Kevin McGee (11:05)

Well, it's that time of year again. It's RSA conference week. I'm Kevin McGee and most of the time I'm the global director of cybersecurity at Microsoft for startups. But during RSA I get to live my dream and become a real media influencer. Or at the very least, I get to be the intern to one Mr. David Bittner. Now, the intern budget is not really all that great, so I understand. I had to make four stops on my flight here, but I have no idea why two of them had to be at the same airport. But it's all worth it to be here and part of the show. All week, I'll be covering the stories that don't make the mainstream. I'll be walking the floor, or at least the places my intern badge will allow me access to. I'll be interviewing those unsung heroes that work the SOC and keep us safe and trying to find some of the latest and coolest technology being developed right now. So that's what I'll be doing all week. Well, at least as soon as I'm finished ironing Mr. Bittner's hoodies.

Narrator / Host (11:58)

Our thanks to Kevin McGee from Microsoft for serving as intern Kevin this week here at RSAC conference. Kevin, I like my shirts with extra starch. Keep that ironing going.

Jake Braun (12:10)

Thank you, sir.

Narrator / Host (12:20)

Coming up after the break, maria vermazes speaks with jake braun, longtime def con organizer and former white house official, about defcon 33 hackers almanac. And slow down. You vibe too fast. Stick around.

Vanta Advertiser (12:52)

No, it's not your imagination. Risk and regulation really are ramping up. And these days customers expect proof of security before they'll even do business. That's where Vanta comes in. VANTA automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. So whether you're getting ready for a SoC2 or managing an enterprise governance, risk and compliance program, VANTA helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth.

Narrator / Host (13:33)

For me, it comes down to over

Vanta Advertiser (13:35)

10,000 companies from startups to large enterprises trust Vanta to help prove their security. Get started@vanta.com cyber.

Jake Braun (13:53)

Marvel Television's Wonder man, an eight episode series now streaming on Disney plus a superhero remake.

Home Depot Announcer (13:59)

Not exactly what we'd expect from an Oscar winning director.

Jake Braun (14:02)

Action Simon Williams audition for Wonder Man.

Narrator / Host (14:06)

I'm gonna need you to sign this.

Jake Braun (14:08)

Assuming you don't have superpowers, I'll never work again. If anyone found out monolips are sealed.

Home Depot Announcer (14:17)

Marvel Television's Wonder man all eight episodes

Jake Braun (14:20)

now streaming only on Disney plus.

Narrator / Host (14:27)

Rn2k contributing host Maria Vermazes recently sat down with Jake Braun, longtime DEFCON organizer and former White House official to discuss the DEFCON 33 Hackers Almanac.

Dave Bittner (14:41)

It's a fascinating read, Jake, honestly. So I have the PDF right in front of me, and I've read through it a few times, and I know we were chatting about space cyber, given that that's sort of my area of special interest. It does certainly cover a lot of different areas. And I found it especially fascinating coming from a point of view myself, not as a policy person, but recognizing that there is such a. I don't know if animosity is the right word, but especially from a lot in the hacker community of, I feel justified skepticism about, I think, the Hill in general and just folks in D.C. not understanding a lot of the technologies and then potentially creating harmful legislation in the direction of the hacking community. And there's a gap there of understanding in both directions that I think folks like you are working hard to bridge. And that's quite a challenge.

Jake Braun (15:33)

Oh, my God. Yes, it's really amazing when we put these report together, and in fact, we have a lot of folks on the hacker side who are like, oh, but what about this particular hack? It's so cool, and it's amazing that this person pulled it off the way they did everything. And often we're like, yeah, but does that have a public policy implication or. What often happens is we're trying to explain the research folks have done. You know, we're constantly sitting there going, okay, imagine that you're a congressman who can, you know, who can turn on a computer. But after that, like, aside from something that's about what their expertise level is, you know, or even a senior policymaker in the executive branch, we're like, you know, you have to kind of really explain this stuff in a way that these folks who, you know, look, I mean, they didn't train to be cyber professionals, they haven't taken IT or cyber courses in school. Have they ever had to hack a router or mess with a Raspberry PI or any of these things. So, you know, I don't fault them for not knowing these things, but that's kind of the big challenge is how do we explain these things so that policymakers understand it and understand the relevance?

Dave Bittner (16:47)

Yeah, I think people in infosec really should give it a read just so they can see sort of how their work is being understood by a different audience, just to think about things through a different lens, to recontextualize that work. It's a fascinating exercise, honestly. And I know when I was going through it, I found myself surprised in a bunch of good ways of like, oh, these questions are really interesting. I don't know if I've thought of them before. And there are also some areas within the almanac that I'd love to hear you walk me through. Just in general, that category I hadn't thought of. And one of them that I'm thinking of actually was about power down with despots. And that made me go, what? Tell me more about that. It was so fascinating.

Jake Braun (17:33)

One of the things that we believe, and I think a lot of people who've thought about this would agree is likely to be one of the biggest developments in human history is that pretty soon in our lifetime every human on the planet is going to be connected to the Internet one way or the other. We're in the process of connecting basically the last 2 billion people on the planet to the Internet. And you know, those 2 billion are the last 2 billion for a reason, right? Either they're in a country that has purposely kept them from plugging into the modern world, both literally and figuratively, so think like in North Korea, or they're the most underprivileged and oppressed people in modern societies who for whatever reason, you know, don't have, you know, access to the Internet and modern technology either. And what is clear is that the, the despots of the world, you know, whether it be folks dealing with the Ukraine war, whether it be a potential invasion of Taiwan, whether it be migrant communities around, around the world that are being preyed upon, trying to figure out what are the things that we can do to help these people protect their culture. In the case of like, let's say the Uyghur population in China who, who is having cultural genocide committed against them, or to potentially a group of folks in Taiwan or Ukraine who are trying to fight for their right to self determination and democracy and so on and so forth. And so just two examples of that in Ukraine, and we almost didn't include this one because it's so kind of simple technically, but this is my point about it. Maybe it was simple technically, but it's incredibly important from a policy perspective. So, you know, if all information is basically kept on the Internet and all the information about your culture may wind up having the only place it lives on the Internet, then if the government wipes your culture from the Internet like they're doing to the Uyghurs in China, then in 200 years, is your culture even going to exist? I mean, I don't know. If you don't know the stories and the history and all those things, I don't know. And so, in an effort to ensure this doesn't happen to the Ukrainian population, a group of hackers who presented at DEFCON went in right after the war and started digitally, not physically, but digitally, backing up all the artwork in the museums across Ukraine, so that in the event that they get blown up or whatever, or the art gets stolen, that there'll be a record of it for the Ukrainian people so that they can protect their culture and history from digital genocide, or the real or the physical genocide that that's being perpetrated and perpetrated against them. And so that's one example of folks being able to protect their culture and identity from digital genocide. The other thing is just being able to keep fighting. And so one of the things that Jeff Moss actually really encouraged us to take a hard look at was these mesh networks. And for your listeners who maybe don't know about it, although people who listen to your podcast probably do, but still, these are network devices that exist on really low frequency radio waves. So if, like, if the undersea cables in Taiwan are cut, and if what's worked in Ukraine with satellites keeping communication going doesn't work in Taiwan because the Chinese are far more capable and well resourced than the Russians are, then how are they going to keep fighting? How are they going to their resistance going until hopefully the Chinese give up or more folks can come help?

Dave Bittner (21:10)

So these are like meshtastic, Is that that's one of the protocols? Meshtastic?

Jake Braun (21:13)

Yep. And so meshtastic was something we tested, and in great hacker tradition, they found some bugs. But, you know, kudos to the meshtastic people. They fixed them or whatever they couldn't fix at the conference. They agreed to fix later, and I believe they did. And so these are an ability for folks to, to communicate where kind of devices connect to devices based on whose device you're connected to. But you can't basically stop it by knocking out the satellites or cutting the undersea cables, which would mean if the Taiwanese population was in the mountains of around Taipei fighting for, you know, years or longer, that they'd be able to communicate. So that was just two examples of technologies or research that's been done by the DEFCON community that we thought was highly relevant for protecting these last 2 billion as they come online and also trying to thwart the advances of despots and warlords who constantly are oppressing the least empowered among us.

Dave Bittner (22:18)

Yeah, and honestly, this speaks to, I think, the core of so much of hacker culture, of what motivates so many is just kind of the spirit of keeping fighting a power, but also keeping these important subcultures alive. Gosh, I'm thinking back to the 90s on some of this stuff and just sort of that ethos that seemed to have waned a little bit, but it's coming right back and it's kind of awesome to see, to be honest with you. So we've been talking sort of on the policy side, but for folks who are more on the, I'm thinking of security practitioner side, you know, the average DEF con attendee, I suppose, what would you want them to know about the work that you've been doing here?

Jake Braun (22:58)

Okay, so the one thing I want to talk about, just because I think it's so important, is one of the youth hackers. So this particular person was in high school, the handle that he used was Nix. And there was somebody else involved named Reynaldo Buho. But anyway, they were, yeah, good for them. But anyway, they found that a vape tracking device in the school bathroom that the schools had put in and that schools use all over the country, maybe all over the world, had the capability for listening devices in it. Which of course, once this industrious young hacker figured out, was asked a very good question, which is why would anybody who is trying to prevent the vaping need to listen to what people are talking about in the bathroom and pointed out things like, pointed out things like, you know, look, if, if you were maybe a young women woman who was talking about an abortion in one of the states that, you know, since the Roe decision have made it illegal, you know, are you or the school or whatever now in jeopardy because, you know, you were having conversation like that and in, in the bathroom with one of your friends, you know, I mean, it's just, I mean, yeah, it's, it's unbelievable,

Dave Bittner (24:16)

but it's a sacred space, the bathroom. Honestly, you just don't expect surveillance in the bathroom. It's just the absolute last thing anyone wants to. So.

Jake Braun (24:24)

Yeah, exactly. And so anyway, I wanted to highlight that because it was very clever work that these two high schoolers, high schoolers did. And also just because I think DC next gen is so important and this next generation of hackers coming up, if you look at the folks who started this whole thing back in 92 or 93, they're getting a little, they've got some gray hair and they're getting a little long in the tooth at this point. We need this next generation to step up. One of the other things, though, that I thought was like, like, fascinating was research that somebody did. Now, this is theoretical, of course. I don't think they were able to actually do this in practice yet. But theoretically, one of the researchers found that you could store information in human DNA and then use that to get key information that you'd want out of a dictatorship or something like that, whether you're in North Korea or Russia or China or whatever. Yeah, I mean, storing. Yeah, exactly. Tell me about it. Storing information in human DNA is about as cool and cutting edge as it gets.

Dave Bittner (25:36)

That is the kind of thing we love out of DEF con. Honestly, when we hear about stuff like that.

Jake Braun (25:40)

Yes, it's pretty great. I know. So this guy, Dr. James Utley, is the one who did it. And it's funny, he talks about bio cryptography is how he refers to it. So really, really fascinating work. And, you know, there's. I could go on for hours about all the cool stuff. I'll tell you one of my most enjoyable things I do for this is after DEF con, since I don't really have a lot of time to go see the talks when I'm there, because I'm running around to different things. I listen to, I don't know, 40 or 50 talks after DEF CON while I'm like, you know, out running or whatever to try and think about what makes sense to be in the almanac. And it's just some of the most fascinating information you'll listen to in any given year is these talks.

Dave Bittner (26:28)

But yeah, and I know we're coming up close on time, but I wanted to make sure. I also asked you about DEFCON Franklin itself. I know you wanted to mention a bit about the work that you all do. So can you tell me a bit about that?

Jake Braun (26:38)

Sure. So one of the things we do is the almanac. So obviously we talked about that. Bunch of folks, including some of my grad students who run around and compile, you know, chronicle what happens there and then, and then turn into this. I want to give a huge shout out to. To Adam Szostak and Paul Chang, who helped so much with this. And then separately, we recruit folks to support underserved water utilities around the country. This is largely because of our critical infrastructure like power and finance and so on and so forth. Water seems to be both newly a top priority for big adversaries like nation states and ransomware groups, but also one of the least protected. So whereas finance or energy has been improving their defenses for a decade or more now, water's really kind of just starting to get in the cyber game. And so we recruit volunteers to support these local water utilities that but for volunteers would have zero cyber support. It's not like it's us or hiring someone or us or they bring in a contractor. It's us or nothing. And so we've had a whole host of folks from DEF CON step up for this. We've deployed a good amount of folks so far. We're hoping to deploy a lot more. By the way, one thing I would really ask anybody on this call is if you work for a small municipality or or have close ties with one and you think your water utility might be in need of these types of service, please reach out to us. You can go to our Just Google us at DEFCON Franklin and we'll come up with all our contact information because we're all getting the word out to the 50 plus thousand water utilities out there, none of whom thought cyber was in their job jar even a couple years ago is one of our biggest challenges. So really would welcome folks who are interested in this and in particular if you are in a community that you think would benefit from the support and could connect us in with Those folks,

Narrator / Host (28:50)

that's N2K's Maria Vermazes speaking with Jake Braun.

Venmo Advertiser (29:06)

Get in the game with the College Branded Venmo Debit Card Wreck your team with every tap and earn up to 5% cash back with Venmo Stash, a new rewards program from Venmo. No monthly fee, no minimum balance, just school pride and spending power. Get in the game and sign up for the Venmo debit card@venmo.com collegecard the Venmo MasterCard is issued by the Vanccorp Bank NA Select Schools available Venmo Stash terms and exclusions apply at venmo me stashterms max $100 cashb per month.

Indeed Advertiser (29:36)

This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed sponsored Jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidate. C According to Indeed data, Sponsored Jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

Narrator / Host (30:09)

And finally, artist Sam Levine has devised a modestly malicious solution for anyone worried that friends, students or co workers are outsourcing their inner lives to chatbots. Make the bots unbearably slow. According to 404 Media, his tool Slow LLM quietly stretches response times from systems like ChatGPT and Claude by tampering with a browser data retrieval function, creating the impression that the machines themselves have suddenly lost enthusiasm for helping. Levine says the idea came after watching people rely on generative tools for tasks once handled by their own brains. The project can run as a browser extension or, more boldly, as a network wide DNS tweak that spreads the gift of patience to entire households or offices. He frames the effort as restoring friction to learning and creativity, though he admits using Claude to help write the code, at least until his own tools slowed it down. The goal is not prohibition, but reflection, preferably after a long wait. And that's the Cyberwire for links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insight that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.