
Guest: Saying, give me an announcement for DEF CON that sounds professional. I have to convince my boss to send me to DEF CON. They wanted to make us sound more corporate. One of my friends said, you should just throw a real conference, charge real money, and make it a professional conference. I thought that was brilliant, but I didn't have the money at the time. Too young. I saved my money for a year, took a loan out, and then started Black Hat a year later, and then every year, unbelievably, it's grown for 20 years.

Host: What's the difference between Black Hat and DEF CON?

Guest: Black Hat is... that's how I made my living. It was very corporate, information security focused. So this is, you have an infosec job, working for General Electric, Microsoft, and you need to learn something that you can actually apply hands on, right away. Where the rubber meets the road. I learned this new attack and I'm going to defend my company. It's very practical, but very focused more on enterprise. DEF CON is all about sort of the sense of discovery, the sense of learning something new, whether it's picking locks. Your corporate job isn't going to pay you to pick locks, but at DEF CON you can learn. Hardware hacking, car hacking, conspiracy theories, everything that helps you kind of learn how to learn. A friend brought up that DEF CON is actually sort of teaching the next generation of hackers a way to think. If you spend any time in the field, you realize there's the mentality, the mindset, how to hack, skill set, innate skill, and then there's the professional hackers. I liken this to, let's say you're an artist and you create when you want to. Or you're a professional artist, like maybe working for a company, and you have to be creative day after day after day. And DEF CON is all about the people who are creative when they want to, and Black Hat was the transition, so now I have a day job and want to be professionally creative.
So I want to do Black Hat to keep up and learn my skills, and I want to go to DEF CON for the creative energy. That's why the two existed so well together. They're just different. But the people generally started in one and migrated to the other.

Host: There is a little bit of subversiveness in DEF CON.

Guest: Has to be. That's part of the anti-authoritarian. Hackers are told, you can't do that. That's not possible, we don't believe you. The voting machines are totally secure. It takes almost a certain amount of rebellious nature to say, I think I can break into the voting machines, your cell phone network has problems. There is a problem here. So it just turns out the people that are good at speaking truth to power tend to be a little bit rebellious. The other thing you realize is, companies aren't really telling you what the problems are, and the governments aren't telling you what the problems are, and the criminals for sure aren't telling you how they're breaking in. So it really comes down to these hackers and academics to really tell you what is possible. When a hacker started messing remotely with an implantable medical device, the manufacturer said that's not possible. And only when the hacker demonstrated it at a distance did the manufacturer say, okay, now we'll listen to you. Well, okay, was that subversive? He was messing with technology that could have a negative impact, or a public good, because now consumers know, don't buy that model. Put the FDA on notice that they should really be testing for these things. Because there's a whole generation of medical devices that are not safe. So, maybe the FDA doesn't like it, but this pointed out maybe they're not doing their job as well as they could. You never make anybody happy when you point out problems, but since they're doing this creatively, not professionally, they don't care. They're just doing it because it's there and they want to prove a point.

Host: Where did the names come from?

Guest: People get Black Hat confused.
We're not a bunch of black hat criminals. It's the Black Hat Briefings, and we are teaching you what the black hats are up to. What the bad guys are doing and how to prepare. It's just gotten shortened down to Black Hat. And it turns out all these hackers and academics are sort of a crystal ball. You talk to your friends and your hackers and say, what are you working on? I think I found this little edge case with routing. If it's interesting to them, it's a problem six or nine months in the future for everybody else. Sort of like the canary in the coal mine. The internet of things would be a problem, years ago. Now it's a problem. So companies who wanted to sort of get a head start on what the future problems would be, or maybe a new product category, learn what the hackers say is the problem, and then we'll build a product and sell it. People come for different reasons, and now we're seeing more and more government appearances, regulators. DEF CON was started because everything was online, bulletin boards, no internet or IRC, and it was just meant to put a face to a name. And there was so much misinformation in the early days. There was no sense of a factual well where you could go in and learn the truth, no Amazon or Google, and so everything was word of mouth, and there was so much misinformation. There was this one: if I put a disclaimer on my bulletin board that says no undercover agents are allowed, it's entrapment if they sign in. And we would think, that doesn't make sense. Law enforcement won't... that doesn't quite sound right. The first DEF CON we had a prosecutor come and speak. And then we had somebody who was a lawyer talk about what the liabilities are if you're trained through virtual reality, but you're taught a mistake, and then in reality you exercise the mistake, who is liable? Your employer for not training you right? The VR manufacturer? And so we were looking at these issues a long time ago.
And so it became known as DEF CON. One, I'm from Seattle, my favorite movie, War Games, the main character is from Seattle. And in that movie DEFCON plays a big role. Also in the early days, I was a phone phreaker, and the number 3 key on your telephone is the DEF key, and also at the same time I was living with a hip-hop producer who was producing rap, and so one day I'm talking about this hacker convention, and the hip-hop guys don't know about hacking, but as I'm describing the party, one says, that sounds def. That it will be a DEF CON. I'm like, DEF CON, War Games, all came together perfectly, and so it's DEF CON.

Host: What's a phone phreaker?

Guest: So phone phreaks are, in the early days there were hackers and phreakers, and then also crackers. And the phone phreakers were the telephone network. So the most famous example of this would be Steve Wozniak, Bill Gates, would allow you to make free phone calls and explore the phone network. Back in the day the phone network was the largest network in the world. If you wanted to explore, you were a phone phreaker exploring that network, hackers were exploring the X.25 networks, the precursor to the internet, and crackers specialized in removing copy protection. If you bought a game and couldn't copy it, crackers learned how the game was protected, reverse engineered the protection mechanisms, and got around them. So, that was the three main communities, and they each had a different interest. Telecommunications, software, and protection. Now the line is completely blurred. Then as time went on, and criminals entered, now there's money, it wasn't just a game or, I mean, a sense of exploration and joy of discovery, it became money. And so criminals came in and they borrowed techniques from anywhere they could. They used to try to recruit hackers in the '90s and 2000s. Now the organized criminals send people to college and universities.
They make a lot of money from these malware campaigns, but they would pay real money, they have giant research and development budgets. They don't need the hacking community anymore. They don't leech off of us anymore. We're trying to figure out what they're doing. Because they're doing this as a full-time, money-making enterprise, and they put in a lot of resources. And so I think what is going on now is the press didn't know how to explain the criminals' use of technology, so they borrowed the term hacker, which was really describing a skill set, and then used that to describe criminals using computers. But instead of saying the computer criminals broke into the bank, they say the hackers broke into the bank, and that caused a schism where good hackers would refer to ourselves as hackers, but to the outside world we were security professionals, because it was too confusing to have a long discussion about the moral discussion about what a hacker is and isn't. Just say it's a skill set that can be used for good or bad, just like you can have a criminal plumber or a great plumber. The skill set is the plumbing, the hacking. The motivation is what differs.

Host: Is that where you get into the white hat hackers and the...

Guest: That was an attempt to try to describe motivation. For a while they tried to change it. They wanted to say criminal hackers were going to be called spiders. Then the World Wide Web was invented and you can't have spiders on the web. Then we called them crackers, and the cracking community said, we're not, and we're not breaking into things like that. So, then it became colors of your hat, like old westerns. You could always tell who the good guys were by the color of their hat. That's how it came about. Now you're an ethical hacker. It's muddied. Just stick with criminal and not criminal.

Host: Who attends this? How many?

Guest: So for Black Hat, it's hard to say, but probably around 15,000 people.
It's a long program, so there's training over the weekends and then the main conference. Some people come for training, some for the conference, and some for the whole week. DEF CON, 20,000. For Black Hat you preregister, corporate experience, it's expensive. But DEF CON, it's all cash, pay at the door, there's no record, there's nothing to seize, nothing to FOIA, no credit card records to subpoena. It's optimized for speed of registering people and not being an attractive target for law enforcement.

Host: Jeff Moss, when we told people at C-SPAN we were coming out here, oh, turn off your phone, don't use a money machine. Avoid anything electronic when you're down there. Is that true?

Guest: To some extent. The myth is that it's super hostile, but you have to remember now it's pretty hostile everywhere. It used to be just hostile during DEF CON and Black Hat. Now every airport seems to have a fake cell tower operating, fake wifi catcher, because if you steal somebody's login, why not at the business lounge at the international airport? That's where the high value targets are. So if you monitor your wifi signal you'll see fake stations, Amtrak station, DC has a fake cell tower. This is the way that it is. If you're a criminal and you can build a backpack to intercept information and just leave the backpack plugged in somewhere, that's so much more low risk than trying to rob a bank. So, of course rational bad guys will try to. Then you also have hackers who want to test things out. They know it's a free for all here in Vegas during this week: fake cell towers set up, people trying to detect the towers. The law enforcement trying to detect the people who are trying to set up the towers. Foreign intelligence with our intelligence chasing them around. One year, we had a film documentary crew from France. Turned out they were French Foreign Legion, which means they were intelligence, trying to identify who all the people are that they cared about.
Then we had our own intelligence, we found out later, that was following around their intelligence. Then I'm sure there was just so many layers that over the years, I've learned not to really be surprised by anything. But it's a fascinating glimpse of sort of behind the curtain. How does the technology work? How do the governments work behind the curtain? What do other governments decide? I was at a DEF CON once and somebody came up to me at the end of the convention and said, I want to introduce myself, I'm with the Defense Intelligence Agency. What are you doing here? Aren't you supposed to count tanks in Europe, or monitor the collapse of the Soviet Union? What are you doing here at a hacking convention? He said, I'm trying to figure out if countries are trying to recruit our hackers. Well, okay, that sounds important, but how? There's a room here with 500 people in it. You can't be in the middle of all those conversations. How do you know who is trying to do what? It's actually pretty interesting. I lean up against this wall and I watch for other people that are watching. And I pay attention to the watchers. Oh, fascinating. So it's just, every year I love learning how the world works.

Host: Have you had the head of the NSA, Mike Rogers, out here?

Guest: No. The director before him.

Host: Oh, okay.

Guest: Keith Alexander.

Host: That's right.

Guest: That was fascinating. Years in the making.

Host: Took you years to get him out here?

Guest: Not him, but the position. We have tried for years. We have gotten people from the DoD and other people, but not the director of the NSA, and it just happened that it was right around, right before the Snowden revelations. So it was at the very peak of good will between sort of the hacking community and law enforcement and the intelligence, and then after that, it's been just downhill.

Host: Why?

Guest: I think a couple of reasons.
One was there was a sense that we were all working together; that we were all trying to make the world a better place, trying to protect networks, figure out what the bad guys were doing, have fun while we're doing it, and the intelligence folks had a bit of mystique, but we knew they were using the same technology we were using. It wasn't alien technology. Just they were using it differently. So we could sort of relate. We had the same sort of problems in setting up and managing the technology. And over the years, whether it was DHS or FBI, NCIS, they were just genuinely interested in what the hackers were doing, and we were interested in them, and we were sort of becoming friends. Then the Snowden revelations, there was a lot of, hmm, you never really let on that you were monitoring the citizens so severely. That was never... even the hackers and security people felt that was too extreme, whether it was because the government oversight was lacking and they were doing everything they could legally and maintain it wasn't their fault. Whatever, however you want to ascribe whose fault it was, a lot of people felt the trust was betrayed. I was telling you something in confidence and it ended up over here doing something else. That's not why I told you about this bug. I told you about this bug to try to protect government systems, not to go do something else. So, there's been a huge cooling off period. Then that next year I basically asked the feds, please don't show up. Not that they weren't welcome, but there would be a lot of drama if they showed up. A lot of angry people. Didn't want somebody throwing water, fighting, screaming. I didn't want a scene. Tensions were very hot back then. Since then people have cooled off. The parts of government that are engaging we have here, the FCC, the FTC, some people from DHS, trying to do some stuff on the smuggling. So we get like the good parts, I would say, the noncontroversial parts.
FTC trying to stop robo dialing, make home routers more secure. Things that everybody can identify with. And so I think DHS was talking about US-CERT and outreach to companies and building information-sharing networks to help learn what bad guys are doing. We can get behind that. But it will be a while before the intelligence agencies are going to convince the hackers that they're, I wouldn't say not impartial, but that they've got all their cards on the table. That's just the way it is. Some of the intelligence community people say we prefer it this way. There was getting to be too much light on us. I think it will be like a pendulum.

Host: Would you like to have Anonymous out here?

Guest: They're here all the time. Anonymous is anonymous. You don't know. There's a hundred Anonymous people there, there's organized crime people and intelligence people. That's the interesting thing out here, is there's a lot of law enforcement presence from a lot of countries here learning, and also a lot of other people here learning. Academics, writers, and people who want to make movies about this. So we created this melting pot of like-minded people, and in the early days, Vegas was this filter. We're not near anything, not in the middle of San Francisco or New York City. You have to get on an airplane and fly to Vegas in the summer. So, it was this natural filter of, you only came here if you were really interested in this stuff. You just didn't hop on a train and come down from D.C. to New York. We had a really good formative year of people who cared about this, and I think that became the core for the conventions now. Now a lot more people come. It seems people say professionally they have to come because it's such a big event. I remember when it went from network security people to telecom, and then marketers had to show up because their customers were here, and then it just kept growing and growing and growing.
But at its heart, its core, are these technologists and hackers trying to figure out how the technology works and what to do about it. I think that's the... as long as you can keep that, the heart of the conferences will keep beating.

Host: Are you glad it's growing?

Guest: Yes. I love the growth, but I hate the growth. I'm conflicted. When I started DEF CON, there were about two other hacker conferences I knew about in the United States, and they were invite only, and I wasn't invited. And I could get an invite, but I couldn't get there because I was in Atlanta. I decided if I'm doing a conference it's going to be open to everybody, not invite only, and that led to a bunch of problems. So if it's invite only and you're not taking registration, how many people are going to show up? I don't know. How do you plan for something when you don't know how many people are going to show up? Kind of work it out. If you don't know who is showing up, what's to prevent 100 law enforcement people from showing up, or one crowd from showing up? You can't control the demographic. And on the other hand, like I said, well, they're interested, they care enough to show up. So maybe they'll be an addition, they'll add, contribute. That's how it's worked out. We went from 100 people the first year to 25,000 this year, and people will say the conference has changed. It has changed. It's bigger. But also reflecting the changing demographic. More women are involved, more artists are involved. More foreigners are involved. More large enterprise. It's just in the early days we were hacking on one or three technologies. Now there's 100 technologies. You couldn't get there without the growing, and some hacking conferences are still invite only and stay small and elite, social networking talks, and there's absolutely a place for that. But consciously when I started, it wasn't going to be that elitist. Would let anybody show up. So I have to live with the consequences. It's really a fork in the road.
Control attendance or keep an open-door policy.

Host: When did you start hacking?

Guest: Probably when I was 12 or 13 maybe. Depends on how you define hacking. I didn't think I was a hacker back then until I was probably about 14 or 15. But in hindsight, I probably was.

Host: Where...?

Guest: It was copying games, reverse engineering protection, fiddling with my computer. In the truest sense of the word, hacking, not the subverting computer protections. It was more about overclocking your CPU to make it go faster, trying to get more out of your IBM PC, and then later in life I was more into phone phreaking, and then met hackers. I caught a hacker breaking into my bulletin board system, and when I caught him, I was like, aha, I don't know what you're doing, but you're doing something. And he said, okay, yeah, you caught me. I'll explain what I'm doing. And then started this relationship. This is how I get around your protection. Do this, and then I changed the program to do that. Then as soon as it's explained to me in that simple way, it turned on a light bulb, it was like, of course you can do that. Never thought I could get around the limits by lying to the system and changing one number and uploading it. That changed... there was like before that moment and after that moment. Before, technology just kind of worked and everything was beautiful, and after that it's like question every assumption, because these computers are clearly not doing what I thought they were doing.

Host: Did you ever get in trouble?

Guest: No, never got in trouble. You have to remember, back then, there were almost no laws against any hacking. Completely different than today. Today I'm worried for the current generation, because there are federal sentencing minimums, the sentencing guidelines. You could download and run automated tools and get more jail time than driving drunk and killing someone. The sentencing guidelines are crazy.
And so you see this sometimes where people say, I want to be in Anonymous, I want to participate in civil disobedience, so I'll download this tool and get the evil bank. Then the guy gets arrested, he has a felony conviction now and is in jail for a number of years. So, his future employment options are destroyed. His life is over. For participating with an online DoS that lasted maybe 30 minutes. I'm not saying it's right or legal, but the punishment is completely disproportional to the harm. That didn't exist when I was a kid. Back then, one, because there wasn't anything online that you could harm. There wasn't a bank online. But also the mentality in the early days was look but don't touch. It all came from the ham radio operators, which was you can listen in to people's wireless phone calls. Whatever you hear wirelessly, that's legal. But if you act on it, then that becomes illegal. This is actually an FCC law. If you hear somebody say I'm leaving my house and leaving the cash on the counter, and you go to his house and steal the cash, it's an additional crime because you heard it and acted on it. This early ethos was, if you break into a network, don't modify anything, don't upload, don't break. You're an explorer. And so I think some of the old-school hackers think that way, and the problem is the Computer Fraud and Abuse Act now really treats just even looking as a crime. But with some really bizarre results. The law was created in the late '80s, early '90s, so much it's all predicated on this concept of permission. If you run a bulletin board, you're permitting me to log in, but not permission to break in. If you read that law, anytime you connect to a web site you're not getting permission. So we all break the law. There's a lot... this is what tripped up Aaron Swartz, his downloading of legal documents that he had permission to download.
They just claimed, we didn't give you permission to download all of them, we meant to give you permission to download a few at a time. He took that permission to mean I'll just automate it and download everything, then was charged with the Computer Fraud and Abuse Act, and an overzealous prosecutor was going to give him the maximum and lock him up, and he committed suicide over it. Downloading documents, maximum sentences. Problems still working through the communities and society, and these changes in technologies are what is forcing this issue, and a lot of the people forcing the issue, intentionally or unintentionally, are the people at the conferences, because they're at the forefront, pushing the technology. So a lot of times you run into the law in a way the law never intended.

Host: Besides you on the convention floor, who else will be a rock star that folks attend to see?

Guest: I don't like the term rock star. There's a lot of people. As a community we have done a really good job of trying to mentor the next generation, and there are some rock stars, you know, that love to put on a show. One of the greatest was Barnaby Jack himself, famous for hacking an ATM machine on stage, and with such showmanship. His hack made it spit bills out on stage. This is when the ATM makers said it wasn't possible. So he wanted to do it in the biggest, most spectacular way. A celebration. Spent nine months, his whole living room was full of ATM machines. Took him a year of hard work and it all culminated on stage in 40 minutes. A lot of that. I've been working on this two years and I'm going to give my talk here and it's going to come out in minutes. My years of effort. So when you see what you see on stage you have to respect all the work done before, and all the other people that made it possible. Everybody here is standing on the shoulders of giants, people who have done research, bit by bit by bit. Nobody here just invented it. It's like a musician.
You're always on the shoulders of those before you. Some people are more famous than others because their hacks have been more widespread. Like Charlie Miller or Chris, famous for hacking smart cars. They just did it in a spectacular fashion and did a lot of work. Remember him trying to get warranty service on his car after disassembling the dashboard? What happened to this car? Oh, nothing. There's a lot of people, and a lot of women are really getting involved, and I find that the most interesting. It's a tech community and hacking community. We're just not good at bringing in other ethnicities and genders, for a number of reasons. I think 11 percent of the attendees are women, that's a percent or two higher than the tech industry. But a lot lower than any other industries. When you think about why is that? Well, in the security field, you're pretty much on call 24 hours a day. Something goes wrong, you're generally to blame. If you're doing defense in security, you don't get a reward when you kept the hacker out, because you don't know when you kept the hacker out. So it's almost sort of thankless. Like trying to prove a negative. You're a salesperson, you immediately know when you made a sale. Your reward is instant and the company is helped because you just sold more product. In security you don't get those kinds of feedback, and so I don't think a lot of people, when you're in college and you're evaluating, where do you want to go? Security maybe? But if you really delve into it, the first years are brutal. Sometimes a pretty thankless job.

Host: Jeff Moss, what threats are here today that weren't here five or ten years ago?

Guest: A lot of new threats, and it reflects the amount of technology we're bringing into our home. Three years ago I didn't have to worry about the FBI or a bad guy trying to access my dialogue with my Siri or my Alexa. Now the FBI is subpoenaing Alexa conversations.
That's the way of life now. Technology is your spy. Maybe not the FBI, but you're in a bad lawsuit, divorce, and maybe your wife or husband subpoenas the documents for discovery to try to prove you're cheating. That's not what the technology was there for, but that's what it's used for. We have gotten smart smoke detectors and smart thermostats and internet connected toasters, and okay. When is the last time you updated your cell phone? Probably in the last two years. When was the last time you changed your smoke detector? Probably never. So these devices are going to be in our house for five or ten years. They're not going to be updated. They're going to be insecure. They're going to be connected to the internet. So, what we're seeing is just the beginning of a tidal wave of insecure pervasive technologies, and a lot of times the cost of replacing, getting the ladder up and changing the smoke detector, for the company is greater than the cost of the smoke detector. The physical labor in deploying. And we have a lot of risks we don't understand. We don't accept the risks yet because we don't understand them. The smart car that's giving telemetry: go to Ford and ask them, what information about me are you sharing with advertisers? They're not going to tell you that. But you have a lot of risks, whether it's personal, or against a lawsuit, or financial, or behavioral, or you're being placed in a bubble, almost a perfect marketing bubble, if technology keeps going this way, where you'll see articles you kind of want to see. You'll get the radio songs you like, but you're never really going to be exposed to anything new. Microtargeted advertisement in the mail you get will be targeted based on your behavior, and you'll slowly find yourself being put into a bubble of your own choosing based on your behaviors. Behaviors of the people you talk to.
The famous example is you talk about, I wish I could go to Hawaii, and the next thing you know you're getting advertisements for cheap air fare to Hawaii. That's simple. Imagine when it's pervasive. Leave your wifi on your phone, go to the supermarket, they track that. They know wherever you have been in a supermarket. How long you stood in front of the Pringles, and determining maybe we need to change the lineup. Everybody goes to the Pringles aisle, but nobody buys. Let's change how we show the product. Now they know your Pringles, they share that with the next one and they monetize that, and this is all initially for totally legitimate purposes, less food wastage in the supermarket. At the end, the profile they build about you is amazing. So, that is what is happening in the background that we don't realize is occurring, and a lot of times maybe we should just have a conversation about it. Just talk about that. Instead it's happening to us. And I think that's another thing that's going to present itself in some really bizarre ways ten years from now. Imagine a presidential election 20 years in the future when all of this demographic information is available about the candidates. If you think about it now, if you were malicious, and you happened to work at Uber maybe, and you had access to Uber data, you could probably tell where all your senators and representatives were driving to, and probably figure out where all the lobbyists were driving to, and figure out who is meeting with who, where and when, and figure out who is cheating on whose wife where. Just between your cell phone location data and your Uber, you could uncover a lot of meetings that were supposed to be uncovered. And nobody really realizes this. And it's just, there's a tradeoff, I guess. Hackers are maybe more conscious of the tradeoff, but there's a tradeoff between usability and convenience and privacy and some security.
We're making the tradeoff for usability and ease of use, but not doing it consciously. We're not accepting there's a tradeoff. You know when you drive over 60 or 80 or 90 and your steering wheel is shaking, you say it's a tradeoff. It's exciting, but I know I'm at the edge. With technology, your mouse doesn't vibrate. Your phone doesn't get hotter. You don't know when you're doing anything risky online, and you don't know where the limits are. You just kind of blow through them all, not realizing. When you do do something risky online and it comes to bite you in the ass, it's impossible for you to tell what the bad behavior was, because maybe your credit score is now down a little bit. Maybe your credit card has been stolen. Was that from something I did last week, last month, last year, and what was the actual bad behavior that harmed me? You can't figure it out. So you can never create this loop, unlike when you're driving fast, the steering wheel shakes and you realize you're going too fast. There's no feedback loop online. How do you make an informed decision? Tough.

Host: How do you personally protect yourself on your own devices?

Guest: I'm a big believer in simplification. I just don't have any apps installed.

Host: Do you Uber?

Guest: No.

Host: Because...?

Guest: Why do they need to track me when I'm not calling for a car? Apple has been making really good progress about not allowing apps to geolocate when you're not using the app. Just because I like LinkedIn doesn't mean I want them to track me where I go and tell me when I'm near another LinkedIn user. That was a big change. I just use it from a PC, not on my mobile device, and that's inconvenient, but I've decided to make that tradeoff, that I don't need my every single whereabouts reported and sold and monetized. And it is a pain. But I'm getting a little bit less footprint. I'm not getting the big bubble around me. I'm not getting the targeted advertising. I block all the ads I can.
Sometimes there are certain websites I can't go to. I can't go to Fox News anonymously because they block the anonymous browser. So I don't go to Fox News. I go to another browser. I think I'm getting more out of it than I'm losing in the bargain.
Host: Do you use wifi?
Guest: Yes, but I own a VPN. I'm not trusting the hotel's wifi. It's just an onramp. People are big on VPN services. With this net neutrality deregulation coming up, a lot of ISPs, whether they do or don't, legally now will be in a much better position if they want to watch your traffic, see what you're doing, and then inject advertising into the web pages you go to, or just passively watch the websites you go to and then sell that as marketing information. Now you're at home browsing your favorite sports team and you're getting more sports advertising. You didn't tell anybody you liked that team, but maybe your ISP now is trying to figure it out. Never mind you're paying your ISP 50 bucks a month. They're trying to make an extra 30 cents off you. That's the stuff that drives me crazy. So I'll find a way to bypass my local ISP. I'll use a VPN. I'll pop out in somebody else's ISP. That ISP doesn't know who I am; they don't know my address or things about me. So, yes, they know now that's a VPN user that looks at a sports team, but they can't tie that back to me. My own ISP, because they're local to me, can. And it's like they talk about the last mile of broadband. I'm trying to get one mile away from my ISP, because they're in the position to watch everything I do and try to monetize it.
Host: Have Julian Assange or Edward Snowden ever spoken at this convention?
Guest: No.
Host: Would you want to have them on?
Guest: We keep thinking about inviting them, but I don't think so, for a couple of reasons. One, stealing secrets and releasing them doesn't make you a hacker. A lot of people can steal things and release them to the press, and that doesn't make you a hacker.
It might be interesting, definitely, I'd buy you a beer and listen to your stories, but that doesn't mean... what are you going to tell the hackers? "And then I used the photocopier and then I went to the press." Okay, we already figured that out. So it's unclear what... they've spoken at every venue they can possibly speak at, they're world famous, and they're not revealing anything new. So there's a lot of people that really feel that was a violation of trust. There were other avenues of revealing what Snowden could have revealed, but he didn't. So super controversial, nothing new technically, so give the stage to somebody else that's doing something.
Host: Jeff, often at a convention one or two themes emerge. We've attended several times and there always seems to be a theme.
Guest: Yes.
Host: We have been hearing the terms social engineering, liability. Are there any themes developing at this early stage?
Guest: You're right about liability. I've been speaking about liability for years, and I try to couch it like this. If you have a car, a smart car, and something goes wrong and you crash, there's liability. Tesla or whoever will be liable. But if you make a big database piece of software and it sits in the server room and crashes and you lose millions of dollars in your company, there's no liability. So what is the difference? One is a data center on wheels, one is a data center sitting stationary. One has liability and the other doesn't, but they're just software. At some point the competitive disadvantage... Oracle gets a free pass because they have a software shrink-wrap license; Tesla doesn't get a pass because they're life safety, they have a person in the vehicle, but at some point the data that is on that Oracle server is affecting lives. And so to say that one gets no liability and one does, that doesn't make sense. So I think what you'll see is a lot of pressure from the companies using software that have liability to make the whole industry have some sort of liability.
The other thing is with the internet of things: as soon as that toaster burns down a house, kills someone, there's going to be liability. Right now, you can say, well, the only thing running software is my game console, my phone, my TV. When it's running your whole house and something goes wrong, you're going to be impacting not technologists or geeks. You're going to be impacting the average consumers that aren't interested in the whole back story of why their toaster burned down the house. They just want a toaster that works. And you're going to get liability. And the industry has been resistant, and if they don't self-regulate, it's like every other industry: government will fix it for you. So we're in this period, about the next five or ten years, where this industry can figure out a way of warranties or guarantees, or some sort of liability protections. If they don't figure it out, the government is going to come and do it and you won't like the results. I'm not going to like the results. But there's no other avenue. It's going to be so critical to the country they're not going to let there be no liabilities.
Host: Do companies come here and recruit?
Guest: Oh, yeah, extensive recruiting. Everybody recruits here. People come here looking to change jobs. They're all looking for a new challenge. You tend to find people sticking to jobs three or four years and then looking for new green fields. I'd say especially if they want to do something new: a lot of smart car companies, space is getting interesting, people are trying to get to SpaceX or Blue Origin or other companies. There's always something new going on. I mentioned medical devices. A lot of action in that area. Then you also have these sort of black boxes. Algorithms, machine learning algorithms, trying to determine based on your behavior what time you wake up and go to sleep and what your smart refrigerator is dispensing and when you're driving.
Insurance companies are trying to figure out ways to calculate new actuarial tables to save money on insurance, and they have all this data about you. So it's a really innovative time; whether you like it or not, we're in the golden age of data and it's going to impact everything about us. You asked earlier a question about themes. Another theme that I didn't think would be so popular is there's voting machine hacking at DEF CON this year, and a couple of years ago I started a village called the tamper-evident village. When you have the evidence bag and it's in the evidence folder, I kept thinking, you have to be able to get around the evidence folder, somebody has to be able to tamper with that. There's the money bag, or on your electricity meter you see a little grommet that looks very Roman, like a seal. A wax seal. I figured, how hard is it to get around these? I don't know, but I bet the hackers do. So I started a village on how to get past seals, and nobody was doing that before, and now that's a common thing. There's a whole body of knowledge around how to defeat the tamper-evident stickers and seals. So I thought, voting machines are in the news, and I'm sure people have been beating these things up because you can find them on eBay, and people have been talking about them since Bush-Gore. There is nothing known. So I was like, I don't know anything about these either, but I bet I can buy some on eBay and invite the hackers in. So this year we have all these voting machines, county commissioners, election officials, people from DHS; it's turning into a crazy assemblage of anybody remotely interested in hacking on voting machines, and the more you learn about them the more scary it becomes. There's a bit of excitement in that area because it wasn't done last year and it's new this year.
Host: You have a BA degree in criminal justice from Gonzaga.
Guest: From the first graduating class in criminal justice at Gonzaga, yeah. I thought I would be an FBI agent because in high school they have career day. We were getting all these speakers, and an FBI agent told this incredible story about chasing these bad guys that was just unbelievable, and when I saw that, I thought that's what I want to do. Didn't know any better at the time. And I went to college and then I took a bunch of computer science classes, and I never really knew what I wanted to do, but I was really enjoying sociology and psychology and criminal justice classes. When I graduated it was during the federal hiring freeze in the Clinton administration, so they couldn't hire. The only law enforcement hiring was the FBI. That's perfect. That's what I want to do. So I type up my 20-page application and I send it in, and crickets, nothing. And I called them up and they said, we lost that. Can you file that again? I thought, this is my secret way to compare my results from my first application and the second one. I send it in again. And about a week later, two weeks later, I get a call. Special Agent in Charge Murphy. Start talking to Special Agent Murphy. He's like, tell me about your visions. Well, I want to help people. I'm interested in... No, no, your eyesight, what's your vision? I'm like, oh, okay. Well, it's 20/20 in one eye and 20/60 or 30/60 in the other eye. I'm not corrected. That's not good enough. Sorry. Okay, sorry, goodbye, and that was it. Out of the FBI. No career chance. Six years later I run into an FBI agent at a party. I tell him that story, he says that's totally false. He didn't want to process your paperwork; you should have caught on to that because the first time it was lost. I didn't know these tricks. If you had applied to the office in Salt you would be fine, but since you applied through Spokane they didn't want to deal with your paperwork. So one little decision and my whole life.
Host: Where did you grow up?
Guest: The Bay Area.
Host: Were your parents in tech?
Guest: Teachers.
I'm the only business person; everybody else is an academic in my family. I have the weird business stories and they have the weird academic stories.
Host: How many hours a day do you spend in front of a screen, a laptop or...
Guest: I do everything. I found in tech, as I progressed in my career, I do more advisory work, I do less hands-on, just the nature of it. And so for me to stay connected, to feel I'm not a sham or have the impostor syndrome or feel I'm disconnected from my hacking roots, I maintain all the DEF CON servers and update servers, and I spend a fair amount of time protecting our network from other people hacking. It's enjoyment and a huge pain in the ass, but you have to do it to stay current. I spend a fair amount of time in front of screens, on servers, and more on mobile now than on my laptop because email I can do quickly, but when you're working on servers you need five screens and a lot of screen real estate.
Host: Has Black Hat been hacked? Would that be a badge of honor?
Guest: Oh, yeah. People definitely come after us for sure. DEF CON was hacked a couple of times. Another hacker buddy saved his exploit for nine months, waited until the con started, defaced the website that was being hosted by a friend's server that didn't have the right updates, and they made a big tongue-in-cheek, hahaha fun thing. So that's when I took over, and ever since then I run our own servers and we haven't been broken into as far as I know. That's when I decided I'm not letting anybody else run this stuff.
Host: Does this world make you paranoid? In the sense...
Guest: I wouldn't say paranoid, because it's based on fact. The problem... what's the saying? You're not paranoid if they really are out to get you. When you're getting threats and people posting challenges online and rewards for breaking into your site, you know they're out there. Yesterday I tweeted, somebody was trying to break into my Twitter account and I kept getting Twitter reset messages.
Whoever is trying to break into my Twitter account, please stop. I need my Twitter account for the next week or so. Maybe afterward. And they stopped. And so you just don't call it paranoia if they're really after you. I think the paranoia comes in when people ascribe too much importance maybe to what they're doing. The NSA is not going to task the $50 million satellite to spy on you going to the supermarket when the local cop can just follow you there. That is a level of disconnect that would be sort of paranoia. If you're being a criminal, don't be surprised if law enforcement is after you. Just because law enforcement is after you doesn't mean the CIA is mobilizing a whole division to come after you. That's a little crazy. There's a lot of that going on. A sense of over-importance. It's a weird situation because let's say you are a hacker and you're starting to do something in the gray area, maybe starting to do something that could be criminal. People always say, well, they're not coming after you. I'm not doing anything. Well, okay, but they don't know you're not doing anything. Law enforcement only knows you're not doing anything after they've looked at you. They don't have some magical prescience where they say that person is not doing anything, let's not look at them. Sometimes people feel it's unfair, they subpoenaed me or there was a... but look at how you were behaving, look at who your friends were. The only way to know if you're a bad guy is if they go in there and stir the pot and watch for a reaction. Don't be surprised. That was how law enforcement would catch people. Go in, stir the pot, they would bust one person, watch what everybody else did in response, and then they'd roll everybody up. It's not rocket science. You see what's going on now in law enforcement. Just a big dark market bust where the police had one dark market infiltrated, bugged another one, watched everybody migrate to the one they controlled now, and gathered all those people's information.
Just basic law enforcement tactics. I don't know where I got off on that route. The paranoia question.
Host: Do you presume that everything that you put out there and everything on your phone is public?
Guest: You have to. I take a lot of precautions to make sure I'm protected as best I can, but I'm not surprised if one of my conversations comes back at me, even though I think it was protected. I had a CEO, when I was chief security officer at ICANN, and it was a high-profile job and our CEO was targeted, and he said, every time I write an email I'm writing for three audiences: for who I'm sending the email to, I'm writing for the foreign nation states spying on me, and for the congressional inquiry if I ever have to testify. That's the job of the CEO. High-profile international company.
Host: What kind of consulting work did you do at DHS?
Guest: I'm still involved. I'm on the Homeland Security Advisory Committee. There are about 40 of us and we advise the secretary on whatever the secretary wants. So in the past, it's been on how does the department accelerate their cyber skills, develop the talent in their workforce. Resiliency in government for DHS. We just passed on countering violent extremism and returning foreign fighters, Americans who might have left the country and come back in. How to minimize that. Really we just wait for challenges that DHS may be facing and then we figure out tasks that might answer the questions and then go ahead and do that. I'm also involved in the Atlantic Council, which is bringing to DEF CON this year the congressional cyber caucus, so a bunch of representatives.
Host: At DEF CON.
Guest: Yes, the weekday and the timing that the caucus can travel out of congressional time is only on the weekend. ... Mandated to have a privacy officer. That should be the standard.
The privacy of their constituents, workers, citizens should be a factor in whatever legislation you propose, and it's not. We see in the internet age that personal information... They make as much money selling demographic data for the riders as it does for rides. The creator and founder of Black Hat and DEF CON. blinked back what did the secretary say was
