Basically make their devices more secure. And we do that by looking at a couple Different Things on the device side, systems side and do hardware and Software Engineering to help them to that. Host theres quite a bit of competition in this field today, isnt there . Guest yep, yep. Youve kind of got to carve out a niche for yourself. Specifically, i work with a lot of crypt graphic devices host which is what . Guest these are devices that need to use cryptography typically to embed some sort of secret in the device. And if everyone uses it every day, maybe without realizing it, and this is the equivalent thing but on a device level. Host do you work with the federal government at all . Guest short answer is, no. I was in the navy for ten years, went to the naval academy. A lot of my background and training is with military and navy, but currently i just work in the commercial sector. Host why did you get into this field . Guest is it started, i think, at the naval academy. I did, was one of this group of midshipmen that was called a trident scholar, i really wanted to research protocols. I was just interested in how you could protect communications with using cryptography. In the navy, i was a submarine officer, kind of got more into it. And then kind of kept getting, just kept getting deeper down into it. Host now, weve talked to several people here, a lot of military backgrounds. Guest uhhuh. Host why is that . Guest i think the military has a unique kind of well, it has a unique mission in that it knows the importance of protecting information and communication security. And so comsec, that acronym, military acronym is very much imbued in you. And on a submarine especially, because some of the places a submarine will go the Communications Security is of very high importance. So i think that kind of environment leans to understanding those threats and how to protect those threats, and ive seen a lot of people take that forward outside the military. Host how does cryptography work . Guest so fundamentally, its based on mathematic principles. So different, different aspects of cryptography work a little differently, but if you theres one area called asimilar met trick cryptography which is also known as a Public Private system, and it works basically by having hard mathematical problems. So you and the interesting property of these problems is that in one direction theyre easy the compute, but then if someone got that answer, its hard to reverse it. So this is simplified, but if you take a, if you try to take two prime numbers and you multiply them together, thats easy. But if you were given a number and you had to figure out the prime factors just from that number, that turns out to be a harder problem. Host do you create the crypt graphic keys . Guest so the devices will it depends on the devices, but the device, if it has the capabilities, can selfgenerate the key. Or a manufacturer may design, depending on what they want to do, they may decide to put a device in and all the keys. The first ones typically more secure because not even the manufacturer would have access to those keys. Kind of like what we have heard about with the apple and the fbi in the last year or two. Host you mentioned amazon. Do people use crypt graphic devices every day like that . I mean, if you log into your bank, do online banking, is that crap to graphically protected . Guest yeah. On everyones phone its running a web browser that is using transport layer security which is just the name of the protocol to encrypt your communications over the web. And if you talk to google or go to facebook, its using cryptography. So its built in transparently. Most people dont realize theyre using it, but they rely on it to protect their communication. Host whats another form of communication protection thats used . Guest well, you could use it so, for example, the if you have a messaging app and you are, so theres a couple different messaging apps, but you could be texting somebody, and those can be encrypted, and those are some of the better ones are encrypted end to end which means not even a third party like the Service Provider of the application could intercept your communications. Is so only you and the person you sent the message to can decrypt them. Host is it more expensive to crypt something . Guest well, its expensive, with most modern phones theres not an expense in processing time. Its an expense really on the Development Side to make those kind of protocols and to do that engineering. Thats where you pay the expense, if you will, to design those systems. But once you have those in place on Something Like a modern phone, theyre not expensive in time or power to use. Host as we move into the internet of things world, is that going to be more and more crypto keys . Guest yeah, this is going to be more important. And i say that because internet of things is a bit unique even from other embedded devices like phones because theyre typically used autonomously. So theres no Human Interaction with, like, your thermostat or maybe an industrial controller. And weve seen some attacks where theyre able to exploit like web cams, for example. Slightly different, but the idea is those devices need to have a secure way to get firmer updates, they need to be able to if theyre sending out data, maybe its temperature data, sensor data, theyre maybe connected to sensitive machines. You wouldnt want that data to be intercepted by a third party either for business competitive reasons or for an attacker who may be wanting to try to exploit your system. Host so theres lots of different doorways into a system, correct . Guest yes, absolutely. The crypto, typically, is not the first choice of attackers. And i say that because theres usually easier meds to get in methods to get n. It could be that they have a password, or that passwords on the web site or Something Like that. Those are typically the first means of attack. However, the flip side is if you dont implement the crypto properly, that can also you could have a false sense of security. So you could think youre safe, but there are very subtle attacks that could, unfortunately, make that not the case. Host what do you do to protect your own devices . Guest so my best tip is i generally try not to have them. So i will go, sometimes i go into client meetings with a pen and paper, and thats but im a hid little old im a little old school. But, you know, thats not feasible all the time, so on my phone i, number one, make sure that i have all the firm updates applied. The kind of thing there is patch, patch, patch. You want to have, you could have things like a vpn service on your phone. So is if you this protects you from using the hotel wifi, you could have a virtual private network, and it basically encrypts through the immediate network. But really the number one thing is get a device, make sure the firmware updates are applied as soon as you have them. Host do all modern phones come with a vpn . Guest typically, i think apple has a builtingin, i know with the Android Devices its usually a third party app. Some of these are paid services that you can go and install this application. Host what kind of attacks are you seeing . Guest so on the devices, theres a range of attacks. The easiest ones are the kind of, so the kind of best Gold Standard of attack is to get a Remote Access into a device. So a typical internet of things deployment you have a one gateway device thats a more advanced processer talking to a bunch of sensors. And these sensors are smaller powered. So the kind of Gold Standard attack is to attack the gateway through a web protocol, maybe something wasnt set up, and then you can use that gateway device to jump to attack all these different sensors. So those are the biggest attacks that would have, like, the best bang for the buck for the attacker. But some of the things i focus on are more of the hardware physical attacks. If i can get my hands on that gateway device, i can start attaching probes to it, debuggers. I have a lot closer access to the hardware to do more sophisticated things. And then the real dangerous thing about that is even though thats a physical attack, but the information i would see from that attack i can turn that attack into a software take. So you take one attacker, he looks at the hardware, and then he publishes it online for a software attack, and then you really have a hybrid attack which is quite powerful. Host are these debuggers available to the layman . Guest they, the more expensive ones are geared to professional engineers, these would cost maybe 100, 200, but some of these devices have been commoditizedded to be in the 20 30 range. Yeah, you can certainly get them on the cheap. Theyre not as fast or reliable as the professional tools, but theyre certainly available. Host do attackers leave fingerprints . Guest the good ones, i think, try not to. It helps to, like, avoid the attribution. But, you know, sometimes we cant help it, right . Sometimes youre using a tool or something, and maybe that will leave some i dont do so much on the forensic side, so i dont know that area as well. But from what i understand, you generally try to not do that to make it harder to come back to. Host do you presume youre under attack cyber wise at all times . Guest yeah, its less, i think, more of a paranoia, its less of a heightened sense of awareness although my wife thinks im paranoid. I think thats just the military training, having a heightened sense of awarenesses, heightened sense of your surroundings, and its more about getting the attacks into a threat model. If youre doing something online knowing that theres these category attacks and they could have these impacts and kind of bucketing that information into because otherwise if you were paranoid all the time, you wouldnt be able to live your life. You wouldnt be able to go and buy coffee. Youd be worrying if someone put something in your coffee. Its the same kind of thing in the cyber realm. You need a healthy sense of paranoia, i think, but you still have to kind of interact online. Host whats your role here at black hat . Guest so at black hat im helping with the training on applied physical embedded attacks led by joe fitzpatrick. Four days of training where were teaching 30 people in each class how to take a piece of hardware, connect with the debugger, connect with tools, kind of learn about what the hardware is doing and then maybe use that hardware knowledge to construct a software attack and vice versa. At def con im giving a talk called breaking bitcoin wallets. Its a digital currency, and a hardware wallet is a smart card for using bitcoin, basically an embedded device thats custom made to help protect your, what they call your wallet. Its basically your private key. Its how you would send money or its what you need the send money through bitcoin. Host cryptocurrency is coming, isnt it . Guest yeah, so yep, its here. I dont know if its its here, and its being used. So the reason i started looking at that talk is that as more people start to use it and as the value of bitcoin starts to come, get higher, i was curious what are some of the hardwarelevel protections on these devices which are recommended to people as a more secure way to protect their cryptocurrencies. Host josh datko, thanks for being on the communicators. Guest thank you. Host and now on the communicators, more of our interviews from the black Hat Convention. Joining us, daniel kurtbe cuthbert who is coo of a Company Called fence post. What does that company do . Guest fence post does a lot. Weve been around for 17 years and were, in essence, hackers for hire. We get asked by our clients to effectively become adversarial targeting. So what happens if an attacker targets you, whats the worst that could happen, how do you react, you know . Is all the millions you spent on hardware and software and security and training, is it working, you know . How to you fit in in the internet. Host and you call them pen testers . Guest yeah, people who test pens, yeah. Host penetrations. Guest yeah. Host howd you get started in this business . Guest ive been doing it for a long time. This is my 25th year of hacking. Mine was curiosity. We moved to south africa during apartheid, and then the internet started. Coming from london to a country where strict restrictions were happening, there was censorship, and we had the first stages of the internet with dialup and bulletin boards, it was curiosity. And im quite curious and started to fiddle and moved from there. Host you reverse engineered . Guest no, no, not at the time. It was really basic back then. I liken it to stories my dad used to say when he used to walk to school barefoot, naked in the snow and backwards. I think now is probably the most exciting time to start hacking. The wealth of information out there is unbelievable. It takes very little to hack today. Youve got youtube, youve got tutorials. Twenty years ago there just wasnt much. It was a true wild, wild west, and there was just nothing out there. But now this is a really exciting time. Host should that information be on the internet . Guest thats a good question. I liken it to a life. So you can use a knife to cut an orange, you can do Amazing Things with a knife, you can also to really bad things. In london weve got a really bad problem with knife prime. That doesnt make a knife really bad, its just how you use it. There is a definite need for Penetration Testing these skills. Its just some taking it that one step further. Host do you have a specialty with your company . Guest we are very good at red teaming host which is . Guest probably the top end of testing. So we will try and gain access to you, your data, your employees no matter how. Its a fully encompassing Service Rather than just say an application test or a networklevel test. Its about as close to the bone as you can get. Host and when you go into a red team testing, are you trying to, lets say, break into ibm . Guest it could be however the client wants. It could be the client saying, do you know what . We think were secure. Weve developed this new application, or weve got this really great new phone thats coming out soon. We want to make sure that, a, everybodys involved; b, we can detect it; c, our people are doing the right thing. And finally, how do we stand up . Does the board say, all right, were probably going to get breached tomorrow, we need to make sure that were not on the 6 00 news and we look really good or, actually yeah, weve done everything we can, we think were in a good place. Host are attacks happening every day . Guest yes. Sadly, i think its easier the bad side of all this information being made freely available is that the attacks have just gone through the roof. Its now common place for us to hear about breaches. A couple of years ago youd maybe here of a Company Every now and then getting breached, but now its common place. People are getting popped left, right and center, and i dont think thats the good side host where are you based . Guest london. Host and can you do your work from anywhere in the world . Guest i can. Its an amazing career. Ive had the luxury of living in 17 countries. So, yes, you can. If you are dedicated and do this to be. Really well, youve got the benefit of being able to live anywhere as long as youve got internet access. Host could you breach all the phones that are in this room right now . Guest its very easy to say that, yes, we could target the phones. Think hollywood has glamorized a lot of hacking but, yes, its still quite easy to target a phone, gain access, especially an older android device. If its apples latest device, no, thats pretty secure. Its annoying. Its annoying to good hackers, to Law Enforcement who are trying to get access to. So you can do it, it takes time. Host could you break into this room . Guest physically . Host no, electronically. Guest with the door lock . Yes. Host easily . Guest yes. Host and im going back to the question i asked before, should that information be out there and available . Guest good question. So you can take two paths with this. On the one hand, the manufacturer should make this stuff more secure. A bit like autonomous cars. We expect stuff to be built properly. When i buy a kettle or a microwave, i dont expect it to zap and kill everybody in the house. I think with the likes of the internet of things that were seeing with a terrible track record on security they have to be tested. So that information that somebody uses to maybe test that kind of stuff could be a benefit when they find a vulnerability and, indeed, our industry is built upon that. And they work with that vendor to say, do you know what . I found this vulnerability, i was able to gain access to the room, heres how you fix it. Lets Work Together to make it more secure. Host from your point of view, is it important to know the motives of the black hat hackers . Guest yeah. Im nervous about colors. I think ive been doing this long enough where i think the white hat, the gray hat, the black hat, i think the meanings have become more diluted. You have those who are very criminally minded and have criminal intentions, youve then got those who genuinely want to help. And if you look at those who report vulnerabilities, hey, i use your product, im a customer, but ive also found it to be quite insecure, heres how you can make it better. So i think the motives are really important. Host do hackers leave a trail . Guest bad ones do. Bad ones do. Host the good ones . Guest if youre a really good attacker and you know what youre doing, it becomes hard. Attribution is not an easy things to do right. Host so sam hunter, what do you do at sensepost . Guest currently, im a security analyst and also the head of training at sensepost. Host what does that entail . Guest i get the hack stuff and also manage our training. Host what exactly is hacking . Guest hacking, so traditional hi hacking was more around building and making stuff, and more recently i think society has seen it as people breaking into systems, you know, attacking systems in an offensive manner. But traditionally, its approaching problems and solving problems in various different ways. Host but if you wanted to go into and hack something, how would you do it . Where would you start . Guest do you want to give me an example . Host yes. Break into the Las Vegas International airport which is right behind us. Break into their security system. Guest into their security systems. So firstly, theoretical scenario because id lo to leave the love of to leave the states one day. [laughter] what i would first do is id probably Research Staff members that work at the airport because humans are normally the weakest link. Theyre often easier to convince to click on something or to open a document than actually targeting systems. Host is this the social engineering aspectsome. Guest yeah. The social engineering aspect. Not necessarily trying to high my way in, but go on to linked inn and find out whos working there linked in and find out whos working there, research those people so go to their facebook, their twitter, whatever social Media Networks they have and start enumerating those and then find out what their interests are and then start seeing if i can get information on the technology that they use. So that might be then posting a picture of their new phone or their laptop or Something Like that or figure out what sites they frequent. Perhaps i can go after one of those sites and learn about the technologies theyre using. And the more information i have, the more likelihood i would have at succeeding in an attack. So if i wanted to send a malicious document to them, if ive researched them on facebook, i know their interests. I can write up something that would be interesting to them to open and try and condition vince them to open that document. And once theyre opened that document, ive essentially got control of their computer. Host youve got control of their computer . Guest yes. And lets say its a laptop, ive got persistent access to it, the next day when they go into work, i might have access when they go to work at the airport. Host how would you break into this room . Guest into this room host in through the electronic lock. Guest so the easiest way, id probably rent a room here first so i can get access to one of the key cards, then investigate the technology thats being used on the key card. Id probably spend a couple of days doing that, and then either see if i can write my own key card with a different room number to it depending on the technology in use, otherwise ill follow you around, and if i can have a card clone, see if i can use one of your cards and clone that to come in. Host how would you clone it . Guest you can build or purchase clone carders, but thats depending on the technology. Host is there anywhere safe anymore in the Digital World . Guest not really. So that old african saying that if a lions chasing you, you dont need to outrun the lion, you just need to outrun your friend, right . So the same applies to security. If there are enough defensive measures in place, attackers are going to go for a weaker target. Host where are you based . Guest i am based out of south africa. Host and again, like your coo, can you do your work anywhere . In the world . Guest yes, anywhere in the world. Host as long as you have a laptop. Guest a laptop and a connection. Host nothing special. Guest so nothing special. Off the shelf computers. We generally run lots of different operating systems on our machines. I think most hackers either a mac or if its a pc, theyll run some of the [inaudible] destroys their host rs, and were also quite paranoid about security, so we like to segment our system ises. Well have Virtual Machines running around machines on our host os, and that would be a windows system or a separate lennox system. If im writing reports for clients, im probably doing that on a Windows Virtual machine because i need office, but i wont use it for anything else. I will only use that for reporting. Therell be nothing else installed on it. I wont browse the weapon on that machine. Itll be completely the web on it. Host has sensepost been hacked . Guest no, to the best of my knowledge. Were pretty paranoid people. We constantly monitor our networks. Its high risk, so we take a lot of care. Host would you know if youd been hacked . Guest i think, i think were pretty good at what we do, we would know, wed figure it out. But its hard to conclusively say that, yes, we would know. If you look at some of the breaches that have come out over the last couple of years with nationstate capability being put out there on the internet for the public to see, its really scary. Like if you have enough budget, your capability is exponentially above what is publicly known. Host sam momentummer, your web site hunter, your web site says you specialize in tracking down internet jihadists. What are they . Guest so a little bit more daniel side of things, but that would be enumerating real jihadists and terrorist groups, but their social media presence. Finding those terror cells, because theyve recently, theyve been using social media to get their message across. Theyve joined the hightech world. But at the same time, theyre spewing out information about themselves just like all of us, personal information on the internet, their connections, their friends, their associates, where theyre logging in from. Once its on the internet, its there forever. Its still there. Theres lots of places where that gets indexed and stays forever. And if you know where to look, its quite easy to track down a lot of that information. Host how often do you change your password . Guest depending on which password. No, most of my passwords i change, gosh, every two or three weeks probably. But id say that i quite often forget most of my passwords. I use a password manager, but quite often its easier to just reset passwords and go into my manager and get it. Because ive got multifactor identification on all my important services. Host whats the best thing laymen can do who dont work in this field but still want to feel productive . Guest so regarding email security, id say be a little bit paranoid. If someones send ising documents to you, be very careful what you open. Make sure you trust where its coming from, look at the grammar and the worked, make sure it is from the source youre expecting it. If anything pops up after you open a document asking for additional permission the Something Like that, that should send off a red flag. Send that to someone that might be able to investigate it. With your own security, basic security on the internet, dont click on all those links that pop pup on the sides of web sites pop up on the sides of web site ises. They can send you to dangerous places. Regarding pass words, using a password manager is a very good idea to save your password securely. And probably the most important thing for passwords is to have unique passwords per site. So weve been trained for years and years to choose passwords that are easy to crack for machines and hard to remember for people. So a good example of a a password would be a phrase. I like to go swimming in the sea and not get attacked by a shark. Something like that. Its incredibly long, easy to remember, very hard to crack for hackers. But incredibly secure. But once again, having that different on each site because weve seen lots of sites getting breached over the years, that information making it out on the internet, and then bad people making use of that. Host what is your role here at black hat . Guest at black hat, so im currently training. Im giving our black ops master or course which is modeled around the russian underground, the capability that they have and showing security people who are interested in it what that capability is so that they can better defend against it. Host is the russian underground specialized in this area . Guest i would say over the years theyve, theyre probably leading the criminal syndicate, the game inside the offensive, yeah, at the moment. Host sam hunter of sensepost, thanks for your time. Guest thank you. Host and now joining us on that iters from the black that iters from the black Hat Convention is dr. Melissa kilby. Whats your role here at black hat . Guest so im really here on two missions. The First Mission is to engage with the Cybersecurity Community and update my Knowledge Base, and my second goal is to teach data science to cybersecurity professionals. Austin taylor and i, we cofounded ttk cyber to bridge the gap between cybersecurity and data science and bring more Artificial IntelligenceMachine Learning and more advanced data wrangling skills into the Cybersecurity Community. Host so whats the, whats the gap between cyber and data science . Guest so in cybersecurity theres a lot of different tools people use, they know how the use, but it takes a lot of time. And then people from data science, they use other tools that are pretty fast at manipulating data and getting the data into the correct format and also perform advanced analytics on it. And theres really a large gap currently. People in cybersecurity, theyre domain experts. They know cyber in and out, but they dont really know how to do more advanced predictions, advanced analytics with their data. On the other hand, data scientists come in and they dont know anything about cybersecurity. So its really bridging the gap, explaining the gap in terminology and technology. Also people are interested in learning more about data science. Host whats your background . Guest my background is in biomechanics. I started in cybersecurity just a year and half ago, and its super exciting to be in cybersecurity. Host when you say biomechanics, what are those . Guest biomechanics is about the human body, motor control, learning how we as humans evolved, how we learn and how we control our emotions. Host is a direct connection between that and cyber work . Guest yes. You also have very high dimensional data, very complicated data. So the same question we want to understand something that is deep within data and we dont know how to go about this. This is this is a recurrent thei encounter cybersecurity. People approach me and asked me all of this data, what do i do about it, how do i find the next activity on my network, on my computer . Its always the same question people ask. Host is there a social engineering aspect to your work . Guest yes. Social engineering is one field of cybersecurity where data signs is probably not to develop. So there are other areas like Network Security or Endpoint Security or Machine Learning is much more advanced but my personal opinion is that people should zoom out a little bit and approach cybersecurity as a whole. Thats different silos and fixes, kind of like, yes, just the bigger picture. Host you talk about Machine Learning. Where are we in advancements . Guest most people asked what his Machine Learning. Instead of saying what Machine Learning is can be seated to say what Machine Learning does. Its smart machines. Now your computer can make decisions on its own. Wow, isnt that crazy . Theres another term called Artificial Intelligence. This is taking it even one step further. We as humans dont even have to intervene anymore where as the computer, people call it raw data, just think of any type of the data source. We just pass it over to the machine and the machine magically on its own learns how to make useful predictions. I also think Artificial Intelligence will not replace humans or cybersecurity analysts. It will augment their capabilities. Because of the current state of the art is that a lot of processes in cybersecurity are very manual. So cybersecurity analyst has to sit down, look at the data and it also highly depends on the skill level of the analyst. Whereas if you use Machine Learning or Artificial Intelligence, you can take the whole process to the next level. We can find malicious activity that no windows about yet because cybersecurity is a dynamic field. So tomorrow is not necessarily like today, unfortunately. Host are we using Machine Learning in ai right now in cybersecurity . Guest yes. Im very pleased to serve the people using it more and more and more. But yes, still very, like few startups, few people who know how to apply it to the cybersecurity domain. I would like to see that everyone could use Machine Learning and data science, and this is also what our course is about, to bridge the gap so cyber is good analyst knows how to quickly manipulate the data can get into the right format and then make the machines sports of the to do the job. Its not about replacing the analyst. Its about augmenting the capability. Host your phd from the university of georgia and what were you working on there . What is your specialty . Guest i was working on control, and it was really a completely different feel. I was researching comparing old people to young people and see how motor control changes over time. I was also performing realtime streaming experiments. So just think of if you have the space of fun of you and you try to balance your body out and see how you perform. The feedback helps you perform better. We took it one step further to virtual reality. Now you have those goggles on and suddenly whole new world opens up, understanding how we as humans learn to control our bodies and how our bodies function. To take that knowledge to cybersecurity is, again, its the same problem. They are researching something we dont necessarily understand very well. We dont even know what we are looking for. This is the mindset that i would like to see a lot of people tackle even more. Right now its more, we want to look for something bad happening on our network, on our computer that we know well before, but we should be looking for something that we dont expect to find. So in cybersecurity theres a term called zero days, and zero days are things that we dont know today, exploits, vulnerabilities that can cause the next worldwide cyber attack. Host was there a lightbulb moment that made you switch into cybersecurity from what you were doing . Guest i wish there was. It usually happened by accident. I switched into cybersecurity and im so happy about it because its such an exciting field. Its challenging. Its very fastpaced. Technology changes very fast over time, and, yes, i couldnt be more fortunate to be cybersecurity data scientist. Host what does Invincea Labs do . Guest okay, so Invincea Labs provides services for the u. S. Government and also very excited to announce that our company will change their name this week. Host where did that income from . Guest so i just joined a company, but ive known a little secret that on the 26th of january the Company Became independent from Invincea Labs so this is happening evolved. Host you mention at the beginning of our talk you here also to learn and interact with other cybersecurity experts. What are you hoping to learn . Do you have a goal here at black hat . Guest yes. I hope, overtime, to become a hacker myself, to learn more about how cybersecurity analysts go in their manual approach to update my Knowledge Base and i can transfer it to the Machine Learning, Artificial Intelligence domain and advanced that field to again, achieve that machines are smart. They learn by themselves. They help us humans make better and you predictions. Host you are originally from frankfort, germany. Our similar efforts going on in germany that you see in the united states, do you know . Guest i probably dont know but i can just assume yes, that data science worldwide is becoming bigger and bigger and is also becoming a big thing in cybersecurity. Host melissa kilby, thanks for being on the communicators. Guest thanks for having me here. Cspan, where history unfold the daily. In 1979, cspan was created as a Public Service by americas cabletelevision companies and is brought to you today i your cable or satellite provider. This morning cspan2 cspane coverage begins at 9 30 p. M. Eastern on cspan two. Tomorrow we live in jefferson city, missouri, for the next stop on the cspan bus 50 capital to the j ashcroft will be our guest on the bowstring washington journal starting at 8 a. M. Eastern. Next on cspan2, a discussion with the National SecurityAgency Director mike rogers. He talked about the pending renewal of the Foreign Intelligence Surveillance Act which allow surveillance on some foreign citizens picky also shared instances of legislation has helped Intelligence Community to thwart terrorist plots