Alright everyone, might as well get started on time here, welcome to the CDC panel! Time for me to go away. Is anybody out there who was here 20 years ago at DEF CON 7? Might have seen these guys, show of hands. Raise your hands. Pretty good. I saw it. I saw it. They were awesome. Yeah, they were great. Alright, listen to those dudes.

This is like the 727, like DEF CON 7, DEF CON 27. As long as we're not the 737 Max, I think we'll be okay. So thanks for showing up. I'm really excited about this. This is the largest CDC assemblage on a panel in close to 20 years. I miss you guys!

It was briefly introducing folks here. I mean, you can read the bios and stuff. I'm Joe Menn. I'm a reporter. And I wrote a book about these guys, which I hope you read. This is Deth Veggie. Luke Benfey, his actual name. Oh, God! Minister of Propaganda with the Cult of the Dead Cow. And he's got like a regular security job, too. Next is Omega. The elusive. He says this is his first hacker con in close to 20 years. So show him some love, please. So if you read CDC text files once upon a time or more recently, the odds are pretty good that Misha edited them. And he also invented the word hacktivism, which continues to resonate today. And if you're a fan of the $6 million man. Oh, yeah. Good file. And the clean-cut looking gentleman is some dude named Mudge. Living legend, former DARPA cybersecurity czar and a whole bunch of other stuff. Frequent keynote speaker here, just all around inspiration. Inventor of the Cyber Fast Track at DARPA, which gave like government money to people like you to go find cool shit. And then finally, Chris Rioux, DilDog, the man who wrote BO2K, released here 20 years ago, more recently birthed some unicorn called Veracode, which is Davos company.

So if they were most famous 20 years ago, why would I write a book about them now? Why would we all be gathered here today? It's a good question. There are actually three reasons.
One is they're still around today and they go back to the mid-80s. So it's that they're a skeleton key for like all of the major turns in InfoSec and hacking through that time. You don't have to go back and read 30 years' worth of Usenet posts. You can if you want to. But you don't have to to get the essence of the major leaps forward in InfoSec. That's one reason. The second reason is my last book was depressing as hell. It was called Fatal System Error and it was about basically how we're all screwed because security is hopeless and the Russians hate us and they don't care about crime and all this other stuff. All of which is still true. I don't want to give you the idea that we're not screwed. No, the Kremlin dislikes us. The Russians are fine people. Russians are nice folks. But it was a downer. And if I only got to write one book on cybersecurity, I would probably write it down. I would say we're basically screwed. But I get to write two. It turns out I lived long enough to write another one. And I wanted to do something positive. Here's something that works. Here's something that's worth emulating and worth trying. And the third reason is that CDC has, I think, at least three key qualities that are really, really important that I want to get out there into the world, particularly to folks that weren't around back in the day. The most important is critical thinking. I feel like we have a worldwide crisis in the lack of critical thinking. We have people who believe that the world is flat. And I don't think we're going to get the Department of Education to parachute philosophy professors into school districts around the country to teach them critical thinking. So we have to find some other way of celebrating and holding this quality up. And all good hackers are, by definition, critical thinkers. You're looking at a system and you're trying to make it do something it wasn't designed to do to see if that works. 
And we need that in all walks of life more than ever right now. The second is that one or more moral causes driving them. It varied over the years. It varied based on the individual. Pursuit of knowledge, spreading of knowledge, human rights, there were many moral causes. And I think that's really fundamental and is also getting lost today. And the third thing is that they're adaptable. The CDC morphed so many times. You know, bulletin board operators, text files that were funny, sometimes obscene. And then there was the tech influx and they managed to slap Microsoft around until they got this court certified monopoly to take security more seriously. And then they did amazing things since then in the public sector, Mudge and others, private sector, DilDog and others, and keeping the idea of activism alive in the private sector, excuse me, in the non-profit sector and sort of garden variety activism. And they've done all those amazing things. So I think as stuff gets weirder and harder in this world, the ability to adapt, the ability to say, well, I know this thing, I'm going to keep these values and I'm going to try this totally new terrain, learn how to mess with the media, learn how to talk to Congress. I think that's essential now as we're doing with info ops and all this other stuff that none of us have a background in. I think it's really important to be able to do that.

So without further ado, I want to sort of go through the chronology here reasonably quickly. I'd like to have Q and A at the end and I want to talk about, have everybody talk about, you know, the way forward when we're done. So I'm going to start out with Luke here. Veggie, give us a little bit of the history. Lubbock, you know, where did CDC come from and when did you run into it?

Well, Cult of the Dead Cow came out of Lubbock, Texas in the mid-80s. It was founded by... More into the mic. More into the mic. Came out of Lubbock, Texas in the mid-80s.
It was founded by three punk kids, Swamp Ratte, Franken Gibe and the elusive Sid Vicious. Sid Vicious was only temporarily involved with it and then his parents took his modem away. But, you know, the other guys started to, you know, spread around bulletin boards within Texas and then further out publishing text files, sort of developing a network of other BBSs that would sort of publish and release CDC files because they framed it as a, you know, you get to release CDC files. We'll put you in, you know, you'll be a member of the K-Cal force and being a member of the K-Cal force means you're allowed to release CDC files. Like, oh, yeah, I want to be allowed to release CDC files. Yeah, exactly. So, as I say, it started in Texas, but by the late-80s, it had spread much further. I grew up outside of Boston. I had been exposed to CDC through their text files as far back as 87. So they were, you know, their group I was aware of and looked up to. I started to talk to various members on BBSs. Then I started to allegedly set up hypothetically illegal phone systems to talk to them and so that they could talk to each other and eventually I was invited to join. And, you know, that was in 91, I believe. Yeah, these are my people. Yeah. And so, you know, after that, you know, so I would say that I think it's probably to say that I was part of the sort of the second generation of CDC after the really early members, including Obscure Images, who's here today, had sort of really blazed the trail. So, you know, from the very beginning, I looked up to CDC and I'm still immensely proud to be a part of it.

Awesome. So I just want to say that among the first generation also is this Beto O'Rourke guy. Psychedelic Warlord. Yeah. Psychedelic Warlord 2020, Make America K-Rad Again. And Kevin Wheeler, I don't know if you... Swamp Ratte, yeah. Yeah, the... Sorry, sorry, Grandmaster Ratte. Grandmaster Ratte. He was promoted. So yeah, so that's the beginnings in Texas.
Another very key early member is Jesse Dryden. Mr. Drunkfux. Yeah, we're at DEF CON. We can say his handle is Drunkfux. So he started HoHoCon, which was the first hacking convention to bring in, to invite the press and the cops, so they didn't have to go to the trouble of pretending to be hackers and secretly like trying to recruit snitches and bust people. So, Misha, you went to early HoHoCons. So did Jeff Moss, some guy got some ideas from there I've heard. So take us back to early HoHoCons. What was the significance of getting together in person with all these people you only knew on BBSs?

Sure. So the first hacker conventions were like SummerCon, and they were invite only. So if you happen to be users on privileged BBSs that participated in SummerCon, you would find out about the invite. It would be in St. Louis during some summer months when school was out. Possibly at the same time as a Swinger convention. That's a different story, yes. There's a Swinger convention. So several of us were really confused when we showed up at some of these early conventions going, is this what hacking is? So the original hacking conventions were invite only. So these were private affairs. Hackers were going to talk amongst themselves and of course they wouldn't want journalists or certainly law enforcement there to record everything that was going on even though they probably were there from the very beginning. When Drunkfux started HoHoCon, his first attempt at HoHoCon was also invite only. But then somebody found out about it and they let Howard Johnson's know that there was going to be a bunch of hackers descending over Christmas time at their hotel, and Howard Johnson's had a fit about this and they cancelled the contract. And so it became public that there was going to be a bunch of hackers somewhere in Houston over the summer, the Christmas vacation.
And Drunkfux famously sent out this message on BBSs, CDC BBSs, saying, "HoJo's says no no to HoHo." And so kind of out of that, he said screw it, we're going to have another convention somewhere else. We'll find some other hotel to go to. And this time we'll just invite law enforcement and we'll invite the FBI and we'll invite journalists. Maybe they'll show up, maybe they won't. And so this was one of the first hacker conventions that was sort of open to the public. And many of the things that people take for granted as features of DEF CON and Black Hat were actually pioneered at HoHoCon. So, spot the Fed. Why would you spot the Fed? Because we're inviting them to this convention and they're trying to fit in. They're the ones with the crew cuts and they're burly looking and they look uncomfortable being there and it's easy to spot them, right? So HoHoCon invented the spot the Fed contest. They invented selling hacker t-shirts in order to recoup costs for the convention. That was a big, so swag. Moisturizing, moisturizing, moisturizing. Moisturizing was a big thing. Capture the Flag was something else also pioneered at HoHoCon. And so this HoHoCon was kind of critical in computer security history for pioneering all these things sort of incidentally that have become staples of security conventions generally or Black Hat and DEF CON specifically now.

So also a couple other quick things on that one is that Texas is kind of big and in Boston or New York hackers could get together more easily. So you sort of needed like an organized event to get people there. And I think the personal relationships that developed that you can only do in person instead of just online made a big difference in sort of the CDC's trajectory. And you could actually trust each other. Which has not been true of many other hackers.
And that was one of the effects of SummerCon in that you got to meet Taran King, Knight Lightning, all these hackers that you looked up to who were on BBSs you called. But again it was invite only. It was a very, very small select elite, if you will, group. The number of people who attended SummerCon was like less than 50, maybe 50, and then at HoHoCon it was again open to the public. It started out with maybe more than 50 people and then grew and grew and grew. But for CDC it was the first time that most of us could meet each other. So I was living in Boston. I knew the Boston crew. I knew that the folks who would later, the Boston people who would later join, be inducted into CDC. The people who would later form the HoHoCon. I didn't know the CDC people in Texas. I didn't know them in Wisconsin, Chicago. I didn't know them anywhere else. And so when Drunkfux put on HoHoCon this was an opportunity not just to meet other hackers that I looked up to but it was an opportunity to meet other hackers in CDC. Other people in CDC that I had looked up to or that I communicated with but had never ever met. So that was important to us as well. Again, as you say, it's like you're meeting your friends for the first time. You're meeting the face behind the monitor. And especially back then that was a really big deal.

So another thing that makes CDC different from other groups of the time, and CDC wasn't the first, it's just the survivor of them all. Some of the others were more, most of them in the beginning were more technical. People who were actually breaking into stuff a lot and writing about it on bulletin boards, perhaps unwisely. Whereas CDC sort of came out, it's like the liberal arts wing of the hacker underground. It started with the text files. And not everybody was an engineer or a future engineer. Some people were more about social issues or the writing itself. And I think that actually allowed CDC to survive when others would get rounded up from time to time. So, Mudge.
Tell us a little bit about the L0pht. For those of you who don't know, there's substantial overlap between L0pht, which I assume you all know about, and CDC: four members lifetime that were in both, including the two gents at the end there. L0pht, pioneering hackerspace, told Congress what was what in 1998. Thank you for that. But the L0pht and CDC had an interesting dynamic which we'll get to in a little bit. So educate folks a little bit about the L0pht and how you came into it.

Sure. So CDC, when they asked me to join, I was already in the L0pht, I believe, at the time. And what was interesting is they were making this transition from being a bit more of this sort of, I mean, we've always been like the crown jesters. But they wanted a bit more of a technical sort of presence as they saw the field moving and this sort of handoff to it, and they said, well, do you have any, you know, like advisories or security, you know, write-ups that you could, you know, contribute to us that would, you know, move us in this particular direction. At the time it was one on S/Key that I did, and I was like, of course. I mean, I was a huge fan, and Omega and White Knight were kind of the folks that I was hanging out with and I really looked up to, and when they were willing to bring me in it just, you know, it meant the world to me.
But what I saw with the L0pht, and when Dil came in with the L0pht, is we really started going heavily into full disclosure, and we're credited with kind of pioneering a lot of, like, what it became, the controversy, some of the animosity to it as well. But it was all about: we're going to bring transparency to some of these security problems, because big corporations... You know, I was working at Bolt Beranek and Newman, this little company called BBN, which had created TCP/IP and the Internet for DARPA many, many years ago, and I was like, I get to work here, this is fantastic. And they were starting to move over to Windows, and we saw a bunch of vulnerabilities there, and we went back to Microsoft. So this was the Department of Defense and government contractors, and Microsoft was at that point where they were becoming so large that the US government and other governments really couldn't influence them. There was a bigger sort of market for them to play to, and so they said, we don't care. That was kind of the response: it's not a security problem unless, you know, it's affecting our bottom line. And I went to Tad Elmer, who was the CEO at the time, actually might have been George Conrades, I get him flipped around, and I said, hey, you know, I'm with the L0pht, I'm with this hacker group, and they're like, we have no clue what you're talking about, whatever. I'm like, I think I can get them to respond if, you know, if I do some things, but it's not associated with this company. So we started pushing vulnerability disclosure and advisories, and so we started giving proof and exploit code and proof of concept, because Microsoft could no longer say it's not a problem, that's just theoretical, you know, because now everybody could do it, and they started to move in response. That was actually one of the L0pht slogans, was "making the theoretical practical since 1992." So that's where that really came from. Yep. So, and the really fascinating part with CDC, because CDC had this sort of, like, bad cop, and the way I was trying to help
prop the L0pht up for, like, you know, like, I don't want to call it brand recognition, but, like, where we came across was, you know, this sort of, like, neutral cop sort of setup. And we were doing the same thing, and here I got to play both sides and say, if we release an advisory through Cult of the Dead Cow and if we release the same sort of information through the L0pht, it's the same message, just packaged differently, coming from a different source, and it got a very different reception, and it was fascinating. So BO, which you're going to hear about, Back Orifice and Back Orifice 2K, you know, came across one way, and we played to see: if something's released and it has a negative spin, can you ever claw it back? And if something releases with a somewhat neutral or positive spin, does it become perturbed? So it became this great sort of, like, culture jamming, like a Petri dish to really mess around with. I was in love.

I just think one of the really incredible things, going back and looking at this whole history, is that at the time hackers were still, they were sort of coming into their own, late 90s, really starting to get attention. People were concerned, people were interested. They were vaguely threatening, they were a little scary. And despite the pedigree of the people who were involved, the way to actually make change was to be, like, cartoonishly villainous. So Grandmaster Ratte here on the stage, pacing up and down, rapping with gold chains and rabbit fur chaps and throwing CDs into the crowd, literally igniting his crotch on fire with flash powder. Not recommended. No. That generated media, that got the cameras, and Microsoft, when somebody from NBC or ABC or whatever sticks a microphone in Microsoft's face and is like, what are you going to do about these evil hackers that are going to allow anybody to hack anything, then they actually have to come up with an answer. So Back Orifice came first, by Sir Dystic, here in 98. Thank you. And so that was the widely distributed Trojan, and after that Microsoft could
have said, yeah, you're right, we really need to build in some security with TCP/IP. But instead they said, you know what, it's not a problem at all, but if you're really concerned, if you're really concerned, then you can upgrade to Windows NT or Windows 2000. So they used it as an opportunity to upsell. So at that point I probably would have given up, and Sir D brings DilDog here into the picture and has him write BO2K. So why didn't you give up, and how was BO2K more of a poke at Microsoft than BO? Well... And were you independently wealthy? I mean, how could you do this? He's begging my answer here.

I got involved with L0pht through just random social connections. So, like, 1994 is when I went to MIT and started to get the sense that there was some hacker culture there, and got very interested in the whole field of security. I met the L0pht folks in 96 when I went to DEF CON 4, which is now 23 years ago, and we needed to talk some more after they had seen some of the stuff I was doing. So we ended up becoming the first employee of the L0pht, actually, in, I believe, 97, so working on L0phtCrack and things like that, bringing in some revenue into the L0pht so that I didn't have to do my day job, which at the time was just working at a bank. I told my mom, I'm going to quit my day job at the bank that I worked four years at MIT to do, and I'm going to go work with a bunch of hairy hackers in a warehouse and make no money until we sell a bunch of copies of a password cracker. And she was like, you better know what you're doing. I'm like, oh yeah. And then he saw my code and he's like, I have no clue what I got. Anyway, so, you know, we got L0phtCrack out there and I was searching for other things to do, saw Back Orifice, was very inspired. I was just like, wow. The notion of remote control and remote administration of Windows systems was kind of near and dear to my heart. Back in 96, hacking Windows was considered extremely lame. Nobody was hacking Windows, because systems were not, nobody was using Windows NT for anything
important. It was all, like, the Solaris and the Ultrix and all this other, you know, big name Unix brands that were cool to hack, and Windows was not cool to hack. So I naturally gravitated toward this because I saw it becoming a big deal, and published a lot of buffer overflow exploits and things like that, and got really deep into system programming and kernel programming. And when I realized how expressive and verbose and ridiculously broad the Linux, so I've been doing that too lately, the Windows kernel was, it was that you could do so much as a regular user, like, so much that you could get away with: you know, opening up threads inside other processes that you didn't start, and then, you know, injecting code into them, and then running extra threads in those process spaces. I mean, there's just, the amount of stuff you could get away with was so big that the, I wouldn't call it attack surface, but your ability to create extremely creative programs that did things that nobody expected was completely supported by the OS. And it wasn't, there were no, there were no exploits required. Like, that's why I'm here. There were no exploits required to write Back Orifice 2000. It was just, the design of the thing was so security unaware that you could get away with doing amazingly, like, unprotected things and surreptitious things completely within the bounds of the security, you know, designs of Windows. So, I mean, it actually gave you, the person remotely, more control to the computer than you had sitting at it. It was faster to use BO2K to do administration than it was to do it using the mirror on mouse, you know, a keyboard. In fact, we've, you even released a professional pack. Yeah, L0pht had its own commercial BO2K plug-in set that no one bought. Well, it was also free. I think that's true. Maybe to give it away, but it was, yeah, like a remote file browser and a registry editor and things like that. We wanted to have parity with Remotely Possible and all the other, like, you know, pcAnywhere. Yeah, like
that. Yeah, this is a legitimate tool. I do know at least a few people that used it legitimately. I mean, you know, I was the person who was getting the email, and I got emails all the time from people like, hey, I'm in the Navy and we use this to administer all the machines in our lab.

And so, speaking of which, for folks who aren't aware, just a little context with what Dil actually did with BO2K, and actually, so just to kind of pioneered with it, was every one of the major implants that you see today, the core functionality can literally be traced back to this, and I've actually got the history on both sides to say it can be traced back to this. So it was, it was, it was fun. Thanks.

Yeah, so, you know, BO2K was a big deal. It was a lot of fun writing it. You know, my challenges were making it nice and small and compact. You know, I, you know, wrote it without libc, so, you know, comparable tools were, you know, megabytes and tens of megabytes of size; it was like 160k or something total and compiled. So, you know, just some of the technical challenges there. I had a real fun time with the Windows kernel, and it was, I don't know, am I even answering the question you asked, Joe?

Let me add, just as a side note, we actually thought about selling BO2K for a dollar. So as a remote administration tool it competed with pcAnywhere and some other stuff. If you were running an antivirus app, it did not detect pcAnywhere or any of these other commercial utilities, even though you could trick somebody installing that, using it just like BO2K. It did not, antivirus vendors did not detect those commercial programs because it would be restraint of trade, right? They're making money off of it and you're basically depriving them of money. And so for a short time we thought about, actually, well, we could get antivirus vendors to not detect BO2K if we sold it for a dollar. And so, why we didn't sell it, you can talk about that.

So, so to set the stage, at the time crypto was a munition as far as the US government was
concerned, and one difference between BO and BO2K is that we wanted strong encryption, we wanted meaningful encryption, because I guess it was just XOR in the original Back Orifice. Twice. It was ROT26. So what did you use in BO2K?

BO2K had a pluggable architecture, so you could plug in different crypto systems. It came with Triple DES, and people wrote Blowfish and AES, Rijndael before it was AES. But part of this is, because encryption, crypto, was considered a munition, people were going to be down on this from all over the world, we assume. How do we handle it? So we actually hired a lawyer. It was a, are we allowed to say? Cindy Cohn, who's now with EFF. So we retained the law and said, hey, we want to do this, how much jail are we going to go to? That was a really frequent thing on the mailing list. Yes, it was. And so basically she said, don't sell it, that's a totally different kettle of fish, and you have to at least make a different version without the Triple DES available, and you can say, hey, if you're outside the United States, download this one instead.

Sorry, we, I was just going to say, off the one part of the, it was a really common sort of, like, how many years of jail are we going to serve for this, the back and forth between L0pht and CDC for the exact same sort of thing. With the crypto as a munition sort of thing, we even set up, during this time period, we were like, hey, wait a second. We actually went and started to get our license to manufacture firearms and high capacity and everything else, because we found a loophole in the crypto law that says once you are a manufacturer of munitions and you have a license for munitions, you can do crypto. And anybody can go get a storefront on the Charles River or anything else, sell a prototype into some military or, you know, government agency of, like, a little less flash bang or something on it or whatever, and you got this license, and then all of a sudden you could do crypto back and forth. So we were trying to show that it was this sort of, like, loophole
and it really was a false flag, and it was really this red herring sort of setup. And that was the beautiful part about the L0pht and the CDC, is that we could see this thing on each side and go, hey, wait, we figured this out here. Okay, well, yeah, but they view us as X. Well, let's try it as Y. Oh look, they view us as Y. Okay, we'll bounce it back over to X.

So I want to do some @stake now. So the industry is rapidly evolving. Microsoft brings, and AOL bring, the internet to everybody, and CDC and L0pht suggest that maybe they ought to put in some security as well. So they get around to that a little bit, but it's 99-2000, people are making all kinds of money, and why not try to go pro? So thus L0pht takes some venture money and becomes @stake, which lasts about five years. So some really amazing things happened at @stake, some things didn't work out so well. Why don't you guys talk a little bit about the @stake experience?

I'll lead her off, I guess. I don't want to get us into that morass, that mess. I say that there was some really awesome stuff that came out. You can trace almost, I mean, you can trace a lot of really influential people, influential organizations, like Stamos, Dave Goldsmith, you know, the Matasano. There was a lot of good that came out of it. There was a lot of, like, Katie Moussouris and Window Snyder, a lot of technologies and people started amazing things after @stake. Now for the L0pht, it was kind of like a defining moment, after we had gone from a hobby group into something with the direction and a mission, into something that ultimately was a lot of friction in other areas. And what we had wanted to do was, we loved our hobbies and we all had day jobs for it, and a couple of the things that I had written and that, well, contributed to or whatever, made enough money that we were able to bring in our first paid employee for it. And we were like, wait a second, how can we go pro such that we can do what we love doing during our day jobs, because we don't necessarily all love our day
jobs. What we didn't understand at the time was kind of, like, how the VCs seemed to align with us but maybe didn't entirely, but that sounded good. And some hard knocks came, but it turned out to be a really interesting complex system, and anytime there's a complex system there's a lot to be learned there. Like the divestiture and the different branches that spread out from it, like Veracode, that came from the L0pht all the way through @stake, incubated at @stake, and a lot of other ones were very positive.

Let's hear about Veracode.

Veracode's early beginnings were a decompiler effort that I had started in 1999 at the L0pht. I had been doing a lot of reverse engineering by hand. Much of what I was doing was very repetitive and I wanted to build a tool that would help me do it faster. So I found a very early decompiler research paper by Cristina Cifuentes from the Queensland University of Technology, read through that. It's the same research paper that resulted in things like Hex-Rays and Ghidra and things like that. So I was one of the first to really go through this paper and find ways to enhance what would have been done there to produce high level models of low level binaries, and we got funding through @stake to continue to do that research while I was there. I mean, @stake had a very vibrant research team, which was the L0pht plus some other folks that we hired along the way. And the safe decompiler, which used to be called UDS, which was the Undeveloper Studio, also named after a contraceptive. It was the L0pht, we had a lot of bad jokes in there. So I ended up sort of shepherding that IP through @stake, getting some employees, building a product, and we, when it got sold to Symantec, we basically had no way of keeping that project alive unless we found a way to spin it out. Symantec wasn't going to do anything with the decompiler. We talked to some of their executives and they were like, it's a C++ thing, we don't do C++ anymore. Apparently Symantec had a C++ compiler that they had been
selling for a while to compete with Borland, so when they stopped doing that, they just kind of looked at what we were building on paper and said, no, we don't do C++ anymore, and they basically let Veracode walk right out the door. So we got some venture capital, proceeded to get it funded, and built a company, the first to do binary analysis of things that were not necessarily on your desktop but sent to you across the internet. People wouldn't send source code for analysis across the internet, to be too valuable to let out the door, but they'd be willing to ship your binaries, because they're going to ship those anyway. So there was a business model there, you could do a service.

We have, like, 10 minutes. We haven't got to activism. Okay, so Misha, Omega, talk to us about, awesome stuff in the private sector, you can take my word for it, if you don't know, that Mudge did amazing stuff in the government sector. Tell us a little bit about Oxblood Ruffin's entry into the group and the sort of, like, the birth of activism and how it's evolved since.

Okay, I'm gonna have to share some of the story with Luke. I think I can say that the way that Oxblood introduced himself to us is by sending me an email insulting Count Zero, and that was enough to be, he was like, I love all you guys except that fucker of Count Zero. I was like, what? What did Count Zero do to you?
So he came at us in this, again, like Luke said, in this kind of strange, strange way, and developed a conversation with a couple of CDC members, and we ended up meeting him at DEF CON one year, and he basically came at us almost on day one with a pitch: "You guys are pranksters and jesters and you have the stage a little bit. Have you thought about doing anything more substantial with the media that you can get or with the attention you can get? Have you ever thought about doing anything more with that?" And I think my response was, "Why can't we have both?" You know, ¿por qué no los dos? And so anyway, we ended up inducting Oxblood into CDC eventually, and he brought a different, he definitely brought a different perspective, different sensibility. He had a background working at the United Nations. He clearly had, like, a marketing background to him, he had a marketing head to him. He kind of pushed us in certain directions for branding or messaging, and he kind of brought sort of a social consciousness, yeah, to CDC. And this is around the time when the Great Firewall of China started happening and China was starting to expand out into the rest of the world, and for various personal reasons he had an interest in China, and we kind of, for various current-event reasons and also because this is sort of his pet peeve, we kind of focused on China as just a focus of attention, and China became kind of a reason for trying out different ideas, and hacktivism became one of them.

So I just, just to make sure that we hit a couple things before questions, and I forgot to say earlier, we're all going to sign books at 4:15 in the vendor area in Bally's.

Before you break off, I mean, you can't go from China without talking about Slobodan Milosevic and the CDC being in the Hague.

I just wanted to hit a couple things. So one of the great things that they did is they had a hacktivism panel here at DEF CON a couple years later, and Patrick Ball was, like, actual practitioner, technologist in the field working on human
rights, compiling databases, making sure they're compatible, so he cross-referenced the army officers, where they were, with when the most human abuses happened, and, you know, come up with the worst abusers and then try and get them fired. He went after Slobodan Milosevic, who served as his own defense attorney at the Hague, and there is a great exchange where Slobodan Milosevic asked Patrick Ball, "What is your affiliation with this dead cow cult?" Luke?

You can find the video on the Hague website. So when we saw that, it was just, like, crazy, and I'm not sure I like the fact that this genocidal dictator knows who we are.

It's the International Criminal Court of former Yugoslavia. If you search the transcripts for Cult of the Dead Cow you'll come up with many, many hits. We're referenced.

You know you've arrived as a hacktivist organization when you're name-checked in a war crimes tribunal not once but three times.

Three times.

Among the influences and impact of the group in this sort of, this tranche of it, was Tor. So Oxblood and friends tried to do privacy-protecting browser, which in turn convinced Dingledine to put a browser into Tor, which seemed like a pretty good idea in retrospect.

Navy had something to do with that earlier also.

No, I mean, Navy first, and then it spun off, and then they're like, hey, that's a good idea, we should adopt that. We had a significant influence in the early days of the Citizen Lab, who are awesome people at the University of Toronto who track governments using malware against their own citizens. So that lives on. So I think we ought to go to questions or we're not going to get to any. So, forget how this works. We have mics. If you don't have mics, just scream.

I was thinking, just write your questions on twenty-dollar bills and just bring them up.

Change.

So I will restate it, because this is, this needs amplification, which is: you're looking at a panel of really white guys from a middle-class sort of situation, and where the hell is the diversity? And there was diversity
there, so why isn't the diversity here now? Did I catch that correctly?

Lady Carolin didn't want to come, but I will be seeing her this weekend.

This is really, really important, and this, thank you, because it's one of the things that we really cherished, and it's one of the things that Beto O'Rourke really brought in, because he was one of the earliest people, and I'm not trying to push for this, he was early CDC member, but he was the one that even back then wanted diversity and wanted to bring in different sorts of opinions. And it was something that we really cherished at the L0pht, and the L0pht was very white as well. We had mega hacker and we actually had Aida and everybody else, but it's one of these things where we loved challenging each other. We liked the fact that people came up from different backgrounds, from different understandings, with different experiences and stuff, and we were all frustrated that our experiences weren't different enough. And if you are running a security group, or if you are working with different people, and you look around and everybody looks like you, you're not good defenders and you're not good hackers, because where you get the different ideas and the different perspectives and how to challenge what you're looking at is from diversity. The more diverse the team you have is, the better you are at finding the vulnerabilities, seeing things differently. So either you become the old guard and you say, "No, nobody else joins," or you become the old guard and you say, "I welcome the diversity, let's move forward." Thank you.

One more question, the ikes.

So the comment was, we didn't talk about the testimony to Congress and what that meant. And real briefly, that was, CDC actually helped prop that up. We wouldn't have had the publicity and the recognition for the L0pht to do it otherwise. There was a lot of behind the scenes, I was working with the National Security Council, and Joe actually mentioned something that I thought was kind of interesting, because he said we should
talk about the L0pht. It was almost like, that hurts, because it's not like we thought we were going to fix the problem, but testifying to Congress, and it took a lot of convincing to get the L0pht and the other folks to go there, was to open the door, to show that there could be a communication between two different groups that don't see eye to eye, maybe never should see eye to eye, but have certain things that they're okay with together. And actually, so I really view that as, that's what CDC to me means, it's what the L0pht to me means, it's what I didn't see at DARPA and everything else. I just want to open the door. Everybody else can take it further, because that's what I wish it happened to us back then.

Okay, thank you very much. I hope to see you at the signing.

And it's good to be back.

Thanks, everybody.

If anyone's interested, I have a very limited number of university CDC challenge coins for sale, and if you want one just pick me up.