Host: Now joining us on The Communicators, Jeff Moss. How and why did Black Hat begin?

Jeff: It began more than 20 years ago. I operate a convention, DEF CON, the world's largest hacking convention. This was a time when there were no jobs for any of us. The only people doing security were maybe people in the military and banks. As the internet grew and there were jobs, and there is money at risk, all of a sudden hackers started getting jobs doing security. I kept getting emails, give me an announcement to DEF CON to make it sound professional. I was rewriting our announcements to make them sound corporate. One of my friends said, you know what, throw a real conference. Charge real money. Make it professional. I thought it was brilliant. I was too young. I saved my money for a year. Then I started Black Hat a year later. Every year it has grown for 20 years.

Host: What is the difference between Black Hat and Devcon? DEF CON.

Jeff: You have an infosec job. You are working for General Electric or Microsoft. You need to learn something you can apply hands-on right away. I'm going to go home and defend my company against it. It's very practical but focused on enterprise. With DEF CON, it is the sense of discovery, learning something new, picking locks. Your corporate job is going to teach you how to pick locks. Hardware hacking, car hacking. Conspiracy theories. Everything that helps you learn how to learn. A friend brought up that we are teaching the next generation of hackers a way to think. There is the mentality of how to hack, which is a skill set. Then there are professional hackers. I liken this to an artist. You create when you want to. Or a professional artist, working for a company. You have to be creative day after day. DEF CON is all about the people who want to be creative when they want to be creative. Black Hat is the transition to a day job.
I have to keep up and know the skills I need for my job, but I am going to go to DEF CON because that is where my creative energy comes from. They have existed well together. They are different. But the people generally started in one and migrated to the other.

Host: Is there a subversiveness?

Jeff: There has to be. That is part of the anti-authoritarian. Even to this day a lot of what hackers are told is, you can't do that. That is not possible. We don't believe you. The voting machines are secure. It takes rebellious nature to say, I think I can break into the voting machines. No me your cell phone does have some problems. It just turns out people who are good at speaking truth to power tend to be a little bit rebellious. The other thing is companies are telling you what the problems are. The governments are telling you what the problems are. The criminals are telling you how they are breaking in. It comes down to hackers and academics to tell you what is possible. When a hacker started messing remotely with a medical device, the manufacturer said that is not possible. Only when the hacker distributed it did the manufacturer say, OK, we will listen to you. Was that subversive or is that a public good? Consumers now know, don't buy that bottle and put the FDA on notice, they should be testing. There is a generation of medical devices that are not safe. Maybe the FDA doesn't like it. But maybe they are not doing their job as well as they could. You never make anybody happy. A lot of times, they are doing this creatively. They don't care. They are doing it because it is there.

Host: Where did the names come from?

Jeff: People get Black Hat confused. It is Black Hat Briefings. The idea was, we are letting you know what the bad guys are doing and how to prepare. It got shortened down. It turns out that all these hackers and academics are a crystal ball. You would talk to your friends and say, what are you working on?
I found this little edge case with routing. If it is interesting to them, it is a problem in the future for everybody else. They are the canary in the coal mine. Years ago, saying the Internet of Things was going to be a problem. Now it is a problem. Companies who want to get a head start, way maybe there is a problem, then go build a product and sell it. People come for different reasons. Now we are seeing more government appearances. Regulators, law enforcement. They are trying to figure out what is coming next. DEF CON was originally a party. Everything was online. There was no internet. It was meant to put a face to a name. There was so much misinformation that there was no sense of a factual well when you could learn the truth. Everything was word of mouth. There was so much misinformation. If I put a disclaimer on my bulletin board that said no undercover police officers allowed, it is entrapment if they sign then. That doesn't make sense. That doesn't sound right. The first DEF CON we had a prosecutor speak. And a lawyer talk about the liabilities if you are trained through virtual reality, that you are taught a mistake and in reality you exercise the mistake. Who is liable? The VR manufacturer? We were looking at these issues a long time ago. It became known as DEF CON. My favorite movie, WarGames. The main character is from Seattle. DEF CON plays a big role. In the early days I was a phone phreaker. The number three key on your telephone is the DEF key. I was living with a hip-hop producer. I'm talking about this hacker convention. Hip-hop guys don't know about hacking. As I am describing the party one says, that sounds def. It all came together perfectly. DEF CON.

Host: What is a phone phreaker?

Jeff: The phone phreakers exploited the telephone network. Steve Wozniak, Steve Jobs, Bill Gates, these people who produce blue boxes that would allow you to place free phone calls. Back in the day the phone network was the largest network in the world.
If you wanted to explore, you basically were exploring that network. At work hackers were exploring the precursor. Crackers specialized in movie copy protection. If you bought a game, crackers learned how the game was protected, reverse engineered it and then got around them. So, that was the three main communities. They had a different interest. Telecommunications, software protection. Now the line is blurred. As time went on, as criminals entered, it wasn't just a game, and joy of discovery. It became money. Criminals came in and borrowed techniques from anywhere they could. They used to try to recruit hackers. Now the criminals send people to college and university. They make a lot of money from these campaigns. They have a giant research and development agenda. They don't need the hacking community anymore. We are trying to figure out what they are doing. They are doing this as a full-time moneymaking enterprise and they put in a lot of resources. I think what is going on now is the press did not know how to explain the criminal use of technology. They borrowed the term hacker, which was describing a skill set, and used that to describe criminals using computers. Instead of saying they broke into the bank, the hackers broke into the bank. That caused the schism. Good hackers would still refer to themselves as hackers. To the outside world, we were security professionals. It was too long to have this conversation about what a hacker is or isn't. It is a skill set, just like you have a criminal plumber, or a great plumber. The skill set is the hacking. The motivation is what differs.

Host: Is that white hat hackers and black hat hackers?

Jeff: That was attempting to describe motivation. Criminal hackers were going to be called spiders. Then the World Wide Web got invented. We are going to call them crackers. The cracking community was like, that is us, we are not criminals. So, then it became colors of your hats. You could tell who the good guys were by the color hats.
That is how it came about. Now you an ethical hacker, it is really muddied. I just stick with criminal and not criminal.

Host: Who attends this?

Jeff: Black Hat, hard to say. Probably around 15,000 people. It is a long program. There is training and the main conference. Some people come just for the conference. DEF CON, 25,000. Pretty big. It is interesting. For Black Hat to me you can preregister. For DEF CON it is all cash. There are no credit card records to subpoena. It is optimized for speed of registering people and not being a target for law enforcement.

Host: When we told people we were coming out here, turn off your phone. Don't use a money machine. Avoid anything electronic when you are down there.

Jeff: That is the myth. You have to remember now, it is pretty hostile everywhere. Now, every airport seems to have a fake cell tower. If you're going to steal somebody's login, why not at the business lounge? That is where high-value targets are. If you monitor, you will see these fake stations. D.C. has a fake cell tower. This is the way that it is. If you are a criminal and you can build a backpack to intercept information, that is so much more low risk than trying to rob a bank. Bad guys will try to do that. You have hackers who want to test things out. They know it is a free-for-all. There will be fake cell towers. People trying to detect the fake towers. Law enforcement trying to detect people. For intelligence. Foreign intelligence. We had a film document recruit. They were french born legion, actually intelligence trying to identify who the people are they cared about. We had our own intelligence that were following around their intelligence. I'm sure there was another. There are so many layers that I have learned not to be surprised by anything. But it is a fascinating glimpse of behind the curtain. How does technology work behind the curtain? What do other governments do? I was at a DEF CON winds and somebody came up to me and said, I want to introduce myself.
I'm with the Defense Intelligence Agency. What are you doing here? Aren't you supposed to count typewriters? What are you doing here at a hacking conference? He said, I'm trying to figure out if other countries are trying to recruit our hackers. That sounds important, that how? There's a room with 500 people in it. How do you know who is trying to do what? What I do, I lean against this wall and watch for other people watching and pay attention to the watchers. Fascinating. So, every year I love learning a little more about how the world works.

Host: You had Michael Rogers out here.

Jeff: No, the director before him. Keith Alexander. That was fascinating. It took you years to get him out here. That position. We have gotten people from the DoD. We have gotten a lot of other people. Never the director of the NSA. It was right before the Snowden revelation. It was at the very peak of goodwill between the hacking community and law enforcement. After that it has been downhill.

Host: Why?

Jeff: A couple of reasons. One was there was a sense that we were all working together. We were all trying to make the world a better place, trying to protect networks. Have fun while we were doing it. The intelligence folks had a bit of mystique but we knew they were using the same technology we were. It was an alien technology. They were just using it differently. We could relate. Over the years, whether it was DHS or FBI, in cips, they were interested in what they were doing. We were sort of becoming friends. There was a lot of, you never really let on you were monitoring the citizens so severely. That was the hackers felt that was too extreme. Whether it was because of government oversight lacking, maybe it is not their fault. Oversight's fault. Whatever. Whoever's fault it was. A lot of people felt like trust was betrayed. A guy was telling you something in confidence and it ended up here. That is not why I told you about this.
I told you about this to protect government systems, not to do something else. There is a huge cooling-off. That next year I asked the feds to please not show up. Not that they were welcome. But there was going to be drama if they showed up publicly. There were angry people. I didn't want people fighting. I didn't want to have a scene. Tensions were hot. Since then things have cooled down. Intelligence agencies have engaged. The FCC, the FTC. We get some people from DHS trying to do some stuff on smuggling. We get the good parts, the noncontroversial parts. Trying to stop robocalling, make home routers more secure. Things everybody can identify with. I think DHS was talking about US-CERT and outreach to companies. Had we help learn what bad guys are doing. It will be a while before intelligence agencies are going to convince hackers that they are not impartial, but they have their cards on the table. That is just the way it is. Some people said it is better this way. We preferred the gray areas. It was getting too much light on us. I think it will be a pendulum.

Host: Would you like to have Anonymous out here?

Jeff: They are here all the time. Anonymous is anonymous. I'm sure there are hundreds. Organized crime people, intelligence people. That is the interesting thing. There is a lot of law enforcement from a lot of countries here learning. There are a lot of other people here learning. Academics, people who want to make movies about this. We have created a melting pot. In the early days, Vegas acted as a filter. We are not in the middle of San Francisco. You have to get on an airplane and fly to Vegas in the summer. You only came here if you were really interested. You didn't just hop on a train and come down. So we had good formative years of people who cared about this. That became the core for the conventions now. Now it seems people think they have to come because it is a big event. It went from network security people to telecom.
Then marketers had to show up because their customers were here. At its heart, at its core are these technologists, hackers trying to figure out how the technology works and what to do about it. As long as you can keep that, the heart of the conference will keep beating.

Host: Are you glad it is growing?

Jeff: I love the growth. I hate the growth. It is both. I'm conflicted over it. When I started DEF CON, there were two other hacking conferences. They were invite only. I wasn't invited. Or I couldn't get there. I was too young and wasn't traveling to Atlanta. I decided if I'm doing a conference it's going to be open to everybody. That led to problems. If it is invite only, how many people are going to show up? How do you plan for something when you don't know how many are going to show up? If you don't know who is showing up, what prevents 100 law enforcement people from showing up? You can't control the demographic. On the other hand, they are interested. They care enough to show up. Maybe they will add and contribute. That is how it has worked out. From 100 people the first year, to 25,000 people this year. It is bigger that it is reflecting the changing demographics. More women are involved. More artists are involved. More large enterprise. In the early days we were hacking on two or three technologies. You couldn't get there without the growth. Some conferences are still invite only. They stay small. There is absolutely a place for that. Consciously I wasn't going to be that elitist. I was going to let anybody show up. I have to live with the consequences. Control the tenets or keep an open door policy.

Host: When did you start hacking?

Jeff: When I was 12 or 13. It depends on hacking. I didn't think I was a hacker until 14 or 15. In hindsight, I probably was. I was copying games, reverse engineering protection. Hacking more about overclocking to make your computer go faster. Trying to get more out of your PC. Later on I was into phone phreaking.
I caught a hacker breaking into my bulletin board system. When I caught him, he was like, I don't know what you are doing, but you are doing something. He said, you caught me. This is how I did it. As soon as it was explained to me, it turned on a light bulb. Of course you can do that. Why had I never thought you could get around my limits by just changing one number? Of course you can do that. That made me change before that moment. Before, technology just kind of worked. And then I questioned every assumption. They are clearly not doing what I thought they were doing.

Host: Did you ever get in trouble?

Jeff: No. But back then, there were no laws against any hacking. Different than today. I'm worried about the current generation. These federal sentencing minimums, you could run automated tools and get more jail time than driving drunk and killing someone. Sentencing guidelines are crazy. You see this sometimes. I want to participate in civil disobedience. I'm going to tos that evil bank. He has a felony conviction now and is in jail for a number of years. His employment options are destroyed. For participating. I'm not saying that is right or legal, or should be legal. I'm saying the punishment is disproportional to the harm. That didn't exist when I was a kid. Back then, there wasn't really anything online that you could harm. The mentality was look but don't touch. It came from ham radio operators. You can listen in to people, whatever you hear wirelessly is legal. If you act on it, that becomes illegal. This is an FCC law. If you go to their house and steal cash, it is an additional crime that you learned it and acted on it. That is where this came from. Explore these networks. Even if you break in. Don't touch anything. You are there as explorers. So, some of the old-school hackers still think that way. The problem is the Computer Fraud and Abuse Act now really treats just even looking as a crime. With some bizarre results.
That law was created in the late 1980s. So, it is predicated on this concept of permission. If you run a bulletin board you are permitting me to log in. You are not giving me permission to break in. If you read that law, any time you connect to a website, you are not getting permission. There is a lot of, this is what tripped up Aaron Swartz, his downloading of legal documents he had permission to download. They claimed we didn't give you permission to download all of them. He took that permission to mean I will automate it and download everything. That is when he was charged and a zealous prosecutor was trying to give him federal maximums. Eventually he committed suicide over that. Downloading a lot of documents, maximum sentencing. These problems are still working through as a society. These ch