Good afternoon, everyone. Welcome to the first full day of DEF CON. This is the fifth annual fail panel. Momentarily there will be waffles. If you have a waffle, we do request that you please flip off whoever that was right over there. Just under general principle. We are requesting donations. The funds will be split between the EFF and cancer research and we'll go into the cancer aspect later. That's a whole other set of fail that's not actually funny. I'm David Mortman. We have my illustrious panelists and our assistants on stage to make a hopeful afternoon of fun and merriment. The way this pretty much goes is we make fun of industry, we make fun of each other, we make fun of you. It's all for a good time. You about to say something, Rich? No. My personal fail right there. Okay. So I'm going to start off with the least funny part and then we'll get to the really funny stuff. And that is that, so at fail panel two, I made a big deal about the fact that there's way too much sexism in this industry and sadly that's not funny. And this year there's been a tremendous, tremendous amount of stupid sexism going on in this industry. I'm not going to name names for the most part because really that will be, but I'm going to make two exceptions because they're so recent. One is the lovely folks at RSA decided that really it was necessary to bring scantily clad booth babes to Black Hat. And frankly, I just have to take a quick survey. Who decides what, how to purchase their software? Do they base it on features, functionality, or the size of breasts? Breasts! Breasts! Fuck you. Man breast. A good D cup will get me to buy anything. We will get to that. So the other, the other special one, which I just have to thank Imperva for throwing out at the last minute, was they decided they were going to post a top ten list of pickup lines for Black Hat. And it's embarrassing on many levels including the fact that they're not even remotely funny and/or good or accurate.
It was best summed up by a friend who called this a top ten ways to never get laid at Black Hat. I actually thought that Imperva had got owned and this was like a gag, and I thought it was hilarious. They did get owned. Sadly it was by their own employee, thus proving that you do need to worry about the insider. So. What's the D in DLP for? Wait, first of all, are there children present? Are there any children? Are there people who act like children? Are there people under the age of 18? Dave's looking for a date. No, I'm just trying to make sure I don't have to cuddle with Rich later in the Las Vegas jail. He never cuddles. He never calls. I just wanted to be held. So we decided, Jack Daniel had the brilliant idea and we decided to support him in this. The way we have to do this right, if we're going to really be out here in the industry saying fuck you to women, we need to launch a new company. Misogyny Networks. Are you going to do it? You should be honest. Our ports are always in promiscuous mode. Hey, I don't know. They didn't give me one. He was last man standing. He's the interface that gets plumbed. How about gnome sizes? Oh yeah, we have no idea. All I know is Larry's wearing long sleeves. We wonder about that often with you. Who's next, by the way? Who is volunteering to follow up this illustrious move? Larry. Larry's next. Obviously you've never seen him naked. No. I can't forget about that. I can't forget about that. All right, please bear with me for one second here. I need power badly. Is this called foreshadowing? That was by Hanson. Fucking mime. You wouldn't remember that, Gilles, because that was before you were born. Okay, now we're good. We're good. There we go. Oh, beer. It's necessary for the presentation. All right. So welcome to fail panel five. Put that there. Don't spill it on my laptop. Okay. And ooh, the sound of waffles. All right, so V for Vendetta. All right, my name is Larry Pesce.
I'm a senior security consultant with NWN Corporation. Spent a long time in healthcare. Did a lot of penetration testing, all that type of stuff nowadays. Authored a couple of books with Syngress and the co-host of PaulDotCom Security Weekly. You don't care about that crap because, well, we're not here to talk about me. I was wearing earlier my Cancer Sucks t-shirt. Hey, Cancer Sucks, thank you very much. Not funny, but don't worry, we're not going to harsh your buzz. This year we lost a very close family friend to pancreatic cancer. And as you well know, we've lost a couple of other folks this year, most notably recently Sally Ride and Steve Jobs, whether you love them, hate them, whichever. But pancreatic cancer is a really big deal. And it's very underfunded from government for research. So go over to pancan.org and you can offer your support if that's what you're into. And no more downers. Let's go have some fun. All right, so I've spent the last two years in the trenches, doing penetration testing, vulnerability assessments, physical assessments, all sorts of good stuff. Definitely related to my interests. So I thought about what am I going to do for the fail panel? I haven't done any research. Where did I find the fail? Okay, so I remember this quote from Marcus Ranum. And you notice the little brackets around the quote. And basically the quote is summarized as: an industry, a security industry, we have everything we need to secure our systems. But we're just too damn lazy to do it. Okay? From Marcus Ranum. And well, the first fail is I can't find the goddamn quote anywhere. Have you heard of Google? Yes. And I don't even really know what the quote is. So that's why it's summarized in brackets. But Marcus Ranum has this thought that, yeah, we have everything we need in the industry to secure our systems. We're just too damn lazy to do it. And I thought, well, all right, yeah. So I go do pen testing and all this type of stuff and, well, spend two years.
And in two years, there's one customer that I haven't been able to break into. Okay? That's interesting. All right. So I'm going to challenge Marcus to a duel. Okay? Do we really have all we need or are we just really too lazy to do it? I'd argue maybe a little bit otherwise. And I'm going to show you some examples of some of the things that I've seen over the last couple of years that really make me question why. Okay. So fail number two. Challenging Marcus Ranum. Okay? Yeah, maybe not such a good idea. Okay, ultra super heavy fun ball does not meet expectations. Hopefully this panel will. So first we need to get in. Right? Okay. Fail. All right. So before we can start doing the task, we need to get into the facility. Don't drop the soap. Okay? So step one. Let's say this is the door to your office. Your corporate office, where you use the shared entrance for the multi-tenant facility with no guard at the elevator, and you come off the elevator and here's the front door to the office. For a bank. Corporate headquarters. That's a bank. That's a bank corporate headquarters. Yeah. Lots of glass on the front door. Lots of nice padlocks from Home Depot. Thank you very much. Lots of glass. There were no obvious cameras or alarms that I could see. So that one was really easy for us. By the way, these are all stuff from actual customers that I've been on in the last two years. Yeah, they don't know I'm telling you this stuff. But now if you can figure out who it is, it'll be a different story. If only it weren't being recorded. It's okay. I don't mention any names. Nice. So it's almost as bad as our security guard asleep here on the couch. And this one actually was not from the same bank. But it is also ironically from a bank. Okay. All right. So we all know about tailgating, right? You wait for someone by the door. They open it up and then you follow them in, right? Great. So we sit in the parking lot, doing a physical assessment, sit in the parking lot.
Do the, you know, observe folks' badges so we know what they look like. Spend about an hour, you know, looking at the door, observe patterns, you name it. And then we run into craft time because I don't have a badge. So I need to make one. So I sit in my truck with my Leatherman and a CCDC piece of paper that I flip over, and had stolen my daughter's box of 64 crayons earlier, and create a badge that looks really bad out of crayons. And paper. Enter craft time. Yes. So fail number four. This works really great for aerospace contractors. And I spent an hour in the facility with this badge after tailgating through the door. And the only reason I got caught after an hour is I had entered a restricted manufacturing area and I didn't have safety glasses on. So it turns out it even gets a little bit better because the first time I tried to tailgate someone in, I got denied. And I turned around and went back to my truck and waited another 20 minutes for someone else to come in. The first time I got denied, I was almost three hours from home. So it was a road trip for me for the day. And the first person I tried to tailgate recognized me. Turns out just down the street from our house, less than a two minute drive, there is a little greasy spoon family-owned restaurant where we go to breakfast every Sunday. And well, it's like four tables and well, I have a unique appearance and our daughter practically runs the place. She goes behind the counter and takes orders and she's four. So everybody recognizes her. And I show up and who do I freaking try to tailgate into this office? Some woman that also goes to the little greasy spoon three hours away every Sunday for breakfast. What luck. You know, I know that story is bullshit. They recognize you because you're wearing assless chaps, right? Well, yeah, of course. All right. So also with the same aerospace contractor, manufacturing, we had 130% success rate on a social engineering attack that we did. Yes.
I don't know if you can do math or not. I can. So yeah, you send them an email. Okay. Send them an email with a link to a website, say, hey, yeah, we have an audit that we've just performed. We need to increase our password complexity requirements. Standard text email. Here's a link. Go to this website, put in your username and password and we'll tell you whether you're going to need to change your password to meet the new password complexity requirements. 130% success rate, you say? Yes, they tried it more than once. So let's coin a new term now and call it enthusiastically phished. Yes. As Jaded would say, stop clicking shit. Premature fissuation. What's that? Premature fissuation. No, no, no, there was nothing premature about it. So in any case, the website that they go to is really bad. We steal their logo off of their website. And the HTML formatting is all like Web 0.5. About the only thing that's missing is the blink tag. It's really bad. And no matter. The blink tag is coming back in HTML5. I know. Good. I'm excited. So no matter what they put into the form, it says you're great. No problem. Thanks. And then we go use it for all sorts of other stuff. The site looks really bad. And I want to show you what it looked like. But I forgot to get it and it requires some set up. So fail. So instead, I'll offer you a consolation prize. So first up is this fine gentleman, Chris John Riley, in Colombia dancing with a woman. He's apparently a wingman. He looks just like that guy right there. Yeah, right there. So Chris John Riley is playing wingman to distract this very, very nice woman away from James Arlen, who has apparently decided to dance with what appears to be a very, well, young woman. All right. So I mean, James, it's Colombia. I mean, in defense. I think you have bigger boobs than her. I noticed that I still have the shirt on and somebody covered up out of modesty. So here's the thing.
They brought in these championship dancers to show us how to do this stuff. And they danced for about an hour on stage and then they started teaching us. You see what happens when you get a bunch of information security people and try to teach them how to dance? Fail. It did not turn out well. I would like to point out though, as one of the elders in that group and the not grabby type of human being, we ended up having to dance a whole hell of a lot because some of the other speakers that went to Colombia were all hands. Like this guy? Perhaps. All right. So moving right along. Great. So we're in. We've got access to the facility, right? So what happens from there? So normally when we start looking at assessments, we worry about shared use networking closets. And well, this is maybe not the shared use that we always see. Usually they're sharing network closets with the phone guys or some storage or power and all that type of stuff. And well, that's one of the things that we call out on some audits because we don't like to see that. However, on this one, we saw something very interesting. This is a shared use network closet that was shared with the pharmacy. And you'll notice on the right hand side, there's a set of metal shelves and there's some blue bins on the metal shelves. Yes. Atropine. Speaking of atropine, the default toppings on the waffles are going to be chocolate syrup, whipped cream, sprinkles, peanut butter, Reese's bits. And atropine. And/or syrup and/or strawberry, and we don't have any forks. Are you using these? I'm not quite sure why we would need them. You came to the right place for that. All right. So moving right along. Yes, absolutely drugs in the network closet. Awesome. Normally we worry about other stuff being in there and folks accessing that. No, we were concerned about the network folks accessing the drugs. You also note in the back, there's a dumbwaiter. There's more than one way in this room. One of them without a lock.
You have to be really small, however. Needless to say, I couldn't fit. Do you think we could get Rich in there? I think probably not. Have you ever seen an atropine overdose? Well, yeah. Well, all right, you have. Not yet. Not yet. The day's young. Don't try the waffles. No, I mean, it's okay. It's okay. All right, so I've always made some jokes about, well, we've got some other ways in, right? Well, you go and put wireless in your environment and well, wireless is like running Ethernet to the parking lot. Well, what happens when you really run Ethernet to the freaking parking lot? You win, of course. Look, here's the problem. We as security experts keep telling people over and over again, don't use wireless, it's insecure. And when somebody comes up with a solution that's not wireless, you pick on them. Yeah. So yes, there's definitely a need for running wire to your parking lot, Ethernet to your parking lot. For example, in this particular example, on the other one that I saw, you have radiology and CT trailers. This equipment is really expensive for hospitals to buy. So they rent or lease it. It comes in like a motor home. And they park this motor home at a loading dock. And of course, these images that you're taking with this stuff are really large. Each study is somewhere between one and seven gigs and doing that over wireless is a nightmare. So they either use a one or 10 gig wired connection to the trailer and power and all that stuff. So you've got to have wired Ethernet to your parking lot. But why do you need to patch them down when they're not in use? Okay. Problem. The first time we did this and found one of these boxes, it wasn't locked. The problem is, is that box was directly across the street from the police substation. So I'm sitting there trying to break into someone's network surrounded by cop cars. Needless to say, I was like prom night. Just like my prom night. Yes. Yes. But Dave, I was trying to break into your place.
I was trying to break into your box. So speaking of breaking into boxes, note that this Ethernet jack is placed inside of this uber secure nice high tensile strength plastic box. Well, we don't want to break our customer's stuff. You know, we probably could have dealt with this with a nice swift kick. Instead, we spent 60 minutes or more trying to pick the damn lock right by the employee entrance at lunchtime without badges. Looking very similar to this. We got a couple of interruptions, mostly on the line of, we used Jayson Street's ultimate social engineering when you're someplace you're not supposed to be. Hey, how you doing? Doing good, thanks. And they keep walking. Not a single question. Did anyone offer to help? No, no one offered to help. They felt that we were struggling enough, apparently. We never did get the lock open. It was a little rusty on the inside, had been exposed to the elements for quite some time. Do I really even need to say anything on that one? Fail. But it gets worse or better, because we didn't even need to open the lock because you just take the plastic pin out of the hinge. So wait a minute, you spent 60 minutes picking a lock. Fail. Fail. Yeah, we spent 60 minutes trying to pick the lock and then after about an hour realized you just pulled a pin out. It came right out. Leatherman, pull it right out. Done. And then you use the lock as the hinge. Yes, and the jacks were all punched down and you notice that there's some black bars on there. Yes, all the telephone numbers for the phone jacks were all labeled nicely and it even had the IDF and port number labeled on the outside of the box. So we knew right where it was going. Thank you very much. All right. So yeah, how about real wireless instead of the fake Ethernet kind? Yeah, we did some work for a facility, showed up at the facility, sat in their lobby at midnight, and cracked their WEP network in three minutes. Yes, WEP.
And so when confronted with it the next morning, when I showed up at the client's site to do the rest of the onsite work, said, hey, by the way, you might want to fix this. Oh, how do we do that? Well, let's go log into your single Cisco access point and I'll help you. Oh, but we only use this for executives when they have a meeting in the meeting room next door. Uptime: eight months, 28 days and six hours. That's a really long meeting. So turns out we changed it over to WPA2 pre-shared key, which was the best that they could do with the equipment that they had, and did it right then. They have one access point in this facility. It was WEP and we found it and we broke into it and now we're going to help them fix it the best way they can. And not five minutes goes by and one of the executives comes over with their iPad and said, I can't get on the internet anymore with my iPad. They don't support iPads. Yep, so, okay, the fail number eight, I guess, 7a. All right, so this one was lots of fun. Okay, fucking win on this one. All right, so SSH, doing some assessment for a customer, find that they have SSH available to the internet. We're able to determine that when you SSH to this box, you're actually SSHing through their firewall right to their core switch. Cool, right? Fucking win. Okay, so the problem is it's SSH password only, no certificates, all that good stuff. They actually used a halfway decent password. Okay, we tried some password brute forcing against it. It didn't work. So we finished looking at the port scan results and found that HTTP was open on the box, unauthenticated, and you would navigate to the IP forward slash level 15. And sure enough, you have level 15 web interface access to the box. Yes. Now you go and create a user, and now you've got SSH access. So we use that to set up a GRE tunnel from their internal core switch to a switch that we had in our office. And we turned the external pentest into an internal pentest in my jammies.
I didn't even need to get out of my pajamas. I know. So thank you internet, welcome Jack Daniel to public transportation, he'll be your guide. Okay. It's not really Jack, but I like to think it is. That's how I think of him in my dreams anyways. Alright, so the biggest fail of all, Anonymous. Boy, that got really quiet. Oh no, wait, I'm sorry. Anonymous FTP. Sorry, my bad. So we were doing some work with a Fortune 1000 company, discovered that they had an FTP server accessible from the internet. Sure enough, anonymous FTP. And they've got directory listing turned on and all that good stuff. So we start poking through and we get about three levels deep. And we find a backup directory. And then there's a bunch of stuff in the backup directory. And sure enough, they make a bunch of stuff. And in that, one of the backup directories for engineering included all of their intellectual property, all of their product formulary and all of the procedures on how to put the stuff together. Winning. So now wait, you're against backups now. Oh no, no, no, I like backups. So says your mother. Okay. Alright, so fail number nine. Alright. So MS08-067. When I see this, I don't even have to pop the box and I start my pwnage dance, right? Okay. So how many of you guys have a pwnage dance? So when you pop a box, you do a pwnage dance? Alright, I have a request. Stand up and let's see it. Come on, come on, I think there might be beer or waffles in it for you. Nice. Alright, so you've got your pwnage dance down, right? If you don't have one, you need to start practicing and find one, okay? Because it's the only way some of us schlubs get exercise. Okay. Yeah, so we go on an internal assessment and these folks have got about 475 internal hosts. And this is the result. Number two critical from Nessus is 122 hosts vulnerable to MS08-067. So 120 pwnage dances later. And if we start looking a little bit more at this, there's a whole bunch of other stuff.
470 out of 475 or so internal clients with MS12-020, the RDP vulnerability for blue screen of death. Yeah, they had a really bad day in the office. Okay, so fail number 11. MS03-039 was in that list. Yes, but I was already tired from already having to do it 120 times. Of course. But I'm tired after all that dancing. Alright, so fail number 11. Yeah, do we really have all the patches we need? Yeah, maybe not so much. Alright, so I'll conclude after seeing all this crap, and this is just some of the few examples that we've seen over the last couple years. I'm thoroughly convinced that this is what happens in most IT shops. Okay, and this is sort of an audio video one. So bear with me a second here. Do you think I've watched that a couple of times? By the way, this goes on for 10 minutes. Can you survive? Yeah, go to YouTube and search Afro Circus. And there's a 10 minute video of this. There's a loop for 12 hours. By the way, four and a half year olds are invincible to this. Mainer searches for Afro Circus, but for other reasons. Yes. Afro Circus. Afro Circus. I know, I know. Fail. In any case, I do hope I've finally been able to plant an earwig, so that I really hope you enjoy singing that for the rest of DEF CON 20. Afro Circus. Afro Circus. My daughter will be so happy. I did it. That's it? Yes. Very similar to the trouble shuffle. So yes, thank you very much. Hit you in the bushes if you have questions, comments, loads of fun. Enjoy some waffles and some beer. I will turn it over to the rest of the panel to have some fun and thank you very much. That just keeps going through my mind. I can't even think now. It's hypnotizing. The zebra doesn't have a penis. Where's the penis? Where's the penis at? Good Lord, back fat. I mean, I've got nothing to complain about, but this is unexpected. So here's my first fail. I actually run Windows most of the time on my MacBook. So I actually know how to make Mac OS show up. Yeah.
So as we're trying to raise money, I want you to think about one thing. How much would you pay to not get a lap dance from the girls of Misogyny Networks? I accidentally all the money. Apparently ball jokes are not popular here. It's interesting. I think there's only one qualified lap dancer on the stage at this point. More money if you were in lipstick. Okay. I was wondering why you look so good. He also has silky smooth hair. You kind of just want to pet him. If you squint, he looks like he has makeup on. Not like James over here with disease. You know, I hate to say it, but I actually feel kind of pretty right now. Okay, so it rubs the waffles on the skin. I'll do this. Rob Graham, everybody. He got his slide deck up. So by the way, I keep seeing this hot chick out of the corner of my eye with long hair and a pink shirt. And then I keep looking over and it's Jack. There's something wrong with peripheral vision. So my talk is about security terminology. We work in an industry where we think about security. And we use phrases like, well, I need to secure the system, or, like the Ranum quote is, we have the stuff to secure our systems. But we really don't. There's no such thing as perfect security. Even if you do everything the best, Ranum also has this other quote about the only perfectly secure computer is one where you cut the wires, and he shows these nice little scissors. And even then it's probably not secure enough. You need to turn it off. You need to bury it. And even then it's probably not secure enough. And so you need to like destroy it. So I think we're coming about this from the wrong way. And the way we should be talking about security is not to use that word. We should use the word fail. So that's what my talk is about, is thinking about this from the other point of view of fail. Thank God you're on a panel about fail. Yeah, thank God. Just so happens by luck that's what we're talking about today.
So we have terms like advanced persistent threat. Five second rule. So we should be talking about advanced persistent fail. Like we look at the RSA hack or the Google Aurora hacks and how did they happen? Well, phishing attacks, SQL injection, or fail. So here's how we look at security. We think that this is a picture from soccer and there's players out there who are standing in front hoping that their balls don't get hit. So they put their hands in front of the balls. And it's a good strategy and so forth and stuff. But this is how security really works. And the thing is both the attackers and the defenders are subjected to the same sort of chaos. Neither side really knows what's quite happening. When you do a pen test, you don't come in with a certain plan of saying I'm going to do X, Y and Z. You sort of say what's happening? Oh, I find Ethernet out to the parking lot. It's a chaotic sort of a response to a chaotic situation. So instead of talking about things like best practices, we need to think from the point of view of the fail industry. And that is avoid worst practices. Or we all know this word E-peen. It comes from gaming and so on. But from the fail perspective, we need to have the F-peen, the fail penis. Wait, what? Dave doesn't have a problem with that. Yeah, Dave's got a good example of that. Mine does nothing of the sort. And the fail penis is we're not measuring how big your security E-peen is. We're not measuring how well you do encryption. And this is kind of a funny thing, is that you talk to a corporation that's got a recent security breach, because of SQL injection or phishing or bad passwords or something. And they always have, their spokesmen come on and they always have the same description of, well, yeah, we might have SQL injection, but we have military grade encryption. As if somehow this makes up for their fail. And they could spend a billion dollars on security. But if you have SQL injection, you have fail.
And that's what happened, like, to the Sony breaches and the Anonymous breaches. These were kids out there having fun, attacking large corporations that in theory spent a lot on security, who just happened to have a very small E-penis. Wait, what are you saying? Or F-penis. You know E-peen, right? No, apparently I don't. Fail. Is that electronic penis? Electronic penis. So it comes from the gaming world, where you have gamers who are trying to show how impressive they are and how big they are. Or from the hacker world here at DEF CON, you go to any conversation and there's someone saying, Hey, I've got the best tool. We've got the best electronic skills. Yeah, I'm doing the Michael Jackson thing, you know? I do the moonwalk, but yeah, no, you don't want to see that. I can't believe you don't know what an E-penis is. Why would I know what an E-penis is? No. Yeah, there's a story. You know the law against you can't yell fire in a movie theater? I can't whip it out. There'd be like a drove of people stampeding each other for the exit. Apparently you also can't yell shooter in a movie theater. Too soon. So the F-peen, the fail penis, is you measure it the inverse, and that's what this equation is supposed to show right here, is you measure the inverse of the E-penis. E-penis is large. Your fail penis is very, very small. So when a large corporation gets hacked, the next time a military contractor gets hacked, the next time, okay. Take it off. Somebody I don't want to see walking on top of this. So there's a military contractor gets hacked, like a Lockheed Martin or whatever. We need to talk not about their security, but the size of their E-penis. Or the other, F-penis, sorry. So many penises, you can't keep them straight. So what you're saying, we really want to have a really small F-peen. No, no, no. You don't want, your small F-penis, you're fail. You want your, the size of your, you want, it's the inverse size. Remember, you paid $200 to sit in this room.
You know, I'm trying now. You know, where do you begin measuring the F-peen from? Is it from the balls or the taint? My balls, I mean, the spherical, fell. From the anus, of course. Or from the anus. Hey, Dave, you get to, Dave, you get to chug the first glass of maple syrup, by the way. Chug, chug, chug, chug, chug, chug. Are you sure this is maple syrup? This isn't some cream of a lahoff or something, right? There's not, like, one. It is dark and lovely, Dave. Well, I just don't want to chug it and have a picture of you jizzing in, like, in this cup on the screen. Yeah, I get it with sugar and salty at the same time. Is there no protector for the people in the front row? I can't swallow. I need some help up here. You've had a lot of practice. Come on. Dave, I hate it when it runs off your lip like that. I'm just trying to keep my F-peen big. Chew it. Come on. What I gotta say is if Hop did jizz that, he probably should see a doctor. I cannot tell what he's been eating by his flavor. Dave, you're not diabetic by any chance, are you? I think I am now. No. It's the last thing I need. Isn't that the ass from? So I figured out that I'm a bully. And one of the things I bully these days is the United Nations. Back in 2007, they had a big fail. Huge SQL vulnerabilities, SQL injection vulnerabilities on the website. And this is the home page. You see in the lower right where hackers have defaced their webpage. And so this was a spokesman saying, hey, we're definitely getting right on this. So I noticed a few days later that the SQL injection vulnerability hadn't been fixed. This was back in 2007. So I wrote a little blog post on it. It's a good example of SQL injection vulnerabilities. You want to help people understand the whole Bobby Tables sort of thing from XKCD. This is a good example. I'm gonna have to stop you there for a second. It's literally like there's a giant ball of rubber in my stomach now. Anything you hurl, you have to lick back up again.
You know, this looked funny in Super Troopers, but take it from me. Unhinging your jaw is never funny. So in 2009, two years later, I happened to be on the UN website. And so of course, as usual, when I'm typing in the URL, my finger slipped and I hit the quote key right before the return key. Purely by accident. I don't want to do it. It's just a common typing problem I have. So I noticed it has the same failure it had two years ago. So here are the screenshots from... So they were getting right on it, but at sort of UN speed, I think. At the speed of peace. But then it wasn't apartheid because then it'd still be broken. And the funny thing about this was... I trust them to run the internet. So the funny thing about this was it was two years to the day of my previous blog post. It just sort of just happened that way. I didn't actually plan that. But in 2010, I did plan about it. I said, okay, it's August. I need to go take a look at the UN again and see if they fixed the problem. And indeed they had. That URL no longer worked. My injection no longer worked. But they had a little print. Wait, does this mean your F-peen was big or small? I can't keep it straight. Well, I'm trying to laugh and say it's small. It's the inverse. That was the whole idea. The one over is your inverse of math jokes. DEF CON, really? Yeah, they don't work. So that's a fail. So in 2010, they fixed that URL, that SQL injection. But they had a print icon. So I hit print on that URL and then added, accidentally again, not on purpose, the quote character, and then got an SQL injection. So they fixed the one problem I blogged about, but they hadn't fixed really pretty much anything. So how long have you enjoyed being a cyber terrorist? Enjoy it all. Just work, work, work. So in 2011, I didn't get around to checking it out. But some hackers did for me. They ran, I don't know, something against the site. And they came up with a whole list of SQL injection problems.
So as it stands today, after five years, the UN have not fixed pretty much anything. They're still vulnerable to SQL injection. If you want to go have fun and deface a popular website or a well-known website, great little target for you. Not that I'm recommending it, but sometimes our fingers do slip when typing in URLs. By the way, a quick announcement. So we are taking donations for our two charities, for cancer and for the EFF here. There's a couple of cases of beer down there. There's no relation between the two. But I would just like to express that we are taking donations here for our two wonderful charities and that there's some beer over there. And well, anyway, that's just kind of cool. Under no circumstance would we ever sell you any beer. This brings up a funny thing. Selling beer in a casino is illegal. But we're taking donations here. There's a couple of cases of beer down somewhere in the room. Poorly protected. Whatever. Yeah, so. This brings up an interesting thing I found about Rich's family. I was on genealogy.com for some reason looking up Rich Mogull. It turns out his grandfather was a bootlegger. I don't know if you saw that on there, but yeah, I actually have Jewish mafia connections. For real. You got to remember, fellow peeps, Canada saved you from prohibition. You're welcome. Flame Canada. So the funny thing about the UN story is the persistence of this fail. After five years, they still fail. And that's why we need to use terms like APT or APF, because that's true of injection. How long has that been the number one attack on the internet? How long has phishing been number two on the internet? These things are extraordinarily persistent. So last year around March, there was another interesting fail. This was the number two registrar on the internet, the number two certificate authority. And they had a fun little fail where bogus certificates were issued in their name. And this is the certificate. 
Of course, none of us can read it because we don't read Base64, but that's the certificate. Maybe you don't. You know, if you were to get up here and you want to just read it off for us and translate. It says. So here's the quote from the CEO of Comodo. Who by the way, at RSA Conference earlier this year, won the award for the entrepreneur of the year for 2011 when he got hacked. This was his quote. He said, this was extremely sophisticated and critically executed. It was very well orchestrated and a very clinical attack. All the above lead us to one conclusion. And one obvious conclusion that only an idiot would disagree with. And that is this was a state driven attack. And some security experts got on board and agreed with them that this was not a random hacker. So I exchanged emails with the hacker back and forth. I tracked down, there's a comment on our blog and he used a handle and then I tracked it down to a Twitter handle that had just been created and found out all visible contact information. So what you're saying is one of the guys in your midget porn chat room hacked Comodo. Is that what this boy was down to? David, remember, you're the one who turned me on to it. So the guy and the only person in there is Rich Mogull. I got two kids to put through college, man. Don't fuck with me. So the guy said he's just a student. He's in computer engineering. He has no relationship to the government or the various oppressive apparatuses in Iran like the Basij. He's just like any other student just hacking. So I asked him, well, how did you do it? What advanced state funded techniques did he use? And he said, well, it's just SQL injection, privilege escalation, getting a little shell prompt, getting a remote desktop with RDP, investigating things, running strings on binaries and that's reverse engineering and finding the passwords and then getting the certificate generated. So how did we all know that this was from Iran? 
Well, Comodo has logs and it shows a bunch of Iranian IP addresses and it actually turned out to be true. I talked to the hacker and he said, yeah, he made a mistake in trying to anonymize his connection. Normally, most of his traffic did come through anonymous proxies, but he occasionally made a mistake and some of his IP addresses came from Iran. So Moxie Marlinspike last year at Black Hat gave a really cool talk where one of the many things he addressed was the Comodo hack and how he tracked down in his log files on his servers the Referer field from this guy and found out this guy had been browsing his website. And what the guy had browsed, coming to Moxie Marlinspike's website from, was the Hak5 website, which is for people getting introduced to hacking. They actually got a lot of good content, but he came from a video on how to use sslstrip. And then he would look for the incoming search terms from Google. That's an SSL protocol man-in-the-middle how-to. So this is what these experts are calling not a random hacker, must be state funded. It's a guy who comes from Hak5 wanting to know how to use sslstrip. Rob, if you hacked Comodo, you didn't do it by yourself. You didn't wake up one day and just hack Comodo. There was probably a teacher or a president or something that helped you do it along the way. Yeah, they built the roads for me. Fucking Republicans. So what? Wait, you're fucking Republicans now? Now you will do anything to put those kids through college. And what a noble cause that is too. So not all experts were on board saying this must be a state sponsored attack. So in this case, there's a quote from a guy who has said every breach is sophisticated just like everyone is special, which I thought was a really good quote. So what these people imagine is, I don't know, something like this. You've got soldiers in a room with computers, executing cyber attacks and cyber warfare. 
Aiming their cyber warfare at the enemy and launching them. You have these intercontinental ballistic viruses that then hit them and blow them up. Not a problem. I'm pretty sure that's what most of the internet's about. When I met my wife on IRC back in the 90s, there was cyber and it's nothing at all like what General Alexander wants us to do. That's what you think. It does seem kind of weird that the NSA has gone to a whole cyber sets kind of thing. So this is where the cyber warfare really happens. This is Kevin Smith from Die Hard 4. It's a guy in his basement. Speaking of fail, Die Hard 4 fits that quite well. That was the greatest movie ever. Every round in all the gas in the northeast to blow up one pumping station. Are you saying that can't happen? Come on. We have experts that can confirm that. So what Dave and I do a lot is, I guess you call them APT pentests. And it's not because of the advanced persistent threat. Well, we are pretty good. But it's about the fail. The fail is so great that it makes the pentests so good. And the thing we like most is Active Directory. Active Directory, if you describe it to someone like your mother who doesn't speak computerese. Or your father or your grandfather, depending on how old you are and how old they are. Active Directory is putting all your eggs in one basket and then just dropping the basket arbitrarily. And so we have this site. It's a Fortune 500 company. And they have tens of thousands of employees, computers out the yin-yang. Everything going through Active Directory with multiple domains, all trusting up to one root domain that's got one ring to unify them all. And so they, every year they hire a different company to do a pentest on the idea that, which is actually a pretty good idea, they get some diversity from the point of view of pentests. And the last two pentests, the last two years, had gone well in that the pentesters didn't really find much. 
And so we came in and there's really no better way of describing this other than we raped them. And so did you yell surprise first? And so when you think of SQL injection, you think normally of like going against their main server, their main website. And we just used Maltego and found a lot of subsidiary websites that were only casually related to their main website. And I think the one we found, I'm kind of hazy on the details, is one for the retirees union. And so it was in their Active Directory domain. But yet it was sort of outside their normal IT control because no one in IT really cared about what happened with their retirees. So of course, you had then a typical story, SQL injection, yada, yada, yada, we now own Active Directory and then own everything in the corporation. And owning Active Directory means you own everything. It means you own all the payroll systems. You can create new employees. You own all the banking systems. You own the systems that the lawyers use. And by the way, this is the thing that they got the most tweaked out about, is that if we touch any computer that the lawyers use, that means we now have changed evidence. That now means we can get suspended in any lawsuits they have with other companies. So they sort of panicked and behaved poorly. And so we were doing this on site, out to the internet and back in again. But they came by with security and escorted Dave from the building. That's not, that's not like a rare thing though. Well, we often don't complete our pen test because we get too many results. But so and then the next day, though, they escorted him back on, because he was there on site in the hotel room because this was out of town, escorted him back on site and made him read a book, being that they realized that having him with all that control off site, out of, you know, not watching him, was worse than having him on site. I ate a lot of chili for lunch every day. Pretty bad to be on site too. 
So then much of the pen test was then spent with Dave just sitting on site reading the book. Not even, not even a Kindle because that's a computer, reading a book. No. 50 Shades of Grey. So, so that was one way. So they said, okay, well, let's not do any more SQL injection. We know it's a problem. Let's just continue with the pen test with doing other techniques. So we went and we took a flash game. And there's all sorts of great examples. See, you grab any flash game and change the art. And so you change the art, like here's this punch the monkey, is a common well-known game. You change the art so it's the logo of your competitor. Well, their competitor. And then you change the logo on a flash drive as your own logo. So one might be Lockheed Martin, if that's your enemy, and the other one is Boeing, for example. And so, and then you leave this around in the parking lot and then people pick them up and they've got the corporate logo on them so they think, hey, that's a good thing. It's trustworthy. I'll stick them in the USB drive. So I get most of my dates. They then see this game. They load it up and they run it and they have fun punching the logo of the opposing company. And then they email them around and we did stats. We had, when they ran the program of course, we trojaned this little flash game and we had stats figuring out where it came from. And it would be employees. It wasn't the USB drives being the most common source. It was employees emailing it to each other, including to the VPs and the CEO. Who by the way, approved this test yet played the game anyway. Yes. And this was a super secret test like only like five people in the company knew that we were doing it. And those five, well four of those five people played the game. And then later on went, oh, we didn't realize it was this thing. But it came from an internal email server. I knew I could trust it. So then the yada, yada, yada own Active Directory, you know, cut our own checks. 
Why do you yada, yada, yada over the best part? So another thing they had, they had laptops from Dell with full disk encryption on them. And they had FireWire on them. So of course there's a well-known FireWire DMA exploit. And it does some other bad things. Every laptop, even the users did not have root of their own laptops. They didn't have administrator access. But they had the administrator password on every one of those devices that also worked on the Active Directory domain controllers. So we FireWire, DMA, blah, blah, blah, and very, very short yada, yada, you have Active Directory again. It wasn't too short, if you know what I mean. That's a Seinfeld reference for all you young people who don't get it. So here's the fun exploit. So again, you had the Conficker exploit, which us pen testers really, really like because there's a lot of it open. Their past pen tests had not worked, even though they had the Conficker exploit vulnerable on a lot of machines and a lot of machines. The last pen testers couldn't exploit it. That's because the well-known exploits didn't work. So Dave Desi grabbed a virtual machine, installed the same image they had running on machines. He ran the exploit, ran WinDbg, found out why the exploit didn't work. It was just a small offset problem. So he added 12 to the offset and then the exploit worked. And then of course yada, yada, yada on the Active Directory domain. And I point this out because there's so much out there that the difference between active APT and just your normal kids just requires someone willing to go through one extra little step. It requires, in this case, the skills of actually, I guess some reverse engineering skills, which Dave is very famous for, as well as just knowing how exploits work. And so anyway, so that was yada, yada, yada on the Active Directory. So that's my talk on fail. And my point again is if there's no such thing as security, there's really just only fail. Dave, you're going last. 
There's a reason Dave's going last. He has a ridiculously cool awesome thing to show. And I'm embarrassed to be on the same stage. And he's even going to leave his pants on. Can I borrow somebody's Mac adapter? I'll find it in the room. Go ahead and plug this in. So while we're waiting for Rich to plug up, why don't we all ask Rich to get naked again this year? Because he's been naked for what, three years in a row now? It's not naked. All right, who wants to see Rich drop his pants? Say rock the house. There we go. I've been working out and for the safety of the audience, I will have to keep my pants on because we're worried about a stampede. This is spectacular. Well, don't be a don't be a coward all day, boy. Take the shot. Drop the pants. Come on, pants dropping. Marky Mark. If we can get $100 in the next 30 seconds in this bin. Wait, wait, wait. No, put it got to put it next to it. 20, 40, 60, 80. Ah, shit. Ladies and gentlemen, I give you Rich Python. For the record, I believe I'm the only individual on the face of the planet who has taken their pants off at both RSA and DEF CON. We would like to thank Rich Mogull for removing his trousers in support of Hacking Cancer Research and the EFF. Is that a banana in your hammock? Are you just happy to see us? Admittedly, you can see more when I wear my cycling shorts on a ride, but whatever. That's literally called the management consulting post. I remember one time on a stage. He couldn't get it in. Yeah, it was at the fail panel and it was Larry putting money in my pants. You know what? I think that he knew he was going to take his pants off today and he wore cool underwear. I may have done that. Wait a minute. You're not wearing cool underwear? Just to be safe. They're breezy. You wear the same underwear every day. Too much information. I swim with them on. That's good enough. All right. So this year I decided to go a little old tech. So before I got involved in information security, oh, my name's Rich Mogull. 
My background was actually in physical security. So I used to run security at concerts, football games, those sorts of things. When I was like crazy young and absolutely shouldn't have been responsible for or shouldn't have had that level of, now they're just bringing money up still. I must have been that good. Yeah. And I spent a lot of time traveling. And one of the things that really pisses me off is for some reason I cannot bring this item on an airplane. Who's got one of these things? The little Utili-Key. You put it on your key chain. You bring it on. A friend of mine who's actually in the military was bitching about this because she carries guns a lot and like war zones and everything else and was in uniform. And no, she wasn't one of those cases where she had like her M4 with her. She was just in uniform walking through and couldn't carry this little thing on a domestic flight. And so it got me thinking, well, if they're going after these things, what can we do about it? So fairly soon after these new rules were implemented, I found a way around that. Now, has anybody ever taken your bag and opened it up and it's all metal in the back? So all I did was tape it onto the metal and that was fine. And I went through airport security and never had a problem with it until it fell off. Rich, in theory, right? I mean, you're not trying to circumvent TSA security or anything. It's only illegal if you get caught. So you're saying that there's a statute of limitations? What, seven years? This was like 10 years ago. So are you saying that you would sell beer in a casino as long as you don't get caught? I'm not selling beer in a casino. There's beer in a casino and a thing. Yeah, I'm stripping in a casino for money. There's a difference. Anyway, apparently the tape wore off and it fell down into the bag and they pulled it off and that was the end of that. And I bought more and then they caught the next one on my key chain after a few trips. And that was the end of that. 
And then I was on a trip and let me grab my props. So here's my multi tool. It's got, you know, all sorts of blades and stuff on it. And I had accidentally left it in my bag. I went through security at four different airports before I realized this thing had just been sitting in my bag. And I thought about it. So I took it out and then I went to the security guy at the airport and I said, Hey, I just want you to know I've been through here about four or five times in the past month. And my, my multi tool with knife blades on it was in my bag by accident. I totally didn't mean to do it. But you know, maybe you want to do a little training or something else. He goes, Well, what was it? I go, you know, multi tool, one of those Gerber things. And he goes, Oh, those are really hard. And okay, that instilled me with a lot of confidence. Well, he's accurate. It is hard. Did he say, did he say it's really hard? Or did he say it's really hard? It's like, it's like it shows up as a brick of metal. And I'm like, well, fuck. For Christ's sake. So I thought, huh, well, what else could we do? And that's where I came up with the idea for DEF CON this year, because I didn't have a lot of time to do any coding or anything along those lines. And so I took a different point of view. And I thought maybe if I get a little creative, I could sneak some other things into a bag. Is this going to end with you taking a young girl to like Guatemala? I told you it's not it's not RSA. So I went ahead and I cut a little metal and did a little work. And here's the reason why. How many of you have bags, you know, kind of like this. This is a normal travel bag. It's an Eagle Creek. And when I look inside, well, it's kind of cool. So there's the picture of the bag. And one of the things in the bag is it's got this space for the supports. And conveniently, there's Velcro on there. So you can get those out if you want to turn it into a completely soft bag instead of a semi rigid bag. 
It's one of the things that converts into a backpack. So just just so we know, how long does it take you to go from semi rigid to soft? It depends on if you're in the room. It's hard. So here's the actual real strut. It's a little bit curved. It's made out of aluminum. Insert Bill Clinton joke here. And I thought, well, you know, hey, I did my little thing with the utility. So what would happen if I taped this onto the back? Could I get this through security? And then I went ahead and I did those modifications I was talking about. Oops. And it's totally slipped in. Quick, get it before it's more than the tip. And I made some modifications to it. And put a bit of an edge on it, put a little edge on the tip. My wife was annoyed. She said, no, no, you got to make it look like a real sword. So I went ahead and I made a hilt. Do you hear that a lot there, Rich? And so I went and made a nice hilt out of a non radiation noticeable, radiopaque material. And now I have a fucking sword in my bag. I like how it's size appropriate for you too. I think I need to donate for Dave's comment because that was really funny. What? How much did I sharpen it? Yeah, not enough. Now, oops, next part of the story is as it turns out, I went on Twitter and I said, Hey, does anybody have an x-ray machine I can borrow? And I got a couple of responses on Twitter. Yeah, reasonable. But it also turns out that a friend of mine is captain of a sheriff's department in a state not to be identified and has access to actually one of the high quality machines because he's in charge of the jail as part of his duties. So I went ahead and I said, Hey, what sorts of modifications can I do and get it through airport security x-rays, because I got all my shit through back then. But that was like 10 years ago. So this is kind of interesting. It turns out they have really fucking good x-ray machines. So let's take a look at what they've got here. 
You can clearly see this metal bar with the knife tape to it. You can see the back of the knife. You can clearly see all the other metal bars and you can even see the individual blades on the multi tool. And he decided to use this as a training exercise. He went ahead and ran it at a bunch of different wavelengths. And I've never seen these kinds of images before. So this is really interesting to me. Because how often do you get to run a bunch of weapons through the screening at an airport and get to go home and just once? Only once? Just once. And you don't get to take pictures of the screen. You can see other thing. Anybody notice the other little thing hiding in there? There's no screwdrivers. So those are whatever knife blades. There's also one of these nylon knives. You can see on there. So supposedly I thought, Hey, that'll get through no problem at all. And it's clear as fucking day. As they dig in, they did a little zoom action. You can literally, by the way, this is steel, not aluminum. Like the aluminum bar that comes with it. So you can even tell the difference. The aluminum bar barely shows up on the X-ray. And the steel bar itself, you can still see through it and see the knife blades underneath it. Yeah. So I thought I was going to get all this shit through. And he said, Well, our one junior guy barely saw the hilt of the sword, but pretty much everything else. Yeah. And as we go here, take a look at the multi-tool on the side. I don't have a laser pointer or anything, but you can see that it actually breaks down. You can see the, you know, the little plier blades and everything else within inside of that. You can see the nylon knife I put in there. You can kind of see the outline of the sword hilt in there. Pretty much everything shows up. And at the different wavelengths, you can actually go through and see, you know, a little more clearly or less clearly. 
So when you see him hit that button and it changes the color, I thought it was changing the colors. And what they're actually doing with the X-ray machines is they're changing the wavelengths so that they can actually go through and they can see a little bit more of what's inside there. And then he went ahead. Rich, can I interrupt you for a second? Of what you're going to. How did you get to Vegas? I flew. So how are you planning on getting home? Can I borrow your car? Yes. Yeah. Checked baggage. Actually, I made one of my partners fly with us. Hey, Rich, did you learn about other techniques that prisoners use to smuggle? You can use those instead. Yeah. We're going to get there. I'm only part way through this presentation. Is there a live demo? There will be a live demo. It's getting a little thin up there. Can I help you with that? It's getting a little thin somewhere else if you want to help out. Literally, Rich Mogull just elicited Jack for Worldset. In case anybody missed that, that's exactly what just happened. I'm married, man. Come on. So, joke. No, won't be married for long. Anyway, you can see all the images pop through with the different colors. When they do this weird black and white thing, you can see it all. So I thought that was pretty fascinating that they can actually pretty much detect anything you can put up. Even the nylon thing really stands out. Now, the fail part of this is if I did look on eBay and you can buy one of these things for about $20,000. Usually it's a used one from a courthouse or a hospital. So if you want to go ahead and buy your own machine and see how you can stack things to go ahead and get it through airport security, you could do that. And I'm pretty sure if you spent more than 10 minutes working on your project, you'd probably be able to come up with those sorts of things. But on the other hand, I got to give them credit. That stuff's not too bad. 
Now, the part of this is I have a fucking sword, and we're at DEF CON, and we're on stage. So I thought it might make a nice demonstration to show how sharp this thing is. Because one thing is these struts, if I had sharpened the aluminum edge versus putting my own steel bars in, they wouldn't detect that. If you actually go ahead and look at the images, it's not like you can tell what the edge is on this thing. You just know that there is metal in the bag. So... Are we in the Gallagher show now? Does anybody know who Gallagher is? I think the plastic is to keep the blood off the podium. We have a sword, we have plastic, we have a grapefruit. Who's got cash? Anyone? Come on! This is your chance to demonstrate your ninja skills on stage at DEF CON. Martin, we'll sit next to it. Fruit Ninja! Fruit Ninja! We're not talking about David. Hey, Rich, why don't you just get naked again? That seemed to be a crowd-pleaser. No one? Come on up! It's all yours. Wait, is he coming for the sword or for you being naked? Yeah, it sounds like, is that blade going to come flying out and spear me in the eye? There's a pin. There's always a splash zone at the fail panel. We have a $50 donation. That is going above me on. What's your name? What? Dexter? No, seriously, you have fucking Dexter plastic and a sword? You can't plan that shit. Only... This may be the most perfect moment in DEF CON history. Dexter, I present to you the sword. The gnome sword. This means you're the king of all the gnome people now. Shit, it worked! Yeah, go for it! Side to side, side to side, there you go. Grapefruit! Thank you. Anybody want to buy this and take it home? Because I don't... I don't know why. Hey, Rich, how are you doing? Do you think you can hide that in your anal cavity? We're getting to that. Presentation ain't over yet. Don't jump the gun, man. I was looking up things and I thought... I'm always premature. I saw this article one day that the TSA took away Play-Doh. 
What does Play-Doh potentially look like on X-ray machines? Semen. Does not look like the staff of a submarine, Dave. So, you apparently... I did a little bit of research. We're not allowed to bring more than three ounces of fluid or gels on board an aircraft. A little looking around, browsing the web, which might mean they're going to be knocking on my door for terms like explosives, airplane quantity, revealed that... What the hell, it's common. Aren't you glad that you don't have anyone looking at your browser history? Yeah. Shit, did you hack me again? I think it was around four ounces of plastic explosives put on the right part of an airplane would go ahead and do that. So, you know, we have the full body scanners that are supposed to prevent our ability to get those on there. So, this is Larry Pesce. And... Fear six. Not enough fear six. Yeah, so we've got a picture of Larry there. Where'd my dick go? I thought we would put this to the test. So we did a couple of things. Good Lord. He's getting our saran wrap. And we have Play-Doh. Who's got an ass? This is for science, people! No, no, no. Jayden, come on up. No, he is an ass. Okay, the guy wearing the knit mankini doesn't want to have saran wrap wrapped around his ass and the Play-Doh shoved in. This is an external experiment. Yeah. If you want to see the internal, go to Hacker Pimps later tonight. Hey, Rich? Yeah? Don't click shit. Okay, so... So what, you just sit around all day at home thinking this shit up? What are you thinking out of us does? I get bored. Okay, off with the bra. We're going to put it under your boobs. We don't want to get hair in it. All right. How many ounces do we think this is? Okay. So, Rich, you seem to... You say you don't want hair in it as if you've had some good experience with this. With the hair in it. Small e-peen or big one? I think we're going to have to go for the ass. The chest isn't working. You have no idea how often you hear that in horror movies. Or my nightmares. 
All right, I think this one's not going to work. Nobody's going to donate their ass to science. Why don't you put it on your ass, Rich? Gillis! You're all creationists. Gillis! Are you making a phallic symbol out of... That's not an ass. Yeah. All right, what's up? Go behind the podium. Do we have some sort of... Do we have some sort of counter for the number of people who drop trou in the fail panel? We're going to need more saran wrap. Gillis, I love you and all, but I'm not going to sleep tonight. Oh. I'm realizing it's not going to stay. If you'd like to take it to the bathroom, though, hey, there you go. All right. Mr. Mogull just sent a young man off to the bathroom. If you rolled that up the right way... He's on the run, and I'm not going... He's a little too excited for that. And I'm wondering if he's going to come back. All right, who's got a stopwatch? Do you really want the Play-Doh back, Rich? Apparently you can roll it up the right way, stick it down the front, and look manly. What did that mean? So, like Mythbusters, I thought, what else could I do to take it over the top? And I thought, what are the odds I could get a rocket launcher on an airplane? Maybe not that. Are you, Rich, in fact, a member of the NRA? No, I gave up. They got all nutty on me. And I'm a liberal. So what I realized is if you look at a model rocket, it is made of no metallic materials. So you have a cardboard tube. You have now plastic or balsa wood fins, which can be removed and just stacked together so they don't actually look like rocket fins. They just slide right off, depending on which models you buy. And so it just looks like kind of a weird shaped thing. What? Incoming, incoming, incoming. What do we got? Come on up, how much did you get in there? I mean, on there. Two baggy, shit! Time to make the waffles! Rob, do you have any more gloves? Martin, give me two of those. It's too late for gloves, Rich. You're infected. 
I still have to pee later, and I might not have a chance to wash my hands first. How's your e-peen doing there, Rich? So let me just recap this panel so far. We've had a bunch of overweight people in strappy T-shirts. We had a guy talk for 20 minutes about penises. We found out it's not good to run Ethernet out to the parking lot. And we had a gnome with a sword pick up some ass Play-Doh. And these people all paid $200 cash at the door to see it. I call that the aristocrats. Yeah. So no metallic parts, the propellants and everything else are the sorts of things that you could... I didn't have enough time to go into all the details, but you could very likely get through. And model rockets, if you pack them with gunpowder, do things like explode. I'd like you to go home without an anal exam that you didn't intend. So we took that. We actually got a whole launch system with no metal parts in it. We went ahead and we placed, put a gunpowder payload in there and decided to go ahead and launch it out of our bag. I live in Arizona, so that's not only legal but encouraged, especially if you point it south. And here's the one where it blows up. So the problem is we launched into the sun, but you get to see a little bit there. The rocket exploded, it completely obliterated all the pieces. Now this, look guys, this isn't exactly realistic, but I like to blow shit up and thought it would be fun. And there's another last view of the rocket launching and you can kind of see the puff up at the top where the payload goes. Tell us more about your payload there. When I mentioned that I was doing some project with explosives, Nikita, who runs... This is the only, one of the only two paid staff members of DEF CON who runs all the speaker stuff said, seriously, no fucking pyrotechnics on stage at DEF CON. I already told one speaker, no. I will give you a dollar. If you put that up your ass and hit the button, do you, Rich Mogull, have hemorrhoids right now? 
Okay, you got to put the safety pin in. Three, two, one. You know, this panel is so bad for a minute there, I really thought you were going to set off a rocket. I was a little excited, a little trembling. Yeah, so that's it for the slides, folks. Thank you. It's coming, Rich. So, I don't know who's next, but I have to wash my hands. Rich, it doesn't matter how hard you scrub, the feeling won't come off. I'm using the gloves to close your laptop and remove it. You touched it. I don't know who that is. The way this is going, I'm just leaving gloves up here on the podium. I would like to point out just for one moment that as much as my compatriots up here on stage take this Misogyny Network stuff seriously, I am the only one wearing a skirt. And a thong. The more money you put in this bowl and or the waistband of my kilt. Oh, crap. The better you will be doing for the world and for our environment. I promise to keep some of my clothes on. There's not room. You know what? That's something in my favor, I think. All right. Whoa, we can feed HD to the monitors here? Cool. I did not plan for that. That's not right. Why are you booing me? What have I done to harm you? That's wrong. Anybody know how to fix that? Yeah, it's the, that I have to find the monitor panel there. Was anybody else going to chug syrup or was that just me? Just me. Yeah, it's dead now. I didn't realize it was an option. You know, every now and then, I did, actually. So I'm going to reboot my computer in the meantime. Eyes are burning. You guys should know better than to suggest things. I might actually do them. I'm just going to prepare for my talk silently. So you guys know that we're collecting donations here for a couple of good charities. Can anybody name the charities? Yeah, none of you can get the stuff in the same order so that what you hear is that there's four charities. 
I was going to talk about this for a bit during the time when I'm actually supposed to be talking so I'll talk about it now instead. So that cancer thing really sucks, huh? Has anybody not had someone contract cancer in their lives? Why the frack did that just reboot? Oh, sorry. Has anybody been untouched by cancer in their lives? Yeah. We have one hand? Wait, where? You. You are a lucky, lucky man, sir. The rest of us? Not so much. We're out of time. We have to get Dave on as well. Does your computer work, Dave? Yeah. Dave, you're up. We're going to search for Dave for a second. This is what happens when I get close to him. So I love following the cancer speech. Everything I say now just seems douchey. And I'm going to blame it on that because it wouldn't have sounded douchey before. So I have attention deficit disorder. Really? Really? Yes, it's a horrible thing. I sometimes will start a sentence and forget what... So Dave, how many guys with adults with adult ADD does it take to change the light bulb? Hey, let's go ride bikes. Okay. If he takes longer than me, then you know it's definitely not my fault. All right, so the point is I have attention deficit disorder and I drink a lot. So I'm a perfect wife or a husband for somebody. Apparently I can be a wife, too. All right, whatever. I don't have one of those great slides to tell you who I am. I'm going to work on that for next year. So I am easily amused. So I was at one of my favorite bars one day and I saw this. Everybody's seen this. It's like a Windows error display on something where you don't think it runs Windows. It turns out this was a jukebox. And I walked by and I went, well, hey, that's pretty cool. My jukebox runs Windows. That's pretty neat. What else does it do, right? Oh my God. I can play songs on the jukebox from my phone. Yes, yes, you can. It's called Bar Link. That sure was neat, back to my beer. Rook was a woman with an assault weapon and me in a bar. Wait a minute.
And this is actually in real time how it happened. Wait a minute. That sure does seem like a lot of work they did to make it able to play music from a phone in this one bar. I wonder how many other bars or locations. How does song submission work? HTTP. Begone, evil temptress with beer and guns. There's hacking to do. I'd like to say I actually said that. So I jailbroke an iPhone. I cracked the app. If you've seen any of my other talks, this is easy. If you haven't, just imagine in your head I'm doing something magical and wizardry-like right now. Like leaving it in a cab? Yes. I disassembled the app and I started sniffing it. God. Sure enough, this application that will queue music on a jukebox goes over the network. It goes to a very specific place over HTTPS. And it uses a method called login in the application initially. But what it really wants you to do is tie your location and it will find jukeboxes around you and say, hey, you can play at this jukebox because you're within 150 meters of it. So I then looked for a couple of more strings that actually helped the application use the iOS interface to find out how far you are away from everything. I found out very quickly that I could make it so that I was within 100 meters of every jukebox in the network. So I have an iPod right here. That was step three. Step one, I was going to collect underpants. Step two, hack all the jukeboxes. That's what was left out of software. So this is actually a screenshot earlier of this iPod up in my room. You can see I'm here in Vegas, right? But the application thinks I'm in Atlanta. I could, but why would you do that? When you can play at MMMBop places. We got step two covered for you. Is there a new Assurance underwear for men? You may have seen the commercial. This is for you. I have seen the commercial. Put them on. Let me call somebody real quick. So we're going to basically, yes. So this application basically lets you play music on any of their jukeboxes.
It authenticates you and then when you request a song to be played, you have to specify a location ID. There's nothing stopping you once you've authenticated from just submitting the song ID and every location ID. So I thought it would be really funny to make Hanson popular again. So what I'm doing right now is actually playing Hanson on every jukebox in their network. I'm going to need you to quiet down for a second because we're going to call a bar and ask them why they're playing Hanson. This is why we wanted Dave to go last, is because we all suck. I can, but that just doesn't seem very original anymore. Alright, hold on one second. You're on AT&T, aren't you? Why are you guys playing Hanson? Why are you playing Hanson? Thank you. So I do this quite frequently. I have a cron job schedule. I have a cron job schedule to pick a day of the week or pick an hour of the day in a minute and randomly play Hanson. I then found out that the statistics that they're using those jukeboxes actually affect things. People look at it and see what's popular now. So my goal for next year is to have Hanson as the number one selling artist in the United States again. Oh, one more thing. If you look at this app really closely, it allows you to upload your own songs. Dave, where can we get a copy of this application? The Mac App Store. You can get it at the App Store, actually. AMI's Bar Link. The unhacked one is? I made it turn blue. You're pregnant. How appropriate for Misogyny Networks? I sure hope you're not asking for any maternity time off. There's room for more money in the bucket. Absolutely. More money in the bucket. There's still room. Is Marsha from the EFF or anyone else from the EFF in the room, please? Bueller. Bullpucky. I'd like to point out I'm sober. So I'd like to encourage everybody, Jamie, when he finishes getting his slides on, if it's before 7 p.m. or 8 p.m. this evening, that's Hacker Pyramid.
Number of people on the stage and number of people in the audience will be on Hacker Pyramid tonight. We'll also be raising more money. And at some point, there's a special fail waffle iron that somebody made for us. It's really, really cool. Two are truly a hacker, sir. You, sir, win one internet. Exactly. So I have to go really fast. Apparently I only have like four minutes to do this. So... Keep... That's the best you can do. This is a brief travelogue of fail. So last we met, I was wearing a shirt. After DEF CON last year, I went home and we moved within two weeks of finishing DEF CON. I would strongly recommend that you do not do that. I also discovered that I hated my job. This was my standing desk in my cubicle. They couldn't order the right size standing desk. Apparently I'm the tallest person in the corporation. But Solaris 7 manuals. I finally found a use for Solaris 7 in my daily life. Also... Somewhere Scott McNealy is very happy. Yes. You're taking up my time, sir. Winter? I was starting to get sad. And cancer was starting to affect more and more people in my life. There are entirely too many people who are dealing with it. And I hate to say this, but it's criminal, the number of people who are dealing with it quietly without anyone knowing. So I will tell you this right now. You know someone who is dealing with cancer by themselves. This is not cool. Go to hackcancer.com and learn. What you do when you get sad is you go on vacation. So I went to Disney World with my family. I thought I was having a heart attack. Rich and I are brothers in heart attacks at this point. I got a cool new job in the Bay Area. That's great, except... But there's this thing called the North American Free Trade Agreement that's supposed to allow labor mobility for professionals. So I applied. And I got a work permit. I was happy, but... First time for everything. It expires. So you have to reapply. And I was denied. Come down to Phoenix. We'll take care of you.
What the hell does that mean? Arizona is all about the immigrant law stuff. So there's this thing called a management consultant. And it says that you need to either have a bachelor's degree or have five years of experience in a specialty related to the consulting engagement. I have more than five years' experience at this shit. In fact, I have a lot when you look at it, the full-blown version. I even am accredited. I can't believe you admitted that. And certifiable. Your government, those of you who are American in the audience, says that I need to be a computer systems analyst if I want to do what I do for a living because I use computers and I'm an analyst. Their suggestion was that I go to a community college and get a two-year diploma. But wait, wait, wait. Haven't you seen what happens there? All kinds of wacky adventures. Like DEF CON. Except that would still only qualify me as a computer systems analyst because that's what Homeland Security has decided. It's interesting, though. They can't seem to get their story straight, whether they want people who know their stuff or not, because they're going to build a major cyber army in the next two years. And I'm married to an American. I mean, how harmless can I be? I only live in Canada for one reason. Marijuana? And frankly, my home office is equivalent to a cubicle. Whether I'm working in my home office in Canada or I'm working in a cubicle in Santa Clara, I get paid the same amount of money. There's a lot of cyber generals, cyber senators, and cyber congressmen who, yes, there is the one cyber warrior. I forgot. There seems to be a lot of this sort of cyber infection. And again, remember, I met my wife on IRC and yes, I've only got three slides left. I wish that I was a cyber warrior. Many people dress up like this on the weekend and be cyber warriors. I just want to be a helpful soul and work on this stuff. So I'm going to keep trying. And we'll see you next year. We'll learn what happened.
If you want to follow this amazing story, join us on Twitter where you'll see me yell about crap. And I did it!