is Aldebaran. He's from DCG 613. That's 11613, the same one that Hoodie Pwn is from in Melbourne, Australia. He's presenting "What is GRC hacking anyway?" Alan is a self-proclaimed triple-A rated GRC hacker, having presented similar talks at DEF CON villages and PCI Council events. So take it away, Alan. Oh, by the way, after this talk, we're going to be open for just general socializing, hanging out, and talk. So take it away, Alan.

Sorry, I'm one of the DEF CON villages volunteers, like four years, I think. Is Alan AFK for some reason, or is his audio broken? Oh, he disappeared. I'm guessing he's refreshing. Yep, I'm guessing that's happening too. Because technology, technology. We call that the crunchy roll. Yeah, my browser quit, but this is me. I found most problems are fixed by refreshing the browser. Yeah, I found that. Welcome, welcome, welcome back, Aldebaran.

Can anyone hear me? Oh yeah, we can hear you fine. We can hear you now. All right, yeah. You couldn't before. I started and it didn't seem to, no one seemed to. Make sure you turn on megaphone too. It is on. Okay, let's just try to share the slides again. Remember to turn it up. All right. Okay, great.

Thank you very much for the introduction. And yeah, thank you very much for having me once again. It's an honor to stand on, I was going to say, this virtual stage once again, but this is a new stage. Sadly enough, the old one has been destroyed. But yeah, it's always good to talk to the DEF CON Groups peeps. Some of the nicest people you'll ever meet. And yeah, an honor once again to stand in front of you. My name is Alan Baranov, also known as Aldebaran. This is the first stop of what I've called my Excel Tour, a blatant rip-off of someone else's Eras Tour, but we won't go into this. And yeah, the first stop is Vegas, baby, in a manner of speaking. So I'm going to present a few stories from my life, which I hope will be slightly entertaining to some of you, maybe a bit inspirational.
And yeah, so I'm going to start off some of my talk by really digging into one of the best talks I've seen, by one of the kindest and smartest people that I know, Mr. Ray [redacted]. He didn't pay me to say that, but I did steal some of his talks. So I've got to say that he's a good, good person. And yeah, a good, good, good talk. I'll give you the details of that, but I'll go through what I got out of it. I'm also going to go through, if there's time, my April Fool's experiment, some of the stuff that I've done with the ComfyCon stuff, and where my life has taken me in the last couple of years because of that. And yeah, just a few thoughts about what I believe, what it means to me to be a hacker. And yeah, as per the title, I am a GRC consultant, which is probably the last person that you would think would be a hacker. And also, it was something that I really needed to consider, because I was very keen on starting up DCG 11613, Melbourne. And my question to myself was, am I the person to do it? Am I a hacker? And it took me a bit of thinking, a bit of internalizing, to think about that. So let's jump ahead. For what it's worth, yeah, I've become quite famous for most of my presentations, which I've done in Excel. And the ones that I don't do in Excel, people don't seem to remember. So that's why I stick with it. Yeah, okay. So yeah, I'm not going to give you any more background about myself. These are all my different social networks. I guess when I was setting up my Bluesky one, I really didn't think that people might actually ever want to take it down and see what it's about, because that's a very, very long one. And yeah, feel free to take a picture of the QR code. It's absolutely fine. Don't worry. It'll just take you to a rickroll. No, it won't. It'll take you to my LinkedIn. That's where it'll take you. Yeah, let's jump into it. So as I said, some of my talk is stolen directly from Ray's talk.
I thought it was inspirational and one of the best talks I've seen. It starts and goes through all the different generations of hackers. I highly recommend that you have a look at it. You can either find it by typing Ray and then "generations of hackers" or something to that effect, or the link is there at the bottom of the slide. He breaks it down into different generations. He goes into the different ones, gives you a lot of extra information about them. I highly recommend it. But what I got out of it: so he starts off with the first generation hackers. These are the kind of pre-electricity hackers. So the idea of Ada Lovelace. Ada Lovelace is an interesting character. I heard a story about it that while Babbage was building his machine, he kind of built it around the concept of a weaving machine. It used a lot of the kind of technology, the ideas behind weaving machines. And in those days, weaving was very interesting because different organizations had different ways of weaving, and the methodologies that they would use were all kind of built into cards. I'm not quite sure whether they're automated or whether they're manual, but they gave instructions on how to actually weave in the particular way that that organization wanted it done. They were very intricate and of course very closely guarded, because, you know, your organization did it in the way that you would want to do it. And Ada saw this and thought, hmm, okay, well, maybe you could use the same idea. And you could use these cards mathematically, and pretty much invented the whole idea of programming. And I think that's quite, quite amazing. You know, it was something that was there for people to see, and anyone could have seen it, but she did. And that, I think, is what makes someone a hacker: not seeing the world as it is, but what could be and what it might be.
In the same kind of generation, a little bit later, 50 years later, I think, almost exactly, or maybe 100 years later, I'm not sure exactly, Alan Turing came along, and he seemed to be the father of modern computing. A lot of people were computing at the time. But his ideas and his completeness of vision are pretty much still used today when we design computers. And his ability to take patterns and to understand how maths could be transferred into the real world and back again, I think, is pretty much what he's very well known for. In his day, professors, which he was, were not meant to get their hands dirty. They were supposed to kind of design the machines that they needed and then hand it off to people to go and make for them. But he didn't; he actually spent a lot of his time getting his hands dirty, fiddling around with machines. And I think that that is part of the hacker culture. So I think from that, the first thing I get, the first element of being a hacker, is seeing what can be, not what is, but what can be. One of the big things that's happened at DEF CON this year is cDc, the Cult of the Dead Cow, releasing their Veilid network. You know, people could have just accepted that companies run the internet today. But not them. They've released something that is more like what they want.

Right, second generation. The phone phreakers. So what I get out of the phone phreakers is that they were building a culture more than just the tools that they were using. And, you know, the fact that they were breaking the law and breaking into organizations. They're a bunch of weirdos all over the world. And they found a way to be able to speak to each other. I once saw a quote.
I'm not sure exactly where it is or who it's attributed to, but it said that nerds are people who use telephones to talk to other nerds about telephones, and probably use computers to talk to other nerds about computers, and internet people use the internet to talk to other people about the internet. That's what nerds are all about. And I think what the second generation inspires is, it's all about the culture, finding your people. Once you have bored to death all the people that are around you talking about the minutiae of something that interests you, you go find other people who are interested in the same thing. And back in the 60s and 70s it was not that easy to do. And nowadays it's a lot easier to do. And it's a hacker thing.

Right. Third generation hackers. That's when BBSes, hack magazines, text files and cults came out. And I think that's the third part: just trying to really, really, but like really understand things. The kind of quest and the thirst for getting information. And I think, you know, we know of a lot of the old school hackers who got into trouble, got arrested even, because they had this kind of thirst for knowledge and were trying to break down the barriers, which today we don't need to worry about; it's all out there if need be.

And getting on to the fourth generation of hackers. So, the way that I summed it up was money, money, money. It's the rise of information security. You know, all of a sudden companies are worried about the fact that they have money that needs to be protected. And so they hire us, and all of a sudden we're inside. We're no longer outside looking in; we're on the inside now, and we're getting paid, which is awesome. I'm not going to look too much into that; it just makes it a lot easier to be a hacker because of that fact. The fifth generation, which is where nation states started to jump in. Yeah, it's war and war and war. We're getting involved in that.
And I don't want to look too much into that, but I do think that the fourth and fifth generation is kind of where we lost a bit of our soul. And, you know, it makes it easier, makes it nicer. It means that we have money available to go to, you know, Vegas, to go and meet up with each other. But it also means that we did lose a little bit of what it means to be a hacker.

Sixth generation. This is the one that I really liked out of the talk. And I think that this is, to me, the most important part, the sixth generation, which is where we are now. So, Ray goes in that he started understanding it from the bear farmers. But there's also the BSides. So the whole philosophy behind BSides, in that it's trying to get people together; the whole idea of DEF CON Groups, you know, around the world, people meeting up so that they can discuss and just be with other groups; and with the stuff that we've been doing over the last few years, where we've been getting different DEF CON Groups together and chatting amongst ourselves; and then of course The Diana Initiative and QueerCon and all the changes that have been in DEF CON that have made it more inclusive, so that it's not just a whole bunch of, you know, white guys that haven't showered for three days or whatever talking to each other. But there's different people, yeah, that are all being accepted and embraced, just because they happen to be hackers. They're one of us. And I think that, to me, is the important bit, and the thing that I found very inspirational. Yeah, all of that. So with me, I mean, I've probably always been a hacker deep down inside, but I think a lot of it came out during the COVID time, when everyone was kind of stuck at home and Zooming became what we all did with each other.
And I met people like Ray and the cocktail con crew and Alyssa with her fancy Fridays, and yeah, Danny always calls me fucking Alan, so I'll call him fucking Danny Rando, and Professor Kilroy from the streamers and the Whose Slide Is It Anyway crew. And yeah, in Australia the ComfyCon people and all the really kind BSides people that, you know, are just other nicest people and people that you just want to hang out with. All different types of people. But all hackers, and I think that is something that we definitely, absolutely need to embrace.

Jumping from that, I'll jump a little bit into neurodiversity, because it seems to me that almost everyone who's a hacker has some sort of neurodiversity going on in their brain. The weird thing is that worldwide, neurodiverse people only make up about 15%. It's between 10 and 20%. So I've kind of settled on 15%. So it's around about 15% of all people. So, you know, in any crowd, like eight of ten people are not going to be neurodiverse; they'll be neurotypical. But you go to a hacker meetup or whatever and it's almost always like everyone seems to be some sort of neurodiverse, usually ADHD, but there are other types of neurodiversity that you'll find. And that's great. I think it's very important. So, kind of weird, you know, what about neurodiversity makes hackers, you know, tend to be neurodiverse people? And we look at the idea of, you know, it's a way to show your creativity. Neurodiverse people usually have a lot of creativity. They have respect for rules. They have attention to detail. They have the ability to hyperfocus. So people that are trying to really understand something and need to put in eight to, you know, 10 hours on it, you need the ability to hyperfocus. You're not going to be able to do it if you don't have that ability. And lateral thinking.
The ability to see patterns and to see what could be and what should be is, yeah, one of the things that makes people hackers, I guess. So in terms of what organizations can do to get hackers, to get people interested. I was reading some of the stuff that kind of excludes people. So job descriptions, for a start. A lot of people who are neurodiverse have imposter syndrome, and they read all of these interesting jobs and are really keen to do them, but also at the same time, hang on, I don't think I can do that. I can do most of it, but not all of it. And so therefore they just exclude themselves. Interviews. Oh my word, interviews are terrible. I hate them. I don't think I've ever got a job through a job interview. Usually it's through word of mouth and I can kind of bypass the whole interview thing, because where do you begin? What do you say? Like, how do you say too much? Am I saying too much? And the whole time you're sitting there and your brain is going crazy, because it's like, well, I've said too much or too little, or is that enough? Or is that the wrong thing? Or how do I say that? Eventually it gets down to, like, I mean, I've heard of this Alan guy, but I'm not quite sure exactly who he is or what he does. But he seems nice. Why don't you just give him a job? Do I need to mask? Or should I be myself? So masking is where you kind of pretend not to be neurodiverse. It puts a lot of stress on the person. So the whole time you're busy stressing. Can I stim? Can I not? That's kind of where you tap your foot or move around a bit to comfort yourself. Interviews are terrible. But, you know, they're a necessary evil. So how do you do them in a way that makes people more comfortable? Performance reviews.
Performance reviews are like interviews that you do every single year to prove that you're actually doing your job. And the question is, okay, well, you know, if I wasn't doing my job, you'd take me aside and tell me that I'm not doing my job. So why all of a sudden do we need to discuss that right at the end of the year, when there's no way I can change what I'm doing anyway? So yeah, performance reviews. You know, you get into them, and, well, when I do, I get into them and forget all the stuff I've done through the whole year. It's terrible. And of course, flexibility. So, you know, can people work at home, or do you need them to be in the office? Do you need to watch them all the time? Do you need them to do time cards? You know, as a consultant, I need to do time cards, because we need to charge my time against the projects that I'm on. But I've worked internally and had to do time cards, which, you know, in some cases we actually tested, and no one actually read them. So what was the purpose of wasting time to do that? And then of course failures. Now, the image on the left-hand side is an image that I said I will put into every single talk I ever do, because it's such a cliched picture that used to pop up in every talk back in the early 2000s. So. But I think, yeah, it's one of those things where, as I said, it's great to have hackers and to have neurodiverse people, because of their creativity and their respect for rules and their attention to detail, but also those things can work against them and against any organization. But creativity doesn't always just get switched on. You can't switch on creativity, like the second cartoon will show you. Sometimes it jumps in at the exact wrong moment. It jumps in at the time when you're least expecting it. Respect for rules. Neurodiverse people, hackers, will always respect the rules if they understand why they're there.
But if there's a rule that's just made up and they have no idea about it, that rule will get bypassed, exactly like on the picture on the left. Attention to detail is wonderful until you get someone who's neurodiverse and says, well, actually. And of course, hyperfocus is lovely, but you can't just switch it on and off. Sometimes it only switches on at the last minute. And sometimes when you've got it, you really don't want to get out of it, and someone coming to bug you about something that will just take five minutes is enough to get you out of that hyperfocus and ruin the rest of your day. And of course lateral thinking is lovely, but it can overwhelm you. It can stop you from even jumping into something, because you just have no idea where to start or where to begin or what to do. So, yeah, there are a lot of places where you can just, unfortunately, fail.

Okay, so finally, why GRC? And I think my answer to you on that is, why not GRC? There's a lot of offensive security people out there, a lot of hackers that have decided to go that way, which makes sense, because it is interesting, it is fun. And it is a way for you to try to, you know, express your creativity and your hyperfocus and your lateral thinking, etc. But you should never just stop with that. There's not that many hackers in GRC, unfortunately. But those that are in it are very useful. The idea of using creativity to try and work out how an organization can meet their objectives. Sometimes you have to be a bit creative. You don't have all the budget that you need. It's easy just to say, okay, well, we'll spend, you know, millions of dollars trying to keep out people that might be breaking into our organization. But if you've now got half of that, or you've got a tenth of that, or you've got none of that, well, that's where the creativity comes in. Attention to detail. Some of the standards that we use are pretty detailed.
And for good reason. Understanding why they're done in that way, you know, can take some attention to detail, some hyperfocus, some lateral thinking, even just to get them to work. So what I'm saying is, you shouldn't limit yourself. If you are interested in doing anything in information security, and even outside of information security, doing any job out there could benefit someone who's a hacker, who can think, hang on, this isn't a good way to do this. Let's do this ever so slightly in some other interesting and new, original way.

So I said I would give you a couple of ideas of things that I've done in the past. So I think you can see one of the ones that I'm most famous for right up on screen. This whole presentation is done in Excel. So what happened was, we were running a conference called BSides Melbourne, one of the BSides. And it was in 2020. Of course, it was getting more and more dire as to whether we'd actually have it or not. Eventually, we pulled the plug, and it didn't happen. A lot of people were very upset with that, that had created talks and wanted to present them, including myself. And so basically an organization, well, a conference, got set up called ComfyCon, the idea being it would be a conference that could be run from home. So yeah, shout out to Ian and Shana for that. And it was one of the best conferences ever. I highly recommend you take a look at it. Some really smart people, and myself, were presenting there. And it was going to be an interesting one. So back in those days, 2020, it's only three years ago, but it's a different world altogether. We didn't live on Zoom like we do now. So I was a bit nervous about presenting in Zoom. I was a bit scared about how to change between the different slides that I had. So I had different slides, and then I also had Excel stuff that I wanted to show. So I had graphs and all of that. And I was a bit nervous to move between them.
So I decided, you know what, I'm going to take all my Excel stuff and put it into PowerPoint. But it didn't look good. And it didn't feel right. And then I thought, you know what, actually, I'm going to take all the PowerPoint stuff and stick it into Excel. And then that kind of made my hacker brain excited. And now all of a sudden I had a challenge. And that's where I think I got really excited about my talk. And since then I've spoken at different conferences. So CrikeyCon was one of them. Blue Team Village here at DEF CON, which one was it, 28? So the remote one. I presented that same talk. And yeah, it really was exciting for me to be able to present on the world stage, with my little Excel spreadsheets, which my kind of hacker brain came up with as something that might be a little bit interesting. And that's the one talk.

The other one that I had, this one's way back when, and I always had on my CV a little line that said I created an April Fool's Day project. My boss came to me and said, you know, we need to do a bit of education. And you need to show me that you can do some education across the organization. I was working at a company at the time, a large company with a few thousand users and stuff. One of my kind of KPIs was do education, and it's like, okay, well, you know, how can I do that? Back in those days, there was no such thing as phishing tests or anything like that. So I kind of came to him and said, hey, listen, I have this kind of Linux box that you've given me. And I'm not really using it for anything. So what if I send fake emails to everyone and then see who clicks on the links in the emails? And he was like, really, that's an interesting concept. So we kind of put it together. It was supposed to go live on Valentine's Day. But I couldn't quite get it together in time. So we got it together on April Fool's Day.
And the idea being that someone sent you a postcard or whatever it was, please click through. Once people put in their names and email addresses and stuff, they could go through to the next page. And when they did that, all of a sudden, all I really had was a counter. And it was quite an interesting concept at the time. And I'm really happy that my manager at the time, who was really, really good and used to be okay with all my crazy ideas, accepted that. And so that was the April Fool's Day thing that we did together. At the same time, I wanted to do what we would now call a physical penetration test. I didn't want to do it myself, because that would have been a waste of time. So I reached out to a few organizations and said, hey, can you guys do this? And none of them were really interested. In fact, one of the kind of big consulting firms said, oh, yeah, we can do it. We can do a kind of a test for you. And I'm like, okay, but you need to send someone out here and they need to do this, that and the next. And they're like, oh, no, that's absolutely out of the question. So eventually I got a small organization, which was also kind of full of hackers and stuff, to pick up the challenge. And so we actually did that. So what I'm saying is, you know, in GRC, you can have these crazy ideas. And if your organization supports you, you can get away with some of them. And it's always going to benefit both you and the organization at the end of the day. So I guess what I'm saying is, just because you're in GRC doesn't mean you don't have to be a hacker. Just because you're a hacker doesn't mean you don't have to be in GRC. I think hacking is a way of life. And I think that, yeah, we should all try and aim for not only being a hacker but also being a kind and responsible person. And I think with that, I'm done. Pretty quick, half an hour. I'll leave my details here. And yeah, if anyone has any questions for me.

Could you define GRC?
Okay, no, I can't hear anything. So I guess my audio is going crazy. I'm going to jump out and I'll jump right back in. So if anyone has any questions. I can hear you, X-Ray.

Oh, good. Okay. We haven't had the complete audio failure. Loud and clear over here. Aldebaran, can you define GRC hacker, or what GRC means, rather?

Yeah, sure. Okay, so do you want the official definition? Do you want my definition?

Your definition, because I hadn't heard the term GRC before.

Okay. So GRC stands for governance, risk and compliance. The idea being that the people that manage the governance of an organization also do some of the work in defining what the risks might be, and then of course deal with any compliance requirements that the organization might have. Quite honestly, there's very little governance that I do in my day-to-day work. So the idea being, governance is taking care of the fact that the organization and the people that have actually given money to the organization are separate. So there is a way of controlling that the organization does what the people who lent the money wanted it to do. So there's very little of that in my day to day. There is a lot of risk, but risk is, I think for us, for information security, a little bit new, and a little bit, I wouldn't say infantile, but there's a long way to go. So that's what risk is. Mostly we define risk at a big level. So the chance of you getting a virus on your network is pretty much almost certain, whereas an asteroid hitting your data center will be very, very slim. So that's what risk is. Compliance is generally making sure that whatever standards you're required to comply with, you do. And also in some cases you may elect to use some of the standards that are out there because they're actually pretty good, in that they're very well defined. So for example, your NIST standards are usually very, very well defined, because they've got some really smart people looking at what needs to happen.
Another standard would be the kind of PCI standards. So that's to do with credit card information. So if you take credit cards, you need to adhere to what they do. Yeah, so that's kind of an introduction. I'm not going to jump too deeply into all of that. But if anyone has any questions around any of that, I'm happy to, yeah, clarify. Is that good for you, X-Ray?

Oh, yeah, that was a great explanation. Thank you.

It's usually kind of seen as the least exciting part of information security, because we deal with a lot of detail and a lot of almost checkboxes, but not quite, because, you know, to get to the point where you can see that a box has been checked does take a lot of work. And in some cases, as I said earlier, a lot of creativity and a lot of working with people and a lot of understanding of how things work. So it's definitely something that hackers can get their teeth into.

Right. And it would also include things on the business side. A lot of hacker folk are focused on very technical things, while the GRC side opens up to the whole business aspect.

Correct. Yeah. But also, you know, a lot of the stuff that we do is actually very technical, and sometimes when you're dealing with the technical people, they will try to talk around what you're asking. So if you have a technical background, if you know how things are supposed to work, you can sometimes stop them in their tracks and say, hang on a sec. You know, it doesn't sound like you're telling me what I need to know. Yeah, what about banana? Oh, yeah, I forgot that part. Yeah, exactly. Yeah. And I see actually you've shared the talk that I was alluding to earlier, which is good. Thank you very much for that. Someone asked, is there a group on Telegram? A group for what? DEF CON group, or GRC group, or not sure what kind of group you're talking about.

Thank you very much for that presentation. It's quite good.
Getting people to think outside the box of what hacking is, is one of the things we talk about at DC404 meetings. We describe hacking as discovering what something is capable of that the original designer didn't intend. So if you use a screwdriver to open a can of paint, that was not the intended use of a screwdriver. You can focus on networks and computers, but hacking applies to all kinds of areas where you do things that weren't expected with the resources that were at hand. So I could see where it could apply to GRC.

Yep. Yeah, exactly right. Yeah. And that's exactly what my thinking was when I started up DCG 11613: let's show how hacking can be not just breaking into stuff, how it can be used in very different ways. Yeah. Okay, well, thank you very much for the opportunity, and yeah, thank you everyone for watching and listening to my talk.

Great talk. Yeah, thank you.