
All right, welcome everyone. This is our second annual; it is becoming an annual tradition, what we do as close as possible following DEF CON, which is very popular for a lot of us. If you were out in Las Vegas, it would be for you. I am very happy to see so many people in the room, and I know there are more following us online, on the internet, on Twitter, or on C-SPAN. My name is Beau Woods, I am the deputy director of the Cyber Statecraft Initiative. I would like to welcome you to this event hosted by the Cyber Statecraft Initiative, and to welcome those who are following on the webcast. I encourage you to join the conversation with the Twitter hashtag #ACcyber. DEF CON to D.C., we hope, will be a policy forum for people to understand the significance, urgency and response options to the flood of technical information from the hacker conferences that took place in Las Vegas. That is DEF CON, Black Hat, and others. I am very pleased to be joined by a distinguished group of my colleagues and friends. Chris Thomas, aka Space Rogue. I still can't call him Chris. He is from the first cyber security research think tank, and the popular Hacker News Network TV show. Next, cofounder of the Congressional Cyber Security Caucus, one of two Congress members who joined us at DEF CON last week. Jessica Wilkerson is from the House Energy and Commerce Committee, where she focuses on cyber security and legislation. She joined us last week. And the moderator for today's event, Ariel Robinson, is a freelance writer and analyst who specializes in defense, security and technology policy. She hosts The Tech Effect, which is on the ramifications of technology in society. I look forward to this panel discussion. Before we kick it off, here is a short video or presentation that I hope is going to convey some of the excitement and intensity of last week's hacker conferences viscerally to the audience. The slides in 60 seconds. I might hit it, but I might not. Are you ready? Let's go.
We had Wonder Woman, we had the cyber safety track, panels, Congress on panels, and 2,000 hackers cheering them. Villages; we had a healthy balanced diet. We had serious conversations. We had the oil [indiscernible]. Badges, bash life. We had black badges. 24 karat gold. Tiki gods in our image. 24,000 hackers in a hallway. Some issues, but not as many as you think. Cars and trucks. Medical devices. We got technical: medical devices. Voting computers. More voting computers. All the voting computers. We have all the things. We cyber-interpreted all the things. We hacked the planet, we did something historic, we had fun. We will do it again. DEF CON is not canceled. Now I want to play a video. That was an immense challenge. I look forward to seeing how well I did in this speed round. We have got a short video that is from a Facebook Live that Congressman Hurd and Congressman Langevin did. Let me play that for you now. Then we will get started. [video] [indiscernible] They are rounding up the distance. This is what all of the hackers understand [indiscernible] the vulnerability of our voting machines. I am with my man Jim Langevin. The former secretary of state. [indiscernible] What should the secretary [indiscernible] [inaudible] We will be back with you soon. [indiscernible] [laughter] Beau Woods: All right, that concludes the video. A good, quick segment to help transition this into the panel. Without further ado, I would like to invite my panelists to come up. All right, Ariel. Thank you all for coming. I am honored to be a part of this panel. Such an amazing crowd. First, we had three conferences all in the last 10 days: DEF CON, we also had Black Hat, and we had BSides Las Vegas. Can you explain the differences between each of these different conferences, who they are geared towards, who goes to them, who puts them on, and so on? The first conference, which started 25 years ago, was DEF CON.
It was a gathering in Vegas of hackers that wanted to hang out and see each other in person. From that, 21 years ago now, I think, Black Hat arose, which is the commercial or vendor-sponsored event that is mostly training as well as a vendor area, but it is a commercial event for lots of security companies, the expo floor, etc. BSides grew out of talks that were rejected from Black Hat that people thought were still good talks. They created a third conference within the same time span, called BSides. That has grown into a hacker-centric conference. They will have talks for a lot of new people. People go there because of the talks that they offer. BSides would be like the B-side of a record, for those of you who are old enough to remember records. Terrible to play in your car. The B-side refers to that. It is like a hacker family reunion. Companies pay for them to go to Black Hat, but they skip on that and go to BSides and hang out with their friends. DEF CON is huge, 25,000 people. It is hard to meet and run into anyone you know with any regularity. Then Black Hat is very vendor focused, industry focused, so people go to Black Hat to look for their new job in the C-suite, whereas the other has people finding their first job in information security. Ariel Robinson: What was everyone's role at these conferences? For myself, I was registered as press at Black Hat, I was an attendee at BSides, then I was in and out of DEF CON very briefly before I went to the airport, because five days in Las Vegas was totally enough for me. What about you all? There were eight days. I arrived on Friday night of DEF CON, and I had a talk, Meet the Feds, that I did on Saturday night as part of the evening lounge, two hours designed to be interactive and give the research community a chance to talk to friendly feds. They do exist. Well, I was at DEF CON as well, thanks to the Atlantic Council. I got to spend time with Congressman Hurd.
I got a tour of most of [please stand by]. Because of the fact that everybody in the industry is in one location at one time, it is the perfect opportunity to meet other people in other companies, the first three days or so, during Black Hat. Then you go to BSides. I am a volunteer on the committee for BSides, which means I select which talks are presented at the conference, the call for papers. Ariel Robinson: I am going to call out all of the acronyms. Chris Thomas: I apologize for that. I get a staff badge at BSides, but I cannot spend a lot of time there. Then on Friday and Saturday, I went with Nick, who was assisting his boss, Representative Hurd. We visited some of the different villages at DEF CON. That was my experience. That is long. I went [please stand by]. The policy world seems unbridgeable, and it is not, so we do everything we can to demonstrate that. I had a great time, but I was not at DEF CON or Black Hat. With the help of my Atlantic Council colleagues and the Cavalry, we were at the I Am The Cavalry track at BSides, which included a mock congressional hearing, which was really fun. A cyber crisis exercise that put policymakers and hackers together to empathize with one another and build understanding and educational awareness. We also arranged for Congressman Langevin to come out. We had like a hacker speed dating. They wanted to pair them up, finding a good personality fit. We did the tour that Nick alluded to, interactive exhibits, with workshops and villages. I did a talk called Do No Harm, which is the one you saw, where we showed up half an hour early for the room and we had 100 people in line. We had a room for 200 and a line out the door. We put together a medical device hacking village, the first time at DEF CON. It was also one of the contests and events. This is a term for the people that put on the DEF CON conference. I did not make it over to Black Hat. I had a full schedule. Ariel Robinson: I spent a lot of quality time running between hotels.
There was a lot. Speaking of these different villages and grounds for BSides Las Vegas, the different tracks and the grounds, there was the Common Ground and Ground [indiscernible], the engineering village, the IoT village. Can you describe what all goes on there? Like, what is that? It is like birds-of-a-feather meetups. They had vehicles in place. The same thing with the voting machine village, a bunch of voting machines set up to experiment with, etc. There was the lock pick village, the industrial village. There was the kids' asylum, for kids to learn different things. Hands-on experience with different things. It is all-encompassing under the big term hacking. I don't know if you want to add anything, Beau. Beau Woods: It is all about the content and the track, but there were about 12 or 15 tracks over the course of those eight days that went on in parallel to each other. It was pretty intense. The hacking conferences are some of the only ones I know of where people go and say they did not go to see a talk, because they spent most of the time at the villages talking with their friends, having lunch, going to parties. It was really an all-encompassing set of events for three different stakeholder types: the kind of community with BSides Las Vegas, the corporates with Black Hat, and more of the hacker community with DEF CON. Then you will have lots of people who spent all weekend in a room trying to do the capture the flag, to basically do red team, blue team penetration; they spent the whole weekend doing that, or running through a contest for the crypto privacy village, trying to break cryptography in real time, or exploring social engineering issues. The social engineering village is really popular. Getting information out of anyone. It is my specialty. Beau Woods: As a journalist, you are a top-notch social engineer. There is a heavy focus on educational awareness, building new skills, capacities.
This year, more than ever, we tried, overtly in some of the content that we created, to make it about building policy skills that were compatible with public policy issues. They were allowing the hackers to be more civically minded. They wanted to participate, unlike two years ago when it was more active, not quite hostility. It has changed, so we are trying to develop capacity as well as awareness of the situation. So we will come back to the evolving relationships of the different stakeholder groups. What else was different about this year, and what did you expect, and what did you not expect? This was the first time for the congressional staff members. It was my first time as well. Las Vegas, crazy place. One thing that I think was different, having never been before, there were congressmen speaking on panels Saturday afternoon and on the track to 2,000 people Sunday. To the best of our knowledge, that hasn't happened. In terms of what was different about it for me than what I expected, I have spoken at a con in Washington, D.C., the local hacker con, and used that to get a better understanding that there are people in Congress that are interested in making sure that they have a seat at the table, and that we have a lot to learn from hackers. But that convention is D.C.'s hacker convention, so I thought they might have some correlation to policy that is not known at DEF CON, which has the Spot the Fed thing. I came in expecting a little bit of resistance. I wanted to be an ambassador. With every single person I met, I made a point to say I am from Congress. I need your help. I expected to get a lot of, at best, neutral, and some negative reactions, and that really wasn't the case at all. People were surprised to see me there. They wanted to be engaged. They wanted an outlet to make sure the voice of the hacking community was heard.
They were very receptive to the fact that I was willing to come into the 105-degree heat of Las Vegas to talk to them. I appreciated that, to feel like there was no barrier, that I was welcomed right away at my first DEF CON. And it's a good thing. The hackers want to work with government. Government wants to work with hackers. We are seeing programs in government. What's going on? Who are these people? I'm, like, oh, these are the congressmen. Cool. It was really interesting to see that reaction from folks. More positive than I was expecting. That's the big surprise for me, how engaged people want to be in this community, and we realize that if we don't step forward and say something and make our voices known, things will be done without our input, and we want to make sure we have our input into that process. I have this thing where, if you put the word hack or hacker into a press release or report, I immediately replace it with research or researcher. [laughter] But apparently that might not be a totally bad thing. That's good. My researcher. I think it was amazing how accepted we were. People were excited that we were there. People would find out that I was from Congress, and they're, like, oh, my god, that's so cool. But I think the thing that I found surprising, and I think this shows, you know, I think of D.C. as this bubble that lives inside the beltway, and you have to get out of the D.C. bubble to really understand how the rest of the world is working. People kept asking me how do I get involved. Who do I talk to? What do I do? That was surprising to me. In my mind, I was, like, you're obviously already involved, and we're here talking to you and we seek your input, so I think it was striking to me that, from that perspective, I don't know if we've done a good enough job of advertising. Like, you don't need to be part of any special group. For us, there is no centralized point where we can go when we need to talk to someone who knows about vehicles or medical devices, and specifically we need people who can hack them. To say you can reach out directly to us, you can email me directly.
You can call the main line and have them connect you to me. I would love to talk to you. People thought there was some kind of special permission or pass needed in Congress; in my mind, I'm, like, join in the queue. You mentioned I Am The Cavalry. I think one of the things that was different this year was that the Cavalry had its own track at BSides Las Vegas, right? Yeah. So I Am The Cavalry is a global grass-roots initiative that was started exactly four years ago. Happy birthday, by the way. Thank you. It's something I've been heavily involved with, and it's why I joined the Atlantic Council, because we found we were badly needed in D.C.; we wanted to have a D.C. platform and a D.C. outlook for some of that. Third year, yeah, third year with the track. And it's grown every single year, and it's been pretty amazing to see what has grown along with it. This year was much more focused on public policy things. One of the things that surprised me, like everybody else, was that the hackers and the security researchers were not just tolerating people from D.C. but actively engaging them, and Jessica, I knew you would be; we talked about that beforehand. I thought it was a huge relief, but also I think it shows the turnover in the security researcher community. This year, as every year, the conference grew by about 20, and I think that it actually grew more than that, because I think a lot of older people have started not going to DEF CON and the other technical events. So I think we're actually losing some of the old guard who are really scarred and still have a lot of the battle scars from talking to Congress, agencies, being threatened with arrests; a lot of those folks have kind of aged out of the community, and we have a new crop of people for whom this is their first or second year in the security research community, and they're very eager to engage. One of the things that one of the keynote speakers at the BSides I Am The Cavalry track, Keren Elazari, talked about was
that she met a lot of people who were very positive, and she realized at that point that we have permission to engage more broadly in society. We just haven't given ourselves, as a community, our individual selves, permission to engage. So I think this year was an inflection point that helped unlock some of the people who go to those types of events to engage more broadly in public policy and other discussions. That echo is a far cry from not that many years ago when they were actually uninvited. They were uninvited for reasons that we can talk about. Yes. We can move on from that. Google it. Yes, Google it. [laughter] So some of this, and actually part of the reason that they were uninvited, was about trust. The technology ecosystem is critical and ever evolving. How has trust between the hacker community and the policy community, or industry executives, how have these different relationships changed? What has driven that change? A tough question. I mean, I think one of the realizations that I had was when the Sony hack happened and President Obama said we need to address this on TV. It felt almost like a call for the adults in the room. And as the original call for I Am The Cavalry was realizing that some of the people at the top weren't going to come in at the last minute and save us, and we had to be the adults in the room. I think that was the feeling for a lot of the research community, and that was the case. We also saw a lot of activity in cyber policy. And what I realized is right along the lines of what was said earlier, which is that if we don't engage positively and proactively, other people will fill the void. Some of the initiatives in the last 30 years, the Child Online Protection Act, the [indiscernible] Act, the Digital Millennium Copyright Act, these are laws that have kind of turned hackers into criminals. There has been a large distrust of lawmakers from the hacker side. I think what we're starting to see is the trust level, on both sides, is starting to thaw.
We're starting to see it, as evidenced by Meet the Feds, which we've had for years; there's usually, you get a couple of lawmakers on stage in front of the audience, but the number of people in the audience interested in that sort of thing has grown dramatically, as evidenced this year. Whether it's through just having a program in the first place. That's part of it. Congress's self-interest is driving the need to be, like, we need to build some trust with the security research community because they have so much to offer us. We need their help. And part of the way that we can do that is by trying to be honest brokers with them, in explaining what we're doing in Congress and saying the door is open. If we're doing something about it, we want to hear; if it's wrong, we want to hear about it. And if there are challenges that we should be addressing right now, we definitely want to hear about that. Yeah. On our BSides track, there was also Tech Congress, a group that's trying to get more tech-savvy people into a year-long fellowship in Congress. I think they did a survey of offices and found that there were, like, four people who had a computer science background out of 14,000, something like that. It's a small number. Two of them are here. [laughter] I think they found there were members of Congress who had a computer science or tech background, four out of something, 435 Congress members. So there is actually a higher proportion of Congress members with a tech background than staffers. Not enough. I don't usually agree with John McAfee. Usually I don't. He is a guy who helps out the security industry. He said something like, you know, with the amount of connected technology today, it's no longer acceptable for Congress to just have a staffer on that. They need more than a staffer with a part-time job. I think that's absolutely accurate, and I think doing more to drive technical literacy is what we need. And someone with a completely unrelated background who got into this actually about a year ago watching this very panel online. Yes. Let's talk about the types of skills really required to be in this world.
Let's talk about the relationships between... nothing personal. [laughter] Josh gave an excellent talk, one of the BSides talks, about the need for the hacker community to move away from elites, which is written with an l, a 3 and a 7, and it wasn't until his talk, after seeing it for a few weeks, when he turned it into elitism and added what I call "normal", that I understood what l337 actually meant. Yes. No kidding. I mean, I'm okay, but how is that relationship evolving, and what role do you think the technical community... how can the technical and non-technical communities work together more efficiently? One of the things that we've been trying to do is lead with empathy. Start by listening and understanding and getting to know the concerns of, whether it's the public policy community, industry, whether patients or hospitals or whoever we're trying to reach. You have to really lead with empathy and you have to start that way, because if you don't, then nothing else will work. I think that's a skill that we certainly have a lack of in the cyber security research industry. A lot of us got into this because we didn't like people. We would rather spend time with machines that are logical, and we can figure out how they work. People are not like that. That's okay. That's why I give talks. That's right. So we have to build soft skills. We also have to find teammates like Nick and a lot of other people who are already in the locations that we want to be, and to team up with them as ambassadors. I think that's the only way that nascent work has really paid off. Jessica, as the bridge to your offices, how have you... So, I think what I realized pretty early on working with very technical folks was that I didn't need to be a technical expert, and they didn't need to be a policy expert. We could meet in the middle. They could give me the lay of the map of the technical realities. This is what the technology will permit and what it will not permit.
From there, I could combine that with the political realities and policy goals and objectives, and the two of us, or however many of us were there, could arrive at a politically feasible solution. And so I think that was kind of part of it, just accepting, you know, I don't need to be the technical expert in the room. I know what you're saying, because I have a technical background, but we're way past where I've stopped being able to follow you, but it doesn't matter. I believe this and you, and then having the person on the other end of that conversation say I don't understand why you can't just pass a law that does this, or why can't you just regulate everything ever in the world, but I believe you telling me I can't, and then we arrive at a feasible solution. The background is the question. I think that, at least in my experience, you do need people with as many different backgrounds as you can imagine to be effective in cyber security at large. Right. It can't just be technical people or policy people. You need lawyers, psychologists, you need economists, lots of folks. I think the problem is... absolutely linguists. The problem tends to be that they are leading, very much. Tech folks are in companies. I think it helps bridge the divide in terms of, you know, where you're coming from. Tech is absolutely a big part of it. This wouldn't exist without the tech, but there are a lot of other interesting aspects to the thing that deserve it, I think, as well. The first primary threat model needs to be somebody's there, and go from there. Yeah. I can relate. I joke that, you know, when you only have technology of people, logic and binary, we're looking at access management; the next idea is let's have longer, more complex passwords, but humans don't work that way. That's something we could talk about forever, and I totally think we could have another Wednesday on this. This is my personal area of passion. Security.
But we're coming up on time, and we want to make sure that we hit sort of the last and arguably most important question, which is how can these two communities, the hackers, the security research community, and the policy communities continue to work together more in the future, and what should each community know about the other before or during interactions? So, I think one thing is terminology. I brought it up earlier. Or language. You constantly are replacing the word hacker with security researcher, which I encourage you to continue to do, because a lot of people see the word hacker and instantly think criminal. Hackers tend to use the word as a badge of honor, for somebody who likes to explore technology and find problems and get them fixed, as opposed to somebody who is constantly breaking stuff. So language is definitely a big thing outside the beltway. The other one, cyber, cyber inside the beltway, D.C. Hackers don't like that word so much. Not something we're a big fan of. So language is a big issue and causes problems in communication, so I try to stay away from words that can have different meanings for different people. I'm on a mission. People have kind of taken up this word, but the term for me has been digital safety. That's a good one. Instead of cyber security. There are enough words in the English language that we don't have to use words that have different meanings to different people. My contribution to this question: recognize that there are certain realities to each group's situation that you're not going to change. I have to unfortunately now completely contradict both of the points you just made. Originally, I'll put it this way, back in 2015 when I first started working for Congress, I refused to use the word cyber security. I replaced it with information security; I just wouldn't let it go. That's no longer the case. I will put it out there that in my opinion this nomenclature battle is lost. It is going to be cyber security. It will be. People will say it, and my advice, if you want to work in the policy world or interact with it, is get used to it.
I don't think it's going anywhere. To make more of a point of that and tie it into the point I made before: I think we have... it's not a satisfying answer to say there are laws and regulations and reasons we can't pass a law for these things, so I think understanding those barriers on each side and why they exist and those kinds of things are really the empathy piece I was mentioning. Congress should look at the security research community and say, with a few outliers... I think the same is true for the security research community. You should look out and say, look, as my boss was saying on the video, right, they're looking for things that are broken so that they can be fixed. They're not looking for things that are broken so that they can do anything particularly malicious with it, or anything other than say, hey, this is broken, get it fixed. And I think that that misconception, of Congress is out to get us, or security hackers doing evil things, if there's one thing that I could get both sides to understand about the other, that would be it, and that ties back into building trust. Which is, you know, I think there's an analogy about trust, this is a leap of faith. You're not going to just get there to build trust; you have to be willing to be the person to step out there and say I'm taking a risk, and I think that we are trying on the Hill to do that with the security research community, and say, hey, look, we want to get your input. Trust that you all aren't going to burn us by doing something that, you know, gets our boss's name in the headlines with hackers and... Yes? Well, exactly. "Hackers," that's probably the word that would be used in the headlines. So that's what we're trying to do, and I think that in terms of connecting with Congress, being willing to take that leap and say that there are members, there are staff that want to work with you is very important. Yeah.
One of the things that I've seen in all the teammates, including some of those who are not here, in the policy world, is curiosity, a desire to learn more, learn how things work in the different world and different space, and the willingness to put up with some defects or some of the features that got us where we are that may not work in other contexts. And to sit down and listen and engage. And that's one of the things that makes hackers too. Most of us started out being a puzzler. We just wanted to figure out how things work. Take apart the radio or whatever when we were very young, and then, by figuring things out, gain a deeper knowledge and understanding, to be able to manipulate those things in surprising and interesting ways that have security consequences to them. Recently, yesterday, we got word that there was a bill introduced in the Senate, the Warner bill, and in the press release they credited their consultation with the Atlantic Council, myself and folks at [indiscernible], and looking at the press surrounding it, I've heard very few researchers or hackers complain. A lot of positives about this particular piece of legislation. I think that's a testament to what can happen when the two sides work together. I don't know whether that bill is going to get passed. A lot of the elements in it are maintained and upheld, but also in that bill and in a lot of the other postures towards cyber security in the government. But I think it's a great existence proof that working together can be safer, sooner. Thanks. That's a great wrap-up. We're going to open it up for questions. For those of us in the room, you can obviously raise your hand. You can also tweet at me. For all of you online, you can tweet @arielatwork and use #ACcyber. We'll catch you all. Yes, sir? What were the top three things about [indiscernible audio]? Wow. Repeat the question. What were the top three technical things you saw that made you say, wow, we may need to either make a new law or modify an existing law to address this situation?
I don't know if I saw anything that would require a modified law. There were things that made me stand up and say, wow, this is more important. The voting machine hacking village was one of those examples. I was surprised at how much interest there was in that. The car hacking village still had an interest I wasn't expecting. So I don't know if any of those things require new laws or modifications to existing laws, but they're definitely interesting and exciting for me to see. One thing that we've been talking about is the Digital Millennium Copyright Act. Recently, as of a couple of years ago, there was an exception for security research on voting, medical devices, computers. It's very odd. You apply to the Library of Congress to get an exemption for certain devices, and that only lasts for a short amount of time. Three years. So the current exemption is for voting machines. That is one of the reasons we were able to do it this year at DEF CON. Devices in cars, that one had a delay on it, which delayed it until after the last election. And there's been some conversation about how do we make laws like the DMCA such that people doing research, working in good faith, don't accidentally get caught in the provisions used to stop movie pirates. There's also been talk about loosening up a few sections of the Computer Fraud and Abuse Act, written in the 80s. There are a lot of sections that could be narrowly applied today beyond the intent of the original authors. There are a lot of laws that need to be updated. I don't know if there's anything that prompted me to think we need to change something. Sir, over here, thank you. One second. Thank you. Is the hacker community like hackers without borders, or do they notice which passports hackers are carrying? It's more like hackers without borders. The hacker community is very much traditionally a meritocracy, more about what you know than where you're from or who you are. Talking about elitism, that's less of an issue. I would say, as compared with a lot of other places, it's more hackers without borders. I like that analogy.
There are actually a couple of organizations that do hackers-without-borders work in other countries. Hacker conferences around the world. It's not just a U.S. thing. I think that there's actually a lot of diversity of background, perspective, race, gender, gender identity, a lot of things in the hacker community that I haven't found anywhere else I've gone. Particularly in education. I mean, I know lots of people who have dropped out of high school who are some of the best hackers, security researchers, who work for Fortune 100 companies in very prominent roles. There is almost, not quite but almost, an inverse relationship between education and success as a hacker. Formal education. Yes. Formal education. Good clarification. I think that diversity is part of our strength, and I think that preserving and enhancing it is really good. To your point, I mean, anybody at DEF CON can walk up to anybody else and have a very high quality conversation, which is part of the reason why I think none of the hackers were afraid to walk up to Congress people and say what are you doing, why did you do this, why does this matter. So I think it's great to have that, and we want to enhance and preserve it. To that point, I mean, you see that play out in the policy world, going back to software export controls, with the biggest policy concern being that putting export controls in the way of vulnerability research defeats security in the United States, abroad, in the entire ecosystem. And the recognition that, you know, it's not just a United States issue; security research is one of the primary factors that drove the policy change to say, look, we need to reexamine this issue and make sure that vulnerability reporting is not something you're going to need a license to do. I know, speaking for myself as someone who came from a very different background and a different place, outside the hacker community, I start any talks this way. I called people in special operations, no problem. I was more terrified of going into my first BSides than of calling special operations.
When I got there and shoutout to Wendy who is here today and also the reason that I'm in this community at all, I got there with her, everyone was so nice. And, you know, shortly after this event last year, she d me to reach out to founder of o is the DEF CON to ask him actually some of these same questions and we had a two-hour conversation about it just because I asked. Great. Ally so we have a question from Twitter. I find this from I find as well among t many hackers with respect to policy due to the CFAA. Any thoughts on CFAA reform and can you remind us what CFAA stands for? Computer Fraud and Abuse Act. I think it was passed in 86. Sometime in 280 the 80s. Makes a crime of just about everything. Used as a sledge hammer by some attorney generals prosecute what I consider to and it level or noncrimes was a came to the forefront a and I'm going to blank on his name. Shouldn't. Aaron Swartz. Thank you. And you can Google both of those names. Very tragic cases. I'm sorry. Been estion is has there efforts to modify it? Any thoughts on reform? Reform it. Love to I don't know if any current efforts are underway. To what the k Department of Justice is doing on a panel with an Department of he Justice while I was at DEF CON what he paraphrasing said but the Department of Justice is recently, very week, ly as in last released new model vulnerability for disclosure guidelines federal agencies that they can se that basically try and clarify what kind of research acceptable or that agencies, departments and could put out and say here's something that you can do that you don't have to worry the Department of Justice has worked with basically a precooped memorandum of understanding that we're not going to come after for doing this research on the federal side. In the world s of or at large, one of the stats things.
Two one thing, one positive step taken is to has require review to try and make of the 94 ll DAs offices have similar policies for prosecuting and Abuse Act cases and Justice itself conducted a review of cases that brought under the CFAA and based on their review and that I got from Security Researchers in the last years, we have is the case where Justice is we got that wrong. That was purely Security Research and probably should not prosecuted as it was. That though, beyond there is the Computer Fraud and does also allow for rights and so Companies Get statutory damages because of security violated CFAA. That is obviously not contained in the scope of what Justice is reviewing but I think it is important to realize that the Department of Justice is taking steps to try and address some of ambiguity that I think there is in the Security Research community about CFAA. The other thing that's important there too is not just looking at DOJ or any but when you look at the federal agencies who have these sectors like cars and medical devices in of those both agencies have actually come out with support of coordinated very sure and have been clear in communicating to the companies within their sector, have a t you to coordinated Disclosure Program to work closely with researchers. To think that's very important mind. In and Security Researchers have involved in making these efforts happen. I know I am a lot of work FDA and with the several meetings on the Hill myself. DOJ. What not. The Department of Defense. So in that sense, there is a lot of moving forward from the Security Research side. What about for not research y security but just noodling or modifying up to six months ago, there was John Deere having o go back to the manufacturer to make a change when it could have been hacked? Yeah. Right to repair. Yeah. That's do you want to to be able to getting the right people in the room and willing to be and empathetic and to move forward together. Yeah.
Are also questions of liability. By the way, shameless plug, questions the kinds of that we talk about on my podcast, The Tech Effect. Has been a guest. I look forward to having all of well so we can discuss DEF CON to D.C. part two. Been going to DEF CON for years now. It's good to see you guys. Go this year. And I would be interested in working with policy. I would be interested in helping. I don't want to have to quit my you can o do it unless pay me enough to quit my day job. I'm a freelancer. Don't count on it. No money in it. But there is the honor of making the world a safer place do withs what I get to my day job and since I came to corporate education, I actually know how this translates from tech to English wondering if you two anybody can give guidance I can get more involved to make the world a better place. Even my license plate is white hat. I can start with that. Start coming to more events like these. BSides. Ng to local out local meetups. One thing that's so great about the Hacker Community is one of the many definitions of hacking is how to make things work in might not people expect, nontraditional ways. There are all sorts of official ways to get l involved. Again, I wasn't in this world at all 18 months ago. We had a we had a at the mock congressional hearing we did at BSides Las Vegas, a the e of people asked just right question and we went on a basically 30-minute conversation get involved whether you're in D.C. or even for folks who are not and don't to D.C. any time soon. They're really seeking people who know what they're talking about in some of these issues where there's not an established that they can turn to or an established convening that comes together. So no matter where you are, you've got somebody who represents you up here. And you can tap into them to go and be their friend. Cliche, but use a write your congressman.
A Grass Roots Organization or any m the Cavalry other organization already involved so that you can volunteer and help out with them. Numerous are opportunities to engage with the federal bureaucracy, the executive branch of government. Cyber ean, you mention security, education, National Initiative for Cyber Security Education has an RFI out right now that says if you know something about Cyber Security we want to hear from you so that we have a better understanding of what is the lay of the land, what should they be focusing on going forward. NTIA is another great example, Telecommunications and Information Administration ran completely process open on vulnerability disclosure, they're running one Internet of Things, awareness. And Beau knows more about this. So and these are open initiatives. Most of what the government is putting n it comes to out rules and regulations, and are looking for comments many of these particularly the FDA, I the agencies like mean, they have open workshops come to discuss the guidance currently being developed and so those are wonderful opportunities to put in to paper to show up person and say I am an expert in this field. Here's what I think that you the federal government should be looking at. Had another question. I'm Mike Nelson. I work for Cloudflare. Black Hat. I didn't get to go because my colleagues did. That this panel is happening. It's fascinating. But I haven't heard much mention the cloud and I was curious whether there was a cloud hacking village or whether there how we discussion about can use the cloud to protect against some of the cyber problems. We spend most of our life in the cloud on Facebook and the like and it's much more photogenic to makers o Jeeps and pace and Voting Machines. I don't think there was a village. King just seems like another technology that we use these days.
All of vendors who are there to solve all your cloud um, something that I'll forthcoming on this but looking at the language obfuscation and the tech can solve all dors your problems just sign here is huge problem. And I think we've seen the same with the cloud as we've seen AI. H IoT and you know, the use of the term AI 60 in Companies Went earnings statements from below 60 in FY16 to almost two quarters of FY17. A similar rise with machine learning. Yes. Big data was last year. Yeah. Data was last year's DEF CON IoT and cloud before that. Know, the irony is that we AI. T actually have and I think the other thing that I would just say, um, because this is something my focused is especially on with vehicles and medical grids and Systems Energy essentially. Lot of companies and other organizations who are racing to adopt the newest, thing and the things that were still struggling to secure that are causing problems the biggest the 30, risks are 40-year-old protocols and technologies and these other things. Been very interesting for us and a particular focus for us trying to say that's great. Look at the future technologies if you want but we still have to solve the problems from decades ago. And we tend to have the same problems in clouds that we do everywhere else which is we build something that's insecure and indefensible and then we want to put a layer of icing on the top and say it's all good to the truth is we need build more security in the its level because impossible for an after market type of solution to work in every case. Of Amazing Things but it's never going to be as good or cheap as something that's inherently built in. I want to build on your point cloud to change from IoT. Industrial ng about control systems. They're designed to have a long time but now we have IoT devices that we're building. Some are designed for a long life. Some not. Mistakes ng the same we made. Are you on Beau's working group? We work close together but I'm not on his work group.
We have a bunch and a couple on here. So I know you were raising your hand for a while in the middle here? Thank you. What I was about don't want to get sucked into that because there's a whole political mess points. Ple of the voting hacking village was pretty eye opening. I'm kind of surprised that it opening because it's been an issue for the last 20 years. This isn't anything new that we know about before. We've known that the machines if been fairly wide open you will. Very easy to compromise. I'm glad to see that focus on the Voting Machines now. Whether or not there was any issues during the actual election, I can't speak directly to that. Don't know if anybody else wants to a lot of times is what we hack is, well, no one could that and someone could. No one would hack that. In this case, I think we've that. Ed so or a little bit flipped that. Has been the Research Done if you go up to Princeton, up es a voting computer there running Pac-Man. Which is a game from the 90s. The Security Research community a long time that have computers are lots of Security Issues with them. The threat model has usually been just to keep those things unconnected, disconnected in the much, much ing it harder. We did a panel last October on hacking the election system, hacking the electoral process. And what we found is I don't the government has said but it would take a high number of resources to do anything like that but we're starting to see indicators that certainly a lot of people are now paying attention in the to some of the potential hacking attempts of and of the voting systems election systems globally. Hacking village I think they had, like, 26 or 30 all of them were hacked. One of them, only one of them actually hacked remotely though. Most of them had to be taken apart. Something plugged in. Physical access to the device. Comfort but it's small comfort. Sounds like someone would notice that. Yeah.
Elections are also very closely monitored and people look at results very closely especially organizations like the Associated Press so if widespread irregularities, Something Like that would be noticed. At a local level I'm not sure in it would stick out that much but nationally, a large number of votes changed that were not be, I have to think somebody would notice that. And there's technical steps that place in order to them the ability to hack unnoticeably. Increase the amount of effort that it would take. Audit trails that can be printed out. Right. So we've got time for probably questions. More yes? Be here for a reception afterwards if you want to hit us up then. Taking questions. Black Hat the first DEF CON under the Trump administration. Sense of howe us a some of the activities and policies from President Trump played out there? No impact. Other than, you know, maybe some hallway, I in the don't think the activity has changed at all because of who president. There were some people who were not there though. Visas, people were denied some of the speakers were denied country. Come to the here were also some Security Researchers who chose to stay away. Had a Chilling Effect on coming in. Researchers that goes to your hackers comment earlier. There were some actually some the e who ran part of events and chose not to run to e events this year and stay away. Partially for fear of being turned away at the border but just out of y protest against what they see as policy. R so it didn't have a huge impact but it did keep several people away. I think other than the travel issues I mean, it's not something that we go to DEF CON it's, like, oh, the policies are good or bad. It was regardless of the president. It was interesting to me how general, I mean, you all policy ce more of the discussions than I did but even what was discussed in terms of policy, there was very little to politics which was so refreshing. Citizen interested in this issue.
There seemed to be a consensus the panel that new products coming online in the Internet of Things are simply are that ing the failures occurred in software written manyftware ago. S secondarily as a citizen, what should the ampling person know about how secure they actually are and what to do about some action can be taken by that gets in the way of innovation, which is what everyone is afraid of. But preserves trust in the markets to be able to grow in a sustainable way, and avoid the catastrophic impact that might, et GDP, National Security trust in government and those types of things. There is probably not enough time on the panel to have an in-depth conversation about that. With we can send out links some of our work that we have done. Wendy? I brought one of my badges with me. It was from the contest he mentioned. He might also have some electronic badges. They are a big part of hacking at the conference. Fiddle around with things. I was wondering if you could show badges and how those informed hacker play at the conferences. I am glad you asked. I did bring a bunch of badges. I went overboard this year. The electronic badges are things that are made to be hacked. They are puzzles and easter eggs and cool, fun things. While we get those up, let's get some history. DEF CON has paper badges like everyone else. But hackers being hackers, they went to Kinko's and copy. Has become a battle between the organizers of the conference and those who get in for free. That is where it came from. That is how I got started. It got started. Usually there are contests associated with the badge when you can hack the badge and find hidden messages in the code. They create their own badges, or create a badge just to have a badge. It was a big thing this year. This is for the people running the event, like goons or DEF CON staff. Then there were custom badges. Some of them had specific badges. This is another. It is pretty cool, has a radio antenna on it.
It has a knob you can dial in. There was a badge for the Bio Hacking Village. This is actually a live yeast culture. Yeast to grow your own make bread or beer. And there was one with a vial full of white powder, so a response had to be taken. There are other unaffiliated badges. And some are running around selling them unannounced on Twitter. What might be like a food truck, people rush to them. It is like Hunter S. Thompson crossed with Bender from Futurama. To hack also try someone's badge with Bluetooth. I was not very good, so I kept getting hacked. This is one of the legendary badges, Mr. Robot. I got it in a raffle. The creators of Mr. Robot were not at all involved in the badge creation. There is a copyright and trademark issue. Just to provide some comparison, those are the DEF CON badges. The Las Vegas badge do you have yours? I brought the two that I have because I had a feeling this might come up. Unfortunately, I left them in the other room. I will go grab them. The Las Vegas badge was a poker chip. There was a Hawaii, tiki theme. Another had a black ribbon and said press. Speaking of Mr. Robot, I did get to hang out with Christian Slater. That was pretty big. 2500 for a Black Hat and you get a paper badge. It was like 200 something for DEF CON. When it is an electronic badge it is really fun. I think that is a wrap thank you all for coming. We will be available after the panel for a bit. You can find us on Twitter. Thank you. [applause] [Captions Copyright National Cable Satellite Corp. 2017] [Captioning performed by the National Captioning Institute, which is responsible for its caption content and accuracy. Visit ncicap.org] A look at the Senate where they just confirmed Marvin Kaplan at the National Relations Board. A term ending in 2020. On the other side of the Capitol, the House is in recess for the month of August. Some members are meeting with constituents.
Josh Stockhammer represents New Jersey's fifth district, it tweeting today and, Republican Bradley Burns said it, took a quick tour of a Seafood Restaurant after our business after our meeting. A true family business. Sunday, American educator, Tea Party activist, is our guest. For different reasons, everyone has an idea that the federal government is out of control. Get, most asked question I, what do you suppose that is? What do we do about it? If we had been teaching the Constitution properly for the years, we would know what to do. She is the author of several books, including a central stories for junior patriots. Our live, three-hour conversation we will be taking your tweets and email questions. It is live from noon until 3:00 p.m. on Book TV on C-SPAN2. Now joining us on The Communicators is the founder of Black Hat, Jeff Moss. How and why did Black Hat begin? Jeff: It began more than 20 years ago. I operate a convention, DEF CON, the World's Largest hacking convention
