>> Good morning. So welcome. This is the Cavalry Year 0. I'm Nick Percoco and this is Josh Corman. A little bit about myself real quick: in my day job I'm Vice President of Strategic Services at Rapid7. But this is not about my day job. I am one of the co-founders of the Cavalry movement along with Josh, and my big motivation for being here and working with Josh on this is I want to see a day, I want to live in the future and be able to enjoy life in the future utilizing technology, and have my family and my friends, my father, my wife, my kids feel the experience of technology and never have to worry about using a piece of technology, or being required to use a piece of technology for their own health, and being in fear that there's going to be a software flaw or bug that's going to cause them harm.
>> And I'm Josh Corman. In my day job I'm the CTO for Sonatype, and I too am not here representing them; I speak for myself as a citizen and a father and as someone who is deeply concerned about our dependence on technology. In our professions, right, whether you started this out of curiosity as a hobby which became your profession, software and security issues now permeate every single aspect of your life, and that's increasingly the case. So if we know how bad a job we're doing as a security industry, with 80 billion dollars of spending trying to protect random pieces of plastic and magnetic stripes, I believe a higher standard of care and our best and brightest should be focused a little bit on things that affect public safety and human life. So we're really happy to see the change in the DEF CON community toward things of consequence.
>> So here's where we were last year. Anybody in the room, were you at the talk last year, 10:00 a.m. on Sunday? Oh wow, great, and thanks for being here today. So last year we started out, you know, this was a conversation that we had with all of you in the room.
This was not, we didn't know where this was going to be or where we would be a year later, but we started out the conversation about body, mind and soul, which were really the planks of the platform we were looking towards. Public good, human safety, human life on the body side. On the mind side was security research, and as a security researcher I was very concerned about that piece, and then soul, which was civil liberties. And we're going to talk a little bit about where we've moved and settled on, but today we have some important announcements.
>> One year ago we asked you to suspend your cynicism. I think the soul of the hacker is really curiosity and puzzle, but too many of us walk around the halls here with our defining characteristic being cynicism and defeat. And we did not want to go quietly. We wanted to find our spirit again and apply the trade that we've assembled to things that have consequences. And as such we said, please don't taze us, bro, give us one year. If you want to ignore us, fine, but give us a chance for one year of experimentation and we'll come back to you and we'll say if we should keep trying or not, if there's hope, or if we're encouraged or discouraged. So, slightly tongue in cheek here: it's too hard, I think we're going to give up. The spirit of the Cavalry, though, seriously, was that we looked high and low. We met with as high-ranking people as you can in the government and intelligence community, thinking naively that if we brought the right message to the right people in the right power they'd fix it, and as depressing as it was to realize the cavalry isn't coming, they aren't going to fix it, it was also empowering, because that means it falls to us. We can be the technically literate voice of reason and become ambassadors to educate them and to frame the issues for them so they'll make smarter choices.
But here's the sarcasm tag: we couldn't get through to the medical device manufacturers and we couldn't get through to the auto manufacturers, it's just an intractable problem, so instead we're going to make lots of money selling products. So we're going to unveil right now, for the first time ever on stage, where we're going to have a solution to some of our friends' medical device problems. So first off, I met a woman named Marie who is the Director of CERT in Norway, and she is about our age and she has a pacemaker, and she's concerned that it will kill her. And because the medical device manufacturers really don't take this issue seriously, because no one has died yet from hacking, even though there's no logging to prove if they have or haven't, we've decided to make a line of clothing. So, can you please welcome to the stage our model. [Applause]
>> Those with a medical condition should not be required to sacrifice their night life. Not only will it keep you shielded from unwanted interference, you will shock and amaze your friends at the fashion. Now this is our evening wear, but we also have, you should see the lingerie collection. Let's give a round of applause for Nicole. And I think we should probably auction that off later to charity. What do you think about that?
>> Good idea. Yeah. Would anybody buy that?
>> No.
>> But wait, there's more. So we had some money left over from our R&D budget and we spent the last year working with our friends who are diabetics. And Jay Radcliffe specifically, he put a lot of hard hours of work into developing a new product that I'm happy to unveil today. And this is a nine-volt intrusion detection system for insulin pumps, and they should be available next year around this time.
>> As many of you saw yesterday, we revealed a five star auto safety program for the car industry. And because we want to hedge our bets, and we hope they do the right thing, we're also going to unveil an antivirus product for your car.
>> So in all seriousness, what we wanted to do with this first portion of this presentation is to really solidify the messaging around what the Cavalry is all about and bring you through that process. Last year when we got on stage and did this we didn't have a solid message; we didn't really know where we would exactly evolve into at this point. So what we want to do is just walk you through sort of the thought process and walk you through, you know, the various aspects of how we're actually accomplishing and plan to accomplish what we're working towards. So first, our problem statement.
>> So, you know, I am a big fan of Dan Geer, and he often talks of security in terms of our dependence, right, if we're dependent upon it and if it's worthy of that dependence. So really what stuck for us, and really works in the Beltway and with policy makers and the general public, is the simple truth, the immutable truth, that our dependence on technology is growing faster than our ability to secure it.
>> And the second half of that is, while we struggle to secure organizations' connected technologies, really they have now permeated every aspect of our lives. They're in our cars, they're in our bodies, they're in our homes and even in our public infrastructure. So you know, just think about that. Think about, does anybody in the room disagree with that problem statement? No.
>> Alright. So, we're not good at mission statements, we're good at security. But not so much mission statements. But this catches the gist of what we want to capture: we want to ensure that technologies with the potential to impact public safety and human life are worthy of trust. Doesn't mean we can go fix them, but we're going to do what we can with our power, with our talent, with our power of story and research, and by teaming with industry to make sure that we can achieve these goals. And we've approached this with what we call the four Cs: collecting, connecting, collaborating, and catalyzing.
When we say I am the Cavalry, it's not Josh, it's not Nick, it's all of you, it's our talent pool. It's a personal commitment that you say aloud which essentially says I'm going to be part of the solution. If I am a researcher and I know how to break things, I am going to be part of that life cycle. If I don't know how to break things but I know how to securely architect and fix things, we need you as well. If you are a project manager, we're horrible at logistics but we need to act like a campaign that needs to be managed in multiple phases. And the Cavalry was really about acting on these four Cs. The general idea was we're not going to invent from whole cloth, we're going to collect and connect, excuse me, collect existing research and researchers, this tremendous body of work going back many, many years on things like auto hacking, on things like medical devices. We do not need to invent from whole cloth. The challenge is we do a lot of solo action, and when we combined the medical device researchers on our first call, some knew how to hack devices but couldn't find how to get them. Others knew how to get them but had no idea what to do with them. Some of them had relationships in the FDA or worked at different manufacturers like a Medtronic or a GE, a Philips, etc. So when we connected them together -
>> We bring people together, sorry. We connect the researchers with other folks in the entire chain. We spoke last year about something called fuzzing the chain of influence, trying to bridge the gap between the security researcher and the executive at a manufacturer, and be able to connect those people together: connecting the researchers, connecting those to people in media, people in policy, to get the right message out. We found that's going to be very, very effective; it has been effective so far.
>> You know, and the collaborating, we really have to have a tone of teamwork. There are multiple methods to get attention.
This weekend and in earlier Black Hat you can name and shame. Right. We can find bugs, throw them over the wall, use that as a catalyst; sometimes that works. We chose, we wanted to be teammates, and we wanted to ready ourselves to be better listeners, more empathetic, and find the right stakeholders in these organizations, many of whom want to do the right thing. They just need help. They don't have the knowledge, or they don't have the air cover, or they don't have the stimulus to do so. So it's the collaboration where we started brainstorming, saying how do we get around these intractable problems? We're hackers. If we can jailbreak an iPhone we can figure a way to get more safety standards through the FDA or through the auto industry. And then we're going to continue, fail fast or iterate, until we have done so.
>> And then the last one is catalyzing. You know, through our efforts and through the public awareness of what we're working on, and even awareness within the echo chamber and outside the echo chamber, if we're able to fuel additional research and more people to make a decision between, say, finding an Android vulnerability and finding a vulnerability in a medical device, that's going to be better for everybody else. And just trying to catalyze that and fuel that research in a direction where it's focused on public safety and human life.
>> So if they're not coming, will you answer the call? I can't hear you. Will you answer the call? Are you up for the job? Because it falls to you.
>> All right. So this has been the monster, so we'll go quick through this and talk about some of the developments in the last 24 hours. So we believe that we have to be ambassadors, right; this isn't a technical challenge, this is a communication and education challenge. We have to be a voice of literacy. We will not get anywhere if Congress thinks the internet is a series of tubes.
We will not get anywhere if we let the headlines dominate with there's killer attack fridges sending spam and oh my god, little cats, oh my god, we're all going to die, and that's not gonna be the most important prioritized issue. So if we don't fill the void, that void will be filled by others; they'll be filled by charlatans, by snake oil salesmen, so we need to be that voice, the independent voice, and we have to research things that matter. I mean, yes, a lot of us got in this because we like to tinker with things. Anything. If you want to tinker with anything, why not make it something that can actually affect your family or your future. And most importantly, doing these things alone we are easily defeated, right? And when you link up with a teammate you can do more. And when you form a raid of five different talents you can actually tackle a dungeon. And if you want to kill the dragons it takes a guild. So we have the most talented, most innovative, most creative, most adaptive talent pool in the world right here, and we have the knowledge and the power to do something, so that's going to come by working together. And most of all, this is probably both our biggest strength and our biggest failure this past year when we're introspective, is that this isn't about talking to ourselves. We need to work with each other, but this is about getting the hell out of the echo chamber. Screaming at each other, screaming in the darkness and kvetching at the bar is not going to fix anything, so this is an outward-facing initiative.
>> And finally, we must team with each other.
You know, thinking about it as an independent researcher, you're often sitting there in the dark on your own working on your project, but when you pick your head up and look around and find like-minded folks who want to help out, and want to help out even with aspects where they're not deep technical but they have skills in other ways that can help your research, you find yourself much more powerful and able to complete even greater tasks.
>> We have, so now we're going to switch gears a little bit to some of our Year Zero activities. You want to call out some people?
>> All right, so most of this has been about people, and one of the bad pieces of disinformation we've had within our echo chamber, because we haven't done a good job in communicating, is this is not a handful of people. This is not an exclusive club. We have a few hundred people on the mailing list actively participating; we have several dozen researchers and several dozen people who work in medical, auto, critical infrastructure. This is a very large and growing collaboration. And the difference has not been, again, it's not been our technical skills, it's people who have stood out and said I'm going to be part of the solution, so we're going to call out a few in no particular order. We'll just go back and forth. So Mike Murray quit his own company that he started to go take a job in the medical device manufacturing world, and he's single-handedly driving and defining a very robust secure software development life cycle for one of the largest device manufacturers in the world. We're not just throwing a bug at them; he changed his career to go directly impact, and he's going to pull in all of the talent pool from all of his friends here to do so. Katie Moussouris, one of the pillars of the research community from @stake days and whatnot, and who basically caused Microsoft to have the very first bug bounty program in history.
She wrote the ISO standards on coordinated disclosure to help drive more collaboration between researchers instead of lawsuits. And she has recently quit her job and now is the Chief Policy Officer for HackerOne to help create a normalized interface that any organization can use to do bug coordination even if it's not their core DNA. I quit my job at Akamai, and I wanted to learn how to build public policy muscles and talk to Congress, so in January I started as CTO at Sonatype so I could actually drive more security rigor into the software supply chain. And the names are dozens. Morgan Naham has been very prominently profiled, is working with people like Claudio and the Citizen Lab to help dissidents. We actually have Gloria Spites because he liked the Cavalry to be more focused on the surveillance state problem or on civil liberties. And we share many of the same beliefs and whatnot, but we're going to focus on different fronts and we amplify and congratulate his effort, and if that's in your heart to do, we're asking you to join our movement, we're asking you to do something that impacts your life. And then, we're sad we can't watch it, but we just met three physicians who are also hackers who right now on a different stage are presenting how to undermine, and the risks in, the 911 alert system, because their concern as physicians is it can compromise patient care in the ER and in their various respective positions. That's a quadian replicate. So we're happy to see that that call spoke to people and lit something in their hearts, and people like Zach Lanier [indiscernible] BuildItSecure.ly to target the home IoT.
>> So we have a lot of other things we've accomplished this year, and I think personally, you know, one of the most rewarding things that I was able to contribute to within the Cavalry was I was invited outside the echo chamber to give talks to people. One specifically, there was an event of the National Association of Real Estate Investment Managers.
I can tell you it's very different than DEF CON. They, I got in a room with them and we were talking about security, security issues, risks to infrastructure, and literally it was about a 45-minute Q&A session, and they asked dozens and dozens of questions about the large buildings they're investing millions or billions of dollars into that have Internet of Things technology in them: the HVAC systems, the elevator systems, the security systems, the fire suppression systems are all networked, and they were very concerned about the security of those devices. I wasn't actually expecting that conversation to go that way. I was just asked to give an update on the latest threats, you know, targeting individuals and corporations, and it shifted very, very quickly to Internet of Things and the infrastructure of large, large skyscrapers in major cities.
>> And when we say conferences we don't mean the echo chamber. Yes, we've been invited to speak to some. We've participated in ShmooCon, BlueHat, AppSec USA, some of the larger ones; DerbyCon gave us room for our 100-person Constitutional Congress last September. In fact many of you were there, two days of amazing collaboration and figuring out what we wanted to do and how we wanted to do it. But when we say this, an international cyber treaty and cyber security for nation states was done at The Hague; the closing keynote for Europe's National Cyber Security Conference at The Hague was the Cavalry. So for everyone that says this isn't going to work and no one's going to listen, we're being invited to places that we would never have dreamed of being invited to before. And in September, I believe, or October, no actually November, the Cavalry made it to stage presence at TEDx. So my mother-in-law and my neighbors understand that we have risks in the things we depend upon in technology. But the one that was most mind-boggling to me was government.
I think most of us think it's a corrupt, intractable, impossible place to get anything done and that it's a bunch of crusty old guys who think the internet is a series of tubes. I am highly encouraged by that group of people. I've done personally, and there's other people in the audience who have been pushing the Computer Fraud and Abuse Act to reform. I personally did over 70 congressional meetings since January alone, bringing technical literacy, an independent voice for you, to Congress. And they're listening. So I'm going to show that in a minute, but I have a proof point.
>> So let's talk a little bit about what worked well. Obviously the mission statement that we've pulled together, it resonated, and it's all about timing as well. I think many people have tried and had similar conversations, say, five years ago, but the timing, it's right now; this is the right time to go in and talk to people about what we're trying to do. It really, really resonates with folks.
>> The four Cs was really the key. It's not that we didn't have talent, it's that we didn't link it together in the chain towards action and consequences, towards results. We did not want to have random activity. We want to see tangible results. I told the press yesterday, we don't want to fix one flaw in one device for one manufacturer. We want to hack the incentive structure so we can make all devices for a particular industry more likely to be designed safely than otherwise.
>> We also, we also learned that it takes a guild. It's not all about researchers. It's not all about the media. It's about people working together. Lots of folks who participated in the Constitutional Congresses and the various meet-ups would self-proclaim that they're not technical at all. But they have background. They're lawyers, they have backgrounds in public policy. They have backgrounds in PR, and they're able to help work together, like Josh said, help slay the dragon.
It's not just going to be the deep technical folks who are going to be able to do that on their own; we need everybody working together. And we need to learn that.
>> Yes. And Brian Keefer did an amazing presentation on why it takes a guild, using World of Warcraft as the carrying metaphor. But one more point: I don't know what kind of class you are when you do D&D or Warcraft or some sort of game, but we noticed we have a lot of assassins, and I found myself playing the role of tank this year even though I'm not specced as one, but we have very, very few healers. So as we've done this journey, if you know any healers that would like to roll one, we definitely need some.
>> The other piece is finding people within our ranks to educate us. And outside, yes. People outside to come in and educate us. One of the, you know, Jen Ellis spent time doing things like media training at BSides San Francisco. Speaking to media is very, very hard. Actually having a conversation with somebody just about something is sometimes very difficult when you know that they don't have the same technical aptitude that you do, to be able to hone that message, but also, sometimes you can be asked questions when you are speaking to media and it comes off completely different when the article's written. And so being able to learn how to hone your message, understand your talking points, was extremely important, and during those sessions I think it really, really reigned in with who was participating.
>> Yep. And we really had fresh blood. So one of the things that's problematic around the echo chamber is our rock star culture. We tend to put people up on pedestals, and you have to be a rock star and you have to be extroverted and you have to be entertaining. There are unbelievably talented researchers that came to DerbyCon that we had never heard of. They're very introverted and they're very shy, and in some ways are as talented or more than the people we put up on a pedestal.
So we need to start encouraging, incentivizing and rewarding different kinds of things. But as we started doing this and we started hearing from other people, we also learned to reduce our jargon, stop using such internal language and internal speak. We got over the word cyber. Cyber. Cyber. Cyber. Right. If you want to talk to the Beltway you have to use that word, right, and if that makes us [inaudible] to some of you, we're just going to have to take that lump. We have to hold our nose and eat our lima beans, because if you want to communicate with the people we wish to influence we have to meet them at their language, and in their terms, and at their level.
>> We were not perfect.
>> No.
>> We actually, you know, we actually said last year when we came on stage we really didn't know where this was going to go or what this was going to end up being, but one thing we did learn, if anybody, you know, anybody who does any type of project management or project work for clients, you know that when the scope is extremely large or the scope expands it becomes very difficult to deliver. And what we learned early on is that while we had sort of the three pillars or the three planks of the platform of mind, body and soul, that was a little too broad. And we began to really hone in and focus on body, which is also known as public safety and human life. And when you think about that, that message really, really resonates with anybody. It doesn't necessarily mean people in this room, but if you talk to somebody on the street and ask if they're concerned with public safety and human life in regards to technology, they're likely going to say yes and they're likely going to start listening to you.
>> We've not given up on our fears that there's going to be an increased criminalization of research. Many of you see it as an existential threat to what you do. And there is a separate initiative or two that I know of specifically working on CFAA to make it more accommodating to research.
But in some of their initial experiments they were basically told it's our right and our First Amendment protected speech to research. Now what do you think a Congressperson says to that? They say you guys sound like a bunch of whiny brats. Like, what's in it for my constituents? One of the really nice surprises is when we led with the research happening on medical devices or automotive safety, which they did care about, either given their prior backgrounds or what their constituents cared about or auto industries in certain states, then they're at the edge of their seats and they're asking how can you help us? What can we do? Who can we work with? And then you end with, well, there's a bit of a chilling effect because there's the threat of criminalization with really vague laws written in 1984. So it's really been the most resonant, and as such, even though it pained us to let go of those, you need to have a north star.
>> Also, project management is not always very easy as well. Anybody who's participating or helping out with the Cavalry also has day jobs, and they have families and personal lives, and this is a grassroots volunteer effort. If someone can give five minutes a month, that's great. If someone can give five hours a month, that's great as well. But running projects and trying to accomplish things sometimes becomes very, very difficult. Sometimes it's like herding cats. I know we've had to have several e-mail chains in order to try to get people on the phone, and there were always 2 or 3 people who couldn't make the call. That just happens. Moving through and trying to take bite-size chunks instead of looking at this large project, and building accomplishments, is something we learned would work better in the efforts we're trying to accomplish.
>> So just like we need more healers, if you have project management skills or know how to herd cats, please, please come help us. We've also had a very poor balance.
We've had some really harsh criticism from some of our best friends that we're too holier-than-thou or that we're not fixing anything fast enough. That this is doomed for failure. It took nine months before we finally said, you know, if you're saying we're not doing anything, if you exclude teaching, teachers do nothing, and since we're mostly focused on education and awareness outside the echo chamber, once we told them we had been to over 70 congressional meetings, or that we'd spent full days with device manufacturers in industrial controls environments for free, or that we've been invited into automotive manufacturers to discuss the unique nature of embedded security that's different than enterprise security, then they calmed down. But we've done a horrible, horrible job reporting back to our friends what we've been working on.
>> So some of the surprises, we talked briefly here, we mentioned this, but it goes beyond just the PR aspect of it. It's also the soft skills. Professional media training is one of those, but communication, empathy. Really eliminating jargon. It's very, very easy for any of us to have a conversation about a technical topic. If you were to record our conversation and play that back to someone who's not within our industry, they have no idea what we're talking about, and that's sometimes very difficult if someone's trying to communicate to a policy maker or an executive at a device manufacturer, because they're not in this room, they're not in this community, and they really don't understand technology terms. And if you eliminate that jargon and soften it, it's amazing how many light bulbs you can get to go off in people's heads and you're able to connect with them much better.
>> Yeah, I suffer from empathy deficit disorder. I think many of you may as well. And I had an argument with Katie Moussouris, who has been an unbelievably wonderful part of the Cavalry since pretty much day one. She said, Josh, what we lack is empathy.
We don't listen very well, we don't think about who we're talking to. We don't understand the dilemma and challenges that an automaker might have. And as such, we don't connect with them and our advice is not useful to them. And the thing that she said that really stuck with me is, if we want to change the world, the first thing we need to change is ourselves. And it's really shocking how the killer app for this entire one-year initiative has been empathy. Listening skills, communication skills, mirroring; it's almost like if you took social engineering and took out the malfeasance, many of those skills have become critically necessary, and she was right. And she really put us morally on the right path, that we need to look and listen twice as much as we speak and understand the dilemmas of those people we're talking to. And you know, people have been talking about this for a long time and we haven't taken advantage of it. Jamie Erland has been giving free workshops on presentation skills and soft skills, and I have been at certain cons where there's one person in his audience. So he was right and this makes him jaded. McCurl has been doing this and he's been right, he was just early. So if you want to be more effective, the huge surprise and huge delight is, even though we asked you to put some of your heart and mind outside of your day job, the soft skills we've developed have made us better husbands and wives and have made us more effective with our bosses, because we're learning to talk on their level instead of just complaining when they don't listen.
>> We have one more fashion show today. Public policy. I thought this one was going to be interesting and I bet the farm on this; that's why I changed jobs to one where I could go work with Congress. I'm shocked to see what we found.
On my very first day of the very first try I encountered a 27-year-old working on the Commerce Committee in the office of Senator Rockefeller, and he actually knew, he was in the midst of writing a kill chain analysis of the Target breach on par with anything that any one of you have written. I'd like to say he's the anomaly, but in many of the offices of both the House and Senate we found people of our generation or millennials understood this creative craftware and were asking intelligent questions and can tell fact from FUD. And we're asking - I am highly encouraged, so for our second fashion show I'd like to bring out to the stage counter-evidence to the idea that all Congress critters are grumpy old white guys. This is Andrew Ruffin. Until a few weeks ago he was on the Senate staff and now he's going back to grad school. He's modeling a lovely attire. [Applause]
>> I have a token for you. Thank you. Finding people like him gives me hope. They're not going to necessarily find a 0-day in a home alarm system, but they understand the consequences of it, and they've really helped us to understand that this public safety message is the one that's going to most resonate and most push through what looked like an intractable problem.
>> So the other piece here, the other surprise, was industry reception. I can tell you last year when Josh and I were walking out and getting ready to come on stage Sunday at 10:00 a.m. last year, we said we're maybe going to get 30 people in the audience. Maybe if we're lucky 50. And it was a room like this where there were hundreds of people who came out to hear what we had to say. And then after our talk hundreds of people followed us into the chill-out lounge to continue the conversation for several hours, and the conversations continued for weeks ahead. And so that was very, very shocking to us.
>> And what shouldn't be surprising is these targets that we wanted to hit, it did surprise us but it shouldn't have, many of them are already here at DEF CON; they just didn't raise their hand or try to stick out. There are automakers here right now. I talked to two of them last night. There are people in medical device companies who have been dying to do the right thing but their business doesn't listen to them. They have mostly the right idea, in some cases they have the exact right idea, but they needed air cover and help, and as we started getting media coverage in the Guardian and Washington Post and Wall Street Journal they can point at those to their management chain and say, I have been asking for this for three years; it's finally in the published consciousness. Can we finally get in front of this? And the answer they're getting is yes. There's a guy working in device manufacturing in Germany who every single time we have a mainstream media hit gets a new project approved. And I didn't even know this until a month ago. So this is finding willing teammates who will both get on a phone with us to tell us where the bodies are buried and what not to do. And we're actually able to help them get done what they already wanted.

>> And the other surprise was the mission. Talking about human life and public safety, we found, instantly resonated with people who were in media and in policy. Very different than taking the message to them like Josh mentioned earlier, about trying to - we're all about doing security research and we want to change laws. When we talked about human life and public safety, people listened. And that was something that was a surprise as well.

>> And a recent proof point of this is on Tuesday this week we had an invite-only 50-person event over at the Four Seasons and we had medical manufacturers present, a law professor from George Washington University, a law professor and special counsel to the FTC who's working on public policy work.
Some of the best researchers like Billy Rios and Mark Stanislav, and we pulled the right researchers for the right topics; we had the guy who designed and implemented the vehicle-to-vehicle protocol securely for 13 years. Not only is it resonating, they flew all the way out to Las Vegas for a meeting to build teams and trust, a basis of trust that they're going to then take into the next year together. This isn't a hypothesis anymore. We have tested the hypothesis and it is time.

>> So people often asked us, even last year, I think even leading up to this, what is the Cavalry going to become? And obviously the one thing we've been thinking about, and we've been thinking about very, very hard, is: what type of legal entity should we become? Because there are advantages to becoming various types of legal entities. We can do more, we can extend our reach more. So some of the choices we had were obviously for-profit; that's not something we're interested in. But then there's the other 501 organizations. Things like professional organizations, lobbying organizations and then educational organizations, and what we settled on is a 501(c)(3) educational foundation.

>> Yeah, this really is the path forward. If we only try to change policy without getting hearts and minds, it's not going to work. And if we only professionalize our trade, even though we're anti-professionalization, that's also not going to work. The real bottleneck here is there aren't enough people who understand the implications of dependence on technology that can put them in harm's way. So we have to make some changes going forward. Right now we're in active negotiations to be adopted by a large (c)(3). If it does not come to terms, we're tired of waiting, it's been one year and we'll file our own, but this will give us the ability to have tax-exempt status and take donations from anywhere, to drive public service announcements, summits with medical, auto, industrial controls and home automation systems.
So some of these changes, and we'll end with our announcement from yesterday, some of the changes are: we want to be much more self-service. When people ask us, what can I do to help? If we're not there to manage them it's been a missed opportunity. So far the best collaboration is someone says, can I come lead this effort? Or when Mark Stanislav said we're going to start BuildItSecure.ly. So the go-getters have been easy, but we're going to make it easier for someone to grab a kit and present at a local conference or get white papers, or what not. We have to get better communication transparency. But really it's not, we don't want someone to come to us and say, what can we do for the Cavalry? Instead we want to flip it and we want to say, here's what the Cavalry will do for you. So if our mission focus is on public safety and human life, any one of you that wants to do that is going to get an entire polished set of resources with connections to the right people and media. With knowledge of the landscape in Congress. With relationships at the FDA or FTC. Beau and I just met with the FDA last week and we're going to go again. In fact we're going to do a siren boot camp for Congressional staffers at the end of August. Anyone who wants to help in any single way, great, but if we can help you amplify your message and get your message to the right people or the right introductions, we'd like to do so. We need to be more service oriented.

>> So this happened yesterday. You may have seen news about it. This is the front page in the technology section of Reuters and it has "Hacking group wants to play nice with automakers." And if you actually read that article you would see that we announced yesterday we've released an open letter to the auto industry on collaborating for safety. So we're going to talk a little bit about that. We only have a couple of minutes left.
But one of the big things, if you go to the Cavalry.org website, the IamtheCavalry.org website, you can see more details on this and there's also a call to action for you which we'll talk about in a minute. But we announced within that letter the Five Star Automotive Cyber Safety Program. And there's five points, five stars to that program: it's safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation.

>> These are critical capacities. These are not going to be a PCI list. Checklists don't work. This isn't going to be telling them what to do and how to do it. These are five foundational capabilities we think every car manufacturer is going to need to have, and we'll help them interpret, define and attest to them. Number one: we recognize safety is important to our customers; as such we've published an overview of our security software development life cycle for how we design, develop and test our products and our supply chain. So tell us what you're doing to factor security into your design. Number two, you'll like this one: we know we're going to miss things, so we invite the participation of third-party researchers acting in good will with our published coordinated disclosure policy. How would you like to avoid 12 years of adversarial relationship with the auto industry? Number three: failures will happen, so we need to actually study and understand and learn from our failures; therefore we're asking for tamper-evident, forensically sound evidence capture. Now this is not plain speak for my neighbor, but think in terms of a black box. You cannot simultaneously claim there's no evidence of hacking when you lack the ability to capture any evidence of hacking. So this has to be in place going forward. Fourth: secure updates. Imagine Heartbleed in your car, unpatchable. Would it scare you to know several manufacturers use vulnerable versions of open source components in their remote connectivity?
We have to be better and we're going to start being better. So, the ability to update your software. Lastly, segmentation and isolation. We believe that there should be - oh, I was listening to the [inaudible] too much, but you've got to keep them separated, right? You need to have separation of critical systems that affect life, like your braking, your steering column, your airbag, from systems like infotainment, noncritical systems. A hack of your stereo through your Bluetooth should never disable your brakes. And unfortunately, through shared circuitry like on a CAN bus, right now they're sharing the same circuitry, the same memory map. And we really want to see [inaudible] of what logical and physical isolation techniques they're using. And again we're going to help them to do so. So if any of you have driven a car, ridden in a car or intend to ride in a car, we would like you to go to the following site and sign.

>> So if you visit this site, it's a bit.ly link, five star auto, so bit.ly/fivestarauto. Put it in your phone now; everybody in this room take five minutes after the presentation, read the letter, read the petition and sign it. We need everybody in this room's support.

>> I know you're going to be concerned about privacy. I love privacy. You can fill out that change.org thing even though it asks you a few simple questions. I love privacy; I'd like to be alive to enjoy it.

>> In all seriousness, in the last few moments here: some people think this is a waste of time, it's not going to work. I'm willing to try and waste my time. And I hope you are too. Some people think nothing will get better until we have accidents, bad outcomes, dead babies. I hope they're wrong. But here's the deal. We can either wait for these catastrophic triggering events, because we always have a sane and rational response to catastrophic events, right?
So rather than avoiding, like the polarizing emotional ones, Andrea reminds us that the Cuyahoga River in Ohio had to catch on fire and stay on fire before very aggressive major laws were put in place to do something. Twice. So before we have our cyber Cuyahoga moment, we believe that if we start the education and start the collaboration now and we raise the threat IQ of policy makers, then that knee-jerk will be slightly less severe. So if you think we're early, we've chosen that now is the time to start. And the last note I'll say is attitude is everything. I'm going to remind you what we said at the beginning. At my first DEF CON the defining characteristic of this demographic, our zeitgeist, was curiosity. We passionately loved to figure out how things worked. When I walked around last year it was cynicism and defeat. Cynicism is a choice. And for many reasons we've come to that point. But we can choose to do something that gives us fulfillment and purpose, and we can choose that the timing is right, and we can choose to hit reset. It's not going to be for everybody. If you want to watch us fail, that's fine, but you have a choice about your attitude and I would encourage you that the timing is now. People are ready. The consequences are severe, so please choose wisely.

>> So how can you get involved? One of the big things is, if you have the opportunity, you can get a job in the target industry. Medical device manufacturers are looking for security people. The automotive industry is looking for security people. You can get jobs there. Internet of Things companies are looking for security people. There's plenty of startup companies popping up left and right that need security people to work for them. You can research some of the target technologies. If you have that choice between a mobile device or a medical device, choose the medical device. You can speak at target industry events. And that's not DEF CON, that's not Black Hat, that's not BSides.
That's medical device manufacturing events. That's Internet of Things types of events. Automotive conferences. You can speak at those conferences. They're looking for people to speak on security. And then you can help educate policy makers and media. When you have an opportunity to speak to those individuals, you can explain the risks and explain them in clear, easy-to-understand language so that the message is clear and broadcast to the public in the right way. And of course you can join the mailing list. If you want to become an active, active member or participant, join the mailing list or visit the website, and Beau Woods has done an amazing job over the last several months building a website that has clear messaging on it and information, and it's just going to grow as we have bodies of evidence to publish and place on that site. So the Cavalry isn't coming, so it falls to us. It falls to you. Can I hear an "I am the Cavalry"? Can I hear "I am the Cavalry"? Oh. I am the Cavalry. Thank you for caring and thank you for giving us that year of experimentation. So I think, should we do another year? Should we? [Applause]

>> All right. Thank you.

>> Thank you.

>> I don't know. So if anybody has questions for these fine gentlemen, we're going to escort them out to the foyer and you will be able to talk to them out there.