I have been running that for a couple of years. There was a time when there were no jobs in information security for any of us. The only people doing security were maybe people in the military and banks. So this is really a hobby. As the internet grew and people are putting things online and there is money at risk, all of a sudden hackers started getting jobs doing security. I kept getting emails of people telling me, give me an announcement to DEF CON to make it sound professional. I have to convince my boss to send me to DEF CON for my job. I was rewriting our announcements to make them sound corporate and more professional. One of my friends said, you know what, throw a real conference. Charge real money. Make it a professional conference. I thought it was brilliant. But I did not have the money at the time; I was too young. For a year, I took a loan out and then I started Black Hat a year later. Every year it has grown for 20 years.

Host: What is the difference between Black Hat and DEF CON?

Jeff: It is how I made my living, you have an info sec job. You are working for General Electric or Microsoft. You need to learn something you can apply hands-on right away. Where the rubber meets the road, I learned a new attack, and I'm going to go home and defend my company against it Monday. It's very practical but focused on enterprise. With DEF CON, it is the sense of discovery, learning something new, picking locks. Your corporate job is going to teach you how to pick locks. Hardware hacking, car hacking. Conspiracy theories. Everything that helps you learn how to learn. A friend brought up, too, that DEF CON is teaching a next generation of hackers how to think. In the field there is a mentality, the mindset of how to hack, which is a skill set. And in the skill. Then there are the professional hackers. I liken this to an artist. You create when you want to. Or a professional artist, working for a company. You have to be creative day after day.
DEF CON is all about the people who want to be creative when they want to be creative. Black Hat is the transition to a day job. Now I have to be professionally creative. So I want to do Black Hat so I can keep up with the skill I need for my job. But I'm going to go to DEF CON, because that is where my creative energy comes from. These two have existed symbiotically, so well together. They are different. But the people generally started in one and migrated to the other.

Host: Is there a little bit of subversiveness to DEF CON?

Jeff: Oh, yes. There has to be. That is part of the anti-authoritarian. In the early days, even to this day, a lot of what hackers are told is, you can't do that, that is not possible. We don't believe you. The voting machines are secure. It takes a certain amount of rebellious nature to say, no, I think I can break into the voting machines. I think your cell phone network really does have some problems. It just turns out the people who are good at speaking truth to power tend to be a little bit rebellious. The other thing to realize is, companies are not telling you what the problems are. The government is not telling you what the problems are. The criminals for sure are not telling you how they are breaking in. It comes down to hackers and academics to tell you what is possible. When a hacker started messing remotely with an implantable, the manufacturer said, that is not possible. Only when the hacker demonstrated it at a distance did the manufacturer say, OK, we will listen to you. Subversive that he was messing around with technology that could have a negative impact, or is that a public good? Now consumers know, do not buy that model. And it put the FDA on notice that they should really be testing for these things. There is a generation of medical devices that are not safe. Maybe the FDA doesn't like it. But maybe they are not doing their job as well as they could.
You never make anybody happy when you point out problems. But a lot of times, since they are not doing this professionally but creatively, they don't care. They are doing it because it is there and they want to prove a point.

Host: Where did the names come from?

Jeff: People get Black Hat confused. It is not that we are black hat criminals, it is the Black Hat Briefings. The idea was, we are telling you what the black hats are doing and how to prepare. It turns out that all hackers and academics are a sort of a crystal ball. You would talk to your friends, your hackers, and say, what are you working on? I found this little edge case with routing. It turns out, if it is interesting to them, it is a problem six or nine months in the future for everybody else. They are the canary in the coal mine, looking at technologies. Years ago, saying the internet of things was going to be a problem. Now it is a problem. Companies who wanted to get a head start looking at future problems, or maybe there is a new product, maybe we should learn what the hackers say the problem is. People, for different reasons. Now we are seeing more and more government appearances. Regulators, law enforcement. The same sort of purpose. They are trying to figure out what is coming next. For DEF CON, it was originally meant to be a party. Everything was online, bulletin boards, there was no internet or IRC. It was meant to put a face to a name. There was so much misinformation in the early days. There was no sense of a factual well when you could learn the truth. There was no Amazon or Google, so everything was word-of-mouth. There was so much misinformation. If I put a disclaimer on my bulletin board that said no undercover police officers are allowed, it is entrapment if they sign in. We would think, that doesn't make sense. That doesn't sound right. The first DEF CON we had a prosecutor speak.
And then we had a lawyer talk about, what are the liabilities if you are trained through virtual reality, but you are taught a mistake? And then in reality, you exercise the mistake. Who is liable? Your employer for not training you right? The VR manufacturer? We were looking at these issues a long time ago. It became known as DEF CON. One, I am from Seattle. My favorite movie, WarGames. The main character is from Seattle. In that movie DEF CON plays a big role. Also, in the early days, I was a phone phreaker. The number three key on your telephone is the DEF key. I was living with a hip-hop producer. He was producing a lot of rap. One day I am talking about this hacker convention, and he says, that sounds def. It all came together perfectly. DEF CON.

Host: What is a phone phreaker?

Jeff: In the early days there were hackers and phreakers. The hackers would exploit the telephone network. The best examples: Steve Wozniak, Steve Jobs, Bill Gates, these people who produce blue boxes that would allow you to place free phone calls and explore the phone network. Back in the day, the phone network was the largest network in the world and connected the whole planet. If you wanted to explore, you are basically a phone phreaker, exploring that network. Crackers specialized in movie copy protection. If you bought a game and could not share with your friend, crackers learned how the game was protected, reverse engineered the protection mechanisms and then got around them. Copy protection. So, that was the three main communities. They each had a different interest. Telecommunications, software and protection. Now, that line is completely blurred. As time went on and criminals entered, now there was money. It wasn't just a game, or the joy of exploration and discovery; it became money. Criminals came in and borrowed techniques from wherever they could. They tried to recruit hackers in the 1990s and early 2000s. Now,
Criminals send people to college and university. They make a lot of money from these malware campaigns. They payroll money, have giant research and development budgets. Don't need the hacking community anymore. They do not leech off of us anymore. We are trying to figure out what they are doing. They are doing this as a full-time moneymaking enterprise and they put in a lot of resources. I think what is going on now is, the press did not know how to explain the criminal use of technology. They borrowed the term hacker, which was really describing a skill set, and then used that to describe criminals using computers. Instead of saying the computer criminals broke into the bank, they said the hackers broke into the bank. That caused the schism. Good hackers would still refer to ourselves as hackers. To the outside world, we were security professionals. It was too confusing to have this long discussion about the morals and ethics about what a hacker is and isn't. I tried to say it is a skill set to be used for good or bad, just like you can have a criminal plumber, or a great plumber. The skill set is the hacking. The motivation is what differs.

Host: Is that where you get into the white hat hackers and the black hat hackers?

Jeff: That was attempting to describe motivation. Criminal hackers were going to be called spiders. Then the World Wide Web got invented. We can't have spiders and web, we are going to call them crackers. The cracking community was like, no, that is us over here, we are not criminals. We are not breaking into things like that. So, then it became colors of your hats, like old westerns. You could tell who the good guys were by the color of their hats. That is how it came about. Now, you are an ethical hacker. It is really muddied. I just stick with criminal and not criminal.

Host: Who attends this? How many?

Jeff: Black Hat, hard to say. Probably around 15,000 people. It is a long program.
There is training over the weekends and then the main conference. Some people come just for training, some people come just for the conference. Some people come for the whole week. DEF CON, we are about 25,000. Pretty big. It is interesting. For Black Hat, you preregister. It is a corporate experience, pretty expensive. DEF CON, it is all cash, pay at the door. There are no records, nothing to seize, no credit card records to subpoena. It is optimized for speed of registering people and not being an attractive target for law enforcement.

Host: Jeff Moss, when we told people at C-SPAN we were coming out here, turn off your phone, don't use a money machine, avoid anything electronic when you are down there. Is that true?

Jeff: To some extent that is the myth. The myth is that it is hostile. You have to remember now, it is pretty hostile everywhere. It used to be hostile just during DEF CON and Black Hat. Now, every airport seems to have a fake cell tower operating, fake wifi. If you're going to steal somebody's login, why not at the business lounge? That is where high-value targets are. If you monitor your wifi signals while you're traveling, you will see all these fake base stations. The Amtrak station at D.C. has a fake cell tower. This is the way that it is. If you are a criminal and you can build a backpack to intercept information and leave it plugged in, that is so much more low risk than trying to rob a bank. Of course bad guys will try to do that. You have hackers who want to test things out. They know it is a free-for-all. Free-for-all here in Vegas this week. There will be people trying to detect the towers. There will be law enforcement trying to detect the people detecting the towers. And you will have intelligence chasing them around. One year, we had a film documentary crew from France. It turned out they were legion, actually intelligence trying to identify who the people are they cared about.
Then, we had our own intelligence and found out later we were following around their intelligence. I'm sure there was another. There are so many layers that I have learned not to be surprised by anything. But it is a fascinating glimpse of behind the curtain. How does technology work behind the curtain? How do the governments work behind the curtain? What do other governments do? Once, at DEF CON, somebody came up to me at the end of the convention and said, I want to introduce myself. I'm with the Defense Intelligence Agency. What are you doing here? Aren't you supposed to count typewriters in Europe or how many car batteries, monitor the cost of the Soviet Union? What are you doing here at a hacking conference? He said, I'm trying to figure out if other countries are trying to recruit our hackers. That sounds important, but how? There's a room with 500 people in it. You can't be in the middle of all those conversations. How do you know who is trying to do what? What I do, I lean against this wall and watch for other people watching and pay attention to the watchers. Fascinating. So, every year I love learning a little more about how the world works.

Host: A couple years ago you had the head of the NSA, Michael Rogers, out here.

Jeff: No, the director before him. Keith Alexander. That was fascinating. It was years in the making.

Host: It took you years to get him out here?

Jeff: Not him, but that position. We have gotten people from the DOD. We have gotten a lot of other people. Never the director of the NSA. It happened that it was right before the Snowden revelation. It was at the very peak of goodwill between the hacking community and law enforcement. After that it has been downhill.

Host: Why?

Jeff: A couple of reasons. One was, there was a sense that we were all working together. Then we were all trying to make the world a better place, trying to protect networks, figure out what the bad guys are doing, have fun while we were doing it.
The intelligence folks had a bit of the mystique, but we knew they were using the same technology we were using. It was not alien technology. They were just using it differently. We could relate. We have the same sort of problem in setting up and managing the technology. Over the years, whether it was DHS or FBI, NCIS, they were genuinely interested in what the hackers were doing and we were interested in what they were doing. We were sort of becoming friends. After the Snowden revelations, there was a lot of, hmm, you never let on you are monitoring the citizens so severely. The hackers, security people felt it was too extreme. Whether it was because of government oversight lacking, maybe it is not their fault. Maybe it was the oversight's fault. A lot of people felt like trust was betrayed. A guy was telling you something in confidence and it ended up here. That is not why I told you about this bug. I told you about this bug to protect government systems, not to do something else. There is a huge cooling-off. That next year I asked the feds to please don't show up. Not that they were welcome. But there was going to be drama if they showed up publicly. There were a lot of angry people. I didn't want people throwing water, screaming, fighting. I didn't want to have a scene. Tensions were really hot back then. Since then things have cooled down. Intelligence agencies are trying to engage like they used to. The FCC, the FTC, we get some people from DHS trying to do some stuff on smuggling. We get the good parts, the noncontroversial parts. Trying to stop robodialing, make home routers more secure. Things everybody can identify with. I think DHS was talking about US-CERT and outreach to companies. How do we build information sharing networks to stop what bad guys are doing? We will get behind that. It will be a while before intelligence agencies are going to convince hackers that they are not impartial, but they have all their cards on the table.
That is just the way it is. It is funny, some intelligence people said, it is better this way. We preferred the gray areas. It was getting too much light on us. I think it will be a pendulum.

Host: Would you like to have Anonymous out here?

Jeff: They are here all the time. Anonymous is anonymous. You do not know who was in there. There are hundreds of anonymous people there. Organized crime people, intelligence people. That is the interesting thing. There is a lot of law enforcement presence from a lot of countries here learning, but there is also a lot of other people here learning. We have academics, writers, people who want to make movies about this. We created this melting pot of like-minded people. In the early days, Las Vegas acted as a filter. We are in the middle of anything, like San Francisco or New York City. You have to get on an airplane and fly to Vegas in the summer. It was a natural filter. You only came here if you were really interested. You didn't just hop on a train and come down from D.C. to New York. So we had really good formative years of people who cared about this. That became the core for the conventions now. Now, a lot more people come. Now it's seen as, professionally, a lot of people sort of have to come because it's such a big event. I remember when I went from just network security people to telecom. And then it went, you know, marketers had to show up because their customers were here, and it just kept growing and growing. But at its core are these hackers trying to figure out how the technology works and what to do about it. I think as long as you can keep that, the heart of the beating. Es will keep

Host: Are you glad it's growing?

Jeff: Yes. I hate the growth but growth. It's both. I'm very conflicted over it. When I started DEF CON, there were about two other hacking conferences that I knew of in the United States and they were invite only.
And I wasn't invited, or I could but I couldn't get there because it was in Atlanta and I was too young and wasn't traveling to Atlanta. I decided, well, if I'm doing a conference, it's going to be open to everybody. Not invite only. And that immediately led to a bunch of problems. It's invite only and you're not taking registration, how many people will show up? Don't know. How do you plan for something when you don't know how many people are going to show up? It kind of worked out. Well, if you don't know who's coming, what's to prevent 100 law enforcement people from showing up or 100 clowns from showing up? You can't control the demographic. But on the other hand, like I said, well, they're interested, to show up, so addition and be an add, contribute. That's how it worked out. People the f