I'm going to introduce you to our guest from America, which is, I have to say, Quantum Cypher. Please give her a round of applause already. And one more thing that I'd like to say is that this event is only possible because we are helped by a lot of angels, helping angels around who do everything here, like me harrowing or collecting the waste around and doing bar shifts. So if you'd like to be an angel, please come to the Infodesk and sign up for a couple of shifts. You still need more angels and if you do so, you can go to heaven, which is over there in the Orca round. And now I'd like to introduce my guest. Good that you're all here. Our guest, as I said, is from the United States of America. And he has been a security analyst in America, in the American company. And he also worked as a system administration at the university. And over there he learned that the government of the United States gives out a lot of data to students to work on, to research on. And he would like to give some insights on how that works and give his opinion about how that should work. So please give a warm applause and have fun at the talk.

How's everybody doing? Are they enjoying camp so far? Yes? All right, good. Okay, so first and foremost, this talk's not going to be as technical as other talks, I'm sure. We're not going to dive too much into the how to build up malware analysis labs through static or dynamic testing. There's a lot of really good books and resources for that. And depending on the type of analysis you want to get into, whether it's reverse engineering a bot or running it and seeing what happens, we can talk more about that later. This talk is generally just geared toward providing some insights in how the United States government speaks with researchers, security researchers in information security, and those lines of communications in the back and forth between them. So I'd like first to say that I'm not really anybody. I'm just anybody that's here.
I'm not speaking on the behalf of anybody, no company. I'm just here to share some information that I saw and witnessed that was part of the university I was at. I'm not going to disclose the name of the university, but I'm sure if you Google my name or some type of facial recognition, you would not be too difficult to find out some of these things. I just don't want to say the name personally. So what we'll be talking about is the government agencies that collect the malware samples, the structure of PhD systems in the United States, at least specifically the one I was at, how that works, that type of ecosystem, and what it is to be a researcher, a security researcher, either inside academia or outside completely and doing your own research.

So these are the agencies that would come to our university in assistance and asking for help. There would be different types of programs where they would give some of the researchers data and try to find and build better things. We had the FBI, Homeland Security, and the DOD coming and meeting with multiple researchers about many different times throughout the semester or three year. And we know that there's honeypots. They collect malware. This is obvious. But once it's collected, it just doesn't sit in a lab. A lot of times it does. But now they're having researchers look at and piercing through some of this data. But the question is then asked, who gets to access this data? Now, usually the majority of top universities are very highly technical universities that get access to these communication lines. If it's a state school or just a UC system, you're not entirely likely to have agencies come to you. But in some cases, they do. The other thing is you have to be an American citizen for them to give you this data or give you access to this data. I put up him because in the lab, I was at the majority of the researchers were actually from South Korea.
And there's one story specifically where one agency would come in and say, OK, if you're not US, you have to leave. And almost everybody left. And there was one or two people left and said, you just let all the good researchers leave. I don't know anything about this subject. So yeah, it's very unique of a system that you have to be a US citizen to be able to even get some access to this data. The last thing is, in some cases, they ask for clearances. The lab I was at, almost everyone had a clearance to be able to be in that room or have access to it, though I did not have access credentials. I mean, I had access, but I didn't have credentials.

So my day-to-day, I should talk a little bit more about what I was doing. So it was a lot of, I call it research support. Students would say, I want to build this. I want to break this. I'm like, OK, cool. And I would do procurement, where I would purchase whatever servers they need, any items that they want to break or hack. And then I would give it to them and then talk about what you break in, kind of thing. And I find it really fun, because you're breaking something, this is cool. And then so I would install, configure, rack, monitor, secure about 150 servers at the university specific to the research program. So these are students that are playing with not only government data, but also proprietary companies such as one of the bigger CPU providers and things like that and working with them to find and fix bugs and then patch them directly and speaking with them. The research team would also occasionally do CTFs as well. So I would sometimes play around with them. And that was a lot of fun, because they're really smart.

So the structure of these PhD systems, I didn't know anything about any of this, because my university experience is probably that of an undergrad dropout. Most of my education was online. I would go to other universities' websites.
I'd look through their curriculum, take a look at what it takes to be a computer science major and to get a degree here. And I started realizing there's a lot of different systems and different coursework that's required per university. And that kind of explains or has a certain type of background of the information you gathered at that university. And at every single one of them, there's always something missing where you should always push off and learn more. So the school I was going to, I just stopped going, because it pushes you right into web development. Like way beyond the scope of what we were talking about. But I had no idea about PhD systems. So going into a school in a university that was not just had one, but had one in information security, I got to see a new type of network that I would never have been exposed to.

To be in the system, you have to have a certain number of papers submitted to conferences. These are top tier conferences in your field. So in security, you need four to about six papers submitted. You have to do data. You also have to, oh, this is about just an overview of everything. So yeah, to be accepted, you need a high GPA, high GRE score. You have to find an academic advisor who will approve you in your specific field. So if I'm interested in malware analysis, I will seek out some professor who's really good at malware analysis and say, hey, I want to be a part of your program. This is what I've been doing. This and that here are my grades. And that's a lot of how it is. So then you are then paid to be a researcher in some cases. To stay in the program, usually you have to either grade assignments and stuff like that, work on multiple papers, academic research papers. So if you see someone's name on a paper, they might have contributed a lot or very little to it. But nine times out of 10, you will also have your academic advisor's name on that paper as well. You are also required to take master level courses and stuff.
So some of those courses will be just reverse engineering binaries and stuff. And your professor gives you a binary, and you just take it apart, right? Fun, but exercises you can do just online. So like I said, you have other researchers and stuff. You have your faculty advisor, and then you have the director and the person that is overseeing the entire thing. Usually the faculty advisors and professors have multiple classes that you have to attend, go to, get good grades in, yada, yada, yada, yada, while continuing doing your research.

So then you get to the paper submission portion of a PhD program, which can be very, very, very difficult. This is because there's only a few handful of conferences that happen a year. Maybe about four or five, and you're required to get a paper in at least four times. And some students will have their research and they're working on something. And you pass your paper multiple times to your academic advisor. And what I heard a lot of times were they pass up the paper and then the advisor would say, this is crap. This is shit. You don't know what you're doing. Look at this corner case. You didn't think about this. So the student takes it back, redoes the research, goes back to the advisor, and it goes back and forth like this for a little while. So until they send a paper, once they finally do, these are the percentages of the top tier conferences and the papers that the likelihood of your paper being accepted. It's very minimal. I will give you guys my slides so you guys can see it. It's the accepted rates over the submissions and the number of citations, which for some reason has some type of volume score. But the question is, who are the judges to see who gets these papers accepted? And the majority, it is just other academic advisors in other universities.
So if you're a specific school, maybe Harvard, and you want a lot more students to be pumped out through your school, you're going to see their paper and say, yes, let's get this paper approved. So you will have more students coming out of this type of ecosystem.

So one thing that was fun is that when some of the malware servers that we used to, well, some of the traffic would be monitored before it went out. We tried to limit some things. But the majority of the time, we would just keep it running. So then we would get abuse complaints from other admins and stuff, something like, hey, you're fucking attacking us, stop. I think the funniest one was they said, you're scanning our ports. Please stop your ICMP packets or we'll pursue legal action. Doesn't make sense, but whatever. So we have, every time I'd get these emails or whatever, I'd turn to our advisor. I'm like, well, what do we do with this? And he's just like, it doesn't matter. The government says it's fine, so it's fine. So we would just drop them. It's like, OK.

So a lot of students get access to these types of data. And I think the initial response is to be your researcher, you have this power to do good with information, stuff like that, and to attack these researchers for the research they do. But after talking with a lot of researchers, I feel that it's not entirely their specific issue in that you're assisting the government doing this. But what you're really doing is you're doing what you like and you like doing research, and they're giving you tools. Now, it's definitely a huge moral and ethical dilemma of what you believe is correct in terms of doing so. And it's different because my personal ideology, my personal belief is that I would not do this. But to see other people that are doing this and still be good people, it's just a strange and interesting dynamic.
But coming down to the research itself, though, just as something that's fun, while I was there, I was starting to learn more about Bitcoin and blockchain technology. And that got me really excited. So I would conduct my own research just based on that. So I would start mining, gathering data and stuff like that, and then passing them through machine learning algorithms, because I thought it was fun. But one thing that I really did not know, and had I known this maybe four or five years ago, I might have started doing it immediately, is that you don't actually need to be in academia to submit academic papers to conferences. And this kind of just, I don't know, it spoke to me really hard. Because every time I would read a white paper or an academic paper, I'm like, wow, this is so cool. It'd be so great to be at a university to be able to just share my knowledge or build some type of tech, some security tool that utilizes encryption end to end, or anything, right? And have it submitted and other people see it. But the thing is, you don't need to go to university to do this. Anyone can submit one. Anyone can create something, and anyone can share something. So don't ever feel that your education will ever hinder you as a person. I feel that you should always push and learn more as a hacker, as a person, no matter what. Irrespective of your academic backgrounds.

So here's the more detailed information about the malware lab, because I kind of felt like if we're talking about malware, I do want to show some resources or give something to you guys. Cuckoo is a great engine. You can spin up multiple virtual machines, throw some malware in it, compare the registries from the snapshot prior to afterwards, and see kind of what things have changed. And you can have this all on one specific server collecting all this. Obviously, this would be on one little type network, as well as simulating an entire network as well.
You could spoof a DNS server as well, see what calls are made out, and run different types of honeypots as well. And then some more resources for dynamic analysis. These books were really good. Practical Malware Analysis gives you a few labs you're able to play around with. VirusTotal is really, really cool. They have an API. If you write malware and you don't want, and you want to know how well it is, you can submit a sample, and then they keep it, and then you're fucked, right? You can encode it, and then upload it and try again. Maybe you're still fucked. What you can also do is you can download VirusTotal's entire framework, and then run it locally, cut off of the internet, and see if it gets tested so it doesn't submit the sample, and some other fine tools. And I wanted to give some samples that are already out everywhere, so here's a list of a bunch of malware samples in case you guys want to look around and play with them. Some of them are old, some of them are new, but I'll also publish these slides so everyone can have them. And then for more static analysis, I refer you to IDA Pro for ripping apart something, and if you want to patch some binaries, R2 is really great for that as well. OllyDbg too.

So thank you. That pretty much concludes my talk. Anyone can ask questions and stuff like that. I'm also super into cryptocurrencies, so if anybody wants to talk about coins, that's fun too. So thank you for coming out.
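The before/after registry comparison the speaker describes for a Cuckoo-style sandbox, as an added illustration that is not code from the talk or from Cuckoo itself: two constructed snapshots (key path to value) are diffed and any added or changed entries under common autostart locations are flagged for the analyst.

```python
"""Added example (not the talk's own code): diff two registry snapshots taken
before and after running a sample in an isolated VM, as a Cuckoo-style sandbox
does, and flag changes under common autostart keys. Snapshots are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]  # full key\value path -> data

@dataclass
class SnapshotDiff:
    added: Dict[str, str]
    removed: Dict[str, str]
    modified: Dict[str, Tuple[str, str]]  # path -> (before, after)

# Autostart locations worth a second look (prefix match, case-insensitive).
PERSISTENCE_PREFIXES = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\system\currentcontrolset\services",
)

def diff_snapshots(before: Snapshot, after: Snapshot) -> SnapshotDiff:
    """Return what appeared, disappeared or changed between two snapshots."""
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    modified = {k: (before[k], after[k])
                for k in before if k in after and before[k] != after[k]}
    return SnapshotDiff(added, removed, modified)

def persistence_hits(diff: SnapshotDiff) -> List[str]:
    """Paths added or modified under a known autostart location."""
    changed = list(diff.added) + list(diff.modified)
    return sorted(p for p in changed if p.lower().startswith(PERSISTENCE_PREFIXES))

# Constructed "before" snapshot of the clean VM image.
BEFORE: Snapshot = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Program Files\OneDrive.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start": "2",
    r"HKCU\Software\ExampleApp\Language": "en-US",
}
# Constructed "after" snapshot: a new Run entry and a changed service start type.
AFTER: Snapshot = {**BEFORE,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater": r"C:\Users\Public\updater.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start": "4",
    r"HKCU\Software\ExampleApp\LastRun": "2019-08-22",
}

if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    print("persistence-related changes:", persistence_hits(d))
```

Real sandboxes also diff the file system, mutexes and network calls; the same prefix-list approach extends to those once the snapshot format is known.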