I met my first interaction with Chris was over Twitter and we were arguing with each other.
But we squashed it immediately online and we've been cool there since.
Talk a little bit. I know you might know him in Planet liability and Tiger Team.
He's a cool dude and I was actually surprised that he's quite smart guy.
So here he is. Chris Dreyfus. Thank you.
Is that a mic? Here, talk.
I was supposed to come and chill out. It's all good.
So thank you for bringing me. I really appreciate it. You, smart face, sitting on your laptop.
Yeah, that's right. Thank you for letting me sit there and talk to myself for however long it's going to take.
My bad, bro. I took fucking hands. I want to drink the alcohol. Thank you, Umar and Achi.
Alright, so talking to myself, Spanser picked me up this morning because I was back to sleep.
That's not a picture of me, by the way. That's what they all say.
But I figured since I was four, I would come down here. And since I was down here, I tried really really hard,
and I had to give them a presentation. So anyway, that's me and that's really me and what I look like in the off season.
My credentials are pretty much that. That's what most people think of me.
That's really fine as well. I kind of don't care about it because if you don't like it, you can throw it. Fuck you.
Really, I don't give a fuck about what people think about me. But anyway, so we're on the same page about my history.
So where do we start? What am I going to talk about? So I want to kind of start to talk about where we are today.
And sort of where we came from in general. And really to do any of that, we kind of got to look at computers.
Because that's kind of what all of us are in in a way, shape, or form. Yeah, maybe.
So anybody know what that is? Pascal engines. Way earlier. I think it was a bitch machine in comparison to Pascal engines,
which is in like the 1600s. So this is the beginning of computing for us.
This is where we started to have automated adding machines and we started to move up through time.
And as we moved up through time, we got difference engines, right, in the 1800s. We had different engines.
Two things, like the Enigma in the 20s. We started having the first prototype computers, the ABC, right,
which then turned into, you know what that is? Enoch. Yeah, right. That's like the godfather gangster of all computers.
This is like the origin. Exactly, right. This is Vader. This is before Vader, right.
And then we started to get into all these awesome companies that were these little shops that really gave a shit about you.
And then you started to have the beginning of AT&T making transistors, which started to jet-compute into a whole other era, right.
So we had the Intel. You know what that is? Model it is. 4004. That's the beginning of the first Intel processors, right.
And then we started to be fucked. We really, really started to be fucked.
We started to have all these awesome ads of how sweet computers were and we started showing people how you could put screens on it
and start interacting with it and it was really sexy to have things like modems.
There's a sweet old school modem. And it was, you know, super hardcore, 1200 BPS.
And then you had cheap hard disk space starting to arise.
And that meant we could have more porn and all this other stuff. So now people really want to use computers because it's like totally useful, right.
And you can have all these awesome things and you can start doing stuff like interacting with people on them.
That's fucking awesome, right. You can really interact with people. You get this thing called email and then electronic mail comes out
and now you're like sending people messages and getting messages and then this little company comes around and makes it easy for you
because instead of all the crazy typing shit, you can now like run your hand over it and click it and they start making these great marketing ads
which turns the entire industry fucking gay.
And since the industry is now completely gay, we're wondering what we're doing, but we're really getting stronger in general, right.
And at that point we become totally dependent on this new technology that we're building.
Like we really, we have to jack into the wall all times, right.
So we make the interwebs and it starts off as a couple little points and then it really looks like this.
That's kind of the origin of where your internet came from.
And then as it goes from there, you start to get to general bulletin boards and stuff like that. You start getting into the smart webs, right.
Like Prodigy and Shale, like all the things where we used to go try and cyber with people before it became a bad term.
Which I still think is awesome. Like I think cyber warfare, I think it's just a whole bunch of people gang banging in a chat room.
So anyway, we get the internet speaking of and we get these really awesome webpages, right.
These really sweet, awesome, high value graphical content, kick ass looking things and the internet takes off, right.
So now we get the Web 2.0 action and now we're able to see videos and all this other really, really cool shit.
And we start using all these things like social media landscapes.
And we start being able to tell people about everything we do from taking a shit from waking up to finding new research to whatever else.
And we start telling people exactly who we are, where we are, how we are, as we are.
And we puke all of our information across the entire fucking internet everywhere just so we allow Google, right.
The fucking US Department of Omnipotent Information Awareness that's really honestly like this crazy mind share of everyone.
We're like fucking psychedelic Jesus janitor that all of us dump our shit on the floor to so that they can show it back to us for a price.
What about the other side? Right.
What about this, we made this cool tech, but what happened to us?
Because there's a really distinct difference in how we grew, right.
We had things happen. We had this thing, this hacker get created, right.
This is the evolution of our human species evolving with the technology that we're becoming so addicted to.
This is the definition of a hacker. If you don't agree with it, fuck you, you're wrong.
Sorry. It doesn't mean writing O-Day and being neat and cool and jerking off on stage because of how neat your stuff is.
That's lame. It really, really is bad.
Okay. I know. I'll fight people for it. I don't care.
This is a hacker. Thank you. Right.
All of you men are bitches. You weren't first. She was. Do you know why?
Come on. No history people in here. She was the first programmer. Yes.
Before the early 1800s when Difference Engines came out, she was the first one to do any programming in Difference Engines,
which is the origin of any of the computing that we're doing today.
Sorry guys. Totally missed it. By like a couple hundred years, we missed it.
So then we started to evolve a little bit more once the men caught up a hundred years later for MEDA.
And we started dropping bombs on stuff. We started using logic.
We started taking that logic and applying it to some of the things that were defeating us as humans.
So bomb was the first kind of brute force attack that they used against Enigma.
That's how Enigma really got cracked, was through the bomb exercise.
Then from there we started to get into like the 60s where we were taking a bunch of psychedelics,
blowing our own mind out as far as computing was concerned.
And then we fell upon ODE. Right? Now I don't know how many of you were like around for where's trading.
Okay. Does it hurt you every time you hear ODE?
Because that means a new video game that hasn't been released anywhere else.
Yeah, that's right. It doesn't mean anything with vulnerabilities or exploits at all.
That term was already taken. You reapplied it to something and that's done.
Figure out your own new word. ODE is video game shit.
It has nothing to do with hacking. But whatever.
The real ODE that started to happen with hacking was when trained students started to figure out algorithms
and started to making all of these different really, really neat things happen on the train track
in a model train group at MIT. It's the first really time the word hacker was applied
to someone who was manipulating electronic systems for use beyond what conventional use at that time was.
Okay. Yes, we're all adamant train people, right?
That's why we're all called hackers and we wear cool hacker t-shirts because we're in the trains.
So history, right? We used to have this awesome idea, and I don't know where the fuck it went,
that collaboration was cool. Right?
It used to be really cool to collaborate on things. It would be really, really cool if you were a train hacker
to show somebody else how to do it and they would take your technique and roll it into something else.
That technique would get rolled into something else and it would be virally spread across all of the different users
who were using these systems and the systems would evolve.
And then version 2.0 came out because of all the different hacks that were happening at the time.
And then you started to get hacker groups. Right? So now you think about in like the 70s
when Cap was for the first time published in Vogue magazine. Right?
That's how awesome and vanity we're based on is that the first real article on hackers was done in Vogue
in the 70s. Right? And then the shit completely hit the fan.
Because we started showing everybody how cool this stuff really was.
And we started having caps for it and we started having our own little hacker gang wars
because we were such bitches we couldn't work together anymore.
We started making all sorts of lead crews and tools and we started really digging in to what collaboration could be.
And we loved to share it. We absolutely loved to share it. We loved to share it so much
we made our own system to share it with. Yes, these are all the old BBSs I used to hang out on
and like Raze got busted for porn and it fucked up my life for a couple months.
But we really built these things around sharing. What's that?
What do you mean by access to porn for a couple months?
Well, it just taught me some new access-like-ass techniques.
So we built all these systems to share this stuff. We started to build magazines around sharing.
We started to have periodicals that constantly taught people new techniques
and tried to change the evolution of the humans that were using these devices that we're all addicted to.
We tried to push our own minds. We tried to push our own minds so much that we created handbooks
so that people who didn't know shit about it could learn. There was no bar to entry at all.
You've never even seen a computer before? The first thing you should do is read the hacker handbook.
Fuck getting a computer. Read this and then when you get it, you will throw down with this thing.
And then we wrote our own manifesto to tell the world that we were here as a new dawn,
as a new job, as a new type of mindset. This is getting lost, dude.
This is where we came from, this passionate, amazing world of sharing information and being selfless
and being able to truly experience someone else and their knowledge
and not have to laugh at them because they didn't know fucking Emacs versus VI
because they didn't write O-Days in this thing versus this thing when it's so stupid that people even call it O-Day
because does anyone know of real O-Day that's happened recently?
Come on, somebody play with me on this. Say yes. Yeah, tell me one.
No, I mean for real, tell me O-Day. Excuse me. Tell me O-Day that's a actual new way of hacking something.
Not what they call O-Day which is finding the same tired old bullshit that we found for 15 years on a new product.
I want O-Day. I want a new way to trigger. I want a new exploit, a really new exploit,
one that's never been found and never been triggered that way before.
Hasn't happened in a real long time, yet we're real proud of ourselves
because even at that time, we were still teaching camps.
We were taking kids that could do anything in the world and put them in a camp and going,
hey, here's how to share information with people, here's how to find it up.
We even had funerals for our dying technology.
That's how emotionally involved in this we were.
Right? That's where death comes from. It was the death of VBSs.
So what happened? Like where did all this go?
This was this amazing passionate world that we lived in and it fucking flew away.
It got completely lost. Right?
We watched this entire gloomy dark crazy society build around money. Right?
Because when we were doing this in the 60s and 50s and 70s and even the 80s,
for the most part, there wasn't a whole lot of money in it.
But now that money got involved and people realized that they could get hot chicks and get laid
and they could get a bunch of fucking cool cars, it made everybody switch sides.
And now a line had to be drawn. Good guy or bad guy?
And this is where it's at now.
And I don't like that.
Because we've taken this beautiful world and we've sucked all the goodness out of it
for our own self edification.
So what? Right? How do you fix this? What do you do?
Right? Because that's pretty bleak. Yeah, I know, right? Reality fucking blows.
Well, I started looking at this stuff and I was trying to figure out,
like the whole reason I wanted to do the talk and I did it at HashDays
was that people were like giving like the oh hey, here's the next cool solution.
Here's the next dope widget that you can buy that will make a billion dollars off of
that will save the world for the next 10 minutes until somebody figures out a bypass
or a way around it.
And I was like wow, it's kind of lame that like we're screwing the world that way.
Like we're forcing people to put in new stuff that screws them harder.
So the only thing I could start to look at was like how do we get screwed?
Right? And I had to start figuring out, and our records of this really suck,
but looking at how many machines there really were, and how many boxes there really were,
and how many people were out there actually using computing.
Now this is just computers, this isn't taking phones and all this other crazy bullshit
that we are connected to all the while.
And then start looking based on that, how many users are sitting in there,
how many users are going and how much the growth is happening.
So now we get an idea of how many assets there are and how much it's growing.
Right? And there's a ton of money involved in that.
I mean a ton of money involved in that.
Because we started to look at loss, and I'm looking at loss and trying to figure out
how does loss get created when you have this huge growth of users
and this huge, huge growth of assets.
Where does all this loss come from?
And then you know you can go through the millions of different,
whatever cool, semantic horizon, whatever lie of the day
that you want to use to associate why we're losing money.
But the fact is, is that in the 70s, right,
you think the Morse worm caused roughly about $10,000 worth of damage.
Right? Yet it infected like 60% of what was the internet at that time.
Imagine 60% of right now and how much that would cost us
if we were to do rates with all the people using it,
with everything in business we rely on.
Right? That's a lot of money.
Let's say even if it was five times that and $50,000,
and we applied that to today, we applied that to all of the users today
and the value of all the assets today.
Right? That was five incidents.
Now we're looking at trillions of dollars a year.
Right now. And our studies all agree with that.
Our studies all say we're losing trillions of dollars a year.
So I think that's funny. Right?
Because there has to be some correlation.
There has to be some correlation with the growth.
There has to be some correlation with the assets.
And there has to be some correlation with the loss.
So it kind of became easy, right, like kicking a puppy
or punching a baby.
And I sort of had this like epiphany moment, right,
that we keep buying these bigger guns and it's not working.
Right? Like we keep trying to do all this new shit and it doesn't work.
And we get more fucked and we lose more money.
So what can we change? Right?
We can change the users.
There's where everybody goes, no, you can't change users, blah, blah, blah.
Right? Guess what?
If you say, no, you can't change users, you're the asshole, not the user.
It's you. It's your fault.
Because we need to teach people deception this way and not this way.
Right?
Yeah.
That guy's shit.
Fucking rancid.
We need to teach people about war this way, not like this.
This is how we teach people war right now in the networks.
Build a whole bunch of really cool shit when you're outside,
fortify, do these layers thing.
Like layers don't fucking matter than that.
Right? That's throw down and own you.
This is build a bunch of layers for an exercise and spend a shitload of money to be fucked.
We need to educate people, not judge them. Right?
Because all of us and myself, I mean, like I know I've done it. Right?
This person's an idiot. They don't understand.
Right? How many times do you sit and you show somebody's shell on something
and they can't connect with what that risk really is?
It's your fault. You're showing them the wrong picture.
That's like me giving you a book in Italian and you don't read Italian
and I'm like, you fucking idiot.
You didn't get what that book said? What are you retarded?
No, I'm the idiot. I didn't assess that you're no fucking Italian. It's my fault.
And we need to own up to the fact that this shit is our fault.
We need to drop the knowledge on people.
We need to educate and train them and help them through it.
Because the only thing that you'll start to see if you start to look at these numbers
is that 30 years ago, the percentage of hackers to the percentage of users
was really trackable.
Most of the users were hackers, by that definition I put up there.
Most, think about that, if most of the users on the internet today were hackers.
Do you think we'd be safer?
Really, like I want to know, do you think we'd be safer?
Fuck yeah we would be.
Then what are we doing?
What are we, what, we just sit in fucking conferences and suck each other's dick all day
and we're like, woo, this is awesome, you're awesome, yeah no, me too.
Fuck. Right?
Like we really need to teach people.
Like go out, throw a conference.
Invite people from all over the place.
Get a shit face in a bar and talk security with somebody who does not give a shit about it.
And if you can make it interesting to them, you're fixing the world way better
than any person who's putting in a firewall or you're selling people bullshit
or you're hacking the outside of their network and showing them reports.
If you take one person in a bar who can give a fuck less about security
and teach them something that interests them, that makes them do something better in their life,
you have made a difference.
So all I gotta say is it's our fault and we just have to believe that it can get better.
Because right now I think a lot of us don't believe it can get better.
A lot of us want to hide behind the users are dumb and we're fucked
and social engineering gets you every day.
What can teach them over here to not do it?
Like teach them, do you just accept the fact that your mom's gonna get punched in the face and robbed?
Hell no. You will kill that son of a bitch.
You'll track them down. You got fuck in the internet.
And you're an actor. You will kick that ass and rob them and laugh at them.
Right? Like teach them. Have that same veracity to a total stranger.
And watch the world get better.
And just because I have to, be a superhero.
Oh no!
I'm done.
That's it.
Applause
Where's the mic at man?
You put it on the camera.
Alright.
Dude's uh, sometimes I think he's crazy but I think he's hitting the nail right on the head.
Because I think we, and we talk about it all the time, the crew over there, the un-IK space,
we actually have these debates all the time about educating people, training people,
and that's why I like these hacker spaces and stuff.
We need to, we definitely need to step up our game.
Quick point in the finger.
It's easy to be prideful and think that you know it all.
Because I do it all the time.
Applause
I just, a couple weeks ago I blew up on a down-dung on Twitter.
And I just apologize. Sometimes you just have to be humble.
Humility is the name of the game.
Because anybody could get owned at any time.
And so if you think you're big and bad and un-hackable and the world's done with one hacker and all that stuff.
Laughter
You're probably going to get owned at some time and you got to just take a dose of humble pie.
Alright, so we do have three talks remaining today.
And what I want to do for you is that I've talked to the speakers.
We want to get this done. We want to get three talks done.
After that we're going to go out to eat.
It's a really good time to network with people.
Some people you probably won't see this collection of people until you go to another con.
And also it won't be as intimate.
This is a very intimate setting to network with people that know stuff.
So I'm going to ask you to stay as long as possible.
We want to do these talks. We want to clean up the space.
And we're going to go out to eat.
So who's going to go out to eat with us?
Sure.
So we're going to have a nice crew of people.
We're going to network, talk.
And we're trying to build relationships here.
Because we can all learn from each other.
Huh?
Yes, please get.
Tiffany, Tiffany, do we have a space where we're going?
No, no, you have a lot of room.
We're finding a place to go.
Red Hot and Blue, question mark.
Red Hot and Blue, you had it.
We ate there last night and we enjoyed it.
That could be a possibility.
But after the next talk I'll announce to you where we're going to go.
All right?
We're talking about building communities here.
All right, next talk coming up in five minutes.
One second.