 All right, we're going to get this thing started because I want to get home before midnight. I'm Jim Christie. I'm a special agent with the Air Force Office Special Investigations and I'm currently assigned to the Defense Cyber Crime Center. What we're going to do this evening, we have multiple federal agencies represented here as well as the Sydney Australia Police Department and kind of what we're going to do is kind of what we've done in the past. So what we're going to do is do a quick little bio on each of our panelists, let them make an opening statement and then we're just going to open it up to questions from the floor. So first Jason Beckett, Jason Beckett, raise your hand please, there's the director of the state electronic evidence branch for the special services group of the New South Wales Police Department, Sydney Australia, former inspector with the special services group. He went to the corporate world as a godless contractor for a while and then came back to the government in 2003. Holds numerous degrees and he's just a nice guy too and you'll have to pardon that southern accent that he has. Tim Fowler, NCIS and Tim is active duty marine special agent, has worked as a cyber agent for the Naval Criminal Investigative Service in Washington DC for the last six years. Tim has 19 years active duty experience and in 2004 Tim was awarded the bronze star with combat valor device by the secretary of the Navy for his media exploitation efforts in Iraq. So thank you. He begged me not to say all that. Andy Freed from our favorite agency, the IRS, Andy is a, usually there's a target on the other side of it so somebody's, Andy is a senior special agent with Treasury, Inspector General for Tax Administration, System Intrusion, Network Attachment, holy god that's a SINARC, 17 years experience with Treasury and I actually met Andy back in 86 when he first went to work for IRS and he had just left the Kennedy Space Center where as a security guy he actually developed the forensic software that everybody in law enforcement used in those days and as we point out to him it wasn't forensically sound in those days so we now buy commercial products. But most of the people that were wrongfully accused have been released by now. Bob Hopper, National White Crawler Crime Center raise your hand so they see you. Manages the computer crime section, Hop manages as an instructor cadre, manages the instructor cadre for NW3C in West Virginia, does anybody ever go out to West Virginia? Hop just retired about a year ago with nearly 30 years experience with the Arizona Department of Public Safety and 37 years in law enforcement. Hop's a law enforcement career, you know he did lots of drugs, oh no you investigated drugs and air smuggling, okay. Thanks for coming Bob, Tim Huff, FBI cart, got his computer and information systems degree from Jacksonville University and was a U.S. naval officer from 85 to 96. Then we kicked him out of the service and he went to work for the FBI because they'll take anybody. He was assigned to Pittsburgh field office in 1997 and is the chief of the FBI's computer analysis response team and he's the unit chief for those guys. Dave Thomas and I can't find your bio Dave, oh Mike Jacobs, oh man somebody messed with him up, Mike Jacobs, SRA, got groupies, cool. Mike joined SRA in October 2002 as a senior advisor following his retirement from federal government service 38 years. In March 2003 he was appointed to the director's SRA's cyber and national security program. Prior to that, I don't know what the hell is SRA stand for, system is integrator, I don't know what that means either. Prior to that, Mike was the information assurance director at national security agency, NSA, no such agency. Under his leadership, NSA became implementing, okay, yeah, you can read it online. Thank you, it was getting long. Ken Privet, raise your hand Ken, okay, this is a test to see if they know who they are. U.S. Postal Service Inspector General, Ken presently works as a special agent in charge of the computer crime unit for U.S. Postal Office Inspector in General, conducts computer intrusion investigations and provides computer forensic support to a force of over 450 agents. I met Ken probably about 10, 12 years ago, he was the Naval Criminal Investigative Service, NCIS agent, he defected, went to defense criminal investigative service and DOD kicked him out and he went to postal, he went postal. Dave Thomas, FBI was designated as special agent back in 1989. Mr. Thomas was appointed chief of the Cyber Division Criminal Computer Intrusion Unit in 2001 and he's directing the FBI's efforts in many large scale cyber investigations and some of you may know him personally, following a rights advisement. And last but not, oh, we got Jerry Dixon, I'm sorry, and Jerry, you didn't give me a bio, so he's a fed cert, so when we go through, if you tell him what you do and why you do it and who you do it to. Dr. Linton Wells is the principal deputy assistant secretary of defense for networks and information integration, been my boss multiple times through the years and you'll see more of him later. Okay, now if we could start at this end of the table and if you'd make your two minute short statement, advertising your agency, please. I'm Ken Perivitt and I work with the Postal Service Inspector General's Office on the Aging and Charging Computer Crimes Unit and just one thing to say, if anybody owns any postal systems out there, if you could just write the IP on your card and just pass it up to the front, I'd appreciate it. Thank you. 9 o'clock in Vegas, what are you people doing here? I'm with you, I should be, I don't know. This is like my eighth DEF CON, fourth time, third time Meet the Fed. My agency basically is a tax agency for those of you that are not inside the U.S. and basically what we do in my group is we're primarily the internal security people in that position. We do a lot of the computer intrusions, network denial, service attacks and phishing sites. That's pretty much what I do now, full time. My name is Tim Fowler and again I work for the Naval Crime Investigative Service specifically for the Cyber Department. Naval Crime Investigative Service is a civilian law enforcement agency, federal law enforcement agency and specifically with the Cyber Department we work computer crime investigations, both criminal, counterintelligence, counterterrorism, operations and investigations. So we work the full scope of the cyber field, but that's pretty much it. Well actually we do stuff that even make Mark Herman jealous sometimes. G'day, my name is Jason Beckett, I'm from Mississippi, the very southern accent, the land down under. Even though we are from what I've been called a backward country, we are actually the third largest law enforcement agency in the world. As a result we have one of the largest forensic labs in the southern hemisphere. We're both a sworn and unsworn section, most of our staff come ex-military or academia or for a variety of other commercial and consulting organisations. We look at the full gambit of computer security and computer forensics for New South Wales and most of the high end investigations for Australia. Mike Jacobs with SR International, SR International is a system integrator. Its principal client is the federal government and we have a pretty large practice in the information assurance domain. And one of the things I've been doing in each of the DEF CONs that I've come out to is try to recruit additional talent. And last year it was T-shirts for resumes. This year the recruiting budget is down. This year we have fancy NSA refrigerator magnets for resumes. These are rather special refrigerator magnets. You can apply them either to your refrigerator, your desk or your metal headboard. It's up to you. But we'll have a half a dozen of them for a half a dozen resumes. And the transmitter only works about 300 yards. Hi, I'm Bob Hopper with the, how many of you, but raise your hand if you've ever heard of the National White Collar Crime Center, all those people that raise your hands are probably cops. Make a note of that. We are a non-profit DOJ funded corporation that provides free, at no cost training to law enforcement all over the United States. My focus with the computer crime section is to provide computer forensics training and cyber investigations training. We move police officers from entry level to through advanced level training with computer forensics all over the United States. I don't have any magnets to give you. My name is Tim Huff. I'm with the computer analysis response team with the FBI. We do computer forensics for the bureau. We also help out state and local whenever we're requested. We have about 90 different sites across the country. Doing computer forensics, we have about 250 to 300 examiners right now. We're still expanding. We also have the regional computer forensic labs, 14 of those across the country where we provide personnel for those sites as well. Lynn Wells from the Office of Secretary of Defense. First off, to a factoid, which is that in the next five years, roughly 40% of the Department of Defense's civilian acquisition workforce is going to become eligible for retirement. There will be enormous opportunities for people with imagination, talent, and initiative which represents most of you out here in the audience. Just think. Pardon? It depends on what you're doing, actually. Anyway, so there are opportunities. And at the same time, the network is becoming critically important to the department. In fact, there's probably going to be a report released in the next few weeks that's going to call it the most important single integrating thing in the Department of Defense. So there's a lot of opportunities, again, for those of you out here to come learn more about us and really help us draw on your skill sets. Thanks. Good evening, Dave Thomas from the FBI. This reminds me, being growing up in the state of Tennessee, this reminds me of a large-scale temp revival. So if any of you feel the power and the spirit moving you, we're empowered to take confession 24 hours a day, so please come on forward. My job within the FBI is, I'm in charge of all counterterrorism, counterintelligence and criminal computer intrusion investigations for the FBI. I also have our cyber action teams, which deploy worldwide in the event of any cyber emergency. Thank you. We appreciate you coming. Jerry Dixon, I run the U.S. Cert Operations. Basically, we do the federal incident response and coordination across the federal agencies. We work with a lot of the critical infrastructure under operators. Obviously, we do a lot in the vulnerability management disclosure area as well. Some of you, we've talked to, you know, since starting with Black Hat. So if you have vulnerabilities, definitely look us up, especially if you're not getting the progress that you'd like to see from some of the vendors. We can, a lot of times, we can assist with that. And we do have jobs posted out there on USAJobs.gov. So we're always looking for some good talent. Okay. Before we start with the questions, we thought Turnaround is a fair play. You guys play Spot the Fed. So we're going to play a little game here ourselves. It's going to be called Spot the Lamer. Okay. So, these two guys are going to pick out the top six lamers that they find in the audience. You must come up, stand out in front of here. Quickly. Quickly. Marcus, send your daughter up. We're going to do that. We'll do that for you. We had a whole mess. Okay. Just line up right here. How many do we have here? Okay. One, two, three, four, five, six. We got six. Okay. I get to ask the first question, and then each panelist will get to answer a question, and you just point to the person you want to answer the question. One down here, she's six. Okay. Number one, did your mother sew your name in your underwear? No? No. Okay. Next question. Ken? Number two, have you ever participated in a Star Trek marathon? No sir, I'm a Star Wars fan. Number five, have you ever gone to a family reunion to pick up chicks? Only boys in a family, it's worse. Number four, have you recompiled your kernel yet today? Number two, do you have a copy of Frack in your bathroom? Number six, do you live in your parents' basement? Second floor. You're up there. Second floor. Number four, are your best friends on our IRC channel? Your best friends. Your only friends. Number three, can you speak fluent hex? Number one, what does LMAO mean? Number three, did you ever get caught playing with a three inch floppy? Number five, can you name the entire Skywalker family? Okay, now we're going to let you guys vote. So if you think number one is the lame, or let me hear it. Okay you can sit down. No, no, no, no. Come on back. Only number one can sit down. Number two. When you get the Marines, they wait for it. Number two, you can sit down. Number three, you can stay. Number four can sit down. Number five can stay. Number six can sit down. Now we're down to the last two. Okay, we'll go in reverse order. We have a special prize for you. We have a NSA mug and a free vacation. At this point it's up to you guys. There are only one microphone so that everybody can hear you. So if you want to line up behind the microphone and ask a question, you can direct it at any particular agency like IRS. Am I going to get audited this year? I hope so. Okay, yes sir. I guess I'd like to primarily direct this to the FBI, but of course everybody, I'd like to hear anything any of you have to say. This is a question that I just asked the EFF less than an hour ago. I'm really fascinated to hear your guys' side of this. Right now what is being done or what are you guys thinking about doing to force corporations when they're sending our personal financial data overseas to third-party companies to force them to be accountable for our personal financial data? We are the data owners. They're just the stewards of our data. We're not in the business of course to force companies to do anything. If that's something that you feel very strongly about which is what you do then you should talk to your congressman, talk to your senators and have legislation passed to prevent that. That's the right way to do it. Can you guys investigate though? If you want to ask a question you'll have to get in the flipping line. This is the puzzle. Don't make him angry by the way. The problem I have is I just moved into this apartment complex and every day I go to the post office box and they have a trash can right there and I have found numerous letters and at least first class mail in there. I've even seen a bill thrown in the trash can. I know you guys are federal agents so isn't that a federal offense for throwing mail in the trash can right there by the box? Not of its your own. That's correct. Are you the one that threw it in the trash? If it's not my trash, I understand that one. I'll see you in a second. See me afterwards, please. That's not a good thing. That's a bad thing. Mail in the trash that hasn't been opened is a bad thing. This is for Mr. Jacobs. Do you have any teenagers living in your basement? I have a follow up on that. Are they yours? I didn't hear the subject. Do I have what living in my basement? Teenagers. Not anymore, thank God. So I see that we've got a lot of different agencies up here. I'm curious about your take on how you guys overlap and then your opinion on are we set up correctly right now from a governmental standpoint to combat cybercrime? What for a lab? Come on, panel. I didn't have you up here for nothing. I'm sorry. I didn't hear all of it. Is that a point towards the lab? No, I mean you have a lot of different jurisdictional boundaries, right? And so I mean to us in terms of consumers or corporations that are combating cybercrime, how do you guys align against the problem? What degree do you overlap and then really organizationally are we set up correctly at the federal government level to combat it effectively? I'll start off with that. The FBI is the lead agency for all counterterrorism, counterintelligence investigations that revolve around cybercrime. Other agencies would feed information they get into us. For criminal cybercrime, it goes across multiple agencies, U.S. Secret Service, Postal, everyone on this table. We react very well, work together, we coordinate, DHS, FBI has people there full-time. We have people full-time. We have joint terrorism task forces and every FBI field office which has almost every agency or probably every agency here represented. So the government within the United States works very well and very closely together. All of us have known each other for a long time, which is the reason we're on this panel today, but it works very, very well in the U.S. I think just from an international perspective as well, we've dealt with just about every one of these agencies from either with a local issue or an issue that they've had in our country and the relationship works very well. One of the reasons I'm here is to keep the relationship going. Okay, so just to redirect that a little bit, are there any redundancies in terms of responsibility now or is there a need for any greater centralization of authority? I guess I'm speaking to the Department of Homeland Security in terms of coordination. I mean, centralization of authority in this country probably isn't a good thing. Yes, there is overlap. I mean, several agencies have concurrent jurisdiction, but we work it out. We have de-confliction mechanisms. Okay. All right, thank you. Let me comment on that just real quickly from a state and local law enforcement perspective just because that's where I just came from. There are a number of states around the United States post 9-11 that have made an incredible effort to ramp up their ability to communicate at all levels. I'm most familiar with Arizona because that's where I came from, but there are any number of states out there that are doing at the state and local level. They're in the United States now? Pardon? Arizona's part of the U.S. now? Actually, yeah, just barely. Well, that's more of a state than West by God, Virginia. All right, this is a question primarily for people that are doing enforcement and actually going after people who are doing cracking on systems. With the topic that was brought up for the discussion, it talks about Boyd's theories on getting inside someone's decision loop and following up after someone and getting in on the weaknesses on their system. For the crackers that are out here in the audience, a great deal of them actually, that's their bread and butter, they get into the weakness of a system. My question for those of you that are doing enforcement is where are the weaknesses that you can discuss for the crackers, where you can get inside their decision loops and you can actually come in and catch them that way? Anything you can share? Perhaps some of the audience could explain how they got caught. Actually, I wouldn't mind doing that. I wasn't really caught. I actually properly reported certain events through the proper channels and went ahead and had a counter-terrorism investigation conducted. Didn't find out until four years later through a frame information act. However, I don't know. I think a short answer was... The question kind of like went over the head like... Could you be more specific? No, no. What was the question again? You're supposed to be asking. I think the other gentleman asked. I think how we get involved in computer intrusions. From the IRS standpoint, strictly the IRS standpoint, I can tell you that the only intrusions that we generally will work are those involved in other crimes that primarily deal with fishing, impersonation, or threats. So generally, when we get involved in a case, we find out that at some point an intrusion was made and that's where we get the link in. I hope that answers the other gentleman's question. I just know from personal incidents, usually it's not the intrusion that's caught. It usually goes very undetected. But anyways, I have a question. Traditionally, Nita Fed has always been a big recruitment thing for different federal agencies of different governments and everything. Why would anybody from the scientific community want to work under the current Bush administration slash regime for an administration that continually tries to silence a lot of the scientific community? What incentives are there for us to come work for you? We make a lot of money, we have a lot of fun. Just so you know I'm not a Democrat. I have a question for our FBI friends. Can you tell us who the most wanted cyber criminal is and what did they do? J. H. Afani. J. H. Afani is the only computer intrusion person ever on an FBI wanted poster. He was the mastermind of the FoodNet investigation, which was the denial of service attacks against his competitors. And he's currently at large. J. H. Afani. He's Moroccan. I got a question for y'all. I'm not sure who exactly this is directed to. But there have been a lot of reports in the last few years of people, hackers wouldn't exactly be the correct term, but I guess we can use that for lack of a better one, that have found weaknesses in systems and applications, most commonly online systems, web systems, through no malicious intent, you know, that may have been looking at something and stumbled upon it. Now, back in the late 90s, memory serves me well. Most of these people, when they reported, at least from what I hear, they reported it directly through the company. The company basically thanked them for finding a problem and fixed it. But now it seems like when they report these issues, they are immediately charged with hacking the systems, cracking into them, and federal charges are brought against them. I'm just wondering from your perspective how you distinguish between a legitimate error that's found in a website versus malicious intent. Or is that distinguish, distinction made, or do you just prosecute fully? I'm not. Do you have a specific example of someone who's arrested for doing that? I can't think of one off the top of my head, no. Because I don't know of anyone specifically that, through a legitimate purpose, found a vulnerability and reported it to a company that then was arrested by the FBI. Absolutely. Okay, that would be a good follow-up question then. Thank you. Let's say that a vulnerability is found then. What would be the correct way, safe way to report that? Who should be reported to? Sir. Report it to your local law enforcement. If you've done, I mean, you have to be careful when you're looking at, again, is did you just accidentally discover vulnerability or were you probing a system trying to find one? There is a fine line there. You can walk between what is legal and what is not. Right. But most people probably won't encounter a vulnerability during their normal surfing happens. I think if you take a look, I mean, just from October until now, there's been what, over 5,800 vulnerabilities identified. And, you know, we process, you know, 1,000 plus vulnerabilities. And I can't think of any one of those so far that's been reported to, you know, the U.S. or the DHS where somebody's, you know, been prosecuted. You know, under responsible disclosure, you know, obviously, you know, we work with the vendor and what have you and try to assess and triage that. So, you know, again, I don't know of any specific examples in that one or part of it. Okay. Thank you. Well, I obviously have a question because I'm up here, but it's good. I have dealt with a few attacks. I've seen some people break in and through forensics. We've discovered who it was and a lot of the time they're in countries that you don't think that we could prosecute like North Korea or Russia or China. I'm wondering what is being done to capture these people and have we had any success? Yes. We've had outstanding success. 80% of what we work is international with the FBI. We work cooperatively with the Russian government. We work cooperatively with China. We work cooperatively with, we have an MOU in place in South Korea. I just came back from investigations where we've done in several Eastern European countries. So, we have a very outstanding relationship with most countries around the world. All right. So, this is kind of a strange question. I'm in a band called Preteen Porn Star and I own the domain named preteenpornstar.com. Periodically, we get emails that are in really bad English, terrible spelling, asking us for, you know, are we trading pictures or whatnot of, you know, underage people. And at some point, they'll always go into perfect English and say, I know this is illegal, but it's sort of a question. We kind of ignore the emails, but I'm wondering, are those cops hunting? If they were, we wouldn't tell you so. But no, that isn't the way law enforcement works. I mean, we're not going to solicit that. Now you're talking about entrapping someone. There is so much child pornography and sexual exploitation of children out there going on that we get and see on a daily basis to go out and create a phishing scheme, if you will, to try to look for someone who's not even predisposed to do it. No one up here has the resources to do that. That type of activity, though, should be reported. So I should forward those to you guys when it happens. Absolutely. Okay. Thanks a lot. It gets us hits, man. Don't know if I could beat that one. I'm just wondering, does anybody have a neck beard? Neck beard. Come on in the audience. Someone has a neck beard, right? Give that man another drink somewhere else. Refresh his drink. I have a quick question. Actually, two questions. Smaller companies, usually, they don't have too much budget to spend on the security if they discover something. They say smaller companies always go to local law enforcement, they say this is over my head. This is over our head. So here's the content for FBI. And the FBI will just tell them, you have to really lose so much money before we will take care of you. So what is the best way to get around for the smaller company if they think they are being attacked or anything like that? Probably the best way is to report it to the Internet Prod Complaint Center, which we have where we process 200,000 complaints a month. Your small complaint is if it's aggregated against complaints across the United States and sometimes worldwide, may show us that the level of that incident is actually high enough that we would actually go out and investigate that. So I would encourage you to report those incidents. And again, the Internet Prod Complaint Center online has a website in the form for doing that. Okay. And second question. If they are still suspecting something is going on, is that the right suggestion to actually get them to say, to actually ask them to install this key logger so they can prove to them, prove to whoever is going to investigate. This is why I did, and the versus is not what I did. I'm sorry, I didn't get the question. Should I actually recommend them to install the key logger so they can actually show all the activities they have done versus the one they have not done? Should the person you reported to, should you ask them to? Yeah, the companies. They would have to come to you with specific legal authority to get your consent to do that. But if any federal agency or state local for that matter shows up, then they will tell you what the investigative alternatives are of what they could do and what the legal authorities are, they could do that. Okay. Yeah, but the problem is they have to wait for the law enforcement to actually tell them what to do. I think that's the problem. I mean, you're empowered to protect your own system in any way you see necessary. I see. I just want to protect the evidence or show the evidence in the long run. If your system is a system administrator, you can protect your system, yes. I see. Okay, all right, thanks. Meet the Fed is kind of cool. It's nice to see faces, but it's on a national level. Besides going out and breaking the law locally, how can I meet the Fed in my area? I recognize you and I think you have. How are you guys doing? First of all, I'd like to say I spot a Fed, but wait a minute, a couple of people want to answer his question for him. I mean, just quickly, if most of you belong to companies or work for corporations, there are avenues out there for you to meet your federal law enforcement people. We have within the FBI InfraGuard with over 14,000 members. We have the InfraGuard website, but it's a place where other companies can get together and discuss vulnerabilities issues that's going on. Secret Service has their electronic crimes task forces in almost every city across the country. So there's multiple avenues out there that if you want to develop a relationship with local law enforcement officers that you can. You may or may not. I know you guys' official position is to enforce law as it is, but I just kind of wanted opinion from the panel as to if they think the DMCA goes too far and reverse engineering should be legal or not. I mean, it depends on what are you reverse engineering? Excuse me? What are you reverse engineering? I'm saying software in general. To me, it's not really wrong to point out the vulnerabilities and things that other people did. And I think the DMCA has kind of gone backwards on that whole concept. We appreciate your opinion. Well, but I was actually asking for an opinion. I mean, I know what you guys are going to say. You're going to enforce the law as it exists. So why the hell do you ask the question? You got this on tape, right? I didn't hear you, actually. All right. Do your agencies have trouble with investigations being compromised by the actions of corporate security and IT people, people that do their own investigation before they allow you to do yours? Yes. Any specifics, details, examples? How often does it happen, perhaps? It happens whenever a corporation doesn't report it immediately and then gets some kind of guidance as far as how to preserve the data so it can be maintained in a forensic manner and then testified to in court later on. If they go and do their own investigation, they're going to change things from when the incident actually occurred. If we get a pristine or exact copy right after this incident happens, then we can go with that. If they get in there and fiddle with it themselves and then later on find they can't do what they need to do and then hand it over to us, a lot of things have changed. We can't testify to things we didn't do ourselves. In many cases, we've seen cases where the individual organization or agency or company has done their own investigation, think they have fixed the problem and then finally decided to report it once we did the deep forensics on it. We found that they hadn't fixed the problem. They had tainted evidence and they were still at risk the whole time that they had this... they thought that they were fixed. Is this something you run into on a daily basis or is it more rare than that? I just wonder if that... is that a large percentage of what you deal with is compromised that way to where you're unable to do your job or is that not a very big problem? I think we can recover. It doesn't kill the case. It makes it much more difficult to work, but in most cases it doesn't end the investigation. Good evening. This is a follow-up to the comment of the gentleman from the Office of the Secretary of Defense. If we have... if this is true and there's a whole swat of time in coming up, the skill sets that are needed from our computer science-guided NCS programs, are you happy with the crop that you have here or do we have to move more to trade school kind of stuff like the Chinese do in our overseas? And this is actually a question to all of the panel. What do you expect from a computer science undergraduate and graduate education that can work in your agencies? I think a lot of the students we get from the Scholarship for Service programs are really hot. I mean, these guys are really sharp. In fact, I have a couple of them that are here with us today and they're tremendous and I need more of them and what I need them to do is to tow the line before they come to work for us so they're clearable. Thank you. I would echo that. I just hired two little geniuses straight out of college. But one of the... we have the same challenge. I mean, you got to sit down and take a polygraph, folks. Maybe I'll have a follow-up question there. A few useful index questions and so on. The latest qualifier from the jobs for the federal agency. People have told me they didn't register for selective service, they cannot become postmen anymore. Is that still the situation? You run a follow-up, a few federal laws and then you're eligible for employment in any of your agencies? Not forever. Not forever. But if you were doing it last week, you would probably be ineligible. You could be president. Either. Do you... Give him a magnet. Do you in fact pay taxes, though? I do, sir. Yes. On everything I make, actually. But I've also been a... I'm actually still a security consultant and I've done some work for the government and one thing that I've been very unimpressed with is the level of engagement of the open-source security community in the government. I'm impressed with the SE Linux project and at one point, as some of you may know, you were helping to fund OpenBSD. Something happened there and some of that funding went away. MITRE, CVE, things like that are a step in that direction, but I wonder at a government-wide level is there an understanding that all of this intelligence that you guys are sharing, if you would share that with those of us in the security community in the outside world and I also think it's a budgetary responsibility thing when I see these deep pocket contracts that you guys have with certain vendors in the Atlanta and D.C. area whenever open-source alternatives exist for these tools that will do everything that these tools will do and this is the days of cuts in funding and fewer and fewer resources for you guys. So share with us. Share with SourceForge. Share with the security community that you guys have got to help the security community as a whole instead of throwing money at these vendors. And I guess that's a question. So I'm waiting for a government-wide open-source security initiative and I'd like to reap the benefits of that as with the rest of us in the security community. So first off, there's a lot of great tools. As you know, since you've been a security consultant to the government, there's a lot of tools that get developed from a lot of the folks that support the government and a lot of that gets distributed and a lot of that turns into just take a look at some of the work with Snort back in the day. I think probably a lot of people here saw the picture on Insecure Org of President Bush down at the, I believe it was the NSA sitting next to the screen with Snort and map output and a bunch of other cool stuff. Right, right, right, securitywizardry.com But we all kind of saw that and were like those guys are really doing the same stuff we are but in my experience, all I saw was I came in and did some work for some assessment work for an agency and they had a big stupid contract with a vendor that they tried to scan hundreds of thousands of systems with this particular tool and it didn't work and they weren't meeting their FSMA compliance and all that stuff. Before you go too far down the path there I mean there's a lot of efforts, you know, science technology within DHS there's an engagement with a lot of open-source software out there. I mean there's a lot of efforts underway so I mean if you want to discuss a little bit more after this because I know we're running out of time here hit me up, I'd love to discuss it further. Yeah, just would like to see more of that I guess is what we're saying. DoD just had a major open technology development initiative also in the last, what, three weeks or so. Hi, I know that you guys are all up here recruiting or most of you are can you talk about ways that people who aren't formally trained in security or who don't have computer science degrees might have a way to see your various agencies, those that are interested in being feds but don't have the acronym at the end of their name or the degree to go along with it. Well let me start off with the Defense Cyber Crime Center. Most of the folks who come to work for us have no background with the government, no clearances before they get there and they come in as contractors so we're looking for talented folks that are trainable. We're going to teach you how to do the job. Without college degrees? Without college degrees? I'm looking for talented people. I just spent five and a half hours last night with somebody who didn't have a high school degree one of the most talented women. They've got an expertise, we can use the expertise. It's degrees, right? Can I get a magnet now and send you my resume later? All right. I do have a serious question though. So from the paradigm of a letter of authorization what would you include, what points would you see fit to be included for a private security contractor who is going to do an assessment and audit or a penetration test so that they kind of have you know CYA factor for themselves? That is they're hired by a company they have the authority and they're going to do this work, an assessment for a company but within that the MOU or the LOA they want to have some points covered what would those be? Before any company or any client engages someone to do that kind of work they establish and agree to rules of engagement that defines the parameters that the analyst is going to be allowed to deal with. Now that to a degree as long as you stay within those rules of engagement those parameters you are protected but it's an agreement between the parties that this is the nature of the work you're doing these are the limitations in the nature of the work you're doing and this is what the expectations are of what you produce as a result of the work you're doing. But within that agreement are there some specific and I don't mean from a civil court criminal court perspective are there some ironclad phrases or memorandums that you would want to have in that contract to protect yourself? Sure. The contract vehicles can be very specific. The do's and don'ts are going to be there in the rules of engagement. Okay. So you don't have any specifics that you think that should absolutely be germane to that kind of a... One specific is don't do anything stupid. Alright. Looks like we have two minutes so... Yeah. First of all I want to say it's kind of interesting to hear the service for scholarship statement because I'm going into that program so I'm excited about that. But my question is actually more for the FBI guys. We're doing a lot of training in my university on forensic stuff in general. How many or have you run into cases where these guys actually follow proper forensic protocol doing their investigation into a problem and then turn it over to you. And how many legal problems does that bring up if they actually do follow the proper protocols and stuff? Proper procedure for forensic protocols are determined by the agency organization that has a forensic lab. And most cases nowadays they need an accredited lab by some accrediting body which FBI is going through right now for our headquarters labs. I have not run to any occurrence yet where an organization has followed their proper protocol and then handed it over to us and we've had a problem. Mainly because the basic precepts of forensics is make a copy of what you got and don't change it. After that everything is pretty much easy. We can always take that image and reconstruct and go with it. We would prefer not to be told about it later on once they can't figure out what to do. We can always do parallel efforts but we'll get what we get and we'll try and help wherever we can as far as the forensic aspects of it. Law enforcement doesn't control crime scenes. We're used to being flexible. Unfortunately we just got the X. So I appreciate everybody coming. I think some folks up here have got things to trade. We're not giving them away. So you got to trade for this stuff. So thanks everybody for coming.