>> PEITER MUDGE ZATKO: Just so we're clear, I'm only speaking as myself today. I am not
a representative of the US Government. I'm not a representative of my current employer.
I'm pretty sure neither one of them would be really happy with me up here talking. But,
I feel it's part of my duty as part of this community to kind of give you some stories
that are personal stories from this community as what I took into the Government, what I
learned while I was in the Government, what I saw that was a little bizarre while I was
in the Government. And what I'm taking back out of it.
And there are four stories I'm going to tell you that all have some unexpected outcomes
and unexpected twists. You probably heard about some of the stories in the media, but
these are kind of different back origins to them that you haven't heard before. I'll do
my best to be as accurate as possible. But I'm going from memory from some of these,
and some of these go back several years. Memory isn't perfect, so I apologize in advance.
So I'm not trying to *** off or be pro or con any particular community, but I want
understandings, which is why I'm trying to tell these kind of nonobvious stories. Somebody
had tweeted me something encouraging me to do this talk and saying anything we can do
to help people understand each other is good, because of course prejudice is bred from ignorance
and exclusion. So you can kind of consider this my transparency/trip report from three
years inside the DoD. Not long after I started working at DARPA,
I got funding approval for the first of one of many programs that I would actually run.
I know most folks are only familiar with a few of them.
The first program was called CINDER. And it was focused on super evolved advanced persistent
threat. The program had nothing to do with whistle blowers. It had nothing to do with
humans. It was targeting autonomous software. And there was an author, Forbes Magazine,
Andy Greenberg, who found out that Julian Assange and I knew each other and have kind
of known each other for, I don't know, 20 plus years. And he wrote an article that, the way I read
the article, attempted to pit me and Julian against each other, claiming that CINDER was
a response to WikiLeaks. You know, a sexy story of hacker friends, you know, who now
find themselves at odds, one trying to spill the Government secrets, one trying to protect
the Government secrets. Yeah, it's a sexy story, the problem is it's entirely untrue.
Because CINDER had nothing to do with that. So since he and other folks wanted to kind
of make it a story about me and Julian where there was no story before, I figured I'd tell
you an actual story about me and Julian. And this first story is called how the DoD
unintentionally created WikiLeaks. So it was 2009. I had yet to go into DARPA. I was over
in Germany for the CCC Congress, which by the way is awesome. And by the way, Berlin
is freezing in December. So it's a couple blocks from the hotel over to the Congress.
And I braved it across. It takes about like 10 or 15 minutes before your lips come
back and you can actually start to form words again.
So there was this talk that I wanted to see at the Congress. I watched it. It was great.
There was a gap between the next talk that I wanted to see, and the whole decision was
do I go back to the hotel and go out in the frigid Berlin winter, or do I find something
else to pass the time. It's CCC, it's easy to find things to pass the time there. And
there was a talk that was going on about WikiLeaks. Remember, 2009. No State Department cables,
no nothing at this point. WikiLeaks had been around, but it wasn't in the popular vernacular.
It wasn't a household name. So I look and I go, Oh, what it's taking to
run WikiLeaks, how do we do it behind-the-scenes operationally. I go: That's cool. And it talks
in English and it's inside. So yeah. And I'm looking at it, Julian Assange, Julian Assange.
The name was ringing a bell but it didn't mean anything again, because of course he
didn't hit it. Now I saw him on stage, and you know he's
a kind of striking physical -- you know, shocking blonde white hair, sharply dressed, and I'm
recognizing the voice and it took almost the entire talk before it dawned on me that I
knew him by a different name. I knew him as Proff. Some of you remember Proff, some of you
remember Strobe that he wrote like ages ago. You know, he was over at suburbia.net -- proff@suburbia.net.
I was like holy crap! This is the same guy who I've known for years. I hadn't seen him
in like a decade or I hadn't interacted with him online. At one point I think he was even
managing Sun's security updates and patches for all of the distributions for SunOS at
sunsite.unc.edu. So we should have nominated that for possible or potential epic ownage.
That's kind of cool if you think about that. So after the talk I was all excited. I went
up to him, waited until the smaller crowds died. You know, he was outside having a cigarette.
I thought this is going to be fun, because I had cut my hair. You know, I didn't have
the (inhales sharply) if you've seen the shirts. Most people remember me looking slightly different.
And I'm like oh, I'm going to play with this a little bit. So I walk up to him. I know
he doesn't know my voice, and he's not going to physically recognize me. So I do that whole
like hacker jerk sort of, you know, say something that, you know, like what the hell how did
they know that? And kind of to set up the state of détente.
I go hey, when was the last time somebody called you Proff? He looks at me weird. And
I'm like well, if you think that's weird, did they ever find out why the MD5 checksums
on the Solaris update patches didn't match the actual patches that people installed?
It was Sunsite, right? And he is just looking at me like who the heck is this guy? Probably
possibly because he hadn't heard the phrase "Proff" for a while and it could very well
be that he had no clue what I was talking about with the latter one.
And I go hey, it's me, it's Mudge, Mudge from the L0pht sort of thing, and he kind of relaxed
and we chuckled about it. And I was saying hey, you know, you were really, really passionate
up on stage about WikiLeaks. What was the real impetus? What was the turning point that
made you do that? Because the last I had seen you, you were leaving the hack scene. Going
off to academia to do your advanced degree. He was working on a cryptographically based
file system, a rubber hose file system for duress-based decrypting. And I said where
did you go? The old gang and everything, I haven't seen you.
So we chatted and he said let's go out and have dinner. So we spent the next several
hours over food in Berlin. And we were chatting, and I wanted to know just how passionate he
was. And how far he was willing to go on it. So I asked him a hypothetical question. I
said let's suppose back in the day my thing was I collected packet captures of everything.
Let's assume some of those packet captures have you going into the other systems. You
know, beyond a shadow of a doubt. If I submitted those packet captures, kind of incriminating
you to WikiLeaks, would you release them? And he looked at me, it only took a couple
seconds. He said hey, we get some very similar sorts of questions. Because people ask us,
you know, kind of on a parallel if someone were to send us a list of the contributors
to WikiLeaks, would we publish it? And the answer is that, you know, we don't want to
know who our contributors are, because we want to keep the protection there, "we" being
WikiLeaks I'm speaking of as him from memory here. So we try to get in touch with the folks
who contributed, but we won't know who they are. So ultimately in case that list is real,
we would have to publish it. I was like oh, that's cool. And then we moved on to the next
topic. Now if any of you actually interacted with
him or knows somebody who has, they will tell you that he is a very smart person and it's
absolutely right. It took me probably an hour to realize he never answered my question.
But he told me an interesting story. He told me, and this is what stuck with me in 2009
from that dinner, what the turning point was. Maybe this was a story just for me, maybe
it was kind of the appropriate thing. But I took this to be kind of ground truth and
it stuck with me, which is why I'm telling you. And I used to tell people inside the
Government the same question when later WikiLeaks kind of popped up. He said I had gone off,
I was over at University doing my graduate work. Something essentially fundamental research,
which means something to the Government folks. He said it was funded, you know, by the US
Government. It was a grant from like NSA type DARPA sort of funding. I don't know if those
were the actual agencies. And he said it was during that time period
where there was a big pull back from the DoD. And the message that the Universities received
was we're not funding you to do basic research anymore. It's all classified now. His work
got rolled up in that. Now, whether that was actually why it was
being pulled back or if that was just the perceived message, I don't know. So if you
think about it. Here is a non-US citizen, who's made a life decision, go to graduate work,
kind of leave the community that we knew him in. And all of a sudden his funding gets pulled
and he is told that he is not allowed to know what it was he was doing, not allowed to know
what he discovered, and no actual reason as to why the funding went. I mean, it's kind
of what it's like when you're a graduate student and somebody pulls your funding, sort of thing.
And this just really, really rubbed him wrong. He said this is the wrong reason for classification,
if that's why he lost his funding. This was designed to keep people ignorant and withhold
information to keep folks disadvantaged. He said it was at that point he decided that
he was going to devote his life to exposing people who tried to keep secrets. And hence
WikiLeaks was born. So when folks in the DoD would ask me, hey,
do you know this WikiLeaks thing and what are your thoughts on how we could like, you
know, address it? They were surprised with my answer by saying you know by some accounts,
the Government actually created it in the first place.
It was at that point during the night at the -- in the restaurant, Julian goes well, so
that's what I've been doing for the past ten years. What are you up to? I said oh, I'm
about to go work at DARPA. (laughter) So that's my first story.
The second story is about Anonymous and the Department of Defense. I remember Anonymous
from way back. I mean, Anonymous, I use it as like a proper noun. But obviously we're
all familiar and it's much more. It's kind of a movement, a thought. It's more ephemeral
than that. And when I remember them they were going after Scientology and the RIAA and there
were the FORTRANs and soap opera stuff going on. And at some point, their scope or the
target expanded to include the Government. And general wisdom was that the triggering
event was the DoD's response to WikiLeaks and Manning, et cetera. But the way I saw
it, there was actually something else that was a bit more subtle that folks hadn't realized.
So in 2011, the DoD released the strategy for operating in cyberspace. There was some
very minor backlash to some of the wording. There was originally a version leaked of it,
and that went out and it was followed up later by a later one. But there was some more specific
backlash and chatter in the hacker researcher community. The strategy stated that the DoD
was going to treat cyberspace as a domain to conduct operations in. And it appeared
kind of modeled off of outer space, you know, treating space as, you know, these are DoDish
words, a domain. And there were some confused conversations going oh, why isn't anybody
upset if you treat cyberspace as a domain, there wasn't that much upset with treating
space, and nobody lives in cyberspace, which you could only hear inside the Government,
like a statement like that. Because if you think about it, you know, we all live in cyberspace.
And the hacker researcher community made it -- you know, made cyberspace-- I'm really
not a fan of that word -- made the Internet and online our homes well before the Government
and everybody else kind of made it just where they always lived and did everything in.
So if you send a message that that's somebody's backyard and that you're going to militarize
and prep for war in somebody's backyard, that can sound really scary. And it can galvanize
folks to respond. One of the problems was there was not an understanding
as to who the message was actually intended for. So in addition to treating it as a domain,
they said something else, which was and in response to -- and I'm paraphrasing -- but
in response to hacks, we will consider responding with kinetic force.
So if you don't actually specifically call out who the recipient of the message is, everybody
reading it thinks it's directed to them. I read it. I thought it was directed to me.
And I'm going like what the heck? You know, I joke, my buddy and I replace his, you know,
the HTML, the main Web Page, and that's considered a hack and all of a sudden I've got somebody
launching a Patriot missile at me? I mean, this makes no sense. What level of hack? Because
if we look at like CFAA response, maybe they actually think a Patriot missile is the right
thing for defacing a website. I don't know. And none of these are the right questions.
Because I'm not the intended audience, but of course I'm reading it as if I was. And
of course the logical next question is wait, do they understand how attribution works?
Because what if I do it bouncing through an ally? What if I do it from within the U.S.
Are they going to kinetically respond against themselves? And you kind of go okay, wait.
Back up. If the message were directed to, let's say,
you know, other countries, somebody in specific that has a significant power that they say
look, we're talking about critical infrastructure or something of that nature, if you turn off
the lights in New York, we will probably be able to figure out who you are, because you're
not a small little hacker defacing Web sites and maybe there is attribution in place that
we could respond to. That would have been an entirely different sort of message and
I wouldn't have read it as the whole like wow, if I get in root on something in my own
system, is the Government going to shoot me? Which is just silly. But I wasn't the only
person who read it that way. And it's nice having been in this field and
in the hacker researcher community for going on almost 25 years, actually, over 25 years,
and some folks were sending me -- saying hey, have you seen what's going on in the chat
rooms? And there were folks who were claiming affiliation or claiming support of Anonymous
going hey, have you read this? Look who is trying to prep for war in our backyards? Do
they even understand how attribution works? This is ***. If they think they can find
me, it's on. Let's go. And the next thing you know there were a couple
Web sites defaced, and they ended in like dot gov. Now this is where it gets kind of
funky. Defacing a website is kind of a message. It's a little warning shot. But that's in
a language that Govies don't know. So the Govies didn't get the message as far as, you
know, what I saw. So here's the initial strategy for operating
in cyberspace that goes out. Probably directed to somebody else, but by poor messaging is
misinterpreted by the group. The group responds, fires a warning shot. The warning shot isn't
understood. And it's like hey, what are these vagabonds doing? Look at the little street
punks, or whatever. They're not somebody who actually has a message that we should actually
engage in. And it's just this little cascading effect.
So that is kind of unfortunately where I saw, you know, the expanding of scope and a lot
of misunderstandings. I'm not saying the two groups should be friends. I'm not saying one
group is good and one group is bad. But when you send a message out into the world, and
this is for both groups, you really need to make sure it's understandable by all the parties
that are going to receive it. You can't assume it's just going to be read by the person you
had in mind. With all love and respect, there is one very
obvious commonality between the hacker researcher group and the Government, and it's that they
can be very arrogant and expect that everybody will speak their own language and they don't
have to speak anybody else's. And I think that's a very common mistake.
So the recommendation for the Government from my vantage point on both sides is figure out
how your messages are going to be received by the more general populace of cyberspace,
because we all live there now. This is actually a great opportunity for diplomacy. You can
kind of think of it like the lost city of Atlantis. Because cyberspace kind of took
the world, I think, the world by surprise. Obviously it hasn't been around that long.
So what if Atlantis just popped back up. And there was an advanced, very capable technical
group of people there, you wouldn't sit there and ignore them. You wouldn't taunt them.
You wouldn't attack them. You'd probably actually try to understand them and figure out how
messaging to somebody else might be interpreted by them. And you might even try and figure
out where you guys are and where you see things eye to eye and where you have differences.
So my recommendations to the citizens of cyberspace is keep in mind that the Government and in
particular the DoD has very specific focuses and goals. And they often only see things
from their own point of view. Because they're really focused on doing that job.
And when you read things that appear to be a message directed to you or your community,
coming from an unlikely source, you should question whether or not the message is actually
intended for you. Or if it's just intended for somebody else and really poorly worded.
And if you still think a response is necessary, you really need to think about the message
that you're sending to make sure that you don't make the same mistake in return.
My third story is -- let me give you a little background. I know a lot of people approach
me outside of work and go hey, you know what's going on. We're all owned. And these were
large companies that are oftentimes funded by taxpayer money. I'll just say it. They
are large Government contracting organizations. It's like hey, why don't you start a program
that actually pays us to go clean up the compromises, or at least figure out what happened, and
how bad the damage was. I'm like isn't that your job? And it made me think that there
is actually -- there is not a financial incentive for these companies to actually go fix the
problems. So the next question was is the inverse true?
Can Government contractors actually make more money by remaining compromised and continuing
to lose intellectual property? So this talk is called game theory is a ***.
I was having dinner with -- a lot of stories are because I'm outside having dinner because
I don't cook. I was having dinner with an old friend and
his company goes in and cleans up APT after big well-known names get compromised, whether
they're Government contractors or commercial organizations. And he posed a really interesting
hypothetical. Because we were just shooting the crap back and forth. He said what do you
think about the following chain of events? First, RSA gets compromised. Networks defended
by their tools are vulnerable and, as a result, a defense contractor gets compromised. Said
defense contractor, if you look up on Wikipedia, is the one who made this really cool stealth
drone. Later a really cool stealth drone goes missing over a Middle Eastern state. What
do you think about that chain of events? And I'm like that's terrifying. He is like yes.
I'm like no. No. For an entirely different reason.
Look at it this way. I have no clue. That's a hypothetical and there are a whole bunch
of rumors about what had happened. Let's assume that you as a country or a large organization
that your advantage is technology. You can field the fastest and the best technology
so you're ahead of everybody. That's your advantage.
Newest most advanced toys. Someone else steals some of your tech. What do you have to do?
You've got to replace it with newer tech. Right? You've got to keep your advantage.
So suppose a Government contractor gets some of the super tech stolen, and what does the
Government customer actually need to do? Well, the Government in that case -- and this is
a game theory hypothetical -- need to pay someone to make the next version so that the
people who just stole it don't achieve parity. So that they're not even. They could go to
some other Government contractor, because of course the one in question just lost everything.
But they actually most likely won't. And here's probably why.
The initial contract for very expensive research efforts can take a long time to put in place.
You're talking over a year. Sometimes longer than -- sometimes you measure it in years
rather than months. That was part of the coolness of CFT was that we were measuring that in
days. Imagine if you're under something, sequestration is what we're under now, it can take even
longer. So if a Government agency wanted to start a new program to replace tech, so it's
essentially starting the same program to do the same thing that you already were paying
somebody to do, A, it's tough to get permission to do that. Because you've got to go justify
taxpayer money and, well, we just gave you the money to do that. And, B, when you spin
it back up, you're going to have to redo a lot of work. You're going to have to redo
the contracting that you already had in place. You're going to have to spin people up to
speed on management side. You're going to have to respin up the tech side. And you've
spent years putting that in place. So why wouldn't you just go back to the people
that you already have a relationship with, already have a contract with, they already
know what they lost, or maybe you know what they lost and stuff, and you can tell them
because they're your customer. So you can pay them to do the next thing. Remember, they're
not financially incentivized to go fix how they were actually compromised in the first
place, or cleaning it up. Because staying with the familiar solution or situation is
comfortable, which makes it a trap that a Government funding source can actually be
particularly susceptible to. You can view this on a case-by-case basis
and kind of staying with the same contractor, it can even make sense. But if you step back
and listen to what has been talked about in the media, you may see something that is a
larger picture that seems like an endless list of technologies and IP being stolen.
And each time it happens, that company is in a situation where, A, there is really no
penalties or reprimands for it. On the contrary, they are rewarded with more funding.
So because their customer needs to make the next tech to replace the stuff that just got
stolen, to replace the stuff that just got stolen, to replace the stuff that just got
stolen. So, yeah, game theory is a *** because if you look at it from this angle -- and part
of the neat thing is you can fall into game theoretics without realizing that you're doing
it -- Government contractors can actually be in a situation or are actually in a situation
that they are financially incentivized in some places not to listen to their network
sys admins and not to really deal with the problem perhaps the way with the drastic changes
that need to be made. The fourth and kind of closing story, and
maybe I'll do a fifth story about Barnaby Jack and Abu Dhabi. Yeah, I think I'll do
that. I mention Barnaby Jack and I get all teary.
Yeah, maybe I just stick with the fourth story, then.
The fourth story, closing, is more of a kind of plea to both the Government communities
and the hacker researcher communities, because from the vantage point of both. I don't have
a lot of examples of our community, the hacker researcher community, really reaching out
in a proactive and positive way to educate and enlighten the Government. We do it, but
we do it really ad hoc. And I think we need to try a little harder to do specific examples.
I've been a little upset about some of the things on the news lately. And, actually,
one of your options, it is a scary option, is to actually go inside and try and fix them
there. People will fight you tooth and nail. It is not for the faint of heart. But that's
actually what I did when I went over to DARPA. I didn't go there because I thought it was
cool. I didn't go there because I wanted to be a part of the Government. I actually went
there because I thought that they and other parts of the Government had kind of lost their
way. And I had an opportunity to go in and fix it.
I did get a really nice unofficial e-mail from somebody recently and it was about CFT,
which makes me think that we actually, because you guys were all a big part of that, did
manage to pull some of that off. So I'm going to quote from this e-mail I got to my personal
account. And the person said "I recently had a meeting with all the agencies, and the DoD
services, and listening to them it was my turn to be terrified because of how out of
touch with reality they were with cyber security and cyber defenses, and it made me realize
how much I and the DoD owe you" and that's us "for cyber fast track." And here is the
part where I was happy. He said "I thought CFT was showing the Government how they should
be doing contracting. But now I actually understand what you were doing. It was showing the Government
what the real state-of-the-art is and why they should be afraid of people on the inside
who continue to just preach the status quo and throw money at the same problems the same
way they had done before." So that was actually pretty cool, because
somebody -- they're starting to realize that. And I've heard people at high levels, flag
officers, a couple pockets were starting to refer to hacker researchers as researchers.
It was hacker equals researcher, not hacker equals criminal. I thought that was really
cool. It's not saying that we should all go in and support the DoD and I'm not telling
you you should like the DoD. I've got a lot of issues with the DoD, and I'll continue,
and I'm sure they have a lot of issues with me. This talk might even be one of them.
But what happens there is now that they know where some of the real ideas and some of the
real talent come from, they're undoubtedly going to reach out and try to tap into it
in various ways. And this kind of goes back to an earlier story where they kind of projected
their problems and their images and their goals on somebody else. So there is likely
to be some uninformed and failed outreach efforts. So I've got a couple of recommendations
to the Government that maybe will help with that.
So I think it's really cool when Government officials throw on blue jeans and a black
T-shirt, because of course then they're part of our community.
(Laughter) But that's not necessarily all there is to
interacting with us. And it makes sense before you present at a conference like this, that
you should probably consider attending one and actually interacting and getting to know
the people. There was one guy who was a three-star general who did that at ShmooCon, and
I thought that that was one of the coolest things. He wasn't there for any agenda. And
I remember conversations with him afterwards. He actually had an understanding. He was like
oh, this is awesome. No, there is no way people should try and go in and mess with them or
try and co-opt them or try and -- and I was like yeah, exactly. That's us. That's the
citizens. That's the population of the U.S. So the message to the other ones who haven't
really made that turn is go and actually interact. Now the response I'd get was the schedule
is too crazy. Can't possibly do it. And I saw those schedules, and sometimes I was even
on those schedules. But if it's important enough -- I know, I acknowledge, they are
crazy schedules. These guys work like bears, which doesn't mean that they sleep for half
the year. (Laughter)
A bad analogy as soon as I said it. I was going to say like a swear word, and bears
came out instead. Anyway. If it's important enough for you to want to
reach out to a community, you've got to go out and you've got to make the effort and
you've got to put it in your schedule and you've got to go interact with them on a one-on-one
level first. Because that showing your homework and doing your homework shows respect.
The next suggestion to them is, and this is what I tried to encourage inside, is you can't
go out and do a recruiting pitch. Because it comes across really poorly. I used to get
so bent out of shape when I would see a Govie stand up at a hacker conference and I'm like
here it comes. We do awesome stuff, but I can't tell you anything about it. Trust us.
You with the mohawk, if you shaved your hair, if you put on a suit and maybe even a uniform,
stopped smoking dope, you could come work for us and actually do something with your
life. That's how I interpreted it. Now that might not be the message. It might just be
a look, you know, we need help and we're trying to reach out to you. But it's just a take,
take, take sort of message. What can you do for us today? You know, what can you do for
us now? And to me it was offensive. What would it be like if you had a senior
official from a very technical agency come out and actually give a technical talk? Because
this is a meritocracy. That's where this community came from. A meritocracy is where your value in the
community is based upon how much you contribute to that community. And that's one of the reasons
why I was really happy that -- because I know a lot of people are like why the hell did
Mudge go over and go to the DoD? He was one of us and now he's one of them. And I had
spent 15, 20 years contributing to this community, and I wasn't about to stop. And when I was
there, I was able to actually fight for this community and try and make sure that the interactions
were a little bit better and that we were treated and engaged with normally. And those
10, 15 years of contribution gave me enough grace period to build trust up again on both
sides. And you've got to do that and you do that
by interacting with people. So the value of somebody in one of those agencies coming and
giving a technical talk wouldn't be that you learned something really cool about how SELinux
was actually done and why it was done. Or what the internal battles were to get it
across. It wouldn't be that somebody is going through the technical components of one of
the numerous patents that are out there, you know, let's say the IP geolocation. You know,
the ones that we've read about. It would actually be that they're engaging us and interacting
with us in our own language and treating us as peers and starting a dialog.
So I think I will give the Barnaby one after this. But I'll summarize this one here.
Am I telling us -- you know, am I pleading that we should not challenge the Government?
Absolutely not. I think challenging the Government is your patriotic duty as a citizen and I
think it is very important to do. It's painful for both sides, but it's something that has
to happen and it's why we're such a great nation.
(Applause) We also need to -- I mean, you can't train
a dog just by repeatedly beating it. I mean, it will learn some stuff, but it will probably
learn stuff that you weren't intending and it will bite you at some point. So when you
see the dog do something good, it's nice to give it a treat, and there are certain little
pockets inside the Government. And one of the things that I think that we as a community
can do better is, yes, we need to challenge the stuff that we're seeing. We need to challenge
the things that are in the news. But if you see a small pocket of hope, like if you see
a Congresswoman that is helping put through Aaron's Law, you know -- changing things like CFAA. I don't deal with
losing people well. Excuse me. Somebody is going to change CFAA, we need
to support them. We need to help them. We need to encourage them for actually going,
because they're going to get a lot of crap thrown at them. And they're actually doing
the right thing and there is not a lot of people supporting them. So we need to be more
vocal as a community to actually support them. There was a Colonel in the Army who managed
to get the NSA to have to include "Little Brother" as a book that they read as part
of their training. Have you read "Little Brother," Cory Doctorow? That's awesome. That helps
sensitivities. That guy caught a lot of crap for that, and it was really cool. I mean,
there is nothing wrong with that book. That book gives you a new way of looking at things.
And the more ways you have of looking at it, the more understanding you have and the more
positive outcome. That guy is also, I say he is a Colonel. He
is over at West Point. His name is Greg Conti. I'll call him out. He was one of the people
who encouraged the cadets to actually go out and talk at our conferences and contribute
to the UA -- build your own UAV at a 99.99 percent discount by Mike Wiegand was an example
of that. And it's engaging and that's actually sharing in a creative dialog at ShmooCon.
He and his colleague walked through their training course that they ran at Fort Meade,
to try and socialize folks. It was lessons of the Kobayashi Maru. I highly recommend
you go watch this talk. Because he had to teach them how to cheat. And it's hilarious
and it's insightful and it's humanizing. Most importantly, it's humanizing.
So where we see those pockets of hope and of outreach and of engagement, I'd just really
like to ask all of us to try and figure out a way for each time we're challenging something,
we really have to try and encourage the good behavior.
Okay, so let me try to give my Barnaby one without breaking down into tears here. Let's
see if I pulled myself together. It's a real quick one, but it's my tribute to him.
Two things that happened in our actions with Barnaby that I'll always remember. I remember
all of the interactions, but two stand out. One was a talk. I was on the steering committee
of NDSS, and they asked me if I could bring in some folks to run some demos that would
kind of break the academics out of the academic mold, and you know what better people than
Barnaby Jack when he was working with eEye and the rest of the eEye team to actually come in.
The problem is that the conference, like a lot of conferences, they were cheap. They
wouldn't pay them to come do the work, or whatever. So I said all right, guys, you know,
the drinking bill the night before is on me. I'll foot the bill myself, which is a very,
very dangerous thing to do. Barnaby had a great time. I don't think they
went to sleep, they just kept drinking. They were on in the morning, and the audience at
NDSS I don't think actually really understood how cool the technology was that was being
demonstrated. Because this is almost ten years ago, at this point.
And Barnaby was remotely compromising a wireless router, replacing the firmware and then Trojaning
the Microsoft updates that were going through it over the wire before they were delivered
to the end system. And then they demonstrated a boot route, where they were getting an Ethernet
-- so a computer that was told not to boot off the network, the Ethernet adapter was
on the PCI board so it had direct memory access and it would still emit a BOOTP packet. And
if you responded to it, the Ethernet board would actually shove it directly in memory
and reboot it from the network even if your BIOS didn't have that capability.
So of course they would say here is your base operating system. It has a little hypervisor,
and of course the operating system would load up on top of it. This was a decade ago. This
was awesome. And the reason why I don't think any of the
audience actually caught the technical part of those talks is because Barnaby nearly threw
up on stage ten times in the middle of trying to give that talk, and everybody in the first
row was terrified that they were at some perverse form of a Gallagher hacker show.
(Laughter) And then the other thing I remember about
Barnaby was I had just gone in and I was working for DARPA. And my first public speaking engagement
as a U.S. Official was in Abu Dhabi. So here I am, first time, the Government is a little
nervous about me, I'm a little nervous about them. I'm flying under my Government official
passport, not my blue tourist passport. So all the coordination between the countries
that I imagine has to go on with those folks, and I'm in Abu Dhabi and it was actually to
do the keynote for Black Hat. It was the first year they were over there. And it was the
first time ever that I was showing parts of the cyber analytic framework that I drove
at DARPA. And it was my way of trying to get a small group of peers that I could interact
with and get feedback and just talk honestly, you know, does this make sense or am I full
of crap? And Barnaby was there and the Grugq is there.
And those are two people that put together, that will deplete the world's alcohol supplies.
And he was doing his jackpotting ATM machines. Now the UAE has a lot of money they've come
into since the '70s. And in the palace there is an ATM machine that dispenses gold bars.
(Laughter) Very expensive gold bars. Not like you've
got a $200 withdrawal limit. I mean, these are in the tens if not hundreds, I can't remember
how high up the price was. There might have been the ability to withdraw a million dollar
gold bar from it. And some of you might have seen the picture of Barnaby going like that
right next to the thing. So Barnaby's had a few drinks and they see
the gold ATM machine. So how do you think it works? And they are peering behind it and
everything. And the folks who are -- I think it's the son or one of the relatives of the
Crown Prince, who I knew from a prior life, was looking at me going what's going on? And
they're all starting to gather around the gold ATM. And I forget who it was that tweeted
and said I remember Barnaby in the UAE and having to go to the State Department to basically
-- or the embassy, calling the embassy to make sure everything was okay.
So it wasn't the embassy, it was me, having to go over, talk to, you know, people who
are part of the court of the Crown Prince and explaining: No, I know you're not used
to extremely heavy drinkers, and you just invited a bunch of hackers into your country,
and they've demonstrated a bunch of crazy terrifying things, and now they're eying your
million dollar gold vending machine. (Laughter)
It's Barnaby Jack. He's cool. Don't worry about it. I'll tell you what, you probably
want to know if your million dollar gold vending machine has this problem. So why don't you
let him do a little bit, and then when they walk away, why don't you pull the plug on
the thing and then move it off the floor. Sure enough, everybody got a little tired.
Because of course there's some research that has to go into these things, and the alcohol
fueling only lasts so long. And when somebody got a little tired and decided to walk away,
the next day you see there's this big curtain pulled around everything and nobody is allowed
near the thing. So there was no reach out to the embassy and there was no international
incident. But there was Barnaby Jack, and he will be missed.
Thank you. (Applause)
>> You can't go anywhere. So I'm joined up here by just a very small subset of the CFT
performers that were involved with Mudge's DARPA program, cyber fast track. So we want
to take the opportunity -- hold on a second. (Applause)
We really just want to get up here and thank Mudge for all of his efforts inside DARPA
with this program. We all had a lot of fun. You've seen some of the research that's come
out of it at DEF CON and Black Hat and there will only be more that's coming out soon.
But we also wanted to thank him for his entire career from L0pht to DARPA and now onwards
to Google. I'm sure there's many more interesting things to come. So please give your strongest
round of applause for Mudge and everything he's done for the cyber community.
(Applause) There's more. Don't go anywhere yet. We're
not done. So what we didn't mention is hopefully -- I'm
going to say a few things about Mudge and hopefully some other people who participated
in CFT will as well. My name is Joe Grand and I've known Mudge
for a really long time. I was in the L0pht back in I guess we met in 1990, I was like
a 15-year-old punk little kid. And ended up getting in trouble for some things, joined
the L0pht, and Mudge came in around the same time. And he -- I don't know if I ever told
him this, but he was one of my mentors growing up. From that point as a 16-year-old kid,
everybody else in the L0pht was older. I sort of got to see the experience of somebody that
was like six or eight, twenty years older than me. I don't exactly know. He never actually
told me his age. (Laughter)
But it was something that I got to follow along. I was in the L0pht and it was a great
experience. And I sort of grew up in that from 16 to 22. After we started @stake,
you know we sort of disappeared for a while. Mudge went one way, I went another. Some of
the other guys just sort of disappeared. And then he sort of surfaced I guess 2008
or '9, and it was like all of a sudden Mudge is back and he's in DARPA. And I was like
holy ***. Mudge is back. And he's working for "the man."
(Laughter) And here I was, grew up with him in the L0pht,
and there is a lot of stuff in the L0pht that you guys don't know. And it was awesome. And
yeah, I didn't really know what to think. I was still involved in DEF CON and the hacker
community. It was just -- to me, seeing that, it was like wow, that was a big jump, and
that takes some serious balls to do that. And I could never imagine doing that. And
I think everyone was like what's going to happen? What's he actually going to do out
there? It turned out to be an amazing thing. CFT
happened and a huge number of my friends ended up doing all these projects. Charlie Miller
had two projects in CFT, and I was like how is everybody doing all this stuff? I was like
I want to do a project with CFT. I was running with Charlie one day and he was like yeah,
you should do it. Mudge has this whole thing wrapped up. You just write a proposal and
he reads it and if it gets approved they send you money and you can work on stuff. I'm like
really, is it that easy? He's like yeah, do it.
So that was last year. I was like I don't know, do I want to work for Mudge again? Like
that's going to be really weird. Like we were in the L0pht and I don't want him to be my
boss. Really, this was his huge complaint. It's like they'll give you money. I was like
I don't want to work for Mudge. But he's like it's not working for Mudge, you know some
other group takes care of it. So I'm like all right, cool. And I thought
it was just a great thing that he was doing. So I submitted a project that got rejected.
And I'm not sure I'm allowed to say this because I don't know if it was part of the official
process, but he called me up. Like I submitted the official proposal and like 15 minutes later
he calls me. He said I need to talk to you in person about this. I don't need to send
you an e-mail. So he explained the process. I said all right. That's cool. Too much engineering,
whatever. It didn't fit the DARPA thing, the CFT thing. I'm like okay, that's fine.
But it drove me to like -- it's like I've got to get a CFT in. All my friends are doing
it, it's like I've got to take advantage of this while
I can, man, before it goes away. So eventually I got one in and I'm still working
on it right now. And it occurred to me that it's not that you can like -- you're doing
this project to make money. Right? You're not doing a job to make money. It's the fact
that you're able to get money to do what you want to do. And, you know, it's -- you do
it -- you do what you love to do and you're not losing money is sort of what it is. And
that's sort of what we try to do at the L0pht. It's like do what we want to do and not lose
money, but make sure that we can keep kind of pushing things.
So I don't know, I just wanted to say that. I don't know if you notice on the back -- can
someone turn around? On the back of these shirts it says "making the theoretical, practical,
since 1992." (Applause)
And I don't know how we came up with that, but that was one quote that we talked about,
writing exploits and kind of showing vendors, like look, this is a possibility. But the
one that isn't on the back of this shirt is what we always used to say about making a
dent in the universe when we were at the L0pht. I think Mudge actually came up with that.
So we would be in interviews and news stuff and press, and Mudge would say we're going
to make a dent in the universe. And I was like yeah yeah yeah, you know. I said it,
but I was like that's total ***. How are we going to make a dent in the universe,
we're seven guys with -- you know, he had long hair, as you know. And seven guys
in a warehouse, it's like how are we going to actually make a dent in the universe?
Although the hacker community, is like a small -- that's not the universe. It's a small universe
but it's not the universe. But he actually believed it.
You know, and I was sort of like -- yeah, I was going along with it. But he believed
it, and it didn't actually hit me until he got to DARPA and did CFT, and I was like holy
***, he did make a dent in the universe. You know? It's like that -- the work the he
did and the work that came out of CFT totally changed the world, whether it's immediate
or whether it's later. It changed the Government, it changed the thought process, it's amazing.
So I just wanted to thank him and welcome him back out of working for "the man" back
into like the normal world. So thanks. (Applause)
>> I do also have to say that Charlie is responsible for probably 70 percent of the CFTs that were
submitted. I had a similar phone call with him, I don't know, a couple years back. I
remember distinctly. And people have a very interesting opinion of what it's like to participate
in any sort of DARPA or government grant. And speaking with Charlie and learning about
the streamline process and the kind of low overhead it takes to get a grant through and
actually get funding to, again, do what you want to do was very attractive. So I think
this program itself was wildly successful alone. But I think it also changed a lot of
our personal views about dealing with the Government, and I hope that can continue with
CFT with the next program manager. I would also say that BIT Systems -- are there
any other BIT Systems guys up here? So BIT Systems helped run the program for DARPA.
(Applause) So we will give them a round of applause ourselves
because they are great to work with.
>> You know, I hadn't registered for DEF CON
in over 20 years, which brings some perspective. And I've known this guy for a very, very,
very long time, and he always wanted to be something greater than the average bear and
to change things. And I don't know if he would mind me saying
this, but I'll say it anyway, back in the day, when his hunger was great, he asked me
to take over the L0pht, which was probably a bad idea for a variety of reasons. But I
had faith in him that he is going to figure it out. And he did. And I've worked for him
now for the last couple years. And, unfortunately, I had been fired by him because the program
is ending. But congratulations, guy, you really did good.
>> Thanks, Dan.
>> Thank you.
(Applause)
>> I just want to say something super quick.
We're hackers, and we're individualists, and we hate anyone speaking for us. But Mudge
is pretty much the only guy that I'll let speak for me any time he wants.
(Applause) (End of session)
(6:00 p.m. PT)