So, 20 years ago, most people didn't know what a DDoS was. They thought phishing was a boating activity and hacker was a bad word. In a loft in Boston, a group of hackers stumbled into this world in the early '90s. They created L0pht Heavy Industries and in '98 they were invited to testify before the Senate Committee on Governmental Affairs about the risks that came with the burgeoning internet. That unlikely event marked a turning point for the industry. Today, cyber attacks dominate the news and ethical hackers and researchers are on the front lines pushing for better security practices and more critical thinking. We're going to hear some never-before-revealed details about that historic trip, hopefully. And we're going to see how they view security issues that are still problems today. So, I'm going to introduce them.

So, Kingpin, also known as Joe Grand, is a computer engineer, hardware hacker, former DEF CON badge designer and proprietor of Grand Idea Studio. He joined the L0pht as a 16-year-old and worked on a bunch of acronyms, a POCSAG pager... Thanks, Kingpin. A little tracking of the president? No. ...decoder kit, AMPS-based cellular phone hacking and Palm OS application development. You guys remember that one, right? What was the name of that, Joey? Harry Palm. Was that Harry Palm or Booty Call? I don't remember which one it was. The war dialer, probably. So, Chris Wysopal, also known as Weld Pond, is a co-founder and chief technology officer at Veracode, was CTO at Veracode. At the L0pht, he was a thorn in Microsoft's side, researching security in Windows and writing Windows versions of L0phtCrack and Netcat, and was webmaster for L0pht.com. Tan. Woo! That was Facebook right there. Tan published a paper in 1999 envisioning a cyber underwriter's lab to test software for security weaknesses, and he led incident response after a logic bomb was planted at UBS.
He did pen testing and red teaming for 12 and a half years at JPMorgan Chase and now works in security at a large health insurance company. Peter Zatko, aka Mudge, worked at DARPA as a senior government official for DoD running cyber. Tan. Oh! He also worked as VP of engineering at Motorola and he was a deputy director at Google. He's head of security for Stripe and chairman of the board at the Cyber Independent Testing Lab. Chris Thomas, aka Space Rogue, is a founding member of the L0pht, was a long-time editor of the Hacker News Network and is a public advocate for security topics through speaking, writing and general gadflyness. He worked at @stake and then went on to work in research at Trustwave SpiderLabs and Tenable. He currently leads Global Strategy for IBM's X-Force Red team. And then Christian Rioux, better known here as Dildog, was the co-founder and chief scientist at Veracode. He's the founder of Hailstone, a security incubator inside CA Broadcom. He was a researcher at the L0pht and @stake and a member of the Cult of the Dead Cow. Does anyone remember the Cult of the Dead Cow? He wrote original code for Back Orifice 2000, co-authored L0phtCrack and AntiSniff, and wrote some of the first buffer overflows for Windows.

So thinking back to that testimony, that was May of 1998, what did you say or convey to them that day that you think worked? So I'll start. So I think the thing that worked, and it was something that you never plan, right? I think Mudge dropping his line about the 30 minutes worked, but we were like a visceral representation of what the adversary viewpoint was. Like we were the first ones to actually talk like, these guys were building secure systems, building the software, they don't know what we're doing, we're hackers, we could break this stuff. Like we made it really real to them that there are people that can do that stuff. And we're talking person to person.
I think the other thing that we did that was important was we conveyed the poor state of software security, and vendors just couldn't say, all software has bugs, we have security bugs, because if we could find them, we said they should be able to find them. So I think those were some of the basic foundational things that got through. And then going along with what Weld had said, sort of raising awareness of hackers in general, I was just at the Mob Museum in Las Vegas recently and learned about something that was pretty cool. The Kefauver Committee back in like the '50s, where they were basically exposing organized crime to the masses. It was the first time people learned about organized crime. This is like a little bit of an exaggeration, but the testimony was sort of like that, because people had sort of heard about hackers and up to that point they thought they were always bad, criminals, whatever. I would see something in the newspaper once in a while, but this was the first time where we were on stage and saying, we can do good. Like hackers can actually do the good side. Besides the adversarial, we can educate people and do stuff that we think is helping. And I think that was really important. It was sensitivities. That was, I've got a mic. You're the only one with it on you. It was one of the first examples of cultivating sensitivities across the chasm. Hackers were criminals. That's the only way we were referred to in the media. It's actually kind of how that whole thing came about in a strange way. And on the government side, we knew that there was some overlap where we all wanted the same thing, but we didn't want to become government. We, the government sure the heck didn't want to become us, sort of setup. So why can't you just ignore the other parts and like figure out how to make progress in the areas where you both have interest?
One of the things that actually worked really well out of it, which took about two years afterwards, was that the Senate testimony was leveraged to introduce verbiage into PDD 63, Presidential Decision Directive 63 under Clinton, which stood up the Scholarship for Service Program. So if anybody went to one of the 73 colleges and got tuition and then later had to go work for the FAA, FCC, FTC or anything else, but had your tuition paid for, that was largely driven by that Senate testimony as an exemplar of, this is why we need smart young people, not just the old, like, you know, old guard and the bureaucrats and the policy wonks, which are very valuable, but maybe didn't know that new thing coming in. So it was an awareness sort of setup. Historically, the government was being briefed that, you know, like it was the Cold War, that if cyber was coming, you'd be able to see it the same way you'd be able to see missile silos built up, that it would take 10 years, that you'd see large movements of, you know, equipment and funds and everything else and you could track it. And this was different because it was like, you know, here are some kids in Boston who did nation-state stuff out of dumpsters as far as they were concerned. And they did it in a matter of months. So what does that do for your threat model? And I think that was probably the biggest wake-up call for the government.

How do you think things have changed since then? Well, is this thing on? Okay, I think that definitely, that exploits have definitely gotten significantly harder to write over the last 20 years. I remember writing a lot of the first early Windows exploits, and finding bugs was something that I literally stumbled across. It was not something I had to search for. You know, exploit trading for cash definitely existed, but the sort of nation-state support for exploit marketplaces and things didn't exist back then.
So as the vulnerabilities have gotten harder to exploit, the relative costs and price associated with an exploit have skyrocketed. It's simply skyrocketed. So exploits also didn't usually require nearly the amount of chaining that we have to do today to actually fully exploit a system. You know, all of these layered defenses have really raised the bar on attackers and had an effect. And the most well-funded attackers are still finding that the lowest-hanging fruit is uninformed and unlucky users who happen to click on the dancing bears. So, but that said, instead of like phishing people's email, just email, or making a crappy phone call, you've got online forums and SMS texts and whatever it takes to get to people. Tinder, I don't know. There are a lot more opportunities to phish people these days because of our increased connectedness. So while it may be harder to exploit things, it has become easier to exploit people over time. That said, on the plus side, far more people are aware of the need for security these days. Even a grandma on Facebook knows about hacking and might even know what phishing looks like. Two-factor authentication is available in many places when it wasn't. But that said, still surprisingly, not on a lot of banks. You know, of all the places that should happen, more banks don't have it in enough places. In video games? Yeah, yeah, right. Video games have it, not your bank, I don't know. And yes, SMS two-factor sucks. Please, everyone stop using it. So yeah, I mean, I definitely, the profile for the attacker has changed in terms of the amount of work. It took me weeks to write a really good weaponized exploit back in 1998, and now it would take nine months to write something that went from initial injection point to full control. I guess it's a hard target, yeah. Like it's our target.
One of the things that changed, and actually since we have two folks from Veracode here, and this goes back to SLINT, which was the original Lexical Integrity source code checker that kind of maybe helped you guys a little bit with the idea there, was at the L0pht I wanted to do this sort of like Consumer Reports thing, and say like, let's look at software, whether it's binary, whether it's source code, and say like, tell people what's good and what's bad. And the problem was there were no examples of good, everything was just crap. And you can't go out there and give people actionable advice by saying like, well, if you're gonna choose web browsers, well, you've got CERN's browser and that's it. And it sucks, so there you go, you're welcome. If you want a word processor, you've got this one option and it's crap, so you can't do it. Now we actually have examples. I mean, Windows 10 was a huge step function for Microsoft as far as hardening. You've got Chrome. You've got a couple of good examples that show that you can do solid build quality, really hard targets. I mean, at the same time, for every one of those, you get like a thousand things that just don't do it that are out there en masse. But now we have examples of good and bad. But beforehand we didn't have examples of good. Plenty more examples in general. Now it's all indexed. It used to be that if I wanted to exploit every single network driver on the planet, I would go find a bug in MSDN's example code because everyone would cut and paste that. Now if I want to do something like that, I go to Stack Overflow and I find bugs in Stack Overflow samples because people are just going to cut and paste that. If you want to find bugs in ICS stuff or SCADA DCS stuff, Stack Overflow, seriously, you'll find poor. Look for the resumes. And people will post examples of what they've done in code in those embedded control systems. Yeah, and then you just look for where they worked.
So, and by the way, GitHub is the new Pastebin. Anyway, I think another dimension of what's changed is definitely the adversary space. Senator Thompson asked us when we were there, he said, could a nation state hire a group of hackers such as yourselves and hack the United States? I don't think he would ask that question in 2018 because it's in the news every day. But it was actually like a theoretical thing back in 1998, will governments do this? And yeah, of course our answer was, yes they can. Well, a funny thing was the National Security Council visiting the L0pht prior to the Senate testimony, where they all huddled out in our parking lot and we all got freaked out, so we ran over and we said, no, no, we just invited you in. That was a huge extension of trust sort of stuff. You have to, you know, you can go back to your SCIFs in Washington and talk all you want. You have to tell us what you're talking about in front of us, like huddling. And they said, well, this blows our threat models. What you've done, we always thought was only nation-state capable. And so we were wondering if any governments have approached you yet. And, you know, the answer was no, but if you'd like to be the first, we're willing to entertain offers. And luckily they laughed. I think that's the time when we gave them the L0pht root beer also, and all of them got headaches and stomach problems for the next week. Everybody got sick, thanks Joe. It's amazing they invited us back. But yeah, still poisoning the government and National Security Council en masse, yep. Going off of what Weld said is that, nation state or not, like attacks are so common now, where back in the day they weren't; we're like, we're so desensitized to it and we're naming our bugs and we have giant presentations about it and it's like a real circus. But an attack happens, you know, stock price goes up, there's a media frenzy, stock price goes up and then everyone goes back to work and then you do the next one.
So it's like really this very different cycle. Related to the tools, you know, like we were creating our own tools and we were getting stuff out of dumpsters and reverse engineering things that weren't available, the documentation wasn't there; now everything's online and the tools to do stuff, especially from the hardware perspective where I'm from, the resources are out there, you can get every tool you need to hack hardware for under $100. I mean, we went dumpster diving for documentation on more than one occasion, but now you can just Google for it, so. Yeah, so that's, you know, I think it's the access to information and the resources, which is great and possibly, you know, for people on the defense, maybe not so great.

So one question before I let the audience have a chance. How did the testimony, the invitation to come to Congress, happen? That's a point of debate. Yes. It's actually really not a point of debate. No, it's a point of debate. We can have it. Okay, well, as we'll tell you. Yep, well, I mean, what had happened was, at the L0pht, we were trying to do it full-time. So we actually had a couple folks on early payroll, and I was going out. This is pre-payroll. Well, actually, yeah, that's right. Well, L0phtCrack was paying a little bit of stuff. A little bit, yeah, we got press. Yeah, we were getting a lot of press, and that's actually what kind of started this in my mind. We were getting a bit too much press, and I was really worried. This was, remember the MIT thing, where I had to sit up there against Annette Day, who was the FBI director, or the cyber crime FBI part, and this was Hacking for Girlies when they had hacked the New York Times, and so I'm sitting on a panel, you know, that MIT had invited me to, all the L0pht guys were there, Tan was there. You know this one really well.
And the FBI Boston cyber part says, like, we're investigating all the leads, we've already talked to all the relevant people, and so I open my big mouth and say, on the same panel, no you haven't, because if you look at the source code on the hacked page, it calls out greets to the L0pht and Mudge, and I'm sitting here on the panel with you, and I'm telling the audience that you never talked to me. You know. Didn't go over too well with the Boston FBI. We were also making like a lot of news, you know, the local NECN, the cable news, and stuff like that, and I honestly thought that we needed a contingency plan, so I actually started to go out to the government, and very quietly I started to advertise that I would train, and you guys remember me going out to a bunch of these, Air Force Information Warfare Center, you know, Quantico, NSA for I4C4X groups and stuff like that. Anybody in the government could get me to go out and I would educate them and train them, just on tech stuff, and I would not take any payment, because I didn't want them to have chains or strings to pull, sort of stuff, and the goal was, I figured that the FBI or the DOJ was going to at some point, just from the media, try and make an example out of this, and like pull us up and make some big sort of, like, we got the hackers, you all know about them, sort of setup, and if that happened, I wanted to be able to, like, reach out to the folks at West Point, and have, like, you know, colonels and majors show up in uniform and say, no, these guys aren't the bad guys, they've actually just been very upfront and helpful.
Through that, I ended up briefing the National Security Council several times, and became friends with Richard Clarke, and then we had the meetings with him, and then he became kind of a friend of the L0pht, and he brokered it with the Senate, and he and I kind of talked a lot about that, and I was uncomfortable with it, and then they reached out to us, and then I had to broach it with the other L0pht folks, and I remember Weld, just familiar, and Tan with some of the back stuff. I didn't do a great job of sharing it with all of the L0pht folks, but it was kind of prepared, because we were not going to go into the Senate and get ambushed and just get raked up and down the hills. It was going to be friendly, or else we weren't going to do it. We were very scared ahead of time. You were terrified. Walking into that room, what kind of reception we would get, right? I think it's one of the reasons why I demanded everybody wear a suit, because we didn't know if we were going to walk in there and have the Senators call us all criminals, right? He did not have a suit. He wore his father's. Yeah. And I haven't worn one since. I mean, we were assured that it was going to be a friendly meeting, but we also in the back of our minds felt, you know, we could get in there and they're just going to call us all criminals, and what do we do then? Because if you watch it, you'll actually see that it was Senator Thompson that says, like, I'm informed that you think you can take the internet down in 30 minutes. I was talking about my BGP work that I was doing at my day job, which was a government contractor at the time. And there's no way that they would have known that had it not been the fact that, in the day job and the night job, I shared that with the folks in the National Security Council. So I mean, a lot of these questions, you know, were sensational, but they were relatively safe. And it was a little weird because we were still terrified. But we worked out for sensitivities.
I think we did a good job preparing the written testimony, because looking at that, like, the spoken, for me, I'm sort of embarrassed about, but you guys were fine. The written testimony was like a really good description of what could happen. And so we had prepared that in advance. I think we had to send it to them a little bit in advance. So we didn't know- It's still public record if you can find it. Right, it's in the public record. So we didn't know how they were going to react to us, but by doing that, it put something into the public record that actually was going to stick regardless. And John Glenn obviously messed up a little bit when he was like, and I've worked with some of you, and I'm like, oh, Jesus. So one of the other interesting things about it was, we only agreed to do it if we could testify under our hacker aliases. And we just almost couldn't believe that they allowed this. They said the only people who ever testified before under their aliases were in the witness protection program, which might not have been a- This made expense reimbursement really difficult. This was hilarious, and I might be giving away a little bit of OPSEC for it. I mean, these guys all know this intimately. I hate flying, I'm petrified of flying. And we wanted to go to the NSA Crypto Museum. And if we took a train, we weren't gonna get to the Crypto Museum before it closed. So we rented a Dodge Ram 3500, you know- Like an 11-seater van. Yeah, 15-passenger van, black tinted-up windows, and, like, Brian Oblivion and everybody else, like the hardware guys are like, let's put in antennas. Let's actually, like, map the Northeast Corridor. The thing looked like it was a SIGINT sort of van going on. This is 1998. And there's a story about taking the wrong turn, which I won't go into, when we went into the NSA wrong entrance, with a van that looked like SIGINT. We really fit in, because we had all the antennas. They didn't know what to make of it.
But when we get down there, they were like, you know, we're checking into the hotel. And it was Ali Anderson, Bob Baderant, you know, CCD, DDE, FF. And the weird thing was the hotel was like, yeah, we've seen this before. You're going to the Senate, aren't you? So the other thing under the hacker names was, the reason we did that was because we were protective of our day jobs, right? Like we were going to be talking, we didn't know how the vendors and the partners of the companies we worked at were going to take this. Well, we did know how Microsoft used to handle it. Yeah, Microsoft, you know, because obviously they can pull strings with your employer, right? But it didn't work out so well, because there were reporters there with cameras and our picture was on the front of Internet Week when we got back into work the next week. My picture was on the front of the Washington Post. Washington Post, yeah. I mean, the handles, though, weren't just for day jobs, because not all of us had day jobs. But... Some of us weren't old enough to work yet. But the, you know, we were pissing a lot of people off because we were seven kids in a warehouse, and you had some professional jobs still, but whatever, it was, we were, I remember reading some mailing list posts of people on, like, you know, academic cybersecurity, whatever we called it back then, lists saying, why don't you guys come out from behind your handles if you have something to share, and whatever, and we're like, well, we're sharing the technical information. You don't need to really know who we are. We're the L0pht in Boston with Kingpin and Mudge and this is what you need. But it was also a protection mechanism just in general, because we, you know, what we were doing was not normal. Also, even at that point, we had built up a considerable reputation individually and as a group under those names. And if we suddenly started using our real names, nobody would know who the hell we were.
Well, what are the reasons you don't give up the names? If you remember when I went down to the Clinton round table in the White House for that, and this is where my name actually, because I had done, I thought, a pretty decent job of never having a picture of me, never having my name on the internet or whatever. And so I get invited to go down because Dick Clarke goes like, hey, you guys have done good, Mudge, why don't you come down and meet with the president for this sort of photo op. This was right after Spakledraw, the big DDoS sort of stuff. And to go into the White House, you have to always give them your social security number and other stuff like that, because they wanna check, it's embarrassing if you owe child support or if you have warrants out for you and you're being invited in to see the president. They gave that list directly over to the media. And so I had my name, they don't give the social part, but they give the names. And I get a call from a reporter, I'm back in Boston, and they're like, hey, Spakledraw, I just got this sheet from the press corps at the White House and it has everybody's name on it. Is Mudge really Peter Zatko? And I'm like, I was like, okay, thank you very much. I hung up and I immediately called you. So I called the National Security Council going, he just blew my cover, and it goes to the White House Communications Agency, and they're like, oh, we'll fix it. So what they do, yeah, they fixed it. What they did is then they sent out to the same press folks the exact same thing with my real name replaced with Mudge. On the exact same thing. Now, I got death threats from the hacker community because folks were like, hey, you're a sellout. What are you doing? Are you a fed? Are you a hacker? I mean, look at all the stuff that contributed open source or whatever, you look at the CFT. You can see why I'm doing it, I hope. But yeah, this is part of the reason why you don't want your real name out there sometimes.
I mean, that wasn't a lot of fun as, like, a 26-year-old getting random phone calls to my cell phone, even on cell phones that nobody else knew, because there are some good phone phreaks out there. You know, threatening your life. So you guys prompted some interesting newsroom discussions when I was reporting on your activities, and my editor would say, okay, so we're supposed to identify people with their real names. So who is Space Rogue? We need a real name, and I'd be like, well, but that's the name that I have to report. That's what they're giving me. So I had to do some education that this is a new type of world, a new reporting era. And so that was really fun in the newsroom. Not just the media. The academic journals had to do the same thing. I published papers with Bruce Schneier and David Wagner, Microsoft's crypto stuff that I worked on. USENIX wouldn't accept my judged and vetted paper because they didn't have my real name on it. I don't know if you remember the... One of the Federal's papers? Yeah, I don't know if you remember this, Eleanor, but I think you specifically asked me what my real name was. And I was like, you know what, if it's good enough for the US Senate, it's good enough for WIRED.

All right, so let's take it to... Anyone have any questions? All right, so we're gonna take some questions. I'm gonna ask... Really? Come on over. All right, anyone has questions? Please queue up right here. Hey, Render. I hope it's... At least it should be a friendly question, I hope. You never know with him. Well, you wonder who was sending all those death threats and everything. No, I just wanna say all of you are directly responsible for me. Is that... Sorry. I don't know if we should take credit for that. Now, formative years, you know, late '90s, there was no... There weren't a lot of examples out there of what to do with these skills and these interests. So, you guys were the only thing out there. And I think you did a damn good job. So, thank you very much.
Thank you. And if you agree and you think that these guys, like, you know, helped form who you are, please stand up. I wanna see. You are responsible for all of this. Yeah. And some of these people probably weren't even born then. Thank you. Thank you for everything you've done. That actually means a lot, because when we were doing the L0pht, I mean, especially when we were trying to figure out how to fund ourselves, we looked at going into government contracts and we looked at any sort of funding thing where we wouldn't have to become, like, a commercial entity. And it's honest to God why I did Cyber Fast Track when I went into DARPA, because I'm like, I want what we needed at the L0pht in order to keep doing good stuff available for other folks, even if I don't get to do it. And actually, some of the guys actually did, you know, get to take advantage of it in there. And the biggest thing was, it was a pain in the butt for us to figure this out, and it shouldn't be that much of a pain in the butt for other folks, because they should be able to do it more easily so they can figure out the next thing and take it further. And like, that's the whole sort of thing. It's like, how do you get the next team and inspire them, or the other people, and not make it as difficult? And you've released a lot of really good stuff and a lot of other folks in here have released a lot of really good stuff, but it's good stuff. And that, well, that's why I think we were successful, is that other folks who think that, or that we might have inspired, did neater stuff than we did. And I mean, look how DEF CON has grown too, like we were standing on the shoulders of other people and inspired by other people. And then it just keeps growing and it's like this exponential growth where everybody can do something, right? It's amazing. So it's just gonna keep going. And you know, I feel like it was just a little...
Yeah, it was 8LGM, there was LLDA, there was a whole bunch of stuff that we were just a little piece of. And it really is, yeah, I mean, it's an honor to hear that, and other than feeling old, thank you. But it's amazing, yeah, so thanks, thanks.

What'd you guys screw up along the way? What did we screw up along the way? A lot. A lot. Yeah. A lot of stuff we'll not talk about. Yeah. Is that it? And you'll notice that @stake's not being talked about a lot, although it actually was really important for a lot of other areas, but it was very personally painful for all of us. And that's just... Yeah, I don't wanna say that was a screw-up, but it was definitely a learning and growing experience. Yeah, I mean, I tell people that I wouldn't have changed it, like, even though it was hard. Yeah, it is what it is. And it is what it is, and we were trying to do something, we wanted to fund ourselves and we were trying to do something nobody had done. There were not soft security consultant companies. For those that don't know, @stake was the commercial entity that the L0pht turned into after we got VC funding or got bought, over a way around. Pack ourselves out. And then that all kind of fell apart. But we wanted to do it full-time and we took a risk, and nobody, it's not like we could follow the path of anybody else, we didn't know what happened. And yeah, there's a lot of personal stories. There weren't a lot of vendor-funded security companies out there at the time. Yeah, especially in the middle of one year. It shaped a lot of what we did moving forward also. I'll tell you one of the things I always wonder if I did right or not is I kind of buried what the take-the-internet-down-in-30-minutes was. And I did that during my day job, I did it during my night job. I didn't even really share a lot of it inside the L0pht, with, like, the BGP update attacks. There's a whole bunch of tricks with putting, like, the target inside an AS set so it gets discarded.
There's a lot of, we're seeing it now in the media and it's a very viable one. And actually, if you go back through, like, a Potaris or some of the other Route Views sort of things, you can see some interesting nation-state stuff going on if you know what to look for. And it goes back almost to 1998, which was interesting. And I always wonder if I shouldn't have actually released a proof of concept for that. I'm still wondering. Maybe now, but not then. Well, I know, well, now it's actually more like an hour and a half rather than 30 minutes, because of all of the private peering exchanges and the IXPs and stuff like that. But yeah, that was our big thing, was you can't hide behind it, you can't make it opaque. Here's how it works so both offense and defense can understand it. And there was a lot of confusion about that and a lot of sensationalism. And I always wonder if it shouldn't have been backed up with an actual 0day release. So scary. Uh-oh, uh-oh. Hey, guys. Stand down. The table recognizes Deviant Ollam. How do you do?

I guess I wanted to ask about the changing landscape, both of the hacker community and the world at large, because people, my first question is kind of easy because I think it's a no. Could the L0pht exist today? Or we think of the L0pht, we think of Hacker Halfway House. We have, like, maker spaces and hacker spaces, but a lot of younger people could see you, like, oh my God, I wanna do that. But that isn't really that anymore. If people want to share minds and maybe even crash together, or maybe not, maybe that's enough. What is feasible for people who really wanna collaborate in this economy and in this time and in this job market, and could the L0pht exist today? Or what is it now? What should other people do now? I mean, look at all the hacker spaces that exist all over the world, and they're not exactly like the L0pht, because we were much more private and careful with what we were releasing and sharing.
Private just as far as like people could come over. We wanted to be physically located. We wouldn't have virtual members because of the direct interchange when we had like group meetings and stuff. We couldn't do virtual back then because virtual didn't exist. But the hacker spaces that exist are in different regions around the world for people to get together, like-minded people to get together and work. It's not exactly the same. It was just that particular time, I feel like we were lucky that the seven of us plus Silicosis and Dildog when they came in later like- And Stefan. And Stefan, we just happened to all click and it just worked because there was a lot of other people in the Boston community that we hung out with and did stuff with, but for us it was just a really special sort of lucky thing. Maybe it can exist. I feel like there's more kind of commercialism of it, because we were doing it and we didn't expect to make money at first. When we wanted to, we tried to by selling t-shirts and services and stuff, but it was- L0phtCrack and AntiSniff. Yeah, I mean, we weren't planning on doing that, but now it's very financially driven, I think a lot of times, and you can do things on your own and have a hobby, but if you wanna survive, you have to promote and do things that maybe aren't more sensational than- I'd like to just go and say, yes, it can. And here are the examples. Chaos Computer Club, right there. Tool, right there. Fantastic examples of that sort of hacker mentality at a much larger scale. You wanna look at specialization as the stuff that Dildog really started to go into. Project Zero, I mean, who doesn't wanna be a part of that sort of setup? So it exists out in that sort of philanthropic sort of thing, that sort of open thing like CCC, it exists inside of organizations like the Google Project Zero sort of stuff. So yeah, I think it's even better than it used to be.
One observation that I've got on that is that many times the availability of the internet and interconnectivity has allowed people to collaborate on shorter projects, like individual projects. We have repos now where people collaborate. We have Slack channels where people collaborate and they usually, they might be overlapping from certain groups of people, but you'll have people working together for a single purpose as opposed to simply just having a group of friends that hang out. So instead of being people and sort of place-oriented, a lot of the organization these days is project-oriented and outcome-goal-oriented type work. I can't count the number of Slack channels that I'm on now. And just all for different kinds of purposes and not necessarily for the purpose of making friends and being a close-knit group, but for helping to bring something to bear to help solve problems, to push some agenda forward, to make some software that should exist a reality or whatever. But I've just found that it's easier to like make small bubbles of projects and work on and iterate on those. So I'm gonna actually comp the mic. So I have a day job and we actually had Keren Elazari at our conference in Washington. And one of the things Keren talked about was that corporate environments in corporate America need to embrace the hacker community, the security community. Because a lot of the clients that I talk to still view all of us as enemies. And I'll walk into a client meeting and I obviously don't dress like this and people like I know you from DEF CON and I have to say now that's not me. Because there's still a perception. And like I bought my daughter a t-shirt and she goes to school and people go, oh, aren't hackers bad? And she knows the answer. No, hackers are people who get stuff to do things that the creator didn't think could be done. Right? Do you have a question? Yes, the question is. I specifically told you before you got out here. Oh, but I can't moderate myself.
So what are your thoughts on how we can better get that sort of... The sensitivity. There's a relationship between what we all do here and what businesses do because we're in conflict more than not. This was actually what drove Cyber Fast Track. And a lot of folks don't know is that I would get pings from NSA and the White House periodically saying, you seem to be a day walker. You're friends with the hacker community. You may or may not have a whole bunch of clearances, sort of stuff like that over here. How can we trick them into doing work for us because they seem really clever? And I'm like, did you really just phrase it that way? I mean, this is how you make new adversaries. And I think the thing that worked the best is not embrace the hackers or whatever. It's to recognize that it is another group of people and they're different. And you don't have to turn them into you and you don't have to turn into them. So if the lost city of Atlantis just pops up out of nowhere and has significant capabilities, you don't go like, oh, we gotta make them become Americans. And you don't say like, oh, we have to just attack them. You don't know what it is. You build out a relationship and you figure out where you have like goals and similarities and you focus on those and you let people be themselves in the other areas. That's what worked. That's where, I can't tell you how many times I had to send back nasty emails and Keith Alexander and I went head to head a number of times on this. But I don't think you have to embrace it. I think you have to respect it and figure out where you have like overlaps and where everybody can move forward without trying to co-opt people. And so you're like, oh, cut your hair and become a government person or the hacker way is the only way. Where's my hair person? But I think it's funny that you say that because I don't go into a lot of corporations but I feel like we've done a really good job as a community to share the good side.
And what I get from people when I do, when I do go into organizations, they say it's nice that somebody's here that has a different perspective, right? Because so many people are in their silos, they're working, they don't go to DEF CON. We sort of think it's normal to come here, but it's not, right? So having that perspective, it's much better. You may not have noticed, but that's not well-drill hair either. Yeah, you're still wearing your wig, you know. You're on there. Yeah, so I think coming in and having a fresh perspective is okay. It's just trying to maybe convince people that that's okay. But we feel you. Yeah. All right, thanks, Render, for breaking the seal on this one, but I just want to say, you guys, you're the original bad boys. You're the original sort of hackers and you guys went through ups and downs through the years. Here you are all these years later and you're doing good. You turned it around and you're doing good for the community and for our industry. And I just applaud that because it paved the way and showed that it's possible. No matter how you started out, that you can turn it around, and you can encourage the community and do awesome things, so thank you for that. And yes, there is a question. But folks should realize that means a lot to us because that's Johnny Long from Hackers for Charity. Yeah. So hearing that from you, given that that's how we feel about you means a lot. Thank you. Yeah, thank you. You guys showed me that it was possible, so it really encouraged me, so thank you. But my question is, let's assume that you weren't the good guys. How long would it take you to take the internet down today? Well, Connecticut or? Well, it's actually, we got that a lot right afterwards. And it was weird because we wrote that a lot, but honestly, I mean, I honestly didn't even share a lot of the BGP stuff inside of the L0pht.
And a lot of the questions were, well, if somebody could take the entire internet down, why haven't they done it to demonstrate it? And even back at that time, you saw people hijacking prefixes. You saw people redirecting it. I had a friend at MIT that used to periodically take the East Coast and just route it to a dorm at MIT in order to saturate the lines just to mess with the other dorms over there. You know, the L0pht web server was physically at MAE-East. It was on the FDDI ring at MAE-East. So we knew from whence we spoke. We had a friend who actually put it there for us, free of charge, which was nice. The MD5 components were all zeros for everybody for the shared secret in order to talk BGP for the national access point. But what people didn't realize is there's no value in actually taking down all of the internet because then you take down all of your targets as well. If I wanna go into a foreign area and do a strike, why would I black out the sky so I can't fly in there myself? So the problem is that you can still take it all down. It would take a lot more because of the cascading effect and some of the dampening. And there's a little bit of RPKI and some 3379 BGP-ish sort of stuff, not much. But by going to private peering points, they've made it really easy to go in with a scalpel and take out individual areas, reroute it, and nobody else notices. And we're seeing the crypto hijacking for the mining pools happening. We're seeing that places like Iran and other areas occasionally leak their route advertisements out. It's probably not even a hijack. It's because they're intentionally routing the stuff through their own monitoring infrastructure. Remember that time North Korea just disappeared from the internet for like, how long? I have no recollection of what you're talking about, Senator.
There's another aspect to this question because after we did the testimony, we had several people come up to us and say, hey, I heard your testimony, you've picked on the internet, blah, blah, blah. Was it because you could do X, Y, and Z? And we'd be like, well, that's not what we were talking about, but that would work. That would work too. And so at the time, there were multiple ways to do what we were talking about. And are there other ways that we don't know about to do it now? Maybe. I mean, I think you're seeing it being taken down in a very interesting way by social media right now in itself. Thanks, John. Hello. I'm guessing you guys all have a lot of experience with the law and being on the good side and the bad side. So my question's kind of around that. The Supreme Court came out with a decision a few months ago, and this is my translation of what I read, was police need a search warrant to go track down a cell phone, but the government for national security reasons don't. What do you think of that? I think it only applies to geolocation information. In other words, where the location of the phone is and tracking of it, if I'm remembering the court case properly, no? I thought there was more to it. I'm sorry, I thought there was a lot more to it because it rambled on. I didn't follow up on that particular case. Okay. I definitely wouldn't say that we're all caught up on the law. How I ended up in the law is I got arrested as a kid because I had nowhere to do what I wanted to do and these guys accepted me in. So no, the law is, I don't think, I don't know how much we've actually paid attention. At least I haven't paid attention to it even now because I would rather do something I want to do and share it and then pay the consequences later than not be able to do it and then not be able to read the information. 
So literally I was a senior official of the Department of Defense and I funded about 180 different small projects from hacker spaces and individual folks. I did have to follow the law a lot and in particular a lot of US codes for Title 10 and Title 50 in addition to CFAA and Electronic Communications and Privacy Act sort of stuff. I'm not familiar with that particular case so yes, some of us had to follow the law and that's why we became midnight basketball for hackers for Kingpin. So I will say though that since you brought the legal question, there are a lot of issues that occur at the federal level and the state level that can require a different viewpoint for input, okay? A lot of the people who are writing these laws may not have the vision to see all the angles that a specific law or rule may impact and that's where we can come in as hackers, right? We can help inform the lawmakers of our point of view and how we think that certain proposed laws may impact us or other parts of the internet and so one call to action that I'll give now is to get involved in that process, right? Call your senator, write your representative. Seriously. It makes a difference and if you hear about a law or a proposal that's getting put forth, let them know that you may be an expert in that topic and are willing to talk to their staff and their aides. Or at the very least give them your opinion. Give them your opinion, write the letter. They assume for each call that there is 100 people who didn't call. Now might be a great time to tell every congressperson that you can to go ahead and read Matt Blaze's paper on the safety of secure voting machines. Yeah. That's a key topic right there. I mean, I've done several briefings in DC for different staffers of different representatives and senators and they eat this stuff up. They really do because they're hungry and thirsty for that knowledge. For data.
They don't have any other place to get an unbiased third party opinion that's not paid for by a lobbyist. So if you can get those meetings, you can write those letters and let them know your opinions of whatever bills are being crossed. It makes a huge difference. And even more importantly, give them your opinion. But if you have data points, nobody's bringing data to this game. Our industry is the only industry that doesn't have clinical trials and ground truth and anything else. You bring numbers or other things. You stand out. Give them your opinion. For God's sakes, if you have data or if you start to measure stuff, that's how I rebooted DARPA. That was the entire framework. That was the 125 lines of code malware that took half a billion dollars away from Keith Alexander and redirected it. Cause it was like, well, we brought data. What do you have? Well, you got an opinion. That's great. Here's data. That actually leads right into my question. If you guys were invited back to the Senate now 20 years later, what would be your main message to the senators? Chief Speaker. Somebody to choose from. Well, we sort of did that. We did that a couple of weeks ago, months ago. Yeah, a couple of months ago. But it wasn't directly with the senators. It was with staffers. Staffers. You know, it was basically what had changed, what hadn't changed. And you should watch the video. I mean, there. I guess a big message that I would like to bring is that we've come a long way in 20 years, but we've got a lot longer to go. Long way to go with what we're doing, especially with the rise of new technologies like IoT, the risk in electronic voting. We've got other issues that we need to talk about. So we have come a long way in 20 years. We're not dealing with the same old doom and gloom, but we still have a long way to go. And my personal campaign is, don't stamp things with safe or not safe. Don't do, and you know. It's unhackable.
You know, like a UL seal or a FIPS 140, sort of like does it pass or not pass sort of thing. Give them a continuum. Give them a fuel economy rating. Give them a crash test rating. Give them the nutritional labels on the food so folks can make informed decisions. Give them transparency about the libraries that are coming with it. Something that is measurable because all of the other industries have this, and we don't. And I have nothing for or against, like FireEye versus CrowdStrike versus, you know, Carbon Black versus whatever. But like, they all say they're the best and they're all very different and you're putting them in your environment. I mean like if you went to the grocery store and you're like, well, all the food is just food and there's nothing else. No other information. And your doctor's like, don't you dare have sodium because you're going to die. You're like, oh, this looks pretty good, and bacon. If there's no information, you can't make an informed decision. So that's what I'd actually talk to the senators about. It's like, that is something that the government can do a little bit. And I wouldn't use liability, like we said during the first time, that went over like a lead balloon with the Senate. I'd say like, you know, incentive structures, you know, or other ways of like encouraging people, maybe giving them tax breaks or whatever for organizations if they gave that data so that folks can make their informed decisions, because one size doesn't fit all. It's all how you word it, right? Yeah, I think the other thing that we sort of touched on in this meeting here and something I think that I would spend more time talking about is they had asked us like, well, what can we do for legislation? And sort of the answer was have less of it, get rid of DMCA and don't prevent us from doing security research because we're the good guys. We're still the good guys.
So I think that would have to be a big point of like letting them know, you don't need more laws to make stuff happen. You can kind of lay back a little bit and let people get some more freedom to. Well, that was an interesting time because HR514, DMCA and WIPO, World Intellectual Property, you know, stuff was all coming out. So our big message to them then was, do not make it illegal to see what's in the sausage. You know, because that's what they were gonna do. And I think today, unfortunately, kind of the same message except now it's advertise what's in all the sausage so that folks can figure out whether it's kosher or not because it matters to certain people. So this is a tweet from Dan Kaminsky in 2014. For an industry built on layers of abstraction, there is a remarkable lack of historical awareness around older technical design decisions. In the context of the cloud and DevOps development, do you think that's making the problem worse or better? Could you repeat that? Yeah, sorry. We missed a little of that. Sorry, did you get the tweet work? Just swallow the mic also please, we can't hear you, thank you. Right up there. Okay, Dan Kaminsky, 2014. For an industry built on layers of abstraction, there is a remarkable lack of historical awareness around older technical design decisions. In the context of the cloud and DevOps development, do you think that the problem is getting worse or better? So some of these foundational things that everything still sits on have really not been fixed. Like BGP still has problems, DNS has problems, the whole SSL certificate system has problems. And this is something that we talked about when we talked a few months ago up at the Senate, is it just seems like we're just sort of biding time and just hoping everything just keeps going okay as we become more and more dependent on that technical infrastructure. Every year that goes by we're more dependent.
I don't wanna be dependent on that when the only doctor that can operate on me is doing telepresence across the planet and someone launches a BGP attack. So we're getting more dependent on this stuff but no one's really going back and doing a good job trying to fix the foundations. And I think the hacker community and InfoSec in general has a pretty short memory. So because there's so much information coming out, there's what, 500 something talks just at DEF CON now. And it's hard to sort of know what the prior decisions were or even prior work. So we're seeing repeating stuff and I don't know if there's a way, cloud or not, like how to consolidate that in some way. And I know the Dark Tangent's trying to do it with InfoSec.org or something to harvest all of everybody's talks from all over the world. But I don't know how we can have a cohesive memory of like our entire community or something. I think that's what you need to learn what happened in the past. What's that? A lot you might wanna forget. A lot you might wanna forget but oh you know what, maybe we should just put everything in like blockchain. Ha! Ha! Ha! Would that work? I'm a hardware guy. In terms of, you know, the processes by which we write software and things changing over time, it used to be that you simply did not find out about security issues until software was polished. These days we find out about it sooner and sooner because of the availability of various types of testing. I made it my business for like 10 years to write static analysis software that could make it easier to find flaws before they went out the door. But that was met with a lot of resistance by developers. To really continue to effect change in the future to improve the state of things, developers need to be more involved in finding their bugs and fixing them sooner. That said, there's a lot of friction there because the tools aren't very good for developers.
They're not written with developers in mind, they're written with appsec people in mind. And the profile, the use case for developers iterating quickly on code and trying to get things out the door quicker is, it disincentivizes security analysis. So coming up with tools that developers can actually use that are low false positive rate and fast enough to be part of their process is really key. I know I'm gonna go ahead and say this is something I'm working on actively. Today, I know that that's where I need to be in terms of developing tools. But in general, pushing the cultural envelope for developers to make it such that security is something that not only is something that they wanna do because it makes them feel good. I mean, other developers that I talked to do want to write secure code. They do wanna use tools. They just don't wanna have to be a pain in the butt. So meeting them where they are instead of forcing the hand through the security teams who won't let code out the door is really where we have to be. It's hard work for the security community to do that. It's been historically over the last 10 years we have simply said, you know, fix your code or by the time it goes out, you're gonna have your parents pull down or be embarrassed by all these vulnerabilities. But that's intellectually lazy on our part. It's simply saying that it's good enough to embarrass developers into attempting to write more secure code. That's not gonna attack the problem at scale. We actually have to help them make it easier. And that means becoming their friend. It means not being seen as an adversary to development. But one of the things that would actually help a lot for developers and DevOps and everything and then I'll touch upon the cloud things. I think that's a very important question. There's some sort of feedback. So if you turn it on like stack guards, you have no clue whether it actually inserted them or not. 
If you turn on FORTIFY_SOURCE on like a Linux system, you have no clue whether it replaced 90% of the weak functions that you didn't know that you shouldn't have put in there with strong ones or .005. And actually it's closer to the latter in a lot of cases. So there's no feedback for developers as to whether, you know, when they're trying to do the right thing it's having an effect or not. So I do think that's something that we could do a lot better as a security community is like providing feedback and measurements. On the cloud stuff, I'm actually really impressed with the cloud from the large providers. Not so much from the small ones. And it's because they're essentially getting fuzzed all the time by their users. So if you look at Amazon or GCE or anybody else, they're really hardened in a lot of ways, or Azure, you know, sort of stuff because they have millions of users who are doing crazy stuff all the time in the real world and also they're doing A/B testing as to what to roll out. So yeah, I actually think that abstraction at scale if it was like, you know, if you think of the world as AFL at large, you know, just, you know, as a Mechanical Turk version of AFL. Yeah, that's actually really useful for the large providers but the small ones don't get that benefit and they scare me. So cloud, a mixed bag. This is for Mudge. Tell us about the election hacking and your response. Does it have to be Mudge? Does it have to be Mudge? It doesn't have to be. Oh, it's a topic I've talked about a lot. So I've got a question for you. You got a question, go ahead. I've been wondering how, if you can tell me, I don't know, statute of limitations when they, you know, when that ends, but what's your most... Are you implying that we did anything that requires statute of limitations, ma'am? I don't know. You're at DEF CON, you're up on this stage. I don't know.
What was, what are your most, like what's your most fun or entertaining or memorable hack that you can talk about? No comment. Do you guys remember the midnight poker nights with Hobbit? I'll see you get off the bull ISP in Latvia and raise you a small internet connectivity area in the Gulf States for, you know... Okay, you need to shut up right now. But back to Space Rogue's election question. I think the thing to keep in mind when we read about election hacking in the press is that there's a big difference between probing a registration database and changing an actual vote in a real election. And there's a very big blurring in the media between, oh my God, the election was hacked or the voters were hacked in some state and whether or not a vote was actually changed. You okay? Yeah. All right. So what have you heard? So I just, I think it's important to keep that in mind and when you see these media reports of registration database was probed or copied or whatever, that's not the same thing as somebody breaking into an election and changing an actual vote. It's not the same thing, but all this in the media over and over again, votes are getting hacked, the systems are vulnerable with this, it makes it so that people don't trust the system. And I think that's partly true. Right, people don't understand that, so they're not gonna trust the system unless people are gonna vote. And there are actually people out there who don't believe our president was elected legitimately because they believe systems were hacked. There are people who believe that. And I think that's part of the problem. That's worse. Right? That was part of the goal is that they're trying to cause mayhem by forcing people, or changing people's minds. I'm not gonna get into who's day. It could be anybody, but a lot of the information that we're seeing reported in the media and I'm not going to 400 pounds. Not going there. There's a lot of people in that, now I've lost my plan. So actually, it's really...
We only have a few more minutes left. I just want to give a pointer to the answer there. Alex Halderman and the folks out of University of Michigan went over to Estonia. And what a lot of folks don't know is actually that was part of the Google project that I ran for Project Vault. And watch the video of an actual online e-voting internet sort of environment. It is amazing and terrifying and it is 15 years old and hasn't been updated. And it is still the exemplar of the best thing out there, which should make people pause. Bear in mind that the real election hacking is being done by our own government. It's called gerrymandering and you can vote against it. Yeah. That is the perfect point to close on. We should just drop the mic and walk out on that. So I want to thank all you guys. That was awesome. Go ahead Eleanor, sorry. One last question. If you, what advice do you have for hackers and researchers, security researchers today? Let's start with at the end of the line and just move this way. Advice for people in the audience? Never be afraid to get started on something. I oftentimes get into a form of analysis paralysis wondering if the thing I'm going to do is going to either make me money or be valuable or whether people will notice it. You just simply don't know. If it's interesting, get started on it, tear it apart, make it your quest to learn about that thing as much as possible, break new ground whenever you can. If you think nobody else has maybe done it, just do it and try to finish what you start. It's the hardest thing ever when you've got a million ideas but that's the only way anything ever gets done. I think my big advice to security researchers today is just be careful. There's a lot of companies that don't like you, there are laws that don't like you and that doesn't mean don't do it, please keep doing what you do but be careful, do some research on the laws, don't cross the lines, stay out of jail, stay out of the courtroom.
I'd say play the long game. I remember going out to talk to cadets when I was at the L0pht. Those cadets are now colonels and they actually have impact. Same thing with senators' aides. Same thing with CFT, I mean Kingpin came up at the end of my talk at DEF CON like a few years back going like, we didn't know what the heck, Mudge turned into the man, what's going on? And I got a lot of crap for it but then folks saw that no, actually, still kind of Mudge, trying to make the dent in the universe sort of thing. And you made it easy for us to take government money. We got one minute guys. So play the long game. Everybody else is optimizing locally, optimize globally and for the long term. I guess a lot of people ask me like what they should focus on in terms of people I work with that are actually coming to me to learn how to get more advanced in their security testing and everybody wants me to point them at something the company is using or would be useful or whatever but ultimately it has to be something you're really interested in because it's gonna take tons of hours of your devotion. So obviously focus on that. And then the other thing I would say is that it's really easy to get wrapped up in the excitement of things and make mistakes and today disk space is cheap and there's this concept of big data. Everybody's collecting data on everything. So a lot of things that we may have gotten away with as kids I think we got really lucky and it's definitely a much more dangerous environment out there for people. So make sure you are careful not to cross the line, more careful than I think kids normally are. But don't be afraid to fail either, otherwise you'll fail. So I would say I hope you welcome the newbies, be nice to them. They have imposter syndrome but if they're here, they wanna learn.
And the other thing I would say was network with people that aren't just like you, like people when you go back to the office, developers, UI people, managers, get them to understand how we think. So spread it a little bit outside our community. I think you just have to love what you do and it doesn't matter what it is but if you are passionate about something like that, that's really what you wanna do. You wanna find something that you really care about and you shouldn't be searching for money, you shouldn't be searching for being on stage, you shouldn't be searching for branding year or whatever. Yes, I know I'm up here, that wasn't the goal when I started hacking. But it's because I love what I do and if you do that, you can look around DEF CON and there's a lot of people that do amazing things that are not on a stage. They're doing stuff that you're not gonna read about in the news and it's all over this entire hotel, right? So you find something that you love and good things are gonna happen. Great, thank you. Thank you.