1 00:00:00,000 --> 00:00:02,959 NICHOLAS PERCOCO: Okay, good morning, everybody. 2 00:00:02,999 --> 00:00:03,999 I'm Nick. 3 00:00:03,999 --> 00:00:04,999 This is Josh. 4 00:00:04,999 --> 00:00:06,250 We will do a few introductions and then jump right 5 00:00:06,250 --> 00:00:08,000 into the content here. 6 00:00:08,501 --> 00:00:10,250 I'm Nicholas Percoco. 7 00:00:10,334 --> 00:00:14,083 I have always been and I currently am a hacker. 8 00:00:14,083 --> 00:00:15,083 Yay. 9 00:00:15,083 --> 00:00:16,083 (chuckles). 10 00:00:16,083 --> 00:00:18,626 Let's try that again. 11 00:00:18,626 --> 00:00:19,626 No. 12 00:00:19,626 --> 00:00:20,626 Whew. 13 00:00:20,626 --> 00:00:22,792 NICHOLAS PERCOCO: In my day life, day job, I actually run 14 00:00:22,792 --> 00:00:26,999 a small team called SpiderLabs at Trustwave. 15 00:00:29,959 --> 00:00:32,999 And some of the background, I have done a lot of speaking. 16 00:00:32,999 --> 00:00:35,250 This is my eighth time speaking here at DEF CON and I spoke 17 00:00:35,250 --> 00:00:37,083 on stage at TED. 18 00:00:37,083 --> 00:00:42,584 I have also keynoted RSA this past year and here's Josh. 19 00:00:42,584 --> 00:00:48,167 JOSHUA CORMAN: Good morning. 20 00:00:48,167 --> 00:00:49,999 So I'm Joshua Corman. 21 00:00:49,999 --> 00:00:53,375 In my day job, I'm director of security intelligence for Akamai. 22 00:00:53,375 --> 00:00:55,083 My comments today are my own and may not reflect those 23 00:00:55,083 --> 00:00:56,959 of my employer. 
24 00:00:57,999 --> 00:01:01,334 I've kind of been wrestling with being a philosopher 25 00:01:01,334 --> 00:01:04,918 in a hacker community, but I think I've come to own it 26 00:01:04,918 --> 00:01:08,876 and I think my research has trended from things like espionage 27 00:01:08,876 --> 00:01:11,999 and malware to things that have affected our lives 28 00:01:11,999 --> 00:01:15,626 and human rights and public safety and that has taken me 29 00:01:15,626 --> 00:01:18,667 down the path for today's topic. 30 00:01:19,083 --> 00:01:21,417 NICHOLAS PERCOCO: A little bit about where we came 31 00:01:21,417 --> 00:01:23,959 from and where we're going. 32 00:01:24,167 --> 00:01:27,918 This talk is actually not a presentation. 33 00:01:27,918 --> 00:01:28,999 This is a discussion. 34 00:01:28,999 --> 00:01:31,250 This is a discussion between me and Josh here on stage 35 00:01:31,250 --> 00:01:33,999 in a discussion with all of you. 36 00:01:34,083 --> 00:01:36,751 This is not a finished presentation. 37 00:01:36,751 --> 00:01:39,501 So if you're expecting at the end of this to have us solve 38 00:01:39,501 --> 00:01:42,999 the world's problems, that's not the intent. 39 00:01:42,999 --> 00:01:44,501 It is to start the discussion. 40 00:01:46,792 --> 00:01:48,751 In the middle of the audience we have 41 00:01:48,751 --> 00:01:50,667 a microphone. 42 00:01:50,792 --> 00:01:52,834 It is there for you to use. 43 00:01:52,834 --> 00:01:53,999 If you have a question, you have a comment, 44 00:01:53,999 --> 00:01:57,709 you want something to add to the conversation, please use it. 45 00:01:57,751 --> 00:02:01,999 But also note that we have a finite amount of time here on stage, 46 00:02:01,999 --> 00:02:05,999 45 minutes to be exact, if you can't fit your comments 47 00:02:05,999 --> 00:02:10,959 in 140 characters, please save it for the Q&A session. 48 00:02:10,959 --> 00:02:11,999 We will have a Q&A. 49 00:02:11,999 --> 00:02:13,083 There is no Q&A room. 
50 00:02:13,083 --> 00:02:14,542 But afterwards please join us in the Chillout lounge 51 00:02:14,542 --> 00:02:16,667 to continue the discussion. 52 00:02:17,334 --> 00:02:20,584 JOSHUA CORMAN: Part of the impetus of this, how many 53 00:02:20,584 --> 00:02:23,709 of you have been to DEF CON before? 54 00:02:24,083 --> 00:02:25,083 Okay. 55 00:02:25,083 --> 00:02:28,125 A lot of new people here this year, I don't know if you noticed. 56 00:02:28,125 --> 00:02:30,334 It is both encouraging and overwhelming. 57 00:02:30,334 --> 00:02:32,999 A lot of us got into hacking because it was our hobby. 58 00:02:32,999 --> 00:02:33,751 And when we weren't paying attention how many 59 00:02:33,751 --> 00:02:36,999 of you noticed that it accidentally became our profession? 60 00:02:39,918 --> 00:02:42,667 Again, we weren't paying attention again. 61 00:02:42,667 --> 00:02:43,667 I.T. 62 00:02:43,667 --> 00:02:46,083 security which was our hobby and job is now permeating every 63 00:02:46,083 --> 00:02:50,834 aspect of our personal lives and our personal safety and our kids. 64 00:02:51,626 --> 00:02:53,999 We are putting software in places it does not belong 65 00:02:53,999 --> 00:02:55,792 and it is merited. 66 00:02:56,083 --> 00:02:58,375 We have medical devices that are completely pwnable 67 00:02:58,375 --> 00:03:02,375 and are not encrypted at all on their Bluetooth stacks. 68 00:03:02,375 --> 00:03:06,709 When I tried to buy a car, I couldn't find one that wasn't hackable. 69 00:03:07,999 --> 00:03:12,667 You can find default names for hydroelectric dams. 70 00:03:15,542 --> 00:03:17,334 This isn't fun. 71 00:03:17,334 --> 00:03:18,334 This is real. 72 00:03:18,459 --> 00:03:22,083 As we depend on software in places, it needs to be dependable. 73 00:03:22,083 --> 00:03:25,918 And in the presence of attackers, it needs to be defensible. 
74 00:03:27,501 --> 00:03:31,083 Every time I want to quit security, I realize that our failures 75 00:03:31,083 --> 00:03:35,209 will be inherited by me, my mind, my family and soul. 76 00:03:35,999 --> 00:03:37,918 Don't think about how do you get better 77 00:03:37,918 --> 00:03:40,542 at our day job, think about how do you hack your personal 78 00:03:40,542 --> 00:03:42,999 life and your personal freedoms. 79 00:03:42,999 --> 00:03:44,999 And that should be the scope of today. 80 00:03:45,792 --> 00:03:48,999 NICHOLAS PERCOCO: A couple of weeks ago I decided to do 81 00:03:48,999 --> 00:03:50,876 a juice cleanse. 82 00:03:50,876 --> 00:03:52,626 Have any of you ever done one before? 83 00:03:53,584 --> 00:03:58,083 You spend three days drinking six bottles of juice and nothing else. 84 00:03:58,125 --> 00:04:02,751 Besides having interesting bowel activity, it also gave me very vivid 85 00:04:02,751 --> 00:04:05,375 dreams when I would sleep. 86 00:04:05,375 --> 00:04:07,709 And so at night I would go to bed and I would wake 87 00:04:07,709 --> 00:04:11,667 up in the morning with these sort of memories, these odd memories. 88 00:04:11,667 --> 00:04:13,584 You know when you wake up from a dream 89 00:04:13,584 --> 00:04:18,167 and you are disoriented and you think it was almost a real experience 90 00:04:18,167 --> 00:04:20,167 within a dream. 91 00:04:20,501 --> 00:04:22,999 I had a few of those a couple of weeks ago. 92 00:04:22,999 --> 00:04:27,209 The first dream I jotted down that I took notes about, I was 93 00:04:27,209 --> 00:04:28,999 on a bus. 94 00:04:29,083 --> 00:04:31,459 The whole dream took place on a bus. 95 00:04:31,459 --> 00:04:33,083 I didn't know where we were going. 96 00:04:33,083 --> 00:04:34,542 I was a little bit confused. 97 00:04:34,542 --> 00:04:35,918 I saw people I recognized. 98 00:04:35,918 --> 00:04:39,209 I saw people sitting with paperwork and computers in front of them. 
99 00:04:39,209 --> 00:04:41,167 I started to ask questions. 100 00:04:41,167 --> 00:04:42,167 Where are we? 101 00:04:42,167 --> 00:04:43,167 Where are we going? 102 00:04:43,375 --> 00:04:46,709 And I soon realized that we were all going to apply 103 00:04:46,709 --> 00:04:50,584 for federally issued software development licenses, that each 104 00:04:50,584 --> 00:04:55,709 of us somebody actually showed me they had one that was expired. 105 00:04:55,709 --> 00:04:57,999 They needed to renew their license or they could not even write 106 00:04:57,999 --> 00:04:59,709 a bit of code. 107 00:04:59,751 --> 00:05:03,709 So I thought that was pretty interesting to sort of have that dream. 108 00:05:03,959 --> 00:05:07,918 One of the other dreams I had that I took notes about, I was actually 109 00:05:07,918 --> 00:05:09,459 in a hotel. 110 00:05:09,459 --> 00:05:10,626 I travel quite often. 111 00:05:10,626 --> 00:05:13,459 I actually travel all over the world almost constantly. 112 00:05:13,459 --> 00:05:14,292 And, you know, in the morning when you walk 113 00:05:14,292 --> 00:05:16,334 out of the hotel and the "USA Today" paper is there 114 00:05:16,334 --> 00:05:18,999 on the floor and you see the headlines. 115 00:05:18,999 --> 00:05:20,876 That's how you wake up in the morning. 116 00:05:21,083 --> 00:05:25,999 I glanced down at the paper as I was off to a meeting and saw 117 00:05:25,999 --> 00:05:30,167 on the headlines, it said: Florida man arrested 118 00:05:30,167 --> 00:05:35,375 for hacking tools, possession of hacking tools. 119 00:05:35,375 --> 00:05:37,250 I remember flipping over the paper and reading page 7 120 00:05:37,250 --> 00:05:39,918 about what that story was about. 121 00:05:40,999 --> 00:05:45,375 And it showed it had a logo of Metasploit and it mentioned nmap 122 00:05:45,375 --> 00:05:50,501 and Nessus and other tools people have in their possession. 123 00:05:50,501 --> 00:05:52,667 I thought that was interesting. 
124 00:05:52,999 --> 00:05:55,334 And then another dream I had I started soon realizing 125 00:05:55,334 --> 00:05:58,083 they weren't necessarily dreams. 126 00:05:58,083 --> 00:05:59,083 They were vivid. 127 00:05:59,083 --> 00:06:01,167 But they were actually nightmares. 128 00:06:01,584 --> 00:06:05,626 In this third dream, I was walking down the street in Chicago. 129 00:06:05,999 --> 00:06:07,125 Sort of dusky. 130 00:06:08,083 --> 00:06:13,542 Turned down an alley and walked up to a door and rang the bell. 131 00:06:13,751 --> 00:06:16,417 I remember trying to see a camera shining on me. 132 00:06:16,417 --> 00:06:18,167 I rang the bell and they buzzed me in. 133 00:06:18,417 --> 00:06:20,792 I went in and walked up three flights of stairs and walked 134 00:06:20,792 --> 00:06:22,999 into a Chicago apartment. 135 00:06:23,167 --> 00:06:26,584 And there were girls and boys having conversation. 136 00:06:28,959 --> 00:06:31,999 There was a cluster of monitors and in another area there were some 137 00:06:31,999 --> 00:06:36,417 electronics laying about and, of course, a lot of cables all over the floor. 138 00:06:36,417 --> 00:06:39,250 Somebody I recognized actually handed me a beer and said, welcome, 139 00:06:39,250 --> 00:06:42,125 the discussion will start in a little while. 140 00:06:42,125 --> 00:06:44,834 I took my seat and started saying hi to people. 141 00:06:44,999 --> 00:06:48,250 And then all of a sudden the lights went out, electricity went out, 142 00:06:48,250 --> 00:06:51,626 all the power went out in this apartment. 143 00:06:51,959 --> 00:06:54,167 The initial reaction, I remember someone 144 00:06:54,167 --> 00:06:58,751 in the background saying fucking ComEd, the power went out. 
145 00:06:59,167 --> 00:07:02,501 Then we heard banging on the front door and banging 146 00:07:02,501 --> 00:07:06,709 on the back door and men came into the room wearing black shirts, 147 00:07:06,709 --> 00:07:10,167 black pants, black boots and they started to say we were 148 00:07:10,167 --> 00:07:13,792 under arrest for violation of some act. 149 00:07:13,792 --> 00:07:16,083 And I can't really recall what that act was. 150 00:07:16,292 --> 00:07:17,999 They lined us up against the wall. 151 00:07:18,083 --> 00:07:22,083 And one by one they zip tied our arms and legs and carried us 152 00:07:22,083 --> 00:07:24,083 down the stairs. 153 00:07:25,501 --> 00:07:27,834 Now, this was a nightmare that I had. 154 00:07:27,834 --> 00:07:30,876 Obviously it is not real but it is very much grounded in reality, 155 00:07:30,876 --> 00:07:34,083 in the things that we experience today. 156 00:07:34,083 --> 00:07:37,959 If you extend what is going on today, five, ten years from now, 157 00:07:37,959 --> 00:07:42,876 I can see a time when someplace like DEF CON can't exist. 158 00:07:43,459 --> 00:07:45,459 But we don't have to. 159 00:07:45,999 --> 00:07:47,999 There's a better way. 160 00:07:48,083 --> 00:07:50,999 I could see a time when friends are being arrested 161 00:07:50,999 --> 00:07:53,209 for writing tools. 162 00:07:53,626 --> 00:07:57,501 We're being criminalized for research, but we don't have to. 163 00:07:59,999 --> 00:08:02,751 JOSHUA CORMAN: Uh oh. 164 00:08:02,751 --> 00:08:05,250 So when Nick told me his dreams, I had two thoughts. 165 00:08:05,250 --> 00:08:07,209 First, I'm never doing a juice cleanse. 166 00:08:07,542 --> 00:08:08,542 (laughter). 167 00:08:08,542 --> 00:08:10,999 JOSHUA CORMAN: I said this isn't fun. 168 00:08:10,999 --> 00:08:12,626 Let's get real. 169 00:08:12,626 --> 00:08:14,167 These are actually precedents. 
170 00:08:14,167 --> 00:08:16,999 Whether you love or hate Weev, Weev's case 171 00:08:16,999 --> 00:08:22,999 is a very dangerous precedent for the criminalization of research. 172 00:08:22,999 --> 00:08:25,999 This community does and lives and thrives on our ability 173 00:08:25,999 --> 00:08:29,334 to pervasively do security research. 174 00:08:29,584 --> 00:08:31,501 If you saw the aggressive prosecution 175 00:08:31,501 --> 00:08:35,999 of the late Aaron Swartz and all the Aaron's Law discussions coming 176 00:08:35,999 --> 00:08:37,751 from this. 177 00:08:37,876 --> 00:08:41,083 There is a state law in Texas that makes it technically illegal 178 00:08:41,083 --> 00:08:42,999 to do a port scan. 179 00:08:44,959 --> 00:08:48,999 Germany and France have already specifically outlawed certain hacker 180 00:08:48,999 --> 00:08:53,459 tools that are really just assessment and nmapy type things. 181 00:08:53,459 --> 00:08:57,125 I learned last night Brazil, after some actress had some nude 182 00:08:57,125 --> 00:09:01,083 photo revealed, passed a law that makes it criminalized 183 00:09:01,083 --> 00:09:05,584 to have nmap or any port scanning tools at all. 184 00:09:06,167 --> 00:09:08,250 This isn't fun. 185 00:09:08,250 --> 00:09:10,751 These are things that are actually happening. 186 00:09:10,959 --> 00:09:16,167 And it is up to us in lieu of any adults in the room to be the adults. 187 00:09:16,167 --> 00:09:18,334 Now, that should terrify you, right? 188 00:09:18,334 --> 00:09:19,334 (laughter). 189 00:09:19,334 --> 00:09:21,501 JOSHUA CORMAN: But it dawned on me over the last couple years, 190 00:09:21,501 --> 00:09:25,292 I was researching Anonymous two years ago here at DEF CON. 191 00:09:25,292 --> 00:09:27,459 One of the things I was concerned about was 192 00:09:27,459 --> 00:09:32,125 a neo-McCarthyism when you had aggressive, high profile demonstrations 193 00:09:32,125 --> 00:09:34,209 of hacking will. 
194 00:09:34,334 --> 00:09:36,999 Whether you like them or not, it captured hearts and minds 195 00:09:36,999 --> 00:09:39,375 and scared policymakers. 196 00:09:39,375 --> 00:09:41,709 When powerful people are uninformed, they make powerfully uninformed 197 00:09:41,709 --> 00:09:43,083 knee jerks. 198 00:09:44,334 --> 00:09:48,083 He started off in his intro: He is now and always was a hacker. 199 00:09:48,125 --> 00:09:51,584 I fear the need to say: I'm not now nor have I ever been a hacker 200 00:09:51,584 --> 00:09:53,751 in our near future. 201 00:09:54,083 --> 00:09:57,209 If you are not worried about it, you really, really should be 202 00:09:57,209 --> 00:09:59,792 because policymakers are as technically literate 203 00:09:59,792 --> 00:10:01,876 as this community is. 204 00:10:01,999 --> 00:10:04,167 That's really the thrust of this talk, is that I think a lot 205 00:10:04,167 --> 00:10:07,459 of us even our best and brightest researchers, even our A listers, so 206 00:10:07,459 --> 00:10:09,000 to speak, every time I ask them why 207 00:10:09,000 --> 00:10:13,167 they aren't more concerned they are like, someone will come fix it. 208 00:10:13,167 --> 00:10:16,334 Let me tell you something, no one is coming. 209 00:10:16,999 --> 00:10:19,999 The people who are going to fix it are to the left of you, right of you or 210 00:10:19,999 --> 00:10:21,709 in your own chair. 211 00:10:21,834 --> 00:10:23,999 That was really the bit flip for me. 212 00:10:26,250 --> 00:10:34,042 So another part of this is, you know, for personal reasons I basically hit rock 213 00:10:34,042 --> 00:10:36,999 bottom in January. 214 00:10:36,999 --> 00:10:38,501 I lost my mom at 58. 215 00:10:38,501 --> 00:10:40,292 Had a pretty tough year last year. 216 00:10:40,292 --> 00:10:42,999 It really throws into context what's important 217 00:10:42,999 --> 00:10:46,459 to you and how much time you have. 
218 00:10:46,876 --> 00:10:50,999 And I felt like I was diminished, that I couldn't really contribute. 219 00:10:51,334 --> 00:10:53,792 What I realized is people don't really make changes 220 00:10:53,792 --> 00:10:56,667 until they hit rock bottom, right? 221 00:10:56,667 --> 00:10:58,626 If you want to be a science person no one changes 222 00:10:58,626 --> 00:11:00,999 until the pain of exceeding inertia exceeds 223 00:11:00,999 --> 00:11:03,083 the pain of change. 224 00:11:06,876 --> 00:11:09,292 There is a general malaise here. 225 00:11:09,292 --> 00:11:11,334 Yes, we have had a great week at DEF CON. 226 00:11:11,334 --> 00:11:12,876 There were more talks about burnout and suicide 227 00:11:12,876 --> 00:11:16,334 and depression and there were also a lot of talks that had absolutely 228 00:11:16,334 --> 00:11:20,959 nothing to do with security because there is an implicit defeatism. 229 00:11:20,999 --> 00:11:22,999 And we don't have to accept that defeat. 230 00:11:23,250 --> 00:11:26,959 There is actually a value in hitting rock bottom. 231 00:11:26,959 --> 00:11:30,999 And that value says when no one has come to save us, it falls to us, right? 232 00:11:30,999 --> 00:11:34,751 And if you don't see good things happening, we can put good things in. 233 00:11:34,876 --> 00:11:39,834 So at my mom's funeral, I said cold 234 00:11:39,834 --> 00:11:42,999 is the absence of heat. 235 00:11:45,083 --> 00:11:47,459 Darkness is the absence of light. 236 00:11:47,501 --> 00:11:49,999 And maybe it is not that there is evil in light but maybe there 237 00:11:49,999 --> 00:11:51,834 is an absence of good. 238 00:11:51,834 --> 00:11:53,250 I realized each one of us can take matters 239 00:11:53,250 --> 00:11:58,209 into our own hands and put in that leadership that is sorely lacking. 240 00:11:58,209 --> 00:11:59,876 Nature abhors a vacuum and I can hear 241 00:11:59,876 --> 00:12:03,792 the sucking sound and it is time to fill that vacuum. 
242 00:12:05,584 --> 00:12:08,626 Now, what that means is no matter how much we hate certain 243 00:12:08,626 --> 00:12:11,250 things, the alternative is worse. 244 00:12:11,501 --> 00:12:13,250 So we continue to fail. 245 00:12:13,250 --> 00:12:15,501 We don't have to fail in the same way, right? 246 00:12:15,501 --> 00:12:17,083 We're actually suggesting some pretty radically 247 00:12:17,083 --> 00:12:19,709 uncomfortable experimentation. 248 00:12:20,083 --> 00:12:22,083 I can't believe we're at DEF CON and we are actually going 249 00:12:22,083 --> 00:12:24,501 to suggest these things, but we haven't really engaged 250 00:12:24,501 --> 00:12:27,959 in the formal process in how things work in the world. 251 00:12:27,959 --> 00:12:30,209 You know, there are no senators or Congressmen who are experts 252 00:12:30,209 --> 00:12:32,292 on stem cell research. 253 00:12:32,417 --> 00:12:36,999 They rely on subject matter experts, think tanks, lobbies, et cetera. 254 00:12:37,083 --> 00:12:39,375 And as much as we hate these ideas we 255 00:12:39,375 --> 00:12:43,626 will ask you to both tolerate and participate in a series 256 00:12:43,626 --> 00:12:47,999 of very uncomfortable and very unnatural acts. 257 00:12:47,999 --> 00:12:49,918 And this means we already have EFF. 258 00:12:49,918 --> 00:12:52,751 EFF has done fabulous things for our community. 259 00:12:52,751 --> 00:12:55,375 We haven't really had a voice of interest for our profession and 260 00:12:55,375 --> 00:12:57,959 for our talent and expertise. 261 00:12:57,999 --> 00:13:01,250 Now we're actually going to be suggesting and starting, we're 262 00:13:01,250 --> 00:13:05,250 doing it with or without your help but we would love your help, 263 00:13:05,250 --> 00:13:11,083 a 501(c)(3) think tank for research, number two, a 501(c)(4) for a lobby. 
264 00:13:11,083 --> 00:13:15,584 Even though we think they are horribly corrupt, 265 00:13:15,584 --> 00:13:21,626 we believe it is time to have access to the power. 266 00:13:21,999 --> 00:13:23,999 We are also going to professionalize. 267 00:13:24,083 --> 00:13:26,209 We are going to do it very carefully so we don't 268 00:13:26,209 --> 00:13:28,626 become the monsters we fight. 269 00:13:28,918 --> 00:13:30,999 But just like the Bar Association for lawyers or 270 00:13:30,999 --> 00:13:34,834 the American Medical Association giving a voice to the priorities 271 00:13:34,834 --> 00:13:37,999 of this community that is public and can give commentary 272 00:13:37,999 --> 00:13:43,375 on public policy and public events, that's a credible, literate voice of reason. 273 00:13:43,876 --> 00:13:46,999 And then possibly, most importantly, we need to integrate a media 274 00:13:46,999 --> 00:13:50,083 and PR campaign to win hearts and minds. 275 00:13:50,083 --> 00:13:52,709 We have some of the best social engineers on earth. 276 00:13:52,709 --> 00:13:55,709 We've done a really, really bad job setting the narrative. 277 00:13:55,709 --> 00:13:59,542 I love seeing Nick on mainstream news or on the TED stage. 278 00:13:59,542 --> 00:14:02,501 More often we have seen LeGotte (phonetic). 279 00:14:02,584 --> 00:14:04,250 Once again, we can take that microphone 280 00:14:04,250 --> 00:14:06,918 and bully pulpit it and get the right people 281 00:14:06,918 --> 00:14:09,709 with the right messages to actually represent our 282 00:14:09,709 --> 00:14:11,876 community interests. 283 00:14:11,999 --> 00:14:15,709 NICHOLAS PERCOCO: The chain of influence. 284 00:14:18,250 --> 00:14:23,083 Whether we like it or not, what we do, what we say, how we dress, 285 00:14:23,083 --> 00:14:28,375 how we what we do in our everyday lives influences people. 
286 00:14:28,584 --> 00:14:30,792 Words that are coming out of my mouth right now 287 00:14:30,792 --> 00:14:32,999 on stage may be influencing you in a positive way, 288 00:14:32,999 --> 00:14:35,999 maybe influencing you in a negative way. 289 00:14:36,083 --> 00:14:38,375 You may take something that Josh and I have said and talk 290 00:14:38,375 --> 00:14:41,999 to somebody else and that message will relay to them. 291 00:14:42,375 --> 00:14:44,083 But that chain continues. 292 00:14:44,167 --> 00:14:48,459 Now, unfortunately we take someone from our community, someone who 293 00:14:48,459 --> 00:14:51,959 is a hacker from our community, and put them in front 294 00:14:51,959 --> 00:14:55,542 of a policymaker or a senator or a global government, this 295 00:14:55,542 --> 00:14:57,709 is not just a U.S. 296 00:14:57,709 --> 00:15:01,209 issue, this is a global issue, what they see is not someone they trust 297 00:15:01,209 --> 00:15:05,542 and someone who is an expert but they see a hacker. 298 00:15:05,918 --> 00:15:08,959 And so while the research that that hacker 299 00:15:08,959 --> 00:15:14,125 is doing may be vital to our existence, it may have life benefiting needs 300 00:15:14,125 --> 00:15:17,792 behind it, they still see a hacker. 301 00:15:17,999 --> 00:15:20,999 And so what we are doing within this movement is trying 302 00:15:20,999 --> 00:15:23,751 to organize, better organize. 303 00:15:23,751 --> 00:15:27,709 You can have the breakers, you can have the hackers. 304 00:15:27,834 --> 00:15:30,959 They're vitally important to our community. 305 00:15:30,999 --> 00:15:35,459 But then you also need people who go and come up with the fixes. 306 00:15:35,459 --> 00:15:37,667 Now the breakers may be the same people that come 307 00:15:37,667 --> 00:15:41,083 up with the fixes, but they don't have to be. 
308 00:15:41,167 --> 00:15:41,999 So if you're someone out here who likes 309 00:15:41,999 --> 00:15:45,167 to break things how many people like to break things in the room? 310 00:15:45,626 --> 00:15:46,626 Okay. 311 00:15:46,626 --> 00:15:49,709 How many people also like to fix things or like to fix things? 312 00:15:49,959 --> 00:15:51,667 So you are part of this as well. 313 00:15:51,834 --> 00:15:53,959 But it is not just the people in this room. 314 00:15:53,959 --> 00:15:55,250 We also need people to continue that chain 315 00:15:55,250 --> 00:15:58,167 and we need people from all different backgrounds, 316 00:15:58,167 --> 00:16:02,083 also people who represent the various industries. 317 00:16:02,334 --> 00:16:04,999 So when we go follow that chain and we put someone in front 318 00:16:04,999 --> 00:16:08,334 of policymakers or we put someone who is on national television 319 00:16:08,334 --> 00:16:11,501 or international news, they may be someone who has one foot 320 00:16:11,501 --> 00:16:15,083 in our community and one foot in the industry that we're focusing on, 321 00:16:15,083 --> 00:16:18,751 where there is the medical community, or the automotive industry or 322 00:16:18,751 --> 00:16:22,334 the transportation networks, whatever that may be. 323 00:16:22,459 --> 00:16:26,999 JOSHUA CORMAN: So we got to think like hackers, right? 324 00:16:27,250 --> 00:16:28,999 I want to recognize somebody who has done some outstanding work 325 00:16:28,999 --> 00:16:30,501 in the room. 326 00:16:30,501 --> 00:16:32,083 Jay Radcliffe, can you stand up? 327 00:16:32,083 --> 00:16:38,209 (applause) JOSHUA CORMAN: So much like the Hair Club for Men, Jay 328 00:16:38,209 --> 00:16:44,125 is not just a researcher but he is also a client. 329 00:16:44,125 --> 00:16:46,918 Jay hacked his insulin pump a couple years back and has 330 00:16:46,918 --> 00:16:51,626 since done some hacking on several different medical devices. 
331 00:16:51,999 --> 00:16:56,083 One of the frustrating things, I look at that and I say that research matters. 332 00:16:56,083 --> 00:16:57,542 It really matters. 333 00:16:57,542 --> 00:16:58,792 It affects public good. 334 00:16:58,959 --> 00:16:59,918 He maybe did it because he didn't want 335 00:16:59,918 --> 00:17:02,125 to die or get hacked at an airport. 336 00:17:02,375 --> 00:17:06,999 But a lot of the research we do is fun but does it really matter? 337 00:17:06,999 --> 00:17:09,792 Are we going to find the 700th piece of Android malware, is that going 338 00:17:09,792 --> 00:17:13,417 to differentiate you as a researcher as you try to find fame and glory 339 00:17:13,417 --> 00:17:15,125 or make a name. 340 00:17:15,375 --> 00:17:17,999 When we throw these over the fence, does it work? 341 00:17:18,125 --> 00:17:23,083 I saw the work that Jay and others have done and also the huge loss 342 00:17:23,083 --> 00:17:25,209 of Barnaby Jack. 343 00:17:25,209 --> 00:17:28,250 Those two were doing some outstanding Jack. 344 00:17:29,167 --> 00:17:32,375 We were already planning to include Barnaby 345 00:17:32,375 --> 00:17:37,542 in this and that's very, very there's no words for that. 346 00:17:37,918 --> 00:17:40,751 When we look, they really have a hard time. 347 00:17:40,959 --> 00:17:42,999 It is hard we thought about the kill chain. 348 00:17:42,999 --> 00:17:44,375 Everybody know how Lockheed kill chained how to get bad things 349 00:17:44,375 --> 00:17:46,125 out of your network? 350 00:17:46,125 --> 00:17:47,209 We need a kill chain. 351 00:17:47,250 --> 00:17:51,626 It was tough for him to get and procure more devices to test. 352 00:17:51,626 --> 00:17:52,876 He did a good job testing and finding the vulnerability, 353 00:17:52,876 --> 00:17:55,501 but the vendor ridiculed, denied, and refused. 354 00:18:01,542 --> 00:18:04,542 We had a hard time affecting that change. 
355 00:18:04,751 --> 00:18:06,834 Instead of looking on activities that I found 0day 356 00:18:06,834 --> 00:18:08,292 or I published a pwn or I have 357 00:18:08,292 --> 00:18:11,083 a different presentation at some different conference, 358 00:18:11,083 --> 00:18:14,584 we wanted to see how you pull that to a result. 359 00:18:15,709 --> 00:18:19,459 I went to Kevin Foo and he is an expert in industry. 360 00:18:20,542 --> 00:18:23,999 There is way more medical laws than you can imagine and we are still not 361 00:18:23,999 --> 00:18:25,751 getting there. 362 00:18:25,959 --> 00:18:27,375 F.D.A. 363 00:18:27,375 --> 00:18:28,792 is one of the bottlenecks. 364 00:18:28,792 --> 00:18:31,125 They didn't have the ability to reject devices. 365 00:18:31,125 --> 00:18:32,083 They are not actually putting in framing to allow 366 00:18:32,083 --> 00:18:34,083 for better granularity. 367 00:18:34,501 --> 00:18:36,959 So an individual researcher can have a hard time going 368 00:18:36,959 --> 00:18:39,959 through multiple gates and multiple obstacles. 369 00:18:39,959 --> 00:18:41,999 Really what we want to do is work with people 370 00:18:41,999 --> 00:18:46,709 in industry and map that chain of influence and then fuzz it and try 371 00:18:46,709 --> 00:18:50,083 and iterate a fail fast and focus on we're not done 372 00:18:50,083 --> 00:18:54,792 until we see a substantive change in how we raise the bar and do care 373 00:18:54,792 --> 00:18:59,417 on elective attack surface on life saving technologies. 374 00:18:59,834 --> 00:19:01,999 That's just a deep example of one of these. 375 00:19:01,999 --> 00:19:03,125 These are tractable. 376 00:19:03,125 --> 00:19:04,709 They look overwhelming. 377 00:19:04,709 --> 00:19:06,709 Maybe it is not Jay the one on CNN or maybe he is not 378 00:19:06,709 --> 00:19:09,167 the one that does the driver development to fix it, 379 00:19:09,167 --> 00:19:13,876 but we have the talent in the room for every single step along the way. 
380 00:19:15,999 --> 00:19:19,584 NICHOLAS PERCOCO: So there might be some people even when Josh 381 00:19:19,584 --> 00:19:23,999 and I were first talking, thinking, well, this is really hard. 382 00:19:23,999 --> 00:19:26,167 This is going to be very hard. 383 00:19:26,167 --> 00:19:29,083 This is not going to be something that's going to be easy. 384 00:19:29,083 --> 00:19:31,626 But we often do very difficult things, and there's dozens and dozens 385 00:19:31,626 --> 00:19:36,083 of talks here at DEF CON about very, very difficult things that are being done 386 00:19:36,083 --> 00:19:38,334 in a technical world. 387 00:19:38,459 --> 00:19:40,999 So to put it in a little different perspective, 388 00:19:40,999 --> 00:19:43,999 we have we have a clip to show you. 389 00:19:43,999 --> 00:19:46,626 If you can dodge a wrench, you can dodge a ball. 390 00:19:49,999 --> 00:19:51,709 What? 391 00:19:54,999 --> 00:19:57,999 (Video playing.) NICHOLAS PERCOCO: So 392 00:19:57,999 --> 00:20:01,999 if we can hack something, X, fill in something, a iPhone, 393 00:20:01,999 --> 00:20:04,999 a SCADA system, if you can hack anything, 394 00:20:04,999 --> 00:20:07,125 we can hack this. 395 00:20:07,125 --> 00:20:08,999 But we have to be organized. 396 00:20:08,999 --> 00:20:10,083 We have to work together. 397 00:20:10,083 --> 00:20:13,999 We have to put the right people in the right roles to get this done. 398 00:20:13,999 --> 00:20:15,709 Like we mentioned earlier, you can't put a hacker in front 399 00:20:15,709 --> 00:20:18,000 of a senator because they see a hacker. 400 00:20:18,000 --> 00:20:19,709 We have to put the right people. 401 00:20:21,876 --> 00:20:26,834 Every single one of you has a role to play and can use their best skills, 402 00:20:26,834 --> 00:20:30,999 their best techniques to help drive this home. 
403 00:20:31,626 --> 00:20:34,999 Jail breaking the system, it is incredibly difficult to find 404 00:20:34,999 --> 00:20:38,667 a jail break and implement it into weaponize something in order 405 00:20:38,667 --> 00:20:40,999 to perform a jail break. 406 00:20:40,999 --> 00:20:42,501 Very, very complicated. 407 00:20:42,626 --> 00:20:44,083 We can do that with this system. 408 00:20:44,999 --> 00:20:48,459 And as Josh mentioned earlier, some of our best social engineers are 409 00:20:48,459 --> 00:20:51,209 in this room or at this conference. 410 00:20:51,250 --> 00:20:53,709 Some of the best social engineers in the entire world are 411 00:20:53,709 --> 00:20:55,999 in the hacking community. 412 00:20:55,999 --> 00:20:57,542 But it doesn't mean we have to be dishonest and try 413 00:20:57,542 --> 00:21:00,459 to deceive people, but we use those skills. 414 00:21:00,459 --> 00:21:03,167 It is exactly the same skills that the best C.E.O.s on the planet have 415 00:21:03,167 --> 00:21:06,417 for selling their investors on something. 416 00:21:06,667 --> 00:21:11,250 We need those people to step up and actually play that role as well. 417 00:21:11,751 --> 00:21:13,083 So how do we do this? 418 00:21:13,083 --> 00:21:15,292 JOSHUA CORMAN: I really like the fact that we're calling that 419 00:21:15,292 --> 00:21:17,626 everything does have a role. 420 00:21:17,999 --> 00:21:19,125 We really mean it. 421 00:21:19,375 --> 00:21:20,959 When I say on Twitter Jay was giving 422 00:21:20,959 --> 00:21:23,918 a presentation and said one of the biggest bottlenecks 423 00:21:23,918 --> 00:21:25,959 is getting devices. 424 00:21:26,125 --> 00:21:29,125 Three people replied and said I know how to get them. 425 00:21:29,167 --> 00:21:31,584 You have something you can do. 
426 00:21:31,626 --> 00:21:34,999 I was talking to a young guy from Portland, Maine, he pointed 427 00:21:34,999 --> 00:21:39,999 out one of his first jobs was doing device drivers at a local SCADA operating 428 00:21:39,999 --> 00:21:41,834 system shop. 429 00:21:42,542 --> 00:21:44,792 You don't even have to be a hacker. 430 00:21:44,792 --> 00:21:46,999 You can just write really, really security aware code for one 431 00:21:46,999 --> 00:21:48,918 of those vendors. 432 00:21:49,167 --> 00:21:54,375 I couldn't find a 0day to find my day but I have been accepted in talking 433 00:21:54,375 --> 00:21:57,959 to government people in cross over. 434 00:21:58,250 --> 00:22:02,083 I can take the technical stuff we do here and I can actually make it mainstream 435 00:22:02,083 --> 00:22:05,209 accessible and get in front of policymakers. 436 00:22:05,209 --> 00:22:08,542 There are actually six of us hacker types at a U.N. 437 00:22:08,542 --> 00:22:10,751 meeting in Toronto this spring: Jeff Moss, me, 438 00:22:10,751 --> 00:22:14,250 Nikko Pones (phonetic) and some others. 439 00:22:14,876 --> 00:22:17,876 They were listening to us as the technical voice of reason. 440 00:22:17,876 --> 00:22:19,334 The bad news is we didn't get very organized 441 00:22:19,334 --> 00:22:23,292 but you don't have to be a rock star, A-list name to actually contribute 442 00:22:23,292 --> 00:22:27,999 to the research that we're actually carrying to the outside world. 443 00:22:28,125 --> 00:22:30,626 Now, when I say anybody can play a role, I'm also speaking 444 00:22:30,626 --> 00:22:33,999 to those pillars in our industry, our tribal chieftains, because this 445 00:22:33,999 --> 00:22:36,918 is going to be really, really hard. 446 00:22:37,083 --> 00:22:38,999 And in the leadership role, we are going 447 00:22:38,999 --> 00:22:42,709 to need our toughest battles require our strongest lawyers. 
448 00:22:42,709 --> 00:22:44,459 So we really, really need not just grassroots 449 00:22:44,459 --> 00:22:47,417 like yeah, yeah, ra, ra, we need leadership roles 450 00:22:47,417 --> 00:22:52,459 like executive directors on some of these different manifestations. 451 00:22:53,459 --> 00:22:56,959 Now, forget the term platform per se. 452 00:22:56,959 --> 00:22:57,959 This is a strawman. 453 00:22:57,959 --> 00:23:00,375 But we think we have put a lot of thought into this. 454 00:23:01,292 --> 00:23:03,834 We will be using this to take it to the meeting 455 00:23:03,834 --> 00:23:06,751 in eight weeks which we will discuss. 456 00:23:06,751 --> 00:23:09,999 We will really see that there are three ways to secure our future. 457 00:23:09,999 --> 00:23:11,999 We have to keep a very small list of priorities so we don't spread 458 00:23:11,999 --> 00:23:13,999 ourselves too thin. 459 00:23:13,999 --> 00:23:15,584 We can learn how to do this on a few topics and then we can 460 00:23:15,584 --> 00:23:16,999 move out. 461 00:23:17,709 --> 00:23:21,792 But essentially I think we need to focus on public good and safety. 462 00:23:21,792 --> 00:23:24,417 And that's really why I wanted to call out Jay and Charlie Miller 463 00:23:24,417 --> 00:23:26,250 and Chris Valasek. 464 00:23:26,250 --> 00:23:28,667 Did you see their amazing car hack? 465 00:23:28,999 --> 00:23:32,083 Whether they did it for an altruistic hack, it was amazing. 466 00:23:33,083 --> 00:23:35,918 I got a flood of emails from people who don't know anything 467 00:23:35,918 --> 00:23:38,542 about our industry saying I had absolutely no idea how much 468 00:23:38,542 --> 00:23:41,083 of a car can be controlled via software. 469 00:23:41,209 --> 00:23:44,501 We have a few people doing research like this. 470 00:23:44,501 --> 00:23:46,709 But I would like to challenge us through this program 471 00:23:46,709 --> 00:23:50,334 to say let's say get a critical mass of lots of you. 
472 00:23:50,334 --> 00:23:52,999 If you are going to pick an Android malware, don't. 473 00:23:53,459 --> 00:23:57,083 Pick an auto OS, a medical device, a control system. 474 00:23:57,083 --> 00:24:00,375 Because if we can demonstrate that we are doing a unique public good 475 00:24:00,375 --> 00:24:04,083 for public safety, guess what we can stave off? 476 00:24:05,292 --> 00:24:07,792 We can actually carve off and demonstrate and earn 477 00:24:07,792 --> 00:24:10,584 the permission in the hearts and minds that what we're doing 478 00:24:10,584 --> 00:24:13,751 is critically necessary and, therefore, requires that we can stave 479 00:24:13,751 --> 00:24:15,999 off the criminalization of. 480 00:24:15,999 --> 00:24:19,375 This is your first time speaking at DEF CON? 481 00:24:19,375 --> 00:24:20,709 NICHOLAS PERCOCO: No. 482 00:24:20,834 --> 00:24:24,083 Is this your first time? 483 00:24:24,083 --> 00:24:25,083 JOSHUA CORMAN: No. 484 00:24:25,083 --> 00:24:28,542 NICHOLAS PERCOCO: I don't think we will get away with it anyhow. 485 00:24:28,542 --> 00:24:29,999 (applause) I was shocked. 486 00:24:29,999 --> 00:24:36,999 I was like, I think he has spoken here before. 487 00:24:36,999 --> 00:24:41,999 JOSHUA CORMAN: We are being controlled by PW crack. 488 00:24:42,417 --> 00:24:45,083 You know, even if you don't care about the public good and love 489 00:24:45,083 --> 00:24:47,999 and safety and want to be a narcissistic vulnerability pimp, 490 00:24:47,999 --> 00:24:51,083 to avoid criminalization this is how we will do it. 491 00:24:51,083 --> 00:24:52,626 If you are going to pick something next year, 492 00:24:52,626 --> 00:24:54,501 pick something that matters. 493 00:24:55,667 --> 00:25:00,459 Whether your mother, father, uncle or aunt, it doesn't matter if you want 494 00:25:00,459 --> 00:25:03,626 to help public good, be selfish. 
495 00:25:03,667 --> 00:25:08,083 If we do some things that are clearly valuable that no one else can provide 496 00:25:08,083 --> 00:25:12,250 and we do it in an intelligent way, we get the right PR and air cover 497 00:25:12,250 --> 00:25:16,083 for that, we are going to demonstrate that this isn't something 498 00:25:16,083 --> 00:25:17,999 we criminalize. 499 00:25:17,999 --> 00:25:19,667 I don't know if you know the Obama clip, 500 00:25:19,667 --> 00:25:24,709 he will not scramble jets for a 29 year old attacker, Snowden. 501 00:25:29,209 --> 00:25:32,417 Into my research at the U.N. 502 00:25:32,417 --> 00:25:38,626 and ITU, I'm aware that human rights and civil liberties are not compatible. 503 00:25:38,999 --> 00:25:41,667 We are seeing the battle between the two and civil liberties 504 00:25:41,667 --> 00:25:44,083 and human rights are losing. 505 00:25:44,501 --> 00:25:45,834 They are losing big time. 506 00:25:45,999 --> 00:25:47,999 Part of it is because people are evil. 507 00:25:48,083 --> 00:25:49,999 And part of it people in power. 508 00:25:50,250 --> 00:25:52,125 Part of it is they are just illiterate. 509 00:25:52,375 --> 00:25:55,292 I had people in government say we should empower 510 00:25:55,292 --> 00:25:58,209 the carriers to do deep packet inspection 511 00:25:58,209 --> 00:26:02,125 to stave off intellectual property to China by enabling 512 00:26:02,125 --> 00:26:06,999 the deep packet inspection to do signature antivirus. 513 00:26:07,125 --> 00:26:08,999 And I spit out my drink. 514 00:26:08,999 --> 00:26:12,709 I'm like, you do realize the efficacy of signature is zero. 515 00:26:14,999 --> 00:26:17,083 That's really bad math, right? 516 00:26:17,083 --> 00:26:19,083 I can't stop them from question should we trade civil 517 00:26:19,083 --> 00:26:21,083 liberties and Fourth Amendment for safety 518 00:26:21,083 --> 00:26:24,918 but I can tell them that it won't grant them safety. 
519 00:26:24,999 --> 00:26:26,999 So we need to do that for ourselves because we live 520 00:26:26,999 --> 00:26:28,792 in the world, too. 521 00:26:28,918 --> 00:26:31,292 If you really squint, what we are basically describing 522 00:26:31,292 --> 00:26:34,792 will resonate with almost everybody in the room but everybody 523 00:26:34,792 --> 00:26:36,792 in the mainstream. 524 00:26:36,792 --> 00:26:39,167 What we are talking about is protecting our bodies, 525 00:26:39,167 --> 00:26:41,834 our minds and our souls. 526 00:26:42,083 --> 00:26:46,167 NICHOLAS PERCOCO: So there are some next steps. 527 00:26:46,167 --> 00:26:50,792 As we spoke about earlier, we don't have the answer for you. 528 00:26:50,792 --> 00:26:53,292 But we have some next steps that we want to discuss. 529 00:26:53,792 --> 00:26:57,709 So the first of the next steps is naming the movement. 530 00:26:57,792 --> 00:26:59,501 We don't have a name. 531 00:26:59,501 --> 00:27:01,584 We have some stickers up here that have some phrases, 532 00:27:01,584 --> 00:27:04,209 but we haven't named the movement. 533 00:27:04,209 --> 00:27:06,542 If you have ideas, please let us know. 534 00:27:06,918 --> 00:27:08,334 We are very interested. 535 00:27:08,334 --> 00:27:09,334 We are all ears. 536 00:27:09,334 --> 00:27:12,999 There is also forming an executive and advisory board. 537 00:27:13,083 --> 00:27:15,999 This is not going to just be people from the community. 538 00:27:15,999 --> 00:27:17,751 We want to identify those people. 539 00:27:17,751 --> 00:27:19,999 We want to identify those people that have one foot in our industry 540 00:27:19,999 --> 00:27:22,834 and another foot in another because that's where we will get 541 00:27:22,834 --> 00:27:24,667 the most traction. 542 00:27:25,083 --> 00:27:27,334 Also holding the constitutional Congress, 543 00:27:27,334 --> 00:27:29,959 a meeting of anybody who wants to participate, 544 00:27:29,959 --> 00:27:32,667 let's get these things on paper. 
545 00:27:32,667 --> 00:27:34,999 Let's brainstorm how we're going to organize. 546 00:27:34,999 --> 00:27:37,584 JOSHUA CORMAN: And this isn't hand waving. 547 00:27:37,999 --> 00:27:39,834 The guys at Derby have given us 548 00:27:39,834 --> 00:27:42,334 a space eight weeks from now. 549 00:27:42,334 --> 00:27:44,792 We will be holding the first hacker constitutional Congress 550 00:27:44,792 --> 00:27:46,334 at DerbyCon. 551 00:27:46,459 --> 00:27:50,334 We will try to figure out how to remote people in. 552 00:27:51,999 --> 00:27:55,417 Coalition of the willing and the chieftains and the folks that want 553 00:27:55,417 --> 00:27:59,083 to make sure we do this intelligently and we have the right platform and 554 00:27:59,083 --> 00:28:02,999 the right issues to promote, we're going to do this right. 555 00:28:03,125 --> 00:28:07,334 NICHOLAS PERCOCO: The other piece is to share the results. 556 00:28:07,334 --> 00:28:10,083 We're not forming a secret society here. 557 00:28:10,250 --> 00:28:12,584 We want to share these results with people. 558 00:28:12,584 --> 00:28:15,083 We want you to have feedback into those results and understand 559 00:28:15,083 --> 00:28:17,626 what's going on at all times. 560 00:28:17,626 --> 00:28:20,083 And so we do have a Twitter account you can follow. 561 00:28:20,083 --> 00:28:21,626 We're working on ways to better communicate and a lot 562 00:28:21,626 --> 00:28:23,999 of that will be figured out at the hacker constitutional 563 00:28:23,999 --> 00:28:26,999 Congress and the protocols we will be using. 564 00:28:26,999 --> 00:28:30,542 Of course, executing projects, building the think tanks, take 565 00:28:30,542 --> 00:28:34,542 the medical research and put it in front of the right people that can 566 00:28:34,542 --> 00:28:39,167 change the way they think about what we're doing. 
567 00:28:41,501 --> 00:28:44,417 JOSHUA CORMAN: So we're not going to teach you 568 00:28:44,417 --> 00:28:46,999 to be experts on all the different international 569 00:28:46,999 --> 00:28:49,834 and domestic legal organizations. 570 00:28:49,834 --> 00:28:52,834 But what we can do and hope to do is just flip that one bit. 571 00:28:52,918 --> 00:28:55,083 If you thought someone was going to come fix this for you, we want you 572 00:28:55,083 --> 00:28:57,876 to realize that the cavalry isn't coming. 573 00:28:57,999 --> 00:28:59,292 It's you. 574 00:29:02,999 --> 00:29:04,999 Now, it's going to be difficult. 575 00:29:05,125 --> 00:29:07,250 It's going to take time. 576 00:29:07,459 --> 00:29:08,999 We're going to have struggles. 577 00:29:08,999 --> 00:29:10,167 We are also a fairly cynical group so we 578 00:29:10,167 --> 00:29:13,584 will point out all the ways this won't work. 579 00:29:13,751 --> 00:29:17,209 But it's time to start failing fast and iterating. 580 00:29:17,292 --> 00:29:19,501 I'm willing to take the bumps and bruises. 581 00:29:19,501 --> 00:29:22,083 I'm looking at this as a marathon, not a sprint. 582 00:29:22,292 --> 00:29:24,999 And if not, when? 583 00:29:25,334 --> 00:29:26,999 If it is not you, then who? 584 00:29:29,083 --> 00:29:31,083 Yes, we have stickers. 585 00:29:31,083 --> 00:29:32,999 Yes, we have Twitter handles. 586 00:29:32,999 --> 00:29:34,125 What we really need is you. 587 00:29:34,167 --> 00:29:37,999 I have a question and I know you are itching to get to the mic. 588 00:29:37,999 --> 00:29:40,751 But how are you going to make this real and who's in? 589 00:29:43,375 --> 00:29:44,959 Stand up. 590 00:29:44,959 --> 00:29:47,083 NICHOLAS PERCOCO: Stand up if you're in. 591 00:29:48,459 --> 00:29:59,999 (applause) JOSHUA CORMAN: The adults. 592 00:30:00,334 --> 00:30:04,292 NICHOLAS PERCOCO: The microphone, yes. 593 00:30:04,292 --> 00:30:06,584 Hi there, Gary Reimer. 
594 00:30:06,584 --> 00:30:08,459 This is my first DEF CON and I have been coming here 595 00:30:08,459 --> 00:30:12,542 because I want to get full blown into the security world. 596 00:30:12,999 --> 00:30:15,125 And while I'm not an uber geek like a lot 597 00:30:15,125 --> 00:30:20,334 of the people here I can communicate with anybody from a C.E.O. 598 00:30:20,334 --> 00:30:23,959 to a janitor and if I can understand it, I can help them understand it. 599 00:30:23,959 --> 00:30:25,709 And you had me sold five minutes ago which is why I wanted to be first 600 00:30:25,709 --> 00:30:27,000 on the mic. 601 00:30:27,834 --> 00:30:31,334 I want to get your cards and be a part of this. 602 00:30:31,334 --> 00:30:34,209 I don't know how I can contribute but darn, I want to. 603 00:30:36,417 --> 00:30:42,999 (applause) NICHOLAS PERCOCO: Yes? 604 00:30:42,999 --> 00:30:45,250 I just want to say the Fourth Amendment is already 605 00:30:45,250 --> 00:30:47,999 the middle ground between the government can do 606 00:30:47,999 --> 00:30:52,292 anything it wants and the government can't do anything at all. 607 00:30:52,709 --> 00:30:56,250 We set rules they have to follow, a warrant based 608 00:30:56,250 --> 00:30:59,918 on probable cause and witnesses. 609 00:31:01,584 --> 00:31:05,999 That's as far as we should go, period. 610 00:31:05,999 --> 00:31:08,250 The second part of that is more rules and more laws 611 00:31:08,250 --> 00:31:11,999 and more regulations are not going to fix this. 612 00:31:11,999 --> 00:31:15,792 JOSHUA CORMAN: You know, we had I appreciate your comments. 613 00:31:15,792 --> 00:31:17,999 We had some cognitive dissonance about this because we tend 614 00:31:17,999 --> 00:31:20,918 to be a fairly libertarian group. 615 00:31:20,918 --> 00:31:22,918 We tend not to like formal structures. 616 00:31:22,918 --> 00:31:26,250 That's why I hearing aid we need to hold our noses and lead lima beans. 
617 00:31:29,250 --> 00:31:31,375 When you are jailbreaking an iPhone you don't think 618 00:31:31,375 --> 00:31:35,083 about how it should or shouldn't be, you find a way to get it done. 619 00:31:35,250 --> 00:31:38,959 And I still carry cognitive dissonance over this. 620 00:31:38,959 --> 00:31:41,501 I'm the guy that called out the No Child Left Behind Act. 621 00:31:41,501 --> 00:31:43,876 The last thing I want to do is push more rules. 622 00:31:46,250 --> 00:31:51,999 But it is using every available mechanism. 623 00:31:51,999 --> 00:31:53,459 We haven't tried these yet. 624 00:31:53,459 --> 00:31:54,918 I am not sure they will work. 625 00:31:54,918 --> 00:31:58,667 I had some very critical people say you need to be transgressive. 626 00:31:58,667 --> 00:32:00,250 You need to break the law. 627 00:32:00,250 --> 00:32:03,626 You have to take Anonymous up ten notches or something like that. 628 00:32:03,626 --> 00:32:05,501 I thought historically about things. 629 00:32:05,876 --> 00:32:07,876 I'm not trying to equate this but Black Panthers were 630 00:32:07,876 --> 00:32:09,542 very aggressive. 631 00:32:09,542 --> 00:32:11,584 They were scaring people. 632 00:32:11,584 --> 00:32:14,083 They weren't causing substantive legal change. 633 00:32:14,626 --> 00:32:16,667 And then you had the civil rights movement which was 634 00:32:16,667 --> 00:32:19,417 more moderate and engaging in the system. 635 00:32:19,417 --> 00:32:20,751 And it is unclear if one could have succeeded 636 00:32:20,751 --> 00:32:22,417 about the other. 637 00:32:22,417 --> 00:32:26,083 But I don't want to leave these options on the table. 638 00:32:26,083 --> 00:32:28,999 Even if I get my butt kicked and we're ridiculed and made fun of, 639 00:32:28,999 --> 00:32:32,459 that's okay because we have to try something. 640 00:32:32,542 --> 00:32:35,876 That's why we want to have the hacker constitutional Congress. 641 00:32:38,999 --> 00:32:43,626 I'm hyperconscious of your concern and I share it. 
642 00:32:43,999 --> 00:32:47,334 I also want to connect the dots on some things that are happening. 643 00:32:47,334 --> 00:32:48,334 EFF does their part. 644 00:32:48,876 --> 00:32:52,250 There is also FORKDA (phonetic) laws and amicus briefs written for Weev 645 00:32:52,250 --> 00:32:55,542 and there is a whole bunch of law professors. 646 00:32:55,709 --> 00:32:58,999 The thing that broke my heart is none of those little groups were talking 647 00:32:58,999 --> 00:33:00,584 to each other. 648 00:33:00,584 --> 00:33:02,999 So some of the pieces contradicted each other. 649 00:33:02,999 --> 00:33:05,250 Even if it is just aligning and getting critical mass 650 00:33:05,250 --> 00:33:08,667 on the existing initiatives to force multiply them, 651 00:33:08,667 --> 00:33:10,876 that's reasonable. 652 00:33:10,999 --> 00:33:14,125 I think some of us are more angry and more aggressive than others 653 00:33:14,125 --> 00:33:17,542 and I hope that's why we're going to figure out what we can agree 654 00:33:17,542 --> 00:33:20,999 on and make sure that we keep ourselves honest. 655 00:33:20,999 --> 00:33:22,459 It is going to take a lot of work. 656 00:33:22,459 --> 00:33:23,792 I do share your concerns. 657 00:33:23,792 --> 00:33:24,792 Thank you. 658 00:33:24,876 --> 00:33:26,501 Hi. 659 00:33:27,999 --> 00:33:30,834 My name is Sara Jeffrey and I actually am really very, 660 00:33:30,834 --> 00:33:34,125 very grateful that you brought up Weev's case. 661 00:33:34,125 --> 00:33:39,083 I do prison support for Weev I mean, Jeremy Hammond, Barrett Brown 662 00:33:39,083 --> 00:33:41,876 and Bradley Manning. 663 00:33:41,876 --> 00:33:46,083 And they have a CFAA charge in their rap sheet. 664 00:33:46,083 --> 00:33:48,375 I was at the defense of Bradley Manning. 
665 00:33:48,542 --> 00:33:51,125 For about six hours of the first day they were discussing 666 00:33:51,125 --> 00:33:54,999 the difference between an exe file, an installable file, and shortcut 667 00:33:54,999 --> 00:33:57,417 of a CD on a given drive. 668 00:33:57,417 --> 00:33:59,626 (speaker off microphone.) What? 669 00:34:01,999 --> 00:34:04,876 More action, less talking. 670 00:34:04,876 --> 00:34:05,876 Okay. 671 00:34:05,876 --> 00:34:07,999 This is part of the court martial, one of the biggest leaps Okay, get 672 00:34:07,999 --> 00:34:09,834 the fuck out. 673 00:34:10,876 --> 00:34:12,584 This is important. 674 00:34:12,584 --> 00:34:13,584 (applause). 675 00:34:13,584 --> 00:34:17,999 The reason I'm not backing down is because every single one 676 00:34:17,999 --> 00:34:24,751 of you here is being persecuted like the actual activists. 677 00:34:24,751 --> 00:34:27,999 And Weev has had 60 days of admin segregation 678 00:34:27,999 --> 00:34:31,083 for tweeting from prison. 679 00:34:31,250 --> 00:34:35,250 Barrett Brown has detoxed opiates without medication. 680 00:34:35,250 --> 00:34:38,999 Jeremy Hammond has been in over 80 days of confinement 681 00:34:38,999 --> 00:34:45,083 for making inmates make Anonymous paraphernalia during art projects. 682 00:34:45,375 --> 00:34:49,417 Bradley Manning has been tortured naked 23 hours a day and 683 00:34:49,417 --> 00:34:54,709 they called them a hacker like the way they did with Snowden. 684 00:34:54,959 --> 00:34:58,999 And they are using wget as a hacker tool. 685 00:34:59,209 --> 00:35:03,375 These are all in the actual court proceedings. 686 00:35:03,375 --> 00:35:06,083 You can read them from the Freedom Press Foundation. 687 00:35:06,083 --> 00:35:11,250 They are coming for all of you, so you guys need to put the egos aside. 688 00:35:11,375 --> 00:35:13,292 That's all I wanted to say. 689 00:35:13,292 --> 00:35:14,292 Thank you. 
690 00:35:14,292 --> 00:35:19,999 NICHOLAS PERCOCO: Thank you for your comments. 691 00:35:19,999 --> 00:35:21,626 (applause) NICHOLAS PERCOCO: That falls directly in line 692 00:35:21,626 --> 00:35:24,999 with the discussion of the preservation of security research. 693 00:35:24,999 --> 00:35:28,334 As a security researcher, I have done things in the last couple 694 00:35:28,334 --> 00:35:31,125 of years which I may not want to do today just 695 00:35:31,125 --> 00:35:35,626 because of the chance of the broad application of CFAA. 696 00:35:35,792 --> 00:35:37,501 So thank you. 697 00:35:37,999 --> 00:35:39,834 Hi. 698 00:35:39,834 --> 00:35:42,250 You guys have talked a lot about the legislation that you don't 699 00:35:42,250 --> 00:35:45,918 want governments to institute against hackers. 700 00:35:45,918 --> 00:35:48,250 What about any legislation that you might want 701 00:35:48,250 --> 00:35:53,083 to institute that would provide a counteracting effect like, for example, 702 00:35:53,083 --> 00:35:55,626 holding vendors of vulnerable systems 703 00:35:55,626 --> 00:35:57,792 more accountable? 704 00:35:57,792 --> 00:36:00,667 JOSHUA CORMAN: I'm not sure people heard that. 705 00:36:00,667 --> 00:36:01,999 I had a little echo there. 706 00:36:02,292 --> 00:36:04,250 Again that cognitive dissonance is ever present 707 00:36:04,250 --> 00:36:08,999 in my mind that I don't necessarily want to add a ton more legislation. 708 00:36:08,999 --> 00:36:09,751 It is more about fixing existing ones 709 00:36:09,751 --> 00:36:11,542 whenever possible. 710 00:36:11,542 --> 00:36:13,209 I think we should use it sparingly. 711 00:36:13,209 --> 00:36:15,999 One of the things we've realized there is a lot of things that divide us back 712 00:36:15,999 --> 00:36:17,999 to the prior comment. 713 00:36:18,083 --> 00:36:19,167 Some people are like, why are you talking 714 00:36:19,167 --> 00:36:21,417 about an amicus brief for Weev. 
715 00:36:21,667 --> 00:36:24,209 He's a raging troll asshole or something like that. 716 00:36:24,209 --> 00:36:27,667 I think it doesn't matter if you think he is a raging troll asshole. 717 00:36:27,876 --> 00:36:29,999 It is like People versus Larry Flynt. 718 00:36:29,999 --> 00:36:31,999 You didn't have to like pornography. 719 00:36:31,999 --> 00:36:33,083 It was about free speech. 720 00:36:37,292 --> 00:36:40,667 We have to participate in the working groups that are looking 721 00:36:40,667 --> 00:36:42,250 to rev CFAA. 722 00:36:42,250 --> 00:36:44,999 It is not even for criminalization research. 723 00:36:44,999 --> 00:36:46,334 People are looking at defending themselves 724 00:36:46,334 --> 00:36:49,999 with other things that are also controversial. 725 00:36:50,083 --> 00:36:50,626 One of the things that a lot of people do 726 00:36:50,626 --> 00:36:52,375 is application security research. 727 00:36:52,375 --> 00:36:55,334 They realize there is no liability whatsoever. 728 00:36:55,626 --> 00:36:56,999 So if a toaster burns your house down, you can sue 729 00:36:56,999 --> 00:36:59,083 the people who make the toaster. 730 00:36:59,125 --> 00:37:02,999 If a device gives you too much chemo, you can't sue and win. 731 00:37:06,250 --> 00:37:11,834 We don't want to hurt GDP and competitive edge, but there 732 00:37:11,834 --> 00:37:14,999 is plenty of precedent. 733 00:37:14,999 --> 00:37:16,999 In the medical devices, you have the FDA. 734 00:37:16,999 --> 00:37:19,459 Or in cars, you have the five star crash system. 735 00:37:19,834 --> 00:37:22,667 It is not about shoehorning laws but tweaking them 736 00:37:22,667 --> 00:37:26,417 instead of creating them from whole cloth. 737 00:37:27,083 --> 00:37:28,459 Doug? 738 00:37:29,083 --> 00:37:31,292 Two quick questions. 739 00:37:31,292 --> 00:37:32,334 Pick which you want. 
740 00:37:32,501 --> 00:37:36,584 Most of the populations you are talking about trying to channel here tend 741 00:37:36,584 --> 00:37:40,834 to prefer true democracy, one person, one voice, one vote. 742 00:37:41,209 --> 00:37:42,999 What we work in for the most part to do legislation 743 00:37:42,999 --> 00:37:46,876 is representative democracy which is a very different system. 744 00:37:46,876 --> 00:37:49,876 How do you plan to resolve that without alienating people? 745 00:37:49,999 --> 00:37:53,083 The other one is you've got a lot of people standing up here. 746 00:37:53,083 --> 00:37:54,083 It is awesome. 747 00:37:54,083 --> 00:37:55,083 I love to see that. 748 00:37:55,083 --> 00:37:57,918 How do you keep those people enthusiastic at 6 months, 12 months, 749 00:37:57,918 --> 00:37:59,999 18 months, 24 months? 750 00:37:59,999 --> 00:38:02,751 JOSHUA CORMAN: Great points, great questions. 751 00:38:02,918 --> 00:38:04,834 The reason I want to have that constitutional Congress 752 00:38:04,834 --> 00:38:07,167 is so we can decide how to make decisions. 753 00:38:07,167 --> 00:38:08,542 We decide how to decide. 754 00:38:08,542 --> 00:38:10,375 There will be trade offs to all those. 755 00:38:12,584 --> 00:38:15,999 Anything volunteeresque will have its ups and downs. 756 00:38:15,999 --> 00:38:18,209 I think the reason this will have some staying power, 757 00:38:18,209 --> 00:38:20,999 especially if we have early movement and wins 758 00:38:20,999 --> 00:38:24,918 is regardless of your motivation, if you are altruistic, there 759 00:38:24,918 --> 00:38:27,250 is plenty of motivation. 760 00:38:27,334 --> 00:38:30,999 If you are a narcissistic vulnerability pimp I was talking to somebody 761 00:38:30,999 --> 00:38:34,999 and they are like: I don't care, I want to be famous. 762 00:38:35,250 --> 00:38:41,125 How much relationship do you have with CNN or Vanity Fair? 
763 00:38:41,125 --> 00:38:45,999 We could be a platform as a service for broadcasting good work. 764 00:38:46,083 --> 00:38:48,792 So there's some built in incentives regardless 765 00:38:48,792 --> 00:38:53,250 of your motivational structure to get some benefit out of this. 766 00:38:53,250 --> 00:38:56,083 And I think because we're so frustrating and because there is no other line 767 00:38:56,083 --> 00:38:58,999 of defense and it falls to us, I'm hoping that that gets 768 00:38:58,999 --> 00:39:01,334 a little bit of movement. 769 00:39:01,334 --> 00:39:03,083 Plus we just need to get an early win. 770 00:39:03,083 --> 00:39:04,751 I think we have a couple in mind. 771 00:39:04,751 --> 00:39:06,375 We have done a lot of prehomework. 772 00:39:06,375 --> 00:39:08,459 Did I answer the second question? 773 00:39:09,792 --> 00:39:15,792 So I just wanted to say while it is easier to subvert existing processes, 774 00:39:15,792 --> 00:39:18,999 we can use the same lobbyist organization 775 00:39:18,999 --> 00:39:23,083 or professional board or whatever to advocate repeal 776 00:39:23,083 --> 00:39:27,083 of existing law that we disagree with. 777 00:39:27,083 --> 00:39:30,709 We don't necessarily have to just roll with whatever's there. 778 00:39:30,709 --> 00:39:32,083 A voice is a voice. 779 00:39:32,083 --> 00:39:36,751 And we can use that to repeal law whole cloth. 780 00:39:36,751 --> 00:39:40,999 So for people who have reservations about that ... 781 00:39:40,999 --> 00:39:42,626 JOSHUA CORMAN: That's true. 782 00:39:42,626 --> 00:39:43,626 Absolutely. 783 00:39:43,626 --> 00:39:45,167 NICHOLAS PERCOCO: Thank you. 784 00:39:45,167 --> 00:39:46,167 (applause). 785 00:39:46,167 --> 00:39:49,083 Again, the choice between two questions. 786 00:39:49,083 --> 00:39:51,375 One is: We know we can save people. 787 00:39:51,667 --> 00:39:54,918 Okay, we can swoop in and rescue the public. 788 00:39:55,083 --> 00:39:57,083 How do we make this more public? 
789 00:39:57,083 --> 00:39:59,542 How do we let shoutout that we've done this? 790 00:39:59,959 --> 00:40:03,125 And the second is if you could if you are familiar 791 00:40:03,125 --> 00:40:07,876 with the 501 medical device registration and where that fits 792 00:40:07,876 --> 00:40:10,999 in in the class 2 F.D.A., could you speak 793 00:40:10,999 --> 00:40:16,667 to how we can get software elevated to even a class 3 device? 794 00:40:16,667 --> 00:40:18,542 JOSHUA CORMAN: Okay. 795 00:40:18,542 --> 00:40:20,999 So I'm not the expert on the medical device pump. 796 00:40:20,999 --> 00:40:23,626 But that's why we've sought out people like Kevin. 797 00:40:23,918 --> 00:40:26,959 Kevin does a great job within his scope and remit. 798 00:40:26,999 --> 00:40:29,501 When I talked to him about Bluetooth tiny anecdote 799 00:40:29,501 --> 00:40:32,751 before we run out of too many I said why do you need 800 00:40:32,751 --> 00:40:35,501 Bluetooth on an insulin pump. 801 00:40:36,501 --> 00:40:40,834 He said, it is not like it is a pacemaker. 802 00:40:40,834 --> 00:40:42,999 He said it is the bacon principle. 803 00:40:44,709 --> 00:40:48,250 Everything is better with bacon, everything is better with Bluetooth. 804 00:40:48,751 --> 00:40:52,709 One manufacturer did it and then they all had to do it because it was cool. 805 00:40:52,709 --> 00:40:54,792 What you have is something that's not medically 806 00:40:54,792 --> 00:40:59,250 relevant that's highly attackable in a life saving situation. 807 00:40:59,250 --> 00:41:01,417 So we need those subject matter experts to answer the spirit 808 00:41:01,417 --> 00:41:05,375 of your question and that's what we mean by mapping these. 809 00:41:05,375 --> 00:41:07,459 I think the roles and responsibilities we are hoping you can do, 810 00:41:07,459 --> 00:41:10,125 once we map that kill chain for that particular industry, 811 00:41:10,125 --> 00:41:12,584 then we can start iterating. 
812 00:41:12,584 --> 00:41:15,250 The pushback I gave him, he said, Josh, the F.D.A. 813 00:41:15,250 --> 00:41:16,999 had a choice between failing to approve 814 00:41:16,999 --> 00:41:22,751 a medically life saving technology or being afraid of a theoretical hack. 815 00:41:22,751 --> 00:41:25,459 And I said, okay, fine, they had to rubber stamp it 816 00:41:25,459 --> 00:41:30,417 but they could have also said by 2015 anyone putting elective remote 817 00:41:30,417 --> 00:41:34,083 technologies on a device could have more validation 818 00:41:34,083 --> 00:41:35,999 and testing. 819 00:41:35,999 --> 00:41:37,792 There are ways to look at this as a marathon even 820 00:41:37,792 --> 00:41:40,999 if they couldn't do it with current things. 821 00:41:40,999 --> 00:41:42,792 I'm not trying to trivialize it. 822 00:41:42,792 --> 00:41:44,501 I know it is far more complicated. 823 00:41:44,918 --> 00:41:48,542 Keeping at it and being the tenacious hacker that fuzzes that 824 00:41:48,542 --> 00:41:50,999 kill chain, we will win. 825 00:41:53,209 --> 00:41:56,167 First of all, I think that a lot of people 826 00:41:56,167 --> 00:42:00,959 like my mother couldn't put together that hacking is related to safety 827 00:42:00,959 --> 00:42:04,999 and it was a matter of teaching her, well, you know, you have 828 00:42:04,999 --> 00:42:07,959 to find these vulnerabilities. 829 00:42:07,959 --> 00:42:10,918 When you find them, then they can be fixed. 830 00:42:10,918 --> 00:42:13,792 And until that point, somebody could exploit them 831 00:42:13,792 --> 00:42:16,709 without you being aware. 832 00:42:16,709 --> 00:42:19,959 So putting the spin on it, being about the safety of our families 833 00:42:19,959 --> 00:42:22,083 is super important. 834 00:42:22,083 --> 00:42:23,417 JOSHUA CORMAN: I agree. 835 00:42:23,417 --> 00:42:27,209 Second of all, how will you prevent an organization 836 00:42:27,209 --> 00:42:31,876 of hackers from being open to abuse? 
837 00:42:32,083 --> 00:42:35,999 Because I feel like every time I see hackers organize, 838 00:42:35,999 --> 00:42:39,792 they do things like hoard exploits, and it just doesn't 839 00:42:39,792 --> 00:42:41,999 work out so well. 840 00:42:41,999 --> 00:42:44,083 JOSHUA CORMAN: That's a concern that's come up often, is, 841 00:42:44,083 --> 00:42:46,501 you know, one of the things we actually said 842 00:42:46,501 --> 00:42:51,375 in our Anonymous research: it was very prone to infiltration and hijacking. 843 00:42:51,375 --> 00:42:54,999 There were several political and government groups infiltrating. 844 00:42:56,083 --> 00:42:59,999 One of the things that's interesting about hackers, they are prone 845 00:42:59,999 --> 00:43:03,501 to influence but you can't control them. 846 00:43:03,501 --> 00:43:04,999 We are really hard to control. 847 00:43:04,999 --> 00:43:07,167 It is almost virtuous, being so chaotic. 848 00:43:07,959 --> 00:43:09,999 I think this is going to be hard. 849 00:43:09,999 --> 00:43:11,999 I think keep bringing these criticisms. 850 00:43:11,999 --> 00:43:14,709 This is a good time for probably one more question. 851 00:43:14,709 --> 00:43:17,083 Then we will go to the room. 852 00:43:17,083 --> 00:43:18,459 We want to flag every single one of these because we don't want 853 00:43:18,459 --> 00:43:20,209 to just try something. 854 00:43:20,209 --> 00:43:22,417 We want to actually succeed at something. 855 00:43:22,417 --> 00:43:23,999 So keep raising these concerns. 856 00:43:23,999 --> 00:43:25,584 Oh, look, it is Jay. 857 00:43:25,584 --> 00:43:26,584 Last question. 858 00:43:26,584 --> 00:43:28,709 How fitting is it that it is Jay Radcliffe? 859 00:43:28,709 --> 00:43:33,959 This week I spent all week talking to media about a talk I gave 860 00:43:33,959 --> 00:43:36,999 at Black Hat and BSides. 861 00:43:37,209 --> 00:43:42,083 A software flaw put me closer to death than I would have liked. 
862 00:43:42,209 --> 00:43:44,999 And when I approached the vendor about this, they said, 863 00:43:44,999 --> 00:43:47,792 you should have read the manual. 864 00:43:47,999 --> 00:43:50,667 And we're not fixing that. 865 00:43:51,250 --> 00:43:55,542 If you think that, you know, these things are in the future 866 00:43:55,542 --> 00:43:59,083 and that they're coming, they're not. 867 00:43:59,083 --> 00:44:00,334 They're here right now. 868 00:44:00,626 --> 00:44:03,584 And we need to change these things right now. 869 00:44:03,584 --> 00:44:04,999 And I can find a hundred medical device flaws 870 00:44:04,999 --> 00:44:08,459 and I'm still going to get the same response. 871 00:44:08,501 --> 00:44:12,083 It's going to take a mass movement. 872 00:44:12,083 --> 00:44:14,709 It's going to take all of us getting on the same page 873 00:44:14,709 --> 00:44:17,542 to make this problem change. 874 00:44:17,999 --> 00:44:21,667 I can do all these things, but I'm not going to move the rock 875 00:44:21,667 --> 00:44:24,999 an inch forward without more help. 876 00:44:25,083 --> 00:44:27,959 Exactly like Josh is talking about. 877 00:44:27,999 --> 00:44:31,626 In the media, in lobbying groups, in places that we haven't been 878 00:44:31,626 --> 00:44:35,125 before and there is no reason that we can't get together 879 00:44:35,125 --> 00:44:37,584 and move that system. 880 00:44:37,584 --> 00:44:38,584 (applause). 881 00:44:38,584 --> 00:44:40,709 JOSHUA CORMAN: Thank you. 882 00:44:43,375 --> 00:44:46,792 NICHOLAS PERCOCO: So we're out of time 883 00:44:46,792 --> 00:44:51,167 but this conversation doesn't have to stop. 884 00:44:51,250 --> 00:44:54,918 Please join us for Q&A in the Chillout Lounge immediately 885 00:44:54,918 --> 00:44:56,999 after this talk. 886 00:44:56,999 --> 00:44:57,999 Thank you. 887 00:44:57,999 --> 00:45:00,999 We also have stickers up here on stage if you're interested. 
888 00:45:00,999 --> 00:45:04,375 (applause) NICHOLAS PERCOCO: They're on the chairs at the end.