Keynote: Tiffany Rad
5:52PM Jul 30, 2020
Greetings from Philadelphia. This is Bernie S, and this is my botnet server of 50,000 honey bee bots in my backyard. Sweet.
How you doing, girls?
They like the paper.
Check out their friends.
Greetings from Philadelphia. My name is Bernie S, and I have the honor and the privilege of introducing my friend, Tiffany Rad, as a HOPE 2020 keynote speaker. Well over a decade ago I met Tiffany at a small hacker conference in Philadelphia, and came to learn about her amazing background as a hacker, going back to when she ran a BBS as a teenager, to becoming a lawyer after being inspired to do something about injustices in our criminal justice system, in particular with unfair prosecutions of hackers. Tiffany realized that back in the 1990s, technologically ignorant defense attorneys, prosecutors and judges were ill prepared to competently handle cases against hackers, and she told me that inspired her to become a lawyer, and that inspires me. Tiffany's work went on to include finding vulnerabilities in transportation and critical infrastructure, and she became an expert in car hacking and the battle between car owners and car manufacturers over access to the technology inside automobiles. Tiffany's work has inspired so many people in the hacker community, and there's much more I could say about that, but I want to hear what she has to say. So, here's Tiffany Rad.
Thanks very much, Bernie. Yeah, I have been attending HOPE, believe it or not, for 20 years. It's been a long time that I've been in this community, and I've really enjoyed the hacker community in New York City, in particular meeting up with you all at 2600 and died. It has been a long time. But my first presentation was about 10 years ago at HOPE. I was talking about the Digital Millennium Copyright Act, and I'll get to that, and how that particular piece of legislation really affects hackers. So does the Computer Fraud and Abuse Act, but for the work I do it's a lot more with the DMCA stuff. But I'm going to tell you a little bit about my background, how I got to do this kind of stuff, and it's not a normal type of path that many people take through the educational system, to, you know, go to college, law school, all these things. It's different, and I want to talk to you too about: if you have a different type of background, it is possible to do this type of research, get into law, and the cybersecurity field is so vast right now. Whatever your background is, I bet that there's a place that you can fit in with some of the stuff that's going on right now. So let me tell you a little bit more about my background, but I chose the title To Drive or Be Driven because I'm doing a lot of work now with vehicle cyber security. I have been for about 15 years, even at the time when there were very few computers in the cars that you could interact with. They still had a fuel injection computer, had airbags in the car, and you needed to turn them off to do off-roading. That was a bit of a challenge, so that's one of the things that inspired me to learn how to hack cars. But I want to kind of go back a little bit and tell you about my background because, as Bernie mentioned, 2600 wanted me to talk more about how I got to where I am today, and to talk to all of you about what you can do.
And believe it or not, I teach at universities. A college degree helps, but it is not required to do this kind of work. Many of us from this genre are self taught. You can do this too. So I chose To Drive or Be Driven because the choices we're making right now regarding who controls the code, everything from vehicles to planes to your phones, things like that, voting machines, it's very critical right now, the decisions that are being made. That's going to either allow researchers, hackers out there like you, to be able to access this, or whether we will be locked out or threatened, not just with legislation but with criminal and civil penalties, if we were to get into this. So that's why it's kind of a choice; it's one of the reasons I chose that topic for the title. Let me tell you a little bit more about my background. I'm the CEO of a startup. So in 2015 I was working for some really big IT company, probably the biggest in the US, and I got kind of tired of the large corporate culture, so I thought, you know, I'm going to start my own company. I have an idea for something and I think it's gonna work. So I got some funding from the state of Virginia and grants, and I've run this company so far with that type of thing, with grants in particular. So my background before that was, I worked for Cisco, that was a very large IT company, and I've also been teaching cyber security for a very long time. Back early when I started teaching, some of the professors were a little concerned. They're like, why are you teaching computer science students how to hack? Are you maybe teaching criminals? And I said, no, no, no. If they don't learn how these things are broken, they're not going to learn how to fix them, so are we really putting out graduates who are going to be designing systems if they don't know how these systems are commonly broken?
So I still do this in my classes. Actually, I'm going to show you in the presentation one of the devices that I got a grant for and was able to build, something cool for my students, but it's all part of: you've got to learn how to break it if you want to learn how to fix it. So I've taught my classes like that. Recently, actually within the past year, I've joined UC Berkeley School of Information in cybersecurity and I teach for them, but I've been teaching for the University of Maine system for, gosh, a long time, maybe 14 years. My research has encompassed everything from vehicles to industrial control systems. We did one in 2011, I think it was 2011, that was called the prison hack, and I'll tell you a bit about that too. But what was special about that project for me in particular was I got to work with my father, and a lot of what I'd learned in my childhood growing up was seeing what he did, being inspired by some of his work, to get to where I am here today. Also, more recently I suppose, Mr. Robot is a fantastic hacker series on USA Network. I loved it. They took our prison hack and they put it into an entire episode of Mr. Robot. It was in season one and it was titled Brave Traveler. So I think it's available now on YouTube; you can watch that. But it really was interesting to see sort of like the security researcher's nightmare episode, where they took your hack and put it into a TV show. It was interesting to see, but it was scary in the sense that we were worried after we did this. We did not release our zero day to the public, to anyone, actually, at all. It never touched the internet, but we were concerned that someone would take this and do bad things with it. But disclosure I'm going to talk about too. It was important to do this disclosure. We did our presentations at conferences, but we talked to the company,
the organization that was affiliated with protecting the prison systems, before we went and did our research presentation. So, this is my dad and my research team. That's Teague Newman there; we've worked together for many years. But this is a picture of my dad. This is CCC, when we did our 2011 Prison Break presentation in Germany, and the photo on the right that you see, this is my dad showing people how common this type of security device is in a lot of places. It has an error in the code. For those of you that are computer scientists, it's like the gate was wrong; the way that it was designed was that you could trick one piece into working and then the other one wouldn't work, so if you knew what that was, you could get into buildings, get into places, because you could be unseen by this device, and it was a coding problem. So my dad is here at a conference. It's literally in an aircraft hangar in Florida. We were teaching for a program called GORUCK. They had a 007 program, and he was there teaching that, and Teague Newman and I taught lockpicking for this one. But again, it's about this sense of learning how to break things so you can build them and design them better, and being able to legally talk about the vulnerabilities that we found and the exploits we used is super important for improving security. So, when I was a kid we had 13 phone lines coming into our house. I remember that the neighbors thought we were into gambling or something like that, because the BBS that my brother had set up had so many users. This was way back in, like, I think the 80s. So we had a lot of phone lines so we could accommodate more people wanting to use it. But that was one of the first times that I was able to really learn a lot about BBSes and dialing numbers. Those of us who had BBSes would share numbers: try this number, this is a pretty cool site to try. So it was a very exciting time.
And I got into computers because of that. Talking to users as a sysop was a lot of fun. But when I got a little bit older I learned about what my dad did, and it's an interesting background. My dad was a field agent for the CIA and his specialty was Sino-Soviet affairs, but he would be hired... well, when he worked for the agency, I'm not sure what he did, because he didn't talk a lot about the stuff he did then. He quit at some point.
And then when he quit he had this really interesting skill set where he could break into a lot of places, and he had the skills to do it, so he set up a consulting firm, and it was one of the first of its kind to do what we now call red team work. So back in the 70s and early 80s my dad would tell me, "I break into places so bad people can't break into places." That made sense to me. Later that line was said in the movie Sneakers, which is not a coincidence. My dad was one of the technical advisors for the movie, but he added a lot to the script as well, so he didn't just, you know, decide on the sneaks, as he called them (he called these, his break-ins, sneaks through his entire career), but he also added to the script. So in every one of the sneaks that you see in the movie Sneakers, which featured Robert Redford and I think came out in 1982 perhaps, in every one of the scenes he wrote in something that was maybe a little bit technically inaccurate, so if you tried to copy that as a thief you would probably get caught. And later in life, actually two years ago, he started giving presentations about how you could really do it, what he wrote into these scenes that was technically inaccurate. He felt, for him, it was a choice of ethics. He didn't have to do that. But still, the movie is extremely realistic, and it had a lot to do with how these were some of the real types of sneaks that he did and the techniques he actually successfully used. And interestingly enough, all the years my dad was hired to do these physical break-ins, using electronic systems too (he didn't use computers until a lot later in his career), he never got caught. So, a pretty extraordinary background to have, my dad coming home from projects where he would give us little bits of information that were so interesting to hear that I'm thinking, wow, this is kind of neat.
I wonder what I could do that's similar to this. Then I got to college, and in college I met... that was my first experience meeting up with people who are hackers. I went to college in Pittsburgh, and that's one of the times when they said, you know, there's this guy named Kevin Mitnick, and Kevin Mitnick has an interesting case. We talked a lot about it, and I started following his case even all the way through law school. It was so interesting to me, really, the way that Mitnick's case went. It wasn't the way it was supposed to; there was injustice I saw in the way the system worked. I saw that there were attorneys that needed to have a technical background, or at least technical knowledge about how things worked, to make it more fair. So I went to law school, and I didn't give up, though, on some of the technical interests I had growing up and started developing in college. So that's one of the things that I learned from my dad, and being able to work with him later was pretty exciting. All right, so when I was in college I kind of got interested in some stuff too that helped me become a better researcher later in life. So, does it seem kind of odd? My background was actually, I was studying to become an epidemiologist. I started tracking biological viruses to patient zero, and I did that for a level five, like a hot zone virus, and I spent two years doing academic research between Oxford and then Carnegie Mellon in Pittsburgh. And this is one of the things that I started doing: figuring out how you could take a question, where does this come from, and start tracking it, like meeting people, talking to people. I met someone on the plane that's like, hey, there's someone that sells these maps, and I went to Bolivia, into the Amazon basin, where he sells maps, so I collected maps, and I started pinpointing, when I talked to and interviewed people, where this virus might have come from and where it originated,
and what was causing the outbreak of the virus, which in this case was societal types of issues that were causing it. And it happened every year; that's one of the things I discovered that, up to that time, the CDC had not known. So this was me in college, and I flew down to Bolivia on a $500 grant and lived down there for a couple of months. I had a skill set that I was able to sort of trade, to talk with doctors about the virus outbreaks that were occurring in their small jungle towns. I was an EMT, so I was able to assist them in the hospitals and learn from them about how these outbreaks occur, so creating a network of interviewing people and putting pieces together to see how they fit. Then later I realized that some of the same research procedures that you'd use for tracking a biological virus you could use to track one that's digital. So my background is not the same as a lot of students I teach, where they come into an undergraduate program and they're studying cybersecurity from the beginning. For me, I went through different types of backgrounds, and this was one. It's not related to law, but it was more related to later on, when I started tracking digital viruses, viruses and worms, and being able to plot these types of things: where the instances were, what made it happen, did someone share something in particular. It was so similar to tracking the biological viruses. And I also learned how to create a research plan about what we're looking at from many different angles. So really that ability to look at anything, I use this now as looking at a vehicle: what types of systems can I see from the outside of the vehicle, from the inside of the vehicle, what maybe had the manufacturers not considered when they had built this.
And so I learned a lot of this from there, and the picture of me with the axe, not used for self defense: we were loading equipment into a canoe, which was made out of a tree by some people in the town, and we went down the Amazon basin and were talking to outposts where medical doctors had experienced part of this outbreak. So it was a very exciting time in my life, and I don't think I'd be here today doing what I do now had I not gone and done this project. And it was really instrumental also to learning how to be independent and work alone, because I did this on my own, with a grant from a consulting firm, as a university student. So I really learned how to make decisions and have the confidence to go in and do the research, and at times, sometimes, you're on your own doing this stuff, so I learned very early on how to work independently. So,
this is me at the presentation that we did. So I'm kind of jumping ahead now to 2011, when I worked with my dad. At this point I have enough technical background, and actually my legal expertise is beginning to come into effect with the projects we're working on too. I started to work on this project with him and Teague Newman in 2011. In two weeks we created a zero day. That means something that's brand new, that hadn't been discovered before, for a programmable logic controller that was commonly used in lots of stuff. We know now, in 2020, how much stuff, but back then, as the research team, there wasn't a whole lot out about industrial control systems and these types of critical infrastructure vulnerabilities. But we thought, okay, we could look at a lot of other things, like braking systems on trains, you know, HVAC. This is the one that we felt like, okay, let's create a simulated prison in our basement. We bought the software from the company that made the product, and we were able to make it do things that it's not supposed to do. So we were able to make it look like, if you were in the control tower in a prison, you would see on your screens everything would be locked down, but in fact, if you had used the exploit that we created, it would all be opened up, all the doors straight out to the road. We were able to control that. And the reason we chose prison systems is, if anyone were able to replicate or wanted to replicate this, again, that zero day we did not release to anyone. We did it for a proof of concept, because at the time people were telling us that those things are air gapped, that nothing is getting out of these facilities. We found that was not true, actually. So the reason we chose this is, if someone used it, you'd still have to get by the guys with the guns if someone had opened it up. It had not happened, and has not happened since.
So this was one of the projects that I worked on with my dad, because he had designed the systems in the prisons. Teague Newman was a specialist with networking systems, and then we also had an exploit writer working with us, who was able to create the exploit code in just two weeks, working from her basement. So this really showed that it didn't take a nation state to be able to affect industrial control systems and PLCs. So, a very exciting time that I was able to work with my dad, one of the first times in my career, and we've worked together on other projects since then. So for me that was one of the most fantastic things about doing this project: going to conferences around the world, being able to do that with my dad. So that was great. I mean, someone who was an inspiration for me to get to where I am, and to be up there on stage with him, it was very exciting. So this is one of the projects that we did together. And again, learning the research techniques I learned before was highly important for the work I did. Also very important was my legal background, and this is one of the reasons why: I made sure we didn't have any DMCA issues, no Computer Fraud and Abuse Act issues. We didn't crack or break or exceed authorized access for the work that we did. We used the program in a way it wasn't intended to be used, but we used the program; we didn't get into any of the particular code and affect it. But there are a lot of researchers that do, and they need to be able to test these systems to see if they are safe. That includes voting machines, medical devices. I have lots of friends that have encountered problems being able to access their systems and being able to do a responsible disclosure, face disclosure, however you call it. But for me, I've been able to represent, kind of like the man in the middle for researchers, where we do a responsible disclosure to the vendor.
I've been doing that for 14 years, so back when computers were a lot more simple. It was actually harder to do the disclosures before the advent of the bug bounty programs. I'm very glad to see the bug bounty programs, because now we're able to contact the manufacturer but also look to see, do they participate in this program or this program, and it's so much easier when I do the disclosures now. And when I find that there's a company that doesn't have one, it's still kind of the old school way of disclosures. You usually have to contact the legal department, and they get kind of concerned about, hey, how is someone accessing our system? That sounds illegal to me. I said, no, no, actually, I'm reverse engineering, and things like that are legal, so let's talk about it. But it's so much easier with bug bounty programs, so I'm so glad that those have changed the responsible disclosure field that I've been working in for 14 years at this point. So it makes it easier for me. We did this as well for our project. For responsible disclosure, we actually were invited to CIA headquarters to do this disclosure, and that was a pretty cool experience in itself, but we were glad to discuss this before we went public at a conference. So, now what do I do today? I know Cory Doctorow was one of the keynotes here, and I am so glad. I'd actually seen Cory Doctorow keynote at this conference a long time ago. And he did a program for, I think, a university in Australia called Car Wars. So if you go online you can find Car Wars, and I think it's about 45 minutes of an audio story that he created about car hacking, and I was so thrilled.
And I think this was maybe 2016 when he put this out, so if you're interested in car hacking, go listen to it, because some of the stuff that he was talking about, I'm like, yes, I've been working on this stuff with vehicles for years, and I'm so glad that someone like Cory Doctorow has put it into a fictional story. That was very exciting, but it hit on a very important topic, so you'll see some quotes from Cory Doctorow in here.
And also a picture from Tron. Is a car something like a computer you put your body into? It is very much like that. And that's one of the reasons I think it's so important that we're able to access these types of systems: this is part of our life and how we get around, and we have all these computers in our houses too, so I want to know what these things do, and I want to know that security researchers are looking at them as well. So,
these cars you put your... okay, these are real cars, these are images of real cars. Okay, so maybe that one looks as cool as Tron, but this one, I actually look more at stuff like this as well. So through my car hacking research, which I've been doing for, I guess, about 15 or 16 years now, I got inspired by people that do modifications to their vehicles, and for one reason or another they made their cars go faster. Street racers: highly illegal, but I learned a lot from the way they do stuff, and from people that are hot rodders that swap out stuff that's not stock. And what I learned from that is they also have to change some of the devices that connect to the computer in the car. How do they do that, because sometimes the manufacturer locks them out of changing this stuff? These are the original car hackers, before me, before anyone else at these conferences has done the hacks; it's the people that do the modifications. So I look at cars that are super fast, like the one on the left, and then also the ones on the right have a lot to tell me about how they operate. So now I'm going to tell you a little bit more about some of the stuff I'm working on right now that has to do with vehicles, but I'm also going to talk to you about, if you're interested in this kind of stuff, you don't have to go to university necessarily to learn this stuff. There's still a lot that's self taught. I'm gonna show you some programs and places where you can go, where you can learn about this stuff too. So I do a lot with IoT in particular. I did this for a defense contractor I worked for in the past, and for big IT companies. But I look at all this stuff. So, again going back to the research that I did way back in Bolivia in college, you first look at the macro vision of what the infrastructure looks like.
And then you create your research plan to go deeper and deeper into each one of these. So when I look at vehicles, things such as, actually, cyber warfare affect this, because this is something that could be accessed maliciously; cars are in here. I look at also the way that medical devices are accessed. Well, that doesn't directly relate to cars, but we need to have the ability for all these things to be accessed and assessed, because I am a true believer that cybersecurity research, even when you don't work for a company, when you're doing this independently, is very important. You'll hear me saying that a lot, because I've been fighting for this for so many years, and every now and then I feel like we slip with some of the legal protections that we have to do this type of research, so it's just kind of a reminder. One of the things we think about is, if you're not a computer scientist... every computer scientist kind of studies this; it's, I think, part of the curriculum. But if you're designing the code, who controls the code has a lot to do with how this trolley problem works. So the guy in the middle there with the switch, it's you. Maybe you work for a large company, you work for a manufacturer, whatever you might be developing, you are the one who's creating the code. So, how that code operates: you move that switch, so it can either go one way or the other. So the classic trolley problem is, how is it programmed? Is it programmed to protect the driver? Is it programmed to protect a lot of people in a crosswalk in a city? How does that operate differently with no cars, no geolocation of where you are, when you're out in a rural area? So, how the code works, I feel like as drivers we want to know this, even though we're putting our bodies into these computers and we truly only have a license to the software that runs all these vehicles.
We own that: when you buy a car you own the metal, the rubber tires, but you have a license to a lot of the stuff that controls how your vehicle works. So I want to know these things, so the trolley problem applies for what I'm considering. But you wouldn't want this; you wouldn't want Lightning McQueen to look like this. I love this picture, because it really comes down to who controls the code, even if you have a vehicle that has, you know, maybe we're at level five (I'll tell you what that is with the autonomous vehicles) in the next few years. But I want to know who's contributed to that code, and have any security researchers been hired by that company to do kind of red team testing? You think this is a new car... you know, this isn't a new concept for manufacturers, but for some of them it still is. They're worried about hiring people to break their stuff, but luckily, over many years, we're getting to a point where I've worked with many manufacturers and they're becoming a little more comfortable with, like, let's talk about how we can do some of this testing, so I'm glad we're getting there. So here's the DMCA, for those of you who don't know what it is. Essentially, if you're a researcher, you can't investigate and discover these security vulnerabilities if it requires reverse engineering or circumventing some types of controls. So if the manufacturer put in sort of like a lock on the code, where if you go beyond this point you're not authorized to be there, or you can't do that because we've locked it down and it's for copyright protection. Since 2010 I've been talking about the copyright protection argument. I understand what they're saying. I think that the creators of this piece of legislation were more talking, at the time, about movies and music, you know, back in the Napster days, and it now has trickled down to, you know, why can't we access voting machines? This is so important to our democracy.
What about the medical devices that are going in our bodies? Is there a report that maybe we can read that hackers have created about, hey, we have this pacemaker and it has these vulnerabilities, maybe you don't want your doctor to put this one in, or tell the company, we're not going to buy these products unless they've been tested, tested the red team way, not just does it work. So these are some of the things that are important in the DMCA, something I've been fighting against for years. Let me tell you some more about what I've done with it. So, it doesn't just affect our hackers. Tractors, would you believe. Indeed, when there's a Library of Congress review of the DMCA, this group showed up en masse. I mean, there were a lot of people that said we need to access our tractors. Well, if you think about this, some of these farm vehicles cost as much as the average house, and if you can't fix it, you've got to take it to the manufacturer, and a crane has to show up, they put it on a giant flatbed, like a double wide trailer, and drive it, you know, a day in the other direction, and then you can't use it for a while, while they update some of the code on the computer. These are very computerized. I mean, these are not just simple tractors like for mowing your lawn; these do a lot of really cool stuff, including, with some of these devices, how deep a seed gets planted, being able to map out your farm fields, this kind of stuff. Actually, this is part of critical infrastructure with the farming in the US, so security on these devices, tractors, planters, theatres, is very important. So they're interested in fixing their stuff and knowing if there are problems, so they were actually very, very interested in the right to repair. So
know that this is what happened recently. So let me actually, I'm gonna open all these up for you. So, there is an exemption that exists right now. If you're a car hacker, if you have voting machines, if you have medical devices, these are some of the things that are protected, and you can sort of break the DMCA to do this type of research. Every, I think it's every three years (I might be wrong about that exact date), but the next time it's up is 2021; that's coming up next year. People show up at the Library of Congress and other places they've set up to do hearings, so you can get up and say, hey, this is important for me to have this exemption for this reason. So the last time there was a hearing, I was working for an employer who did not want me to participate in that, so I did not, but other years I have, perhaps anonymously. But when the hearings take place, if this is something you care about, make note of when those are, and you can write an anonymous, you know, letter to the Library of Congress about why it's important to you to be able to hack, and in particular specific examples of: I do this, I work on this, if I couldn't, you know, if I didn't know this about it, this would make my job harder to do. So you have to have good faith security research, meaning you can't go out and sell your exploit or sell your vulnerability. They don't want to see that you're making money, because they don't consider that to be good faith security research. So that's one of the things that's a little bit different. I guess one of the other things is, okay, responsible disclosure. I think it's kind of a popular topic now. It is not legally required. However, as is important in here to get this exemption, they want to see that you've made an effort to contact the manufacturer about anything that you've discovered that may affect the safety and security of their devices, of a car, something like that.
But you're not required to do that; it does go to show you're a good faith security researcher, so you have a choice, but it absolutely is not required. If you want to stay anonymous and do this type of research, that's totally up to you, but I think some people think you have to do a disclosure on any type of research, not even the kind that this covers. You do not, but some researchers find it to be part of what they do: we're working to solve a problem, so disclosure is something that can help. So here's the Cory Doctorow comment. This is pretty much saying that we need to be able to access these devices; we don't really want to have to go to the manufacturer to say: hey, I want to unlock this thing, I think there's a problem. You need to be able to do this yourself. This picture is from someone's car, something they did. Quinn, who does car hacks, is someone I know who has been hacking a lot of the devices that output information to the driver. I really do like this, and it goes to show who controls the code, and that we need to fight to continue to have access to this. Wouldn't it be nice. Okay, Library of Congress, if you're listening to this, please give us a permanent exemption. Every time this comes up they have the option of giving a permanent exemption for hacking cars for this research, medical devices again, and voting machines. Those are the three big ones for safety and security, and wouldn't it be so nice if we didn't have to keep going back. Just grant us the permanent exemption; that would be nice. Then we don't have to worry about going to these manufacturers and all that. So, this is some of the stuff I look at when I do any type of device, and sometimes it might be
It might be network systems, it might even be looking at malware. Again, look at it from the research perspective: if you learn how to think like a researcher, and how to break things, and what might not have been covered well. Back to my example in medical journals: I read every single medical journal ever published about that virus before I did the research. It took me two years to do it, and I was like, what are they missing, what's not included here, and that's how I came up with my thesis, my research topic. I did find stuff that wasn't known, and I was just a college student. But anyway, sometimes I look at, think about how your car operates, think like a bad guy. I teach all my students this too, much to the chagrin, sometimes, of the more traditional computer science professors. These are some of the angles of attack that we look at. So,
take a look at this. Okay, so this was a publication by FireEye. They do car hacking. To look at the exterior of the car: I spent the last five years looking at signals that emanate from the vehicle. What can be done with that kind of stuff, what's being used, what things take, for instance, FCC, again my legal background coming into effect, what takes being able to have a license to be able to intercept different types of communications, and what can you do as a researcher on a budget. So take a look at some of these. And then I also like this picture. Again, this is just a very broad, general picture; there are no secrets to car hacking encompassed in these, but this is the interior of the car. So if you can actually get local access, like being able to plug into the OBD-II port, things like that, what can you learn from that? That's how we started. That's how we started learning how to shut off the airbags in our car when we were doing off-roading many, many years ago: what does the code look like when the airbag is about to go off, that kind of thing. So then we started learning more about, well, how does that system work, and if we want to turn it off, should we have a right to be able to? At that time you couldn't do it without a legal reason for needing to turn off the airbag. It's different now; now you can sometimes have a button. But learning how all these systems work by listening in on the CAN bus is very easy to do, and actually you can buy a lot of Arduino-type shields; there's a CAN bus shield you can put on the Arduino, a very easy way to start getting into car hacking. Also, one of the things I look at, and I've worked on some legislation recently associated with this, is: what about the connected roadway and the transportation infrastructure?
So while many car hackers are focused on the vehicle, can we hack it, what can we do with it, what about how the vehicle communicates with the infrastructure? There's so much information that the vehicle could pass to different types of roadside units. This is something that NHTSA is looking at; this does increase safety, for your vehicle to be alerted if there's a problem ahead, the traffic lights are out, something like that. So we get benefit from this type of connection, and those of us that have a smartphone know we get benefit from using this; it makes our life easier, but there's so much information on these smartphones about where we go, when we go, how we do it. This is kind of what a city looks like to me now, with the type of research I'm doing: the picture here on the left, these bubbles of signals coming out of vehicles. Very interesting. As car hacking and transportation evolve, this is something I think more car hackers are going to be looking at in the future, and I know there have been green-light hacks forever; there have been some presentations that are pretty neat where people have interacted with the infrastructure. Now for me, something that I've been working on for a long time, many years, I think it's been about six years, is autonomous vehicles. It's fascinating to me, legally and technically, because of the idea of either being a driver or being driven. When you buy a car, do you control where it goes, or do you just put in an address and it controls where you go? I'm very interested in this, and these are the stages of automation.
I believe Tesla had said... I'm very intrigued by Tesla as a company, because they also hire hackers; they're one of these companies that are like, car hackers, come work for us. So keep that in mind, because I think they're hiring. Full automation: they're getting closer to this, by, I don't know, the end of the year; there's been some critique saying maybe not, but this is when you can go to sleep or watch a movie and it just takes you to work. So for some of us that don't want to come out of quarantine and have to drive in the DC area every day, I'm like, I want level five. But one of the things that you give up is some control. So how much control are you willing to give up for your vehicle? Will we ever have a choice, later on, to get a car that has very few computers? I met this VC once; he's like, I have a car from 1968, and after hearing your presentations I will not sell it. He's like, that's the car I'm going to drive for the next 25 years. So again, as with connected cars, how they connect to roadside units and the lights. This was actually from a 2600 group that I follow. I happened to be in a meeting where we were talking about creating, kind of like a NIST cybersecurity framework for connected vehicles and how they communicate with the infrastructure, and I'm on my phone scrolling through the chat and I'm like, oh wow, three blocks from us, someone just took this picture of this box. What this box is, this is
from a traffic light at a very heavily used intersection in Washington, DC, and someone just posted this. And I said, you know, this is a big deal. Take a look: not this in particular, but people are starting to look at the infrastructure for transportation. So I'm doing a lot of work on protecting that, and on some frameworks for it that are similar to the NIST cybersecurity framework, but for transportation-specific applications. So what can you do? I'm getting to the point for all of you. There is a program: back in 2012, I was one of three employees at Battelle, the Battelle Institute, where we created this CyberAuto Challenge, and it's pretty cool; it's still going on. This is an old slide, and they did cancel it for this year, but it's going on next year, so let me tell you how you can be a part of this. Are you interested in some of the stuff I've talked about? Try to do this. Okay, so if you're a high school student, great news, there's an opportunity for you. You don't have to be in college or grad school to do this stuff. This is a slide that Battelle has for the CyberAuto Challenge; it's public. What you'll be doing is, the automobile manufacturers put these cars in a warehouse, and you get to hack them for a week, but not without instruction: you have a few days of classes, and you have all-night hackathons. So if that's your thing, that is fantastic. However, they also have people from the government that are there to learn, so the teams are made up of high school, college, government, industry. So even people from, say, the insurance industry learn about this by being on a team, so your team will have a lot of different types of people on it, and you'll have a goal that you're going to hack the car at the end of the program. And they all learn from each other.
So I'm a big supporter of this. I tell all my university students about this; I should tell my graduate students at Berkeley about this too, for next year. But it's a really great program, and it's free: if you can get yourself to Detroit, it is free, room and board is paid for. So that's one of the things you can do if you want to learn about this. So this is my last Cory Doctorow quote: self-driving cars can only be safe if we are sure no one can reconfigure them without manufacturer approval... will never be safe. So I'm telling you, there is hope. Again, I'm not picking on Tesla, this is just, I love the graphic here, but there are companies that seek to hire hackers. Mentalities have changed about being scared of people accessing systems, from most, mostly original equipment manufacturers, and I'm still working with others to get them more comfortable with that fact. I've learned from hackers, learned from people that do street racing, car modding, and even into the gray areas and illegalities that are associated with vehicles: learn how this stuff is done, how cars are chopped, how stuff's taken apart. You won't learn that at Battelle at the CyberAuto Challenge, but if you can learn how these systems work from others that don't think exactly like you do, it's fantastic. And that's one of the reasons why, too, for this program: it's high school students who are really good with computers. If you have an interest or an aptitude, try going, because you're going to be able to contribute more than you might think. I've seen some high school students that have fantastic abilities. And again, I know this is coming from a university professor, I am an instructor at universities, but you don't need a college degree to be able to do a lot of this stuff. I have, I think, four graduate degrees and a doctorate. I am self-taught in most of this, as are many people from my generation.
Your generation has the opportunity to go do cybersecurity programs, get a Bachelor of Science and that kind of stuff, but for what I did, it's, you can be self-taught and do a lot of this. But learn how to create a research project, come up with some ideas, find the resources; if you're into cars, the CyberAuto Challenge; there are other types of red team challenges that you can do, but you're going to help make this stuff safer. And so, what can you do as a hardware and software engineer? Do your training, even the free training online; participate in that stuff. Learn secure software and hardware engineering. In fact, I want to show you this. This is something... actually, I learned to solder from Mitch Altman at one of the HOPE conferences and also at CCC. So for my university students we talk about the Rubber Ducky. And one of the programs, we actually watch an episode of...
Oh goodness, okay, just. We watched some episodes of people doing different kinds of hacks in movies and all that. So one of them is someone using an evil Rubber Ducky. It was a little too expensive, so I built my own for $7; I got a grant to be able to put this together. The rubber ducky itself does nothing for this, but it kind of emulates what it is; inside is an Arduino Nano, and on it are the programs that are used, similar to the evil Rubber Ducky or evil maid type of programs. And the reason I teach my students this is, again: learn how this stuff is exploited, and you'll learn how to be a better software engineer. So that is about secure software engineering. And I also teach them about hardware vulnerabilities, so that's another one of my hobbies, software and hardware type of security. Think about the ramifications of the code. If you are the guy who's pulling that lever in one of the slides I had before, with the trolley, that's going to be something you think about, because what you do professionally is going to affect a lot of people. So there are whistleblowing programs, things like that, that have to do not just with national security: if you find things that might end up in the stream of products that do affect safety and security, there are protections for you if you do want to do a disclosure of something that just doesn't seem right with your company's product. So there are ways that you can talk about that. So what can you do as an employer, for those of you who might be watching: do bug bounty programs, please, because it makes it easier for people like me who bring you security researchers, saying they don't know... They just want to tell you what the problem is. Please don't threaten legal action. You need to know this information; wouldn't you rather know than not? And hire some internal and external red teams.
I do think that doing vulnerability scans and stuff like that is good defense, but when it really comes to understanding where your problems are, it's the red teams. That works on hardware, software, networks, everything, so red team, and hire hackers to do that, because they think in a way that might be different than your development engineers. Pay for their training and reward completion. I have been through so many companies where it is very difficult to get the training that you requested, in particular if you're asking to do red team type training. So please do that for your employees, because they're going to bring a benefit to your company that you may not have seen before. Facilitate a culture in your company that encourages reporting of these types of security issues. I've had some clients that have quit companies because they did not want to go up against the company with the vulnerability that they found; they were bullied, they were having some problems with management, so that's one of the things to consider in creating that culture. Alright, thank you. That is my presentation, and I hope I've been able to tell you that even from a different type of background than a straight-up cybersecurity Bachelor of Science degree... if you're doing that, that's great, you have a really good start, but for those of you that either want college as an option, or you want to do this on your own, there are ways to do it. And I've done it; if I can do it, you can do it. And this is a picture of my jungle boots, my jungle hat. I got my start, both with learning from my dad about how he was hired to break into places, how exciting, and you get paid to do this; this is a fun field. I wish I could tell you about some of the projects I'm working on now. I can't, but I love it. It's different every day.
But I got my start literally by getting my bootstraps in the Amazon basin, tracking something that was, like, a zero day. I found it, and I found something new about it, and it really started me on this path of: I want to know how to do more. So anyway, I hope I have been able to inspire some of you. And if you have any questions, I've got a little bit of time to answer some of your questions, if you have any. Okay, let me stop the SlideShare. Okay.
We'll take a look.
Oh, the bookshelf behind me. Okay, sure. For those of you that do computer architecture, Computer Organization and Design, this is the Bible for learning about computer architecture; that means learning about stuff down at the hardware level. I think this book is old enough that it might even have the MIPS instruction set in it. So I do this, I do this as well: radios. What I do now has a lot to do with radio, so I'm learning about these things all the time. The rest of these are legal books. Mergers and Acquisitions, that hasn't been one I've used yet, but I did take this in law school. And I don't know, sometimes, when I went to a pitch contest for my company, one of the things I wanted wasn't money, but I got, I got a cannabis, okay, so this was a great win. And up here these are challenge coins; I've done work for the government, and when you do stuff that's kind of exceptional you get one of these, and these are some patches I've gotten from some friends for military-type projects that I've done in the past. So that's what's behind me. Oh, please. I missed that a little; the microphone maybe was too close to my mouth, sorry about that, I didn't see that earlier. What advice would you have to inspire other people to find their own journey? Find something that interests you. I know that sounds very, very generic, but you have to be excited and motivated to excel in something. I meet a lot of students when I do talks like this, high school students who are in accelerated, AP-type programs, that are not happy. And I've met some, in particular there's one in the county where I live in Northern Virginia, where there's a really cool opportunity: you can do the AP classes in computer science, you can even have a simulated type of red team hacking that can be done, but you can also learn welding, and they have auto mechanics.
They even have food science for people that are interested in starting businesses associated with baking and all that. So you have to really love this stuff, and I think a lot of that initially came from watching my dad do what he did. So that's how I would recommend it: you find something that interests you; maybe it's voting machines, and that'll be great, do that before the November election, something like that. That's what I would suggest. Okay, so just briefly, in closing: you're either going to decide if you're driven, or you're going to be the driver, and a lot has to do with being able to control the code. So as a security researcher or a hacker, we need to be able to have these protections. I hope some of you watch what's going on with the new Computer Fraud and Abuse Act type amendments, things that are being changed with it; watch what's going on with the DMCA, and next year, when we have that next Library of Congress opportunity to be able to say, should we open up the DMCA for hackers for this stuff, I think your answer is going to be "please, yes," and get involved. There are opportunities for technical, legal, policy people, even sociology, about how hacks occur and what you can do to train people, employees, to protect themselves. So anyway, thank you very much. I'm so glad that 2600 and HOPE allowed me to come here, and it's been 20 years being able to attend your conferences. I love it. Thank you so much. Right. Have a good rest of the conference.