Thanks for being here. Staring into the Abyss: the dark side of crime fighting, security, and professional intelligence. What I'm going to do, it's a longer talk as usual; it's longer for Black Hat, so I'm going to try to hit the high points. You pick up the CD and there are, I believe, about 34 pages of documentation supporting what I'm saying. So some of it I will simply refer to, and trust you, if you're interested in seeing that I'm not making it up, to look at the CD and you'll see the support for it. It's got several, let me get this stuff out of the way, several parts, and so I'll signal when I'm starting a new one.

The beginning is about the fact that I can't get my mind around that this is my 16th DEF CON and that I keynoted. Yeah, that's for longevity, right, that I am living. And yet there are markers to tell you how you are doing along the way. Within the first couple, the London Sunday Telegraph had a piece on something I'd said, and it referred to me as a father figure for online culture. I thought that was cool. And then about a decade later some hackers said, you know, you're going to change that to a grandfather figure for online culture. And then last year during my talk someone tweeted, you may think Richard Thieme is just a deranged old man wandering about the con, but he does actually have something worthwhile to say. Those of you who are young and are amused by this story, just know that this too will be the dots of your trajectory, which will inevitably project into the future you cannot even imagine as your chemistry changes. But keep in mind that what chemicals take away, chemicals can put back. There is, blessed be the names of those chemicals.

Okay, so ideally, as we follow this trajectory over 20 years at DEF CON, or 19, we have a greater sophistication, greater sense of nuance, greater sense of the grayness of all things. We hear about gray hat hackers as if they're one of three. Let me tell you the real definitions: a black hat hacker translates into a hacker.
A gray hat hacker is a hacker who knows when it's appropriate to fudge the truth. A white hat hacker is a hacker who put the truth down somewhere and doesn't remember where they put it. It's all gray. It is all gray hat hacking, because hacking and computer science and computer technology and infosec is a subsection of society, and society is all gray, and the longer you live the grayer it gets and the more the blacks and whites dissolve into the irreducible middle.

This talk is not like many of them are, the useful talks, the practical talks, the talks that tell you three things you can do on Monday morning when you get back to work. What I'm trying to illuminate with this is the fuzzier or grayer landscape of our professional and personal lives, and as we grow older we see they are very much the same for a well-integrated human, so that ideally, when you come to some of those crossroads in the future that this talk will illuminate, you will remember some of the things I said, because the decisions you will have to make at those moments are not trivial or easy, because the world in which we now live is not trivial or easy, and information security is not trivial or easy.

Gosh, there's just so many information security professionals. In 2010 Frost and Sullivan said there are 2.28 million information security professionals in the world, to which an experienced and truth-telling security practitioner said, then it sounds a lot better when you say "information security professional" and make air quotes, because that's not what they all are.
We're all in this together; all hackers, all hacking is gray hat. And nevertheless, as an industry, which is really what this is still about, Black Hat, it's really about that: the industry, like all industries, has developed a narrative which is self-serving. It defines the view of reality which is permissible to speak; it defines the paradigm. And when you define the paradigm up front, you don't have to worry about the answers, because you're determining the very questions that can be asked, and those things of which we are not allowed to speak, we do not have to worry about how people feel or think about them, because they never surface. They remain anomalous, or a source of cognitive dissonance, or background fuzzy noise. But the fact is, those in the picture of the narrative don't see that there's a frame, and there is a ground of being for the narrative, and that's what I want to illuminate if I can, some of it: the context, not the content, which it is habitual to hear about here or at Black Hat.

Things have changed over the years. Years ago I referred to the creation of the digital space as resulting in real birds in digital cages. I came to that when I was asked by a global public relations company way back when. When I started writing about this stuff in the 90s, email was so new that when someone got an email it didn't even occur to them that the person writing it wasn't right there in their city. So I got an email from someone in London, because they had read something I'd written for an English magazine and assumed I was in London. He asked me to come over for a drink after work to discuss doing brand defense, and I called him and said, I'm in Milwaukee, I can't come over so easily, but we can work, we didn't have words for, we didn't say "work remotely" then, it was a new concept, but I said I can do a lot of that from here, we can collaborate. Tell me what brand defense is. He said, well, that's easy. If we have a client, say, who's a tobacco company... I said, I see, you want me to build
what we were learning to call websites that defend your client. And he said, no, no, no, we want you to build websites that attack our client from a multiplicity of points of view, and we'll give you enough information to be credible in your attacks, but not so much that it will be a smoking gun that could bring serious damage to our client. And therefore you will collect in those websites the real birds in digital cages, the people who are opposed to our client, and inflect the conversation, alter it, so that it becomes essentially harmless in the end, and we will turn the digital cage, and the birds, because they have the illusion of the freedom of flying that comes from flapping, will think they are free and flying in fact. So I called those real birds in digital cages.

He wanted me to go into Usenet groups, which existed. So how many of you know what a Usenet group is? All right, not bad. I was talking to a young whippersnapper who was trying to get me out of my literary mindset into transmedia, and I said, well, the person who introduced us, we met during the days of the bulletin board, and he said, what is a bulletin board? And I said, you know, this is before Google, it's when we used Gopher. And predictably he said, what is Gopher? Deranged old man wandering about the con, lost in his memories.

So he wanted me to go to Usenet groups using what we didn't yet call nyms, to create false personas, we didn't call them screen presences, and inflect the conversation, so if it got too sticky or close to something that would be damaging, kill the cat or set fire to the curtains or do something that will distract people from what they're thinking. You probably recognize this now as the real world in which we live, the virtually inflected world in which people project themselves into virtual spaces, because we evolved to be trusting of our senses, and so we think that what we see is what's there. And the bottom line of everything I speak about and write about is that nothing is what it seems. It
really, really isn't. This is not a conspiracy theory; this is just what's so. Nothing is what it seems; it's what's so. It's also so what. So that's not news.

Well, now, instead of digital birds in real cages, with the advent of social media what we really have are real flocks of birds in digital cages, and in addition to the illusion of the freedom of flying, because when we look up or down or to either side we see other wings flapping, we have the illusion of security, because we're part of the herd. We're part of the hump, of the humplings, the bell curve, a word I think I created, the hump of the bell curve. You know, there's like 10% up front; those are the masters of society who create environments and realities for us. And we're the 80% in the hump of the bell curve, humping along, humplings, hump, that's what they know how to do. And then there's 10% at the end that are the dregs, and the masters keep the dregs so the humplings will see the dregs and be grateful they're not the dregs, and thank the masters for keeping them in the hump and not letting them fall back into the dregs, i.e. people who can't get work after three years, or have a lower standard of living, or who are denigrated in many ways. And then everybody is happy except the dregs, but they serve a larger societal purpose by making the rest happy, so if you deconstruct their unhappiness, they too are happy; they just don't know it, so they get violent, you know.

At any rate, providing that hump, providing that herd, providing that flock of illusory digital wings provides not only the illusion of freedom but the illusion of security, and as the bigger and bigger cage turns, because we are part of a flock we cannot even see the edges of the cage, so far is that parallel universe from us. In other words, we are all assimilated. We cannot help being assimilated into the organizational structures of the larger cultural entities of which we become a part. Margaret Mead, the great anthropologist, said years ago that it takes her a full year to learn again what
she learns in one week when she enters a new culture, and the reason is, when you come in new you see it with beginner's eyes, as the Buddhists say. You see it fresh. You see that the cues you are used to responding to aren't there, but there are different cues, and you see it clearly, like the terminator on the moon, over against the light and the darkness; you see the reels in the mountains of the cultural norms and behaviors in a different way. But after a week or so she already unconsciously was assimilated into the culture to a degree that undermined her objectivity and ability to see, and it took longer and longer and longer to see more and more. And therefore we go by the known but unwritten rules.

You know that in any organization, some of you belong to them, there are four kinds of rules. There's known and written, which are the manual they give you when you're hired and have to go through some organizational orientation, and they're known for a moment as you leaf through them, then they go on the shelf and they become written but unknown over time, because you never consult them again. There are also unknown and unwritten, which are the deep cultural structures of our lives, the 98% of us that evolved and of which we are unconscious, so we don't have to worry about those. But the ones that govern the organizational life are the known but unwritten rules, and anybody who succeeds in anything is pretty good at picking up on and intuiting what are the known and unwritten rules, and obeying them in order to advance in the organization and keep sustenance and livelihood alive.

A friend of mine who's a cop and is also a Roman Catholic, this is not meant to denigrate the Roman Catholic Church and all its illustrious history, I'll just tell you what he said to me. He's a cop and he's a Catholic. He said, you know, my church and my police life work the same way. When you're a rookie, you know, you're watched, and as the dirty money comes through and drug money doesn't all go back to the station and some
of the coke gets bled off, or you go into an alley and you beat the living, you beat somebody, and you're standing there waiting for your partners to finish kicking him into unconsciousness, they watch what you do, and if you're okay, you don't do anything, and the word goes around real quickly: you're okay, you're one of us. And if you are one of us, then you are elevated up through the structures, and when you reach the top, as Timothy Leary said, you never get the truth from the company memo, because you become so instantiated as an aspect of the company. You're like Invasion of the Body Snatchers: somebody put a seed pod under your bed in the night when you joined, and over time you become, you look like yourself, but pretty soon you only say the things the paradigm, the company, approves of, allows you to say, and you don't say the other things at all. And so you become, you become part of the Borg.

And so my friend the cop said, that's who makes captain. You don't make captain if you don't protect the institutional life of the structure that advanced you, and which you have by that point so internalized that you are it. Likewise you become bishop, and this is why the culture of my church, he said, has become a global, he said it, I didn't say it, I don't know if I even believe something like this, he said a global criminal pedophile enterprise. I don't know, I don't know anything about that, if that's true or not. But he said it's the same way: you come in and you see quickly, unless you're unconscious, what is going on, and if you say something you go to Fort Wayne, Indiana, and if you don't say anything you become Archbishop of New York or Boston or LA or Chicago. And it's, oh, that's just what's so. But in that case, because the evil is so deep, it's not so what. But at any rate, as an illustration of how organizational life assimilates us, it works pretty well.

Well, the same thing happens in the so-called security space, the space of information security, and in the intelligence community, where groupthink
permeates, percolates through the structures, and from externals the input is minimized, so the weakest link of the chain is frequently the definition of the problem, and the definition of the problem, as Matt Blaze pointed out, is often not what we think it is. That's true not only about security, but it's also true about the security industry itself. So the question I'm asking is: who are we really? What is the security space really? And what does our self-referential narrative about the industry include, and above all, like all paradigms, what does it exclude and allow us not even to think about saying, much less say? What is the rule base of the filter, and how well does it work with the perimeter? Because, like computers themselves, the perimeter no longer exists. There is no perimeter defense if there's no perimeter, and there's nothing but Möbius strips interlacing with one another like parallel universes.

So let's not be white hat hackers and forget where we put the truth. Let's simply identify what the truth is and articulate it. Nothing is harder to see than the truths we've come to believe so deeply that we don't even see them, because our narratives become self-referential; they're bounded by mutual self-interest, and they're characterized by a heavy dose of groupthink. Beliefs are fine, beliefs are good, they're useful; just don't believe in your beliefs. Just hold them lightly. True of all beliefs: notice, oh, that's something I believe, and then let it go. Because we know now from neuroscience that we make decisions prior to inventing the reasons we say we do them. The decisions take place unconsciously, they manifest, and then we say, the reason I did that. And it's always, as Nietzsche said, in the war between pride and tell and humility, that's why autobiography is never trustworthy: pride always wins.

So how do you change the paradigm? Well, once when I was in the church I was in a leadership project in which we were discussing new paradigms for clerical leadership in the Episcopal
Church. And after we brought in all the people from Silicon Valley and all the think tank people, and somebody had money and funded this, in the second year of a three-year project I was sitting there listening to the gavel of all these what we called cardinal rectors, big churches. You know, I mean, if you play it right you can do okay, you know. I was sitting in a million-dollar rectory in Hawaii tending my parish. My wife had a sign made that said "the pastor is in," with an airplane and a beach blanket. And we're sitting in a million-dollar house, and that's when you realize you came to do good and you did well, you know.

So an analysis of the deeper political and economic structures will always reveal behaviors and beliefs in a different light, and it will illuminate our mixed motives and the fact that legitimate and illegitimate enterprises interpenetrate one another deeply, like yin and yang. You know, there's black and white, and they interpenetrate, and the white becomes a little gray and the black becomes a little white. The overworld and the underworld make up just one thing, one vanilla chocolate swirl of pudding, one complex system. And this also has a serious impact on security and intelligence practitioners, on our psyches, on our relationships, and on our lives. When we refuse to face the dark side of what it is we do and its impact on us, then it has even more impact on us, because the more you push it down, the harder it pushes back. Beware, Nietzsche said, lest you stare into the abyss; as you stare into the abyss, lest it stares into you. Cognitive dissonance is always present, and it can lead to serious stress, but if you become conscious of it and work at resolving it, or at least managing the contradictions in your life, it seems to work a little better.

What is the goal of becoming conscious? A friend shared a story about an intelligence practitioner. Someone he had recruited in another country as an agent was discovered, outed, tortured to death, died
horrifically. The person who had recruited him, our guy, was struck by it, burdened by it. He started drinking heavily. They had to take his clearances away for, well, put him on a different desk and send him to a therapist. And I said, but where is the therapist? Well, the therapist is cleared by the agency, therefore assimilated into the culture of the agency. And I said, what is the goal of therapy? The goal of therapy, the answer came back clearly, is to get the guy back into shape to go back to the original desk and do the work again which got him into trouble, psychologically speaking, in the first place. I said, well, that's not what I did counseling for, for 20 years. When I did counseling, the goal was to enhance someone's ability to see the darkness in their own life, see all the contradictions, integrate them into a bigger self, and transcend, with wholeness and integrity, what they thought had been a burden. And he said, that's not our goal. Our goal is for the guy to get back to work. We're not concerned with wholeness and integrity. And I said, so what happens if he can kind of work, but you're not sure if it all took? He said, then we watch him very, very, very carefully.

Well, it has an effect on us. In the days before it became public, I was talking to people who were tortured and I was talking to people who did the torturing. It started to affect me to listen to their stories. Listening to someone who did torturing talk about, for example, the Uzbeks. You ever work with the Uzbeks? He said it was a novelty when we told the Uzbeks that one of the purposes of torture was to get information. Got it? They didn't know that; they thought it was just something we do. And I was telling that to someone who'd been doing interrogation seriously and well for 17 years, and he said, the Uzbeks, my god, do you ever work with the Turks? By which he meant that all they want is a confession. There doesn't have to be a perp, there doesn't have to be a crime. There's a piece of paper, sign it. Oh, you don't want to sign it? That's
the way it is. Listening to their stories. Oops deaths: the story of medical practitioners, doctors, falsifying death certificates when someone said, oops, lost him, heart attack. Oops deaths. And then they used the information they gained from each instance of torture to advance the ability to do torture well the next time. This is medical experimentation on human beings, which was prohibited by Nuremberg but is practiced. Waterboarding is a red herring. It's an image of something we can imagine not being so bad, as Rumsfeld said, just dipping him in the water or something like that, as if almost choking to death is not so bad, because we didn't kill him, except when we did. But the serious torture is not just water, but it's used as an image to distract people from the truth of what it is that we do. But it is not what we are allowed, out here in the psychic space of America, to talk about clearly, and so as a result, as Jane Wagner said, I'm getting more and more cynical all the time and I still can't keep up.

What is it, what does it do to you, to hear secrets, or live with secrets and carry them as a burden? I had dinner in Washington once with a friend from the FBI and a friend from the NSA, and they were talking about what it did to them, and one of them said, imagine if you were listening to terrorists slit the throats of people in real time. You're hearing the horror, and you go home at night and your wife says, how was your day, and all you were allowed to say was, fine, dear, it was fine. So one of the impacts of the dark side is secondary trauma. A therapist told me to read about trauma when I tried to engage her, a bioethicist, in a project to look at torture, at least before it was in the public domain, and of course they wouldn't, because it would jeopardize their professional positions. So I read about trauma and what it did to you, and I went back and I said, I've read all the sequelae of trauma that are predictable, and she said, you know, I wanted you to read that. And I said, sure, because I'm dealing with
people who were traumatized. And she said, anything else? And I said, no, because when you're in it you can't see it. And she said, you're showing all the symptoms of secondary trauma. My wife said, I could have told you that a year ago, but she was my wife, so, you know, you listen but you don't listen. But when a therapist you don't know says it, you say, oh, I didn't know that.

My point is that, by virtue of the work we do in the security space, we often, all of us, and all of us in America, by virtue of knowing and having these conversations, if we dare to have them, begin to show the symptoms of secondary trauma. It distorts our view of reality; it makes it more binary, and it makes us more paranoid, not just appropriately paranoid, but wondering what is really going on all the time. And then when they call you a conspiracy theorist for wondering, it makes it even worse, because you're not allowed to evolve a conversation, civil discourse, about the truth in order to know what it is. Because the one thing that holds true is, it does set you free to tell the truth and to know the truth and integrate it into your life. So hopefully this analysis will make us think twice before we use the buzzwords and jargon of our profession, words like "security" itself, and "defense," like when they changed the Department of War to the Department of Defense before going into 150 countries with the military presence, as we have now, or words like "terrorism" or "cyber war," words which are weasel words designed to create a paradigm which we unthinkingly articulate and in which we unthinkingly live.

One example of what it does to us is this article which appeared on Dark Reading: "Security pros may be ready to crack under growing pressure. Faced with securing personal devices and a growing base of threats, security pros feel overwhelmed, (ISC)² survey reports." What it is about is the fact that when you're doing a job that you know can't be done, it causes not only trauma but it breaks down your ability to function effectively.
It reminded me of the story in John Hersey's Hiroshima. After the blast there was a flash of light, and a doctor noticed two, three people coming into the office, their arms peeling and bleeding and burned, and he started to treat them as he would anyone who came to the office with those symptoms. But when he turned around there were five or ten more, and he tried to treat them, but then there were twenty more and thirty more, and he looked out the window and hundreds were streaming down the street, burned and bleeding, toward his office, and he was reduced to someone who could only go from one to the other to the other saying, there, there, there, there, there, there. The security industry: there, there, it'll be okay, there, there.

But is it in fact implementing, in the meantime, the structures of security that will give security, or is it simply carrying out the de facto commission which now the intelligence community itself has become commissioned to do, not by any state, because they're dissolving as the boundaries around them dissolve, but by the fact of their lives in the trenches, where they exchange information with one another in an effort, like a thermostat, to maintain some kind of equilibrium in the global body politic, so that chaos, which is always threatening to break out at any bubble or aperture, will not break out? The bottom line of the security world is to be able to assure people that the world in which they wake up tomorrow will be pretty much like the world in which they went to sleep. That's a different commission than creating, implementing and sustaining security. So hence the title: whoever battles monsters should take care not to become a monster too; you stare long enough into the abyss, the abyss will stare right back at you. Or the way the sign put it at Sandia National Labs: do not look directly into the laser beam with your remaining eye. Pretty good.

Okay, so security has a context, and what I want to do is turn a little context into content and illuminate the
slightly bigger box into which we say we're going when we're going out of the box. It's really just a bigger box; we never get to the end of the biggest boxes of all, the ground of being itself. But Eddie Bernays created context. You remember Eddie Bernays? I like to use this example: the publishers asked him to help with selling books, so he went to bright intellectual people, Nobel Prize winners, said, is literacy relevant to America? This is the 1920s. They all said yes, yes, yes, signed off on that. Called together architects, builders, contractors, said, do you want to help build an America viable in the 20th century? Yes, yes, yes, they all signed off. As a result, anyone coming into an apartment building or house after the 1920s, and not before, would often find what they agreed to build, which were built-in bookshelves. And then when people came into those apartments or houses, without thinking or seeing it, they bought books. You got a bookshelf, you put on a book. Context into content, unseen. Digital cage: go in, fly by books.

So, as I say, I want to believe in your beliefs, but contextualize them differently, hold them differently, and that does not often happen at security conferences, where your beliefs are reinforced and repeated so much you actually believe in your beliefs. The price, James Baldwin said, one pays for pursuing any profession or calling is an intimate knowledge of its ugly side. Now, I learned that growing up in Chicago. I worked with my alderman until I was through college. I was never once asked to do something legal. You know, typical was when they asked if I wanted to be a precinct captain. I was eighteen. I said, well, yeah, but where's Kitty going? They said, oh, Kitty's still on. I said, well, how can I be a precinct captain? Kitty, our precinct captain, is still on. Oh, no, no, no, I was so naive: we need a Republican precinct captain, so you can destroy campaigns, undermine people and report back as an infiltrator and spy.
The problem was that I was eighteen. You had to be twenty-one to be a precinct captain. He said, that's not an issue, that's for the document department, as you know. So the bottom line is, you grew up in that environment. I woke up one day in the middle of my young life and said, my god, the father of every friend I have is doing something illegal. One was in jukeboxes, you know, the Seabrook story, and now that kid is the director of security for Seabrook, and he directs security, all right. Offers you cannot refuse is what they were making to people. Others, one in gambling equipment; I found out one was distributing porno. Porno in those days was sixteen millimeter films, black and white, you ran on noisy projectors, not nearly as efficient or effective as just being able to put on your headphones, close the door and say, I'm going to be working on this for a while, right? God bless the digital cage.

So what I'm really saying is, know yourself, right? I mean, the goal of spiritual growth is to know yourself, to face the worst you think about yourself, see it, see it's not worse, it's human, we're just human, and integrate it in yourself so you can transcend it and be a more actionable agent of what results, as what we call freedom, as a result of that kind of integration, integrity. In order to do this in the security space we have to look at what are the deep politics of the security space. I use that term from Peter Dale Scott, who teaches at Berkeley and has written a lot of books, like Deep Politics and the Death of JFK. He's not concerned with who killed JFK, because so many people justifiably wanted him dead that it could have been any of them, and any of the scenarios, in the absence of further evidence, could have been the right scenario. It certainly could have been the Cubans, it could have been the Vietnamese, payback for Diem
being assassinated. It could have been the Mafia, of course, because his dad was Mafia; his dad grew up in Boston, worked with the Mafia, distributed liquor, a bootlegger. His dad got into such trouble he had to have a sit-down with Sam Giancana in Chicago, my town, and have him take a contract off his head, and they did, they worked it out. I had Charlie Fischetti living upstairs of our apartment in the apartment building I grew up in in Chicago; he was Capone's lieutenant until he died of a heart attack in Miami. You just grew up in this milieu. So anybody could have killed Kennedy, but what he wanted to focus on was the important distinction between traditional conspiracy theory, conscious secret collaborations toward shared ends, and deep political analysis, which is the study of those practices and arrangements, whether or not deliberate, which are usually repressed rather than acknowledged. In the latter there is an open system with divergent power centers and goals, not a single objective or control point. So it's not like somebody is doing this to us; it's that there's a convergence of mutual self-interest and an unwillingness to acknowledge the truth, for example, of the security industry and what it does. It's kind of like a guy, when I was working on a project on intelligence and ethics with some people, I talked to a guy in the Navy who said, we have a moral code: don't lie, don't cheat, don't steal. We don't say don't kill, because the only reason we exist is to kill. So if you fielded that one in, it would change the paradigm of calling it a moral code or an ethical code or whatever they call it.
In addition, as a result of the morphing of geopolitical structures into meta-national stage-managed globalism, the sources of power, the references, the points of reference for power in the world are not what they think. Concrete example: I did a talk for the FBI in Chicago. The special agent in charge of the Chicago office talked about it's not your father's FBI anymore. He said we were instantiated, stood up, as a police agency in America and we don't go for it, but now, as a result of boundaries dissolving, we have to go for new intelligence all the time. The flip side of that is the CIA was instantiated to break all of the laws it could in its mission in all other countries except ours, but now it's impossible to say where ours ends and the others begin. In other words, foreign and domestic, like natural and artificial in the world of biology, no longer make meaningful distinctions, because the grayness and fuzziness in the middle has expanded all the way to the edges. There is no foreign and domestic when you're looking at the sources of power. What the special agent at the FBI said is, I used to be able to appeal straight up to the patriotism of people we're working with to do X, Y or Z on behalf of our country, and they find now it is in conflict with their allegiance and the sources of their authority and power and money, which comes from transnational structures which do not yet have names, to which the money in its flows continues to point. So I'm not making this up. Criminal structures are sustained or tolerated by police, always have been; Whitey Bulger in Boston, for example, working closely with the FBI. The integration of crime and legitimacy is the way it is; crime and legitimacy interpenetrate one another, you can't have one without the other. I wrote, with new paradise rich, a
Security Workshop: Information security is one task, both offensive and defensive, of the intelligence community, which sanctions breaking foreign laws while prohibiting similar activities on American soil. But simple distinctions of foreign and domestic no longer hold. The convergence of enabling technologies, intrusion, interception and panoptic reach, combined with a sense of urgency about the counter-terror imperative and a clear mandate from our leaders to do everything possible to defeat an amorphous non-state enemy defined by behaviors rather than boundaries, borders or even clear ideological allegiances, has created an ominous but invisible and seemingly inevitable set of conditions that undermine previous cornerstones of law, ethics and even religious traditions. Therefore IT and security professionals exercise implicit thought leadership, because you create the structures that bind and inform society and civilization. Your real charge is not to defend and protect the nation any longer but to stabilize the world. This is not your father's world anymore either. So we have to assure people, who must wake up in a safe and sane environment, because otherwise things fall apart. Now we're doing all this in a deeper context yet, in a context of a world within the world, a secretive world, a secret world which since 9/11 has grown and grown and grown. I had dinner not long ago with someone who helps to write the protocols and policies of governments on intrusion and detection. I said, are we ever going to get freedom from intrusion and surveillance back? She laughed. It was easy: of course not. She knows how deeply the structures of authority and power have been penetrated by those technologies.
We're never going to get them back. In the Washington Post, Dana Priest wrote: the top-secret world the government created in response to the terrorist attacks of September 11 has become so large, so unwieldy and so secretive that no one knows how much it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work. There are 1,270 government organizations and 1,900 private companies on programs related to counter-terror, homeland security and intelligence in over 10,000 locations across the country. Almost a million people hold top-secret clearances. Thirty-three building complexes for top-secret intelligence work have been built just since September 2001. Many security and intelligence agencies do the same work, creating redundancy: fifty thousand intelligence reports each year, a volume so large that many are routinely ignored. After it happened, because they were traumatized, and trauma sometimes leads people to speak, someone described the scene in the office of the director of the NSA when he told senior officials the new executive order mandated X, Y and Z, and the silence was frozen, because, he said, these are things we had been told all our professional lives we did not do. We do not do that, because it violates the law and the Constitution. Unless we recontextualize the Fourth Amendment so that it makes some sense in a world without walls, it will continue to have less and less meaningful application. And as Michael Hayden said when asked if there were not ethical or legal implications to vacuuming up the communications of Americans without court order or warrant, he said we don't have to worry about those, because, quote, we have the power, unquote. That's the world in which we do our work, and on behalf of which we do our work, but you do not hear it spoken of at conferences like Black Hat. It is the given, it is the unspoken premise, an assumption that the economy based on that secret world
will continue to manifest itself as a military-industrial-entertainment-media-educational complex in which the nexus of power, one to the other, is so close and tight that one becomes indistinguishable from the other. In my short story in Mind Games... I only brought a few. Right, the pitch: right now I'm supposed to do a vendor pitch. I have half a dozen of these if anybody wants one signed, and for only five bucks, the few remaining in print. Islands in the Clickstream, it's gone all electronic; five bucks for that one, five bucks for that. I have five of each. It's really a prize and it will be worth a great deal of money one day. The older I get, the better I was, and when I'm dead my value will be through the roof. Okay. So we don't usually discuss the simple reality of the sources of research and development in the world which funds our enterprise. It's just a given. People deal with one another; they do not always ask from where the money comes. You do not always know, in different fields, in operations. Ten minutes? Are you kidding? Jesus. All right, forget that. All right, I've got the meat of this, and they're all on that CD, but let me just start rattling them off and make this kind of fit: this is what hackers and security professionals really say when we talk to one another in the privacy of our shared spaces. Okay.
One stood at the vendor space at Black Hat last year with me and looked out at the sea of booths and the beach bunnies, the booth bunnies I mean, and all the swag, the chocolates and the pens and the glowing lighted balls, and said, you know, not one of these people can deliver on the promise they make, which is to secure the enterprise. Not one of these people can deliver on their promise. They are selling something that cannot do what they claim, which is protect and secure the enterprise. And when I mentioned that a particular application was based on smoke and mirrors to the editor of a major national information security publication, he laughed and said, Richard, our industry is based on smoke and mirrors. A quote which you heard me say was said by the editor of the magazine, but CNN yesterday reported, "and Richard Thieme said the whole industry is based on smoke and mirrors." Every attributed statement I made at Black Hat, they removed the quotes, interwove things out of context, and brought in statements made by others and wove those into it. It was a nice piece; it just had very little to do with what was actually said and the way it was said. I just point that out. All right. We identify the threats that we can fight, not the threats we cannot fight. We sell what we can sell, not what we can't sell. Cryptography is a great example. Cryptography is the opiate of the naive, because sure, it can protect a lot of things, but not if the system is broken. Peter Neumann was talking to
Rivest about voting machines, and Rivest said the cryptography is terrific in the voting machines, and Peter Neumann said yes, but the entire system is broken, and Rivest the cryptographer said that's not my problem. Holistic thinking at its best, right? And he's a really smart guy. I remember someone laughing at the ATM and other embedded device code he was looking at because it was so simple and easy to exploit. One hacker said, in my non-expert opinion I would say the cell phone stuff is even easier, and another added, mobile device security implementations currently suck more than the abomination that we call mainstream software. Okay. Dan Geer pointed out, by name: the financial world has proven by demonstration that we humans are fully capable of building systems we can neither understand nor control; the digital world is insisting on a second round of proof. Just as the greatest enemy of our personal health is ubiquitous cheap food, the greatest enemy of our national health is ubiquitous cheap connectivity. You know that the applications being added by the thousands and the smartphones being added by the thousands simply increase the coves and niches of the coastline of the attack interface. So there's a whole section that I won't even touch on what the FBI is actually doing in COINTELPRO 2.0. I will skip the section on Émile Durkheim, which you can read about, in which he pointed out that criminality and legitimacy necessarily interpenetrate one another in any society. And I'm going to skip the point about what the banking system is actually sustaining and supporting, an example of which is how much money is effectively laundered through that system. I will give you a couple of quotes. U.S. and European banks launder between five hundred billion and a trillion dollars of dirty money each year, half of which is in the U.S. alone. Senator Carl Levin summarizes: estimates are that up to a trillion of international criminal proceeds are moved internationally and deposited in bank accounts;
between two and a half and five trillion have been laundered by U.S. banks and circulated. The flow of corrupt money out of transitional economies is twenty to forty billion dollars. The result of this is, without the dirty money the U.S. economy's external accounts would be totally unsustainable, living standards would plummet, the dollar would weaken, the available investment and loan capital would shrink, and Washington would not be able to sustain its global empire. I'm not making it up. I'm just saying the banks do this, and not just American banks: UBS, the Vatican Bank, Barclays around the world, as well as Citigroup. Bank of America has a beautiful statement on their policies on money laundering, completely contradicted by their actual practice. Wells Fargo, Wachovia, was just fined over a hundred million dollars because they laundered over a billion dollars on behalf of the cartels in Mexico, which are fighting one another to the death, killing over thirty-five thousand people. They laundered so much money through Wells Fargo that it equaled one third of the Mexican GDP, and Wells Fargo's claim was that no one at the bank noticed. Okay. All right, so three thousand died on 9/11. I'm sorry, I love bond traders and firemen and policemen too, but thirty-five thousand have died in the cartel wars, which are enabled and sustained by the banking system, which it is the primary purpose of the security industry to protect. Who's always cited as the first line of defense? The financial institutions must be defended and protected so people can know they will wake up in a secure and safe world, as we have for the last few years. Of course, this is just the way it is. All the documentation on all the banking systems I cite and talk about is on the CD. Let's get back to what hackers or security professionals are saying about this. They are, in my humble opinion... the focus is on stuff to be placed on top of a flawed underlying
foundation. We can never get to acceptable levels of infosec unless either (a) we rip out the networks and start from scratch, or (b) change the competence of government and corporate infosec folks to not tolerate mediocrity, and empower them with the authority and resources to do what it takes to do it right. Otherwise good money goes after bad and the status quo is maintained. I no longer do pen tests or red teams, because nobody learns from what we find; they just want to check the box of compliance, so why bother? I'm not making a difference anymore. Remember what I said about infosec professionals beginning to feel overwhelmed by the impossibility of doing the job. Why bother? I'm not making a difference. Clients don't care except for making a nice profit on a gig, which is where it goes, and you become cynical. Then: I know I'll be ignored, so why should I? Another said, the problem is, to tell the truth you have to, one, not be a vendor, and two, be willing to spill the beans. And getting on there, there are very few people willing to get up and say: I work in security, my job is to prevent intrusions, we get owned a lot, so I kind of fail at my job. Sometimes it is really, really bad, and here's how we deal with it. In other words, manage the risk so people can wake up feeling, oh yes, this or that happened, RSA et cetera, whatever.
Even when we do our jobs right, we're going to get owned. The real challenge is to get business leaders to accept that reality and let us redirect funding to the programs that help companies deal with it. Attacks are simple; defense is hard. It is gradual, it is continual, it is not sporadic, it is elusive and it is often boring. You do not hear too many defense presentations at Black Hat; you hear attacks, because they're sexy and fun, and it's more fun to blow shit up than keep it from being blown up. That's what a hacker does. I understand that what I'm articulating is not popular. A disciple of Gandhi said, even those of us who loved him rejoiced when he was assassinated, because his presence was a constant upward call to be more than we were, and it was a real... he didn't say it this way; in Urdu he said it was a pain in the ass, but that's what he meant. It is a pain in the ass to look at this stuff and try to deal with it, not forget it, suppress it and ignore it the minute we go on to the next presentation. What is the state of the craft? We're not willing to ask the next round of hard questions because we haven't realized yet that what we've got is broken. There are people out there still trying to perfect AV ideas, mousetraps. No big data solution will magically solve the problem if I have to see it first in order to detect it later. Eighty percent of viruses might be stopped; twenty percent aren't. When you are owned, you are owned. Risk and accountability: our inability to identify and convey technology risk kills us. Executives don't get it; we don't, therefore, have the conversation at the place of power and authority where it will make a difference to begin grasping what we're doing. And yet, what is doing the shocking things? The HBGary fiasco, which I love someone describing as a "bikers suck" bumper sticker at a Harley rally; you know, don't be stupid. He said: software security problems in all sorts of goods and services, check. Greater societal dependence on the technology, check. Greater complexity,
check. Everybody's selling zero-days to God knows who for money, check. Professional development of digital weaponry, check. A black market economy, check. Industrial espionage, check. Leaked information targeted and traded, check. Intelligence agencies outside the U.S. growing capabilities, like Iran saying after Stuxnet, in the future we will have to consider preemptive action, check. Those of you who know, know that Stuxnet is the one in the public, so we can talk about it, like waterboarding, but there have been others, and some of them are serious and portend worse things for the future. What keeps me up at night? A guy asked in an interview the other night. What keeps me up at night is when the chief technologist at CIA tells me he can't sleep at night. That's what keeps me up at night. He says reading the FISA intercepts gives him nightmares, but I can't tell you what's in them. Thank you, you've done your job: secondary trauma. Yeah. The real question is not how much security do I need until I have no risk; it's how much do I need until I can live comfortably with the real risks I am facing. Have the conversation. Okay, I'm finishing. I've only got ten minutes? Wasn't that an X? Wasn't that a Roman numeral X? Okay. All right, let me wrap it up. Let me just wrap it up by saying: build networks with the people who are really your friends. Let me tell you how I knew who they are. A guy came up to me a few years ago, when I had two minutes to say, for a change, and the people were saying "cut," and the guy who does the audio... this is "cut." But the guy who does the audio said, because he'd read my book and loved it, he said, there are two people I won't cut: Martin Luther King Jr., he's dead, and you. So make friends with the little people, right?