 Hello, hola. How many of you speak Spanish? Only one, two, three. That's impressive. Well, hello everybody. Thank you for staying here. Talking after Moxie and Dan Kaminsky is a tough task, but someone has to do it. So that's me. Well, first of all, let me introduce myself. This is the fourth year that I'm talking here at DEF CON. I'm from Spain. Have any of you been in one of my talks a year before? Any of you? Perfect. Well, I'm from Spain. I'm sorry for my accent. I have a horrible accent. That's the problem with all the people from Spain. And in my case, it's special because I started to learn English when I was 33 years old. Right now I'm 25, but I started when I was 33 years old. And I got a lot of problems with English, especially with the words that start with S, like my country, Spain. Spanish. I used to say Espain, like all the words, Espain, estation, and so on. And I got a lot of problems. And my personal teacher, my personal trainer, was telling me not to say Espain: Spain. And I tried to fix this problem saying a very small S. And in the end I used to say I'm Spanish. And it sounds very bad also when you are at a party talking to a girl. So I'm sorry for my English. I'm from Spain. How many of you have been to Spain any time in your life? Very well. Well, if not, you have to know some things about the Spaniards. First of all, we know how to do parties. This is one of the most famous parties in Spain. San Fermín, it's a very impressive party. The only party very similar to this is the Mardi Gras in New Orleans. As you can see, there are a lot of people on the street, people from around the world. And it's a seven-days party, 24 hours every day. And every day we need to clean up the city. So we release some bulls across the city and you have to run to get safe. This is real. You have to run. And if not, you will end up with some friend doing special things. This is one of the parties. This is one of the most famous.
But we've got parties around the country. This is another one. It's Tomatina. It's a battle of tomatoes. You can get into the whole city fighting with tomatoes. It's impressive. And it's very funny. In the end, everybody, it's like an orgy, but not an orgy. Well, sometimes it is, but it's like this. Well, another party that you have to know from Spain is the Fallas. This party is in Valencia every year. And during the whole year, people are constructing this kind of sculptures. Our very nice sculptures, as you can see, are 10 meters tall. And at the end of the day, we need to burn them. All of them, no one survives. This is a tradition, a Spanish tradition. Because we need the fire to cook paella, which is one of the most tasty foods in the world. And of course, in Sevilla, for religious people, this is the Holy Week in Sevilla. All the people from Andalusia, the south part of Spain, are carrying the images, religious people. But it's not only for religious people, because one week after, there is the April Fair, which is a different party where you can drink, sing, dance, and so on. It's very famous. And of course, if you go to Spain, you have to visit my city, which is Madrid, a very nice city, a city that never sleeps like New York. And it's quite nice. So don't forget to visit my country, okay? Understand? This said, I'm going to talk about other things. It was supposed that this talk was where I talk about how to hack terminal services and Citrix environments, but we are going to deliver that talk this afternoon in Track 2. And this talk is about a story on the internet from my point of view, from the point of view of a Spaniard, a guy in a very small country that we could call a small village, because it's like a village. Well, once upon a time, we were very happy on the internet. Everything was beautiful. We got a network in which we could do a lot of things. Everything was perfect, a fantasy world.
Internet was a space of freedom, a space where all opinions were allowed, where nobody controls the network. We used words like net neutrality or anonymity, a network with no rules, and everything was perfect. The only problem that we got at that time is that it was created in the age of Aquarius, and everybody thought that the rest of the people would be happy with this kind of network. The only problem that we got was the trolls, you know, that kind of people who have nothing to do other than commenting on your blog, I don't like this, you are wrong, I don't like this, you are wrong. You know that kind of people? Yeah. Well, even this problem we solved with some special netiquette. We used rules, but they weren't imposed, it's just a recommendation. If someone tried to become a troll, you sent a file with netiquette rules explaining how to behave on the internet. It was all the problem. But some day, WikiLeaks appeared. With WikiLeaks, we realized that internet wasn't that way. I'm not going to talk about the WikiLeaks project itself, I'm not going to talk about if what they are doing is a crime or not, I'm going to talk about the censorship that they suffered, and what happened after WikiLeaks released the cables from Bradley Manning. The idea is that at that point, we realized that internet wasn't that peaceful place. There were a lot of problems with internet and we discovered them all together in only one week, we left the Matrix and watched and saw the reality of the internet. First of all, we discovered that some governments could use hacking techniques to shut down computers, to shut down servers. The first thing that they suffered was a distributed denial of service. It was supposed to be done by a powerful country, it's supposed to be Spain, and it was the first step in this story. After that, the second story was that they were kicked out from Amazon in one day. In one day, it's incredible. If you try to get an order from a judge in Spain, you need more than three months.
With only one day, they were able to kick out WikiLeaks from Amazon. Then the next problem was with the internet domain. That's very important for us. From our point of view, from a Spanish point of view, that's a big problem because most of the companies in Spain are .com. Even my company is a .com company. And we even got .org companies. And in this case, in only one day, this is the 3rd of December, they lost the domain. Of course, after that, the money with PayPal, MasterCard, and so on. And the most impressive thing is that some time after, the Anonymous group got into the scene and they tried to do something against the people who were fighting WikiLeaks. One of the most important things that they did was the HBGary Federal ownage. It was a very funny story with the SQL injection, extracting the emails and so on. But after analyzing the email addresses, we discovered that there were crappy services that the governments, not only the U.S. government, the governments from around the world were using. For instance, XB or 12 Monkeys projects, that were projects to control machines of the citizens or computers from, I don't know, companies. Also, the fake, the Facebook profiles, the idea is that there was a war of psychologists managing profiles like playing Sims and trying to push ideas on the internet, on the social network. And the last one with the real propaganda using images like the one on the right side to throw ideas across the social networks. After that, we realized that internet has a lot of problems also in the infrastructure. One of them that is publicly known is the Great Firewall in China. I don't know if you were in China, but it's true, it's impossible to watch porn. The BGP attack in Egypt, the idea of this attack is when the revolution started in Egypt, the government cut off all the network publication in the BGP servers, so the network of Egypt was taken out from the internet. It was a radical decision, but it works. It works. It works for the moment.
Of course, the law, every country has a special law on the internet and all the countries are trying to get a bigger piece of the internet. It's supposed to be international laws and of course, American laws that for us, for Spanish people, are very important, more important than our own law on the internet. Also, problems with the DNS, with WikiLeaks. It was very, very famous, but in Spain, we got a very special case, which was rojadirecta.org. This domain was publishing streaming through internet of football matches and races and so on. The idea is that a guy with a paid TV connection was recording the event and sending the streaming through internet and this website was publishing that information. That's illegal in the United States of America, but not as illegal in Spain. After a trial in Spain, it was declared not guilty. So nothing was supposed to happen, but without a trial, the domain completely disappeared. For us, from the point of view of a Spaniard, that means that internet is not international. It depends on some law across the network. So for us, with our politicians, the guy on the left side is our president and the guy on the right side is supposed to be the next president. It's supposed to be the next president because this guy is doing the things very bad, so it is very happy. The other one is very happy. I'm not going to be the next president, but after two elections, he didn't was elected. He wasn't elected at all. And this is the other picture. It's Obama with Steve Jobs, Mark Zuckerberg, the CEO of Google, Microsoft. All of these companies are American companies. And they are supposed to accomplish the American law. So if we got in Spain a Facebook account or Google account or we got in Spain, I don't know, an iPad or an iPhone, what happens with my law? What is the law I need to accomplish to use this service? Well, the problem for this conference is about the blogger.
The idea is that if you got a blog and you want to write your thoughts about whatever, what happens if someone wants to take you off the internet? Well, they got a lot of solutions to do this. First of all, they can take off the route. They can do a known niche of your machine. If you got the machine on a service provider, it will be very easy for them. The second one is making it unavailable. As we saw with WikiLeaks, governments or institutions, I don't know who, have the tools to perform distributed denial of service. Of course, they can also close the domain, or block your service account, or ban you from the web's engines, or throw the law over you. So there are a lot of solutions to silence you. Well, some of the people around the world are working on different kinds of projects to fix this problem, to solve this problem. The first project is OpenNIC, which is another DNS system. It's not depending on ICANN. And as you can see, they are serving, I want to use the phone. They are serving different domains like .bbs, .free, .fur, .geek, .gopher, .indy and so on. The problem is that right now the DNS networks are not connected. So you need to install a special software in your machine if you want to connect to .com, .org domains and also to OpenNIC domains. The second solution that was proposed after the WikiLeaks problem was the distributed denial DNS system using P2P network. But it was only one idea. It's very difficult to construct DNS using a P2P network and in the end this project was completely abandoned. One of the best projects to solve this problem is Osiris. Osiris is a CMS from Italy and the idea of this CMS is that it's completely serverless. It's a project in which you create your CMS and all the content is PGP signed. So in the end, when you are browsing the CMS, you are browsing the portal, you are sending messages and downloading files from the P2P network. It works very well and it's impossible to take down.
The problem with this CMS is that you have to create your website using this technology before you have the problem. But most of the people on the internet don't think that way. At the beginning, everybody creates their blog without any big expectation. I create my blog, I'm starting to publish my thoughts, articles, maybe a tool, maybe whatever. In the end, after two years or three years, probably if you have been doing good things in your blog, you will have an audience, probably 3,000 people, 5,000 people and so on. At that moment, if you get angry or get tired about something, you cannot shout, you cannot write whatever you want because there are rules. Rules like this, these are the rules from Google, for Blogger. As you can see, there are hate speech, crude content, violence, copyright, personal and confidential information, impersonating others, illegal activities. All of them sound very good, but the problem is, where's the limit? If I publish a picture in which a guy is kicking another person and the guy who is kicking the other person is a powerful person, is a powerful entity, will my blog be closed? Who knows? Probably or not. And the most important with these rules is this. This is the Blogger content policy. From time to time, we may change our content policy, so please check back there, here. So the idea is that if you have nothing to hide, therefore you have nothing to fear, which is very famous, until we change the policy. So you are publishing things, but tomorrow, what you publish is bad, so I'm going to close your blog. And that's all. It's so easy. And with the XML file, there is a big problem because it's a very easy to analyze file. It's an XML file. You can optimize the analysis of blog posts and so on. So it's easy to create rules or alerts to discover who is someone not wanted on the Internet. So what's the idea?
If you got a blog and you are publishing an article, an idea, a thought on the Internet, people who want to read your thoughts are going to search for you using your domain name. It's the most important right now. Most of the people connect to the Internet. They can read the information. But every day more, RSS subscriptions are increasing on the Internet. Probably most of you only read information on the Internet using RSS. Hands up. Only RSS. Not browsing the website. That's RSS. Well, the idea is that the RSS is the point of failure. Your audience is connected not to you, not to your blogger; it is connected to your RSS feed. If your RSS feed is closed, your audience is gone. So in my case, I'm blogging in my personal blog and it's Un informático en el lado del mal. It cannot be translated to English. And as you can see, my feed is also in FeedBurner. So I got a big problem because if Google closed my account, FeedBurner is also a Google company. So I'm going to lose my blog and also my readers. The idea is that we need to create some special techniques or technologies to avoid this situation, to allow the blogger to always publish their content from different sources. And that's the idea of our project. If not, just closing your RSS feed and everything was fine. Well, what's the idea of this project? The idea is to create a reader, just a reader, but with a special feature. The idea of this RSS reader is that it can retrieve information from different HTTP sources and also from sources published on P2P networks. So the idea is that for the reader, it's only a subscription. But behind the subscription, we'll have a lot of different HTTP sources and also different P2P networks. What's the idea? Let's suppose that we are reading our blogs, like every day. We got four subscriptions. But in our environment with our technology, the idea is that every subscription has different sources behind it. As you can see, the subscription one has two HTTP sources and also a P2P source.
The subscription three, one HTTP, one P2P, the subscription three, the subscription two the same, and the subscription four only one P2P source. You can do whatever you want. You are reading a post. That's the idea. So in the end, we are going to create a reader like this. It's a proof of concept. And as you can see, we got different sources for each blog. In this example, three from HTTP and one from P2P network. The idea is that it's so easy to add new HTTP sources. RSS, the feed is an XML file. Just adding a line saying, okay, I'm the blogger. I want you to add this new HTTP source. Just a line. If the reader reads that comment, it asks the user, okay, the publicator suggests you to add a new HTTP source for this subscription. Is it okay for you? Just clicking okay, you are going to add new sources to the subscription. That's very easy, to migrate from one architecture with only one point of failure to an architecture with no one point of failure. And also, the idea is that if you want to publish your blog and your account is closed, you don't even need to have a blog. You can create the feed from your local machine and distribute it using the P2P network. The idea is that if I got an XML editor and I create my blog post using the XML editor, or I have an internet or whatever, I can take the XML file, use my personal, my public, my private PGP, sign this XML file. This is important because in the P2P network, there are a lot of file pollution attacks and we need to create special defense. Then using that, optimally, you can publish on the P2P network, in this implementation using Gnutella. So the idea is that you can republish all the feeds from a file, from a website, from an intranet, even it's possible to send a TXT file on an email system and just sending an email, with an automatic process, publish the feed on the P2P network. So the only thing, the only change that we need to do internally, these changes are done by this, is that we create a feed like this.
This is the feed, this is the name. As you can see, we got the channel, then the date. It's important to discover the most updated feed. Then we got the SHA-1 hash of the public PGP key. This is the token that we are going to use to search for the files on the P2P network. And then the only change that we do is to the images. We, in most, that in most of the cases, are related to a web server. We are going to convert the image from a web server to a P2P link and that link is just in the AL modifier, we are going to add Gnutella and the hash of the file in the Gnutella network. So in the end, all the images, as you can see, are going to be published also on the P2P network and digitally signed. So this is when you publish your feed, it's going to dusterize the complete feed and all the files needed to read your feed are going to be published on the P2P network. So the idea is that the readers are going to subscribe to a public PGP key. But that public PGP key is not necessary to be the author's PGP key. It can be the PGP key of another user who is signing information. To me, I like the information that he is signing and I want to subscribe to that guy. So I'm going to add a source to the PGP network. So let's see this in action with a demo. I got two machines, these and these, of course, all demos are going to fail. But let's try it. The Windows XP machine has a subscription to Un informático, which is my personal blog. And as you can see, the last blog post is hacking remote apps part two. Okay? Then we go to the other machine with us and we are going to create a subscription for my personal blog. In the next example, I got three different feeds. Each of them, it is going to be supposed as a different HTTP source. As you can see, the first one is at 28th of July. The second one is at 29th of July. And the third one is at the third of August. Okay? Now I'm going to take the oldest, which is this. And I'm going to copy the feed. And then I'm going to set up a channel name.
Subscribe. And then I'm going to use the other two. As you can see, it's lado del mal. And the third one is lado del mal three. So I just, I just need to add new HTTP source lado del mal. And lado del mal three. Okay. Right now, in this, in this subscription, in this script error, I got three different HTTP sources. Okay? Well, now I'm going to publish this, this blog with my PGP keys. So I only need to publish the blog, select my private key. What happened? I just select a file. Okay. The key and the public key for the name. We need the public key just for the name of the feed. Okay. That's all. All the files are going to be dusterized and published in the selected folder. And now in the other, on the other machine, I'm going to add a new public key. Yes. This, which is the public key of the, of the publicator. Okay. If everything goes fine, I'm going to update this blog and this blog will be updated from different sources; for the user it will be transparent, completely transparent. No matter from which source this blog has been updated. But in the end, I got the last, the last feed. And as you can see, even the images, in this example, as you can see, the image is related to the Gnutella network. But in the end, the image will be downloaded. In this machine, we don't have internet connection. So the image had been passed from the, from the P2P network. So that's the idea. The idea is just to create a reader. As you can see, there is no information about the P2P network because we don't want to construct a P2P client. We want to construct something that people use. So we need to, to create something cool for social media victims, no? People who use the new technology, the new tool, the, the new version. So we are searching for designers to do something cool, no? For that kind of people with a very nice logo, with very nice interface and, and so on. Right now, it's a, it's an open source project. It's under an Apache license.
You can download the code from that project dot, dot codeplex dot com, of course, from Gnutella network. And if you want to, it's, it's written in, in Java. I'm sorry. But if you want to, to use it or you have any question for us, it will be a pleasure. Today I'm going to deliver a talk with my company, my, with a friend in the track two at six, 16 o'clock. It's, it was supposed to, to be called terminal application because we are going to do some crappy demos with terminal service and Citrix. But in the end, we call it bosses love Excel, hackers too. And tomorrow for FOCA lovers, I'm going to deliver a workshop about FOCA three, which is the new version of FOCA. I don't know if any of you know FOCA. Okay, well, that's all. Thank you very much for your attention.
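The reader-side source selection described in the talk (one subscription bound to a public key, copies arriving from several HTTP and P2P sources, signature checks against file pollution, newest date wins), as an added example that is not part of the talk or the project's code. It assumes a toy textbook-RSA key as an offline stand-in for PGP; the field names, function names and sample dates are constructed for illustration.

```python
import hashlib
from datetime import date

# Constructed toy RSA key built from two Mersenne primes. It stands in for a
# PGP key pair so the example runs offline; textbook RSA like this is NOT secure.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the publisher only


def key_token(n, e):
    """SHA-1 of the public key: the token used to search the P2P network."""
    return hashlib.sha1(f"{n}:{e}".encode()).hexdigest()


def _digest(feed, n):
    """Hash every signed field, so the date cannot be changed on its own."""
    data = "\n".join([feed["token"], feed["date"], feed["body"]]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_feed(pub_date, body):
    """Publisher side: build a feed and sign it with the private exponent."""
    feed = {"token": key_token(N, E), "date": pub_date, "body": body}
    feed["sig"] = pow(_digest(feed, N), D, N)
    return feed


def verify_feed(feed, n, e):
    """Reader side: the feed must name the subscribed key and carry its signature."""
    if feed.get("token") != key_token(n, e):
        return False
    try:
        date.fromisoformat(feed["date"])  # reject feeds with an unusable date
        return pow(int(feed["sig"]), e, n) == _digest(feed, n)
    except (KeyError, TypeError, ValueError):
        return False


def select_feed(candidates, n, e, last_seen=None):
    """Return (source, feed) for the newest verified copy, or None.

    candidates: (source_name, feed) pairs gathered from every HTTP and P2P source.
    last_seen: ISO date of the newest feed already shown; older copies are
    ignored so a stale mirror cannot roll the reader back.
    """
    def when(item):
        return date.fromisoformat(item[1]["date"])

    valid = [c for c in candidates if verify_feed(c[1], n, e)]
    if last_seen:
        valid = [c for c in valid if when(c) >= date.fromisoformat(last_seen)]
    return max(valid, key=when, default=None)


# Constructed sample: three honest copies and one polluted P2P file that
# claims a newer date but reuses the signature of NEW.
OLD = sign_feed("2011-07-28", "post A")
MID = sign_feed("2011-07-29", "post A, post B")
NEW = sign_feed("2011-08-03", "post A, post B, post C")
POLLUTED = dict(NEW, date="2011-08-05", body="injected content")
CANDIDATES = [("http-1", OLD), ("http-2", MID), ("p2p", NEW), ("p2p", POLLUTED)]

if __name__ == "__main__":
    print(select_feed(CANDIDATES, N, E))
```

Because the date is covered by the signature, the polluted copy cannot win by claiming to be newer, and the reader keeps working when only the P2P copy remains.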