Can everybody hear me now? So we'll start a little bit early, because I think whoever wants to be here is probably here. Anybody here been to the Internet Wars panel 2006? Not too many people, but okay. I guess we don't maintain our audience. So the idea was to bring up a few slides and talk about things we have seen the past year and then just open the mic to everybody to talk. Can we actually arrange for a mic for everybody so they can ask questions? This will be most of the session. No microphones? Can we take one from the table? Over there? No, no, this one over here. So we can just... Okay. The first guy... Yeah. If you have a question or something. So this year we decided to skip the actual presentation, because I don't know when to shut up, and if I lecture it just takes a long, long time for me to do so, and just start with questions from the audience. There are a lot of interesting things happening this year. We had the... What did we have this year? Well, we had the Estonian information warfare thing going on with Russia, or not Russia. Russians. I'm actually lecturing about this later, but never mind. And that's not the main thing we want to talk about. We want to talk about the mafia. We want to talk about the general phishing, fraud, botnets, DDoS, all the bad stuff, e-crime, whatever you want to call it that's happening online. We have people on the table that can answer very, very technical questions about malware samples, vulnerabilities, et cetera. People who can answer very general questions about incident response and how things are managed with global task forces. And for example, when we had malware on the Dolphin Stadium website two days before the Super Bowl, that was taken care of and the operation was managed globally. And we have people from law enforcement here who can answer questions from their side of things. So everybody has beer, except for the feds, good. So I'll just let everybody introduce themselves, please, five words.
Let's see. George Bakos, Northrop Grumman, formerly Dartmouth ISTS, Incident Handler, DI at the Storm Center. Tim Casiba with the FBI. Joe Stewart, SecureWorks, formerly LURHQ. Rick Wesson, Support Intelligence. Andrew Fried, Special Agent, Treasury Department, IRS. Marcus Sachs, Director of the Internet Storm Center. So unless you want me to talk forever, which I'm more than capable of doing, do you guys have any questions you would like to start us off with? Yes, please step up and take the mic. So I assume you guys heard about the ISP who started redirecting connections to a particular IRC server to a kind of dummy server that would try to rid whoever connects of the bot. Yes, Cox, thank you. Go ahead, Don. What are your opinions on that? I would actually like just one of you to answer that because although related to botnets, it's not internet wars. It's response. So who would like to take that? Rick? I had a fun perspective on this. We at Support Intelligence track and aggregate data about malicious activity. And so one of the things that we tried to understand is we looked at Cox's network before they did this, and Cox's network after they had done this, and we didn't notice a statistically significant growth. Eat the mic, please. We didn't notice a statistically significant decline in botnet activity from their network. So what it was doing was having people connect to a server that issued five or six different commands that sometimes removed malware from infected machines. So from the outside perspective, we can't tell that there was actually any positive effect. Mark, would you like to actually comment about why you think they did it and if it's a good idea or a bad idea? To approach itself. Yeah, so just in a minute. Who asked the question? Yeah, so you know what they did, right? So Cox took any DNS queries that looked like they were going to C&Cs and they just redirected them. A lot of consternation over whether that's an appropriate thing for an ISP to do.
Right, exactly. So from a business perspective, it makes perfect sense. It's their network. You don't like Cox, go to Verizon, just switch, right? But from a "let's keep the internet pure, it's designed to do the things that we wanted to do" perspective, bad Cox. It's like VeriSign when they did Site Finder a few years ago. Did it make the bots go away? No. Did it make Cox's network a little cleaner? Perhaps. I mean, not much. Is that what you're saying? Right? I think it's the type of business reaction we're going to see in the years that come. The internet's run by businesses. It's not an academic thing anymore. It's a business venture. Consumers vote with their wallet. If you don't like the way your ISP is performing, find another one. Now, you sell your house, move to another neighborhood. That's what we all do anyway, right? Well, one second, George. Yeah, one comment. How did you find out that Cox is doing this? I mean, we knew it for many reasons, but how did you find out personally? Slashdot. Slashdot. Did you find out from Cox telling you that, as a customer, we're going to protect you by taking these additional steps? I don't want to pay a vendor for a service unless I know exactly how they're changing my requests rather than a... That's arguable. Is Jennifer here? Well, they're publishing anyway. You're pulling your DNS service from them, and you can point your DNS at anybody. Who runs... Anybody here from OpenDNS? Are you guys familiar with OpenDNS? All right. Check out OpenDNS. If you go to them, you don't have the Cox problem. You're completely redirected. But guys, I'll actually have to take this question, mash it around, and bring in something I want to do. We always argue about ISPs not doing enough, and the ISPs argue, well, why should we? Not because they're bad people. They're trying, but it's not our job, et cetera. And there is, on the extreme end, regulation. And on the other extreme end, there is the free internet, don't be the internet's firewall.
Do you believe, I mean, we know, for spam, you have to maintain your systems. You have to filter. What do you believe would actually work for ISPs to implement as part of the system? You know what? What do you believe works right now that ISPs can implement to maintain their systems and combat this problem? Let's start with Mark. Egress filtering. Nothing leaves the ISP unless it's properly sourced. Basics, yeah. If they would just do the basics, yeah. If ISPs were to globally deploy devices that adhered to BCP38, that would help a lot. That's something that everybody can do today. Basics. Who is that over there clapping? Another IETF guy or another? Who is that? What's your name? Joe. Joe. Hi, Joe. Everybody together. Three, two, one. Hi, Joe. Hi, Joe. But Joe is right, because those of you not in the ISP world, BCP38 has been sitting there for how long now and not really implemented? Okay, let's move on, and if somebody wants to chime in here, let's move to another question. Another question. Yes. That's going to be a real vague question. I've heard good arguments on both sides of net neutrality, good or bad thing. Not relevant. Next. I'm really sorry. Hold on. I apologize to you, but that's politics. We talk operations. So I apologize personally. I'm the evil guy, not them. I'm the asshole. Okay. Another question, please. Yes. Come on. How long do you think it's going to be before we start seeing ISPs, instead of the DNS poisoning stuff, start doing things like BGP table manipulation, dropping routes for things they consider hostile? I think they're already doing that now. Can we rephrase this question so that we won't fall into the political pitfalls, because it is actually interesting? Okay. Go back to the mic. Okay. Yes, yes. Let me back up. I'm worried. Okay. How do I deal with ISPs that are doing this to me without my knowledge? Create your own DNS server and use it. Not DNS. No, no. BGP. BGP. Drop it.
The next question is from Madame. That makes sense. What's currently done by ISPs, for example, to maintain their networks, to fight the bad guys, to somehow survive, that you really wouldn't like to be abused? Is that right? Am I? Okay. I think that there's two things that ISPs have done. One is walled gardens, where they put a device's MAC address into a different pool so it gets a different IP address that has different policy restrictions on the outbound ports. Another one is Trend offers a device which they sell, Trend Micro offers a device which does this BGP routing inside the core of the network, which does a number of things, but it essentially inserts information using BGP which doesn't affect the external view of how BGP routing occurs. And so I don't think that it's really an issue from a policy perspective, what's going on inside the core of a network. I think it's fully within their right. I would like to move on at this point and re-concentrate on a different aspect. We know that ISPs need to protect themselves, or us, or maybe not, but what are they actually protecting us against? So I would actually like to go to Joe Stewart here and ask him about some of the recent stuff we have seen which we haven't been able to handle, or the more edgy stuff that we need to handle right now. From the malicious code perspective, what's actually, the stereotypes, what are the actual malware samples that impact the internet when they infect you and stuff like that? Did you even understand what I was saying? Sure.
From the perspective of impacting the entire internet as a whole, we don't see as much of the global worms and things like that, because people have deployed different countermeasures and everybody's got an anti-worm product now, and the bad guys figured that out, so they've solely gone to targeting the end users through drive-by downloads. So it's a mess out there if you're talking about your grandma or your mom or your dad surfing the internet, trying to just go to a few pages and maybe do their banking online. It's a mess for them. Does it affect the internet as a whole? Not really, we don't see it on an operational level, but still, it's just a massive wave of this type of activity, and that's the thing that I'm seeing and trying to deal with in my operations. Can you call it a massive wave? Massive wave. How do you quantify just the endless torrent of these types of impact, and malicious JavaScript hacking thousands of sites at once? You had the Italian Job, as they called it, where they just had a field day infecting almost anybody that visited a site. You think, well, I don't use Internet Explorer so I'm safe, well, that's not true anymore. They're finding bugs in Firefox, albeit they get patched faster, but still, there's Flash, which has recent vulnerabilities, Java has some new vulnerabilities, so unless you're running with all that completely patched, and Windows Update doesn't do that for you, then you have problems. Maybe your Java is patched, well, unless you've removed all the old vulnerable versions of Java, the bad guys can script their pages so that they just instantiate the older version that's still on your hard drive and then infect that, so.
Well, Mark, I believe you, about a few months ago we responded as a community, the internet security operations community, to the Dolphin Stadium incident, where suddenly all this stuff, it's immense but it's background noise to us, happened, and then we were on a global conference call talking about, yeah, that's me today, do we have anything more to do? Well, now let's go sleep, it's the weekend, and stuff like that. Then you came up with a question, you went to Google and searched for the malicious code, and you came up with a question, and I believe what you said can really emphasize the point of how large this all is. Do you remember what the question was, or do you want to talk about what we did? I'm trying to see if you remember it. Yeah, I know, it's good. Let's just talk about Dolphin real quick. Do you guys remember that? This was right before the Super Bowl back in early February, I guess the first weekend in February? So at the Storm Center we got a contact that said, hey, something's goofy with DolphinStadium.com, it's serving up a weird JavaScript, it's pointing to a site in China, downloading just a little piece of code which then, if you pull it into your browser, nothing patching here, your browser's just executing Java code, redirects it, pulls down another loader, pulls down a keystroke logger, I mean, the typical stuff that we're always seeing. What we did though with the Storm Center is we took those strings that we were finding inside of DolphinStadium and went to Google, just kind of playing around with Google-fu there, and we found close to a hundred other sites that also had that same JavaScript in them. Started following some of them, and sure enough, they're pointing to the same Chinese sites that are downloading the same piece of code. About a third of them, roughly, were hospital-type sites, which made us think this was a directed attack against hospitals. In the end it turned out it was the use of Dreamweaver.
People who were using Dreamweaver had a little setting they were screwing up, and these guys had abused it. Well, what really struck us as odd was the why, what's going on, because there's always a motivation behind this, and usually it's a criminal, financial type of thing, they're going after credit cards or stealing your identity. In this case they were interested in World of Warcraft. That was the identities they were chasing. They wanted to get your World of Warcraft credentials so they could go in and mine some more gold. They have these gold farmers over in China that steal your virtual credentials, go in and then steal your virtual cash and sell it in the virtual world. That blew us away. This was the first time we had seen the bad guys operating in the virtual world, now mapping it over to the real world, and doing it through DolphinStadium.com. So then we continued to pull the string and it turned out this attack had been around since back in October. We had never even seen it. Didn't even realize it was there. And the number of websites that, now that we knew what to look for, increased to over a thousand or so that had been infected. And it just continues on. We've seen more things like that. Just very novel, real easy. And there's nothing that the user's doing wrong. You don't have an unpatched browser. You're doing nothing but just visiting websites and wind up pulling this trash into your computer. There was actually something extra on that. I mean, yeah, that's cool, by the way. What a work of gold, yeah. But interestingly, once we actually got the incident handled, I was on the phone and I said, guys, let's go to sleep, we're done. And Joe was talking about the malware and what it does. And then you came up with a question that I'd like to really contemplate on. He said, hold on, guys. I just went to Google and there is a ton of other websites out there. They're doing the same thing.
How can you call this incident handled and shut the door? And that's what I'm trying to really, I mean, can anybody here try and explain why we all, I mean, we are on the stand talking about all these different incidents and we speak of them as background. There are thousands of websites here, thousands of hacked users over there, millions over here, and you know, this is background noise. And I'm trying to find a way to explain why we only respond, for example, with a global community to Dolphin Stadium incidents or to other such large incidents. How can we explain this? Can you help me out, Rick? Yeah, sorry. We can't contact the people that are responsible for the resources. And as a company that's trying to find the people to educate, the amount of education that has to go on is significant. We track some 2.2 million events a day and I can't find all the people to give the information to so that they can go and do something with it. And the organizations are vast. I mean, you have universities that can do something, you have government that can do something, but you can't usually get it to the person that... They'll just get reinfected anyway, if we could find them. I can tell you one reason why we really keyed on Dolphin Stadium is it was the first time we'd seen the virtual world. Usually when something new comes up, I mean, it is background noise. There's millions of this crap going on right now as we speak. Something new, though, happens. We'll key on it and start talking about it. Once that newness has worn off, it's background noise. Are the bad guys getting in the virtual world today, right now, as we speak? Yeah, they're doing it all the time, but it's background noise, at least for us at the Storm Center. We guys may not see it. Yeah, we all try to basically respond to all this. Last year. Hold on, Andy. We all try to respond to all this. I love to talk even when I'm moderating. We all try to respond to all this. This is important.
But remember, this is all goodwill-based. How can we respond to millions, right? So before we speak, Andy, I would really like this from your FBI's perspective, because they really do a lot. The FBI has really advanced in these past few years on online crime and all that. Okay, this is DEF CON. I'm allowed to say this. Shit. And we still don't see a difference. As far as I'm concerned, we lost the war. So I'd really like our two law enforcement members to comment on this. Well, first of all, from an FBI standpoint, the predicate behind the FBI getting involved is, first of all, a complaint. It's not that the FBI isn't proactive, but there has to, first of all, be a complaint. If there's not a complaint, then there's nothing. I think it was mentioned earlier, we're not just gonna start calling people unless certain things actually happen. And then, of course, based on the complaint, once you actually get past the complaint, then we need to start talking about minimal losses. Is there a minimal loss threshold that's been achieved before we're gonna expend resources to go after whatever's occurred? So you have two things you have to immediately look at before you're gonna start going down that road. And if there's no complaint, if somebody didn't file a complaint in the field office, there's nothing to get started on. So somebody has to complain. Anybody out there wanna complain? I think I just opened it up, right? One of the side effects of this problem, last year at the same session, I mean, the comment that like one out of every five machines were infected, everybody took a gasp. And I think that that's probably almost a conservative number at this point. We're running into a problem. We recently are going after some IRS phishing sites, which is nothing new. It's been a problem we've been dealing with since November of 2005.
And in tracing back the source of the phishing site, we ended up executing a search warrant in Chicago two months ago. And just to really quickly summarize, this was a site that not only had access to a phishing site, but also downloaded something that captured financial data. That's why we targeted this one site. This was one out of about 100 and some addresses we had. So we went into the house, we executed a search warrant, got the computer out. And when we started looking at it, we stopped counting when we found 104 viruses running on this machine. So not only is some of this noise-type stuff causing problems for blips on the internet, it's causing real problems for us even trying to do real investigations, because you basically lose any way of tracking anything at this point. Let me also tell you how severe this problem is. A separate project that we're working on on the side, and I'll give you the URL to this in a minute. A piece of darknet space is picking up over 100 new infections per day. And this is not just little trashy stuff, it's the real mean, evil botnets, connect back to Russia, download their eggs, execute it, bad stuff. I'll give you the URL later, but we're finding inside of it, just every day they're coming up with the coolest, neatest ways to continue these infections. For example, most of you understand about codecs, CODEC. In other words, you go to some website, video won't play. It'll pop up a little thing that says, we don't know how to do this. Do you want to install your own codec? Do you want to let Microsoft help you? Do you, you know, et cetera. What do most users do? Do you want to let Clippy help you? Let's let Microsoft help me, right? So your browser takes you off to codecs.microsoft.com, which is where this stuff sits, or activex.microsoft.com, if it's an ActiveX control that's missing. Bad guys have figured out how to use this. So they'll register malware with Microsoft. They'll register it as a codec. Your browser then redirects to get the codec.
Microsoft points you off to some malware site, pulls it back as official Microsoft software and now passes it over to you. You then install it because you think it's coming from Microsoft. Microsoft has nothing to do with this. I'm not blaming them. They're just a little redirection here. But the user has no idea what's going on. They're just following some link. Some web page doesn't work. It's asking you to complete the little autocomplete box and off they go. These little darknets that we have out there that can find this stuff, it's picking up, again, over 100 per day of all this new stuff, and it's constantly changing day after day after day. And the guys in the antivirus world, they can't keep up with it. There's no way to publish signatures that fast in order for consumers to keep themselves properly protected. You know, that's a good question. Are you waiting to ask something? Yeah, I have questions specifically. Then one second, I want to continue on this. What are your takes? I mean, this is a question we get all the time. Antivirus, everybody uses them, or is supposed to use them, I don't, but most people have antivirus. It's the one security tool we know people use. What are your takes, what is your take on this? Do you believe antivirus really helps out there, or should we just get rid of it? Go for it, George. Well, I've spoken to a fair number of webmasters, administrators and owners of systems and users. And more often than not, not necessarily in so many words, but you can sense that they really don't care. I've had a number of people, especially when I was at Dartmouth, faculty and students, say "so what" when I informed them that their machine's been attacking things in the network. At the Storm Center, I contact a provider and I'll get, oh, thanks very, very much. We'll take care of that. And they certainly don't for quite some time. Why not? Because it's not negatively impacting their business.
I had a very good relationship with an upstream provider when I used to host alldas.org. Any defacement folks in here, any Zone-H people? Well, we got DoSed off the face of the earth and we took them on just so we could collect information about the bad guys. And the upstream provider was very, very proactive with us in putting in place ways to manipulate BGP tables so that we would go away but not the rest of his network, if and when, correction, when the attacks came downstream. And his CTO didn't get involved and start screaming at lawyers until after the DoS that came down the pipe was so big that it impacted not only us but other customers of theirs. But there was, up until then, a real lax attitude that I see in providers, webmasters, administrators, end users. Now, is antivirus working? To a limited extent, until your license runs out and you don't feel like paying any money for it. And my nephew, I just cleaned his machine up, 50-some-odd pieces of spyware and malware, but it was okay because he could still get his papers in. Now, is there a symbiosis right now? Who in here can tell me they don't have any malware on their end user workstation? Probably about 30% of the room just said that. And the- How many of them use Windows? How many use Macs, right? So then the rest of you, in some way, you're not freaking out, you're not calling the FBI. You're allowing this to exist. Now, maybe that's okay. Maybe we are going to approach a stasis. If we don't know where you have one. What's it like, your body? You've got all these parasites and stuff that are inside your bowels. It's helping process your food, but you don't care, right? Andy? I do now. Andy. Yeah. Tell us about your- Okay, I'll tell you. I don't think that antivirus works very much anymore, because we're seeing a very significant increase in the number of targeted viruses. And I know that there was a wave of viruses that were going out that were supposedly from the Better Business Bureau.
And it was an RTF doc that was supposed to download, and we saw that migrate now over to the IRS, which is how we got involved. Then it moved over to the Department of Justice. Then it moved back to the IRS again. And in every case, we saw about five or six variations. The first thing I do is I download everything, using a Linux system, because I don't use Windows systems, because I'd be owned in about an hour. And we run it through VirusTotal and none of the antivirus engines picked it up. And I think that anybody that's under the illusion that antivirus will protect you is very, very mistaken. I think it will help and it will take some noise off, but it's not taking care of the targeted stuff. And I think it's even more interesting to see just how coordinated these bad guys have gotten. Would you like to talk about Storm? Because I think that's just- No, no, not right now. We need to ask this question, but let's just do a yes or no. Can you guys confirm what basically has been seen even in the press? Are we actually seeing a huge increase of very much targeted attacks, sometimes zero-days going on out there? Absolutely, absolutely. So this is no longer me. Let's go for the question, I'm really sorry you waited. This is actually a multi-part question, so- Go for it, you've earned it. I work in information security for a financial institution, and when ANI came out, there were a whole lot of customers that just got bought and they got completely owned. We started- Did you use a ZERT patch, maybe? No? He's never heard of ZERT, sorry. No, not us, it was our customer base. So our customer base, they're getting owned and people are getting credentials.
And so we start to see anomalies and we start to see lots of money leaving the organization, internal processes are stopping it, we file complaints with the FBI, we ended up finding controlling servers that were hosting this, that were checking balances, that were delegating work to other bots that were actually moving the money and making the transactions, and nothing seemed to happen. The only place as a private company that we could go to was the federal government. We don't wanna just put out a post on Full Disclosure, hey, I work for Bank XYZ and guess what's happening to my customers. But, no offense, I don't know if you were busy fighting terrorists, but three days later, the server in D.C. Hold on, hold on, can we get that "ooh" in three, two, one. Ooh. Nice. But three days later, it's still all, not our server, we found a controlling server. Your friend's server, I'm sorry. No, no, no, no. It's just an anonymous server on the internet. What? An anonymous server. That's checking balances for customers, and then after balances get to certain levels, other bots from totally different geolocations are actually logging in and moving the money. We could tell it was very intelligent. The person that wrote it knew exactly what they were doing. And you used Ettercap to move that money to your bank account. That was being a gallery. I want to get on a soapbox for a second and tell you. The problem here is that your bank should be using passwords. That's the crux of the problem. That's what makes this part. Problem solved, I'm sorry, I didn't think of that. Ooh. Your friend didn't think of that. Andy, I believe that the one thing you're saying. My real question is, what does private industry do when we don't want to get our name out there, but there's a problem that we didn't cause? It's affecting the customer base, and our internal security resources can provide a whole lot of information, but the federal government just doesn't seem to be doing anything about it.
Let me ask you a question. Actually, two very quick questions, and then I want the feds to answer. One, your entire first question, aside from the amazing complexity of the attackers, are you basically saying we may do the best security but the security of our clients sucks, so we get impacted? That's what you were saying? Oh, definitely. Okay, one second, one second. Let's get to the second one, which actually we can answer. That was just a statement, then. You asked, where can I go as a bank? So before we allow you to ask this question, because you really seem to know what you're talking about, it should be up here. Does your bank send email to its users? No. You're allowed to get the answer now. Unlike most of the banks in the United States of America that educate their users to use email. Let's start with Mark and go all the way. He has a very fair question that you guys need to answer. What happens when the private sector sits on really good actionable intelligence that they need to share with the government but they can't? Do the information sharing restrictions or antitrust or whatever get going into the lawyer or something? Well, no, we did share it. We had agents come out, we gave them packet logs and everything. But not been? We're involved in InfraGard. But three days later, it's still going on, and of course we're blackholing them at the firewall, but it's still going on in this particular case. Were these domestic sites? Domestic sites, the server was hosted in a colo space in DC. I thought that maybe an agent could just walk over and pull the plug. Ah. No, no, no, no, no, no, no. Kick the door in. Andy. Well, unfortunately I have a very targeted jurisdiction, which is the IRS. And I can tell you if it was an IRS box, I would have walked across the street, taken the box and probably the router it was connected to as well. Dan, FBI. Well, let me qualify. But I knew that was coming.
In the FBI's defense, I do believe the FBI is running several organizations such as InfraGard and a lot of websites to get people to talk to them, and conferences. These are actually DHS. Let's be honest here. But what, sorry, you were starting to talk. Not really. I just said I knew that was coming. Well, I guess my question to you is, you said you, I just want to get the facts straight. So you said agents came out, made copies, you shared it. We gave them everything. Okay, so the complaint was made. Complaint was made. Who was that complaint made to? A local field office? Local field office. People that we have a relationship with. FBI, I assume, or Secret Service, by the way? FBI, okay. FBI. In Washington field, you said DC. Well, I'm not saying where I'm from. The server was in DC, but local, major city. And let me qualify by saying we prevented. That's 56. We prevented all the wire transfers, or recalled all the wire transfers, before there was an actual loss to us, but we still felt we should complain. I wasn't going to count on your bank. Yeah, seriously. So there was no loss. Yeah, that's the thing. So at the end of the day, because our internal processes caught it, and in some cases we recalled wires before they hit the Fed processing deadline at the other bank and actually went overseas, where we just lose track of the money. We ended up getting it all back, but that was us being a good security team, and with us giving this information to the FBI, there's other organizations that could have been impacted, and the servers that were actually performing this work, that were casing the accounts, waiting for balances and performing the work and moving the money, they were still up and they were still attempting to attack us. Okay. Days later. So there was no loss initially. I'm not trying to discount the fact that there should have been activity. I'm just saying that there was no loss. We prevented it. Right, you prevented the loss. One second, please. One second.
The amount of time he spent to prevent the loss. No, sir, the cut-off is then beside him. No. He has an excellent point because there was a loss. I mean, he was saying there wasn't a loss, but he has an actual excellent point because the time you spent to ensure there wasn't a loss is in fact a loss to your company. So when I bring up the fact, the idea of a loss once a complaint has been established, when I bring up the idea of a loss, that includes any time you spent to prevent a loss or trace a loss or all the hours that went into getting that money back. My wife was pissed at me for a week. Oh, I bet. I don't know how to put that in the form of a dollar value. But the waiver will be. I can probably come up with a number. No, but guys, we have seen these problems many times in the past with the FBI, for example, that really is doing an amazing job. I don't mind slapping people down when I need to. This is a real problem. Maybe you can answer it. Yeah, I guess part of the larger question is, what does private industry do? Does it just call a field office? Everybody wants to do it over here, especially Mark. But you're really onto something here. Unless we can show a loss, and how do you show a loss for a botnet, right? How can we even report this? I mean, we want to complain. What's the process for us? What do we need to have before we go and file a complaint? Well, you have the Internet Crime Complaint Center. You have the local field office. You have, and they're expanding that tremendously. So you have a method to be able to call a field office. Now, you also said that nothing was being done. From what I could tell. From what you could tell. But the servers were still up days later. Yes, and that was a very key point. Because, first of all, it takes time after that to go through whatever you turned over, okay, the amount of time it took to go. 
And if there's something that clearly is time-sensitive or whatever, they may actually enlist your help to help target where the issue is. But after that, it's still innocent until proven guilty. So you're not going to go in and pull the plug unless several other factors are met. And again, we're still talking about something right now where essentially there was no monetary loss other than the loss. And I don't know what that was quantified at. So now we have to get a warrant, and the U.S. Attorney or Assistant U.S. Attorney has to be involved and has to want to do that depending on the amount of loss that was attempted to be made. You guys don't need warrants, you got the Patriot Act. Right? Bad comparison. No, no, guys, guys, as much as we're enjoying DEF CON, let's be serious for a second because he's giving them an answer, okay? So, nice shot, though. I'm sorry. Not true. I'm sorry, you're doing a good job. But generally, the FBI looks at a broader perspective and the pleasure that we oftentimes have is looking at, and I think Jim Finch tried to mention this during the Fed panel, they get to see from a perspective of 56 field offices from around the country that you're having this problem and somewhere in Podunk USA is having the same problem and you get to be able to put it together and it may be transferred to another field office or it happens daily, hourly sometimes, every day. So I don't think it's fair to say they weren't doing anything. The other thing is they don't have a responsibility to come back to you and say what they're doing. And I understand the perception here that generally sometimes you say, the FBI's not doing anything. That's a valid complaint, essentially, because you don't get to see what happens. Are we perfect at it? Would it be a good idea to maybe come back and tell you step by step what we're doing to reassure? 
We can't do that, but we can come out here today and tell you crimes like that, essentially, are in the top three, especially if it involves the infrastructure, and it sounds like a cliche answer after saying that standing up here, but it really is an answer. I mean, we try to expend every amount of resources and we're getting additional resources to be able to do that because there clearly is a concerted attack on our infrastructure and the vulnerabilities, but I commend you for the efforts that you went through to protect your own bank, and we're hoping for that level of cooperation, certainly, from what you folks do. And the talent that I've come across here humbles me, and you guys have, you are the first line and the federal government's gonna depend upon you to do that job, and maybe we can do a better job to help you help us in turning over that information and keeping it, keeping the integrity of that data pure enough to be able to enter into court later should it come to a trial of some sort, but that's a tremendous role that you all play, and I think you're minimizing, to a certain extent, the role that you all have in reaching a certain point because we really are bound, contrary to the little shot across my bow about the Patriot Act, we really are bound by probable cause and being able to swear out a warrant. We do not, never take it lightly to be able to go into a business or someone's house, or Congress for that matter, and you can see all the crap that that started. So it really is a serious issue, and we mentioned it earlier this morning, we all believe in those liberties as much as you do, and when you invade someone's privacy, there's a big issue there, and so we have to prove certain things, and there's, that's oftentimes not very easy to do, and judges are just as skeptical as most people in this room. There's also a lot of that stuff out there, too. We have a limited number of resources. 
Yes, and the FBI has put forth an old, cutting aside, the FBI probably has more resources per capita of cyber investigators than any other agency anywhere. I'm working on a couple of cases right now and one I'm involved in involves a botnet, and that's way beyond the resources of my agency, so the first thing I did was reach out to the FBI because they have those resources. And there's a botnet law enforcement portal, botnet conferences, there's one next week or the following week. I've been to the one in France last time, I mean, there's tremendous resources going in there. And we're very aware of the issues associated with botnets. Is there anything private industry can do to expedite that portion of your job that you just talked about? So once the complaint's made, to help gathering information or getting you in touch with customers that were personally owned or personally impacted. What can private industry do to expedite that process? You're far better at it than me. No, no, no, no, no, no, no. No, and I'm getting the impression that people are very... Oh yeah, come on. So we need some new questions. Is my first duty as moderator? Everyone come hear my talk tomorrow on hacking online banking. I'm Brendan. Oh yeah, go ahead, we've got a question. Kind of going back to anti-virus and whether or not they're useful anymore, I guess you were talking about that darknet site that was finding and uncovering hundreds of these. I guess your average home user does a Google search, checks their email, maybe checks their online bank account. How long are you seeing from these darknet sites where they release this stuff to where it gets to the point where it infects your average home user? And do you think that the anti-virus companies are doing a good job of kind of keeping up with that or do they try, I don't know. Okay, let's answer the first part first. At the Storm Center, we've been running, everybody's familiar with DShield, I trust, right? 
So those of you who are submitting your DShield logs, very helpful, thank you and I appreciate it. What that shows though, we can go in and see how long it takes for an infection to infect somebody and we've done this for about three, four years now. The average is a little less than 20 minutes. So across the internet, on average, average ISP, a little under 20 minutes from when you plug in to when you're gonna get hit with some malware, just directed to your home router. Does that mean you get infected in less than 20 minutes? Not necessarily, that's an average, okay? So some ISPs will be 20 hours, some will be 20 seconds. It's hard to tell where it's coming from. But the number keeps getting shorter and shorter and shorter in terms of the amount of time. This is the amount of time between different unsolicited flows, hostile flows coming at any given IP address out on the internet. That's somewhat scary that the internet has gotten so hostile that all you do is just connect to it and you guys have all tried this, just hook a naked machine up to the internet, sit back and watch and it'll get owned. I mean, you don't have to do anything, just if you're a little more interactive, it goes a lot faster. Surf a few websites and just infect yourself silly, but the time is getting shorter and shorter. And even for Mac users, while the time may be real wide right now, you're still receiving the love. Even the love doesn't realize what you've got on the other end of it. All you gotta do is click on the wrong link and you're off and running. Great question, though. Yeah, I've got one thing to add to that, Mark. I run this set of scripts called Tiny Honeypot and when I was on dial-up for the longest time, I had a dial-up for God's sakes. I'm in Podunk, Vermont, sheep country and on a dial-up, 56K connection, it was 20-some odd K. I was getting about 7,000 content-carrying attacks launched against my box per day on dial-up. 
How many folks got broadband persistent connections right now? You're seeing this stuff. Everybody wanna clap for Dan Kaminsky who's far too important to be here on time. He's not drunk enough. There was beer here, so I... So I actually did wanna comment on one thing about the 20-minute attack. Yes, you are attacked about every 20 minutes. It's been like three or four years since most of those attacks have worked. And so it's actually really interesting. We get two things from that. First, security has advanced to the point. We actually have a win under our belt. Every single one of you in this room, for the most part, you're not gonna be vulnerable if you plug in the box. You'll get attacked, you're not gonna get owned. Where are the attacks coming from? The attacks are coming from everywhere, but that's the interesting thing. They're owned, that's what's so crazy. There apparently are enough machines out there that are still unpatched and still ancient that even though all of us are probably gonna be fine, the attackers are losing nothing by making these huge floods. So machines are getting owned, but they're probably not getting owned by the same things that are causing these traffics to spike out. And that's where we're getting into, like we have a lot of multi-layer attacks going on. Frankly, everything seems to have moved to the web. Sorry, I get to ask a question now. How many, how many owned machines does it take to ruin the internet for everyone? 200. Mine. Unless you have something really cool going on, if you only want to do it very well, got, okay, stupidly, 200. Actually, the internet is not gonna die tomorrow. I don't want anybody quoting me on that. Oh my God. If in 2004, everybody remembers Sasser, right? When Microsoft released the vulnerabilities for Sasser, the day before that, Cisco released a very nice little vulnerability about TCP resets for routers. Do you remember that one? 
So if the payload in Sasser would have included a little bit of Cisco TCP reset in there, just aimed at the core, 200 machines could have had a field day. Who wrote Sasser? What the hell is this? Can you imagine if that actually worked? Moderator, you need to take over, you need to cut people off. I mean, you're good at this, you just need to learn how to do it. Don't talk as much? No, you need to do what I do, just not talk as much. So take over, there are questions here. Question. Welcome. I wanted to come back to what the FBI was talking about and how the distribution of the field offices allows you to kind of correlate and see one thing and another play, see patterns emerge. I mean, in a way it sounds like it's what ISC does in terms of the actual raw data. Do you guys talk? I mean, it seems like the FBI field office, if you're going by what people report, it's gonna be what's most notable and you might miss larger patterns. So how do you kind of bridge the notable to the technical reality of what's going on underneath? We have a great infrastructure within the FBI to talk through VTC and conference calls and that's come a long way in the last couple years. I don't exactly know the hierarchy of how it gets up, where it is, but communication obviously is key. I'm sorry Jim Finch couldn't stay today. He would have been the ideal person, but he really did, this was an eye-opening experience for him, a tremendously eye-opening experience and he went back with just a tremendous attitude and he's immediately gonna make some changes from a cyber division standpoint. Many of you, I'll give you an example and I'm not trying to divert from your question, but I wanna- We've got a few minutes left and two more questions. Okay. Good point. But actually, that's a very good way to tell him to, but we actually have a limited time, kinda. 
But we were made aware of an email, an InfraGard email that came out yesterday that came up to him and he's immediately gonna demand a response, an apologetic response. So that's the type of attitude he's taking, but there's many different avenues of how things get reported and it's a hierarchy that can somewhat be very complex that's oftentimes, it's basically broken down into good communication and then supervisors and SACs and ASACs in the field pretty much know exactly how to get that to the right level. But again, it's all these different issues involving what the Assistant US Attorneys are doing and minimum thresholds and what the complaint is and so there's not an easy, quick answer for that question. Next question. You can't ask us, let's demotivate your gels and do it. Yeah. We know there's a lot of users out there that think multi-factor authentication is a username and a password. That's true. Right, they're right, both factors, yeah. E-Trade's had RSA tokens, their thing for a while. PayPal just instituted that. There are tons of banks out there, high value targets, right? They don't do multi-factor authentication. What do you think we can do? You might talk tomorrow on just that. Yeah, what do you think we can do to get banks to actually, and other high value targets to actually institute something like that or OpenID? Move your bank account to those that do it. That's an excellent point. I think you folks are there that can help educate, just much like we try to educate the management within the Bureau, you can educate your corporate officers and your supervisors on the importance, but that's an excellent point. I mean, go to a bank that does do it and once it hits their bottom line, then they'll realize that this is what their public or their customers want is more security. It has to hit the bank in the wallet or the customer in the wallet because right now it's not. The industry's regulating and the regulation does absolutely nothing. 
I would actually add to that. We can look at Great Britain or maybe even Australia, Canada. They do an amazing job of cooperating on security in the banking industry. In the States they have a lot of cooperation too. I'm not saying no, but in the States you actually compete on security when you know, absolutely know that whether it's another country or another bank, it goes around in a circle and will come back at you. So the first thing I would say banks need to do is understand this is a shared problem, a shared history of problems to be considered in your risk assessment, not just your history, and simply cooperate. That'll be the first step, in my opinion. Well, a depressing number of the online banks can't even get SSL right. Very true. So, I do think it's important to realize something that doesn't come up in the security realm often, which is usability. You take the number of people who can understand how to program and then a small number of them understand security and then a really, really small number of them understand security and usability. In order to get better authentication to be something that people actually use, it kinda needs to be usable. And so there's a lot of energy going on out there to create the next big authentication mechanisms. And I think who's gonna win is who makes the most usable and useful system. It's just our job as security people to make sure it doesn't suck. Next question. All right, so some of you guys have mentioned that a lot of the exploits are starting to move to just almost all client-side. And we're not seeing these big internet scale events like SQL Slammer or stuff like that. Yeah, the worms are gone and these just like super major events don't happen anymore. Oh, they happen. They just happen client-side. 
Right, that's what I'm saying is that, or that's kinda what I'm wondering about, I guess, is that since you're not seeing this big automated spread that shows up as big traffic spikes and all that kinda stuff, I mean, how is that impacting all of your kind of understanding of the current landscape and how are you discovering the new client-sides that are starting to be real big problems? Joe. Sure, so it's moved away from the scanning activity and stuff like that that DShield was really useful for about three years ago and I almost never go to DShield now. I'm sorry, Mark. It's not on my radar anymore. Everything that we're looking at now is coming from users reporting infected websites. It's coming from honey clients. People need to start deploying more of these systems so that we can catch these infected websites and figure out what's going on and how large the scale is. Because right now, we see it crop up and we say, okay, we can go search Google and we find out how many other sites are infected. But it's just crazy how well they can hide these things and yet how many users they can infect before anybody actually finds out about it. I mean, every day, we turn around and we find stolen data caches in our monitoring and we find anywhere from 1,000 to 50,000 users that they might infect and this is just over the course of a few weeks. So it's very easy for them to just fly under the radar like this. So yeah, the honey client type of technology I think is the next big thing in terms of detecting this and I hope DShield has something in the works for that. But here's what we do. DShield is IP port based. It's gonna be technical, nothing we can do about that. There's always still that background radiation. It's interesting. But what's really helped us is the human intrusion detection. 
In other words, system administrators, users that see something's wrong, they don't understand it, a piece of malware that shows up and then they call and tell or send us a note and tell us. So that level that it's taking malware which is now more of a psychological approach. It's not attacking your machine at the machine level. It's attacking users who can do stupid user tricks. Those users through their system administrators are alerting us. So it's almost like a layer eight type of detection versus a layer two, three, four detection. So we have to change the way we do things because the types of attacks have changed also. Unfortunately it usually takes a few weeks for it to trickle down before they discover exactly what's going on, figure it out and get somebody technical enough involved to look at it and say, oh, we need to report this to somebody who knows it. But with the targeted attacks also, it's not internet wide. And so things tend to be a little more focused. Little, not as wide as it was. Not just started it, that's actually zero days. Everybody even saying things that have become buzzwords right now, such as Wednesday, zero day Wednesday or zero day Friday and stuff like that. And what we've actually seen, and Mark can probably continue this better, is that this is really ROI related. It will be released on a Friday after Patch Tuesday. But only if the ROI requires it, they will not waste a zero day. Mark, you can probably say more on this. I mean the whole thing is business related. Are there any bad guys in the audience? Anybody write malware? I mean, no kidding. Why would you release malware today other than to profit from it? Joe, it's academic, right? I mean, that's fun. Mark, Joe, you're both on ZERT, right? And ZERT showed up because of all this. Can you elaborate a little bit on this, Joe? Sure. 
So when the zero day attacks are coming out, we know that there's a window of opportunity for the bad guys where it's gonna be out there plugging away, infecting everybody, and nobody's got a patch for it. So concerned individuals came together with Gadi and organized ZERT. And we're trying to delve into the finer bits of the code and try to figure out if we can release a patch in time to save a few networks for people that want to use it. Some people don't, and I can understand that. But we're trying to get out there and protect the internet as best as we know how. We have the skill, so we wanna volunteer that. Yeah, the last year we've done one, right? Three. Oh, and just in the last 12 months. Total of three since ZERT started. And we, by the way, have been working closely with Microsoft on this because it first did upset them. Do you all know what ZERT is? Does that hopefully ring some bells, right? So after WMF, last year, this was 18 months ago, roughly, the Windows Metafile problem, a team had already begun to crank out this concept of can we issue a patch faster than Microsoft can? An unofficial patch. And so, dropping the guy's name. Who was it that did that? Ilfak, yeah, of course. Issued the unofficial patch. Well, many people installed it, and it worked great, Microsoft and others complained, said, no, no, this is not official. We don't warrant, et cetera. Well, ZERT kind of came out of that. It said, you know, there might be the opportunity that if there really is something fairly straightforward that fixes or at least temporarily patches, let's just put it out there, and it's your choice whether you use it or not. You make the business decision. How much is it risked financially should you get infected by the zero day? Does it make a good financial decision to put in this temporary unofficial patch? Once Microsoft comes out with theirs, or whoever, and Microsoft, all three have been Microsoft, if I remember correctly, is that right? 
All three of ours have been Microsoft, right? I think, yeah. All three of ours so far have been Microsoft, but they're not against Microsoft. No, that's right. It's just the way it's worked, right? But as soon as they come out with theirs, the ZERT patch disappears, and we push real hard to do the official patching. So, the ZERT function is alive and well. The zero days, though, particularly with Office products, magically ended back in about February, March. Did you guys notice that? It's kind of in this drop-off in zero days. Then some neat behind-the-scenes things happening, finding the groups that were writing the zero days over in China, guess where that comes from, and working kind of behind-the-scenes to make that disappear. But there are lots of people you don't see at the table here that do the behind-the-scenes cleanup, largely volunteer effort, some of it's corporate, trying to make the internet a safer place. I don't think it'd be even appropriate to put all these folks up on the stage, because most of them don't want you to know who they are. But it's almost like the cyber vigilantes that really are. Don't use that word. But don't use that term. Any press, please. Don't use the term vigilante. But the good guy. No, this is really bad for us. We mean vigilante, as in Neighborhood Watch, because honestly, as much as we want the FBI, the IRS, everyone else to do this, change the economics, make a difference, put these guys behind bars, we need to protect our networks, maintain our livelihood on the internet while we wait. So we may in some cases actually be harming their efforts while we wait for them to do something that they are doing a lot. Just, again, their resources and issues and things we can't see, in the meantime, we need to keep working on this. 
And ZERT, for example, we have been, although this is, of course, one directional, Microsoft has been very nice, though, we have been trying to share whatever we can and tell people, don't use our patches if you have a real patch out there. Wrap it up, Gadi. You need to wrap it up. Yeah. You're the moderator. I'll speak as much as I want. I'm in the poll now. One more question, though. All right, this is a topic after the moderator's own heart. Back to the original question about banking assistance with trojans and viruses and phishing, that sort of thing. In our experience, well, we learned several years ago that the feds were pretty useless at helping us with urgent problems. But now, we do go to you guys, but when we actually request assistance is when we've done most of the legwork and we need help urgently. And then you get that, you know, you report it and several days go by. What's being done to actually help out in terms of getting things done urgently, given the legwork we're already doing to collect evidence and things like that? I think Gadi wants me to wrap it up. Yeah, look, there's a question. After this question. Okay. Who's the question to? To the feds. To the feds. Who specifically, FBI? So what's been done to more urgently respond to a request? Yeah, given that we do most of the legwork ourselves in terms of collecting the information and attempting to get things shut down. Well, one of the things, one of the methods that we use to come in and actually take the evidence from you or suspected evidence is a consensual warrant. So if an agent comes out, they're gonna ask you to sign a consensual warrant. So at that point, we can take custody of what you've essentially taken, right? So a consensual warrant, a consensual warrant is you're giving us permission to cut, you own that, that's your data, you own that. So you're now giving us permission to take custody of it. I'm just gonna cut you off there. 
My point is, in our experience, a friendly call from a field agent to an ISP or a hosting company goes a long way in getting things shut down without requiring a warrant. And often that doesn't get done. It goes through the whole legal process, which takes the time when you could have done the incident response work and made a phone call. I don't understand the premise of the phone call, though. As in, can you shut this server down? This is special agent, whatever your name is. Or can you take a look at this server? Yeah, I'm saying that happens a lot. I mean, they'll actually go out to the ISP or send a lead to another field office if it's halfway across the country and ask someone to go out and talk to this ISP. I mean, we're very proactive about having relationships with ISPs, especially major ISPs and major cities. So they'll send someone out to actually talk to that ISP. And generally, sometimes with a phone call, they will do that. Obviously, in the circumstance that you're talking about or a couple or many, I'm not sure, that obviously didn't happen. But I know that happens. I mean, we do shut them down or ask them to be shut down or taken offline or for whatever reason. We will do that. They'll issue F letters, preservation letters. Again, within the bounds of what we can do legally. Do those laws need to be changed? Absolutely. The FBI does not change those laws. All right, we're gonna do- Within the IRS and phishing sites, I can tell you that there's been a big change in ISPs from 2005 to the current time. In the early days, it was sometimes difficult to get an ISP to shut a phishing site down. And I think pretty much worldwide, if I call an ISP and I say, listen, I'm with the government. There's a phishing site. It's hosted on your server. Here's the URL. Here's an email showing it to them from a .gov. Will you help us by shutting it down? Generally, it's shut down within minutes. And I've done about 370 of them since 2005. And I think that's pretty easy now. 
Getting the data afterwards isn't necessarily so easy. I need to cut you off. Please don't audit me. We're gonna do a 30-second wrap up here. So each speaker, 30-second closing statements, please. Starting over there. Okay. Ultimately, it's up to the users, the folks that actually depend upon these things and value their resources. So all I can say is to win the internet war, every single person out there that values their stuff has to stop being a lamer. Apply BCPs, all right? Egress filtering if you're a provider. Keep yourself updated. Be aware of what's going on and just don't be a lamer and they can't win. Here, read these emails to us. Tell us what's on there. You have an incoming call from Riot. Hey, what's up, Ash? You're burning your 30-man. I'll just re-emphasize quickly what I said before. You actually play a tremendous role. Don't minimize your role in what you do. Don't give up hope. There's a lot going on on the federal side. Many of you don't see it. Be proactive. Above all, be patient. Understand that we're sometimes as frustrated as you are, but we work within the bounds of what the laws allow us to do, and I know you appreciate that, even though you think the Patriot Act may have expanded those capabilities in many respects, just as an example. But we're certainly very conscious of what those laws allow us to do, and sometimes that takes significant time. But hopefully what we try to emphasize here this weekend is not to minimize what your role is. The talent here, this has been... Five seconds. It's been an incredible experience for me. I must say, DEF CON rocks, and this has been awesome this weekend. Thank you. I'd just like to say that if you expect that the FBI is going to do incident response for you, you're gonna be very disappointed. The thing is that other countries actually have CERT teams that actually do incident response and aren't just information clearinghouses. So I think everybody really... Everybody, three, two, one, ooh. 
I think we could really use some pressure, I guess, on DHS to perhaps turn CERT into that, and maybe pass a law that gives CERT the authority to go to ISPs and actually say, you've got malicious activity, take this IP down, because they can do that in other countries. Look at South Korea. There, by law, an ISP operating in South Korea has to conform to the CERT's demands if they detect malicious activity and report it to them. And so this is the role that people expect the FBI to take, but that's not what their role is. Clean your own backyards. Yeah, I think we have a long row to hoe. It's gonna be at least five years, I think, before we are able to turn the tides on any of this. So it's gonna get a lot worse, much worse if the trends continue, and there's nothing that says that they won't stop. I'm a pessimist at this point, because I haven't seen anything actually change the trend, and I'm ready to find something outside of the box because these things aren't working, and all the major attempts that we've seen were always beat. So I'm in a pretty sad state right now. There's a lot of work to be done, and it's just- You sound sad. Thanks. Oh. Well, it probably is all the beer from yesterday. It's just my hangover talking. So we're five years out, and my prediction is that this will be an issue for heads of state within three to five years. And it's already gone that high in Japan, so. Yeah, I think my perception is that the financial crime is increasing exponentially. And I think that by next year, we're going to refer to this as the good old days. I think short of getting little submarines under the ocean clipping little wires, we're going to see a lot more problems. And I think that we're going to have to rely on you to assist us. We can't do it all. We don't have the records. We don't have the networks. The FBI can't do it all. Secret Service, who, for whatever reason, never seems to show up to DEF CON. They do a lot of the banking stuff. They're not here. 
They can't do it all. IRS can't do it all. It's going to take a lot of work. But I'm sure five years from now we'll still be talking. There will still be an internet. We'll still probably be working doing something, although I'll probably be retired by then. It'll continue. Geography is dead. So all jurisdiction that guides law enforcement is based on the idea that most of the people that you interact with are geographically close to you. And as you get farther and farther away, there are more significant crimes, but less people you're interacting with. Now all of us, we live in a world where geography is dead, but the old model of law enforcement continues. And when we even talk about up to the point of heads of state, states are geographical locations. We actually have a political and law enforcement system that does not interact accurately with the new threats that we're facing. And what I want to have everyone understand is that is why we don't get 24-hour response, like calling 911 on someone hacking you. You know what, they're in Malaysia. 911 doesn't do anything. So that's the problem that we have, and everyone should understand it. So the internet continues to get worse, which it will. All of you who are security professionals will continue to profit, which it will. There are many, many years of prosperity, ladies and gentlemen. Do not let the people outside of this conference know that, okay? Just make them think all is well. Okay, criminals dominate, we know that. Espionage is certainly on the rise. Everything on the internet has value. The bad guys know that. They're off to get it. You are valuable people. You have a valuable commodity, so be sure that you increase your value by staying in touch. Two websites, Internet Storm Center. Y'all know where it is. Make sure it's bookmarked or it should be your homepage when it comes up. Spommer. Yeah, but listen, there's one other thing, and I mentioned it earlier, that's that dark net. 
I want you to take a look at it. We put a diary out last Tuesday, if you want to go read about it, but go to cyber-ta, c-y-b-e-r-t-a.org. Take a look at that dark net. Look at the malware that's coming in, that 100 new infections per day. It will blow your mind. What you'll also find is all the source IPs where it's coming from. You'll find the DNS queries that it's doing. You'll find the malware itself, packed and unpacked. You can look at the system call traces. You can see what all the evilware is doing just by clicking on some web links. If you would like to infect yourself, keep clicking. All the bad stuff's there. Infect yourself silly if that's what you like to do. Obviously that's a bit of caution because there is evil on that website, so make sure you're running proper prophylactic measures. Otherwise, this is fun. I'm looking forward to drinking Sibirio all y'all tonight. Have a nice evening. Gadi, cheers. I'm gonna try and do it in 10 seconds, otherwise it'll be an hour. I'm actually an optimist. I believe there is a lot we can do. We know what we need to do. Tomorrow's trends, shut up. Yeah. Tomorrow's trends are things we're currently aware of but are not taken care of, which is kind of sad. And being an optimist, I can tell you, the current situation is completely lost. We are, in fact, in the losing position after World War II, meaning after World War I, I'm sorry. Our terms right now after we lost the war are being dictated by the bad guys. Why am I still an optimist? Because people rise to the cause and there are a lot of people in the room still sitting and if you want to help, if you want to get together with this, you can because as much as the FBI is doing a lot of work, as much as Andy and Iris and everybody's doing a ton of work out there, what the fuck is going on with yourself already? DEF CON, I say a little fuck, fuck, fuck, okay. But seriously now, it's a personal vibrator, right? Okay, right, okay. 
So let's look, seriousness for a second. You can get involved, really, because the FBI can investigate and try to turn the tide if they're given the power to do so and recently they've been given more and more authority policy-wise to take care of this kind of stuff. They don't yet have the right, the big guys upstairs don't let them do their job yet, in my opinion, and we still need to take care of our own business. So get involved, take care of your networks first, then come join the Storm Center and go to Bleeding Edge to work on Snort signatures, other stuff, Shadowserver, working with botnets, a lot of good stuff out there and you can help. So this all idea, all the questions we're trying to answer, all this misery we are giving to you by being on the front lines and seeing all of this shit, and wait, past 10 seconds, is guys, yes, we already lost the war to make the internet safe, it never was safe, it was an open environment, open to abuse to begin with, but it can be used safely if we work for it. Thank you. Thank you.