I Am The Cavalry at Derbycon 2015

The Cavalry rides again to Derbycon – a meeting of the horsemen, if you will! The organizers have again seen fit to offer us space for the weekend so we can congregate. Two years ago we held the first Hacker Constitutional Congress at Derbycon which helped solidify the vision, mission, and areas of focus. This year we will provide insight into what we’ve learned, as well as workshops so you can learn along with us.

Friday, September 25, 2015
12.00-12.30 | Introduction and Overview | Beau Woods and Katie Moussouris
We will provide a brief overview of I Am The Cavalry, as well as outline the weekend’s activities. Participants who have yet to be introduced to the initiative will be; those who are familiar will be updated on activities and progress over the last year. Even if you miss this first session, you can join for any of the others.

12.30-1.00 | Automotive Overview and Update | Craig Smith
Overview of the Automotive space and update from the past year. This will be a revealing talk where we can give more details of what has been happening around the automotive industry, how the security community has engaged, and what the road ahead looks like.

1.00-2.00 | Automotive Q&A, and Gaming Demo | Craig Smith
Craig Smith will lead a technical discussion and answer questions about automotive security research. For instance: What is the CANBus, how do you tap into it, and how do you decode its protocol? What’s the product development lifecycle, how does the supply chain fit into that, and why does that make it hard to get vulnerabilities fixed? Craig will also demonstrate a game where you race around a virtual track by sending hacked messages to the engine control units, steering, and other car computer components!

2.00-3.30 | Legislative Overview | Jen Ellis and Bekah Brown
Overview of the legislative landscape, and how it affects the stakeholders in the various ecosystems. Be ready to learn to hear the legislative vernacular – that means “cyber” – and learn why you should care about what is going on inside the beltway.

3.30-4.00 | Medical Device Overview and Update | Jay Radcliffe
Overview of the Medical Device space and update from the past year. This will be a revealing talk where we can give more details of what has been happening around the healthcare and medical device ecosystem, how the security community has engaged, and what the road ahead looks like.

4.00-5.00 | An Hour with a Medical Device Researcher | Jay Radcliffe
Curious to how research gets done and the process that occurs? Have you always wanted to ask a researcher why it takes so long to get research done? Here’s your chance! Jay Radcliffe, a medical device security researcher will be on hand to talk about some of the process he takes when doing research on IoT/Medical Equipment. He’ll also field questions from the audience on how research is done so you can go out and advance your skill set to the next level.

Saturday, September 26, 2015
10.00-12.00 | Effective Communications | Beau Woods and Adam Brand
Workshop: Beau and Adam will provide coaching to help improve communications outside the echo chamber. You’ll learn why and how to communicate with others, as a dependency for your career as well as creating change in the world. Exercises cultivate empathy, understanding, and self-reflection to empower you to improve.

12.00-1.00 Lunch

1.00-4.00 | Media Training Workshop | Jen Ellis and Steve Ragan
Free, professional media training. Jen and Steve will help you understand why and how to engage the Media API, and inject technically literate information into the press without getting misquoted. Understand the journalist’s perspective so you don’t end up on the wrong side of an interview. Live fire exercises build muscles needed to stay calm, stay on point, and be a voice of reason to the world.

There will also be several talks that look to be closely related. A few of these are listed below:
Friday, September 25, 2015
12.00-12.50 | APT Cyber Cloud of the Internet of Things | Joey Maresca (@l0stkn0wledge)
3.00-3.50 | Current Trends in Computer Law | Matthew Perry

Saturday, September 26, 2015
12.00-12.50 | Security Hopscotch | Chris Roberts
4.30-4.55 | Latest Tools in Automotive Hacking | Craig Smith
4.00-4.50 | Medical Devices: Pwnage and Honeypots | Scott Erven “windshield wipers” and Mark Collao

Sunday, September 27, 2015
11.00-11.50 | Disecting Wassenaar | Tyler Pitchford
11.00-11.50 | Practical hardware attacks against SOHO Routers & the Internet of Things | Chase Schultz “f47h3r”

We hope to see you there!

I Am The Cavalry Track at BSides Las Vegas, 2015

If you were in Las Vegas last week, you were no doubt there for some combination of BSides Las Vegas, Black Hat, or DEF CON. These three conferences measure the pulse of the information security community and industry. Thanks again to the great support from the BSides Las Vegas team, I Am The Cavalry had a day of sessions at the event. As is always the case, Irongeek has posted them faster than anyone would have thought possible.

To kick off the day, we had Beau Woods, Josh Corman, and Nick Percoco giving an overview of the initiative and the day’s activities. There was a special guest during the talk: Hannes Molsen of the medical device maker Draeger announced a commitment to publishing a vulnerability disclosure program, and commented that researchers are key allies to his company and others.

The second talk of the day was delivered by Keren Elazari. As was true last year, she inspired the audience to tackle the big problems, fueled by the small ones – bits controlling atoms. We must start prioritizing control, trust, and safety over privacy and secrets. With effort, we can manually override our own inhibitions and make a difference. Superheroes without the masks.


The third session was a panel discussion with Tim Krabec moderating, Chris Nickerson, Beau Woods, and Tod Beardsley. Special guests Wim Remes, Keren Elazari, and the entire room were brought into it, as we learned how to lead in a “do”ocracy. Taking on a problem and pursuing it – working towards a solution, not just fluttering by the problem.

After lunch, Beau Woods and Scott Erven gave an overview of the last 12 months in the medical device security space. Special guest Suzanne Schwartz from the FDA joined to recap what she and her agency have done, and why they believe researchers are a valuable part of a healthy medical ecosystem…and hinted that maybe the FDA will come to “summer camp” next year. Beau and Scott also covered a lot of the current and future activities. (Slides for the talk are here.)

The final session of the day was Josh Corman, covering the very busy past 12 months in automotive cyber safety. This included the initial launch of our Five Star Cyber Safety Framework, reaction from the various industry stakeholders, and some of the activities that have gone on. Josh also talked about some of the current events going on like the high-profile talks across town at Black Hat and DEF CON.

I Am The Cavalry at BSides Las Vegas 2015

It’s time to take the wraps off what a few of us have been planning for BSides Las Vegas. We are returning again to do an I Am The Cavalry track on Tuesday, August 4th. This year it’ll be a different room, a different format, and a different objective. Like last year, you’ll be able to drop in and drop out of any of the sessions throughout the day.

Our objective this year is to generate discrete initiatives that will make the most difference the quickest. We will spend the morning introducing the concepts, giving background, and priming participants for the afternoon sessions. Those sessions will be focused on two pillars – automotive and medical devices – where there is both popular interest and multi-stakeholder inertia.

To kick off each of the automotive and medical device sessions, we will first give an overview of the current landscape and progress towards cyber safety. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. There will be surprises and unveilings.

During each session, we want to identify 2-3 good projects with strong support and leadership. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

People with subject matter knowledge will be available to guide the hand of those ideas to help others avoid mistakes and replicate what has worked. It’s important to capture not just knowledge in Auto and Medical, but also in public policy, media, legal, insurance, and other stakeholder domains. To make sure that coming out of that room, those initiatives have the best chance for success.

We kick off the day after the BSides Las Vegas Keynote. You won’t want to miss that one.

11:00-11:30 Session Introduction and Overview Josh Corman & Nick Percoco
We will provide a brief overview of I Am The Cavalry, as well as outline the day’s activities. Participants who have yet to be introduced to the initiative will be; those who are very familiar will be updated on activities and progress over the last year. And we will describe the vision for the day’s activities. Even if you miss this first session, you can join for any of the others.

11:30-12:00 Hack the Future Keren Elazari
This talk is about inspiring hackers to be the change agents of the future, with practical things hackers can do to create a positive impact. It’s about being a good hacker while staying out of jail and making the world a better place – with things like community outreach projects, crypto parties, voluntary red teams, responsible disclosure and stopping the spread of FUD.

12:00-12:30 Leading in a “Do”-ocracy Chris Nickerson
A man whose talks need no abstract… Prepare to be informed and inspired, the way only Nickerson can do.

12:30-14:00 Lunch

14:00-14:30 State of Medical Device Cyber Safety Scott Erven & Beau Woods
Beau and Scott will give an overview of the medical device space and talk about the things that have gone on in the past year. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. They’ll also introduce and walk through the Medical Device workshop.

14:30-16:00 How can we ensure safer Medical Devices? (Workshop)
The goal is to identify 2-3 good projects with strong support and leadership in the Medical Device area. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

16:00-17:00 Break

17:00-17:30 State of Automotive Cyber Safety Josh Corman & Craig Smith
Josh and Craig will give an overview of the Automotive space and talk about the things that have gone on in the past year. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. They’ll also introduce and walk through the Automotive workshop.

17:30-19:00 How can we ensure safer Automobiles? (Workshop)
The goal is to identify 2-3 good projects with strong support and leadership in the Automotive area. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

Related Talks at BSidesSF and RSA 2015

The Silicon Valley convergence of hackers, researchers, consultants, vendors, press and others is nearly upon us. The annual BSidesSF and RSA Conference have returned to the Bay Area, hosted again in San Francisco. These events see some of the most original content presented to some of the largest crowds of the year. Much of the content will be relevant to I Am The Cavalry topics. Listed here is a sample of IATC relevant sessions to help you plan your time at these events. For quick reference, you can also add them to your calendar.


BSidesSF: April 19 – 20, 2015

Date Time Location Title Who
4/19 17:00 OpenDNS Medical Devices Security – From Detection to Compromise Adam Brand & Scott Erven


RSA Conference: April 20- 24, 2015

Date Time Location Title Who
4/21 13:10 North:  Room The Sandbox at 134 Open Garages – Learn How Technology Drives Your Car Craig Smith
4/21 14:20 West:  Room 2007 I Was Attacked by My Power Supply: A Mock Trial Steven Teppler
4/21 15:30 West:  Room 3022 Home Sweet Owned? – A Look at the Security of IoT Devices in Our Homes Billy Rios
4/21 16:40 West:  Room 3004 Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project Daniel Miessler
4/22 09:10 West:  Room 3022 Protecting Critical Infrastructure Is Critical Robert Hinden
4/22 10:20 West:  Room 3018 How Vulnerable Are Our Homes? – The Story of How My Home Got Hacked David Jacoby
4/22 11:30 West:  Room 3022 Don't Touch That Dial: How Smart Thermostats Have Made Us Vulnerable Ray Potter
4/22 11:30 West:  Room 3018 Tools of the Hardware Hacking Trade Joe Grand
4/23 09:10 West:  Room 3010 The Evolution of Threats Targeting Industrial Control Systems Frank Marcus
4/23 09:10 West:  Room 2002 Use of Technology in Preserving and Protecting Humanity Davi Ottenheimer, Alex Stamos, Beau Woods, Bruce Schneier, & Morgan Marquis-Boire
4/23 10:20 South:  Room Viewing Point at Gateway CyberLegislation is Upon Us…But Are We Ready? Joshua Corman
4/24 09:00 West:  Room 2002 Cyber Security and Aviation Erroll Southers & Lawrence Dietz
4/24 09:00 West:  Room 2006 IoT: When Things Crawl into Your Corporate Network Sam Curry & Uri Rivner
4/24 11:20 West:  Room 2018 Medical Device Security: Assessing and Managing Product Security Risk John Lu & Russell Jones
4/24 12:30 West: Room 3022 Security Hopscotch Chris Roberts

DEF CON 22 Videos

DEF CON fans and aficionados– the wait is over. The videos from DEF CON 22 are now available online. While this is not a complete list of all available videos, it showcases many of the ones of interest to the Cavalry and Cavalry followers. If you are looking for the latest that internet security researchers have to offer, enjoy!


DEF CON 22: August 7 – 10, 2014

Hacking US (and UK, Australia, France, etc.) traffic control systems, by Cesar Cerrudo
This presentation discusses how to manipulate traffic signals, including how the devices were acquired, the research, on site testing demos (at Seattle, New York and Washington DC), vulnerabilities found and how they can be exploited, and finally some possible NSA style attacks.

Hacking 911: Adventures in Disruption, Destruction, and Death, by Christian Dameff, Jeff Tully & Peter Hefley

Emergency medical services (EMS) are the safety nets we rely on every day for rapid, life-saving help in the absolute gravest of circumstances, but these services rely on antiquated infrastructures that were outdated twenty years ago with vulnerabilities large enough to drive an ambulance through, little municipal governmental support for improved security, and a severe lack of standardized security protocols.Quaddi, r3plicant, and Peter- two MDs and a security pro review the archaic nature of the 911 dispatch system and its failure to evolve with a cellular world, the problems that continue to plague smaller towns without the resources of large urban centers, how the mischief of swatting and phreaking can quickly transform into the mayhem of cyberwarfare, and the medical devastation that arises in a world without 911.

The Cavalry Year[0] & a Path Forward for Public Safety, by Josh Corman & Nick Percoco

At DEF CON 21, The Cavalry was born. In the face of clear & present threats to “Body, Mind & Soul” it was clear: The Cavalry Isn’t Coming… it falls to us… the willing & able… and we have to try to have impact. Over the past year, the initiative reduced its focus and increased its momentum. With a focus on public safety & human life we did our best “Collecting, Connecting, Collaborating” to ensure the safer technology dependence in: Medical, Automotive, Home Electronics & Public Infrastructure. We will update the DEF CON hearts & minds with lessons learned from our workshops & experiments, successes & failures, and momentum in industry and with public policy makers. Year[0] was encouraging. Year[1] will require more structure and transparency if we are to rise to these challenges… As a year of experimentation comes to an end, we will share where we’ve been, take our licks, and more importantly outline a path forward…

Hack All The Things: 20 Devices in 45 Minutes, by CJ Heres, Amir Etemadieh, Khoa Hoang & Mike Baker

When we heard “Hack All The Things,” we took it as a challenge. So at DEF CON this year we’re doing exactly that, we’re hacking everything. We’ve taken all of our previous experience exploiting embedded devices and used it to bring you a presentation filled with more exploits than ever before™. This presentation will feature exploits for over 20 devices including but not limited to TVs, baby monitors, media streamers, network cameras, home automation devices, and VoIP gateways. Gain root on your devices, run unsigned kernels; it’s your hardware, it’s internet connected, and it’s horribly insecure.

The Internet of Fails: Where IoT Has Gone Wrong and How We’re Making It Right, by Mark Stanislav & Zach Lanier

This presentation will dive into research, outcomes, and recommendations regarding information security for the “Internet of Things”. Mark and Zach will discuss IoT security failures both from their own research as well as the work of people they admire. Attendees are invited to laugh/cringe at concerning examples of improper access control, a complete lack of transport security, hardcoded-everything, and ways to bypass paying for stuff.Mark and Zach will also discuss the progress that their initiative, BuildItSecure.ly, has made since it was announced this past February at B-Sides San Francisco. Based on their own struggles with approaching smaller technology vendors with bugs and trying to handle coordinated disclosure, Mark and Zach decided to change the process and dialog that was occurring into one that is inclusive, friendly, researcher-centric. They will provide results and key learnings about the establishment of this loose organization of security-minded vendors, partners, and researchers who have decided to focus on improving information security for bootstrapped/crowd-funded IoT products and platforms.

How to Disclose an Exploit Without Getting in Trouble, by Jim Denaro & Tod Beardsley

You have identified a vulnerability and may have developed an exploit. What should you do with it? You might consider going to the vendor, blogging about it, or selling it. There are risks in each of these options. This session will cover the risks to security researchers involved in publishing or selling information that details the operation of hacks, exploits, vulnerabilities and other techniques. This session will provide practical advice on how to reduce the risk of legal action and suggest several approaches to responsible disclosure.

Cyberhijacking Airplanes: Truth or Fiction?, by Dr. Phil Polstra & Captain Polly

There have been several people making bold claims about the ability to remotely hack into aircraft and hijack them from afar. This talk will take a systematic look at the mechanisms others are claiming would permit such cyberhijacking. Each of the most popular techniques will be examined myth buster style. Along the way several important aircraft technologies will be examined in detail.Attendees will leave with a better understanding of ADS-B, ADS-A, ACARS, GPS, transponders, collision avoidance systems, autopilots, and avionics networking and communications. No prior knowledge is assumed for attendees.

Just what the Doctor Ordered?, by Scott Erven & Shawn Merdinger

You have already heard the stories of security researchers delivering lethal doses of insulin to a pump, or delivering a lethal shock to a vulnerable defibrillator. But what is the reality of medical device security across the enterprise? Join us for an in-depth presentation about a three-year independent research project, encompassing medical devices across all modalities inside today’s healthcare landscape. Think they are firewalled off? Well think again. Scarier yet, many remain Internet facing and are vulnerable to strategic attack with the potential loss for human life. And yes you will be amazed at what we found in just 1 hour! We will prove that an attacker can access medical devices at thousands of healthcare facilities from anywhere in the world with the potential loss of human life.This discussion will also highlight the fallout from security standards not being a requirement for medical device manufacturers, and our experience in identifying and reporting vulnerabilities. We will provide our insight into what needs to be done for healthcare organizations to respond to the new threat of cyber-attack against medical devices. We are working towards a future where cyber security issues in medical devices are a thing of the past. We will discuss the recent success and traction we have gained with healthcare organizations, federal agencies and device manufacturers in addressing these security issues. The train is now moving, so please join us to find out how you can get involved and make a difference by ensuring patient safety.

A Survey of Remote Automotive Attack Surfaces, by Charlie Miller & Chris Valasek

Automotive security concerns have gone from the fringe to the mainstream with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes.Last year, we discussed 2 particular vehicles. However, since each manufacturer designs their fleets differently; analysis of remote threats must avoid generalities. This talk takes a step back and examines the automotive network of a large number of different manufacturers from a security perspective. From this larger dataset we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last 5 years? What does the future of automotive security hold and how can we protect our vehicles from attack moving forward?

Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment, by Jesus Molina

Have you ever had the urge to create mayhem at a hotel? Force every hotel guest to watch your favorite TV show with you? Or wake your neighbors up (all 290 of them!) with blaring music and with their blinds up at 3 AM?For those with the urge, I have the perfect place for you. The St. Regis ShenZhen, a gorgeous luxury hotel occupying the top 28 floors of a 100 story skyscraper, offers guests a unique feature: a room remote control in the form of an IPAD2. The IPAD2 controls the lighting, temperature, music, do not disturb light, TV, even the blinds and other miscellaneous room actions. However, the deployment of the home automation protocol contained several fatal flaws that allow an arbitrary attacker to control virtually every appliance in the hotel remotely. I discovered these flaws and as a result, I was able to create the ultimate remote control: Switch TV off 1280, 1281, 1283 will switch off the TV in these three room. The attacker does not even need to be at the hotel – he could be in another country.

This talk provides a detailed discussion of the anatomy of the attack: an explanation of reverse engineering of the KNX/IP home automation protocol; a description of the deployment flaws; blueprints on how to create an Ipad Trojan to send commands outside the hotel; and, of course, solutions to avoid all these pitfall in future deployments. Attendees will gain valuable field lessons on how to improve wide scale home automation architectures and discussion topics will include the dangers of utilizing legacy but widely used automation protocols, the utilization of insecure wireless connection, and the use of insecure and unlocked commodity hardware that could easily be modified by an attacker.


Attacking the Internet of Things using Time, by Paul McMillan

Internet of Things devices are often slow and resource constrained. This makes them the perfect target for network-based timing attacks, which allow an attacker to brute-force credentials one character at a time, rather than guessing the entire string at once. We will discuss how timing attacks work, how to optimize them, and how to handle the many factors which can prevent successful exploitation. We will also demonstrate attacks on at least one popular device. After this presentation, you will have the foundation necessary to attack your own devices, and a set of scripts to help you get started.

Optical Surgery; Implanting a DropCam, by Patrick Wardle & Colby Moore

Video Monitoring solutions such as DropCam aim to provide remote monitoring, protection and security. But what if they could be maliciously subverted? This presentation details a reverse-engineering effort that resulted in the full compromise of a DropCam. Specifically, given physical access and some creative hardware and software hacks, any malicious software may be persistently installed upon the device.Implanting a wireless video monitoring solution presents some unique opportunities, such as intercepting the video stream, ‘hot-micing’, or even acting as persistent access/attack point within a network. This presentation will describe such an implant and well as revealing a method of infecting either Windows or OS X hosts that are used to configure a subverted DropCam.

Playing with Car Firmware or How to Brick your Car, by Paul Such & Agix

A lot of papers have already been done/produced on hacking cars through ODB2/CanBus. Looking at the car firmware could also be something really fun :) How to access the firmware, hidden menus & functionalities, hardcoded SSID, users and passwords (yes, you read right), are some of the subjects we will cover during this short presentation.

Elevator Hacking – From the Pit to the Penthouse, by Deviant Ollam & Howard Payne

Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don’t do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it’s easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevators work… allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!


Circle City Keynote Text

In the spirit of Dan Geer’s keynote addresses I wrote out the Keynote I did for Circle City Con in Indianapolis this year. With lots of copyediting help from @bouncinglime here it is, cleaned up and made much more readable.

Circle City Con Keynote

Friday, June 13, 2014

The witches of infosec

I was talking to a friend the other day, someone who’s not a security person or even a technology person – by his own admission, just an “average person.” Every time he uses a smartphone or the internet, it seems like magic to him. When he reads about hackers, it’s like hearing about people who are so good at magic they can bend it to their own will, and it’s spectacular. Arthur C. Clarke observed that “any sufficiently advanced technology is indistinguishable from magic,” so it’s easy to see how someone who’s not as involved as we are in technology might see our everyday world as magical.

He said being on the internet is like being dropped into The Land of Oz. Everything is in Technicolor instead of black and white, munchkins are running around, somebody hands you a lollipop, people sing and dance and cheer. It’s bizarre and wonderful and kinda confusing and completely unthinkable. But it’s a place he wants to explore and get to know. He doesn’t know the physics or normalities of the place – and he’s fine with that, as long as he can do what he wants to do. It’s fun!

Then in a splash of smoke and a billow of fire comes this haggard green-faced witch, wearing a black hat no less. That’s the evil hacker. And a white witch floats over in a bubble and sends the scary one running away. That’s the world he sees when he’s on the Internet – a wild cacophony of “average people” that is occasionally invaded by witches. The average person can’t necessarily see the difference between good and bad witches, but is glad that the good ones exist to drive the bad ones away.

Technological progress and adaptation

This view of the Internet is really not surprising. In his lifetime computer technology has turned over three times. Computers began as mainframe computers that took up a room, then were PCs that merely took up a desk, and now we have phones and tablets in our pockets, and supercomputers on demand in the Cloud… That’s somewhere over the rainbow, right? In a few short years, we’ve gone from no connectivity, to wired and wireless, now to the global always-on connectivity our pocket devices demand. And we’re about to launch into wearables/implantables, with personal-area and mesh networks.

We’re at a point right now where technology is evolving faster than we are able to adapt to it in a single generation. Only the people who are hyper-specialized can understand it. This massive intra-generational shift has a profound effect on our humanity, culture, and social contract.

Public policy, legal precedent, and law enforcement that was well adapted 30 years ago is now hopelessly antiquated. We have to conduct open debates on whether the Internet is a telecommunications network or an information service, and what that means for established laws, regulations and precedents. Our culture has to get used to pervasive tracking and surveillance, our loss of privacy, and the fact that governments and companies know more about us than we know about ourselves. Whether we like it or not, our metadata is a matter of public record now. The predictive power – and potential benefit – of this information is too much for anyone to ignore. This isn’t maliciousness, it’s simply a case of policy and law being mis-matched with a quickly changing reality.

Given 50-100 years all of these will catch up and our great grandkids, as awkward teenagers, will laugh at us for being so goofy and confused with at this time in our technological development. These growth spurts happen periodically throughout history before settling back down. We are in one of those growth spurts right now, but it will not last forever. One thing that will last forever is the persistence of computer technology into our everyday lives. This gives us, the ones with the ability to make that technology do anything we want, serious superpowers. And with great power comes great responsibility.

We’re at a key moment in history…. Will you watch? Will you heckle? Will you help? Will you lead?

Where cybersecurity meets humanity

I’ve been playing with computers all my life – building them and, more often, breaking them and having to fix what I’d broken. Sometimes even breaking into them to play practical jokes on my friends. Finding and fixing computer flaws was my hobby. I was a security amateur before I was a security professional.

My third day on the job in Infosec was terrifying. I got a call from a physician in the Natal Intensive Care Unit – where the most fragile babies are brought just after they’re born. Their Fetal Heart Monitoring systems were all down. The doctor on the phone said he knew it wasn’t our job to support them but that they needed help. So I did. A quick investigation showed the medical devices had all the signs that they’d gotten hit with the same network worm that had recently been infecting other computers.

I called the manufacturer and asked their first-line support personnel if they could fix the problem since the devices were brand new but, since it was likely malware, they couldn’t. I asked for access to the device to fix it myself. The vendor said that since it’s a medical device we weren’t allowed to modify it or have access. That wasn’t good enough for me; if the network worm could break into the medical device, could I?

Sure enough there a Metasploit module had just been released for the vulnerability that the worm used. I knew I could fix the problem technically, but it’s not enough to know that the we can do something with technology. We must still ask if we should do it.

I worked with my boss to get permission. We put together a plan and a justification which she took to the CEO of the hospital, who read and approved it. Within the day I was able to go in, get rid of the malware, apply the patch, and get the systems stable again. I went back to my job and the doctors went back to saving lives.

I Am The Cavalry inception

Josh Corman and Nick Percoco gave a talk, “The Cavalry Isn’t Coming,” at DEF CON 21. There were three simple but profound ideas behind their talk: our dependence on technology is growing faster than our ability to secure it; our technological capabilities have outstripped our ability to adapt our social contract; and our society has evolved faster than our laws. Security researchers are the key to restoring the balance between all of these aspects.

1. Computing technology is being rapidly adopted into the world around us. We struggle daily – and often fail – to secure our companies. Meanwhile software and networks permeate every aspect of our lives in our cars, our bodies, our homes, and our public infrastructure. When human life and public safety are at stake it is no longer acceptable to have the same failures that are routine in other Information Technology. We must know, not just assume, that the technology we depend on is worthy of our trust.

2. Technology has rapidly changed what we are able to do. We are being watched and tracked by corporations and governments. On the one hand this gives us the utmost convenience; on the other hand it destroys our privacy and allows repression of dissent. There is nothing in our human experience that has prepared us for pervasive surveillance and “Glassholes”. We’re struggling to adapt to the impacts that computer and network technologies have had on us as a society as humans. We no longer need to ask whether technology can do something, but we have not yet begun asking if it should.

3. Our policy and legal apparatus stabilizes society by setting a standardized expectation and reducing harm. It cannot keep pace with the rate of change of our technology. Policy is a tool for defining norms and expectations. Laws are tools to enforce these norms and expectations. When the cultural norms fall so far behind, policies and laws fall out of sync with reality. Our laws today fail to distinguish between those making good faith inquiries into the soundness of these technologies from those who wish to exploit weaknesses for personal or ideological gain.

Surely there must be some task force studying these crucial issues, or some think tank brainstorming on it. One thing has become clear: no one is waiting in the wings to save us. The Cavalry isn’t coming. It falls to us – it falls to you – to lead the charge.

We, as the information security community, know what the problems are. We have the technical knowledge to know what should be changed. We see ourselves as defenders of those who need it. This understanding compels us to do the right thing, and step up to help. Like it or not, we are the adults in the room. And that should scare the hell out of us, but it should never stop us.

I Am The Cavalry today

The idea moved the hundreds of people in the room. A web presence, social media, and discussion list brought people together who believed in helping. The idea became a meme and the meme gathered like-minded individuals to the watering holes. It spawned leadership tendencies in a lot of us who knew we couldn’t just sit here and watch; we had to be the change we wanted to see.

I Am The Cavalry, today, is a global grassroots organization that is focused on issues where computer security intersects public safety and human life. We strive to ensure that these technologies are worthy of the trust we place in them. We are seeking to organize as a non-profit educational foundation, focusing on medical devices, automobiles, home electronics and public infrastructure. We are a movement of collecting, connecting, collaborating, and catalyzing : Collecting existing research and researchers; connecting these resources with each other and stakeholders in media, policy and legal stakeholders; collaborating across a broad range of backgrounds and skillsets; catalyzing research and corrective efforts sooner than would happen on their own.

Our message is that our dependance on computer technology is increasing faster than our ability to safeguard ourselves. As computerization and connectivity become more ubiquitous, it’s important that we protect public safety and human life.

Our mission is to ensure technologies with the potential to impact public safety and human life are worthy of our trust. We will achieve this mission through education, outreach and promoting research, and as an independent voice of reason from the security community.

What we’ve learned

Over the past nine months since the I Am The Cavalry namespace started, we’ve learned a lot of lessons about how to approach getting things done in this space – where to focus, how to engage, whom to engage, etc. We have struck a chord with our focus on devices that have the potential to impact human life and public safety. These are big issues that are not just technical, they span many boundaries. These types of non-technical problems beg for non-technical solutions.

When talking with lawmakers on policies and laws we wanted to see changed, we quickly found out that they our message didn’t interest them. They simply didn’t care about theoretical problems that might come up due to Computer Fraud and Abuse Act (CFAA) or Digital Millenium Copyright Act (DMCA). The perspective we brought was at odds with what they were hearing from their peers and colleagues. They felt like we were “a bunch of whiny brats” complaining just like any other special interest group. In short, we weren’t giving them the “why.”

When we did, everything changed.

“A friend of mine, Jay Radcliffe, almost died when his insulin pump failed. He got a different one and it happened again. Both near-fatal accidents were caused by software flaws in the pumps themselves. Digging into these flaws, he found several critical security issues which could have triggered the failures. Another security researcher, Barnaby Jack, found that he could make these types of medical devices administer a fatal dose of insulin from 300 feet away.”

Those kinds of vignettes gain attention. Demonstrating public good through security research earns us the opportunity to bring up the conflict between the law and exploring the problem space. This experience taught us it was even more important than we thought to focus on the human life and public safety aspect. We need a lot more of these types of proof points if we want to keep getting through to lawyers, policymakers, and others outside the echo chamber.

Policymakers and their staffers also began bringing us in to ask intelligent questions. Recently there has been a perfect storm of several events, beginning with Senator Markey’s letter to automakers asking about ensuring the safety of the computers in the cars. Then the U.S. Food and Drug Administration (FDA) published notification of software security vulnerabilities on 300 medical devices, which could have an impact on patient care. People were “stunt hacking” cars at Black Hat a few months ago. These are the sorts of events and issues that catch the attention of public media outlets, creating instant interest and attention. The world is listening right now, and we need to have something to say.

Inspiration at the heart

A lot of people get inspired by the I Am The Cavalry message. At the heart of the movement is an inspiration and a motive to empower hackers to make the change they want to see.

There’s a great YouTube video by Dan Pink about what motivates and inspires people to take action. The gist of it is that once we get beyond a certain level of satisfying our most basic needs, people are motivated by three things : Autonomy, a feeling of control over your life priorities that allow you to produce your own results; Mastery, an urge to see progress and development in a skill; and Purpose, to have a meaning beyond profit, to “put a dent in the universe.”

For a lot of the most productive people in the world, this is why they get up in the morning. They have all three of these things. This is also what inspired a lot of us to go into security research as well – being self-directed to work on doing this cool elegant hack, learning and exploring, and then showing it off and getting it fixed.

Slowly, though, the joie de vivre of exploration and discovery gave way to something else. Our passion became our day job, and our fun turned into work. 60-80 hours of work a week. Every week. Into forever. At some point in my career I realized that the medical device hack I pulled off was the peak of my professional career. In nearly 10 years I hadn’t done anything as impactful to the real world as I did in my first week. That was a difficult realization. I burned out. Burnout isn’t something we talk about a lot in the industry. We just pour another drink or make another “stupid user” joke and get back to feeling frustrated, powerless, and overworked. It’s had some pretty devastating consequences on us as an industry. Some people never get burned out and I’m happy for them. Others do, and we have to claw out of it.

That’s the inspiration people see in I Am The Cavalry. It inspires hope, and a lot of people haven’t known hope in a long time. To make real progress on something positive and powerful. To prevent problems before they come up. To learn something new and valuable. To move from the trough of despair to the slope of enlightenment and the plane of productivity.

Why it moves us

I Am The Cavalry is one namespace within a much broader movement and community. We aren’t the first people to feel our current path will lead to no good, that we have to do better. Those are the feelings that sparked this movement, and continue to drive it forward.

Curiosity is a hacker prerequisite. This new problem space gives us a chance to once again explore the unknown, one that’s full of interesting new technologies and combinations of existing technologies. This kind of thing is why a lot of us started learning about security in the first place. The problems we are investigating aren’t trivial. We’re trusting our families’ lives with these machines. It’s not acceptable to fail and so we have to persevere.

The problems in the space will first be known, then addressed, then fade into history. You can push that timeline forward, be the one who helps things get better, faster. Whether you choose to talk about that or not, it will bring a sense of accomplishment. If you do want to talk about it there’s plenty of opportunity. Conference CFPs tend heavily towards Android malware and PCI, but a talk about hacking an insulin pump or a car will have fighting people in line to go see that talk. Ask Jay Radcliffe, Charlie Miller, or Chris Valasek. That’s beyond a stunt hack; it’s something that matters.

I think we’re going to see a rapid shift from research of convenience to research that matters. Take a look at the DEF CON tracks this year. Every one of them is something that matters. The world’s most famous hacking conference is shifting the research agenda for the industry. That’s awesome. It’s also a lot faster to research some of the areas we’re talking about. There hasn’t been nearly as much focus on it so there’s more low hanging fruit. You’ll spend the same amount of time finding the bug, but you won’t have to spend any time showing that it’s a big deal. Now your friends and family will know not just what you do but they’ll see why you do it.

Trying to make a change also means building different muscles. Ones for engaging the Media API. Ones for fuzzing the chain of influence. Ones for traversing policy and legal systems. Ones for bridging the interfaces between research and real-world application. We are simply using the methods we know very well, and applying them to a new set of systems – non-technical ones. This brings back the excitement of exploration. These new skills span boundaries into other areas of our lives, too. Explaining security to a journalist builds the same muscles as explaining them to your CEO. Understanding how to navigate complex political and legal systems helps when you want to organize community action for a new neighborhood playground.

We are pursuing a goal that’s bigger than us. This pulls us out of burnout and keeps us from going back. It transforms frustration into progress, futility into accomplishment, atrophy into exercise, and, most importantly, ignorance into education.

All of this is coming at a time when we’ve begun to get a real sense of the power we have. The media is focusing on hacking, and politicians are asking for advice. People are looking to us as if we have superpowers! It is time we stepped up and became those super heroes.


As I said earlier, in 50-100 years all of the things we’re talking about here will be figured out. Our self-driving cars will do it better than we could hope to faster, safer, and with fewer side effects. Our implanted and wearable computers with body area networks will be fast, robust, and stable. Criminal activity will be illegal but legitimate research will be protected by laws. Researchers will be treated with the same respect in security as they are in other fields. And our civil liberties issues will be settled – one way or another. That’s not my witch’s crystal ball, that’s a forward projection of history.

We need to cut down the amount of time we spend in this awkward period before our society has caught up to our technology. It is imperative that we accelerate the process of identifying and dealing with issues before they have more severe and widespread impacts. We should push for resolution of these issues now, instead of just waiting for it to happen on its own.

  1. By being the voice for reason and thoughtful discussion, we can reduce friction and collateral damage.
  2. Our actions will nudge the final position towards openness and freedom.
  3. Avoid a Cuyahoga River moment (but prepare just in case we get one).

Individual Examples

My friend Morgan Marquis-Boire (@headhntr), who’s been working with Citizen Lab, thinks we’re way off base by not pursuing privacy issues more. Morgan has spent a lot of his time dissecting malware that foreign governments use to track and surveil dissidents. For him privacy leaks kill every single day on an individual scale, and are genocide on a mass scale. He and Citizen Lab, as well as other groups like Telecomix and Tactical Tech, are fighting to preserve the Internet and protect those who use it to empower themselves. As he likes to say, that’s his fight but it might not be your fight.

Kyle Osborn took job at Tesla to improve vehicle safety. It began as an internal IT Security role available, but he was able to push the boundaries to turn it into something more. His work has created a coordinated disclosure policy, and large automakers in Detroit are taking notice.

Scott Erven found hundreds of issues in medical devices, but after failing to get the FDA or the manufacturers to fix the problem, notify their customers, or take any action he gave up. Billy Rios knew the solution already and, through his contacts at DHS ICS-CERT, was able to get it published. This caught the attention of the FDA, who issued a public notification of the vulnerabilities. Because of all the attention, the vendor undertook internal reviews from the very top.

Many of the very small “Internet of Things” makers think more about shipping than security, not out of deliberate neglect but because they have no resources for it. Mark Stanislav and Zach Lanier got together and started Build It Securely project which works directly with with chipset makers, vendors, and others to give practical guidance to people using their products. All of the information is published openly on the Internet, giving easy access to those who don’t have time or resources to do the research themselves.

Call to action

Leaders are not born, but self-made. There’s a subtle but important difference there. Leaders make themselves when given the right motivation and opportunity. I used to think that leadership positions were given to people but I’ve come to realize that they’re never given, only taken or accepted.

Leadership is simply initiation and persistence in a particular direction. Start something, even when no one else is. Especially when no one else is. Continue in spite of, and especially after, setbacks. Find direction from whatever inspires you to start and to continue. That’s up to you. It’s not easy, but it’s also not hard.

The challenges we face are daunting but tractable. We have the right set of skills and are here at the right time to solve them, but we must start now. Every day we delay makes the work more difficult and the consequences higher and the likelihood of failure higher.

I Am The Cavalry is not just about joining a common cause under the leadership of others. Although it can be for some. It’s about becoming leaders ourselves. It’s not “I Am The Cavalry. Come join me.” It’s “I Am The Cavalry. And you are too. We are all the cavalry!” It’s not about people following, it’s about people leading. I Am The Cavalry. And you are too. It’s up to all of us to lead the charge.

Thank you.

Related Talks at BSidesLV, Black Hat and DEF CON

The annual Las Vegas convergence of hackers, researchers, consultants, vendors, press and others is nearly upon us. That’s right it’s time again for BSidesLVBlack Hat USA and DEF CON. This trilogy of events sees some of the most original content presented to some of the largest crowds of the year. This year much of that content will be relavent to I Am The Cavalry topics. We have more detail on the day of I Am The Cavalry sessions at BSidesLV.

BSidesLV: August 5th-6th

Date Time Where Title Who
8/5 15:00 Common Vulnerability Assessments on SCADA: How I 'owned' the Power Grid Fadli B. Sidek
8/5 18:00 Proving Back Dooring the Digital Home David Lister
8/6 10:00 IATC Introduction and Overview – I Am The Cavalry and Empowering Researchers
8/6 11:00 IATC Problem Space Overview
8/6 12:00-18:00 IATC Building Skills, Understanding and Influencing People
8/6 12:00-18:00 TBA Drop-In Sessions

Black Hat: August 6th-7th

Date Time Where Title Who
8/6 11:45 Lag K Survey of Remote Automotive Attack Surfaces Charlie Miller & Chris Valasek
8/6 14:15 Palm A Embedded Devices Roundtable: Embedding the Modern World, Where Do We Go From Here? Don Bailey & Zach Lanier
8/6 15:30 SS CD Why Control System Cyber-Security Sucks… Dr. Stefan Lders
8/6 17:00 Palm A Responsible Disclosure Roundtable: You Mad Bro? Trey Ford
8/6 17:00 Lag K Breaking the Security of Physical Devices Silvio Cesare
8/6 17:00 MB D Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment Jesus Molina
8/7 10:15 Palm A Medical Devices Roundtable: Is There A Doctor In The House? Security and Privacy in the Medical World Jay Radcliffe
8/7 11:45 MB D Smart Nest Thermostat: A Smart Spy in Your Home Yier Jin, Grant Hernandez & Daniel Buentello
8/7 14:15 SS E Home Insecurity: No Alarms, False Alarms, and SIGINT Logan Lamb

DEF CON: August 7th-10th

Date Time Where Title Who
8/8 13:00 P & T Hacking US (and UK, Australia, France, etc.) traffic control systems Cesar Cerrudo
8/9 10:00 T 2 Hacking 911: Adventures in Disruption, Destruction, and Death Christian Dameff, Jeff Tully & Peter Hefley
8/9 10:00 P & T The Cavalry Year[0] & a Path Forward for Public Safety Josh Corman & Nick Percoco
8/9 10:00 T 1 Hack All The Things: 20 Devices in 45 Minutes CJ Heres, Amir Etemadieh, Khoa Hoang & Mike Baker
8/9 11:00 T 1 The Internet of Fails: Where IoT Has Gone Wrong and How We're Making It Right Mark Stanislav & Zach Lanier
8/9 12:00 101 How to Disclose an Exploit Without Getting in Trouble Jim Denaro & Tod Beardsley
8/9 12:00 T 1 Home Insecurity: No Alarms, False Alarms, and SIGINT Logan Lamb
8/9 12:00 T 2 Cyberhijacking Airplanes: Truth or Fiction? Dr. Phil Polstra & Captain Polly
8/9 13:00 T 2 Just what the Doctor Ordered? Scott Erven & Shawn Merdinger
8/9 15:00 T 1 A Survey of Remote Automotive Attack Surfaces Charlie Miller & Chris Valasek
8/9 16:00 T 1 Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment Jesus Molina
8/9 17:00 T 1 Attacking the Internet of Things using Time Paul McMillan
8/10 11:00 T 2 Optical Surgery; Implanting a DropCam Patrick Wardle & Colby Moore
8/10 13:00 T 1 Playing with Car Firmware or How to Brick your Car Paul Such & Agix
8/10 15:00 T 1 Elevator Hacking – From the Pit to the Penthouse Deviant Ollam & Howard Payne

The Cavalry In Europe

The Cavalry made our first appearance at a European conference. Josh Corman was invited to The Hague as the closing keynote for the National Cyber Security Center’s One Conference. In his keynote he chose to revisit the theme of his TEDx talk, which highlights issues that The Cavalry is addressing. 

Claus Houmann, a strong supporter of The Cavalry, and someone who has urged us to come deliver our messages in person across the Atlantic, gave us a warm welcome post entitled Call to arms! Fellow Europeans, mount up. Thanks, Claus. We look forward to many good interactions on your Continent.

Security of Things Forum

The first inaugural Security of Things Forum was held May 7th. The forum, organized by The Security Ledger Editor in Chief, Paul Roberts, was keynoted by Dan Geer. Mark Stanislav of Duo Security and BuildItSecure.ly, and Josh Corman of Sonatype also spoke at the conference.

CSO Online wrote an article, predominantly driven by Josh’s talk, an updated version of his Swimming with Sharks TEDx presentation.

In the Digital Ocean, predators outnumber protectors

Just because something is scary doesn’t mean it’s a figment of your paranoid imagination…. There is reason to be afraid because the dangers in the digital “ocean” are as real as swimming in a physical ocean of sharks, with blood in the water.

Editor in Chief of IoT World, Rich Quinnell also took the opportunity to write about security of the Internet of Things and introduced his readers to I Am The Cavalry and BuildItSecure.ly.

Security Cavalry is Coming to the Internet of Things

One of the biggest concerns many people have about the Internet of Things is its security. Each point of connection between our systems and services and the wide area network is a potential point of vulnerability to cyberattack, yet security is at best an afterthought in many IoT designs. Something in the way we handle IoT security has got to change, and that is a key goal for a new grassroots organization [called I Am The Cavalry].

Finally, Channelnomics wrote a detailed account of the forum and the security issues in the Internet of Things. Definitely worth a read.

A Dose of Reality in the Rush to Connect All Our Things

“Security is the absence of unmitigatable surprise,” [keynote speaker Dan] Geer told SECoT attendees. “My design goal is ‘no silent failure’.” It the end, it’s not about raining on the IoT parade, said [Forum organizer Paul] Roberts, but rather moving the conversation into a more prudent and defensible space by bringing the vendors and the often insular communities together.

THOTCON & BSides Chicago 2014

The Cavalry will be holding workshop sessions at both THOTCON and BSides Chicago next week. Details are below. We look forward to seeing you there.

THOTCON – Friday, April 25, 2014

Where/When: Lab 5/6, 2pm to 4pm
Approx. Capacity: 150 people

When What Who
2:00-2:30 WHY The Cavalry Josh Corman & Nick Percoco
2:30-3:00 Medical Device Security Landscape & Challenges Scott Erven
3:00-3:30 IoT Security Landscape & Challenges Mark Stanislav (BuildItSecure.ly)
3:30-3:50 Cavalry Mission, Discrete Progress & Activities Adam Brand
3:50-4:00 Next Steps & How to Get Involved Josh Corman

BSides Chicago – Saturday, April 26, 2014

Where/When: Workshop, 11:00am to 2:30pm (with lunch break)
Approx. Capacity: 25 people

When What Who
11:00-11:15 WHY The Cavalry Nick Percoco & Beau Woods
11:15-11:45 Getting Started with Medical Device Hacking Scott Erven
11:45-12:15 Automotive Security Landscape & Challenges Craig Smith (Open Garages) & Adam Brand
12:15-1:00 Getting Started with Car Hacking Craig Smith (Open Garages) & Adam Brand
1:00-1:30 Lunch & Open Q&A All
1:30-2:00 Car Hacking Demos & Q&A Craig Smith (Open Garages) & Adam Brand
2:00-2:15 Next Steps & How to Get Involved Adam Brand & Beau Woods