First things first, disclaimer, I'm employed and I'd like to stay employed. One of the side effects of being employed is that you end up doing a lot of research in your spare time. All of the research has been done in my spare time. This is all from publicly available sources. You could discover this just as easily as I did if you know what you're looking for. The voices in your head. So I've been in information security for 15 plus years. That's gonna have to change to a different kind of number pretty soon and that scares me too. I've done everything from firewall admin and log review all the way up to CISO, publicly traded financial. So I've seen it all. I've done it all and I'm not afraid to tell other people to do the crap jobs I've been doing for the last 15 plus years. I've done a lot of stuff in the utilities vertical. You may have heard me talk about that crap. I've done a lot of stuff in the financials vertical and I'm not an expert in anything. Remember, if somebody tells you they're an expert, they're lying. Nanoseconds. In researching and thanks to the Twitter, I came across this awesome clip of a rather incredible scientist and mathematician who gave us compilers and programming languages and who, much more exquisitely than I could possibly say, is going to tell you about nanoseconds. Admiral Hopper.

They started talking about circuits that acted in nanoseconds, billionths of a second. Oh, I didn't know what a billion was. I don't think most of those men downtown know what a billion is either. If you don't know what a billion is, how on earth do you know what a billionth is? I fussed and fumed. Finally, one morning in total desperation, I called over to the engineering building and I said, please cut off a nanosecond and send it over to me. And I brought you some today. Now, what I wanted when I asked for a nanosecond was, I wanted a piece of wire which would represent the maximum distance that electricity could travel in a billionth of a second.
Now, of course, it wouldn't really be through wire. Beyond space, velocity of light. So if you start with a velocity of light and use your friendly computer, you'll discover that a nanosecond is 11.8 inches long, the maximum limiting distance that electricity can travel in a billionth of a second. Finally, at the end of about a week, I called back and said, I need something to compare this to. Could I please have a microsecond? I've only got one microsecond, so I can't give you each one. Here's a microsecond, 984 feet. I sometimes think we ought to hang one over every programmer's desk or around the neck so they know what they're throwing away when they throw away microseconds. Now, I hope you all get your nanoseconds. They're absolutely marvelous for explaining to wives and husbands and children and admirals and generals and people like that. And I wanted to know why it took so damn long to send a message by a satellite. And I had to point out that between here and the satellite, there were a very large number of nanoseconds. You can explain these things. It's really very helpful, so be sure to get your nanoseconds.

For the record and for posterity, if you haven't spent a significant amount of time studying Admiral Hopper, you're failing. Do it. The woman was brilliant. She gave us compilers. She gave us programming languages. Her contributions to computer science are astronomical and her explanations of the mundane are brilliant and hilarious. There's a clip of her going toe to toe with David Letterman that will knock you right off your socks. It's absolutely amazing stuff. I had every intention of bringing some nanoseconds to give out, but it turns out the Transportation Security Administration has a lot of problems with bundles of wire in luggage. They have a lot of problems with pennies. You can imagine what they think of pennies plus wire in the same bag. So possibly for the first time in the history of humanity, money equals C, the speed of light.
You need to be very aware of how far light can travel because it is, for now, the ultimate limiter. The distance that light travels in a millisecond, one thousandth of a second, is about 300 kilometers. It's 186 miles for the rest of you. In a millionth of a second, you get about 300 meters, 328 yards, 984 feet. In a nanosecond, you get about 30 centimeters or roughly a foot, 11.8 inches. These are the absolute finite distances. This is as far and as fast as you can possibly go. In reality, you go a whole heck of a lot slower than this. Because we're not talking about light moving in a vacuum. At the best, it's moving in air or optical fiber or it's electrons moving through a conductor. So those distances get quite a bit longer. It's much more costly. Most people, like she said, don't have a good handle on what these numbers are. The majority of this talk, nanoseconds is funny to talk about. Most of this talk, we're actually going to talk about microseconds. We're not quite in the nanosecond space yet. When you think of things that are really, really fast in human scale, you think of the blink of an eye. The blink of your eye, 350 to 450 microseconds. Trading is 10 times faster than that. Before you ask, this is a talk about money. Filthy, lovely money. And it's not about any of the other things on your buzzword bingo card. For the second year in a row, I'm talking about finance at DEF CON. Last year, we talked about PCI and we'll be talking about PCI again this afternoon in this room. It turns out that most of DEF CON is offense. It's how to be as offensive as you possibly can. And also a little bit of defense. But knowing sometimes that a vulnerability exists or a class of vulnerabilities exist. And I am going to talk about classes of vulnerabilities. That helps to sort of focus attention. And once attention is focused, then research starts happening, then development of solutions starts happening.
And sometimes crazy people like me will tell you about stuff that doesn't matter this year. Two years ago at DEF CON, my co-presenter Tiffany Rad and I told you all about how you weren't going to be able to keep your secrets outside of your brain. And this year the Department of Justice has said give me your password or go to jail indeterminately. You'll stay there until we decide to let you out. So you had your two year warning. Last year, I talked about bad things in the world of industrial control. This year, I think I'm the only talk that isn't about industrial control. Next year, everybody's going to be talking about money. So most of us don't really have a good idea of this whole trading thing. I mean, you're used to when you're younger and your dad was watching the news on TV, looking at the Dow Jones Industrial Average and the Nikkei index and NASDAQ and alphabet soup, what does that mean? And facing facts, we're hackers. We don't have any money. We don't have any legitimate money. The idea of stock markets and exchanges started back in about the 1200s with commodity and debt trading. So this is pork bellies and orange juice just like Ferris Bueller. In the 1500s, we got intermarket trading. So where trades would be executed for one organization on multiple markets. In the 1600s with the Dutch East India Company, we got our first real equity trading where you didn't have to be a lord or a peer. You could own part of a company. So this was the beginnings of corporations. By the late 1800s, or sorry, early 1800s, this is a funny story. Everybody knows RFC 1149, IP over Avian Carriers. Reuters implemented that in the early 1800s. They used carrier pigeons to go between Aachen and Brussels. When you think about that for just a minute, you realize that patents and software are stupid because prior art is sometimes an awfully long time ago. In the late 1800s, the electronic ticker tapes are happening.
This is Daddy Warbucks kind of stuff, you know, the glass dome and the paper spews out and somebody has a snit. This is telling you about what the prices were. By the mid 1900s, quotation systems started to come into active use. These are things that looked an awful lot like a typewriter. They had a little bit of electronic knowledge to them, but what they were capable of doing was telling you the next price. They were an inquiry type system. By the late 1900s, computers are maintaining all the records. They used to maintain records on paper and with chalkboards and stuff like that. If you're old enough, you remember using little bits of paper to move money around at banks. They called it deposit slips. If you're from a modern country, you've been using debit cards for the last 25 years. If you're in the United States, you'll start using them in another five. Checks, really? And you spell wrong too. It's Q-U-E-S. By the early 2000s, computers are trading with each other and largely without human intervention. Humans are providing sort of stick handling kind of guidance but are not responsible anymore for individual trades. Some definitions that are really important. High-speed trading is committing trades on a scale faster than human interaction. Remember, the fastest humans can go is the blink of an eye. There really isn't that much else about us that can go any faster. That's 350 to 450 microseconds. Trades are now in the very, very low three digits and very, very high two digits, numbers of microseconds. Algorithmic trading is using math. At this point, about half the room glazes over completely and the other half of the room starts giggling because they know that the speaker doesn't know enough about math. Based on the results of incoming information, market data feeds and even English language or human language press releases, computers are able to make trades, executing literally in that flash moment. I said change. Arbitrage. This is a funny term. 
Everybody likes saying it because it's got that lovely arbitrage. Sounds very important, very Wall Street. It's the practice of taking advantage of the difference in price between two or more markets. This is usually, or sorry, this is historically done in space where you'll have a single organization that trades on NASDAQ and the New York Stock Exchange and it has slightly different prices on the two. So you would buy wholesale and sell retail. You'd buy at the low price and sell at the high price on the other market. Everybody sort of naturally does this. We're accustomed to buying wholesale and selling retail except if you're in farming, in which case you buy retail and sell wholesale. Now we're talking about doing arbitrage in time. So this is no longer about having to be in multiple places at once. This is about being inserted interstitially between two other events in time. So from the time that you know that someone wants to purchase a large number of shares until the time that the purchase executes, there's a gap in there. And that gap in there, you can step in and say, well, I've got them for sale. So it never goes out to the wider community because you're right there ready to sell. So arbitrage is very interesting. Mostly because when you said I've got them ready to sell, you don't have them yet. You're going to buy them right away so that you've got them by the time they get around to saying, oh, yeah, I'll buy from you. Inside of hundreds of microseconds. Scary fast. When markets were new, middle of last millennium, trade times were hours. You know, it's human beings. They're arguing with each other about price and haggling. Everybody loves a good haggle, right? By the late 1800s, we're down to minutes. By the 1900s, we're down to seconds. This is largely the trading technology that we're most familiar with because we've all watched Ferris Bueller's Day Off one too many times. Anybody do this thing? Yeah. By the 2000s, we're in hundreds of microseconds.
In the future, I don't know, tachyon pulse emissions or something, future prediction kind of stuff, because we're going to hit that wall of the speed of light and we're going to hit it kind of hard. It's going to hurt a lot. The architecture of these systems is astonishingly simple. When you look around the internet for architecture diagrams for high speed trading, what you'll see is that someone threw up in Visio and gave you a chart this big and it looks like shit because they've included every damn thing they can think of. We all have the blinky lights and shiny things disease. These people have it in a way that we'd look at them and giggle because they're completely insane about this stuff. In reality, there's only four moving pieces you need to know about. You've got an exchange of some type. Whether it's the New York Stock Exchange, whether it's a commodity market in Chicago, whether it's a private exchange, well, anything, the Toronto Stock Exchange. You have a trading engine that's tightly coupled to that. The trading engine is this odd special piece of hardware, and I'll come back and talk to it in a minute. The trading engine gets its information from market data sources. This is telling you what's going on in other markets, what's going on in the news, what's going on in the market you're tightly coupled to, and there is a human who provides, like I said, the sort of stick handling control over what's going on. That machine in the middle is kind of an interesting box. It's faster than most other computers you have. It's one of the few times when you can go to a major supplier of rack mounted computer equipment and they will sell you something that has been overclocked and maxed out and liquid cooled and oh my god, that's cool. You know, 12 to 24 cores, 128 gigs of RAM is not unusual. Gigabit, 10 gigabit, InfiniBand, PCIe interfaces between machines to cram that latency as low as possible.
The thing that you'll never see them use is the actual network interface on the box. They'll always replace it with something faster. You don't really realize quite how much latency is added by things like well trusted, well documented, completely debugged Ethernet drivers and IP networking stacks. Instead, you should go out and have a couple of developers in their own little space design for you a custom FPGA card that interfaces directly with Ethernet so that your application can build a FIX transaction in memory and pass it to the FPGA as it's being built and the FPGA will ram that thing out on the wire as fast as possible. You'll notice that those couple of developers don't have the kind of historical legitimacy that something like the BSD IP stack has. Think about that for a minute. So how fast is fast? How fast does fast really matter? I need to keep hammering this point home because it's something that most people just can't grasp the first time around. If you're executing trades in terms of seconds, you have no position. You will lose every single time. You will lose your shirt in the market. You're the kind of person who sits at home watching ads for ITT Tech. Sorry. In milliseconds, you're losing nearly every time. And when you think about it, milliseconds, you don't notice milliseconds, right? You take a brand new laptop, brand new server and a brand new gigabit Ethernet switch. I tried this just last week at home so I have the number to prove it and send a ping to the server and get the response back. Half a millisecond. It's pretty average. So your home stuff is pretty slow, right? I mean, you heard me say before that half a millisecond is just way too much, right? Sub millisecond, big players are regularly beating you because they've got better, faster computers. They're replacing them with asset timelines that aren't measured in years. They're measured in weeks or maybe months.
So new hardware goes in there as fast as possible because new hardware is faster than old hardware. In the hundreds of microseconds, you're a bit player. You're winning based more on flip of a coin than on being able to actually win. And if you're in the tens of microseconds, you're almost always winning, which is kind of a nice place to be. Almost as important as being just plain fast, just very, very low latency, is also being very, very predictable. So all those VoIP people out there that like to talk about, you know, crazy high jitter and how that completely wrecks the voice conversation and how people can't understand and be intelligible and they go all Skype robotic and stuff. In this situation, the jitter matters because it's being taken into account as part of the calculation. You know what your round trip time to the exchange is and that round trip time has to stay the same. If the round trip time becomes variable, you've introduced a new variable in a calculation where you were expecting a constant. This is going to cause you problems, right? You know, if the speed of light keeps changing, it's really, really hard to get your spaceship to go to warp nine. We used to joke about this back in the olden days when I was a router switch jockey about what would happen if you started having packet loss and the packets were just sort of falling out of the front of the router and hitting the floor. So you put a bit bucket underneath. Everybody remembers that horrible joke from the 90s. In this case, if you drop a packet, you're losing money. So dropped packets are the enemy. You know, Ethernet. The idea that collisions can occur? No. Collisions are not permitted to occur. It's simply not allowed. Massively inefficient protocols like TCP, that handshake, are the enemy. Error correction? Who needs that crap? Proximity relieves a lot of these issues, right? The closer you are, the easier things are. The less likely that weird happens.
You know, when you're doing an international ping, think about the path that packet's going to take. Theoretically, it's going in an undersea cable, but maybe you just got switched to satellite or maybe every other packet takes a satellite path instead of a wire path. You lose all that predictability. You've got an induced jitter that's just off the chart, right? So you move closer. You want to be in the same city. Metropolitan Area Network kind of stuff. Well, those are great. You know, dark fiber from building to building. That's awesome. Remember how long a microsecond is? If you're more than a couple of buildings away, that 984 feet is going to kick you right in the ass. So you've got to be on the LAN. You need to be close. 300 meters is sort of the absolute top end. That's a thousand feet in American. And remember that this latency costs money. It's measurable. You can look and you can say, you know what? We're always 10 microseconds late. That means that we're losing 30% of our trades. Can you make that 10 microseconds go away? We're going to start winning 30% more trades. Damn, there's money there. There's often a lot of money there. So of course there's money. If you've got money to spend, if you've got money to make, you're going to make it happen. Nobody freaked out when I showed you that hyper simplified diagram. Nobody said there's stuff missing. I've seen network diagrams before. There were no boxes with flaming hair. Nobody caught that. It's like it's morning. You know what's the afternoon, right? It's a no-crap kind of moment. Once it's pointed out to you and you go, oh, shit. There's nothing actually protecting those links, except that they're private. How many people have private internet connections? How many people have private frame relay? How about private VLANs? How about private MPLS? Yeah, you dumbasses. There is no private. But the marketeering jerks can sell to people who are uninformed who say to them, well, it's your private link.
It's your dark fiber that runs from one to one. There are no patch panels in the way. There are no switches that you're transiting through in a blind Layer 2 system. You know, it's private. It's all yours. And nobody's ever been on a network with other participants, right? There's only two nodes on that network. Only two. There's no one else. There's no other customers. No one else is connected to that exchange except you. You are the only customer of the New York Stock Exchange. It's such crap that it shouldn't be. I mean people who use computers every day that have, it's frustrating because there's no firewalls. Like the simplest thing, the most basic thing, I want to control with whom I am communicating as tightly as possible. I want to say that I will only communicate with this list of IP addresses and I will only communicate on these ports. The bare minimum. Because, guess what? Firewalls add latency. Really great firewalls. Awesome. Firewalls that are all, you know, UTM. They add a crap ton of latency. What do we do about that? Well, there's not really a whole lot we can do, really. We sort of suck it up and say, oh well. Because we're security people and we're okay with milliseconds of latency because nobody notices that when they're web browsing. And there's nothing in PCI DSS that says you have to have a fast firewall. You just have to have a firewall in a box in the corner of your data center, providing a home to mice. Remember that latency stuff costs money. And if you're not in a position where you're saving money, you've gone from being an information security department that is a cost center to being an information security center that is a huge cost center. So the risk is smaller than the cost, which is smaller than the profit, go away. There are no firewalls. Well, let's go back further in time. Anybody remember the 90s? Like six of us in here. We used to use these things called ACLs, access control lists. We built them into our routers and stuff.
We all had the Martian list. Anybody remember the Martian list? You know how many things are on the Martian list anymore? There's like four lines. They don't use ACLs because they add latency. Any time you put an ACL in, the router or switch has to receive the entire packet. And only after it has received the entire packet does it make a decision, latency. Most switches don't do cut through while ACLs are on. There are a couple that do now, but they're rare, few and far between. And risk is smaller than the cost, which is smaller than the profit. So screw you, no ACLs. Meaningful system hardening. Remember I told you about these crazy funky boxes that you would think are completely stripped. I mean, these are the race cars of this industry. These are not your Camry. There are no airbags. Brakes are for the weak. Actually, they look a lot like those kids who get their mom's Civic and weld a coffee can onto the tailpipe and put a Type R sticker on. Because they all still have sol.exe and calc.exe if they're Windows boxes or sendmail, man pages, an mp3 player, four different databases. That's all Linux boxes. All this custom interface crap is in there too, right? So remember our little team of two developers that wrote some custom FPGA code that of course completely implements the Ethernet standards and the IP standards. And they did it all using Jon Postel's recommendation, which is that you'd be very conservative in what you send and very liberal in what you accept. We know they did a great job of writing this entirely bug-free code. Not so much. So you go to them and you say, well, let's look at the code on your FPGAs. No, a secret. You're not allowed to see that. No sharing. And then you've got all the usual complaints about maintainability. I mean, God, once you take telnet.exe off of a box, then they can't see anything on the network. All their troubleshooting is gone. And these specialized systems come from manufacturers that you've never heard of.
Anybody in this room recognize even a single name up there? Oh my crap. Is the entire trading technology industry in this room right now? Shit. This is the only talk you came to Vegas for. Crap, crap, crap, crap. Everybody does good threat modeling, right? Everybody has a good solid threat model for their organization. They know exactly who their bad guy is, who they're trying to protect against. Me? No. I can get hired as a secretary anywhere. I mean, have you seen these legs? We know what's missing out of our usual set of controls because we take for granted so much. We take for granted that there's going to be change control because, of course, everybody has change control. Everybody uses ITIL, right? Not so much. We take for granted that they're going to have done a great job of things like employee screening. They don't even do a good job of that in the government for crying out loud. So, you know, how do we talk about this threat model? How do we start to build who the potential bad guy is? This is not simple stuff. This is actually really hard. So, how do we do that determination? Well, let's walk through a couple of things that I think are threats. I think vendors are a threat. It's not that I don't love blinky lights and shiny things and it's not that I don't appreciate being taken out for dinner and drinks every now and then, but you're trusting that the marketing slick is going to have exactly what you get on it. Anybody seen a lie on a marketing slick? Anybody bought a product that didn't have a feature they told you it had? Okay. Everybody who hasn't put up their hand obviously hasn't bought anything. This is a talk about capitalism. You're also trusting that they haven't hired any bad guys. So, you know, all the shortcuts that you take in your organizations? Yeah, they all take them too. I think it's a maybe. I'd like to have faith that the vendors are doing the right thing. I like to think that ethics is a word that they know.
I'm probably completely kidding myself, but imagine something very simple. Imagine that a vendor has a disgruntled customer. All vendors have disgruntled customers. Imagine that a vendor has a disgruntled customer that's making their life miserable. Imagine if one developer takes it upon themselves to screw with that customer. They get custom patches only for them in which they've mucked around with the Precision Time Protocol just enough that a microsecond isn't a microsecond anymore. Sometimes it's a little less. At the end of the day, they still have the same number of microseconds. They were just of different lengths. Kind of awesome, isn't it? I think developers are a threat. Any developers in the crowd? Yeah, I will tell you to your face that I love you, but I'm lying. Remember what Admiral Hopper said about wasting microseconds? 984 feet of wire, wrap it around your neck. Please and thank you. In most algo trading, the developer isn't a developer. The developer is like a developer trader. There's someone who has more knowledge of what's going on from a market perspective than they have around traditional SDLC. And best of all, they don't do dev, QA, SIT, staging, all that crap. They just put their changes right onto production and they do it multiple times a day. Nothing can go wrong. Nothing. And remember how it's kind of odd. When you're working for an organization, you're giving up your IP, right? That's the whole, you give me dollars and I give you brains. You've become the means of production and the supply and also the labor. It really breaks the whole notion of the industrial revolution. Sometimes people get a little attached to their IP. Anybody ever taken something that they made at work and taken a copy of it home? Anybody telling the truth? It turns out the developers are a bit of a problem. They tend to take the crap home. In this case, we're talking about 32 megabytes of code. Anybody even remember megabytes? Yeah, kind of like kilobytes.
I remember once upon a time, I had less than a megabyte of storage in my entire life. Yeah. 32 megabytes of code, snuck it out over SSL connections, went to jail for eight years and one month, paid a fine, has a Facebook fan page. It's kind of awesome. It took them a while to catch him, too. I think there's another kind of threat: the insider. So in the financial world, they talk about insiders and they mean something very, very specific. We're not talking about that kind of insider. We're talking about somebody who works in the organization. My favorite to pick on here is traders who get smart every now and then, start playing with their blinky lights and shiny things, or administrators. Remember, all of these boxes still have, in that dark IT department that nobody talks about that exists in the capital markets org, they've all got their own administrators doing the same kind of admin work that we've all done through the history of time. I'm just largely saying have you tried turning it off and back on again. When these traders or administrators who have superior access to the system, remember those comfy warm feelings about things that, of course, you know exist, internal controls around segregation of duties and all that good stuff, where everyone has root on the trading algo box. I think I'm joking. Could you cause negative effects on other participants if you were an administrator on a box? Could you induce a couple of microseconds latency in someone else's connection? Remember those fancy FPGA boxes? FPGA cards that probably don't have the entire standard on board? If you send them a packet that makes them barf, what kind of barf do they have?
If we look at other places where we've seen this happen, where we've seen half-assed implementations of Ethernet or IP, we'll look to the world of industrial control and say a couple years ago if you had an Allen-Bradley PLC and you sent it a ping with a payload, a simple ICMP packet with payload, it would literally just stop processing. It didn't crash, it just stopped. Can you make somebody else's algo engine stop? Can you make the market algo market engine stop in one packet? I think so. Or you've also got the disgruntled employee, because you know every organization is completely free of that, who says you know what I'm going to make sure that my employer never wins another trade. I'm going to induce another 75 microseconds of latency. I'm going to do it by adding a quarter of a microsecond every other day until it gets to 75. Along the way I'm going to be very angry about PC load letter, and the guy in the cube next to me who listens to music at a reasonable volume while collating. Turns out traders are a bit of a problem. This is my favorite, favorite, favorite case to wave in the face of people who say that printers are not part of information security's duties. This dude took the code out on slices of trees and only a couple hundred of them. That's really awesome. They had to do forensics on the printer to figure out what happened. Everybody knows that your printers have disk drives in them now. Sentenced to three years in prison, plus two years of supervised release, and at that point will likely be deported. Oops. I think the market is a threat. I really do. And it's an odd kind of technical threat. In our world we've seen this kind of threat before. It's an amplification kind of attack, right? You know, once things start going sideways, you can push them hard and make them go a whole lot more sideways.
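The talk makes two points that belong together: round trip time to the exchange has to stay constant (the jitter discussion earlier), and an insider who adds a quarter of a microsecond every other day will never trip a per-day threshold. Below is an added example, not from the talk or any trading vendor, showing why the monitoring approach matters. It builds constructed daily RTT samples (a 42 us base with 0.05 us Gaussian jitter and the creep starting on day 10, all assumed values), then compares a plain threshold against a one-sided CUSUM on the daily mean. The CUSUM parameters (0.05 us slack, 0.5 us decision interval) are assumptions chosen for the example.

```python
import random
from statistics import mean

# Constructed scenario (assumed values, not measurements from the talk).
BASE_RTT_US = 42.0       # the "known" round trip to the exchange
JITTER_US = 0.05         # healthy jitter on a short, private link
CREEP_US = 0.25          # the talk's quarter of a microsecond
CREEP_START_DAY = 10     # creep begins after a clean baseline period
BASELINE_DAYS = 10


def daily_rtt_samples(day, n=200):
    """Constructed RTT samples for one day: base, jitter, and the creep that
    grows by CREEP_US every other day once it starts."""
    rng = random.Random(day)  # deterministic so the example is reproducible
    if day >= CREEP_START_DAY:
        creep = CREEP_US * ((day - CREEP_START_DAY) // 2 + 1)
    else:
        creep = 0.0
    return [BASE_RTT_US + creep + rng.gauss(0.0, JITTER_US) for _ in range(n)]


def first_alert_threshold(daily_means, limit_us=0.9):
    """Naive check: alert on the first day the daily mean exceeds the
    baseline by more than limit_us. Slow creep hides under this for days."""
    mu = mean(daily_means[:BASELINE_DAYS])
    for day, x in enumerate(daily_means):
        if day >= BASELINE_DAYS and x - mu > limit_us:
            return day
    return None


def first_alert_cusum(daily_means, slack_us=0.05, decision_us=0.5):
    """One-sided CUSUM on the daily mean: accumulate any excess over the
    baseline beyond a small slack, alert when the accumulated excess passes
    decision_us. Small, persistent shifts add up instead of being ignored."""
    mu = mean(daily_means[:BASELINE_DAYS])
    s = 0.0
    for day, x in enumerate(daily_means):
        if day < BASELINE_DAYS:
            continue
        s = max(0.0, s + (x - mu) - slack_us)
        if s > decision_us:
            return day
    return None


def simulate(days=30):
    """Returns (threshold_alert_day, cusum_alert_day) for the constructed series."""
    means = [mean(daily_rtt_samples(d)) for d in range(days)]
    return first_alert_threshold(means), first_alert_cusum(means)


if __name__ == "__main__":
    naive, cusum = simulate()
    print(f"creep starts day {CREEP_START_DAY}: threshold alerts day {naive}, CUSUM alerts day {cusum}")
```

With these numbers the threshold check fires on day 16 (six days into the creep, once the offset reaches a full microsecond) while the CUSUM fires on day 12. The point is not the specific detector but that RTT has to be monitored as a trend against a recorded baseline, per link and per exchange session, rather than only against a fixed ceiling.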
If the market suffers from malformed messages, where someone is sending the market malformed messages, or worse the market is sending out malformed messages, what's going to happen? Badness. How would malformed messages happen? Shitty code push. There's a bunch of issues around transaction risk scrutiny and whether or not a transaction is permitted to go through. And there's some compromised systems kind of problems that I think are very, very real. Because, you know, every large organization with more than 30,000 employees has, oh my god, has never had a compromised system on the inside. There are no botnets running inside Fortune 50, Fortune 100 companies. It turns out that, yeah, the market is actually kind of a huge threat. In May of 2010, the Dow Jones Industrial Average plummeted 900 points in minutes. This is the flash crash, about three minutes. There's a huge amount of documentation. There's what I think is a great document from Nanex. I was told when I gave this talk at Black Hat that the Nanex report is a lie. I don't know whether that guy had a tinfoil hat on under his toupee. But the point is that this was exactly that kind of amplification attack. An algo started selling and it saw the price drop because supply increased on the market. And so as the price was dropping, it said, oh my god, I got to sell. And so it sold more and the price dropped more. And it went, oh my god, I got to sell more and the price dropped more. And things went downhill from there. Hi guys. I am so scared about this next panel, I mean. Ed Felten, whom you all know from Princeton, did a really good tear down of it and thinks that it comes down to really kind of five points. A bunch of weird quote requests went into the end, the stock exchange computers. Normally these quotes are shoved in a queue. But because of the high rate of requests, the queue got backed up. And there was an error. The quote lists a price and a time.
In this case, the price was determined when the quote went into the queue, but it wasn't timestamped until it left the queue. And it was in the queue for more than a couple of microseconds, and the price changed during that time period. So what people thought was the price wasn't the price, essentially. And these got really confusing. Everything went crazy. The market destabilized. And the faster it happened, the weirder it got. And remember, we're talking crazy fast. I mean this whole, the whole issue happened inside of three minutes. And those trades were all backed out. So they essentially pulled a mulligan on the market. I didn't know you could do that outside of stupid games white men play.

So how do we trust in this kind of framework? I mean, we've got these threats. And these threats are kind of spooky, scary, nasty, weird, odd, we-don't-really-know-what-to-do-with-them kind of threats. We don't really trust our co-workers. I don't trust very many of mine. They steal things from my desk, like my stapler. And there's no good way to monitor what's going on, because this is happening so incredibly fast. But the best monitors for this stuff that are available from the general IT market are sampling only. They do not examine every packet. They examine on a sampling basis. The more packets there are, or the larger the packets are, the less sampling they do and the more inaccurate they become. There are a couple of very, very specific devices that are made for this market that do a much better job. But you're in IT security, not capital markets, so you've got no idea who those companies are or where those devices come from.

Traditional security is an absolute fail here, just epic. We're 100,000 times too slow. We come in and say, well, we're going to add a couple of milliseconds of latency to those transactions so that we can make you secure with our UTM device, which will protect you from email-based threats.
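The queue timing problem described above, as an added toy simulation that is not from the talk, Nanex or Felten: a quote's price is captured when it is enqueued but its timestamp is assigned when it is dequeued, and a consumer-side consistency check flags every quote whose stated price does not match the market price at its stated time. The price path, the arrival burst and the service rate are constructed.

```python
from collections import deque

# Constructed market price per tick (tick = arbitrary time unit) and a
# constructed burst of quote requests at tick 1 that backs the queue up.
PRICE = [100.0, 100.0, 99.5, 99.0, 98.0, 97.0, 97.0, 96.5]
ARRIVALS = [1, 5, 1, 1, 0, 0, 0, 0]   # quote requests arriving per tick
SERVICE_RATE = 1                      # quotes the engine can emit per tick


def simulate(stamp_time_on_enqueue):
    """Run the queue and return the emitted quotes.

    stamp_time_on_enqueue=False reproduces the behaviour described in the talk:
    price fixed at enqueue, timestamp taken at dequeue.  True stamps price and
    time together at enqueue, so both always refer to the same instant.
    """
    queue, emitted = deque(), []
    for tick in range(len(PRICE)):
        for _ in range(ARRIVALS[tick]):
            queue.append({"price": PRICE[tick], "enqueued": tick})
        for _ in range(SERVICE_RATE):
            if not queue:
                break
            quote = queue.popleft()
            stamp = quote["enqueued"] if stamp_time_on_enqueue else tick
            emitted.append({"price": quote["price"], "time": stamp,
                            "queue_delay": tick - quote["enqueued"]})
    return emitted


def stale_quotes(quotes):
    """Consistency check a consumer can run: the stated price must equal the
    market price at the stated time; anything else is a stale quote."""
    return [q for q in quotes if PRICE[q["time"]] != q["price"]]


def max_queue_delay(quotes):
    """Backlog indicator: longest time any emitted quote sat in the queue."""
    return max(q["queue_delay"] for q in quotes)


if __name__ == "__main__":
    broken, fixed = simulate(False), simulate(True)
    print("max queue delay (ticks):", max_queue_delay(broken))        # 4
    print("stale quotes, time stamped at dequeue:", len(stale_quotes(broken)))  # 6
    print("stale quotes, time stamped at enqueue:", len(stale_quotes(fixed)))   # 0
```

With the burst the backlog reaches four ticks, and six of the eight quotes carry a price that was already wrong at the time they claim; stamping at enqueue makes the mismatch disappear without changing the delay.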
The only thing that's supposed to transit the network is FIX transactions on specific IPs and specific ports. Anything else that's moving on that network is illegal and shouldn't be there. You should just frigging drop it. You don't need pattern behavioral detection. And IT security is so goddamn proud of itself that it's unwilling to listen. It's unwilling to learn. It's unwilling to sit and be the student and say, well, shit, teach me about this stuff. Because we're all focused on checkbox compliance, that's so easy. Right? Oh, do we have a firewall? Check.

I have 21 minutes left, not five. I know I started late. So let's answer these hard questions later. The hard questions we're not in a position to answer right now, because we're still way too busy figuring out where the heck our socks are and pulling them up. We're not going to be able to secure custom everything. Who possibly in this room, besides maybe 10% of you, can go through FPGA code and figure out whether or not it's got a bug relative to a standard that's spread over 700, 800 pages' worth of documentation? Yeah. We've got to learn how to be fast enough, and we're not there yet. We don't even really understand this whole money thing. And we need to make the case that security efforts are important because they reduce the chance of disaster. We don't know for sure that the next time there's a flash crash those trades will just be backed out. The market may just say, caveat emptor, suck it up.

I need you to do something though, pretty much anything. It's time to party like it's 1999 and do some network security basics, like those ACL things. Let's implement some, shall we? There isn't a whole lot in the next generation. Juniper and Cisco are coming to the table with some stuff that's pretty fast. It's still not quite fast enough that there's an argument, but it's pretty fast.
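The "only FIX on known IPs and ports, drop everything else" rule above, combined with the earlier point about malformed messages, as an added example that is not from the talk or from any FIX engine: a flow passes only if it targets an allow-listed gateway address and port, and its payload then has to survive a FIX framing check (BeginString, BodyLength tag 9, CheckSum tag 10) before it is accepted. The gateway addresses, ports and sample flows are constructed, and `build_fix` is a helper written for this example.

```python
SOH = b"\x01"
# Constructed allow-list of (destination IP, destination port) FIX gateways.
FIX_ALLOWLIST = {("10.0.1.5", 9878), ("10.0.1.6", 9878)}


def build_fix(fields, version="FIX.4.2"):
    """Helper for this example: frame tag=value pairs into a valid FIX message."""
    body = b"".join(f"{tag}={val}".encode() + SOH for tag, val in fields)
    prefix = f"8={version}".encode() + SOH + f"9={len(body)}".encode() + SOH + body
    return prefix + b"10=%03d" % (sum(prefix) % 256) + SOH


def fix_framing_ok(msg):
    """BeginString first; BodyLength (tag 9) must equal the byte count from the
    field after tag 9 up to and including the SOH before tag 10; CheckSum
    (tag 10) must equal the byte sum of everything before it, modulo 256."""
    if not msg.startswith(b"8=FIX.") or not msg.endswith(SOH):
        return False
    first = msg.find(SOH)
    second = msg.find(SOH, first + 1)
    trailer = msg.rfind(SOH + b"10=")  # the SOH that precedes the CheckSum field
    if min(first, second, trailer) < 0 or msg[first + 1:first + 3] != b"9=":
        return False
    length, declared = msg[first + 3:second], msg[trailer + 4:-1]
    if not length.isdigit() or len(declared) != 3 or not declared.isdigit():
        return False
    body_end = trailer + 1
    return body_end - (second + 1) == int(length) and int(declared) == sum(msg[:body_end]) % 256


def filter_flows(flows):
    """Allow-list first, framing check second; returns (allowed ids, [(id, reason)])."""
    allowed, dropped = [], []
    for fid, dst, dport, payload in flows:
        if (dst, dport) not in FIX_ALLOWLIST:
            dropped.append((fid, "not a permitted FIX flow"))
        elif not fix_framing_ok(payload):
            dropped.append((fid, "malformed FIX framing"))
        else:
            allowed.append(fid)
    return allowed, dropped


# Constructed traffic: a good new-order message, the same message with a corrupted
# checksum, non-FIX traffic to an allowed gateway, and FIX to an unknown host.
GOOD = build_fix([(35, "D"), (49, "TRADER1"), (56, "EXCH"), (55, "XYZ"), (54, "1"), (38, "100")])
BAD_CK = GOOD[:-7] + b"10=%03d" % ((int(GOOD[-4:-1]) + 1) % 256) + SOH
SAMPLE_FLOWS = [(1, "10.0.1.5", 9878, GOOD), (2, "10.0.1.5", 9878, BAD_CK),
                (3, "10.0.1.5", 22, b"SSH-2.0-OpenSSH"), (4, "10.0.9.9", 9878, GOOD)]
```

Running `filter_flows(SAMPLE_FLOWS)` allows only flow 1 and reports why each of the other three was dropped; the framing check is deliberately cheap, since anything heavier would add the latency the talk warns about.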
We need to keep up, and I don't know exactly how we're going to do that, but I am sure that we need to do anything, literally anything. Even just understand what it is. Go and find the people in your organization that bark physio and get them to walk you through the diagrams: follow the packet, follow the money, follow the process, start to understand exactly what's going on, and make friends and influence people. Buy some coffee. It's kind of important.

The reason I'm so pissed off about this is because this report came out just a couple of weeks ago that says IT security pros think that performance is more important than actual security. We're shooting ourselves in the back while we're giving ourselves a self-congratulatory reach-around, and it's stupid, senseless, pointless dumbassery, because we're also damn sure that we're experts in everything. Challenge the vendors. We want more than checkboxes. They come back and they say, well, nobody's asking for it. So because nobody's asking for it, we're not doing it. We're gonna give you raging featuritis instead. We're gonna change those LEDs from green to blue and that's gonna make it better. Bullshit.

If you're a risk, process, policy or GRC wonk, what the hell are you doing at DEF CON? Thank you. Work with the business folks. You have equivalents in the business that aren't in IT that understand things from sort of a different perspective than you do, and their tolerances for risk are very different from yours. You may still be suffering from the palerism disease, where you think that attaching an iPod to a computer is this oh-my-god, hair-on-fire kind of threat. They're not in that same kind of world. They don't think dogma is all that important. They're ready to rewrite the rules every time something changes in the markets, which is daily. You're never going to be able to change their minds about the cost of latency, because it's real. They've got the numbers to back it up. They've got the profit.
You're not a profit center. You're a cost center. So work with them and learn to understand that just because we did it that way last year isn't a good reason to do it that way this year. Compliance people, meet your financial compliance people. They know more about compliance than you ever will. The SEC is taking an active interest in this. Just last week they released something called the Large Trader Reporting Rule, 13H-1. You should read it. It's really, really interesting. This is their entire response thus far to the flash crash, and what they're saying is it would be nice if we had an audit trail. Yeah, that's right. All you need to be regulatory compliant is a better audit trail.

If you're in the trenches, do some fucking research. We haven't seen original research at DEF CON in God knows how long. The next derivative piece of shit talk. I am so fed up. Do the research, please. Make the time. If you don't have 20% or 10% time from work, you should be doing it at home. Find something and start picking at it and peel up the edge. I only started really poking into this actively about six months ago. I'm here, you're not.

Understand your business partners. Build the POC labs where you can show this stuff. Your POC lab is going to have to be weird and esoteric. It's not the POC lab that you're using right now for your little Windows vulnerabilities and desktop bullshit. You need 10 gigabit Ethernet. You need InfiniBand. You need PCI-E machine-to-machine. You need machines that have 12 cores, 128 gigs of RAM and stupid fast connections. You need the open source FIX transaction system so that you can build FIX transactions and send them out on the wire. You don't understand this stuff and you try to talk with authority about it. Until you've played with it, you don't get to talk about it. It's kind of like teenagers and sex. Encourage the vendors to get with the program. Please, thank you. Oh my God. Vendors, step up.
A couple of them have and huge kudos for the couple that have. I'm in the next panel but I will do Q&A. If you see me walking around, I'll talk to anybody for anything. Yes, you can bring the beer up now. Oh, you're waiting for... I'm in the next talk. I need the beer now. I'm worried about those paper towels though. Yeah, I always have my towel. Thanks everybody. I really appreciate you coming out.