
There are also multiple capture-the-flag contests, which are basically red team, blue team, offense, defense: how do you hack something, how do you defend something, how do you get certain targeted treasure chests. And some of the level of skill in these competitions is what we normally say can only be done by nation states. And instead, you have hundreds and thousands of people who are engaging in these types of contests. I think that can satisfactorily bust a myth, that only a nation-state adversary is what we have to be worried about. When the tools and techniques are available to everybody, it is very, very easy to take advantage of them. We also had an IoT village, Internet of Things village. One of the highlights for me was that remote-controllable wheelchair. I don't know why you would want to remotely control a wheelchair, but somebody made this thing. And it was driving up and down the halls without anybody on it because somebody figured out how to gain access and control it and drive it around. I think that underscores some of the direction we're going in this whole completely connected world where now that we've got everything connected, it is everywhere accessible and therefore it can be controlled by anyone who has a little, small degree of technical skill and willingness to use that. There were at least two sitting congresspeople at DEFCON this year, two that I know of. In past years there have been more at that event. I think that underscores importance at least to some people in D.C., why they want to get engaged with this community. With that I will throw it over to Jay to talk about Black Hat and the challenge that DARPA ran. I'm curious, how many have been to the RSA information security conference? A fair amount, maybe a tenth of the room. Black Hat? DEFCON? RSA is very much an information security conference. There is a booth and they will shine your shoes and the money goes to charity. DEFCON is not an information security con, for instance.
It is a hacker conference. There the money will still go to charity. They won't shine your shoes and you get a mohawk. I didn't donate enough to charity because they kind of overdid me. This is about hacking, driven by curiosity, trying to understand the system, to figure out if you can make the system do what you want it to, even though it's not necessarily what the makers of that system originally intended it for. Hackers in hoodies, this is all people making mischief. There is that element to it. But there are a lot of people just fascinated by systems who want to try and get in and understand them. So Black Hat happens in the earlier part of the week, DEFCON in the later part of the week. BSides, the BSides conferences are there, on the flip side of some other cool conference. One of the biggest things I think came out of Black Hat was, we were very pleased because Apple came and they announced the bug bounty program. You might have followed this; this came up in the news the most in the last couple of months with the FBI-Apple hack where the FBI wanted access to one of the Apple phones from the San Bernardino murderers. They ended up using a vulnerability they bought the use of, and it came out a lot that Apple was really the only big company left that did not have this, did not have a bounty, an amount of money they would pay if you were a security researcher and hacker; if you found a bug, they would list your name on the website, but that was it. They wouldn't offer you any kind of rewards or any amount of money. They have bug bounties up to 200,000. Some hackers were there that had been awarded one million points from United because they had found all these points on United. That is why United Airlines, the airlines, not the van lines, United Airlines said we will reward security researchers that find these bugs. The Commerce Department was there in force. And Alan Friedman of Commerce has been doing a great job pushing, trying to get out these vulnerability disclosure programs.
For me that was one of my big takeaways. You might have even seen that DOE started the Hack the Pentagon program for security researchers to try to find bugs in the Pentagon websites. Apparently it was a win to call it Hack the Pentagon, rather than some kind of bureaucratic name, you know, DoD Vulnerability Discovery Process, comma, Amateur. The, also really pleased, one of the things that came out, was, it was surprising to many of us in the community, got a lot of press, was Hackers for Hillary. There was an event on Wednesday. So from these conferences from the early days, we'll talk about this, especially DEFCON, so apolitical. You had a Spot the Fed conference, contest. If someone was there that was a fed, was maybe a federal agent trying to infiltrate the community, it was your job to try to spot them. More if you were there, as the fed, you would try to hide and not get spotted. Here you were, that was at DEFCON. Here you were out of this community and now you're having this political event and there were probably 30 people at the event co-hosted by Jeff Moss. He is known, Jeff Moss, our senior fellow. He is known out there as the Dark Tangent, founder of these conferences and co-hosting this event. So maybe 30 people and an equal number of journalists covering the event. Really caught a lot of people as, the maturation of the field, like all of a sudden now we matter. Now the, now the, we used to have to go to D.C. to testify, now they're coming to us. I have one or two other things. Maybe I hold off right there and just, I can comment on your Hackers for Hillary, the event. I think it shows, as you said, a maturation, mostly of the people that are attending these conferences. I mean, I started this back in my 20s. I'm in my 40s now. So there has been, people, DEFCON has gone on for 24 years. We're seeing a change in government attitudes towards hackers. 20 years ago it was nothing but FBI raids.
Now you have groups like Commerce, FDA, DoD reaching out, trying to bridge the gap and access knowledge and expertise, saying help us out. We're seeing a change from a completely adversarial relationship between government and the hacker community, and it is starting to thaw a little bit where there is cooperation. It hasn't completely thawed but it's getting there. Some of you know about the hacker history, when you testified in front of Congress in the '90s. In 1998, we testified in front of, I forget the name of the Senate committee, we made it a very distinct point only to use handles, our handles, in the official record. I'm in there; Senator John Glenn called me Space Rogue on the record. We did that because we were afraid of reprisals from other companies and other parts of government. So we made it a big point of only using our hacker handles. That has changed obviously. I now use my real name, Cris Thomas, but everybody calls me Space or Space Rogue, SR. That is sort of my identity and who I am. It shows a little bit of thawing in the relationship between government and hacker types. Lorrie is the lone fed on the panel. Spotted. Spotted the fed here. I'm wily. You were also participating in, were you on Meet the Fed? I was on the Meet the Fed panel. We used to do Spot the Fed where we would out feds. We invite feds to sit there and engage in productive conversation. Used to be too many feds. He brought them up on stage and you get a t-shirt. The fed has to have arrest powers and then you get a t-shirt. Then there were too many here. Jeff Moss is a fed. Jeff Moss is a fed. Tell us a little bit why you were out there from the government and why, what you found valuable about Meet the Fed? Yeah. So the FTC was out there. We actually brought our own fed t-shirts to wear so we were easily spottable. That was a cool t-shirt. We made special FTC DEFCON shirts. There is a secret code you can crack on them. I made it up myself. Is it ROT13? It is not ROT13.
We were out there because we wanted to do outreach to the hacker community and let people know what our agency does, and we're interested in hearing about research people are doing that can help us understand vulnerabilities, especially IoT systems, give us ideas about how we can protect consumers from scams, from fraud, and we wanted to make those connections. That's why we were there. So, in the spirit of creating your own clothing line, this wouldn't be bringing DEFCON to D.C. if we didn't have black hoodies for all of our panelists today. We have very special Atlantic Council exclusive hoodies for all the panelists. I will just hand these out. And then maybe we can hold them up and get a photo op. That's Jay. While he is doing that, Lorrie. If you go to Black Hat, RSA, you get a badge and it has your name, and you get a black hat. Because it is a hacker conference it can't be just that simple. They have every year now, not just a badge, it is a circuit. I believe this is an x86 board, and it has input, output, everything you need. There are badge competitions: what will this badge on me do, what can I do with it? They will actually get in and discover I/O ports and discover what the badge does. Let's hold our sweatshirts up. Hoodies. Not sweatshirts. Photo op. Thanks. I didn't have enough. You didn't have enough. Appreciate one more. Actually, go ahead. Hackers have more hoodies than the population? Like, my standard. Stereotype confirmed. It's a little chilly in my house. I like to keep the thermostat down. I keep a hoodie as daily driver behind the keyboard. You mentioned badges, Jay. I have several that I picked up there. From the car hacking village. Like the intel community. More badges than you have, obviously the cooler person that you are. That's right. So this is something that was created by security researchers and it's got a tool on the end here that plugs into your car. So this is the on-board diagnostics port of your car. Plugs right in.
You can start reading out the codes coming across your OBD2 port. This is one from the biohacking village. And this one will read near field communications. You can read implantable chips in your hand. I know you all have them. You can also read credit cards, the RFID credit cards, or passports. Passports. If you have a badge to get into your house or workplace, be careful if you get too close to me. I might be reading it. I could impersonate you, playing it back when I get to your home. This underpins so much of Black Hat and DEFCON. If you go to a normal information security conference they will have talks on how you can improve the business resilience of your company. These conferences, these Vegas Black Hats, we have the technological infrastructure around us, which we don't know how it works. We assume people are out there taking care of it. What is running out there? For years, a gathering of folks driven to understand the technological infrastructure and come out to try to figure out all the ways it is not secure. Now, and that is why it is so good to see the FCC and other govs out there, look, these people are figuring out how this stuff is completely insecure, much of it, and we better work as quickly as they're discovering things, and as we continue to spew out ever more of this technological stuff, or it will all end in tears. There is a great, someone tweeted out, here is what we do, here is how Las Vegas handles gambling machines. Covered all the controls that Las Vegas includes for gambling machines. If you as a player think the machine is fraudulent, talk to the inspector. There are rules. There is independent testing to make sure it is right. On election machines, voting machines, none of that is true. It is illegal to figure out how it works. There is not independent testing. There is not, the FCC has very limited powers compared to Vegas. It is easier to game an election machine than it is a gaming machine?
That did come up a lot, coming right out of the DNC hack, and I think there are a lot of us trying to call our attention to the election machines, because if the Russians were going to mess with elections, there are a lot more direct ways to do it. Interesting you bring up election machines. There is a DMCA exemption, Digital Millennium Copyright Act exemption, on election machines that I believe takes place this year after the elections. It allows researchers to look at systems to see if there are vulnerabilities in them without fear of prosecution. That is a big thing. A specific exemption went through the Copyright Office, Library of Congress, very difficult to get. I see a lot of researchers taking that up this year and looking at machines to see how vulnerable they are. There was an election machine simulator for people to come up and try hacking. I have been at Princeton University. Ed Felten did some research there on voting machines, and they still have the one there that is playing Pac-Man. This is the security level of our, certain devices, but actually Space had really good comments earlier today that I saw about what it would mean to make those critical infrastructure. Yeah, critical infrastructure. There was a comment or movement, not exactly sure where it came from, of making election computers, I think we should use the term computer as opposed to machine, election computers critical infrastructure. My opinion, that comes with a bed of baggage. For one thing we have seven industries labeled as critical infrastructure. We're getting to the point, gee, everything is critical infrastructure. If everything is, nothing is. We have organizations in place to look at these systems and certify them at the national level. NIST has an organization, I forget the name, voluntary Election Commission or something, that allows local governments, and I think a lot of people forget that local governments are in charge of elections. It is at the county level or city level.
That is how we have always run the elections for the last 240 years. Declaring them critical infrastructure kind of changes how we look at them historically. I don't want to rathole down this too much. I don't think there is any election computer hacking this year? I didn't see any at DEFCON other than by sample at Ed's booth. A lot of IoT hacking going on. Yes. Home devices. Had a couple of medical devices this year. Obviously cars. Did anybody go to the car hacking village? Yes, she was. The villages are like a conference within a conference. They have things people can go and explore on their own. It's interesting you bring up you were there to meet people and do outreach. You brought up earlier, the running joke, for me the biggest part of DEFCON or any of the other smaller conferences I go to is the hallway. When you hang out in the hallway and start talking to people. I get the most out of any of that from the hallway at any other conferences. I can watch the talks at home once they are recorded. Interacting with people I can only do at the conference. So for most of us we've been there several times out to Vegas to do that. Lorrie, I think it's your first time. Because most of the folks in the audience have not been, you can probably serve as the best bridge between D.C. and what is DEFCON. Why don't you tell us a little about what you observed as a first-time attendee at some of the conferences? Sure. I started the week at a kind of small conference and it is much more accessible because there are less than 3000 people. Still somewhat chaotic. I gave a keynote talk, so imagine a really big room. There are vendors with booths around the edge. In one corner people learning how to pick locks, and in another corner there are people who are hacking something, I don't know what. In the middle there's like the EFF booth. I was on the stage trying to talk to these people who were standing or sitting on the floor. That's how I gave the keynote talk.
But it was fun and I did do some audience participation. It was chaotic but a good experience of meeting people. I had never tried to pick a lock myself and I wandered over to that area and a volunteer rushed up to me and handed me a lock and showed me how to use it. It didn't take very long to find out how to pick locks. Watch out. And then I also did a career panel where they had a room where they were asking people about their careers and taking questions from the audience. I talked with them about the various careers I've had and took a lot of questions. It was fun. Then I went to Black Hat, and this is a very corporate, very polished event. You get name badges that had your name on them. Notice, there's no name on this badge. We are completely anonymous. The badge was like a poker chip. You have, Black Hat was very corporate, very, you know, lights, flashing lights. They have the sound of breaking glass thing when the speakers come on stage. There was a big vendor booth where everybody is handing out free t-shirts. I brought back a whole big bag of t-shirts for my kids. I don't have to go shopping for back to school. And then I went to DEFCON, and DEFCON is like 20,000 people. You don't get, you don't register in advance so there are a lot of lines to pay and to get into all the sessions. It's very chaotic but just so much creative energy. You see all these people all huddled together, looks like they're all soldering something. The contests were also really interesting. The challenge, it was, the Grand Challenge, teams have built computers to hack into other computers. The teams had nothing to do during the event. The computers were just going, but they had running commentary and visualizations to make it really exciting. So that was very interesting. The other point I want to mention is being there as a woman, there's only about 10 percent at these events. So it is kind of isolating.
For the most part I found it was a fairly comfortable environment, but there were still a few things going on, especially at DEFCON, that were uncomfortable being there as a woman. Going back quickly to the Cyber Grand Challenge. It always kind of seems, always, for the past week it seems like Garry Kasparov versus Deep Blue, IBM, and whether man or machine is the better hacker. Will Skynet be here and how many of us will be left at the end? It's crazy. Interesting, the winner of the Grand Challenge, a team that had a faculty member and other people associated with CMU, and the winning team is also from CMU and they actually played each other. The humans beat the machines this time but the machine did pretty well. Let me give some thoughts on the Cyber Grand Challenge. DARPA's idea of the Grand Challenge is what they said: we want to have, DEFCON has this capture the flag where we have a team of humans that will have a series of computers and they will have to defend that system and try to patch it as well as going out and trying to attack all the other human teams that are playing. So DARPA said can we do this autonomously, so that we've got, it ended up, the finalists, seven files of supercomputers that had to be built and programmed by these teams, basically a made-up operating system. A program that would pretend to be female and another one that would pretend to be one of the. The computers, the referees would release, here's some new code, and the computer, supercomputer, would have to keep the code running, spot any flaws in that code and then decide what was best to patch it, given the least loss to availability, and then when it found bugs, go out and try to hack the other teams that had not found them and patched it yet, trying to get the patch first or hack the other team first, until, I think, you know, it, technologically the challenge is a major step forward. I applaud DARPA for bringing that. Without this I don't think we would've ever seen that at DEFCON.
With that level of federal involvement at the show, I think the fact that they were able to bring it to DEFCON really shows how both groups are starting to come together and take advantage of each other. There were 600 or so vulnerabilities that they built in for the computers to find, and I think the computers found something like 350 or 400, found a bunch of bugs that the programmers didn't know were there, that the referees didn't even know were in the system, but the supercomputers found them. They included some famous bugs of history like the one that led to the Morris worm. These computers were finding and patching them in like five minutes. Speed, but also I think Mayhem was the name of the machine that won; then it competed in the human capture the flag and didn't do as well. Switch back to where's Skynet today, maybe next year. That's good. The theme of this year was the rise of the machines. Actually there's a big prize at the end of DEFCON for some of the best competitors, the best contests. They call it the black badge or the uber badge. If you get the chance, go look at the video of this thing, because it's made by a Hollywood stunt effects artist. It's a 3D badge, like it pops out and rolls around and looks at you funny. That's not as good as the award for the Cyber Grand Challenge. The team that won got 2 million. It was really pretty cool. But I don't think DARPA is going to do another Grand Challenge for autonomous computer security. I think it's too bad. I hope there's going to be another one of these because I think the lessons that came out are great. I would suspect it'll be picked up by an organization, maybe DEFCON itself, maybe not DARPA. There was a small contest that went on. They called it, that one was Schemaverse. I might butcher this but essentially you had to do database commands to play a space game and take over the universe. A lot of this was people manually doing database commands or scripting it so they could run 100 times.
The winner built an AI in SQL to be able to play this game and came out with I think 299 out of the 300 prizes. I think you're right. I think DEFCON will continue to be a place where we will see the rise of machines and the advent of AI. I just want to talk about the talks because I'm on the review board that picks the talks. We've got about 600 talks, maybe 650 talks, that were proposed this year. We had to whittle that down to I think 80 that made it through. There was a lot come, it's fun because you can see this and you know what the hackers are interested in and where people's attentions are going. There's a lot more Internet of Things that's coming in. And especially there's a lot in there on locks, about being allowed these smart locks that maybe Bluetooth, you get close and enter in your code on the phone and it will unlock. People being able to unlock those from half a mile away. A lot of these locks are not even using passwords or they're sending passwords in the clear. All you have to do is set up an antenna with modest knowledge and you can see these packets going by and you can now, and you can do this. The only good lock they tested, of 10 or 20, that actually had good cybersecurity had physical security so bad you could just pop it open with a screwdriver. We are still trying to get that balance right. Here it is, something designed for security. It's a freaking lock and they're still sending passwords in the clear. It wasn't trying to encrypt the passwords or any of that other stuff. Really incredible. Seeing a lot coming in on cars. There's a lot coming in on drones. A lot of stuff on drones I think is still a little bit gaming. But there's some interesting stuff in there. I saw one talk by a Chinese researcher on using GPS spoofing. He had real-time GPS spoofing to be able to throw off a drone and make it do what he wanted. That's why my Pokémon Go is malfunctioning. Exactly.
That was filled for commercial drones but again this is how Iran supposedly took down one of the US stealth drones a couple of years ago. If this thing come into GPS spoofing and starting to get so these are the ones the researcher can control it with a joystick, and there's also, just one last one on the cars I will mention. Another set of Chinese researchers doing really interesting work on how you can throw off the sensors on autonomous vehicles. All different ways of throwing off their ultrasonics, throwing off all different ways to confuse and defeat those sensors. It's still a research product but you could easily see them two or three years from now, if someone wanted to, you could equip a car for this and cause havoc on the roads. Another one of these examples of curious people coming in and saying we are building this stuff. We have this dependence on this and yet the dependence is misplaced. I think there's also a talk about ransomware on thermostats. So some researchers built a proof of concept ransomware virus that they manually loaded, a ransomware loader, on a thermostat, and they went through some tortures to get on there, but it demonstrates even Internet of Things, home Internet of Things devices, can have this type of thing on there. If you think back to March, I think it was, the Council released a paper on smart homes and tenant recalled that these types of things. We had a really cool, like, house, he said there would Internet of Things in your home get taken over by hackers or malfunction of breakdowns between operations of trying to compete with each other, and looked into the possible outcomes. I will take a minute to talk about that. Two last things for me. One is, when you see these stories come out you should always ask, one of the first things we do is how do you have to get access to the system? On some of these, like the example below just talked about, he basically had to trick the user into putting code into the thermostat.
I saw another great one, it was for attacking the kernel in Windows and Apple, the base level of program within the computer, but you had to have physical access. If someone can get physical access in your hotel room they can completely own the computer. That's one of those key questions. Were you able to do this remotely? Do you have to have physical access or try to trick someone into doing it? It's a common tenet that with physical access all bets are off. If you're sitting at the console you can basically do anything. The key is whether you can get remote access. At Black Hat this year, for the first time there was a track on human factors to look at how easy or difficult it is to trick humans into basically cooperating in your attack. I'd like to see more on the flip side which is how do you make security so easy that it's easier to do things more securely. Right. Good. We've got about 10 minutes left and then we'll go through it and just do like final impressions before we open it up for questions to the audience, and put a pic if you want to send a question, ACcyber. What was the thing you hated the most and what your big takeaway was. The thing I hated was Hacker Jeopardy, which was, it's supposed to be a fun contest but it's a fun contest that involves a host stripping down to her underwear. Didn't feel that was appropriate. And let's see, surprise. There were lots of surprises. Because I do a lot of work in usable security, the human factors stuff I thought was interesting. I went to an interesting talk from a forensic linguist who was analyzing scammer phone calls for the linguistic features so we could better spot scammers, the telephone scammers, so I thought that was pretty cool. What was your takeaway? Takeaway. This is a really vibrant community and there are just a lot of interesting and also scary things going on out there. Same three questions: biggest surprise, thing you hated most and biggest takeaway. I'm going to try to merge them all together.
I was really surprised at the level of interaction this year versus past years. I've been going to DEFCON now for almost 20 years myself. The interaction between government and hacker types. I'm really glad and frightened at the same time to see at what level that's happening. Both sides are bringing baggage. You mentioned Hacker Jeopardy, which I would like to see some changes made to that event. On the government side we still have raids and prosecutions. That shouldn't be happening. But despite those obstacles we are still trying to reach across the aisle and trying to help each other out. I'm both surprised at that and scared. If I can stay on the surprised and scared comment. That's been what, when I led this program, when we started this program and how it has been picked up, it's that how can we step across these two communities, why we had technologists like Jeff. We wanted to be in that space. They knew they couldn't solve it just with technology. They needed to help solve it here. So I thought that DEFCON was, I've never been more scared for a talk, because I was talking about the vulnerabilities process, some research we did at Columbia. This is now the White House-led process on what zero-day vulnerabilities does the government keep and which is it going to share with the vendor? I asked, described at the beginning, do you think the government keeps hundreds to itself, thousands to itself, more or less? And I would say two-thirds said hundreds, thousands or more. As far as we could tell the actual answer is in single digits. That's probably what I would've thought before going into this research. We were called off by two orders of magnitude. Last year it looks like the government kept two. Not 200 or 2000 but two vulnerabilities. I was really worried, in the crowd with some of my background. I come through the fed era and he was a former NSA guy, former White House guy delivering this message that the NSA and the US government is less evil than you think.
I did not give aid and I have not visibly been hacked yet. But I will tell you I was really worried about that talk. I think for me the biggest surprise was the quality of the people there technically, to be able to do things that I had, even with my background, I had not expected to be possible. The guy who won the car hacking challenge, he was a 21-year-old. He had on a hat that said I just turned 21. He had been out partying. He managed to do this in a number of hours. Not days, a number of hours. You could see a graph when you were there, a projection on the wall, and it's like everybody was gradually gaining points and then he came in and went from virtually zero to just done in a couple of hours. So when 21-year-old kids are able to do this, I think that underscores a capability that exists even within this community. The worst thing was the crowds. 22,000 is a lot. We are going to need a bigger boat, I think, is the lesson. I think they're going to Caesars next year. Although it has more bottlenecks. We will see how that works out, particularly with those escalators. And then the takeaway, as everyone else has said, the amount of collaboration, cooperation, from the interaction among everybody. No fights between feds and hackers. Fortunately, for everyone I think the worst was people falling asleep because they had been partying all night and being escorted back to the elevators to go sleep. So with that I think we will open the floor for questions. And again we will be taking questions on Twitter. We have a couple of mics we will run around. Let's start in the room first, and I saw your hand first. Mike Nelson with Cloudflare. A number of our people were there as well and very clever congressmen and others were interacting with some of the smartest people in the room.
The question I had was whether any of you heard policy complaints from the hackers and the technical people you talked to, specifically people complaining about the agreement that would make it hard for hackers to work internationally? Any other complaints you heard? Are they still ignoring Washington, D.C.? There was a talk, a couple of them, one specifically on the problems with the, how things can change or should change, recent actions that have been brought under the CFAA. That was a big topic of conversation at BSides. I'll look if anyone else heard anything else. Well, as always in the hallway track you hear lots of complaints about lots of things. Policy was one of the chief complaints. In the hacker community we kind of ran our own show for a long time. In fact, we bring security to security conferences because none of the, the people at the hotels and private contractors can't figure out how to deal with this. We kind of have run our own show for a long time, and within the past two years there's been a noticeable imposition from D.C. onto what we do, what we consider our ground, our home, where we play, live, work. That will naturally have negative side effects, especially when some of the policymaking is not as technically useful as some of the people in that room, which is all of us, endeavor. But I also heard a lot of people, both at BSides and also on the periphery, talking not about how bad this stuff is, complaining the same, right, we need to fix it. How do we fix it? How do we influence this policymaking apparatus? I should mention there was one about NTIA with Alan Friedman talking about policymaking. You were there. There was also one where we had policymakers coming up like Susan Schwartz to explain recent policymaking things. You were obviously talking about what you are looking for. I think there's a growing attitude amongst security researchers and that entire community that, like it or not, policy is here to stay.
It is being imposed upon us currently. We need to flip it out and make, make everybody happy or at least the most people happy with the best technically literate and informed policy. There's a growing movement, at least in circles I frequent, of people who are trying to get involved in trying, when the FCC has an open comment period, actually sending comments, that sort of thing. Previously they may not have got involved and just lodged complaints from the sideline. I'm hoping that the larger, that movement, if that continues, grows amongst the people. At the need to think that it was a good people standing only. We've got questions about how to be more effective when submitting comments to the FCC, things like that. CFAA is always going to be an issue. Jennifer and others asked them to bring it up, and "don't criminalize curiosity" and phrases like that are extremely common. Both from teachers. Encryption is always going to be a tough one for this. I was out at the Aspen Security Forum right beforehand and Brandon was almost yelling at a cryptographer that asked the question, saying this is your problem to fix. Work harder for this. So encryption can always be easy. They've done a lot on that issue. It did pop up a little bit. One of the congressmen who was there is Will Hurd from San Antonio. I forget which district. He had not just worked in the National Clandestine Service but had been consulting for one of the computer security companies. So he was of the community before he got elected. Of the people spewing, so it's great. It's a second year coming up. He's not sitting back holding court as a congressman. He's just mixing it up and getting in there and learning. I would love to see more elected officials get involved. If you go to Vegas yourselves or invite some of us to talk to them, either way. There are enough of us that are more than willing to take meetings and sit-downs and put the tie on.
I think it's important and I think there are people in the community who think it's important and are willing to engage. The FTC crew, one of our commissioners, Commissioner McSweeny, came out with us and spoke on two panels. I know that there were some, in addition to the elected officials, there were some staffers, which is great to see. There are more and more staffers who have a background in computer science and other technology fields who can bring that knowledge and education to bear.

So we will go out to Twitter and pull in a question. What is the FTC's stance on end-to-end encryption?

So the FTC would like to see encryption used to protect consumers. We don't have an official stance on end-to-end encryption.

Yes, we will go to you.

I did not make it to the conference this year but last year I was at DEF CON and Black Hat, and the common theme for any of the feds who were speaking was basically a recruiting pitch. Come work with us, come work for us. Things of that ilk. In the past year we've seen substantial movement on the policy side, especially when you look at defense. Ash Carter has put forward the Force of the Future initiative, which is supposed to increase the ability for special cyber experts to get involved working for the government and military. We see him bring Chris Lynch, who wears a black hoodie, to all of these high-level meetings, and as noted in every article that's written, including by myself, most of that. But on a basic level, there's more to mitigation, what isn't working? Is there now a willingness to go work for the government? The Pentagon needs 400 cyber experts. It has only filled half of those slots. Is the outreach effectively bringing people in to provide the talent?

There's a dramatic shortage of cyber talent throughout the industry. It's not just the government. I think the government is uniquely situated to attract some of the talent. It's not always about paychecks.
As a lot of people in this room know, government attracts a certain caliber of people, and some of those are working in the cyber field. If the government plays on those aspects of its employment it's going to attract people. It's going to be difficult, just like it is in the regular industry. I work for a company called Tenable. We did three recruiting events in Vegas this year, to try to get qualified candidates. We have just as much trouble as everybody else. I think it's an issue industry-wide, globally actually, but I think the government is uniquely positioned to take advantage of some things that only the government can take advantage of to try to attract those kinds of people.

I think the program is allowing direct commission to colonel for cyber experts. I think also there is a willingness, it seems, to engage in new mechanisms of working with the community, through Hack the Pentagon, through vulnerability disclosure programs, through ATF, bringing people in in nontraditional ways, or maybe it's not somebody's full-time job to come and fix something but they are able to engage. Lorrie, you are a perfect example of that. You are a fed. You're in the government, but after your tenure you're going to go back into the academic world.

Yeah. I think increasingly we are seeing people who are coming in mid-career or even in the senior part of their career for short-term stints in the government. Actually a bunch of the feds that I talked to at DEF CON view themselves as, this was a career change, I may go back. Also I think with the FTC we don't currently have a lot of positions open, but we are very interested in collaborations and bringing in faculty members for sabbaticals, bringing in their students for summer internships, and those sorts of partnerships have been incredibly useful.

All right, we're going to take one from Twitter.
Do we think that as a result of this new effort to bridge the gap with DEF CON that's going on, that we will soon see better, more technically literate and informed policies directed at this legislation? And if so, how long before that kicks in?

I think we're starting to see it now, so a little bit. It is a slow process. In D.C. things do not move quickly. We've been working at this for years and years already. I think it will take several more years, but as the legislation is introduced and bills are proposed, those bills, in my experience, what I've been reading, each one gets a little bit better. So hopefully that continues and we start getting to the point where our bills are right. We, hackers, let's get involved; unless we start commenting on comment periods, our views are not going to be heard. But I see that increasing over time and hopefully that continues.

It's interesting. There is a sense among a lot of hackers I know that if I can break into it, then it's absolutely not secure and you should not trust it. That's not the way policy works. Policy is always working for compromise. If you can make it a little better than where you were last year. We are in this race, can we get it good enough before things really, especially before we roll out IoT. The more we are rolling out the internet of things, the more we're increasing that and exposing ourselves.

Lorrie?

I think progress is slow but we are seeing it, and besides, I think, the regulatory agencies, the FTC now has an Office of Technology which started a few months ago, so we are bringing that expertise into the agency. The SEC is trying to bring that expertise in, and increasingly the agencies are hiring more technical experts who are being involved in the policymaking process.

I agree.
I think if you look at the types of engagements that have happened over the last few years, Susan Schwartz was out speaking, and one of the things she said was engagement with that community is what is helping them become better at doing their job in this new dynamic field. I know that there have been several other agencies who have actually engaged and worked closely with the security research community and are the better for it. I think maybe it will start, if I can summarize, I thought that maybe we'll start with the agencies and the different kind of hands-off parts of government and move the way up through to the legislative and potentially traditional and other areas. That can be hope.

My name is Jonathan Nichols. I'm wondering about hackers who come from nontraditional backgrounds, guys who don't have degrees, guys who have work experience. I'm one of them. A lot of the kids I know don't have any educational experience. Or it doesn't seem to be a traditional tenure track for those guys. What can I say to the younger hacker kids who don't have that background? How can we get them into the industry doing the right thing?

I mean, I guess my track is very nontraditional. I won't go into details, but I started working in retail selling computers. I guess you just have to, this will sound very cliche, but follow your passion to learn what you want to learn. Do your own research, and show your findings. We have the World Wide Web. It's very easy to publish stuff. Follow what you like to do, become an expert at whatever that is. Once you become an expert, someone will want to pay you for your knowledge. That's really a way to break into the industry. In the meantime you have to work in computer sales to pay your bills, and follow your dreams and then follow your passion. I know that sounds cliche, but really it's just focus on what you like to be and what you like to do until you've reached the point where you are the expert and someone wants to pay you for that.
When I'm talking to my policy students, some of the alumni are here, I give them the same advice. Publish. You've got to get out there. We are publishing different things, and be an expert. Even if you don't want to be an expert in what you have to be an expert in, just being a hiring manager, I know they are trainable. If anything I think this field has been open to people that don't have a college degree. It's going to hurt them definitely to get them into government if they don't have a degree, but with as much venture capital money as has been in this field for 15 years, talent and good ideas I think will come through. Taking the nontraditional path is doubtless more difficult than going high school, college, grad school, job. But it may be more satisfying depending on who you are, and it may help you out in the long run in your life. It varies from person to person what path you want to take. It's very much meritocracy driven. If you have the knowledge, there's such a shortage of people you will get hired. I would also say consider going back to school. I've noticed that in the security research community there tends to be an inverse relationship between education and status. Some of the people at the top did not finish high school, if you can believe it. I've also noticed in publishing there's an inverse relationship with the academic communities; in a lot of circles, the longer you write, the more respected the paper. 140 characters is all you get.

So we will go back to the audience. The lady back there.

Sharon, Voice of the Modern. I do have a question that has to do with, is there a hackers without borders? The question is because before DEF CON I was in Cuba and they're in the process of getting internet. They've got people coming to India to study that. I talked to mid-level government officials and I said we as Americans could help you with your security, and he said, who will help us? I've been wanting to be an American.
So if there's any way, like, the hackers can have a talk about that at DEF CON, going into third world countries, second world countries and helping them with infrastructure and security?

There is an organization known as Hackers for Charity, which is actually the charity itself trying to bring hackers to aid organizations. They primarily operate in, I believe it's Uganda. They have been there for some years. I believe they're trying to move their headquarters back to the United States and basically be the assistant for other charities. I don't know if they're interested in going to Cuba or not. Possibly. There are some efforts. I would like to see more, bigger efforts. Especially in developing nations, very strong point, very big issue for developing nations that they need that assistance. I think it would be great if maybe we use the Peace Corps or whatever to try to bring that expertise to some of these other countries.

There's a few others I can think of. One is Geeks Without Bounds. They do something, although it is not exactly that. There's also one called Securing Change, which is one, I like the organization. Very small. Could use more assistance. There are other people who, I was at the HOPE conference, Hackers On Planet Earth, every two years in New York. Hackers can go to it because it's relatively cheap and in downtown Manhattan. But a couple of years ago at HOPE, the big thing I noticed was people going into third world countries and doing things like standing up mobile phone infrastructure so that just around the villages, in rural towns that don't otherwise have a way, they can get long distances, they can talk to each other. There were several other attempts to get outside of first world countries and go on to people in other places, not to impose technology on them when it's not wanted but to engage and help, with them being pulled in as advisers and technical experts, as people who can lend a hand. I would love to see more of that.
Personally I would love to go to Cuba and set up some of that stuff. Unfortunately my boss probably doesn't want to lose what I am doing. There is also a trend among academic computer science departments to have programs to encourage undergraduate students to do that sort of thing. Instead of spending your summer working for a U.S. company, spend your summer in one of these countries teaching computer science or setting up infrastructure or whatever.

Go back to Twitter. There's a question: how do we square this, well, fear that some of the people in the community have of the federal government, in things like surveillance, prosecution, some of the things that are maybe legacy and historic problems, particularly around law enforcement and DOJ, with some of the newer trends, more recent outreach from folks like FTC, FCC, FDA and some of these other organizations, to try to bring this community in for the benefit of government?

It's a good question. I talked about both sides bringing some baggage to the table, and it's been difficult to try to overcome some of that. How we accelerate that process, maybe it's time. Time heals all wounds, hopefully. On the one side we have legislation which many in my community feel is overbroad and poorly worded, but at the same time we have people celebrating breaking into NASA, DOD and DOJ. There's stuff happening on both sides, but I think there has been a following, if you will, of people trying to bridge that gap. How do we accelerate that and remove that from both sides is a challenge.

I don't want to overcast the community. We talked about the act of curiosity. When you're at DEF CON there's a high degree of mischief. One guy, he had a little remote control he developed a couple of years ago and it would take over a wireless mouse because that's not encrypted. He could just take over a wireless mouse and it would be disrupting people's presentations.
It's kind of fun and games, mischief, but then you've got some in the full anarchist society Mr. Robot mode: the system is screwed and what we do within that system is okay. There's a big talk, incredible intro to the talk, about 2,000 people, some guy talked about how he would fictitiously take down the Kuwaiti government and the crowd loved it. You definitely do have, with 22,000 people at DEF CON, you could have a wide spectrum of different people, especially since it's transitioned from the fringe into a part of society. But at the same time there are elements within the group that are trying to bring positive change and to work across the government.

The most popular men's fashion accessory other than a black hoodie is the utility kilt. It's like cargo shorts but extremely popular. When you go, if you turn on your wifi on your computer, it's always, because you get like 40 different things that all say ballots, ballots cast, click me. There are also jokes that people put into the wifi name, like "I'm with stupid" or "FBI surveillance van number 43." The mystery thing at a previous one, it would always be food coloring put into the swimming pool. Or bubble bath. Anyway. Go for another question.

You talked about the ways the community can participate in this, this discussion about the conduct of the, in public comments, the idea to contribute to potential legislation. We want to get to the point where things are good enough. I think generally, looking at what the FTC is doing, we are trying to get a risk-based approach that recognizes that security is a journey and not a destination. There are things that are very important for the community to participate in. One thing that I hope comes out next year, when it is, was the talk about the strategic action plan, which is the Underwriters Laboratories standard; the other was the session at Black Hat which was rating software.
Is there a way for the community to engage in some of those sorts of public-private partnership efforts? It seems to be what we are really trying to go forward with as a larger community.

One of my favorites of those is I Am The Cavalry. I'll introduce Beau on that. I am involved in that as well. The idea of the Cavalry movement is sort of Josh Corman and Beau and some other folks said look, nobody else is going to fix these problems. We need to step up and try to fix some of these issues that are out there. The cavalry isn't coming; you're the cavalry. The organization has been trying to impact public policy, trying to educate corporations and trying to get security built into products before the cost issues, before vehicles were on the road that can be broken into. I Am The Cavalry is definitely one way. You talked about Peter's effort, ranking software based on how much security is involved. Katie was involved in the DOJ bug bounty, getting that off the ground. There are a lot of people in the community who are involved, but I would like to see more. I think part of that is education on our side, in that we read something in the news and we are like, that's bad, and complain about it and don't like to stand up and say how can I do something to change it? They don't look out to find out when the public comment period is or when they can submit a comment or what hearing they can attend and raise their hand and ask the question. Part of that is us having more education so we know how to influence, but part of it is trying to get people motivated to be the influencers.

It's so changed over the years from the early days where people would save up their vulnerabilities so they could launch them at DEF CON or Black Hat and get on stage and say look what I just broke, and the vendor had to struggle to catch up. That was normal in the late 90s. That just doesn't happen anymore. It just doesn't happen. It's expected that for a DEF CON talk you have to talk to the vendor.
If you don't say what vendor this is and that you've notified them, you're not going to get a talk. You are expected to show a demo and release the tool to go after the vulnerability. That's expected if you're coming up with something. That's also expected, you know, that you told the vendor beforehand.

Another thing I heard about, there was someone who talked about their proposed authentication guidelines. They have taken their proposed standard and put it on GitHub. You can submit comments. It's not like the typical, you have to write a letter; you can comment and they are dynamically adjusting this proposed standard before going to the official comment period. NIST's use of GitHub for them is an excellent example of industry, government and hackers all working together to come up with a standard. It's a great candidate; I've seen a lot of organizations start to adopt it. It is the repository for code. It is a place where people store and can share the code. Taking that means government is coming to the hacker spaces, to the software developers' spaces, to look and to show rather than the other way around.

Since you are here, I want to point out, on the review board, I've never had anyone bring up a submission and be concerned about how well they can speak English and whether they can do a good presentation. What I have heard people say is the rest and, therefore, they shouldn't; it's meant to be judged on the content of the talk, so it's very egalitarian in that way.

I think I will say, to respond to that, efforts like I Am The Cavalry and other things are to bridge some of the stakeholders in these various ecosystems to work on coming up with solutions. It's a fairly young, immature industry if you look at engineering. That's been going on for thousands of years; medicine, thousands of years. Cybersecurity, like 20. We are still pretty young. We don't have it all quite worked out yet. The way to work it out is to get together and think these things through together.
I will also say that something like a cybersecurity framework might not work for IoT-type devices. We might need to consider not one approach but multiple approaches to solving some of these problems. The way I put it sometimes is what works for the first 5 billion will not work for the next 5 trillion that we're putting on the net. That might be a challenge coming up. I think we've got some of the smartest people that I'd certainly ever met, both in D.C. and in the hacker community, and bringing those together, as well as replenish and other places, is I think a good start, a good framework to start working on.

So we will go out to the audience again. We've got one at the very back.

Michael Eisenberg. I walked in as the discussion of electronic voting was going on, and I am frankly perplexed by the willingness to dismiss it so quickly as not germane, apparently. There were a number of articles that appeared during the week of Black Hat in some of the trades about, is the franchise the 19th critical infrastructure, and a lot of comments back saying that's right. You can't have an economy with waterworks and electric power and aviation and manufacturing unless you can preserve the democracy. If the franchise is being corrupted by hacks, everything else is at risk. I would think that would be something that ought to preoccupy all of us.

I associate myself with that, Michael. I want to align the infrastructure to the Homeland Security policy directive and those constitutional functions. The enduring constitutional government and continuity of government framework, obviously voting is essential to do that. It might be interesting if the new administration, which is one that's going to come in, looks to try to realign this critical infrastructure to national essential functions. I had comments that came out of the week before, so two weeks ago during the week of Aspen, where I think we got four main things I think the president ought to do.
One is to be sure to make the case, as we find out what happened, for example, with the DNC hack, to make sure people understand this is about policy, not politics. The defense of democracy, not Democrats. Second, to work with our European partners. There are critical French, German and Austrian elections coming up, and outreach to those nations to let them know what happened to us and what they should look out for I think is critical. Three, if it turns out the Russians were responsible for the DNC hack, I think there's a bunch we can do. The U.S. Cyber Command, National Cyber Mission Forces, is supposedly already looking into red space to be able to disrupt in case something happens. I would ramp up the planning for them. And last is, as we mentioned, there are a lot more direct ways to mess with an election than releasing documents. Even if we just work with Congress for an emergency fund on the day of the event. That way if polling places are reporting results over the internet, which I bet a bunch are doing, something that you run for 1,000 can't take that down. For a relatively low amount of money we can do some of those common sense things that make sense whatever political party you are.

All right, with that, I think we will end it. It is 1:30, so thank you all for coming. We will be around later with our badges and our
