Embedded - 58: Use These Powers For Good
Episode Date: July 2, 2014
Joe Grand (@JoeGrand) spoke with us about his life as Kingpin, hardware hacking, hosting a TV show, and being a Hackaday judge. Joe's company is the Grand Idea Studio. His TV show Prototype This was on the Discovery Channel. He created an Atari game: SCSIcide. Joe will be giving his hardware hacking training at Black Hat USA in August (as well as some of the other security conferences also in Las Vegas at that time). Joe and Elecia are on the Hackaday Prize judging panel. There are some amazing projects if you want to check out your competition (or vote for the ones you like!).
Transcript
Welcome to Embedded, the show for people who love gadgets.
Christopher White and I are your hosts.
Our guest this week is hacker and fellow Hackaday judge, Joe Grand.
Hi, Joe. Thank you for joining us.
Hi, Joe.
Hi. Thanks for having me.
Could you tell us about yourself?
Sure. So I guess the short version is I'm a computer engineer by trade.
I'm a hardware hacker, a product designer, a runner, a daddy, a former TV host,
member of a hacker group, L0pht Heavy Industries, that was formed back in the day.
In the early 90s, we were one of the first hacker groups to promote full disclosure of finding security vulnerabilities and forcing or helping companies to fix those problems.
I run a company called Grand Idea Studio, which is basically just me working on projects and coming up with ideas and building prototypes of products and teaching computer security stuff and teaching hardware hacking
and sort of doing any sort of technical stuff that I think is fun to do.
It's quite a number of things.
The books and a TV show and the hacker community.
Do you do consulting now or is it your ideas and then you sell them?
Sort of both.
I do some consulting, but being just one person, it's sort of hard to do that, right?
Because then if I'm doing consulting for a client on one project, I find it hard to break
away to do other things that might be interesting or to go to a conference or do something else.
So I'll do consulting in little bits and pieces if it's something that I think is really cool
or maybe if it comes in highly recommended for a friend
or maybe it is a friend's project or something.
But yeah, I do a little bit of consulting,
but mostly it's kind of internally developed ideas
and building up prototypes of ideas that I have.
Sometimes licensing those to companies to manufacture
is sort of the goal,
but those are sort of few and far between.
So sometimes I'll just design things for the hobbyist communities, for the hacker communities.
Sometimes sell those, sometimes release them open source or both.
And sometimes just give stuff away because it's fun.
So sort of this whole range of things.
It sounds like you have fun.
What is your favorite thing to do?
Um, I think it's all fun. I mean, I think it's sort of, I've been kind of lucky where I've been able to
make a living doing what I like, or I guess doing what I love and sort of doing what I, what I am,
right? I mean, I've always been involved in electronics.
I got involved in computers when I was seven years old.
I had an Atari 400, an Atari 830 acoustic coupler modem,
and I had bulletin board systems and all of this stuff.
So I've just always been involved in computers.
I've always been involved in electronics,
kind of grew up reading various electronics magazines
and building projects out of those.
So just the fact that I can make a living doing this stuff to me is just bizarre. I
love it. It's so much fun and I live it and breathe it. It's just what I do.
There's a lot of times where I would just – I want to do stuff for free. I want to
help everybody and want to design stuff and just do it all for free.
But at some point, I have to make some money.
And it's just awesome that I can do it and have fun doing it.
And basically, at this point, I try to find things that are fun.
And if it's not fun, I don't really want to do it.
Of course, sometimes I have to do things that aren't fun because that's life.
But I just try to stay kind of positive and work on things that are the most fun and the most interesting to me.
So I would say all of it.
I mean, there's not one thing.
It's just sort of being an engineer, being a hacker, kind of pushing, poking people, poking vendors, pushing buttons to try to make, you know, make the industry better, teach people about my passion, about electronics,
about engineering and, you know, working on the TV show, building projects and sort of inspiring
mainstream, um, community and stuff. Like it's all just, it's all been pretty fun.
There's been some downsides that I, you know, try not to sort of look at, but, um, in general,
it's been sort of a wild ride.
What are your two, what are the two most fun projects you're most proud of?
Um, I would have to say Prototype This, which was
the TV show I was on, um, on Discovery Channel. We filmed a single season that aired, um, in 2008, I
believe it aired in the U.S. And now it's being syndicated
and sort of distributed all over the world.
So it's still airing in various places.
It's available on DVD through Netflix.
I don't think it's available on streaming through Netflix.
You could pick up the DVDs on eBay
for a few bucks for the season.
But that was a really fun project
that I wasn't expecting to be that fun.
And it was a lot of work.
And I have all sorts of stories about how miserable it was
to actually have to get up at 5 in the morning and show up and be on camera
and wait for the camera guy to change the tape and wait for the sound guy
to change the batteries and all these sort of things.
But in the long run, it ended up inspiring this whole,
I don't want to say a whole generation, but it inspired a
lot of kids to get into engineering, which was not expected at all from us and not expected at all
from, from Discovery Channel. And the premise of the show, for those who don't know, was, was four guys
building prototypes of ridiculously complex projects. So we built a 30 foot tall computer controlled water slide simulator.
We built a car that could elevate itself and drive over traffic. We built a flying lifeguard,
futuristic lifeguard system that had a UAV now, you know, now called drones that flew over to a
person in distress and dropped a life jacket. So that was all of these crazy projects that were just really fun,
and we tried to show the engineering process.
And showing engineering to mainstream people is sort of hard.
And I was always, when I was giving interviews for the show and stuff,
I would assume that my grandmother was watching the show.
It's that level of technical competency.
And maybe some people's
grandmothers are technically competent, but mine really wasn't. So we had to make it accessible
to people, but also enjoyable and show the real world process. So that was sort of hard,
especially when it's like, well, how do you show yourself coding? Or how do you show yourself
designing a circuit board or soldering? So we had some challenges, but it was super fun. And just
once the show aired,
we just didn't realize how much response we'd get. And it's sort of a cult following because Discovery didn't really promote it too well. But within the community, it ended up being a lot of
fun. So that was a huge win, a huge fun. I don't know. I mean, again, everything's fine. Maybe, maybe giving, maybe teaching classes.
Um, probably being involved in the L0pht, I would say, which was fun, but that was, that was a hacker
group that I was involved in the early 90s.
And you were the Kingpin?
I was Kingpin, yeah. That's
my handle, and, uh, people still call me that sometimes. It's funny. So people from
that era that I see, you know, I didn't use my real name until 1999 or 2000. So I was always
Kingpin, at least from the L0pht era up was Kingpin. I had a few handles before then when I was a kid.
My first handle when I was seven years old was Black Ninja, which I thought was cool because I
think, you know, probably every kid thinks ninjas are cool. And most adults think ninjas are cool.
But yeah, so Kingpin was my handle.
So I'll see people from back in the day, and they'll go, hey, Kingpin or KP.
They don't even call me Joe, because we're just so used to calling people our handles
from back then.
But yeah, this was a hacker group where basically it started with a bunch of guys in Boston,
where I'm from, and we wanted a
place to get together and store equipment and go to the electronics flea markets together and kind
of hack on stuff. And it's a very long, long story, but there were seven of us in the group,
and all the guys were at least six years older than me. And I was 15 or 16 when I first got
involved. So to me, you know, these guys
were all my mentors and sort of shaped the way that I think about things and validated the way
that I think about things um you know where I could actually question what was going on I could
take apart products I could sort of hack on on our own networks and not get in trouble and all
these things where we sort of created this safe environment where nowadays you have hacker spaces and maker spaces and, you know, DorkBot meetings
and all these things where people can go and sort of share their passion of electronics and of
hacking and all of these things and, you know, in a safe way. But back then there was nothing.
So this was really a great way sort of, and it shaped my life in a way that is hard to describe.
So even though it's not, you know, not a singular thing that was
fun, that whole era of being involved in the L0pht was hugely fun and amazing and wild.
And that led you to be in front of Senate hearings for security. Is that right?
Yeah. So in 1998, which was sort of the, I would say, the peak of the public-facing L0pht, this was at the point where we had found a bunch of security vulnerabilities in Microsoft products.
A long time ago, we had found some of the first, if not the first, security vulnerabilities and sort of made them public.
I'm sure people had found them before then and not made them public.
But we found some vulnerabilities and went to Microsoft and said, hey, we found some problems. They're like, no, no one's ever going to do that against the system.
So we wrote some exploit code to show them, look, here's how you could actually take advantage of
this vulnerability. And then they go, oh, you're right. Okay, maybe it is a problem. So we've done
that a lot. We've sort of built up this name, this brand, I guess, if you will. We were friendly with
a lot of the media.
So trying to spread the message of being hackers and being good hackers, you know, by helping people understand security vulnerabilities and how they can protect themselves and why it's necessary to do that.
And why you can't just rely on these vendors and these software companies and now hardware companies to design secure products. So we were sort of these, I guess you could say Robin Hood,
like trying to find problems but then educate the masses about them and stuff.
And through a series of media kind of domino effect,
somebody at the U.S. Senate Governmental Affairs Committee had seen an article about us
and said, hey, can you guys come down and testify at our hearing about computer security in government?
We said, sure.
So there's seven of us, seven hackers that we joked at our friend's wedding a few years
earlier, the only time we would wear suits would be at a wedding or a funeral.
And we weren't expecting to actually go to the Senate.
So we all wore suits at the Senate, too, so that was the unexpected thing.
But, you know, seven guys that don't normally wear suits, that aren't normally in the political
arena, that don't just go to Washington, D.C. to, you know, hobnob with people, show up
and got to talk to some United States senators and really open their eyes about vulnerabilities
in government systems and ultimately vulnerabilities in the internet and
larger systems.
And we talked about wireless stuff and satellites and, I mean, just, we talked about a whole bunch of stuff, and it was basically, they wanted us to give these doomsday scenarios of what could happen if hackers, you know, malicious hackers.
A lot.
Yeah.
And it was awesome.
So we just named off lots of stuff.
But that was a totally, you know, that was just a completely unexpected
and really fun and terrifying experience to show up and have to do that.
We were the first group of people to use pseudonyms in a Senate testimony
who weren't in the Witness Protection Program,
which we were pretty proud about. So, you know, we, so we had our, our names in the public record. Now it says Kingpin and Weld Pond and Mudge. Um, but when we checked into the hotels,
we couldn't use our pseudonyms for some reason. So whoever had set up this whole trip had assigned
us different names. So instead of using Kingpin, uh, my name was Bob Brown. And I had all these other
names that we each had other, it was awesome, because no one knew our names at the time.
And that's sort of for a good reason. You know, we were doing things that a lot of people didn't
like. Vendors didn't like it. A lot of mainstream, just the mainstream media didn't understand what
we were doing. So we were sort of ruffling a lot of feathers by being hackers in the first place
and sort of questioning authority and pushing the limits of technology
and finding security vulnerabilities and all of these things.
This was such a different time than it is today.
And we pissed off a lot of people.
And we didn't want our name, our real names, to be associated with that
because to us it didn't matter. I mean, to us, no one needed to know our name because the work we were
doing should speak for itself. It shouldn't matter that, oh, it's Joe Grand, a 16 year old kid, it's, you
know, Kingpin from the L0pht. Even that doesn't matter. It's somebody found a problem with the
system that needs to be fixed. And that's really what we felt. But over time we said, okay, you know, as we, as we transitioned from the L0pht into a company called @stake, which
was a VC backed company that we had helped start, and the L0pht was, had rolled in to become the
research arm of this company, which is a computer security, one of the first computer security
consulting companies, um, we're like, okay, well, you know, people know our handles now and maybe it's time we start
using our real names. Like, no one, maybe no one will, hopefully, attack us at this point. We've been
around for so long. And nothing, you know, nothing happened when we, when we outed ourselves. No one
came and, like, started sending us death threats or trying to hack us or whatever. I mean, it's,
maybe they did, I don't know. Maybe I'm probably owned anyway. I sort of assume that my computer is hacked. I don't think that's because of anything that I've done. It's probably just because everybody's computer is hacked.
to talk about external threats and vulnerabilities and foreign governments doing stuff to the United States
or bad actors.
And given what we've learned in the last few years,
it's kind of...
Script kiddies?
Well, no, I'm talking about the NSA
and the vulnerability from the government
toward the government or to other governments
or to the people.
Some of that's legitimate spying,
but some of it isn't.
And so it's funny that, you know,
the tables have turned a little bit
and the same kinds of things
you were probably telling them,
like, well, this is how you do
a man-in-the-middle attack here,
or this is how you, you know,
get physical access to a device
to capture, you know, keystrokes or what have you.
That's what's really happening,
but it's happening from the very organization
you were kind of talking to.
And they probably weren't aware of it at the time.
Yeah, right.
I mean, you never know,
but it's definitely this insider threat
ends up being way more of a problem,
I think, than an outside threat.
But a lot of times too,
like I've given talks at various organizations,
government organizations,
and it's sort of funny because I feel like they probably already know the stuff that I'm talking about.
Or my same thing with my friends from the community that also go and give talks at organizations.
It's sort of like you would validate what they already know or to, you know, maybe learn a new technique or to see how, you know, what, how to see kind of where we are as a community at the
state of the art versus where they are. Um, you say you never know, but yeah, I mean, it was an
interesting time i feel like the senators that we talked to at least at that testimony
this was all new stuff to them. But nowadays it wouldn't be.
I mean, this was the first time really when hackers talked to the government and didn't get arrested.
And because we weren't doing anything illegal, we were doing good stuff, and that's why we got invited.
But, yeah, I mean, it's a completely different world these days.
And what we talked about then isn't any different.
It's just things are way worse because so many more people now are online and so many more things are connected. And now you have nation states and organized crime and there's so much money involved. And it's just insane how insecure the networks are and how insecure applications are and how insecure software is and how much it can be taken advantage of. And it's basically a losing battle.
Unless you're in the security industry, then it's great job security.
So what basic advice can you give to general embedded systems developers about security?
I know you give a day and a week-long class, but can you give us the five-minute version?
Yeah, I mean, I would say the main thing really is that engineers
and security people need to mix.
You have to have engineers thinking like hackers.
You have to have hackers thinking like engineers.
But really, if you're a designer, you need to go to hacker conferences,
go to Black Hat, go to DEF CON, go to Recon, go to ShmooCon.
I mean, there's conferences every weekend.
You know, some of them are targeted towards reverse engineering.
Some are targeted for general kind of hacking stuff.
Some are larger.
Some are smaller.
But, you know, getting involved in the security space is really the first step. And I know a lot of times from a development point of view,
being an engineer, I've worked at companies in the past,
so I sort of know the pressures that engineers are under
as far as getting products to market.
You have your whole budget issues.
It's really hard a lot of times to convince the right people
within an organization
to let you go to a hacker conference or to even design security into a product in the
first place.
But really, I think the first step is to kind of merge security and engineering.
So get engineers to security conferences and start learning about attacks that have been
done against systems and just don't make the same mistakes.
Because a lot of the attacks that we see these days are no different than stuff that I've been talking about 10 years ago. It's just now you have faster processors and now they're all ARM core and
not, and, you know, something else. It's just the same sort of, the same sort of classes of attack, I guess.
You know, just storing, um, crypto keys in, you know, accessible memory or,
you know, having, having, um, your JTAG ports exposed or your debug ports, or having, uh, you know, like
serial output or, or, or UART, um, console available. Just very obvious things, you know.
Trivial passwords. I, I see a lot of trivial passwords.
Yeah, well, yeah, deep back doors and bad passwords, all stored in the clear, you know, silkscreen markings on boards that aren't necessary, which give attackers additional information.
I mean, there's just tons and tons of stuff.
And yeah, I teach a two-day hardware hacking training class publicly at conferences, usually the Black Hat Conference in Las Vegas, sometimes
a few others. I also do private trainings for organizations, which makes it easier a
lot of times for me to go in and teach a whole team where the whole everybody I'm teaching
works at the same company. They're a lot of times in the same groups. They all know each
other and it makes it easier for them to work together, because a lot of it, there's a hands-on component to the class
where there's, you know, they manipulate this custom board that I've given them, and they have to probe it and create a block diagram and figure out how it works and find the security mechanism and defeat it, just to sort of kind of dump a bunch of information on developers and have them say, okay, so this is, these are things that I, you know, maybe can do or apply against my own product and see if it's vulnerable.
But yes, I mean, there's just so much to do, but I think it really starts with engineers
getting involved in security, just seeing what's going on, because there is just not
this mix.
And we start to see it a little bit, like at EE Live, which used to be the Embedded Systems Conference, now has the Black Hat track.
Because UBM, the big company that runs EE Live, among lots of other conferences, just purchased Black Hat a few years ago.
So now it's part of, you know, under their umbrella of conferences.
So there's starting to be this little mix, but it's still, there's a long way to go.
Yeah, you spoke at EE Live this year, didn't you?
Yeah, I spoke on, let's see, what was that talk? It was, um, Using Superpowers for PC
Board Reverse Engineering, uh, which was sort of a fun, um, basically a subset of some work that I had
done for a DARPA Cyber Fast Track project. Uh, and, and for those who don't know,
Cyber Fast Track was a program put together by actually one of the guys from the L0pht. Mudge ended up, after the L0pht and after @stake, he did a few other things and ended up at DARPA in the, in the U.S. government and the defense, you know, the defense organization and, um, was able to essentially hack the system
and convince a lot of these, you know, very rigid military government people that, look, we need to
reach out to the community, we need to reach out to individuals and to small companies and small
hacker groups that are doing amazing security research but, but just don't have the overhead and don't have the skills or the time to go through the ridiculous government bureaucracy to get government contracts.
There's so many people out there other than Raytheon and other than these huge companies that are doing things that could be useful for the government, useful for the public that just aren't being seen. So he was able to create this program, which was amazing,
to fund small companies and fund individuals to do short-term security research. And what I had
done, which is work that will be released, I'll present it at DEF CON, DEF CON 22 in Las Vegas,
and then a week later, just found out that my academic paper called PCB Deconstruction Techniques is going to be published at the USENIX Workshop on Offensive Technologies conference. So my formal paper will be released then, and then all of my research and photos and videos and stuff will be released. But basically the project I did was on deconstructing circuit boards, so figuring out
different techniques, low-tech and high-tech ways, to, um, access, uh, layers, you know, at the top and
bottom layers and then inner layers of circuit boards to basically give me an exact image of
what's going on on the board, so then I can kind of continue my reverse engineering process from
there. So I did all sorts of kind of fun things.
And the talk at EE Live was sort of a little bit of that work,
but also some of the stuff that didn't work that I tried that ended up working for other things,
like using x-ray or using acoustic microscopy
to look through components that are encapsulated in epoxy,
which sort of wasn't directly related to my PC board work,
but when I went to these vendors
when I was using their x-ray equipment
and using their other stuff,
I just brought extra stuff with me
to sort of do on the side.
So these are sort of like the, I wouldn't say the B-sides of the Cyber Fast Track work I did,
but sort of just some fun other things in using lasers and sound waves and x-ray and stuff to, to help with PC board
and, and hardware product reverse engineering. So it was pretty fun. That was the first time I gave
that talk, and I'll give it a few other times, uh, throughout, throughout the year. And those slides
are already up on my site if people are interested.
We'll get a link to that.
One of the things I do sometimes when I'm talking to
potential embedded software engineers
to hire them
is to hand them a schematic
that is not well documented
and ask them to tell me what they think
to make a block diagram.
So it's funny to hear you say that.
And I am saddened and surprised by the few number of people who do well on that question.
Yes.
And so you're saying people use all these tools to make what would be easier to come
from the schematic.
And yet, I'm boggled by the, wouldn't it be easier to get a real job?
Yeah, yeah, well, that's right.
That's exactly right.
And I think what your question shows is that people,
a lot of people don't necessarily have that hacker mindset, right?
It's like a lot of engineers are trained to use certain tools and design a certain way. But when it comes time to undesign or to figure out how somebody else has done it,
that's not necessarily something that can be taught. I think it's something that you can
maybe guide somebody, but they have to have that right mindset already and think about it in that
way. So yeah, it's funny because a lot of the, you know, reverse engineering and kind of hacking techniques and things that I teach and the tools that we use
are not that much different. A lot of them are the same, actually, as you know, regular engineering
tools. So we're using oscilloscopes, we're using logic analyzers, we're using protocol analyzers,
level shifters, you know, I mean, it's all sort of the same stuff. It's just applied in a different way.
And if you understand that, then you can start breaking products.
But yeah, I mean, one of the tasks in my training class is, you know, they have this custom
circuit board and they either need to create a schematic or create a block diagram or something
to help them understand kind of the main subsystems of the board and how things go together.
And yeah, I mean, sometimes it's easier said than done, but unless you sort of understand,
I don't know, I mean, it's a hard thing to sort of wrap your head around until you actually
have to do it.
I've always done it in the context of everybody has left the team for one reason or
another, or I'm the new person and I don't want to ask a lot of questions, and I have to do that
sort of reverse engineering just to do my job. Well, it's a state of mind change too, because
while we think of engineers as children taking things apart and learning, in our jobs that's
not really what we're taught to do anymore.
We're putting things together and we want them to work.
And so our subconscious desire is not to break them
or to figure out what's wrong with them.
And that's an engineering test sort of mentality,
but an engineering creation mentality.
I know I don't like finding bugs in my code.
So it's the same kind of thing if
you're teaching somebody how to secure their device. They have to be able to shift mindsets
a little bit to think like somebody who is attacking it, and I think that's hard for some
people.
Yeah, and I think it's also like, you know, if you come into a company and you're, you
need to figure out what other people have done, I feel like a lot of times there's this,
I don't know the right word to describe it, but the,
that the work that's already been done is better than you. Right?
Or like if you're the new, the new person coming in,
like that work that exists must already be good. It's sort of like, well,
I think it's bimodal. I mean,
half the people I talk to always want to throw out everything that has been done before the day they started, and the other half just assume that that's all golden
and perfect and want to do as little as, somebody must have had a reason for this. Yeah, but I seldom
see the person that's like, well, that kind of worked and it had bugs and now I'm going to figure out
how to make it better. It's always one or the other.
Yeah, and I think that's right.
That it's like, okay, well, it must be there for a reason,
and that's the thing that hackers think differently about because it might be there for a reason or it might not.
It doesn't matter if it can be sort of manipulated in some way.
That's the important thing.
But yeah, I don't know.
It might be for engineers going into a job,
maybe they don't want to ruffle feathers or anything
and take that risk of like, well, I would have designed it this way.
No, I hear a lot of people, it's like, oh, this is all just bad.
This code is horrible.
I've had that happen to me when I'm still there.
So changing subjects a little bit, but still from a security perspective,
do wearables and the Internet of Things just make you want to rub your hacker hands together in glee?
Yeah, they actually make me really just, I don't know.
Job security.
Yeah, I mean, yes. Well, job security, it's just,
it makes me shake my head a lot of times because I'm not, people have heard me say this before, I'm not really a gadget guy, which is sort of weird, right? Because it's like, well,
you design products and you're a tech guy, you're an engineer, but I'm not a gadget guy.
So to see a lot of these things come out, a lot of the wearables, all the internet connected stuff, to me, it's like, why do we even need that stuff?
Like I've been a runner for, for 20, 22 years, since I got in trouble when I was a kid doing computer stuff, I had to do a sport or get a job. And so I've been a runner and I wear, you know, a Timex watch, a stopwatch.
And now there's the wearables that track, you know,
everything about you, your, your movement and your calorie consumption and your, you know, where you're,
where you're walking and what you're doing and all of these things. Like, why do you even need that?
People, I think, I feel like people get so caught up in tracking themselves. It's like taking selfies
all the time, and it's, everyone's caught up in their own data, whatever it's called. The, um, uh,
Quantified self.
Yeah. Quantified self. It's like, on, on one hand, I don't know, it's completely ridiculous. Um, on the other hand, coming from a hacker point of view and sort of a security paranoia, privacy point of view, it's like, why would you want to track, have all of that stuff recorded
and captured and, blah, I don't know, it's crazy.
So the products that I design tend to be very simple, effective products that do what they're
supposed to do and they're not over-engineered.
So I don't know, I mean, a lot of people would say, well, Joe's an idiot because he's not
designing anything Internet of Things, or not designing any wearables.
But I like to design things that I would use and that I believe in.
And I just don't, you know, I mean, there's tons of money going into that space, too.
And it's like, I don't know, I just don't, I don't feel it.
You know, like there's some neat things about it, but I don't feel it.
I mean, it's not something that really excites me.
And if it doesn't excite me, I'm not going to get involved in it.
From a hacker point of view, yeah, there's tons of stuff going on in that space because the designers of these products don't understand security. That's okay.
It's just the question you asked earlier, how do they get involved in security? You've got to go and go to these conferences because there's people already breaking things. The Google Nest had just been hacked through a, a remote device for, or not remote, but a device firmware, um, functionality, so,
you know, to reflash the device in the field. I don't think there was any sort of code signing
going on there or anything. And just lots of very simple, basic, uh, security problems have not been fixed.
And the more companies that come out,
sometimes also I serve as a technical advisor to startup companies, or non-startups, depending,
but normally startup companies,
and help them with manufacturing problems
and talk about security and provide introductions to people
or do design reviews or whatever,
just as an advisory board member.
And a lot of companies I've seen are started by people that basically just want to make
something to get rich. And what better way than design a thing that can detect when you're out
of eggs? Just look in the fridge. No, no, we've already made fun of that on the show.
A couple episodes ago.
That's the first thing that came to mind,
but it's like,
you know,
those types of things aren't needed,
but these companies think that they can just make a product and get rich,
and that's not the right way to do it,
right?
We're engineers because we want to design stuff that we think will help the world or that we think will help somebody.
So it's a different,
it's a different mindset.
These,
you know,
these guys come around and build a product
to get it out there and make as much money as
possible but not necessarily think
about how they're keeping
track of data how they're
designing their
product really it's all about getting it out there
as quickly as possible having great
marketing videos and a great
kickstarter campaign and all this stuff
but it's like the more technology that's out there that's tracking us and just the more technology in
general that's out there that's not really helping us just ends up being, it's just going to end up
being a really bad thing. I see where you're coming from, but I'm not sure I agree. In what way?
I love gadgets. I mean, I do tend to be an early adopter. And when I'm unwilling them, so I like them, of course.
And I do tend to work for things I like.
And I care about security, and I do care about my data.
But I also like some of the social aspects.
Yes, okay, we'll put the data up on the website,
and we'll let me compete with other people, other friends.
And the competition helps me stay in shape.
I love the fact that I can turn the air conditioning on in my car from my office
because that's exactly how long it takes for the car to cool down.
And I accept that there is some security risk there because it is convenient
for me. And so I, I don't understand. There's a balance, right? There's a balance. I mean, there's
certain types of information. It's a choice everyone has to make of what kinds of information
they're willing to have accidentally hacked. You know, fitness information, I don't care.
You know, somebody wants to turn the AC on in my car accidentally,
okay, fine.
But I don't, I'm not all in, for example, on the Google, you know, framework.
I don't use a lot of Gmail. I don't give them Google Plus stuff because that's a lot of personal information
that I don't want them, you know, sharing around.
So it's a balance.
And I do think that there are gadgets, you know, it's a new, it's kind of a new field, even though it's not really.
And there's going to be the fly-by-night stuff
that's going to crash and burn because it's useless.
And there's baby monitors that got in trouble.
Right.
And there's going to be useful things,
maybe useful for reasons that the people who made them
don't even understand.
And there's going to be stuff in the middle
that's just kind of wishy-washy.
But from a security standpoint,
it's how do you decide as a purchaser or a consumer,
okay, I'm going to buy this
and I realize there may be some privacy issues,
but do I care about this particular...
I don't think enough people think that.
I don't think so either.
I think most people don't even think about that
at all. I mean, you know, how many people are on Facebook? I don't know how many billions or
something, but I'm not one of them. Right. And it's just, you know, people aren't thinking about
privacy and security that much. I had a great conversation with my wife on a run the other day
about posting pictures of our kids and sort of creating this digital footprint of our kids and they have no say in the matter.
So we stopped doing that.
And now,
you know,
we're showing their,
their hands and feet,
but we're not sort of showing their faces and just,
um,
people aren't really thinking about security or privacy and they think,
yeah,
it's a cool thing to do.
We can share data with our friends.
Um,
it gets me in better shape.
I can turn on my car.
It's fun.
It's social. It's, it's community. Yeah, I mean,
so I get that part, but it's also, it's a trade-off. I mean, security and privacy, it's always a trade-off
and it's sort of convenience versus security. And, you know, I think I'm just sort of a grumpy...
Well, you've seen it all. You know, I mean, you're coming from a perspective
of somebody who's experienced
and, you know, knows the kinds of things
that can go wrong.
Yeah, and just cynical.
And it's just never, you know,
I mean, if I was into gadgets more,
I would be all over it.
But it's not, you know,
not something that totally excites me.
But it also reminds me, like,
I feel a lot like on my grandmother
when, you know, my parents were like,
hey, you should really get a microwave.
And she's like, I'm not using a microwave. You know, that thing, whatever, fries the food or destroys the food. I use
an oven and that's what I grew up using. So in one way I'm sort of like that, where it's like, I don't
need, I've gotten by fine without, without these various gadgets. Um, so I personally don't need
them, but I can see where people like them if they're just major major issues. On the other hand, too, I feel like it, it sort of is going to end up being this slippery slope of, yes, there's
lots of stuff out there now. It's sort of the first generation of, of, you know, wearables, of internet of
things, of stuff being connected. And it's like, oh wow, look, I can connect my car, I can connect,
I can turn on my, my AC, I can control my house, but it's going to just get more and more pervasive.
And that's what scares me. And maybe the security will end up being better, but it's still, you know, I don't
want a thermostat that tracks things. I don't want a smart power meter. I don't, I don't, I don't
want, nor do I need those things. Um, though companies are selling it as, look, you can share
your data. You can reduce your power by knowing, you know, it can automatically know when you're not home to turn down the power. It's like, well, I'll just turn
down the AC myself when I leave. So it's a convenience versus, you know, versus security
versus privacy. And most people don't think like I do, right? Most people think it's a great thing.
But I just worry that it's going to be more and more pervasive and less and less escapable
for people like me.
We need to know what the downsides are, and we need to talk about the downsides.
All of these wearable sports watches that have GPS on them, I find very disturbing because if they are uploading where you are real time, you're telling everybody who has access to that data that you are alone and vulnerable. Right. And not home. And not home. Yes. So, I mean, there's the burglary
aspect and then there's the physical safety aspect. And I am worried by that. The convenience
things. Yeah. How in the world am I going to care if somebody knows how many eggs I have in my fridge?
Well, the thing is, yeah, I mean, that's the thing is like, if you look at kind of historical
events, right, even all the NSA leaks, people know that the NSA are, you know, are doing this
bulk capture of data and capturing text messages or listening to calls, all of this stuff. But
nobody really cares, except a small percentage of people, I think. Everybody goes along, you know,
with their daily life.
It's like, okay, fine, the government's doing what they're doing.
It doesn't affect me.
I think from what I've seen in polls,
people are not, in general, very happy about it.
But I don't think the average person knows what to do about it.
There's not a simple way to...
Well, they're not changing their behavior.
Well, they don't know how to, is what I'm saying.
As a person who's just
living their life,
I need to use text messages to communicate with my family
or work or whatever.
How do I secure that?
I'm not an engineer, I'm not somebody technically minded.
say there's no way
they're going to find a secure service
or know how to use encryption on their email
or all these
things that we could do that would make things more secure. And that's why I think things like
Google, you know, encrypting Gmail end to end is a good start. But there's stuff that we as engineers
and advocates for technology have to do better to make privacy and security easier. Yeah, the
entry bar lower. There's this gap, there's this gap of not only
making it easier, but
maybe just making it so
integral that people have to use it.
And they don't care.
It doesn't affect them.
One reason security is so hard is that
it's inconvenient. You need to remember
your 25 character
password and you have to have all these
different passwords and you have to take this extra step
to be more secure or to protect your privacy.
And yeah, you have the hacker community
and the security community that gets it,
but most people don't,
and that's no fault of anybody, really.
It's just technology is sort of here,
and we need a way to figure out how to do that better.
And we need to talk about it.
It's a hard problem.
And we need to talk about what happens when you don't do it,
when you choose the four-letter password that is in the dictionary.
I mean, I'm not going to say it's your fault you got hacked,
but you certainly didn't help the situation, and you could have.
Companies, vendors, on one hand, shouldn't allow you to do a four-character password.
Something like that, too.
It's also the vendor's responsibility.
I feel like it should be the vendor's responsibility or the engineer's
and the company's responsibility more than the end user.
No, if I choose to leave my door unlocked, that is my choice. Yeah, but you don't even know it's a door. Well, that's the thing. You have to be telling people that there are doors here and that
if they want to lock them, they should, and here's how, and it's really easy, here's how you do it.
Yeah, but a door is different than, the door can't, well, I mean, a door could tell you, hey, I'm unlocked. But, you know, as far as a
vendor, if, if there's a vendor that, that is allowing you a four character password instead of a, you
know, minimum whatever character password, which that might not even matter depending on, you know,
if they get hacked on the other side, whatever. But, um, that's different than a door because, you know, as a user, you know,
if the door is unlocked, that's a risk. As a user of a four character password, you probably don't
know that that's a bad thing. You just choose the minimum because it's easier to remember.
And the vendor is responsible to tell you that's not a good thing. So I think it's slightly
different. All right, it's slightly different.
All right.
Let's go on because I want to talk about Hackaday.
All righty.
Hackaday is a little bit more whizzy than security.
It's really less depressing.
Well, yes, because security, I do feel like.
So space.
Space is cool.
Yeah.
Do you want to explain the Hackaday Prize for the three people who haven't heard of it?
Sure. Actually, you know what? It's surprising that I just went to a Dorkbot meeting two weeks ago.
I just moved up to Portland, Oregon.
And Dorkbot is a sort of informal meeting.
They have them all over the country in various cities, and people get together and talk about technology and get food and stuff like that.
But it's surprising that even with as much marketing as the Hackaday Prize has gotten, a lot of guys there just weren't aware of it.
Because I think people a lot of times have their head down and
working on their own projects and they're not online all the time and they're not on these
newsrooms all the time. So there's a lot of people that don't know. The people who are getting things
done aren't finding out. Exactly. The ones that need to know so they can make really cool projects
for the contest. But yeah, so should I give the one sentence description of it? Sure. Okay. So, yeah, we'll see how well I do with this.
So the Hackaday Prize is run by a website called Hackaday,
which features all sorts of cool hacks and projects and stuff.
It's great.
More than one a day.
Yeah.
And it's basically a design contest for people to create amazing new designs.
They say connected designs, which doesn't necessarily mean internet connected, but it could be wireless something or whatever.
Some sort of very, you know, they're looking for unique, very cool, creative projects.
And like any design contest, there's lots of different prizes and stuff. But the grand
prize in this case, which I think is probably the grandest
of grand prize of, at least of design contests, is you get to go to space on one of the private
companies whenever they're ready, which is pretty cool. And lots of designers, lots of engineers,
lots of nerds and geeks love space. And it's a pretty cool thing.
I think it's like a $250,000 value or something like that.
And they'll give you the cash instead if you really want.
But I know that they are sincerely hoping that somebody actually goes to space.
Yeah.
The thing is, if you're an early adopter of technology,
you're probably likely to choose space.
But I personally, if I had won, though I can't because I'm a judge,
um, if I had won the contest at this point, since space travel or whatever they call it, you know, private space
whatever, isn't really fully ready, I would almost want to wait a few years until things have been
tested and there's been some accidents that they can sort of remedy, um, before getting on one of
those things. But I think they admitted that it wasn't going to be whenever we released the,
you don't get in a rocket the day we released the results.
Nope, you're going to space.
We're going to figure out how.
Well, look at the 787.
We didn't say you're coming back.
For major things, if something could go wrong, I don't know.
I would rather wait.
It's just like, I don't upgrade to the latest OS right away. I don't, I don't upgrade to the latest
version of apps right away either, because if there's a bug, it's going to surface, you know,
within the first few, whatever, months or years of, he's very conservative, flight. What could possibly
go wrong? It's only going into space. So I'm going to fill in some of the Hackaday blanks.
Hackaday.io is the website, hackaday.io.
And to me, they're kind of like instructables that you get a description of how to put together a project,
but they're all very hardware-y sorts of projects.
And so the prize, the Hackaday prize,
which is the space prize, is you put in
your project to hackaday.io, just as though you were, if there wasn't a prize going on,
and then you mark it with the Hackaday Prize hashtag. And that gets you in the contest and you, the, I, I talked to, to Supplyframe, who is the sponsors of all this, um, because
I knew you and I were talking today and because I, I had a lot of questions about the contest that,
considering I'm a judge and I should know some of this stuff. But the, the way you enter is just that,
and you don't even have to have a project. You can just have an idea.
And right now, this week, there are more prizes than there are entries.
So, enter.
Wow, I didn't actually, I didn't know that.
But some of the projects that have been entered are pretty amazing.
And, you know, if they're going to get a quarter million dollars or get to go to space, or I know the third prize is a 3D printer and had all sorts of neat other prizes. I think there are five big ones and 50 medium ones and then hundreds of T-shirts and little here have some dev kits sorts of prizes.
Yeah, there's a ton of swag for this one.
Yeah.
So the Supplyframe wanted to make sure people understood the,
the barrier for entry of,
of getting some of the swag at least is really low.
And,
and then the other thing is there's the community voting,
which I think helps you get swag,
but it doesn't, it doesn't help
you get the big prizes. The big prizes mostly go through the judges and an editorial board that
makes sure you followed all the rules. Yeah, we basically, for the judging panel, which I think
there's eight of us, um, by that point, by the time we see the projects, I think it's narrowed down to some handful.
30.
30 or so, yeah.
So, yeah, don't try to send us money or diamonds or jewelry or anything, because we really don't have any say until it gets to that point.
Are you kidding?
I started taking bribes a long time ago.
Oh, did you?
Are we allowed?
If we're allowed to, then send all the money.
I do have to remind folks that it's not $250,000.
Just nobody gets too excited.
What is it? It's $196,418.
Okay.
Still, that's a lot.
Very specific number.
How many cents?
None.
Okay, but nearly $200,000.
Yeah.
Close enough.
If you're talking about 200,000, 250 is close enough.
That's right.
Round down.
Yeah, so everybody should do it.
And the other part was that the community judging does get you more swag.
So you can be a community judge without entering the contest, and to do that you
just sign up for a Hackaday account and then you give people little astro skulls. Not really, which
would be very cool, but, um, metaphorical astro skulls. Well, I think it's a great idea. I mean,
having the community judging at least as one part of it is awesome, right? I mean, the community as a whole is very opinionated, I think, especially the Hackaday community. And, you know, people know if there's a project that's awesome, they're going to give it props and they're going to like it. And if it's something that's sort of lame, people will know about it. But I think in general, people shouldn't be scared to submit something just because
they might get negative skulls or whatever it is, or down thumbs or whatever. Part of
the fun is if you're working on a project anyway, submit it and see. And even if you
get feedback or comments about it, that's only going to make your project better. Whether
you win the contest or not, it's only going to help you. Even though nobody really likes to get feedback about something they've been working on.
And that's something that we always had to deal with when we find vulnerabilities in products.
Because you're calling somebody's baby ugly.
But on the other hand, if you look at it the right way, take this feedback and make a product better.
But yeah, don't be scared to submit.
Even if you have something that wasn't intended for the contest, if you're proud of it and you think it's cool and you want people to see it, do it up.
And you don't have to, well, I guess it comes down to, what are your judging criteria? They have given
the judges as little direction as they've given the people for what they want from us. Yeah, I'm basically just looking for things that kind of knock my socks off.
You know, I've read a lot of, I grew up again, I grew up reading projects in magazines and
I follow certain people's projects.
I follow websites.
I follow Hackaday.
And, you know, I try to keep up with what's going on.
And once in a while, there's just something that's like, whoa, that is super cool.
Or like, you know, they combined a bunch of different aspects
and they made something even better.
So I'm just looking for something.
It's hard.
I don't really have a particular list of things.
I just want to look at it and go, whoa.
That person put in a lot of effort.
They made something really cool.
Or how the hell did they do that?
That's the sort of thing where I want it to excite me enough where, you know, it's going to sort of pass
that bar. So you're looking at the whizzy factor. It's, it's, it's the whizzy factor, but it's the
whizzy factor related to my whizzy bar, right? So it's not just having this sort of whiz bang, but
it's having it's having something that that sort of makes me go, wow, that,
you know, I didn't know that could be done, or I didn't know, I don't even know how we did that.
So yeah, it's a little bit of the whiz, but it has to be not just whiz for whiz's sake,
right? It has to be something that really blows me away. And I'm sure there's going to be tons.
I mean, you know, every time I look on Hackaday, there's something that's like, damn, people are
really smart, and people are really sharing things. And a lot of times I look on
Hackaday and I'm like, I'm not even worthy anymore. Like I'm just going to stop engineering. I'm
going to stop hacking on things. Like people are doing such cool stuff that it almost makes me feel
irrelevant a lot of times. And that's the type of stuff I'm looking for, for the contest to really,
you know, give these people, um, that maybe are, you maybe are sort of just working in their basement
or they don't get recognition a lot of times.
Those are the people that really, I think,
are going to deserve that recognition.
It's funny.
I think I'm looking for almost the opposite.
Well, not the opposite because I really do want wins.
But one of the things that Hackaday said was that they want it, if not open source,
pretty open.
Um, certainly people can have secret sauce, but my goal is, can I build it?
I have, you know, a little bit of, of electrical, a little bit of mechanical, mostly software.
Did you describe it well enough that I could recreate it?
And that is, I did talk to them,
that's a fair judging criteria
since they want it to be about open source
and about connected and having information
in the world that other people can use.
So I think between the two of us,
we're going to eliminate everybody.
No, I think when I say, wow, how did they do that? Doesn't mean that it's closed source. It just
means the first time I look at it, I go, that's pretty awesome. And then of course, having it,
I mean, having it open is part of the whole thing. Sharing the project is, you know, I mean,
sharing projects is basically what I've grown up doing. So, I mean, that has to be it. But that initial reaction of like, holy, like, that's amazing.
And then looking and seeing how they actually reduce that to practice by looking through their code and seeing it.
I don't necessarily want to build it, but I like to look and see, okay, that's pretty awesome what they did.
Yeah.
But I definitely want good enough documentation.
Yeah, which is always the worst part of engineering.
Yeah, and so I want people who are listening who are thinking,
oh, there's no way I'm going to build a $250 pick-and-place machine.
I'm only using that because there's a $300 one up here.
But the people who are like, there's no way I can win.
Well, do something a little simpler and
make the documentation beautiful. Not, not just, you know, make it whizzy, the documentation whizzy, but
make it so other people truly can do this and, and they don't feel like, oh, that is so far beyond my
skills. Um, and if you can do that and make it super space whizzy,
then you'll probably win.
How many times are you going to use that word?
Whizzy? It's the new word of the day. I'm sorry.
I had an old word of the day, but I've forgotten it.
It's Joe's fault. I don't think I've used it in like years.
Sorry.
And now, now.
Whizzy, whizzy, whizzy, whizzy.
I'm sorry.
Did you want it to change?
Were you just here to make fun of me?
Pretty much.
All right.
So Joe, you did this open source homebrew video game Atari thing that I've kind of heard about.
And I want you to describe,
because I wonder if that's your frame of reference for the Hackaday entries.
I mean,
because it's what you did.
No,
it's not a frame of reference,
but it was an awesome project.
And basically I,
I've been involved in,
I've loved kind of the classic video game stuff for a while.
I never had an Atari 2600 growing up,
but I just love the concept of the Atari 2600.
So I've been involved in the classic kind of retro gaming community
for 10 or 15 years or so, just as a hobbyist,
kind of going to the conferences and seeing what people have done
and collecting games and trading games.
I suck at playing games.
It's not the playing of the game
that's exciting. It's how the game works on sort of these constrained environments. So I was a big
fan of the Atari 2600. I still am. It's one of the only systems that I actually still have
in my collection. And it's just a very cool 6502, 6507 actually, based platform with very,
very tough constraints.
You have 128 bytes of RAM.
When you're drawing to the screen,
you have to actually keep track of where the scan line is
so you can place your objects, I guess, if you will,
at the right timing,
and you can only do your in-game processing
at the end of the scan line,
at the end of the vertical sync.
So a lot of these really neat things that make it really hard to write a game.
And the system was originally designed to play a few different types of combat,
a tank sort of game.
And then over time, there's a whole documented history of this,
but over time when some of the engineers realized that there was some other
functionality, unintended functionality
within the system
that they could make it do other things.
And so the engineers working at Atari
were essentially hacking the Atari
to create better video games.
And then some of those guys left and started Activision
which made even better video games.
So it's just a really cool history and a really cool
system.
And around 2000, there's been a little homebrew community designing Atari stuff for a while, but it was very small.
But in 2001, I said, well, I want to try to design a game for the 2600.
So I wrote one called SCSIcide.
Yeah, SCSI, like the hard drive interface.
And it was basically, I guess, a horizontal scroller,
and you control the hard drive head as you move across different tracks,
and you have to read the bits of data as they come across.
And if you miss the bits of data, you have an underflow error,
and eventually your hard drive crashes.
And the score is in hexadecimal, and all just very nerdy.
And I made like 100 of these games by hand, created my own, own cartridges, um, the cartridge design, the Gerber plots, the schematic, um, for the standard
Atari cartridges. And then there's a bunch of different bank switching ones that I created later,
along with ColecoVision and other stuff. All that stuff is on my website, uh, so you can go and, you
know, make your own, um, physical cartridges and make your own, make your own games. But yeah, so I made a bunch of these, shipped them in anti-static bags
like hard drives are shipped in. It was just kind of a fun project
and just a real challenge. And this was at the time when, let's see,
2001. Yeah, I had just started at @stake,
so I had a real job. I wasn't just sitting around writing
2600 code all day,
but it was most of the day.
And it was just really fun.
It was a hard project and it was an open source sort of thing of,
you know,
posting code on forums and having guys look at it and say,
well,
you could save a few,
save a few cycles.
If you,
you know,
change this operation here,
it's all in assembly.
And it was just,
yeah,
just a really,
really cool,
really, really cool kind of fun community and fun project.
So that ultimately, I had a friend of mine manufacture those for a while
just for fun for the community.
I ended up creating a version called Ultra SCSIcide a few years later
to just do some bug fixes and some other stuff.
But, yeah, it was just a fun thing.
But it's by no means any sort of bar for what I expect of, like,
a Hackaday project or anything.
It's hard because they have given such an open idea set for what can your Hackaday project be.
It doesn't have to be related to space.
It doesn't have to be, I mean, they say connected, but then they didn't say it has to be connected to the internet.
Right, they can be connected to each other or to a person or to something.
I like that it's so open, though.
And I feel like if they tried to constrain it, people might say, oh, I don't quite fit that mold.
I'm not going to submit.
On the other hand, it makes it a lot harder to judge, right?
Because you might have two awesome things from two completely separate industries or something. But I feel like it's
better to be more open and vague than, than very specific in this case. Well, and I think we want
to see really neat stuff and we want to see it well documented is, okay, cool, let's try it. Yeah.
Uh, let's see, we are almost out of time, but I wanted to ask you about this high school cyber security camp.
You're participating, you're teaching.
Yep.
So this is something.
So there's a cyber security camp designed for high school kids and younger by some friends of mine at Dakota State University
in South Dakota.
And the guys that put this on have been longtime DEF CON attendees.
They've been involved in the hacker community for a long time.
And they're both professors and run this group at Dakota State.
And Dakota State University has one of the best computer security programs in the country.
And even though it's this tiny little school in the middle, literally, of cornfields, but just a very cool place.
So I've been out there a few times to introduce kids to computer security and to hacking and to a world that a lot of these kids probably have never seen.
And so they contacted me and said, hey, do you want to come out?
And it was just such a cool thing.
I said, yeah, sure.
You know, we didn't know what I was going to do.
But it was like, yeah, sure, I'll go out for the week and do it.
You know, I love those guys.
I love what they're doing, and it's just a neat thing.
So, yeah, I'm just going to go out there for a few days,
and we're going to watch some episodes of Prototype This.
We're going to talk about hardware hacking.
I'll do a little introduction to soldering class for the kids
and basically just hang out and be the token hardware guy
surrounded by, you know, a
bunch of other network security people and just sort of, you know, spread the love and share the
love and see if any of these kids get excited enough to pursue it as a career or as a hobby
or something. Do you think the goal is to encourage them to get into engineering as a whole or to get
into hacking or just to see the world differently?
I think it's all of the above. A lot of these kids, I think it's like, oh, I want to learn
things that I'm not learning in school and to see the world differently. Or maybe they already see
the world differently, but they don't have an outlet to actually exercise that. So they can go
to this camp and meet kids that are also thinking that same way
and that are also into sort of the nuts and bolts of technology
and kind of the underbelly of technology.
So from my point of view when I go in,
it's going to just be to sort of show my enthusiasm for things
and maybe people will pick up on that and like it and maybe they won't.
But if it turns one kid on to engineering,
whatever form of engineering that is, whether it's, you know, hacking, um, systems for good or whether it's
designing products or whether it's teaching somebody else about it, like, that's awesome.
If, you know, if I can inspire one person, that's great. And I think they're, you know, maybe it's also
a long-term recruiting tool of, like, look, if you, if you get into this stuff, you're in high school,
four years from now come to our school because, you know, we're local, we have an awesome program
or whatever. But people are coming from all over the, all over the country and I think even from
out of the country. But it's just, you know, it hasn't really been done before and I thought
it'd be fun to get involved in and, and help out my friends and, and go to South Dakota and
go to the middle of the cornfield. Normally I go in the wintertime, so it's going to be fun to actually go in the summer.
I bet it's much prettier in the summer.
But still lots of corn.
Well, that sounds like a great thing because you, I agree.
If you get to convince one person that this is a neat thing to do, then win.
That is totally a win.
Yeah.
I mean, you know, when I was a kid, there was no outlet for this stuff.
I sat in my room.
I had a computer.
But I was doing things that kids shouldn't do and that adults shouldn't do.
You know, I figured out a way to get free phone calls.
And I would do all of these things, you know, break into various systems.
It didn't really take much work because there were, you know, very little kind of password protection and stuff. But I, you know, I was doing things in a pretty closed environment until I met up with, with the guys from the L0pht.
But it's a different world now, and now we can create an environment where kids can go in and do things without the risk of going to jail. And nowadays if you get in trouble for things, you will get in serious trouble a lot of times, you know, I got a slap on the wrist and I ended up getting really lucky for what I did.
But that was a long time ago. And this is a totally different world. So you almost need to create an environment because kids are going to be kids anyway. And they're going to do things that kids do, whether, you know, mischievous stuff. But if you let them do it or you teach them sort of the proper way to do it, and the mindset, say, look, if you want to mess around with systems, set up your own environment and do it. Or if you want to, you know, play around with something, go to your local hackerspace and meet up with other people and, you know, do it in a controlled environment, not against somebody that's going to actually end up trying to throw you in jail. So we need to do that. And it's almost a service, I feel like it's our responsibility to provide this service to younger kids so they don't necessarily follow the exact same path that a lot of us did.
Are you going to be talking some about ethics and consequences?
It's, uh, you know, one of the things from, from DEF CON Kids, which is now called r00tz Asylum, which was started just by some, by some DEF CON people that wanted to, to, to, uh, kind of show off hacking to kids, and they, they explore lock picking and social engineering and all of these things. One of the main messages is, look, you have these, you know, you're learning these superpowers, you're learning how to pick locks and how to, how to manipulate somebody, 3D printing or electronics or something.
But you have these powers.
You need to use them for good.
But teaching that is hard.
But it's sort of trying to frame it in some way that they understand, because I don't think kids a lot of times realize that what they do might end up – that they might end up in jail for until they're actually faced with that. I'm like, oh crap, I might go to jail. Uh, at least that was, that was my situation.
Well, fun now and consequences later. I mean, that is just your brain.
When you're that age, that's how your brain works.
Sure. So, you know, I mean, there's a lot of people that are listening and I, you know, I've, I've talked to people at DEF CON about it too.
And they're like, well, you're teaching kids these things.
They're too young to learn these things.
They shouldn't learn about it yet.
But it's like, yeah, but you're teaching them things in school that they don't necessarily want to learn about.
But this is, you know, if they're interested in something, I feel like you should sort of fan that flame.
And if they're interested in learning things, it's like my kids are really into Lego right now.
And I feel like I want to teach them.
I want to provide them more of that kind of building and let them expand their mind.
If they're into mechanical things and want to learn how locks work for lock picking, that's fine.
As long as they don't use it to go, you know, defeat a lock and break into a house. But teaching the tools and teaching the skills is not the problem. It's how, basically, if they're kids, it's how parents are teaching them about these skills or how, you know, how to use them or not to use them. So a lot of it comes down to the parenting as well. It's not the fact that they know how to pick a lock, right? Just like they know how to use a hammer, they could hit somebody over the head with it or they can build a house or build a tree house or something. So it's, you know, it's not necessarily knowing the skill, it's, it's responsibly using it, and that comes down a lot to the teachers and the parents and the mentors that are helping.
And having a good mentor is critical to making these choices wisely.
Very, very critical.
So I'm glad you're going to go and talk to them.
Well, thanks.
Any last thoughts you'd like to leave us with?
No, I think that's it.
I appreciate everyone listening.
And if people have questions, feel free to go to my website and contact me.
I'm on Twitter, though I don't respond very much on Twitter.
I sort of use it as a one-way kind of funnel for people to sort of see what I'm up to.
But get in contact with me.
I'm happy to talk and argue or eat lunch or I don't know, anything.
I'm pretty available.
Yeah, you have a contact link on your website, so that'll be in the show notes.
Yeah.
My guest has been Joe Grand of Grand Idea Studio. He will be at Black Hat USA, BSides, DEF CON, r00tz Asylum. All of those are in Las Vegas in August if you'd like to attend his training course, Hands-On Hardware Hacking and Reverse Engineering. Thank you so much for speaking with us.
Yeah, thanks for having me.
Thanks, Joe.
And that about does it. Let's see, my friends at Park are still looking for a few great software engineers to work on the super next-gen routers in what I have to say is a wonderful environment. And email us at show at embedded.fm if you want to see the rec or hit the contact link on embedded.fm.
Same goes if you have comments, questions, or just want to say hello.
And if you like the show, but only if you like the show, we get higher rankings in iTunes and whatnot if you write a review.
It helps us hit that top 10 of software how-to podcasts.
And that's how people find us.
And that's exciting because every time we hit the top 10, I take a picture on my phone. Okay, maybe it's only exciting for me, but still.
Okay, final thought for this week. Oh, so many things. Let's see.
Final thought. Helen Keller. Life is either a daring adventure or nothing.
Security does not exist in nature, nor do the children of men as a whole experience it.
Avoiding danger is no safer in the long run than exposure.