First, I'd like to thank you all for coming. I'm Greg Conti, and I'd like to talk to you about the idea of denial of information attacks. In one sentence, the idea is attacking humans through the computer system: not attacking the computer system, but attacking humans through their computer system, and how we can counteract that. And here's one example: large shark. Currently I'm at Georgia Tech, but I'm also in the Army, and I'm here as a free citizen and not as a representative of the government. So, more specifically, denial of information attacks attack you, the human, and try to consume the limited resources that you have. If you contrast what you can handle versus what your computer can handle, in certain categories you'll fall over far faster than your box will. So if it slows you down or alters your decision-making, then that's a denial of information attack occurring. So I think the best example is spam, and I won't ask you, but just consider how many of you have deleted email based on, say, a subject line that you shouldn't have, or you've opened email that you shouldn't have. And I know when I talked with my wife about this, we thought it was probably... or you guys are at the leading edge, so when spam first started coming out you probably figured that out pretty quickly. But who's received, and I'll ask for a show of hands, who has received a frantic email from a family member about some virus email that they received, or some knows if you're local tech support for you or your family or friends? Who's received emails like that? Pretty much, you know, almost the whole room.
So I think spam is an example. I mean, consider how much time have you wasted on spam. And these are just examples. So what I'm trying to do with this problem is look at the bigger picture and look at the structure around it, and then how people are defending it, and defenses, to just add some structure to the domain. I take one step back. And there are some interesting statistics that just recently came out of the University of Indiana, I'm sorry, Indiana University, about phishing. What they did is they went to social networking sites like Orkut and found out who was friends with whom, then they used that information to send out a phishing email to college students. They sent them out to 500 people, but with the return address of a friend. The emails were just like, "Hey, check this site out." It gave a generic link off campus. That link prompted them for their credentials, or user ID and password, from college. And they were 72 percent successful. And the students were very mad, but there are some interesting statistics if you take a look at the gender. If a male sent an email to another male, only 53 percent of them fell for it. You can see where we're going here. If a female sent an email to a male, it went up from 53 to 68 percent. Female to female, 76 percent. And then, they live in a different world than I do, but male to female, 78 percent of them fell for it. So on average it was 72. So male to female was the worst category, but I thought the real insight there was using that social networking information. So I don't want you to confuse this with denial of service attacks. This is a recent innovation from a major operating system manufacturer. They've evolved from the blue screen of death to the red screen of death. This is from Longhorn.
I guess it's Vista these days. Anyway, back to the... it's not what you consider denial of service, where you're consuming system resources: RAM, hard drive space, processing power. You're consuming the human's resources; that is the key difference. And it's compounded by the idea of information growth. I mean, information is being generated at a prodigious rate, and this study is very, very good. And I'd also like to mention I personally hate bullet slides, so I have very, very few in here. But in the slides on your disc, on the con CD, I've included an extended version that has more information, with links and things. Anyway, I just wanted to highlight one of these. This is a study coming out of Berkeley from 2003 entitled "How Much Information?", and it's a very good study, except it's like 150 pages, which again is information overload. But the surface web at that time they estimated was about 170 terabytes, or 17 times the U.S. Library of Congress print collection. So a tremendous amount of information in 19... I'm sorry, 2003. And that's just the surface web, not the dynamically generated web. So we just talked about spam attacking primarily your cognitive decision making. Well, there are other attacks that attack your perception. All right, I had this on a web page. How much work can you get done with that sitting on the web page blinking? Right, so that was on a real estate web page. I had to slide it off to the side to be able to get any work done, and it just makes me mad. I wanted... you know, what were they thinking? Who's going to go out and buy coffee based on that? So we talked about cognitive resources and perceptual resources; then we have motor resources. And the idea then, if you go back to the denial of information attack: if you're slowing the human down, you're beginning to win. If you're sending them in the wrong direction,
You're beginning to win. Motor resource attacks often slow you down. You have to stop what you're doing, grab the mouse, click the pop-up, and get back to what you were doing. And I thought this example from Hack Proofing Your Network again gives an insight into the idea of the decision making by the human versus, you know, the decision making by the computer, and I'll read it for those in the back: "In the end, all the power of the intrusion detection system is ultimately controlled by a single judgment call on whether or not to take action." So if you can get into that decision-making cycle, you can affect major outcomes. I thought it was also relevant to look at information flows. So consider signal being what you're looking for: if you're out on the web, for example, or in any information space, you're looking for certain information. That would be the signal. Noise would be everything but what you're looking for. So the best case would be signal very high and noise very low. So that's the best situation. So what you're trying to do is increase your signal-to-noise ratio. If you consider a small amount of signal and a small amount of noise, it's still manageable for humans. So you can look at this list of 10 things; maybe if it's 50/50 you can still pick out what you're looking for. Some Google results are like that. But it starts getting worse when you have low signal to noise, and particularly when you have a lot of noise and a little bit of signal, what you're looking for. That's the domain of the denial of information attack. And then you start getting into denial of service: if you have lots and lots of information, then you start overcoming your computer's resources.
So that's more the denial of service attack. So consider this web page, and this is weather.com. I started going to specific news sites and then I thought I'd get in trouble for whatever one I chose, so I thought weather would be safe. So say you went to this website to get something done, and I actually tried to do this to find out Las Vegas weather. Yeah, I mean, hot and dry. What was I thinking? But anyway, say you came to this site, putting your signal-to-noise ratio goggles on, and all you wanted was, you know, the United States weather and some basic weather information. All of that is noise. Okay, so just a tremendous amount, and I know there are some plugins for various browsers that help. But the idea is, if you can just get down to the signal, it's a tremendously better experience. So besides the idea of the signal-to-noise ratio, the keynote speaker at Black Hat was Gilman Louie, who also mentioned this. He is the CEO of In-Q-Tel, which I think is a CIA startup-funding venture capital company. Pretty interesting. But anyway, he mentioned the OODA loop, and the OODA loop was observe, orient, decide, and act. It was developed by a Colonel John Boyd, who was in the Air Force, and this came out in the 60s, about how fighter pilots make decisions. And if you could make your decisions faster than the other person, you could go through this cycle, then you win. So consider if you're in a certain situation, or even looking at a web page, or looking at logs: you have to observe the data. Or even your email is probably the best example. You have to observe your email, and after you observe it and orient yourself to it, then you have to decide what do I do. And if it's a puzzling subject line, you spend time, you're wasting time, you're slowing down this loop. And then after you do it, you have to act, and typically action requires some physical response, which is a motor response, which will slow it down. So if you're slowing the other
your opponent's OODA loop down, again, you're conducting a successful attack. So you can have people go through cycles unnecessarily, or you can slow it down. So with that in mind, observe, orient, decide, and act, let's look at the web page again. And this time, if your task was to just find out your local weather, which isn't available... and it took me a while. So you observe this and orient yourself to it and find out: where do you type it in? Where do you get your local weather? So think how long it would take. Well, turns out it's there. Everything else is noise for the task at hand. So you've slowed the person down as I go through that, and granted, they've got business reasons for doing so: they want to show you ads. Some of the news websites are the worst offenders of all. Okay, so moving forward. You've seen some of these big examples. Let's look at how people are defending against these types of attacks. And I spent about, oh geez, three years of my life reading Slashdot every day looking for denial of information attacks in the news, and certain trends came out of it. Clearly there were legal responses, and you can consider the anti-telemarketer legislation, for example, as well as regulatory. There were moral responses: public relations campaigns from the Motion Picture Association of America, for example, like "you'll put our employees out of their jobs if you pirate movies." And I was particularly intrigued by the use of violence. If people are receiving information they don't want, violence has been a proven countermeasure in certain instances, and I was particularly intrigued by the, let's see, Charles Booher case, where he received one spam too many and snapped and started sending death threats back to the spammers. And he was arrested for his troubles. So I wanted to take a harder look at, all right, you've got these limited resources. How do they all interplay?
So this is you, and I've modeled it, and it's hard, many may or may not be able to see it, but those boxes represent your cognitive capability, short-term memory, long-term memory. And that's you in the red square talking to your computer. So the arrows you see along this boundary, that's your vision, your hearing, your speech, and your motor. So that's the input/output through your computer, which also has a limited amount of resources: CPU, RAM, hard drive space, and I/O. And it communicates, so you're the information consumer. You're consuming information from information producers, and you need to pull that information in, say from websites, over some sort of communication channel. Those are servers out there providing you the information. They too have limited resources. And often there's a human sitting there, you know, the spammer hits the send button, but there could be things like unattended machines, like sensors. So if you take a closer look, then you can see where these attacks take place. For example, if you use very small text, like in legal agreements and EULAs, that's attacking the vision of the recipient. Spoofing the browser, you know, some of the phishing attacks that have taken place occur along that HCI boundary. I just found this useful to get a feel for where these things are occurring, to look at where attacks are taking place, maybe where new attacks could take place, as well as where some defenses could be put up. So if you look at defenses, there's the HCI boundary between you and your computer. There's been a move forward in the notion of usable security, like security people can actually... it gives them the information they need. TCP damping on the communication channel: if a certain number of emails exceeds a given threshold, they'll slow down the network pace. I believe there are actually some penalties in capture the flag on that front. Or most of these push the problem back to the attacker.
So you see the computational puzzle-solving attack that, if you want to send this email, for example, requires a small amount of CPU space on the attacker. And I'm particularly intrigued by Paul Graham's idea of the Eliza spam responder. Who's heard of that idea, with spam and Eliza? Okay, good. The idea is, Eliza is an early, straightforward artificial intelligence program that was designed to be like a psychologist. So the idea then is you have it listening on a given port or email address. The email comes in; if they can, uh, craft it in such a way that the spammer buys the response, and people all across the internet do that, we win. So it's a pretty intriguing idea, and it shows you again, it's denial of information, how little resources, you know, the spammers were relying on a magnet, you know, or economies of scale: 10 million emails at the press of a button. If, you know, one percent of those people eat up a little bit of time, you've won. So I thought this was... Slashdot. I love Slashdot.
It's like this hive mind, and there are always interesting insights. So from Slashdot on this subject: "I have a little PHP script that I use whenever I get a phishing email. The script generates fake credit card numbers and expiration dates and repeatedly hits the phishing site's form, dumping in random information. Any halfway intelligent phisher would record the IP address and just dump all of mine when he saw they were bogus, but it makes me feel good that I at least wasted some of his time." So again, you know, you push that back, if a lot of people did, and I'm not encouraging it; I don't want to get dragged off in shackles. But it is intriguing, the idea of pushing the problem back to the spammer. So I've looked at this, well, honestly, entirely too much, this problem. But there are several papers on it that are on my website, and I'll give you the link at the end, and it's on the CD. But if you're interested, you know, in any of the papers on the website that are like pre-publication, you can send me an email and I'll send you a private copy for review or something like that. And most of the others are available if you're interested in more. I just tried to hit some highlights I thought you'd find entertaining. So given that big problem, I wanted to look at a specific domain, and there were a lot of people working in spam, so I've looked specifically at network security, and in particular the idea of using information visualization as a way to deal with that problem of denial of information attacks, because there's this battle, and you see it during capture the flag, of hiding your activities from the human who's monitoring the system, or the intrusion detection systems, or the defenders. So I was looking at information visualization to do that. So I came up with a tool that's a PVR. It monitors network traffic, will load historical data sets, and provides different specially crafted windows to hopefully provide you insight. At Interz0ne,
I had a friend who said they thought they might have to change the rules of capture the flag if all of a sudden you could see network activity in useful ways. And that's the idea. I mean, all the space were, and everything's one-upmanship. So I thought, okay, you know, we have these windows and that's useful. Well, how can we attack them? You know, take it one step forward and look at how we can look at the traffic in ways that are useful, then take it another step and say, okay, knowing this, knowing how we all think, okay, this is in place, this is cool, how can we attack it? So this is what the tool looked like, and this is just a quick snapshot. It's using the Microsoft virtual desktop to show a few different panes at the same time. I'll demo this at the end. Okay, so last year at DEF CON I gave a talk on a related subject, and the first question was, how do we attack it? And so that, combined with my interest and your interest, I thought it'd be an interesting space to look at. And you'll find in academia, not many... I mean, if you're not in the security field, generally, you're not in the security field. So you can make a lot of progress just by, you know, looking at their stuff and breaking it for them. It's pretty fun. So that led to the work on malicious visualizations. And then the idea was attacking the human through their computer, through their system that presents information to them in some way. So ideally, if you can understand how these attacks occur, then you can design better ways to protect yourself. Ah, I was motivated by Pokemon. Now, I know at a normal academic conference people wouldn't know the answer to this, but why was I motivated by Pokemon as far as attacking people through information technology?
Seizures, okay, very good. In the late 1990s there was a specific Pokemon episode that had rapid flashing red lights at 20 to 30 hertz. Okay, well, it turns out that for people who have photosensitive epilepsy, that's just the right frequency to trigger a seizure, and reports vary, but thousands of people went to the hospital with nausea, and several hundred went to the hospital because of seizures. So it got me thinking about reaching out. I know that's a very specific case, but I think the prevalence in the U.S. population is about 2 percent through the lifetime for epilepsy. So it's non-zero. But it got me thinking about attacking people through computers. But then I wanted to be realistic. So yeah, I mean, you don't just want theoretical attacks that never occur. I wanted to look at, well, where can you really insert information into what people see, and how can that little bit of information impact a lot of information, or the display of the information. So I made some assumptions. I'm not DoSing the system. I'm just adding a little bit of information, trying to skew the results as much as possible and trick people. As well, in some cases, I think it's reasonable to assume you could alter the timing of the data. Particularly if you had access to the sensor or something, or the network somewhere in between, you might be able to slow it down. But I really focused on adding a little bit of information. And I did not assume that you compromised their computer and had full access to the database to do whatever you want with it. I wanted some places where you could really do it. So, you know, network traffic is where I spent most of my time, particularly in this area, because, I mean, clearly you can spoof packets.
You can inject things. I mean, you're constrained in some ways by protocols or upstream network devices, but still, on the network you can insert information pretty much at random. As well as some of these other domains: any place where you can insert some amount of information, then there can be a problem. So going back to the model, I assume that anywhere in that space along the communication channel, or the information producer, could insert a little bit of information. And then the timing attack would occur even on the sensor itself, but I was looking more at the network in between. So how do these things manifest themselves? I looked at all the different places where they could manifest themselves, but I've chosen some highlights here I think would be best just to show you the idea. So I focused on your computer: how people can send a little bit of malicious information to your computer so that it'll present you a lot of malicious information, you know, in a visual display. So what really got me thinking is just some tools, and this is a $10,000 visualization tool. It only puts 20 labels on the display. So if you hit a threshold above 20 labels, labels start disappearing. So I thought, uh, you know, if you can exceed limits of the program, then you're gaining ground, you're slowing people down. They may miss what you want them to miss, or see what you want them to see. And even better, in displaying information, oftentimes labeling algorithms are used. And you can see here that it doesn't take much to start filling up a display with labels. And, you know, they dropped out here, and they're not even sorted in this one. So perhaps with just a little bit you can start hitting the threshold. And even better, I think, are auto-scaling algorithms, where, uh, this graphic: the left-hand side shows ports on external computers that are talking, and on the right-hand side are ports on your
computer. So it connects the dots between one and the other, what port to what port. And if you look at the little detail, you have a great deal. That was the initial display. It was like 1 to 135. But this tool auto-scaled, so initially I saw exactly what I wanted to see. I winged one port, one packet, to a high port. It auto-scaled; it reduced all that relevant information down to one pixel. So then you have to waste time, grab the mouse, zoom in, zoom out, zoom in, zoom out, just by winging one packet high. Now you may think this is just arbitrary, but you see this in real life. This is a very common web log analysis program. So here, and this is from the netty at home project, you see a spike of activity. And actually this was a site being slashdotted. So yes, it's more akin to the denial of service attack, but it does illustrate that you can impact... I mean, web logs, you can enter information in. I mean, you could probably send ASCII art into web logs if you were so inclined. But that input in the logs, and then you can alter how the information is displayed. So you see that on the day of the slashdotting, it flatlined everything else. So, you know, everything else, gone. Also, this is the Spinning Cube of Potential Doom, which you may have heard about. And the idea is it shows network flows in 3D space. And in the foreground, though, if you look at how information is rounded down, then... this is a whole class B network mapped. So that's 2 to the 16th bits mapped along about 5 or 800 pixels. And the entire internet is on the green line. So you're mapping 2 to the 32nd, more or less, along the vertical axis.
So you're losing a great deal of information. And then the z axis, blue, they're mapping the target port. And it turns out that if you're using this to watch your network, the attacker would be able to operate with tens of thousands of degrees of freedom as far as destination port, destination IP, and source IP, and illuminate only a single pixel. So again, looking at the scaling in place is very significant. And of course, just using a little bit, if you put something on the screen, it's often easy to put something on top of it. Some types are more susceptible than others. As well as just inserting some random noise or carefully crafted noise. So how do you protect people, how do you protect your users, from small amounts of information having a major impact on what they see? Well, the first thing, and there's no cure-all: systems where there's some degree of authentication, that's better than no authentication, or limited, where you just basically have to click on an email to verify your identity or something. And this, I think it's not for you. I'm just telling you for entertainment purposes, this next one. I'm telling the other people this line because they need to do it: that you need to design systems with malicious data in mind. Oftentimes they live in a utopian world and design systems where they just think only happy data will arrive. So, to design systems with malicious data, as well as to train users to be alert for them. You train, you know, people not to give away their passwords over the phone or whatever; you train users to be aware of the weaknesses, as well as allow them to customize the system. So again, there's more on this. This paper is on your CD, if you're interested in some more detail. And as well, on the CD
I've got some other links you can go to for more information. So this is a tool I released at Black Hat, and the idea is it's a network PVR. Each of these windows, each of these black squares, is a thumbnail that shows you your network traffic. So let me go ahead and load a packet capture data set. This data set is a packet capture from the Honeynet Scan of the Month. And you can see it's loading the packets, and there are 3,300 packets. So this is what I was working on. Remember, going back to what I said before, I wanted to build tools that would raise the bar on how visible attacks are to the people watching the networks. Then I wanted to take a further step and look at, well, how could that be subverted? So I'll point you toward my Black Hat slides, and I'll be posting those in a little while, where it goes into more detail on how this works. But I'll give you a quick tour, and this is also on your CD. The idea is there are different views that show you your data. Most straightforward... and they all operate in tandem, so what you see in one occurs in another. So if we play it, you start seeing the data. The different views are all operating in lockstep. So the most straightforward one is showing you the text in the packets. This is a text view. It'll go and show you the ASCII or the hex view, as well as a decimal view. But anyway, it has the strings command built in, so you can filter just for the text strings of a given length in the packets. This view shows one packet per line. And you can see it illuminates the pixel on that line if that hex value exists. So for example, this region here, that's the printable ASCII range.
So if you hover over it, you can see that that's a B, I can't... a J, and so on, so you can see the characteristics of it. It'll also do the frequency of the bytes per packet. And you can set a threshold: anything above a certain threshold will be hot, so we can move the threshold down till we start just kind of finding the tipping point. It looks relative to each packet in that case. I don't pad anything. Yeah, this is very straightforward. It's kind of like an initial step. I mean, there are all sorts of entropy algorithms I could use to do all sorts of cool things with this type of view. And then you see diagonal lines, which are bytes occurring in each packet but changing with regular consistency, so you can look at the slope. So that's the byte frequency view. I think you'll find this one particularly entertaining. This is called a parallel coordinate plot, and essentially you're connecting the dots on these axes. Where I'm going with it is connecting the dots between every header field that's possible. That's my goal. I've got 17 fields in it now. So if I go like this, it shows the fields. The idea then is you can go through one at a time and see each packet and see its values for every header field. Or you can play it, and what you see growing on the right, that's the IP identification field. You can see the distribution of IP addresses. And, you know, the idea then is you can take 5,000 packets, roll them through this, and at least watch them unfold and get a feel for what happens. So you can see random activity for a given field. You can see sequential activity.
You can see things that don't change, things that change a lot, and so on. I'm going for a whole model of interaction here, like a mixing board that allows you to constrain everything and update the displays as well. So anyway, given this tool, let me show you one or two more windows and then I'll show you how to attack it. They're using it for capture the flag to show the network on occasion, so you could have some fun. This is more of a matrix view. And it does have some uses other than just looking cool, but we're kind of tight for time, so I don't want to blather on about it. What this is is one packet per line, and it's showing you the bits in the packets. So the pixel is on if there's a one on the wire. So you can see different types of packets, and you can see at a glance the length of the packet. As well, I've played around with such things as "show me the printable ASCII values in there." So when I do that, it grays out everything that's not printable ASCII, and the blue is printable ASCII, so you can see at a glance what packets, after you've filtered things, contain printable ASCII. I've also played around with the idea of NOPs. I like the idea of disassembling code on the fly, looking at things as if they are executables, and perhaps you as an analyst, if it's color coded by common opcodes or something, will be able to look at the flow of the packets and say, that looks like an executable going across the wire and it's not supposed to be there. Perhaps you'll see something your intrusion detection systems or anomaly detection systems won't. And the final one: think of this as Battlezone for networks. It's connecting the dots between any fields.
I don't know if you can quite see it in the back, but it's connecting the dots, and then pixels fly off and slide off the screen, and this is showing source IP to destination TCP port. So as it happens they fly off the screen, so you can see a variety of activities. And the way it's set up is you can compare anything to anything. So there are all sorts of crazy combinations that might be of use to you. And if you have the different windows open, you know, all at the same time, running in lockstep, you might be able to find things you won't be able to find using today's tools. So anyway, this is on your CD. I'd encourage you, and I'll give you the link, to go to the website where you can download the latest version. I made a little bit of a fix that'll make it... it crashes on a certain header condition. So, uh, I'll post that when I get back from DEF CON. Anyway, going back to the topic. So that's the tool; then I thought, how can I attack it? So let's look at some basic attacks. Apparently, it really doesn't take much to bring down a visualization system if you're so inclined. So I showed you what normal looked like. Now something odd happened here. So let's go ahead and see what the attack looked like. Now this is only 203 packets. So if you were just playing information, looking at a data set, watching capture the flag... I'm using random IPs, and we're only at 30 and it's already becoming crowded. And look what's going on with the, uh, UDP. This is color coded, so orange is UDP traffic. You can see that it's filling up the display pretty quickly. With only 180 packets, it's already, what, a windshield wiper effect.
Well, as it turns out, you don't need to hit every single port. You need to make a best guess at how it's scaled. So I only need to, like, hit every 60th port with a packet to draw the line and create that solid effect. So let's look at another example that totally melts it down. So again, just a small amount of information can generate a lot of noise for the human. So this is 1,300 packets, but this is pretty much a nuclear meltdown. Now you can change the speed as well, so I'll change the speed to max. And look what's happened on the IP address space. But you can also see what I haven't messed with, so perhaps something is constant in some way. Maybe they have a consistent time to live or something that you can grab a hold of and create a filter to counter this. So again, I try to create the tool and then think about how it would be attacked and then how we can defend, and it never ends, but I think this is worth looking at. So that's a meltdown. There are other interesting uses. Who saw the talk at Black Hat?
Okay, if you saw the talk at Black Hat, don't give this away, but there are other interesting uses. So this is 600 packets. And if you look at it, say, in the parallel coordinate plot display, you can get it, you know, the 600 packets, you can look and see a quick overview of what happened. Okay. And again, you can run through them. Well, it really just looks like a lot of source IPs or source ports were in use, but other than that, not the same IPs were used. So let's play it again, though, with a different view. So if we look at the frequency of the packets, then you notice odd clouds of packets, of bytes, of groupings of bytes. Then if we look at it as a rainfall, remember, this is one packet per line. And the way this is, it takes each byte on the wire and maps it to a pixel as a grayscale. So you can see the rainfall effect of the bits, of the bytes on the wire, as grayscale. It's... have I or could you... Right now there's a degree of flexibility built in. The question was, how much can I change the mapping of colors? Well, the extent, as it's... there's no technical reason you couldn't do that as far as what it's coded. I have filters built in right now. They're straightforward. I want to go to greater complexity. But they'll filter certain streams of TCP, UDP, ICMP, and you can change the colors by clicking on there and that'll change it. But the degree of customizability isn't there yet. But it's certain there's no technical reason that couldn't occur. So just to wrap up, again, on your CD you've got the talk slides. The RUMINT tool itself is on the CD. The malicious visualization paper's on the CD, and there's a hacker convention article I want to point you toward, because I know some of you have difficulty explaining why it's of value to come here. Or is it just me?
So I was able to get into the Communications of the ACM, which is, like, the professional computer society's lead monthly journal, on why computer scientists should attend hacker conventions. So hopefully you can change some perceptions out there, and you can wave this around in front of your husband, wife, or boss, or parent. And that's on the CD as well. I'm looking for anyone who could give me feedback on the tool. It's at rumint.org, and again, it's on your CD as well. I'm in school and I'm trying to graduate, so I need feedback to make it better. And right now I've got a two-page, five-minute survey. If anybody would be kind and see Julian, I'd be permanently indebted to you if you could take five minutes of your time and fill that out. It would help. And basically, if you're an Ethereal user or Snort user, it's just some quick questions on how can people mess with your minds if you are using that tool, or how they happen. Lots of people to thank. I've been iterating through this in small groups and I've gotten a lot of feedback from a lot of people, so too many to thank at one time. Finally, I wanted to end with: I've had a good experience at Georgia Tech, a very positive experience. And they've got undergrad and grad, or master's and PhD, programs in InfoSec. So if you were interested in that, you could send me an email and I'd be happy to answer your questions or point you to someone who could. As well, they're looking to partner with industry. Again, this is part of my business case. You're coming out here. They're looking to partner with industry and government. So if you're looking to kind of, like, outsource R&D, they're very much up for that, and the website or I could point you to more information. So with that, are there any questions?
Yes. Okay, the website is outdated as of now. So I wanted to release it at Black Hat. So when I get back... the version on the CD is like 1.7 something, and I have 1.8 something that I'll release as soon as I get back. It'll function. Its IP header length, if it's not five, it'll crash. Okay, five is the normal value, but if you get other things, then it'll crash. But on the CD is a sample file, and a key point is it doesn't load pcap natively. So I have a little conversion tool that converts it to the file format. So the tool is on the CD, it runs on XP, and I have a sample data file on there for you to take a look at and play with. Okay, yes. I have not, but I definitely... I don't see any reason why not. I mean, I want to show, like, the picture of what it looked like or whatever, with the pcap file and the file format for my tool. Just have them there. I mean, they're not sensitive or anything. So yeah, absolutely, I want to share them, but I haven't. It's one of those things, like, the week I get back I'll be working that. Well, I'd like to thank you all for coming. Julian's in the yellow shirt. If any of you could fill out the survey, if you've worked with Ethereal and always wondered how you can mess with people through it, or work with Snort, I would appreciate it. And if anybody's interested, I'll be outside.
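Added example, not part of the talk and not RUMINT's code: a sketch of the countermeasure mentioned above, finding the header field the noise generator left constant (a time to live, say) by comparing a noisy capture against a quiet baseline, then filtering on it. The parser takes the IP header length from the packet instead of assuming five words. All function names, the documentation-range addresses and the TTL value 37 are constructed for illustration.

```python
import random
import struct
from collections import Counter

def parse_ipv4(pkt):
    """Parse an IPv4 header plus the transport ports; None if malformed."""
    if len(pkt) < 20:
        return None
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    hlen = ihl * 4                      # honor IHL; never assume 20 bytes
    if version != 4 or ihl < 5 or len(pkt) < hlen + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, hlen)
    return {"ttl": pkt[8], "proto": pkt[9], "src": pkt[12:16],
            "dst": pkt[16:20], "sport": sport, "dport": dport}

def fingerprint(baseline, burst):
    """Return the (field, value) most over-represented in burst vs baseline."""
    best, best_gain = None, 0.0
    for field in burst[0]:
        value, count = Counter(p[field] for p in burst).most_common(1)[0]
        base = sum(p[field] == value for p in baseline) / len(baseline)
        gain = count / len(burst) - base
        if gain > best_gain:
            best, best_gain = (field, value), gain
    return best, best_gain

def build(src, dst, sport, dport, ttl, options=b""):
    """Construct a minimal IPv4/UDP packet (checksums left zero) for the demo."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8, 0, 0,
                     ttl, 17, 0, src, dst)
    return ip + options + struct.pack("!HHHH", sport, dport, 8, 0)

def demo():
    rng = random.Random(1)              # fixed seed: constructed, repeatable data
    server = bytes([192, 0, 2, 10])
    rand_ip = lambda: bytes(rng.randrange(256) for _ in range(4))
    normal = [build(bytes([198, 51, 100, rng.randrange(1, 9)]), server,
                    rng.randrange(1024, 65536), 53, rng.choice((64, 128)),
                    b"\x01" * 4 if i % 10 == 0 else b"")   # some carry options
              for i in range(80)]
    noise = [build(rand_ip(), server, rng.randrange(65536),
                   rng.randrange(65536), 37) for _ in range(1300)]
    baseline = [parse_ipv4(p) for p in normal[:40]]
    burst = [parse_ipv4(p) for p in normal[40:] + noise]
    (field, value), gain = fingerprint(baseline, burst)
    kept = [p for p in burst if p[field] != value]   # what the analyst still sees
    return field, value, len(burst), len(kept)
```

The filter also hides any legitimate packet that happens to share the fingerprinted value, so it is a triage aid for the display, not a blocking rule.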