Welcome to the annual DEF CON convention. This meeting was held in exciting Las Vegas, Nevada from July 9th to the 11th, 1999. This is video taken on November 22. Ethics, morality, practicality, patriotism of hacking. I'm Phil. I'm one of the feds; I guess it's my third time up here. The reason they asked me to come and talk to you is a couple of reasons. One thing that I do professionally is try to protect the infrastructure, the IT and weapons systems for the U.S. Army. I work for the Army Chief Information Officer, and my job is to do information assurance policy, program, architecture, acquisition and finally implementation for the program managers across the Army, wherever we may deploy or wherever we may have a presence, to protect our systems. I started this business about 27 years ago, 27, 30 years ago, when my greatest enemy in protecting my systems was the Evil Empire. I was concerned about the Soviet Union and the Warsaw Pact, those kinds of folks who had a substantial capability to take our systems out or listen to them or exploit them. I'm a veteran of Vietnam and I'm also a veteran of the Gulf War, and I'm very aware of what can happen when people listen in to your system. In Vietnam we used to be very concerned about something called imitative communication deception. If you haven't seen the history films, I suggest you take a look at them, because it hasn't changed all that much. Whether you're getting into a system today and looking at data or you're listening to an FM or AM radio channel, such as we had in Vietnam, listening in to where the next helicopter drop zone was going to be or where the next landing zone was going to be, the next pickup, it was all information gleaned. What they used to do to us in Vietnam was capture or listen to our radios, unsecure radios I might add, and listen to a 10-digit coordinate at which a helicopter would come in to pick up people or to drop people off.
And the folks on the ground would radio back to the helicopter pilot and a team chief and say, hey, man, land where I pop yellow smoke. Well, guess what they would do? They would hear that, and there'd be two areas on the ground with yellow smoke. And it was a 50-50 chance that the helicopter would land in the right place, and if he didn't land in the right place, he was received with direct fire. That is real cyber warfare, starting back in the mid-60s. Those kinds of lessons, I tell you, have not lost themselves in the business that I do today. I'm here today, if you read what's on the agenda, to talk about patriotism, morality, ethics of hacking and so forth. But I must make this disclaimer right off the bat. The rest of my presentation, the speech I'm going to do today, is my opinion. It is not the opinion of the U.S. government. It is not the opinion of the Secretary of the Army, nor the opinion of the Army Chief Information Officer; it is strictly mine. I want to first of all thank the organizers of DEF CON for inviting us out here. This is a great opportunity for us. We've interfaced with a whole lot of you all out here. I picked up a great number of tips, and I think after yesterday's Meet the Fed panel we are a little more sensitized to some of your concerns as well. I appreciate the opportunity to be here today, and I hope that I made the right decision by leaving my Kevlar at home. Actually, I was at DEF CON last year, as I mentioned, and I was pointed out as a fed in record time. Carl Lewis had nothing on this one. I guess I'd missed either the cowboy boots or the Just For Men gel so you can't tell. But I will tell you I did get a haircut for you guys. You're welcome. So anyway, since I couldn't hide anymore, and I do appreciate that, I understand the value of what this conference does and can do, what you bring to the industry and community and the impact you have on the government. I just simply said, okay, well, I'll be a speaker this year.
Before they would let me come up here, though, they warned me not to bore anyone to death and not to get on my military high horse, and at no time and under no circumstance was I to be allowed to make any reference to AntiOnline or a guy named JP. However, I think Peter Shipley and I could talk about some things after the conference as well on that. There are a few things I want to say today, and after that I'll point out, if you haven't got your t-shirt yet, a lot of my co-workers are in the audience here, and I'm rather proud of the feds that came out to this conference because they're harder to spot than they were last year. There's certainly a multi-talented group of individuals gathered here today. A group that many profit-seeking computer security headhunters would give their firstborn to recruit, and I've talked to many of you. The best of the best and the elite, there's no question. Computer security companies have probably approached many of you, and I know that some of you are even now currently employed by some. The irony of that situation certainly hasn't missed any of us in the Department of Defense or the corporate world or the FBI or a number of other people who find it hard to accept that the very people who stir up the coals are the ones getting paid to put out the fires. Could that be compared to hiring a thief to install a security system in your home? Would you appreciate his expertise when he comes back three weeks later and relieves you of that stereo system that you just procured? Hackers working for computer security companies? What a combination. You know, they say that a large percentage of criminals return to prison, caught continuing a crime using many of the new techniques they learned while they were in jail. These people lived in an environment consisting of all the expertise in their career field, criminals and criminals. Wouldn't a hacker working in a computer security company be almost the same?
When they're hired to work for these firms, there's nothing like being a kid in a candy store. All the latest and greatest tools, technology that they've heard about, that they didn't have access to or maybe didn't have money to buy, right there at their fingertips. Can all hackers honestly say that they wouldn't be at least a bit tempted to do a little vulnerability testing on their own once they were on the inside? This was discussed yesterday during the Meet the Fed panel. Don't get me wrong. I'm not saying that everyone would do it, but I am saying that there's a certain percentage who would consider it. And that is a big percentage that most employers don't want to risk. Many of you may say I'm stereotyping and not everyone with a hacking background does illegal hacking. And if they did, it doesn't mean that they would continue to do it once they were hired to work for the good guys. But smokers, dieters, addicts of all kinds would tell you that it is a lot harder to change a way of life than it is to give in to the habit one more time. Before I go on, let me make something clear. I'm not labeling all hackers as criminals. I'm saying that criminals are criminals. If you haven't been caught for breaking the law, fine; if you have been caught for breaking the law, you're a criminal. If it is your passion and pastime to poke, prod, dissect computers and computer code without breaking the law, then you're a tactician in high demand. When it comes to the military, we have enough problems to worry about without adding convicted hackers or criminals to the payroll. And if you believe what you read in the papers or see on CNN, I'm sure most of you will agree that we just don't need any more trouble than we have. And isn't it ironic, if you will, when we had the conversation yesterday about doing a lot of vulnerability analysis just to show people how insecure they were, that someone took down the DEF CON home page.
And if you haven't seen that, you need to take a look at it. So do yourselves that favor, and that's kind of telling. On the other hand, there's no question that we would benefit from hiring people at the level of intelligence and expertise that these people have. Script kiddies excluded. It's no secret that the biggest obstacle the military faces in this effort to win the cybersecurity race is a lack of well-trained people who are committed to the longevity that's required to complete this important task. Dr. Hunker, Jeff Hunker, who was here on the platform yesterday from the National Security Council, spoke about implementing initiatives that would keep that technical staff in place at least a little longer. More money is a great starting place, and that would also enable us to compete for personnel with other corporate contractors, some of our friends, which we call Beltway Bandits, to be able to get those folks into the business. Why do hackers hack? Well, we consistently hear about the part of the hacker culture that claims that they do it for the good of computer security, and that pointing out vulnerabilities in other people's systems is a good thing that educates the victim about the gross lack of their security. If they should happen to delete or alter a few files or alter a home page while they're at it, then so be it. I mean, I lock my door every night before I go to bed, but that doesn't mean that you're invited to come in and help yourself to my belongings. That's the same rationale that I use for people who use that argument. What about the repercussions of these lessons? I can take a few situations that are near and dear to my military heart. What would happen if a hacker broke in and called it education, to make an educational point and point out vulnerabilities in the system that controls the stocking, the shipping, and the medical supplies for our troops abroad?
Is it worth the lives of our countrymen to have bragging rights about owning someone else's box? How funny or educational would it be if a shipment of weapons meant to protect our homes and families were replaced with packages of turmoil and wear due to a few well-placed keystrokes? These things are all possible, and they are of great concern to me. Is everything justified in the name of education? I think not. Then there are those hackers who group themselves in a hacktivist category: hackers against child pornography, hackers against war and so on. It is an honorable intent that they feel strongly about these issues, and a lot of people share those concerns with them. Hackers want their voices to be heard, that's clear, but it is illegal to penetrate; is that the best way to speak out? Have hackers stopped to think how much good is being done by their actions? Listen to what I'm thinking. How many children have been saved from the sick cruelties of child pornography by defacing a home page? How many soldiers have been kept off the front lines by taking down the U.S. Army home page? They also make the assumption that large numbers of people see these altered pages. But a message put up at 3 a.m. and taken down at 6 a.m. probably isn't going to be seen by the political audiences, and I presume that it probably won't be seen by a lot of other people either. True, many sites archive these pages, which gives them a lot more exposure. But if exposure of child pornography to the media is the goal, then why not put up your own websites dedicated to saying child pornography is bad instead of risking legal action by tampering with someone else's? I'm certainly no expert, but I'd probably guess writing a letter to a congressman or senator or other local officials might get the ball rolling a little faster than a web page full of misspelled curse words.
I can't help but think how much work could be accomplished and what fights could be won if hackers were mobilizing their efforts in certain other directions. If they put as much organized effort into riding a bike to work or not littering on the highways or carpooling, conserving energy, as they do into the illegal penetration of other people's systems, we would certainly have a better planet to live on. If they put their considerable computer expertise to work in training, research and development facilities, we might even have shopping malls on the ocean floor or could be talking about putting condos on Mars. Right and wrong hasn't changed much since the beginning of time. And I wonder if hackers have stopped to consider the people who are being affected directly or indirectly by their evil deeds. Think about the system administrator who will spend days repairing the damage that was done, or a small business owner who may have to close down because he can't afford to restore the data that was destroyed. Take the Citibank incident, for example. Even though most of the money was recovered, a fairly large chunk was not. Why? Or what do you think paid for that loss? Do you think Citibank just chalked it up to the old wealth factor? Or do you think that the taxpayers, consumers, including the culprits, paid? As the saying goes, no good deed goes unpunished. What you do takes talent, patience, perseverance, determination and a low-end computer with anything but an AOL account. What you do gets attention in the media, the military, your peers and even the FBI on some occasions. What you do gives jobs to system administrators, network administrators, virus detection companies, software engineers, teachers, students and lawyers. And all this is remarkable. Excuse me, folks. Real quick announcement. Is there a Brett Bressler or Roman Israel in the audience? Or does anyone know these people?
If you do, would you please ask them to go to the second floor and talk to William Sharon; there is a family emergency that they need to handle immediately. Yes, sir. As I mentioned, all this is very, very remarkable. If it wasn't remarkable, many of the feds wouldn't be here today to hear what you have to say and hear what you have to discuss and share with us. However, a famous patriarch of the dark side once said, Luke, I am your father. But he also lit up the night sky with his burning carcass. The point is, it's not really fun to be a bad guy. In the end, when it comes down to eternal damnation, a few hours or days behind bars or the FBI beating down your door in the middle of the night, wouldn't you rather choose the big hat and cleft chin of Dudley Do-Right? Besides, Dudley always gets the girl, and Olive Oyl will never choose Brutus over Popeye. The potential will be far greater than any in my generation. The sky is the limit, but there is a catch. The old saying was true about not being able to have your cake and eat it too. Illegal activity will never be rewarded, and those hackers who have escaped prosecution may feel like they'll never be caught. But sooner or later, justice will catch up, and they'll realize that no one is invincible. As for those hackers who feel productivity and talent, if you do it right, you have absolutely no boundaries. You can go anywhere you want. In closing, I have just this left to say: we the G-men of the Department of Defense, in order to form a more secure network, establish firewalls, ensure domestic connectivity, provide for system administrators, promote the changing of passwords and patch every exploitable hole known to man before Team Sploit or Global Hell or the Elves take them apart, do hereby request, in the immortal words of Rodney King, why can't we all just get along. Thank you very much. I have seven minutes, and I'll take any questions you have, or we'll call it an even split here. Yes, sir.
I'm glad; this is a good question. The question was that he had read an article that myself and Miss Robin, who is my personal hacker, did a demo to some of the higher-ups in the government in which we broke into a system exploiting poor password management, turned on a couple of directories, captured some audio through a .wav file, brought it back, turned on some cameras, took their pictures and so forth. The question was, what was the reaction of leadership? Shock. It's probably the best word to sum that up. I think that most of the leadership understands that people's email is in jeopardy, and they have grown to at least understand that risk. I'm not sure that the higher up you go in the executive chain they fully understand the technical ramifications of that capability. But when you turn on a capability on their local PC that captures them speaking, or if they happen to be silly enough to leave the camera plugged in and you can take their picture while they're speaking, that kind of really makes them quickly aware of the vulnerabilities of the technology and where to place it and so forth. I gave that demonstration to some folks at the Army War College, and I'll tell you a little funny story here. There was a lady in the front; you could tell by her body language she was extremely nervous and under significant stress, which worried me, because it is not my intent when I do these presentations to put anybody in heart attack mode.
So I finally stopped the demo. I asked Miss Robin to quit for a minute, and I asked this lady straight up. I said, is there something I can do for you, like a glass of water? She said no. She said, you know, I'm really pissed at my husband. And I'm trying to understand what my demonstration had to do with her present feelings about her husband, and I said, well, why is that, ma'am? I mean, I'd started the conversation, she had my interest, a couple hundred people in the audience. I said, why is that? She says, you know, I told him to take the computer out of our bedroom. I think we at least made one convert that day. Any other questions? Sir?

Sir, I really don't know anything about that, so I can't comment on it. Sir, one of the problems with having served 24 years on active duty is my hearing has gone somewhat. Could you come closer or have someone repeat the question, please? Okay, a fan I am not, obviously, although I am willing to trade. The Cult, I have a very nice Army information assurance cup, and I'll trade it for a CD and a t-shirt. There's no big secret, if you've watched the media and so forth, that Back Orifice causes some degree of stress and concern. Of course, you know, you can continue those kinds of things; that's your First Amendment right. Again, I mentioned yesterday that case law is a bad thing to be the first one in. Don't be surprised if some day people are held accountable for these kinds of applications and the damage they cause, and that's about all I'll say at this point.

Sir, I think it's an age-old question. I'll try to rephrase it: the concern is whether we ought to educate our users more and worry less about hackers, or focus on the education of our system administrators. I am one of a growing school, I think, that says a user shouldn't have to be any more educated than in using the system, and the system administrator and the service provider ought to be wholly responsible for securing the integrity of the system. I
think that we are focusing our attention and our resources on the system administrator, the service provider, and the technology infusion to provide that security. The user should have a password or access control mechanism, biometrics, this kind of thing. Educating the user on system access is the solution; there is some work to be done there, but I tend to shift that burden to the service provider.

Sir, you said you can't talk about that, but what is your personal opinion about the ethical issues associated with doing that? Let me clarify: it's not that I didn't want to talk about it; I truly do not know about it. My job in the department is computer network defense, not computer network attack, and I focus on that. As for the ethical issues of computer network attack, I'm not sure that even now anyone has determined what the ground rules are. We had a discussion last night by the pool with Dr. Hunker and a few others about the legalities of the stages of war, what constitutes an attack in a traditional sense. In the physical world, you throw a bomb at me, it's very clear that you've attacked me; you shoot at me, and I know this as well. You penetrate my system and violate my sovereignty, and some folks consider that to be an attack as well. But from a legal perspective, I don't know what constitutes an attack, and I don't know that Congress will wrestle with that anytime soon. Should we not counterattack in the same manner that we were attacked? Those are decisions that have to be made by people way above my food chain, and again, I'm not answering your question, but I simply don't have an answer for you. Is the next speaker here? I don't want to get into your time. Your question, sir? I don't know that either. Okay, I have run out of my time. I appreciate again the invite here, I appreciate your attention, and have a great rest of the conference. Thank you very much.