My name is Mystic, I'm going to be doing a presentation on mimicry and the mimic functions. In order to explain basically what that is, let me just start with the basic concepts and then I'll give you, I'll show you an example of the mimic functions in action and then I'll go into more detail on how to use them, how to write your own things for them and stuff like that and then I'll give you an introduction to a program that I'm developing right now, still in development, that takes this concept into a live chat atmosphere. So first, just basically, what is mimicry? Mimicry is basically the ability to mimic your surroundings as it says up there. So like animals do it, like chameleons would do it in the wild to mimic their surroundings in order to survive. And in the sort of cyberspace world where you have the internet and you have just communications going around and you want to encrypt something, the problem with that is that when you encrypt something, if somebody could run a filter on that network looking for encrypted data and pull it right out and then eventually decrypt it, it's only a matter of time. So what mimicry basically does is it allows you to encrypt data or take any data and encode it in a way that the output does not look like encoded data and in fact it mimics the sentence structure or the sort of likeness of a completely different script and I'll have to sort of show that to you, it's hard to explain. So that's what it says right there, a way to encrypt/hide data in which the output is statistically or grammatically sound. So if somebody was to use a filter to look for it, it wouldn't come up because it would just look like normal text. And before I go on, I want to show you an example of that. So I'll just give you one second to sort of put it in perspective of what we're talking about. So here's a Java applet. I'll give you, at the end of the presentation, I'll give you an address to where you can actually download and use this program.
And the source code for this is also on the CD. So basically I want to enter the message here, push mimicry. And now what it says there, basically what it generated is a block of text that mimics the, mimics two people, mimics the announcing of a baseball game. So I'll just read you a little bit of it. It says, well Bob, welcome to yet another game between the Whoppers and the Blogs. You're in the scenic downtown Bolvania. I think it's fair to say that plenty of bubble off, bug fever, it just talks about the game. So then, then taking this text, we can just run, remove mimicry and there's our original text right there. So that's basically what the mimic functions do. And I forgot to mention, the mimic functions were first released in a book entitled Disappearing Cryptography by a man named Peter Wayner. He was the first one to sort of take this concept and create a proof of concept, which are the mimic functions. So this is his code that I'm showing you. And again, I'll give you a link to that where you can go buy the book, go to his website. So now the question is, how do you tell the program what to mimic? And mimic does this by what it says, generating text using the syntax described in what's called a context-free grammar and hides data by the choices it makes in that grammar. And I'll go through and explain that more in detail as I go on. First I'll describe what a context-free grammar is. A context-free grammar is basically a very specific way of describing language in general. In order to do that, it uses terminals, which are words or phrases, and they're static as it says there. Variables, which are places where decisions in the sort of phrase can be found. And productions, which describe how a variable can be converted into different sets of variable terminals. And again, I'll show you an example, which puts it in perspective. So here you see a variable. So here's an example of a production. It shows a variable, and it shows phrases or words.
So to describe, to show a context-free grammar on paper, you would have the variable, I think the variables are in bold. And then this is what you put between the variable and the rest of the production. And then phrases are words. So this is a series of productions, and describes a complete context-free grammar. So this is a good way to describe it, okay? So you have start and a noun and a verb. Those are both variables, right? Start is where you start. Nouns can either be Fred, Barney, or Fred and Barney. And the verb can be went fishing or went bowling. So this context-free grammar can generate sentences such as Fred went fishing or Barney went bowling or Fred and Barney went fishing, etc., etc. So that's basically what a context-free grammar is. Putting it very simply, because I don't want to get too technical into it, in order for mimic to hide binary data, it creates a tree of choices based on those context-free grammars. So if you look at here, there's all sorts of different choices that can be made. The noun can either be either of these. So it goes to these choices, and it creates a binary tree. So it starts here, and it creates a one and a zero. Either one could be Fred, zero is Barney. And then it goes on and on and on. So when it creates this tree, the leaves of the tree is what would encode the right bits. So again, I'm going to give you an example so it's easier to understand. So we're going to start out with this context-free grammar. There's start and noun and a verb, and then Fred and Barney, and then verb went fishing, where is also a variable, went bowling, where there's a variable, and then direction. So let's say you want to hide one, zero, one, zero. You want to hide those bits. You want to hide those bits given this context-free grammar. So it's going to go through and say the first is going to start at start, and there's nothing hidden because it's just the start.
And then so it's noun and verb, and since it's a one, it'll go to the first choice, which is Barney. And then it'll go on. The next one is a zero, and it's going towards Barney verb, and you see the verb zero is going to be went fishing. So it'll go down went fishing. And then here it says Barney went fishing where? It's a one, so it'll go to here in direction Minnesota. So it'll go here and say went fishing in direction. So it'll say direction zero is northern, so it's northern Minnesota. And so that would give you the sentence down there if you can read it. It says Barney went fishing in northern Minnesota. So MIMIC needs the bits to be encoded, which can be the texts that I entered at the beginning, which are converted into bits. And it needs a context-free grammar. Those are the two things that it needs to encode and also to decode. And the way that MIMIC understands context-free grammars is through what's called a grammar file. And it's something that's unique to MIMIC. Let me give you an example of a grammar file just really quick, as you can see here. Really? Oh, man, I didn't know if you didn't... Okay, well then, you know what, here. All right, then I'll just go through this. You'll see an example as it goes on. Ah, jeez, I did this again. Okay, well, in order to create a grammar file, in order to show the variables, variables always start with an asterisk and must be one word. Productions are separated between numbers and forward slashes. The numbers indicate... The numbers at the end of the productions, and I'll show you, there'll be a little bit of example, indicate the weight given to that choice. And they don't weigh out each other. Like, just basically the higher the number, the more probable it'll appear in the production. And I'll give you a better example of that. The end of a variable is indicated by double slashes. Starting variable is always the one alphabetically first. So here's an example of what a small grammar file would look like.
AA start being, it would always be alphabetically first, so that would be the start. Fred went to con, con is a variable. And you see, I'll just sort of... It's the same way as the context-free grammar looks, but it's done in this sort of grammar file format. And then the numbers at the end give the weight. So here, this number is smaller than the other one, so this one would occur less in the final encoded information. Because of the limitations of MIMIC, you can't have a grammar that is ambiguous. So there can only be one way of producing one phrase. If there were more than one ways, then the encoding wouldn't work. So in order to do that, that's an example of an ambiguous grammar where there's more than one way. In order to do that, all the productions in a grammar file have to be in a certain format. Basically, it just means that all variables have to be at the end of the productions. You can't have a variable and then something static afterwards. It helps make sure... There are checks in the program to make sure that there aren't ambiguous grammars, but this helps out just to make sure. Some of the limitations of MIMIC is that, as you saw before, I had a very small text and it generated a huge amount of data. It all depends on the number of possibilities in the grammar file. In that case, if there's only a few number of possibilities and each of the possibilities have a large amount of text, then you're going to generate a huge file because it needs more possibilities in order to generate a larger tree. Also, if it reaches the end of a grammar file, it'll repeat and go back to the beginning. Also, there's also a random misspelled gen, but it's not sophisticated. If somebody really wanted to, they could write some sort of a filter. If they saw enough data, go through. They may be able to write some sort of filter because it's not... The randomness isn't very well done.
You'll see bits that'll generate the same encoded data sometimes, but there is randomness there. IRC Mimic. This is the program that I'm working on. It takes this idea of Mimic, of being able to take a grammar file and generating text, but what my program does is I wrote a grammar file that mimics one side of an IRC conversation. It's just simple like, hi, how are you? What's your name? Where are you from? It's just like that. And then it sends that to any sort of... any nick that you specify. So it waits for... it waits on the server for a connection. It waits on the server for that specific nickname to message them. Once they message them, then the program will start sending... will send one side of the conversation and then wait for something else. And so you send another one and it'll send more of it. And it's built in a way that the end product will look like just any normal IRC conversation. But in that one side of the conversation is an encoded message. And in order to do this right, because that small text generates so much data, I did a few little tricks to get the maximum number of possibilities out of the grammar file. And I didn't write down what I did. But what I did was basically for things like the bot would say, you know, my name is and the possibilities that I would use is I would... I went on the internet and found like the census information for the top, I don't know, thousand names in the country. And put that in as all the possibilities. Yeah, question. It's not that advanced right now. All it does is it generates... Basically it does the same thing that that first program I showed you does, but instead of generating a baseball game, it generates one side of a complete conversation. So it'll send that one... So for instance, it'll say, hey, and then you type back, the person will type back, hey, and the computer will bring back, how are you? That's one side of the conversation. Then you'll say, you know, good.
The computer will bring back something random like, that's nice. And then you'll say, how are you? And then the computer will say, you know, I'm all right. And those things, hey, how are you? Good, and I'm all right, have already been encoded. That's what it's sending. So I did... So the maximum possibilities, I did things like that. I also use common grammatical errors that people use in chat. You know, like using R instead of A-R-E, and I use capital letters, lowercase letters, just to maximize possibilities. And you're able to generate, like for instance, if you said this is a test, like I just showed you, that would fit in one conversation that's just maybe about 10 lines long. So things to look at the IRC, if you want... This is still in development. If you want a copy of the source that I have right now, I don't have it on my website right now. But if you want, you can come up and see me. I'll give you a copy, I'll have it with me. But there's ways that you can go... I will have it on our website eventually though. There's ways you can go further. You could have two bots talk to each other. You could actually have two bots have the same grammar file and have actually conversations with each other and be talking about something relevant while they're actually sending maybe a third party some sort of encoded information. You can just add more to the grammar file, give it more options, possibilities to make it sound a little more real. And here are some of my resources. This is where you can go to look at that Java applet that I showed you at the beginning. So also you can learn about... Disappearing Cryptography at www.wayner.org. That's Peter Wayner's website. You should also check out SPAM Mimic, which takes the Mimic functions and actually you enter a message and it generates text that looks like a random SPAM message on the internet. So you could send that out. It's funny because somebody will read it and it doesn't really say anything.
But if you keep on reading it, eventually you get bored. But it doesn't seem like a computer is writing. It really does seem like it's something that you'd actually see as a SPAM message. This is the place to go to get the original Mimic functions, which are actually written in C. This is where you can go to get those. If you want the Java version, I do have... It is on the CD. Yeah, it is on the DEF CON CD. And Disappearing Cryptography, that's the book, there's a second edition out. IRC Mimic, it's not up yet. Another thing, I'm a member of the Tribal A Security Group and we'll actually be doing a talk tomorrow that you should check out on the box that we built called the Undetectable Packet Sniffer, which is where we took a packet sniffer and stuck it into a stock-looking uninterruptible power supply box. It's really neat, you should go check it out. And that's it. I don't know if I have any time left for questions, but that's it.
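The bit-hiding walk through a context-free grammar that the talk describes (1, 0, 1, 0 becoming "Barney went fishing in northern Minnesota"), as an added Python example that is not part of the talk and not Peter Wayner's Mimic code. It goes one step further than the walkthrough by also recovering the bits and by starting a new sentence when the grammar ends before the data does; the grammar is constructed, "Iowa" and "southern" are assumed alternatives, and all function names are hypothetical.

```python
# Constructed grammar modelled on the talk's Fred/Barney example; variables start
# with "*" as in Mimic grammar files. "Iowa" and "southern" are assumed fillers.
GRAMMAR = {
    "*start": [["*noun", "*verb"]],
    "*noun": [["Fred"], ["Barney"]],
    "*verb": [["went", "fishing", "*where"], ["went", "bowling", "*where"]],
    "*where": [["in", "*direction", "Iowa"], ["in", "*direction", "Minnesota"]],
    "*direction": [["northern"], ["southern"]],
}

def width(var):  # bits carried by one choice (option counts are powers of two)
    return len(GRAMMAR[var]).bit_length() - 1

def expand(sym, bits, out):  # leftmost expansion; each variable spends bits
    if not sym.startswith("*"):
        return out.append(sym)
    idx = 0
    for _ in range(width(sym)):
        idx = idx * 2 + (bits.pop(0) if bits else 0)  # pad with 0 when data runs out
    for s in GRAMMAR[sym][idx]:
        expand(s, bits, out)

def encode(bits):
    bits, out = list(bits), []
    while not out or bits:  # grammar ended but data remains: start another sentence
        expand("*start", bits, out)
    return " ".join(out)

def parse(sym, words, pos):  # -> (bits, next_pos) of the matching production, or None
    if not sym.startswith("*"):
        return ([], pos + 1) if words[pos:pos + 1] == [sym] else None
    for idx, prod in enumerate(GRAMMAR[sym]):
        bits, p = [(idx >> k) & 1 for k in reversed(range(width(sym)))], pos
        for s in prod:
            r = parse(s, words, p)
            if r is None:
                break  # this production does not fit the text, try the next one
            bits, p = bits + r[0], r[1]
        else:
            return bits, p

def decode(text):
    words, pos, bits = text.split(), 0, []
    while pos < len(words):
        r = parse("*start", words, pos)
        if r is None:
            raise ValueError("text was not produced by this grammar")
        bits, pos = bits + r[0], r[1]
    return bits
```

The decoder only works because each sentence has exactly one derivation, which is the unambiguity requirement from the talk; the recovered bit list can carry trailing zero padding, so the receiver needs the message length from elsewhere.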