27

Panel – DEF CON to help hackers anonymously submit bugs to the government – DEF CON 27 Conference


>>So it’s 9 and we starting on
time, which is, it feels just
wrong [panel laughs] why are we starting on time, this is, this
is Defcon. Oh no [panel laughs]
I do this to please proctor. umm, so we’ve got a number of
people on the panel here, uh I
will introduce to you briefly, they’ll get plenty of
opportunity to talk, umm, and
then I wanna give you a little background and then we’re going
to, take off. So err, on the far
end of the table we have, umm we have Corbin Souffrant from
Leviathan Security and then
we’ve got Jennifer Granick umm, from the ACLU umm super-hero to
hackers around the world. Err,
we’ve got, who’s next, Runa Sandvik from the New York times,
we’ve got Pablo Bower from the,
>>Bruwer>>Oh, Bruwer I’m sorry you know it’s funny, I have only
read your name, never actually
said your last name, umm, from the, Donovan group. Mark Rodgers
A.K.A cyber junkie. Umm and then
Chris Cribbs from uh Sisa. Ok so, why are we here, umm. We
want Defcon uh Is about building
a community and I’m always looking for another opportunity,
to either build bridges or build
relationships, or solve problems just like we started Defcon in
China to build bridges umm with
hackers in China because they’re just like us, try to hack sh*t,
but umm, the relationship
between researchers wanting to report vulnerabilities to save
the government is very strange
because there’s a lot of apprehension. So is there a way
to create a process, for people
to report vulnerabilities, hackers, researchers, to report
vulnerabilities into the cert,
of a, a U.S cert, to help do some good, now if you wanted to
make money, there’s a 1000000
ways for molentize vulnerability, if you want to
get recognition you compete in
bug bounties, you get your name attached to bug reports you
know. This is sort of a edge
case, umm and we don’t know big the edge case is, we don’t how
critical it is, we don’t know
how many people are with holding, not reporting, or maybe
monetizing because they have no
other avenues to report, or do the right thing, but it’s
interesting enough that we want
to find out umm, if there is a way for Defcon to act as a
facilitator an immeditary
between people trying to report anonymously and then uh U.S
cert. And to explain how defcon
even got into this conversation, I want to first send it over to
Pablio and uh and Mark a little
bit, so maybe just give us a quick history of why, how we got
here?, why Defcon?>>Yeah,
thanks Jeffery, so err, we-we all have different lives, we got
personal lives, we got>>oh move
in closer to the mic>>oh, we got different lives, we got
personal lives, we got
professional lives and uh I have been fortunate enough to be
involved uh as an attendee in
Defcon since Defcon 4, so it’s been a big part of my life, ummm
and>>whooo>>yeah errr and err,
because I have in the community for a while people in the
community will occasionally
reach out and say like, hey look I-I notice this thing and I
don’t want to explain how I
notice this thing or umm I’m afraid of the repercussions, but
somebody should do something
about that, uh and that’s great and that’s wonderful but they,
>>and that that’s because they
knew you weren’t concealing that you were involved with the
government>>No no I am not
concealing I’m I’m a active duty navy officer I was young, I
needed the money umm [ audience
laughs] umm, but because I’ve been in the community for a
while an- and and I’ve got
friends in community trust and so uh myself and umm my partner
at the Gotadam group uh JK Snow
uh we got to thinking you know, we could we could do something
about this, we can have long
term impact and so we called on Mark, who kindly volunteered his
time for about 2 years to come
down and help us, kind of scope how this could happen. How could
we link the hacker community to
a national surrances what kind of assurances would the hacker
community need, how would that
tactical implementations happen and what projects exists that we
could leverage, by the way
theres and open source thing we could contribute to which is a
show of good faith and so, what
do you wan,>>So, So then Mark gets a call>>So then mark gets
down [panel laughs]>>Narrative
voice>>So hopefully most you know me, umm I am a hacker and I
have been hacking all my life, I
consider this community my family, umm, so when Pablo
reached out and said this is
what we want to build, I immediately had some, some
concerns about how could we do
something like this,this is really an interesting and
challenging problem, and if
there is 1 thing that hackers like, that is charging problems,
umm plus uh they give you access
to a really sweet hackers space that has lots of toys to play
with. And so uh it was a
pleasure to kind of a to come down and play with the toys and
help do this. But we set about
to kind of work out yer, what is the safe way we can do this, and
the most critical thing is, how
can we foster trust in this, because even just thinking from
my perspective, eh how can I
trust, a process to disclose something to a government
entity, without there being any
potential repercussions for me, if I wanted to insure a problem
solved and so we looked at
architecting the solution and I have to say there are still
many, many open questions and
that’s when the reasons why, like we hope you guys can feed
into this, because I think the
only way this works is if the community is behind it. And the
community helps shape it.>>So
then uh we suppose to be announced last year, uh so here
we are a year later. Umm
timelines things you know, got complicated. But uhmm but then
all of sudden things started
moving really quickly, umm , although there was some
technology explored and audited
umm, and so now it’s starting to becom- become real and so now
I’m getting more and more
involved and it’s like OK well where would the data go, who is
going to get these reports?
Because there is concern power to talk about, there is concern
that if it goes to the wrong
agency they going to sit on the data, they going to recognize
the data, they going to hold it
from other agencies or industry or manufacturer or whatever. So,
umm in my mind it’s pretty much
why we, there needs to a civilian organisation can’t be a
military organisation that gets
these reports, right and who is historically gotten these
reports that would be U S cert.
Umm sss and I have good relations, uh I know a bit of
the berdomic inside of DHS and
ugh it just made sense, umm that it would be umm a civilian
partner. Well, umm, the other
question is well if you know the government, the right hand, left
hand problem,I-I asked Pablo
what’s my biggest risk, like Defcon, what do you see the
biggest risks to Defcon for
doing this, and I don’t know if you want to tell that story
>>Yeah so umm, I had a lot of
very interesting conversations, so as a government person I am
calling, calling Defcon and
going hey listen I want to work with you, you kind of get the
side eye a little bit, so, so
Jeff asks uh you know what is what is the concern, I said,
well Jeff yer here is my biggest
concern, umm th- the 2 biggest concerns I see from, the hacker
community is that we as the
government mess this up and burn the bridge again, for Defcon the
biggest concern is you got tips
from some of the hard, some of the smartest hackers on the
planet and this is going to
become the best target ever for possibly for foreign nation
stakes. Umm and so it- it is
something done with significant risk, umm but, hopefully in-in
good spirits, umm and Jeff was-
was kind enough to go well Iet me talk to my folks and let’s
get together and tell me the
story and uh take back.>>So I immediately called Jeff a panic
[panel laughs] I’m like ok
lawyer [panel laughs] what am I getting myself into if umm what
are the risks here umm and
Jennifer’s been on uh the defence side uh forever, mostly
your whole career>Oh sorry [speaker
laughs] I think you and I met
Defcon 3>>Yeah 2 or 3 it was really early 1’s>>Yeah>>Umm
and so I called you up and
explained this is kind of what we want to do, what are the
risks, do we have to build a
whole new data centres and new location in case there is a
search warrant and they take my
web server by accident [ laughing] you know like how does
it work, so Jennifer was
stepping me a little bit through the legal concerns>>Yeah I-I
mean so you-you first have the
legal concerns for the people who are the reporters which is
you know the vulnerability
finders, the reporters who are usually the people that I worked
with in the past. But so,
put-put that side of umm people aside for a second and think
about what are the legal risks
potentially for Defcon and I think there are, umm you know
sort of the subsistence problem
of what information is going to be on the server and then umm
the kind of procedural legal
problem, what happens if somebody shows up with a
subpoena or search warrant and
wants this information . And so to some extent you know, you
think about air gapping your
machines to make sure that if something does happen to it and
it’s taken or taken down that
you know the rest of the umm, the rest of the stuff is still
available and it still happens,
you know can still proceed umm, that you don’t loose the
entirety of Defcon functionality
if the box is taken. And then obviously the technological
concerns about, if it is taken,
if somebody does cease it, umm making sure that, you know they
not going to be able to see
anything, umm without any opportunity for us to uh to get
into court and challenge it. Umm
but I think you know 1 of the problems is that uh search
warrants authority goes from you
know people in the smallest towns or police officers in the
smallest towns in umm in America
all the way through to uh international organisations,
until you meet- with you know
varying levels of sophistication and understanding of the, the
goals of the umm,
vulnerabilities of disclosure and of how the legal procedure
ought to work. So you got to be
ready for umm, responses from all those, those sets of people
and I think of the substance
problem which is what kind of information might people put on
this particular box, and you
know it’s going to be, umm, a chile, you know a vulnerability
information, it’s going to be
very attractive as uh as target there could be, you know people
giving, you know s-sort of
information about their co-workers. I think so and so is
a spy or something like that is
that defamation you know, we give that to the government
what’s the issue there, and then
of cause, 1 of the things that, that as a privacy lawyers is
that uh we see a lot is hydro
ban information. uh usually child pornagraphy, so you to be
careful and have a process in
place for how you going to deal with, if you going to see the
information. How you going to
deal with all of that. And umm, really in some ways, you know
the best situation is 1 where
the imtermadiatry, umm who secures the box and keeps it up
and running.and you know, is
responsive to the community amd give the information an uh
doesn’t have the ability to see
any information on the box at all. That’s the that’s the, the
best way to, to umm, to protect
everyone, I think>>And you engineer yourself out of the
problem>>Absolutely>>Yeah, umm
so I want to to get to Chris, but I first want to go to, to
Runa, umm, whose err, I-I’m not
I don’t know who is responsible but highly involved in umm
operating, umm the New York
times.>>Yeah so>>Yeah and maybe the parallels between this
problem and what you face.
>>Sure so uh I am the senior director of information security
at the times, I have been there
for about 3 and a half years>>Go closer to the microphone
>>Umm and before then, I worked
for freedom of the press, umm, consulting different media
world, help set up and support,
umm secure drop umm which is a system which allows people to
anonymously submit tips to, umm,
anyone hosting the instance, in this case, it’s the New York
Times, Umm, so back in 2016, we
found that there was, there was no way for, a source to contact
the New York Times, the newsroom
full stop. It was a case where sources had to build
relationships with reporters and
establish that sort of level of trust and err, agree on a method
of comps before they could umm
communicate or before the source would be comfortable sharing
info, umm, so we then set up our
tips channel, which has signal and whatsapp and secure grab and
a couple of other options, to
allow anyone really to send anything to the New York Times.
And so we then developed a
process internally for who is going to check the submissions,
what do they do with the valid
submissions, they things we consider a legitimate tips. How
do we safely share them with the
rest of the newsroom, what do we do when we get info that isn’t a
tip. What do we do when we get
information that really should be, sitting with law enforcement
in some cases, umm. And we
really built that out and running, really successfully now
for about 3 years umm, and
before that I think back in, when was it 2015 the tail centre
for digital journalism did a
survey of I think a dozen media works with secure grab to sort
of answer the question of is
this system actually helpful, are you getting legitimate tips
are you getting valuable data
from having this system. Umm and I think back then everyone said,
yes. There was sort of this,
yes, but I am also getting a lot of crap, and I think it was
gottum that said that we
actually get, far more just crap in memes in images that we don’t
want to see, but having this
system is far more, like the value that we get from it does
outweigh getting all that crap
in the first place.>>So umm, so, then after talking with
everyone I-I was thinking, Ok
there is something here, there’s probably a benefit to the
community, the risks can
probably be engineered out, or managed. Now we need to talk
with, who can be a possible
partner and I think that’s when the conversation started with
err, with Serwen and Enkit and
err, and so, uh I want to introduce umm Chris Cribbs who
is going to talk about it from
the other perspective. Having this sort of blab>>So can we be
interactive here>>we can, yes
>>Alright let me ask a question here, with a show of hands, has
anybody heard or know what Sisa
is, those who work for me, don’t count, umm, alright US cert?
Show of hands, alright better,
so US cert is Sisa. SISA is the cybersecurity infrastructure of
security agency, we like
security so much that it’s in our name twice [speaker laughs]
umm so we, uh are new by law as
of last November, umm, created out of a portion of contrame
homeland security set up as an
operational agency on the level of err, other agencies. Umm but
we are uh the advocate within
the government for the researcher community, the
private sector, you know, kind
of team internet. uh we have managed vulnerability reporting
processing for years now. Umm
through the US cert portal,so first, first kind of first
principal though is always you
know our preferences, the the vulnerabilities are disclosed to
the vendor. Understanding that
doesn’t always work, the communities not mature enough,
necessarily across the board not
you guys, but the vendors. uh so that leaves the back stop so US
cert has the capability for
reporting vulnerabilities, uh on the IT’s side we’ve contracted
with the federal funded research
and development centre at uh Columentral university the
software engineering institute,
they run the seaark CC process, so you go there uh you enter all
the information, it’s anonymous
uh as far as I know it’s never had a bridge or spillage or any
sort of disclosure. I think this
year through June at least, we’ve already managed triogued
almost 8000 vulnerabilities, umm
so we think we have a process that works. Now the challenge
here is that I’ve got a
numerator. I don’t have a dominator. I don’t know what the
potential for vulnerability
recording there are still clearly through this
conversation or at least very
much potentially through this conversation some that still,err
have reluctance to engage with
the government on to have these issues addressed, directly with
the government and there needs
to be some sort of err, arbrat, uh arbiter. So, you know what we
thinking and what Jeff mentioned
upfront, is er what is the edge cases out there, what are the
impediments or challenges that
the community sees err, in terms of reporting through the
standard process again w-we
think this is successful maybe I’m throwing a random number
round 95 percent solution, what
does it take to get that 5 percent. What are the
concerns,how do we do this in a
way, you know, we talk about risks, umm, yes this could be
targeted by foreign intelligence
services, but it could also be other things put in through the
process you know, I think about
the, the junk, the memes, the, err, other sort of collateral
that could come through this
process. W-we don’t necessarily want to work with, so what I’m
interested in is figuring out, A
what are those kind of edge cases or th- the the, maybe the
best way to put it, is you know,
we can’t take an approach where I’m from government and I’m here
to help. We’ve got the answer
for you, I need to have more of a customer service mindset, so
we think we have a product, if
it’s not answering the, the 99 point 9 percent of the problem
set, what do we do to get over
that final hump, and so this I think secured drop is a, is a
conversation that is useful in
terms of closing out the top end, those more, potentially
highly valuable vulnerabilities,
but how do we get there, how do we do it in, in a way that both
manages the engineering piece,
but also some of the administrative infrastructures
stuff from my side, the people
side, umm so , kind of top of mine at least for now so>>Ok
so,umm, so I think maybe Pablo
you ought to mention that, umm, some of that sweet government
money was spent on an audit.
>>yeah so, err, we-we did the initial meetings we started
taking looks at existing
architectures, umm we found the freedom of the press secure
drop, it was open source, it had
been tested, uh it had been in use err, and so we were able to
convince some government
partners to, err, fund a code review. Umm we wanted to be very
transparent about this, uh we
reached out to freedom of the press uh who-who co-cautiously
and nervously took my call
initially uh until we were, uh th they were sure we were
transparent and we uh we got
linked up with their def group, umm we paid for a code review
that we uh asked Leviathan
security to do, uh we shared the report with err, with freedom of
the press of the def group, and
said here are the things we found, here’s how much money we
have to contribute to def fixes,
what would be your priorities? And so between Leviathan and the
freedom of the press development
group, umm, they set out the priorities they filled us in on
some improvements they got
coming, err, that they hadn’t announced yet, so they said
don’t fix those, we already got
fixes for those. Umm we’ll take the other fixes uh so Leviathan
went through, uh and worked
right through the github and uh all of the fixes were submitted
and have been accepted into the
main branch and are available for everybody else to use
through the official secure drop
box repro.>>So err, all that I’m uh my left your right is
Corbin who led that effort in
Leviathan to do the security on it, and I thought, it would be
interesting just to, what is the
quality, what is, you know how much confidence, umm, what do
you think of the, technology.
>>Yeah so, we’ve had a card review of everything like,
infrastructures, uhmm secure
drop pass would be deployed by individual companies, freedom of
the press doesn’t deploy it. It
is a product so, New York times just went on servers and
everything umm, every other umm
organisation that uses it, so you went through the
documentation on are they
recommending same deployments, because IT get like uh a news
organisation may not be like, as
great err, umm, err, maybe like si, uh regular, umm company, so
we went through them, we looked
through the cryptography umm, to make sure that, are things being
submitted actually being
submitted securely umm is there a risk of somebody being
deanon-denonamized or manned in
the middle umm all, all that sort of effort. Over all the
code based it’s a open source
project and it’s, used by important people so it was umm
pretty well put together. Umm
uh, w-we didn’t come across any like remote executioner umm,
anything critical like that, umm
and as Pablo mentioned after we submitted the report of our
findings to the uh secure drop,
uh sorry to freedom of press, we then made some contributions
back, uh the biggest
contributions were the wondering how they could securely delete
files, umm, because you don’t
want someone to come in with uh supeno take your servers and
just frantically grab everything
off the disk and figure out what was submitted. Umm, then we also
wer-were working with them to
set up a proto type to provide umm, enter ending encryption
file uploads right now the file
uploads are submitted umm, unencrypted elletor, and then
they are encrypted in ram before
written in disk, umm so we kind of helped work on potentially uh
making a browser plugin that
would encrypt the files, before they are uploaded, umm, the uh
javascript in the browser plugin
err, in one of the interesting things about that is the plug in
can execute the signed
javascript without having you to, without forcing you to
enable scripts by the browser,
so it’s a way you can have javascript encryption without
risking some man in the middle
in your connection and umm, throwing in malicious javascript
encryption thing up there. Umm
and Furnel press wants to work in the future potentially get a
browser plugin that can do that
umm, maybe in, built into the torfire box bundle umm,
eventually uh but those are long
term plans and they kind of looking at what would be the
best solution for end to end the
encryption, because would it worse if it was something that
make it less secure, umm so,
that is sort of what we working on as far as that goes.>>Ok so,
I wanna really spend a little
bit of time getting questions with the audience, cos the point
of this was pretty much err,
community consultation, but we had to get you up to speed of
what we were thinking so i don’t
know does anyone have anything else to say? Should we go to
questions? Does anybody have
anything, wanna do questions? Do we have a microphone somewhere?
Team, team Goon. No I think, I
don’t think all of the microphones got put in this
early, umm, so if you do have a
question, yeah stand up and kind of shout it, then we will repeat
it uh so everybody else can hear
it and it can get into the recording. So raise your hand,
anybody have a question? If not,
ok this gentleman over here, [off mic] so the question was
that Defcon is sort of
international now with China and US cert is uh international
getting reports all around the
world. Umm is is there any potential future for either
sharing or working with say
europeans certs or others if that was it.>>I, you know Pablo
nodded his head and I was
thinking yu, well absolutely I mean, cert to cert relationship
across the world. uh we, don’t
differentiate you know again, certs are, if you look at uh
some of the norms that have,
that have been agreed to across the country, certs are that kind
of DMZ, that space that uh is
protecting the overall ecosystem, so umm you know first
blush at least right now uh
again so still working some of the thornier policy and legal
questions, but that’s ultimately
where it has to go, because we not just talking about US
vendors, we talking about a
global community, uh instead of companies that will need to
coordinate these things and do
hand-offs and things in that nature. But there’s likely
again, getting into the thornier
policy principals, it’s jus, you have to think through what are
the,what are the implications
with sharing with certain states tha or countries that may not
share our same system of values
and what are our triggers and thresholds to walk through that
process, but. Uh, I will pass
that down the line.>>An answer in an ideal world, I mean, the
hacker community is a global
community, it’s not just a US community, and so whatever ends
up being built has to support
that global community. And yes that means there are significant
challenges ahead in terms of how
we handle certain things, how things get disclosed etcetera,
but that absolutely has to be a
priority.>>Go on pile on 1 piece here, my ultimate concern
here is when I, when we receive
vulnerabilities, we do not turn around and share those with the
intelligence community for
exploitation. We have a bias a very pres, uh a preference and
an almost argumentative and an
er a posture in the federal government on disclosure. And
that will be 1 of the
considerations when you think about some of the uh s nations
that we engage with. How are
they going to use this? what are they going to do this? And what
is that again? What is the
arbiter? Maybe that is 1 of the pieces to think through is, is,
is, can Defcon play a roll, in,
facilitating some of the or at least some of the oversight of
some of the engagements.>>Ok,
let’s do another question. May we, ok this gentleman in the
front, and then that gentleman
in the back. Yeah yea, [off mic question] So I think I can try
to summarize the question, well,
err, his uh chu uh participates in err, in uh bug bounty
programs and and is er tester,
and umm, he says before he will even get to the point of
reporting, he generally, he
wants to make sure he can test the properly on the crank
server, umm and so, could this
system or something similar,[cough] umm help in the
future, enable test umm of
government systems to to sort of make sure before you report that
it’s feasible. So I think, I-I
mean it’s not contemplated in what we are talking about, I
think if you,your a tester you
don’t have a problem being identified reporting so you
would probably go through all
the normal pact to pentagon or other existing programs. Umm and
if you have a problem with a
specific technology used by the government, [cough] maybe you
would be able to test that
technology somewhere else, because we-we’re not necessarily
interested in the threshold of
you have to reproduce it, and we give you money, it’s more like
we want to know if there is a
problem. Is ss tha>>What I was going to say was that, bug
bounty programs have a very
clear set of rules of engagement and there is a , is an implicit
invitation to come in and look
at that infrastructure and find stuff. This is to cover these
edge cases like for example,
there are edge cases where just through ne- just through normal
operations will find
vulnerabilities or will find hints to vulnerabilities. And we
not nes we no we definitely not
inviting people to go hack into infrastructure to find
vulnerabilities that are not
covered by programs to programs. All we saying is, if you find
something or if you see
something, we want to give you the channel so that you can
disclose it and so it can be
triaged.>>Hey umm, Jennifer.[laughing] I can see
you chomp in>>I’ll just, I’ll
just add you know that the riskiness, legally riskiest part
of vulnerability disclosure is
research umm, because of the uh legal roles that arguably either
arguably or definately limit of
what you can do with somebody else’s box or somebody else’s
data, umm and I think that you
know, what we-there are other means out there to report
vulnerability information, but
the 1 things is annuminaty can do is protect you know goo good
faith testers, but not allowing
them to report but actually revealing their identity. Umm I
would say that you know i-it’s
always you know if you can it can be a good idea to consult
with a lawyer if your planning
something, that is umm, potentially legally risky with
somebody else’s machine or
somebody’s data, umm but it is going to be risky er and
ultimately the answer really, yu
you know can’t always be no, right? There are going to be
times where, unfortunately
people are going to have to take on that legal risk. It’s good to
do it, with the benefit of uh a
good consultation ahead of time, but I think that umm, you know 1
of the goals of the project is
to be able to, removed that legal risk, which is a
disincentive for people to
report things that really should be reported.>>Can I do a show
of hands, umm well this might
deanonymize you but, [ laughing] anybody in the audience, do you
think a system like this would
be remotely useful? Are, can you see it’s use, or see it’s
utility, show of hands. Well
tha-well that’s actually more than, more than I thought. [off
mic question]>>So, so there’s
err, there’s uh a quick question I want to ask as well, which is,
I’ve been a security researcher
for over 20 years and I have run into scenarios where I have
found things, just through
browsing the internet, interacting with an application,
and I have struggled to disclose
them, because the company has no disclosure policy, company
doesn’t have bug bounty programs
in some cases, decades before bug bounty programs existed. How
many of you in the audience have
run into issues, potential vulnerability etcetera that you
haven’t been able to disclose,
because there is no process or there is concern about how you
would of disclosed it.>>Can I
put an second order question on top of that, is what would be
umm, the impediment of reporting
it through the standard US cert process, is it you just don’t
like GDP uh that’s what I am
trying to get through this, like what, what are the use cases
that the standard, US government
SISA process US serk process, isn’t addressing the
requirement.>>So going back a
few years, that process wasn’t in place>>that only,>>eh yu,
err, but the other issue is,
there is always concern when you find something about how err,
various entities are going to
react. I have been legally pursued by companies for
finding, good faith
vulnerabilities. And so protection would encourage me to
go forward more,>>Well this is,
this is potentially the Misqinsky problem, Dan
Misquinsky, when he found the
famous GMS bug. It took him 9 months of his life to coordinate
with all the other effective
parties, and he felt really good and he made great change, after
that he said never again,like
I’m not doing that twice. And so sometimes people find the bug
and they want to drop it and
they want to walk away and get on with their life, because he
can’t commit to a certain level,
umm, so i-if there’s a Pablo there’s comment then we have go
to the next question>>Can we
get a vote though>>Oh yes the vote yeah yeah>>Mar-marks
question>>Ho-How many people
have trouble with umm vulnerability reporting, when
they had something they wanted
to contact someone and reveal it and they just had difficulty
figuring out how to do it, or
doing it,>>Show of hands>>whose had that>>Ok, thank
you, oh Pablo, oops>>yes>>Ok,
did you have a comment, I’d like to go to the next question>>No,
I wanted to clarify the last
question, if the question was about security testing, the
secure drop instance, err, I
would be, so first of all the software is up there and it’s
open source sec of all it’s not
going to be hosted by the government, umm, wo-wo-working
with the uh with Jeff and err,
I-I think we going to be able to get Defcon to host the servers,
uh, but I would be very
interested to see if we could sponsor maybe a black badge
competition in the following
years that we can ask the community>>Hack the system and
help improve it>>Hack the
system and help improve it, w-w-we wanna make that sure the
system is secure, not just for,
for the US government instance but also for the fronts
instance, yeah,>>W-w-wait we
have to go to this gentlemans question [off mic question]
right, here’s maybe to summarize
that, do you wanna>>Yeah so>>Do you wanna>>The question
was, this, this boils down to
trust and the uh US government has practically done a hideous
job of, working with
researchers, working with the press, uh you know going after
people, attacking the tour
networks so how do we work on that, how do we work on the
outside entrust and the inside
entrust, uh hopefully this is a step we trying to be as
transparent as possible, umm
it’s going to be tentative at first, not everybody is going to
trusted it, uh there’s gonna be
issues somebody’s gonna find a issue with secure drop, uh,
hopefully we get it fixed.
Somebody is going to submit a bug and feel it wasn’t uh
handled correctly, uh there are
going to be mishaps absolutely, I-I think with the intent of
good faith needs to be there, we
need to be transparent>>So 1 of the main reasons I got involved
in this is because I believe
that trust is the critical element that will make this
work. And I want to see you rip
this thing apart, and find issues with it, and point out
these flaws and so that we can
work through it. And it may take irretagations to get to a real
good trustworthy product, but by
engaging with the community and having the community do that
work, I have confidence that we
can get there.>>Well what I want to add here is that we not
going to engineer trust. And
it’s not a single solution approach, I think there was
actually a really good
conversation yesterday uh in 1 of the Healow suites, umm about,
err, some of the legal issues
DUJ plays a role, they need more guidance and more clarity on
what the things, and how CFA
comes into play here, but in terms of where I sit, I am not
the IC I am not the law
enforcement. I am the private sectors advocate, within the
federal government, I think we
have a pretty good track record, from at least, from where sit,
what I have been told, unless
they lying to my face. I think we can manage this, I think we
have a good ability here but
trust is a 2 way street, umm, so the there’s obviously based on
this conversation, based on the
feedback from today, that trust isn’t where it need to be, but
this is a maturing discipline
it’s a maturing conversation tion, uh there is still
obviously still work left to do.
>>Ye we got time for 1 more question. You got to make some
noise so we can find you>>Right
there over>>There, there we go, If you wanna if you wanna to run
up and answer ask a question
which is closer to us then we will repeat it for everybody,
[off mic question] yep, yep [off
mic question] [laughing] Come on down.>>So I’m just curious like
[off mic question] so, ya,
interesting qu->>Do you want>>Yeah yeah you have>>Ok uh so
I don’t have the answer for
this, but it’s a great question,umm basically uh
potential summary of this
project is witness protection for hackers and the federal
government has experience with
witness protection in other context for example, the law
enforcement context,umm you know
for this project would it beneficial and wo-would we want
to do in order to take the
knowledge and lessons from witness protection umm, legally
and umm otherwise security wise
and these other context and how we might apply that knowledge to
this particular project.>>So,
now you’ve asked the question [laughing]>>That’s not fair
>>Uhh, well so, umm, so unlike
witness protection we not dealing with uh with a physical
person, it’s it’s information,
so it would be more about protecting, umm separating the
person submission and you know
to prevent deanonymization, segregation, and I think that’s
where the idea that Defcon
operating the servers in the middle we get torgue connection
to us, the magic happens, the
torque connection to uh cert, so cert never sees or the discern
the IP you know, the exit mode
and back and forth there are 2 separate touring instances
running and so there is some
operational s s a little bit of sophistication, that like Chris
says we not going to engineer uh
trust, but there is a lot of things we can do to reduce the,
the risk. You know like files
are deleted, so lets say an analytical cert, get a file,
well then they, they download
the file and delete it off the server, so if the server does
get on you got what there
between the last time and the analyst downloaded, right there
is operational things we can do
to make it not a juicy target, right, it’s not, there’s not a
lot of stuff there,like 6hours
of things that kind of eh and I think kind of that’s why, uh I
like consulting with Runo
because she deal with this with real people and other sketchy
countries where life safety is
at risk and they all are trying to do the right thing,bu-but at
a significant risk.>>I-I think
1 of the>>wait Lasher>>Umm I actually wanted to add a
question, even though that’s a
great question, that a challenge might pop up in this case that
we don’t have in the media
context is that if a source submits something to the New
York Times, our rule is to
report on the content, our rule is to verify if it is accurate,
and then report on the content.
We do not, work to,umm, deanonymize the source, we do
not work to figure out who they
are and how many laws they broken to>>But we not trying to
put it the reporter in context ,
you just try to take their information and try to validate
it,>>Correct, so we take the
information and we do whatever we can to validate it, either by
communicating with the source,
through secure drop or some other channel, if we can, just
then there is a process in which
the reporter would have to get the information verified through
other channels, but our rule is
never to try to de anonymize the source, and I think that might
be a concern in this context, if
you submit something, think through this process, would the
government then make an effort
to figure out who sent the information. [pannel chatter]
>>Yeah and just to add to this,
1 of the goals of the err, assessment that we did, uhmm,
was part of the attack servers,
depending where an actor is sitting trying to deanonymize a
source,like how much damage
could they do, if someone owns the Defcon server, and has some
implants sitting on there,
reading everything that comes in. we looked at where would
they actually be able to see the
information and what would they be able to deanonymize, that was
also why we looked into after
you pull the data on too, off the server and the journalist
looks at it, how do you actually
get it securely deleted so that even if somebody comes in, takes
the server physically and tries
to analyse what was on there. Umm like how do we prevent
anything from happening as soon
as it’s read by a journalist like delete all evidence. Umm so
hopefully it doesn’t get to the
point,of having to deal with that witness protection thing,
it’s a it’s a recorded
everything is deleted and tha-that’s it for the source and
they don’t have to look at it
again.>>who- ho, and honestly I-I will tell you honestly 1 of
my plans is that if there is a
little engineering to do, it is to make sure that Defcon can
honestly answer a subpoena
request that says no we don’t have the keys, we can’t tell you
what’s on the server, but FBI
the, you know US cert can, so you part of the government go
talk to you part of the
government and I’m going to be having a coffee. [ laughing]
right, the idea is to get us out
of the middle if there’s an internal dispute. And I am sorry
Chris, but [ speaker laughs] you
might be in the middle of that. [laughing]>>Thanks [laughing]
>>So umm we kind of coming to
the end of time. I wanna have one more question to the
audience, so after hearing this,
this is our since this is our first ever sort of consultation
after hearing this, umm
obviously there’s a lot more discussions we have but by a
show of hands who thinks Defcon
should pursue this? Ok who thinks this is the most castro
traffic disaster uh thing in
the, you know, threat to to Defcon, ok. Well a threat to
defcon>>Defcon>>Yeah there are
many threats to Defcon [panel laughs] you all are a threat to
defcon.[laughter] Alright so if
anybody has any concluding remarks then I think we done,
>>I-I just have 1 little comment
to make, just to kind of sum up what I think I hear from people
in terms of, I see a lot of
support obviously, but what I think I hear from people in
terms of concerns is that
there’s a heavy reliance on technology to to do the
protection, the hard work of
protecting the community of people who are going to be be
reporting, but what I am hearing
in the comments is where people have concerns is that technology
we, you guys know better than
anybody else that technology can fail. And there are other things
in terms of trust processes,
relationships inside the government and government to
government, umm you know having
more of an appreciation for the importance of research and less
of a punitive approach by umm,
law enforcement and that these other non technical human legal
policy relationship parts where
the areas where people really feeling so concerned and want to
make that stronger, in order to
make the project like this to really actually be be
trustworthy and beneficial to
the, the everybody who is involved. That’s, that’s what I
am hearing.>>Yeah yeah and I
would agree with that, that I think it’s been a good
conversation, helpful feedback
and if I think if we look at this, th-the US government is
littered with a graveyard of
good ideas and in so, we need to manage expectations, do this in
a way that is pilot based , but
let’s really focus on maybe some of the use cases, I think you
guys know this stuff,umm, really
darn well and just tell us why, what are some of these examples
or hyper equals where this might
be at use,obviously implementation a 1000 more will
come up that we never really
anticipated but it is always helpful to kind of scope the
issue and er and er start small
and spririal it up>>alright, well thank you for
participating, we around, we’ll
be here all week umm [laughing] around to, to answer questions,
thank you very much. [applause]

Stephen Childs

27 Comments

  1. Yeay. It's that time of year, get ready for that steady stream of Defcon videos!

  2. Jeffrey Epstein was murdered
    and beaten in his cell
    he was found hanging
    dead of a heart attack
    What the hell
    Now Epstein has nothing to tell

  3. First defcon vid i have ever hit the dislike button on….didnt think that day would ever come

  4. Always with the sub par audio. Tech folk everywhere we look…. no audio person.

  5. What happened to DefCon? I noticed a change a couple/several years ago, but is there a specific instance that cause the con to change to this level?

  6. Wait, what, isn't this completely backwards?
    Shouldn't the government be reporting bugs to software companies so they can be fixed instead of asking people to literally give the government more bugs they can exploit?
    What kind of logic is this? The vast majority of the worst attacks in recent memory have all come from NSA software!!

  7. What safeguards are in place to protect the data from being weaponized against the average person? What about if a Julian Assange or Ed snowden type of person does the right thing and reports what is being done? shouldn't we be standing up for them and see what happens to them first before we jump head first into this pool full of fire?

  8. With all the media/journalism one sided/ biased. how do we know that certain information will be deleted then ignored?

  9. This sounds like you guys are doing the government & coorporations their job. They are supposed to provide these kind of services.

  10. I dont trust governments and I dont trust any Woolley NGO's who claim to be independent but are bank roled by central government like NSA,CIA GCHQ. what happens to hackers who go for politically sensitive vulnerabilities i.e GPS network !

  11. Whew, lots of comments against Defcon working with governments. I don't have a solid opinion onn this yet, but I do believe it is still important discussion to have with the hacker community, and hence as the title points out: "discuss".

    What I WON'T stand for though, is the quality of the video and audio. That is a mega OOF right there…

  12. I think engineering a global solution is very unlikely if there is an arbiter. I believe the mechanism suggested is not a solution to the real problem.

    Hypothetically, a hacker from a foreign country can find an exploit in a bank and can transfer money from random accounts to any given account. If he reports to US government, they will abuse it; if he reports to the bank or the local government directly, he gets jailed for exploiting the bank system; if there is an arbiter they can abuse it or choose not to send the information to the intended party. There should be a better end-to-end solution.

  13. People should pay for their own vulnerabilities, the whole part of being a good computer hacker or programmer in general is not trading convenience for security and why should any one just give a solution to the problem and people should create their own solution. Humans deserve the mistakes they get in life and they fully deserve to pay for them since if people do not know pain they cannot know relief. Systems are designed to be exploited because they are made by imperfect people and the governments of the world right now do not have the best interests for the civilians of the world.

  14. Camera not white balanced, mics quiet and feeding back, video guy switching to PiP view when only the background slide is up, this is so hard to watch

  15. Some solutions are not easy, if People are worried that the government will try to track them if they report something, DEF can’t you just open up a PO Box? And whoever has something to report can write up the report just like sending an email, only print it, and send it through the mail

  16. I'm sorry… Why anonymously submit 0days when you can sell them? ohh, Chinese hackers submitting bugs to the US government. Gotcha. "Help do some good" a.k.a. "Fuck Your Shitty Wall"

  17. Good intentions, but with governments bring major bad actors themselves, would you really want to supply them with possible new attack vectors?

Leave a Reply

Your email address will not be published. Required fields are marked *