Blake, all right. My name is Adam Bresen. I don't know if you guys have heard me talk before; I've talked the last couple years. I'm talking tonight about Mananimity, which is a web application that I wrote that's GNU GPL, that you guys can download and install on your own and link up with other servers.

So, Mananimity: it's who you don't know. You'll notice there's a little GM at the top of it. That's my new creation. It's called a new mark. It's a free trademark or copyright that you can hand out as long as you distribute it with the application, so everything is free and everything is for you guys this time, as opposed to all the other speakers, who are awful and mean.

To think about: PHP distributed encryption. What does that mean? We're gonna talk about what this application does. It's written in PHP. I'm sure you guys have seen it. I actually talked two years ago on PHP security stuff, so you'll see some of those ideas implemented in here, too.

Think about what is an acceptable level of mass-market encryption. So if you were taking it out to the people, the consumers who are out there, and they're doing their email text, and it's like my boss or your boss or your friend, and they don't really know much about encryption and they want a really easy way to do it, the easiest way would be via the web. And I know that there are other implementations out there for email, like Hushmail and other systems like that, but this is designed to create as many of these servers as independently as possible. Also, to make it easier to log in, you can log in at any server and it will forward you to the right one.

How does the average Joe fingerprint and protect their daily communication? Well, I can tell you how they do that, because my mom protects her emails in the following way: Dear Adam, I was wondering if you would like to go out for lunch today.
I'll pay. Here is my credit card. And then she writes it there, so I can go ahead and make a reservation and get some food to go. I don't think that's right. She's sending her credit card through email, but my mom would love this. In fact, this is just for my mom and all of you.

What are the true benefits? I know, makes your heart warm, makes you cry. You're hungry. What are the true benefits of open source versus major company-owned encryption services? Hushmail is owned out of the country. I think an Israeli company created it originally. I like something that's open source because, as you guys know from looking at Linux and different implementations, everyone gets to go through the files and determine whether there's a security risk or how it could be improved. And part of what we're going to do today, in addition to showing you guys an implementation of it on here, is we're going to talk about ways that we can continue to improve it, if you guys get interested in it. And I hope you are, because by the end of this speech I'm gonna be jumping up and down and waving my hands. This is so exciting.

What percentage of your daily digital communication is sent encrypted? That's an important question. And how do we accelerate the adoption of PHP at the server level currently?
There are about, by estimates, between 1.5 and 3 million PHP websites out there, but it's actually kind of plateaued over the last year; that number hasn't increased. So we'll talk about things like this that can bring that number up high very quickly.

What we're going to talk about (we'll do some questions and answers at the end): we're going to talk about a general discussion of encryption methods, the basics, some of the theories and application for it. We're going to do an introduction to Mananimity, and you guys are going to see in depth how to install Mananimity, and then you're going to actually see a demo also of setting up your own server from scratch. Also, we're going to go in and configure Mananimity. So I divide it into the admin side and the user side, so you guys are going to be the admins and hopefully the users as well. And you'll see how to administer Mananimity and look at reports; it has alerts built in, and tools. And you'll also see how to use Mananimity as a member, and you'll see a demonstration of text encryption and fingerprinting and the extensible nature of it as well. And at the end we'll do a review, a future, and we'll talk about some questions.

Who I am: I've been doing computers for 10-plus years. I guess I look like a nerd, you know, I got that scruffy, scruffy face there. I am looking incredibly disaffected. And I got the cool shirts from Jinx, where I got all that exciting nerd stuff. I've been... I spoke on Palm security... Oh, and by the way, in case anyone was wondering here, I also have achieved the ultimate status symbol: a wonderful, wonderful girlfriend who accepts the fact that I compute for 16 hours a day. I spoke on Palm security in 2000, and in 2001 I spoke about PHP and data mining. We actually talked about some proof of concepts in that for PHP-based port scanners and things like that. Last year I spoke about consumer media protections, and it was actually covered by that same news van that's out there.
I started recommend.com, which is a web community devoted to what you like: connections between movies, TV, books and music, and their human-based reviews. So it's not, as you would think, maybe an algorithm-based site. It's someone telling someone else what they might like. I also started getanygame.com with two other people. We mentioned it last year. Maybe you guys have seen the flyers over in the retail booth. We have some of the retailers helping us out. We rent video games by mail online, and we let you guys send in your old games you don't play and make two dollars every time they rent, so you don't have to get that one-time instant gratification of seven to ten dollars. My, that is a disaffected picture there.

You want answers? Okay, what is an acceptable level of mass-market encryption? 128-bit SSL is standard in the browser and OS. We need fingerprinting, encryption and steganography. We'll go into a definition of what those are if you guys are just getting started; if you have familiarity with it, you can just cover your ears for that part.

How does the average Joe fingerprint and protect their daily communication? Well, they can use Mananimity, which is M for short, for everyone who couldn't figure out my sophisticated scheme of shortening the name Mananimity, from multiple points of access for maximum reliability. What this means is, when you create a Mananimity server, from the admin side you actually register the server. You have to register with an email address. It also has a unique ID, and it's stored in a database at mananimity.com. Then people can actually find Mananimity servers that are close to them. So say you want to log into one in Arizona. You can go ahead and go to the main page, and it has a list of all the servers once they get started, and you can see which ones are up and what types of encryption they offer. It comes with two types of encryption, which we'll get into in a little bit.
I'll discuss some ideas for additional ones.

What are the true benefits of open source versus major company-owned encryption services? Open source is expandable, solid, reliable, free of influence, political, etc. One of the reasons why I designed this so that you guys can just unzip it, click a couple scripts and get it started is so, if you're out of the country, if you're from Mexico or France or Scotland, you could go ahead and start your own server where encryption may or may not be illegal, certain methods of it. In addition to that, the reason that you plug modules into it is because maybe you can use Blowfish, maybe you can use, you know, 1024-bit encryption, but you can't use that in another area of the country or world.

What percentage of your daily digital communication is sent encrypted? The national average is 15%. That's just 15% of all communication. That's web browser communication, email communication. That makes me sad. I'd like to see 50% of it, because there's a lot of important info, like my mom's credit card, out there that you guys can check on.

How do we deem information important? We test it: would a leak cause detrimental effect? I think this is one of the best tests you can apply for how critical information is, and that's, you know, if someone got that, could they do bad, malicious things with it?

How do we accelerate the adoption of PHP at the server level? A lot of high-quality applications that are anywhere-deployable. I listened to some of the other talks here over the last few days, and I know that some of the things like the lunar correspondence protocol, I don't know if you guys sat in on that, they could be implemented via PHP very easily. Then they'd actually be cross-platform instead of having to compile it across. Like, I'm running it on Windows here; I have it running on a Unix server, mananimity.com, and I mean, that's one of the best ways you can do it. You can read the code.
It's C-like and it's easy. PHP that pushes the boundaries and innovates, and PHP that opens new markets and propels the language's development. One of the things I've noticed about the language of PHP is that it has the mcrypt library for encryption, but it doesn't have simple native calls in it, without having to load a library, to do encryption. I wrote my own very simple one; anyone can write their own very simply. I'm going to go over what I did here, but I would like to see, hopefully, propel the language to actually develop some basic two-way encryption in there. There are several one-way encryption schemes in there.

Why use encryption? Well, 40-bit SSL can be cracked by an Intel Pentium 266 in one hour. That's where we're at now, and that's using, I would say, like a medium-speed attack on it. Reduce leaks of competitive company information and reduce liability. There was a talk earlier about gaining corporate information and gleaning corporate information off their websites. I don't know, why would you put up there the name of your vice president, your CEO and your email scheme, so that someone else could grab it?

ITworld.com says encryption provides authentication, integrity and accountability. I like this description of it. We like authentication. We want to remain anonymous. We like integrity, some way to ensure that the information being delivered is being delivered in the original format. And we also like accountability. We'd like to know that only the person you intend to open or read information can.

Unencrypted records can be subpoenaed. This is very interesting. If you do one-way encryption on something, like, we'll say MD5, or if you do two-way encryption, it's much, much harder, because if they go and they get your memo, say you use cut and paste, which is one of the methods here in the simple module I wrote, if someone gets that memo and they can't read it, they have to input it. They have to get access to it.
You could say, I don't know, I don't remember the key, I don't remember what I did. You know, Mananimity is designed not to take your personal information in, so it doesn't actually make you accountable for the encryption that you do. It adds only the accountability on the receiver side.

Maintain file integrity over lossy TCP/IP. One of the things that the lunar correspondence protocol was talking about was how inefficient ICMP is as an actual protocol. I don't know, I find sometimes that I get that zip file that I can't open after someone sent it to me in my email. I like to know that it's the actual file they sent, not been interrupted in the man in the middle, as someone was talking about earlier, doing man-in-the-middle attacks on webs.

Mananimity is easy, with a quick learning curve and more sophisticated features as the expertise grows. It's designed for you guys to decide what you want to offer people if you run your own Mananimity server. So you can start with something simple. I mean, I just use a... in my text encryption module.
It's just byte-shifting. I'm gonna present some ideas that we can go take in a different direction. You guys know that with the GD graphics library for PHP, you could actually use it to read in a graphics file, go byte by byte through it and use steganography on it. You can transform that live.

Key concepts. An algorithm: mathematical formulae used to transform information from its original point. Fingerprinting: representing a file with a one-way key (MD5 is 32 bit) that only the unique makeup of that file would yield. Encryption: replacing information with a new representation of that information, often using an algorithm. Steganography: hiding information almost imperceptibly in a picture or other file. You guys will find at the end, I put some utilities on the Defcon disc to try out some of these tactics.

Geometric transformation, which is what I'll talk about in my own encryption. This is an idea that I've been trying to work with and come up with and try to make as efficient as possible. It's designed to have a quick computation time with, hopefully, a high level of unreadable encryption, and not as susceptible to many of the attacks. Geometric transformation, I'm sorry.
That's a little, that's a little light. Basically, use geometric formulas such as the area of a circle as an algorithm to generate strong, difficult-to-reverse results when encrypting. So some of the routines out there would use, like, factoring to do, you know, prime examples: PGP uses factoring. We would then use common geometric formulas, for example the area of a circle. Given the area of a circle, calculate the dot density of the perimeter. So, you know, you can have a circle with a thousand dots, a million dots, which would be essentially similar to the size of a key. Use the simple dot density value to reverse for the area. The area plus the dot density value gives you a seed, and you send the dot density value via email or you hand it to someone in person. Could be used with other functions and shapes. It could be combined, strung together like a chain. One of the things you'll see with my Mananimity modules here is that you can actually tie them together.

This is the Mananimity logo. It is also a new mark. You guys can use it when you put your own Mananimity servers up. What is it? It's distributed. It's an encryption system with a centralized server list used to link logon information, facilitate searches and alert installations re: updates. One of the things you'll notice is, when we get in the tools section of Mananimity, you'll see that there's an alert section. What it'll actually do is tell you if there's an update for it, new modules available, things that you guys can use.

In terms of running it from the admin side, a question you guys might have that might come up right now is: how anonymous am I? Are they really going to trace it back to me? You basically have to come up with a name for your server and a valid email.
That's it. Go out, get yourself a Yahoo or a Hotmail account.

It's modular: add additional encryption options using secure authenticated delivery as they become available, i.e., steganography for MP3. You'll find that each of the modules that you can get other than the default ones, like, I'm working on a steganography one right now for JPEGs and GIFs, will actually let you guys... you download it, you authorize it by using the MD5, and then you're ready to go. And I hope it's innovative for you guys.

It's designed to bring encryption to everyone by making fingerprinting and encryption accessible without sacrificing the option of more sophisticated features. One of the things that's important about this is that, in addition to giving you guys a free tool, it's something that I really believe in, and it's really exciting. I also want it to be something that everyone can use, because you shouldn't have to have command-line Linux skills and bash to be able to run something.

Key points: you'll find that it's easier to use than existing add-on Windows or Linux apps that compute MD5 hashes. Quick email links provide one-click accessibility of verification.
There's two things you can do with the text. You can send it, so you can send someone a link, or you can save it, and then they can return and use your public PIN code, which you'll see later, to read it or get that MD5 hash.

New methods of encryption, ranging from simple byte-shifting or XOR to complex geometric transformation or Twofish, are immediately usable when you get that module, when that module comes out of beta. When you guys contribute your own modules to it, you'll be able to plug them into any server and anyone will be able to take advantage of them.

Plug-in modules allow deployments to evolve as fingerprinting and encryption methods change. Say that there comes about a significant attack on MD5. Someone's able to reduce the time it takes to go back through an MD5 attack and actually spoof it or something like that. Well, we'll be able to change the module really quickly. You guys will get a little update alert underneath your alerts in your tools section, and you'll be able to download the new module and replace it.

Open source should ensure it's rock solid, smooth and fast. I want nothing more than you guys to come to me and tell me you guys have written your own modules or improved on some of the security of it. You'll see some of the security techniques in a little bit.

What its requirements are: Apache 1.3.x, PHP 4.3.x and MySQL 4.0.x, and mcrypt. mcrypt is actually optional, and I think that a lot of people are going to want to take advantage of mcrypt. It's really hard to use. I mean, even in the latest implementations it requires a lot of effort to get it to work reliably, and there's some differences between Windows and Unix/Linux.
That's why I didn't write it in mcrypt.

Okay, we're gonna start off with installing Mananimity. First step is you download the zip or tar from mananimity.com. You'll find the latest version. It's very important for Apache, PHP and MySQL: before you guys install it, make sure you guys have the latest versions of it. Like, for example, Apache 2.x is experimental with PHP 4. It still doesn't run as fast as Apache 1.3.x. Only turn on PHP options in php.ini that are recommended, that are required; for example, limit the execution time. These are some of the methods that we talked about in one of my last talks to improve the security of your PHP, MySQL and Apache server.

Remove all MySQL user accounts except localhost root and add a strong password. Obviously, I don't know, this always bugged me: MySQL comes with, like, completely open access, so you have to go in and modify the user database in there. And that's something really important before you put a Mananimity server on there, to have a secure server implementation. Set new values for max execution time and memory limit compatible with your hardware, and only open Apache HTTP port 80 through the firewall, and watch Slashdot for recent patches.

Okay, you guys can download and unzip from mananimity.com the latest version of it. I'm gonna post it up tonight after the talk, because I want to get, maybe, if you guys have some input after the talk, I'll be over here for questions, maybe make some quick changes to it and put it up for you. It's compatible with Linux and Windows. It's been tested on both and it's pretty much identical; the tar and zip are identical. Comes with two modules, t-crypt and MD5 finger. Must authorize it, and it uses an MD5 hash for the download, and you get to unpack it. With it, it's built.
It's got the WWW directory structure already in place, so you guys can just lock it underneath home or a protected user account.

Now we have the main file, mconfig.php, options. I actually, in the last couple days, have automated this so you don't have to manually set these options, but we're gonna go over the options that are important to the program anyway. Verify the master server searches matches the M home page. That's hard-coded now. Set the server root to your absolute URL. I used a PHP environment variable, so you guys don't have to do that anymore. Create the MySQL database. This is something you guys have to do. You'll find in the distribution package the SQL structure in a .sql file. You just basically can pop it in with phpMyAdmin or from the command prompt in SQL.

Set the security level. It comes default set to high. I'm gonna talk a little bit about what that means. I recommend leaving it on high, but if that's not something you guys want to do, it's completely up to you. Part of what this does is let you guys create an identity for your own servers and try to get some interest in getting encryption out there to people. Configure the color scheme via hex or word color codes. I actually have this now in a drop-down, which I'm gonna show you guys in the preferences section too.

You're gonna run the test installation tool, what you'll see here, and make changes accordingly to it. Mananimity won't accept logins until the test installation generates zero errors. It does a little self-check. It checks the files, checks to make sure the variables are set, makes sure you've named your server, and then it will actually let it execute. And it does this all the time: every time a script runs, every time someone tries to log into the server.
It's actually running the test installation script. Also run register server after you guys set up your preferences. It will allow you guys to register with the master server. You get a unique ID with your server, and it will also allow you guys to add your installation to it and allow us at mananimity.com to poll for availability for you guys.

All right, now I'm gonna show you guys a demo of configuring Mananimity. Since I have already completed... The magic of the internet.

Okay, this is what Mananimity's home page looks like. We're gonna open up the tools page. You'll find these steps also in a text file inside of it. You log in with your admin email, and it has a default password too, which I recommend, of course, resetting.

Okay, this is what the tools section of Mananimity looks like here. I hope you guys can see it from all angles. Here at the top of the list: your welcome, your email address and things that you have. You'll find your Mananimity server information here, which is your server ID, the name you've given your server, the security level and the email for reference. Mananimity server alerts underneath it.
There are no alerts right now. You'll find reports in there. One of the reports is the module statistics: how many people are using the t-crypt or the MD5 finger or any other modules you guys do. You can also view date range reports, members that have signed up, their information, so you guys can track it. And then at the bottom is preferences.

Underneath preferences you get to set your preferences really quickly. Here you name your server. Well, you name your server at the top; you get to name it once. So you guys know, if you change your server name, if you do a new implementation of it, it will actually show up under a different unique ID on the main mananimity.com website. So basically the old server becomes orphaned, but it's set to actually take servers off the list that aren't active for 24 hours.

We should go ahead and set an obnoxious color scheme. We'll use fuchsia, we'll use, that's like the grossest color ever, lime, and we will use olive.

Okay, you guys can see, after we did this, it actually assigns a unique server ID to you. It leaves the name so you can't change it again, and it actually goes up to... I don't have an internet connection here, and I apologize, they said it's down. But it actually also registers your server at mananimity.com with your server name, your server ID and the available modules that you have. And you could see that the obnoxious color scheme we generated is present here: fuchsia, disgusting olive and lime.

Okay, so what you guys have to make sure to do here is have your Apache, PHP and MySQL in place, download the latest version of Mananimity from mananimity.com, unzip it to your WWW root, configure the options, run the test installation server and the register server, and present the opening screen.

Now we'll get into administering and maintaining Mananimity. That look cool when I do that? How can I be even cooler up here on stage than talking about PHP?
I don't know. Maintaining inter-server relationships. Sometimes my internal monologue comes out.

Why should you maintain internal relations... inter-server relationships? This is a question someone might ask: why, when you have an anonymous PHP-based web application, would you want it to link somewhere? Well, it's really important that you have a list of Mananimity servers. It doesn't reveal information, it doesn't give your email out, it doesn't give anything like that, and the ID can't be solved backwards either. It ensures the universal login via login forwarding, so someone tries to log in at a server that's not there, it actually authenticates it back to mananimity.com, which keeps a list of user names and their registered home servers, and will actually forward you on to the registered home server. So they don't have to worry about that, which might be a point of confusion.

They can have integrated searches. Say they want to find servers in their region by their zip code that have the steganography module in it. They'll see a server list at the M home page, which communicates the server status, popularity and modules.

Don't forget to add your MD5 admin password. Please change that. You know, it's stored MD5, one-way. It doesn't have your password in the database, but you have to change it after registering your server. You can run update server info.
So if you've already done that, if you've already actually added modules or done things like that, it will alert you and tell you that you have to run the update server info tool, and that will register your latest changes at mananimity.com.

You get reports and alerts with it. Some of the statistics calculated in real time include the number of active uses of each module, member signups and volume indicators. Reports include the number and percentage of historical uses of the modules, member detail and database consistency. The alerts are delivered, as you guys saw before, in a task list format in the admin area, and it will highlight unperformed maintenance for you. That's the alert section and updates. Most alerts will have an associated link or action too. So it'll say you haven't set a name for your server yet, or you've added a module and haven't updated your server info, and you'll see a link to that page, that tool.

Adding modules: you can get the latest module list at mananimity.com/mods. You'll also find a link to it in your tools section. Download a module, read the readme text, drop it into the modules directory, and then you use authorize new module. You have to use the MD5, which you get off the website, and you tell it to authenticate the module, and then you're ready to go. It won't run without that, and the reason I did that is so that people can't actually write, say, rogue modules for it that would capture information or something like that. And verify the module availability on the live site, so make sure you guys can get to it. You guys have login names too.

Tools: you'll see customization. One of the things you can do is change the news, which is on the front page.
I'll just give you a simple example of that while we're here. We'll go into the preferences section, go to the news and change it to... Yes, and we'll also change the colors, because that gives me great, great joy.

Okay, so now you've done it. You changed the news, and the news now says my girlfriend is really cute. Change anything you want; it just gives you guys a little bit of flexibility. It's built into it. He got, that's an awful tab color at the top.

All right. You can actually also suspend and deactivate people from it, and you can send them emails. You can also test and register the server, which we talked about. You can authorize a new module: you choose from the list, you enter the auth code that you got off the website (it's an MD5), and you're ready to go. And it will also catalog your server and upload a module list and verify when you use the update server info tool.

Now I'm gonna show you guys some Mananimity stuff: reports, alerts and tools here. Unfortunately I cannot do a download, but I'll show you guys the module, because I don't have a live internet connection here. So I want to make sure to show you guys that.

Okay, so this is a typical module. It has a very simple structure. It has the declarations at the top, it has an initialization string, it has step one and step two. Step one's user input; step two is any kind of processing you need to do on it. And you guys can write your own modules based on these ones, the default ones. I also have a module style sheet that's in the zip file for you guys too. Whoa. And then you'll also see here the module statistics in the reports, and you'll see additional reports as well on the live server.

Okay, from a user perspective, what would someone gain out of using Mananimity?
Well, it's anonymous, in that you only have to use an email address, and there are plenty of free email addresses you can use out there. You get to create your own PIN code. You don't have to enter your personal information, but you can perform anything from simple to complex encryption using the different modules.

From a user perspective, the member accounts link encrypted content to a member profile with account rights. When you set the security level of Mananimity to high, medium or low, you can actually decide whether they have the option to send and save, which is high, or the option to send, save and then email and encrypted too, which is medium. Or you could set it actually to low, and then basically anyone could read anyone's without using a PIN code, which would be kind of silly, but that's there for you.

Member security: the only information required is a valid member name and email, and it is linked to the member's home server. Members can sign up at any Mananimity server. However, their login, encryption, decryption and fingerprinting are only accessible through the home server. That's because they get forwarded to their home server. It's important because you guys have set up the modules and the security and things that you would want. Hopefully you guys can create an identity for each of your servers as well.

Okay, you can set account preferences. Account rights can only be set on a member's home server. After login, members can access preferences from the welcome screen.
You'll see it I'm gonna run you guys through a whole sample of sign up and everything in a little bit preferences include access to services I like this idea that you could basically tell your boss that they can only access In they can only access the text encryption, but they can't do the MTD five because it's too complex for them Preferences also include open closed encryption and fingerprinting access Which we're talking about our in accordance with the security levels and also actually lets people access forums Which is just a simple php bolt-a-mort script Encrypting your email The sample t-crypt module you log into your home server as a user You would choose encrypt text which is straight up from the welcome screen ready to go the welcome screen actually lists all accessible modules to you And then you follow the three steps choose the encryption method you want create or copy paste text in a window choose save or display if save Then em will save your encrypted text with your account for future decryption and present a link to you to retrieve it and decrypt it if it's Said it will present your encrypted text for copy and paste so it's not just for email You guys could actually also use this for lists and other pieces of text information you guys want to save locally In the fingerprinting and when you fingerprint a file which is binary only Log into your home server choose fingerprint a file from the welcome screen follow the three steps to choose your file Enter a unique ID or label Choose fingerprint And we'll present a link used by the file recipient to match the MD5 fingerprint Let me show you guys a demo of signing up and using the text encryption and the fingerprinting. Oh Let me point something out also before we go in here the question might arise for you guys How are the how's the tool section? 
Protected? It's protected using the HTTP authentication built into PHP, so you don't have to rely on setting up .htaccess or anything like that on your Apache server. But say you were to change, say you were to change your email address, because it is HTTP authentication, and you were to change it to Scott at getanygame.com, and you were to change your password. It would immediately expire your HTTP authentication. So although it's been changed, you'd now not be able to re-log on to the tools anymore. When you reset the server there, so now I would actually have to restart my browser to get into it. We don't have to worry. We're gonna go ahead and sign in and use the site. Uh-oh, except we don't want black there. Nothing against black. Okay.

All right, here we go. All right, so you join the website. It's very simple. It lists a masked server ID at the top. This is for their use. I mean, if they really want, they can write down the six characters of the masked server ID. And that's just the server ID on the tools page here that you guys can see. Obviously we don't want to give out the server ID to the user, because then maybe you could spoof it and spoof updates to the main site. It's all kept internally in the tools section and for the administrator's purposes. Your member name: you do a simple member name. We'll use Nancy.
Oh, because easy to remember. And use an email address. Then you get to set up a public PIN, and this public PIN is used, it's a six-digit public PIN number, if you want to give your boss access to decrypt your text. In the link that they see, they actually have to click the link, use your public PIN to get access to it. The link contains a randomly generated session that's just for your encrypted text, and then also, to add to that, because it might be hard to guess, the session is done uniquely, they also have to access your public PIN, which you would trade them in another manner, such as by email, or you could get a list of public PINs to.

We'll go ahead and enter a PIN, enter a password, which is five to 20 letters. You have to say okay, that's great, make me a Mananimity member, and you join the website and you get to the welcome page. So you can see on the welcome page here that it's all set up and ready to go. Get your Mananimity logo, you get the name of your server in the middle when you guys set it up, you get your username on the left, and you get a quick link to Write Us on the right. On the welcome page you also have all the modules that are loaded up in a show mod. So any authorized modules that you have are checked, hashed through and then displayed here very simply. Encrypt text. Why does everyone think hacking is so easy? You click Encrypt Text. It's reasonably quick. It's just doing byte-shifting on it. You can cut and paste your encrypted text. It does it for you right away. It doesn't save it by default.
It's set to send it and not save it, so that people don't mistakenly get all their text saved. You also have the options below, underneath here, to send or save it. If you choose save, I generate a link for someone. You can cut and paste that in your email program, say go ahead, send it out, and they have to come and they have to enter your public PIN to decrypt the text that's there.

The fingerprinting module's doing MD5. It has a one-meg limit so that hopefully you guys won't burden your servers. We will encrypt a packet sniffer. We will choose to send that link. You can cut and paste the MD5. It's computed really quickly. You can also go back to your main page and you could choose to save the link, and then it presents you a unique link where they can come back, use the public PIN, read the MD5 and verify their file. They get a link that says browse to it, and they get it right away.

On the back end of this, to show you guys some of the files and scripts that are used: we have a, see, there's a style sheet used in there to create the standard look for the website, which also is extensible through the preferences. We have the new images in there, the new mark images. Simple plugins for the about page, the FAQ page, the GNU GPL that it's built under. You guys, you'll see on the main, on the main website here, it does full sign-in, sign-out. Everything's built into it. They have a Write Us link, which goes to your admin page. They have an About link, which tells them about the application. They have a FAQ. They have the GNU GPL listed there so that everyone can enjoy that. And then of course they can join and sign in. We'll sign back in. Okay. We sign back into it.

The main PHP scripts are very quick. I mean, the entire, the entire website is actually done in 57k, all right, in PHP.
There's modules in there to manage your members, manage your sessions. It protects against session spoofing, it protects against, it constantly is re-evaluating the user information and setting that up for you guys. You should read through and tell me what you guys think of the scripts. I designed them. There's several. Oh, oh, that's a lot of ice. I just got in there. I designed them for several commercial sites, some of the ones I mentioned before, so they've been out there. They've been proven. Actually it's kind of funny, last year one of the guys who did PHP session hijacking was trying to do it on the website and they didn't succeed. Power to the people. All right. Come on. Let's get a little power to the people. Thank you. Gosh. Am I talking to myself up here? I'm gonna go in the corner and cry now. No, no, I'm not gonna cry. Here we go.

Tools section, very quick here. You set the preference. It does HTTP authentication. All the main pages are set as plugins. There's built-in help with it for those users who need it. This is what you guys get in a zip file: everything underneath here with some configuration information, and also a style sheet for how to write your own modules and submit them.

Okay, so we went over today installing Mananimity, maintaining it, using it from the admin side and the user side, benefits of encryption and fingerprinting, which I'm sure you guys know because you're here. Mananimity's goal: I really want to see something that's flexible for encryption, distributed geographically, and using PHP, and free. In the future, I had some ideas that I thought I'd throw out there.
You guys can help me with them if you want. I'd love to abstract the text and adapt it for other languages, so I'd like to actually take all the text in it and make it a set of variables or one sheet that can go ahead and add everything to it and ready to go. I'd like to do additional modules: steganography, other algorithms that are on the cutting edge, that are new. Again, they're really easy to plug into it. Basically you get an alert that they're available and you plug them in. I'd like to adapt it from the master-slave model to P2P. I'd like for Mananimity servers to discover other Mananimity servers out there and not have to rely on a central mananimity.com interface, even though it doesn't store information. It's just better, because someone tries to shut down one server, if someone tried to shut down the main server, although it does nothing, it doesn't do the encryption or anything else, then it would be, it would kind of orphan all these servers out there. I'd like to do Windows, Linux plugins for major email clients to automatically copy and paste. I'd like to do something with ActiveX or possibly some OLE scripting that would allow us to do it. And I would also like to try to get 100 international servers. I know it's optimistic. I think it's something that you guys can really enjoy and that you will really like, and I know that it's free. You unzip it. You try it out in your PHP, Apache and MySQL server. You'll be ready to go.

In my director, in my directory, which is actually under a Bresin.com, on the, no, I don't know what they did with it. It's my last name at least on there. You'll find this whole presentation. You'll find a link to the Mananimity homepage. You guys will find a couple freeware applications that I think you'll find useful. MaxCrypt, which is a freeware new application that will actually, on Windows, encrypt your hard drive with different encryption schemes. It's really good. It's live. It's very sturdy, very well tested.
You'll find grl real hidden there, which lets you guys do steganography inside of bitmaps. And you'll find cleaner for you guys to clean, erase all files of your hard drive if you want. And these are three really good, solid freeware tools that you guys like. I'd like to open it up to some questions now. And if there aren't many questions, then maybe we'll stop it and we'll go take the talks locally. Question, sir?

Can you repeat that? Is there a mechanism to find Mananimity servers? So if I tell my friend in another country about this, is there a way for him to find the closest one to him?

Yes, whoa, at mananimity.com you can actually, at mananimity.com you'll see a list of servers. But actually if they go there and they type in, they say the country of origin and the zip code if they're in the US, they can get a list of local servers that are active in the last 24 hours too, which almost ensures they'll be up, so that people can make discerning decisions, and also list the modules that are out there on those servers. Does anyone else have any additional questions? Yes, wait, let me come out there because, oh good.

Your goal was a hundred international servers.

Yes.

Now, are you trying to set up some sort of, like an organization, like, or, or can anyone just set up a server and ask to join your little network there?

Yes, actually through mananimity.com, and you guys will find it if I get a chance to update it tonight. It will be updated tomorrow. The files are sitting back in a protected directory. I just have to turn it on. But you'll actually, I'm trying to do, and again, this is all free. This is just something that I want to get out there and get everyone to get into. But mananimity.com also has a forum section and an area, if you want to help develop it, where you can actually sign in and get more information on development, like see the modules that are in beta, test the code, post bugs and things like that. There's a whole forum section on there.
Okay, so we won't have to give up our anonymity to join man.

No, exactly. Like I mentioned before, but that's a really, really important point, is that all you need is a valid email in order to participate in it. I think that, uh, you know, I go out there and I'd like to download software, I have to enter my first name and my last name and my address and my email, and I know everyone here probably lies on it like I do, but it's like, why would you ask for that information so I can demo your software? This is designed to be free software that only ties in with an email address. That's essentially your username for it. Yes, up here. He's bringing the mic for you. I'm a beep box.

If I set up a server, I contain all the keys, correct, on that one server for all my users?

You have the PINs in the database, yes.

So what would keep somebody from setting up a server just to capture data and sniff around and just poke around and see?

It's possible. But one of the things that it gives you the option for is to send or save. So you don't have to save the encrypted text or don't have to save the module's information. One of the reasons I designed it that way is for the exact point you want. Some people aren't going to ever want to save the information into the database. So users are not going to want to save their encrypted text for someone else to get, so instead they can just cut and paste and send it, use another application, and it never touches you.

But couldn't I cache the page that they're looking at that says send, where they're going to copy it?

You mean cache the information?

Well, the page that's presented, that you showed as in the example, that had where they would just, you know, highlight, copy. Couldn't I cache that page that's being displayed to them?
Well, I guess you could have Apache, you can write your own module in Apache to write the data out to, like, a log file or something like that. But all the pages, just as a precaution, were set to no-cache and stuff for the browser's sake. But yeah, I guess you could write a C module to do that, but basically you could write that anywhere. I mean, if someone wanted to go out to a Starbucks homepage and create a rogue module for Apache and load it up and compile it and load it in, then they could capture that data too and have it sent to them. So yeah, it is susceptible. But it's designed to have a reasonable level of precautions against that.

So, well, I guess I was just going to take the question one step further and say, how does this offer any security at all? Because you're, you're trusting everything with a third-party source that you know absolutely nothing about. There's no, there's no trust mechanisms, there's no... If you pick up the list of servers and you say give me the nearest server, you don't know who's running it. You don't know if other people trust it. Why would you go to a third-party software, which this is, and trust somebody there, it's like, with all of your data, when you could just do it yourself?

That's a really good idea, and again, one of the point, two points with that. Number one is it's designed to be more mass market. I mean, it's designed for people who haven't taken advantage of increasing offers no security, and number two, with the no security part, is I like the trust idea.
I think that's something that could be incorporated into the main website. Someone, you know, the user is vouching for the security of that site.

Crypto is all about being paranoid about everything you do. I mean, every single thing in crypto is about developing not just secure algorithms, but secure protocols, so that somebody can't just jump into the system and decide to cheat to, to win. And in this case, anybody can just start up their own server and say, hey, I want some keys, I want to see what people are reading. They don't even have to be maliciously targeting one person. They can just say, I think I'm going to read people's email today. And it's, it's easy to do with this because everything is on that one server. There's no, are there any mechanisms that are in place so that a user, like, doesn't have to trust the server? Is there anything like that in place?

Not yet, and I think it's a really good point. Like I said, I mean, it would be a good idea to build a trust voting system or a way to verify that into the main page, so you could also get a trust rating for the servers. I think that is an important point, I definitely do. You're right, people can go set that up and people could go ahead and capture information. But again, the point about not saving that information: it's set by default not to, and also to actually not store more information about an individual than is necessary on the server itself, or to address those. Well, I think of the trust point again. I think he's just, he's reiterating the fact that, that because there's no trust of the individual running the server yet, you have to take that either for granted or not want to use it because of that, and it's a very, very good point. I totally understand that. I think we should build a trust system into it, and I wrote down a note here, and I will work on that.
We should have everyone else validating that that server is trustworthy or that individual, but I'm sorry Okay, but also It's also important to recognize that this is designed to give you guys The starting point and the tools to kind of increase it and improve it also in the future And I appreciate you guys sitting through my talk very much. I'll be over here if you guys want to ask some questions at the end Thank you guys very much tonight