Good morning. Again, my name is Patty Walsh. I am a journalist and I have been going to DEF CON since DC-10. And the topic for discussion this morning is hackers in the media, misconceptions and critical tools, rather, to combat them. Who am I? Am I A, your worst enemy? A demonic creature from the underworld? Something as evil as a cross between Kim Jong-il and the Department of Homeland Security? It's quite frightening. The big, bad, atrocious media? Or E, all of the above. Oh, none of the above. I'm based in Vegas, born and raised here and certainly choose E. However, there's a difference between the media and journalists, believe it or not, and we are going to examine this further. Background on the media. According to the dictionary.com site, which is so prestigious, media is a means of mass communication such as newspapers, magazines, radio, internet or television, and the group of journalists and others who constitute the communications industry and profession. Okay, who cares? What does that mean? So in other words, we have a collection of all these different avenues of media, but really, what has it become? And to many, this is what it is, even those within the profession. I think this is actually quite accurate. And so, I would like to talk about the background on the media, rights and privileges, theirs as well as yours, so we're going to examine that. With the role of media then versus now to kind of preview, update you on what's going on. Let's talk about some Supreme Court cases real quick just to jot down. We got the New York Times versus Sullivan, which was 1964, and basically what that was is that the New York Times printed a one-page ad in their newspaper discussing how Dr. Martin Luther King was wrong for, or no, rather that he was right, I'm sorry, I'm nervous right now, that he was right for actually going through the civil rights and whatnot during that time.
And so they were against Alabama because of Alabama jailing him, so they ran a one-page ad. And essentially what happened then was that Sullivan, who was one of the police guys down there, said, hey, wait a minute, how come you're running this one-page ad on this? How come you're talking about how come you are siding with us and you're saying things to us which are libel? Libel, to brief you, is written defamation of character, okay? Slander is oral defamation of character. What does that mean? In other words, if someone writes something about you and they misquote you, you could sue them for libel, but there are factors to that. Say, I want to know, say I interview you and we're talking about some networking issue and I misquote you to the point where it makes you look bad, where your name is on there, where people are going to read it, and where it's going to negatively affect you. What could happen is that that is something called malicious intent. Now, if I do that, I could be in a lot of trouble. You know what, guys? I want to stop here. And you've heard about what's going on with Cisco and everything, I'm sure, right? Vaguely. Okay, tell you what I'm going to do. I'm going to talk about that because all this stuff can wait because I think that this is much more important. So I'm not going to waste my time with this. This is boring me, this is boring you. So let's get on that and then we'll have some candy and some water and then we'll pass out some of those books or whatever. Okay, let's talk about what happened with Black Hat. You guys want to be briefed on it, right? Okay, basically what occurred is that apparently, and I was not there, I was not in the room when it happened, just to let you know. So this is what I've heard and what I've discussed with several different sources. I guess there's this man named Michael Lynn, who you've heard about him. He is with the ISS and he was doing research for a group called Cisco. I'm sorry? Formerly. Oh, see?
There you go. You just caught me in the act. You've got to be careful with the media and you've got to clue them in because if you don't clue them in, then someone writes something about it. So you just caught me. Good for you. Always be on your toes. That was a test. Alright, so he was formerly with Cisco and he was doing research. Actually, I was just briefed on this this morning too because I had to do a lot of work the last couple of nights. So, and I'm very intimidated of you guys. Yeah. Well, I'm in here too, but not with computers. So he was doing work on the routers, the reverse engineering from what I hear. And from what I hear, he was doing work on what was sort of like a hardware box and there were security flaws and exploits in there and apparently from what I've heard, he was working with Cisco for six months on this particular patch that was vulnerable. From what I've read and from what my sources say is that there's like 80% of all the network traffic in the world goes through Cisco and apparently several different sources have said that three days before Black Hat, Lynn was going to discuss a serious exploit. What happened was that it was very sensitive information so because it was sensitive information, Cisco wanted them to reprint the CD and they wanted to rip out certain pages within his speech and so that was a form of censorship. Apparently, Lynn said that he would comply originally and go along with this but Cisco threatened legal action to stop the conference's organizers from allowing this researcher or rival tech firm to discuss how he says hackers could seize control of Cisco's internet routers. Cisco instructed these workers to tear up 20 pages outlining the presentation from this conference that Lynn was going to speak at and ordered the 2000 CDs containing the presentation to be destroyed. That's like 2000 CDs so they wanted to change that and everything else.
Lynn initially went ahead, he actually did go ahead with the presentation. He talked about flaws exploits within Cisco. What that means, excuse me for a moment. Okay, I appreciate you guys staying with me. Obviously, I've just been briefed on all this this morning. There have been a lot of changes going on. I was prepared and I just found out about the Cisco thing. I do know what I'm talking about. I do know what I'm talking about but not on this topic. So, I'm not even going to pretend like I know what I'm talking about. So, what my dear sweetheart has suggested is that we just do Q&A. Flat out. You ask me questions. I answer them instead of me going through all this. And if you want to get up and leave, go for it, take some candy, do what you got to do, get some water and we'll be fine. So, being in light of all these circumstances and because I just found out about all of this and I haven't done my research on this topic. Well, some of this I have but about the Cisco thing, I haven't and I'm not even in front like I know what I'm doing. So, eat candy, do what you got to do, start asking me questions. I don't care you to talk about whatever you want to talk about. If you have comments about the media, I will handle them and we will take it from there. I apologize if this seems unprofessional and what not. I certainly do and if you're disgusted, have more candy. Okay? All right. You know what, darling? Can I trouble you to come up to the mic so that way I can hear it and everyone else and then you can grab some candy, get some water, whatever. Okay? Thank you. So, did he release the flaws? And you as a person in the media, do you believe that he should release the flaws because if he knows about it, everybody else or the bad people would also know about it. And do you think if he did release the flaws and come out publicly and say, this is out there, should he be prosecuted for doing so? When? Yes. That's an excellent point and thank you for that. 
I cannot say whether or not I think he should be prosecuted because again, I just found out about this, but I'll be honest with you. There are two sides, even three, four, five to every story. Now, him talking about this, just clearing it two hours, you know, just putting two hours before when I heard and then talking about all these exploits where someone, people have told me that there was a patch already in place. But that administrators weren't aware of this patch or if they were aware they weren't told to start installing it, which is a problem. Now, what you bring up is a very valid point because that goes towards cyber-terrorism. As we mentioned earlier, over 80% of the world's network trafficking and whatnot is from Cisco. And for someone to stand up here at a Black Hat conference and discuss these exploits and discuss these terrible gaping holes, that can swing both ways. It's kind of like a pendulum. On the one side, one could see this guy and say, okay, Lynn is a martyr, he's a White Hat type of guy or whatever. He's really doing his thing, but at the same time, we have to worry about cyber-terrorism, right? Because even though he had been working on this patch for six months with Cisco, at the same time, him just discussing it flat out there and telling people and then making it a public forum, one could say that that even makes more people vulnerable. Okay, well now we know for a fact that there is this hole, that there is this problem, that there are these vulnerabilities. Well, what are we going to do? Also, you've got to look at it from a legal perspective, a breach of contract. I'm not aware of what contracts he signed. I'm not even going to pretend that I am, but from what I heard, he had agreed, either verbally or written, I'm not sure which one, that he would comply and not necessarily give this speech. Or if he were to give the speech, he wouldn't go into so much detail. And then what? 
Only moments, hours before he gives the speech, yes, he resigned, but that's also an issue of breach of contract. And Cisco is claiming that it was premature and that this patch was undeveloped. So you're looking at an issue with now, from what I hear, the FBI may be involved, may or may not be involved. This also, like I said, I would argue that this is an issue of cyberterrorism because of identity theft, what not, you never know what's going on. However, could he be prosecuted, that is quite possible. Because not only on a breach of contract issue, but also for exposing this, even though one could say that he is a martyr, and again, I'm not familiar with all the information, at the same time it's a very sensitive issue. So it really depends on how you look at it. I think it's possible that they could. Does that answer your question? Okay, do you want me to elaborate on anything else? And you know what, you make a very valid point, because you go to the issue of freedom of the press and what not. Unfortunately the memory can get into that all day, but no, you're absolutely right. What is the media's job in this kind of a situation? Now I have read the front story on the Wall Street Journal, and you know, it seemed to be fair, but I don't know, but at the same time, you know, you have all this information coming out, and yes, he did release this information, but it's critical information. You know, and people need to know about it. So what's the media's responsibility here? Is the media supposed to just sit on their hands and say, oh, well okay, you have another hacker screwing around, whatever, or you have, you know, someone who is legitimately concerned for the national interests and the national security of this country, especially in this type of climate, you know, so what are we going to do about it? How far can the media go to get this information out? 
And from what I read, I guess apparently there were 347 articles that just came out yesterday on this topic of Michael Lynn, and it goes to a stronger point. You know, what is the media's role in this? To give the facts, right? Well, what are the facts? You want to go deeper than that, don't you? You want to get to the core of the issue. Now, I could found out a bunch of statistics to you, but what's the underlying issue at hand? The fact that we have someone that was willing to go up and talk about this despite the repercussions, and you know, here is the press's chance. AP Wire, a bunch of the wires picked it up and everything. Here is their chance to report about this and say, you know what, here's a guy that stood his ground and talked about it and was not afraid to do it. Instead of just the usual, well, let me write about the hacker scene. Let me write about how bad hackers are, how evil they are. Let me write about how, you know, they take your credit cards and this and that and the other. That's not what it's about. And so, hopefully, the media will take this, what happened, this event, and they will report it accurately, which probably will never happen. But at the very least, you may get different perspectives on it, and that is the good thing. But you're right. Whether or not he does get prosecuted, which he could, is it a matter of legality or is it something deeper? And that is to be determined by the readers. But it is the media's responsibility to write about it and at least show the different side. Thank you. Thank you, dear. I'm sorry, sweetheart. What's your name? My name's Fasha, and my question is, you know, politicians and the public at large have a very negative view of hackers and the hacker community, and that, you know, resulting in laws such as USA Patriot, which, you know, sort of equate with terrorism and what not.
And I'm curious if you think that, you know, that negative opinion is the result more of the media and the desire for headlines and publicity or is that more because of the hacker community itself? Thank you. Thank you. Excellent question. Here we go. Question is, does the media mold society or does it mirror it? And what does that mean to you guys? You're right. Politicians are always spinning everything. Media is always spinning everything. Who pays whose bills? It's one big giant pain in the rear end, right? However, when the media reports on something, are they sensationalizing it because they want people to listen or are they reporting it accurately? And most of the time, they're sensationalizing it. Why? Is that the fault of the media or is that the fault of the people? You would say vote? Okay, let me ask you guys a question. This is probably the wrong type of audience to point this out, but would you be more interested in hearing about Paris Hilton and who she's marrying and, you know, what her dress is for today and how much she spent on this bag, or would you rather know about international issues? Would you rather know about where your taxpayer dollars are going or would you rather know about, you know, political implications? And that's where it comes from the forefront. Well, let me just say that you never hear in the media as far as, you know, all the good things that happen. As far as raising security awareness, working with corporations, going into the middle of Africa and setting up wireless networks and, you know, going to the South America, you know, helping, you know, human rights group, you know, fighting dictators and whatnot. You never hear about that. No, you don't. Now you have the Hope Conference in New York, which happens once every two years, I believe, but that is a big problem.
And is that because the media can't tell the story if they write about the good things that the hackers are doing or is that because hackers and other people aren't approaching them on it? Okay. So it swings both ways again, but you make a valid point. There's a lot of things going on with the global South, third world countries, whatnot, and hackers have done an amazing job. In China, I believe they have tried to help take down and annihilate firewalls that the Chinese government has put up to block certain information from coming back and forth. You know, they have done work in the Middle East. They have done work in Africa. And they really... That goes back to the White Hat, Black Hat thing that maybe you guys refer to, but I don't like, you know, it just depends upon what one's agenda is and how are we going to educate the media and tell them, you know, hey, why are you trying to get a story just about our negative perspective and how we're these bad, dark creatures lurking in the shadows, you know, and we're exploiting everybody? That's mostly not the case. What do you do then? It's all about, you know, how you approach them, but you've got to be careful because, like I said, they have their own agenda too. Do most of the population in the United States, are they more interested in hearing about the good things that hackers do, or are they more interested in the bad things? Or what is good and bad? That really is. What sells? Public opinion polls, okay? How are they going to make their money? How are they going to continue to go for the economy and whatnot? You know, that is the main issue and if there is, that's what disgusts me. That's why I'm a journalist, because I don't trust what I read. I don't trust what others report on. But, you know, it's not just the media's job to educate the masses. How are they going to do it? Somebody's got to help them. Somebody's got to sit there and say to them, what the hell are you doing? This is messed up. 
This is what's going on. But then again, if that journalist is not willing to do the research and to talk to you about it, you probably want to stay away from them. So, I didn't answer your question, but yes? Well, a comment on what you previously said, I think one of the main problems we have is that for every one person we have, there's a step forward that has valid information. They'll step forward and say otherwise. They're just one little bit of a limelight that would give bad information out. There's nothing but purpose to it. My question is that it seems like there's a really big double standard. Not only in the media, but the general consensus now of people that we can have freedom of information, a free speech for things like the anarchist cookbook. These are things how to make explosives to hurt people in general. But yet, if someone releases an exploit from the software, we're viewed as complete criminals. It's still information, but we're being prosecuted for it whereas you can go into some libraries and pick up an anarchist cookbook. What's your view on that? You think it's going to go away anytime soon? Thank you. He brings up a good point and that is the scene whores and the newbies and the script kiddies and all that. Are they really the people in charge? Or are they just basically coming in for the party? And I think that's what the problem is because usually I would assume those that are so willing to talk to the media are not necessarily what they say they are. Maybe they just want the attention. And if they were really interested in talking about the important issues, why would they put their name on the front and everything like that? But he makes a very valid point because you have this huge contradiction going on and the question is how are you going to deal with it? Well, number one, before you start spouting your mouth off and saying a bunch of things that you're going to regret, before you talk, obviously. Number two, know your rights. 
Well, what are your rights? Do you have any at all? Any time that someone from the media says to you, you know, well, can I interview you? Fine. If they take out a tape recorder and they start interviewing you and they haven't asked your permission first, be aware of what you say. If you say something that is off the record, if you say something but you don't want them to know about it, say that it is off the record, because otherwise it may be printed. And for you to protect yourself, you've got to make sure you know what you're doing. Number three, try to do background on the person that wants to interview you. Why do they want to interview you? What's their agenda? What's your agenda? Try to find a way to negotiate it. Yeah. Hi. Thank you. Are you aware of whether Lynn's presentation at Black Hat was scheduled well in advance or whether this was brought last minute? Actually, thank you for that question. I have heard both from various different sources on all different sides. No. I've heard that it was scheduled three weeks in advance for him to do the speech and then moments in advance that he said, no, not going to do the speech. Is that what you're talking about? Well, what would appear to me is that if he was working on, if he was working on an evidently fairly comprehensive patch for this and he had scheduled, what he had scheduled, talk that was basically for the sole purpose of dropping a bunch of exploits well in advance, it sort of, to me, signifies that he never really intended to implement the patch. Whereas on the other hand, if, if this was dropped for absolute last minute, it would, to me, mean that he tried to but for some reason couldn't or wasn't allowed to implement the patch and felt this was his own, that this was his only recourse. Okay. I would actually be, if you come up with any more, more concrete information on this, this would be a very valuable piece of information to me and I think to a lot of other people. Okay, and I thank you for that.
To be honest with you, I don't know. People have told me that he knew about this in advance and people have told me that he changed his mind at the last moment. Unfortunately, Lynn is not here right now to talk about it, but you're right. And where does the media stand on this? Okay. Say they find out about it when it was supposed to come out. And you're right, that is a very, that is very significant. Is it their job to report about it? Or would they get in trouble if they wrote about it? You know what I'm saying? Like, okay, say someone were to do some investigative work and find out. Do the cat know about what was going to be happening or did he change his mind at the last moment? Say someone found out about that. Now, if they were to run with that and say it, that's information, right? Okay, and people need to know about that because that is critical. But at the same time, if they're running, you know, if they say something and it puts Lynn in jeopardy, then you got a problem. So I mean, it's kind of like, it's kind of like you're dancing around, if you will. You know, you can't really say, okay, well, we found out about this so we're going to run the story on it, because there may be consequences to that. So... Yes? Well, in my mind, I think that for someone to run either way with this, you know, it would be of the utmost importance that they be able to back up whatever statement they made, have sources to back up whatever statement they made on the subject, because, you know, especially at this stage, the last, at least from my mind, the last thing we need is unfounded speculation. But if somebody has sources that can back them up on this, then, you know, that's essential to the whole thing. Because if the rumors keep going around and around and around and nobody knows what's going on, then that creates kind of like this upheaval and then it just gets nasty, is what you're saying. Now, I don't know whether or not they know for sure or not, but yeah, they should come out and say it.
But if that puts him in danger, then that's a different story. Thank you for that. Yes? How would you suggest combating the media's misconceptions once the article's been printed? I've seen, I saw one article about Hope where it was about how we, the U.S., combats all these terrorist training camps when there's a terrorist training camp in our own backyard at Hope. Now, right after that article, about three to four months after their article, the author reprinted a response because thousands of people were emailing him, just angry at what he printed, and that was a good example of the hacker community going back and saying, what you printed is wrong and you should correct this, and he actually corrected it. But then there's other things that, it was for a journal, it wasn't for one of the main media outlets that most of the general public reads. While I remember the True Life: I'm a Hacker series, if you're familiar with that, that was a huge misconception, but I didn't really hear about that other than from the hacker community. How would you suggest combating misconceptions after they've been printed? Thank you. Yeah, if something is messed up when it's printed, say something about it. But at the same time, is it worth it? Yeah, is it worth it? Well, there's only so much that you can do, right?
But the fact that you even make an attempt to say, you know, like the example that you just gave. No. You know, it is, um, I would say it is worth it, because if you feel that you gain nothing out of it, at least you made that attempt, at least you stood your ground and said, hey, you know what, you're wrong. Because if you don't make that attempt, it's just going to be out there, it's going to be information that's false and floating around and nobody will know. So that's why you should take that stand. And if nothing happens and if they print something that's false and there is no admission of error run, that is a form of libel, which again is written defamation of character, which means that they could be sued. So you're right. Yeah, you could stand your ground and write a letter to the editor, whatever, whatever, whatever. Wouldn't that be, um, like libel against the whole community instead of just a single person? Because I've just heard of cases where it's a single person, or, I really don't understand how that would work for the whole community. Yeah. Thank you. If the whole community is at stake, that's something that you got to clear up, yeah. And I mean, we always hear about individual cases, but it is the overall impact, and if that's bad on the community, then you got to do something about that. And is it worth it, is it worth it or not? I don't know, you know, that depends on your point of view, but I would say it's really worth it, yeah, because if they're writing something that's false and it has an impact on the entire community, then something needs to be done. It's no longer an individual case, it's no longer someone going against the media, that's actually committing libel on a mass level, you know what I'm saying? What do you do with that?
You get together with your friends and you clear it up, and if something happens, it happens. Excuse me. One more question. Hi. I think you're doing a really great thing, actually being here, actually trying to get the story, trying to get the truth, what's going on. My question is a very simple one. You get the truth in every story and you report the truth, but my question is, do you always want to report the truth if you can? The question is, what is the truth? No, but you're right. Some people do try to say what's going on, what they see and everything like that, and go to different sources. You're right, because you should be objective, but there's no such thing as objectivity because everybody has their own bias. To keep a story quiet or public safety, not create history, would you keep that story in the wraps or would you actually report the story because the people would want to know about it? Hypothetically, in the last week there had been a bus bombing in Vegas. Would you report that story if the local and state authorities told you not to, or would you not report it? It's a tough decision, but I'm curious what you would do as a member of the media. Thank you for that. I would report it if it's something that the community needs to know about, and if that's a risk that I have to take, I would do it. Would I disclose my source if they said, I want to be anonymous? No. And that's the same thing you have going on with Karl Rove and the New York Times and everything. I would report it. Now, as a journalist though, and that's up to the editor, that's what a lot of people don't realize. Yeah, the media is bad, just that and the other, but we have people that we got to answer to also. That doesn't answer your question, I'm sorry. Thank you. I'm sorry about all this, and if you want candy, just take the whole bag out of there. So next we have a presentation on using bioinformatic methods for network and information analysis. Meet the Fed.