It's an interesting story on how it came up. At first, me and a friend of mine were at Comdex two years ago, right here in Las Vegas, and we were looking at this vendor who had a content-sensitive filtering device, and we couldn't get to any porn sites. We didn't want to go to any porn sites, but the thing was, if you could get skin on a page, you would get this teddy bear with bondage on it, with bondage gear on it, and that's what we wanted, we wanted the teddy bear, we wanted to bring it home. How many of y'all use the DEF CON proxy server? How many of y'all think it sucks? Well, that's good. Anyway, what happened is we tried everything we could to get past this device, and what we eventually tried to do was go to the site that was basically all images and no text, and even by IP address, we couldn't get past this device, so it kind of planted a seed with me, and I wanted to see if I could do something to get around this, so I started playing with proxy servers. What we're going to talk about today is exactly what is a proxy, because this is the newbie track, but I'm sure most of y'all know what a proxy is, because most of y'all would use it. Why use a proxy server? Why would you want to use such a device? Is it really anonymous, which is a big issue for you guys I know, and a new access policy. There's some things that have come up in terms of present resources that we have available to us, and just network utilization, so there's going to be some policy changes to the proxy server, but don't be alone, we're still going to offer some basic free access. Exactly what is a proxy? Well, in networking or computing, a proxy is a device that separates you from a third party. There are web proxies, there are telnet proxies, FTP proxies, but because web browsers are the predominant application on the Internet, you'll see web proxies more often than that. And this is a high-level topology of how a regular, non-proxied web session would go.
You have dual point server, or just hacker down there at the bottom, you have a home user up there at the top, and what happens is direct TCP connections are made on port 80, or any other web port, the common published ports are 80, and for SSL it's 443, and you go directly over to the port size. And that's kind of intrusive because you can pass environments over there, your email address, things like that, IP address, who you are, basically, where you came from, and where you come from in terms of what ISP you're using. What the DEF CON proxy does is it acts as an intermediary device. If you'll see the, I'll call the segment over to your left, to the left side of proxy server, segment A, and we'll call the one-on-left segment B. On segment B to the green dotted lines, the proxy server will take your request and then it'll go to the site for you, bring back all the data, and then rewrite the pages and display them to you. And when it does that, it rewrites the link, so any subsequent link that you press on there after will force you through the proxy server, so you don't have to worry about that. There's some things when there's an FTP link or an email link, and it's going to make you leave the proxy, it'll warn you before that, it'll give you the link in case you do want to go there anyway. The real? Well, a lot of issues as well, people are writing, you know, URLs were showing up in corporate proxy filters, and they were concerned that the boss or the government might be able to view the traffic that was going over there, because it is an anonymous. It's anonymous from the all sort of proxy to the destination website, but it's not at all anonymous between all sort of the year. And even the red-byed lines on segment A show those in encrypted session, but even though it's encrypted, it's not really anonymous.
From here, your boss, which is a company you work for, the ISP, the government, they can still tell that you're going to the proxy server, but because the session is encrypted, they can't read your traffic, which for some of the years is very important also. And another thing that the encrypted version of the DEF CON proxy service is that it blows through content filtering devices, which is what I wanted to do. I wanted to blow through content devices. That was my original goal, because I wanted to get past that device. So if your boss is going to let you go out on 443, which is the SSL port, and you can make it to the DEF CON proxy server, you're going to be able to pretty much get whatever you want. What happens is you go out of destination port 443, and then the DEF CON proxy server will go out of destination 80. So you can visit non-SSL sites by using SSL on all sort of... I'm sorry, DEF CON, it used to be all sort of, and it became a part of the DEF CON organization after a long time. You know who that is? That's Diki on top of the Grand Plaza Hotel in Taiwan. I talked him out of jumping. Why use a proxy server? Anonymity. You might want to remain anonymous. That's the biggest reason for all of you guys. Also, we started in the beginning when we were doing this, what happens is turned out as something I wanted to do, and then I told a couple of friends about it, and a couple of friends told a couple of friends, and then Jericho put it on attrition.org, and then Jericho or Diki put it on the DEF CON site. So this isn't something that was programmed on purpose. Well, it was programmed on purpose, but it wasn't engineered. This is not something that was planned to be rolled out to millions and millions of people, and it is millions and millions of people believing that. I know it's Sunday and it's early, but it's kind of well, but on a Tuesday, we stopped logging the service, which was about four weeks ago when we stopped testing it.
We basically logged to see where people were going. We didn't care where we were. We wanted to know why they used a proxy server. In the vast majority, I'm talking like 90% of you guys use it for porn. I'm serious. We saw people written around in CGI bins and going to government sites and stuff like that, but the vast majority of you guys use it for porn. And what I was going to do today is I set out last night on a mission to go look for the little teddy bear with bondage on it, but I couldn't find it. So what I did is we have goodies today, by the way. In Iowa, where the proxy server was based out of, I got y'all an inflatable pig blow-up doll. You're a lucky guy. But anonymity is the biggest reason why a person would want to use a proxy server, yes, we assume. The second one is you're forced. You might not have a choice to use a proxy server. If you're in a corporate environment and you're sitting on your company LAN, they may have a proxy server that they force you to go through. And the reason that they do that is, well, there's a couple of reasons they might want to do it. As a consultant, I can tell you that I'll go into a company and I'll recommend a caching proxy server which caches, stores web pages locally. So it appears, the perception is that all subsequent accesses are faster, but it really isn't. Well, it is faster because it's coming from a local segment. And what you do by implementing a caching proxy server is you can lower the utilization on your WAN link, which is very important because if you go to a company, and for example, the company's WAN link, say the public internet connection is a T1, it costs $2,700 a month. If you tell them that you can cut down on the utilization of their WAN link and put off upgrading that line for another year or so, they'll save, you know, tens of thousands of dollars over a period of a year and you get a big yarn when you tell them that.
But another reason that they force you to go through a proxy and probably the real reason is if you go to the HR director and you tell them by implementing a caching proxy server that you can spy on your employees and see where they're going and back up the pages that they go to and then you get the P.O. signed in like 30 seconds. Bypass restrictions. You might have a firewall or filter based on content, I'm sorry, a firewall or filter based on content or site destination. This is really popular with countries like Cuba, China, Russia. They don't want you to go to the CNN site. They don't want you to go to the American government site. And I'm not saying that you can come to America and get the real story. I'm not saying that they can go come to America and get the other side of the story and they can make a decision based on what they've learned. And I recently got a lot from a guy in Russia who said that he very, very likes their proxies over and he uses it all the time. And he sent that to me in email. I said that he uses the encrypted version because he can bypass the government that way. And what happened is he sent it to me in clear text email. So he used the encrypted version of the proxy. Then he sends me the email in clear text. So I envisioned the government going there and I chanted a couple minutes later because I responded to him and I overdid that. Who knows who that is? Microsoft? Here. I don't want to throw it. It's there. You want it? You know? It's a jack-off throw. Anybody else want it? No. No? Yeah, it's a proxy. It was a proxy for your hand. Okay. I got better prizes as we go along. Well, hold on a second. Do you want the pleasure cups instead? Okay. I can't throw them into a hurry. Is it really anonymous? No, but I feel that we've made a good effort in that part. The best effort actually that we can do, I think. It's encrypted.
The boss still knows where you've gone but even more importantly to some of you guys is between also, sorry, the DEF CON proxy server and you. There's no way to control who's going to be monitoring that, who's going to be sniffing that, even though they can't see you, they know you're using the server. And the government, I think, can brute force that encryption but I don't think the boss can. So if you're going to use it for points, I think you're fine but if you're up to no good, who knows? Whoops. The clear text version of the proxy is anonymous. As you know from the web server point of view, and the encrypted version is anonymous to the web server as well. And like I just said, they can still sniff your traffic but they can't read it. So a lot of people, I don't want you all to get the impression that it's anonymous from you to also really know it's encrypted. It's not. It's just, they can see your traffic still. And that's a bill and nobody wants to jack off the bill. That's okay. DEF CON proxy server is now part of the DEF CON organization. And what that means is it's going to have a DEF CON URL and it's going to be based out of Seattle. We're going to move it from Iowa. Believe it or not, the proxy server is running on a Pentium 75 with 32 megs of RAM running crewed yesterday. And it's getting beat to death right now and during peak periods the machine almost dies. So we're going to upgrade the machine because it's going to go on a dual Pentium machine and it's going to go to a place where we have an Ethernet connectivity to a DS3. We will continue to offer the clear text version of the proxy server and that's not correct. We're still going to offer the encrypted version as well for free as a community service. And we're going to limit the bandwidth. I think we're going to start off at 256 and I think we're going to go up to 512K for the proxy server, for the free services.
So you're always going to be able to get in and you're always going to be able to use it for free but sometimes it's going to be kind of slow during peak times. Yes. What do you use it for? What do you use it for? What do you use it for? Hey, if you don't mind saying. Okay. Okay. Okay. Okay. Mm-hmm. You'll be able to do that. And we have a way of separating them but it's going to be an economic mechanism. I'll get to that. So we're going to continue to offer that for free. The encrypted version of the blah, blah, blah, blah, blah, blah and some other new features will cost a nominal fee per year. And like I said, that's not accurate because we're also going to offer encrypted for free. But unlimited pipe, not full-blown D yesterday. The new domain will be DEF CONnet. We covered that. And what you'll get is you'll get access to all web proxies. Well, also, you're going to be able to open up an account with us and your email address will be at DEF CONnet. And we're going to have a Hotmail, well, actually it's already done. It's a Hotmail type of interface and it's going to be through SSL. So you can send clear text email but you can go to DEF CON and offer that email via your web browser and it will be encrypted. And we're also going to have telnet and FTP proxies and they're going to be authenticated using the DEF CONnet login. Because a lot of people actually have requested telnet. Not so much the FTP, but a lot of people have requested the telnet proxy. The membership is going to be $50 per year. We're going to donate some of that to either EFF or EPIC. So it's going to go to a good cause, any leftover that we have. But mostly, we did this to try to separate the people who are looking for free porn, actually. We don't know if it's going to work and because this isn't... Do you think so? No. I'm sorry? No, I know. Also, the sign-up is going to be kind of painful. So the porn guys are kind of instant. It's an impulse buy.
They can sign up on the net and it's just instant access. So we think that because the sign-up is going to be kind of painful because the sign-up also has to be anonymous. If you pay me with a credit card or a 900 number, the PTT is going to log that 900 call or the credit card is going to have to be billed somewhere so it's still not anonymous. So what's going to happen is later on in the slide, I think it is, we say that you're going to have to pay over there at the registration booth but we're not going to do that. We're going to have a secure form and on this form all you're going to do is give us a name and a password and you're going to hit the submit button and the form is going to return the address which is basically a background, a Jeff Moss and you're going to send the money to him and when the money gets there then we'll enable the account and we're hoping that you guys will do that via money order and just write your username in the memo section of the money order. Like I said, all of this is subject to change because we're not a big corporation. We're very nimble. If it doesn't work, we're just going to have to fix it some kind of way. Can you come down here and tell us how you think how the consumption is played out? I'm by it. What do you think how the consumption is played out? Well, there's some things we have to address though because like you said, the guy in China channel forward 50 bucks or we just had a hard time getting into it. I mean, there's currency issues and can he walk into a 7-Eleven and get a money order? No, that's quite frankly, that's something that we didn't think of and like I said, this isn't something that was engineered. This wasn't something that was supposed to be rolled out as a product sometime. How about Slim? No, I understand. I'm like, you're next year. What's your assumption? You probably won't play out very well and you should domestically.
You bring up a good point but I don't think a lot of porn circles are going to go through the trouble of signing up to use it. And, you know, if somebody is paying for the bandwidth and they send us $50 per year and it's popular and it makes a million or $2 a year and we're just looking to subsidize some of the network utilization so if you can take money out the top and send it to EFF or EPIC, do you have anything? If you don't switch to EFF, do you want to come back? We have... I talk with David Silva a lot with EPIC. EFF is no real porch just on anything but you... that's a good point as well, you know. I know they do good legislative work and good lobbying work and stuff like that but, you know, they get donations and if somebody is a significant contributor to their cause then maybe they can sponsor some of the people who want to use it. International. Forget that. There was no printer here. That's the reason for that, basically. It's scheduled for rollout 9/15 and all present services will remain free until rollout. And maybe early that's just something I came up with off the top of my head. I got to go home and kick the dog and kiss my wife and take a rest and go back to work at 9/15. And here's the present URLs and the past URLs. I'm sorry that's a present in the future. I'm sorry. So after the 15th you can just go to freeproxy.devcon.net or proxy.devcon.net for the paying services and if you want to write the guys who have run it email, just send them email to proxy.devcon.net And that's it. Q&A. I'm sorry? Wait. Just a little bit here. Okay. I'll get my URLs. This presentation is going to be available. I don't have my speaker notes. There's so much more I want to tell you guys. This presentation will be available on the DEF CON proxy server site. So you can download and take a look at the speaker notes if you want to. Oh, yeah. That wouldn't have went over well at all. There we go. Okay, guys. I can't hear you, sir. No, there's addresses on the site.
But the present... Oh, yeah. For the new URLs and the addresses we're going to put something up. It's Monday night. No. DCs-proxy.also.net. Yeah, that's the present URL. Any questions? Okay, who wants a copy of FreeBSD 3.2? Who knows where URL is? Yeah. Nope, not research. Yeah, we got it. And if anybody wants to jack globe, y'all can just come up and get it. I'm sorry? I'm sorry, this isn't Jeopardy. Universal, I think. Hold on a second. Anybody want the pleasure cups? No, really. Okay. Thank y'all very much for coming out this early. I appreciate it.