Saying, give me an announcement for DEF CON that sounds professional. I have to convince my boss to send me to DEF CON. Wanted to make us sound more corporate. One of my friends said, you should just throw a real conference, charge real money, and make it a professional conference. I thought that was brilliant, but I didn't have the money at the time. Too young. I saved my money for a year, took a loan out, and then started Black Hat a year later, and then every year, unbelievably, it's grown for 20 years.

Host: What's the difference between Black Hat and DEF CON?

Guest: Black Hat is the, that's how I made my living. It was very corporate, information security focused, so this is, you have an infosec job, working for General Electric, Microsoft, and you need to learn something that you can apply hands-on, right away. Where the rubber meets the road. I learned this new attack and I'm going to defend my company. It's very practical but very focused more on enterprise. DEF CON is all about sort of the sense of discovery, the sense of learning something new, whether it's picking locks; your corporate job isn't going to pay you to pick locks, but at DEF CON you can learn. Hardware hacking, car hacking, conspiracy theories, everything that helps you kind of learn how to learn. A friend brought up that DEF CON is actually sort of teaching the next generation of hackers a way to think. If you spend any time in the field, you realize there's the mentality, the mindset of how to hack, skill set, innate skill, and then there's the professional hackers. I liken this to, let's say you're an artist and you create when you want to. Or you're a professional artist, like maybe working for a company, and you have to be creative day after day after day. And DEF CON is all about the people who are creative when they want to, and Black Hat was the transition, so now I have a day job and want to be professionally creative.
So I want to do Black Hat to keep up and learn my skills, and I want to go to DEF CON for the creative energy. That's why the two existed so well together. They're just different. But the people generally started in one and migrated to the other.

Host: There is a little bit of subversiveness in DEF CON?

Guest: Has to be. That's part of the anti-authoritarian. Hackers are told, you can't do that. That's not possible, we don't believe you. The voting machines are totally secure. It takes almost a certain amount of rebellious nature to say, I think I can break into the voting machines, your cell phone network has problems. There is a problem here. So it just turns out the people that are good at speaking truth to power tend to be a little bit rebellious. The other thing you realize is, companies aren't really telling you what the problems are, and the governments aren't telling you what the problems are, and the criminals for sure aren't telling you how they're breaking in. So it really comes down to these hackers and academics to really tell you what is possible. When a hacker started messing remotely with an implantable medical device, the manufacturer said, that's not possible. And only when the hacker demonstrated it at a distance did the manufacturer say, okay, now we'll listen to you. Well, okay, was that subversive, he was messing with technology that could have a negative impact, or a public good, because now consumers know, don't buy that model? Put the FDA on notice that they should really be testing for these things? Because there's a whole generation of medical devices that are not safe. So, maybe the FDA doesn't like it, but this I pointed out, maybe they're not doing their job as well as they could. You never make anybody happy when you point out problems, but since they're doing this creatively, not professionally, they don't care. They're just doing it because it's there and they want to prove a point.

Host: Where did the names come from?

Guest: People get Black Hat confused.
We're not a bunch of black hat criminals. It's the Black Hat Briefings, and we are teaching you what the black hats are up to. What the bad guys are doing and how to prepare. It's just gotten shortened down to black hats. And it turns out all these hackers and academics are sort of a crystal ball. You talk to your friends and your hackers and say, what are you working on? I think I found this little edge case with routing. If it's interesting to them, it's a problem six or nine months in the future for everybody else. Sort of like the canary in the coal mine. The internet of things would be a problem, years ago. Now it's a problem. So companies who wanted to sort of get a head start on what the future problems would be, or maybe a new product category, and learn what the hackers say is the problem, and then we'll build a product and sell it. People come for different reasons, and now we're seeing more and more government appearances, regulators. DEF CON was started because everything was online, bulletin boards, no internet or IRC, and just meant to put a face to a name. And there's so much misinformation in the early days. There was no sense of factual well where you could go in and learn the truth, no Amazon or Google, and so everything was word of mouth, and there was so much misinformation. There was this one, if I put a disclaimer on my bulletin board that says no undercover employerers are allowed, it's entrapment if they sign in. And we would think, that doesn't make sense. Law enforcement won't, that doesn't quite sound. The first DEF CON, we had a prosecutor come and speak. And then we had somebody who was a lawyer talk about what are the liabilities if you're trained through virtual reality, but you're taught a mistake, and then in reality, you exercise the mistake, who is liable? Your employer for not training you right? The VR manufacturer? And so we were looking at these issues a long time ago.
And so it became known as DEF CON one. I'm from Seattle, my favorite movie, WarGames, main character is from Seattle. And in that movie DEFCON plays a big role. Also in the early days, I was a phone phreaker, and the number 3 key on your telephone is the DEF key, and also at the same time I was living with a hip-hop producer who was producing rap, and so one day I'm talking about this hacker convention, and the hip-hop guys don't know about hacking, but as I'm screening the party one says, that sounds def. That it well by a def con. I'm like, DEF CON, WarGames, all came together perfectly, and so it's a DEF CON.

Host: What's a phone phreaker?

Guest: So phone phreak, early days, there were hackers and phreakers and then also crackers. And the phone phreakers were the telephone network. So the most famous example of this would be Steve Wozniak, Bill Gates, would allow you to make free phone calls and explore the phone network. Back in the day the phone network was the largest network in the world. If you wanted to explore, you were a phone phreaker exploring that network, hackers were exploring the X.25 networks, the precursor to the internet, and crackers specialized in movie copy protection. If you bought a game and couldn't copy it, crackers learned how the game was protected, reverse engineered the protection mechanisms and got around them. So, that was the three main communities, and they each had a different interest. Telecommunications, software and protection. Now the line is completely blurred. Then as time went on, and criminals entered, now there's money, wasn't just a game or fear of, I mean, sense of exploration and joy of discovery, it became money. And so criminals came in and they borrowed techniques from anywhere they could. They used to try to recruit hackers in the 90s and 2000s. Now the organized criminals send people to college and universities.
They make a lot of money from these malware campaigns, but they would pay real money, they have giant research and development budgets. They don't need the hacking community anymore. They don't leech off of us anymore. We're trying to figure out what they're doing. Because they're doing this as a full-time, moneymaking enterprise, and they put in a lot of resources. And so I think what is going on now is the press didn't know how to explain the criminals' use of technology, so they borrowed the term hacker, which was really describing a skill set, and then used that to describe criminals using computers. But instead of saying the computer criminals broke into the bank, they say the hackers broke into the bank, and that caused a schism where good hackers would refer to ourselves as hackers, but to the outside world we were security professionals, because it was too confusing to have a long discussion about the moral discussion about what a hacker is and isn't. Just say it's a skill set that can be used for good or bad, just like you can have a criminal plumber or a great plumber. The skill set is the plumbing, the hacking. The motivation is what differs.

Host: Is that where you get into the white hat hackers and the

Guest: That was an attempt to try to describe motivation. For a while they tried to change it, they wanted to say criminal hackers were going to be called spiders. Then the World Wide Web was invented and can't have spiders on the web. Then we called them crackers, and the cracking community said, we're not, and we're not breaking into things like that. So, then it became colors of your hat, like old westerns. You could always tell who the good guys were by the color of their hat. That's how it came about. Now you're an ethical hacker. It's muddied. Just stick with criminal and not criminal. To.

Host: Who attends this? How many?

Guest: So for Black Hat, it's hard to say, but probably around 15,000 people.
It's a week-long program, so there's training over the weekends and then the main conference, some people come for training, some for the conference, and some for the whole week. DEF CON, 20,000. For Black Hat you preregister, corporate experience, it's expensive. But DEF CON, it's all cash, pay at the door, there's no record, there's nothing to seize, nothing to FOIA, no credit card records to subpoena. It's optimized for speed of registering people and not being an attractive target for law enforcement.

Host: Jeff Moss, when we told people at C-SPAN we were coming out here, oh, turn off your phone, don't use a money machine. Avoid anything electronic when you're down there. Is that true?

Guest: To some, that's the myth. The myth is that it's super hostile, but you have to remember now it's pretty hostile everywhere. Used to be just hostile during DEF CON and Black Hat. Now every airport seems to have a fake cell tower operating, fake Wi-Fi catcher, because if you steal somebody's login, why not at the business lounge at the international airport. That's where the high-value targets are. So if you monitor your Wi-Fi signal you'll see fake stations, Amtrak station, DC has a fake cell tower. This is the way that it is. If you're a criminal and you can build a backpack to intercept information and just leave the backpack plugged in somewhere, that's so much more low risk than trying to rob a bank. So, of course rational bad guys will try to. Then you also have hackers who want to test things out. They know it's a free-for-all here in Vegas during this week, fake cell towers set up, people trying to detect the big towers. The law enforcement trying to detect the people who are trying to set up the towers. Foreign intelligence with our intelligence chasing them around. One year, we had a film documentary crew from France. Turned out they were French Foreign Legion, which meant they were intelligence, trying to identify who all the people are that they cared about.
Then we had our own intelligence, we found out later, that was following around their intelligence. Then I'm sure debitor was just so many layers that over the years, I've learned not to really be surprised by anything. But it's a fascinating glimpse of sort of behind the curtain. How does the technology work? How do the governments work behind the curtain? What do other governments decide. I was in a DEF CON once and somebody came up to me at the end of the convention, said, I want to introduce myself, I'm with the Defense Intelligence Agency. What are you doing here? Aren't you supposed to count typewriters in Europe or how many car, monitor the collapse of the Soviet Union? What are you doing here at a hacking conference? He said, I'm trying to figure out if countries are trying to recruit our hackers. Well, okay, that sounds important, but how? There's a room here with 500 people in it. You can't be in the middle of all those conversations. How do you know who is trying to do what? It's actually pretty interesting. I lean up against this wall and I watch for other people that are watching. And I pay attention to the watchers. Oh, fascinating. So it's just, every year I love learning, every year I love learning how the world works.

Host: You had the head of the NSA, Mike Rogers, out here.

Guest: No. The director before him.

Host: Oh, okay.

Guest: Keith Alexander.

Host: That's right.

Guest: That was fascinating. Years in the making.

Host: Took you years to get him out here?

Guest: Not him, but the position. We have tried for years. We have gotten people from the DoD and other people, but not the director of the NSA, and it just happened that it was right around, right before the Snowden revelations. So it was at the very peak of goodwill between sort of the hacking community and law enforcement and the intelligence, and then after that, it's been just downhill.

Host: Why?

Guest: I think a couple of reasons.
One was there was a sense that we were all working together; that we were all trying to make the world a better place, trying to protect networks, figure out what the bad guys were doing, have fun while we're doing it, and the intelligence folks had a bit of mystique, but we knew they were using the same technology we were using. Wasn't alien technology. Just they were using it differently. So we could sort of relate. We had the same sort of problems in setting up and managing the technology. And over the years, whether it was DHS or FBI, NCIS, they were just genuinely interested in what the hackers were doing, and we were interested in them, and we were sort of becoming friends. Then the Snowden revelations, there was a lot of, hmm, you never really let on that you were monitoring the citizens so severely. That was never, even the hackers and security people felt that was too extreme, whether it was because the government oversight was lacking and they were doing everything they could legally and maintain wasn't their fault. Whatever, however you want to ascribe whose fault it was, a lot of people felt the trust was betrayed. I was telling you something in confidence and it ended up over here doing something else. That's not why I told you about this bug. I told you about this bug to try to protect government systems, not to go do something else. So, there's been a huge cooling off period. Then that next year I basically asked the feds, please don't show up. Not that they weren't welcome, but there would be a lot of drama if they showed up. A lot of angry people. Didn't want somebody throwing water, fighting, screaming. I didn't want a scene. Tensions were very hot back then. Since then people have cooled off. The parts of government are engaging. We have here the FCC, the FTC, some people from DHS, trying to do some stuff on the smuggling. So we get like the good parts, I would say, the noncontroversial parts.
FTC trying to stop robo dialing, make home routers more secure. Things that everybody can identify with. And so I think DHS was talking about US-CERT and outreach to companies and build information-sharing networks to help learn what bad guys are doing. We can get behind that, but a while before the intelligence agencies are going to convince the hackers that they're, wouldn't say not impartial, but that they've got all their cards on the table. That's just the way it is. Some of the intelligence community people say, we prefer it this way. There was getting too much light on us. I think it will be like a pendulum.

Host: Would you like to have Anonymous out here?

Guest: They're here all the time. Anonymous is anonymous. You don't know is no there. There's a hundred Anonymous people there, there's organized crime people and intelligence people. That's the interesting thing out here, is there's a lot of law enforcement presence from a lot of countries here learning, and also a lot of other people here learning. Academics, writers and people who want to make movies about this. So we created this melting pot of like-minded people, and in the early days, Vegas was this filter. We're not near anything, not in the middle of San Francisco or New York City. You have to get on an airplane and fly to Vegas in the summer. So, it was this natural filter of, you only came here if you were really interested in this stuff. Just didn't hop on a train and come down from D.C. to New York. We had a really good formative year of people who cared about this, and I think that became the core for the conventions now. Now a lot more people come. It seems people say professionally they have to come because it's such a big event. I remember when it went from network security people to telecom, and then marketers had to show up because their customers were here, and then it just kept growing and growing and growing.
But at its heart, its core, are these technologists and hackers trying to figure out how the technology works and what to do about it. I think that's the, as long as you can keep that, the heart of the conferences will keep beating.

Host: Are you glad it's growing?

Guest: Yes. I love the growth but I hate the growth. I'm conflicted. When I started DEF CON, there were about two other hacker conferences I knew about in the United States, and they were invite only, and I wasn't invited, and I could get an invite but I couldn't get there because I was in Atlanta and I was too outcome. I decided if I'm doing a conference it's going to be open to everybody, not invite only, and that led to a bunch of problems, so if it's invite only and you're not taking registration, how many people are going to show up? I don't know. How do you plan for something when you don't know how many people are going to show up? Kind of work it out. If you don't know who is showing, what's to prevent 100 law enforcement people from showing up or 1 crowned from showing up? You can't control the demogr