Welcome to the annual DEF CON convention. This meeting was held in exciting Las Vegas, Nevada from July 9th through the 11th, 1999. This is video tape number 16, Fear and Loathing in Cyberspace: The Art and Science of Enemy Profiling.
This is Angus. Angus is cool. You're doing this because JP sucks, right?
I'm going to try to be a little more concerned about some of the things that are happening in the last couple of weeks. We actually were going to speak on something else. DT was kind enough to let us change the subject at the last minute. I haven't seen him today, but also thanks for getting us in today so that maybe we can generate some dialogue on the subject. We were actually scheduled for the last session on Sunday. I don't know how many of you were staying until then, but you might not have seen us. So I really appreciate that. Dark Tangent, wherever you are, and obviously for holding the conference.
Okay, I guess we're going to start it now. The subject today is Fear and Loathing in Cyberspace: The Art and Science of Enemy Profiling. I heard there were some comments in some of the other sessions; unfortunately I didn't see them. Questioning the utility of enemy profiling, at least as it stands today. I think that's good. We want to get a dialogue going, so without further ado.
Angus Blitter. I'm a hacker. Okay, my guidance counselor told me I could be wrong. I belong to a little computer club called Hackset Clan. We pretty much were private. We're certainly not releasing a lot of exploits. We keep a lot of that shit to ourselves. However, we are trying to get involved in the community and present some hopefully fun topics. And our topic today is profiling. I'm here to talk about, I'm going to try to talk about where it stands today, and hopefully where it can go in the future and what utility it can bring to bear. And I'm also here to solicit your help.
We're actually opening some things up to the world, but I think it's the people in this room and people like you that we're really trying to reach. Because for various reasons you'll hear as we present.
Okay, let's start off. What is profiling and what is profiling not? What it is? Well, that's what it is. Classification system. Peace. It is a classification system, much like, you know, when you identify somebody, they're a hermaphrodite or they're a homosexual, a heterosexual, those are characteristics. They have blonde hair, blue eyes. It's a classification system, mollusks, things like that. That's its goal, that's what it is today.
There seems to be general consensus that it's something that's needed. Okay, at least people think they need it because they are spending lots of money with people trying to develop it. And this is a fact and we can get you all the government research solicitations that are out there to prove that. We also believe that it's something that's needed. We believe that currently anybody who is effectively using profiling is more of an artist than a scientist, okay? I think there's a lot of us out there, if we're looking at log files, if we see networks coming out of an attack or a probe, or if our phone's starting to click and we think somebody's listening to our calls, we actually go through an internal process of trying to classify, you know, who this is. Anybody who's effective at it, it seems that it's more of an art. It's intuitive. I know it's this guy that I, you know, stole his girlfriend or, you know, his car, he hasn't forgiven me. So we go through that process. So there's some latent skills available to all of us there.
But it is not. It's not a silver bullet. Like every initiative out there, I think we've gone through, was it phase one, firewall mania? Now there are appliances. Was it last year's technology du jour, intrusion detection? Okay, how many went out in Baltimore? Okay, I downloaded it.
We're all looking for a silver bullet because, as I think the session before talked about, there's not enough education out there. The people that notice stuff or don't have time or patience to deal with some of the new people that are coming online. And quite frankly, we don't think that the education out there is really up to snuff. So they look for a silver bullet and it's shrink-wrapped on a shelf. We can buy it. Hey, let's do it. Let's order a million of them.
It's not real time. What we're going to talk about is the need for real-time decision support. To me, profiling is a component of a total system. And it's only good for me if it is in real time. I'm not really concerned about going out and arresting somebody or taking retribution as much as making split decisions in real time to protect my assets.
We want to turn it into more science. We really think it's not a science now. I'm sure there will be people that argue with me on that and we'll open that up here for that. But I don't think that it is a science and we're just striving to make it more of a science.
Well, who's doing it? Everybody's doing it. There's been some things recently in the news that I'll talk about concerning New Jersey state police. Anybody heard of this? Am I from the East Coast? And how they're doing using profiling techniques to pull people over? Lots of controversy. We have some stuff that's going on right now. Anybody live in Colorado at school shooting? And it's like, why didn't you stop this? Profiling, profiling. We've heard that a lot of different places. Maybe those are fads. Maybe that's something that's going to start happening.
But we really see insurance companies, excuse me, insurance agencies, they're real good at it. They can tell you what the percentage of plus or minus 5% when you're going to die. Possibly how you're going to die. Heart attack. They have to. That's their business. Credit card companies also.
Anybody have an experience where you tried to buy something outside of your normal buying patterns and you had to actually call? That's because you got flagged in the computer. It said, hey, this is out of this person's buying profile. We should be concerned, especially since it's a monetary value above what we would like to lose. Credit card companies and banks don't want to lose any money.
Airlines. This is one that's been in the news lately, especially with the second wave. I came up through the Reagan era and the war on drugs. Now we're in a war on information and actually rights, I think. We want to take all our rights away. The airlines are engaging in profiling for terrorism. At least that's what they're saying. They know people come up and pay with cash, buy their ticket to less checking, odd-sized packages. They're more of this and they're spending lots of money.
If you want to know who's doing what and who's really dedicated to it, any public companies or any government companies through the Freedom of Information Act, find out where they're spending their money. That's the key. If you want to know what the next big technology push is going to be in the security realm, look at the government solicitations for research. You will see it. Intrusion detection, firewalls, all that stuff are in those documents and they're usually typically a year or two years ahead of schedule. And you figure if you develop it, you'll have a ready customer.
Financial verticals, banks. Banks like to do profiling and also trading companies like to do profiling because they use that information to try to ascertain where they should put their investments. Criminal psychologists or friends of science, a la Hannibal Lecter, these are the guys that try to go out and catch, figure out who the next victim's going to be in a mass murder or some kind of serial killer.
Also in forensic sciences, we collect evidence and try to figure out, you know, what's the MO, what's the profile of this individual so that we can predict their behavior. And most government agencies engage in profiling of some kind. IRS, obviously, they're looking for abnormalities or anomalies in your income and spending habits. I think the CIA also deals in it from a classification system. You see a lot of these government, has anybody taken one of those psychological tests to figure out if you are going to become an enemy of the state or, you know, hack your family up? Okay. Very bizarre, very bizarre questions. There's no right answer. They give you something like, you have the option of running over a dog or hitting a pedestrian. What do you do? Okay. Well, I guess there is a right answer for that, but I won't tell you what my answer is.
So it looks like we have people who are doing this. Okay. The credit card companies are still making money. The airlines are still making money. So maybe it's working for them. It's certainly not going to put them out of business. So there must be somebody at work that exists and there must be some technologies that are being used.
So what's the problem? Well, there's lots of theories. I'm going to introduce some of them today. That might be part of the problem. They're all theories. Very few of these things are being discussed openly and, you know, dissecting it and finding out if it's truly valid.
You don't have much data. Okay. There's no raw data in my collection that is substantial enough to show trends. Think of all the people that are doing it. Airlines. Lots of travelers. Credit card companies. Lots of transactions. They have the raw data. So they have been able to develop some logic to go against it. But there's no publicly available data. It's proprietary and it's cloistered research. This is a competitive edge, especially in those commercial ventures. This is your family-style kung fu.
This is stuff you don't want to give up. That's a lot of it. The other reason is the research is very expensive. And that can pose some problems, especially if you're on a limited budget. Which we are, by the way.
There's no common methodology. When we talk about it being more of an art form than a science, that's really what we're getting to. There's some trends that you'll see in all these profiling activities. But to my knowledge, there is no true common methodology. And if there is, please turn me on to it because I'd love to read it.
And there's no feedback loop. And this kind of goes hand in hand with the methodology in that when you learn something, again, if it's family style, it stays in the house and you know it. But how does that get fed back out there so that other people can look at it and tell you where it's right and where it's wrong and where it needs to be fixed? So this feedback loop does not exist and I think we need that.
Let me give you a little idea why I'm up here talking to you about this in the first place. Let me give you some background on me. I have a day job and moonlight as a consultant. And for like the last year and a half, I've been dealing with some new issues in enterprise security. The reason I started doing this was we went through all those phases. We sold everybody a firewall, everybody and their brother several firewalls. We also sold them intrusion detection, lots of it, scanning products, lots of services, all that fun stuff, education. And what I'm finding is that there's still a problem. Why aren't we secured? We've got all this technology, we're spending all this money, why doesn't it work? Well, people aren't using it correctly, that's certainly one reason. And I think it comes down, the gentleman said that one of the biggest problems with security in his mind was ignorance. I would say there's two: it's ignorance and laziness.
The only way you're going to get people to stop being lazy, you can't stop people from being ignorant. You can train them all you want, but you can't stop people from being lazy by making it their job not to be. And that's what's not happening. So they've got all the technology, maybe some of them have skills, they can certainly pay for the skills, but they still have an issue, some of the problems.
The approach that we came up with: simple is better, get back to the basics. I'm going to go out on a limb here and say you can get to a, let's say 90% security, comfortable security, acceptable level of risk, whatever you want to call it, without spending a lot of money, or any money. Back to the basics. What would some of the basics be? Don't run services that you don't understand or you don't need. Log everything. These basic things that I think many people in this room, especially if you've been through any 101 security class, you've heard it over and over and over again. In reality, are those very simple concepts being executed? My experience has been no. So we've got to get back to basics and a common-sense approach to enterprise security.
What else? Well, we were developing some things for proactive computer forensics. Now, this was what our talk was originally going to be about, but we decided to actually change the subject matter. But a lot of the research for this project came out of the proactive forensics. And I think if, again, if you're looking out there and you're seeing what presentations are being made, computer forensics will probably be the big business after year 2K. The sheer amount of litigation that's going to be derived from that will definitely point out that there is a shortage of competent and/or certified computer forensics technicians. Okay, everybody remember the OJ trial? Okay, remember all the loopholes that were opened up just because they hadn't maintained chain of evidence? All right.
So in that game, what we did was we looked at the AFFIRM approach. Notice it's trademarked. All this stuff is theirs because it's a real product. And this AFFIRM approach appealed to us. What we have here is a typical mock-up of somebody's network. We've got a bad guy there, the world of threats, going through the internet, coming out to your publicly entrusted network and doing bad things. This rig set up here that we have, we'll see the database. We'll talk about each of these components. You see the database. You see consolidated screen. You see some sane servers. This is an enterprise environment, okay? An enterprise environment is a fancy way of saying you've got a lot of different computers, different OSes, and they're geographically dispersed. Oh, and you have an IT budget.
So, consolidated security console. What is this? Well, similar to HP OpenView or any of the network management stations, this is, let me also tell you, this is all vendor-neutral stuff. So when I'm throwing these terms out here, I'm trying to get some verbiage together so that we have a common lingo. So the CSC is basically where all the information, all your decision support comes into one room. Like war rooms, okay? Well, my war room is only staffed with one individual, or if somebody is over, there's two of us. So I need this consolidated screen. I need a place where I can look in one window and get instant feedback to what's going on in my environment. That's what the consolidated security console is all about. Now you'll see a lot of vendors doing this stuff. I think Check Point, the network management concept, I know HP OpenView is looking to put security components, and they should be easily plugged in, right? Because they adhere to certain open standards.
We then have data collection points. Data collection points or data control points.
Again, a generic term. Basically, these are elements of a network that can either collect information and get it to wherever it needs to be processed, or it can be a choke point. It can control that portion of the network. So examples would be firewalls, okay? Firewalls, well, how do they get information back? They can do proprietary methods or log files. Simple's better. Log files are very good, folks. Everybody should log. Routers, syslog readings, gateways, other applications, intrusion detection devices. I mean, those will all be considered data collection points. And I'm sure you could think of others.
Then it comes to the heart and soul of this thing, ORB. ORB is an object repository base. It's a database, okay? It doesn't have to be SQL. It doesn't have to be scale. It can be friggin' flat files, all right? It's just a place where we're putting all the raw data. And we got some animation inputs here. Well, basically what you're going to do is you're going to create your own database. It's going to have signatures in there. Constructs, attack signatures, exploits. It's going to have reference material. Pretty much as much information as you can get about whatever your network is and whatever your concerns are. And we get on this big database.
Now that we have the database, we can actually start doing some things to the data. So we have discovery engines, okay? And I'm using engines and objects and all that stuff because it makes it look more like a real product. It contains the query routines and logic objects. Basically what this allows us to do is query the backend system and also shop jobs to our object broker. You may not have in-house capabilities to do the exact process that you want on this raw data. So what you can do is, since it's all object oriented, we can go to an object broker and it can go out there and find somebody that can do it for me, or other people can write objects that can be utilized by the system. And we have the response engine.
I thought there was also some discussion about attacking their enemy. And is that okay? I can tell you for a fact, if you download this white paper, there is a quote from Louis Freeh, FBI guy. And he basically talks about how everybody that's coming out of training is being issued a gun, a badge, and a laptop. And that they will, in certain situations, under the government or presidential directive, they will actually attack another network. They have no problem doing that. Civilians, however, are not allowed to do that. It depends on the state then. I think Michigan has it pretty liberal.
And then we have the object broker or logic. If we don't have in-house capabilities to process the data stored in our in-house ORB, we can actually broker those transactions out, out of the system. Or to sub-systems, more protected systems, in-house.
All right. Well, that's the pitch for AFFIRM. And that's my day job. But it really led up to us to be able to develop this. Hackset 1 to develop. I go to Hackset a lot to find out if my idea is, you know, if they're crazy, can we do this? They said they thought we could put something together. And at that time, we hadn't decided what we were going to do. And then I saw this. This is a snippet of the manifesto that JP put out where he basically states that he is changing his directive. And I'm not sure what it was all about. But the thing that struck me was that he was talking about profiling them. And I know that he has this database that's 33,000, whatever, entries. And I know that it's only for the elite government people that pay him for that access. So I was a little bit concerned that there's a lot of smoke and mirrors and not enough open science involved in this. So we felt that this was the way to go. We also thought we could come up with some cool names and graphics to make it look good.
Profiling. We have a new profiling definition. I'm going to read this verbatim because I had to go up a couple of times.
Profiling. In fact, the profiling is concerned with the collection and analysis of empirical data. These would be those object properties or characteristics that we were talking about. The desired result of this activity is to produce decision support capabilities. You want to be able to predict behavior. That's our definition.
So going along with that, what does this AFFIRM approach, and I didn't give you the acronym for AFFIRM, do you guys want it? Let's see if I can remember it. The other thing here, we had actually, we've had some problems getting this out. We've had two attempts to stop this. Anybody that wants to talk about that offline, buy me a beer and I'll tell you the whole sort of story. But we had to change the name at the last minute. So we changed it to AFFIRM. We think we came up with a better name, but it stands for active forensics, response method. And it's a total methodology. It's a theory. But we have been actually using it in the field.
Keep it simple. That's one of the predicates for AFFIRM. Gotta keep this simple. The more difficult it is, the more complicated, the more likely it is to get screwed up.
We must be able to provide some continuing support for it. If we go and find something that's great and it dies on the vine and it's going out talking to people about get them excited about it.
Must have multiple or varied information sources. This is so important. If you make all your decisions based on single-source information, you're going to fail. You're going to have problems. That's how you verify. Trust no one, verify everything.
It must provide modular logic. When I talk about modular logic, that's just a fancy, and I heard the term mobile code. It's really part of object broker. It's the fact that we're not going to have everything in house. We have to have the ability to bring in other logic and we use that term modular logic. We can also export our logic. If you need some help, we can ship you an object that can do it.
We must also have a system for rating and purging the information and its sources.
Now we're ready to get to the good stuff. The key success factor is the challenge. What's going on? I don't have the raw data, guys. The data that we have in house was never collected to be put into a system like this, so we don't have a database. We need one. We also don't really have any field-proven logic. We've got some things that look good with our limited database, but we haven't had a chance to really run them through a wringer and develop the logic and the algorithms, so that's an issue.
Okay, well, am I crazy? Okay, I'm talking to you all guys about this. Maybe. I've got to design a classification system. Okay, maybe I'm... Maybe we can do that. I've got to create a user interface. Well, that was the least of our worries because we've got IM12 that does all our work for us and he's really good, so we knew he'd come up with something cool. And we have to populate the database. Now, this becomes a problem. You know, I've got a mortgage and a wife and it's difficult to do projects like this, especially when you have to build a large database and you don't have a lot of resources. So that was probably my biggest concern. You have to evaluate the logic and the algorithms, okay? This is stuff that we do day to day, so this wasn't such a big deal and we're assuming that we were going to get there are lots of good research on statistical modeling and things like that, so we have access to those and actually we'd like to talk to anybody that has some of those when this is over. And we must be prepared to defend the methodology and approach, okay? I'm ready to do that. And anybody that's doing profiling today, we can talk about it. If we have things that we agree on, fine. If we disagree, we can do it in a public forum.
Okay, here we go. So where did I start? Dungeons & Dragons. I went back to the roots. What? AD&D character sheets, all right? I'm dating myself.
Actually it was just D&D or Chainmail back then. It met all the requirements. Simple. Let's think outside the box. Required very little tweaking, okay? Very classification system. What it's involved with. Provides a common point of reference. Anybody that's ever played D&D or any more games or any other newer games where you have the heads up and all your stats on one side, okay? Provided inspiration for user interface, okay? We didn't need to worry about the layout because it had evolved over a period of time.
Now from the gameplay side of things, all objects interact according to rules. You know about it. You know you've got your fifth-level paladin. You know he's got his singing sword. When he sees a hobgoblin, you know kind of how he's going to react. And you can throw that into an algorithm, roll your random numbers, and you know how the outcome is going to happen based on the rules. The DM is the tiebreaker. Now that's what we're going to get to because what we're basically doing is decision support. So you're at your consolidated screen. You need to make a decision. Come back and it gives you something, a probability of 50%. What am I going to do? At that point you're still utilizing the art. Hopefully you're making a much more informed decision.
So we went from this character data sheets, which define the character object property so well, to this. This is a screen from the web page that we put up. It should be up hopefully. It's not that we did it before we left. And we're introducing Project Profiler. This is an internet experiment. Effectively what we've done is we've put up a web page and we are soliciting people to come in and fill our database up. We want to know about certain types of characters. I want to know whoever the mage is, and we've got a whole system. You can go through it and look at it. We're going to execute this experiment in three phases and we'll talk about those phases. We're going to make it open.
It's extensible because the way we designed it is scalable. And it's free. I think that's the most important thing. I think that open and free are the most important thing. Because that is the only way we're going to find out if, in fact, this is something that we should be doing.
For example, phase one, we have to build the database. That's where you guys come in. The page is up there. We want people to come in and fill the database up. We're going to open up for questions. I know there's going to be a lot of questions about, I think the database will generate the most questions. For 30 days we're going to leave this thing open. If they're not getting hits and nobody fills in the databases, we can't really go to phase two. So it's very important that we get this support, hopefully from this community especially. Then we go public with the database. This is where everybody that's participated gets to access the database and pull up information. And in phase three we have to refine the profiling logic. That's going to be a very important part of this process.
A little more detail. Phase one, if you go to the webpage, I've got flyers at flyer.com. It's got a zero instead of an O. Phase one, we'll populate this database. Phase two, 30 days later, we're going to open up the database for live queries. Now because of the algorithms that we're trying to develop and rate and make sure that they're better, we are going to implement an update capability into it. Quite frankly, we're not sure exactly how we're going to do that. Obviously I think the thing that comes to mind is you're going to have a lot of people putting bogus data in your database. This is true. We think we figured a way to purge that and rate it, and part of that is going to require update capabilities. So when you see something in there that you know is not right, update it, change it. And then phase three, we're going to introduce specifically some of the algorithms that we're using.
And I'll talk a little bit about this, and again this is the real theoretical part, but you've been talking about it and we think it makes sense.
Six degrees of separation. Ever played that game, the Kevin Bacon thing? I also feel that there's six degrees of separation between pretty much any of the enemies that are wired. Enemy is enemy, okay? I'm not taking a white hat, black hat. Enemy is an enemy. Six degrees of separation says that everybody's going to kind of know each other, and if you can track people back through that web of the seat you will be able to find connections.
Now there's an interesting, is it the sex list? The sex chart. I don't know how many people have seen the sex chart. How many people are on the sex chart? Yes, how many of you in this room have seen it? We're going to out every single one of you here. The thing is, it's a chart that basically shows everybody who's had sex with each other, right? And it's this huge wrong scroll that's version 9x. Yes, it's crazy. But that's what six degrees of separation is. By building profiles or data that knows who knows who in what context, it might be possible to ascertain very valuable information about who you're doing even though you don't see them doing it directly. What are you doing with it? Who you're doing? The sex list is all in line.
We do a lot of this when we track down bank transfers. They go through many different laundering points before they actually get to where they're going. That's a method that is commonly used.
Associates. Here's the one. Have you ever seen any of the good mafia movies where the feds are all in the room? They've got all the pictures of the family and they've got the head boss and all his underlings and everything like that, and then there's blank pictures. We'd be looking to try to identify who the blank pictures are based on all of their associates. That's one of the theories that we're going to try to put into play, and that'll be in there in the first quiz.
The reason we're not showing you any of the algorithms for this right now, they're very sketchy and quite frankly, we will be embarrassed to have you guys look at it. But we will have something for everybody to see after the next 30 days, which will be the quiz. Maybe before. We don't know yet.
There's also the black hole theory, and the black hole theory is this. We have a lot of people that are making decisions based on publicly available information. We all know that we can easily be manipulated. The truth can be fine-tuned, spin doctors and all that stuff. So how do you really find those elusive spooks, the ones, the dangerous ones, maybe the professionals that are no longer part of the Soviet Union? We spent a lot of money bringing in the nuclear scientists because we were worried about dirty bombs, but we really didn't do anything about their intelligence agencies and I think we're seeing some of that problem right now. So there are hired guns out there. These type of data mercenaries are spooks. They're not script kiddies. They're probably not at this convention. If they are at this convention, they're working at the hotel as a waiter or something because they do this for whatever reasons.
How do you detect something that you can't see, that's invisible? The black hole theory. How do people detect black holes? It's not that you can detect the hole itself, but you can detect how it affects the things around it. In some respect, it is related to six degrees of separation. However, it's a different application.
Anybody seen the program Faces? Have you ever watched America's Most Wanted? Well, this Faces program is pretty cool. It's got a bunch of ears, a bunch of hair, a bunch of eyes, and when people are trying to figure out who assaulted them, they can actually pick components out and build a face. It's more expensive and easier than traditional artists. We're going to add some of that.
We would like to be able to take an object characteristic of, say, I don't know, you know, we'll see some of the names up there. I would say let's take, he's a bad guy, he's a professional, we're not sure if he's a he even, but we do know certain things about him, and be able to take these objects again and create a baseline profile of this individual or this type of individual. And that really was inspired by Faces, so I wanted to give them props on that.
Alternative information sources: we need to develop it. Okay, I know some of the guys in my crew will certainly agree. Coming out of front door of any network, we do some vulnerability testing, that's such a pain. Why do it? That's where they spend all their money, into front door. Alternative information sources: go read somebody's corporate profile in the annual report. Lots of good information there. Look for information in places that you normally wouldn't. It's very interesting to listen, am I listening to the BBC? Okay, listen to the BBC and listen to one of the other major news outlets, and how different the stories are. Okay, I think you can develop a lot of valuable information by getting two stories that are very different, and we get this hybrid, and maybe that's, those two sources, somewhere in the middle is where the truth lies. So we want to develop those.
We're also going to practice full disclosure. When I say full disclosure, I mean it in the truest sense of the words. So here it goes: it might not work. This might be all a bunch of bullshit. I may be crazy. We don't intend to regulate the use. Okay, this has some of, some of my daytime people that I deal with a little concerned. It possibly has something to do with why we've had some delays in us. But we're not going to regulate the use. We don't feel that the internet community, specifically new folks, would participate if we would put censorship on it, some of the things good or bad. And we do plan to develop some commercial code based out of this, not from the database but from the
algorithms because that's where the money is at and that's where we want to be we also, since it's going to be open we anticipate hope if it's embraced the other people will be able to develop this modular and mobile logic that can plug into the system okay, in conclusion regardless if this particular project works we know that people are going to still go out and look for the silver bullet we're hoping to add our two cents we're hoping to open this up there's no reason this stuff needs to be hidden it's the same thing with encryption would you trust an encryption algorithm that you didn't see the math to it PKI that makes my head hurt but I know a couple guys that are really good at it and if I'm going to use something I have them look at it and I trust them it has to be open I don't know what some of the other people are doing we're going to try to open all our research and we need your help this will not work without your participation and we'd like you to at least give it a try and that's it folks so I guess we're going to open it up we've got 20 minutes, 15 minutes questions, comments questions the question is it was related to the database and I didn't hear it all Are you looking for personal information? Okay, right. Are we looking about personal information? Right. We are not necessarily looking for names and addresses of people. When we talked about this, we said, well, you know, that's what our own personal database is like. Don't we need that? No. We're looking for more because J.P.'s database looks like that. That's been his big claim to fame, that he knows all of us. He knows where we live and our real names and all that. That doesn't help decision support. If I'm going to come and arrest you, that might help me. If I'm going to set you up and have your systems knocked offline, you know, that gives me leverage. But in decision support capabilities, knowing exactly who you are can help, but I'm more interested in your capabilities. 
So when we look at the form of the information that we're taking, we're trying to get a feel for the person that's ending the information is going to give us their capabilities, some of their nicks, known aliases. We look for a real name, but we don't go for social security numbers. We're not going for any of that because it's not really germane. What we're trying to do is develop this logic that allows us to make good decisions. We did get some comments on, I'm not giving you any data. Why would I tell you anything about myself? We think many people will tell about themselves, but they would love to tell about somebody else. So we think that the database will get populated. If for no other reason, people ratting each other out. Did that answer your question? Also, are you interested in technical information in a way like a system boss, if you find a way to force it? Okay, so when you hit my rock and roll, it should stay in that and then they get it. That is a bigger goal for the affirm methodology itself. That's something that we're trying to get put in there. For this particular profiling, we will list capabilities and we will try to look at personality traits. There's a couple of computer programs that will take a regular piece of text and they will write it in the style of, say, a Shakespeare. So we are going to be looking for things like that, but that's not really part of the profiler project. Over here on the end. That we're reliable people to be judgmental? You don't. You're just going to have to trust us. No, you don't. That's one of the problems that we feel we're going to have with data collection. Yes. Correct. And that's one of the reasons that we... Okay, I'm sorry. The question is how do you know that the information sources that you're getting are correct? How do we verify that our data is correct? That's a good question. Thank you. That is where the refining process comes in. We're going to look at... 
We're not going to require that you give us a name or a handle to who submits, but we are going to ask for it. So over a period of time, we're going to have empirical data to find out how good your information is. If you're giving us crap information all the time, we're going to do a statistical modeling. We're going to weight your information at a negative. You have bad information. You can still submit information, but you're not going to have a high rating on yours, and it will probably get lost in the numbers. Now, that's the process that's going to happen over the first 30 days. Just because we haven't opened up the database in those first 30 days doesn't mean that we're not doing something. We're going to be looking for ways to do that. And mostly data, when you look on the queries, will have a plus or minus rating. And that will try to put out there, what's our margin of error? So that is a big challenge, and that's where we think hopefully if people get involved, we're going to get some real good out here. It's an eBay thing. Sorry. First of all, yeah, the app has an actual model of the app working, and it's released for a few months now. We should get that as well. You can get a taste of the same thing. We're very familiar with something like that. You can get a taste of what it's at. All your data is lost, so you can get a certain kind of attack. You know, this is a good place. It's going to be a really good place. It's going to be the motivation to say a guy with that vision who has a T to the T to the T to the T, who has a T-mail to the president of the company who has a T to the T, who has a T to the guy who has a T to the sat, or who is a T to the sat. We think motivation will come out of some of the classes. I'm sorry. The question was are we going to try to track what motivates the attacker? We think that is important characteristic to be able to predict what their next move will be. 
So, yes, we are going to attempt to gauge that and track it and expose that. That really comes in some of the classification types. You go back to D&D, you know, fighters. There's a reason, essentially, we're expected to either call or remain. And if it's at one of these community towers that's one official thing that we have, there is a way to do it. Let me also say that I did not look at any of the FBI research. I really, this is something that came out of, and that's why it might be all bunk. But I just, I think people's motivations are a little more sophisticated than a yes or no. You're going to generalize this? Certainly. We're going to attempt to try to gauge that. Anybody has suggestions on it, definitely send me offline or send a e-mail. Because we're going to try to incorporate all of that in. I'll get you in a minute. A second way of doing this, which I mean is totally different from what it sounds like when you're talking about sending out these big towers and saying, okay, this looks like maybe a catapult. At least what you need to say is that a database that says, or a lot of it says, this looks like this is a type of catapult. His next attack, the problem would be that part of the system. Well, I'm not just kidding. It's only going to be a database. Now he's going to try to look into the final wall. He's trying to get network access in such a trade. The real problem is he's a serial killer in the tax point. Women, he grates and kills them. Okay, so that's what I'm talking about. That's what I'm talking about. That's what he was. That's, you know, basic, I think the question is actually the difference. Once you're on the course of time, I don't care what you're doing. Once you're done, how long have you been doing it? What kind of companies are you back in? Is this the way to go? Is it age-related? Are you trying to gain money? I think once you generate that kind of database where it doesn't matter what you're doing. That's what you're suggesting. 
Because anticipation still goes on. You don't care what happens. You just want to know how to stop it. You just want to find that step. Correct. I want to predict your next logical behavior, at least the best percentage of that. And maybe I haven't articulated it correctly. That is exactly what we're trying to do. We are not trying to create this all-million database of the person. Let's face it. We're not going to have a very big database. And we're going to spend a lot of time going after information that does not affect real-time decision support capabilities. Yeah, I see an attack. It's coming from multiple sources. It's using nmap, or I see some Netbus ports. I know what the next thing they're going to do, they're going to try to get deeper in there, violate some more trust. I want to be able to predict what the next move is so that either I can hopefully stop them. It does have applications for law enforcement, too, I imagine. But real-time, just stopping them from doing whatever they're doing. I'll stay away from my data. I promised him for... A quick question. On the database, if you take some of the background illustrations for all of your web files, what do you do with those files? Okay, everybody hits any of our sites part of full disclosure. We do something like that. Anybody ever see a TetuMans little ball of flags in that one page with the last hundred hits? Okay, we do something similar. It's standard logging procedure. We are not planning on putting that into the database. We could if we think that we want to do that. But we're trying to... Are we talking about the people that are submitting the information? Yeah. Okay, if you submit the information, and we went round and round about this, we would like an e-mail address or a handle. But we are not going to take what we do for logging and incorporate that into the database. Now, we probably should, because that's going to help us on our credibility rating for that whole... Well, that person... 
It seems like we'll get a lot of crazy hits from Southern California, and their information's just really too concerned with... I don't know. Yeah, if you value more information, we're not going to include it. We're worried about... Some of the questions I haven't heard yet are about privacy information, who owns the database, what happens when you spit out a report, is it copyrighted? To me, the science, the math, it's either going to work or it's not going to work. I'm more worried about, legally, somebody coming and shutting us down. Because I guarantee you, this is something that people do not want everybody to have access to. And it's not the government. It's corporations, mainly, because they can't charge you for it. Question. We've been... Not by much. In previous life, we did a lot of lottery statistics software, and we sold a lot of them. I'm not sure if anybody had won the lottery, but we did pretty well with it. But some of those... It's statistical modeling is what it is. So we actually are recruiting people that are doing this kind of research outside of what we think the security realm. We're going to Wall Street. We're getting some of those guys that can slice and dice and having to make their living on a fraction of a cent. We think they might be good at this. We also are going to some of the universities. Now, when I mentioned I had not done any research on the profiling aspect. I have done lots of research on neural networks, statistical modeling, and there is a wealth of information out there. It's out there. We have to collect it. Hopefully, somebody will bring some of that forward, but we're going to use those same tools. We could. They depend on a real large data set. And we also... In the form that we're trying to fill out right now, we hopefully... Maybe we'll get comments to say, hey, you should be looking for this. You should be looking for that. That's one of the reasons... 
If we were to take a year and budget this thing, we could probably build it. It would be very expensive. It would never be as good as if we actually get the internet community to come on and start working with it. At least the internet hack and sync security scene. We think those individuals would be very useful. Oh, I'm sorry. Question? Okay, I mean, we just... I have to ask you a question, too. The first question, are we going to be logging what people are looking at and the kind of questions that they're asking the database and the queries? Yes. But in the same lines, that's almost... We have to, and that goes back to the credibility rating. But that information will not be publicly queryable. See, some of this stuff stays kind of as proprietary to the database. And this database, if this thing works, this database isn't the end-all database. This database is only being used to combine two new algorithms. The only database that's going to be any good is the one that's in your environment, right? Who's attacking my network? Who's visiting me? Your database, your internal database will be totally different than this external database. But you'll be able to use the same logic objects. And let's say that you develop an object and I need that. This system should allow me to go out and shop for that object and use it against my database. And that way, I don't have to let the database out, but I can bring the logic in and apply it to that. And because of this consolidated security console concept, the end user or the decision support person doesn't have to know what's going on in the background. If it's not in-house, the system will know enough to go and talk to a trusted information resource of some kind and retrieve those algorithms, those objects. Your second question. My second question You're looking for this in support? Okay, I can always say that this phase in the game, phase one, we will not be allowing that information. 
Who's coming to Query to be publicly available? We will have to look at it again, like I said, to rate our information sources. Now, that assumes that somebody's giving us a handle of our name. Again, since we're not verifying authenticity of our users, there's some fuzzy logic involved in that too. Yes? Well, we think that would possibly be environmentally influenced. When I'm sitting on my deck, I normally have radio going in the background, several television shows. It's not all consolidated, but I'm getting information from all these sources. When somebody, when I'm looking at something, I see something having been seen before, or we're actually getting attacked by the root servers, then you probably say, oh, it would be in DLS, because I don't have any beef with the root servers, but you still check it out. That's going to evolve, I think. There are certainly things that I think some of the search engines are really nice, put in searches. To me, that would be an alternative information source. We also have some tools that have been developed commercially for some other folks that we've had access to. This is, I'll tell you one of them, it's called Bullseye. And this thing is like a mega search tool. And we've been using it. And what it does is it skims the undernet, everybody knows that with HTTP sites, some people use an FTP, there's lots of other services out there that aren't being utilized. And we feel that that's probably the first, the low hanging fruit, that's where we'll go for. Probably, we're going to see if these guys are going to give us some of their logic to at least put it in. Maybe donate something to us. Some source code. Yes. Yeah, it might not be the best business decision, but this might sound corny. A lot of this has to do with principle. At daytime, I'm a consultant. I consider myself. The question is, from a commercial standpoint, we understand that you want the algorithms, but that big database is something too. 
You get the database automatically because it's public. The only true value that's going to come out of it, you're going to have to develop your own database. Because ultimately, this is to, why are we doing this? Decision support so you can protect your own information infrastructure. Your database that you create in-house will be more crucial later in the process. Initially, we'll be doing a lot of queries to the public database. Once you start building your own in-house talent, that's what's going to be valuable. And that'll be your proprietary database. If we go down the line in six months from now, we have this great pet project and I go, public access to the database is closed. Okay? I've lost all credibility. And, you know, I definitely don't want to do that. I can't afford it. In this business, everybody knows each other. Your credibility is everything. So, it's very tempting. And this is part of the issues that we're getting with people not wanting us to go forward with this. The other problem is, with not maintaining the database ourselves, we lose control of its integrity. So, we feel it's at least in the beginning stages. But we, even if there's a pay service that comes out of accessing the database for, like, quarter of an hour, we don't want to do that. We don't want to do that. We don't want to do that. Even if it comes out of accessing the database for, like, corporate customers, we feel that it will have to maintain a public database. Even if it's paid for view for certain entities. I'm sorry. Back here? Question to you? Yes. Yeah. That's what could be used for this. Yeah. Remember when I said I'm not going to regulate the use of the database or the tools? You know, that's, that is a real problem. But you know where that problem, that is an HR problem or is a legal problem? Nothing to do with technology. And you've got that problem right now because guess what? All those files are electronic. And you don't think people go through that? 
What's your HR person do? They're working so hard that they don't have time to flip through the files, especially the people that alienate them or upset them? Yeah, we've dealt with people like that before. But no, that's a valid concern. We've had discussions about that. Quite frankly, it's not our problem. Yep. Yep, especially if they have your DNA in there and they know that your family is prone to some critical disease and you're going to die, deny you insurance. This is the problem with data. But that's not going to make the problem go away. But awareness will. So definitely, that's an issue. I know we're getting, we're a little bit over on time. I have one more question. That's a little bit bigger and it starts getting into a conflict of interest because my company is the one that put together a firm and we are marking that and we're trying to do that. So Profiler does not do that. But the whole system would. So, yes, when I say vendor neutral, those data collection points, they could be firewalls, intrusion techniques. They're going to come into that same database, but the profiling portion of that database was just one slice. Okay, one more. Thank you, thank you, thank you. No. We will not be selling this database. We will not be selling hits. We're going to, if we, I think as long as this, the site doesn't get too big, I mean like mega hits and bandwidth and stuff, we'll be okay. If it starts to get bigger, we're going to have to seek, you know, financing or sponsorship. That would be our first avenue. We will not resort to selling this database. We will not resort to selling this name. We'll shut the product down before we start selling this as marketing. And we've actually had that prominently on our webpage at the top. Okay, this is in the phase three now. Once we find our internal logic and prove to ourselves this is a viable go forward strategy. Meaning that if I spend the next six months on it, I'm not going to lose my house. 
There'll be some reward at the end. That's just the way it is, guys. It's reality. If it is viable, then what we will do is we will open that database up to people that are using their own objects. So you will be able to do your own queries against the database. And you can maintain your logic in-house or if you want other people to be able to use it, you can post it to our webpage. And maybe you can create something that can, you know, keep you from having to go to work at nine and wear a suit. Alright, I really appreciate you sticking around. I know it's kind of hot. It's actually a lot cooler in here now, though. I don't know exactly what's going on, but it sounds like there's some music. I know there's some pools out there and some cold ones waiting. So anybody who wants to talk to us offline, fine. We have these little... We're going to put the flyers. We have some flyers here with the web pages. Feel free to come by and see us at the booth tomorrow. Thank you.