Transcripts For CSPAN Communicators With Jeff Moss 20170826


>> now joining us on "the communicators," jeff moss. how and why did black hat begin?
jeff: it began more than 20 years ago. i operate a convention, def con, the world's largest hacking convention. this was a time when there were no jobs for any of us. the only people doing security were maybe people in the military and banks. as the internet grew and there were jobs, and there is money at risk, all of a sudden hackers started getting jobs doing security. i kept getting emails, give me an announcement to def con to make it sound professional. i have to convince my boss to send me to def con for my job. i was rewriting our announcements to make them sound corporate and more professional. one of my friends said you know what, throw a real conference. charge real money. make it a professional conference. i thought it was brilliant. but i did not have the money at the time. i was too young. i saved my money for a year. i took a loan out, then i started black hat a year later. every year it has grown for 20 years.
host: what is the difference between black hat and def con?
jeff: very security focused. you have an info sec job. you are working for general electric or microsoft. you need to learn something you can apply hands on right away. where the rubber meets the road. i learned this new attack, i'm going to go home and defend my company against it. it's very practical but focused on enterprise. with def con, it is the sense of discovery, sense of learning something new, whether it is picking locks. your corporate job is going to paper you to learn how to pick locks. hardware hacking, car hacking. conspiracy theories. everything that helps you learn how to learn. a friend brought up that we are teaching the next generation of hackers a way to think. if you spend any time in the field, you realize there is the mentality of how to hack, which is a skill set. an innate skill. then there is a professional -- then there are the professional hackers.
imagine you are an artist. you create when you want to. or a professional artist, working for a company. you have to be creative day after day after day. def con is all about the people who want to be creative when they want to be creative. black hat is the transition to a day job. i have to be professionally creative. i have to keep up and know the skills i need for my job but i am going to go to def con because that is where my creative energy comes from. and so that is why these two have always existed so well together. they are different. but the people generally started in one and migrated to the other.
host: is there a subversiveness in def con?
jeff: there has to be. that is part of the antiauthoritarian. even to this day a lot of what hackers are told is you can't do that. that is not possible. we don't believe you. the voting machines are totally secure. it takes rebellious nature to say i think i can break into the voting machines. i think your cell phone network does have some problems. you are listening to me, i think there is a problem here. it just turns out people who are good at speaking truth to power tend to be a little bit rebellious. and the other thing you realize is companies are not really telling you what the problems are. governments are not telling you what the problems are. the criminals are not telling you how they are breaking in. it comes down to hackers and academics to tell you what is possible. when a hackers started messing -- only when the hacker distributed it did the manufacturer say ok, we will listen to you. was that subversive or is that a public good? because now consumers know don't buy that model and put the fda on notice, they should be testing for these things. there is a whole generation of medical devices that are not safe. maybe the fda doesn't like it. but maybe they are not doing their job as well as they could. you never make anybody happy.
since a are times, doing this professionally and creatively they don't care. they are doing it because it is there and they want to prove a point.
host: where did the names come from?
jeff: people get black hat confused. it is not that we are a bunch of black hat criminals, it is black hat briefings. we are telling them what the bad guys are doing and how to prepare. it got shortened down to black hat. it turns out that all these hackers and academics are a crystal ball. you would talk to your friends and hackers and say what are you working on? i think i found this little edge case with routing. it turns out, if it is interesting to them, it is a problem six months in the future for everybody else. they are the canary in the coal mine. years ago, saying the internet of things was going to be a problem. now it is a problem. companies who want to get a head start on what the future problems would be, or maybe we should look at what the hackers say the problem is, and build a product and sell it. people come for different reasons. now we are seeing more government appearances. regulators, law enforcement. same sort of purpose. they are trying to figure what is coming next. def con was originally a party. it was started because everything was online bulletin boards. there was no internet. it was meant to put a face to a name. there was so much misinformation in the early days. there was no sense of a factual well when you could learn the truth. there was no amazon or google. everything was word-of-mouth. there was so much misinformation. if i put a disclaimer on my bulletin board that said no undercover police officers, it is entrapment if they sign in. and we would think that doesn't make sense. the first def con we had a prosecutor come and speak. and we had a lawyer talk about the liabilities if you are trained through virtual-reality but you are taught a mistake and in reality you exercise the mistake? who is liable?
your employer for not training you right? the vr manufacturer? we were looking at these issues a long time ago. it became known as def con. my favorite movie, wargames. the main character is from seattle. in that movie, def con plays a big role. also in the early days i was a phone phreaker. the number three key on your telephone is the def key. also, at the same time, i was living with a hip-hop producer who was producing a lot of rap. one day i'm talking about this hacker convention. the hip-hop guys don't know about hacking. as i'm describing the party one says that sounds def. it all came together perfectly. def con.
host: what is a phone phreaker?
jeff: the phone phreakers -- there were hackers and phreakers and crackers. the phone phreakers exploited the telephone network. the most famous examples of this would be steve wozniak, steve jobs, bill gates, these people who produced blue boxes that would allow you to place free phone calls and exploit the phone network. back in the day, the phone network was the largest network in the world. interconnected to the whole planet. if you wanted to explore, you were basically a phone phreaker exploring that network. crackers specialized in movie copy protection. if you bought a game and couldn't copy it to share with your friends, crackers learned how the game was protected, reverse engineered the protection mechanisms, and then got around them. so, that was the three main communities. they each had a different interest. telecommunications, software protection. now the line is blurred. as time went on and criminals entered, it wasn't just a game, exploration and joy of discovery. it became money. criminals came in and borrowed techniques from anywhere they could. they used to try to recruit hackers in the 1990's and early 2000's. now the criminals send people to college and university. they make a lot of money from these malware campaigns.
they pay real money, they have giant research and development budgets. they don't need the hacking community anymore. they do not leech off of us anymore. we are trying to figure out what they are doing. they are doing this as a full-time moneymaking enterprise and they put in a lot of resources. i think what is going on now is the press did not know how to explain the criminal use of technology. so they borrowed the term hacker, which was describing a skill set and used that to describe criminals using computers. but instead of saying they broke into the bank, the hackers broke into the bank. and that caused the schism. good hackers would still refer to ourselves as hackers. but to the outside world, we were security professionals. it was too confusing to try to have this long discussion about what a hacker is or a hacker isn't. a skill set that can be used for good or bad. just like you have a criminal plumber, or a great plumber. the skill set is the hacking. the motivation is what differs.
host: is that white hat hackers and black hat hackers?
jeff: that was attempting to describe motivation. criminal hackers were going to be called spiders. but then the world wide web got invented. oh, we can't have spiders and web. we are going to call them crackers. the cracking community was like that is us, we are not criminals. we are not breaking into things like that. so, then it became colors of your hats, like old westerns. you could tell who the good guys were by the color of their hats. that is how it came about. now you an ethical hacker, it is really muddied. i just stick with criminal and not criminal.
host: who attends this? how many?
jeff: black hat, hard to say. probably around 15,000 people. it is a long program. there is training over the weekends and there is the main conference. some people come just for training, some people come just for the conference.
at def con, we are at 25,000. pretty big. it is interesting. for black hat to me you can preregister. for def con it is all cash. pay at the door. there are no records, nothing to seize, no credit card records to subpoena. it is optimized for speed of registering people and not being an attractive target for law enforcement.
host: when we told people we were coming out here, turn off your phone. don't use a money machine. avoid anything electronic when you are down there. is that true?
jeff: that is the myth. the myth is it is super hostile, that you have to remember, now it is pretty hostile everywhere. it used to just be hostile during def con and black hat. now, every airport seems to have a fake cell tower. if you're going to steal somebody's login why not at the business lounge at an international airport? that is where high-value targets are. if you monitor, you will see these fake stations. the amtrak station in d.c. has a fake cell tower. this is the way that it is. if you are a criminal and you can build a backpack to intercept information and leave the backpack plugged in somewhere, that is so much more low risk than trying to rob a bank. bad guys willual try to -- and you have hackers who want to test things out. they know it is a free-for-all in vegas this week. there will be fake cell towers. people trying to detect the fake towers. law enforcement trying to detect the people setting up the towers. year, we had a film documentary crew from france. they were french born legion, which turned out they were actually intelligence trying to identify who the people are they cared about. then, we had our own intelligence that were following around their intelligence. i'm sure there was another. there are so many layers that i have learned not to be surprised by anything. but it is a fascinating glimpse of behind the curtain. how does technology work behind the curtain?
how do the governments work behind the curtain? what do other governments do? i was at a def con once and somebody came up to me and said i want to introduce myself. i'm with the defense intelligence agency. what are you doing here? aren't you supposed to count typewriters? or how many car batteries? monitor the collapse of the soviet union? what are you doing here at a hacking conference? he said i'm trying to figure out if other countries are trying to recruit our hackers. well, ok, that sounds important, but how? there's a room with 500 people in it. you can't be in the middle of all those conversations. how do you know who is trying to do what? it is actually pretty interesting. what i do, i lean against this wall and watch for other people who are watching and pay attention to the watchers. fascinating. so, every year i love learning a little bit more about how the world works.
host: a couple years ago, you had michael rogers out here.
jeff: no, the director before him. keith alexander.
host: oh, i'm sorry.
jeff: that was fascinating.
host: it took you years to get him out here.
jeff: that position. we have gotten people from the dod. we have gotten a lot of other people. never the director of the nsa. it was right before the snowden revelation. it was at the very peak of goodwill between the hacking community and law enforcement. and after that it has been downhill.
host: why?
jeff: i think a couple of reasons. one was there was a sense that we were all working together. that we were all trying to make the world a better place, trying to protect networks. have fun while we were doing it. the intelligence folks always had a bit of mystique, but we knew they were using the same technology we were. it was not alien technology. they were just using it differently. we could relate. we had the same sort of problems in setting up and managing the technology.
over the years, whether it was dhs or fbi, ncis, they were interested in what they were doing. we were sort of becoming friends. and after the snowden revelations, there was a lot of you never really let on you were monitoring the citizens so severely. that was never even -- the hackers and security people felt that was too extreme. whether it was because of government oversight lacking, and they were doing everything they could legally, maybe it is not their fault. it is oversight's fault. whatever. whoever's fault it was. a lot of people felt like trust was betrayed. a guy was telling you something in confidence and it ended up here. that is not why i told you about this bug. i told you about this to protect government systems, not to do something else. so, there is a huge cooling-off period. that next year i asked the fed to please don't show up. not that they were welcome. but there was going to be drama if they showed up publicly. there was a lot of angry people. i didn't want anyone throwing water, screaming, fighting. i didn't want anybody having a scene. tensions were hot. since then things have cooled down. intelligence agencies are not trying to engage as much. the groups that are engaging, the fcc, the ftc. we get some people from dhs trying to do some stuff on smuggling. so, we get the good parts, the noncontroversial parts. ftc is trying to stop robo dialing. trying to make home routers more secure. things everybody can identify with. i think dhs was talking about u.s. cert and outreach to companies. how do we build information sharing to help us learn what bad guys are doing? it will be a while before intelligence agencies are going to convince hackers that they -- not impartial, but they have their cards on the table. that is just the way it is. it is funny, some of the intelligence community people said it is better this way. we preferred the gray areas. it was getting too much light on us.
i think it will be a pendulum.
>> would you like to have anonymous out here?
jeff: they are here all the time. anonymous is anonymous. you don't know who is in there. i'm sure there are hundreds. i'm sure there are organized crime people, intelligence people. that is the interesting thing. there is a lot of law enforcement presence from a lot of countries here learning. but there's a lot other people here learning. academics, writers, people who want to make movies about this. we have created this melting pot of like-minded people. in the early days, vegas acted as a filter. we are not near anything. we are not in the middle of san francisco or new york city. you have to get on an airplane and fly to vegas in the summer. so it was a natural filter. you only came here if you were really interested. you didn't just hop on a train and come down to d.c. from new york. so we had a good formative years of people who cared about this. that became the core for the conventions now. now a lot of people say professionally they will have to come because it is such a big event. i remember when it went from network security people to telecom. then marketers had to show up because their customers were here. and it kept growing and growing and growing. at its heart, at its core are technologists, hackers trying to figure out how the technology works and what to do about it. as long as you can keep that, then the heart of the conference will keep beating.
host: are you glad it is growing?
jeff: i love the growth. but i hate the growth. it is both. i'm conflicted over it. when i started def con, there were two other hacking conferences that i knew about in the united states. they were invite only. i wasn't invited. or i could get an invite but i couldn't do it was in atlanta. i was too young and wasn't traveling to atlanta. i decided if i'm doing a conference it's going to be open to everybody. not invite only. that immediately led to a bunch of problems.
if it is invite only, how many people are going to show up? i don't know. how do you plan for something when you don't know how many are going to show up? kind of work it out. if you don't know who is showing up, what prevents 100 law enforcement people from showing up? or 100 clowns from showing up? you can't control the demographic. on the other hand, they are interested. they care enough to show up. maybe they will add and contribute. that is how it has worked out. from 100 people the first year, to 25,000 people this year. and people say the conference has changed. it has changed. it is bigger, but it is reflecting the changing demographics. more women are involved. more artists are involved. more foreigners are involved. more large enterprise. in the early days we were hacking on two or three technologies. now there are probably 100 technologies. you couldn't get there without the growth. there are some conferences are still invite only. they stay small. they stayed these elite social networking talks. there is absolutely a place for that. consciously when i started, i wasn't going to be that elitist. i was going to let anybody show up. i have to live with the consequences. it is a fork in the road. control the tenets or keep an open door policy. but in hindsight, yeah, i probably was. i was copying games, reverse engineering protection, fiddling computer, in the truest sense of the word, hacking, not in the protections, but it was more about overclocking your cpu it go faster, trying to ibmpc. out of and later on in life, i was more into phone phreaking. hacker, and when i caught him, i was like, ah-hah, doing, know what you're but you're doing something, and he said, okay, yeah, you caught i'll explain what i'm started this relations. light bulb. how do you get around the limits by lying and changing one number? of course you could do that. that made me change before that moment.
d after that before technology kind of worked and it was beautiful and after questioned every assumption. these computers were clearly not thought they were doing
>> did you ever get in trouble.
trouble. got in back then, there was almost no hacking, st any completely different than today. about the worried current generation. there's current sentencing and guidelines and you could run automated tools and more jail time than you would than driving drunk and killing someone. sentencing guidelines are crazy. you see that sometimes. participate nt to in civil disobedience. you want to dosz that evil bank and that guy gets arrested. felony ked up, gets a conviction now, and in jail a years. i'm not saying that's right or legal, or should be legal. i'm just saying the punishment disproportional to the harm. disproportionality didn't exist when i was a kid. one, there wasn't anything online. there wasn't a bank online. in the earlytality days is look but don't touch. operators,m the hamm which was you could listen in to people's wireless phone calls. whatever you hear wirelessly, that's legal, but if you act on becomes illegal, and actual sec law. steal an additional crime and learned about it and acted on it. it, that's en about okay. that's where the early hacker exploring the , networks. if you break into the networks, don't odify anything, touch anything or break anything. and i sort of explorers think some of the old-school hackers didn't think that way. fraud and abuse act, if you want aeats board, you're permitting me to log in. if you read ving the law, there's a lot f -- this is what tripped up aaron swartz, you know, his downloading of legal documents that he had permission to download. they just claimed we didn't give you permission to download all of them. give you nly permission to download a few at a time. permission to mean i'll download it and automate charged g, and he was he was goingd act, to lock them up for 10 years, and eventually he committed that.
over it's like downloading a lot of sentencing, ximum so these problems they're working through as a community society, and these changes in technologies are what's a lot of e issue and the people forcing the issue aren't nally or intentionally at the forefront. they're pushing the technology seeing what they're capable of and so a lot of times, into the law in a way they're not intended. moss, besides yourself on the convention floor, who a rock star?
>> i don't like the term "rock there's a lot of people -- as a community, i think we've done a really good job mentoring the next generation and there are some rock stars, you know, that love to put on a show. one of the greatest was barnes, barnaby jack. he was famous for hacking an atm stage and with such showmanship. he hacked and built it out on stage. they're saying that's not possible. if he's going to show it's it in the e'll do biggest, most spectacular way, months. ine he was buying atm machines with money. figuring out how it worked. stage inlminated in on 40 minutes. so you get a lot of that. i've been working with this on years and going to give my talk here and it's all going to come out in minutes, you know, years of effort have been. so that's why when you see what you see on stage, you have to respect all of this work that's been done before and all the other people that made it possible. is standing on the shoulders of giants, people who have done research bit by bit. nobody here really invented it. musician. like a you're always on the shoulders of those before you. some ould say there's people more famous than others because their hacks have been spread, like charlie miller, and chris valasek, hacking smart cars. they did that in a spectacular work into it. i remember him getting warranty car after his disassembling his whole dashboard. what happened after his whole car? oh, nothing.
so yeah, there's a lot of a lot i would say, and of women are really getting involved and i find that the it's a eresting because tech community, and a hacking community, we're just not good in other ethnicities nd other genders for a number of reasons. i think most of the attendees higher than stly the tech industry but a lot lower than many other and when you think about why is that, well in the field, you're pretty much on call 24 hours a day. wrong, you're es generally to blame. if you're doing defense in security, you don't get a reward the hacker out because you don't know when you kept the hacker out. it's almost thankless and negative. when you're a sales person, you immediately know you made a sale you made and sold more product. in security, you don't get that feedback. i don't think a lot of people when you're in college and to uating where do you want go, security maybe, but if you the first e into it, two years are really brutal a ause it's sometimes thankless job.
>> jeff moss, what threats are here today that weren't here five or ten years ago.
new threats, of and it reflects the amount of technology that we are just our homes. you didn't -- three years ago, i didn't have to worry about the fbi or a bad guy trying to access my dialogue with my siri or my alexa. now, the fbi is subpoenaing alexa conversations. that's the way of life now. the technology is also potentially your spy. it's not the fbi. but maybe you're in a bad lawsuit or divorce or your wife the sband subpoenas documents for discovery to prove you're cheating or something. not what the technology was there for, but that's what it's going to be used for. gotten these smart smoke detectors and thermostats. last time you updated your cell phone or bought a new cell phone? guessing the last two years. when was the last time you your smoke detector? probably never. these devices will be in our house probably five or ten years. updated. be they'll be secure and connected to the internet.
what we're seeing is the tidal wave of insecure pervasive technologies the cost of times, hanging out a smoke detector per company is greater than the cost of the smoke detector, the these devices in and deploying and tracking them. that's where they're going. we are now, we have a lot of risks we're not understanding. we don't accept the risks because we don't understand them. car with telemetry. go to ford, what information are advertisers? bout they're not going to tell you that. whether a lot of risks, it's personal or against the awsuit or financial or behavioral, but you're being a ced in a bubble, almost perfect marketing bubble if where ogy goes this way, you'll see the articles that you'll want to see. you'll get the radio stations that you like but you're not going to be exposed to anything new. the micro target you get will be behaviors. our and you'll be placed into a bubble of your own choosing the on your behaviors, behaviors of the people you talk to. the famous examples, if you talk wish i could go to hawaii and you're gettingitizements, cheap fares to hawaii. that's the simple stage. more pervasive. you leave the wifi on your home. you doebt don't turn it off. you go to the super market. they track that. know how long you stood in gles. the next thing you know, now they a pringles buyer. it,s and this is purposes, lly for let's have less food wastage but profile they make about you is amazing. that's what's happening in the background invisibly that we don't realize is occurring and a should imes, maybe we just have a conversation about it and talk about that. to us. it's happening and i think that's another -- that's going to some really f in bizarre ways 10 years from now. a presidential election 0 years in the future when the democr ic information is available. think about it.
if you were malicious and worked uber and you had access to uber data, you could tell where senators and representatives were driving to and the lobbyists were driving to and you could figure out who meeting with who, where and cheating on whose wife, where, just between your data and location your data, you could uncover a meetings that aren't supposed to be uncovered. nobody really realizes this. and there's a trade-off, i hackers are more conscious of the trade-off but trade-off between usability and security and we're consciously. we're not accepting that there's a trade-off. over 60 when you drive or 80 or 90 or 100 and your starts shaking, you're making a trade-off. this is getting dangerous, it's i know i'm at the edge. with technology, your mouth vibrate, your phone doesn't get hotter. you don't know when you're doing anything risky online or where the limits are. them are and gh not realizing. when you do something risky you in the ass, it's impossible to tell what the was. avior maybe your credit scores are now down a little bit. your credit card has been stolen. week, m somebody last last month, last year, what was the behavior that harmed me, you out. figure it you can't create this loop, unlike when you're driving fast, steeler shakes, i'm driving too fast, i better slow down. no feedback loop like that online. how do you make an informed decision. it's tough. >> how do you personally protect yourself on your own devices. i'm a big believer in simplification. apps t have many installed. >> do you use uber. >> no, i don't use uber because tracking. why do they need to track me calling per car. apple has been making progress apps to allowing geolocate you when you're not app. g the maybe i'll start using more apps because i like to edin, i don't want them tell me when i was near another linked in user. pc, and not from a on my mobile device. that's inconvenient but i decided to make that trade-off. don't need my every single and sold andcorded monetized. 
it is a pain but i'm getting a foot print,ess of a not getting the bubble around me or the targeted advertising. i block all the ads i can. that means there's certain web to. i can't go can't go to fox news anonymously because they block anonymous browser. sites. to the other news i am missing out a little bit on the bargain.
>> do you use wifi.
yeah, but i also use my own wifi. r the i'm not trusting the hotel's wifi. ramp. on i use my on ramp to get to trusted systems. notice the uptake in vpn services. neutrality t deregulation coming up, a lot of don't, ether they do or legally, they'll be in a much better position if they want to watch your traffic, see what you're doing and inject you're ing in the pages going to, or sell that as marketing information. at home and browsing your favorite sports team and next thing you know, more sports g advertising. you're like i didn't tell everybody i like that team. isp is figuring out, never mind you're paying them and now they're trying to make 30 cents off of you extra. crazy. es me i'll use a vpn and get away from my local isp. i'll pop out at somebody else's isp. they don't know who i am. know my address. they don't know a lot of things about me. a vpn ow that there's user that likes a sports team to they can't tie it back me. can. isp that's local they talk about the last mile of broad band. mile away to get one from my isp because they're in everythingn to watch i do and try to monetize us. julian assange or snowden ever spoken at this convention.
>> no.
>> would they be the types of want to have on.
>> we keep inviting them but i don't think so. couple of reasons, 1, stealing a bunch of secrets and you sing them doesn't make a hacker. a lot of people can steal things and release them to the press make you a sn't hacker. might be interesting.
i'll definitely buy you a beer and listen to your stories but that doesn't mean -- what are you going to tell all the and i use the photocopier, and then we went to the press. it's unclear. they've spoken in every venue they could possibly speak at. won't be us and revealing anything new, and people that of really feel that was a violation of trust. there are other avenues of revealing what snowden could didn't. aled, but he so super controversial. technically, so, you know, give the stage to somebody else that's doing something. one moss, at a convention, emerge. emes tend to we've tended to the communicator a theme. seems to be we've been hearing social engineering and liability. any other themes developing?
>> i think you're right about liability. speaking about liability for years and i try to this. like if you have a smart car and something goes with the software and you crash, there's liability. tesla or whoever will be liable. a big database piece of software that sits in the room and you lose millions of dollars and you crash, there's no liability. one is a data center on wheels stationary. one has liability and one doesn't. they're just software. point, the competitive disadvantage, they get a free because they have a shrink wrap license. a pass becauseet they're life safety because you a person in have the vehicle. at some point, the data on the server isn't affecting lives. one gets liability and one does, that doesn't make sense. is a lot of e whole e is making the industry have liability. with the internet of things, as soon as the toaster burns down a and kills someone, there's going to be liability. the now, you could say only thing running software is console, my phone and tv. when it's running your whoil and omething goes wrong, you'll be impacting not technologists or geeks, you'll be impacting the consumers that are interested on the whole back whole toaster e burned down the house. industry has been resisting.
we're in this period about the next five or 10 years. the industry can't figure out a way of warranties or guarantees or some sort of protections, if they don't figure it out, the government will come down it. you and i are not going to like the results. other avenue. software will be so critical there will be no liability.
>> and companies come here recruit.
>> recruiting. i'd say especially if they want new, a lot of g is t car companies, space getting interesting. some ofr blue origin or these other countries, it's something new going on. i've mentioned medical devices. action in that area. and you also have these sort of black boxes. these algorithms that are trying to determine based on your behavior, what time you wake up your to sleep and what smart refrigerator is dispensing driving and re actua o figure out new actuarial tables and they're trying to figure out all of this about you. it's an innovative time, whether you like it or not. in the golden age of data, and it's going to impact us. thing about you asked an earlier question about themes. theme that i didn't think it would be so popular is hacking a voting machine defcon this year. i started the idea, you know movies, where n they have an evident bag. i kept thinking, well, we've got get around the evidence folder. temper that or the money bag. you see the stomp, the led grommet. it looks roman, like a seal, flack seal. how hard is it to get around that stuff? i don't know. but i bet some of these hackers do. so i started a village on how do envelopes, get past wax seals and past these and nobody was doing that before and now that's a common thing. there's a whole body of knowledge on how to defeat tamper evidence and tapes. i thought, wow, voting evidence and i'm sure people have been beating them up on ebay. have been tuing them since bush-gore and i couldn't find any information. have not been beating on these things. academics have a few publications.
i don't know anything about i bet i could t buy some of these on ebay, figure it ers in and out all over. we have voting machines, people from nist, county commissioners, election officials, people from dhs. craassemblage ofa hackers. so there's a little bit of excitement in that area just because it wasn't done last year it's new this year.
>> you have a b.a. degree in criminal justice from gonzaga.
>> criminal justice class at gonzaga. i thought i was going to be an fbi agent. in high school, you know how they have career day, we were getting all these speakers. agent told us an incredible story about chasing bad guys that was unbelievable. saw that, i was like that's what i want to do. know any better at the time. i went to college, took a bunch of computer science classes and never knew what i wanted to do. sociology, criminology, criminal justice classes. it was during the hiring freeze administration. only law enforcement hiring at the time was the fbi. that's perfect. that's what i wanted to do. typed up on a typewriter, sent it in. crickets, nothing. called them, they said, we lost it. thought it was a secret way of comparing my first application to the second. sent it in p and again. about two weeks later, i get a call. the special agent in, start talking to special agent murphy. he was like, tell me about your vision. people. help i'm interested. he said, no no, your eyesight. your vision. like okay. 20/20 in one eye and 20/60 eye corrected. he said that's not good enough. sorry. that was it. no chance in the fbi. six years later, i run into a a party, fbi agent. story. the he said that was false. he didn't want to process your paperwork. you should have caught onto that first locked. i didn't know these insider in bureaucracy. they probably didn't want to deal with your paperwork. right there, one little decision.
>> where did you grow up?
>> bay area.
>> were your parents in tech?
>> teachers. i'm the only business person. academic.
e was i always have the weird business and i have the weird academic stories.
>> what do you do on the computer?
>> i found in tech as i progressed in my career, i do more advisory work, less hands on, just the nature. stay connected to feel i'm not a sham or have the feeling syndrome of like i'm disconnected from my roots, i maintain the defcon routers and servers. enjoyment,f gives me d it's a huge pain in the but you have to do one to stay current. on my mobile now than laptop. servers, e working on you need five screens and a lot of screen real estate. so yeah.
>> has black hat been hacked. a badge of honor?
>> oh, yeah. after us, definitely come for us. defcon was am attacked. his exploit saved for nine months, waited for the n to deface the web site. the server department have the updates. they made a big tongue in cheek thing. of fun that's when i took over and ever since, i ran our own servers. i know, we haven't been broken into. that's when i decided i wasn't letting anybody else running this stuff.
>> does this world make you paranoid in the sense of this type of thing?
>> i wouldn't say paranoid, everything is sort of fact. saying, it's not paranoid if they're really out to get you. you're out there. yesterday i tweeted somebody was into my twitter account. i kept getting these reset from twitter. i said whoever is trying to get into my twitter account, please stop. i need my twitter account the next week or so. maybe afterward, but cut it out. and they stopped. not paranoia if they're really out after you. paranoia comes in, people ascribe too much importance to what they're doing. nsa is not going to task a $50 satellite to spy on you going to the supermarket when the local cop could follow you there. disconnect would be paranoia. if you're being a criminal, surprised if law enforcement is after you. just because law enforcement is after you, doesn't mean the cia is localizing the whole division. there's a lot of sense of over importance a lot of times and weird situation.
say you are a hacker and you're in the to do something gray area or could be criminal, people would say they're not you, but i'm not doing anything. okay, but they don't know you're anything. law enforcement only knows you're not doing anything until looked at you. they don't have some magical they're not says doing anything, don't look at them. feel unfair that they were subpoenaing me. how you're behaving and who your friends were. only way they're going to know if you're a bad guy is if and go in and stir the pot look for a reaction. don't be surprised. that's how law enforcement would catch people. stir the pot, watch one person, watch what everybody else did in response and roll everybody up. not rocket science. you see what's going on now in law enforcement. market bust. police had one dark market freighted, bust another one, watched everybody migrate now, the one they're in gather everybody's information. it's basic law enforcement tactics. i got off on here that route. maybe the paranoia question.
>> presume that everything that you put out there and everything on your public?s
>> you have to. i think. take a lot of precautions to make sure i protect it as best i can but i'm not going to be surprised if one of my conversations comes back at me, even though i think it was protected. i had a ceo. when i was chief security at icann for a while. it was a pretty high profile job we knew our ceo was targeted. remember talking about it with him with his risk. he said every time i write an email, it's three audiences, who i'm sending the email to, the foreign nationals spying on me and the congressional inquiry if i'm testifying. the job of the ceo, high profile international company.
>> consulting work cfs. u do at the
>> about 40 of us, we advise the secretary on whatever the secretary wants. in the past, it's been on how does the department accelerate their cyber skills. do they develop in their task and workforce, better skills. could be resiliency in government for dhs.
we did a task force on countering violent extremism and how can we rs, minimize that. we just wait for challenging dhs may be facing and figure out things that might answer the questions and go and do that. in the atlantic council which is bringing to defcon the caucus, so we'll have this year, ves out so that will be really cool. timing eek day and the that the caucus ask travel out of congressional time, they of the weekend. and i'm involved with the foreign relations, which is fascinating, because looking at a global governance and where is it going. it's a fascinating time to be alive and you start off throwing a party for your friends 25 years ago, and now you're advising governments and companies, and you couldn't make that story up.
>> should there be a data protection agency?
>> a national uld be privacy agency, i think. canada has one. is not enumerated in the u.s. constitution so it's inferred. dhs is one of the only agencies mandated to have a privacy officer. i think it should be a standard thing. the privacy of the constituents, of your workers and citizens a factor in whatever legislation you're proposing. -- you know, i think it's too bad. see in the internet age, that personal information is really what's a value. uber makes as much money selling hic data on its riders as selling rides to riders. tremendously valuable.
>> jeff moss is the founder and creator of defcon and black hat, our guest on communicators.
[captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]