Peiter C. Zatko, aka Mudge, a well-known former member of the L0pht and ex-researcher at DARPA, tells a few stories from his past experience at Defcon.
Just so we’re clear, I’m only speaking as myself today. I am not a representative of the U.S. Government; I am not a representative of my current employer. I’m pretty sure neither one of them would be really with me up here talking. But I feel it’s part of my duty as part of this community to kind of give you some stories that are personal stories from this community as what I took into the Government, what I learned while I was in the Government, what I saw that was a little bizarre while I was in the Government, and what I’m taking back out of it.
There are four stories I’m going to tell you that all have some kind of unexpected outcomes and unexpected twists. You’ve probably heard about some of these stories in the media, but these are kind of different back origins to them that you haven’t heard before. I’ll do my best to be as accurate as possible, but I’m going from memory on some of these, and some of these go back several years. Memory isn’t perfect, so I apologize in advance.
I’m not trying to piss off or be pro or con any particular community, but I want understanding, which is why I’m trying to tell these kind of nonobvious stories. Somebody had tweeted me something encouraging me to do this talk, saying anything we can do to help people understand each other is good, because of course prejudice is bred from ignorance and exclusion. So you can kind of consider this my transparency/trip report from three years inside the DoD.
Not long after I started working at DARPA, I got funding approval for the first of one of many programs that I would actually run. I know most folks are only familiar with a few of them. The first program was something called CINDER, and it was focused on super evolved advanced persistent threat. The program had nothing to do with whistleblowers; it had nothing to do with humans. It was targeting autonomous software. And there was an author, Forbes Magazine, Andy Greenberg, who found out that Julian Assange and I knew each other and have kind of known each other for, I don’t know, 20 plus years. And he wrote an article that, the way I read the article, attempted to pit me and Julian against each other, claiming that CINDER was a response to WikiLeaks. You know, a sexy story of hacker friends who find themselves at odds, one trying to spill the Government secrets, one trying to protect the Government secrets. Yeah, it’s a sexy story, the problem is it’s entirely untrue because CINDER had nothing to do with that.
1. How the DoD unintentionally created WikiLeaks
So since he and other folks wanted to kind of make a story about me and Julian where there was no story before, I figured I’d tell you an actual story about me and Julian. And this first story is called “how the DoD unintentionally created WikiLeaks”. So it was 2009. I had yet to go into DARPA. I was over in Germany for the CCC Congress, which by the way is awesome. And by the way, Berlin is freezing in December. So it’s a couple blocks from the hotel over to the Congress, and I braved it across. It takes about 10-15 minutes before your lips come back and you can actually start to form words again.
There was this talk that I wanted to see at the Congress. And I watched it. It was great. There was a gap between the next talk that I wanted to see, and the whole decision was: “Do I go back to the hotel and go out in the frigid Berlin winter, or do I find something else to kind of pass the time?” It’s CCC; it’s easy to find things to pass the time there. And there was a talk that was going on about WikiLeaks. Remember, 2009. No State Department cables, no nothing like that at this point. WikiLeaks had been around, but it wasn’t really in the popular vernacular, it wasn’t a household name.
So I look and I go: “Oh, what it’s taking to run WikiLeaks, how do we do it behind-the-scenes operationally?” And I’m, like: “That’s cool!” And it talks in English and it’s inside. So yay! And I’m looking at it, and I’m like: Julian Assange, Julian Assange… The name was ringing a bell but it didn’t mean anything again, because of course, you know, hadn’t hit it. Now I saw him up on stage, and, you know, he’s a kind of physical – the kind of shocking blonde white hair, sharply dressed, and I’m recognizing the voice. And it took almost the entire talk before it dawned on me that I knew him by a different name. I knew him as Prof. Some of you remember Prof, some of you remember Strobe that he wrote ages ago. You know, he was over at suburbia.net, I think, or profitsuburbia.net.
I was like: “Holy crap!” This is the same guy who I’ve known for years. I hadn’t seen him in, like, a decade or I hadn’t interacted with him online. At one point I think he was even managing Sun’s security updates and patches for all of the distributions for SunOS at sunsite.unc.edu. So we should have nominated that for possible or potential epic ownage. That’s kind of cool if you think about that. After the talk I was all excited. I went up to him, waited till the crowds kind of died. He was outside having a cigarette. I thought this was going to be fun because I had cut my hair, I didn’t have the…if you’ve seen the shirts, most people remember me looking slightly different. And I’m like – oh, I’m going to play with this a little bit.
So I walk up to him. I know he doesn’t know my voice, and of course he’s not going to physically recognize me. So I do that whole hacker jerk sort of, you know, say something like: “What the hell! How did they know that?” Kind of to set up the state of detente. I go: “Hey, when was the last time somebody called you Prof?” He looks at me weird, and I’m like: “Well, if you think that’s weird, did they ever find out why the MD5 checksums on those Solaris update patches didn’t match the actual patches that people installed? It was SunSITE, right?” And he’s just looking at me like “Who the heck is this guy?” Possibly because he hadn’t heard the phrase “Prof” for a while and it could very well be that he had no clue what I was talking about with the latter one.
And I go: “Hey, it’s me, it’s Mudge, Mudge from the L0pht sort of thing,” and he kind of relaxed and we chuckled about it. And I said: “Hey, you know, you were really, really passionate up on stage about WikiLeaks. What was the real impetus? What was the turning point that made you do that? Because the last I had seen you, you were leaving the hack scene, going off to academia to do your advanced degree.” He was working on cryptographically based file system, a rubber-hose file system for duress-based decrypting.
And I said: “Where did you go? You know, the old gang and everything, I haven’t seen you.” So we chatted and he said: “Let’s go out and have dinner.” We spent the next several hours over food in Berlin. And I wanted to know just how passionate he was and how far he was willing to go on it. So I asked him a hypothetical question, I said: “Let’s suppose back in the day my thing was I collected packet captures of everything. Let’s assume some of those packet captures have you going into other systems, you know, beyond a shadow of a doubt. If I submitted those packet captures, kind of incriminating you to WikiLeaks, would you release them?”
And he looked at me, it only took a couple of seconds, and he said: “Hey, we get some very similar sorts of questions, because people ask us on a parallel: if someone were to send us a list of the contributors to WikiLeaks, would we publish it? And the answer is that we don’t want to know who our contributors are, because we want to keep the protection,” – “we” being WikiLeaks, I’m speaking as him from memory here. He went: “We try to get in touch with the folks that contributed, but we won’t know who they are. So, ultimately, in case that list is real, we would have to publish it.” I was like: “Oh, that’s cool.” And then we moved on to the next topic. Now, if any of you have actually interacted with him or know somebody who has, they’ll tell you that he is a very smart person, and that’s absolutely right. It took me probably an hour to realize that he never answered my question.
But he told me a really interesting story. He told me – and this is what stuck with me in 2009 from that dinner – what the turning point was. Maybe this was a story just for me, maybe it was kind of the appropriate thing. But I took this to be ground truth, and it stuck with me, which is why I’m telling you. And I used to tell people inside the Government the same question when later WikiLeaks kind of popped up. He said: “I had gone off, I was over at university doing my graduate work,” – some essentially fundamental research, which means something to the Government folks. He said it was funded by the U.S. Government, it was a grant from, like, NSA type DARPA sort of funding. I don’t know if those were the actual agencies.
And he said it was during that time period where there was a big pullback from the DoD. And the message that universities received was: “We’re not funding you to do basic research anymore. It’s all classified now.” His work got rolled up in that. Now, whether that was actually why it was being pulled back or if that was just the perceived message, I don’t know. So if you think about it, here’s a non-U.S. citizen who’s made a life decision to go to graduate work, kind of leave the community that we knew him in. And all of a sudden his funding gets pulled and he’s told that he’s not allowed to know what it was that he was doing, not allowed to know what it was that he discovered and know the actual reason as to why the funding ceased. That’s kind of what it’s like when you’re a graduate student and somebody pulls your funding sort of thing.
This just really, really rubbed him the wrong way. He said this is the wrong reason for classification, if that’s why he lost his funding. This was designed to keep people ignorant and withhold information to keep folks disadvantaged. He said it was at that point that he decided that he was going to devote his life to exposing people who try to keep secrets. And hence WikiLeaks was born.
So, when folks in the DoD would ask me: “Hey, do you know this WikiLeaks thing and what are your thoughts on how we could address it?” – they were a little surprised with my answer going: “Well, by some accounts, the Government actually created it in the first place.” It was at that point during the night in the restaurant, Julian says: “Well, that’s what I’ve been doing for the past ten years. What are you up to?” And I said: “Oh, I’m about to go work at DARPA…” So, that’s my first story.
2. Department of Defense vs. Anonymous
The second story is about Anonymous and the Department of Defense. I remember Anonymous from way back. I mean, Anonymous, I use it as, like, a proper noun, but obviously we’re all familiar and it’s much more. It’s kind of a movement, a thought. It’s more ephemeral than that. And when I remember them they were going after Scientology and RIA, and there was all the 4chan and soap opera stuff going on. And at some point, their scope, or the target, expanded to include the Government. And general wisdom was that the triggering event was the DoD’s response to WikiLeaks and Manning, etc.
But the way I saw it, there was actually something else that was a bit more subtle that folks hadn’t realized. So, in 2011 the DoD released the Strategy for Operating in Cyberspace. There was some very minor backlash to some of the wording initially, I think there was an initial small leaked version of it that went out and it was followed by a later one. But there was some more specific backlash and chatter in the hacker researcher community. The strategy stated that the DoD was going to treat cyberspace as a domain to conduct operations in. And it appeared kind of modeled off of outer space – you know, these are DoD-ish words, a domain.
And there were some confused conversations going: “Oh, why isn’t anybody upset if you treat cyberspace as a domain?” You know, there wasn’t that much upset with treating “space”, and nobody lives in cyberspace, which you could kind of only hear inside the Government, a statement like that. Because if you think about it, we all live in cyberspace. And the hacker researcher community made cyberspace – I’m really not a fan of that word – made the Internet and online our homes well before the Government and everybody else kind of made it just where they always lived and did everything in. So, if you send a message that that’s somebody’s backyard and that you’re going to militarize and prep for war in somebody’s backyard, that can sound really scary, and it can galvanize folks to respond.
One of the problems was there was not an understanding as to who the message was actually intended for. So, in addition to treating it as a domain they said something else, which was – and I’m paraphrasing – in response to hacks, we will consider responding with kinetic force. So, if you don’t actually specifically call out who the recipient of the message is, everybody reading it thinks it’s directed to them. I read it. I thought it was directed to me. And I’m going, like: “What the heck?! You know, I joke with my buddy and I replace his HTML, the main web page, and that’s considered a hack and all of a sudden I’ve got a Patriot missile launched at me? This makes no sense. What level of hack? Because if we look at, like, CFAA response, maybe they actually think a Patriot missile is the right thing for defacing a website. I don’t know.”
And none of these are the right questions, because I’m not the intended audience, but of course I’m reading it as if I was. And of course the logical next question is: “Wait, do they understand how attribution works?” What if I do it bouncing through an ally? What if I do it from within the U.S.? Are they going to kinetically respond against themselves? And you kind of go: ok, wait, back up. If the message were directed to, let’s say, other countries, somebody in specific that’s got a significant power that they say: “Look, we’re talking about critical infrastructure or something of that nature, if you turn off the lights in New York, we will probably be able to figure out who you are because you’re not a small little hacker defacing websites and maybe there’s attribution in place we can respond to,” – that would have been an entirely different sort of message, and I wouldn’t have read it as the whole “Wow, if I get root on something in my own system, is the Government going to shoot me?” Which is just silly.
But I wasn’t the only person who read it that way, and it’s nice having been in this field and in the hacker researcher community for going on almost 25 years, actually, over 25 years. And some folks were sending me: “Hey, have you seen what’s going on in the chat rooms?” There were some folks who were claiming affiliation or claiming support of Anonymous, and they were going: “Hey, have you read this? Look who is trying to prep for war in our backyards. Do they even understand how attribution works? This is bullshit! If they think they can find me – it’s on, let’s go.” And the next thing you know there were a couple of websites defaced, and they ended in, like, .gov.
Now, this is where it gets kind of funky. Defacing a website is kind of a message, it’s a little warning shot. But that’s in a language that Govies don’t know. The Govies didn’t get the message as far as what I saw. So here’s the initial Strategy for Operating in Cyberspace that goes out, probably directed to somebody else, but my poor messaging is misinterpreted by a group. The group responds, fires a warning shot. The warning shot isn’t understood. And it’s like: “Hey, what are these vagabonds doing? Look at the little street punks, or whatever. They’re not somebody who actually has a message that we should actually engage in.” And it’s just this little cascading effect.
So, that’s kind of unfortunately where I saw the expanding of scope and a lot of misunderstandings. I’m not saying the two groups should be friends. And I’m not saying one group is good and one group is bad. But when you send a message out into the world – and this is for both groups – you really need to make sure it’s understandable by all the parties that are going to receive it. You can’t assume it’s just going to be read by the person you had in mind. With all love and respect, there is one very obvious commonality between the hacker researcher group and the Government, and it’s that they can be very arrogant and expect everybody will speak their own language and that they don’t have to speak anybody else’s. And I think that’s a really common mistake.
So the recommendation for the Government from my vantage point of both sides is to figure out how your messages are going to be received by the more general populace of cyberspace, because we all live there now. This is actually a great opportunity for diplomacy, and you can kind of think of it like the lost city of Atlantis, because cyberspace kind of took the world by surprise. Obviously, it hasn’t been around that long.
So, what if Atlantis just popped back up, and there was an advanced, very technically capable group of people there? You wouldn’t sit there and ignore them, you wouldn’t taunt them, you wouldn’t attack them. You would probably actually try and understand them and figure out how messaging to somebody else might be interpreted by them. And you might even try and figure out where these guys are and see things eye to eye and see where you have differences.
So my recommendations to the citizens of cyberspace is keep in mind that the Government and in particular the DoD has very specific focuses and goals. And they often see things from their own point of view, because they’re really focused on doing that job. And when you read things that appear to be a message directed to you or your community, coming from an unlikely source, you should question whether or not the message is actually intended for you or if it’s intended for somebody else and really poorly worded. And if you still think a response is necessary, you really need to think about the message that you’re sending to make sure that you don’t make the same mistake in return.
3. Game theory is a bitch
My third story is … well, let me give you a little background. I’ve got a lot of people approach me outside of work and go: “Hey, you know what’s going on. We’re all owned.” And these were large companies that are oftentimes funded by taxpayer money. I’ll just say they are large Government contracting organizations. And it’s like: “Hey, why don’t you start a program that actually pays us to go clean up the compromises, or at least figure out what happened and how bad the damage was?” – “My, ain’t that your job?” And it made me think there’s not a financial incentive for these companies to actually go fix the problems. So the next question was whether the inverse is true. Can Government contractors actually make more money by remaining compromised and continuing to lose intellectual property? So this talk is called “Game theory is a bitch”.
I was having dinner – a lot of these stories are because I’m outside having dinner somewhere, I don’t cook. So I was having dinner with an old friend, and his company goes in and cleans up APT after big well-known names get compromised, whether they’re Government contractors or commercial organizations. And he posed a really interesting hypothetical. We were just shooting the crap back and forth, and he said: “Hey, what do you think about the following chain of events? First, RSA gets compromised. Networks defended by their tools are vulnerable and, as a result, a defense contractor gets compromised. Said defense contractor, if you look up on Wikipedia, is the one who made this really cool stealth drone. Later a really cool stealth drone goes missing over a Middle Eastern state. What do you think about that chain of events?” And I’m like: “That’s terrifying!” He’s like: “Yeah.” And I’m like: “No, no, for an entirely different reason.”
Look at it this way: I have no clue, that’s a hypothetical and there are a whole bunch of rumors about what had happened. But let’s assume that as a country or a large organization, your advantage is technology. You can field the fastest and the best technology so you’re ahead of everybody. That’s your advantage – newest, most advanced toys. Someone else steals some of your tech. What do you have to do? You’ve got to replace it with newer tech, right? You’ve got to keep your advantage.
So, suppose a Government contractor gets some of the super tech stolen, what does the Government customer actually need to do? Well, the Government in that case – and this is all a game theory hypothetical – need to pay someone to make the next version so that the people who just stole it don’t achieve parity, so that they’re not even. They could go to some other Government contractor, because of course, you know, the one in question just lost everything. But they actually most likely won’t, and here’s probably why.
The initial contract for very expensive research efforts can take a long time to put in place. You’re talking over a year, sometimes you measure it in years rather than months. Part of the coolness of CFT is that we’re measuring that in days. Imagine if you’re under something – sequestration is what we’re under now – it can take even longer. So, if a Government agency wanted to start a new program to replace tech, that’s essentially starting the same program to do the same thing that you are already paying somebody to do, a) it’s tough to get permission to do that, because you’ve got to go justify taxpayer money and hear: “Well, we just gave you the money to do that” in response. And b) when you spin it back up you’re going to have to redo a lot of work; you’re going to have to redo the contracting that you already had in place; you’re going to have to spin people up to speed on the management side; you’re going to have to re-spin up the tech side; and you’ve spent years putting that in place.
So, why wouldn’t you just go back to the people that you already have a relationship with, already have a contract with? They already know what they lost, or maybe you know what they lost and stuff, and you can tell them because they’re your customer. So you just pay them to give you the next thing. Remember, they’re not financially incentivized to go fix how they were actually compromised in the first place or clean it up. Because staying with the really familiar solution or situation is comfortable, which makes this a trap that a Government funding source can actually be particularly susceptible to.
You can view this on a case-by-case basis, and kind of staying with the same contractor, it can even make sense. But if you step back and listen to what’s been talked about in the media, you may see something that’s a larger picture that seems like an endless list of technologies and IP (intellectual property) being stolen. And each time it happens, that company is in a situation where there’re really no penalties or reprimands for it. On the contrary, they’re actually rewarded with more funding, because their customer needs to make the next tech to replace the stuff that just got stolen, to replace the stuff that just got stolen, to replace the stuff that just got stolen.
So yeah, game theory is a bitch, because if you look at it from this angle – and part of the neat thing about game theory is you can fall into game theoretics without realizing that you’re doing it – Government contractors can actually be in a situation, or are actually in a situation, where they’re financially incentivized in some places not to listen to their network sys admins and not to really deal with the problem, perhaps with the drastic changes that need to be made.
4. Government communities and the hacker researcher communities
Now the fourth story, and maybe I’ll do the fifth story about Barnaby Jack and Abu Dhabi – yeah, I think I’ll do that. Sorry, I mention Barnaby Jack and I just start getting a little teary.
Fourth story is more of a kind of plea to both the Government communities and the hacker researcher communities, from the vantage point of both. I don’t have a lot of examples of our community, the hacker researcher community, really reaching out in a proactive and positive way to educate and enlighten the Government. We do it, but we do it really ad hoc. And I think we need to try a little harder to do specific examples.
I’ve been a little upset about some of the things on the news lately, and actually one of your options – it is a scary option – is to actually go inside and try and fix them there. People will fight you tooth and nail. It is not for the faint of heart. But that’s actually what I did when I went over to DARPA. I didn’t go there because I thought it was cool; I didn’t go there because I wanted to be a part of the Government. I actually went there because I thought that they and other parts of the Government had kind of lost their way. And I had an opportunity to go in and fix it.
I did get a really nice unofficial email from somebody recently, and it was about CFT, which makes me think that we actually, because you guys were all a big part of that, did manage to pull some of that off. So I’m going to quote from this email I got to my personal account. The person said: “I recently had a meeting with all the agencies and the DoD services, and listening to them it was my turn to be terrified because of how out of touch with reality they were with cyber security and cyber defenses, and it made me realize how much I and the DoD owe you,” and that’s us “…for Cyber Fast Track.” And here is the part where I was happy, he said: “I thought CFT was showing the Government how they should be doing contracting. But now I actually understand what you were doing. It was showing the Government what the real state-of-the-art is and why they should be afraid of people on the inside who continue to just preach the status quo and throw money at the same problems the same way they had done before.”
So, that was actually pretty cool because they’re starting to realize that. And I’ve heard people at high levels, flag officers, a couple pockets, starting to refer to hacker researchers as researchers. It was hacker equals researcher, not hacker equals criminal. I thought that was really cool. It’s not saying that we should all go in and support the DoD, and I’m not telling you that you should like the DoD. I’ve got a lot of issues with the DoD, and I’ll continue – I’m sure they’ve got a lot of issues with me. This talk might even be one of them.
But what happens there is now that they know where some of the real ideas and some of the real talent come from, they’re undoubtedly going to try and reach out and tap into it in various ways, and this kind of goes back to an earlier story where they kind of projected their problems and their images and their goals on somebody else. There’s likely to be some uninformed and failed outreach efforts, so I’ve got a couple of recommendations to the Government that maybe will help with that.
I think it’s really cool when Government officials throw on blue jeans and a black T-shirt, because of course then they’re part of our community… But that’s not necessarily all there is to interacting with us. And it makes sense, before you present at a conference like this, that you should probably consider attending one and actually interacting and getting to know the people. There was one guy who was a three-star general who did that at ShmooCon, and I thought that was one of the coolest things because he wasn’t there for any agenda. And I remember conversations with him afterwards. He actually had an understanding. He was like: “Oh, this is awesome! No, there’s no way people should try and go in and mess with them or try and co-opt them.” I was like: “Yeah, exactly!” You know, that’s us, that’s the citizens, that’s the population of the U.S.
So the message to the other ones who haven’t really made that turn is go and actually interact. Now, the response I’d get was: “The schedules…too crazy. Can’t possibly do it.” I saw those schedules, and sometimes I was even on those schedules. But if it’s important enough… I know, I acknowledge, they are crazy schedules, these guys work like bears, which doesn’t mean that they sleep for half a year – bad analogy as soon as I said it. I was going to say like a swear word, and bears came out instead. Anyway, if it’s important enough for you to want to reach out to a community, you’ve got to go out and you’ve got to make the effort and you’ve got to put it in your schedule and you’ve got to go interact with them on a one-on-one level first. Because that’s showing your homework, and doing your homework shows respect.
The next suggestion to them – and this is what I tried to encourage inside – is you can’t go out and do a recruiting pitch, because it comes across really poorly. I used to get so bent out of shape when I would see a Govie stand up at a hacker conference, and I’m like: here it comes. “We do awesome stuff but we can’t tell you anything about it. Trust us. You with the mohawk, if you shaved your hair, if you put on a suit or maybe even a uniform, stopped smoking dope, you could come work for us and actually do something with your life.”
That’s how I interpreted it. Now, that might not be the message. It might just be a “look, we need help and we’re trying to reach out to you,” but it’s just a “take, take, take” sort of message: “What can you do for us today? What can you do for us now?” And to me it was offensive. What would it be like if you had a senior official from a very technical agency come out and actually give a technical talk? Because this is a meritocracy. That’s where this community came from. In a meritocracy your value in the community is based upon how much you contribute to that community. I know a lot of people are like: “Why the hell did Mudge go over and go to the DoD? He was one of us and now he’s one of them.” And I had spent 10-15 years contributing to this community, and I wasn’t about to stop. And when I was there I was able to actually fight for this community and try and make sure that the interactions were a little bit better and that we were treated and engaged with normally. Those 10-15 years of contribution gave me enough grace period to build trust up again on both sides. And you’ve got to do that, and you do that by interacting with people.
So the value of somebody in one of those agencies coming and giving a technical talk wouldn’t be that you learned something really cool about how SELinux was actually done and why it was done, or what the internal battles were to get it across. It wouldn’t be that somebody is going through the technical components of one of the numerous patents that are out there, let’s say, IP geolocation, you know, the ones that we’ve read about. It would actually be that they’re engaging us and interacting with us in our own language and treating us as peers and starting a dialogue.
So, I think I will give the Barnaby one after this. But I’m going to summarize this one here. Am I pleading that we should not challenge the Government? Absolutely not. I think challenging the Government is your patriotic duty as a citizen, and I think it is very important to do. It’s painful for both sides, but it’s something that has to happen and it’s why we’re such a great nation.
You can’t train a dog just by repeatedly beating it. I mean, it will learn some stuff, but it will probably learn stuff that you weren’t intending and it will bite you at some point. So, when you see the dog do something good, it’s nice to give it a treat, and there are certain little pockets inside the Government. And one of the things that I think we as a community can do better is, yes, we need to challenge the stuff that we’re seeing. We need to challenge the things that are in the news.
But if you see a small pocket of hope, like if you see a Congresswoman that’s helping put through Aaron’s Law, you know, changing things like CFAA. Somebody is going to change CFAA; we need to support them, we need to help them, we need to encourage them for actually going, because they’re going to get a lot of crap thrown at them. And they’re actually doing the right thing and there aren’t a lot of people supporting them. So we need to be more vocal as a community to actually support them.
There was a Colonel in the Army who managed to get the NSA to have to include “Little Brother” as a book that they read as part of their training. Have you read Cory Doctorow’s “Little Brother”? That’s awesome! That helps sensitivities. That guy caught a lot of crap for that, and it was really cool. I mean, there’s nothing wrong with that book. That book gives you a new way of looking at things. And the more ways you have of looking at it, the more understanding you have and the more positive the outcome. That guy – I mentioned he’s a Colonel, he’s over at West Point, his name is Greg Conti, I’ll call him out. He was one of the people who encouraged the cadets to actually go out and talk at our conferences and contribute. The “Build Your Own UAV at a 99.99% Discount” talk by Mike Weigand was an example of that.
It’s engaging, and that’s actually sharing in a creative dialogue at ShmooCon. He and his colleague walked through their training course that they ran at Fort Meade to try and socialize folks. It was “Lessons of the Kobayashi Maru”. I highly recommend you go watch this talk, because he had to teach them how to cheat. And it’s hilarious and it’s insightful and it’s humanizing. Most importantly, it’s humanizing. So, where we see those pockets of hope and of outreach and of engagement, I’d just really like to ask all of us to try and figure out a way for each time we’re challenging something else to try and encourage the good behavior.
5. A Tribute to Barnaby Jack
Okay, so let me try and give my Barnaby one without actually breaking down into tears here. Let’s see if I’ve pulled myself together. It’s a real quick one, but it’s my little tribute to him. There are two things that happened, interactions with Barnaby that I’ll always remember. I mean, I remember all of the interactions, but two really stand out. One was a talk. I was on the steering committee of NDSS, and they asked me if I could bring in some folks to run some demos that would kind of break the academics out of the academic mold. And, you know, what better people than Barnaby Jack, when he was working at eEye, and the rest of the eEye team to actually come in?
The problem is that the conference, like a lot of conferences, was very cheap; they wouldn’t pay them to come do the work or whatever. So I said: “Alright guys, the drinking bill the night before is on me; I’ll just foot the bill myself,” which is a very, very dangerous thing to do. Barnaby had a great time. I don’t think they went to sleep, they just kept drinking. They were on in the morning. And the audience at NDSS I don’t think actually really understood how cool the technology was that was being demonstrated. Because this was almost ten years ago, at this point, and Barnaby was remotely compromising a wireless router, replacing the firmware and then trojaning the Microsoft updates that were going through it over the wire before they were delivered to the end system.
They were demonstrating a bootroot: a computer that was told not to boot off the network, but the Ethernet adapter was on the PCI board, so it had direct memory access and it would still emit a BOOTP packet. And if you responded to it, the Ethernet board would actually shove it directly into memory and reboot from the network even if your BIOS didn’t have that capability. So of course they would say: “Here is your base operating system, it has a little hypervisor,” and of course the operating system would load up on top of this. This was a decade ago. This was awesome. And the reason why I don’t think any of the audience actually caught the technical part of those talks is because Barnaby nearly threw up on stage ten times in the middle of trying to give that talk, and everybody in the first row was terrified that they were at some perverse form of a Gallagher hacker show.
And then the other thing I remember about Barnaby was I had just gone in and I was working for DARPA, and my first public speaking engagement as a U.S. official was in Abu Dhabi. So, here I am, first time, the Government is a little nervous about me, I’m a little nervous about them. I’m flying under my Government official passport, not my blue tourist passport. So all the coordination between the countries that I imagine has to go on with those folks, and I’m in Abu Dhabi and that was actually to do the keynote for Black Hat, it was the first year they were over there. And it was the first time ever that I was showing parts of the Cyber Analytical Framework that I drove at DARPA.
And it was my way of trying to get a small group of peers that I could interact with and get feedback and just talk honestly: does this make sense or, you know, am I full of crap? Barnaby was there and ‘the Grugq’ was there. Those are two people that, put together, will deplete the world’s alcohol supplies. And he was doing his “Jackpotting ATM Machines”. Now, the UAE has a lot of money they’ve come into since the ‘70s. And in the palace there is an ATM machine that dispenses gold bars. Very expensive gold bars. Not like you’ve got some 200-dollar withdrawal limit. I mean, these are in the tens if not hundreds, I can’t remember how high up the price was. There might have been the ability to withdraw a million-dollar gold bar from it. Some of you might have seen the picture of Barnaby kind of like going like that, you know, right next to the thing.
So Barnaby’s had a few drinks and they see the gold ATM machine. So, how do you think it works? And they’re peering behind it and everything. And the folks who are – I think it’s the son or one of the relatives of the Crown Prince who I knew from a prior life – were looking at me and going: “What’s going on?” And they’re all starting to gather around the gold ATM. I forget who it was that tweeted and said: “I remember Barnaby in the UAE, calling the embassy to make sure everything was okay.”
It wasn’t the embassy, it was me, having to go over, talk to people who are part of the Court of the Crown Prince and explaining: “I know you’re not used to extremely heavy drinkers, and you just invited a bunch of hackers into your country, and they’ve demonstrated a bunch of crazy terrifying things, and now they’re eyeing your million-dollar gold vending machine. It’s Barnaby Jack, he’s cool. Don’t worry about it. I’ll tell you what, you probably want to know if your million-dollar gold vending machine has this problem. So, why don’t you let him do a little bit and then, when they walk away, why don’t you pull the plug on the thing and then move it off the floor?”
Sure enough, everybody got a little tired, because of course there’s some research that has to go into these things, and the alcohol fueling only lasts so long. And when everybody got a little tired and decided to walk away, the next day you see there’s this big curtain pulled around everything and nobody is allowed near the thing. So there was no reach out to the embassy and there was no international incident. But there was Barnaby Jack, and he’ll be missed. Thank you!