There are also multiple capture-the-flag contests, which are basically red team, blue team, offense, defense: how do you hack something, how do you defend something. How do you get certain targeted treasure chests. And some of the level of skill in these competitions is what we normally say can only be done by nation states. And instead, you have hundreds and thousands of people who are engaging in these types of contests. I think that can satisfactorily bust a myth, that only the nation-state adversary is what we have to be worried about. When the tools and techniques are available to everybody, it is very, very easy to take advantage of them. We also had an IoT village, Internet of Things village. One of the highlights for me was that remote-controllable wheelchair. I don't know why you would want to remotely control a wheelchair but somebody made this thing. And it was driving up and down the halls without anybody on it because somebody figured out how to gain access and control it and drive it around. I think that underscores some of the direction we're going in this whole completely connected world where now that we've got everything connected, it is everywhere accessible and therefore it can be controlled by anyone who has a little, small degree of technical skill and willingness to use that. There were at least two sitting congresspeople at DEF CON this year, two that I know of. In past years there have been more at that event. I think that underscores the importance, at least to some people in D.C., why they want to get engaged with this community. With that I will throw it over to Jay to talk about Black Hat and the challenge that DARPA ran.
I'm curious, how many have been to the RSA information security conference? A fair amount, maybe a 10th of the room. Black Hat? DEF CON? RSA is very much an information security conference. There is a booth and they will shine your shoes and the money goes to charity. DEF CON is not an information security con, for instance.
It is a hacker conference. There the money will still go to charity. They won't shine your shoes and you get a mohawk. I didn't donate enough to charity because they kind of overdid me. This is about hacking. Driven by curiosity, trying to understand the system, to figure out if you can make the system do what you want it to, even though necessarily not what the makers of that system originally intended it for. Hackers and hoodies, this is all people making mischief. There is that element to it. But there are a lot of people just fascinated by systems who want to try and get in and understand them. So Black Hat happens in the earlier part of the week. DEF CON the later part of the week. BSides, BSides conferences are there, on the flip side of some other cool conference. One of the biggest things I think came out of Black Hat was, we were very pleased because Apple came and they announced the bug bounty program. You might have followed this; this came up in the news the most in the last couple months with the FBI-Apple hack, where the FBI wanted access to one of the Apple phones from the San Bernardino murderers. They ended up using a vulnerability they bought the use of, and it came out a lot that Apple was really the only big company left that did not have this, did not have a bounty, an amount of money they would pay if you were a security researcher and hacker. You found a bug, they would list your name on the website, but that was it. They wouldn't offer you any kind of rewards or any amount of money. They have bug bounties up to 200,000. Some hackers were there that had been awarded one million points from United because they had found all these points on United. That is why United Airlines, the airlines, not the van lines, United Airlines said we would reward security researchers that find these bugs. The Commerce Department was there in force. And Alan Friedman of Commerce has been doing a great job pushing, trying to get out these vulnerability disclosure programs.
For me that was one of my big takeaways. You might have even seen that DOE started the Hack the Pentagon program for security researchers to try to find bugs in the Pentagon websites. Apparently it was a win to call it Hack the Pentagon, rather than some kind of bureaucratic name, you know, DoD Vulnerability Discovery Process, comma, amateur. The, also really pleased, one of the things that came out, was, it was surprising to many of us in the community, got a lot of press, was Hackers for Hillary. There was an event on Wednesday. So from these conferences from the early days, we'll talk about this, especially DEF CON, so apolitical. You had a Spot the Fed conference, contest. If someone was there that was a fed, was maybe a federal agent trying to infiltrate the community, it was your job to try to spot them. More if you were there, at the fed, you would try to hide and not get spotted. Here you were, that was at DEF CON. Here you were out of this community and now you're having this political event and there were probably 30 people at the event cohosted by Jeff Moss. He is known to Jeff Moss, our senior fellow. He is known out there as the Dark Tangent, founder of these conferences and cohosting this event. So maybe 30 people and an equal number of journalists covering the event. Really caught a lot of people as the maturation of the field, like all of a sudden now we matter. Now the, now the, we used to have to go to D.C. to testify, now coming to us. I have one or two other things. Maybe I hold off right there and just
I can comment on your Hackers for Hillary, the event. I think it shows, as you said, a maturation, mostly of the people that are attending these conferences. I mean, I started this back in my 20s. I'm in my 40s now. DEF CON has gone on for 24 years. We're seeing a change in government attitudes towards hackers. 20 years ago it was nothing but FBI raids.
Now you have groups like Commerce, FDA, DoD, reaching out trying to bridge the gap and accessing knowledge and expertise. Saying help us out. We're seeing a change from a completely adversarial relationship between government and the hacker community and it is starting to thaw a little bit where there is cooperation. It hasn't completely thawed, but it's getting there.
Some of you know about the hacker history, when you testified in front of Congress in the 90s.
In 1998, we testified in front of, I forget the name of the Senate committee, we made it a very distinct point only to use handles. Our handles in the official record. I'm in there, Senator John Glenn called me Space Rogue on the record. We did that because we were afraid of reprisals from other companies and other parts of government. So we made it a big point of only using our hacker handles. That has changed obviously. I now use my real name, Cris Thomas, but everybody calls me Space or Space Rogue, SR. That is sort of my identity and who I am. It shows a little bit of thawing in the relationship between government and hacker types.
Lorrie is the lone fed on the panel. Spotted. Spotted the fed here. I'm wiley. You were also participating in, were you on Meet the Fed? I was on the Meet the Fed panel. We used to do Spot the Fed where we would out feds. We invite feds to sit there and engage in productive conversation. Used to be too many feds. He brought you them up on stage and get a T-shirt. The fed has to have arrest powers and then you get a T-shirt. Then there were too many here. Jeff Moss is a fed. Jeff Moss is a fed. Tell us a little bit why you were out there from the government and why, what you found valuable about Meet the Fed?
Yeah. So the FTC was out there. We actually brought our own fed T-shirts to wear so we were easily spottable. That was a cool T-shirt. We made special FTC DEF CON shirts. There is a secret code you can crack on them. I made it up myself. Is it ROT13? It is not ROT13.
We were out there because we wanted to do outreach to the hacker community and let people know what our agency does, and we're interested in hearing about research people are doing that can help us understand vulnerabilities, especially IoT systems, give us ideas about how we can protect consumers from scams, from fraud, and we wanted to make those connections. That's why we were there.
So, in the spirit of creating your own clothing line, this wouldn't be bringing DEF CON to D.C. if we didn't have black hoodies for all of our panelists today. We have very special Atlantic Council exclusive hoodies for all the panelists. I will just hand these out. And then maybe we can hold them up and get a photo op. That's Jay. While he is doing that, Lorrie.
If you go to Black Hat, RSA, you get a badge and it has your name and you get a black hat. Because it is a hacker conference it can't be just that simple. They have every year now, not just a badge, it is a circuit. I believe this is an x86 board, and it has input, output, everything you need. There are badge competitions: what will this badge on me do, what can I do with it? They will actually get in and discover I/O ports and discover what the badge does. Let's hold our sweatshirts up so hoodies. Not sweatshirts. Noto on. Photo op. Thanks. I didn't have enough. You didn't have enough. Appreciate one more. Actually go ahead. Hackers have more hoodies than the population? Like, my standard. Stereotype confirmed. It's a little chilly in my house. I like to keep the thermostat down. I keep a hoodie as daily driver behind the keyboard. You mentioned badges, Jay. I have several that I picked up there. From the car hacking village. Like the intel community. More badges than you have, obviously the cooler person that you are. That's right. So this is something that was created by security researchers and got a tool on the end here that plugs into your car. So this is the on-board diagnostics port of your car. Plugs right in.
You can start reading out the codes coming across your OBD2 port. This is one from the bio hacking village. And this one will read near field communications. You can read implantable chips in your hand. I know you all have them. You can also read credit cards, the RFID credit cards, or passports. Passports. If you have a badge to get into your house or workplace. Be careful if you get too close to me. I might be reading it. I could impersonate you, playing it back when I get to your home. This underpins so much of Black Hat and DEF CON. If you go to a normal information security conference they will have talks on how you can improve the business resilience of your company. These conferences, these Vegas Black Hats, we have the technological infrastructure around us. We don't know how it works. We assume people are out there taking care of it. What is running out there four years, gathering of folks driven to understand the technological infrastructure and come out to try to figure out all the ways it is not secure. Now and that is why it is so good to see the FCC and other govs out there, look, these people are figuring out how this stuff is completely insecure, much of it, and we better work as quickly as they're discovering things and as we continue to spew out ever more of this technological stuff, or it will all end in tears. There is a great, someone tweeted out, here is what we do, here is how Las Vegas handles gambling machines. Covered all the controls that Las Vegas includes for gambling machines. If you as a player think the machine is fraudulent, talk to the inspector. There are rules. There is independent testing to make sure it is right. On election machines, voting machines, none of that is true. It is illegal to figure out how it works. It is not independent testing. There is not, FCC has very limited powers compared to Vegas. It is easier to game an election machine than it is a gaming machine?
That did come up a lot, coming right out of the DNC hack, and I think there are a lot of us trying to call our attention to the election machines, because if the Russians were going to mess with elections, there are a lot more direct ways to do it.
Interesting you bring up election machines. There is a DMCA exemption, Digital Millennium Copyright Act exemption, on election machines that I believe takes place this year after the elections. It allows researchers to look at systems to see if there are vulnerabilities in them without fear of prosecution. That is a big thing. A specific exemption went through the Copyright Office, Library of Congress, very difficult to get. I see a lot of researchers taking that up this year and looking at machines to see how vulnerable they are. Election machines simulator for people to come up and try hacking. I have been at Princeton University. Ed Felten did some research there on voting machines, and they still have the one there that is playing Pac-Man. This is the security level of our, certain devices, but actually Space had really good comments earlier today, that I saw, about what it would mean to make those a critical infrastructure.
Yeah, critical infrastructure. There was a comment or movement, not exactly sure where it came from, of making election computers. I think we should use the term computer as opposed to machine. Election computers as critical infrastructure. My opinion, that comes with a bit of baggage. For one thing we have seven industries labeled as critical infrastructure. We're getting to the point, gee, everything is critical infrastructure. If everything is, nothing is. We have organizations in place to look at these systems and certify them at the national level. NIST has an organization, I forget the name, voluntary Election Commission or something, that allows local governments, and I think a lot of people forget that local governments are the ones in charge of elections. It is at the county level or city level.
That is how we have always run the elections for the last 240 years. Declaring them critical infrastructure kind of changes how we look at them historically. I don't want to rat hole down this too much. I don't think there is any election computer hacking this year? I didn't see any at DEF CON other than the sample at Ed's booth. A lot of IoT hacking going on. Yes. Home devices. Had a couple of medical devices this year. Obviously cars. Did anybody go to the car hacking village? Yes, she was. The villages are like a conference within a conference. They have things people can go and explore on their own. It's interesting you bring up you were there to meet people and outreach. You brought up earlier, the running joke, for me the biggest part of DEF CON or any of the other smaller conferences I go to, it's the hallway. When you hang out in the hallway and start talking to people. I get the most out of any of that from the hallway at any other conferences. I can watch the talks at home once they are recorded. Interacting with people I can only do at the conference.
So for most of us we've been there several times, out to Vegas to do that. Lorrie, I think it's your first time. Because most of the folks in the audience have not been, you probably can serve as the best bridge between D.C. and DEF CON. Why don't you tell us a little about what you observed as a first-time attendee at some of the conferences?
Sure. I started the week, kind of a small conference and it is much more accessible because it is less than 3000 people. Still somewhat chaotic. I gave a keynote talk, so imagine a really big room. There are vendors with booths around the edge. In one corner people learning how to pick locks, and in another corner there are people who are hacking something, I don't know what. In the middle there's like the EFF booth. I was on the stage trying to talk to these people who were standing or sitting on the floor. That's how I gave the keynote talk.
But it was fun and I did do some audience participation. It was chaotic but a good experience of meeting people. I had never tried to pick a lock myself and I wandered over to that area and a volunteer rushed up to me and handed me a lock and showed me how to use it. It didn't take very long to find out how to pick locks. Watch out. And then I also did a career panel where they had a room where they were interviewing people about their careers and taking questions from the audience. I talked with them about the various careers I've had and took a lot of questions. It was fun. Then I went to Black Hat, and this is a very corporate, very polished event. You get name badges that have your name on them. Notice, there's no name on this badge. We are completely anonymous. The badge was like a poker chip. Black Hat was very corporate, very, you know, lights, flashing lights. They have this whole breaking glass thing when the speakers come on stage. There was a big vendor booth where everybody is handing out free T-shirts. I brought back a whole big bag of T-shirts for my kids. I don't have to go shopping for back to school. And then I went to DEF CON, and DEF CON is like 20,000 people. You don't get, you don't register in advance, so there are a lot of lines to pay and to get into all the sessions. It's very chaotic but just so much creative energy. You see all these people all huddled together; it looks like they're all soldering something. The contests were also really interesting. The challenge, it was, the grand challenge, teams have built computers to hack into other computers. The teams had nothing to do during the event. The computers were just going, but they had running commentary and visualizations to make it really exciting. So that was very interesting. The other point I want to mention is being there as a woman, there's only about 10% women at these events. So it is kind of isolating.
For the most part I found it was a fairly comfortable environment, but there were still a few things going on, especially at DEF CON, that were uncomfortable being there as a woman.
Going back quickly to the Cyber Grand Challenge. I always kind of see it, always, for the past week I've seen it as like Garry Kasparov versus Deep Blue, IBM, and whether man or machine is the better hacker. When will Skynet be here and how many