I have been running that for a couple of years. There was a time when there were no jobs in information security for any of us. The only people doing security were maybe people in the military and banks. So this is really a hobby. As the internet grew and people are putting things online and there is money at risk, all of a sudden hackers started getting jobs doing security. I kept getting emails from people telling me, "Give me an announcement to DEF CON to make it sound professional. I have to convince my boss to send me to DEF CON for my job." I was rewriting our announcements to make them sound corporate and more professional. One of my friends said, "You know what, throw a real conference. Charge real money. Make it a professional conference." I thought it was brilliant. But I did not have the money at the time; I was too young. For a year, iney took a loan out and then I started Black Hat a year later. Every year it has grown for 20 years.

Host: What is the difference between Black Hat and DEF CON?

Jeff: It is how I made my living. You have an infosec job. You are working for General Electric or Microsoft. You need to learn something you can apply hands-on right away. Where the rubber meets the road: I learned a new attack, and I'm going to go home Monday and defend my company against it. It's very practical but focused on enterprise. With DEF CON, it is the sense of discovery, learning something new, picking locks. Your corporate job is going to teach you how to pick locks. Hardware hacking, car hacking. Conspiracy theories. Everything that helps you learn how to learn. A friend brought up that DEF CON is teaching a next generation of hackers how to think. In the field there is a mentality, the mindset of how to hack, which is a skill set. And in the skill. Then there are the professional hackers. I liken this to an artist. You create when you want to. Or a professional artist, working for a company. You have to be creative day after day.
DEF CON is all about the people who want to be creative when they want to be creative. Black Hat is the transition to a day job. Now I have to be professionally creative. So I want to do Black Hat so I can keep up with the skills I need for my job. But I'm going to go to DEF CON, because that is where my creative energy comes from. These two have existed symbiotically, so well together. They are different. But the people generally started in one and migrated to the other.

Host: Is there a little bit of subversiveness of DEF CON?

Jeff: Oh, yes. There has to be. That is part of the anti-authoritarian. In the early days, even to this day, a lot of what hackers are told is, "You can't do that. That is not possible. We don't believe you. The voting machines are secure." It takes a certain amount of rebellious nature to say, "No, I think I can break into the voting machines. I think your cell phone network really does have some problems." It just turns out the people who are good at speaking truth to power tend to be a little bit rebellious. The other thing to realize is, companies are not telling you what the problems are. The government is not telling you what the problems are. The criminals for sure are not telling you how they are breaking in. It comes down to hackers and academics to tell you what is possible. When a hacker started messing remotely with an implantable, the manufacturer said, "That is not possible." Only when the hacker demonstrated it at a distance did the manufacturer say, "OK, we will listen to you." Subversive that he was messing around with technology that could have a negative impact, or is that a public good? Now consumers know: do not buy that model. And it put the FDA on notice that they should really be testing for these things. There is a generation of medical devices that are not safe. Maybe the FDA doesn't like it. But maybe they are not doing their job as well as they could.
You never make anybody happy when you point out problems. But a lot of times, since they are not doing this professionally but creatively, they don't care. They are doing it because it is there and they want to prove a point.

Host: Where did the names come from?

Jeff: People get Black Hat confused. It is not that we are black hat criminals; it is the Black Hat Briefings. The idea was, we are telling you what the black hats are doing and how to prepare. It turns out that all hackers and academics are sort of a crystal ball. You would talk to your friends, your hackers, and say, "What are you working on?" "I found this little edge case with routing." It turns out, if it is interesting to them, it is a problem six or nine months in the future for everybody else. They are the canary in the coal mine, looking at technologies. Years ago, saying the internet of things was going to be a problem. Now it is a problem. Companies who wanted to get a head start looking at future problems, or maybe there is a new product, maybe we should learn what the hackers say the problem is. People, for different reasons. Now we are seeing more and more government appearances. Regulators, law enforcement. The same sort of purpose. They are trying to figure out what is coming next. For DEF CON, it was originally meant to be a party. Everything was online, bulletin boards; there was no internet or IRC. It was meant to put a face to a name. There was so much misinformation in the early days. There was no sense of a factual well where you could learn the truth. There was no Amazon or Google, so everything was word of mouth. There was so much misinformation. "If I put a disclaimer on my bulletin board that said no undercover police officers are allowed, it is entrapment if they sign in." We would think, "That doesn't make sense. That doesn't sound right." The first DEF CON we had a prosecutor come and speak.
And then we had a lawyer talk about, what are the liabilities if you are trained through virtual reality, but you are taught a mistake? And then in reality, you exercise the mistake. Who is liable? Your employer for not training you right? The VR manufacturer? We were looking at these issues a long time ago. It became known as DEF CON. One, I am from Seattle. My favorite movie, WarGames. The main character is from Seattle. In that movie DEFCON plays a big role. Also, in the early days, I was a phone phreaker. The number three key on your telephone is the DEF key. I was living with a hip-hop producer. He was producing a lot of rap. One day I am talking about this hacker convention. desy says, "That sounds def." It all came together perfectly. DEF CON.

Host: What is a phone phreaker?

In the early days there were hackers and phreakers. The hackers would exploit the telephone network. The best examples: Steve Wozniak, Steve Jobs, Bill Gates, these people who produced blue boxes that would allow you to place free phone calls and explore the phone network. Day, the phone network was the largest network in the world and connected the whole planet. If you wanted to explore, you are basically a phone phreaker, exploring that network. Crackers specialized in movie copy protection. If you bought a game and could not share with your friend, crackers learned how the game was protected, reverse engineered the protection mechanisms and then got around them. Copy protection. So, that was the three main communities. They each had a different interest. Telecommunications, software and protection. Now, that line is completely blurred. As time went on and criminals entered, now there was money. It was not just a game or the joy of exploration and discovery; it became money. Criminals came in and borrowed techniques from wherever they could. They tried to recruit hackers in the 1990s and early 2000s. Now,
Criminals send people to college and university. They make a lot of money from these malware campaigns. They payroll money, have giant research and development budgets. Don't need the hacking community anymore. They do not leech off of us anymore. We are trying to figure out what they are doing. They are doing this as a full-time moneymaking enterprise and they put in a lot of resources. I think what is going on now is, the press did not know how to explain the criminal use of technology. They borrowed the term hacker, which was really describing a skill set, and then used that to describe criminals using computers. Instead of saying the computer criminals broke into the bank, they said the hackers broke into the bank. That caused the schism. Good hackers would still refer to ourselves as hackers. To the outside world, we were security professionals. It was too confusing to have this long discussion about the morals and ethics about what a hacker is and isn't. I tried to say it is a skill set to be used for good or bad, just like you can have a criminal plumber, or a great plumber. The skill set is the hacking. The motivation is what differs.

Host: Is that what you get into, the white hat hackers and the black hat hackers?

Jeff: That was attempting to describe motivation. Criminal hackers were going to be called spiders. Then the World Wide Web got invented. We can't have spiders and web; we are going to call them crackers. The cracking community was like, "No, that is us over here. We are not criminals. We are not breaking into things like that." So, then it became colors of your hats, like old westerns. You could tell who the good guys were by the color of their hats. That is how it came about. Now, you are an ethical hacker. It is really muddied. I just stick with criminal and not criminal.

Host: Who attends this? How many?

Jeff: Black Hat, hard to say. Probably around 15,000 people. It is a long program.
There is training over the weekends and then the main conference. Some people come just for training, some people come just for the conference. Some people come for the whole week. DEF CON, we are about 25,000. Pretty big. It is interesting. For Black Hat, you preregister. It is a corporate experience, pretty expensive. DEF CON, it is all cash, pay at the door. There are no records, nothing to seize, no credit card records to subpoena. It is optimized for speed of registering people and not being an attractive target for law enforcement.

Jeff Moss, when we told people at C-SPAN we were coming out here, "Turn off your phone, don't use a money machine, avoid anything electronic when you are down there." Is that true?

Jeff: To some extent that is the myth. The myth is that it is hostile. You have to remember now, it is pretty hostile everywhere. It used to be hostile just during DEF CON and Black Hat. Now, every airport seems to have a fake cell tower operating, fake wifi. If you're going to steal somebody's login, why not at the business lounge? That is where high-value targets are. If you monitor your wifi signals while you're traveling, you will see all these fake base stations. The Amtrak station at D.C. has a fake cell tower. This is the way that it is. If you are a criminal and you can build a backpack to intercept information and leave it plugged in, that is so much more low risk than trying to rob a bank. Of course bad guys will try to do that. You have hackers who want to test things out. They know it is a free-for-all. Free-for-all here in Vegas this week. There will be people trying to detect the towers. There will be law enforcement trying to detect the people detecting the towers. And you will have intelligence chasing them around. One year, we had a film documentary crew from France. It turned out they were legion, actually intelligence trying to identify who the people are they cared about.
Then, we had our own intelligence and found out later we were following around their intelligence. I'm sure there was another. There are so many layers that I have learned not to be surprised by anything. But it is a fascinating glimpse of behind the curtain. How does technology work behind the curtain? How do the governments work behind the curtain? What do other governments do? Once, at DEF CON, somebody came up to me at the end of the convention and said, "I want to introduce myself. I'm with the Defense Intelligence Agency." "What are you doing here? Aren't you supposed to count typewriters in Europe or how many car batteries, monitor the cost of the Soviet Union? What are you doing here at a hacking conference?" He said, "I'm trying to figure out if other countries are trying to recruit our hackers." "That sounds important, but how? There's a room with 500 people in it. Upn be in the middle of all those conversations. How do you know who is trying to do what?" "What I do, I lean against this wall and watch for other people watching and pay attention to the watchers." Fascinating. So, every year I love learning a little more about how the world works.

Host: A couple years ago you had the head of the NSA, Michael Rogers, out here.

Jeff: No, the director before him. Keith Alexander. That was fascinating. It was years in the making.

Host: It took you years to get him out here?

Jeff: Not him, but that position. We have gotten people from the DoD. We have gotten a lot of other people. Never the director of the NSA. It happened that it was right before the Snowden revelation. It was at the very peak of goodwill between the hacking community and law enforcement. After that it has been downhill.

Host: Why?

Jeff: A couple of reasons. One was there was a sense that we were all working together. Then we were all trying to make the world a better place, trying to protect networks, figure out what the bad guys are doing, have fun while we were doing it.
The intelligence folks had a bit of the mystique, but we knew they were using the same technology we were using. It was not alien technology. They were just using it differently. We could relate. We have the same sort of problem in setting up and managing the technology. Over the years, whether it was DHS or FBI, NCIS, they were genuinely interested in what the hackers were doing and we were interested in what they were doing. We were sort of becoming friends. After the Snowden revelations, there was a lot of, "Hmm, you never let on you are monitoring the citizens so severely." The hackers, security people felt it was too extreme. Whether it was because of government oversight lacking, maybe it is not their fault. Maybe it was the oversight's fault. A lot of people felt like trust was betrayed. A guy was telling you something in confidence and it ended up here. "That is not why I told you about this bug. I told you about this bug to protect government systems, not to do something else." There is a huge cooling-off. That next year I asked the feds to please don't show up. Not that they were welcome. But there was going to be drama if they showed up publicly. There were a lot of angry people. I didn't want people throwing water, screaming, fighting. I didn't want to have a scene. Tensions were really hot back then. Since then things have cooled down. Intelligence agencies are trying to engage like they used to. The FCC, the FTC, we get some people from DHS trying to do some stuff on smuggling. We get the good parts, the noncontroversial parts. Trying to stop robodialing, make home routers more secure. Things everybody can identify with. I think DHS was talking about US-CERT and outreach to companies. How do we build information sharing networks to stop what bad guys are doing? We will get behind that. It will be a while before intelligence agencies are going to convince hackers that they are not impartial, but they have all their cards on the table.
That is just the way it is. It is funny, some intelligence people said, "It is better this way. We preferred the gray areas. It was getting too much light on us." I think it will be a pendulum.

Host: Would you like to have Anonymous out here?

Jeff: They are here all the time. Anonymous is anonymous. You do not know who was in there. There are hundreds of anonymous people there. Organized crime people, intelligence people. That is the interesting thing. There is a lot of law enforcement presence from a lot of countries here learning, but there is also a lot of other people here learning. We have academics, writers, people who want to make movies about this. We created this melting pot of like-minded people. In the early days, Las Vegas acted as a filter. We are in the middle of anything, like San Francisco or New York City. You have to get on an airplane and fly to Vegas in the summer. It was a natural filter. You only came here if you were really interested. You didn't just hop on a train and come down from D.C. to New York. So we had really good formative years of people who cared about this. That became the core for the conventions now. Now, a lot more people come. Now it's seen as, a lot of people, professionally they sort of have to come because it's such a big event. I remember when I went from just network security people to telecom. And then it went, you know, marketers had to show up because their customers were here, and it just kept growing and growing. But at its core are these and tackers trying to figure out how the technology do about it. T to I think as long as you can keep that, the heart of the beating. Es will keep.

Are you glad it's growing?

Yes. I hate the growth but growth. It's both. I'm very conflicted over it. Started DEF CON, there were about two other hacking conferences that I knew the United States and they were invite only.
And I wasn't invited, or I could but I couldn't get there because it was in Atlanta and I was too young and wasn't traveling to Atlanta. Decided, well, if I'm doing a conference, it's going to be open to everybody. Not invite only. And that immediately led to a bunch of problems. It's invite only and you're not taking registration, how many people will show up? Know. How do you plan for something when you don't know how many people are going to show up? It out. D of work well, if you don't know who's to prevent what's 100 law enforcement people from showing up or 100 clowns from showing up. Control the t demographic. But on the other hand, like I said, well, they're interested, to show up, so addition and be an add, contribute. That's how it worked out. People the first year and 25,000 this year.

The conference has changed will say.

It has. It's bigger but it's also changing the demographic. More women are involved. More artists involved. Are involved. S more large enterprise. In the early days we were on two or three technologies. Now there's probably 100 technologies. Couldn't get there without the growth, and there's some hacking conferences that invite only and they stay small and elite social networking talks, and there's a place for that. But consciously when I started, wasn't going to be that elitist. I was going to let anybody show up. So I have to live with the consequences. Really a fork in the road. Keep an ttendance or open door policy.

When did you start hacking?

When I was 12 or 13. Maybe. Define about how you hacking. I didn't think I was a hacking back then until probably about or 15. But in hindsight, I probably was. Copying games. Reverse engineering protection. With my computer in the truest sense of the word hacking. In the computer protections but more about overclocking your make it go faster, trying to get more out of your little IBM PC.
And then later on in life, I was more into phone phreaking and I met hackers. Actually, I caught a hacker breaking into my bulletin board system, and when I caught him, I was, like, "I don't know what you're doing but you're doing something." [laughter] And he said, "OK, yeah, you caught me. Here, I'll explain what I'm doing," and then it started this relationship. "This is how I'm getting around your protections. I'm doing this and I change the program to do that." And as soon as it was explained to me in that simple way, it turned on a light bulb and it was, like, of course you can do that. Why had I never thought you could get around my limits by lying to the system, by changing one number and then uploading it? Of course you can do that. And that made me immediately athis changed. There was before that moment and after that moment. Before, technology just kind of worked and everything was beautiful, and after that, of, like, question every assumption because computers are clearly not doing what I thought they were doing.

Ever get in trouble?

No. Never got in trouble. But you have to remember, back then, there was almost no laws against any hacking. So completely different than today. Today I'm worried about the current generation because there are federal sentencing minimums, sentencing guidelines. I mean, you could run and run some automated tools and get more jail time than you would driving drunk and someone. I mean, the sentencing guidelines are crazy. This sometimes where people say, "I want to uring Anonymous, I want to participate in civil disobedience," and then that guy gets arrested. Felony conviction now. And he's in jail for a number of years. So his future employment options are pretty much destroyed. His life is over for with an online DoS that maybe lasted 30 minutes. Saying that's right or legal or should be legal. I'm just saying the punishment is completely disproportional to the harm. So that disproportionality did kid.
Exist when I was a one because there wasn't really anything online that you could harm. There wasn't a bank online. Also the mentality in the early days was really look, don't touch. You can listen in to people's phone calls, whatever you hear wirelessly, that's legal, but if you act on it, then it becomes illegal. This is actually in the FCC law. So if you hear somebody say, "I'm leaving my house and the cash on the counter," and then you go to their house and steal the cash, additional crime that you learned about and acted on it. But if you just listened to it, the early. So that. Ethos came from just explore. Don't touch. So I think some of the old hackers still think that way, and the problem is the CFAA, fraud and abuse act, now it really treats just looking as a crime. But with some really bizarre ts because that law was created, I think, in maybe the early 90s. So it's all predicated on this concept of permission. So if you run a bulletin board, you're permitting me to log in, but you're not permitting me, you're not giving me permission to try to break in. But if you read that law, any time you connect to a website, you're not getting permission; technically, we're violating every time we browse the web. It's silly, but if you read the law, this is what tripped up Aaron Swartz, you know, his downloading of legal documents had permission to download. They just claimed that, "We didn't give you permission to download all of them. We meant only to let you a little at a time." He took that permission to mean everything and download it, and that's when he was charged and the prosecutor was going to give him the federal maximum. Eventually he committed suicide that. Downloading a lot of documents, sentencing so these problems they're still working community.
A society and these changes in technologies are what's forcing lot of the d a people that are forcing the issue intentionally or people ionally are the at these conferences because they're at the forefront pushing the technology and seeing what it's capable of. So a lot of times, you run into a way that the law never intended.

So, Jeff Moss, besides yourself on the convention floor, who else will be a rock folks?

The I don't like the term rock star. Of people as a community I think we've done a really good job of trying to generation. Ext and there are some rock stars, you know, that love to put on a show. One of the greatest was Barnaby Jack, that passed away a few years ago. Hacking an ATM machine on stage and made it out on stage. And this is of course when the ATM makers were saying, "That's not possible." So if he's going to show them that it's possible, he's going to do in the most spectacular way. And it was just a celebration of, he spent nine months, his whole living room was full of machines, figuring out how they work. Took him almost a year of hard culminated on stage in 40 minutes. So you get a lot of that. Like, "I've been working on this for two careers and I'm going to give my talk here and it's all going to come out in minutes. You know, my years of effort have been." So that's why when you see what stage, you have to respect all this work that's been done before and all the other people that made it possible. Everybody here is standing on the shoulders of giants. People who have done the by bit by bit. Nobody here really just invented it. Like a musician, you know, you're always on the shoulders of those before you. I would say there are some people that are more famous than others because their hacks have been more widespread. Like Charlie Miller or Chris Valasek, famous for hacking smart cars. Spectacular fashion. I remember him trying to get warranty service on his car, disassembling the whole dashboard. "What happened to this car?" "Nothing." You know.
So there's a lot of and a lot getting are really nvolved, and I find that is the most interesting because as a tech community, and a hacking community, we're just not good bringing in other ethnicities and genders for a number of reasons. Mean, I think about 11 of the attendees are women. That's a little higher than the industry but a lot lower than many other industries. And when you think about why is security, in the field, you're pretty much on call 24 hours a day. Goes wrong, you're generally to blame. And if you're doing defense in security, you don't get a reward when you kept the hacker out because you don't know when you hacker out. So it's almost sort of thankless. It's like trying to prove a negative. Where if you're a salesperson, you immediately know when you made a sale. Is instant and the company is happy because you just sold more product. Where in security, you don't get that kind of feedback, and so I of people whenot you're in college and you're do you want to you ecurity maybe but if really delve interest it the first few years are brutal sometimes a thankless job.

What threats are here today that weren't here five, ten years ago?

New ve so a lot of threats. And it reflects the amount of technology that we're just bringing into our homes. Three years ago, I didn't have worry about the FBI or a bad dialogueg to access my with my Siri or Alexa. Now the FBI is subpoenaing Alexa conversations. That's a way of life. Technology is also now potentially your spy. Maybe not the FBI but maybe a bad divorce lawsuit, and maybe, you know, your wife or husband subpoenas the documents for discovery to try to prove that you're cheating or something. The technology was there for but that's what for. Going to be used so we have gotten these smart detectors own smart thermostats and toasters. Kay. When was the last time you updated your cellphone or bought a new cellphone? Probably, I'm guessing, the last two years. When was the last time you updated your smoke detector? Probably never.
So these devices are going to be in our house for five or ten years. Not going to be updated. They're going to be insecure. They're going to be connected to the internet. So what we're seeing is just the tidal wave of insecure pervasive technology times the cost of replacing, changing out the smoke detector is greater than cost of the smoke detector. Just the physical labor involved and deploying and tracking them. So that's where we're going. Where we are now is that we have of risks that we don't understand. We don't accept the because we don't understand them. Smart car that's giving telemetry. Go to Ford and ask, "What information about me are you sharing with advertisers?" They're not going to tell you that. Of risks whether it's personal or against a financial or behavioral or you're being almost a a bubble perfect marketing bubble. If technology keeps going this way, ll see the articles that you kind of want to see. Songs that he radio you like but you're really never going to be exposed to anything new. That targeted advertisement in the mail you get is targeted based on your behaviors and find yourselves slowly being put into a bubble of your your oosing based on behaviors. Behaviors of the people you talk to. You know, the famous examples of talk about "I wish I could go to Hawaii" and next thing you know you're getting advertisements about cheap a Hawaii. To you leave your wifi on your phone, you go to the supermarket, they track that. They know everywhere you've been supermarket. How long you stood in front of the Pringles. They're trying to determine need to change the line everybody goes to the aisle but nobody buys. Let's adjust the product on the aisle. Thing you know you're a Pringles buyer and they share it and ts monetized again again. And this is all initially for legitimate purposes. Less food waste in the supermarket. Tend the profile they build about you is amazing. So that is what's happening in background that we don't even realize is occurring.
A lot of times maybe we should just talk about that. Have a conversation about it. Just happening to us. And I think that's another hat's going to present itself in some really bizarre way ten years from now. Imagine a presidential election years in the future where all of this demographic information the ailable about candidates. If you think about it now, you were malicious and you happened to work at Uber, maybe, access to Uber data, you could probably tell where ll your senators and representatives, where they were all driving to, and figure out drivinge lobbyists were to, and figure out who was meeting with who where and when is you could figure out who wife and wherese just on cellphone data and Uber. Uncover a lot of fingerprint meetings that are eetings that are not supposed to be uncovered, and nobody realizes this. And it's, there's a tradeoff, I guess. Hackers are maybe more conscious tradeoff but there's a and off between usability onvenience and privacy and security. When you do something risky online and it comes to bite you the ass, it's impossible for you to tell what the bad was because maybe your credit score is now down a little bit. Maybe your credit card has been stolen. But was that from something I did last week, last month, last year? Like, what was the actual bad behavior that harmed me? You can't figure it out. You can never create this loop, unlike when you're driving, steering wheel shakes and you realize you need to slow down. How do you make an informed decision in it's tough.

How do you personally protect in your own devices?

I'm a big believer in simplification. Many apps t have installed.

Do you use Uber?

No.

Because of the tracking?

Yeah. Need to track me when I'm not using their calling for a car? You know. Apple has been making good allowing apps not to geolocate you when you're maybe ning the app, so when these protections are put in I'll start using more apps.
I like LinkedIn; doesn't mean I want them to track everywhere I go and tell I'm near another LinkedIn user. That's a big change. Stopped using it. Or I just use it from my PC. Mobile device. And that's inconvenient but I've decided to make that tradeoff. I don't need everywhere I go recorded and sold and monetized. It is a pain. But I'm getting a little bit less of a footprint. Not getting the big bubble created around me. I'm not getting the targeted tising because I block all the ads that I can. Sometimes that means there are certain websites I can't go to. Like, I can't go to Fox News anonymously because they block anonymous browser. So I go to the other sites that allow me to browse anonymously. So I am missing out a little bit but I think I'm getting more out it than I'm losing in the bargain.

Do you use wifi?

I also use my own VPN over the wifi so I'm not wifi. G the hotels. To me it's just an on-ramp and then I use my own networking to trusted systems. So you might have noticed a huge saying theyrele uying VPN services. With this net neutrality deregulation coming up, a lot of ISPs, or not legally now they'll be in a much better position if they want to watch your traffic, see what you're doing, and then inject advertising into the web pages you go to or just passively the websites you go to and then sell that as marketing nfks. So now you're at home browsing your favorite sports team and you know you're getting sports advertising. You're, like, "I didn't tell team but liked that." Maybe your ISP knows. Never mind you're paying them month, they're trying to 0.30 off of you.

No. Would they be the types of people you would want to have on?

We keep thinking about inviting them, but I don't think so. Reasons. One, stealing a bunch of secrets releasing them doesn't make you a hacker. A lot of people can steal things and release them to the press and that doesn't make you a hacker.
Might be interesting ill and itely buy you a beer listen to your stories but that doesnt mean what are you tell the hackers? And then i used a photocopier and then the press. Figured that out. What the ar spoken to every venue they could possibly speak at. World famous. Not going to reveal anything new. So, you know, theres a lot of really, you know, that feel that was a trust. Ion of here are other avenues of revealing what snowden could reveal but he didnt. Super controversial. Technically. So giving the stage to somebody else thats doing something. Moss, often at a convention, one or two themes tend to emerge. Yeah. On the attended communicator ces several times be a theme ems to sometimes. Were hearing the term social engineering, liability. Are there themes developing at this early stage? Yeah. So i think youre right about liability. Ive been speaking about liability for years. And i try to couch it like this have a car, smart car, and something goes wrong with the software and you crash, liability. Tesla or whoever will be liable. Database make a big piece of software and its in a server room and crashes and you of dollars in your company, theres no liability. So whats the difference? Center on wheels. One is sitting stationary. Liability. The other doesnt. Tesla doesnt get a pass because they have a person in the vehicle but at the data that is on lives. Server is affecting so to say that one gets no liability and one does, that doesnt make sense. So i think what youre going to see is a lot of pressure from using software that have liability to make the whole industry have some sort of liability. And the other thing is with internet of things, as soon as a house ter burns down and kills someone, theres going to be liability. Well, ow, you could say, the only thing running software is my game console, phone, tv. Its running in your whole house and something goes going to be or cting not technologists consumers. 
Verage i think youre going to get liability that way. And the industry has been and resisting and resisting and if eh this dont its going to be like every other industry. The government will come and fix it for you. Were in this period i think of the next five or ten years if a industry cant figure out way of warranties or guarantees or some sort of liability protections, if they dont figure it out, the government is do it and me and youre not going to like the results. Im not going to like the results. Theres no other avenue. Software is going to be so critical to the country that theyre not going to let there be in liability. Companies come here and recruit? Extensive recruiting. Recruits here. People come here looking to change their jobs. Always looking for a new challenge. Tend to find people stick in their jobs for three to four new and then look for green fields. I would say especially if they want to do something new. A lot of smart car companies, space is getting really interesting. People are trying to get to spacex or blue origin or some of companies. R its just theres always something new going on. Devices. Ned medical theres a lot of action in that area. Then you also have these sort of boxes, these algorithms trying to base your when youre driving. Theyre trying to figure out ways insurance companies are to ng to figure out ways create new tables to save money on insurance and they have all you. New data about and so its just a really innovative time whether you like were in the golden age of data and its going to impact everything about us. You asked an earlier question themes. Another theme that i didnt think would be so popular is hacking a voting machine village at defcon this year. I couple of years ago started a village called the village. Ident the idea was you know on movies, its in the evidence folder. Thinking youve got to be able to get around the evidence folder. Someone has to tamper with that. 
Meter, the tricity grommet, how hard is it to get around that stuff? Some of now but i bet these hackers do. How doarted a village on you defeat evidence, get past and eals, get past nobody was doing that before. Common thing and theres a whole body of defeating round tamper evident stickers and seals and tapes. Been sure people have beating voting machines up because you can find them on ebay and people have been them since bush gore. I looked around and couldnt find any information. Hackers have not been beating on these things. Academics have a few publications but theres just nothing really known so its, like, well, i dont know anything about these either but i can buy some on ebay, hackers, and figure it out. So this year we have all these we have county commissioners and election dhs, ials, people from weve got its just turned assembly of anybody remotely interested. The more you learn about them, scarier it becomes. So theres a little bit of excitement in that area just because it wasnt done last year and its new this year. You have a ba degree in criminal justice from gonzaga. Yeah. From the first graduating class in criminal justice there. An ought i was going to be fbi agent because in high school, you know how they have career day and people come in to school and talk? We were getting speakers and an this ent came in and told incredible story about chasing bad guys that was just an and when i saw that, i was, like, thats what i want to do. Better at t know any the time and i went to college and then i took a bunch of computer science classes. Really knew what i enjoyed do but i sociology, psychology, and justice classes. So i graduated in the federal the clinton in administration. The only law enforcement hiring at the time was the fbi. Perfect. Up on a typewriter my application and sent it in and crickets. Nothing. So i call them up and say we that. Can you file that again? 
I was thinking this is some secret way where theyre going results from my first application to my second one. Typed it up. Send it in again. About a week later, two weeks call. , i get a this is special agent in charge murphy. Special agent o murphy. What is your vision? Thats not good enough, sorry. Ok, sorry, goodbye. And that was it. Out of the fbi. No chance to have a career and fbi. Bi coulds in the he made that up, he did not want to process your paperwork. You shouldve caught on to that because of the first time it was lost. These insider tricks of bureaucracy but i bet if you apply to the office in seattle you what event fine, but since you apply to the one in spokane they did not want to deal with your paperwork. My whole life, just right there, one little decision.
Host where did you grow up?
Mr. Moss the bay area.
Host were your parents in tech?
Mr. Moss no, teachers. Im the only business person. Everyone else is an academic. I have the weird business stories.
Host how many hours a day do you spend in front of a screen? And do you do laptop?
Mr. Moss i do everything. Iu find, i found in tech as progressed in my career, i do more advisory work. I do less handson, just the nature. And so, for me, to stay connected, to feel i am not disconnected from life hacking roots, i maintain all the defcon servers and update all the systems and provision everything. Time spend a fair bit of defending our network from are the people attacking it. That gives me enjoyment and it is a huge pain in the ass. But you have to do want to stay current. So, i spend a fair amount of time in front of screens on morers and i spend im mobile now than on my laptop kly,use emails i can do quic but when youre working on servicing you five screens and a lot of screen real estate. So
Host has black hat been hacked? That be a badge of honor?
Mr. Moss defcon was hacked couple of times. 
I was hosting it with a friend, another buddy, saved up his exploit, saved it for nine months, waited till the websiteon to deface the that was being hosted by a friend server that did not have the right update. They made a dedalal. A tongue in cheek fun thing. Over. At is when i took ever since then i ran our own servers. As far as i know, we have not been broken into. And that is when i decided im not going to let anybody else run this stuff.
Host does this world make you paranoid? In a sense, this type of thing?
Mr. Moss i would not say paranoid because everything is sort of based on fact. The problem, whats the saying? It is not paranoid if people are out to get you. Yesterday i tweeted somebody is is he trying to break into my twitter account and i kept getting all these text messages saying here is your new twitter reset. Whoever is trying to break into my twitter account, please stop. I need my twitter account for the next week or so. Maybe afterward but cut it out. And they stopped. And so, yeah, you just dont call it paranoia if they are really after you. I think the paranoid comes in when people ascribe too much importance maybe to what they are doing. Tg toa is n oot goint task a 50 million satellite to folly to the supermarket when the local cop can follow you there. Criminal, dong a not be surprised if law enforcement is after you. It does not mean this cia is mobilizing the whole division to come after you. On, is a lot of that going a sense of over importance at times. , situation weird because lets say you are a hacker, and may be doing something in the gray area, something that could be criminal. They are not coming after you. I am not doing anything. Know youre dont not doing anything. Law enforcement only knows youre not do anything till after they have look to you. They do not have a magical presence that person is not doing anything. 
Sometimes people feel like it is unfair they subpoenaed me but look at how you are behaving, look at who your friends were. The only way theyre going to know if you are a bad guy is stir the pot and watch for a reaction. Dont be surprised. That is a lot of how law enforcement in the early days would catch people. They would go in, stir the pot, bust one person and watch what everyone else did and roll everybody up. It is not rocket science. You see what is going on now in law enforcement where the police had one dark market infiltration. They busted another one and watch everyone migrate to the one they controlled now. Gathered all the peoples information. Just basic law enforcement tactics. I dont know where i got off on route. That maybe the paranoid question.
Host do you presume that everything you put out there and everything on your phone is public?
Mr. Moss you have to, i think. I take a lot of precautions to make sure, i protected as best not quite tom be surprised if one of my conversations comes back at me, even though i think it is perspective. I had a ceo, i was a chief security officer for a while and it was a pretty high profile job. Was targeted. So i remember talking to him about that, understand how was he thinking about this. He said, every time i am writing email im writing for three audiences. Im writing for who im sending email to, im writing to the foreign nation states that are spying on me and writing for the congressional inquiry if i ever have to testify. You know? Thats the job of the ceo. A highprofile international company.
Host what kind of consulting work did you do at dhs?
Mr. Moss im still involved. On the Homeland Security advisory committee. So, were about 40 of us we advise the secretary on whatever the secretary wants. In the past, it has been on how the department does it accelerate their cyber skills? How do they develop in their workforce? It could be resiliency and government for dhs. 
We did a task force on countering violent extremism and returning foreign fighters, americans who might have left the country and come back in. How do we minimize that? So, really, we just wait for challenges that dhs may be facing and then we figure out schemes that might answer the questions and go ahead and do that. Im also involved in the atlantic council, which is bringing to defcon this year some of the congressional cyber caucus. Were going to have a bunch of representatives. That will be really cool. Really cool. Because of the weekday and the timing that the caucus can travel out of congressional time. They can only come on the weekend. Involved with the council on Foreign Relations which is fascinating because we are always looking sort of a global governance and where is this going from an international perspective? Its a really fascinating time to be alive. You start off at a party for your friends 25 years ago and now youre advising governments and companies. You could not see that, you cannot make that start up.
Host should there be a data protection agency?
Mr. Moss there should be a national privacy agency, i think. Canada has one. Privacy is not enumerated in the u.s. constitution. It is inferred. Dhs is one of the only agencies that has by law mandated to have a privacy officer. I think that should just be a standard thing. Privacy of the constituents of your workers, of citizens should be a factor in whatever legislation you propose. Its not, you know, i think thats, too bad, because as we see in the internet age, that personal information is really what is of value. Uber makes almost as much money selling demographic data on its riders as it does selling rides. Its tremendously valuable.
Host jeff moss is the founder and creator of blackhat and he has been our guest on the communicators.
[captions Copyright National cable satellite corp. 
2017] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. Visit ncicap.org]
hoping to get transportation in 2001 because my background is in trade and transportation. I was a transportation banker for a number of years for both citicorp and the bank of america. And i had worked for transportation companies. So, my whole background was actually in transportation. So its nice to be able to return to a field in which i had worked previously. And its nice to be able to be back in a Department Im very familiar.
Watch our interview with elaine chao, secretary of transportation in the Trump Administration friday at 8 p.m. eastern on cspan, cspan radio app and cspan.org.
President trump signed a bill imposing new sanctions on russia. He called the bill seriously flawed. Primarily because it limits his ability to negotiate sanctions without congressional approval. The measure also imposes sanctions against north korea and iran for those countries nuclear weapons programs and requires congressional review for any action the administration might take to lift sanctions. Speaker paul ryan tweeted the u.s. just sent a powerful message to iran, russia and north korea. They will be held accountable for their actions. And Senate Democratic leader Chuck Schumer sent a message sanctions bill shows it is possible for both sides to work potuser to rein in when he dares offtrack. Should be a model for the future. Also today, President Trump endorsed a bill to reduce legal immigration targeting the number of green cards that are issued each year. Republican senators tom cotton of arkansas and david perdue of georgia authored the legislation and joined the president at the white house.
President trump thank you very much. It is great to be here to unveil legislation that would be the most significant reform for