HOU.SEC.CON. 2023 Closing Keynote

Presenter:

Transcript:

All right, I have the distinct honor. Wait. Hold on, hold on. Get back! And you can't come up yet. I've got the distinct honor of introducing a guy. How? I almost tear up. I know this guy for a long time. We met each other through the community. A long time ago, I did RSA, we did blogger meet ups and all this stuff together.


So he's a good friend and I've tried to get him down here a couple of times and he's a world traveler. You got to forgive him. He's from Canada. But no, seriously. Dave Lewis, Global Advisory CSO out at Cisco, please come on up and give us that final keynote. Man. You never really think. All right. Can you hear me now?


Nope, nope. There's Kenneth Fick. That's right. You've been hiding. You always got to worry about the Irish. I can say that because I am, apparently, it's one of those things where I'm very happy for all of you who actually showed up. I really do appreciate it. I was starting to wonder there. When I came into the room, there was like 12 people.


Still not the smallest talk I've ever given. But I'm here today to talk about what I call a lessons learned by falling on swords. And over the course of my career, I've made a lot of mistakes and I can say a lot of mistakes, but I've learned from them. So one of the things that I find time and again is I hear people say, oh, failure's not an option also, or that, that sort of thing.


It's really a misnomer. It's really not the greatest way to approach things. We have to be sure of that. For those of you standing up in the back, come on down. We got seats. I don't bite. All right, let's get to it. So I have been doing security in one form or another now for three decades, and it has been an absolute wild ride, to say the very least.


I have actually gotten to the point now where I've invested in a whiskey distillery and a soccer team, because why not? And I'm busy.


And it's one of those things where it's like, I've gone through all of these different iterations in my career, and it has been really amazing to see all the things that I've done wrong and be able to talk about them. So hopefully people that are starting out in their career won't make the same mistakes, or at least they can take something from my missteps and be able to use it to help better their own career.


I was speaking to someone this morning who had started out when he was very young. About 18, he dropped out of university and he started working, and he's now doing very well in his chosen profession. But he kept referring to himself in derogatory ways. He's like, oh, I'm not that smart. I'm not this, I'm not that. But the funny thing is, it's like, you're here, you have a seat at the table.


You have to appreciate that you're here for a reason. And one of the things that I always find really interesting is that whenever I give a talk, I have a very bad habit of not identifying myself or introducing myself. Thankfully, that worked out today. This is what my handle used to be on social media and get on what used to be called Twitter, now called dumpster fire.


And I left there about a year ago, and honestly, not because of the nitwit that runs it. It got to the point where it was so caustic, so toxic that I just couldn't take it anymore. And I had to step away. And here we are a year later, and I've gone through a lot of iterations in examining my life, and I've gotten to the point now where I think I can dip my toe back in the pond again.


But you know what? We'll see.


What, we're doing an interactive session? Sorry. What was that?


Oh, I figured that, but I was going to curate it as much as I possibly could. But yes, you're absolutely right. So I have been traveling so much as a result of my chosen profession that there's this app called Flighty, not a sales pitch or anything like that. And somebody turned me on to this, and I said, okay, this is kind of cool.


Let's have a look at it and ingest all my flights, just for the last decade. Apparently my feet were off the ground for 109 days. Let that sink in. That's a third of the year out of the last ten I was in the air. This is not a brag. This is really frustrating to me because I used to build things.


I spent 30 years in this field. The first 20 I was building things, I was a defender, and now I've gotten to the point where I'm sharing stories. Which, don't get me wrong, it's very cool, but it's a little bit frustrating when I see things like this and I go, wow, this is really something. And I find that this is usually me sitting in an airport, sitting in a hotel, reflecting on things.


I have a lot of time to think about stuff after I leave here tomorrow morning at silly o'clock, I'm off to Singapore. That's not a short trip, and it's one of those things where I'm like, what am I doing with my life? Is this what I want to be doing? I've made all these mistakes I've learned from them.


Am I still making mistakes? Answer is absolutely. And it's really amazing when we look at things like, how does the world see us? They don't like us very much. I identify as a hacker because that's how I started things out back in the beginning. Come on, there we go. And I tend to be extremely frustrated because of all the things that I have to contend with and which I know that you have to contend with today.


And of course, I brought my notes and forgot about them through there. And it's really amazing to see these sort of things and look at all of the different things that we have to go through, and most of them end up being these insane meetings. The really crazy thing here is that little device. I was at one company that shall remain nameless, where one of the IT guys put the Polycom, one port outside, one port inside.


Went home for the weekend because he wanted to work on it over the weekend to configure it. Now, for those of you who don't know about Polycom devices. Pardon me if you go through the web interface. Oh wait, you can enable SSH. Monday morning was kicking off our penetration test. The pen testers phoned me at 9 a.m. saying, look, we're going to get started.


I said, fantastic, let me know when you get in, because I knew they would get in. And I mean, it's just a matter of time. And this is one of those things where I was one of those folks that didn't say, oh, you can only work on this particular server between 5:00 and 5:01. None of that nonsense. I gave them carte blanche.


I said, do what you got to do. They were really excited. 9:14 in the morning, the phone rings. I pick up the phone. I'm like, you got to be kidding me. I didn't even look at the call display. I just knew. He goes, yep, we're in. We've got your AD, we've got all your routers, we've got all your switches.


How did they get in? The Polycom device. Thankfully, nobody else found that way in. It just happened to be exactly when they were kicking off the penetration test. And these are all those frustrations, and it leads us to be constantly running from all of these types of threats. But meanwhile, most of the threats we've got to be worried about are built in-house, happen to ourselves.


We shoot off our own toes, but then sometimes people want to try and do that for us. We see kinetic warfare events all over the place and it's tiresome. I really wish it would go away, but then we also have to worry about, oh, why don't various viruses name whatever it happens to be? Basically, the world's trying to kill us.


It has decided, you know, we are a virus; it wants to get rid of us, going to burn us out. Now, I'm not normally this dour and this dark in my thoughts, because I am Canadian, we tend to be a little bit more easygoing about things, and it's really amazing when we talk about these sort of things, about how we're seen on the world stage.


And one of the really interesting things is, everywhere I would travel in the world, I would get asked, are you an American? I said, no, actually, I'm from Canada. And they said, oh, well, your accent. To be fair, I used to live in South Carolina as well as Washington, D.C. I did pick up bits and pieces. I cannot say pop any more.


In Canada we say pop. Here you say soda. I can't stop saying soda. What was that? Coke. All right, we're this far south. It's Coke, all right. In Miami, Coke's a whole different thing. And it's one of those things where it's like when I'm seen around the world and people mistake me for that. The really crazy thing is, I was in a hotel in Delhi a few years back, actually, quite a few beers back now.


And I was standing there getting ready to go get my car to go off to the airport, and this well-dressed woman walks up to me and she goes, excuse me, are you an American? I said, no, actually, I'm from Canada. She goes, good. And she walked away. I have never been so scared in my life. What would have happened if I had said it the other way around?


As a result, I actually got a maple leaf tattooed on my arm a month ago, about a month later, because it was very concerning, very vexing. Her question I never got. I was so stunned I couldn't run after her and ask her what would have happened or anything like that. But you know what? We tend to look at these things and analyze them after the fact.


For example, when you put software out in the world and you go in about hacking in Canada, we do hacking a little bit differently. And we have to understand that being Canadian is somewhat contagious. Now, I have done all sorts of gigs, I worked at all sorts of different places, and this is just unfortunately, not all the logos that I have had to deal with over the years.


I actually did one presentation in Switzerland a couple of years ago, where I put all of the logos for all the places, and it was actually three slides long. It was nuts. And again, going back to it, most of that was this slide again, going through and having these monotonous meetings over and over again. But the funny thing is, it's like we have to understand that we are defenders.


We are here to make sure that we are protecting our assets, our inventories and our people so that they are not negatively impacted by bad decisions.


Now, back in 1983, I got my first taste of getting into computers. I was very fortunate. We had a teacher that would allow us access to his computer and when we were not in class, and of course, my friend and I got up to no good, and we ended up doing video games and selling them to kids in school.


Had a nice little cottage business going there, but I really got into it when my dad brought home one of these. My dad was about as technical as a wet rock. Loved him to death. He had no idea about computers and I'm like, dad, can I play with it? It's like, what? It's a work thing. I said, I promise I won't break it.


So I would sit there and pore over the manuals, go through it. And I became so enamored with VisiCalc. Oh, I got one laugh. Somebody knew what I was talking about. That's good. I did that at another conference. There were a lot more graybeards and man, they got it. But this was the really interesting thing, is I had that opportunity.


And when you have kids, you want to give them every opportunity, because they are going to develop differently based on what they are exposed to. If you give them science stuff, you give them technology, or math, whatever it happens to be, some of it will click, some of it won't. And these are the kind of things we have to look at.


And when we're going through and looking at all these different things, we learn that, well, some people start off with a nefarious beginning, even though they have access to things like this. Remember when Sony had protected their CDs? Remember how they were broken? This was fun. I remember doing this and copying them and again selling them to kids in school.


But it's amazing how we have the seeds of things as they begin, and we look back to things like 1989. Can anybody tell me what critical piece of malicious software came out in 1989? What was that? I couldn't even hear. One more time. Morris? Well, okay, there was that. I was actually thinking more along the ransomware itself, the AIDS virus, which was a piece of malicious software that was on 20,000 DVDs or CDs, I guess, at the time, put into bags at a conference for health care.


And when people would reboot their computer for the 99th time, they had to pay a ransom to get the key to unlock their system. They had to send a self-addressed, stamped envelope to a P.O. box in Panama. These are the kind of things; this is how ransomware really got started. And now that they have access to things like Bitcoin, obviously it's far more frugal.


And learning all these stories and being able to share them over time led me to build out something called Liquidmatrix. If you go to liquidmatrix.org right now, it is horribly broken. Chris Strunk will beat me about the head and neck again. I see him nodding back there. This is a site where we were aggregating information and sharing it.


And at the height of this website, at one point, if I did all the log files, I would see all of the law enforcement and militaries from around the world were using it to get their news. It's pretty amazing. Now it's just a couple of bots and some guy with a Windows 98 system. Chris. They keep showing up.


I still have to fix it. I promise I will fix it before the end of the calendar year. Now, when I was younger, I was of that generation that was seen but not heard. It was like, you know, go in and parents are like, oh, it's talking to me again. Off you go. Go play outside. Now they can't really shut me up.


I tend to give talks quite a lot and it is fun being able to share stories with folks, be able to meet with folks to see their perspective wherever they are. So much so that I ended up co-founding a conference in Toronto, and I ended up working as a volunteer for multiple conferences around the world, because a lot of this really comes from the panic that we see in our C-suite.


Executives tend to get very worried about things very, very quickly, and we want to make sure that we're giving them the proper message. We're sharing the proper information, because if we're just running in with our hair on fire, as I did in the past, I will perfectly admit to that. We have to make sure that we are getting the message across in the lingua franca that they're going to understand. The mistake I made:


I remember running in like, we have a zero day. It's going to be a real problem. It's going to stop the energy market from going live, which was a real thing. And we had five days in order to remedy the situation. The CIO looked at me, goes, go back out in the hallway, think about how you're going to position this and come back in when you're ready to present.


I went outside with the architect, and we sat there and we're like, he didn't understand what we were saying. All right. So we put our heads together, went back in and explained it in terms of risk. Within two minutes he looks, he goes, stop, I understand it now. Here's a blank check. Fix it.


That was fantastic. And that was because we spoke in a way that he would understand. Malcolm Gladwell has a fantastic book called Talking to Strangers, which helps you to understand how you can communicate with others that don't necessarily speak the same language that you do. And as security practitioners, we have to stop staring at our navels. We have to stop talking just amongst ourselves and get that message out to the wider audience, because Luddites are not going to fully understand what we mean by security.


Now, when I was younger, when I got my very first apartment, while my dad drove off in the moving van, my roommate and I were just sitting there. He cracks a beer and he looks at me, goes, want a beer? And I said, yeah. I just grabbed a pair of scissors and, no word of a lie, ran around the apartment, and he's like, you are mad as a hatter.


What are you doing? I said, expressing my independence. And he goes, what if you trip? I went, I hadn't thought about that. And this really is the root of a lot of the security issues we have to contend with, because we see systems that are put online that should never have seen the light of day. I remember one system at one particular power company that will remain nameless.


They put it live, and then they came and said, we're having some trouble. Can you help us look at this? And I looked at him. I said, what is this system? When did it go live? And they said, an hour ago. Really? The chain of events is they're supposed to go through security to have the application vetted before it is promoted into production.


They didn't do this. What's the first thing that I did for this web app? View source. Can anybody guess what I found in the HTML, commented out? Passwords. Username: admin. Password: admin. Plain as day. I showed it to them. They said, oh my god, you hacked our application.


A little what? And then it hit me. They didn't understand and that was my feeling as a security practitioner, I should be going out of my way to make other folks understand the risks that are involved. And I hadn't taken that step. And as a result, people would see things differently. For example, if we look at sharks, we think, oh my God, they're a horrible thing.


We've got to worry about. Realistically, they average about five deaths per year. Cows, on the other hand? Really. 22 deaths per year. These are the kind of things we have to look at. What is the proper perceived threat, and how do we articulate it to folks so they understand it? Because people don't default to security. That's not the way we're built.


Now, my boss, Wendy Nather, bless her heart. She sent me this picture, which unfortunately is a little bit trimmed over to the side here. You can actually just see the tip of the wing off to the left if it's not trimmed there. She sent this to me one day when she was coming back from a conference in Europe. She said, tell me where I am.


I'm like, boss, I got stuff to do. She goes, no, tell me where I am. I go, fine. I see where the sun is. I see where the angle is. I see what's going on. And I said, okay, you're on this plane. She said, yeah, not bad, because I knew what conference she was coming from. I knew her preferred airline because she had shared that previously on social media.


The rule was I couldn't use anything that I knew that wasn't publicly available. I'm like, fine. All right, good, go. And she said, all right, what seat am I in? So I went to SeatGuru and I said, okay, fine, let's go. You're in 5A, based on where the wingtip is and the angle of the plane. And it turned out that no, she was actually in six.


I was that close. This took less than five minutes, this whole thing, while she was sitting on the plane. This just goes to show you how simple it is for an attacker to get the information they need in order to cause trouble. And even though we have all the machines that go ping, it doesn't necessarily mean we're secure. If you have all sorts of systems in your environment, what are they necessarily doing?


And yes, I do work for a vendor. I'm not pitching anything. I'm not selling anything. But looking at ways to rationalize within your environment. And one environment I worked at many, many moons ago, and the first week I was there, I found out we had seven different logging and monitoring solutions. I thought this was insane. We were able to consolidate it down to one after much gnashing of teeth, but it turned out that most of these systems were employed because some project had said we need this particular feature rather than look at what was already installed.


They said, you know what, we just got a new system. We got the CapEx for it, let's do it. And that happened time and time again. I thought seven different logging and monitoring solutions were insane, until I met a guy from Calgary, Alberta, who had 21 currently, and that was after they trimmed it back. I know we like to recycle things.


I normally like to reuse things, but passwords: stop using the same username and password over and over again. I realize that this is not the audience for that, but it's to take that message beyond this. My mother, bless her heart, for the longest time had the same username and password on everything, and I explained to her, I said, this is why this is a problem.


She goes, well, why? And I went and I printed out a screen from each one of her apps and I handed them to her and she goes, how did you do that? I said, because it's stuck to the monitor. Oh, wow. And I said, think: what happens if one of those sites got compromised and then the attacker would replay it against the other sites, what could happen?


She's like, oh, that's not good. And this is the kind of thing we have to realize that we're dealing with getting that message across. Now, earlier in my career, I thought I was a superhero. I thought I was like all that in a bag of chips. One of the hardest lessons to learn in this industry is humility. It's tough.


It took me a long, long time to get there, because I thought I had all the security tools and all this and all that. Yeah. And then I met Dave. There's always that user that will do something that you don't expect, the application with the commented-out code with username and password. That kind of thing happened so many times within the course of my career.


Really frustrating. And yet we focus on this, or rather outside of this room. In terms of focus on this. We want to make sure that we're getting beyond that.


Oh, he's got to work in the coffee breaks, because the world sees us like this. The hoodies, the like, all that sort of thing. Has anybody ever used really big gloves on a keyboard in a data center at 3:00 in the morning? Doesn't work out so well. I have had to do that because our data center was so incredibly cold at one place I was working at, but I would take them off to type and then put them back on again.


The reality is a hacker, or an attacker for that matter, could be anybody. And we have to understand that the perception that's out there has really been a narrative that was taken over by the media, and we let it happen. We have to manage our own message. Now, back in 2006, this happened to me, where I ended up on the front page of a magazine.


I thought it was the most amazing thing ever. I was so excited and I walked in to my wedding rehearsal, showed it to my father, and he said, I would have fired you because his perception was that security should never be seen or heard from. It should be something that is completely seamless. Well, I understand the seamless part.


I also was like, well, dude, this is my wedding rehearsal. At least lighten up a bit. And these are the kind of things we have to worry about. And as a result of that sort of negative feedback, we tend to end up seeing the world like this in very negative sense. And if we're being fair, there's reasons why we think like this.


I have seen so many things on Shodan that just absolutely break my brain. And I know this is old news for everybody in the room, but it still happens. Like there are sites where I'd be working with a customer and I go in there and I show it to them. They're like, how'd you find that?


Okay, we have to worry about the law of unintended consequences. When you see apps, web apps being put out there with usernames, passwords commented out. That's a very simplistic one. But things like that do tend to happen. We have to make sure that when we're putting our security solutions in place, that we're not actually inadvertently causing trouble. We want to make sure that we are understanding that our security controls are doing the right thing.


We don't want it to be an impediment to the organization. Passwords are something that I tend to hate in no uncertain terms. For me, passwords are quite simply a control. They're not a security control. They are a control. Think about your house. You lock your house, you go to work for the day. Is everything safe in your house?


You know where your keys are. If you lose that key, somebody of nefarious intent could find it and go, oh, I know this is Bob's key. Go and unlock the door. The house doesn't know any better. We have to make sure that we're putting controls in that are going to make sense, because we tend to repeat the same mistakes over and over again.


We've been dealing with passwords since 1962. We've been dealing with computer viruses even earlier. This was a paper that was produced in 1984 talking about computer viruses and how this was going to be a real problem in the future. This was discussed at a gathering in Toronto, Ontario, in 1985, and they were like, yes, we have to do something.


Unfortunately, in 1986, this happened, and it has been all downhill from there, because we tend to be in a firefighting mode consistently. We have to figure out how we're going to be proactive. We have to learn from our mistakes because bad things are going to continue to happen. Skill-testing question: how long was the vulnerability known about for this particular malicious software before this happened?


And the answer? Ten years. This was a known bad thing for ten years. And yet we're like, oh, everything's fine. We have the firewall. We're going to be good. I like to go back to the slide again. We have to make sure that we're putting in security controls that make sense, but a lot of it is the human element.


We have to figure out how we're going to communicate with folks, how we're going to get our message across, because we can put in all the technical controls. But if Dave is there to go around it, there's a real problem. We have to show them who we really are. We are dedicated professionals that are here to make things better, but we have to stop looking inward.


We have to figure out how we can get the message across in a better way. Problem is, not all of us are extroverts. I myself am an introvert. It is actually physically painful for me to stand in front of an audience. Not that I don't like you guys, but it's like anxiety central. Speaking of anxiety, one of the things that I see over and over again are data breaches.


Back in, I'll say about 2012, I started tracking data breaches on the website that doesn't work at the moment, and I was really amazed that the biggest one at the time was with LinkedIn, and that was about 7 million records had been exposed. That's laughable by today's standards. When we're looking at orders of magnitude of billions of records for a site being compromised, it has to get better.


But when we see things like this, this is frustrating. I wrote an article for Forbes on this very topic, creating an S3 bucket that says categorically do not grant public access. There are so many tools available now that you can just scan looking for buckets with open access. Why does this continue to happen? Are we hiring bakers to do security for websites, or are we having doctors do our, you know, voter databases?


Actually, if we did, we'd probably have better security for our voter databases. Are we having philosophers run our security practice? We have to make sure that we're talking to the right people. Now, if these folks have the right mindset, absolutely. That's just it. We have to figure out ways to bring people in that may not be security-savvy, but they have the right mindset.


They have the right curiosity because we tend to keep worrying about the threats. We worry about the sharks that are constantly nipping at us, and then we end up in an analysis paralysis. It has to get better because, well, there we go. Stupid things can and will happen. This is not the actual photo of this particular incident, but one company I was working at, there was a guy there that suddenly was in a good mood.


This is a guy that was grumpier than me, and that's saying something. He would constantly come in grouchy, slamming things around, and one day he was really, really happy. Had a brand new car. He was smiling from ear to ear and he was like, oh yeah, it's a good day, right, Dave? And I'm like, sure. And I went back to sipping my coffee, and then I noticed he kept walking to the printer, because that was back when we had a cube farm.


So he goes to the printer and he prints stuff off, and he puts it in a box, and he walks away, and I'm like, where's he going? I sort of lean back in my chair, sipping my coffee, phone rings, call you back, click. Came back a little later, and at that point he had printed off a whole other sheaf of paper, put it in the box, walked away.


I was like, okay, this is really weird. What's going on? He filled the trunk of his car with printouts of code from all of our software. The funny thing was, during this exchange where he kept going back and forth, I talked to our physical security guys, because we were at a secured facility with bollards, the whole bit, and they were watching him too.


And they're like, what do you think he's going to do next? I'm like, no, no, let this play out. And he's like, well, he's not going to get out of here. He has to get by the. And so we're good. And he filled it up with code because he knew that we were watching all the egress filtering. We had all the controls in place.


He figured out a way. He pulled a Dave. He figured out a way to go around it. He just didn't realize that, you know, we had a whole bunch of people that had that innate curiosity, that's like, what is this guy doing? That day did not end the way he thought it was going to end. He did not actually get the new job that he was hired for, because we talked to them as well.


He ended up having a little chat with law enforcement. It was a bad day for him, but this is one of those things where I hope he learned from that mistake. If we had not had egress filtering in place, that could have been a problem. We also had good force protection measures in place as well to look when people were doing silly things.


So not only did I notice it, but our physical security guys noticed it as well, and it was like, okay, there's an alert, something's going on. We have to make sure that we're keeping an eye on all the different ways a hacker can get into your environment. It's not necessarily that they're going to get a zero day and come in.


That's usually the least of your concerns. Sometimes it's just taking the CEO's admin out for lunch. Give me your password. No, I've got a brick. Here's my password. Back in 2003, we had the blackout, which affected the entire northeast. I was working for a power company at this point. I was at a tennis game, and it was really cool.


It was like, you know, one of those vendor type things. I was, you know, having a great time. All the lights in the stadium went out. It was about four in the afternoon. I didn't really think much of it. I figured, it'll come back on. And then all of a sudden phones started ringing everywhere, including mine. My boss said, get in here, we got a blackout.


I said, where, Toronto? And he goes, bigger. Ontario? Just keep going, okay? It took me what should have been a 20 minute drive, two hours, to get back into the office because all the street lights were out. Everything was down. The really cool thing was, people adapted, and you had random citizens acting as traffic cops. It was slow going, but it worked.


And that's just it. They came together, they figured out a way to work together, and after that we had a review of what actually had transpired. I had various different law enforcement agencies, including a member from the RCMP. He was really good. The RCMP officer had all these great questions. The CSC guy had fantastic questions. The guy from another agency fell asleep, slumped forward, head on the table for a hot minute.


We all thought he had just died. Turned out he was a very heavy sleeper and he just had not taken any notes. And both the other teams jumped on him and they went, we have to work together on this. And he was right. He was missing the boat entirely, because bad things can and will happen. Now, one of the things that I learned from one of my mistakes was I used to do a lot of security research, and I was working for a power company that had access.


I had built my own lab. It was fantastic. And I went and I was like, okay, we have these usernames and passwords and code and all the rest of it. What happens if I test the security controls that we're using and relying on within our environment? So I went through and I was able to get CVEs for all of these pieces of software, or all these companies, rather.


The really cool thing was, websites in less than two hours fixed the problem and pushed it out to their customers. Mad props to them for that. Symantec, that took 18 months, 18 months, to fix a problem, because that particular problem that I found was in a language library. And guess what? It was not shared across all the different language sets; they had to go through and update each individual language set.


And it took them eight minutes, eight minutes, 18 months to get the fix out. And then, well, Cisco, I work there now, which I never thought would happen. So I found a rather significant vulnerability in their software, which will remain nameless. And I sent it in and they're like, oh, man, this is really bad.


And they sent me a fix and they said, can you test it? I said, sure, and if you remember Paros proxy, I was running it at the time, and I didn't realize it was still on, and it caught an error and I went, okay, what's this? And I was able to inject directly through this piece of software and get a command line.


And I only found that entirely by accident. So thankfully that never made it to the outside world. But this is one of those things where, you know, they fixed it very quickly. I thought my name was mud with Cisco, but it turns out they actually still like me. Now, all of those things were really interesting until I got to another company that rhymes with a steak sauce, and they threatened to sue me into oblivion.


As security researchers, these are the kind of things we have to worry about: again, the perception, getting people to understand. And the thing I didn't learn was, I backed away. I stopped doing any and all security research at that point, because I couldn't afford to get sued by a mega company. So I pulled back. I wish I hadn't, because nowadays I could make bank.


But bad things can and do continue to happen. How many people have had a beige desktop in their production environment running mission critical code written by a summer student with no documentation? I'm seeing hands go up. Me too. These are the things that we always run into. And again, we're repeating the same problems over and over again. We have to get off this hamster wheel of pain.


Full credit to Andrew Jaquith for that one, because the vulnerabilities will keep coming. We have to figure out a better way to do things. And one of those ways that we do that is to look at how we democratize security so that the end users feel like they're part of it. If we're giving them tools written by engineers for engineers, guess what?


You're not going to get anywhere. If you're putting in extreme security controls that are going to make everybody's life miserable, they're going to pull a Dave and go around it. We have to figure out a better way to do things. How many people here get their parents to use PGP? Exactly. To be clear, I love PGP. I would never get my mother to use this, because I like to get invited for dinner.


Now, when we're born into this world, we default to trust. We don't default to security. We default to trust because we're looking for food. We're looking for shelter. All of these elements, and most people never move away from that. Security practitioners, we're a darker bunch, because we look at, you know, the other side of things. And that's good, because criminals will continue to crime, they will continue to do bad things.


And the problem is, after having done this for three decades, this really came to a head where it was affecting me in a very negative way. So about a year ago, I was in Vegas and I fell apart. I came completely unglued. I was basically nonfunctional in my hotel room. I couldn't get out of bed. This is not a good way to be, and unfortunately this happens too often.


I've had too many of my friends go through this. This is why we need to talk to each other. We have to stop being angry all the time. We have to find the upside to what we do. We have a noble purpose. We're here to help secure environments. We're here to help make sure that the wheels keep turning.


And we want to make sure that we don't lose any more security practitioners. I was very, very lucky. It just happened to be during summer camp. I had a lot of good friends there I was able to talk to, and I was able to work through it. I pulled back from social media. I haven't been on Twitter to speak of for about a year, and I pulled back from all of these things because I had to reevaluate myself.


I had to look at my own priorities and understand how I could improve things. And this is a big thank you to all the people that have helped me along the way, my wife number one amongst them. She's absolutely awesome. When's the last time you've talked to some of your compatriots in the industry? I've had some friends that unfortunately passed for similar reasons, that I had not talked to in a year, for no good reason other than happenstance.


Life happens, and this is one of those things where we have to make sure that we're going out and reaching out to folks that we may not have talked to in a while. It's a simple question. How are you? How are you doing? We have to move away from the way we've been. We need to stop being angry.


We have to figure out how we can view ourselves in a better manner. And not only do we have to be the lifeline for others, but you have to be a lifeline for yourself, because security takes a toll. I don't have to tell any of you that; everybody knows. We've all seen what it's like to be a CSO.


Asleep. Oh wait, never mind. We want to make sure that we're changing our habits and figuring out a way to make things better. And also, we want to make it better so that our end users can feel safe and secure when they're doing their jobs.


There's safety in numbers. This is one of the great things about HOU.SEC.CON. and other cons like this: it brings the community together. If you do nothing else in a conference like this than meet one person, you've already won. You're doing a much better job than most. You want to be able to have conversations with others to build them up.


Build yourself up as well. We've got to stop tearing each other down. We have to learn from the mistakes of our past. For me, it's been a very long road. It's taken me a year to be able to get up here and even talk about this.


Thank you.