Never. Never. I don't think I've ever done that in any class. My philosophy is: you all are here, you're paying tuition to be here, we have this time together, we're gonna take up all the time, it's gonna be great. If you want to leave, you can always leave; I don't care. So, okay, cool.

So, the syllabus. I'm still not Fish, in case you're wondering; he will hopefully be back next week, and everything will be smooth sailing and you'll be in great hands from here on out. He would like me to go through the syllabus for next week for you, so you have that all figured out. On Monday you're gonna get a crash course on cryptography, which is gonna be super fun: a history of crypto. You're gonna talk about symmetric encryption, asymmetric encryption, how those work at a high level, and then you're gonna get ready for the first and second homework assignments. Nice picture from Fish. Everyone loves to do homework, right? And then on Wednesday you will have your first in-class CTF, and it's gonna be super awesome. And don't panic: it's not gonna be scored, in the sense that... I don't know in what sense, but it's not scored in that your ranking is not gonna matter. So if you end up in last place or whatever, that doesn't mean you're gonna get a zero. The idea is to get you exposed to this concept of capture the flags in class. It's an hour long, so don't be late; you're gonna start early, and the services that you'll be hacking on will be released 24 hours before the class. I think there's only 10 people signed up for that, so you should sign up: go to Piazza, look for ASU CSE 545, and you can sign up for the course. Fish has already set that up. Let's do it really quickly. Yes, why not? Yes, I will ask him to do that.
Yes, and I also posted on my YouTube channel the video recording of Monday. I'll ask him to put that up there as well, so you can go watch it. That's a good question. I would say you would probably be... So let's... we're gonna do this all the time: you use incognito mode, so it's not... "CSE 545 Piazza", look at this: that's Fall 2012. That's unlikely to be the right thing. See, this is good that we do this all together. How do students get started? Let's pretend I'm a student: I go to ASU, Arizona State University, CSE 545, bang: instructor Fish Wang, 12 students enrolled, and sign up for the course. Everything will be good. What was their question? Oh, the operating system? Well, maybe it's on the next slide; so it's a checklist for next week. Do I have access to a computer? A couple of you came up to me after class; if that was you, please talk to Fish. His email is very easy: it's fish w at ASU dot edu. Or I'm sure you can contact him through Piazza as well. Send him an email if you don't have access to a working, functional laptop that you can bring into class. I'm also going to help him figure out a better room, because this is a great lecture hall but it's not a great CTF room. I'm talking to him about that, because there are options: the department has some computers, he'll have to figure out how to bring them and get them to you, but that can all be solved. But it needs to be proactive.
We don't want people showing up on Wednesday being like, oh, but I just brought a pencil, because that's what I do. So you need to bring your computer to play a CTF. If you can't bring it, contact Fish as soon as possible; we'll get it all sorted out, everything will be super easy, it'll be fun.

Cool, okay. So you should have, at the very minimum, a computer that you can run SSH on, I would say, in terms of hardware. This is PuTTY if you're on Windows; if you're on Mac it already has a built-in SSH client; if you're running Linux, then that's awesome. You should know how to use SSH to access a host, because I think that's how this is all gonna work. If you can, my suggestion, not knowing anything about what's gonna happen, my suggestion is: if you're not running Linux natively, get access to a Linux virtual machine running on your machine. VirtualBox is free; get VirtualBox, install Ubuntu 18.04. My recommendation is always to run the server edition, not the GUI, although, well, maybe for this that'd be fine. Anyway, you're analyzing binaries; you don't really need a graphical user interface, plus that uses up a lot of CPU in my opinion. So I almost always run the server editions of things and then SSH into them from my local machine. But your mileage may vary; do whatever works best for you. Questions? All right, so we're done with the syllabus for next week. All right, cool.

So now we get into... that's actually something I really like about this class: talking about history. So why do we care about history? Isn't that just something that old people did, and we should just ignore it and do our own thing? I've seen some heads nodding. Any thoughts? No wrong answers. Yeah, but no, it's not. Why is it important to look at history?
Because we can learn from it. You can learn from it and maybe apply those lessons from the past to the future. Why else? You don't have to reinvent something. That's actually something that happens a lot, especially in research areas: somebody comes up with a crazy new thing, and then all of the old-timers are like, actually, that was already done in the 70s by so-and-so, and then usually people just ignore them, or do it differently, or figure out a new way that makes it new and different and unique. It's not good hacking... it's really, you know, part of hacking is not just the "oh, I'm gonna exploit this buffer overflow to do this stuff." There's a whole culture around hacking, and that comes from understanding famous hacks, famous viruses, famous hackers of the past, to see how they did things, so you can see how the field has evolved.

So one thing I really like is talking about hacking, but to do that we need to first start with the internet. What's the internet? A series of tubes? A series of tubes: incorrect, and then also slightly correct. It's very, very confusing. Who was it that said that? Someone from Alaska, I don't remember the name. But what is the internet? And for me it's always a capital I; I don't care what anyone says. It's just a very large hierarchical network. A very large hierarchical network. Who's at the top? The ISP. Yeah, I mean, if it's a hierarchy somebody should be at the top, right? Who's at the top? The ISP. Which ISP? Is there a single one? Yes, there's no single one. So the internet, right, you can think of as just a connected set of autonomous networks. So each ISP runs their own thing; ASU runs their own huge, crazy, complicated network. Would you agree? Did I say this already? Sorry.
I'm teaching two different classes; I mean, I'm teaching Fish's class and my class, so I have no idea what stories I've told in either of them. So if I say something and repeat myself, stop me. ASU has to deal with this problem where every year a quarter of the people using the ASU network leave and a quarter of new students come, so they continually have new people with new devices with new things on their network, which makes defending and securing their network insane. Like, I don't even understand how they do that. So ASU has their network; they're connected probably to some ISPs that interact with other people, right? So if we really break it down, an internet is a connected series of networks, and the Internet is the big one that we all talk about. Are there any other interconnected big networks? The what? A database? Or not a database, but... yes, I mean technically you can think of that as a network, but what about a digital network, let's say? Cellular networks, that could be a good one. Yeah, or the phone network, that would be another one. So you have the cell phones connecting to a tower, which has all of the SS7 signaling and all this crazy switching and signaling architecture from the 80s. What else? Air traffic control. Air traffic control, mm-hmm. I don't know anything about that, so I can't comment. Yeah, web hyperlinks can form a network, or web. Yeah. Private organizations will have their own networks. Yeah, and crazy complicated at that, right? They might have incredibly complex networks. The military has a completely separate network; MILNET is a completely... they were actually, we'll talk about it, military networks used to be connected to the internet, and then at a certain point they decided, hey, that's a terrible idea. So they have a completely separate... several completely separate networks. Yeah, probably okay, several. See, these are things that I don't know about outside of...
So it's good to learn about. And so you can think of this, and the key here is autonomous, right? Every network runs independently. This is where I would push back a little bit on this hierarchy idea, because fundamentally, as long as you can talk to somebody... well, not really. I guess the problem with the hierarchy is there's nobody at the top. There's no king or queen of the internet, right? So there's a set of autonomous systems; everybody runs their networks independently. It's more or less an open architecture and everybody has different goals. And I'd say this is probably a true statement: has everyone used the internet today? Yes. Has anybody not? Maybe you just woke up ten minutes ago and got here fast without checking what the traffic was or anything. Yeah, everybody uses the internet all the time. Like, I actually can't... I think there was one day that I didn't open my laptop where I was super happy. No, but I still had my phone, so...

It's important to look at the history of the internet, and we'll see why in a second. The internet was funded by DARPA, which I think I mentioned on the first day. DARPA is the agency that funds crazy research projects. One of those crazy research projects is the internet. So, very cool to see tax dollars at work impacting not just the military but also civilian networks. Very interesting. I love this picture. So the first four nodes: this is actually a picture of a napkin where they drew the diagram for the internet, the ARPANET as it was called. So you had UCLA, UCSB, Stanford Research Institute, and Utah. So why four? Do you need four for a network? If you have one computer, do you have a network? Not really. If you have two computers, do you have a network? Yeah, two computers talking to each other, right? It's a lot simpler than having a big giant network. If you have three computers, do you have a network? Yeah. Yeah, but why is there four?
So you're gonna build the first network. Why do you build four nodes instead of three? What was it? Guesses? I don't know. Ideas? A backup if one of the nodes is bad. Yeah, but at least here SRI is central, so if they go down there's no way to connect to the other nodes. What do you think? Maybe diversity of operating systems, or I guess operating systems or machines. Diversity of machines. Load balancing? In what sense? You have four machines; what's the load gonna be? The load on SRI is too much. Yeah, or maybe UCSB, or maybe the loads on these links are different; maybe you can try different crazy routing things. Maybe they're already connected, that's a good reason, so you don't have to spend money to connect them if there was already a link between SRI and Utah. Yeah. Who's building this? DARPA. DARPA is funding this. Where does DARPA's money come from? Taxpayers. What's different about... well, one of those locations is different than all the others. It's in a different state. Yes. So if you had all three in one state, this is what you're gonna have with your first network: you have people complaining that it's just a California project that you're funding, and you're not funding an interstate project. So this is a reason I've heard that Utah was included, which I like to talk about, because as computer scientists we often go to technology first and say, oh yeah, these are the technical reasons why this should happen. But there are just as good political reasons, so that nobody criticizes your project and shuts it down for being a California-only thing. Now you can say you're including all these states. Of course UCSB and UCLA are both public institutions, part of the same UC system; SRI is a private institution; and so having the University of Utah there really helps make it a well-balanced set of entities that are getting funding, right, because each of these people is getting funding to build this thing. So from the political perspective, if you're the agency
doing this, you want to make sure nobody can criticize the way you're distributing funds. Cool. Anyways, that's a cool side note.

So they created this, and you think about this: it was in the late 60s, early 70s that they actually started creating this, and this is where the entire internet that we deal with today comes from, which is insane to think about. I actually don't know; that's a good question. I don't know a ton of the tech that was around back then. I would guess there's probably some dial-up, but this was big enough that they had some kind of connections is my guess. Yeah, that'd be an interesting thing to look at. So originally it was all on something called NCP, the Network Control Protocol. And what they realized, and if you look, you can go back and look at the history here, I believe, was that NCP had no congestion control. So TCP, I think as you'll see later in this course if you haven't taken a networking course, if it detects a dropped packet it drops its rate of packet sending and then slowly builds back up, right, because it says, oh, there must be some congestion in the network, time to stop sending, let that congestion go. NCP didn't have anything like that. And so packets were just sent all the time; they were having massive congestion problems. So think about this. So NCP at this point was the core protocol of the internet, and then you want to upgrade it. So how do you do that? Think about now: let's say you, right now, you're a genius, which you all are, and you've come up with some crazy new approach for TCP that's gonna be better. It's gonna save everybody bandwidth, it's gonna be more secure, it is objectively better than TCP. How do you roll that out? Okay, it gets recognized as a standard, and then what do you do? You replace every single device that ever talks to the internet to change from TCP to TCP 2.0? You try to make it backwards compatible, or if you can't, you roll it out in phases.
Yeah, you can try all these things. This is the problem that they came up with: they wanted to move to this new thing, TCP, in 1983. And so they actually had, on January 1st, what's called the flag day. At this point in '83... I've actually seen it; one of the presses at UCSD has this; they call it, I think it's called the ARPANET phone book or the internet phone book. This thing listed every computer that was on the internet, along with the administrator, their name, their phone number. So they coordinated with everybody, they shut everything down on January 1st, they installed the TCP update, and then they brought everything back up. Yeah, insane. Think about doing that now. That's just crazy: like, guys, we'll just take an internet break for one day. No Instagram, no Snapchat, no emails, nothing. We'll just stop, and the next day we'll have brand new stuff. It'll be awesome. So you can't really do that. And I'm gonna skip some of this.

Cool, okay, so the crazy thing about the internet is what started to happen in the 90s and early 2000s: the size just exploded. But the web, so when we think of the internet we mostly think of the web. Would you agree with that? Yeah. What are some non-web internet applications? Email. Yeah, SMTP, IMAP, POP; those are all standards that are completely separate from the web. Gopher. Gopher, IRC. Xbox Live, all that's a closed protocol, I'd say, so I wouldn't count that, but yeah, I'm sure somebody's reverse engineered parts of it. What's that, Bolt? What's Bolt? It's for interacting... Oh, cool, okay, Bolt. What else?
Remote login, VoIP, torrents, FTP, SSH. I'm running out of fingers. So all of these things, well, not all those things, but a lot of those things actually existed before the web at all. So if you think about the pre-early-90s, if you had access to the internet you could telnet into machines. You could, I don't actually know, I guess get on bulletin boards using whatever crazy stuff, BBS systems. This is actually before my time, so I didn't play with any of that. But it was still a very niche area and it didn't really take off in the way that we think about it now. And so it wasn't really until 1991, when Tim Berners-Lee was at CERN. And what does CERN do? Yeah, yeah, one of the things they do is the Large Hadron Collider, where, I'm not a physicist, but they're throwing particles at each other to generate a lot of data to see what's what, while in the process not destroying the earth, so far at least, I guess I'm gonna say. And the problem is, it's a big institution, a research institution, with people constantly coming and going and working on different things, and it was very difficult to understand who was doing what. And so Tim Berners-Lee decided that, and there were some ideas floating around at the time, so he wasn't the only one, but basically he said, oh, wouldn't it be great if we could have a way for you to view a text document, and then at certain places in there you could have a link to another text document that could have more information, with links to other things. So you could have a link to who all the people are who are currently working on system X, and then each of their names could have links to their home page, which would have their offices or whatever. And that's literally what started the web as we know it. It's actually kind of insane, and after that the internet essentially explodes.
So this is a graph over time; I believe this is the number of sites on the web, like I think probably port 80 on the internet. I don't know how this data is actually collected, from 1999 to 2006, and you can see that even here in the old days, right, 1990, there was one: there was one website, one, and you can actually go see what that website is; it's a historical website. '91, 10, 50, and then now you can see it starts getting into six million, which in 1999, during the first dot-com bubble, seems like a lot, and then you fast forward to today, we're in, what's that? Billions, roughly, in here. Yeah, I think it's just counting... I bet what they're doing is an internet-wide scan of port 80, so they're probably not getting a lot of virtual domains and stuff. I mean, Google would have much better numbers for all of these, right? They have domain names, but you can have subdomain names, which could be... But it's a nice graph, and I think we can all agree it's been growing like crazy. So this is an insane graph of the internet: all the connections of all the networks, I believe, and the traffic.

So why is this important to hacking? Everything's connected, man. No, maybe that's part of it. Was it finding loopholes in this? What is that? I mean, that is your goal, but why do you need an internet for that? Yeah, so now you go from this scenario: think about the physical space, right? If you think about, okay, we'll put on our black hats for a second, or I guess our black ski masks maybe in this case, let's say we want to go break into houses. But we don't want to actually break in; we just want to go see how many houses are not locking their front door. So how many houses could you reasonably expect to try in, let's say, an hour? 20, 20, 30 maybe. After that you have to physically run up to things; every time you have to try a door and then run to the next one, and you get tired at some point.
It's like 20, 30. So now, what if anyone on earth could try jiggling your front door to test if it's locked? If anyone on earth could do that, we would probably take the security of our locks and keys a lot more seriously. So this is the world of the internet, where, exactly as you said, anyone can. There are tools now, I think it's ZMap, that can scan the entire IPv4 address range in less than an hour. There are sites, there are all kinds of ways, so criminals now can basically jiggle all the front doors in a very small amount of time, and anyone can basically be attacked by anyone in this network. So this is an important thing to consider, because this greatly changes the way we think about security now. Cool. Any questions on the internet? So this is a brief overview just to give you a sense of scale, right, of thinking about how big this network is. And the other crazy thing: if you don't have a king or queen of the internet, there's nobody to say, like, you cannot access the internet now, you are a bad person. It's all autonomous systems, every one running their own network individually, and then when packets go out, they go out. So it's crazy.

So I'm gonna move on from that. We are gonna start off with talking about something that has very little to do with computers, called phone phreaking. Has anybody seen a payphone recently? Where? New York, cool. Did it actually work? Today, at the airport? Interesting. Do they work? Yeah, huh? Interesting. Okay, cool. So they do exist. So most people are maybe familiar with the concept of a payphone: you go in, you lift up the handset, you put money in the device to make a phone call. It also used to be, back in the day, that you didn't have unlimited calling to any number basically on earth. You had to pay; usually you had unlimited local calling, but long-distance calling cost a lot of money. So you're a phone company.
How do you do that? How do you charge for a phone call? How do you restrict people from accessing certain things? How do you do the reverse, letting people access certain things? Yeah, so you have all these switches; it used to be old-school, like plugging things into different things, which I still don't understand how they work. But along with that, you have switches along the way, and they would communicate with each other over some protocol to say, oh, this is whatever, this person paid, this person didn't pay. What some people found out is that they were transmitting that data over the same voice channel. Because fundamentally you have this problem where somebody needs to speak through the phone; it needs to go through some voice channel. And then you have all this metadata about the call: who they're calling, is the call paid for or not, all this metadata, and they transmitted that over the same voice line. And what hackers eventually figured out, the early hackers are called phone phreakers, is that you could, if you made those same tones, because it's frequencies, different frequencies...
So if you made that tone, you could get a call for free. And then it turns out that there's a guy whose story is actually really sad. So this guy, who became famous and known as Captain Crunch, found out that the whistle that came in Captain Crunch cereal produced a sound at exactly this frequency of 2600, and it looked like this, and that was the frequency to get free long-distance calling. And this was used by AT&T, and this was back when AT&T was a monopoly, before they were split up, so basically AT&T was the entire phone network for the United States. So think about this: he finds this toy in a cereal box, you blow a whistle into the phone, and you get free phone calls. If you think about the phone calls, I mean, I don't have numbers off the top of my head, but it was expensive, like, I don't know, 50 cents. Or if you watch old movies from that time, or a sitcom, the common plot point is like, oh my gosh, you were calling your long-distance boyfriend or girlfriend and you drove the phone bill up to a hundred dollars in a month, which to us is insane, like why would anybody ever deal with that? And so what they realized, and what a lot of hackers started doing, is they built a box, which they called a blue box, that had a bunch of buttons on it that could make different tones to do different things. So they started experimenting, learning about the phone system, and tried to see what tones do what.
And so Draper was sentenced to five years' probation for phone fraud, because getting service for free from the phone company is illegal. And there's actually a whole lot to this story that you can go look up. There were people who became well known for being able to make these tones and these sounds themselves, without the help of a blue box, so they could just literally whistle into the phone to be able to do things. They could do crazy things like bounce a phone signal across multiple switches across the earth, so it would go from the US to Europe to the US to Asia to Europe to a call, and just crazy stuff, just by partly reverse engineering, partly, I think, stealing manuals, like user manuals. So why do we care about phone phreaking, besides that it's awesome? Well, maybe I'm editorializing a bit. Yeah, so anyone could hear, so that maybe gets into the security aspects. What else? Yeah, so that's, and that's my philosophy really, is that... so there's a couple of reasons. Part of this is that one of the early hacker zines, like magazines, online zines, is called 2600, and it's because of this. A lot of the early computer hackers and network hackers came from this phone phreaking background. So they started as phone phreakers and then transitioned, so there's a lot of overlap in the community and there's a lot of things there. But yeah, it's really a super cool thing about understanding a system at such a fundamental level that it gives you total control over that system. And here this system just happens to be the phone network. What we're going to be learning about and focusing on here are computer systems and network systems, but at the same time it's really the same thing. It's just that knowledge about a system gives you that control over it, which is super cool.
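To make the in-band signaling point concrete, here is an added example that is not from the lecture or the course: a small Goertzel-filter detector that checks 100 ms frames of telephone-band audio for energy at 2600 Hz. The same check a switch would run to hear its own supervisory tone cannot tell the switch's tone from a whistle on the voice path, which is the whole weakness of putting control signaling on the user channel; the sample rate, frame size and the synthetic audio are assumptions.

```python
import math

SAMPLE_RATE = 8000        # samples/s; toll-quality telephone audio (assumed)
FRAME_LEN = 800           # 100 ms frames; 2600 Hz lands exactly on DFT bin 260
SUPERVISORY_HZ = 2600.0   # the tone the lecture describes


def goertzel_power(frame, target_hz, sample_rate=SAMPLE_RATE):
    """Squared DFT magnitude of `frame` at the bin nearest `target_hz`.

    Goertzel evaluates one DFT bin with a two-tap recurrence, which is why
    telephone tone detectors used it rather than a full FFT.
    """
    n = len(frame)
    k = int(0.5 + n * target_hz / sample_rate)     # nearest integer bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_energy_share(frame, target_hz=SUPERVISORY_HZ):
    """Fraction of the frame's energy concentrated at `target_hz` (0..1).

    For a pure on-bin sinusoid |X[k]|^2 == (N*A/2)^2 while sum(x^2) == N*A^2/2,
    so dividing by N/2 normalises a pure tone to 1.0.
    """
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    n = len(frame)
    return goertzel_power(frame, target_hz) / (total * n / 2.0)


def has_supervisory_tone(frame, threshold=0.5):
    """The question an in-band switch effectively asks of every voice frame."""
    return tone_energy_share(frame) >= threshold


def detect_frames(samples, frame_len=FRAME_LEN):
    """Split a stream into frames and flag those carrying the supervisory tone."""
    frames = [samples[i:i + frame_len]
              for i in range(0, len(samples) - frame_len + 1, frame_len)]
    return [has_supervisory_tone(f) for f in frames]


# --- constructed audio: no real recordings, everything below is synthetic ---
def sine(freq_hz, seconds, amplitude=1.0, sample_rate=SAMPLE_RATE):
    n = round(seconds * sample_rate)
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / sample_rate)
            for i in range(n)]


def mix(*signals):
    """Sum equal-length signals sample by sample (voice and whistle share one channel)."""
    return [sum(vals) for vals in zip(*signals)]


def fake_voice(seconds):
    """Crude stand-in for speech: two low harmonics well inside the voice band."""
    return mix(sine(300.0, seconds, 0.3), sine(700.0, seconds, 0.2))


def constructed_call():
    """0.3 s of 'speech', 0.2 s of speech plus a 2600 Hz whistle, 0.3 s of speech."""
    return (fake_voice(0.3)
            + mix(fake_voice(0.2), sine(SUPERVISORY_HZ, 0.2, 0.5))
            + fake_voice(0.3))


if __name__ == "__main__":
    flags = detect_frames(constructed_call())
    # An in-band switch acts on the flagged frames no matter who produced the tone.
    print(["TONE" if f else "voice" for f in flags])
```

The frame-level flags are exactly what an in-band switch would act on; the detector has no way to learn whether the energy at 2600 Hz came from the far-end switch or from the subscriber's handset.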
All right, so one of the early things: if you think about where we are now, and you think about where we were in the 90s with websites starting, and then you go all the way back to where the internet was first created in '67, you have in there this awesome... So it's an RFC, a Request for Comments, an official RFC, although it's kind of... I think I remember the December issues were mostly the fun RFCs or something. So Bob Metcalfe wrote this RFC, trying to warn people a little bit about the state of security even in these early days of, I can't remember if they called it the internet yet or if it's still the ARPANET. There we go, ARPANET, okay. So I've done a lot of talking; does anybody want to do a dramatic reading of this for us? Doesn't have to be that dramatic: reading words on a screen. All right, go for it. All right, you can do this first one.

"The ARPA computer network is susceptible to security violations for at least the three following reasons: (1) Individual sites, used to physical limitations on machine access, have not yet taken sufficient precautions toward securing their systems against unauthorized remote use. For example, many people still use passwords which are easy to guess: their first names, their initials, their host name spelled backwards, a string of characters which are easy to type in sequence, for example..."

Okay, so why is this... is this still a problem today? Yeah, this is 1973, somebody saying, hey, reuse of passwords is a bad thing, easy passwords are a bad thing. What else is interesting here about this? These are also issues we have today, all of them, right? So "individual sites, used to physical limitations on machine access," right?
That's just what we talked about: it used to be a machine, you only had to think about who had physical access to it, and then you could do things like have the password on a sticky note on the computer, which is not great, but at least if it's random and secure, that's good. But now here you need to take precautions toward securing their systems against unauthorized remote use. Right, this is still a huge problem today. So it's so crazy; it's like, I don't know, a ghost of the future or something coming and talking to us about what's literally gonna be the next problems. What is this, I'm really bad at... so 45 years? This is 45 years ago, is that right? You should never do math in front of a class, by the way, unless you're a mathematician. So yeah, 45 years ago, talking to us about what's gonna be the problem, basically, for the next 45 years. Like, this is still a huge problem today. Do I have somebody for the next part? All right. Just do two, not three.

"(2) The TIP allows access to the ARPANET to a much wider audience than is thought or intended. TIP phone numbers are posted, like those scribbled hastily on the walls of phone booths and men's rooms. The TIP required no user identification before giving service. Thus, many people, including those who used to spend their time ripping off Ma Bell, get access to our stockings in a most anonymous way."

"Including those who used to spend their time ripping off Ma Bell": phone phreakers, right? Deliberately talking about the phone phreakers. And what's the essence here? I actually have no idea what TIP stands for; I can guess from context, but what's the core idea here? What's the problem?
Yeah, how it allows access to the ARPANET to a much wider audience. Yeah, with no user identification before giving service. Exactly. So this is a way that they probably created for them to get remote access to their systems, but because there's no remote authentication, and because you can access these things over the phone, you can get access to these systems. I believe, I'm not 100% certain, this is what gave rise to the war dialing phenomenon, where people would set up a modem to dial a bunch of numbers, seeing if there was a machine on the other end, and if there was, it would let them in through this. If you haven't seen WarGames, you should see that movie, because it's awesome, and because war dialing is actually a core component there, and the hacking things are actually really good there. So yeah, and they're shared; so there's actually a couple of different... nowadays there's proxies that are shared like this by criminals that will proxy your traffic from one system to another. They'll share these to hide their tracks. All kinds of cool stuff. Anyone want to do number three?

"(3) There is lingering affection for the challenge of breaking someone's system. This affection lingers despite the fact that everyone knows that it's easy to break systems, even easier to crash them."

So what's interesting here? You knew people would just do it for fun. Yeah, yeah, that people are doing it for fun, right, and they're doing it for the lulz. And also, you know, I think the last sentence is also key to the thing here. Yeah, so there's two different things, right: "everyone knows that it's easy to break systems." There's already the idea that security wasn't important; that was already present back in '73, and it still exists in a lot of places today. You think about IoT devices, you think about even a lot of firmware-type things.
I mean, these are all things that are still true today. And then the other thing is this notion that we talked about, like confidentiality, integrity, availability: "even easier to crash them", right? So it's kind of almost saying like, I don't know, it's a little bit like, oh, the noobs just crash systems, but the really skilled people know how to like break into systems, right, without causing them to crash. So yeah, so this I think is one that actually has probably aged the most. There's still a lot of this, like there's still the idea that a hacker, I think, is still cool, but nowadays a lot of the security problems come from people who are financially motivated, right? They don't actually care about street cred or, you know, whatever, building up credibility. What they care about is getting money, right? And so that's, it's kind of a sad thing in some sense, but yeah, I don't know, I think this is interesting. Oh, cool. Okay, so I guess we have one more, and I'm gonna, you think you're ready for it, to finish up number three? Yeah, thank you. "All of this would be quite humorous and cause for raucous eye-winking and elbow nudging if it weren't for the fact that in recent weeks at least two major serving hosts were crashed under suspicious circumstances by people who knew what they were risking. On yet a third system the system wheel password was compromised by two high school students in Los Angeles, no less. We suspect that the number of dangerous security violations is larger than any of us know. You are advised not to sit and hope that St. Nicholas would soon be there." Okay, so a couple interesting things that I'll point out. So the wheel password: on old systems, wheel was the same thing as root, so the same thing as administrator, the person who had access to everything. Group, maybe? Yeah, I'm not really certain, but the important thing here, I mean, except to translate that and give that context. So (a), the number of dangerous security violations is large.
Why is the number larger than they know? These three things are just the reported stuff, which is a classic security problem. You'll have people that will claim to you that, because they don't, I mean, they'll claim that they're not being hacked. And you say, why? Well, we've never seen any hacking, nothing, nobody's hacking us. You're like, are you really looking hard enough? Like, if you're not, it's very easy to not. And actually this prevents some companies from putting something like intrusion detection in place, because then they have to deal with it, and they actually know that things are happening, right? So oftentimes ignorance can be bliss, especially in security. Other thing I like about this: it's like he's freaking out that three systems were hacked into, right? Like, as a percentage of all the hosts, I guess that's a lot. But you think about now, would I write an article because three systems were hacked into in like a two-week span? Probably not. Which, I guess it depends on which three. I guess if you hacked into, maybe simultaneously, Apple, Amazon, Google, and shut them all down, that... A credit bureau, yeah, okay. Cool. And so what he's trying to say, right, is that, hey, look, like, yes, this is kind of a cool underground thing, it's not seen as super serious, but serious things are happening and it's going to be a problem. Which is highly, highly, very good predictions of the future, because this definitely came to pass. Cool, any other questions? Which led to one of the coolest incidents that I love talking about: it's the German hacker incident. So to paint the picture: 1986, still before the World Wide Web. Cliff Stoll was a system administrator at Lawrence Berkeley National Labs in Berkeley, so this was in the Berkeley labs. He was a physics student. He was not a computer scientist. On his very first day, so think about, has anybody had a job where they start their first day? You do like probably training and other stuff.
I don't know. So on his very first day, he starts investigating. So he was in charge of, an admin for, I want to say a VAX machine, but I actually don't know if that's right, but some kind of shared computing machine, and you had to pay, like every account was charged per CPU cycle or whatever that they used. He found out that there is a 75 cent discrepancy between CPU time used and accounts billed. Put yourself in that situation. I don't know that I would look into a 75 cent discrepancy. I don't know about any of you. Maybe if it's your first day, I don't know. For me, I'd just be like, oh, that's weird, and you just like keep going on with your life, right? Luckily, he did not. So he found out that an account was created with no billing address. So how could you bill them? The billing system couldn't bill it. So he started digging in more, and he found out that there was an unauthorized account on his system, which is crazy. So at this point, what do you do? You're an administrator. Delete the account? Depends on the policy. This is the '80s, '86.
There's no policy. Look at the logs, or even thinking about how we got in, look at the logs to figure out how they got in so that you can try to fix it, right? That would be one way. Right, so this was a little bit before a honey trap, and I think the system that they're using is probably many hundreds of thousands of dollars, so you can't just make a separate one. But you can try to find and try to figure out what the attacker is doing, right, to get more information, maybe find out who they are, especially if they're maybe calling into your system through the phone network. Maybe you can do that phone trace. So I'll link to it at the end here, but there's a whole book here called The Cuckoo's Egg, which I highly recommend if you're interested in this stuff. So if you'd like, go get it, read it, buy it. It's a super good read, and it's written by Cliff Stoll, so it's like a firsthand account of what happened. And so he wanted to figure out what was going on, so he did all those things except for delete the account. So he investigated the logs, figured out technically how this was happening. He started contacting people because he had no idea what to do. He eventually contacted and got a hold of the FBI in order to say, hey, this is happening. And he had this whole system set up to monitor what this person was doing on the system. So what he found out was there was a configuration problem in Emacs, where Emacs, as it was installed, would work as a mailer, so it could be used as a mail system, and it would move a user's email from /var/spool/mail, where all the mail would come into the system, to their home directory. You'll get into it later, but so this is actually, so Emacs itself was fine, there's no vulnerability in Emacs, no vulnerability in this; the problem was with the configuration. So the LBL administrators before Cliff, because he just started, right, maybe as well, they needed the movemail to have root privileges.
So they had it as setuid, and basically this allowed anybody to use movemail to move files to any directory of the system. So the hacker exploited this bug to substitute his own copy of one of the utilities on there, in this case the atrun program. So after it executed, what it would do was copy the original program back. So it replaced itself with the old one, so that way the attacker could get in. So he got administrative access, he broke passwords of other user accounts, he created accounts, he created backdoor programs. I can say "he" because we find out who it is later. And then Cliff started seeing that he used the LBL to connect to military systems in the MILNET, because LBL worked a lot with the military on a lot of things, and the military sites, so this is '86. So again, those hackers coming into the LBL machine and then from there connecting to MILNET computers, and everything's in the clear. So Cliff can see everything that's happening on those remote systems as well. And so he sees that this person is searching for SDI, which at the time was the keyword that referred to the Strategic Defense Initiative, stealth, SAC, Strategic Air Command, nuclear, NORAD. At this point you should freak out if you're Cliff Stoll. Right.
Yeah, at this point he was talking to the FBI, but then he had, I can't remember the exact details, but he basically like started talking to Air Force, Army people about like what was going on, because he's like, this is way above my pay grade, like I'm involved in all this kind of craziness. And so yeah, this is when he called the FBI, because he was freaking out. So with the help of the FBI, what they found out was they were actually able to trace the person to Hanover, to a university there, and eventually, by working with, he worked for that, so they found a hacker, Markus Hess, who worked for the Eastern Bloc, that was using machines to break into university, like LBL machines, and then obviously that, and then trying to steal basically military information and military secrets. So yeah, so anyways, so the book, highly recommend it. This is super, this is like a firsthand account of basically like nation-state cyber espionage in 1986. So it's kind of on you to read this and then start projecting into the future about what things are likely like now, which is super cool. Yes, so because it wasn't, I don't think... A year and eight months. Yeah. So this is also, I don't remember all the details here about who he was arrested by, prosecuted, where he served the time, because that's not really relevant to the story. But it is a little bit, in the sense that, as we'll see, they don't really know what to do with people with... they don't know how to prosecute these kind of, like, cyber, like what we would call cyber crime now. They didn't know what to do with these people because there were not really any laws in place. Cool, highly recommend this book, it is amazing. The next famous incident I want to talk about is the internet worm, which is super fun. So in 1988 was the first internet worm. So what's a worm? Did we talk about that before? I don't think so. What's a worm?
Yeah, so it's some kind of, essentially, say malware, malicious software that, yeah, exploits vulnerabilities in others. So it scans somehow local systems, identifies vulnerabilities in them that it knows about, exploits them, copies itself over to them, and runs a copy on that system, which will scan its local network. So it spreads and worms itself basically throughout the network. So this is actually a super interesting story. So 1988, the internet worm, which eventually, as we found, we'll find out, was developed by Robert Tappan Morris, whose hacker alias was RTM, was released. So there's a lot of different versions of this story. One story is that he was, I believe, honestly a student at MIT, but I don't remember a hundred percent, I think that's right, was working on, you know, just developing a cool virus, and then it accidentally got out. And it was like a total accident, right? Just doing something for fun in your own network and then an accident, it accidentally gets released. There's one problem though. So it did have this ability to, it would do crazy kinds of stuff where it would scan the network, look for other machines. It would scan the, I think it would parse like /etc/hosts, it would parse any trusted hosts to figure out what are the hosts that this machine trusts, try to propagate that way. But one problem it had in there, I think, was checking if it was running. So if you, so you think about any type of virus or worm, like in a biological sense, right? If you're already infected, you don't want to like infect people again, especially in a computer system. You don't want a thousand copies of this worm running.
You only want one. But I believe there was a mistake in there where it would like continually, like, take over everything, and so all that would be running were copies of this worm. So the internet had to be turned off, is what happened. And this was such a big deal, because what happened is your computer would get connected to the internet and then it would just like halt, because you have so many copies of this worm running. You can't do anything. You can't even patch it. So they had to distribute patches, and then they had to shut off, coordinate, again shut off all the machines on the internet, fix them, and turn them back on. And I believe one of the cool things about this worm was that it was actually a multi-architecture worm, because instead of copying over its binary, it would copy over its C source code and then compile itself on the new system and then run that new copy there. So it's pretty sophisticated, and it used a number of different vulnerabilities, as we'll see, but it was super cool. So the damages were estimated on the order of like a hundred thousand dollars, which back then is actually, I mean, it's a decent amount of money. So RTM was sentenced to three years probation, a $10,000 fine, and 400 hours of community service. An interesting result of that, you may have heard of CERT, the Computer Emergency Response Team. So there, what they realized was that there's no coordinated way to deal with this, right? Basically, I mean, think about it: at the time in '88, the entire US computing infrastructure that was connected to the internet was down, but there was nobody to try to coordinate things of how to release patches. This was all done probably offline through telephones, would be my guess. And so CERT was basically created as a direct response to this, to say, okay, what do we do in these situations?
And so they'll do things like, when there's a new security vulnerability, they release a bulletin. They'll tell people how to patch and how to like stay safe. So the worm itself: so it worked on Sun 3 and VAX machines running BSD UNIX. The worm had two parts. The first part had a buffer overflow in fingerd, the finger daemon. So finger used to be this protocol, basically, if you want to ask something about a user on a remote system, you would run this command, which would do this protocol and give you information about them. And as you'll eventually see when you study buffer overflows, this is a classic buffer overflow. So this is a local buffer on the stack of size 512, and then calling gets. So gets reads until, what is it, a newline or... It's a newline. Yeah, so if you put in more than 512 characters, you're now overwriting memory on the stack, which you can use to corrupt and execute whatever you want. It also used a vulnerability in sendmail. So sendmail had this debug option. Has anybody managed a mail server before, like an SMTP server? Good, never do that, it's terrible. Because configuring those, not, I mean, now it's terrible because of having to not have your thing flagged as a spam bot, but in general it's super difficult to debug. So there's this nice feature that you can say debug and run a command, and it would just execute that command. Just clearly bad. This is a built-in backdoor. And so you use these, transfer the C code, compile it, run it, and then... Yeah, I think most, I think it was a fair assumption back then, because you basically needed... So in order to propagate, the main program gathered, basically looked at all the interfaces, looked at all the open connections, so what machines was this machine talking to? Tried to break into each of these hosts using rsh, which was the beginning, I believe, of SSH, right, again, remote shell, finger, or sendmail.
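The fingerd bug just described, shown as an added illustration that is not code from the lecture or from the original fingerd: a request line copied into a fixed 512-byte stack buffer with no bound (the gets pattern), beside a bounded replacement that always terminates the string and refuses over-long requests instead of silently truncating. The buffer size 512 comes from the lecture; the function names, the request-handling wrapper and the sample inputs are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FINGER_BUF 512   /* the fixed stack buffer size the lecture mentions */

/* Vulnerable pattern (illustrative, modelled on the fingerd bug): copy the
 * request line into the caller's fixed buffer with no length check, which is
 * exactly what gets() did. Anything past the buffer's end overwrites whatever
 * sits above it on the stack. Only ever call this with input you control. */
static void read_line_unbounded(const char *input, char *out) {
    while (*input && *input != '\n')
        *out++ = *input++;
    *out = '\0';
}

/* Hardened replacement: copy at most outlen-1 bytes, always NUL-terminate,
 * and return the line length, or -1 if the line did not fit. A daemon should
 * reject the request in that case rather than truncate and carry on. */
static int read_line_bounded(const char *input, char *out, size_t outlen) {
    size_t i = 0;
    if (outlen == 0) return -1;
    while (input[i] && input[i] != '\n') {
        if (i + 1 >= outlen) {       /* no room for this byte plus the NUL */
            out[0] = '\0';
            return -1;               /* over-long request: reject it */
        }
        out[i] = input[i];
        i++;
    }
    out[i] = '\0';
    return (int)i;
}

/* Handle one finger-style request (hypothetical wrapper, not the historical
 * daemon). Returns 0 when the user name was accepted into 'user', -1 when
 * the request was rejected as over-long. */
static int handle_finger_request(const char *request, char *user, size_t userlen) {
    char line[FINGER_BUF];
    if (read_line_bounded(request, line, sizeof line) < 0)
        return -1;
    return read_line_bounded(line, user, userlen) < 0 ? -1 : 0;
}

int main(void) {
    char user[FINGER_BUF];
    char oversized[FINGER_BUF + 64];   /* constructed: longer than the buffer */

    /* benign input is fine even for the unbounded version */
    read_line_unbounded("alice\n", user);
    printf("unbounded read of benign input: %s\n", user);

    memset(oversized, 'A', sizeof oversized - 2);
    oversized[sizeof oversized - 2] = '\n';
    oversized[sizeof oversized - 1] = '\0';

    printf("normal request: %s\n",
           handle_finger_request("alice\n", user, sizeof user) == 0 ? "accepted" : "rejected");
    printf("%zu-byte request: %s\n", sizeof oversized - 2,
           handle_finger_request(oversized, user, sizeof user) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of returning -1 rather than truncating is that a truncated request is still a signal worth logging: a client sending more than 512 bytes to finger is not a legitimate lookup.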
So it actually, so it didn't even need to use these vulnerabilities if it could actually just log into those remote systems. It gathered information on all the trusted hosts, because a lot of things that would happen is people in those days were tired of typing in passwords. That still exists today. So you go into one machine, you type your password to log in, and then you need to remote log into another machine, so you type that machine's password. So instead of doing that, what they'd say is, hey, this IP address is a trusted IP address, so if I were to log in from there, trust that IP address. And so those were specified in this .rhosts file: these were the hosts that you trusted. So then you could just rsh into those hosts and log in with no problem, to propagate the worm without even needing any vulnerability. And it would then perform password cracking. So this was like a fully featured worm, right? It's not just one vulnerability to propagate and spread: multiple vulnerabilities, unpatched vulnerabilities, using this rsh trust, and trying to crack all the passwords of all of the other users on the system so that it could log in as them and get their hosts and try to propagate from there. Pretty crazy. So you can read more about this here. The interesting thing is you don't have to feel super sorry for RTM. There's a couple interesting things there. I believe his dad at the time was, I want to say, very high up in the NSA. I think that's a true statement. He also ended up being a professor at MIT. And you may also have heard of Y Combinator, the startup incubator.
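The .rhosts trust the worm rode on is a file an administrator can audit, so here is an added example, not code from the lecture, that reads a .rhosts file and flags the entries that grant trust to a wildcard host or user; the worst case it reports is the "+ +" line, which means any user from any host and comes up again later in the lecture in the Mitnick story. The sample file contents are constructed, the function names and the severity numbers are my own, and the format assumed is the one the lecture describes: a host name, optionally followed by a user name.

```c
#include <stdio.h>
#include <string.h>

/* Classify one .rhosts line. Returns:
 *   0  ordinary entry (specific host, specific or implied user)
 *   1  wildcard host or wildcard user, e.g. "+ alice" or "lab1 +"
 *   2  "+ +": any user from any host, i.e. no authentication at all
 *  -1  blank or comment line, nothing to audit
 * Severity numbers are this example's own convention. */
static int rhosts_classify(const char *line) {
    char host[256], user[256];
    int n = sscanf(line, "%255s %255s", host, user);
    if (n <= 0 || host[0] == '#') return -1;
    int host_any = strcmp(host, "+") == 0;
    int user_any = (n == 2) && strcmp(user, "+") == 0;
    if (host_any && user_any) return 2;
    if (host_any || user_any) return 1;
    return 0;
}

/* Walk a whole .rhosts file held in memory, print each risky line with its
 * line number so an administrator can find it, and return the worst
 * severity seen (0, 1 or 2 as above). */
static int rhosts_audit(const char *contents) {
    int worst = 0, lineno = 0;
    const char *p = contents;
    while (*p) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;   /* clip, never overflow */
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        int sev = rhosts_classify(line);
        if (sev > 0) {
            printf("line %d: %s  <- %s\n", lineno, line,
                   sev == 2 ? "ANY user from ANY host" : "wildcard trust");
            if (sev > worst) worst = sev;
        }
        p = nl ? nl + 1 : p + len;
    }
    return worst;
}

/* Constructed sample file: two ordinary entries, one wildcard-host entry,
 * and the "+ +" line. Host names are placeholders. */
static const char SAMPLE_RHOSTS[] =
    "# hosts allowed to rsh in without a password\n"
    "lbl-vax.example alice\n"
    "xterm1.example\n"
    "+ alice\n"
    "+ +\n";

int main(void) {
    int worst = rhosts_audit(SAMPLE_RHOSTS);
    printf("worst finding: %d\n", worst);
    return worst ? 1 : 0;
}
```

Run against the constructed sample it reports lines 4 and 5 and exits non-zero, which is what you want from a check that runs in a cron job or a configuration-management pipeline: wildcard trust anywhere on the host is a finding, not a warning.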
Yeah, he helped co-found that. So he's doing fine. But it's a great like insight into the kind of very first worm and very first, you can think of it like, internet scale crisis, where like everything's going down, everything's being attacked, and nobody knows what's going on or how to fix it. So there's a lot of good resources out there about reading about the internet worm that I recommend you check out. Cool, questions so far? Think about back then, like, it's crazy, like just like vulnerabilities everywhere, like you can't even, I mean, and that's kind of a lot of what Metcalfe was talking about. It's like, yeah, everyone knows all these problems exist, but until you actually have these incidents, it really doesn't solidify in everybody's mind. They're like, oh, we should be fixing these proactively and not just trusting people not to do bad things. Was there a reason, if he was a college student, he didn't report some of these errors as soon as he found them? I think it was in the interest of seeing what he could do with them. I don't know, because I don't know him and don't want to put words or thoughts in his mouth. In my opinion, that culture didn't exist at the time. So I think if you found something like that, there would even be no, like, who do you even talk to, like? So yeah, it wasn't really this culture of, oh, patch this thing, or, oh, I found some vulnerability in your whatever. Like, I don't know.
It was very much, I think, less of that than there is now. Like now you'd be like, why would you do that? The exact, I would say like, why wouldn't you tell them so they could fix this? And now there's so many nice ways to have private networks if you want to do something like this, but you definitely need to do it very carefully. So, cool. Okay, so going on, so now we're gonna talk about one of the kind of most famous or well-known hackers, so Kevin Mitnick. He, yeah, okay, so he has a crazy history. So he got put on one-year probation for trying to break into some offices to try to get some things, and then he enrolls at USC to use campus machines to perform illegal activities, which got him six months in juvenile prison. He then breaks into a really large company, SCO, which got him a three-year probation. He's expelled from Pierce. He breaks into DEC and steals software. He's caught by the FBI. He then violates probation and goes into hiding. He had a one million dollar warrant out for his arrest. He was accused of invading the San Diego Supercomputer Center while apparently in hiding, on the run, and this attack is super cool. So the warrant was issued by the Department of Motor Vehicles? I don't know, that's a good question. Was it an Al Capone thing, that was all they could get him on? Maybe, I don't know, I'll have to look that up. That's an interesting point, thanks. So one of the cool things technically about this SDSC attack was it was an incredibly sophisticated, for its time, TCP spoofing attack. So basically, let's see if I have a good... Okay, so essentially what happened is, and this is something that I think you'll get into when we talk about network security.
So essentially there were two hosts in this system that trusted each other. So one was the server, which had a boot image, and the other was this X terminal. And the idea was this X terminal allowed unauthenticated logins coming from the server. So if you can spoof being the server, you could log in and do whatever you want to the X terminal. As you'll eventually see, TCP has a lot of reasons why this is actually difficult to do, because it uses sequence numbers, and so if you can't see that communication, you have to basically guess and spoof that sequence number. But he was able to pull it off, so he did it. He did a denial of service attack against the server, so you basically take the server down so it doesn't respond and say, hey, what are you talking about? We're not talking, like, stop talking to me. He then impersonated the server with respect to the X terminal, and then he executed basically the equivalent of an rsh to the X terminal. So this is: go to the X terminal, basically just like I said, and do echo + + to /.rhosts. So what we talked about, so .rhosts is this trusted file, and I believe + + means accept any login from any remote system in this rsh format. So by doing this, because you only have to get this once, right, so you can continually try. Once this happens, then you can log in to this X terminal system without any password or anything, because he's been able to execute that one command. So it's actually, and apparently I didn't realize this until I started digging in more, but apparently it's a bit of a controversy if he actually did this or not, or if it's somebody else and he's like claiming credit for them. I don't know, it's super weird, but check out this link if you want to learn more about this, because it's a cool, interesting story. He was finally found, so the Department of Motor Vehicles got their man, as they always do, and the FBI arrested him. He served 46 months in prison, and then he was finally released in January 2000 with a
probation that forbade him from connecting to the internet or sending email. Crazy. And so in 2003 he could finally start using the internet. He's on Twitter if you want to follow him on Twitter. He still goes to hacker conferences and stuff. And kind of the cool thing is, he became like a folk hero for hackers. Yeah, I would say it's probably the standard thing of like five years, released after prison from five years, and then his probation was probably for three years. Yeah, and then the math here, I don't know, like prison math is different, right? It's true, you can be sentenced to something for a year but only serve, you know, six months or whatever, right? I don't know, at least that's what movies tell me. So the interesting thing about Kevin Mitnick is he became kind of an underground, basically like a hacker folk hero. And so one of the things, so when you talk about when hacking used to be this kind of like for the lulz and this cool thing, is you'd hack into it. So this is, I think this is id's website, id Software, the people who made Quake. So one of the things you'd do is break into people's web servers, deface their web server to do something like "Free Kevin now". So this was somebody, some hacking crew, broke into this website, replaced the default HTML with "Free Kevin Mitnick". So this was like a thing embedded in hacker culture through the early '90s, or early to mid, I guess, on to late. So a more recent one, which I love talking about, is Albert Gonzalez, and he serves as a very good warning. So this is Albert. Don't be like Albert. He and his crew used, what, another thing you'll learn in the class, SQL injection vulnerabilities to steal credit cards. They stole about 170 billion credit cards, which is a lot. They were responsible for Dave & Buster's, so they broke into basically all of Dave & Buster's, TJ Maxx, Heartland Payment Systems.
This was a cool thing. They actually got into a credit... But when you start thinking like a criminal, what they would do is they would first start driving around to various like retail locations, like TJ Maxx, find an unencrypted Wi-Fi that they could just log into. They'd log in, they'd be on the corporate network, and from there they'd propagate and find the machine that was processing credit cards, or had processed credit cards, use some vulnerability to steal those credit cards. They realized that all those credit cards go through payment processing companies. So what if we get inside there? Then we can steal all those credit cards that are going through the payment processing company. Which they did, and which is how they stole roughly 170 million credit cards. And you can see maybe the evolution in punishment, because they were found, arrested, tried, found guilty, and on March 25th he was sentenced to 20 years in federal prison. I also like this story because there's a Rolling Stone article about this, on the fast times and hard fall of the Green Hat Gang. So that was their gang thing. And I just read the very start of this: "They'd been high all weekend long on ecstasy, coke, mushrooms and acid." So they were like not just a hacking crew, they were apparently a hard-partying, crazy hacking crew, spending their money on drugs and hotels and stuff. So it's super crazy to read about, but they all went to jail. Don't do bad things. What we'll talk about next, another really, this is actually a very sad story, but it's a good example of a different type of threat.
So this person, Vitek, he, so he was, I believe, a system administrator in this Australian Queensland sewage system. He was let go from his job, but his credentials to the systems were not revoked. So, being the very upset employee that he was, he went on to the physical sewage systems and released the gates to release sewage, I think into the ocean, which then went onto the beaches and like caused not just, like, for all the tourists and the hotels that are on the beaches, but also like ecological problems with wildlife and stuff. So, yeah, crazy. Hundreds of thousands of liters of raw sewage. Really insane when you think about it. Marine life died. It was terrible. He was convicted of 30 counts of hacking their system, and he was sentenced to two years in prison. So this is the Australian legal system, I can't really comment, I barely know the American system. So this is a super interesting example of like an insider attack, right? So this is somebody who used to have access, who, because you had bad controls in place of when to terminate their employment and terminate their credentials, they got into the system. So how long do we have? Fifteen? Okay, perfect, thank you. Okay, other things: web defacement, as we saw with the id thing. There's a lot of worms that were flying around in the early 2000s. So basically what happened is Microsoft Windows was full of holes that were basically remotely exploitable, so people would, all these ones, Slammer, Blaster, Code Red, these were all worms that would take advantage of Windows software. Blaster's author was an 18-year-old, which was kind of crazy. And okay, I want to talk about something else real quick, so I'm gonna skip that last part. Cool, ethics, ethical hacking. So I just hopefully scared you about jail, about all of those people who went to jail. So, okay, is this a class on hacking?
Yes, this is a class on hacking. Hacking is not a bad word. I think Eugene Levy has a really good book, I think it's just called Hackers, which kind of traces the origin of this term hacker, which really originally, what actually has two meanings. One, well, when you talk about a hack, a hack can be either something that's like so ugly but works, and it actually comes from MIT, I think it's like the Model Railroad Club, because they would do, I don't know, I guess model railroads can be super complex with all kinds of switching. And so if you wired something up in like a really ugly way, that would be called a hack. But if you also figured out how to make things work in a way that they shouldn't, that was called like a hack, but like a cool hack, like, wow, what a cool hack. So hacker kind of has the same meaning. It has a lot of connotations. In the popular media it's very much seen as a negative thing. Okay, so this is what people usually think when you look at a news article: a hacker, so like somebody in a hoodie touching a screen for some reason. And oh, this is, so these are all, this is a movie you should watch, you should watch Hackers. I watched that actually recently. I think this, this looks like The Matrix. And then Mr. Robot. But this is more like what a hacking team looks like. So this is Shellphish, from I can't remember what year. Okay, so this is in their hotel room during DEF CON CTF, playing in the CTF. So it's just people on their laptops in a network. So, oh cool, so yeah, so it actually backs up what I was saying, that's awesome. So yes, and then hacker started from this crazy model railroad thing, but those same people were the first people who had access to computer systems in the '60s, and then the term hacker kind of got this computer wizard connotation. And it was one of those things like, you're not a hacker unless a hacker called you a hacker. So you have to kind of wait for that, and you can't be... Okay, good.
So, and, but it's really, I mean, now it's kind of, so you do have to be careful, and this is just a real thing. You have to be careful when you talk about yourself, and know your audience. So if you're going around bragging that you're such a cool hacker and you're in this hacking class, people will probably get the wrong idea. So a couple things: you can use the term ethical hacking, which is a nice catch-all. You put the term ethical in front of it, because that is what we're doing, and I'm teaching you about ethics now. Otherwise you can say, I don't know, computer security or something like that. That also works too. So, okay, so ethics. Talking about this: is malicious hacking legal? No, it is definitely not legal. So you cannot hack into something that you do not have permission to. So it's very, very, it's actually very simple. Thank you. Do I own this system? If the answer is no, then don't do it. You can think, do I have permission to break into this system? If the answer is no, do not do it. We live in a day where there are Docker containers full of every software that you can run on your system. You have a virtual machine. Any software that's running on your local machine is fair game. You can do whatever you want to it, but once you start trying to run stuff against other people, that's definitely where it crosses a line. An important thing to discuss is, so why is it important to discuss vulnerabilities and how they're exploited? So they can be fixed, right? Because, you know, you are all very smart; if you find an unknown vulnerability, it is likely that you are not the first person to find that. But that other person may not have told anybody about it and may have sold it to some government, where they're using it for whatever, or sold it to underground hackers who are using it to compromise people's computers to steal their usernames and passwords. So that's why I think it's important to try to share that information. So avoiding jail is easy.
Don't do anything illegal. Don't do anything illegal and then say you learned it from Fish or I in this class. I mean, definitely don't do that, because I have documentation that I'm doing this to you right now. So basically, like I said, don't hack into a system you don't own or have permission for. If you find some super awesome remote Mac zero-day that gives you remote execution on somebody's machine, you can't just run that against anyone in this class and be like, oh, that's part of the class. If you ask them and say, hey, I have this thing, is it cool if I try it against you, if they say yes, then you can do it. If not, don't do it. The odds are, just don't do that. If you find something like that, tell Apple. I don't actually know if they'll pay you, but that information is worth a lot of money. So they do have a bug bounty, right? I didn't want to explain that without knowing for certain. So there's open source, there's so much open source code out there. If you want to find bugs, go start looking at open source code, start running it on your system, start analyzing that for vulnerabilities. The other cool thing, and especially nowadays as opposed to like the '90s and mid-2000s or early 2000s, is that there are a ton of websites and systems out there that have bug bounty programs. They will pay you for telling them about security bugs. The other cool way is become an academic like us. So oftentimes we do vulnerability analysis, because an important research question is how prevalent is this in the real world, and so to answer that we may have to do a scan, which is not something I would ever recommend one of you do. But if you're doing it as part of research, we can do it ethically. We can get IRB approval. We can make sure that we put safeguards in place so that you're covered. So there's a lot of websites that have bug bounty programs: Google, Facebook, AT&T, Coinbase. Check these out.
Please follow their terms if you ever do this. There was a Facebook incident where a researcher found the ability to post on anyone's wall. Would you agree that that's a security violation? Yes. Yes, very bad. He tried to report this to Facebook's security team. Because of a language barrier partly, English wasn't his first language, there was a breakdown, so he decided to post on Mark Zuckerberg's wall to get attention about the vulnerability. And ultimately, so Facebook has a policy, a bug bounty policy, where they say, hey, here's a sandbox Facebook site, you can do whatever you want there. Just don't, unless you can't do that vulnerability in the test site, then don't mess with the real site. And he didn't follow that, so they didn't give him his bounty ultimately. And so here's the thing where he, this is him writing on Mark Zuckerberg's wall, and it was fixed within three hours. So anyways, okay, I'm gonna let Fish take care of this because I think we're over. Okay. Yeah, I'll stop here. All right.