 I'm not going to get up on this stage. I do a little bit better when I'm wandering around and able to hold a massive phallic symbol up to my face for some reason. Even, thank you. Thank you, even though I, well never mind. I could go off on a whole thing on that. Last year I did do a talk that had lots of flashy graphics and I did music, soundtrack, and the whole bit. I'm not doing as much of that as I did last year. I'm not doing that much this year. And well, just a couple of quick things. About me, I'm affiliated with a group known as NMRC. And that's roughly what you could say, the speaking capacity. That's who I'm speaking as, as an NMRC person, as opposed to my, in the interest of full disclosure, my daytime employer, BindView. As you see through, as we go through on some of the slides, some of the images may be somewhat questionable for a corporate type talk. So I'm not going to be speaking as that. But I do work for BindView on the Razor team. The skills you'll need for this to be able to understand what's going on in this talk, basically, what you're going to need to know is, hopefully, a little bit about computer security, you know what an IP address is, that kind of stuff. I am going to cover some areas that do get somewhat technical. And if you have technical questions that you didn't quite understand, that you want to talk to me about later, then feel free to grab me later. I am going to cover a lot of social and political related issues as we go through this as well, though. And also, we're going to have a few, I wouldn't really call them surprises, but just some interesting things that will let you know that kind of go along with the entire theme. And also, if there are any questions during this, I must ask one of the question. It must be in the form of an answer, OK? Because that really, really simplifies my job here, OK? First off, I wanted to talk a little bit about what's gone on in the past year. 
Of course, the DMCA muscle was flexed about a year ago as it stands. Poor Dmitry was grabbed up after giving a speech, not exactly after, not right after. They didn't just pump them in handcuffs, as he said, thank you or anything. But nonetheless, it was that muscle was flexed. And we saw a little bit of an example of what the DMCA was all about for whatever it was worth. That was kind of a frightening thing for a lot of people, simply because of the implications for security and security research. There are a lot of provisions in there that say, OK, researchers are exempt from this or that or the other, but then there's not a lot of clarification as to exactly what entails research, what entails reverse engineering. So there's some scary things there. Another one was something that absolutely ruined my birthday, which is September 11th, an event that happened that just really screwed things up. That has resulted in a whole bunch of emphasis on security. But again, what's happening with our legislation, our leaders and whatnot, if you want to call them that, these supposed people that are running the government, it led them to pass a whole series of what I would call basic major-type legislation. The primary one that I would bring up would be USA PATRIOT, OK? And I hope everyone here saw Jennifer Granick's talk yesterday. Did everyone see that? OK. That was a very, very good and interesting talk. I was very pleased that she did that, and I was somewhat rather frightened. I know she tried to give a little balanced thing, but I mean, there are some serious implications for some of that. She also talked a little bit about some upcoming laws. The one in particular is the Cybersecurity Enhancement Act. 
This is the one which basically takes most of your penalties for cyber-related crimes and doubles them, and has some interesting provisions so that if you were busted on some type of hacking-related thing, and then you go out and you have a whole lot of elite skills, the higher your skill set, the higher your sentence is the way I read it. Now, maybe I'm reading it incorrectly, but that's how it looks to me. More skills involved in doing the attack, and then that increases your length of time in with a brother in a jail cell, which is kind of sad. Other ones that are coming up that are kind of scary. You've got this stuff going on in Europe where we're talking about retention of communications, internet communications. This one's kind of creepy. I can't remember the exact one. This one is really, really, really bad because apparently there are proponents within our government. They actually think it's really, really, really good. The premise is this. Basically, go out there and must save all communications. That's kind of a vague term, but what they're meaning is they're meaning email, they're meaning web, probably something along the lines of instant messaging or whatever, but basically grab that information and then store it so that it's available in case someone needs to go back and do subpoenas and searches and whatnot. This actually is starting. This idea is starting to gain some momentum. I believe it's the House that has been suggesting. I don't know the latest on this. The House has been kind of toying with this whole idea. I'll try to speak over the planes as they go over. And it's where they want to retain, let's say, email for 90 days. OK, now think about that. Copies of all your email retained by your ISP for 90 days. Of course, I think that most of the ISPs would be extremely pissed off at that because that means they're going to have to have more storage, more backups, and everything else. I have a somewhat interesting solution for it. 
It would be to, for every one of us that wants a mail server, if this does come into law, for every one of us that wants a mail server, just go in there and open up the relaying to go to house.gov and senate.gov. And that way, they can get all the spam, and they can have it. And if you want to be really aggressive, just bounce all your spam to those systems. And then you can just say, hey, man, retain that. You motherfuckers, you go ahead and just have that. Now, what will, of course, be interesting is then you start doing your freedom of information requests and say, I want to know all the senators who are getting bestiality porn email. Well, that's just kind of a fantasy there. But anyway, so there's bad stuff, OK? There's bad stuff on the way. There are things you can do, and I'll kind of go into that at the end. That's the other thing. Trying not to be cynical, I've been talking a lot. And this is why, basically, just so you know, I had a whole speech all typed out for this. And I wonder, or I've been talking with lots of people here. I see some people here that I've been talking with. And they say, what are you going to be talking about? And I tell them, and I just threw out all my notes. I wrote a few down, but I've thrown out all my notes because it's just everything is changing so fast. Everything is happening so fast, and we have so many odd things going on. The big criticism I had from last year's talk was that I heard this from probably the people that have helped put on security conferences on down. They said, this is the security conference. This is a hacking conference. Why are you bringing up politics? What does politics have to do with any of this? Someone said everything. That's exactly true. Now, it may not have been true before, but it is true now. There are now extremely serious consequences for your actions, much more serious than before, OK? Well, let me give you some examples. Let's take full disclosure, or just the concept of full disclosure. 
What are we talking about here? We're talking about, let's say you're going to put a post out on Bugtraq. You found a vulnerability. You're going to put a post out on VulnWatch. You've got to advise what's going on. OK, let's say, did you give the vendor enough time? OK, that's debatable as to what that amount of time is. Did you give the vendor any time at all? If you didn't give the vendor enough time, there are people that will flame you. The press will come down on you for being bad things that are said about you. OK, that's one area. If you wait too long, it says, I notified the vendor 35 months ago, and now they're ready to go to the patch. Then you'll be, oh, you waited too long. You left us vulnerable for too long a time, all right? If the patch isn't available in a timely fashion, I mean, in other words, the workarounds don't work. There's all kinds of ramifications that are tied to that, OK? And it doesn't really help when you've got various governmental type agencies and various software vendors who seem to be trying to work together to at least limit the disclosure itself and using what weaknesses they can find as a whole argument to go ahead and meet you on agenda. Let me give you a very quick example of that that's happening right here at this conference. There's a panel, I don't know if it's happened yet or not. I really didn't pay attention to the schedule. Something to do with disclosure, what the feds think? That's today? OK. What the feds think? Why the hell is Steve Lipner of Microsoft up on a panel telling me what the federal government thinks? I really want to know that. I want to know. Someone asked that. I can't go to the talk. I'll end up trying to incite a riot or something. But I mean, that's a very, very telling sign when you think about it, all right? You have a major corporation who's got a vested interest in the control of disclosure. And they're sitting on a panel with feds. 
The same, maybe not the exact feds, but the same federal government they had gone after them previously on antitrust. And they're sitting there and they're saying, this is what we think the policy should be. I want to know when the government says we've contacted security experts and industry experts about this kind of stuff, saying we need to come up with a policy on such things as disclosure or in such things as some of the various tenets of the Cybersecurity Enhancement Act and whatnot, why you're continually going to such groups as the major software vendors who have their interest in it is purely financial in the outcome of that. Someone needs to hear, well, I guess we all, raising that question. Someone go there and ask them not at that top. Another thing with why things are political, sorry, or pitiful or whatever you want to do. Releasing a vulnerability 10 years ago, we didn't seem to have nearly as much of an impact as it does now. The amount of computers and network devices is rapidly increasing. And it's just a highly accelerated rate. So now if you release some type of vulnerability information that affects 10% of all systems, 10 years ago you would have attracted a fair amount of attention, probably nothing mainstream. Now, you're bringing down large corporations who have basically, they're doing that whole B2B thing and you've got peer-to-peer stuff happening here and there. You've got intranets, wireless, all kinds of open access points to all kinds of technology, all right? So whenever you release vulnerability information, not even necessarily a vulnerability code itself but just details, and then someone writes a worm that goes out there. You're having a massive impact as a result of your actions. And so you have to rethink this. An example would be Code Red, especially now since some of these laws have been talking about. With Code Red, when it came out, you were a fuck nut, basically. You know, whoever did that, whether one an idiot. 
You know, I had to patch a bunch of servers and say, well, I don't even run, OK? So this is really sad. OK, now you're a cyber-terrorist, OK? That's the big difference. Now, you can go ahead and say, well, the exploit code that I wrote, that someone adapted into a worm, it was intended to show people, to demonstrate to people that things were vulnerable, someone would come back and say, I was able to use this in a worm and go and damage all these systems. Therefore, I got it from you. You're somewhat held accountable, potentially. This is still all unclear. It may not come to that. I hope it doesn't. But it's heading in that direction. If you're planning on doing anything, and I don't do this anymore. I haven't done this since USA PATRIOT, just out of paranoia and nervousness. How many people here scan on the internet? OK, a few brave people go ahead and admit they do, even though probably most of you do. The idea is that I do, as I did, as part of research. OK? It's interesting when you can do fun things like, say, scan the entire address space of China, and then we're up to see how many vulnerable web servers they have, which, by the way, is pretty much all of them, all right? It's interesting to do that. It's wondrous when you find a box that I had no idea that a single server could have 14 different CGI vulnerabilities on it. But somehow, someone managed to do that. But you can't be going around doing that kind of stuff anymore. You really can't, because you might be interpreted as someone performing some type of hostile action. Particularly if we're involved with, when I say we, I mean the United States, are involved with some type of political, diplomatic craziness going on with them. Maybe we're getting ready to go bomb them in our war on whatever that we're warring on that week. See, basically, I wanted to bring up the point that hacking is political. OK? That's the main thing I wanted to get across to everyone. 
The other criticism I had from last year was that I gave a lot of theory, sorry, the dangers of having long hair. I gave a lot of theory, but I really didn't point anyone in any particular direction. I just said, things are bad, go get them, you know? And that really didn't help much. So because, really, I mean, a technical audience, OK, it's fine to talk in theory and everything. And hopefully, most of you are not still drunk enough from the previous night that some of this is sinking in. If you are still drunk and it's not sinking in, then I can just appear and just say bullshit. And you don't know, that makes my job easier. But nonetheless, I've got to think that at least some of you are sober. I'm going to propose a problem, OK? And I don't know if you can read the red type, but I keep forgetting that I may end up on the roof. Even though I do enjoy it, does everyone like the sauna? What's going on? Is there a radio? Yeah. And by the way, that's really the sauna tent thing. That's really Jeff's way of saying, look, are you white, pasty, overweight hackers? We're going to take a couple of pounds off of you, because DEF CON believes in giving back, making people healthy. In 95, there was a paper written called Programming Satan's Computer. And then this basically said, I'm just summarizing if I get the summary wrong, you know, the piss on you. I'm trying to make a point. But basically, how can you trust the code that you're running if you don't control the underlying operating system itself? How do you try and provide safe code on Satan's Computer? The problem that I'll propose today is I call it Packeteering Satan's Network, OK? How do we move packets from point A to point B on the internet without private communications and then make sure that Satan, and in this example I'll be using, and by the way, I'd like to say that out of my NSA friends that are here. In this example, I will be using, for the most part, using the NSA in the role of Satan. 
And it's probably the fact that many of you will agree, and you can go ahead and fill in your own evil organization, such as the government of the People's Republic of China or some other repressive regime. And just while I'm at it, while I'm staying up here, since we do have representatives from the US government here, I do want to make clear that I do really think that the US does have a pretty good thing going. If I had to pick, and I did actually go through the whole list of countries that signed the WIPO Treaty deciding where I could live and with my MP3s in peace somewhere and couldn't find a country on a planet, I decided, well, I might as well just live here then because I might be here, and it is pretty good. They pay well here and everything. But to the representatives of the intelligence communities of some of those foreign governments who have been rumored to be here, including people like Israel and China and France and whatnot who use a lot of that stuff against their people, fuck you, OK? Fuck you. All right, let's move on to happier things now. Let me get a drink. I hope that's a laser pointer. What can Satan sniff? All right, if we're going to be packeteering on Satan's net, what can Satan sniff? I'm not going to read these slides because I hate presentations where you get some bozo up there that has an outline and just basically reads the slides to the audience. So these are on the, this presentation is supposed to be on the CD that you got when you signed in unless, of course, you social engineered your way into DEF CON and didn't pay anything. Basically, this is, that's the other thing that's kind of interesting with this talk. I keep referring to things that are really old, all right? Now think about that, paper 95, and I'll first stuff even older than that later on. 
In 1996, a presentation was made regarding anonymous remailers by a man named Paul Strassmann, National Defense University, and a gentleman named William Marlow, who also had some impressive credentials of some kind. Anyway, these guys, during the question and answer session of their talk, did mention that our government, and I believe it was the CIA that they possibly referred to, and you can go back and I put in the web addresses of where these posts are, we can find out more information on this, did say the CIA is running remailers, anonymous remailers, you remember that whole anonymous remailers thing that hardly anyone uses for various reasons. I think probably just out of laziness, myself included. But nonetheless, they also mentioned that the NSA had successfully developed technology to break crypto below 1,000-bit on the key size, and that they themselves personally used at least 1,024-bit, OK? Now that's an interesting thing. Think about that. That's 96 that they made that statement. Of course, once the press found out about these statements that were made at this presentation, everyone denied everything. Everyone denied these questions were even asked, and that these answers were even given at that presentation. But nonetheless, you had to step up that kind of leaked out. So let's just assume, just for the sake of argument, because we're cautious, paranoid people, OK, that it might possibly be true. Now, moving on, come on. The heat may be getting to this. Hopefully it won't freeze up, because I got really pretty graphics here. There we go. Hopefully won't jump ahead on another slide. Email from a private email from a former spook. Quoted some stuff, said PGP, and basically pretty much every available crypto that's available to us as individuals is breakable. 
And roughly between that and a few other informal sources that I've heard, anything that's out there can either be broken through some type of brute force or through some type of flaw in the implementation of the crypto itself. I'm not calling this proof. I'm just letting you know what I heard. So all I'm doing. And the thing is, is that there's been other times in informal communications with me. I had a very interesting conversation last year with three gentlemen who, at the time, they said they were NSA. Now I don't know who they were, but who confirmed some of this type of stuff to me. But of course, then they were saying, but of course, we could be lying. And you'll never know. And you'll waste all your time trying to figure out whether you're telling the truth or not. And no one will believe you anyway. So I've heard that. I've heard it from other researchers who I wanted to name their names, but they don't want their name associated with this type of information. So let's just say that every once in a while in circles you run into someone who's heard some of the same type of rumors. What are they monitoring? All right, let's talk about the types of, and how are they monitoring? What are the techniques that are used? This is leading up to some points, by the way. So I scare you if they can crack everything. Now let's talk about how they're going to monitor those packets that are flying across the network. You've got basically three types of monitoring. You've got invasive, you've got non-invasive, and there's what I call stealth. Non-invasive is extremely obvious where the monitoring nodes are. Okay, you're going through a proxy server and it slows to a crawl, okay? There's, actually I think I skipped a whole slide. This should be the invasive one that's up and not the non-invasive. But invasive things slow to a crawl, very easy to spot the stuff and you can get around. Non-invasive, of course, so there's a minimal amount of impact to what's going on, okay? 
But they had to wrap you around a certain way to make sure that they can sniff traffic. You know, maybe you know what I'm talking about. This also has to do with, like, say, cache servers and proxies and whatnot. But, and those things are actually fairly easy to avoid. The one that's tough to avoid is the stealth monitoring. And we all know the power of a sniffer. Okay, you put a sniffer in the right place and you're going to get all the traffic. And that's one of the reasons why we do things like we encrypt when we send stuff. And it's fairly hard to avoid. Types of communication, man, you cannot see the text on that screen in the background, I'm betting. Or in the front, in the very front row. Basically, there's not much text in these slides, by the way. Just look at the pictures, okay? Oh, and I do that on purpose. Cause that's why I'm down here, so I can see people's reactions and I can know how to roughly adjust as I go along. There's point to point communications, such as email. I think we all understand that. There's also a broadcast. Usenet is a good example of that. Posting to a newsgroup is a real good example of type of communication. You do have the anonymous sender. And that's a type of communication where you're going through one of those remailers that we mentioned earlier for the CIA peels off a pilot copy. And then you have another thing I call traffic pattern masking. And this is like, a quick example is Loki that came out in Phrack. Google is your friend, look it up if you're curious. To avoid our stealth monitoring that's going on by Satan, we're going to have to use some stealth communication techniques ourselves, okay? And this stealth communication, that's basically what we want to be able to use for the sender and the receiver are unknown or close to being unknown. That the communication is not going to be particularly obvious. It's going to look like a regular part of traffic. 
Or if it is obvious, it is so obscured that you're not going to be able to determine what in the hell you're actually looking at. I want to talk about several different types of concepts. Some of these are real world examples and adaptations. I'm going to go through four of them. One of them I'm going to have someone come up and give me some help on. But I want to go through and give you some examples. And actually only one of them I'm actually officially writing code on. But I want to go into a little bit of detail into some of these. And this is where I'm talking about direction. It's just saying go get her, here's some things that maybe we can work on as a community that might help. And hopefully it just doesn't help first some evil legislation down upon us. But nonetheless, maybe we should go ahead and do that anyway and just poke the beast and see what happens. The first one, did you get a drop box? Does everyone understand what a drop box is as far as that spook spy stuff? They get the spot under the bridge. I'm going to hide my package for the other guy. Yeah, a dead drop is a good example. Yeah, that's essentially the same type of thing. Okay, so I'm talking about a digital version. What would be a good way to do a digital version of this? To give an example of this, let me explain a piece of software called Whole Punch. A colleague I work with at BindView named Paul Ashton, who I don't know if he's here or not, in the room. But if he is, he's probably going to be pissed off because he hasn't released the software yet. It's not quite ready, but maybe this will help push him along. And send Paul some emails saying, Paul, where the hell is Whole Punch? She has something I'm not telling me all about it, so you're getting ready to come out with it any day now. And maybe he'll get going on it. What Whole Punch does essentially, and this is a good idea, good things to think about, is let's say you have a system set up with no ports open, okay? 
But you have something running on there, a daemon listening, you send in a packet, it's got some crypto type material in there that's going to identify it as, I'm the one that's going to do this thing and inside it in the command structure, of course, all this is all encrypted and everything, and you have to be authenticated as you go in there. This says open up port 22 from this IP address in your built-in IP tables type rules for 60 seconds starting now. Let me see this packet. So it's a really clever way of saying, okay, boom, I'm in, and then with the packet, and then I fire it up with a connection. He's added some extra features in it, including methods of being able to trigger another instance of Whole Punch to route to yet another system. So if you're out somewhere on the internet and you can send a package in, in this packet, it goes through a firewall to a box, but then goes over and then reboots some system that needs to be rebooted or whatever the commands are you need to have done. So it's a cool thing. Hit up Paul, tell him that he needs to get this thing going. And certainly hopefully it'll help inspire a few others as well. Steg, steganography, this is going to be a fun one. I love talking about this stuff. This stuff is cool. And you know who else likes talking about it? The press. The press loves steg. It's so cool. It's so sexy. Okay, why? Because they don't like to admit it. Because we can talk about porn when we talk about steganography. And that's the example I'm going to use right now. I'm going to use an example of porn with steganography. I was telling everyone as what steg is, basically I take a message and I hide it in the, in some of the unused bits in a graphic file or a sound file or something. It's like an hide a message in there and it's all encrypted and hidden to the naked eye or naked ear, depending on what the type of file is. You don't know if there's actually a message in there. 
The example I'll give for stealth communications is one that has been theorized yet it hasn't been proven yet by various media outlets. We're going to talk about like say if I was some evil guy wanting to communicate to my minion out there. And I got a copy of OutGuess. Again, maybe it's your friend. So you can find OutGuess. If I was going to send out a message to all of my evil minions to go do the evil thing such as, you know, it's time where we sell the Microsoft source code, you know. It's, you know, whatever the evil thing is we're going to do. And when you think about it, that would be evil, you know, that would be evil. That would probably be such ugly code to look at. I mean, oh my God, that'd be terrible to have to be subjected to that. Yeah. Yeah, the whole thing is in Visual Basic. Yeah, tell it, it's just, oh, oh my God. Okay, anyway, nice to comment from someone over there yelling out encouragements. Thank you. If you can provide jokes especially in front I'll pass them on. I get some porn, all right? I get a hoax and porn. I put my message in the porn, okay? And believe it or not, I've actually done research into this. I know you're shocked, but in the interest of science and the interest of you, I've gone out and I've collected a shitload of porn. Okay? No, someone asked us to vote on the CD. For Christ's sake, we got a room full of hackers as you guys can't figure out how to get free porn. Anyway, so you go grab your porn and you put your message in it. You post it to Usenet and then there's this phenomena that happens, okay? Where people grab stuff out of Usenet and then put it on their pay site. Someone else grabs it and puts it on their pay site. And I'm sure no one has ever done this, but there's spots where they've got preview sections on those pay sites, right? Where you can go and get a preview of the porn to come. So then all of a sudden some of you almost start appearing in preview type stuff. 
Now if you had done some sophisticated research, such as myself, into this phenomena, you'll notice that there's certain types of porn that have a repost rate that's higher than others, okay? Asian porn, for example, has an extremely high repost rate. And all you gotta do is make sure that your porn ends up being listed on asianthumbs.org and it's everywhere, everywhere. That's all you gotta do. Throwaway GeoCities thing set up and bingo. You get your porn everywhere. So that's how you get the message out and then you're evening and just now you look at you know, Asian porn being listed on asianthumbs.org and bingo, we got the message out and you'll get it in a timely fashion. It actually is very quick. I've done this. I've posted porn on Usenet and it's in an Asian newsgroup and bingo. It's just within a couple of days. It ends up being on asianthumbs. Interesting. So there you go, you got a distribution method. For those of you in the audience who are of course offended by pornography and I will address all three of you now, let me give you a different scenario, okay? These couple of slides are not in your presentation but I think you'll find them interesting. I love this woman. I love her to death. Sandra Bullock, you can't see this down here at the bottom. It says desktopwallpapers.net, okay? Oh yeah, I love Sandra. So I went out and this is like a couple of years ago I downloaded some backgrounds for my computer of Sandra. Let me get another one up. Cause I just love her to death. Oh yeah, there we go. That's the sweet stuff. The thing is, I actually sent her an invitation to my birthday party and she didn't come. It really made me upset because I went to a lot of trouble. I mean, her name and address were on a bell computer system on an FTP server that was wide open to anonymous access. I just downloaded the data files and looked through there and bingo, found all kinds of people's names and addresses including Sandra and even Michelle Pfeiffer. 
And you know what, they didn't even show up after I sent them an invitation directly to their house. I can't understand it. But nonetheless, I still care about her, okay? So, yeah, stalker, yeah. No, I'm gonna try to lump it into research is what I'm gonna do. Yeah, I'm researching stalking techniques on the line. What's interesting about this image was I was using Niels Provos's stegdetect and decided, you know, I'm looking at all my porn and like him, and I've actually found things I thought might be questionable. I've sent him some of my porn and said, hey dude, and of course he doesn't bother at all about it. I don't know why, because you know, you don't really get irritated when people keep sending you email about stuff and asking stupid questions about your software, but he seemed to enjoy it, okay? He was a good sport. But nonetheless, I didn't find anything in any porn. He hasn't found anything in any porn. Guess what? This image right here, there's steg in it. The one previous, too. If you don't believe me, go ahead and download stegdetect. Go to, while it still remains up, go ahead and go to desktopwallpapers.net to go find Sandra Bullock in there. Download these images. I believe this one on there is like Sandra Bullock underscore three, whatever, and the other one's, this one's, this is number five, okay? But they're there. OutGuess is the one that's detected as being in there. Okay, now I don't know if you've done a lot of work trying to crack stuff with stegbreak, which is now included with stegdetect. I've thrown a 40-meg dictionary at both of these things. I haven't been able to find out what the passphrase is, maybe someone else will. I didn't include it in your, it's not included in the CD, mainly because, for all I know, it's got some type of top secret things going on in there. Of course, it may just have nothing in it, I don't know, but nonetheless, this actually turned up as a hit. 
I don't know what to make of that, but we'll just see what happens. So, as a side project, when you're not scanning your porn for steg, go ahead and feel free to throw a few CPU cycles at Sandra here. Now we're gonna move on, we're just gonna do it on time. All right, I'm gonna have to speed things up.
Stealth traffic pattern masking, and the example I'm gonna give here is something I'm working on called Masquerades. This is where you take, and I got the crypto part done, it's now trying to make the thing RFC compliant, which is a pain in the ass. What I'm trying to do is, I'm taking crypto material and I'm shoving it into the header of email, okay? The message ID in particular, shoving it through there into there and then having it go across that way and I'm trying to decide to where you have a client that can run on not as root. The stuff gets sniffed and picked up and I'm trying to add the option of having it fail during the transmission of the email so that it fails in a way to where things don't get logged. It doesn't get logged on an Exchange server, it will get logged on a Sendmail, but it'll look like an error. And so I'm trying to make everything compliant on that. Another idea, throwing stuff into headers. There's been some presentations at both Black Hat and DEF CON and I think they've covered some of this stuff. Hey dude, how you doing? Doing good? All right. Okay. I'm getting ready to bring someone up here. I wanna explain this real quickly. This is something that's interesting, very interesting. I don't know how many people are familiar with the paper from 86 I believe, is that correct? Think so. The dining cryptographers problem. The dining cryptographers problem is you have three cryptographers. They've gone to a, we're going out to a dinner. And again, I'm summarizing quickly. I get it wrong. Sorry. 
They want, one of them is gonna pay for dinner, but they don't want to know which one of them paid for dinner because they're, I guess financially shy, at least some of them. But they wanna make sure if the NSA didn't pay for dinner because the NSA picking up your dinner, that just, that's just apparently a bad thing, at least in this paper it was. So they need to devise a method of being able to communicate between the three of them to ensure that one of them actually paid for dinner. So here's how, this is how the solution works. And that is you flip a coin and you look at it and you only look at it yourself and then you show it to the person on your right. Okay, you're with me so far? I'll do a quick example at the end. Now what happens is once the three have done that and they've shown it to the person on the right, everyone does that. So three people, they've each seen two of the coin tosses. They notice whether those are heads or tails and what they're gonna do is from the two coin tosses that they saw, they're gonna say either same or different. Okay, and they all say that aloud. They're saying whether the two coin tosses were same or different. If you have an odd number of people saying different because the person that paid for dinner is gonna lie. Okay? If you have an odd number of people saying different, then it means that someone at the table paid for dinner. If it's an even amount, means no one at the table paid for dinner and the NSA must have picked up the tab. To give you the little example of this, is all three of them flip heads. Okay? One of the people lies when it comes to saying same and different. They say different. You got one person that said different. That means that one person at that table paid for dinner. Now, you might be saying, oh yeah, well they can determine whether it was heads or tails. No, we're just saying same or different. We didn't say I saw two heads, I saw two tails. Nothing like that. 
The premise behind the paper that goes into a lot more detail is that you have no way, outside of taking a rubber hose and beating people, to do any type of traffic analysis on this. Now, what's interesting is when you're sort of applying this on a larger scale, and we know how to reach a good spot. Okay? Okay. We're sort of applying this on a larger scale because with computers, I can start doing things like 256 or 512 coin flips at a single time. And when I'm transmitting my coin flips to the person on my right, I can encrypt them. You know, using RSA or some other thing. That's referred to as a DC net. So I was distracted. That's referred to as a DC net. Some of the scaling issues were addressed in a paper that was not too long ago, by the way, there was an extension because I know some of you are probably thinking, what if I purposely participate in that dinner and I, even though I didn't pay for dinner, I lie and say that I did. There was another paper that came out a year or two after that called The Dining Cryptographers at the Disco which dealt with being interrupted. Now, folks, this is stuff from the 80s. Okay? This is stuff from the 80s that we're talking about here. Now, somewhat fairly recently, some people at Cornell tried to implement a DC net and ran into some scaling issues and tried to solve it using something called CliqueNet. And I advise everyone to do a Google search for CliqueNet and check that out. And that says, if you can't read in the back, that's a C-L-I-Q-U-E net. Meaning you have small clusters of, you know, let's say seven people or seven or five, whatever they put the cutoff point at. And some of them are adjoining nodes. And then you create this. Now, you can do some pretty cool things with this. Why don't we, I'm going to go and bring up a friend of mine. His name is Jason Larsen. He's worked on the Hogwash project. And he's going to talk to you just briefly. I'll try to keep this short. But we're probably going to go over it anyway. 
But nonetheless, he's going to talk a little bit about this in a little more detail. So we're checking for an adapter, since he's using a, actually that's a pretty nice Mac there. Okay. Well, if people didn't like the first two rows, can actually see part of it now. Let's think about things that you could put on top of this if you perfect a DC net. Okay. Think about things you could put on top of this. That's going to become really critical when I ask some questions here at the end of the audience, instead of you asking questions of me. This is somewhat unrehearsed, okay, folks? So bear with this, but I thought it would be fun to get a couple of people up here besides myself to talk about stuff. You want to just go and just talk about it with those slides?
So can everybody hear me? Okay, how about now? Okay, simple one over most of it. But basically when you're doing coin flips, that's basically an XOR. So I don't know how many of you guys are familiar with what in crypto and whatnot, but when you start doing coin flips and XORs, that's commonly known as a one-time pad. And a one-time pad is theoretically unbreakable. So the basis of a Dining Cryptographers Network is, yeah, everybody generates a one-time pad, passes it to the guy on the right, and XORs them together. The guy that wants to put in his message, also XORs in his message. And then everybody reveals their pads. So when you reveal your pads, everybody XORs the pads together, and since all the pads have been put in twice, they XOR back out. And what you're left with is a message. And since it's mathematically impossible to tell the difference between two pads XORed together and three pads XORed together, it's mathematically impossible to tell who sent the message. So if you really want to give the NSA and the Homeland Defense or whoever else heartburn, then a Dining Cryptographers Network is a really good way to go about it. There are a couple more cool things you can do with it. 
So especially in the future, if publishing exploits gets to be illegal, then we're going to need a better system to publish with. So let's say that we have a group of people together and I want to send an exploit to Bugtraq anonymously. And I don't want anybody else to be able to play with it. Or let's just say I want to send it to one other person anonymously. A cool side effect of Dining Cryptographers Networks is that you can exchange one-time pads anonymously, which is basically perfect crypto. The algorithm's pretty simple. All you do is get together in a circle and have two people agree to put in messages on the same round. So we take me, Nomad, a couple other people, and we all generate one-time pads, throw them to the right, and then me and whoever else I don't know stick in our one-time pads. When you stick in your one-time pad and you XOR everybody's pads together, you get the simple XOR of the two pads back out. Well, since both pads are masked by another pad, then it's mathematically impossible to pull out either of the pads because every possibility is equally likely. But there are two people that can make sense of the noise. The owners of the original two pads because they know the pads. So you can always XOR back out your own pad and get the other person's pad. So if we want to publish an exploit and we know the NSA or whoever else is listening, then we just get a bunch of people together. We exchange pads, XOR in two pads, throw away one of them, and now I have a pad. I can send a message to everybody with impunity because no matter how many CPU cycles they have, no matter how much research they can throw at it, it's mathematically impossible to figure out the message. I just take my new pad, XOR in my exploit, send it over to Nomad, and nobody can break it. So one-time pads can be, Dining Cryptographers rings can be fairly fun if you want to play with them. So another method that you can combine with it. 
One of the problems with one-time pads is there's a finite number of participants. So you only have 1,000 people sitting around together exchanging messages. Theoretically, they can come and knock on 1,000 doors and take your computers and life isn't good. So one method to get around that is just to solicit participants from other countries. So one of the nice things is the NSA's of the world don't usually talk to each other, and they don't like people picking on each other's citizens. So to get a few guys from Russia, a few guys from China, then you can be reasonably secure.
Okay, thanks, Jason. Now I want to give Jason a hand. Thank you for your shirt. We can kind of, go ahead and step up a little bit. We concocted this idea. He had pushed for the DC NSA. I was talking about stealth communications at Kent's at Rust, and we had the smallest ball favor to con just the two of us talking with paper up. I've got some questions for you guys. We're getting towards the end. I want you to think about some things here. These are what you call rhetorical questions without really an answer here. If you do develop unbreakable crypto, how long do you think, good God, I didn't fall in on me. How long do you think that unbreakable crypto is going to remain legal? Think about it. I mean, I didn't have to speculate on that. If you open source perfect crypto, and it gets you into trouble, I'm wondering if under the Cyber Security Enhancement Act, if you could be put in jail for life as aiding and abetting cyber terrorism. The applications of this are obvious. I mean, you could have dissidents living inside of oppressed countries, being able to get messages out to people, and people will get messages into them using various combinations of all of these techniques you've been talking about. 
But if bad guys can use it, and it's unbreakable, and we talked about what they were possibly capable of breaking, if you've got stuff that you can't break, how much trouble are you going to get into? Couple of other things I want to bring up is what I'm thinking about it. There's a movement right now to push forward the government version of, it's kind of like a Cyber Corps. People heard about this. A few people are nodding their heads. Cyber Corps, you know, there's some kind of government-sponsored program on this. I want to know, is it possible for me to form a cyber militia in response to that? Something to ponder. A few people seem to like that one. I got a question involving free speech for you to think about. If it's always been questionable whether crypto or code is actually considered free speech, there's been some people say, yes, some people say no, there's court rulings and whatnot. Would it make speeches like this illegal if crypto and code is not considered free speech? And also, one other question, this one I think there is an answer for. If I'm busted on any charge, could someone please call Jennifer Granick on my behalf? Just, you know, just in case. That's pretty much all I have. I've gone over on time. I've got one thing I want to do. I need to get one volunteer. Okay, you right here. Come here. See some of these times of volunteer. There you go. You get a free computer. There's your computer. You have to give one away. That's it? That's it? Go sit down, don't you? Yes, I know. It's made out of fine steel. That's before we got really good on it. There's a few shirts here that I wanted to give away too to some of the people here. This is kind of what I consider this talk and everything else this actually to be about. Okay, hacktivism is not defacing web servers. That's not what it's about. That doesn't get your message out across to anybody in a real positive way. 
It's trying to do some of the things that we've been talking about here in these directions. A lot of people out there, like I said, I've done only a very little bit of work myself. A lot of people out there have done this or doing work like this and needs to be encouraged. And so we'll just throw one out there for someone to grab. I just want to make the point. I was talking with someone from the EFF over at Hard Rock. There's another one out there. I was talking to someone at the EFF that I was talking a little bit about in my talk and I said, you sound the... Asshole. You sound cynical. So really, I probably do come across as cynical when it comes to this kind of stuff and I don't mean to. I mean to try to be somewhat positive in this and whatnot. And so I always try to pass on this message from the EFF and by the way, our orders are just like EFF and Epic really deserve our support and they actually deserve a round of applause. They do actually try to do a lot of good for us. How many people here have access to $100? Do you think you could probably get to $100? It would be really interesting if every single DEF CON attendee was able to give the EFF $100, okay? Because that adds up to like a whole bunch of dollars. I don't know how many attendees. I've heard any of them from $3,000 to $5,000 this year, which is just phenomenal. Imagine what could be done with that type of money there. Another thing, and I really do encourage you to do this, it makes a huge difference whether you believe it or not. It really does make a difference. Write a letter with your thoughts. Don't do this in email. Do this by hand. That really gets their attention. Write it out by hand to your congressperson if you've got a problem with one of the laws that is being proposed or even a law that's passed because all those congresspeople they're all worried about the people that elected them and they all want to make sure they remain in office. 
And they've had all kinds of mathematical statistics on the fact that for every one letter, there's a thousand people that think this way, oh my gosh, I'm going to pay attention to it. Those letters do matter. And if they start coming in volume over some of these things you're concerned about, then we can do something. Now I know a lot of you have deferred a code, okay? And I know that some of you have probably even never licked a stamp. And let me tell you, don't lick the stamps because they got sticky stuff in the back now and it tastes like shit. But I mean, you know, and see I caught some of you and say, yeah, yeah, lick a stamp. He's like, oh no, no, they won't do that anymore. That's a long time ago. So you gotta do a few things, you know. Give, you know, try to give back a little bit. And I think we'll make a pretty big difference. And there's pretty much, the rates, there's more. They're gonna kill me for going over on this. It's just, can you do this in like three or four minutes? Yeah, or maybe two. One of the things that's going on that I'm gonna have Steve come up here and give you a quick synopsis on yet another little thing that's going on. And he promises to the people running the place that'd be quick.
Okay, we announced this at Black Hat. So you know, if you guys that were there, probably already know about it. But VulnWatch, in conjunction with PacketStorm, the Open Source Vulnerability Database project and a few other open source free information sources have announced kind of a little bit of an alliance. Basically what we're gonna do is we're gonna work together to pool our resources and give a centralized spot. I think probably the key part of the whole thing is we are gonna have an open source vulnerability database that everyone can contribute to. Everyone can add to it. Everyone can access it. Everyone can use it. It's gonna be completely free. It's not for profit. You know, it'll never be sold, all that kind of fun stuff. Pretty much it. 
The website is isi.org. Thank you.
Because truthfully information really does wanna be free. And when he says free, I mean, if you're a commercial vendor out there, you can grab the data, pull it in, resell it, do whatever you wanna do. But the raw source of it's gonna be free. Just keep that in mind. Normally I would take questions on this and you're probably gonna wonder, because I worried about a couple of things. DebDreamers.com for all the graphics was where I nabbed him from. Hopefully I didn't violate any of the DMCA by putting him up here in front of you today. I did give him credit, which is what he asked for that. To kind of tie this together, the last thought that I wanna leave you with, okay? And this does, again, we get back to, we get back to a little bit of politics here. Our government, okay? Our government has gone to great lengths to try to protect us and they do a variety of things in their efforts to try to protect us. And those are appreciated by a lot of us, but sometimes in their effort, they're a little bit overzealous. And we have to keep that kind of stuff in check. Now, you currently have a government that is declaring war on concepts, okay? They're declaring war on concepts. Remember the war on drugs? What was that one? Wow, that was a really good war, wasn't it? Did we not successful? What was the big thing? Don't say no, or just say no, that was it. Or yeah, don't say no, there you go, ooh, there. Just say no, what the hell does that mean? That's not going up to a homeless person saying, just get a house, you know? I mean, this is the kind of wonders thinking we got coming from our government. Now we have a war on terrorism, okay? We're not officially and technically constitutionally at war with anyone. But we have in anything else, there's a war on terrorism. 
Now with the whole rise of these transnational conglomerate corporations that are essentially running everything, and the continued fall of the nation state, as things continue to fall down and the borders start disappearing, in large part to technology, okay? The hacker nation, us, we're increasingly becoming subject to an unspoken war, all right? You wanna be able to communicate securely from one person to another. You wanna be able to do that, whether you're talking about recipes for cracking or some service running on a system or recipes for cookies, and I'm talking about the kind you eat, okay? It doesn't matter. If you want that conversation to be private, then it should be, okay? So I want you all to think about that. If people have got questions, do you wanna try to grab me later? That's great, well I'm not gonna take questions now, we're over and I'm sorry on that, but there you have it. Thanks a lot for coming. Thank you very much. Thanks a lot.
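The dining cryptographers rounds described in the talk (the same-or-different dinner vote, the XORed pads on a ring, and the two-pad exchange) can be simulated as follows. This is an added Python example, not part of the talk or any speaker's code; the function names and the ring layout are assumptions of the sketch, and each participant announces the XOR of the two pads they hold, matching the "same or different" statement.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("pads and messages must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def dinner(coins, payer=None):
    """One-bit version from the talk. coins[i] is participant i's flip
    (1 = heads, 0 = tails), seen by i and by i's right-hand neighbour.
    Returns (who said "different", whether someone at the table paid)."""
    n = len(coins)
    said_different = []
    for i in range(n):
        differ = coins[i] != coins[(i - 1) % n]  # own coin vs. left neighbour's
        if i == payer:
            differ = not differ                  # the payer lies
        said_different.append(differ)
    return said_different, sum(said_different) % 2 == 1


def dc_round(n, length, messages=None):
    """Multi-bit round on a ring of n participants.
    messages maps a participant index to the bytes that participant injects.
    Returns (per-participant announcements, XOR of all announcements)."""
    if n < 3:
        raise ValueError("with fewer than 3 participants the sender is obvious")
    messages = messages or {}
    # pads[i] is generated by participant i and handed to neighbour i + 1.
    pads = [secrets.token_bytes(length) for _ in range(n)]
    announcements = []
    for i in range(n):
        out = xor_bytes(pads[i], pads[(i - 1) % n])
        if i in messages:
            out = xor_bytes(out, messages[i])
        announcements.append(out)
    # Every pad appears in exactly two announcements, so all pads cancel.
    return announcements, reduce(xor_bytes, announcements)


def exchange_pads(n, length, a, b):
    """Participants a and b each inject a fresh random pad in the same round.
    The public result is pad_a XOR pad_b; only a and b can split it."""
    pad_a = secrets.token_bytes(length)
    pad_b = secrets.token_bytes(length)
    _, public = dc_round(n, length, {a: pad_a, b: pad_b})
    return {
        "pad_a": pad_a,
        "pad_b": pad_b,
        "public": public,
        "a_learns": xor_bytes(public, pad_a),  # equals pad_b
        "b_learns": xor_bytes(public, pad_b),  # equals pad_a
    }


if __name__ == "__main__":
    # The talk's example: all three flip heads, participant 0 paid.
    print(dinner([1, 1, 1], payer=0))
    msg = b"constructed sample message"
    _, combined = dc_round(5, len(msg), {2: msg})
    print(combined)
    result = exchange_pads(6, 16, a=1, b=4)
    print(result["a_learns"] == result["pad_b"])
```

Two real messages injected in the same round collide into their XOR; the pad exchange works only because both injected values are uniformly random, so the public result reveals neither one.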