[00:32.240 --> 00:38.600] We're gonna talk today a little bit about what hacking was like, and phreaking [00:38.600 --> 00:42.380] was like, and what the what the whole scene was kind of like back in the 80s [00:42.380 --> 00:47.220] and 90s. You know, how did this start? What was it like back then? And how does that [00:47.220 --> 00:50.400] lead us to where we're at today? And what does that mean for us kind of going [00:50.400 --> 00:55.980] forward? All these views and opinions are obviously my own. You know, everybody's [00:55.980 --> 01:00.140] experience might be a little bit different. So if anybody during the talk [01:00.140 --> 01:04.260] wants to, you know, bring something up or interject something, by all means. You [01:04.260 --> 01:09.800] know, this is a very a very social talk, right? So feel free to interject things [01:09.800 --> 01:14.360] and to jump in if you like. So the talk is hacking the day, playing words for [01:14.360 --> 01:21.260] back in the day, right? So who am I? My name is Brad Swanson. You can find me on [01:21.260 --> 01:29.220] Twitter as Digital Templar or you can just shoot me an email at gmail. I am the [01:29.220 --> 01:35.260] incident response lead currently for a SaaS provider based out in California. [01:35.260 --> 01:39.420] Formerly I've been with Amazon with Thermo Fisher Scientific in a variety of [01:39.420 --> 01:47.200] security or audit related roles. A lot of PCI, a lot of SOX, a lot goodness. I've [01:47.200 --> 01:53.160] been doing security stuff for about 25 years now. Most of it as a good guy. The [01:53.160 --> 01:57.320] early years were a little sketchy, obviously, as many of us had. I got started [01:57.320 --> 02:03.040] in the 80s. My folks bought me an Osborne back in the day and I got the Osborne in [02:03.040 --> 02:08.660] January. I had Colossal Cave Adventure. Was sick of the pirate killing me in the [02:08.660 --> 02:12.020] twisty passages. 
So by February I was learning how to take it apart and fix [02:12.020 --> 02:14.640] the software so the pirate wouldn't kill me all the time. [02:15.300 --> 02:20.660] Couriered back in the day for Frozen Crew at a really, really slow baud rate which [02:20.660 --> 02:26.400] led to a recreational interest in how phone systems worked to help cut down on [02:26.400 --> 02:31.400] my electric or my phone bill. Some of the things I like... social engineering. I love [02:31.400 --> 02:36.660] social engineering stuff. I just find it fascinating how you can hack [02:36.660 --> 02:41.300] people's brains. Red teaming. I want to be a red teamer when I grow up. And I also [02:41.300 --> 02:47.320] like romantic walks on the beach while sniffing Wi-Fi. So the standard [02:47.320 --> 02:52.000] disclaimer. These are my experiences. These are my views, my opinions. They do [02:52.000 --> 02:58.600] not reflect any stance of my employer, any stance of the team that I [02:58.600 --> 03:04.380] work with, etc. etc. My views only. My employer wouldn't even know that I'm here [03:04.380 --> 03:08.720] except my boss is in the audience right now. So everybody clap when we're [03:08.720 --> 03:14.420] done here. Not now. Not now. Just when we're done. Yeah. Also some other just [03:14.420 --> 03:18.500] extra information. If anybody has peanut allergies, look out for me. I'm like [03:18.500 --> 03:24.020] peanut dust. It's not good. So we're gonna cover basically three different kind of [03:24.020 --> 03:29.700] areas at a very, very high level here. We're gonna look at the social aspects. [03:29.700 --> 03:36.220] You know, what was it like back then and how is it now? Obviously, hacking has [03:36.220 --> 03:39.760] become a very social thing. We're all here. You know, we're all at CypherCon. [03:39.760 --> 03:44.480] We're all interacting with each other. It's not just, you know, I'm in my own [03:44.480 --> 03:49.120] little area with my head down, hacking away on a keyboard. 
We're talking with [03:49.120 --> 03:53.340] each other. We're learning from each other. We are, you know, interacting and [03:53.340 --> 03:58.600] interfacing as humans rather than just, you know, a name on a screen in green [03:58.600 --> 04:03.460] font. We're also gonna look at hacking. What are some differences between hacking [04:03.460 --> 04:07.880] back then and hacking now? And we'll touch a little bit on phreaking as well [04:07.880 --> 04:13.980] and what the good old days were like versus what it's like today. So the [04:13.980 --> 04:24.120] social aspect. Back in the day, hacking was not as, I guess, anonymous, if you [04:24.120 --> 04:28.460] will, as it is now. It was started by friends. It was groups of friends that [04:28.460 --> 04:33.440] had something that brought them together other than hacking. So we have like the [04:33.440 --> 04:38.140] 414s, for example, right here in Milwaukee. The 414s were actually a [04:38.140 --> 04:43.840] group of friends. They were Explorer Scouts. You know, they knew each other and [04:43.840 --> 04:50.640] they had an interest in computers. Sure. So they would kind of go with the, you [04:50.640 --> 04:54.400] know, go out and explore things and then they found out that they could explore [04:54.400 --> 04:59.940] with their computers. And so that led to a little bit of trouble. They hacked a [04:59.940 --> 05:04.920] bunch of systems. They got into Sloan-Kettering. I went to touch the log [05:04.920 --> 05:08.640] files to make sure that they didn't get caught and did a little bit of damage [05:08.640 --> 05:13.540] financially. About $1,500, I believe. And that's what got them popped. They ended [05:13.540 --> 05:17.520] up on the cover of Newsweek. People had not really been exposed mainstream to [05:17.520 --> 05:22.080] hackers before, right? So it was a big deal. People didn't know how to [05:22.080 --> 05:27.480] deal with them. 
A couple of them were charged with like a toll fraud type of [05:27.480 --> 05:33.300] charge. But there were no computer crime laws really back then. So yeah. So then [05:33.300 --> 05:37.080] again, a group of friends that started out. You know, there was the firm. They [05:37.080 --> 05:41.420] were initially called Kilobot. They did a lot of sys-opping of bulletin board [05:41.420 --> 05:45.760] systems. If it was a hacker board, a lot of times it'd be somebody from the firm [05:45.760 --> 05:51.920] that would help out with the sys-opping of that. There was the L0pht. L0pht [05:51.920 --> 05:56.160] Heavy Industries out in Boston. That started as roommates. It was a [05:56.160 --> 06:00.620] couple of guys that were roommates. Their girlfriends, they had a loft area [06:00.620 --> 06:04.120] in Boston. And their girlfriends had a hat company. They sold hats out of this [06:04.120 --> 06:09.040] loft. They, you know, made hats and sold them. They used the other half of the [06:09.040 --> 06:14.620] loft to store equipment that they got from the flea market at MIT. So they [06:14.620 --> 06:17.200] would get all this equipment. They'd bring it in. They'd hack around on it. [06:17.200 --> 06:20.980] They'd fix stuff up. They'd do cool things. And then they'd flip it. And it [06:20.980 --> 06:25.660] turned into basically what was the equivalent of the first hacker space. [06:26.060 --> 06:31.380] Where, you know, their friends would come over and hack around on hardware. We had [06:31.380 --> 06:34.520] Cult of the Dead Cow down in Lubbock, Texas. There were a bunch of friends that [06:34.520 --> 06:38.640] worked together at a meatpacking plant. Hence the name Cult of the Dead Cow. They [06:38.640 --> 06:45.700] dealt with dead cows all day. And so again, you know, groups of friends that [06:45.700 --> 06:51.540] were friends before they were a hacking group, right? Then it expanded a little [06:51.540 --> 06:55.220] bit, right? 
So you've got these friends that you're hanging out with and doing [06:55.220 --> 06:59.600] computer coolness with. What if we could meet more people? Well, how do we do that? [06:59.600 --> 07:04.260] How do we spread the word? How do we get the word out there? BBSes. Let's advertise [07:04.260 --> 07:08.980] on BBSes. Let's spin up a hacker BBS. Let's have some some text files that we [07:08.980 --> 07:13.840] can, you know, have people come and read and learn a little bit. You know, we had [07:13.840 --> 07:20.140] things like the Legion of Doom, which was run by Phiber Optik. There was Masters of [07:20.140 --> 07:24.540] Deception with Erik Bloodaxe, who used to be part of Legion of Doom that are falling [07:24.540 --> 07:30.560] out and they split off. You know, there are courier groups like Fairlight, Frozen [07:30.560 --> 07:36.680] Crew, you know, and they were, you know, they started as friends and then they [07:36.680 --> 07:40.640] expanded out. They brought in people that they didn't know that weren't part of [07:40.640 --> 07:44.120] that core group of friends. Now it's a it's a hacker friend. It's my online [07:44.120 --> 07:49.540] friends, my BBS friend. And then, you know, how do we how do we advance that? How do [07:49.540 --> 07:53.540] we grow that? How do we take that another step further? Let's meet people face to [07:53.540 --> 07:56.940] face. You know, kind of scary, but let's let's give it a shot and see what [07:56.940 --> 08:01.040] happens. So there were things like the Chaos Communication Congress. This [08:01.040 --> 08:06.320] took place in Germany. It was run by the the CCC, the Chaos Computer Club, and it [08:06.320 --> 08:09.980] basically brought European hackers together to kind of learn from each [08:09.980 --> 08:13.820] other and share things. We had the Hackers Conference. 
There was a book [08:13.820 --> 08:17.880] that was written, I don't recall the name of the book specifically right now, my [08:17.880 --> 08:20.900] apologies, but there was a book that was written that talked about a bunch of [08:20.900 --> 08:24.340] hackers and somebody said, hey, let's let's have a conference in California [08:24.340 --> 08:27.640] and let's invite these hackers that this book talked about and get them all in [08:27.640 --> 08:31.860] the same room. Let's see, once we put all these people together, what they can come [08:31.860 --> 08:38.720] up with. That might be kind of cool. We had DEF CON. DEF CON was 1994 and it was [08:38.720 --> 08:42.960] meant to be a one-shot deal. It was supposed to be like a big farewell blow [08:42.960 --> 08:47.360] out party to say goodbye to BBSs because BBSs started to die out in the mid [08:47.360 --> 08:52.840] 90s with the advent of the Internet, right? So, you know, Jeff said, hey, let's [08:52.840 --> 08:57.940] let's have a big party, say goodbye to the BBSs and we're done. We move on. [08:58.300 --> 09:02.940] Well now DEF CON continues and continues and continues and it's it's grown into [09:02.940 --> 09:08.460] something very large and cool. So and then we have Hackers on Planet Earth. [09:08.460 --> 09:12.700] It's a New York conference that gets that's been around since I want to say [09:12.700 --> 09:17.260] 95. Another, you know, another conference where let's just get people in the room [09:17.260 --> 09:20.440] and talk to each other about what we're doing. What are we, what are we [09:20.440 --> 09:30.980] hacking on today? So that's changed. Now what we have is a much more direct [09:30.980 --> 09:37.620] experience kind of, right? A lot less, a lot less of the anonymous communication, a [09:37.620 --> 09:43.300] lot more face-to-face. So there's a lot of regular meetups. 
We have things like [09:43.300 --> 09:48.440] MilSec, we have BurbSec for, you know, these are some of the local, local get-togethers [09:48.440 --> 09:51.760] where people get together and they talk about things. Hey, I figured out how to do [09:51.760 --> 09:56.520] A, B, and C. Or, hey, I'm trying to figure out how to stop this person from, you [09:56.520 --> 10:01.800] know, coming in and doing horrible things through my OWA portal. You know, it's a [10:01.900 --> 10:06.160] it's a way that we can bounce ideas off each other and and learn from each other. [10:06.160 --> 10:10.540] There's local 2600 groups that get together. You know, there's, there's local [10:10.540 --> 10:15.620] DEFCON groups. There's the DC414 group, which is phenomenal. There are, you know, [10:16.380 --> 10:20.500] DEFCON groups pretty much all over the country, all over the world. Twitter. [10:20.500 --> 10:25.780] Twitter has become a huge thing. There is some, there's a lot of noise on Twitter. [10:25.780 --> 10:29.000] There's a lot of shit posting. But there's also a lot of really good [10:29.000 --> 10:32.460] information. You know, looking out just in this room, I see a couple of people in [10:32.460 --> 10:36.760] this room that I follow. A couple of people that have really good info. And [10:36.760 --> 10:41.220] it's, it's nice to be able to hop on and check a spot and see what's going on in [10:41.220 --> 10:47.060] the world. Sometimes it's bad if it's a Friday afternoon and Tavis Ormandy posts [10:47.060 --> 10:51.400] something and you're like, oh, I'm not going home tonight. But, you know, it's, [10:51.400 --> 10:55.800] it's a good way for various people to be able to stay in touch. So, you know, [10:55.800 --> 10:59.920] hackers will use Twitter. Companies will, will post things. You know, maybe a [10:59.920 --> 11:03.620] company is coming out with a new product. Zero-day announcements, you know, [11:03.620 --> 11:10.520] that Tavis seems fond of on Fridays. 
And so, you know, it's, it's a good, it's kind [11:10.520 --> 11:16.520] of a good way to kind of keep your pulse on things almost, almost real-time. And [11:16.520 --> 11:19.820] then we have conferences, right? Conferences have become kind of a big [11:19.820 --> 11:23.680] thing now. There are a lot of conferences, a lot of people go to. There's obviously [11:24.360 --> 11:29.720] CypherCon, right? There's Black Hat. There's DEFCON. DEFCON actually made it [11:29.720 --> 11:33.880] 25 years before being canceled this year. I'm not sure if anybody heard that that was [11:33.880 --> 11:38.560] canceled. But there's, you know, there's THOTCON in Chicago. So there's a lot [11:38.560 --> 11:43.100] of kind of face-to-face, meet the people you're talking to that are on the other side [11:43.100 --> 11:47.380] of the keyboard. In the old BBS days, you could talk to somebody for years and not [11:47.380 --> 11:51.440] know what they look like. Not know who they were with, with the conferences and [11:51.440 --> 11:54.240] stuff. It kind of puts a face to the name, which is nice. [11:55.880 --> 12:00.420] ANSI art, right? Some people have to remember ANSI art. ANSI art was awesome. [12:00.680 --> 12:06.940] It was like a, like a bulletin board for your BBS. The cooler your ANSI art, the [12:06.940 --> 12:09.820] cooler your bulletin board. Well, at least that's what people thought back then [12:09.820 --> 12:16.600] anyway. So ANSI art was a big deal. And people would get on BBSs sometimes just [12:16.600 --> 12:20.760] to grab ANSI packs and move them around and, you know, find something cool on this [12:20.760 --> 12:25.300] BBS. Oh, I want that on my BBS. I'll download it and install it. BBSs were [12:25.300 --> 12:29.960] really kind of the lifeblood in the growth of hacking. 
You know, it was, it was [12:30.120 --> 12:36.180] a way that you could get outside of, you know, your, your, your basement or your [12:36.180 --> 12:41.600] bedroom or wherever your computer was and, and talk to people. You know, you [12:41.600 --> 12:46.340] could, you could trade warez on a BBS. You could download e-zines. There were a [12:46.340 --> 12:51.220] lot of communications that people started putting together. There was Phrack. [12:51.220 --> 12:55.600] There was cDc communications. There were, you know, several different groups that [12:55.600 --> 12:58.220] would write up these e-zines about these hacks that they were doing or these [12:58.220 --> 13:01.360] projects they're working on. And then those would be distributed throughout [13:01.360 --> 13:05.140] the BBSs, you know, via couriers and people, you know, grabbing it from one [13:05.140 --> 13:10.900] uploading it to another. BBSs really started to die around 94 when the [13:10.900 --> 13:16.160] internet took off. There's still a push. There's still some old people like [13:16.160 --> 13:21.160] me that are diehards, right? You can still download BBS software and run it on [13:21.160 --> 13:26.760] your servers. You know, instead of dialing in, people will telnet in. And, [13:26.760 --> 13:30.320] and, you know, it still has the same functionality. You can run door games [13:30.320 --> 13:35.960] and, you know, download files and everything. The thing with BBSs is you [13:35.960 --> 13:40.700] had to bring skills to the table back in the day, right? You had to be leet, [13:40.700 --> 13:47.800] right? Otherwise, you weren't welcome. You know, it was kind of looked at as we [13:47.800 --> 13:53.340] have this hacking group, we have our BBS set up. What can you give us? What can we [13:53.340 --> 13:57.780] take from you? What skills are you bringing to make us stronger as a hacking [13:57.780 --> 14:03.920] group? 
You know, we're, we're LOD and we have, we have this big beef right now [14:03.920 --> 14:08.220] with MOD. And so we want better things and they've got what have you, what do [14:08.220 --> 14:11.380] you have that you're gonna contribute to us? If you had nothing to contribute, [14:11.920 --> 14:15.840] that was it. Forget it. Don't worry about it. You know, go somewhere, go, go hop on, [14:15.840 --> 14:22.900] you know, Prodigy or something. If you had skills, if you were good, you could get [14:22.900 --> 14:27.200] vouched for. You know, and a lot of times it required somebody that was already a [14:27.200 --> 14:31.980] member to say, oh yeah, I know Ed, I know Sarah, they're good people. Let them in. [14:31.980 --> 14:38.440] They know what they're doing. They're, they're really super elite hackers. And it [14:38.440 --> 14:44.140] was, in my opinion, it was kind of crappy because it kind of stagnated that talent [14:44.140 --> 14:47.420] pool. You might have somebody very intelligent that doesn't have that [14:47.420 --> 14:50.940] skill set yet that wants to learn it. They weren't able to, you know, unless [14:50.940 --> 14:57.780] they did a lot, a lot of work on their own to try and figure it out. So part of [14:57.780 --> 15:01.260] the reason was they wanted those bragging rights that our, our BBS is [15:01.260 --> 15:06.320] awesome. Our hacking club is awesome. But they also were very worried. There are a [15:06.320 --> 15:11.720] lot of busts that were going on for hacking and for, you know, piracy, things [15:11.720 --> 15:17.300] like that. There were a lot of people that when they would get arrested back [15:17.300 --> 15:20.740] then, the first thing they would do is, hey, do you have a notepad and a piece of [15:20.740 --> 15:24.280] paper? I will give you the name of everybody on that board and all the [15:24.280 --> 15:29.020] stuff that they're doing. 
So a lot of people kept it a very small, close-knit [15:29.020 --> 15:32.720] community just for a safety factor. Just to keep from, from getting arrested [15:32.720 --> 15:39.480] themselves. So now, I mean, it's really grown how we, how we do our communications. [15:39.480 --> 15:43.840] You know, we use websites and Twitter and Tor and YouTube. You know, we have, you [15:43.840 --> 15:50.360] know, different file sharing networks that, that we use. And it's really kind [15:50.360 --> 15:55.900] of expanded the reach, right? So BBS's used to be mostly your local area code, [15:55.900 --> 15:59.620] right? You'd have, you know, like, people will dial into this 414, but they're not [15:59.620 --> 16:04.620] gonna dial into a, you know, a 702 Las Vegas BBS because, well, that's long [16:04.620 --> 16:08.260] distance. That's gonna rack up a huge phone bill, unless you do weird trickery, [16:08.260 --> 16:12.760] which we'll get to in a bit. You know, so it was, it was local. Whereas now with the [16:12.760 --> 16:17.600] Internet, it's worldwide. You know, you, you know, one, one minute I'm talking to [16:17.600 --> 16:22.560] somebody on Twitter that's sitting two desks away from me that I work with, and [16:22.560 --> 16:26.720] two minutes later I'm talking to somebody in Turkmenistan who I've never [16:26.720 --> 16:29.020] met before, but has some good information. We're having a good [16:29.020 --> 16:33.060] conversation about stuff. So it's really kind of expanded that world to us. It's [16:33.060 --> 16:39.180] really opened things up. And you can do it from anywhere. It used to be, oh, what [16:39.180 --> 16:44.020] are you doing tonight? I'm gonna go home, boot up my computer, get on the BBS. Now, [16:44.020 --> 16:47.660] I'm gonna whip my phone out of my pocket and check Twitter quick. 
You know, it's, [16:47.660 --> 16:51.080] it's become with, you know, with smartphones, it's become much easier for [16:51.080 --> 16:58.640] us to stay in touch and to communicate with each other. Now, instead of having to [16:58.640 --> 17:02.220] be elite and having skills that you bring to the table, you need to bring [17:02.220 --> 17:06.860] that desire and that drive. And that's, that's all that you really need for [17:06.860 --> 17:10.780] somebody to reach out and say, hey, you know, I like the fact that you want to [17:10.780 --> 17:14.280] learn. I'm more than happy to teach you. I will teach you whatever you want to [17:14.280 --> 17:18.900] know. And we see that a lot. We see a lot of security groups within companies [17:18.900 --> 17:22.980] bringing on people that maybe don't have security experience, but they want to [17:22.980 --> 17:27.860] learn about it, right? We want those people. Those people have that drive. They [17:27.860 --> 17:31.980] have that, that ability to learn. We can teach security. We can't teach drive, [17:31.980 --> 17:39.240] right? You know, and it's, it's a lot easier for these people to learn stuff [17:39.240 --> 17:43.100] too. They don't have to get access to a board to get all this information. It's [17:43.100 --> 17:46.400] all out there. It's all over the internet. You know, you go out to YouTube, you [17:46.400 --> 17:51.320] watch a video, you can learn how things work. You know, you can go and, you know, [17:51.320 --> 17:57.520] buy something at DEF CON and then get on YouTube, learn all about it. And, you [17:57.520 --> 18:02.260] know, now you're able to go in and pop boxes. Which, good and bad, depending on [18:02.260 --> 18:09.460] what side of the fence that you're on. You know, it used to be that this [18:09.460 --> 18:13.060] knowledge would die out with people, right? 
But now that we're able to teach [18:13.060 --> 18:15.660] the new generation and the younger people that are coming up through the [18:15.660 --> 18:19.320] ranks that maybe don't have that skill set, it keeps it alive. And that's kind [18:19.320 --> 18:25.480] of the point of this talk. Is we want to keep this, this past and this history. We [18:25.480 --> 18:28.980] want to keep this alive and remember, you know, where we came from. Because that [18:28.980 --> 18:31.900] helped us get to where we are today. And where we are today is gonna determine [18:31.900 --> 18:36.140] where we're going tomorrow. And so, it's very important to not only talk about [18:36.140 --> 18:40.620] the past, but to talk about what we're doing today and in the future. You know, [18:40.620 --> 18:44.520] 30, 30 years ago we're on BBSs doing this stuff. Where are we gonna be 30 [18:44.520 --> 18:48.120] years from now? Probably talking about how I remember back when we used to use [18:48.120 --> 18:53.220] Twitter and, you know, communicated with each other. So, yeah. So, it's opened us up [18:53.220 --> 18:57.560] to a very nurturing type of environment. Which, which is good. You know, the more [18:57.560 --> 19:02.840] people will learn about this, the better off we're gonna be. So, hacking back then. [19:02.840 --> 19:08.320] Hacking back then was super easy, in my opinion, compared to now. You could do [19:08.320 --> 19:11.540] simple things. There, there are a lot of issues with things like file [19:11.540 --> 19:17.260] permissions, processes having way too many rights. One of my favorite things [19:17.260 --> 19:21.160] back then was you could link the password file to the dead letter file [19:21.160 --> 19:26.660] and then just send an email from nobody to nobody that contained a password file [19:26.660 --> 19:31.640] entry. In less than a minute, you've got a root account on the box and you can [19:31.640 --> 19:36.200] pretty much do what you like on it at that point. 
You know, password management. [19:36.280 --> 19:39.220] People didn't really give a lot of thought about that back then. You know, in [19:39.220 --> 19:42.960] the 80s, as long as you had a password, that thing was super secure. Never mind [19:42.960 --> 19:46.900] the fact that the password is 1, 2, 3. You know, once you got a password, nobody [19:46.900 --> 19:52.160] will get into that. Security, then more so even than now, I think, was an [19:52.160 --> 19:55.800] afterthought. I mean, it's still, in some companies, kind of an afterthought. You [19:55.800 --> 20:00.100] know, oh, we rolled out this new product. Did you secure it? Well, what can we do to [20:00.100 --> 20:07.000] secure it now that it's rolled out? That was a lot more prevalent back then. And [20:07.480 --> 20:12.280] as I mentioned, a lot of programs that ran as root had a lot of [20:12.280 --> 20:14.880] issues. You know, you could get a program running as root and then [20:14.880 --> 20:20.200] just crash it and take over that process space. You could overwrite files. [20:20.860 --> 20:24.100] Sendmail. Sendmail was the bane of security people's existence for years [20:24.100 --> 20:32.380] and years and years and years. So back then, if a system had a password, it was [20:32.380 --> 20:36.580] probably super easy to guess. It was probably 1, 2, 3, 4, 5, 6 or it was [20:36.580 --> 20:42.020] password or, you know, the the person's birthday or their wife's name or their [20:42.020 --> 20:47.340] husband's name or the dog's name. Complexity wasn't forced back then, like [20:47.340 --> 20:52.280] it is now. Exploits were a lot simpler. Somebody's got bad permissions, let's [20:52.280 --> 20:57.960] just exploit that. Bam, we're in. You know, or processes had way too much [20:57.960 --> 21:04.480] privilege available to them. There's no reason that a process that maybe [21:04.480 --> 21:11.500] writes a, writes a file, that it needs root access to everything. 
Servers sat [21:11.500 --> 21:16.100] alone and in the dark. They were neglected. They were like mushrooms. If it [21:16.100 --> 21:20.080] was a night or a weekend, odds are that server is locked away and nobody's [21:20.080 --> 21:23.680] looking at it. You know, the sysadmins went home. You know, we didn't have [21:23.680 --> 21:28.260] things like a SOC that were watching over all these servers. They were [21:28.260 --> 21:33.780] lonesome and sad. And modems were plugged into everything. You know, war dialing was [21:33.880 --> 21:38.660] a big thing. War dialing is where you set your modem to just dial every number [21:38.660 --> 21:42.340] in a list until it finds a carrier and then it logs that number. Hey, I found [21:42.340 --> 21:45.340] something living here. And then you go back, you look at your list and you call [21:45.340 --> 21:51.180] them up. You see what lives there. A lot of servers had modems plugged in for [21:51.180 --> 21:56.380] maintenance modes. If you had like a like a big HP 9000, odds are there's a modem [21:56.380 --> 21:59.600] plugged in the back so that when you have problems, HP can dial in and fix it [21:59.600 --> 22:06.780] for you. Exploring humans can also dial into that and try and unfix it for you [22:06.780 --> 22:11.380] as well. We also didn't have things like bug bounty programs. So if there's an [22:11.380 --> 22:15.460] exploit, it didn't get reported right away to the company all the time, right? [22:15.460 --> 22:21.020] That exploit might live on for months or a year or years. You know, it was the type [22:21.020 --> 22:25.360] of thing where finally a good person would see that and would notify the [22:25.360 --> 22:29.000] company, hey, there's a problem with this. Or they would write, you know, write their [22:29.000 --> 22:35.020] own updated drivers or updated code that fixed it. But there weren't official ways [22:35.020 --> 22:41.600] really back then to report these bugs that were found. 
Nowadays, the difference [22:41.600 --> 22:44.860] is being that a lot of the vulnerabilities can be very technical. [22:44.860 --> 22:51.540] You know, Spectre and Meltdown are good recent examples of vulnerabilities that [22:51.540 --> 22:56.620] are tougher to exploit. It's not as easy as something having bad permissions or [22:56.620 --> 23:00.100] being able to overwrite a config file. You know, you have to jump through a lot [23:00.100 --> 23:04.480] of hoops if you want to exploit Meltdown and Spectre compared to, you know, the old [23:04.480 --> 23:11.700] days. Nowadays, it really, really helps if you can program. You don't have to be like [23:11.700 --> 23:16.880] an uber developer, but if you know some Python and know PowerShell, if you've [23:16.880 --> 23:21.900] used Metasploit a bunch and know some of the better modules, it really makes [23:21.900 --> 23:27.300] life easier from a security perspective. And sometimes now, instead of being a [23:27.300 --> 23:32.420] one-shot deal where, okay, I'm going to link this file and send an email. We're [23:32.420 --> 23:36.600] done. We're in. Now there might be several steps required. Okay, I'm gonna create this [23:36.600 --> 23:41.300] config and now I've got to link these files. And now I've got to move this file [23:41.300 --> 23:47.140] over here. A lot more, a lot more of a process now to get this kind of all [23:47.140 --> 23:53.000] pushed through. Blue teams. Blue teams have really thrown a monkey wrench into [23:53.000 --> 23:57.780] hackers trying to get into systems. We have SOCs. We have blue teams. Blue teams [23:57.780 --> 24:02.280] are very skilled. Blue teams have all kinds of training. There's a lot of [24:02.280 --> 24:08.880] knowledge that's shared so that they're able to detect things quickly. Systems [24:08.880 --> 24:12.760] are monitored 24-7. 
Even if you don't have a human sitting there looking at it, [24:12.760 --> 24:17.720] we have things like Nagios and various monitoring tools that will let us [24:17.720 --> 24:21.320] know the minute something goes a little screwy with that box. And as soon as it [24:21.320 --> 24:24.020] does, somebody's getting a page, getting woken up, and they're hopping on to see [24:24.020 --> 24:30.120] what's going on. So nights and weekends are no longer the sweet spot. We also [24:30.120 --> 24:34.220] have new technologies available to us. We have, you know, we have SIEMs. We have [24:34.220 --> 24:39.560] IDS/IPS. You know, we mentioned like infrastructure and system monitoring. And [24:39.560 --> 24:42.440] they're gonna tell on you. They're gonna call somebody. They're gonna [24:42.440 --> 24:45.360] wake somebody up in the middle of the night. That person's gonna be mad about [24:45.360 --> 24:47.580] being woken up in the middle of the night. And they're gonna come and look [24:47.580 --> 24:53.000] for you. You know, again, back in the old days, wasn't quite like that. They might [24:53.000 --> 24:57.640] find out that you were in there on Monday when they come in. So the one thing [24:57.640 --> 25:03.340] that stays the same is that humans are involved. Humans are always involved. [25:03.340 --> 25:08.120] There's always a human somewhere in the chain, right? And humans are unpredictable, [25:08.120 --> 25:12.100] unpatchable, and under deadlines. Now you'll notice that unpatchable has an [25:12.100 --> 25:17.420] asterisk after it. And this is really small print. I apologize for that. But the [25:17.420 --> 25:24.180] the disclaimer is, humans can be patched through continuous security education. [25:24.420 --> 25:28.000] Unfortunately, a lot of companies don't do this. But it's a very good point that [25:28.500 --> 25:33.120] that was was brought up. I believe Jason, you had mentioned that recently. That [25:33.120 --> 25:37.480] humans are patchable. 
Saying a human is unpatchable is not exactly accurate. The [25:37.480 --> 25:40.480] thing that we need to do as companies is make sure that we do patch our humans. [25:40.480 --> 25:47.420] So we continue a continuous security education kind of regimen. People are [25:47.420 --> 25:51.000] helpful. It's just in our nature. We, you know, it's the golden rule, do unto [25:51.000 --> 25:55.840] others. If I need something, I want somebody to help me. Likewise, if somebody [25:55.840 --> 26:01.140] else needs something, I'm going to help them. But it's this helpfulness that can [26:01.140 --> 26:08.420] be exploited. Humans can bypass two-factor every time. So I worked for a [26:08.420 --> 26:15.280] company previously that we had our red team came in to do a pen test. They [26:15.280 --> 26:18.140] couldn't get in through the conventional means. They were just popping through our [26:18.140 --> 26:23.160] firewall. They called one of our users up. Hey, we need your password. User gives it [26:23.160 --> 26:27.880] out. Yeah, we're cool. We got two-factor, right? Saves everybody. They hit the [26:27.880 --> 26:32.660] two-factor. They called the user back. Hey, you know, we tried logging in as you to [26:32.660 --> 26:36.960] fix this problem, you know. They post as IT. You know, you logged in to fix this [26:36.960 --> 26:41.360] problem. We're getting this two-factor thing. Could you do me a favor and read [26:41.360 --> 26:50.820] me the code off your phone? And they did. Five times in one day. Yeah, it wasn't, it [26:50.820 --> 26:56.000] wasn't a good day for us when we had to report to the sea levels about that. The [26:56.000 --> 27:01.000] good thing is, is that person still works for the company. The company did not come [27:01.000 --> 27:04.040] down on that person and say, oh, you're a horrible person. You gave out your [27:04.040 --> 27:07.640] two-factor code. You're fired. The company used it as a training opportunity. 
They [27:07.640 --> 27:10.900] said, hey, here's an, here's a, an opportunity for us to provide more [27:10.900 --> 27:16.260] education to this individual. Let's explain to this person why what they did [27:16.260 --> 27:21.660] was wrong and how to not fall for this in the future. Which I think really needs [27:21.660 --> 27:26.400] to be the path that's taken. So often companies like, oh, you know, Ed screwed up. [27:26.400 --> 27:29.460] Let's can him. That's, that's not the solution because you're just gonna get [27:29.460 --> 27:34.720] another Ed in. Who's gonna fall for it? Improve your, your, your training posture. [27:34.720 --> 27:38.760] And that's, that's how you fix that. Humans can forget the details of your [27:38.760 --> 27:42.300] social engineering attack. You know, that's the, that's the old thing of be [27:42.300 --> 27:45.820] likable and forgettable. You want that person to like you, but you want them to [27:45.820 --> 27:50.380] forget about you as soon as you're out of their sight. Humans can make you [27:50.380 --> 27:56.300] appear legitimate to others. They provide that legitimacy. So if I want to get in, I [27:56.300 --> 28:00.600] want to get information off the, the CISO at a company, I'm not gonna go straight [28:00.600 --> 28:04.940] to the CISO and, and try, you know, just saying, hi, my name is Bill and, you know, [28:04.940 --> 28:10.080] I'm with your, your cloud service provider, but I'm gonna go to some of that [28:10.080 --> 28:14.060] CISO's underlings. I'm gonna get in good with them. That might be an easier avenue. [28:14.100 --> 28:21.260] Once they are vouching for me, that gives me credibility with that CISO. And humans [28:21.260 --> 28:25.160] are everywhere. You know, like I said, if, if it's a company, there's probably a [28:25.160 --> 28:30.600] human at it somewhere in that food chain, right? Eventually, you'll find that [28:30.600 --> 28:36.580] human and you can try and exploit that. 
Systems rely on logic, right? Very [28:36.580 --> 28:41.300] logical, you know, one zero. Humans rely on emotion. If you can play to somebody's [28:41.300 --> 28:47.560] emotions, it's done. You're in. And that's, this has stayed the same. In the, in the [28:47.560 --> 28:53.200] 80s, people were pretty much guaranteed way in. In the 90s, it was that way. Now, [28:53.200 --> 28:58.180] it's still that way. You know, how do we fix it? Again, education. Let's, let's [28:58.180 --> 29:01.980] train folks and let's show them the right way to do things rather than scold [29:01.980 --> 29:08.560] and fire and be growly and mean. So, I'm sure some of you have seen the movie [29:08.560 --> 29:14.340] Hackers. Norm was my absolute favorite. Norm was the security guard. So, so [29:14.340 --> 29:20.060] basically what happens is, Dave calls him up, says, you know, hey, the file I was [29:20.060 --> 29:26.660] working on is lost. My, my, my BLT drive went AWOL. He looks around his room and he [29:26.660 --> 29:31.360] sees an empty food container and he thinks, a BLT drive. Norm doesn't have the [29:31.360 --> 29:36.060] education he should, as far as security stuff. So, he doesn't know that this is a [29:36.060 --> 29:41.740] line of crap that he's being fed. He doesn't, yeah, he doesn't understand that, [29:41.740 --> 29:47.840] you know, it's, it's not a real thing, a BLT drive. And back then, people were not [29:47.840 --> 29:51.660] comfortable around computers. In the 80s and 90s, computers were still, you know, [29:51.660 --> 29:55.140] in the mid 80s, not every house had a computer. I mean, computers were [29:55.540 --> 29:59.680] expensive. I had to beg my parents for years to get one and it took my friend [29:59.680 --> 30:05.320] getting a Kaypro before I got an Osborne. I was like, ah. People were very scared of [30:05.320 --> 30:09.240] breaking things and very scared of being in trouble. 
You call somebody at work and [30:09.240 --> 30:13.360] you're like, you screwed up your computer. Yeah, this, this is Frank from IT and you [30:13.360 --> 30:18.020] just broke your junk. They're gonna panic, right? They're gonna freak out. I'm [30:18.020 --> 30:23.480] gonna get fired. It's that, that same fear thing. They're, they're a little more [30:23.480 --> 30:27.700] comfortable with computers now. Everybody pretty much has a computer at home, or I [30:27.700 --> 30:32.180] should say a lot of people. They're more comfortable with doing things on it. But [30:32.180 --> 30:38.060] back then, it was real easy to have people fearful of their terminal. So, you [30:38.060 --> 30:41.960] could get them to do bad things and they wouldn't be suspicious. Yeah, hi, I'm from [30:41.960 --> 30:47.860] IT and you did something wrong. They'll do whatever you want then at that point. [30:47.860 --> 30:58.010] I'll just fix it, make it go away. So, that brings us to phreaking. So, phreaking, back [30:58.010 --> 31:03.070] in the, back in the old days, back in the 80s, the phone systems used something [31:03.070 --> 31:10.030] called SS5. SS5 was a, like a signaling system that the phones used. And it used [31:10.030 --> 31:13.930] what was referred to as in-band signaling. So, the phones had to be able [31:13.930 --> 31:17.690] to, to talk back to the central office and, and kind of say, hey, this is what's [31:17.690 --> 31:22.210] going on. This person's trying to make a phone call and they've put two quarters [31:22.210 --> 31:27.690] into me. Is that enough money? Well, they would do this with, with very faint tones [31:27.690 --> 31:32.130] that if you listen close, you could hear it. And that was in-band signaling [31:32.130 --> 31:35.650] because it was in the same band as your, as your voice traffic, right? 
So, you could [31:35.650 --> 31:40.030] actually record those tones, play them back to the phone, or make a device that [31:40.030 --> 31:44.790] would play those tones to the phone. And the phone would be like, oh, they just put [31:44.910 --> 31:48.410] a quarter in because I heard the, I heard the sounds, even though you put nothing [31:48.410 --> 31:54.390] in it. So, there are things like blue boxes, red boxes. These enabled free calls. [31:54.390 --> 31:57.990] They made it harder to trace calls. You could, you know, you could stack trunks [31:57.990 --> 32:04.670] across the country. Some very famous people in the computer industry, [32:04.670 --> 32:10.030] financed their way through college by selling blue boxes. It kind of really took off in [32:10.030 --> 32:15.630] the late 60s, early 70s, and had a really good run through the, the mid 90s when [32:15.630 --> 32:20.950] they switched to a new system called SS7. With the advent of SS7, they moved to [32:20.950 --> 32:24.970] out-of-band signaling. So, these, these codes and these tones didn't go through [32:24.970 --> 32:27.330] the phone line anyway. They went through the phone line, but not through the voice [32:27.330 --> 32:34.190] channel. So, you couldn't just do craziness. Just a little bit of, I don't know, trivia, [32:34.190 --> 32:39.150] if you will. There are red boxes and blue boxes in these badges. That's just [32:39.150 --> 32:42.690] one of the, one of the things you can figure out on them. Kind of, kind of neat [32:42.690 --> 32:46.170] stuff to be able to hear that. It won't work on a real phone, but, you know, kind [32:46.170 --> 32:50.490] of, kind of neat for history's sake. The phone system, it was a new frontier, right? [32:50.490 --> 32:55.190] So, hackers are inquisitive, right? We want to know how things work. You know, I'm [32:55.190 --> 33:00.510] sure a lot of us, when we were young, took stuff apart. My mom hated it. 
I would take [33:00.510 --> 33:04.430] things apart and never put it back together again, right? I would have crap [33:04.430 --> 33:08.590] strewn from one end of the table to the other. And my mom would be like, what are you [33:08.590 --> 33:11.230] doing? I'm done with that. I already took it apart. I know how it works. I'm done. [33:11.230 --> 33:16.390] Bored. The phone system was like that, right? It was, it was this new world that, [33:16.390 --> 33:21.110] you know, what does this do? How does it work? What does, where does this go? And we, [33:21.110 --> 33:25.410] you know, we had that inquisitive mindset that made it such a wonderful thing. [33:26.130 --> 33:31.310] Telephone companies would often leave trucks unlocked. Trucks contained service [33:31.990 --> 33:36.090] manuals. They would also throw old manuals into dumpsters. So, you know, late [33:36.090 --> 33:39.450] at night, you're bored, you're out cruising around. Hey, there's the telco. I wonder [33:39.450 --> 33:44.030] what's in the dumpster. Oh, it comes with a set of bell manuals. Now, you know how a [33:44.030 --> 33:49.350] lot of that stuff works. So, there were, there were a lot of late-night dumpster [33:49.350 --> 33:55.890] runs back, back in the day. So, back to the boxes here. So, red boxes generated a [33:55.890 --> 34:00.770] coin tone, right? And like a quarter tone, as an example, was kind of what? It was [34:00.770 --> 34:05.970] like five high-pitched beeps. You could use them on Fortress phones or COCOT. [34:05.970 --> 34:11.170] COCOT is a customer-owned, coin-operated telephone. Basically, a person could buy a [34:11.170 --> 34:15.390] payphone, install it at their business, and then they got all the money out of it. [34:15.390 --> 34:17.470] You can play nickels, dimes, quarters. I don't know why you'd ever play a nickel [34:17.470 --> 34:20.450] or a dime, unless you're just trying to make it look legitimate. We always just [34:20.450 --> 34:24.330] did quarters. 
And you can make it super easy. If you went to Radio Shack, Radio [34:24.330 --> 34:27.990] Shack had a pocket dialer. We could program phone numbers in, and then you [34:27.990 --> 34:30.610] push a memory button, and it would play it back, so you didn't have to be [34:30.610 --> 34:35.110] troubled with pushing the buttons on the phone. Because that was a lot of work [34:35.110 --> 34:41.470] back then, right? So, if you replace the crystal inside that pocket dialer, and [34:41.470 --> 34:44.630] then programmed, like, I think it was five asterisks into a memory location, that's [34:44.750 --> 34:48.470] a quarter. And so then you go and you call somebody in, I don't know, Algeria, [34:48.470 --> 34:51.230] and you just start hitting the button, and it starts racking up quarters, and [34:51.230 --> 34:56.350] now you've got a free phone call. Blue boxes basically allowed you to be an [34:57.150 --> 35:02.310] operator console. You could stack trunks, you could, with the right combination of [35:02.930 --> 35:05.110] things, you could, you know, there are ways you become like a directory [35:05.110 --> 35:09.310] assistance operator. You know, there are a lot of different things you could do [35:09.310 --> 35:16.310] with a blue box. Black boxes would set it so that if somebody called you, so [35:16.310 --> 35:19.410] maybe, maybe you got a BBS, right? But you're in the middle of nowhere, but you [35:19.410 --> 35:22.690] want people to call your BBS without racking up long-distance charges. The [35:22.690 --> 35:28.690] black box would turn off the ringing. You could set your BBS to then pick up, but [35:28.690 --> 35:31.350] it wouldn't trip. There are two relays, one controlled ringing, one controlled [35:31.350 --> 35:35.430] billing. It shuts off the ringing relay, never trips the billing relay, so the [35:35.430 --> 35:40.110] person's never, never billed. 
The phone company in the phone system, the CO, [35:40.110 --> 35:44.210] thinks that you never picked the phone up, even though you did. So a lot of these [35:44.210 --> 35:51.030] boxes were pretty heavily used up until about the mid-90s. When, again, they [35:51.030 --> 35:56.910] rolled out SS7, where the in-band signaling made life a lot easier for the [35:56.910 --> 36:00.490] phone companies at that point. And they had things in place that they could [36:00.490 --> 36:05.410] detect things before SS7, but it was not as sketchy, or I'm sorry, not as [36:05.410 --> 36:10.010] reliable. It was a little more, a little more sketchy. There are times that, you [36:10.010 --> 36:13.350] know, you crank out three or four dollars in quarters, and all of a sudden you have [36:13.350 --> 36:18.470] an operator on the line. Sir, how many coins did you put in the phone? Yeah, 400 [36:18.470 --> 36:22.790] buy. Then you'd move on to the next phone before anybody in a Bell truck shows up. [36:27.440 --> 36:31.560] So with the, with phreaking, there are a lot of interesting, cool phone numbers [36:31.560 --> 36:36.580] that were out there. And these phone numbers would be traded on BBS. If [36:36.580 --> 36:39.500] somebody finds a cool number, you hop on your local phreaking BBS. Hey, I found [36:39.500 --> 36:43.300] this, you know. Feel free to use it. Or I found this. I don't know what the hell [36:43.300 --> 36:48.440] this is. Can somebody figure it out? There are loop numbers. What a loop number was, [36:48.440 --> 36:51.780] there, there's a high side and a low side. You could dial into one side, somebody [36:51.780 --> 36:56.780] dials into the other, and you could talk to each other. Conference bridges. That [36:56.780 --> 37:01.200] was a big thing, like the late 80s, early 90s. Everybody was dialing into conference [37:01.200 --> 37:04.660] bridges. 
And what that was is, a business would have a conference bridge for doing [37:04.660 --> 37:09.220] conference calls. It was just a phone to recall into, and you enter a password, and [37:09.220 --> 37:12.720] now everybody can dial in, you can all talk to each other. Well, the passwords [37:12.720 --> 37:17.520] were, you know, four or five digits long. Doesn't take much to brute-force that. So [37:17.520 --> 37:20.160] the hackers would find them. They're not being used on nights and weekends, because [37:20.160 --> 37:23.200] it's owned by a business, right? That business turned off the lights in the [37:23.200 --> 37:27.620] server room, and they all went home. So the hackers would brute-force these [37:27.620 --> 37:32.460] conference bridges. They'd log in, have their, their conversations. They'd talk [37:32.460 --> 37:37.420] about hacker stuff, and phreaker stuff, and just kind of hang out, and do [37:37.420 --> 37:45.040] nefarious things. ANI numbers. ANI numbers were very handy. If I want to hack into [37:45.040 --> 37:49.780] my local Pizza Hut, and play around with their supply ordering system, but I don't [37:49.780 --> 37:54.580] know the number, I go outside of the demarc, the little phone box on the wall [37:54.580 --> 37:59.780] out back. I open it up, I plug in a butt set, and I call what's called ANI, [37:59.780 --> 38:03.880] automatic number identification. It's kind of what drives caller ID, and I could [38:03.880 --> 38:06.860] find out what their phone number. I'd read back the number I'm calling from. [38:06.900 --> 38:11.300] Now I know what the phone numbers are for this Pizza Hut on this line that I [38:11.300 --> 38:15.360] dialed out, and I'm gonna go home, start calling around that area with my modem, [38:15.360 --> 38:19.480] until I find a carrier. 
Now I know I'm into their, their supply system, and next [38:19.480 --> 38:23.600] week they're getting 30,000 pounds of mozzarella, which usually leads to a [38:23.600 --> 38:28.260] sale on, like, pizzas, which is nice. And then there are interesting numbers too. [38:28.260 --> 38:31.400] You might find a number that's really bizarre and weird, and these still exist [38:31.400 --> 38:36.160] out there. You know, government installations, there might be a [38:36.160 --> 38:40.520] voicemail box that's weird. You know, there's a voicemail box for a long time [38:40.660 --> 38:43.980] that was just a duck quacking, like you'd call this number, and a duck would quack [38:43.980 --> 38:49.100] and beep, and you can leave a message. Nobody really knew what it was, it was just a [38:49.100 --> 38:52.080] duck. Government installation, there are numbers you'd call, and they would rattle [38:52.080 --> 38:57.960] off weird numbers, you know, Bravo, 6, Alpha, 9, 12. Okay, what is that? You know, so [38:57.960 --> 39:00.640] then you'd share that number with your friends. They'd be calling, you'd all try [39:00.640 --> 39:05.200] and figure out what it was, and it was neat. It was, again, it was that [39:05.200 --> 39:10.300] exploring kind of mindset. And then there were sweep tones. So sweep tones were a [39:10.300 --> 39:15.640] number that you would call, and it was just a sweeping tone. It's like, right, all [39:15.640 --> 39:22.360] the way up, like super high-pitched. Sweep tones were the thing of urban legend. [39:22.360 --> 39:30.680] They existed. It was just a test, a test tone, a test number. The rumor was that it [39:30.680 --> 39:35.960] could detect a bug on your line. Not true. Not true. So if you think your line is [39:35.960 --> 39:42.920] tapped, don't call a sweep tone because it won't really tell you anything. So [39:42.920 --> 39:47.140] basically, in closing, you know, there have been a lot of changes over the last 30 [39:47.140 --> 39:52.200] years. 
A lot of things that have advanced, but a lot of things that kind of [39:52.200 --> 39:57.260] stayed the same, too, right? You know, we all kind of started out with that [39:58.000 --> 40:02.080] inquisitive mindset. You know, some of us were black hats, some of us were white [40:02.080 --> 40:07.660] hats, some of us were gray hats. You know, it all brought us here today. You know, no [40:07.660 --> 40:13.340] matter, I'm sure we have a wide variety in the audience, you know, everybody's [40:13.340 --> 40:19.020] experiences have kind of made the whole community what it is. So that's a [40:19.020 --> 40:22.420] that's a good thing. Who knows what we've got for the next 30 years. It's exciting [40:22.420 --> 40:25.700] to think about with how fast things are going. It's important to remember where we [40:25.700 --> 40:29.860] came from and to pass that on to the next generation as they come up. We need [40:29.860 --> 40:34.920] to remember our history and to keep that going forward so that we don't don't [40:34.920 --> 40:36.120] forget who we are.