Matt Devost at DEFCON
Matt Devost, President and CEO at FusionX, sat down last week with Ivy Thomas to discuss his insights on cyber, DEFCON and more.
Ivy Thomas: How long have you been attending DEFCON?
Matt Devost: That’s a good question. I don’t know the exact year I started. 16 or 17 years or so?
IT: That would be DEFCON 5?
MD: Something like that. We were trying last night to map out exactly which one was my first, but we’d have to sit in front of Wikipedia and correlate when Summercon was in Washington, DC, with some memories I have, like not going to HOPE because I was going to DEFCON. Things like that. It’s been a long time.
IT: Have you noticed any changes over the years? Have some been more memorable than others?
MD: The most memorable for me were the years at the Alexis Park Resort, 1999-2005. It was such a closed, contained environment. The community was growing at a rapid pace, but it wasn’t overly large. On Saturday night, you could go out into the big, open pool area and start at one end, then walk the whole area and run into basically everyone you wanted to see at DEFCON. I certainly miss that in this age of the large venue size with 15,000 people. It’s now a little bit hit or miss whether you’ll run into the people you really want to be seeing.
IT: That’s true. I stopped by the Rio this morning thinking I’d pick up my badge after brunch, and the line was wrapped all the way across the hotel and casino floors and out to the pool area. It must have been at least a quarter of a mile of people stacked three abreast, and even for the early birds it was a three-hour wait to get in. So for me, at least today, DEFCON was definitely canceled!
MD: [laughs] It’ll get easier as the weekend goes on.
IT: Over the years, what has your involvement in DEFCON been?
MD: I’ve been a speaker and an attendee, but I haven’t played a formal role in DEFCON as an organization at all. At this point I’ve spoken a couple of times and attended numerous, numerous times.
IT: That’s interesting. I’m curious about the kinds of topics you’ve presented over the years. Have you seen any noteworthy trends as far as the ability to network with different industries?
MD: Yeah, I mean, “industry” is probably a bad term; it’s just interacting with other practitioners in the field, and that’s definitely increased over time. As the community’s gotten larger, and you have more content and specialized tracks, it allows people’s common interests to kind of aggregate. For example, I’m interested in mobile security, so I’ll go to this talk and then most of the people sitting nearby are also interested in mobile security. So naturally, at the end of the presentation, people will gather in the hallways and talk with each other. It’s good to see that, pairing with folks of common interests. I think a lot of that is driven first by folks’ ability to network, but then also by having a topic of interest to aggregate around.
IT: What other topics presented at DEFCON have captured your interest?
MD: I like a lot of the health care sector’s embedded medical devices, financial stuff obviously, notorious zero days [previously undisclosed vulnerabilities] – I participated in a presentation one year on a Lotus Domino vulnerability that was discovered – stuff like that always piques my interest. These days, unfortunately, there are so many people I want to see on the social side that I spend very little time actually in the talks, and it’s been that way for me for several years. I haven’t even looked at the agenda yet.
IT: It’s interesting that you mentioned medical devices. At DEFCON 20, I got to sit in on a panel that asked if we were able to use our Second Amendment right should our neighbors get onto our lawn and mess with our medical equipment using Wi-Fi. That was a very interesting panel.
MD: Yeah, Jennifer Granick, I bet?
IT: Yes, Jennifer Granick of the Center for Internet and Society. This particular SkyTalk was a bit later in the evening.
MD: There’s always a “mock trial” at DEFCON, too. Some interesting concepts.
IT: So, what would you say the hottest topics security-wise are, going forward?
MD: I think it’ll be more of the same of what we’ve seen over the past couple of years. We’re getting a real hard look at embedded medical devices, control systems in automobiles and everything. The “Internet of Things” seems to be getting a lot of play, what with people putting Internet-enabled thermostats and other technology in their house, definitely a key interest. Then there will always be the kind of core critical infrastructure vulnerabilities surrounding DNS and other things. Those will always be big draws.
IT: Out of the different modules (Lockpick Village, Wireless Village, Social Engineering, Capture the Flag), what courses provide unusual training that you’d most recommend to those relatively new to the DEFCON community?
MD: Lockpicking is always very fun for a newbie because it’s so tangible, you can hold the locks in your hand when you actually do it. Going by and observing a Capture the Flag [competitive hacking event] is always interesting, although it might be overwhelming for somebody if they’re non-technical. You generally have some really skilled folks participating in those contests. It’s fun to just watch the dynamics associated with them. Social Engineering’s another fun one, just because you get to see people applying the human dynamic and influencing human factors. And I love the Tamper Resistant Competition, where they take all the tamper-resistant seals on boxes and packages and locks, and they have a contest to see who can get through them all, without providing any evidence that they’ve been modified or tampered with. That, to me, is usually fun.
IT: Yeah, I think I’ll check that one out this year. And that was my experience being relatively new to security conferences: what drew me in was lockpicking, because I could get my hands on it and see the mechanics of what I was doing.
MD: Yeah, it’s very tactile, and they’ll sell you lockpicks and some practice locks, so you can take them back to your hotel room.
IT: I actually have some practice locks with me right now. I think SerePick will be out here this year; they have the best gear. So, grab bag question: Will you share with us one killer memory or war story from a past DEFCON?
MD: Aside from just the general Alexis Park days, just hanging out at the pool, one of my favorite memories is of the year I played Hacker Jeopardy. It’s just a tremendous amount of fun to watch, and to be up on stage is a fun experience. Winn Schwartau talked me into doing it against my better judgement, but we had a good time.
IT: I really enjoyed this quote of yours: “The reliance on computers to operate key infrastructures has created a tunnel of vulnerability previously unrealized in the history of conflict.” I saw that you’d written it into your thesis and that it got pulled until a little while later. Can you tell us that story?
MD: Yeah, that actually got pulled from my thesis because my thesis advisor thought it was too sensational. Then, a couple of years later, I was responsible for writing a good portion of the [1996] Defense Science Board report on Information Warfare. I was able to take that quote and put it in the report. It was funny because in the media coverage of the report, which was 100 or so pages long, the quote that they chose to extract and highlight was that exact quote. So, I had some fun with it. I clipped the news article and sent it off to my thesis advisor, saying, “You’re right, it was overly sensational, because the news is using it now.”
But, the whole point was just to get people to understand that we have these critical infrastructures that we’re completely dependent on, and they were becoming increasingly dependent on information technology – SCADA and other control systems, communication networks, IT in general – and those systems were inherently vulnerable. I mean, they just were not secure. We still have issues with that, but back 20 years ago, they were just not at all secure. I saw that this was a tremendous national security threat, and if we didn’t start correcting and remediating it, an attacker could exploit that to cause our critical infrastructure to fail. Fortunately, that never really happened, at least on any large scale. However, it’s still a risk that we live with today, based on my experience.
IT: I was looking at the site of another company you’d put together, the Terrorism Research Center [terrorism.org/resources]. I saw a great paper which was written by two researchers in China regarding “unrestricted warfare”, which I absolutely believe is being practiced today.
MD: Oh, yeah. That paper is almost 15 years old. At the time, I circulated it to a lot of people, and I got into a little bit of trouble because, though it was not classified, it was a very sensitive translation that the US government did. But I felt that it was so important for people to understand the perspective that existed there, and how a foreign government was thinking at a strategic level about these technologies, and what conflict would look like in the future.
And you could make a pretty strong argument that it’s played out pretty much the Unrestricted Warfare way. They got very involved in cyber espionage, and the use of cyber as a tool of strategic influence, and the economic aspects of that. While there’s been no economic attack, there are governments that are certainly positioned well with regard to securing our debt, the currency used, etc. If they wanted to, they could have a substantial economic impact on us. So it’s just this idea that among large nation states, the fact that you might have a force-on-force conflict, at scale, was a thing of the past, because you couldn’t predetermine the outcome. Instead, they would just resort to information warfare, and have a kind of small, strategic war. It was a fascinating concept, and still is. It’s clear that the Chinese kind of live by that. It wasn’t an official doctrine, just a theory they incorporated, but it’s present in a lot of things that they have done and are doing.
IT: It’s fascinating how our technological infrastructure has shifted the paradigm of full spectrum dominance, as it’s a much larger spectrum now.
MD: It is. As of the past couple of years, cyberspace is considered an official domain of warfare: like sea, land, air, and space, we now also have cyber, with a Cyber Command, a cyber strategy, a deputy assistant secretary of defense for cyber policy.
IT: Yes. I always wanted to meet one of those teams when I was working out at the Pentagon, but their doors were pretty heavily locked down. I knocked a few times! Just kidding. So, that paper also mentioned that the United States is fairly restricted by its own policies, needing to follow the policies that we’ve instilled and expressed to the world about how we should behave in foreign affairs. I’ve also heard from friends in the industry that yes, China hacks the US, but the US hacks China back.
MD: Yeah, I’m sure. It’s a multi-faceted, complex problem. But the keys are in where and whether or not it fits for the job, the level of activity, wrong, right, things of that sort – and there are cultural differences with regard to what is wrong and what is right anyway.
That’s one key thing that I’ve triggered on several times in the past couple of days. Focusing on intellectual property theft as a core diplomatic tenet is fundamentally flawed, because our view of intellectual property and other countries’ views of intellectual property are misaligned. For example, the Chinese will look at it and say: “For 2,000 years we invented all these great things, and other societies got the benefit of our inventions. And then, over the past 100 years, you’ve decided that intellectual property is important, and that just happens to coincide with when the US and other governments had periods of innovation. So, why was it okay for you to use our intellectual property for 2,000 years, but it’s not right for us to use yours over these 100 years? You need to pay, we’re trying to better our society. You were trying to better your society when we invented gunpowder and all these other innovations that came from the Chinese culture.”
IT: That’s a very good point. I can certainly see how Eastern practice is to pay attention to a much longer timeline, as their civilization has been established that much longer. I think another great difference between American and Eastern strategy is exemplified by the strategy games that we play. Here in the United States we play chess and poker, and over in China and Korea they play the game of go [Chinese: wei-qi, Korean: baduk], which is much more complex in terms of strategy. I’ve heard it said that “if chess is a battle, go is a war.” In the endgame, it all comes down to the ability to read ahead, and the number of moves that you need to read ahead in the game of go is so much greater. I guess I can see their ethic there.
MD: It’s interesting, and we discussed it in my talk that I did here at Black Hat this afternoon, how in the West we don’t have a lexicon for strategies associated with deception and things of that sort, whereas the Chinese have lexicons and strategies that go back centuries or thousands of years. So it recurs over and over again: in documents, in strategies, they relate back to fundamental concepts that exist, where we don’t have a correlation for that in the United States. It gives you two completely different approaches and perspectives. That, and time. They look at time from a generational standpoint, whereas to us, five years is long term.
IT: That actually brings to mind another quote that I read from your website, which is that 2009 was the “year of living cyberdangerously,” simply stating that by 2010, that was when we should really start implementing real change.
MD: I wrote that blog post as kind of a recognition of trends that I saw, to identify a flashpoint where things would turn in a different direction. And if you look at what happened in the next year, we had the Operation Aurora attacks and the increased prevalence of the nation state focus, and it’s been incredibly dynamic for the past five years.
So yeah, I put that down, which I will from time to time. I consider myself a quasi-futurist. I’ll be thinking, okay, there’s an important change taking place, an interesting dynamic that I want to recognize. I hope that also means that there’ll be some sort of sea change of defense strategy, which hasn’t quite occurred yet, but will possibly.
IT: Last year, DEFCON was actually officially canceled for representatives and members of the federal government. They posted “If you’re a Fed, seriously guys, just stay away this year.”
MD: Yeah, I’m intimately familiar with that. Jeff [Moss, the founder of DEFCON] is a good personal friend. I gave him some grief about that, but the reality is, I think it wasn’t canceled, but more like, why don’t we take a time out. Obviously, we need a breather. The problem is that even from the early years, the federal government community has been fully embraced within the DEFCON community. They’ve been attending. There are people that I know who are feds, who have spoken, who have been volunteers, who have worked security as goons [DEFCON staff], who have done all sorts of interesting things.
One other thing that I love about the hacker community in general is that it’s supposed to embrace people. People are different, and there are so many different lifestyles, personalities, and so on, that the thought that we would exclude someone based on their place of employment was to me, as a member of the community, a little crazy.
And I publicly said that at the time, and the reality was, the feds still came. The people who were part of the community knew enough to kind of overlook that and realize that, though I think it was heartfelt and genuine to say, “hey, we kinda need a breather,” the reality is, that no. Maybe the keynote speaker, getting General Alexander to speak at Black Hat, made the community feel betrayed by his speaking, and then the revelations that came the next year. But the people who are here and want to learn and exchange knowledge, see their friends, and participate in this hacker culture, will always be welcome in our community.
IT: Have you seen that atmosphere clear up since last year, or do you think it will be a long-term fallout?
MD: I don’t see it as an issue. There’s obviously a lot of distrust of the government, I mean, all of the DEFCON materials are themed in the “Disobey” vein of things, which is great – having people be provocative and think about their government and policies, and technical implementation of policies. General Alexander I don’t think is a bad guy. He was given a policy prescription by the leadership of the United States, and his claim was that he was actually really good at technically implementing the policy that he was provided with.
That is almost even itself part of the true hacker way: to tweak systems and make them better and understand them. He just happened to take that policy and apply a very broad, methodical approach. That resulted, I think, in more efficiency, a broader portfolio of people to look at than people were comfortable with. And that’s good, as now the pendulum will kind of swing the other way. It’s always happening, for 20 years we’ve been talking about the security and privacy pendulum: it swings one way, then something really bad happens, and it swings toward security. Then it starts to swing the other way, and you have more privacy. Then something happens and it swings back toward security.
But it also inspires a whole generation of hackers to create technologies that enable privacy. Moxie Marlinspike is releasing his encrypted voice communication app for iOS [whispersystems.org]. People are creating companies that have greater privacy enabled.
Silent Circle, Wickr, all these technologies are popping up that use client tie-in and end-to-end encryption to allow private conversations. Even Mark Cuban invested in a company called Cyber Dust, on the premise that just because we’re communicating digitally doesn’t mean that communication should have permanence; that it shouldn’t be subject to monitoring or eavesdropping or have any level of permanence. You send me a message on Cyber Dust, I read it, and it’s gone.
IT: That’s interesting, but is it truly gone?
MD: Well, I mean, you would hope it would be. I haven’t vetted it technically, but I like the premise of it. Digital communication should allow for concepts of privacy and secrecy. If I whisper something in your ear, I whispered it because I didn’t want anyone else to hear, and that shouldn’t resonate or be recorded for all of the future. I think people are implementing technologies to provide that level of privacy that they expect in the real world. And that’s exciting.
IT: That’s an interesting point. I grew up in a generation where IRC was already implemented and we were starting to move on to AIM, but we didn’t have a persistent Internet connection in our house. Now I observe teens and young adults who have full access to Twitter and everything, and they’re surrounded by these technologies. As a father, would you say that affects children?
MD: It does. I’ve had that debate with my daughter, who’s my oldest child, on the use of technology. The fact that “cyberspace is a bad neighborhood,” to quote my friend Bob Stratton who put that one out 20 years ago. Recognizing that, and recognizing the fact that digital communications in most environments have a permanence that is probably not appropriate for a 13-year-old girl to have, well… When Jeff Moss comes and speaks at my class at Georgetown, he talks about being able to have a handle. Back in the old days, 25 years ago, you had a handle, and it was pseudonymous, and nobody knew your true name. If somebody knew your true name, that gave them power over you.
But the key thing was that if you had this handle, and you did something stupid, you could throw it away and it was gone forever. It was never associated with your real name, and there was no permanence. There are lots of people in the hacker community, myself included, who’ve done that. I discarded mine because someone else was using the same one and there was some confusion, but Jeff will talk about how he had a prior handle and gave it up, and took a new one, and no one knows what his old handle is except him. The stupid things that he did are not associated with him as an adult. That’s not the case for those teenagers who sit around on Facebook and Twitter with their real name and real picture. There’s a permanence to the data in those environments, there are entities that are scraping those environments that I just think are scary for them. Maybe in 20 years they will say, “Oh, there was no problem, why were you so worried?” But you do have concerns about absolute permanence of things that you do as a 13-year-old.
IT: I understand. Kids probably have to grow up really fast, too. How much regret do you think kids have, knowing that what they do on the Internet now is going to affect them in the future?
MD: They don’t. At that age, they don’t have the maturity to understand those issues. I honestly think at that age you’re thinking about things that influence you, like peer groups, popularity. You don’t think about what this might look like in 20 years. Even with my college students, I see that a lot of them, at least early on, don’t understand the permanence of these things that will be linked to them.
IT: One more open-ended question for you. When I had the opportunity to sit down with Kathleen Smith, she mentioned that you had some great ideas regarding re-integrating military veterans with national security career opportunities in cyberspace. Do you have any comments on that?
MD: Yeah, it’s an area that’s kind of near and dear to my heart, just based on frustration. We have all these military veterans who served their country, who have technical skills. They were responsible, using wire and duct tape, for keeping people alive in Afghanistan, and are really sort of geeks or technologists at heart. They get out and have a hard time finding employment or don’t do a good job of mapping their skillsets to the requirements of the position. And then I would go and talk to the folks at NSA, and they would complain that they have 3,000 open job reqs at Cyber Command, and they can’t staff these things.
My frustration, that I’ve written about and talked to Kathleen about, is let’s do the one-to-one mapping. If someone maintained networks and was a sysadmin and kept bad guys out, there’s probably an incremental level of training, if any, that’s required to get them to be able to fulfill some of these entry level positions. So why aren’t we doing that kind of one-to-one domain mapping for veterans, and helping them transition? So, the stuff that I’ve done with her has been working on influencing people to engage in that one-to-one mapping, to recognize the fact that we can cycle these guys in infosec, and to educate the veterans not to be modest, that they have the requisite skill set to go in and be successful in these positions. Don’t not apply because it says that you have to be a security guy. Some of the best security people I know started as sysadmins. They had to keep systems alive, they had to patch them, they tinkered with them all the time.
IT: Endless arguments with computers. So, on a community level, do you think giving people penetration testing training, followed by a Capture the Flag tournament that invited veterans in, would give them the confidence to apply?
MD: Yeah, I think so. Getting them training, we talked about getting a veterans-only Cyber Range, things of that sort.
IT: Cyber Range?
MD: Like a Capture the Flag on a sort of permanent basis, where people can log in remotely for distance learning. There are a lot of things that could be done. I just don’t want to hear “I’ve got 3,000 positions and I can’t fill them,” and not see money being spent on trying to integrate veterans into that workforce. And, through the good graces of two of my fellow Black Hat board members, we got two interested vets into training at Black Hat this year, whom you met at dinner last night.
IT: Yes, they were great. Thank you so much for your time. You’re an inspiration.
Ivy Thomas is a DEFCON veteran and Founder of Information Security Society of the Nation’s Capital. She researches Mac OS X Security and is organizer of #LadiesLunchCon. Follow Ivy on Twitter @ivydigital.