My name is Brendan O'Connor. There are three major takeaways from this talk. I want you to remember: every single thing that we carry around in our bodies, whether that's the radio to talk to 303 or the i-things we all probably have somewhere, leaks way too much data. At every single level, we as a community have forgotten that privacy, not just security, needs to be a goal. Whoopsie, the goons are annoyed. Always. What did I do? So, in fact, we want to change it up a bit. Raise your hand if this is your first DEF CON attendee. You liars. All right. You. The man knows how to speak up. All right. Get up on stage. I got to get somebody tall to do that. All right. The last guy, by the way, slammed it immediately. So cool your jets. I want to introduce you to 2,500 of my closest friends. All right. So please welcome the brand new first time speaker. Congratulations and up yours. Oh, my God, we have to make those smaller. We're doing this all afternoon, man. Anyway, thank you. God, I love DEF CON. Out the gentleman with the sideburns has left the stage. We've forgotten as a developer community that it's not okay just to protect ourselves and to forget about protecting our users. That is that we spent years and years, many people on the stage of competence that we have to protect ourselves more, the evil haxxors, they are using all of our appzors and pwning all of our boxen. That's true. They have been. It's fun. But we've forgotten that it's also important to protect the privacy and identity data of our users. And it's become somewhat in vogue to dump a huge amount of data into unencrypted data streams that users don't even see or think about in order to ‑‑ I don't really know. It's quite odd, actually. We'll show you some examples of that later. Final takeaway, it's no longer possible to blend into the crowd.
Every person in this room is seeing yet another horrifying action movie where they're not doing a fire sale which apparently a cell phone can hook up to a satellite and reroute the encryption in order to turn off whole power plants. Someone's just going, oh, my God, the bad guy has gone into a mall. We'll never find him. There are 10,000 people there. That doesn't work. And it hasn't worked from the government's perspective for a while. It's been relatively easy. Now it's not going to work for everybody in this room. If you can put together a small computer, you, too, can track everyone in your local mall, steal their identities, find out what the most important information in their lives is, and then use it against them. And we need fundamental changes to fix this at every single layer. We need both technical changes, but we also need cultural ones. It's not okay to request too much data and then to store it. And I say this as someone who's worked on software that's being used by millions of people every single day for financial transactions. We can't leak private data of our clients because our clients are the ones under attack, not just us anymore. If we don't do this, we've lost the only thing that we do better than our adversaries. And the only reason anyone should ever trust a software developer. So why are we doing this? Well, these guys have a lot of information on us, right? Every single day you walk through Rio, there's hundreds or thousands of these cameras. And I was just recently told by my sister, who I thought I trained better, that really security is the government's area. We shouldn't worry when the government does things to secure us because after all, they're the government, they know best. This means two things. One, a lot of people actually believe this, which is a little terrifying. And two, I am a terrible brother.
Not just because I told you this, but because obviously I didn't educate my sister well enough while she was growing up. And now she's a great big doctoral student and it's really a little bit too late. Those of us in this room know that the government is not very good at securing things by means other than throwing them in prison for very long amounts of time. But the government has a near monopoly on surveillance. That's fine, right? The good guys have it. But that's not actually true. When we look at, for instance, Blue Coat boxes found in a whole bunch of countries that are not the good guys, we know that actually we're helping repressive governments. And hey, even after PRISM, even after every leak that's come since the PRISM leaks, I'm still hearing, hey, well, the NSA needs that. I'm sure that's okay, right? It's okay as long as only the government can spy on us. We hear a lot that sunlight is the best disinfectant. A recent study showed that cops wearing sunglass cameras were 88% less likely to commit actions resulting in complaints. And 60% less likely to use force at all. When they did use force, those officers wearing these cameras were consistent in using the least amount of force possible in a situation. This effect was not duplicated, shockingly, on those officers in their forces refusing to wear the cameras. If we can see what's going on, if we can look back at our government, we have the opportunity to make sure it works as efficiently and safely as possible. If not, we are subject to blackmail, extortion and threats. See, for example, Aaron Swartz. So we need sunlight, but we need sunlight quickly. We don't have time to wait for a new dawn. Hey, we know what this photo actually is? What is it? It's the largest nuclear test ever detonated. It's Tsar Bomba. We need to blow up this situation to make it clear to every single developer at every single layer that this is no longer an acceptable use of our private information. So I get called a stalker.
Not this stalker. This is apparently an adorable kitten that is called stalker. I get called this kind of stalker. But we all do creepy work in this room and we do it because the only way to raise the issue of creeping surveillance and loss of privacy is to make it clear that anyone, not just the good guys such as they are, can use this technology for good or evil. CreepyDOL is a distributed sensor network that combines wireless sniffing, distributed command and control, 3D visualization and grenade-style encryption to do real-time personnel tracking and true identity theft on a major urban area in real-time for almost no cost. It is stalking as a service. That's what we're here today to see. There's one complication, though. And that's Weev, or Andrew Auernheimer. The United States government has declared a holy war against legitimate security research. And some of us think that's probably not a good idea. A lot of people in this room don't like Weev very much because he's a troll and he did horrible things and said horrible things about nice people. But it doesn't matter. The thing about criminal law is we don't get multiple bites at this apple. Mighty Casey gets three strikes to strike out. We get one in the Third Circuit and it's pending already. We need to take actions to protect Weev and legitimate security researchers even when they seem like terrible people. Not for them, but for all of us. If everyone in this room isn't going to be in prison by this time next year, we need to start hoping that Weev wins this appeal. Because otherwise, hey, that was only in New Jersey, right? Except that Weev was in Arkansas. They dragged him to New Jersey because they thought they'd get a more favorable hearing. And they were right. Every internet connection goes through every place in the United States. So if we're not going to end up in prison, we better defend Weev. And this affects the way that I do this research. But first is a side note.
I wrote this amicus brief in conjunction with all the people on this list and Alex Muentz down at the bottom, a great hacker lawyer. 13 big security researchers, a lot of people in this room or at this conference, Dan Kaminsky, Matthew Green, professor at Hopkins, Sergey Bratus, a professor at Dartmouth, Jericho, Space Rogue, Mudge. These are people you've heard of. They're people whose work you should be supporting even if you think you don't like Weev. This affects every one of us, whether we're DARPA program managers, professors or itinerant hackers. And in the meantime, we have a chilling effect because we cannot trust legal actions to not be prosecuted anyway. Therefore, CreepyDOL has not been tested on a whole city because even though every court in the United States has consistently said that wireless sniffing is A-OK, it's the same as sitting in a coffee shop and hearing the guy next to you talk too loudly on his cell phone about raising his next round of venture capital funding, which happens way too often, we can't rely as a community on the government not prosecuting hackers for legal actions. I leave the next step of world domination to a braver researcher. Since I'm a law student, we have an extremely serious disclaimer. One more second to let you all read it. Are good enough? This disclaimer is not intended to be ironic. So let's talk about DARPA Cyber Fast Track. CreepyDOL is not CFT work. I've had to make this extremely clear to a few people. DARPA tries very hard not to build stuff that creeps people out because they've had a bit of a PR problem in the last couple of decades. But two CFT contracts did let me build two of the core systems, the Reticle system which is the distributed command and control layer and the visualization system for reasons that are not likely to become clear at the moment called NOM. So thanks, Mudge, if he's here and wear those green t-shirts with his face on them with pride. This is the brief road map.
First let's talk about the goals we have for this project. First we want to see how much we can extract from passive-only wireless. That means I don't want to do man in the middle, partially because I don't want to go to the bad kind of federal prison, but partially because design constraints help us become creative. And it turns out that doing the active attacks like the Pineapple Jasager attack aren't necessary. We can do this without them. As soon as the device turns on that has wireless, it sends out a list of their known networks, all of their known networks for years in the past sometimes, every couple seconds, even when it's connected to a known network. As soon as the device thinks it's connected to Wi-Fi, all of its background sync services will kick off again. That means Dropbox, that means iMessage, everything. And a lot of those, as they're establishing the SSL connections, we get a lot of cool data from. And because we're sensing in places like coffee shops that have public Wi-Fi, that means we get a lot of cool data pretty often. Over unencrypted Wi-Fi, all the data sent by a device is of course exposed, that's what we mean by unencrypted, which means that we can see everything they're talking about. Sometimes they're talking over SSL, which means that the core data is in theory encrypted. But it turns out that again, lazy developers, that is us, have been leaking all of this cool data outside the SSL envelope, and I don't know why. But especially as they set it up, or as we look at things outside the envelope, we're going to see a lot of neat data. And the cool part about this is because we have a really awesome primary key, we can just sit and wait.
So maybe you make one small identity mistake in one cafe, maybe halfway around the world as long as I'm in multiple places with my little boxes, I drop another box, and maybe you make another small identity mistake, and I start to build up a profile of who you are, where you are, because I distribute them, and I know that, hey, Wi-Fi is not that long range. So if I can hear you, you're probably almost on top of me. And then finally, once we get one to ten to a hundred sensors spread out over an area, we have time and place analysis. That means I know your patterns, I know your practice. I know what things are important to you. And if I really want to blackmail you, I will eventually find whatever it is that's most important to you and that you most don't want exposed. This is what we mean when we say knowledge is power, right? Pretty sure that's what I learned in school. Our second goal is large-scale sensing without any centralized communications. It's really easy to just say, for instance, I'll go to Verizon and buy ten USB sticks. The problem is that it's twofold. One of them is that it's really, really expensive. And these days, I'm a law student, and when you go to your law school and you say hello there, I would like to apply for a grant for my research. Yes, what is your research? Oh, I'm doing distributed sensor networks so that I can spy on people. They back away slowly and then call your dean. My dean is a wonderful woman. I will do the favor of not mentioning her name on stage, but suffice it to say, they're not going to fund my work any time soon. So it needs to be cheaper than just Verizon. The other reason we're not going to do Verizon or any other cell provider is that it provides the bad men with guns, my standard adversary, a way to figure out what to do with the device. Read the ID off the back of the device and say, ah, yes, Verizon. Dear Verizon, who has this device?
We would like very much to throw him in Guantanamo, signed United States government. The major telecom providers all have whole offices dedicated to responding to exactly this kind of query. So we're not going to have any centralized communications at all so that they can't track us and also so that there's not one single point of control. They work a lot like Reticle does. Finally, we have a third goal which is intelligibility. The NSA slides make Tufte cry. It's a very sad thing. What we want is intelligibility on this large scale sensor data so we can prove to people this is a problem. It's the difference between writing a zero day and writing a zero day in Metasploit. When every script kiddie sitting down in the basement can stalk his entire city, maybe we'll see some improvement on this one. Let's talk a little bit about background, just a couple slides. One, I'd like to pour one out for all the academic sensor network people everywhere. This works kind of like a sensor network but not exactly because mostly sensor networks are these ultra-low power, beautiful little devices. They work exquisitely. They do wonderful research with them. And they sacrifice everything else to get there. They work in horrible languages and if you've never heard of it, look it up. It's terrifying. But they especially sacrifice cost. Academic sensors cost upwards of $600 a piece. Each. So that's not good. I want something that I can write in a real language that preferably runs Linux. Debian would be nice. And I want it at least an order of magnitude cheaper. And also background, large scale surveillance. I swear my intelligence community has solved all of the problems involved in CreepyDOL before me and they should be cited as prior art which I'll be happy to do as soon as they publish their results. So thank you, Edward Snowden. You have made it possible for me to give proper academic style due credit to the people who most deserve it.
And pour one out for the poor guys at the NSA because a lot of this stuff is really hard and there's a lot of little stuff. This is F-BOMB version one. F-BOMB stands for the falling or ballistically launched object that makes back doors. It's a terribly tortured acronym because I used to work for DARPA and they love terribly tortured acronyms. I originally presented this at ShmooCon 2012. At the time this was based on the Marvell Sheeva board, the same thing that is inside the Pwn Plug. But this board actually comes out of a thing called a Pogoplug and if this model failed I could buy hundreds of things on Amazon for 25 bucks, a quarter of the cost of the dev board. So that was very nice. I'd like to thank Pogoplug for their contributions to my research. The other thing is that it fits inside a carbon monoxide detector. How many of you guys have recently checked your carbon monoxide detector to make sure they weren't working for me? And this is the old box. This little box holds a whole lot of good hardware. It holds a Raspberry Pi, Model A for those of you into those such things because every hacker needs a Raspberry Pi or ten of them. I actually would like to apologize to the Raspberry Pi enthusiasts. I actually bought 10% of the U.S. supply of the first round of Model A's because I didn't know they were only going to bring 100 in the United States. So I'm very surprised. There are two tiny Wi-Fi dongles. There's a small SIM card. There's a USB hub. And there's one of those awesome power adapters you can get on eBay for about three bucks that look like Apple power adapters but occasionally electrocute people. This just happened last week and Apple released a thing saying only buy original Apple. Thanks guys. But they cost 25 bucks. So three bucks is better and hey, I plugged them into other devices. Why two Wi-Fi? Because again, I don't want to bring centralized communications. Instead I'm going to use all of your centralized communications.
We connect to local Wi-Fi. But Brendan, in this magical place where you live, is there municipal Wi-Fi that actually works? No. There's municipal Wi-Fi that doesn't work, which is kind of typical. But there's a lot of coffee shops and bars and every random dive bar has multiple agreements that make your embedded code sad. So I wrote a library called PortalSmash. It clicks on buttons so you don't have to. It's available on GitHub right now. And again, thank you, DARPA. Let's talk about the middleware now. We're building from the bottom up. We talked about hardware. Now we're going to talk about the middle layer called Reticle. It's the first of the two DARPA CFT contracts I mentioned. I made a whole presentation on this last year. There has been a full rewrite since then. They still work the same way, but there's not nearly so many swear words in it and occasionally it doesn't break because my cat stepped on my keyboard. Each Reticle node runs CouchDB, which is a NoSQL database, which works very nicely, plus Nginx, which lets nodes combine into what I call a contagion network, somewhat different than a normal peer-to-peer network because it lets nodes exchange data to every other node. This means we can do data exfiltration as quickly as possible to as many nodes as possible in the hope that we get the data out before the bad men with guns shoot the box. To make reverse engineering of a node much easier, you can use the key that contains the full disk encryption key. It reads the key, stores it in volatile memory only. Then you pull the pin out and you throw it at your adversary, preferably not at their head. Once you've done that, unless somebody actually runs cold boot on it, then you're pretty good. If you pull it out from power, you lose the encryption keys. As for cold boot people, dump liquid nitrogen on everything, I would love your house.
For the rest of you, as soon as we've gotten every person in society to dump liquid nitrogen on everything in their house, we have won and we can all go to 303's party. CreepyDOL is just a mission that Reticle runs. They all talk to each other over Tor hidden services and as mentioned before, they all do this contagion network thing. As well. It's a CreepyDOL, right? It should be fairly simple. One underlying principle is we're going to do as much computation as possible on the edges of the networks, that is, on these little boxes. They're not very powerful, but they're not bad. They got 256 RAM, we don't need that much for CouchDB. They work fairly efficiently. And the reason we do that is to be nice to Tor. Tor, for those of you who don't know, is usually full PCAPs home, partially because it's rude to Tor and partially because we're taking coffee shops' bandwidth and the guy who's trying to download warez in the corner because no one will track him in a coffee shop will get annoyed at us. So we're going to do distributed querying for distributed data. We process all of the data on the nodes, the PCAPs we save. We get as much actionable intelligence out of them as possible and we just send that home. We never send the PCAPs or we can do really awesome types of questions like where do you usually go for coffee at 8 o'clock in the morning or for those of us in this room, where do you usually go for coffee at about 3 o'clock in the afternoon once you've dragged your butt out of bed? We do these things on the centralized node because even though the distributed nodes have a lot of distributed data, they don't have a hard drive storage. They only got 8 gigs a piece. So we want to be able to distribute as fast as possible. Once it's propagated, we delete it, free up hard drive space, and then we have a centralized point of visualization only. It's not the command and control networks, it's just the place we plug our Xbox into.
And I'm serious with the Xbox thing. We'll talk in a minute. The way we extract this actionable intelligence is called NOM for nosiness organization and mining and because it's hilarious. Let's talk first about, oh, the observation filters. And they're per application, that means they take in a PCAP and they say, okay, this PCAP is from Dropbox. Flip to the Dropbox filter. Okay. From Dropbox, we can extract the fact, oh, we can only extract that they use Dropbox. That's something good to know. There's another filter that processes Apple iMessage. Look at the last line of this. This is obviously just a screenshot from Wireshark. There's a lot more data there than they should be having outside the nice version. I know exactly what version of iPad I have, which luckily I knew, but if you didn't, that would be useful. I know exactly what version of iOS they're running, which if it's not the newest version means you know exactly which vulnerabilities it has and how to exploit it remotely. And in case I wasn't sure enough, I've got the exact build number as well. In addition to the fact that they're using iMessage, that's a lot of data immediately, right? And this is from one service. They take about five minutes each. It's not very hard. Just look for anything outside the envelope. And the idea is that we build up little tiny bits of identity information and coalesce them over time into CouchDB into one summarized identity. So we get a little bit from iMessage. We get a little bit from Dropbox. We get a little bit from your feed reader. How many of you guys still use a feed reader after Google Reader collapsed? About a third of you, watch the stuff over the wire to make sure it was secure as Google Reader. Nobody. Yeah. Turns out a lot of the ones that I actually personally switched to and the ones I still use transmit everything in the clear.
And weirdly, they transmit my real name and my email address in the clear in addition to an authentication cookie because I've never heard of Firesheep because a lot of this stuff got spun up really, really fast as Google Reader was dying. Which means we can get a lot of data. We can get even funnier and you are disgusting. So back to the NOM filters. Two other things in NOM, right? There's the nosiness filters and the mining filters. Nosiness take little bits of data and they submit it to things like online directory services that look for every account with that user name, that email address usually. So you can submit it to a service. It checks the forgot password forms of 200 different websites and even though we've been screaming about the forgot password vulnerability for years, so now I know every service where you use. And of course, if I were a criminal, a terrible person, I could then break into those services and take all of your stuff. Turns out I can do even funnier things and still be more or less within the law. Finally, there's mining nodes and this is where we do the big data. We only run the M type queries in the back end. This is where we start doing pattern and practice. And I mentioned before where do they go for coffee and do they go for coffee every day. That's one thing. We can do cooler things. The device that moves around the city, I see it everywhere, it goes here, it goes yon. That's great. What if I see another device that only exists sometimes? Every time it exists, it's in the same location as the first device that I saw. So what happens is the first device goes somewhere, it stops moving, a second device suddenly turns on, works for a while, then the device turns off and I don't see it again, and then the device moves out. That's what we call a laptop being used as a mobile phone. Once I've seen that for a little while, a little bit of data mining, a little bit of fuzzy math, suddenly I've got one profile instead of two.
So even if you thought, oh, hey, my mobile phone is trackable, but I only do my creepy OkCupid stuff on my laptop where I get really freaky, that's okay, right? Because Brendan will never see me. Wrongo. Now I know it's all you and I've seen the shops you go to and I for one am terrified. I didn't know you could buy them that big. On the side of the screens, a few different nodes, they're all connected to every other node is the basic idea. They go to one node I mentioned before, the sync node. The idea of the sync node is just another node that still participates in propagation, but it's not usually encased in one of these boxes, I usually run it in a virtual machine. Its job in life is to pull data off of the wire and send the delete commands to free up the hard drive space on all the other nodes and then store it in another node. This is called Shark and Shark is actually an all-in-memory derivative of the Hadoop Hive project which means I can store really big things like when I had 600 gigabytes of packet captures I could throw them in Shark and do deep queries on them. I store the rest of the stuff in CouchDB which lets me run really fast queries. I combine them together using a Ruby script which is just a Ruby web server which does translation from the Shark format into a much saner JSON format. Finally I run them into a visualization and you can see down in parentheses there if you see it, it's running Unity. That's right, I built a video game. It's my first video game so it's not very pretty but all of my little space aliens are real people which makes it much happier. Finally I pull data because I'm getting GPS location I might as well pull data from CloudMade, a nice OpenStreetMap provider. So let's talk about that. It's also called NOM, it's a whole other thing. Use the Unity game engine. Two notes, one that's a great toy who's never played with the game engine.
Unity is free for indie developers so go ahead and try it, it's cool what you can learn. The second note, JavaScript as extended by a proprietary games manufacturer then compiled into the .NET common language runtime with a bunch of C# and interpreted by Mono on an iPhone is a horrible debugging platform. Oh, my God. You've never seen weird JavaScript errors until you've seen them as interpreted by four other languages in the middle. But the advantage is it works really well at the end of the day. The guys at Unity really know their stuff and this is the cool part about using pre-written game engines. If you've ever tried to write your own visualization you spend three months trying to draw a box on the screen in the right place and then you spend the extra two weeks before your DEF CON talk just works. You just say put this here and it works really well. You've got one simple translation between latitude and longitude and your internal world coordinates and then it runs on an iPad which I love or runs on Windows, Linux, Android, Wii or Xbox 360. I've never written a security tool for Xbox 360 that can pass the developer certification but Unity will which is quite fun. Part of the side effect of this is you said wait Brendan you said 600 gigs of Xbox 360. I don't. That's why we have the servers that I mentioned in the last slide. They do all the heavy query lifting so that you can just run this on an iPad and don't have to do any of the heavy processing. They talk to each other because I love irony over unencrypted HTTP. So we're going to have a demo video and you can watch closely. You can almost see the creepy take place at a real time. But before we do that, whoopsie before we do that as I was saying attention. So we can't spy on everybody in the city which I hate. This doesn't mean we can't do valid testing but if we just stalk me, if I stalk myself in essence, what this means is we only get to see me.
So you're going to see a lot of dots on the next screen that represent me in different places. Imagine if instead there were 100,000 dots and I've tested up to that many nodes using generated data or data out of academic sources that have been anonymized. It works incredibly well and I never collected any random stranger at any time because even though it's apparently legal, we can't be sure of anything anymore until somebody smacks down the Third Circuit. So let's watch it. First we do powered by Unity. I'm sure this is not the press release they were expecting to see. And it should be running here. I hope it's running. It's not running on my screen. Is it running? Okay. So you're going to see a few things but I'm not going to say them exactly time. First you'll see the dot move is zooming in and zooming out. Basically it works like StarCraft. Then you'll see I draw a box zoom across it, again just like StarCraft and that zooms the data in and zooms the map in. You can hover over different nodes to see just how many times I saw them or how many nodes are in about the same room at the same time and their MAC addresses. At the end, and please tell me when this happens, you can click on one node and then you see everything in the world. So yeah, real name and email address from a Google readers fault. Photo from an online dating site whose name we're not going to say because I've heard they have angry lawyers even though they haven't heard of Firesheep. All the rest of the data from all the rest of the different sources. You can see that they use iMessage so we know what kind of device this was. You can see that they use log again which is a commercial, basically it's a replacement for every screen sharing site. And we have all this great data. We even have the things it is so I can make sure that my sensors are appropriately placed. They're actually helping me calibrate my own network. It's awesome. So let's talk about future work.
Well, the first thing is what other applications could we do besides being decidedly creepy, Brendan? Well, one, we can do counter infiltration. Those of you who participated or even read the news about the Occupy Wall Street and Occupy Everything Else movements have noticed that a lot of times a group, then suddenly somebody throws a rock and then the mysterious stranger is gone. It's amazing how effectively this works. You can use CreepyDOL for counter infiltration though because you just set an alarm. Say, hey, if anybody new shows up in this area, scream bloody murder. So whenever the bloody murder, bloody murder alarm goes off, everybody knows look for the one guy with the BlackBerry. He's the Fed. You can also use this with apologies to the grugq for operational security training. Hey, if I throw these over a whole network and I just look for devices that I know my agents are carrying, how much data are they leaking? How terrified should I be? Here's a hint, really terrified. And you don't need to control every network an agent accesses. If you're a corporation with a very loose sense of ethics who wants to make absolutely sure that when your employees go home they're not leaking trade secrets, just spread these over the whole town where they live. You'll know it. So we'll have actual operational security through the complete and total invasion of privacy. The thing is this is the trade off that we've suddenly come to live with. I'm not sure why we've done this. We've just accepted that we have no choice of the matter, that our devices are going to continue to leak increasing amounts of data, that Mark Zuckerberg is going to be able to go on CNN and say, well, privacy is dead. I don't know why anyone would want privacy. Here's one privacy so that I don't want you going into, for instance, a bar, a singles bar that your wife doesn't know about.
Not just because, oh, my God, you cheated on your wife, but because if I stalk a whole area, let's say, for instance, since I live six blocks from the state capital, I stalk a couple blocks around the state capital, I don't need any particular person to do anything wrong. I just need one person to do something wrong. And then I get maybe a small change to this for a very long time, right? This is what we call surveillance and creepiness. Here's the difference. I'd have to pay a whole team of surveillance agents 24 hours a day to watch Senator So-and-so until he does something really stupid. I can throw a few of these around. They're 57 bucks apiece. So for the cost of a really expensive dinner here and actually kind of a medium expensive dinner here in Vegas, I can throw 10 or 20 of these things around and just find the first person to do a weird sex life or just something they don't want everyone in the world to know, except for Anthony Weiner because apparently he's invulnerable. Everybody else, however, is going to have an issue. You can also use this for evidence logging, any kind of fast moving scenario like protests and rallies. There's a real problem with the accidental destruction of electronic evidence during crackdowns. It's very hard to know who is in a kettle when the cops lock you all in and then you're safe from the jails. Since CreepyDOL uses a contagion network, you could easily strap one of these to your belt, have it scan all of your friends continuously and transmit that off-site immediately. You're constantly offloading and exfiltrating your data so that you always know where your friends are, which on the one hand they lose a little bit of privacy. On the other hand, maybe they don't spend two more weeks in jail than they needed to. And again, unless an adversary already knows what this is going to do, they're going to get off in exactly the right way to allow them to do a cold boot. 
So again, unless they're just throwing liquid nitrogen onto random protesters, which even like, you know, in Madison we had a cop kill a kid walking while drunk, which is also known as being in college. But even they're not just splashing liquid nitrogen around. We're probably pretty safe from cold boot attacks for a very long time, and that means that we get all the things that we can scale up. The fastest and easiest way is to shard our contagion networks. Because contagion networks aren't connecting to each other directly over RF, they're all connecting to each other over their local coffee shops' Wi-Fi, we can shard a contagion network by having 20 nodes in 20 random places and have five or six overlaid networks that don't actually need to connect to each other in any physical way. This means we can do geographical distribution really efficiently with this. Because, yeah, when that happens, you know, probably about 50 or 60 nodes, if you've got a well-traveled area, then you probably want to start splitting up your contagion networks. Each network then just has one dataset node. They can all throw it into the same visualization. The visualization is good to a couple terabytes at least, more if you've got better RAM. As I mentioned, scaling the backend isn't hard, especially because there's a great script for Shark that lets you run on an Amazon EC2, right? That means that, yes, you can just be here to help us. There's CouchDB servers as well. They even run GeoCouch, which is a modification of CouchDB that I'm using for this. It works really efficiently. The visualization is a little bit harder in that there's a limit to how many nodes. A couple thousand I can draw simultaneously. But, luckily, there are hundreds of books by game developers, for other game developers that they don't check your game developer cred at the door in order to buy. 
They tell us how to do these things like grouping, which I'm already doing if you saw the black nodes versus white nodes, groups versus single nodes. We can do things like a limited field of view or a limited distance of view. The standard things you see in every FPS game, you can't see the entire way to the moon. This allows us to scale the visualization pretty much as far as we need. OpenStreetMap, of course, goes everywhere in the world. You can stalk a whole country at once for just probably 10, 20, like an investment. Won't someone think of the children? And everything they're doing? Every day? If you are, you're a bad person. Finally, we can add a lot of stuff to this. How many of you guys have played with software-defined radio since the RTL-SDR came out? Quite a few people actually for just kind of a random question. There's these 10 to 20 dollar dongles you can buy on eBay that allow you to sniff from about on this one I think about 75 MHz up to a couple gigahertz. That means you can listen to any wireless protocol, not just Wi-Fi, for not a huge additional investment. Put a tiny antenna in, but hey, we're already talking about tiny antennas. It's a tiny box. So at that point you can listen to anything, whether that's stalking the goons for fun and frivolity until you get thrown in the pool or messing with restaurant pagers or anything else you can think of with an encrypted Wi-Fi, that's obviously trivial to do with tools like Reaver or the other awesome attacks on wireless security, that just gives us more ways to connect home. And at the end of the day, if you're stalking in a city, you don't really need it, but it's something to keep in mind. Finally, of course, we could do active attacks like the Jasager or Wi-Fi Pineapple attack to make sure that wireless devices connect to us and run a full man-in-the-middle attack. We don't have to, and frankly it makes us a huge man in Mac address. 
And I'm definitely 6,000 miles from my home access point, which it says I'm connected to. But we could run it. You could be more subtle with modifying that software. So something to think about. So finally, let's talk about mitigation. The problem is we have to sacrifice the things we love in order to mitigate this. Yes, it's a Bible joke. The leaks are unfortunately at every single level of the entire stack. I do mean every single layer. At the bottom layer, the IEEE has said that beaconing your list of all known networks every second or two is an acceptable way to behave in a crowded noise space. That's a terrible idea, right? But that's in the protocol. We can't ignore the protocol. That would be a bad thing. The IEEE will send out their engineering thugs to hurt us. They have to fix this. But unfortunately, we've said it's so convenient to walk near my phone without having to turn on my phone. It can automatically connect to iMessage and download all of my new messages. Some of them won't be from Anthony Weiner, I'm sure. But the IEEE is not going to be able to promulgate a new protocol to device manufacturers. Hey, it's going to be less convenient and your customers will hate it, but you should really use this because it's more secure. Next. There's also a problem at the operating system level. A lot of systems, and I'm going to pick on Apple here because that's what I use, won't enforce VPNs. What that means is that when I connect to a new Wi-Fi on a laptop, I can have a setting that says turn on the VPN before you allow any packets to go. That is not possible to do on iOS. Which means that you always have those first few messages. And those first few messages are rich with data because before the encryption has been set up, they're already transmitting information. And so the OS too needs to be protected. And finally, again, we have to change the culture. We as developers can't be collecting random data. 
I found, for instance, an online shopping application that for some reason transmits my location in real time. It's not Groupon, right? It's not something that actually involves my location. They just want to know so they can serve me targeted ads. And they serve all their money. And nobody should know. Nobody should have unencrypted access to how much that new pair of Manolo Blahnik shoes costs. But for some reason, everyone in the world should have unencrypted access to what OS I'm running and where exactly I am in the world. That's a pretty weird trade-off. And it's our fault because we've forgotten to protect our users in addition to protecting our servers. This is everyone's fault. And so no one's going to take responsibility for us, right? The status quo, right? The status is not quo. Those of you who like Dr. Horrible, we cannot tolerate this level of privacy leakers. There's one Dr. Horrible fan. As consumers, we need to demand better. And as developers, we have a responsibility to the world to do better. One final digression. At ShmooCon 2013, there was a pretty heated panel about the interaction between academics and researchers. I've actually split it up. I have an academic degree in computer science. I'm doing an academic degree in law these days. But I'm also just a hacker without any academic support most of my time. We need to be able to have a way for the two communities to work together. And part of that needs to be that hackers need to find a way, anyway, to stop repeating the same mistakes over and over. Everybody who's done a long-term research project or development project in the past, didn't find it. So a couple days ago, on Tuesday, we launched Hark, a Kickstarter for Hark. Hark is going to be a new hacker archive that anyone can publish to. And they can publish whether it's a couple tweets, a blog post, or a formal academic paper. We're going to have mentors who can help you take your work to the next level. 
Or the next level for you is a new BSides or it's the USENIX WOOT conference, which is going to be a new market archive so that people know that if they publish their work here, it will live beyond their own time. Which, especially as we start losing hackers left and right, is going to be a very important thing. We want to be able to fail better. In order to do that, we need your help. It's at thehark.net. There's a Kickstarter you can contribute to. Finally, thank you to all those who are asked for comments, also I'm finishing law school in 10 more months. And I don't really know what I'm going to do next. If you have an idea that you'd like me to do in about 10 more months, drop me an email. This is right on the slide. And finally, seriously, we want to be able to fail better and to make hackers', not just academics', work live forever. If you too want to believe in immortality, go to thehark.net and join us. Thanks very much. About two minutes for questions. So if I can take some of those cameras, you certainly could do that. This is kind of the minimum viable creepy? Yeah. Repeat the question, is that what you're saying? Yeah, okay. The question was, why don't I integrate cameras? So you can do IP cameras and stalk from IP cameras. That would totally work. You just need a new application-specific parser, one of the O parsers. You could also integrate a camera directly into the device, which would be cool, but it costs another 20 bucks per hour. One other question? Yeah. Right. So the question was, have I used Unity's client server architecture to do the networking, especially between independent hackers? I haven't. The reason is it's not incredibly flexible if you're not actually building a game. That said, the way to link them up would actually be one layer beforehand by everybody dumping into the same shared CouchDB and tagging. It would be essentially the sharding of the contagion network's work. So that comes off stage in about 30 seconds. 
Thanks very much.