Thank you guys, thank you very much tonight for coming out for the talk. I know it's a dinnertime talk and I promise everyone here food afterwards. Not from me. We have a little bit of a problem with the sound but they're going to bring down a cable so you guys know. So before I show you the video a little later in the talk, you'll still get to hear everything that's said.

I'm going to talk today about identification, evasion, knowledge and countermeasures. This is everything in the computer world and the real world that we are in every day.

So some things to think about before I get started. Are you guys cool? Air conditioned enough here? Yeah? All right. How many times daily do security cameras record you? Your actions? How many? Just count them. We'll talk about that. What unique identifying features distinguish your face? I mean, you would think you just look at someone and you remember their face if you're good at it. You remember your name with that face, but how do you identify them in terms of computational terms? What methods are available to obscure and protect your identity? What identification methods are common: fingerprint, biometric, retina scans? How are they used? How much do they cost you? How effective are they? We're going to go over that. What personal information is commonly used to identify you? Not just your fingerprint; as we know, it's driver's license, Social Security number. And how effective are they? There is an acceptable balance between personal freedom and government necessity. We'll go into that in some detail too.

Today we're going to talk about the think-about questions. We're going to talk about identity, privacy and the law. We're going to talk about avoiding identification. What methods can you use? We're going to go into depth in the computer world. We're going to talk about applications, data, the internet. We're going to do some IP forensics. We're going to do a real world of brick-and-mortar stores, phone and people.
And then I'm going to show you guys something that I did that was social engineering, something that I did to avoid being identified. I'm going to show you guys the "Night as Jason Biggs" video here. It hasn't been seen in three years, and this time the sound works. Now we're going to review it and I'm going to show you guys some steps that you can take after that.

So how many times daily are you recorded? Average 13 times a day, everywhere. Your work lobby when you enter work, your elevator; sometimes they have cameras there. Bank, 7-Eleven, lunch, you're always on a screen. People are always looking at you.

What unique identifying features distinguish your face? Well, there are about 37 unique measurements for the human face, and that's just from a 2D perspective. Since cameras look at you from a 2D perspective, that's what you get. You get facial hair, eye separation, colors, shapes, angles. How do they perform this with software? What variables do they use? How do they match a face to a face in a database?

What methods are available to obscure and protect your identity? Well, you can change your features, but they have to meet the believability test, so you don't wear that fake toupee and expect people to believe that it's not you. You can develop alternate info. There's a worksheet which you'll find on your CD which will tell you more how to do that. You can change other characteristics; try changing your walk. That's easy to do, like in The Usual Suspects with Keyser Söze. You can change your voice or you can change your stature. Hunch over a little bit. Turn your shoulders forward.

What identification methods (fingerprint, biometric, retina scan) are used and how much do they cost? How effective are they? Well, the most common is fingerprint. That's in 80% of the uses. That's just taking your finger down on a pad. The most accurate, though, is the retina scan. Although none are 100% perfect. And I'll show you ways and talk about ways that you can defeat any of these.
The cost: the least expensive is a fingerprint. It's about $100, a little less too if it's cheap. Most expensive is the retina scan. That's $350 or more. And the biometric range is according to the method they use. They can use heat measurements. They can use fingerprint measurements that are taken from the bottom head of your finger. Even if you actually scrape off your fingerprint, they can read it underneath the skin.

What personal information is commonly used to identify yourself and how do you control that use? Commonly asked for: we all get asked for your phone number. We all get asked for our Social Security number. We all get asked for our driver's license every single day. The address can be obscured, of course, with something as simple as a PO box. Listed as a suite number, not a PO box. It looks like you have an office space. It's legal in all 50 states, even now in California, because they fixed that. The disclosure of personal information can be controlled by observing a few rules. I'll give you guys tips to do that. Give the minimum required. Use an alternate info that's not you and meet the requirements differently. It's amazingly easy, and it's important to protect this information. It's almost priceless in its value, like the MasterCard commercials.

What is an acceptable balance between personal freedom and government necessity? You have a right to privacy, and due process is guaranteed by the Constitution and upheld in the courts. That right is being threatened every single day. And I'll tell you why it's important to protect that. You should completely control the information that's revealed and stored. And the government's reasonable minimum requirements for the enforcement of the law should be the prevailing principle instead of compromising. How many people here saw Fahrenheit 9/11? Why would they go after the Fresno peace group?
Like, middle of the film, they go after, they infiltrate this small group of people in Fresno, California, steal their personal information, take a look at their stuff. That's violation of the law, and that's what the government does sometimes.

So let me give you guys key concepts. What is identity? You hear about identity theft all the time. It's in the Citibank commercials. The set of behavioral or personal characteristics by which an individual identifies you and recognizes you as a member of the group. One second, we're going to connect. Identity theft rose to about 500,000 cases, costing $400 million in 2003. That's $400 million gone, $400 million that was spent to investigate cases, and 500,000 times people went out there and did that. Your identity is how others see you. Your friends, your larger circle of friends, your perimeter group of acquaintances. Your identity is your individuality. What sets you apart from other people?

Sometimes people at DEF CON are described as extremely individual. We all have this specialty clothes and the spiked hair. But I look out on this audience, and I don't see that. If you have dyed hair, could you please stand up for a moment so I feel a little more at home? You're scared, aren't you? No, no, no, you were going to stand up. Come on. See, it's not. It's a stereotype. And that stereotype is what's used to identify us. Your identity should be protected. We know this every day. We're told that our identity doesn't matter. We're told that we develop our individuality late in life. But that individuality is the reason they're here.

So do we own our identity? An important question before we get started. It's kind of iffy. It's a maybe. It's interpreted differently often, but we're all afforded legal protections for our personal information. You have to be notified in California, for example, before they reveal something about you. Often public personalities don't own their image, because what's out there is out there.
So what is privacy, other than a bad Daryl Hall and John Oates song? The state of being free from unsanctioned intrusion. Unsanctioned: key word. Intrusion: another very important word. It's our right to privacy. And 83% of US citizens, 83% of people who live here, believe that right is really important. Intruding on one's rights, such as unsanctioned search and seizure, Fourth Amendment protection, is illegal. It's there in the Bill of Rights. It's in the first 10 amendments to the Constitution that it's being threatened right now. Because the right of privacy is only an implied right. It doesn't say in the Constitution you have a right to privacy, but court precedent says it does. And it's been upheld by the Supreme Court. Now it's being chipped away at. The right of privacy is a liberty. It's one of the liberties that they decided to etch in the tablet on the Statue of Liberty. It's that important to us. And notification is also very important.

So let's talk about where notification doesn't matter. In the law, the Patriot Act, they don't have to notify you before they search your information. The Patriot Act gives sweeping anti-privacy powers to law enforcement across the nation. It doesn't care about who you are. It doesn't care about what you look like, although that seems to figure into it a little bit later on. And the Patriot Act and follow-up legislation threatens the most basic rights we have as individuals. I know if you've seen Fahrenheit 9/11, you know that the Patriot Act is used for whatever you want, or whatever the government wants. That's why EFF.org said it was the greatest threat ever to personal privacy.

What are the negatives? No court order, no notification. Negative number two, the government has no reporting responsibility. There's no log of who they've talked to. There's no log of whose house they went into. There's no information on what the racial makeup of that individual was, what the economic makeup of the individual was.
It's not there. And number three, it authorizes sneak and peek. That means someone could walk into your house without a search warrant and take a look at your computer. Just for a misdemeanor. A misdemeanor is anything as simple as theft. They're going to go into your house if they want to and take advantage of that.

So what are the reasons and benefits? Prevent unauthorized searches. Really, really important. You have the right to be informed. I mean, if someone is going, you know, let's use the same example from Fahrenheit 9/11 of that small group Fresno Peace. If someone's going to go in your house, if someone's going to observe you, if someone's going to watch you, delve into your personal records, you should be informed. To prevent ethnic racism: just as an example, 75% of those targeted for further investigation were identified as Arab-Americans, 75%. We live in dangerous times, but I don't think as dangerous as this. Prevent unfair targeting. If you are previously investigated for criminal activity but have been exonerated or served time, you may be under constant investigation. You're on a list. They know what you did. They're going to watch to see if you did that again. A great example is Kevin Mitnick. He gets out of jail. He's under constant supervision for using the computer. To prevent stigmatization: being identified as a terrorist or, as we know, a hacker casts a negative shadow over a person. How many people have seen someone come up on stage here and give a talk where they tried to obscure their identity with a bag over their face, or give their anonymous name? Adam Bresson is my real name, and it's important that you know that you have to stand up for what you believe in.

So let me tell you guys a little bit about the legal or illegal before we get into the computer world. Countermeasures are often not illegal. For example, selling a radar detector is not illegal.
A new identity could be considered expression, and we have many protections ensuring freedom of expression. People can put names. You know, the son of someone else, junior, senior, something like that. But what is illegal, and I don't need to go over it in great detail for you, is that you can't invade systems, the Computer Fraud and Abuse Act, or undo copy protections, which is disassembling code. You can't inflict criminal damage or harm. You can't endanger minors. Let's try not to do that.

So this is a very bad George Bush mask I put up here for you guys. That couldn't obscure your identity at all. People would immediately be suspect about that. But in the computer world, how are you identified? How do you increase anonymity while browsing? I'll give you some tips on that. How do you increase your anonymity while emailing? Well, if you've been sitting through the day's talks today here in the tent, you know that that's an important desire of people. How do you use basic encryption? How do you hide your personal information? How do you develop alternate usernames with the right level of detail and persuasiveness? So I'm gonna tell you guys how to do it in the computer world. And I'm also gonna show you some basics of IP forensics.

Then I'm gonna show you in the real world how you're identified, how you change your appearance. I'm gonna show you guys how to detect surveillance. I'm gonna show you guys how to defeat organic recognition, how to defeat facial recognition. And I'm gonna show you guys how to develop alternate identities in the real world. And I'm gonna show you guys that I don't look exactly the way that you thought, because it's important to recognize, if you've seen me talk before, I don't dress in a silly little vest or hat like that.

So who am I? I've had 10-plus years of computer experience with PCs, OS, Linux, security. I've spoken at DEF CON four times and I see some people here that I know have seen some of the other talks.
I created a recommend website I've created and working on undermind.org, which is along lines with what we're doing here. A little bit political and very important from personal liberty standpoint. I'm also working on creategreat.com. And I certainly wouldn't wear clothes like that. Before I get in the next half of the talk, I would like to give away this vest because I am never gonna wear it again. So whoever screams the loudest and does the funniest dance out of their chair will get this vest. So start dancing, get up, shout. Come on. You don't want a free vest? There you go. Thank you.

So how are you guys identified? Well, if you had an Apple TV computer like the one in the picture here, you wouldn't have to worry about that. Since computers are so sophisticated right now, your browser HTTP tag identifies you. It contains your browser version. It contains your OS. It even contains your email address if you're in Netscape 4. And if you're actually using IE6, it actually contains your email address that's JavaScript readable.

How do your cookies identify you? Default privacy settings allow unrestricted cookies from the origin site. That means your information is being put out there on the internet anytime you visit a site. And just today, for example, Microsoft came out with new vulnerabilities where people could read cookies from a non-origin site. That means your information in plain text, your usernames, your passwords, and where you like to go is right there, plain readable. Your browser history: where have you been all this time? You can read the history 30 deep, depending on how you have it set. Your email headers contain your routing information. They contain your username. They contain your metadata. Your IP reveals your location and it reveals your Windows data.

So, when you're browsing a website, how do you make sure you restrict your anonymity? You can view your user agent with the URL up here. You can see what your browser reveals to other websites.
You can use Mozilla with the browser identification plugin. Set your own parameters. Obscure your identity. Use a proxy to strip off information. Take them out of the HTTP GET request. Strip as much as you can. This is what you have to do. Use a cookie blocker like Cookie Cruncher. I have a cookie blocker at home. Don't use the built-in Internet Explorer cookie stuff. That doesn't do anything for you. So, at the internet, there was service that guarantees privacy. And if you stayed for the earlier talk, you know not everything, not everything does.

Increase your anonymity while emailing. There was a talk today on crypto mail. Great service, open source, unlike Hushmail. It's something you can use. Steganography: someone will be talking about that on Sunday. Hide your important files and data inside of a picture. This is fantastic. That picture of you wearing that stupid hat on stage and that stupid vest on stage, hide a file underneath it. Use an encrypted Java email service. Chain together three or more services for better protection. Use an anonymous SMTP server. There's a URL of one that gives you a free trial. Wi-Fi war drive, of course. On the DEF CON CD, you'll find a free SMTP server. Go find your favorite wireless hotspot, not at the condition of some of the local hotels, because, hey, they're putting us up for the weekend. But here's a good secret. All of the Best Westerns will have, by the end of the year, free Wi-Fi access, unrestricted, no cost.

How do you use encryption? Use MaxCrypt. I put it on the CD last year. It's really cool. Blowfish, 448-bit. Encrypts your files, your folders, you put it away. It's on the DEF CON CD. Encrypt your text via PGP or an app like Kryptonite. That just encrypts plain text. So send your email in the encrypted form. Use an MD5 string, sent separately, to verify that your content wasn't tampered with, using md5sum, which is on the CD.
It's so easy, but you add that level of protection and you obscure who you are when you're online. And encrypt everything, any information you might use that could be forensically tied to you. And this is a really important point. Don't use your birthday. Don't use your girlfriend's name. Don't use other information when you're on there, because they're going to tie it back to you. And it's about creating a trail, a web of your information. And that's how they connect it to you.

How do you hide personal information? When registering your computer, something as basic as that. Use a fake name. Because you know those programs that are shareware, like UltraEdit, that send your username back? Don't use it. Why would you ever have to? When registering software, you might use an alternate username. I put a PDF file on your CD with information on creating an alternate username and alternate identities, which we'll talk about later. It's something basic, but it goes into depth about trying to persuade people that you're not who you are. But more importantly, protecting your personal information, not creating a history under another name. Use a non-traceable name on your Palm HotSync. The first talk I did here at DEF CON was on Palm Pilot Security. And I used a name that wasn't my name, and I remember some people in the audience raised their hand up and asked me why I didn't have Adam on my Palm Pilot, like I had stolen the Palm, and I shouldn't have.

So work hard to disassociate your username from your IP address. Use Remove Hidden Data. There's actually a talk on this also on Sunday. How to strip information out of your Word files. Use fake information when you're registering a domain. A service like GoDaddy lets you use anonymous information. But why do you have to list your real address? Why would you have to list your real name? If there's no checks on that, and it will also reduce spam. Develop your alternate usernames rule.
Make sure that the alternate username does not relate to anything that's personally identifiable, as we talked about. And record them down. That's why I put the worksheet on the CD. It's very basic. Print it out, write down some stuff, become someone you're not for certain transactions that aren't essential to you. You need to protect your personal information. I mean, I was surprised. I was actually online on one of the email search engines, on 411, which Yahoo owns now. And they had an email address that I had had in college on there. It's not active anymore. But how does that information stay for 12 years online?

Record your alternate usernames and where you use them. There's places on that sheet. You create a new history. So for example, you see at the bottom here, I've used the name Not Jason Biggs, Not J. Biggs, on the DEF CON forums. I have posts on other forums that relate to that. So people would think, you know, he's interested in DEF CON. He's interested in Ben Folds Five. And I use this name across all these different forums because it helps flesh out your personality. Use your alternate username when registering for web services. Blind email addresses or vendor accounts online. Like, I used it for PayPal. It's safer to create the, oh, and how do you get past the, you can use the temporary Visa number that's generated from your, like, MBNA generates temporary Visa numbers as your PayPal verifiable account. It's safer to create three alternate usernames with different addresses, secret questions, and birth dates. The reason three is important is so that you can remember them. But also, you need to develop different histories. One person is into computer security. One person is into punk music. The next person likes politics. And you can do it right there.

So how do you do it in the computer world? Download and use Mozilla right now. And that's quite popular. I'm not telling you guys anything you don't know.
Set up a Hushmail account or a crypto mail account. Encrypt sensitive files using MaxCrypt; I love it. It's easy. It works on every version of Windows. Reinstall your OS with a fake username and company. We probably all do it probably every three months anyway. So do it with a fake name this time. And develop three alternate usernames with your worksheet.

OK. I'm not going to do the IP forensics demo right now. I'm going to tell you guys about it because I'm running a little bit short on time. And I want to show you guys the video. And IP forensics is very basic. Find the source IP address. So you can do a ping with a ping -a and get the information off of it and verify it. Is it a Windows computer? Try net view on a public IP address. I was surprised when I went to go work for the company I'm working for right now. They didn't have that turned off. And when I did a net view on their domain, it exposed all of their server shares. As we know, don't do that. Does it have open ports? Use something like SuperScan; it's free on there. And where is it located? You can, of course, go to services online, find out who owns that block of IP addresses, where it's physically located. And does it have any open services?

So how are you guys identified in the real world? Well, security cameras in store. Some have night vision, so you get that creepy green hue on you. Some are black and white. Some are color. Facial recognition. At the Super Bowl in Tampa, at the All-Star Game, they scanned everyone's face as they walked in the door. They didn't notify anyone. There wasn't a sign. We didn't see it there. But they recorded everyone's face who went into those games. Unique and important information, like we mentioned before: your Social Security number, your home phone number, your address, your mother's maiden name, biometric data, fingerprint, retina. And as you'll see in a later talk on RFID, radio chips that allow for tracking and association of data with movement.
Walmart, who's featured on the screen here, and I'm sure everyone shops at Walmart here. That was a laughing part. Thank you. Walmart was trying to implement their RFIDs, and they actually had to abandon the plan because they didn't work. And people were exchanging RFIDs with other people, so they couldn't collect data on them. That's a small-scale example of why it's important for alternate usernames or important to obscure your identity.

So how do you change your appearance? The features 95% of people look at are the eyes, your hair, and then your nose shape. Several additions work best because they pass a believability test, or as I like to call it, the toupee rule. If I came in here for you guys and I had my hair spiked up and I wore that vest, you might have thought, eh, it wasn't much of a change. But something as small as that cheap hat I bought at Target earlier today, that might change the way you see me. But anything like William Shatner's hair or like some of those guys I've seen late night on Nightline, that doesn't pass the believability test. Perhaps because the face expresses emotion, false faces look unreal. I mean, you guys saw the freaks in Toy Story 1, those little robot children with their smooth skin and their hair that never moved. It looks wrong to us. And it probably will be impossible to duplicate without just photography to do it. But when it looks wrong, you feel like you're uncomfortable. I know when I was watching Toy Story recently, I felt uncomfortable whenever that little kid came on, more so than the walking toys.

So you use a celebrity as a baseline. This is a really great tip. If someone, one of your friends, says to you, hey, you know what? You really look like, you know, that Ted Koppel. You really look like that dude in Harold & Kumar Go to White Castle. If you look 50% like someone, use that as your building block. What would you need to do to increase the similarities? Are the additions believable? And ask a stranger.
You know, when I was walking down the street, as you'll see later on in doing what I did for pretending I was Jason Biggs at the casinos, I didn't really think people would believe it at first. I really didn't think I looked enough like Jason Biggs. Clearly, I was like 50% skinnier than the guy is, you know? I don't have like as much, like the hair isn't right, but if you just look at me, if you just glance and the confidence is there, then you might think that I look like that person. Also, that might not be that flattering because you get asked a lot of apple pie questions.

Your walk is intrinsic to your identity. You put your hand on your hip. When you see Keyser Söze in The Usual Suspects and he's walking with a little limp in his legs, it throws you off. You don't identify him with the character you saw on screen. Slow your stride. Increase your pace or step on a different part of your foot. When you change your hair color, blend it in, you know? I mean, use the trick that women have known for years. Don't put blonde in the middle like a Mohawk. Blend it in with your other colors. That's why I wore a hat today. Change your eye color with contacts. You can get them at a costume shop.

So how do you detect surveillance? You've changed the way you look. You got into a situation which you might think is dangerous, like DEF CON. How do you detect surveillance? Well, US businesses have a legal right to spy on you, so don't walk into your work looking like Brad Pitt. Start scanning for cameras, though, from the outside, from the parking lot as you walk in. Look for flashing red lights. Look for mirrored domes. Check the corners of doors eight feet and above, because they shine from that height so that you can get a wide angle and get as many faces and individuals in the recording as possible. This I find really helpful. Assemble the location of cameras into a shape in your head.
So go, when I'm looking here at this point, there's a triangle of cameras here as I enter the place. This is a good tip for two-way mirrors if you're in your local department store. Use a key chain, a Mag flashlight, shine it at what you think might be a two-way mirror. If it's suspect, your light won't reflect off of it. It will diffuse and you'll be able to see depth in it, small. I'll get to the questions at the end really quickly. Pay close attention to security. They most often walk near high-priced merchandise. They most often walk a beat. You'll see them over and over again hit the same place, like that part in The Matrix with the deja vu cat. They're always going to the same place over and over again.

And as he was pointing out before, after I'm done with the talk, I'm gonna go outside the tent so the next talk can come in. If you guys wanna ask me any questions or talk to me more in depth about what you'll see, I'll have plenty of time to talk to everyone out here.

So retina scans can be altered by changing your eye color or layout. How do you defeat organic recognition? Your organic recognition works by taking unique measurements of your face, heat, retina, or fingerprint. However, as was determined in scientific study, a gummy bear can defeat fingerprint sensors four out of five times. Doesn't make sense really that $100 device could be defeated by pressing your finger in a cherry gummy bear. On average, 75% of Americans say that organic recognition is acceptable in high-security situations. Is DEF CON high-security? Is going into your local restaurant high-security? Buying a candy bar and a soda from your 7-Eleven, high-security? I don't think so. And I don't think you should either. Heat recognition relies on the overall pattern of heat emission from your body's surface, and it can be fooled 75% of the time by cooling or heating your skin with an ice cube or blow dryer. 75% of the time, that messes it up.
So sample your skin temperature with a simple household thermometer. We're all sweating in the Las Vegas heat out here. I don't imagine there's someone identified you by your regular body temperature. You would identify the same way on organic recognition now. Fingerprint recognition is fooled by gel overlays. You guys have seen it in the movies, like Charlie's Angels and some of the other. They put the little overlay on their fingerprint and there's someone else. That unfortunately works 75% of the time.

So how do you defeat facial recognition? I looked into this for you guys because I thought this was really interesting. There are two main systems out there. One is called Identix FaceIt and another is by a company called Viisage. And facial recognition works by creating a single measurement of several key vectors on your face and then comparing that numerical value to something that has been previously stored. So often they'll set the threshold on the system to plus or minus 0.01 or plus or minus 0.02 and that will generate positives. But false positives are very, very common. For example, the Identix FaceIt technology, which they have a government contract for, starts by measuring your pose angle. So if I'm looking at you guys straight on and then I vary it by just 15%, it couldn't recognize me. Changing your eye color to match your skin color, it won't be able to identify the points on your face. Bloodshot eyes, if you look away from the camera right when you walk in, it won't be able to identify you.

There are two different facial recognition systems used at Boston's Logan Airport. They actually used Viisage, they actually used Identix at the airport and it was unable to detect people 62% of the time. Plus it required two workers who had to verify when it pulled someone out of their line and said that they were suspect. Also, not put up here, but also important is those people were often of darker skin color.
Those people were often misrepresented because they didn't look the white European Caucasian manner.

So after recognizing surveillance, you can look for the cameras that have Viisage or Identix logos. Unfortunately, and this seems kind of stupid to me, on the bottom of the camera, you'll see a very bright badge that says Identix on it. That's stupid. And the Viisage one is even worse. It puts a red band around the entire camera. I tried actually to get you guys a sample of this so you can see what these cameras look like. But you have to basically sign an NDA and I wouldn't have been able to talk about it if I showed you guys it. Plus it would have cost me $2,000. If you guys want to put together a collection afterwards, I'll bring a camera next year. So after recognizing the surveillance, you find out that they're domed. If they weren't domed, they would have completed under failure because it actually uses a shading algorithm in it to distinguish the different individuals in any given picture.

So how will you develop alternate identities? Well, actually, this is interesting. The other day I went into a Smart & Final in LA and they had their little grocery cart where they're basically tracking my preferences for what I buy. So they find out that I buy an awful lot of water. I buy an awful lot of iced tea and I have a need for a ton of silverware and plates and all sorts of stuff that you can dispose of. I didn't want them to know that, and she asked me to fill out the application and I put my name on there, and I didn't put my real name on there. But something that I could remember, another identity, and then I asked her, do you need my address? And she said, oh yeah, I need my address. And I'm like, I don't know, what if I just cross this out? She's like, all right, I'll just give it to you. So just pushing a little bit will allow you to protect that personal information. So as I said before, any alterations must pass the believability test.
I'm wearing a T-shirt and pants here. Does that pass your believability test? No fake toupees, no silly sunglasses. The more subtle the change in your appearance, the more it will be accepted and not noticing a change is much more indicative of success than noticing a change would be.
You will find the alternate alt-username worksheet and alt-identity worksheet on your DEF CON CD. But you must create a full, well-fleshed-out picture. This is really important. How many people have been in line for like getting into a club or a bar and they ask you, where were your parents born? You know, how old are you based on the birthdate that you showed them on that ID? You need to be able to answer these questions. You need to know what kind of movie you like. You need to know what kind of food you eat. You need to know what kind of beer you drink. Not that we drink. Use, oh yeah, that was another laugh line. Good job. I'll go slower next time. Okay. So you could use your alternate worksheet. You'll see it in front of you. Print out a copy, write some stuff down. Build a history, connect your alternate identity to a set of likes and dislikes. What you like to buy at the grocery store. What kind of music you listen to if they ask to put your name in a database.
When you go into Staples now, I noticed, and even Bed Bath and Beyond, they ask for your zip code. You don't have to give that. You're buying sheets for your bed if you have a bed. Yeah, I know. No, I always ask them why too and they don't have any idea because it's so like second nature to ask that question. Yeah, well I don't want that mailing.
So, secret. I'm gonna tell you guys today. You could go online right now to reach me.com and sign up for a free seven day, no credit card, web accessible, voicemail account with an all digital phone number. I have no interest in this company. I just thought it was really odd that they let you do this for free.
So for seven days you have a phone number and you can use it to help establish this alternate identity.
So how do you do it? Buy different eye color contacts at a costume shop. My parents blessed me with dark brown eyes. But how many people don't want those gorgeous blue eyes that the women love? Practice scanning your local supermarket for cameras. Carry gummy bears with you, you could eat them or use them to evade fingerprint scanners. Adjust your pose angle when you enter buildings. This should become second nature. Sign up for a voicemail at reach me.com.
So let me show you guys an example of how I did it and it may take a second for me to get the audio working but I will try to get it working for you guys today. So this is the Night as Jason Biggs video, which was one of the social engineering contest entries at DEF CON three years ago. And so here was the proposal. Use my likeness as Jason Biggs to fake our way into Las Vegas nightclubs and achieve free drinks, front of the line, VIP status and crowd recognition. They thought I was Jason Biggs. Create the environment, change your clothes by changing my clothes by changing into Hollywood club digs. Something that wasn't a T-shirt, you know in the hot Vegas, hot Vegas air. Alter your hair, I added hair gel. I changed my buddies. I designated one of them as my manager who is out with me for the evening and setting up locations where Jason Biggs is gonna tape his MTV show. I designated someone my director to fit people's image. My plan of attack was to first send my manager in then send the director with them and then negotiate with the club's manager to make sure that he would let everyone in. I even went with a posse, a group of friends because of course there's those hang around who are like, damn, someday Jason Biggs will do something other than American Pie.
So there were barriers. One person didn't believe that I was Jason Biggs and they thought I was Ben Stiller, who's like a foot smaller than I am.
When I was talking to, when I was at the MGM Grand I was asked to talk to the VP of entertainment who came down from his office to escort Jason Biggs into the club. And I was nervous, but I tried to project confidence because that's what you have to do. Also, I didn't take advantage of the situation and I was asked this when we did it three years ago. Went on the show with you guys today. I didn't go home with anyone who really likes Jason Biggs. I thought that would be way beyond the limit. I did sign autographs, but wouldn't you?
So this is an excerpt from the DEF CON 9 award ceremony. There's captions on here. So if you guys need to, I hope you can see the screens. I'm gonna get the sound working and I'll show you guys what I did. All right, we're gonna give it about another 30 seconds. If it doesn't work, I'm gonna hold the microphone up to the speaker, but it is captioned. It is also on your DEF CON CD, but I want you guys to see it up here so you can kind of hear about what we did. We're gonna try about another 30 seconds to get the sound working. They're not coming for me yet. Well, after I show you guys this video, I'm gonna go through the conclusion and I'm gonna give you guys a little information on what you can do. I've really tried to demonstrate for you that protecting your identity in the computer world and in the real world is really important. You're here because you believe that. Something like the Patriot Act. Let me restart the song. Something like the Patriot Act is a threat to our, don't leave yet, this is the good part. Something like the Patriot Act is a threat to our personal freedom and I really believe this. They've called in the big guns. All right, I'm gonna play it for you guys. Please watch the captions too.
These, these are actually CDs. Yeah, this is the guy Mike. Yeah, I'm chasing the person. Of course, yeah. You guys are totally being... Oh yeah. Yeah, I'm chasing the person.
For me, if I put your name on the screen, I'm gonna start doing the show. Yeah, just like, what do you wanna do? I'll just start with, like, which of the motion for the sequel. Come grab a two-week slab. We've played this couple of times with the Hollywood kind of motion and stuff like that. I was so excited about it. That's the best we've ever had, a crazy experience, you know? Crazy. We've been shooting a lot of films from Milwaukee and Audemars, something like that. Okay, we're gonna do a sequel. We're well, like, crazy up to that one, so... We're crazy, we're doing weird stuff like that, but... All right, we're totally cool, so... Let's say it's RPG13 after all. So, that's Ken. She's our S4 club. We had an S4 take us to the entire club of VI2S. All right, yeah, I tell him. And it's cool. Now he wants to see my ID. I don't know, Jason, do you have an ID on you? What? Oh, yeah, also, there's an S4 club that we've played all of our friends in because they know Jason's digs. They're all wearing tennis shoes. I think I'm gonna show my ID up. I'm telling you, I'm not comfortable showing that. I'm telling him that I don't want to show my ID because it's not my stage name. But we worked that out. Can't get my real name back. Yeah, they just... What? I wouldn't. So, this is us walking into the park. Okay, so here's what we do. We go up to the VIP room. We sit there. We're doing fake interviews for MTV. They just bring women around to talk to us. You recognize Jason Biggs? And this guy is my big manager. He's walking around and going, I don't know if Jason wants to talk to you. Oh, there's the hug. Oh, hey. She's hot, right? She's not hot. Oh, hey, there's Jason Biggs dancing in the studio. We're going to keep going. Yeah, there's Jason Biggs. And we were ruling this city.
So you guys can watch this video. It's on your DEF CON 9 CD. This is my legal warning up here. So, you know, I guess after three years, the statute of limitations is up.
I'm going to get back into the end of my presentation and then I'll stay for some questions afterwards for you guys. Okay.
Okay, so now you guys know strategies for obscuring your identity, for protecting your identity, like a beautiful world of applications, data, and the internet. The real world of brick-and-mortar stores, phone, and people. How to wreak havoc, good. How to overcome fear and loathing, very good. And identification evasion's goal. It is to respect privacy. It is to restore your personal freedom and to ensure equality.
Because this is important to me, I want to show you guys one more slide here. I encourage you guys to stay involved. Sign up at misleadered.org. Donate to the Electronic Frontier Foundation. Make sure to vote, please. And try to vote for people who aren't going to enforce more parts of the Patriot Act. Vote progressively. Read your news sources for a more balanced view. I know who I'm voting for November 2nd. And I think it's really important.
I'm going to close up by telling you guys something that's really important to me. I came to DEF CON two years ago, I'm sorry, three years ago now, and I did a talk called consumer media protections. And at that talk, I was here with a similar group of people. But now I've been in this relationship for a year and a half. And I really learned that it's important to value the people that you're with. Because that's the personal part, that's your identity. And I was wondering if you guys could take one second and help me with something. I'd like to send happy birthday to my girlfriend whose birthday is right now. And I'd like to give her these cupcakes. Happy birthday to stand up and tell you. Happy birthday to you. Happy birthday to Nancy. I'm sorry, my voice is worse and bad. Happy birthday to you. Thank you very much for coming. I'll be outside if you guys want to talk.