Looking Back on Disclosure

Marc Rogers

With our second Disclosure conference in the bag, I wanted to take a look back at how things changed and what some of the key takeaways were. This year, like every other conference, we were forced to shift gears into a virtual format. This meant a lot of unknowns for us. For example, how do you preserve social interaction when everyone is isolated and scattered? How do you ensure that everyone gets an authentic conference experience instead of feeling like they are watching a TV program? Finally, and perhaps most importantly, how can we continue to push the bar for compelling content when we knew that content would be more challenging to find.

I’m pleased to say that the resulting event was an incredible success. We had significantly more registrations as word spread about us, and people came from all over the world. Participation was also up significantly, moving us from several hundred active attendees to several thousand. As for the content, well I couldn’t have been happier. We had an excellent group of speakers who delivered riveting talks and who worked tirelessly to engage with the attendees during their sessions. The ability to engage directly with a speaker during the session rather than wait for a traditional Q&A added an extra dimension that worked really well.

So here are my key takeaways from Disclosure 2020:

We managed to make up for last year by opening this year’s event with my good friend, The Grugq. As always, he showed that he is thinking three or four steps ahead of the rest of us and talked about how “Cyberwar” is now largely old news; we are now in an era of “Cybercraft” - state and nation craft empowered by cyber actors and methodologies. This is an enduring struggle where the goal isn’t as simple as “warfare” but rather much more complex and often quite nuanced. Where threat actors seek to influence, divide, and ultimately disrupt enemy states, societies, or groups. This kind of strategic thinking shows why Nation States and social media communities like KPOP fans share the same stage when it comes to strategic influence. Cyber based politics and influence is coming of age and rapidly becoming a key, if not the key strategy behind many political operations. Grugq wrote a brief about his talk here.

You can see Grugq’s talk here: https://youtu.be/_k0MkJMHPi0

SJ Terp covered the continuing evolution of disinformation and most significantly the counter disinformation activities the CTI-League has been working on. She showed how campaigns have matured both in terms of sophistication and the ecosystem that supports them. No longer are these isolated to a few highly sophisticated actors. Instead, we are now seeing disinformation-as-a-service where anyone can pay cash for a highly effective disinformation operation. Whether you want to astroturf your protest to make a group of 20 people look like 2000 or sow seeds of discord inciting violence in otherwise peaceful events, it's all available for a fee. The effect this has had ties directly into the talk Grugq gave about cyber-craft. Groups, and even individuals, now have an unprecedented ability to influence for a fraction of the resources it would have taken before. Most importantly SJ spoke about building strategies, standards, and ultimately active responses that make it possible to respond to this growing threat. From inside the CTI-League, SJ leads a team of disinformation experts who have built and are actively using these tools to track down the groups behind disinformation campaigns and dismantle their operations. As we hurtle closer towards the election in November this work shines a light on what may end-up becoming a front-line defense for the US democracy.

You can see SJ’s talk here: https://youtu.be/xohUFgI0TII

In my own talk, I challenged myself to see how many IoT devices I could hack in three days. In the end, out of a pool of 12 devices, I was able to hack 10. While the hacks were focused on physical hardware weaknesses in nature the implications were far broader than the individual devices. By exploiting these vulnerabilities, which are all too common in almost every single IoT device, I was able to modify devices, extract software, and steal passwords or keys. All of which gave me everything I needed to launch remote software attacks against all of the affected devices wherever they may be located. While the talk was structured as a how-to, in order to encourage more hackers to take up the probe and voltmeter in order to shine a brighter spotlight on hardware vulnerabilities there are more strategic lessons to be taken away from this exercise.

  • Most if not all of the weaknesses could be mitigated with secure-by-design approaches and hardware security guidelines.
  • If we are careful to ensure that we do not store shared secrets or passwords then when a device gets compromised there is no impact on anything else.
  • We need to think about the millions of older IoT devices that are littering our residences and places of business. All of them are vulnerable and it is dangerous to assume that they will fall out of use within just one or two devices.
  • Some hardware I looked at remained on sale for years after its initial release and with no way to fix these issues after release they remain vulnerable and exposed for decades.
  • As we move towards relying on IoT infrastructure for our daily lives with remote working these vulnerabilities represent a significant threat. We need to be able to trust these things for secure operations or to act as the foundation on which we prove our identity. All of that becomes problematic if the very foundation on which it is built is insecure.
  • Ensuring security by design for massively distributed consumer hardware devices is a national security issue that countries are waking up to but we need to work on this together.

You can see my talk here: https://youtu.be/_OGWQqrE47I

In our closing keynote, Samy Kamkar talked about his experiences in creating the MySpace Worm back in 2005. He talked about what it was like to be a young hacker and the shock to his system that came from crossing paths with law enforcement. The lessons he learned from that experience and advice for others following in his footsteps. Samy spoke about the hacker spirit that drives many of us and why it’s so important to recognize, embrace, and feed that curiosity. I started hacking at the end of the ’80s and Samy in the early 2000s. Those times were as he accurately described, like the wild west. There were many things that we did back then which would land you into a lot of trouble now. Yet somehow we have to give the next generation of hackers the opportunity to grow, make mistakes, and learn. Most importantly though, we need to help them to do it ethically and safely. Help them see where the lines, which sometimes can be more than a little blurred, have been drawn and how to stay on the right side of them. For me, this was probably my favorite talk. It resonated deeply with my own experiences as a hacker and is a subject very close to my heart. I believe that future generations of the hacker community will be critical to many aspects of digital life. When it comes to protecting your nation against cyber threats, no one is better equipped than a hacker who has grown up immersed in technology their entire life. We have a long way to go before these kinds of skills are taught responsibly to kids in schools, yet if we want to succeed that is ultimately where we need to end up.

You can see Samy’s talk here: https://youtu.be/nSxiqBKfQG4

Finally, you can see all of the other awesome talks from Disclosure here: https://www.youtube.com/playlist?list=PLshTZo9V1-aF-rS-TyCYgApAEAQI4q2qe

I especially encourage you to check out “Lazy, Stupid, and Unconcerned - Why you are the perfect target” by Rich Jones. Not only is it an excellent secure development talk, but it was brilliantly delivered too.

I hope that we will be able to do this in person next year, and as always we are looking for feedback on how you thought it went. Let us know what you thought the talks were like, and most importantly what you think we can do to make this a better event. Stay safe and healthy out there!

Marc Rogers
Executive Director, Cybersecurity Strategy

Marc Rogers is the Executive Director of Cybersecurity at Okta. With a career that spans more than twenty years, he has been hacking since the 80's and is now a white-hat hacker. Prior to Okta, Marc served as the Head of Security for Cloudflare and spent a decade managing security for the UK operator, Vodafone. He was a CISO in South Korea and co-founded a disruptive Bay Area startup. In his role as technical advisor on “Mr. Robot,” he helped create hacks for the show. And, as if that’s not enough, he also organizes the world’s largest hacking conference: DEF CON.