Distinguished security specialist Winn Schwartau delivers an engaging talk at DerbyCon, covering the issues of technology being exploited and weaponized.
Hi! How many guys are actually hacking here? We’re going to talk about some issues that really got me crazy in the last couple of years – thanks to RenderMan back there, it’s his fault. We’re defending against hacks; that’s why we’re still stuck and so screwed. And why are we screwed? Does anybody think that we’ve got all the security shit done really working well?
Back then, a number of years ago I wrote a book. It’s called Information Warfare and was published in 1991 or something. A couple of days after it came out the FBI and CIA are at my door, going: “Where did you learn all of this stuff? It’s all classified.” I never had a clearance, don’t want a clearance, and I didn’t really understand the question. How could this be classified if I thought of it?
I got into a lot of trouble with the feds. The Brits decided to ban the book and realized after six weeks that it was not a successful strategy. And Information Warfare was about attack mindset methodology, in front of Congress and all that stuff. Back in the day they would say: “Why would the bad guys ever want to use the Internet?” That was the police system when I got involved in all that crap way back. I don’t believe that mindset has changed very much. Have we done a really awesome job with security in the last 20 years? Show your hands. Any vendors? Show your hands!
Way back when we were talking about the issues that hackers were vilified and all the crap back in the day, and people didn’t listen. People did not understand and did not want to believe anything that we were saying. The concept of cyber terrorism back in 1988 was: “What the fuck? What are you talking about? Are you nuts?” And I, seriously, for many years was wondering that where we are today was never going to come to pass.
Unfortunately, I was right about too many things. It was almost like a science fiction-ish thing in many people’s minds. And in my mind I had a great deal of doubt as well, because I was so disgusted with the state of the security industry, and vendors doing their bullshit. If there are any vendors in the room, I’m sorry, I’m a vendor too – and hopefully I don’t whine much. But some of the vendors out there are like: “Damn, come on, let’s get real!”
Some of these predictions (see right-hand image) have come true over the years. Some of the stuff I talked about: malware – I said it could be a form of war. “No, it’s not, Schwartau, you’re crazy.” Alright. Chipping – back in those days I made a hypothesis that we’re going to end up with third-party source silicon with built-in malware. “Schwartau, you’re out of your mind, Intel would never do that to us; you’re missing the point here.” And now finally there is some national awareness on the DOD level that chipping, or embedded hostile silicon, whatever term you want to use, is actually real.
We’re going to talk about HERF and EMP a little bit. Back in 1994-1995 I did for WarCon in DC; we set off a 1 terawatt EMP weapon, right next to the National airport. It was really cool. This was all off-the-shelf terrorist-level technology that I was interested in some 20 years ago, and how this technology was going to be adapted in the coming years.
Some of the global things back in those early days – in 1996 I was trying to say: “This stuff is a national security asset; information and economy and all these things,” and everybody said: “Bullshit, it’s not real, it’s not going to ever happen.” And we chose ignorance and arrogance and apathy road, routes, especially to Washington. And I guess some of you still go through bosses who don’t believe this stuff. There’s a few of you who have it like: “We’re not going to bother with this.” That is, obviously, from a paranoid hacker security mindset; absolutely not true.
We’re trying to move that forward somewhat, and even in the military it’s really the same. What about all the stuff that’s pre-kinetic? And I’ve always been interested in the pre-kinetic effects of things, because everything that’s going on beforehand has always been of big interest to me.
The argument has been “Using the will”, it’s been about capability; growing up is really what I was talking about. What are capabilities? At that point, in the early 90s, it was kind of us, pretty much alone, the US, but there were a lot of capabilities being developed. And it became a psychological mindset: “Are we willing, or the bad guys will be asymmetric?” And my argument was, and still is: “Yeah, they’re going to go asymmetric, because they don’t give a shit. They don’t care. Their beliefs, their culture, whatever their religion is, and all kinds of things that we see, are vastly different than us.” We cannot go by typical type of symmetric warfare mindset. It is going to be asymmetric and we’ve certainly seen this going on more and more over the years, and what just happened with that mall in Kenya – it’s like “Damn, it’s really getting insane out there!”