To defend against modern day hackers, you must train your mind to think like one. Ted Harrington is the author of “HACKABLE: How To Do Application Security Right”, which is an Amazon BEST SELLER in 9 Categories. He is also Executive Partner at Independent Security Evaluators (ISE), the security organization famous for hacking everything from cars to medical devices to smartphones, and more. Ted has been named both Executive of the Year and 40 Under 40. He also co-founded and organizes the popular IoT Village, and currently hosts the “Tech Done Different” Podcast.
He steps into the BarCode to drop knowledge on application security, DEFCON’s IoT Village, and even gives us the inside info on how to hack your way into a bar!
SYMLINKS
LinkedIn
Twitter
TEDHARRINGTON.COM
Hackable: How to do Application Security Right – Amazon Link
ISE
ITSP Magazine | Tech Done Different Podcast
IoT Village
DEFCON SAFEMODE (2020)
Nobile Experiment
The Neighborhood
DRINK INSTRUCTION
THE INFECTION
1 oz Gin
1 oz Midori
Grape Juice
Club Soda
Add gin and Midori to a shaker with ice. Fill with equal parts of grape juice and club soda. Shake and strain over ice in a glass.
CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com
Chris Glanden 01:37
Ted Harrington’s mission is to help you get security right. He’s a leader of ethical hackers helping communities build better, more secure software, and an established author, keynote speaker, consultant and podcast host specializing in penetration testing, secure software development, and other related areas of cybersecurity. Ted, my friend, thank you for joining me. Welcome to BarCode.
Ted Harrington 02:00
Awesome, Chris. Thanks for having me. I’m pumped to be here, dude.
Chris Glanden 02:03
Cool, man. Talk to me about your background and how you got into cybersecurity.
Ted Harrington 02:09
Yeah, I came into security from the entrepreneurial angle, which I think surprises people sometimes when they look at my background, like, wait, you wrote this book, and you did all this stuff. But that’s actually where it came from. I wasn’t the guy hammering on a terminal at age five, like a lot of people who actually work for our company are, and I’m really fortunate to be around them. But I guess my story was that I’ve always been inspired to try to solve problems, and I always wanted to run a company and all this stuff, and so I started my first company while I was in college, and that company was really focused around advanced logistics, which doesn’t sound interesting or sexy at all. But it was a real problem that my fellow college students had, and I went out to go solve it. That was when I learned that I don’t really like dealing with the individual consumer. Individual consumers are emotional and petty, and they make decisions out of emotion, rather than, when you work with companies, they for the most part make decisions out of logic and reasoning. There’s still a lot of emotion in business to business.
So, I did that for a few years, and then when I graduated college, I really determined that I wanted some mentorship. So, I joined a company where the founder and CEO, all he wanted to do… he didn’t want to run the company anymore, he just wanted to mentor, and I’m like, yep, let’s do that. I mean, it’s amazing that I found literally exactly what I was looking for, which was an entrepreneur who would mentor me on entrepreneurship. That’s probably one of the things that I would recommend to anybody: find a mentor as early as you can, and just milk them for every piece of knowledge that they can share. After that, I went on to become the CEO of a tech startup that was focusing on water conservation, and you can sort of see these themes start to reveal themselves through my journey, which was, you know, first it was like, I knew I wanted to start a company, but not any type of company, and then it was like, okay, I want to do a company that matters, and you realize, okay, well, the company has to matter.
I think water conservation matters, but the market also needs to want it, and as important as water conservation is, people just weren’t willing to spend money on it, and as I was deciding what to do next, that’s when I connected with who’s now my business partner. He had started our consulting company a few years prior, bought out his co-founders, and he was looking for somebody to help him sort of reimagine the company, take it to new heights, and as soon as we met, it’s like, I got on a plane on Saturday morning. I was in San Diego at the time, I flew to Baltimore, where he meets me at my hotel like an hour later. 10 hours later, we’re standing out on a street corner, beer in hand, we’re like, pretty drunk, and we’re like, let’s do this, man. That was about nine years ago, and today we’ve built this security consulting company into something that I’m really proud of. We’ve helped hundreds of companies with tens of thousands of security vulnerabilities, and I mean, these are the companies that everybody knows: Amazon and Google and Microsoft, Disney and Netflix, the list goes on.
So that’s how I got into it. It was really looking at it in terms of how can I solve a problem, which is what entrepreneurship is at its core, and then, when I was first introduced to security, I realized, wow, this is nothing but hard problems, and it really matters. I mean, security really, really matters, and I knew that I’d found my forever home, and security is my life now for sure.
Chris Glanden 05:54
Nice, man. So, the consulting company you’re referring to is ISE, Independent Security Evaluators?
Ted Harrington 06:01
Yep.
Chris Glanden 06:02
Can you talk about the services you provide? Is it strictly security consulting? Or do you perform pen testing as well?
Ted Harrington 06:10
Yeah, the pulsing heartbeat of what we do is ethical hacking, and that, of course, manifests in a number of forms. Security research, obviously, is one of those; that’s not a service we’re going to get paid to do. I guess there’s been a few occasions where people have paid us for research, but primarily that’s an activity that we do in order to publish research and talk about it. Our core offering is security assessments, where companies who need to build better, more secure systems, they’re trying to understand their vulnerabilities, they’re looking for someone who can apply that malicious mindset, and that’s what we do. In addition to that, there’s things like, you mentioned security consulting, penetration testing. That’s such a difficult term, because it means so many different things to so many different people. I mean, I’ll even tell you a story about that. You know, in my book, I wrote an entire chapter about the problem that is this confusion about penetration testing, like, what is it? What does it really mean? …An entire chapter, and yesterday, someone reached out to me on LinkedIn, read the whole book, his entire career has been penetration testing, and his question was a really, really good one. He’s like, where’d you get this definition? I’ve actually never heard this definition before, and I kind of had dueling reactions to that, because on one hand, I’m like, well, that validates why I needed to write this book. Because if I’m writing what the definition of the term is, and people who are the practitioners of that themselves don’t even know, that’s a really big problem. And this isn’t a value judgment; I’m not saying that guy is ignorant or stupid or anything, far from it, actually. So on one hand, that was like, okay, well, good, this is validating. On the other hand, it’s depressing, because it’s like, wow, the person who’s sitting in the seat of the service sometimes doesn’t know what it is.
So, the short answer to your question is, yes, we do penetration testing, but the person who needs penetration testing might not even necessarily realize what it is. But basically, any service that helps people understand their vulnerabilities and fix them. Then we also have a team of software developers who help build products securely. So most development functions are focused on development; ours is focused on the security aspect of development. And then a big part of that is, of course, management of vendor security risk. So, enterprise A wants to work with vendors one, two and three. How do they know that vendors one, two and three are secure? Managing that process is something we help with too.
Chris Glanden 08:40
Very cool. So, on your website, I noticed ISE has done some car hacking as well. Is that true?
Ted Harrington 08:48
Yeah, we’ve done some pretty cool pieces of research, and the very first one was car hacking. That’s kind of a fun story. That was all the way back in 2005, and you think about how many lifetimes ago that feels like. That was when my business partner Steve and a couple of his colleagues in the Ph.D. program at Johns Hopkins were deciding what research they were going to do next, and they came across this claim that was being made about what’s called the immobilizer function in cars. Basically, it plays a role in the ignition sequence in order to prevent theft, right. It basically says, when you stick the key in and you turn the key, is this the authentic key? There’s a chip in the key, it communicates with the onboard computer in the vehicle, and that communication was at the time considered to be, put this in air quotes, un-hackable. Like any hacker-minded computer scientists, he and his colleagues were like, “Okay, challenge accepted. Let’s go take a look at this”.
So, they went out, and it took a few weeks to reverse engineer the cryptographic algorithm, and then a few weeks to build a weaponized software radio, and then a few weeks later there they were, sitting in this desolate parking lot on a blustery winter Baltimore morning, and they started this car without the authentic key that was supposedly un-hackable. That story, I mean, besides being kind of awesome, that story would be newsworthy today, in 2021. Back in 2005, there weren’t as many people publishing research, and part of the reason for that is because companies basically just sued security researchers. They didn’t know how to deal with people of our ilk, and so they would sue them, and somehow we did not get sued. I still marvel at how we threaded that particular needle. But when we went to publish the research, for obvious reasons, because it was groundbreaking and certainly something that was not common at the time, it was picked up by media outlets all over the world, and what happened next was really interesting, because then companies came calling. They read the story, and they said, hey, it looks like you guys know how to find these vulnerabilities in software systems, can you help us with what we’re trying to build? And that was really the origin of what our company is today, and you know, 16 years later, here we are. We’re a lot more mature of an organization than a few dudes in a PhD lab just kind of hacking together a piece of research.
But the fundamentals, the ethos, is the same: we’re constantly looking at things to find the weakness, so that we can help companies fix those weaknesses. Because the reality is, and this is sort of the premise in a lot of ways of my book, the question isn’t whether or not vulnerabilities exist. They do. The question is, who will find them first? Will it be the attackers? Or will it be the ethical hackers, the good guys like us? I argue that it needs to be the good guys. Because if you’re building something, you need to ultimately get rid of those weaknesses in order to be successful in the mission that you’re setting out to achieve. So that’s the car hacking story. It was sort of our origin story.
Chris Glanden 12:16
I love it, man, and I guess you saw Tesla come up during that time, too, and the evolution of computer systems within their vehicles. Have you noticed car manufacturers are becoming better at security, or are you still hacking cars?
Ted Harrington 12:32
So, we have not focused on the automotive world very much since that research. But I obviously have observed it from afar, and like, who’s not interested in what Tesla is doing on every aspect of their business model? I can give you some generalizations. So generally speaking, I do see, on the whole, if you take in aggregate all companies that build systems, security is getting better.
So, if you looked on average at all security across all systems today, compared to all security across all systems 15 years ago, that level is higher. But that level relative to the scope of attack surface is not really getting better fast enough, and so we’re seeing the world really broken into, if you can imagine a bell curve, it’s almost like it’s broken into these three parts, right? A bell curve, you know, starts little on the left hand, and it goes up, and there’s a big part in the middle, and then it goes down, and there’s a little part on the right. When we think of the bell curve, the lower right part, the progressive organizations, they’re the ones who are looking at security, they’re doing it right, and they’re turning it into a competitive advantage for their business, and that’s one of the arguments I make in my book. That’s the argument we make to all of our customers.
That’s why many of our customers even hire us, as they’re like, yeah, security is cool, and it’s important, I get that, but we need to make it return value to the business, and security done right absolutely does do that, and we could talk about that later if you want. But the problem is, when you think of that bell curve, the companies thinking that way, they’re the little guys in the right-hand corner, and the majority of the world today is either in the middle, which is like, they know security is important, but they don’t necessarily know how to do it, and they’re trying to see it as a cost to minimize, and then there’s the people on the other end that are still head in the sand, who don’t realize that security is even a thing. So that’s sort of where the world is today, and I think that presents a lot of opportunity, actually. Because companies who do security, who can figure out how to do it, invest in it appropriately, and then get that converted into business value, when you’re in the minority, and everyone else is in the majority, but the buyers want what the minority is providing, that’s an enormous opportunity.
Chris Glanden 14:58
Definitely, although investment is a hard sell in many, many organizations, being able to justify that cybersecurity spend.
Ted Harrington 15:08
Oh, that’s a huge problem for sure, and there are lots of smart people writing books and advocating for how to do that, and the ways that I advocate for how to solve that problem are a few. So one was: we have to understand the business justification. I’m an idealist, and I look at security, and I’m like, security matters because security is the right thing to do, and the way I always think about it is being kind to your neighbor. Your neighbor slips and falls, you’re going to run over there and pick your neighbor up. Because it’s the right thing to do; you’re not going to do it out of expectation of some sort of compensation or some sort of return. It’s inherently a good thing. You do it because it itself is worth doing, and I believe that security is like that. But I’m also a pragmatist, and I realize that we live in a capitalist society, and even things that are the right thing to do, companies just aren’t going to do them unless there’s a business case for it. As I was thinking about that scenario, I started thinking, okay, well, I looked at our customer base, and I said, well, why did these companies hire us? Why do they spend a lot of money on us? Because it’s the right thing to do? Pretty much universally across the board, while they do all believe security is the right thing to do, it’s part of their ethos, it’s really clear that almost all of them look at it to say, well, I’m trying to gain a competitive advantage, and that competitive advantage is this. Most buyers of solutions or services, like any company that buys anything from someone else, whether that’s a license or a subscription, or even a mergers and acquisition activity, they want that software system to be secure. That’s an expectation. Of course, they want it to do the things that they want it to do.
So, whatever the problem is, the expectation is this should be secure. So that’s one factor: we have to keep in mind that the buyer expects security. The second factor we have to keep in mind is that almost nobody does it right, let alone talks about it right. I actually did a little study in the context of this book; I wanted to put some data to that point that I just made, and so I looked at 200 enterprise class applications, SaaS systems, whatever, and of those 200, only 4% of them actually talked about security right and did it right. So you look at that and think about that: 100% of the buyers want X, but 96% of sellers don’t give it to them. If you can be in that 4%, that is an enormous opportunity, and so that’s the case that I make to companies to talk about how you justify security. I mean, you do need to think about it in terms of reducing risk, no doubt. I’m not, in any way, saying we should get rid of the field of risk; that’s critically important. But a lot of members in the executive suite, they look at that as like, well, I’m willing to roll the dice. You know, that’s kind of the attitude.
So, they’re willing to say, well, maybe we’ll spend a little bit less until this bites us in the butt. But if instead they’re presented with something to say, look, here’s how you can make money, you can close more deals faster, bigger deals, you can better differentiate from the competition, you can actually close the door behind you to your competitors, to say, hey, I’m through the door, these guys aren’t. That’s enormously powerful, and that is what gets a lot of companies in gear. So that’s one of the things that I really advocate for: while you do need to think about it in terms of avoidance of a bad thing, like, let’s not get hacked, think about it in terms of obtaining a good thing, which is sales, customers, market penetration, competitive advantage.
Chris Glanden 19:01
That’s a great perspective, because you don’t see it often. I think you need to start consulting these software developers.
Ted Harrington 19:08
Yeah, I mean, we do in a lot of ways, and it’s funny, because when I was setting out to write the book, you don’t want to write a book to everybody. You want to pick a specific audience who has a specific problem that you know how to solve, and go solve that problem. Because when you try to be everything to everybody, you wind up being nothing to nobody, right? It’s too watered down. So I could have written a book about the principles of security, and then it would be like, yeah, okay. But if I write a book about application security, every person building software is like, that’s my problem right there. Cool.
Chris Glanden 19:41
Exactly.
Ted Harrington 19:43
When I think about the audience for that, I said, okay, well, who am I talking to? I literally wrote the book as if I’m talking to somebody across the table having a beer, and that person was the sort of CTO equivalent. So that was the primary audience, right? The person who’s responsible for the security of their software system, but it might not even necessarily be their job, right? They might have somebody that reports to them. But nevertheless, if there’s a breach, who’s at the other end of the pointed finger, saying, hey, what happened here?
That’s sort of the core audience. But then as the book came out, a really surprising thing happened, because my primary audience was CTOs, and my secondary audience was software developers and security professionals, and I organized it that way not because those audiences aren’t served by this book, but because I had to be really clear on who the primary audience was. But as I thought about it, these same principles really matter to the developers and to security professionals, and when the book came out, those two audiences are the ones who have really been banging down the door as much as the sort of leadership audience I wrote it for. That, to me, has been really rewarding, to know that I’ve been able to actually address and solve problems for a wide range of people by having such a narrow focus.
Chris Glanden 21:03
Yeah, 100%. I actually wanted to hit on that. You know, application security is not only the responsibility of a developer, a leader, an analyst; each role is critical. In terms of developers, though, do you still believe security is an afterthought, or do you see public vulnerabilities causing more pressure for organizations to increase security within the development lifecycle?
Ted Harrington 21:29
I think the problem for developers is a little different than the problem for the exec leadership. The problem with the leadership is they’re trying to make this business case, and they’re like, well, I only have so many resources, they can only go in so many places, and I’ve got to figure out how to balance those constraints. Because most organizations don’t understand how to think about security in the context of the business value, security winds up being this thing like, okay, well, that’s kind of overhead, that’s kind of taxes, how do we reduce those things? So that’s the problem that leadership has: they don’t necessarily understand how to think about it from a business standpoint, and then because of that, they don’t even know what the right approach is. And again, I’m not making a value judgment of anybody. I’m not saying that they’re stupid for thinking that; it’s just the unfortunate reality. They find themselves in that situation, like, what do I do with this? And that’s why they read a book like this. But developers’ problems are a little different.
So, software developers, they have a few challenges. One challenge is that the leadership determines where they prioritize their time and effort, and if the leadership doesn’t necessarily prioritize security, how is the developer ever going to do that? The second problem is that security is typically not core to most training for most software developers. If you look at, I mean, any computer science program in the United States, maybe there’s a class on security, maybe there’s a club on ethical hacking, but it’s not the core, and there are security degree programs popping up. But the point that I’m making is that developers are first trained to develop, and then it’s like, oh, also, you’ve got to make it secure.
Now, there are plenty of developers who are really good at security. They care about it, they prioritize it, they spend a lot of time and effort studying it, and for those people, they still don’t have enough time to do everything that they need to do in the way they need to do it. The business is kind of breathing down their neck with looming deadlines and stuff. They get really demoralized when they’re like, I just built that thing last year, and now I have to go rebuild it, because it turns out there’s this big security flaw we didn’t know about, and my boss was forcing me to hit this deadline, so I wasn’t able to work with an outside security partner to help me make sure we got it right the first time. So those are obviously related to the problems the leadership faces, but they’re really different, and I address all of those problems in this book, how to think about it.
Chris Glanden 24:03
Yeah, I’m stoked about the new book, “Hackable: How to Do Application Security Right”. It’s number one on Amazon right now. How was writing the book during the COVID pandemic? Did that have an impact on you?
Ted Harrington 24:14
To some extent, it made certain parts harder, and it made certain opportunities appear that otherwise wouldn’t have. So, for example, I typically travel a lot, and I just know about myself that while I work on planes really well, that’s not a conducive place for creativity and writing. So I think that would have really been more disruptive. So I was probably able to produce the book faster because I was basically at home almost every day. But when I think about why I wrote the book, I noticed a couple things.
So, I mentioned that I’m a partner in this security consulting company. We work with companies every day trying to solve their security challenges and trying to build better, more secure software systems, and I noticed something that was happening, which was that in pretty much every meeting that I had, whether it was with customers or prospective customers, or just meeting people out in the community when I’m giving talks or whatever, the same 10 problems kept coming up. Not everyone had all 10 problems necessarily, but everyone had at least some of these 10 problems, and I thought that was really interesting once that actually permeated my brain and I acknowledged that, hey, there’s this trend here, there’s these 10 issues. Then I started thinking about, well, how do you solve those problems? And that was the moment, that was the swift kick in my butt to get me into gear to write this book. Because when I looked at what the conventional solutions are, what people say are the solutions to these common problems, almost across the board, they were completely backwards, and I rejected that. I found that to be unacceptable. Because think about what that means. That means that you’ve got someone who’s building something, they’re on a mission, right? They want to build this software system that changes the world in some way.
So that’s the first thing. Then they realize, hey, this security thing, I’ve got to figure it out. But I’ve got a couple problems, or I’ve got multiple problems, I’ve got 10 problems.
So, these are smart people. So they’re like, alright, well, let me go solve those problems. Then the solution that’s told to them about their problem is incorrect, and they don’t know it. Because how could they know it? They have the problem, the experts are telling them this is the solution, or they’re reading the solution this way online, and I’m like, man, that is tragic. I mean, it’s hard enough to build software systems, hard enough to do security, and then to think that the advice on how to approach it is actually incorrect. That was like, no more of this. I know how to solve these problems. I’ve acquired the knowledge and expertise, I’ve got stories for days, and it would be irresponsible to do anything other than go teach people how to solve those problems.
So, I put it all into the book, I mean, literally the same advice that we give our customers. The only thing that I couldn’t really put into the book is an actual security assessment. Like, you can’t read a book that’s like, I’m now assessing your custom SaaS; you just can’t do that. But I told you how we would do it. I said, you know, this is the step that you should do first, then you do this step, then you do this step. And that’s my hope, that by putting this out in the world, because I can’t talk to everybody, there’s limits on my time, I can’t talk to every single company that has these problems, a book can magnify my reach. So that was really what I was hoping to do: share the knowledge that I’ve acquired, teach people how to solve these problems that they might not even realize are so complicated, and just take this knowledge of our consulting practice, our penetration testing and security assessments, the same way we’ve helped these big enterprises and these startups that no one’s heard of yet, and ask, how do I help other people? That was the goal.
Chris Glanden 28:06
That’s awesome, man, and yeah, my copy’s on the way, I can’t wait to read it. Yes, I still prefer hard copies. So, you mentioned traveling, and I’ve always enjoyed traveling out to Vegas to attend Black Hat, DEF CON, BSides. Unfortunately, I wasn’t able to get to DEF CON Safe Mode last year. But I know you co-founded IoT Village, which you see at DEF CON, RSA and other security conferences. For those that aren’t aware, would you mind explaining what IoT Village is?
Ted Harrington 28:40
Yeah, it’s kind of a fun story arc for where we got to. So, first, we have to describe what DEF CON is, so people know. DEF CON is the largest security research conference in the world, and it’s like the hacker dojo. You show up and it’s just bad body odor and crazy haircuts, and everyone wears black t-shirts, and it feels so underground, and you feel like you’re home. For security people, you feel like you’re home, and you’re not in this big corporate environment. Even though there are obviously companies there, you’re like, this is where people come to learn. Practitioners want to come, hands-on people who aren’t yet practitioners but want to become one someday, they show up.
So, DEF CON is an incredible, incredible community as much as it is a conference, and DEF CON has these different content areas, and it’s this concept called villages. A village is almost like a conference within a conference, and they’re focused on a particular topic area. Up until, I want to say, I forget the exact year, but it’s probably around 2015, maybe 2013, somewhere in that range, DEF CON had, I forget the exact number, but maybe 15 villages or something. There weren’t really that many, and there was an opportunity that we had where we had just published some research that showed all this hacking of all these routers. We showed how the routers that you have at your house, I have at my house, everyone has in their small office, were vulnerable to all these different types of attacks. And I can’t remember whether they approached us or we approached them, but somehow we had this conversation with DEF CON about, well, why don’t we turn that into some sort of contest at DEF CON? And they’re like, okay, well, you’re proven researchers, but in DEF CON’s eyes, it’s like, who are you? We don’t know you yet in terms of producing any content. So, you know, when you go to a conference, there’s the main area where whatever’s happening, and then you go down a hallway, and that’s where some of the smaller rooms are, and then you go down another hallway and even smaller rooms, and then there’s another hallway. We’re like yet another hallway down from there. We’re in this room, we’re in the back corner of it, just one table, like three or four of us, literally behind a trash barrel. I mean, people were throwing trash at us, not meaning to throw trash at us.
But there was more than one time where a piece of trash landed on our desk, and we’re like, talk about humble beginnings. But you know, that event and the contest went really well. We figured out some sort of guerilla marketing techniques to figure out how you get people down the hallway, down the hallway, down the hallway, down the hallway to a back corner of a room that’s not ours. We were able to figure that out, primarily by giving away t-shirts. We ran all these contests that got people to come in there. So the contest went really, really well, and then the next year, that was the year when the Internet of Things was starting to be recognized, like, hey, this is a thing.
Chris Glanden 31:50
Yeah, I mean, do you think that was because IoT wasn’t as popular then? And people didn’t really own IoT devices at that point?
Ted Harrington 31:58
I mean, I would argue that IoT has been around for a very long time. But the sort of badge of, like, IoT is a thing now was starting to make its way into mainstream nomenclature, I guess, and we had a conversation with DEF CON after that first contest. And, again, I don’t remember whether they reached out to us or we reached out to them. But we had this conversation that was, in hindsight, pretty damn bold. We’re like, why don’t we create a new village focused on IoT? And DEF CON’s like, hey, that contest went great, we like you guys, go for it. We’re like, now what? Now we’ve got to actually create a village.
So, we went and we put together this village. It’s focused on really highlighting security challenges in the Internet of Things, and that’s really how it started. It was like, let’s get routers and let’s get connected washing machines and ovens, and we’ve had ATMs. We’ve had all kinds of stuff, like in one talk a dude shot a drone out of the sky by issuing a command. He was like, kill, and then the drone fell out of the sky.
So, all these cool things really happened. We had researchers come present research, we had people give talks, we had workshops, we had a capture the flag contest, and our capture the flag contest wound up being really successful in that it attracted so many people who are so talented. DEF CON has this concept called the black badge, and the black badge is kind of like the Hall of Fame jacket for the NFL or pick your sports league. It’s like, here’s this lifetime designation of your awesomeness.
So, if you get bestowed a black badge, that’s like getting that honor, and our contest wound up being so badass that the winner of it was given a black badge by DEF CON, which is this, like, lifetime designation of amazingness, and that happened actually not once, not twice, but three years in a row. So that’s, like, crazy that we created that. That’s probably the thing I’m most proud of. We created a platform that enabled others to achieve their pursuit of greatness, level up their professional career, share the vision of what IoT security is about, and now I’m obviously biased because I’m one of the people who put it together, but I would argue that IoT Village is the best, or at least one of the best, villages that happens at DEF CON. It’s just like this purple light that is behind me is actually from DEF CON, or from our IoT Village traveling circus. I was like, you know, I think that’s going to be my home office now.
So, this is an events-grade light. This isn’t some, like, cheap little light bulb. This is expensive, way overkill for my office, but that’s what it is. We’ve got this, we build a community. We bring people together. Let’s talk about the security challenges in IoT. Let’s hack stuff together. Let’s make sure we’re teaching the next wave of entrants into the security community, let’s make sure that we’re highlighting the research of people who are making contributions, and it’s just been a really, really inspiring and enjoyable thing that we’ve done for five or six years now.
Chris Glanden 35:15
That’s awesome, man, and with DEF CON, you already have the elite of the elite already on site. You don’t need to hunt them down; they come to you. So, the IoT Village is great. I highly recommend stopping by for anyone attending DEF CON, and hopefully we’ll be able to see DEF CON on site once again in 2021. You know, I’m looking forward to that. Did you guys participate in DEF CON Safe Mode in 2020? And if so, you know, how did that translate for you guys?
Ted Harrington 35:42
Yeah, the move to virtual wound up being a positive, I think, for us, which is crazy to think. It’s like, wait, you run an event and you can’t run an event, and there was kind of a funny moment to this where we… at the very beginning of last year, we hired this new person to take over running our event series, because IoT Village, of course, started at DEF CON, but now it goes to conferences all over the country, and even places around the globe too, and so we wanted to bring someone in to make that the dedicated focus for that person, you know, still using other resources across our company, but like, your job is you run events.
So, this person joins the company literally the week that quarantine, that shutdown, starts. So, we’re like, welcome to the company, you can’t meet your coworkers, and she still actually hasn’t met most of her coworkers in person. Oh, also, we have to change the entire format from an in-person event to a virtual event. Get to know our culture, get to know this event culture, get to know how to run it, oh, and you have to change the format. Also, you can’t interact with anyone in person. Good luck. That’s, like, a crazy tall barrier, but the whole IoT Village team really looked at this as an opportunity, and they said, okay, well, we can’t physically go to events, and we have sponsors who want to get value out of this, how can we continue to deliver content, deliver value to our sponsors? And the shift to virtual wound up being just amazing, because, number one, we could reach people across the planet. So, the barrier had been removed of you need to get on an airplane.
So, we did an event in India, where it was maybe one of our most successful events so far. There was so much interest and appetite for it, and what’s crazy is, it’s like, man, those same people, to attend that in person, they might not have been able to because of exchange rates and things like that, plus the time to travel. Even if, like, 5% of that audience maybe would have physically traveled to DEF CON, that’s probably a high estimate, and I think 95% of the audience is a completely new audience.
So, we were able to get around travel restrictions, get around any sort of visa requirements or limitations that might prevent someone from coming to the United States. Of course, our material expenses went down because we didn’t have to travel or ship things, which meant we could do more. So, we could do more events, and our sponsors loved it, because they paid for X, but they got like 3X in terms of reach and impact, and it just wound up being a really good thing. So, I am very much looking forward to live events coming back. But there’s no doubt that we will move into a hybrid of live and virtual because it’s just so good for so many people.
Chris Glanden 38:30
Yeah, I was going to ask you if you were planning this shift to a hybrid model. I mean, it makes sense. I think both you and the participants would gain value from that. You know, in many ways, COVID has been detrimental to a lot of people, although in other ways it has exposed the possibilities and value for events such as this to go virtual.
Ted Harrington 38:55
100%.
Chris Glanden 38:57
So, you also host the Tech Done Different podcast. Can you tell us about that program, and also where our listeners can find it?
Ted Harrington 39:05
Yeah, I knew once I finished writing my book that I was going to do a podcast, just because one of the things I really enjoyed about the writing process was talking to people whose problems I was trying to solve, right? So literally part of the writing process was calling up those CTOs or equivalent and saying, tell me about your problem. Why does this suck, or why is that a problem? What do you do? And that helped put me in their shoes. I really enjoyed that sort of interview process.
So, I was like, man, I could probably do a podcast, and so at first the thinking was, oh, well, I’ll call it the Hackable podcast, and then I’m like, that would be a good name for the podcast and, you know, obviously put continued emphasis on the book and everything. But the guests that I want on my show, I really want those CTOs or equivalent, I want those to be at least like half of my guests, and are they going to show up on a show where they think I’m going to be making them talk about their security vulnerabilities? And I’m like, that doesn’t really serve the guest, that serves me, which is the exact wrong reason to do anything. I need to start with, how do I serve someone else? And then once I figure out how I serve someone else, figure out how can I make that serve me. That has to be the order of operations, and so that’s why I went with the concept being Tech Done Different, because I’m like, okay, well, if I’m going to serve the people in technology or in security who are responsible for securing these software systems, what do I need to do for them? Okay, well, I need to help them think differently. That’s the big problem that I see in where security approaches fail: they’re thinking in these, like, herd mentalities of the wrong approaches.
So, I want to make people think differently. So that’s where the name certainly comes from, you know, Tech Done Different. From there, yeah, about 50% of my guests wind up being those people who are directly, you know, CTOs or even developers or security professionals, and then the other half wind up being people completely outside of technology and security, in order to inject that different level of thinking. So, I’ve had Olympians, Olympic champions even, not just Olympians, like gold medalists. I’ve had Las Vegas headliners. I’ve had the guy who runs the FBI Behavioral Analysis Unit. I mean, I’ve had these just like, and let’s be honest, that serves me a little bit too. I’m like, oh, there’s a cool person I want to talk to, let’s do a show. It’s really fun to say, like, okay, wait a minute, so people think X, but they should do Y. That’s essentially what the conversation winds up being.
Chris Glanden 41:34
Nice, man. It sounds like an awesome show. Is it on Apple Podcasts, or is there a link to it on your website?
Ted Harrington 41:41
Yeah, if you go to TedHarrington.com backslash podcast, all the information about the show is there and where to get episodes. And yeah, it’s on all of the major platforms. There’s a little bit of weirdness in terms of finding it, in that my podcast is part of a podcast family that’s called ITSP Magazine. So, it actually posts under ITSP Magazine. But the easiest way is just go to TedHarrington.com backslash podcast, and that’s where all the episodes are directly linked.
Chris Glanden 42:09
Cool, man. Well, it sounds like a great show. You know, thanks for sharing that information. I’ll get the links up on my site as well, and you know, at BarCode, we are a cybersecurity-themed bar. We take security very, very seriously, as you probably realized when MFA was required to get through the front door. So, I’m curious, do you have any cool bar hacking stories?
Ted Harrington 42:34
I do. I actually do. Yes. I tell this story. So, this is technically a social engineering story. But I actually write about the story in my book, and I tell it as a way to support the concept, to explain the concept of what it means to think like a hacker. Like, my advocacy is always that, hey, [inaudible 42:54] do security, you’ve got to have the right mindset, you’ve got to think like a hacker, and then people are like, okay, what does that mean? And, of course, we should first differentiate that hacker is not inherently good or bad. It’s just someone who solves problems, is creative, and sees the way things are supposed to work and says, can they work differently? That’s fundamentally what a hacker is. The media has really abused that term to pretty much only mean a bad thing. Attackers are hackers. They look at a system, they try to say, how does it work? Can it work differently? And then their motivation is something malicious. Ethical hackers follow part of the same steps. We look at a system, we try to understand how it works, we try to understand, can it work differently? And when we find that it can, then what we’re doing is not trying to hurt the system. We’re trying to say, okay, let’s change that.
So, when people are like, okay, well, explain that to me, I literally use a bar story to explain it, because I know most people have been to a bar, and maybe not everybody likes drinking, but at least they can relate to the idea of being in a line to then have to pay to have access to something, and I remember this time, a few years ago, when I show up at this bar that’s not far from here, from my home in San Diego, and there’s a long line and there’s a $20 cover charge to get in, and I can’t remember why I needed to go to this specific bar. But I needed to go to the… maybe there was a birthday party, or I think maybe friends were in there. But it wasn’t like, I don’t want that line, I’ll just go to this other bar. It was like, I need to go to this bar and this line is in my way.
So, I did what really any hacker would do: I looked at, well, how does this system work? And can I make it behave differently? And so, I understood that there was an authorization model. If you had elevated privileges, you could go in a VIP line, and if you didn’t, you go in this regular line, and in the VIP line you didn’t have to wait. There wasn’t the line and there wasn’t the cover, and so, I look at this, I’m like, well, I don’t want to wait in line. I want to escalate my privileges. I want to go in VIP. I’m not VIP, but I need to figure out how do I go in there. So, then I assess, okay, well, how does this system work? So, the VIP process operates under an assumption that if you say you’re on the list, and you’re actually on the list, you can come in. I’m like, okay. So, I now know what I need to do. My goal is, I need to be associated with that list that I am not associated with.
So, what I did was I walked right up to the VIP hostess. I said, “Hi, I’m on the list.” Now remember, I’m not on the list. But I needed her to think that I was. So, I say, “Hi, I’m on the list.” She says, “Great, what’s your name?” Now, because I’m not on the list, giving her my name is not going to help, and guessing is like, the chances I guess someone’s name off that list, it’s just, why even try? So rather than giving her an answer, I give her a vague and misleading statement, and this is what attackers do: they have these, what’s called specially crafted inputs, in order to sort of probe a system to see how it will react.
So, my specially crafted input was, I said, “I’m with the group.” Again, she says, “Great, which one?” Now, again, I’m not with a group, I don’t know the names of any groups, but I need her to think that I’m with one, and I’m also operating under the assumption that if I can produce a group’s name, that is enough to verify that I’m with the group, and thus I will be able to get in. So, she says, “Oh, great, which group?” I don’t know the group, any of the names of the groups.
So again, I use a specially crafted input, and I say, “I’m with the big group.” I’m making an assumption that one group is larger than another group, and with that, she looks at her clipboard, flips through a couple of pages, she says, oh, the Smith group, and you know, she opens the velvet rope and escorts me right past the cashier, and I go right into the bar, and that was the exact process that an attacker goes through, right: evaluate the system, identify the assumptions, issue some specially crafted inputs to see how the system will behave. When you find a vulnerability, which in this case I did when she revealed a name on the list, then an attacker exploits it or an ethical hacker identifies it, and don’t worry, even though I didn’t pay my cover, I more than made up for it on my bar tab and I way over-tipped everybody.
So, I didn’t feel good about, like, defeating that. But I was like, I’m just not waiting in line. It’s not about the money. It’s about the line, but yeah, that’s a good example. It’s obviously social engineering. But the same process applies if you’re attacking a network, if you’re attacking a software system. It’s essentially the same process.
Chris Glanden 47:34
Dude, that is a wild story, and I think that needs to be the main focus of your next book. Hacking course. I think it would be a hit. Yeah, so you mentioned you’re located out there in San Diego. What are the cool bars to go to out there? Are there any secret bars or speakeasies that you know of?
Ted Harrington 47:51
Yeah, there definitely are speakeasies, but I don’t know what’s going to survive right now. But one of the ones that’s pretty cool, it’s called Noble Experiment, and it’s inside this other bar called the Neighborhood, and that place is all boarded up right now. But I don’t know if it’s going to come back or not. But the concept was pretty cool. It’s like you walk in, and you’re already in this cool bar. But if you know about the speakeasy, when you go to the bathroom, there’s a wall of, like, all the empty kegs, and you actually push through it. It’s a door, you can’t see it, because the door is the seam of the different kegs, and then you’re in there, and it’s like 15 seats. There’s nobody [not clear 48:29], I don’t even think there’s a menu. It’s just custom craft cocktails, and it’s like, only candlelit, and it’s just places like that. There’s a bunch of them.
Chris Glanden 48:40
I love it, man. So, it’s last call here. I have one last question for you. If you opened a cybersecurity-themed bar, what would the name be? And what would your signature drink be called?
Ted Harrington 48:54
Well, I’d probably call the bar Un-hackable, because I want everybody to be like, what? I’ve got to see what this nonsense is about, and then they come in, like, oh, this is a pretty great bar. You say Un-hackable, and it’s going to attract the security-minded folks. So, my bar is called Un-hackable. Then they come in and they’re like, oh, I get it. I’m getting trolled right now. That’s cool. Let’s have a drink, and my signature drink would be a series of drinks. It would be called the Exploit Chain, and it would be like, I don’t know, a shot of Jack, and then a shot of, like, Rumple Minze, and then a beer or something. Like, maybe those are nasty together, but they’d have, like, a few things together that you’re like, oh, that’s a great combination of stuff.
Chris Glanden 49:43
That sounds epic, man, and if you build it in San Diego, I’m flying out for sure. So, for those listening, check out Amazon for the book, check out TedHarrington.com, which includes your portfolio, a link to ISC 100, the video for the book, which got me amped up about it. You know, it’s the first time I ever saw a hype video for a book, but you pulled it off. Ted, thank you so much for joining me. You know, I wish you much continued success.
Ted Harrington 50:12
Yeah, Chris, thank you so much for having me, and thank you everybody for listening. However I can help you, feel free to hit me up on my website. As Chris mentioned, I answer pretty much any question in that sense. So however I can help you, let me help you.
Chris Glanden 50:24
We appreciate you for that. Take care and be safe.
Ted Harrington 50:27
All right. Thank you.