The next talk will be about parkour communications and, well, it could be described as using the fixtures of the internet to communicate when everything else is blocked or broken or doesn't work. I'm very curious about the topic and I hope you enjoy it. I wish you a good time, and let's give a warm welcome to Adriano Swarmanhofen, he's just a guy. Here you go.

Morning. I'm really happy that you even are here, because everybody's taking in their tents and of course you had a couple of days which are really heavy. Who am I? My name is Adriano Swarmanhofen. You get my email address, and I work for a company called Red Socks, and yes, I wear Red Socks. That's what I always get asked. I do research and development in analytics, and that is important. We get to that later, because I look at metadata on the network, and this is also why I came up with this topic.

Let's first of course start with a disclaimer. I'm not a lawyer, so anything I say and anything you do, you may have to check in your country whether it's allowed or not. I think all of the things we're talking about are really normal usage of all the systems, so there should not be any problem, but sometimes there's some blanket statement in a law saying "circumvent a certain blockade to visit specific websites", and then any method used, well, may get you into problems. Also, I may use a lot of "he", but whenever I do that, of course I mean everyone in the lesbian, gay, bisexual, transgender, queer, intersexual, asexual, pansexual, kink and cis community. So I love you all, and I mean "he" is just a way to describe something. And the last thing, of course, which is really important in my disclaimer: I'm trying to get a concept through to you. 
Not specific full solutions, not something like an exploit, but rather a new way of thinking about how you can also use the internet. And, well, I thought, because of this last day, something really simple and nice and easy to do. You can do this literally with your granny in the old people's home, or you can do this with children at school.

So, first thing: why parkour communications? Why even this subject? Well, one thing is I want to do something different with hacking. For me, hacking was always playing around with things and building new things and having fun with things. And, well, almost all the news I see about hackers nowadays is like these little Dr. Evils lurking about, and they all think like, "Hmm, I want to have 300 bitcoins of you," something like that. You know, that's a bit bullshit. Also, the other thing about security which we always see is: now I find a hole, somebody has done something stupid, they have misconfigured something, they haven't used software correctly or whatever, and instead of going to them and helping them fix it, I just go to the press or try to get as much karma as possible by just publishing it outside. That's one thing.

Another reason is the knowledge and skill gap between security and productivity increases at the moment. So we have lots of developers building new applications, new stuff all the time, and security personnel, the knowledge about that, well, it focuses mostly on diplomas and other really specific stuff. Not enough hackers. This is really a pet peeve of mine. I'm really involved in education in schools. Yeah, we get some soldering and some playing around with robots, but what I really want is more education in what is the internet, how does it work, and how can we play with it and how can we use it. And this is also the lack of easy and fun things to do with non-technical people. As I said earlier, this is what I'm going to propose: the parkour communication is something you literally can do with your 
grandmother in the old people's home, or with your children at home, or with your friends who are non-technical. You can figure things out and have fun with it. And of course almost all hackers nowadays, well, they download Kali Linux, they know how to use Metasploit, they know the offensive security CVE database, and they're all the same hackers. You know, nobody tries to do something new or play around or have fun with it. So this for me is quite an important part. Parkour communications is, well, just something I thought up, trying to have some new fun with the internet.

So I mentioned the name parkour communications. Well, basically, what is parkour actually? Well, parkour is these guys you sometimes see with amazing feats in the city. They run around in the city and they use the city, they use everything that is there. They don't build new tracks, they don't build new things to climb on, they just go from A to B in a way they want to and just use everything that's there. They don't need anything new, they don't need to break anything either, they just use whatever is there.

So, just the same as in the away-from-keyboard parkour, there's a lot of fixtures that make the internet work. And with fixtures I mean things like lighting beams like this, traffic lights, street lights, those are all things, and like the plumbing. That is what makes the internet work. For the internet it's like name servers, web servers, mail servers, search engines, and slowly we also get things like all the things that Facebook provides or whatever. And mind you, I'm not talking about anything fighting against the NSA here, or like the deep web or something like that, just about fun things of communication. And I know that a lot of things I'm going to talk about are not really secure in the hardest sense of the word, but just bear with me. As I said earlier, there's no need to break in to all these systems just to own them or modify them. And tracers, which are the people that run 
through the city, well, as I said, they do not rebuild or modify parts of the city. And we can use all those items just as they are intended. I will show later on, we can use the search engines just as they are intended, we can use the email just as it is intended, for our own purposes.

So first, about metadata. I need to give you some context. My job is working with metadata. I can really see what kind of web page you visit, even if you have an encrypted web page, even if you have a really good encrypted connection. And I can see that because of the size of the web page, but also on what other domains you are calling, because nowadays you have a lot of JavaScript libraries, we have CDNs which call in different libraries. There's a lot of extra activity that your browser does which gives me an indication of what you are actually doing, and I don't even need to see the content. Actually, I work with metadata which is called IPFIX, which is kind of like NetFlow, I don't know if anybody knows that, but this is just router information about how many packets, what size the packets are, and what timing it is. Only from that I can quite confidently deduce what you are doing on the network. And content monitoring, well, content monitoring, that's actually when you have the contents. This is when people start snooping non-secured communications.

To get a good idea about the metadata: it's an old one, but if you go there, don't put in your email, because they ask that you put in your email. This is an old MIT project. They'll show you lots of intentions that you have and a lot of activities, just by who you are contacting, who you're emailing with, and from whom you are getting emails. This is the same if you are on things like LinkedIn, but also on Facebook. If you are more active with certain people, well, at that point you can infer intent, and it goes even so far that you can say, well, you're going to have a dinner date with this guy probably next week or something like 
that, or you're going to change your job. And you have all heard the stories about Facebook being able to predict when you're going to break up. Well, Facebook also uses a lot of content, so without the specific content that's a lot harder. But really, all the metadata, and this is actually what most of the agencies use, I can tell you about that, all this metadata is actually what gives us a picture about what everybody is doing. We don't really need to have the content of that and we don't really need to see what you are saying from A to B. We just need to see who's connected to whom and who's talking to whom. So this whole metadata thing, that's the first thing we actually have to defeat if you want to do, well, some specific communications and some hidden communications. And this is what I want to do with parkour communication. I'll talk to you about that.

So again, the content monitoring. The end-to-end encryption, well, it makes things harder to crack, not impossible, because, you've been on the Congress here so you know about this, there's been lots of progress on decrypting lots of various encryption algorithms. There's man-in-the-middle things, there's root certificate attacks. It just makes it harder. But again, I can tell you that most of the agencies don't need to do that to keep track of what the populace is doing.

Well, what we're doing with parkour communications is we're not going from A to B. I'm going to give somebody else my communication and really hope that in some way it comes to the intended person. One of the things I did physically, which is not in this presentation but maybe in the next presentation, is do something like a Chinese whispers with a school. You can have lots of small same messages and give them to people and just hope that at some point, like a peer-to-peer system, they arrive at the intended person. And maybe at the next Congress I'm going to do a competition on physical offline communication. That would be fun.

And of course if you're 
going to do the things we're going to talk about, important text you really should encrypt and Base64 encode. But it makes it easier to spot. If I'm doing content monitoring like any of the agencies, I can make something called n-grams, or I can do letter counting, letter frequencies, and I can see if it's a Base64 encoded message or not, or even if it's an encrypted message or not, without looking at the content directly. I can just count all the bytes and say, okay, this is an encrypted message, or this is a Base64 encoded message, or this is normal text.

So let's start with some fun things. The first thing about parkour communications is we're going to use all the different items on the internet. I'm going to give you a couple of examples, and I really hope that at the end you can come up with some extra examples or your own examples.

So let's start with the first one. Well, this is the easiest one, which will always work. You go to any of the search engines, and your buddy has registered some domain dot TLD, top-level domain, and then you say, okay, search engine, you have to archive or crawl some domain dot TLD and then your message. Okay, the search engine's "okay, I'm going to do that." So at some point, and this is where the metadata analysis breaks down, where you have defeated metadata analysis, I will show you that in a minute, at some point the search engine gets crawling that specific URL, and then in the log file of your friend, well, he'll see a 404, which is "this page does not exist". It has two effects: your friend now has the message, but the web crawler, it says, "I don't see it," so it doesn't index that message, so it will not appear anywhere. And you have successfully sent the message to your friend without directly contacting him.

In metadata, if I look from a metadata point of view, from an agency or from myself, it looks like this: you connect to the search engine. At some point later on, that search engine connects to the web server of your buddy. At some point 
later on, totally disjunct from each other, your buddy connects to that web server. And because there's so many of these things going on at the same time, the correlation with just metadata is completely lost. For any agency it's really hard. Unless they already suspect that you might be in communication, they could do something about it, but most of the time your connection to the search engine is encrypted anyway. You might be just searching the web pages or doing something else there.

So for this specific method, what are the ingredients for just this way of communicating? Well, you just need any large, and large because otherwise the metadata again points to you, you need search engines which are in the top 100, because they have lots of traffic and then your specific traffic will be lost, like Google, Bing, Yahoo, Baidu, Ask. Well, you see archive.org: you have to be a bit careful, because sometimes they also archive 404 pages and then your message will get archived as well. Well, at the other side, your buddy needs to have his own web server, and the web server doesn't have to do anything. It only needs to have a log file to store the 404 message in when a crawler comes along. And the fun part is, most of the hosting companies nowadays, even if you're not technical, you can just buy a server, it gets installed, and you have a control panel where you can see the log files. It's all point and click. There's nothing to do as a technical person. So again, this method, you could do that with your granny. Same thing with the CMS, and you have a visitors plugin which shows you when a web server comes along and which URLs it has crawled.

So these two items together easily defeat, at the moment, I'm not saying that this will still be true in a year or two years, they'll easily defeat a correlation of communication between you and me. And we have done nothing illegal. We have not set up a VPN, even if that's illegal in some cities. If Twitter is down or blocked, we can still communicate with 
each other, we can still send messages to each other, and we're not abusing anything.

Well, there's also other methods, because if you only use one method, of course after a while, well, the agencies might rise up and then suddenly they think, yeah, okay, everybody's using a search engine now, we're going to do something with the search engine, or all the ISPs are provided to give all the logs or something like that. So let's figure out the second way. This is just, again, examples. I really, really, really want everybody to come up later on, or when they're at home or something, with different methods. Just use the internet, because if you use it, you're not doing something out of the ordinary, and this exactly is what all the agencies are looking for: anomaly detection. And I can tell you from experience that if you stay within a norm, then even neural networks and machine learning will not be able to find you. And this is what I'm trying to convey here: well, try to use the internet for your own purposes and then you will not be flagged by all these systems.

Well, another one is just order a pizza or go to a complaint form. Well, the order pizza really worked. I had real fun with a friend of mine. Well, the problem also is you get a really full belly. But you just order pizza online with these delivery services, and almost all of these delivery services have a little form where you can say something to the pizzeria or eatery where you order, and they will also send the whole of it as an email, as a confirmation. So what you do: you go and you order your own fun pizza, and in that little message box you write whatever message you want. The only problem is, of course, the guys at the pizzeria will also read that message, and if it's really weird, then, okay. And you put your friend's, your contact's email address in that box. Well, at some point that message simply gets delivered to your friend, and you get a pizza. Again, there's no correlation for any of 
the agencies between you and your contact to find out. So from metadata view it looks a bit like this: you are going to the web server of the pizzeria. Well, that happens. That web server sends something to the mail server, and if you do it at the correct time spot, like when it's really busy, it will get in batches, and so there's nothing out of the ordinary happening. And at some point your buddy checks his email and sees a confirmation message from the pizzeria with your message in it. So from a metadata standpoint there's no correlation between you and your contact. And again, we have done nothing out of the ordinary. There's no abuse, we have nothing developed or broken, we have not stepped over any laws.

So what do you need for this? Well, a vendor that has an email confirmation for purchases. Don't use the account option, because then the account will always be sent in the email. That's not a good idea. The complaint forms, that's also a nice one. I've tried that one as well. With every complaint you make with a lot of vendors you get a confirmation back again, and you can do the same trick: you write a really nice message for your friend and put your friend's email address in there, and then the confirmation of the complaint gets sent to them. Only problem is, of course, that if you make the message too weird, the company getting the complaint will follow up and try to figure out what's going on, and if they think something shady is going on they might register it.

So, and it is my third example, and basically this is the last example, and then later on I'll try to see if you can figure out something as well. There's these anti-spam providers, and, well, 33mail, or email if you want, is one of them. And if you register with them you get your personal subdomain, let's say adrianus at 33mail.com, and you can have any prefix in front of that. And now the fun part is that you can send a message using the email contact. So what I'm doing is I'm sending a message to my contact, and my real 
message is in the address, not in the content. In the content I can put some really innocent stuff, so if there's any content filter it will just be flagged like, okay, it's normal stuff, no problem at all. Because at the moment none of these systems will check all these email addresses, because they're throwaway email addresses, and throwaway email addresses are by nature a lot of random junk, a lot of random names. You use them once for one site and then you throw them away. But if you're clever, instead of random junk, you can just send a message using that email address. So again, for metadata view: I send an email to 33mail, at some point that system will send it to your buddy's email address, and he will fetch his email. There's no direct correlation between my email provider and the other.

So what do we need? Well, this is a bit more complicated but not too hard. You can still get your granny to use this. A Base64 encoder/decoder for the message, or if you really don't care you can just put your message in plain text as well, and you need an email relayer. Well, one of these will do. There's many, just look for disposable emails. I will get there, but basically that's another way of just using systems as they are intended and not getting any correlation. So I'm going really way too fast now.

Okay, what else can we do? Well, I've tried a couple of other things. I've tried advertisements. And now we're getting a bit more technical, so you have to skip this with your granny. You can do this with a couple of friends who are a bit more technical, but there's nothing too involved in here. For instance, shopping carts and advertisements, cookies and log files. Well, a lot of cookies for advertisements are protected, that they shouldn't be stolen by other people, like cross-site forgeries and all those things. But there's nothing protecting those cookies if I take it and give it to you or to you. And what happens 
then is really fun. You probably have seen this effect sometimes, that if in your house you start looking for a new laptop, then suddenly all the people living in the same house also get advertisements for that new laptop, or for a car or something else. And that's just if you don't use an ad blocker, or if it's just by IP. But the fun part is, if you take all these cookies, or all these hard-coded cookies, and just share them together, you can have a really worldwide spanning communication network. Because then I can say, well, we use the first letter of each item that comes in the advertisements, and then we really slowly encode and decode. And this is almost impossible for any agency to track, and also it gives you the real satisfaction that you're using the advertisement networks, like these indestructible bulletproof networks, for your own use. So again, what you do is: I take my advertisement cookies, I just put them on a USB stick, give them to all my friends, and whenever I look at something they all get the same result, and whenever they, say, look at something, you all get the same result.

Another one which you can do is shopping carts. Well, we can give shopping cart cookies to each other and just use the wish list and all those kind of things on Amazon or whatever, and have whole conversations in those wish lists. Again, on metadata level this is almost impossible to figure out what is going on, because there's no direct correlation in our communications here.

Well, and this was actually something I wanted to have prepared a bit more for the show, but yeah, then life happened. What if they switch off the internet? Well, we had a couple of tests already and this is really fun. If you take toilet roll papers, toilet rolls, and you paint a couple of them black, a couple of them you leave white, you can stack them just like a QR code, and the distance at which they are still really readable is quite large. Now, we did some fun tests where 
one person at one end had a stack of toilet rolls in a QR code, you read it, you stack your own, and then the person further on reads it. And what I wanted to do actually was make some bandwidth testing, I didn't come to that, and some speed testing. But this is just one idea which you can use. Also, if you just print out a QR code and hang it in your window, like if you live in a large flat, then people can really quickly communicate and send digital data across without using the internet at all. Well, you also have barcode readers. Well, if people stand in the correct sequence, we also tested that with a picture, that didn't work so well, you can do it as a barcode. But none of these items we ever changed or abused the things that they were being meant to do. So, oh yeah, and also of course the really old one, sneakernet, is just giving each other USB sticks. And I'm really way too fast, I'm sorry about that. So let's do some questions. Thank you for listening on this day. So if you have any questions, also about the metadata and what I can see, because maybe I skipped that part too much, or whatever you want.

Yeah, thank you for your nice and refreshing talk. It was a good way of looking differently at the thing you always use. My question is this: your premise is that you want to communicate between two persons that do not physically have contact with each other, so they're away from each other?

That is the idea. I can send the communication from one to one without...

You know, you can go to a park and talk, but that's...

Yeah, of course, yeah.

Then how is this, for example, this seems like a modern way of, you know, publishing cryptographic advertisements in the newspaper like we used to do before. And then the internet came, and the first thing that appeared for a communication without being seen was this technique called steganography. And actually this technique is so good that I think that is also very difficult for agencies to see, because you can put messages in the noise 
of pictures, or you really have to look very hard to find that, and I don't think they will see that in the metadata. So yes, this is fun, but is it also effective?

No, I wouldn't use it as your main method if you're an activist. I really wanted to get more people into thinking about the internet in this way, just like the tracers in parkour. They see a city and they see it as a whole new playground. They don't need to wreck the city to use it as their playground. I want people to see the internet the same way, just as we as hackers did in the early days. It's your playground, play with it. By the way, about the steganography, I can say something about that and the metadata as well. If for some reason the intensity and rhythm of your image uploads changes, I can detect that. So if you use steganography or any of the cryptographic methods, you have to be extremely careful in things like timing, in things like intensity, and in things like volume, for me not to detect what is going on. Because if I look at your communications, if I want to infer what your communication is, I'm not only looking at what you're doing but also what is happening to you and to the people around you. So if you suddenly start uploading a lot of images and I figured out that somewhere there's a subpoena against you, then I can pretty much put one and one together and say, okay, you're communicating with people about the subject of this subpoena. I may not know the content, but really be careful about it.

And one thing, why I'm just giving examples and I really want people to figure out things for themselves or figure out new ways, is because of this diversity. This is just like normal economics. No company or agency will invest a lot in a possible way of communicating. If we all would use the same methods I just showed, then of course it's economically feasible for any agency or company 
to make a detection for that. But if everybody figures out in their own way different methods, then it's really hard to figure out. Then I really first have to tag somebody, and, well, this is what we all want. For lawful interception you really want to have a case first, not dragnet monitoring. Yes?

Yeah, may I comment shortly on that?

Of course.

I understand this, but I think that also applies for pizzas, because I never ate pizzas and then I start ordering pizzas, and then what's happening in this house? So I mean, you have to also be aware how your opponent thinks before you do something. And for example, if I want to use some message in the picture, I will not do it myself. I could have my daughter put it on Facebook, because she's putting a lot on Facebook, so that's not going to be noticed.

Yes, something like this. Okay, thanks.

Hello, I really liked the talk, but I have a question. Did you try layering these things? Like, I can put a GET request in Google for archive.org which requests something else, so we have it layered. But I think it's awesome.

Yeah, you should really try that.

And you could also maybe put the QR code that is a Google link to a search and just put it somewhere, and someone else will deliver the message for you.

Yeah, that's awesome, that's awesome. Anyone else? It's the last day, so, okay. And thank you. And one thing: please have a round of applause for all the angels and the heralds and everybody who made this conference