Okay, this is going to be silly, we're about 10 people here, so come to me, my children, or not. Yeah, it's cool. 3, 5, 1, 2, minus 1. Okay, I'm not funny, okay? Okay, I'll start by introducing myself, which is always a good thing, I guess, but before that I need to ask, was anybody here at my previous lecture a couple of days ago? No, cool, I can use the same jokes again. No, seriously, I don't have that many jokes, and they're usually bad. What you're going to hear about right now, I'm not really sure what lecture you came to, if you know what lecture you came to, because I was just inserted into the schedule, there are some scheduling problems. I'm going to lecture about the survivability of the internet, and I'm going to make some bad jokes, and speak about some serious issues, and since there are not that many people here I'll allow myself to say a lot of shit and fuck. Now, my name, my name is Gadi Evron, and some of you may know me from the internet as an asshole. Others may know me as a nice guy, but not that many. I mean, there are not that many people here, okay? And that's basically it. What is DA? DA is a mailing list. What is MWP? MWP is also a mailing list. Now, we'll start with the boring stuff. Is there actually a threat to survivability, big word, of the internet today? Now, I don't really expect you to answer me. One, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve. You're not that many people, but seriously, does anybody here think there is a problem today with the internet? Ciscogate. Okay, cool. Yes, I'll answer it. Yes, there is a problem. Is it called botnets? No. Well, kind of, but no. We'll get to that. Now, I'm jumping right in, skipping a few slides, and what I basically wanted to talk about, which I'm not going to, is botnets. But essentially, when you look at the problems of the internet, and you see spyware, you see spam, you see viruses, you see all that shit going around. Why?
I mean, seriously, people used to blame everything on hackers, or the bad guys. And that doesn't make any sense to me, really. Boring stuff is, for example, like in any social structure, that's my belief, there are many different kinds of people, duh. And it's not just the bad hacker, the bored employee going back home and doing whatever malicious stuff he wants to do, or she wants to do. There are the kiddies, there's the military, there are the criminals, everybody, different people. But still, to sustain such a huge amount of bad stuff on the internet, somebody has to get something out of it. I mean, seriously, so much stuff, just going on out of boredom, I don't think so. And I'll try and prove that, even though it's not really the point of the presentation. So where is the ROI? Where is the management talk, return of investment, on investment, sorry. Like I said, social structure, let's start with the kiddies. Are there any kiddies here? Ah, cool. Hey, kitty. Kitty, front. Some of you may have read it a couple of months ago on SANS maybe, or heard it from a guy called Dan Hubbard, iframe-dollars.biz. Now, generally, whenever I see a dot-biz domain, I start crying or scratching or whatever. Seriously, biz domains are bad, nearly as bad as CX or WS or whatever else. I mean, seriously, I just see a dot-biz domain and I start crying. iframe-dollars.biz was a business, plain and simple. Some guys said, hey, let's make money off the internet. And you're coming up here, you do know that. Yeah. Dan fucking Kaminsky, people, Dan fucking Kaminsky. Now, oh, shit, these are people that actually heard my lecture before. I can't use the same jokes again. Shit. Damn. Okay. Now, iframe-dollars.biz basically said, okay, come into my website, take this code, an iframe, I think it was, and put it on your website. Now, for every first click, every user that goes into your website and installs our spyware or whatever it was, you'll get money.
You don't get a lot of money, you'll get $0.06. Now, they claimed, you're eating. Bitch. Okay, they claimed, if I have one more bad pizza, I swear I'll puke. They basically said, look, take this code, put it on your webpage, whenever somebody comes into your webpage, you'll get $0.06, which is cool. Now, they claimed to have paid, the week before we saw them, $11,000 for that. Now, that amounts to about 220,000 clicks. Again, they claimed. Now, we actually found their statistics page, and yes, apparently they did pay. 220,000 people did get, first of all, software installed on their computers, and they did pay $11,000 to people. Now, $11,000 is a large sum, but it's not that much money. Now, there is another guy I would like to give you as an example, and I don't know how to pronounce his name or nickname or whatever we chose to call him. It could be Flowby, it could be Flowby, depending on where you're from. Now, this guy is a botnet controller. Just so we are clear, I'll explain in a couple of lines what I believe a botnet is, and if you think I'm wrong, tough. Trojan horses. We all know what Trojan horses are, I'll repeat anyway, and again, you can argue with me all you like. I don't care. Shut up, Dan. God, he doesn't care. It's on the record. You can't speak if you're not drunk. That's it. Is that beer? No, it's Rockstar. Okay, Flowby, or Flowby, was a botnet controller, and again, Trojan horses, let's say it's some sort of software or hardware or whatever, some sort of thingy. If a user knew what it would do, he would not be so pleased about it. Let's put it that way. And it's usually a remotely controlled device or whatever installed on your machine. That was the worst explanation of what Trojan horses are that I ever gave or heard, for that matter. Now, you can do whatever you like on a machine where Trojan horses have been installed. You control that machine. Now, imagine if you had 10 such machines where you installed Trojan horses.
Imagine you had 100, and they were on broadband, of course. Imagine you had 200, 1,000, 10,000, 100,000, a million machines all completely under your control. Well, you would have to control them somehow, and that's basically a botnet, because these drones, bots, whatever, will be reporting to a central point, which is the command and control server. Now, this guy owns many botnets. And on one of the botnets, we can't really prove that, we've seen it happening with many different cases, and it's just very easy for me to give it as an example. On one of his botnets, which was 35k large, 35,000 bots large, he decided, hey, DDoS is not good enough for me. I don't want to spam. I don't want to DDoS. There is a lot of downtime for a bot, and I want to use that downtime. So basically, what it supposedly did is install a lot of spyware on every single machine. Now, a calculation based on a page we believed it took the spyware from would mean that he gained about 8k a day from a small botnet. So that's the key difference, 8k, 11k, whatever. Now, the big picture. We don't really know what the big picture is. Seriously. We do not see what's happening, and this is definitely, I don't need to explain it to you, because half the lectures here are about conspiracy theories and how the government is spying on us and all that. But we can't see some of that. It's in plain sight, it's in plain sight, it's public, and between a lot of beers, you might actually notice it. I was just looking at you, I didn't mean anything by that. There's plain sight spying by government? Yes. Now, when you see phishing, which is in plain sight, that is a little bit ranked, or I'm just not very well understood, which is possible, or likely. You're not implying governments are running legitimate botnets by putting spyware on people's machines? You're onto me. I work for the government, you know. Okay. Now, phishing, seriously, phishing gives us a very, very good picture of what's going on.
Phishing is public, you get it in your inbox, you can go to the sites, you see what's going on, which is great, and we can actually see the amounts of money that go into it, and I'll show you in a minute. And then there are a few minor details, such as, for example, the Trojan horse industrial espionage case, where there were some private investigation companies and some very rich companies that wanted to spy on their competition. So basically, as far as I understand, they paid 17k UK pounds per computer, which is a lot of money. So there are things going on behind the scenes. Some of them we can actually prove, because we hear about one or two every year, but let's actually look at what we can see day to day. The APWG, the Anti-Phishing Working Group, says they saw over 13k unique phishing emails in March 2005 alone, and thousands of phishing sites. Now, people usually say, and I'm going to be kind of, okay, we all know this, this guy, okay, they sent so many millions of spam messages out, and then just one person clicks on it and fills the details in. Well, one person clicking and filling the details in is clear-cut return on investment, because email doesn't cost money. We all know that, but it's very important to reiterate that issue. Now, let's give some statistics. In Germany, for example, for every phishing attempt, 2000 people fill in their details. Now, that number keeps rising. It's not just one stupid guy. There's a lot of stupid people out there. Now, of them, about six do not get their money back. That's because the banks are very good at moving money around. Money is totally no problem, but six do not get their money back, or rather, the banks have to cover it. Now, on average, that amounts to about 6k euro lost per person, 36k euro for every attack. Now, per year, that's 1.2 million euros, and that's just one group. Each group used to attack once every eight days. Now, they do it a lot more often. Quite a few groups out there.
Can anybody see the ROI, the return on investment? There is a lot of money going into this now. The Russian mob, and I have to say this again, I always say it in my lectures, I have nothing against Russians. Seriously. I had a girlfriend who was Russian. But really, nothing against Russians. But most of this stuff, there's a lot of small operators out there in Eastern Europe, in Brazil, all around the world. But most of this stuff comes from the Russian mob. Clearly, from the Russian mob. I'll say it again. Hold on. Hold on. I'll answer every question, and if not, hey, I'm on tape. The Russian mob sees the return on investment. Okay? Okay? Cool. And they actually invest in the technological and operational capabilities over time. There are people sitting here who actually watch the binaries and the samples and can tell you how they evolve over time. Now, many of these kiddies just, like I said, it's a social structure. It's not all the Russian mob. Many of these kiddies just trade it like candies. They trade these samples like candies. And most of these Trojan horses or bots or whatever are just the same code, ripped from one another over and over and over again. But still, it's important to note that, and I'll give you an example. Here in the States, this just came out a few months ago. In the States, there was a phishing attempt. It's a phishing attack, actually. And somebody's account got emptied in a branch of the bank on the West Coast. Now, a week later, a FedEx box came in carrying a fake check, which is what actually got people to look into it, to refill their account so they could empty it again. Shut up. So basically, you get the lecture in a minute, so don't disturb. You're not allowed. You're not drunk. Now, I'm very happy that you came. Now, I really am happy that you came. Basically, what that means, people, this is not cyberspace anymore. This is meatspace. This is happening right here, right now, with real people and real money.
That's critical to what I'm going to talk about. Now, in the UK, the last example, the losses are also significant. 1.4 million pounds a month in losses, just at the beginning of this year, and it jumped by 1 million every month. December, January, February, March, you get to 4 million pounds lost. Now, don't take my word on these numbers. You won't find them anywhere. As far as you're concerned, I'm lying, okay, because I'm not going to prove it to you. And anything I'm not going to prove, just believe I'm lying, but these numbers are true. Now, this is why I'm lying. Now, this is by phishing alone. There is a lot of money in this. I'm saying it again. I'm repeating myself, and there is a reason for that. In the US, the story is a bit different. One bank, okay, they say they used to see about 200 victims per scam. Today, they say they see about five, but come on, people, banks, at least in the United States, in the UK, they have, as far as I know, every legitimate reason to actually try and underplay the problem. I mean, do you have any idea? I don't have any idea, by the way. Do you have any idea how much of all their business goes online? How much of any business today goes online? Depending on the bank, it could be 50 to 60%, everything, everything. Again, I don't have hard numbers, and it changes drastically from bank to bank. I don't want to talk about it. I really want to answer that. I honestly don't have time. I know I'm kind of a weenie for saying that, but I honestly don't have time. Sorry. Now, other banks are actually reporting losses of around 10 to 20 million dollars, but again, don't take my word for it. The Germany numbers, I can sign on, and they're not anywhere you can find. Now, the problem is not botnets. Again, I didn't really want to make this a botnet lecture, although I can speak about botnets for hours on end. Botnets are a very serious symptom, a very, very serious symptom. It's a problem, okay? Actually, I keep using the same jokes.
You were in the last lecture, you bitch. Why were you in my last lecture? Can't I reuse jokes? You're hoping it was funnier. Okay, I know where you live. Okay, I don't. I can find out. Okay, then... Never challenge someone from the Israeli government to find out where you are. The Mossad! The Mossad! Oh, I was just at Cisco the other day, and they gave, like, name tags that stick on your shirt. Now, I don't know who told them and what the fuck they thought they were doing, and I don't work in Israeli government security, but it said Israeli government security. I immediately photocopied it. I asked for another one, put it in my pocket. That's so great. I'm from the Mossad. Watch out, I'll send people after you. Quads, quads, right? Okay, I don't have time. The problem is not botnets. Botnets are a very serious symptom. What I'm trying to say is botnets are a serious problem. I can tell you from our limited view, and we see quite a bit, but again, we don't see everything. We have seen 4,000 botnets out there since the beginning of this year, as in command and control servers, and that's just a little bit. I mean, people keep looking at the bot itself, the Trojan horse installed on the machine, and they keep asking me, how many bots are out there? And you know what? I don't give a shit. Seriously, I don't care how many bots are out there. Some people might have to care, but I don't, and I'll explain why in a few minutes. Now, okay, I'll explain why now actually, and save some time. Why? You people who live in the United States, or most of you do, you know about this thingy of asking, why be able to destroy the world a thousand times over when once is more than enough, right? Well, botnets on the internet are strategic warfare. They are nuclear weapons, and the amounts and numbers out there are unbelievable. Now I can tell you that we've actually seen a 350k botnet, and it wasn't the only one. It's just the best example I have, from a few months ago.
Now, when you have that big of a botnet at your control, you can do pretty much anything on the internet. Now, I'll continue with that in a minute, but really looking at the botnet as a problem, the botnet itself, the network, not some bots installed separately, is what I'm talking about. Now, the philosophy of the problem, why I'm looking at botnets as a symptom, okay, I can't say problems, seriously, this is a joke I must reuse. I'm sorry, it's not really a joke. I was sitting with a guy from Adobe, or my boss was, I don't really remember. I reuse jokes all the time, and the guy refused for two hours to say the word problem. He would say challenges. For two whole hours I just heard, or he heard, challenges, challenges. And now they changed it, you're supposed to say opportunity, opportunity. Anyway, so there are several challenges. Let me get to the point. If I'm saying botnets are strategic warfare on the internet, I mean, everybody knows what DDoS is, why say they're just a symptom? Let's start a little bit about our philosophy of the problem. The internet. Photomorphic monoculture. We all, I mean, whether we like it or not, most of us use Windows, and I'm not talking about the home computer, at work most of us use Windows. Everywhere, it's Windows. And that makes us extremely susceptible to attacks. And I don't have time to talk about it anymore, but just think about it. I'll waste some time later. Now, one bug or one patch can bring us down. Repeating past mistakes. When we left the world of the mainframes, OS development somehow sank down to a new level. And just now we're starting to reach the level where we were with the mainframe in OS development. And I can actually see it as a pattern of things actually repeating themselves nonstop. The PC wasn't the end of it. For example, cell phones. Everything is on by default. You can't disable anything. Everything is automatic. Java, browsers, whatever. Unbelievable.
We keep repeating the same mistakes over and over again. And that brings me to killing fires. And before I reach killing fires, I would like to discuss the problems of the internet. We'll get to Casey and who she is in a minute, but everybody keeps saying at the end of the year, companies like Symantec, they do a great job, but they come out and say something like, look, these are the problems that we are going to face in the year 2005. Okay, great. How do you know that? Well, we have looked at our past trends and logs and histories and we can tell you what we believe the issues are going to be. Okay, so basically half of that is what happened last year. Almost another half is what you believe is going to happen, therefore you're self-prophesying or whatever you call it. Some of it will happen and some of it won't happen. And some of the stuff will actually surprise you, because you can't know everything; it's going to surprise you. And I'm saying something different. The problems are out there and we have known about them for many years now. Many years. And let's take for example spam. Are you interested in my talk at all? I am. You are? I believe you. Dan fucking Kaminsky, everybody. Not drunk for the first time on video. Now, yeah, I'm trying to remember what the fuck I was talking about. Predictions. Predictions, thank you, bitch. I love this guy. But he gave me such hell when I asked him to come and help me in my lecture. And actually, yeah, but I don't need you now. Yeah, I'm going to talk now. Yeah, I'll tell you about the superbugs in a minute. I'm still wasting time. Okay. What was I talking about? No, seriously. Predictions. Predictions, okay. So, basically, the problems... shut up. The problems have been around for many, many years now. Now, let's take spam as an example. Yes, tell them we love them. I want that phone later on. It's mine now. The problems of the internet have been around for many years now. Let's take spam.
I'm going to completely ruin the history of spam. In my last lecture, there was a guy from Spamhaus here and he wanted to kill me, but it's cool. At first, we didn't really care about spam. Seriously. It's just some emails you get eventually here and there once a day. And we found a good solution for it, too. JHD, just hit delete. And it worked. And then it got a little bit more annoying, and somebody started working on it, but nobody really cared. Nobody wanted to put the money into it to get rid of the business, or at least try to. And then it got to be a problem. Then everybody started caring about it. And then we started finding solutions. And like any human society anywhere, they said, I have to be elected into office. I mean, this is not really it, but seriously, long-term solutions are not part of the business here. It's part of our culture. We have to kill this fire called spam right now. So we'll invest some money and come up with a solution that will kill the fire right now. That solution was, for example, Bayesian filters, let's say, Bayesian filters. And if we see, for example, Viagra with a one instead of an I, all these evasion techniques that the bad guys came up with, that's cool. I mean, seriously, we used, let's say, Bayesian filters, so the bad guys learned and started using a one instead of an I. Then they started using mail relays. Again, it could have been the other way around, but I don't really care right now. And we started using blacklists, like MAPS. And then they started using zombies and they can email from all over the world. Any time we actually killed the fire right now, got rid of this problem right now, what we actually accomplished was, hey, we are teaching the bad guys. We're educating them. We're throwing them onto an evolutionary route that we are not choosing. We are making things worse. And I can tell you, it's the same with botnets. It's the same everywhere. And that's what brings me to the superbug theory. Now, superbug is not a new theory.
I mean, doctors really liked antibiotics. You had a flu. The flu, they gave you antibiotics. You had a cold. They gave you antibiotics. And what they actually did was create some sort of stronger bugs that could resist antibiotics. And they kept doing it. And that brings me back to monoculture. Everything is Windows. And we keep just ignoring the problems that have been out there for years, and I can give you a list of problems and I'll get to that in a second. They've been out there and getting worse. Eventually, they get so bad that we have to kill them right now. Every time we do something like that, no matter if it's terrorism, no matter if it's botnets, no matter if it's spam, we just kill the problem right now. I'm repeating myself. I know, but it's important to me. And make it worse. Educate the bad guy. So the superbug theory is where I wanted to get to. And that's why botnets are not really the problem now. Who is the enemy? I keep speaking of there being bad guys out there, FUD. I'm not giving any facts. Well, it used to be a rival or an opponent really, not really an enemy. Because I'll give you an example with the dynamic DNS providers. Dynamic DNS providers are really, really good for the bad guys. They can run botnets using DNS really easily. They tell all the bad bots, connect to that address. Then when somebody kills the server, because that's how you deal with a botnet, you kill the command and control server, which is bad, because then the bad guy just moves up to another server and starts investigating and educating themselves and getting to be better at it. Again, superbugs. But basically, dynamic DNS providers are perfect for them, they go online, they open a new account, they get some free DNS, free domain, free whatever, and just point the botnet over there. That's basically how it works. And the dynamic DNS providers, one second, dynamic DNS providers really suffer. Because imagine 100,000 bots, and bots are not very nice internet users.
They just keep asking the same question, how do I connect over there? Where is that A record? And they really weigh down on the dynamic DNS providers. The dynamic DNS provider says, okay, this is a botnet. It's in breach of my acceptable use policy. I will map this botnet address to 1918 addresses, localhost, whatever. And that's acceptable to the bad guy, because he says, hey, I've used the service, but I need it again. They found me out. I'll just use it again, re-register. Now, what if the dynamic DNS provider says, I'm sick of it? So far they've been contesting for the same resources. They live in the same realm, but don't really come to combat, open combat. But what if the dynamic DNS provider says, I'll sink the whole botnet. I'll kill the botnet. I'll take the botnet away from the bad guy. The bad guy gets pissed. And that's open warfare. You will DDoS the dynamic DNS provider to hell. That makes it an enemy. And why I wanted to stick to this point for a minute, which is not really related to the lecture, is because this is an enemy to the infrastructure. And when I try to think about who the hell owns the internet, and I'm not talking about owning the internet as in who runs the internet, but who the stakeholders are. Seriously, who cares if the infrastructure survives? And I try a lot and I can't really find the people yet, but the infrastructure is at serious risk. I don't care if somebody is a black hat, if somebody is a white hat, if somebody is a gray hat. Okay, whatever you do at home, whatever you're having fun with, that's cool. But when you go out and take money from Granny Jane, or when you go out and try to DDoS the internet to hell, you're not a nice netizen, and moreover you're pretty much, you're not a black hat, you're an idiot. And your idiocy is pretty much what's going to cause the internet to go to hell. And that's FUD. That's FUD. That's fear, uncertainty, and doubt.
And I didn't want to say that until I could give you some facts. Now, what do we do about it today? Yes, it depends. It could be tens of thousands of dollars a week, it could be millions, it depends on who you are. Okay, the question was, why are you relying on dynamic DNS for something that is critical to your infrastructure when you make millions? You don't rely only on dynamic DNS, but when you come, I don't have time to cover it right now, but just think about why do botnets use IRC? Seriously, why use IRC? It's perfect for them. I mean, I don't have time to cover it because this is not a botnet lecture right now, but something does not have to be extremely complicated to be good. But now Dan fucking Kaminsky is trying to answer that. Ignore everything I just said, please. There need to be legitimate services that are using that particular host, so that it would be a problem if you just killed it entirely. If you go ahead and you put a colo somewhere and it's, you know, the C&C and it's the DNS and so on, pull the plug on it and you've just killed illegitimate services. The idea is to mix the illegitimate botnet with the legitimate dynamic DNS, and that's why they do it. Amen to that. Next issue. And thank you to Dan Kaminsky, who is not drunk. Oh, sorry, Dan fucking Kaminsky. Now, he calls me God fucking everyone. Come on. Hold on, we'll get to that. Now, what do we actually do about it today? Okay, first of all, there are vendors. Anti-virus vendors, anti-spam vendors. Let's even say ISPs, okay? Vendors, a lot of vendors who try to give you solutions. Then there are more vendors who try to sell you stuff. Some of them do good shit. Seriously, there are companies such as MessageLabs, MAPS, Spamhaus, companies that really do good for the internet. They're still vendors. And they look at their small way of making money and if they can do good with it, that's cool. Then we have research funds and research in general, such as the NSF, Army, Navy, DARPA, whatever.
There is symptom-based response. For example, hand spam, okay? The FTC recently came up with something that they claim will report to every ISP, or they will report to ISPs the bots. Again, the bots are not the problem. As far as I'm concerned, any infected machine will have 10 more bots on it at least. But the botnets are the problem. But say they will report the bots. So what they do is look at emails, spam emails, and find the zombies that send them. Now, out of all the numbers, out of all the drones and bots out there, how many of them send spam? A lot, but not quite that many from the whole, the entire botnet population. Now here I have to discuss the botnet population, how many bots are actually out there, because that's what people keep asking me. So I'll make this quick. I don't really give a shit. As I said, if you can destroy the world a thousand times over, why the hell would you care if you can do it just once? And that's what botnets are. But if I have to answer the question, I'll discuss research that has been happening and related for quite some time now. How often, or how soon, when you start scanning the Internet, when you put a machine on the Internet, will it get scanned? A few years ago it was, put the machine on the Internet, it got scanned 36 hours after that. A couple of years ago I checked, and depending on the ISP I checked on, I got scanned once every two seconds to once every 20 minutes. Kevin Mitnick, I believe, made some check and got around the same conclusions. On the SANS site, the Internet survival time is about 20 minutes, or something like that. It keeps going up and down. So basically, say it's not every two seconds like at my house, okay? Say you actually get scanned for the easy vulnerabilities automatically by viruses, worms, whatever you want to call them right now, hacking tools, every 20 minutes, once. Now, on broadband providers, out of all their clients, how many would be easily exploitable?
Now, when you get to the potential population of that, and how many bots you can get installed on one machine, because basically I count the bots as how many samples are installed or working on each machine, per IP address, per machine, you get a huge number. Now, if you wanted to count it another way, say you've seen cold botnets, and that's not my research, that's somebody else's. Say you've found botnets and you followed them, and you checked and saw that several botnets have the same IP addresses coming back. Again, there are time-of-day issues, DHCP issues. Sometimes you see a Linux machine and then it's a Windows machine. But you actually see IP addresses returning. If you take that cut between the different groups, you may try and get to the point where you see the entire Omega. This is David Dagon's research at Georgia Tech. Now, he says, by the limited research he has done, he's seen about 20 million bots, I'm sorry. That's nothing. If I had to give a number, I'd just say 40 million, but that's nothing, people. Seriously. And why would I care about the number? Now, sorry, I had to give a thorough response to this, if I didn't explain myself correctly, because it's critical. Now, another issue, and the symptom-based response crew at the FTC came up with this issue and said, report bots to the ISPs, not botnets but bots, and they're reporting the spam bots. They're reporting the symptom of the symptom, which is the zombies that send out spam. Great. A for effort, that's about it. I'm glad they're doing it, but it's nothing. Shoot the customer. I really like that. I want to shoot the customer, seriously. Blocking port 25 is one of the best things out there that can be done to stop spam. I hope Larish from Spam Els will be here again to explain that. But basically, loss of end-to-end, blocking port 25, blocking all these ports. No matter what, or if it's a good or bad idea, it's shooting the customer. That's how ISPs are dealing with it.
I'm not saying it's bad, I'm not saying it's good. I actually like it, but it's shooting the customer. That's how we deal with it currently. Now to business, why DA? And as we said, DA is a mailing list. Well, it gives us community and industry involvement, basically. I'll discuss what it is exactly as I go. You see the antivirus industry, academia, dynamic DNS providers, law enforcement, ISPs. There are other groups out there that work on the problem, and I'll discuss them in a minute, but none of them have the scope. I'll continue in a second. Long-term study and research. Killing fires is bad. Whack-a-mole was bad. Today, when you actually kill it, the bot not just jumps to the next IP address, the next compromised host, they actually learn from it. They become better at what they do. It's bad for us. Long-term research and study is critical. R&D, ways and means. Finding new solutions, following the technological, operational evolution by the other side. Doing all that and still maintaining the vetting, and vetting does not mean a secret NSA club where nobody can enter, hey, I'm lecturing at DEF CON for very few people, but still lecturing at DEF CON. The point is getting as many people involved as possible who care about the infrastructure and actually having the internet around. Now, this is not easy, but it's critical. Now, what does that mean? What can we do that this closed group of ISPs can't, or a closed group of antivirus gods can't? Antiviruses care about signatures, libraries, which is great. That's their business plan, model, whatever. ISPs care to get their networks back online without problems, maintaining their networks, for them it's kill botnets. What do we do? First of all, we can do traceback. Okay, tracking down the botnet authors, controllers, whatever, creating an intelligence database on who they are. Actionable intelligence, law enforcement cooperation. Get the intelligence, give it to law enforcement. Law enforcement does not care. What do I mean by that?
I don't give a shit. And not because they are bad people. Actually, it's the opposite. Law enforcement cares. They can't do squat. We see a very large increase in their caring in the recent year, especially. They want to do good, but they care a lot more about the murderers out there than they should. They do not have the resources to invest in this. Plain and simple. And it's not really their fault. It's policy. Policy from upstairs that dictates this. And I can tell you we have somebody who actually knows from his hard work who the Bagle author is. And he gave them information. He gave them pictures of the guy. And they didn't do squat. Shit. Nothing. So, again, I love the guys in law enforcement, and they are trying, but they can't because their hands are tied. So we can't count on them. Sorry, but that's the way it is. Now, reverse engineering, working actually on the samples rather than just the networks, IDSs, flows, whatever, shows us where they are technologically. What they can do. We can find the botnets better. And it's cool. Financial traceback. If you work with law enforcement or the financial industry, you see phishing. You can actually trace back from all ways, not just on the network, not just on the sample level. Financial traceback. See where the money is going. Which is basically the only thing the feds knew how to do with phishing until very recently. Cooperation. That's a critical part. We have to work together to see the big picture because everybody is an expert. But nobody, except if you work together, can see the macro-level image. Seriously, we'll talk about Casey in a minute, but she says, for example, the research community is looking for ideas on what to research. The industry needs solutions and nobody is talking to one another. Now, DA and DA-related projects, again, DA is a mailing list because we had to start somewhere and that's where we started. Carsnet. That's David Dagon from GA Tech. 
He does amazing work to study botnets and he can't find funding. The bad guys have millions and he can't find funding. But, that's a database basically for us to follow everything, gather information. Pretty cool. Snort for ISPs. Rather dead project right now, but we're working on it. Getting signatures out to detect botnets, not bots. Passive DNS application is critical. I do not have time to talk about it. I'm sorry, but it's critical. If you want, Google it. AS-based reporting, getting the reports out to ISPs. Monthly shaming. Some ISPs do not give a shit. We need to shame them and we are actually managing to change the map of the internet every month. But, basically it's, okay, we managed to get that ISP to work with us, which means, okay, the botnet controllers are going to run to another ISP now. But we change the map every month. Some ISPs don't give a shit. We are not sure how to handle that yet. There are some parts of the world we can't reach, but we're working on it. And I'll get to that in a second. Then there's granics. You'll hear about that in the future. I'm not going to talk about it. Drone armies, at least I think so. I have no idea. Any Harry Potter fans here? No? You guys suck. Now, MWP is another mailing list. We had a lot of off-topic posts. There's nearly no noise, only signal on the mailing list, until I decide, okay, there's just too much signal and I just send some shit in. But it's a community. It's not completely operational. There are other lists that are operational. Spammed malware sites. You spam it via email. It's malware. We'll take it down. Captures, okay? There are many other companies that see these files online. We'll find them and we'll take them down. Now, I'm not supposed to say kill the site, but that's what we do. 
We do it legally, which means in lawyer talk I would prefer to say something like, we find the data, collect it, give it to the respectable authority to review, investigate, and validate or whatever themselves, and then proceed according to their acceptable policy or whatever. Basically, we kill the sites. Now, worm propagation site take-downs. For example, if there is a worm that downloads samples, updates, whatever from some site, we'll take it down. We'll stop the worm from spreading. Phishing site take-downs. We don't do that anymore right now. I'll explain why later, but we still follow it very, very closely. Global law enforcement coordination and tracking of phishing groups. Law enforcement can work together very well. They have their own ways to communicate, but they suck on the small things. Seriously. And we have managed, by giving them the actionable intelligence that they don't have, we managed to get several law enforcement agencies around the world working on taking these guys down because they make money. We can stop them from moving the botnet or the phishing or whatever to just another server by changing the economics and making it not worth their while. That's basically it. And phishing on a net. We want to gather all these phishes, companies such as MessageLabs, Spamhaus, all these guys. Send us the phishes. We'll report them to ISPs. We'll get the shelf life of a phishing server and ask them later. Sorry, I got five minutes. I'm serious. I'm sorry. Other projects. There are other lists out there, other projects. For example, NSP, SECFRI, SP's to Work, you can Google it. The ANINET project, they don't want to work with law enforcement. They're pure researchers. APWG, the Anti-Phishing Working Group, in the United States and APEX in the UK. UNISOG, Digital PhishNet, which is the FBI, which is just now starting to get things done, they basically suck so far. I have high hopes. Microsoft, people. Microsoft is doing a lot. 
I believe their motives are more like, we want to prove to everyone we do security and we want to fucking take over the industry. That's what I believe their motives are. They're hiring a lot of people. But whatever their motives are, they're not really hiding, as far as I see it. They do a lot of good. They actually do something. Now, as far as I see it, the stakeholders so far that I've been able to find, I'll get to Casey first, I'm sorry. Internet governance, you might have heard Paul Vixie's lecture. It's a lot of shit and crap and whatever. And the point is, if we can go lower in depth, it's trust. For example, nothing prevents me from going down with a 5-kilo hammer or kicking the nuts or killing, basically. In real life, okay. Dan, my Glock is at home. No, seriously. You guys are watching me. There are laws, there is fear. I don't know what's stopping me from doing that right now. But that's meatspace. On the internet, nothing stops me from doing that. For example, when people threaten sites for take-down, 10K right now, or I'll take you down. In real life, especially in the States as far as I understand it from movies in Hollywood, protection money is really good. Works really well. And somebody might come to you and say, look, you pay me right now or I'll burn down your store, set it on fire. And you might pay him or he'll set your store on fire. Now once you've paid, it is likely that the guy won't set your store on fire. Further, if anybody else comes to you and says, hey, pay me or I'll set your store on fire, this guy will protect you. On the internet, they say, okay, pay me 10K right now or I'll set your store on fire. How do you know he won't? First off, it's the internet. Second, he can't stop anybody else from doing it anyway. And the point is, if I meet somebody online, say from Korea or Japan, he doesn't know me, I don't know him. Why would he trust me? Why would she trust me? No reason. They may be the bad guy that's trying to take me down. 
Would I share information with them? The bad guys are sharing information, making money, everything. We do not share information. We do not get things done. Now, if we don't find a way to cooperate and get things done, somebody else will find a way to do it for us. According to Casey again, I'm misrepresenting your ideas. That has to be clear. But as far as I understand their ideas, every network in the world ever built, transportation network, whatever, somebody came and made some order. That somebody was usually or always the government. Do we want the government, your government, my government to come in and try and make the internet fall in place? They're already trying, that's as far as I can see. Here in the States, everywhere. And I doubt they'll succeed. What I see, basically, I'm not as worried as Casey is. I believe it will either be Microsoft or the Mob, the Russian Mob. Now you can quote me, that he said the Russian Mob and Microsoft. But seriously, these are the stakeholders right now. They make money, Microsoft and the Russian Mob. Exactly. Thank you for asking that question. Now, I love Microsoft. Seriously, they're doing a good job out there. I don't know why they care. They may have their own ideas, but they're doing a good job. They're the only ones. Now, cooperation, trust, just getting things done, basically. We need to solve these problems. And usually, like I said last time, I would have expected a full hall when I said, Get involved, people! We have many projects. Maybe you have some ideas, too. But seriously, you're just like 20 people or something like that. But still, get involved. If you believe this is important, I do. We need help. Yes, I'm coming to DEF CON, and I'm saying we need help. It's about two minutes, so Dan, come up here with me, because it was very nice to come here anyway. Then, and you will be able to answer your questions instead of me or with me. Go, pharming. What about pharming? Okay, the IETF sucks. 
I mean, they're good guys. They're good guys, the IETF, but they suck. I mean, seriously, how long have they been dragging their feet on DNSSEC right now? 15 years, 11 years? You answer that. DNSSEC is an interesting scene. Pharming basically gets into the idea of attacking the infrastructure. Really, though, when we're already talking about botnets at the size of a quarter million to eventually multi-million infected hosts, the endpoints are getting owned, en masse. There's a thing called the Byzantine problem. You're a Byzantine general, and how do you control your troops when a fairly large portion of them want to turn on you? And there are ways of organizing the networks so they can go kill the generals that turn against you and such. There's a critical mass of hosts that, if they're on your network and they're bad, you die. And, I don't know, is it 250,000? Is it a couple million? Is it 50% of your customer base? Eventually, online banking is really going to have to start accepting the possibility that too many of its customers are actually not its customers, but are coming from corrupted hosts. Already, if you go to Kinko's, you will see, they say, please do not use online banking. Or at least they say, please do not use anything with personally sensitive information. This is a result of a case in New York where a Chinese immigrant actually put botnet or Trojan code on all of the publicly available hosts. So there's a couple of things that I wanted to say, because it's going to be on film, and I'm going to be able to say, hey, I totally predicted that. Last year, like I said, the botnet control data right now, DNS directs you to command and control servers. Eventually, they're just going to put commands in the command and control servers. At the scale of when you have all these machines, they can stop saying, okay, I want you to take everyone on this bank and send money, send all the money. They can start doing really intelligent things. 
When you have multi-million nodes broken into, you can say, let's find everyone who's sending money to everyone else. Let's build a graph and let's find out who are the people who are receiving money from anyone. In other words, all the stuff the bank does to find fraud, the fraud people can use to find targets. So I want to have your baby. I want to have your baby. So, no, I mean, the canonical attack becomes, okay, I find one guy who receives money from 10,000 different people. I put a tax on every transaction of, say, 1%, 10%. I hide the fact that the tax was applied because I control the interface on everyone. The money moves over to the guy. The bank thinks it's normal because the bank's always seeing money move, and the guy never actually gets any extra money because he gets his account drained of the extra money. These are the kind of threats that really happen when every single, you know, large numbers of endpoints are broken into and it stops being about a couple thousand here or there. This kind of stuff is going to happen. And, you know, I don't know if you guys know this, the financial network is kind of converging on sending money instantaneously when all of the security stuff is really saying, hey, slow down. We need to check. We need to go back. So it's a real question, what is going to happen to the speeding up of the financial system? And it's a real, real question, are we going to be able to do online banking with personal computers in a year and a half? This botnet stuff that Gadi is doing, every day he does what he does is another day we can use online banking. That's enough. Now, online banking is one issue. Basically, we need to work together. We need to find solutions. We need to get things done because we use the internet no matter who we are. I mean, this sounds like, I want to cure world hunger and cancer and all that, but seriously, come on. 
And with that, I'll take another question and finish because, yes, I am with the Mossad and I'm going to send squads after you. I do send the squads after them. If you watch the MI6 site, by the way, I just heard it last week, you will actually see that they say, mess with us and we'll mess with you. MI6 people, they're cool. It's not just a newsletter. It's a whole effort of trying to get things done. So contact me. You have my email address. Gadi at certgovayeroge.linuxbox.org. Contact me. Talk to me. We need help. That's it. Thank you. And fucking Dan Kaminsky!