Boy, this is loud. Okay, so my name is Kat O'Cuda. I'm here to talk today about a piece of software that I've almost got finished. I intended to have it ready for DEF CON and, well, things happen. It'll be out about two weeks after. I'm talking today about the program Aura, which is a peer-to-peer reputation system. And as someone so pithily pointed out to me, I've managed to hit two buzzwords in four words. But what I was really intending to do was say I'm talking about reputation systems, which are basically a way of describing social networks through a computer. And peer-to-peer because, well, most of the ones that currently exist are based off of things like LiveJournal friends through centralized servers, where if the server ain't working, you're not getting there. And I'm much more interested in grassroots ability for everyone to communicate with everybody else and have no dependencies.

So most of you have probably seen LiveJournal, Friendster, eBay, Advogato. Who's seen these places? All right, I see some people just don't get around here. So LiveJournal and Friendster, basically, it's a way of saying, hey, these are my friends. It's kind of binary, so it's a very simplistic reputation system. You can either say, yeah, okay, I know this person, they're cool. No, I have no idea who this person is, don't care. eBay's a little more complicated. It's a system where you keep track of how well somebody has behaved as a buyer or a seller. But the system does have one major flaw, which is that there's an incredible amount of pressure to never say anything bad. I mean, people go miles out of their way to make sure that you always say they pay on time, they communicate well, the stuff was cool. If you look at their reputations, just about all of them say a reputation of 99.7 to 100%. And if you can claim that everyone is 99.7 to 100% reliable, I'd like to hear from one of you right now. Silence. So Advogato is really cool if you haven't been there.
It's written by a gentleman whose name has suddenly vanished from my head. Raph Levien. I'm going to attribute it to being nervous that I can't remember names. You could also attribute it to ongoing senility or having been here too long already. But he studies reputation systems and he's implemented one on Advogato to rate postings and generally give you an idea of how worthwhile it is to read someone. Really cool, you ought to go there. It's better than Slashcode, where there's, as everybody knows, the gentleman in the front laughs, I believe he's had this experience. Slashcode, you moderate up, you moderate down, but unless you actually go and look at it, you get a lot of crap.

So why do you care about reputation systems in the first place? There's a lot of junk out there. I, for one, would like to know what I'm interested in, tailor stuff to my liking, be able to get an idea of who's worth listening to, who isn't worth listening to, what's worth looking at. So you can use it for this. See, I'm mixing my things, nervous again. So establishing trust, establishing credibility, propagating memes. I'm sure we've all been at the tail end of a, hey, look at this cool webpage or listen to this cool clip, probably a few too many times. Somebody bring us the bomb and we'll all be good. And also for things like spam filtering, which is where you see reputation systems most often right now. SpamAssassin is another version and there was, what was the URL that you sent me? Okay, the gentleman doesn't remember the URL that he sent me, it's catching.

So the basic challenges in setting up a reputation system revolve around the same thing as any other sort of system where you're talking about a social network. It's trust, authentication, non-repudiation. If someone says, for example, that the gentleman in the yellow shirt sucks, you'd like to know who said the gentleman in the yellow shirt sucks. She said it, okay. So now we know who said it.
But you want to be able to establish this to a reasonable amount of doubt on a computer when you may or may not be sitting beside the gentleman in the yellow shirt. And that's what authentication is about. Trust, of course, if you don't know who the person is, I have no idea who she is. So if she says he sucks, how do I know that she's telling the truth? Do you know her? You don't know her from Adam, does anybody else know her? Okay, so all we know is that a random person says he sucks. So we need to be able to build a web of trust. I know I'm stealing from PGP, but it is essentially the ability to say I trust this person, somebody else trusts this person, and it eventually traces back to me or to them and we know who's who. Pretty straightforward. Questions? You look puzzled. Okay, it's gas. You've been eating pizza again, haven't you? And non-repudiation is, of course, being able to say that the person who said this definitely said it and ain't gonna take it back. Are you gonna take it back? That he sucks? Okay, did everybody else hear her say he sucks? So it's gonna be really hard for her to turn around later and say, I didn't say that. We've got, you know, 45 people here to say that was true. But all of this breaks down. And you know, if the three of you get a room and make a movie, you can make a lot of money. So the problem is all of this breaks down when you start talking about computers and networks and you actually don't get to see the person, you don't have a room there to say, we all heard this, this is true. And that's where you get into the challenges of building something like this.

So in terms of design considerations, when I was writing, I had an obsession with fast, efficient code. This is not necessarily a bad thing, but it can be a royal pain in the neck when you're trying to build something in a relative hurry.
But if you're talking about a peer-to-peer application, you are going to want something that's fast and resource efficient so your local network admin isn't going to turn around and say, you're running that stupid peer-to-peer thing again, how many MP3s have you downloaded, how many has someone else downloaded, et cetera, et cetera. So fast, resource efficient. It needs to be secure so that you don't corrupt information that's being sent back and forth. I need to know that when she sends me the message saying that the guy in the yellow shirt sucks, it's not really the guy over there in the hat masquerading as her. Of course, if they're side by side, they look nothing the same, but on the internet, everybody's a dog. So difficult to corrupt information, difficult to impersonate other people. It needs to be portable. I mean, if you can only use it from your computer at home and you happen to be here, that's not gonna help. If I want to say to a reputation system, I met this chick with red hair, what can you tell me about her? If I can only do this from home, it's totally useless at a conference. It's also totally useless at work. So it needs to be portable. It also needs to be simple to use and extend. Like, I suspect that all of us have had the experience of looking at a command that has 15 million flags. Some of you may have had the experience of having someone ask you the interview question, what are the flags to ls? This is an evil question and really, it's easier to say what aren't the flags to ls, but that's neither here nor there. Simple to use, easy to extend, straightforward programmatic interface. Beyond that, as I said when I started, it needs to be independent so there's no centralized server that can go down, be compromised, or a centralized server where perhaps the goals of the person that owns the server change over time.
And if you're storing information like reputation, you don't want to suddenly discover that the server you're storing it on has become a marketing gimmick and that they're really interested in what your opinions are and who your friends are so they can say, hey, you know, your buddy reads the following book, I'm sure you'd like to read this book too, or other things.

So in terms of concerns, this is a hacker convention so, oddly enough, attacks on this type of a system were high on my list. And in terms of attacks on a reputation system, depending on how it's built, flooding it with all kinds of spurious information can be a high risk. Now, if you have a system where you're certifying all the people involved, it's much, much harder to flood, simply because that would assume that you were able to certify the large number of people flooding. And if, for example, the gentleman back there is not paying any attention to me, just his badge, okay, he's paying attention to me now. Fair enough. If, for example, that gentleman all of a sudden developed 15,000 friends, the odds that everybody else would say, that's really weird, all of a sudden he's got a lot of connections, I think I'm going to lower his overall reputation. These are pretty high odds because he's looking awfully suspicious to us, in the same way as if the gentleman in the red shirt there decided to go from door to door in the hotel trying doors. This looks suspicious. So it's an automatic choke. Raph Levien, see, I remember the name now, has a really cool paper on that up on Advogato linked off of the main page. And his math is much better than mine so I point you to that for the proof. Trojans are, of course, an issue. If you can corrupt what's being sent out at the source, it's a lot easier than trying to break it in the middle. Identity theft, again, similar to Trojans.
If you can pretend to be somebody early off, for example, if I start into a reputation system and I say I'm her, no one's going to be able to tell that I'm not her until we start working at certifications and none of them match. So for example, she could be certified by the gentleman in the yellow shirt whether he sucks or not. And the gentleman on the other side of him who apparently also sucks, but she could still be certified and we'd all say, yeah, they're associated. I, on the other hand, might be certified by the gentleman way over there with the beard and the gentleman beside him. And then you'd find that the social networks wouldn't match up, so it's comparatively easy after time to determine that someone isn't who they say they are. It's much easier if you're using something like public-private key cryptography to call someone on the phone or have it certified as per the usual routine you get with PGP. Is everyone familiar with PGP's establishment of identity? Hands? All right, okay, in that case I'll just summarize it as, you know, there's good ways to establish identity; no matter what you're doing you want to present that. And that's identity theft, impersonation, basically very, very similar. Fairly easy to detect over time, not as easy to detect immediately. This is another reason for when you're having a trust metric, I'm sorry, I'm jumping ahead, aren't I? A trust metric is how much you trust somebody, what their reputation is. So if you set your trust metric as having a slow start to trust, it's much easier to get around things like identity theft and impersonation. You say until I know who these are or until I certify them, I'll kind of treat them as being a little off. And then finally, denial of service, that's just one of those things you live with. If someone has a good solution for how to deal with them, please stick your hand up and tell me now.
Okay, large caliber weapons, that is a perfectly good way to deal with them if you can find the target.

So in terms of implementation, the way that I've been implementing this program is, as I've said before, buzzword, peer-to-peer. What this really means is it's designed so that you talk directly to the people you're interested in. You maintain a local data store of information about those people that you are interested in, which is useful in a number of different directions. In my case, I've elected to develop in C using Peter Gutmann's cryptlib library and SQLite. SQLite has one great advantage as far as I'm concerned, which is that it stores its database as a flat file and can be read on damn near any machine, whatever it is. You look dubious, go ahead. It's smaller. It's much, much, much smaller. How does it differ, the question was, how does it differ from MySQL? And the major difference is that it's tiny. The gentleman would like to see someone embed MySQL in an application. I believe MySQL has been embedded, but it's a large application. So hence the design consideration. This gets back to small, fast, portable. So you have your local data store into which you pour the information about who you've talked to, who you talk about, who's talked about whom. And even after saying that I believe in doing things peer-to-peer, I'm being profoundly wishy-washy, you can also run as an aggregator to pull information from local machines and store it forward. So for example, if you happen to run a reputation server on the edge of your network, rather than having to expose your entire network by saying everybody here can talk, you can have the internals of your network talk to the aggregation host and that aggregation host then talk to the rest of the world. Mileage varies.

So in terms of reputation, reputation is basically in three parts.
Every entity that you run into, where an entity could be a person, a place, or a thing, this is why I'm saying entity as opposed to user, is identified uniquely by a public-private key combination, nothing unusual there. And you have for them your personal reputation as far as they're concerned. So I, for example, could say, and I'm going to pick on the gentleman in the yellow shirt again because, well, he's wearing a bright colored shirt. I could say, I don't know him from Adam. I'm going to give him a default value of zero because really, I don't care either way. He hasn't done something to make himself profound and interesting. Neither has he done something to make me think that he's really not someone I want to deal with. I could find that everybody else on the other hand says, you know, that dude sucks. Not only does he suck, he sucks so bad we want nothing to do with him. Am I picking on you? Okay. See, I'm giving him a bad reputation by standing up here and saying all sorts of things about him and I don't even know his name. Do you want me to say your name every time I say this or just the gentleman in the yellow shirt? Okay. So you can give people a, you can accumulate a general reputation of what everybody else has to say about them. Clearly, private personal opinion and public opinion vary. I mean, I'm sure all of you can think of someone for whom the general public opinion is good and your opinion is bad or vice versa. No need to name names. So the last section is by specific area and I'm going to get a little confusing here and jump around, so feel free to ask questions or point out that I've jumped around really badly. And basically what you have is a template system that describes the type of information you're looking for about an entity. So you could say, for example, I'm curious in knowing what everybody else thinks about mail servers. Should I use qmail? Should I use sendmail? Should I use Postfix?
And I'm sure if I asked everyone to stick up their hands, they'd give me a whole series of different opinions. I'm not going to. So associated with your particular question are a series of attributes, where the attributes could be this is good, this is bad, I don't care. But in the interest of being small and fast, rather than exchanging a full set of data saying mail server, this attribute, that, this, that, the other, you just exchange a compressed list of numbers matching to the template. This does mean that respective servers have to have the same templates, and this is established by exchanging signatures. It keeps traffic down.

So the last category is gossip. Now, I'm sure everyone's gossiped now and again and I'm told reliably that most people think that gossip is only negative, and I'm curious for personal curiosity, who here thinks gossip is only negative? Hands, please. Novel, you're completely different from everyone else. This is really cool. So basically what gossip is, is exchanging information about entities you don't know. Someone else says to you, hey, the guy in the green shirt that's shaking his head, he likes to sit in the front of speeches and make faces and make the speaker nervous. Now, I don't know whether this is confirmed or not. Someone's just said this to me. So I file this under gossip. So later on, I meet the guy in the green shirt and I discover that, lo and behold, he sits in the front of talks at conferences and makes the speaker nervous. And at that point, I can assign greater and less credibility to the gossip and the gossiper. See, I'm getting ahead of myself completely. So credibility is one of the great uses for a reputation system. Is anyone here subscribed to vuln-dev? Vulnerability, the vulnerability mailing list.
So as a quick summary, there was recently a comparative firestorm caused by the list moderator posting to say, as far as he was concerned, you shouldn't post to the mailing list unless you posted under your real name from a confirmable address and were definitely a real person. And oh, by the way, be polite. And if he doesn't like you, he's going to unsubscribe you from all of these security-focused mailing lists. I'm sorry, that was pen-test. Shoot me, she's right. All right, please consider this a correction. I've besmirched the reputation of the wrong people. File it under gossip. You know, I heard that strange chick, definitely. And what the discussion came down to on penetration testing was, you don't really care who's associated with the address as long as you know that they are a credible source. I mean, you can be a dog on the internet and as long as you post reasonably, nobody cares. And one of the uses for a reputation system is to establish credibility. And it's a perfect way to filter something like full disclosure. You can say, these people are nuts. These people post reliably. These people only ever post to say that somebody is blowing goats. It's full disclosure. People have posted that. And of course, filtering on a personal or a server-based level.

In terms of configuration for this, text-based configuration, templates as I jumped ahead of before, public-private key cryptography, already gone here. Future plans, actually delivering the software. I didn't put it in there. I should have, but, you know, cross-platform portability. One of the interesting things that people really love about Friendster and actually LiveJournal is the ability to pull out information about social networks. I'm not sure how many people here have used things like LJMatch or the LJMapping software where you can look at who your friends are and how you map out to them.
But I'm reasonably sure that anyone on Friendster has watched their friend count increase every time they add a person. So that, and then automation triggers. As it currently stands, everything's manual. This sucks. Ultimately, once I'm released and once I'm done, if I'm ever done, you should be able to set things up to automatically get updates from people that you know back and forth, yada, yada. Okay, I'm done. I'm speaking awfully fast. People have questions.

I think I actually turned it off. Does this mean that we give the gentleman a poor reputation for technology?

Okay, so you provided a sort of abstract explanation of what you see the requirements for a reputation system as being, but I'm kind of curious about the specifics of the software that you've implemented. Like, is it an architecture? I presume it's an architecture for aggregating reputation on a peer-to-peer basis. Does it also have, is it a file transfer network as well? Does it work over IP or TCP? Or what is the, is it an API that other pieces of software can plug into?

The gentleman points out very accurately that I've given a high-level overview and haven't given any useful technical details at all. It's TCP-based. We're talking about a standard daemon and client setup. Let's see, where else had we gone? You're going to have to repeat. I have just flaked out.

I guess the biggest question I have is, is it a peer-to-peer file transfer system? Is it an API that interfaces to other applications that actually work with data?

It is explicitly a framework into which you can put plugins to interface with other applications. It is standalone. It is not designed to transfer files. There are plenty of things out there that do a perfect job of transferring files already. And if this is going to be small, fast, light, portable, and not get squashed by people running networks, it needs to not send files around.

I guess, if you don't mind, let me throw one more question in.
What is the context in which you're doing this development? Are you like, is this your hobby? Are you doing this as an academic researcher?

This is my hobby. Yes, you can point at me and say I'm lame, that I sit at home and tap away on my laptop. Well, yeah, everyone else who wears it too. It's catchy, and I forgot already.

I was curious if, never mind. You need to lift the mic closer to your mouth. All right. One question is, can you do it anonymous? Like, or can you have an anonymous reputation where somebody out there, you know, you trust them and everything like that, but you don't know what their IP address is, you don't know anything about them, but you just know that you trust them.

It's currently set up to capture IP address, simply because you need to know how to connect to the remote peer. It's very difficult to set up a TCP connection without having a means of establishing the connection. In terms of whether you have to store it or not, I don't see any reason why you couldn't set it up not to store. And in terms of information, what you really need to know about the person is their public key. So it doesn't really matter who's on the other side of it, as long as you establish credibility. Okay, thanks.

Hello. And the gentleman speaks loudly, and we all jump. Sorry. How will this interface in with, say, email clients or something of that sort so that you could avoid spam?

I had a sneaking suspicion the spam question was going to come up. Essentially what you'd be looking at is a similar interface to something like SpamAssassin, or it functions as a plugin that you consult. So you would say, got this, what do you think about it? Good value, bad value, drop it, let it through.

So where do you get the information? I mean, is it just from all of your other friends that you have?

Basically, yes. Okay. You're talking about extended social networks.
It differs from something like a blacklist, in that a blacklist is set by the people running it, sometimes with contribution, sometimes without. In this case, you're talking very much about the people directly surrounding you, whose values consider certain things to be spam. Generally, I find that the people I know have a much better idea of what I consider spam than the people that run the blacklists. Since, among other things, I've been trying to fish my IP block out of a blacklist because someone else bad owned it before me. This is a non-trivial process, as many of you may have encountered.

So what about services that you may sign up to get email from? Do you have to go and add them onto your list, or?

It's an opt-in list. Okay. I mean, you can say, for this, check that. You could also say, just don't care. I think there was a gentleman over here trying to grab the mic, although I know that you were trying to grab it, but, you know.

All right, let me try not to step over myself while I'm trying to ask this question. Reputation systems have been starting to pop up in a lot of different applications recently, mostly focused on tracking social networks. I'm curious if you've looked at Conspire. It's a peer-to-peer file sharing app. It's kind of like BitTorrent with channels, but they do have a reputation system built into it for fielding recommendations. I was wondering if you'd seen that or had any thoughts or comments on it.

I have not seen it, and thus I have neither thoughts nor comments on it, but now that you've mentioned it, I'll ask you once I'm off the microphone to repeat it so I can put it in my computer and go look. All right, who's next?

The gentleman wants to know basically how you find out about someone you don't know about, whether the reputation propagates every time you make a connection. When two speakers make a connection, basically what you see is they exchange information about themselves, and then they exchange gossip.
So in theory, someone in your network has probably gossiped about the party involved. So the answer is the likelihood that you already know about them, once you get to a certain size, and all of this is size-bounded, the more people involved, both the more average you're going to get and the more accurate you're going to get. It's going to smooth out peaks and valleys dramatically. So yeah, yes I will, but I don't have it right now.

Okay, I'm reminded that I need to repeat your questions, although I've been trying very hard to repeat them. The gentleman is asking what exactly the framework does and whether there's going to be information with what I release on how to use it and how to apply it, I believe. The gentleman wants to know if there will be an application involved in the framework to demonstrate use immediately. And the answer is yes. What I have planned for that is actually, and you can feel free to point and laugh, my mother. My mother sends me all kinds of webpages, many of which, frankly, I've already seen or it's not funny or it was only cute three years ago. I'm sure I'm not the only person with this problem. So what I intend to make available with it first is the, do I want to look at this web page, function. Okay, any further questions? The gentleman in the yellow shirt.

How do you deal with questions of, you talked about identity theft and I understand that identity is established through the public-private key pair, but how do you deal with someone who needs to revoke their key or expire it? Is there a mechanism built in for repudiation of identity later on down the road?

There are two ways of dealing with that. One is, gee, look, weird, this key's been repudiated and all of a sudden their reputation's sunk to the floor. The other is a cleaner mechanism and I haven't got it quite down yet.
How do you deal with something like a conspiracy where a group, a small group of people have gotten together to basically black with- You need to raise the microphone, you're echoing. Conspiracy, how do you deal with a small group of people who have gotten together to basically blacklist a third party?

When you have a small group of participants, it's really easy to blacklist someone. All it takes is a significant number of people to say the guy in the yellow shirt sucks. However, once you get a larger and larger number of people, it becomes harder for any group to have a significant effect. At that point in time, you start talking about large enough numbers that it's really difficult to get everybody to participate.

But if you'll tolerate a follow-up question, any given entity will only have a small number of, if you will, trusted sources that they listen to for reputation.

My current estimation is that each person will have between 10,000 and 100,000 known entities. So it's not actually that small. The gentleman behind you is looking for the mic.

For this reference design or prototype that you've been talking about, could you give me an idea of the size of the footprint you expect that to take up? Does it require a desk side to put on my laptop? Can I put it on my PDA?

I don't know if you'll be able to put it on your PDA, but your laptop won't be a problem. I'm developing on my laptop.

Okay, so what about something like a Zaurus or something like that with maybe, is the problem storage or do you see the problem as CPU?

Because it involves calculating keys, the problem is CPU more than storage. Okay. Although one person suggested what would be a kind of interesting application, which is scanning barcodes and matching the barcodes to produce that you don't want to buy from certain companies. So for example, if you don't want to buy anything from Nike or a Nabisco-owned company, scan the barcode and have it pop up and appropriate to- That's already being done.
There's an application out there right now that lets you scan a barcode and it takes you to the Google page for a company. It shows you basically all of their crimes. Cool. Anybody else, or are you going to let me off the stage? The gentleman back there. The one with the bright yellow tag and his hand in the air.

I had a question about the product you just mentioned about the barcode scanning. Does it make use of a CueCat? Makes it something useful?

As far as I know, I think there's just any barcode scanner. So yeah, you could probably use a CueCat. I mean, you know, Digital Convergence should be like one useful thing for it, probably one of the only useful things for it. The main difference you have here is that you could also say, my friends say these chocolate mint cookies are really good, which I don't think you're going to find a webpage on. So anyone else? Okay, I guess I'm done in a hurry. Thank you.
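Added example, not Aura's code and not anything the speaker released: a toy peer in Python that follows the design sketched in the attacks section (flooding as an automatic choke, impersonation, a slow-start trust metric) and the implementation section (entities named by a key, a local SQLite store, per-template ratings shipped as compressed number lists that both sides expand only after their template signatures match, gossip whose credibility is adjusted by later first-hand experience). Everything specific here is an assumption: the HMAC-SHA256 stand-in for public-key signatures (a real peer would verify with public keys, so the verifier holds no secret), the `MAIL` template and its attributes, the slow-start formula and the flood thresholds, and the sample peers and records, which are constructed for the demo.

```python
import hashlib
import hmac
import json
import sqlite3
import statistics

SLOW_START = 4     # assumed: "unknown" mass a new source carries until it earns confirmations
FLOOD_FACTOR = 10  # assumed: gossiping about >10x the median number of entities looks like a flood
FLOOD_MIN = 20     # ...but only once the source is talking about at least this many entities
MAIL = ("secure", "easy-to-configure", "fast")   # hypothetical template for the mail-server question

def key_id(secret: bytes) -> str:
    # Stand-in for a public-key fingerprint: an entity is named by a hash of its key.
    return hashlib.sha256(secret).hexdigest()[:16]

def sign(key: bytes, body: dict) -> str:
    # Stand-in for a public-key signature: HMAC-SHA256 over canonical JSON (verifier needs the key).
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def template_sig(template: tuple) -> str:
    # Peers compare this before trading number lists, so both expand them the same way.
    return hashlib.sha256("|".join(template).encode()).hexdigest()[:16]

class Peer:
    def __init__(self, secret: bytes):
        self.secret, self.id, self.known_keys = secret, key_id(secret), {}
        self.db = sqlite3.connect(":memory:")   # the local data store; a flat file in practice
        self.db.executescript(
            "CREATE TABLE gossip(src TEXT, about TEXT, tmpl TEXT, vals TEXT, PRIMARY KEY(src, about, tmpl));"
            "CREATE TABLE credibility(src TEXT PRIMARY KEY, confirmed INT DEFAULT 0, wrong INT DEFAULT 0);")

    def make_gossip(self, about: str, template: tuple, ratings: dict) -> dict:
        # Wire form is the compressed list: one int per template slot (+1 good, -1 bad, 0 don't care).
        body = {"from": self.id, "about": about, "tmpl": template_sig(template),
                "vals": [ratings.get(a, 0) for a in template]}
        return dict(body, sig=sign(self.secret, body))

    def accept_gossip(self, rec: dict, template: tuple) -> bool:
        # Store a record only if the claimed author's key verifies it and the templates agree.
        key = self.known_keys.get(rec["from"])
        if key is None or rec["tmpl"] != template_sig(template):
            return False
        body = {k: v for k, v in rec.items() if k != "sig"}
        if not hmac.compare_digest(sign(key, body), rec["sig"]):
            return False   # forged or tampered: someone masquerading as rec["from"]
        self.db.execute("INSERT OR REPLACE INTO gossip VALUES (?,?,?,?)",
                        (rec["from"], rec["about"], rec["tmpl"], json.dumps(rec["vals"])))
        self.db.execute("INSERT OR IGNORE INTO credibility(src) VALUES (?)", (rec["from"],))
        return True

    def confirm(self, src: str, was_right: bool) -> None:
        # First-hand experience later raises or lowers the gossiper's credibility.
        col = "confirmed" if was_right else "wrong"   # one of two literals, never user input
        self.db.execute("UPDATE credibility SET %s = %s + 1 WHERE src = ?" % (col, col), (src,))

    def flooders(self) -> set:
        # Automatic choke: far more fan-out than the median source looks suspicious.
        rows = self.db.execute("SELECT src, COUNT(DISTINCT about) FROM gossip GROUP BY src").fetchall()
        med = statistics.median([n for _, n in rows] or [0])
        return {s for s, n in rows if n >= FLOOD_MIN and n > FLOOD_FACTOR * med}

    def weight(self, src: str) -> float:
        c, w = self.db.execute("SELECT confirmed, wrong FROM credibility WHERE src = ?", (src,)).fetchone() or (0, 0)
        trust = (1 + c) / (1 + c + w + SLOW_START)   # slow start: a stranger counts for little
        return trust * (0.1 if src in self.flooders() else 1.0)

    def reputation(self, about: str, template: tuple) -> dict:
        # Credibility-weighted average of what known sources say, decoded back through the template.
        rows = self.db.execute("SELECT src, vals FROM gossip WHERE about = ? AND tmpl = ?",
                               (about, template_sig(template))).fetchall()
        weights, acc = {src: self.weight(src) for src, _ in rows}, [0.0] * len(template)
        for src, vals in rows:
            acc = [a + weights[src] * v for a, v in zip(acc, json.loads(vals))]
        total = sum(weights.values())
        return {attr: round(a / total, 2) for attr, a in zip(template, acc)} if total else {}

def demo() -> dict:
    # Constructed scenario (sample data, not real peers): three honest sources, a flooder, an impersonator.
    me = Peer(b"me")
    alice, bob, carol, flood, mallory = (Peer(s) for s in (b"alice", b"bob", b"carol", b"flood", b"mallory"))
    for p in (alice, bob, carol, flood):
        me.known_keys[p.id] = p.secret            # keys learned out of band, PGP-style; mallory's is not
    for p, r in ((alice, {"secure": 1, "fast": 1}), (bob, {"secure": 1, "easy-to-configure": -1}),
                 (carol, {"secure": 1})):
        me.accept_gossip(p.make_gossip("postfix", MAIL, r), MAIL)
    me.accept_gossip(flood.make_gossip("postfix", MAIL, {"secure": -1, "easy-to-configure": -1, "fast": -1}), MAIL)
    for n in range(39):                           # sudden 40-entity fan-out: looks like a flood
        me.accept_gossip(flood.make_gossip("junk-%d" % n, MAIL, {"secure": -1}), MAIL)
    body = {"from": alice.id, "about": "postfix", "tmpl": template_sig(MAIL), "vals": [-1, -1, -1]}
    forged = dict(body, sig=sign(mallory.secret, body))               # mallory claims to be alice
    out = {"forged_rejected": not me.accept_gossip(forged, MAIL),
           "wrong_template_rejected": not me.accept_gossip(alice.make_gossip("x", MAIL, {}), ("a", "b")),
           "flooder_flagged": flood.id in me.flooders(),
           "alice_weight_before": me.weight(alice.id),
           "rep_before": me.reputation("postfix", MAIL)}
    for _ in range(8):                            # eight first-hand confirmations of alice's gossip
        me.confirm(alice.id, True)
    out.update(alice_weight_after=me.weight(alice.id), rep_after=me.reputation("postfix", MAIL))
    return out
```

Calling `demo()` shows the three mechanisms together: the record signed with mallory's key but claiming alice's id is dropped, the 40-entity flooder is flagged and its weight cut to a tenth, and alice's eight confirmations move her weight from 0.2 to 9/13, which pulls the aggregate "fast" rating for postfix up with it. The flood threshold here is only a heuristic; the proof that a certification-based choke actually bounds the damage is the Levien paper the speaker points to.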