 So who am I, who the hell am I? Who is this weird guy? So I am DEF CON's official cryptographer and puzzle master. I created the hardware hacking village. I've been doing puzzles, mystery challenge, that kind of thing for many, many years. 1057 is a derivative of the term lost boy, which was boiled down to lost and then to 1057, which is in fact a palindrome in binary. And consequently was the solution to the very first mystery challenge. So that's who I am. So this is my lovely wife who is up in the front row here. And the reason I put her on here is she is a very much behind the scenes person. She is very much involved in the cryptography and art of DEF CON as well, but doesn't like any accolades. So I put her picture up there. And yes, that is a doctor who suit on the left and Amy pond cosplaying on the right. So who the hell are you? I already had you raise your hands. First DEF CON. So how many of you have been wanting to come to DEF CON and you finally just say, you know what, to hell with this, I'm going to go to Las Vegas in the summer time with a bunch of sweaty people who don't shower and rub elbows with people in a hotel. I probably wouldn't have stayed out otherwise. I'm not a Vegas person myself. So for 101, which is what this is, the 101 track, it's generally for noobs. Not necessarily to any particular subject area, but to DEF CON. So this is not going to be a giant enlightening talk for those who are technically savvy. What this is generally when I give a presentation at 101, it's kind of my ranting through from things that happen throughout the year. I often share what type of research I've been doing throughout the year, how I come up with some of the craziness that I do with the puzzle challenges. How many of you have noticed, by the way, there are a few odd things about the record around your neck? Yeah? Okay. You can make noise, by the way. I like it when you guys make noise. Thank you. And I was talking with somebody earlier about you can tell the generation of somebody by how they hold a record. Like, this equals like born circa 1980s and earlier, this equals born 90s and later, by the way, they hold the record. Oh, and by the way, those clips, we put the 3D printer file on the conference CD, so you already have that. So if you wanted to print a clip to there. So the reason I put this slide on here is this, for those of you, how many of you know who Matt Blazes? Okay, if you're in this community, you don't know who Matt Blazes is looking at. He's one of my heroes. But anyway, he was in my hotel room the other night and we were having a discussion about when he was speaking. I think it was an RSA. He hates giving slides because he thinks they distract from what the talk should be. So I don't want to insult everyone's intelligence and read slides. So these are basically general guidelines for me to guide me through talking with you guys. But I want this to be more of a discussion. I want you to yell stuff out. I want you to question things. I want you to ask questions. I want to talk about what you want to hear about. That's what 101 is for. So don't be shy. My daughter says don't be shy. So a quick shout out to the tribe 949303 APG and a couple others. I've got to give props for props or do. Everyone should do that. And disclaimers. What I won't do. I'm not going to sit up here and read slides to you. I will not advocate criminal activity and there's an asterisk for a reason. You can determine what that good. You can probably figure out what that asterisk is for later. So how many of you noticed a certain folder on my desktop when I came in here? How many of you want me to open that folder? For real. Let's take a vote. How many want to see that folder open that was on my desktop? What's it called? What was the folder? All right. You asked for it. Remember you asked for this. Oh. Oh. Dang. How many of you noticed the weird ass name of this talk? How many of you are now going to take another look at the weird ass name of this talk? How many of you are going to now look at the weird ass name of this talk and read just the first letter of each word that's there? Now, I have a bit of a confession. If you came to hear what that talk was, first of all, you're full of crap because it's a bullshit title that was made up. So get over yourself. We have too many people that are being pompous and arrogant in the security community. You need to get over yourself. Be approachable because we have to band together. I made a waste in our comment earlier. How many of you know what waste in our is when I talk about that? Okay. Every person in this room should know what waste in our is especially if you're from the United States. Go look it up. So what, look it up. Basically it's talking about legislating what types of security research are legal and not legal. So that's what I talk about banding together. So the big joke, haha, everyone came to DEF CON this year. Now you all have a record. So, haha, I see what you did there. So back to the name of the talk. So I never tidal this talk. The person who put one-on-one together is a hacker who calls himself high whiz. If you see him at the conference shake his hand and thank him for putting this together. He started it a while ago and it was always just a bunch of us giving like impromptu talks the Thursday before CON actually officially starts because usually reg takes a lot longer. How many of you have been through the hellacious red line? Not this year but in years past that took like hours and hours. How many have had a red line that took longer than four hours? Five hours? Six hours? Seven hours? So some people have had the red line literally take seven hours in the past. So how was it this year? Good? So we added a whole bunch of reg folks and tried to create a giant mouse trap maze for you guys to make the reg go smoother. I hope it did. Same thing with the swag, right? Shag was okay? Or was it awful? Tell the truth. Better than last year. So anyway, for those of you who are familiar with the contests and puzzles that I do, there are teams working already on the crypto challenge and some of the people that come to DEFCON come solely to compete in those challenges and it takes up their entire con time. It takes me as much time as they invest. It takes me almost an entire year to put everything together that I do. So I'm always really busy. So when highway decided he was going to do DEFCON 101, he would always bug me for slides and a talk title. And I kept putting him off and putting him off because I was busy doing other stuff like crypto for the badge, for the lanyards and everything else. And so he would start making a talk title. So that title for this time is also now kind of a tradition. Highways came up with that. And so that was kind of Rick Rowling, both me and you guys. So I'm the brunt of that joke as well as you guys. So anyway, this is, how many of you seen Spinal Tap? I mean, get the reference when I say we're going to have a free form jazz, turn it up to 11. So there's a scene in Spinal Tap where they lose one of the guys and they go up and they're like, what the hell are we going to talk about? And so their default fallback is the jazz odyssey because you can kind of bullshit your way through that. That's kind of what this 101 talk is. No, I'm kidding. Not really. The point being, I want to talk about what you guys want to talk about. That's why I'm encouraging you to make more noise and trying to loosen you up. Especially if this is your first DEFCON. DEFCON is not like other conferences you've been to. I would encourage you when you go to presentations, if somebody is saying something that doesn't sound right to you, challenge the speaker. Challenge me. Love it. I love to have intellectual discussion. That's how we're going to get better with the stuff that we're doing. But that's the whole point of a conference like this. So don't go sit in and hear some guy give what is basically a vendor's speech. We try to make sure that that doesn't happen every now and then something slips through. But challenge people, if something is bullshit, raise your hand and say that is bullshit and call them on it. That's how we're going to get better. I've done it. I did it. How many of you seen my 101 spiel before? Be honest. So I apologize for the parts that I'm going to repeat and there's a reason I'm repeating them which I will talk about in a second. So one of my pet peeves is because of all of the puzzles and crypto and mysterious things that I do, I'm often accused of thinking outside the box. Most of the time when I talk to reporters and other people, they're like, oh, you're creative. So you think outside the box. It's one of my greatest pet peeves right now that people bring up thinking outside the box because of where the term comes from. How many of you know where the term thinking outside the box comes from? It comes from this nine dot problem. You've all heard the nine dot problem. Connect all the dots. Don't lift your pen from the paper. Oh, and by the way, if this is not your cup of tea for this presentation, feel free to leave. And I will not be offended for real. So like if you're like, this guy is just going to get up here and rant, I will talk about some technical issues but it is 101. So it is what it is. If you want to leave and go to somewhere else, go ahead like some people just did. So the nine dot problem, you're often presented with, connect all the dots as few lines as possible. Can't lift the pen from the paper or you have a limit, et cetera, et cetera. And of course everyone knows the standard solutions are, you have to extend the lines past the distance of the mentally imposed box. And the douchebag presenter who's usually some trainer guy like Tony Robbins or something, will often come down and act very self-grandizing like, haha, I will now bestow upon you knowledge that will help you become magically creative. And especially with us being hackers who are trying to come up with interesting solutions to problems, people often think, oh, as a hacker you have to think outside the box because you have to come up with some creative method to solve a problem or abuse a system that somebody else hasn't thought of. And there's actually been a study and by the way there's another solution. So there's an unexamined assumption that basically says all I have to do to make people solve that nine dot problem is tell them that they are mentally constraining themselves by drawing within the constraints of that imaginary box. And there's actually been studies that have shown that that's not true. There have been studies that have found that even with telling people ahead of time, you cannot, you have to draw outside of this imposed space in order to solve this problem. The same percentage of people still could not solve that particular puzzle. And so the ones that could do it could do it anyway and the ones that couldn't, it didn't help. The only thing that they found that helped was quote unquote study of the problem. Now the reason I bring this up is we've got a young generation. How many of you guys are in high school right now? Anyone? How many of you are in college? College students. How many of you have refreshed out of school that are here? How many of you are looking for jobs? No, I'm serious. It's a great place to get recruited. How many out there are looking to hire somebody? Wow. So let's do that one more time. How many looking for jobs? Raise your hands. The other people look around. How many are looking to hire someone? Did everybody see that? Okay. Just trying to help. You're welcome. Thank you. So the reason I bring that up is we have a generation of want to be hackers that don't want to do the intellectual work or exercise to get good in a problem space. They want it to come very easily. The ah-ha epiphanal moments will come through not thinking outside the box, but through a deep fundamental knowledge of the problem space that you're working in, exposure to. And the reason I bring that up is I used to teach at a university and I would have students that would come up and ask me does it such and such work or how do I do such and such. And I would always ask them first, have you tried what you're asking me? Have you tested it? And I'm afraid that we're getting a generation of students coming out and hackers, whether you've been in school or not, that don't tinker anymore. And look at the ways in our thing. We're going to make things illegal so you can't study those things. And we're going to put constraints on people that if you do the stuff that I used to do as a kid, exploring all these different systems, you're going to go to jail, you're going to get arrested, you're not going to be able to get a job. And so we're terrifying this younger, we're scaring this younger generation to where they're not tinkering anymore. So we have to break that or we're not going to have those epiphanial moments or we're not going to have the genius breakthrough things that are going to help us move forward and make the world better. And I have a brand new baby daughter who's in the front row right now who I want to have a better world and I want her to have a safe and free internet. I want her to be able to do and explore like I used to and not go to jail for it, not get a record for it. But anyway, that's my soapbox for that. Thoughts? Bullshit, would you agree with me? You argue with me? Yeah. That's a very good point. And the puzzles that I make, by the way, you'll see the word mystery used a lot in the stuff that I do. I have to Google proof everything that I do. Because what's going to happen the first time somebody gets a piece of information for something that I'm doing, they're going to throw it in Google, whether it's image search or whatever. And I have to insulate my stuff against that. But you are correct. That goes back to the instant gratification and getting that knowledge means you don't do that leg work that gives you that base foundation, that gives you the ability to have those epiphanal moments to have these great breakthroughs so you can say, aha, and invent the next great thing. I agree completely. When I did the very first mystery challenge, I was afraid there is no more magic in the world. And literally magic like Siegfried and Roy or Penn and Teller because as a kid, when I would see magic tricks, I used to enjoy trying to figure out how they were done. Now a kid sees a magic trick, he goes to Google and I guarantee you there's either a subreddit or somebody who has exposed how a particular trick is done. And so the magic is ruined because they have instant gratification of a solution to thinking about that problem space. So that's why I do the stuff that I do. How many of you have looked at the code on your land you're already? Yeah? So that code is deliberately deceptive. It looks very simple and it looks like hey it might be this and it might even have a red herring path that will take you down that direction. But I will tell you it is not simple. I will also tell you that everything else that I do that you see in my puzzles and my challenges require you to talk to other people. They require you to have communication with others. Because if you look at where a lot of our great tech came from, it came from places like Bell Labs which doesn't exist anymore. How many of you know what I mean when I sell it? So because of the way the financial world works these days and corporations work, we don't have something great like Bell Labs. It's not like we used to. Because nobody wants to foot the bill for it. So in places like Bell Labs, you had a giant group of people that had a depth of knowledge in different subject areas but they all had direct access to each other very quickly. You have that because of Bell Labs. Now if we don't have a Bell Labs anymore, where is the next great thing to do? You don't even know what a freaking object is. How are you going to use a language that everything is an object? I totally disagree with that way of teaching things. And then you have to think to yourself, well, then why do we start with Java? Because we're trying to spit out clones that can go work at some meat factory as far as coding is concerned to spit out code for some giant conglomeration. And you're not going to get innovation that way. It's not going to happen. Talk to me. Talk to me. I don't know that I agree conceptually, but it's a good point. And by the way, I don't know if you were intentionally making fun of the Bucker-Banzai reference, we're talking about solids. Anyway, sorry. Everything I do is deliberate. I love the way you're thinking. I would love to have a discussion with you about that. Go ahead. If I could interrupt on one point. I was in a school where Java was my first language that I was taught. And a deep... He said that we have an intuitive understanding of objects. That is bullshit. Yeah. That is bullshit. I grew up with computers since I was in elementary school. And I was doing random stuff. Deep understanding of objects when I took Java in school coming out of high school, I was a group of people all about the same type of nerd as me. Our minds were melted by what objects were when we had been scripting our entire high school career. And it took about five weeks of doing these labs and everything for us to finally have that epiphany of objects. Even though we knew all the scripting languages. Thank you for that comment. Sounds like we need to get together I want to continue the conversation. And by the way, people that say stuff like that and they're full of crap, I really mean it. Come over and talk to me. Everybody turn and say hi to Russ. Russ is the guy in the black hat right here. Russ is actually in charge of DEF CON operations. He's the one you can throw things at when things don't go right. That's probably not a good thing to ask me because of what my background is. I have mixed feelings. Or assembly. So if you take for example a deep understanding, in fact I'm going to talk about that in a minute, those of you who've been to my one-on-one talks you'll know. I do kind of a little list of skills that I think everyone that is considering themselves a hacker, a basic list of reference skills that everyone should have. And you would be amazed at some people who are freaking elite coders in certain things that don't have a background. But in fact when I get to that point I'll explain to you why I think assembly is important. It has to do with abstraction because ultimately what are you doing? You're communicating either with a compiler or with a piece of hardware processor. And if you don't understand what's going on under the hood you're not going to code in certain ways. And I believe that if you teach people how that engine actually works. Maybe not to the nitty gritty to where they're going to go be a designer and make a freaking processor from that. How many people today go in and sit down at their computer and don't have that fundamental knot? Not at the deep level but just a general explanation. Like could you explain to a four-year-old or a five-year-old in general terms how that abstraction works? I have literally a wire and a cutter and a hat. And I can make that a knot gate or turn it off a switch. Because everyone goes oh I know that computers use binary. They use ones and zeros. How many of you all heard people that say I must be very educated because I know computers use binary. And I go okay what does that mean? And they don't understand fundamentally what it means. They're just regurgitating. But anyway back to what I was good at and I like this. So at this point I was going to talk a little bit about the life of the DAT file as far as AV is concerned. Yay or nay? Thumbs up, thumbs down. Nay? I got no. And I comment. Just shout it out. Sure. And I can also play devil's advocate and say because I have instant gratification to knowledge I'm going to learn quicker and grow faster. And to a point that is true. For example but what you need to do is you need to learn to use the tool properly. And we as hackers need to learn to use those tools in such a way that still give the benefit of the deep knowledge and understanding but still take advantage of the fact that it's for example I study a lot of foreign languages. Looking things up in a Chinese dictionary is more time consuming than me taking my finger and drawing it out or using text identification but I can still use the tool in a way that doesn't shortcut that process where I have just no understanding. It's just a black box function which goes back to the discussion of Java and objects which is the whole point of object oriented programming in the first place is to abstract. Right? Right. Anyway, so you guys don't want to hear about DAT files. That's full. So let's slip past those. Basically I was going to talk about how DAT files are created. Sorry. Maybe a little more if you're there. So I'll talk a little bit about what I was interested in. Ryan's really funny. So some of the things I'm interested in. I'm interested in classifications of things in the language study. By the way, my personal technical philosophy is that all forms of tech are learning communication. Whether I'm learning to speak in language to another person or speak to a processor or speak to a compiler and learning that syntax, I believe mathematics is the language of science and physics. So I'm all about going to the root of whatever that subject area is and if you're going to learn the romance language, have some knowledge of Latin, for example. But anyway, we don't want to talk about that. So, yeah. I'm pausing just long enough for you to read the slides. For the few that we're interested in hearing about how to break AV engines. So, Chipsack, how many of you know what movie this picture is from? Barry Gordy's Last Dragon. So in that movie, he's trying to seek out this magical power called the glow. And it's kind of like Dorothy Slippers. You've had it all the time, Dorothy. I have been preaching to the hacker community, you all need to learn and play with a tool called Chipsack. And now I have surreptitiously given it to all of you because it is on the conference CD for DEF CON this year. So you're welcome. I saved you the trouble of going to go download it. Go play with it. If you don't know what it is, how many of you know what it is? So Chipsack is basically a framework. And by the way, the authors of this are here at DEF CON. And everyone always asks me, in my opinion, who should I go hear talk? If you want to have your mind blown, go see Yuri's talk. And I can't remember what the title of this talk is. Look through the program, you'll find it. He's genius. Complete genius. He's the one who created Chipsack. Go read about what that is. And the reason I bring this up is that it's not just about communication, whether to fix it or to break it. If you look at the evolution of how we are doing attacks and intrusions and red team pentesting and everything else, we are slowly moving down a step, right? First we were using stuff in the software. Then we were going down to OS, the network. Now we're kind of getting a little lower. Now you're starting to hear about biases and you're starting to hear about stuff. And so we are constantly moving that shift is happening. And Chipsack takes you a little bit lower to processors. And the reason it's very much applicable, especially this day and age, is it's also applicable against hypervisors. I mean, you know what a hypervisor is. This is 101. I'm not trying to insult you all by asking stupid questions. I really, like for example, a lot of people didn't know what that was. So in dealing with virtualization, you have this thing. This is the cliff notes. Again, take it for what it's worth. I'm summarizing. I'm oversimplifying, going back to that deep knowledge. The hypervisor is basically the underlying piece that allows you to get a little bit deeper. And so because a lot of our systems now are virtualized in data centers and on cloud and everything else, learning how to attack hypervisor and getting down lower in the stack is more important. So anyway, that's why Chipsack is on your CD. By the way, the purpose for me up here for 101 in my mind is to throw nuggets of information into your brains that you may not have thought of or heard of that give you a starting point to start going down the rabbit hole on your own. I have stuff to start tomorrow. So I'm going to give you all the quick basics that are a pet peeve of mine. Now I was thinking about taking this out of the talk this year because I put these in my 101 talk last year. The reason I left them in is I still to this day am having interactions with people. I go to a lot of security conferences and I try and talk with people in some of the weird ass solutions that I come up with things or the things that I think about people are lacking even though they may be a genius or brilliant in a particular area. So these are kind of like tick pet peeve of mine that if you consider yourself a computer person or a hacker I think you should know these things. It's really fundamental stuff. Here we go. And there's my fry. How am I doing on time by the way? I have no idea. Anyone? 328 what are we supposed to go to for? We're going nice. So I talked earlier. Binary everybody hold up your right hand. We're going to count together in binary. If you don't know how to count in binary I'm going to cry because you're at DEF CON. One, two, three, four. Okay. You've all flipped me off at DEF CON. Literally if you can't do a binary count on your fingers go home and learn how to do that. If you can't do it and do 0000 to 1111 and write it out in the series and I mean quickly like then go home and learn how to do that. You need to do that. Especially if you're going to do reversing or you're going to do certain types of root kiss or hacking it's going to help you. Like I said for binary math same thing. And I talk with people who are way above my level on a lot of subjects who can't do simple things. It's amazing. Same thing with hex. How many of you have a general understanding of why we use hex? Tell the truth. Don't lie. How many of you have no fucking clue why we use hex? Tell the truth. Okay. So a lot more than I thought. Basically for the few that raise their hands it boils down to the fact that we don't want to waste space in the memory that we have and ultimately our systems are a discussion. If you don't those of you that were embarrassed and shy and didn't want to admit that you don't know fundamentally why do we use a hex representation now go look it up so that next time you don't lie. So interesting side tangent what would be the largest digit in Bart Simpson's phone number? I've asked this before. Who knows? What's the largest digit possible in Bart Simpson's phone number? Why? How many fingers does Simpson characters have? So what do they count in? October. October, they say, right? What number base do you think a pirate would count in? Heximal. Radius 6. Why? Five fingers and a hook. Right? So we actually created a thing called the pirate radix because you know what the term radix means it's just referring to the number base. Which is also called heximal not hexadecimal. But anyway, that's nerd speak for later. Things I think you should know about, there's a list for you. If you don't at least know what these things are, I would suggest you look them up. Especially if you're going to come and have a conversation here with people at DEF CON. And by the way I totally encourage you to approach the speakers at DEF CON. I say this every year if you approach somebody at DEF CON and they are too high and mighty to talk to you then they're a douchebag and I don't want them here anyway. Thank you. And I don't care who you are because everybody started somewhere and built themselves up. And we have too many people in this community now who are becoming InfoSec rock stars that think they are too cool for school to talk to people. And that's got to stop. Because we need to band together. We got enough problems with people trying to cram back doors into our crypto systems and all kinds of other discussions and fighting are too elite to talk to everyone else. It's really going to destroy the community and I really love the hacker committee. I donate tons of my own time and money to make DEF CON happen every year. So another group of the things that I think that we should talk about or you should at least know about. By the way, going back to my discussion on tinkering. If you do not know how to set up a VM and experiment with stuff that would otherwise fail for doing in the real world, learn. It's not a matter of finance because there are a number of free solutions. VM where player is free. People are now giving out VMs of stuff. You can also get virtual box and there's all kinds of visual, there's all kinds of stuff out there that allows you to set up a system and attack it. To hack it. To throw metasploited things. To try and fuzz things. And I'm trying to get the tinkers back into the community. And one of the ways I'm going to jail these days is through virtualization. Which also goes back to the hypervisor discussion. Any comments on the list so far? Come on, you guys are smart. Can I go back one? Right there? So I don't generally ever give my slides out. This is also the first time that I've allowed my 101 to be recorded. I usually don't let my talks get recorded because I think they go stale. It's not enjoyable at the same time and I know that I hate when I go find a talk and watch it and then realize it's like six years old and I wasted my time. That's why I generally don't like my stuff to be recorded. But I will make these slides available on the Lost Boy website after DEF CON. I didn't do it before I left, but if you don't get notes, they'll be available. And if I forget to do that, send me e-mail. You said you put those slides up and I'll put them up. We good here? Can I make a comment about tinkering as far as hardware is concerned? The bottom one. How many of you know what Digi-Key is? How many of you know about the sad demise of Radio Shack? Breaks my heart. How many of you remember Forrest Mem's Green Book from Radio Shack that was printed on graph paper that was handwritten? How many of you that book changed your life as a kid? So, it hurt my soul when Radio Shack first of all turned into a place that only sold cell phones. Why? Because that was the place you went to buy components, electrical components to experiment with stuff. So these days we have some giant Walmart-esque parts suppliers and that's all we have left. Digi-Key is one of them. I would suggest, even if you have no interest in hardware, just as a passing fancy to keep these companies and request their catalogs and I say this about Digi-Key because those of you who have it know that it's comically large. It is larger than most phone books and I will tell you what it's good for. Even if you don't have any interest in using it, it's great for when you're drilling through things and you need something underneath. But go and you know what? One of the things that I do that helps me come up with the stupid crap that I do in the challenges, by the way I have to stay ahead of all you guys that are way smarter than I am every single year. I can't repeat myself. I have to do stuff that's Google proof. I have to do stuff that's fun and interesting for freaking brilliant people like you guys and I have to do it so that it's solvable within a finite amount of time. It's a very difficult problem space but the way I do that is every year I try and find new things that I had no interest in and said I'm just going to learn a little bit about this. Like getting a subscription to a magazine and no hardware background at all. It's free. Go get the Digi-Key catalog and put it in your bathroom and we're taking a dump thumb through the Digi-Key catalog. You'll learn about some crazy stuff that's out there. Yeah, comment, yell it loud. Yeah, excellent. So this goes a little deeper into the secret that how many of you know who Lady Aida is? Lady Aida. So she puts out a list of places you can get free samples from. The hardware people is that you can get free crap all the time and the way you do it is you say I'm going to make something and I'm going to make 50,000 units of it and if you really have to social engineer you go make a fake Gmail account that sounds like somebody legit and most chip and part manufacturers will send you what they call engineering samples for free. They will even pay shipping. They'll often time put a T-shirt in there with it too and you can get all kinds of free crap for real. A tinkering thing especially if you're a student and you don't have the money to do this stuff get on some of these lists and figure out and by the way it's not even just parts anymore there's people that make enclosures, plastic enclosures for things I have scripts that I run where I get free stuff every so often I figured out what the window of abuse is for certain places. So and don't get greedy usually five is about the max of anything you can request like if you go to Maximum and request one of their chips like but you'll learn that kind of stuff but it's kind of fun to get free stuff that you don't pay for including the shipping it's really easy to do and the reason I brought Lady Aida but she keeps a list of that stuff so you can look up hers. Okay we need to continue moving along how we doing you guys bored tell the truth am I talking too fast you have comments this guy crazy what louder is this better okay so here's another fun way of doing an exercise regardless of what field you're in pick an illegal activity and try and find a legal way of doing that activity you will be amazed at the stuff you will learn I'm not kidding so how many of you know what this Simon gift card is you've seen these how many of you read Brian Krebs book by the way Spam nation I think was his one that just came out right where he talks about the Russian hackers and everything else so Krebs in that book talks about something that a lot of us know about if you're trying to procure infrastructure or things and not have it traced back to you and by the way I'm not going to have the philosophical debate with you guys in here about why I should have the right to privacy if you're at this conference and don't believe that you have a right to privacy and if I hear the argument I'm not doing anything illegal I have nothing to hide well when you have sex with your wife that's not illegal do you want somebody watching you do that do you want somebody watching you take a dump in the bathroom it has to stop somewhere so I'm not going to have the argument with you that I should have to justify to you why I should be able to have privacy so the discussion we're going to have right here is a little bit of some of the stuff that I've done in just the past year in trying to find legal ways and there's a reason that I'm doing this if you want to hear more about it come talk to me in the room I tried to find legal ways of doing illegal activities and it's a really interesting study and so I found there are certain magical gift cards that you can get at certain places that are the type that you can go online and register an address for when you purchase them the reason that's interesting and necessary is if you're going to buy things online with a credit card there are many systems in place that check address of the registration of a card and many just generic gift cards that you buy will get flagged by MaxMind and a lot of those systems and get dumped and you can't use them to buy things for certain things like VPN access or VMs you can't use them but certain ones you can like the Simon gift cards I'm going to use the hell out of it until they go away because I'm sure they eventually will but what these allow is you buy that card with cash and then you go online and you register an address for that card and that address could be anything you want it can be a completely fabricated address I will tell you a little hint though certain sites will actually look at the geolocation of the IP that you come from when you do it and it needs to match what the card is you just can find a VPN point in the particular state or wherever that matches with what you registered for the card it's easy to do some of the fun I found with this is can you all see that it's too small how many of you see the charge on December 9th, 2014 yeah that was me playing with the illegal stuff and somebody tried to charge a million dollars to that card and that's funny the part I thought was the most funny about it was that if you look it's listed as a recurring installment so I was like wait a second these guys are completely off their rocker until they did it again and again so if you look I have two charges on 12.9 for restricted country and see this is the stuff you learn when you study this kind of stuff and one is a recurring installment and three charges for a million dollars to that credit card which had like 200 dollars actually shows no that one had 100 if you look at the value load on that so anyway I just thought that was fun you guys might find that fun and interesting so become a hacker don't get caught up in the stupid media definition of what a hacker is and by the way is there anyone in the room that's pressed confess your sins honestly anyone in this room right now how many of you have a yellow badge so for those who are new to DEF CON we have very special press policies for a particular reason we try to be hacker and anonymity friendly and so anyone you see with a big freaking yellow disc on around their neck is pressed and by the way if you get a chance ask one of them to turn it around if you've seen the back of it so the back of the press badge this year is a guy like this I said it I wasn't in here so I didn't hear but they usually do take this for what it's worth the press is not your friend okay they really aren't I've seen a lot of friends get burned I've been burned there are very few people in the media that I trust there are a lot of them that are coming here because they want to get a shock piece they want to get a sound blurb they want to get a bite that they can throw up on a web page or put something on the news they're coming to get me because fear sells so be careful what you say to anyone that's in the press and just be aware of the fact that you will be misquoted stuff and so that's the end of my rant for that but anyway take it for what it's worth what do you guys think about that think full crap tell us through so that's the end of my little notes there I am happy to answer questions about any and everything that you guys have for however much time we have left can you use the mic so people can hear do you stick a hubcap on us this year so for those of you new to DEF CON we do a tick talk cycle where we do an electronic badge every other year when Joe Granth was doing the original electronic badge designs we were one of the first conferences doing electronic badges there are a few others now every flippin hacker conference you go to on the face of the planet as an electronic badge it's become passe at this point take it for what it's worth I am a hardware guy and I love some of the badges from some of the other conferences but we always try and do something new and different and fun and so this is a non-electronic year and I was trying to come up with something interesting and it was actually my wife's idea to do the record not that I'm trying to throw the hate at her but this is actually not the largest badge we've ever had she's a lot smarter than he is yes she is my wife is way smarter than I am so these are I had to go seven inch I couldn't do a five inch because nobody makes records anymore it took a lot of work to find someone who could handle and by the way and I'll tell you guys here because I'm going to talk more in detail about the badges so I'm going to talk more in detail tomorrow about the badges but I will tell you that we printed roughly half as many LP records as Taylor Swift has put out in her entire career I will also tell you that the vinyl that's in these when they all came here weighed over two tons that's how many people are going to be at DEF CON this year any other questions oh oh I almost forgot thank you for reminding me so if those of you that follow me on Twitter will know that I recently was got a tweet back from William Shatner any William Shatner fans I'm a fan can you fake it if you're not because it makes me feel better any Star Trek fans in the audience okay so I'm going to stick with our own policy I'm going to ask permission for something I would like to take a selfie with all of you in the background per request of William Shatner doing the Spock sign to live long and prosper now what I will say is if you would not do not want your face in this for whatever and keep in mind the resolutions will be crap anyway please cover your face but I'm giving you enough warning because I do respect our press policy so I'm going to hold my phone up if you could all do the Spock thing and then I'm going to send that to William Shatner so can you hold that it has to be a selfie alright you guys ready three two one we'll do one more three two one by the way if anybody wants that I'll put it thank you thank you and consequently I think that it's actually for charity that he's doing that for and if anybody wants a copy that picture I'll put it up on the lostboy.net website as well so I hope you guys have a great con we put a lot of work into this by the way if you have a bad experience or something is wrong we want to hear about it we do try and fix it we do care everybody that's here is volunteer I'm volunteer I don't get paid to do this I spend a lot of my own personal money doing the crazy stuff that I do so please enjoy yourself it's for you we're trying to help build the community comment or question just one question man who is the speaker you said who is talking I think is how you pronounce his last name he's Russian thank you and he's brilliant other questions comments boring waste of time tell the truth what do you want to hear in a 101 talk 3 minutes anything you would not want to hear next year tomorrow is where all the technical stuff starts no nothing else you want to yell at me did I waste your time I'm asking a real question and I'm serious about that when I ask that so I'll give you a little teaser for tomorrow I'm going to explain in detail this year's uber badge if you win first place in a competition at DEF CON you receive a black slash uber badge it is free entrance to DEF CON for the rest of your life but more than that it's status in the community it's resume building I know people that will hire you on the spot if you have a DEF CON black badge this year there are six radio active isotopes on this badge I'm going to talk about what those are and how these came to be built and so that's tomorrow's talk