, all while of course increasing profits for those organizations. Now this problem, and this is what really grates me and really irritates me, this problem is amplified when you apply the fact that the people that need the training are less skilled, and because they're less skilled, are less likely to be paid enough money to afford the inflated prices that they are being asked to spend. This is a huge problem. Of all the problems I think we're covering here, I think this is the biggest, and it's certainly the one that grates me the most. You could probably tell by the level of passion in this particular segment, it has gone up in my talk, because this bothers me. This affects me. It would have affected me greatly if I wasn't privileged coming up and having people that pulled me through the industry and set me up with great training. I didn't pay for all the training I got; it came from them. That was a privilege that they afforded me. Not everybody has that. And so that being said, it's a problem. It's a problem that we've got to deal with.

And the last one that I want to talk about is pentest puppy mills. This one has obviously been talked about a lot over recent years. It's a twist on example number two, but in that case the result was inflated prices making the service inaccessible to small to medium businesses, whereas pentest puppy mills actually have the opposite effect, which I'll get into here in just a moment. They prey on a lack of knowledge versus individual brands. So they're not preying here on rockstar brands, they're preying on a lack of knowledge of the clientele. And that's not 100% of what they do, but it's a part of what they do, because quality is never really intended with a pentest puppy mill. There's very little concern for quality, and that's different from the brand recognition, that rockstar thing, that I was mentioning. These companies take advantage of weak regulatory requirements, things like PCI: you can be compliant, but you're not necessarily secure. And they provide a solution for that check-the-box security mentality, which frankly a lot of organizations have. They sell these services with a sense of confidence in providing a service that they don't actually specialize in. So this also goes back, similar to example number two: instead of being enabled by that brand recognition, these pentest puppy mills are enabled by their low rates. Now in order to offer these low rates, they've got to make some compromises, right? And we'll get to that in just a second.

So they undercut other firms by conducting fully automated, low quality tests. They have to conduct fully automated, low quality tests in order to pay the people that they're paying while also providing the service at the rates that they're charging. Automation absolutely has its place, but it's long since been known that these tools aren't very good. They only have the ability to find... I shouldn't say they aren't very good, because they're trying to do something very difficult, but they only have the ability to find a very low percentage of the actual issues that exist. And depending on what part of the industry you're in, it gets worse. Like, find an automated tool that writes zero-day exploits for network services. Not going to happen, or at least it doesn't exist in any real good capacity. Now web application security, in an environment that's changing, in an environment where a developer can solve a problem in a literally unlimited number of ways, the idea of having a scanner that can find problems in all these things is darn near impossible. So this is a very real problem. And so if you've got organizations that are undercutting others and then conducting these fully automated tests, they're absolutely going to be low quality. And so what you end up having is these things being sold with confidence, and that leaves clients with a false sense of security.

Okay, now where this becomes dangerous is for consumers that are hiring these companies that actually care about the results of these tests. Because let's face it, there are absolutely going to be consumers that only want check-the-box stuff and don't actually care about the results, and you know what, pentest puppy mill, go for it, you can service those clients. I don't agree with anybody looking at security that way, but the bottom line is there are people that are okay with it. But that price point that they're able to offer is absolutely going to draw in others that don't know any better, and then they're going to be taken advantage of, and this leads to a reduced level of security for anyone associated with those organizations that fall for that particular business tactic.

Okay, so that's the four main problems and kind of my summarization of those. There could be an individual talk done on each of these. I literally just barely skimmed the surface of these things, but I just wanted to throw those out there. So now, how do we fix this problem, right? We have rampant ill-applied capitalism and it's leading to these issues. How do we fix it?

Okay, so solutions for providers. Number one, I don't expect any leader of any company that behaves like this to actually watch this talk and take anything I say seriously, right? So this slide is essentially meant for those who realize they're a part of one, or potentially could be moving in the direction of starting their own organization and being a provider of one of these services. Number one: be transparent with your business practices and your competencies. Right? If you don't do something well, don't tell somebody you do it well. Okay? And if you have an organization that comes in and says, look, we're looking for a one-stop shop, we want somebody that does all these things, is it not perfectly okay to be transparent with your business practices and say, hey, you know what, that's not something I do well, but I do know people, and I will find a quality subcontractor, or I will lean on one of my quality subcontractors, to actually fulfill that part of the competency that we lack to give you this full product that you're looking for? There's absolutely nothing wrong with that. Nothing at all. But as a subcontractor I have absolutely run into companies that just refuse to let me be me. And what's absurd about that is, how hard is it to say, huh, Tim Tomes, I wonder what his credentials look like, since he's conducting my test. Google Tim Tomes: founder of Practical Security Services LLC. That's not who I hired, right? So it's not even really a secret in most cases, so why not be transparent about it to begin with anyway?

All right, so next bullet: offer different tiers of service based on asset proficiency. Once again, it makes sense. If you've got a rockstar, charge rockstar rates for that person. They're worth more, they're going to work faster, chances are they're going to be more efficient and get done quicker, but that doesn't mean that it should be the same rate as a result of that, right? You can up the rate for somebody that's going to be more efficient and a better asset. That just makes sense. That actually feeds into what our founding fathers had in mind for capitalism. There's nothing unethical about that. Price training so that it's accessible to all, and this kind of goes into the next bullet: just stop being greedy. Have a heart for others. Contribute to the good of everyone, and you can do that by pricing training so that it is accessible. I'm not asking you to give it away like Black Hills, right? In fact, with Black Hills I saw some people saying take advantage, take advantage. I don't necessarily agree that you should take advantage if you have the ability to give a little more. If you have the ability to pay that $395, do it. There's still work going into that, even though Black Hills isn't going to ask you to. If you have the ability to do it, do it; if you don't, then go get your free training, and that's a great thing that Black Hills is doing for you. But ultimately, just think about someone else other than yourself as you're embarking on this journey. Now I get it, a lot of this stuff is much easier said than done, right? And ultimately it requires a huge culture change. This is not going to be something that you, brand new guy who just got hired, or intern, is probably going to be able to change within an organization. This definitely comes from the top. But one of the good things about capitalism, right, is that as employees and consumers we have the ability to drive change, and so that's kind of the next couple of points that I'm going to go into.

So, solutions for individuals. This is for us, the individuals. Number one: share your tools and discoveries, but do it responsibly. Now "responsibly" is a loaded term, a whole other talk, right, on what responsibly means, but ultimately what I'm telling you not to do is lock it away and make it inaccessible. Okay, Recon-ng is kind of an example of that, and I think I perhaps have a different approach to how I manage this thing. Responsible disclosure of Recon-ng for me, or responsible distribution of Recon-ng for me, is making it somewhat difficult to use. I did that intentionally. People ask me, well, why do I have to know SQL to do this, or why is it difficult to set up the environment, or why is the command structure built this way? Because I get hit up on the issue tracker and Twitter DMs all the time from anon hacker, the guy with the Anonymous mask, in broken English: I'm trying to hack my friends, I'm trying to dox somebody on Facebook, can you show me how to do it with Recon-ng? No, I'm not going to show you how to do it. You're not the intended audience, and I'm not going to contribute to that. If you want to use the tool, you're going to need to invest some time and some effort to do it. Now I'm not requiring you to invest in such a way that you have to completely redevelop the tool, but I am requiring you to invest some time to work through the learning curve, and that's how I've chosen responsible distribution for Recon-ng.

Number two: affect the culture change. Once again, this starts at the top, so if you're near it, try to influence it. Don't sit idly by and watch our industry and your peers suffer for the sake of a few individuals' greed. Don't do it. You don't have to. And that kind of leads into number three here: there's more work than there are good people to do it, and that results in a ton of opportunities. If you're a valuable asset, consider finding a new job. Consider moving. If a company experiences a mass exodus of talent, that sends a pretty darn strong message to the leadership of that organization. If anything can drive culture change, that may be it for employees.

Okay, number four: don't support companies that hurt the community. Plain and simple, don't support them. By supporting these companies, all you're doing is emboldening them to make it worse. So if you've identified any companies, and I'm sure many of you as we've gone through this talk have said, organization one, two, three comes to mind, don't support them. If that's an organization that you pour money into on an annual basis, don't do it anymore. On the next slide I'm going to cover ways that you can compensate for that, but just don't do it. And then the last one: call it out. As an industry we're pretty good at self-policing, I would say. We're pretty good at that. Making these kinds of things known and getting the word out, I think, goes a really long way to fixing this particular problem. In fact this entire talk is me calling it out, all right? I mean, if that didn't hit home pretty much immediately when I said that, that's what this is. This is me calling out these particular problems. I see an issue and I want to make it known so that we as a community can fix it.

Okay, so now solutions for consumers. What can consumers do? And I'm talking about individuals or companies that are purchasing these services, whether it be training, whether it be consulting, whether it be development support, whatever. Avoid the one-stop shop. Okay, one-stop shopping is super tempting, right? But it can cost you money in the long run, and I think it'll become apparent here in just a few moments, some of my points to support this and why you should do it. Small companies usually have a sharper focus. Okay, a couple of individuals get together, they're really good at a thing, maybe it's exploit research, maybe it's web application security, whatever. They get together, they start a small company. It's a small company, and then they hire around that one core competency in which that company was developed. You have a really high average skill per individual at a small company. I shouldn't say that it universally applies, but it certainly has in my experience. On the flip side, large companies, right, as they grow, they've got to hire less skilled labor, because as we've said multiple times, there's just not enough good people out there to do the work that needs to be done. And so they're gonna have to hire less skilled labor, and in order to get the number of jobs done that are coming in, they're gonna have to automate more, and some of that automation is to take the place of a lack of skill. So you're gonna end up with a less than average quality per engagement. And what this ends up resulting in is that you have the short-term gain, because guess what, I'm only spending time doing one contract, I'm only spending time talking to one client, and that seems to save money now because I'm saving time, but it ends up in a long-term loss.

And so let me give you an example. As an individual, as a company, and as a VP of services for another company, I've lost contracts to companies that have come to me and said, hey, we want you to do x, y and z, and I just simply couldn't. And when I told them I couldn't, I gave them everything I've talked about here in terms of how we can solve that problem, right? I advised them of this stuff. They chose to go somewhere else. They chose to go somewhere else. Now it is worth noting that I personally refuse to do anything outside my core competency, and I don't do subcontracting right now, so as a result I simply cannot and will not satisfy these requests. And I feel like I need to say this, because if I didn't, I could be putting myself on the opposite side of the argument that I'm making, so I want to make that clear: I don't do anything outside of my core competency. But in this particular case, I was open with them and I was transparent. I said, hey, look, we don't do that, or I don't do that, and I advised them of these particular dangers, and they ended up going a different direction. Many of those companies ended up coming back at a later time and ended up paying me to do the work a second time, when if they would have just taken the time in the first place to form those relationships with me for the one thing and then another organization for another thing... oh, and by the way, guess what, we know each other, so I could have given them really, really good leads into companies, or small companies, or individuals that could have done a fantastic, stellar job for a reasonable rate for them. But they ended up coming back and paying me to do it a second time anyway. So, long-term loss: they ended up paying two or three times to have this done, and they saved a couple of hours of work early on. Very real problem. Avoid the one-stop shop, as tempting as it may be.

Point number two kind of leads into that a little bit as well: build relationships with local small companies. Chances are there are some in your area that you're not even aware of. I didn't really grasp this until I started going to some of the local meetups here in the Upstate area and realized that, oh my gosh, there are security consulting firms here, there are really good development firms here, there's good local training in the area, there's stuff. And yes, it could be considered direct competition, but once again, there's more work than there are good people that can do it, so competition is a really good thing right now. Having more of these companies is a good thing. I just didn't realize that there were that many good small companies doing these things around me. And I think another thing that we would agree on is, when you're doing work like this, trust is really important. You know how easy it is to build trust when month after month you go to these meetings and you see these people, you see your client, right, asking good questions in these things, you see your client showing concern and care and passion for the work that they're doing, you see your client up there presenting technical or well thought out material? It is really easy to build trust when you're doing that. Okay, and so I am convinced that the best services you've never heard of exist here. It just takes a little bit of time and a little bit of effort to get involved. Go out, meet the people, have the phone calls, right? Have the additional phone calls, put in the extra hours of contracting to bring in these small organizations that are going to do really, really good work for you and have a high average skill. And oh, by the way, since they don't have all that overhead, they're also typically cheaper. I've actually had people tell me I had to raise my rate, because my rate was so low they were afraid contracting was going to think I was a fraud. Okay, no, I just don't have an office I have to pay for, I don't have a bunch of employees that I've got to pay for. It's just me. I'm really good at what I do. I'm a one-trick pony, but I'm really, really good at my trick, okay? And I want to do that trick for you, and I'm willing to do it at a nominal rate. And so that just doesn't equate with companies with regards to modern capitalism, or the way that we've been doing capitalism. So we really need to kind of change that mindset.

Okay, so I'm probably way over at this point in time, and I'm not looking at any texts, so I imagine Mike's probably screaming at me, so let's get to this conclusion here. Number one, I'm a huge proponent of capitalism, true capitalism, regardless of what this presentation says. That has to be known. I'm a proponent of true capitalism. I don't believe that change happens when you're forced to give, right? And feel free, while I'm saying this, to go down and read the verse at the bottom of the page. When you're forced to give, there's no heart involved in it, and when there's no heart, there's no change. Okay? Capitalism, true capitalism, gives us the opportunity to choose to give, to choose others over ourselves, and that ability to choose is a change of the heart, and the heart is the only way that we're gonna fix this problem and many other problems that are very relevant in our culture, in our country, right now. But, as I've said, current capitalistic tendencies rooted in self are not what the founding fathers intended, and I hope I've helped people see that today. There are absolutely companies doing it right. I know I pointed out some things that could potentially be wrong, but there are absolutely people doing it right. But in the cases where those are wrong, we all have a part to play, and we all have a part to play as a part of the solution, and I hope I've been able to present those to you as well. Ultimately we have a choice between the good of humanity or the good of self, and at a time when I believe it's never been more relevant, I'm imploring everybody that's listening to this talk: please choose humanity, right? Choose others. Choose the industry. Choose the thing that you love. So with that, I'm gonna conclude this presentation. Mike, please steal it from me, because I have totally blown your timeline, brother.