And I'd like to welcome everyone to the second annual DEF CON comedy jam. Anyone who was here last year may recall that basically this was two hours of assorted fail within the industry. This is your opportunity to snark or be snarked, as the case may be. I have an esteemed group of panelists up here who I'll allow to introduce themselves quickly, and then we'll dive straight into the action. Hi, I'm Robert Hansen, RSnake. I run SecTheory and ha.ckers.org and sla.ckers.org. I'm Dave Maynor. Rich Mogull. I'm Larry Pesce from PaulDotCom Security Weekly. I'm James Arlen, but you might know me better as Myrcurial. Okay, and I'm David Mortman from Emergent Chaos and from NewSchoolSecurity.com. And before we get started, I just want to comment, let you know that you should feel free to ask questions throughout the panel. You don't need to wait till the end. There's a microphone over here, or you can shout really loudly. Over the course of the panel, I'm going to be making bread up here as well. So if you ask a reasonable question, or at least a funny one, you might get lucky and get some bread thrown at you. No. That was neither a good question nor a funny one. Sorry.

Okay, so like I said, the theme of the panel is fail. And for those of you who remember last year, Chris Hoff was here and he did some wonderful bulletin for us. And unfortunately he was not able to be here because some other conference called him away instead. So our first fail is that Chris was lame and didn't show up. However, we do have, for those of you who follow him on Twitter, know that lately he's been using this whole squirrel motif. So I think it was, was it Jack Daniel? Stand up, Jack. We love you, Jack. Thank you, Jack. We've got a mascot here, a representation of Chris. It's anatomically correct. You must not know Chris. Everybody knows I know. Man crush, that's enough said.
Okay, so for those of you who have been following Twitter recently, in the last couple of weeks there's been an event coming. I think it's tomorrow night. It is tomorrow night, correct? Tomorrow night there is going to be a women of security pillow fight. And I was like, pillow fight? How do I get in? You have to pay. And there was a lot of controversy about this on Twitter. And it reminded me of a sort of long-standing rant that I've been working on, which is that we as an industry, when it comes to welcoming women to our industry, suck. And we're talking beyond fail. Now, the impressive thing is, as individuals, I have discovered that we all do a great job being very welcoming, but yet as a group we fail terribly. And in fact, I was talking with a professor at Stanford a while back, and they said, you know, the great thing about hackers is they're just like the beatniks in the 40s and the 50s and so on. They love to wear black. They love to smoke. And as a group, they think that they don't hate women.

Beer has arrived. Thank you, Martin. Beers are courtesy of Martin McKeay from the Network Security Podcast. And we're going to be getting our money back on this from the government. So thank you, Martin. After this much beer, we're going to need bailing out, dude. One curse for beer's program. So as I was saying, did anyone bring ice with them? Fail.

So as I was saying, as an industry, we really fail here, though. As individuals, we try. We could try harder. And I think we could do a lot better as an industry if we were a lot more diverse. So I'm going to take a little survey. If you are male, white, or Asian, please raise your hand. Okay, I did this backwards. I won't put your hands down. If you are a person of color who is not male, or have a vagina, please raise your hand. Okay, that's better than it was two years ago, but it's still really lousy. This conference will be a lot more fun if we're a lot more diverse.
And the industry as a whole. Dude, you just lost bread for the rest of the conference. That was lame. I mean, we're not talking fail, we're just lame. So anyway. Maybe he's a girl. Never know. We never know. But he was smirking. Anyway, so in solidarity, I think it was Nikita, or there was a shirt on Twitter, suggested that if she were to come here, she would make up shirts that said Team Vajayjay. And in solidarity with the 4% women who are here today, I will be wearing this the rest of the day. So you're going to take the same comments that women do with the "take it off, take it off." You're such a tease. And there ends my fail. Rob.

All right. Hello, everybody. Can you hear me? My voice is a little screwed up from yelling at people at the Microsoft party last night. And if I look like I'm in pain, it's because I am in pain. I don't remember doing anything. It might have been a drunken, crazy acrobatic masturbation session, but it's the wrong shoulder. So I was told that I should just stretch before I do it, and everything will be okay. So I'm just going to breeze through this, and I hope you guys find this as funny as I do. This isn't, I'm not actually as dumb as this slide deck makes me sound, but just imagine that I am for a few minutes. So what's that? I know. I know. I know.

So Firefox 3.5 had a vulnerability very recently. I'm sure a lot of you saw. And, you know, being a security guy, I wanted to go download and get the newest version. The problem with the Firefox normal update mechanism is that sometimes on my computer it doesn't work all that great, and I personally think there's tons of problems with it. So I personally just like to download the whole binary myself. So I went to a page, and I'm sorry for those in the back. Don't worry, I'll tell you what it says. I use a tool called RequestPolicy to detect where I'm going to go. So if I'm going to go to a page and it tries to redirect me to another domain, it will tell me that it's about to redirect.
So I go to download.mozilla.org slash blah, blah, blah. And it tries to redirect me to somewhere in Turkey. So I'm not going to download anything from a place that names their country after a bird. So I hit refresh. And now we're going to the Netherlands. And there's two slashes. That guy was high when he built that page. There's just no way I'm downloading it from there. How about this one? Germany. How many World Wars have they started? I'm just not going to download from there either. ZA. Was that South Africa? Is that right? Yeah. South Africa? The apartheid thing? I don't think... No. Brazil. I think they have the highest per capita incidence of leprosy in the world. That sounds a little backwards to me. But they have a cool movie named after them. Sweden. So I've hung out with the Swedes, the Hackswee guys. Is anybody here from Sweden? No? You're lying, by the way. You're all from Sweden. I know. I've hung out with these guys. And I know the Irish say they can drink, but the Swedes... Man. I just don't trust those guys. And I try... I'm like, ways... So how do you say something in Swedish, like hello or whatever? He's like... I'm like... Are you trying to tell me to say to other people, like, I love cock? He's like, oh my God, you totally speak Swedish. That's Ireland, yeah? No, Ireland? Yeah. So I've hung out in Ireland, too. Those guys, they like to drink a lot. Don't get me wrong. I still think Swedes drink more. What's that? But I just didn't get the impression that they really cared about my security while I was there. I mean, like everything was just sort of hodgepodge, like show up. Like, oh, you're a speaker, great. I'm like, I don't need a badge or anything. I can just walk in, sure. Yeah, so I don't think so. I don't think so. So Japan. I'm pretty sure... Hey Dave, how many nuclear bombs did we drop on those people? Two. Two? That's smart. Most people will say one. Aren't they pissed? Right? I'd be pissed.
Like, fuck you guys, you dropped nuclear bombs on us. I'm not downloading it from there either. CH. Hey Dave, how do you spell Czech Republic? Yeah, right. So I'm not downloading it from there, either. Romania. I think most of the auction fraud came from there. Russia. I mean, no. I mean, Canada. Well, I mean, they're pretty close to us, I guess. Celine Dion, though. Don't blame Canada. No. So said the Canada guy. That's right. It's the ass hat on the topic. So, okay. .edu. All right, so it's in the United States probably, right? Probably. So that's good, except I learned how to hack when I was in college. Didn't you guys? Right? I'm not going to download from somebody I probably hacked into. No, I'm not going to do that. ES, Spain. So the only thing is, I have never been to Spain. I don't know anything about it. But I do know that they have live animals running through the streets. Seems a little backwards to me. So, no. CZ. Which one is that one? That's Czech. Oh, I got the wrong one. What was the previous one? Switzerland. Switzerland. Oh, wow. See, I'm not going to do it either way if I don't know where it's from. That's bad, too. Like, I don't know anything about Indonesia. Are we friends? I don't even know. Are we at war? I don't know. What's that? Muslim country? I don't know. Largest. All right. Is that good or bad? Neither. Neither. All right. I don't know, so I'm not going to download it. .gov. All right, so I'm tired. .gov, whatever. Fine. They're going to screw me, but at least I know how I'm getting screwed. So I'm going to download it from them.

But here's the little problem. It's over HTTP. So that's not particularly secure. So I'm going to have to do something like get a hash. So I start by typing things into Google to try to find hashes. Google, because you guys all use Google, not because I use Google. So I type "Firefox hash" and nothing on the first page comes back. So I'm like, well, I'm an idiot. I should probably type "binary" somewhere in there.
So "Firefox binary hash", still nothing there. So someone said your search-fu is weak, and trust me, it's not that weak. But, you know, if it's not on the first couple of pages, come on. Seriously. You know, their SEO sucks. So my buddy is standing there and I'm like, so what would I type in? What do you type in? He's like, go to mozilla.org slash firefox. So we go there. And it redirects from mozilla.org slash firefox to mozilla.org slash product slash firefox, then it redirects to firefox.com. Then from firefox.com it redirects to mozilla.com slash firefox. From there, it redirects to en-US/firefox/personal.html with this crazy squid guy on it, which is not particularly useful. So I scroll down a ways and there's an "update your Firefox". And that is exactly what I'm doing. So I click on that link because I want to find this hash. And it leads me to a page that looks like it might have a hash on it, but there is no hash on it. So that's not particularly useful. So I tried the search box here. So Google doesn't know where this hash is, but surely Mozilla does. So I type "hash" in and there's two things that come back, both related to privacy policy. That's not helpful. So I click products. Products, you know, all right. So Firefox, sure. Go there. You know, you could go to the Windows section, but I feel like nerds use other operating systems and they're more likely to use hashes, all this crazy stuff. So yeah, I'm going to click on that and see what happens. Okay, there's a picture of a little penguin. So that's got to be good, right? There's going to be something around here somewhere. But it turns out there's nothing on that page of use. So I click on security because hashes are related to security, right? Right? Stands to reason. And then I get some guy on a couch saying that my security is their top priority. Okay, that's useful. So I click on community because surely the community knows where it is. And then I'm taken to this page.
It's not particularly useful. But maybe this developer center thing has it, because developers often use hashes, right? So I go to this page. And it's a whole other search box. It looks totally different. Let's try something in there. Let's try "hash". So there's a whole bunch of things that come back. Frankly, all of them are probably useful to somebody somewhere, but certainly not me. Hash tables and user hash and all kinds of stuff inside of Firefox. Particularly useful. So I'll try source code, right? Because what I'm really looking for is the source code of the page. And at the top of the page, nothing, but down a ways, there's "downloading source archives" and blah, blah, blah. So great. So I'm probably like one or two clicks away at this point, right? I just need... I need to find the source code. So down here, "download Mozilla source code". All right. I'll do that. And I go down the page. And okay, there's an FTP server. Okay. So I click on that thing and it doesn't work. For some reason, I'm on a network that doesn't allow me to do FTP, which is really lame. I think it was just a security related thing. It was kind of a hostile network anyway. So I was kind of feeling like maybe I probably shouldn't be doing any of this anyway, but with a hash, it should be okay. So it turns out... I actually thought maybe my browser was screwed up, but no, in fact, it's not. I tried from another machine on another network and in fact it did work later on. So I'm pretty sure it was just that network. So clearly I'm owned, right? That network's owned. So I type in HTTP instead of FTP and I magically end up on something that looks like an FTP site, but it's HTTP. So good enough, right? They're both insecure, so it doesn't really matter. So click on Firefox, because that's what I want to download. And that takes me to a page that has a bunch of nightly releases, Tinderbox releases probably, I would guess. I mean, I know what it is, but...
What's this dm-ftp01.mozilla.org? I'm clearly on ftp.mozilla.org. They're different. I mean, maybe they're virtual hosts on it or something, even though I'm on HTTP and it says it's FTP, but it's really dm-ftp01, so whatever. I'm probably hacked at this point, but that's okay. So here we go, right? 3.5.1, that's what I'm looking for, right? One click away, right? So here we go. But wait, what's this down here? What happened? Now I'm on www.gtlib.gatech.edu. How the hell did I end up there? I'm clearly on... What's that? Right, Dave Maynor hacked me, right? Clearly, I'm screwed. I'm actually on releases.mozilla.org, but it's probably using this crazy DNS thing, so I go there from another browser, and now I'm in Nuremberg. Right, something about trials. So... I'm probably screwed, but that's okay. Anyway, I click on the link, and it takes me to a page that says Firefox 3.5.1 is coming soon. I have it already. What are you talking about? It's coming soon. I have it. I'm just looking for the damn hash. It's coming soon, blah, blah, blah. Okay, well, maybe this particular page is just... I don't know. Maybe that mirror didn't update it or whatever. I don't know. So I go back, and I'm thinking, the 3.5 thing will give me a clue of what I should be looking for elsewhere. So I click on 3.5. Aha, aha, right? MD5, SHA-1. We don't trust MD5 anymore, because of collisions. Maybe SHA-1. Maybe they should use something better than SHA-1. I just heard this week that MD2 is also bad. Okay, good. Glad we figured that one out. But wait, what's this key thing? So we went there and kind of looked at this key. In case I wanted to email one of the administrators over at Mozilla and say, hey, what the hell? Clearly I'm man-in-the-middled, so I don't want to send him plain text because he's going to screw it up on the way back or whatever. So I want to send him an encrypted email. Except for expired. The key for the current version of Firefox has expired already.
So I can't actually email him further. There is a mess load of very trustworthy people who have signed it, none of which are actually Mozilla employees, but lotter from Czechoslovakia. So that's not helpful. Wait, is that .ch or CK? CZ. Wait, just so we understand, just talk to us about how much of a nationalist you are, right? No, I'm screwed either way. I just want to know who I'm getting screwed by. Buy me a dinner, right? And ultimately, this is all over HTTP anyway, so I can't trust any of this stuff as it is anyway. I mean, even though this is not trustworthy to begin with, it's even less trustworthy because it's HTTP. So I go onto the FTP site and I find out that the July 18th date doesn't actually match the signature date of 7/16. So it was already out of date by the time it was uploaded. So, okay, whatever. We'll deal with that later. So we're going to click on this SHA-1. Aha, hashes. That looks good, promising. You know, still the wrong version, but that's closer than ever. Maybe we can do directory traversal or whatever, end up in the other directory. So we changed 3.5 to 3.5.1 and we should find it. Aha, we're done, right? Way to go Mozilla, right? We got the hashes, right? There's one little problem here. Where the hell are we? We're doing nslookups on releases.mozilla.org. We do it against their primary name servers, none of which allow me to do that. Okay, well maybe I'm just being an idiot. So I do nslookup against some random server to figure out where it is, and it's using round-robin DNS with a thousand IP addresses. And by the way, do you think anyone has audited all of those IP addresses? Come on, really? You can't break into one of those? You're just not trying. So then I do an SOA lookup because maybe I'm just being a total moron. go.mozilla.org. So I'll do a lookup against go.mozilla.org to figure out where this releases.mozilla.org really is. Aha, except that it doesn't work. It doesn't actually allow me to do that type of lookup.
And maybe I'm being really stupid. It should be releases.go.mozilla.org. It also doesn't work. So I have no idea where I am at. And furthermore, I'm over HTTP, which means that all this stuff is useless information to begin with. And I can't do lookups against them. I mean, I'm doing this against an arbitrary name server somewhere. I mean, I'm hacked, right? So I try to change it to HTTPS because I figure if I could go from FTP to HTTP, maybe I can go from HTTP to HTTPS, right? You never know, right? Unfortunately, it doesn't work. So I do a wget against all of the different IP addresses that come back with that certain DNS request. And none of them support HTTPS. So clearly, clearly I'm hacked, right? I mean, what else are you going to do? So, that's kind of just a gigantic fail. So what ended up happening at the end of the day? I just double clicked on the damn EXE.

Well, Dave is setting up. If you're following Twitter up here, because we're that geeky, you can either address things to any of us directly or you can use the hashtag #epicfaildefcon. And we will attempt to answer your questions on the fly. And by the way, I want my five bucks. Five bucks for what? Bring it up. That was a waste of money.

All right, so I am going to talk about... I don't have nearly as many slides as RSnake does. And I feel bad about it now. I feel very unmanly about that. I feel... I'm not going to say I'm intimidated by the size of RSnake's deck. But... it's one big-ass deck. Don't be intimidated. I'll use the lube next time. By the way, did you guys know this is a comedy? You're supposed to be laughing out there, right? I think that's indicative of how funny we are. I think that means we're supposed to be funny. Yeah, I was going to say. We'll start upping our game a little bit. I do not want to shut down my computer now. That would be fail. So I'm going to rant about some things, and I did a thing I like to call fail parrot. And I wrote...
I wrote an article for Dark Reading about Iran, because I'm sure as everybody remembers, Iran had a nice democratic election not too long ago. And as everybody recalls, it turned out great. And then immediately people started... for some reason, these dissidents started twittering about a stolen election or something. I don't know. Right. Well, look, elections in the United States, government overthrows, are always kosher. I just like to say that right now. So I started seeing all this stuff on Twitter, and people started retweeting stuff that was like, in order to help bloggers or whatever in Iran, you should do this stuff to help them. You should change your location on Twitter to Iran. You should change your time zone so you look like you're in Tehran. And the theory behind this was that these government cyber goons in Iran that would be looking at the network would be so confused over who's actually in Iran and who's just in New York and pretending to be in Iran to get a girl, they won't know where you are so they can't come and beat you up. And the first time I saw that, I thought it was a joke. I'm going to be honest. I was in bed. It was 2 a.m. and my little Twitter thing went off, because I do have epic fail in my life. I answered my phone at 2 a.m. and I saw that and I was like, oh, that's so funny. I'm going to go back to bed now. And then I woke up and everybody was retweeting it. And I was like, oh no, no, this is not good. Because I could just see this guy in Iran whose job it is to track down these dissidents, who is looking for TCP connections in this country going out to Twitter, going, I wonder what all these people are talking about. I mean, there's all the bad guys right here, but all these people in New York keep wanting to be in Tehran. That's what the deal is. And I started telling people this and they were like, oh, there's no way a country can monitor all internet connections going in and out of their country.
And then immediately after that the Nokia Siemens deal was made public, and they were like, oh, so that really did nothing but help us feel better about ourselves while we did actually nothing to help Iran. And what's great is Dave Mortman, if you look at his location right now, is in Tehran. So the epic fail parrot, I came up with the idea for that because something starts as a dumb idea on something like Twitter and more people will retweet it. And it seems like the more somebody retweets an idea, the more validity it has. So I'm sure somebody can start a meme right now that's like, take off your pants and you don't get charged taxes. And if you get 50 people to retweet that, you will see Dave Mortman without pants on. If we get 50 people to retweet that, we'll take off our pants. No. No, we won't. But I'm not wearing any underwear. Neither am I. But we expected that. Right. So I thought that was funny, and if you go back and you look at the people who retweeted it, it's like, you know, supposedly like Tim O'Reilly, who were like, this is how you help the Tehran bloggers get around suppression. And I can just imagine, like, the Iranian secret police beating people up and going, oh, what are these people in America doing? I don't get it. Keep beating harder. So, you know, one of the things: before you retweet something, I mean, it might sound like a good idea, but check it out first to make sure it actually is viable.

Which brings me to my next point, the iPhone. Who here has an iPhone? Who here was worried you were about to get owned by an SMS virus worm vulnerability that was going to take over your phone, kill your kids, blow up your house, and while it was at it, give all your money to Obama? Right. Yeah, there's some people out there like, you know, all that other stuff is fine, but not Obama. You know, there's one person, I saw them right back there, like we're above 50 to 20. The virus is called Good Times, right. Good Times.
So the first thing I saw, and people started retweeting it as a fact, was that if you jailbreak your iPhone and you go in and you set the permissions on this one application called MobileSMS, you're safe. And the problem is, I mean, that sounds great, and if you don't know anything about this bug or something like that, you'll be like, all right, I'll do that. So the problem is, the way the iPhone works is there's an application called CommCenter that reads the SMS out of the baseband and puts it into a database called sms.db. MobileSMS will take it out of that database and display it for you. So the bug that we're talking about was actually in CommCenter, which means that if you stop MobileSMS from running, that's like putting on a condom when you're done. It doesn't help you at all. Right. So then the second one in this article was, I'm going to call AT&T and have them disable my SMS plan, and if I can't get SMSs, I'm safe. The problem is, an SMS plan from someone like AT&T just means that you're now in a computer that will route external messages to your phone. Your phone right now, regardless of what you do or what package you have or anything like that, is constantly receiving SMS messages from AT&T for various things like voicemail, network tuning parameters; it's constantly getting SMS messages. And the problem with this attack is they could in theory spoof the service center, which is like the master node for where the SMS messages come from. So calling AT&T and disabling your SMS plan, once again, you're slapping that condom on after you find out you have gonorrhea. It doesn't help.

So the last thing, and I like my little parrot actually, so this is a true story. This is how epic fail this panelist is. I found this picture on iStock Photo at 11 a.m. this morning, when I wrote the rest of these great slides, and I'm sure you can tell. So does anybody here have a Verizon MiFi? Right?
So there are these little black access points that, you know, you power it up and you'll connect to it, and it'll route you out over Verizon's network and whatnot. So I got mine and I looked at it, and it had an SSID of like MiFi 2200, 3EC4, right, and then I looked at the password and I was like, oh god, there's got to be some way to take that 3EC4 and turn it into the password, and that would be great, because then if I ever see the other person in the world that has one, I can totally break into their access point. Right? So it turns out there isn't a way to do that. So that's somewhat epic fail on my part. I wasn't smart enough to figure out a way to do that. But while I was calling Verizon tech support, they were like, yes, that password is actually the ESN number of your device. I was like, wait, what? They're like, yeah, yeah, that's how we keep track of it. If you lose your password, you can call in and we can just tell you what it is. I was like, whoa. So I immediately clicked, hung up, called back and was like, hi, I lost my password, and they're like, really, what's your phone number on it? Well, because I don't actually know what my phone number is. But I can tell you the ESN number, and they were like, oh, okay, and then they proceeded to tell me everything about myself. I was like, well, that's not good. So then I started collecting more and more MiFis, and these are two examples. So the last four digits are obfuscated, but as you notice, the rest of the digits, they look a lot alike to the password, right? So although there's no way to take the hexadecimal and turn it into the password, there's only four bits of entropy in the password. On some devices five; it depends on what model you get. So it's pretty easy to just guess the password, and you can write a program to do it in less than a minute or so. Which brings me to my Clear WiMAX device.
If anybody has a Clear WiMAX device, I have a little wireless access point, because they don't have OS X drivers, which is a giant epic fail. They'll sell you a little wireless access point; you plug your USB card into it and it becomes like a wireless access point, and it rocks you out much like the Verizon MiFi. So I looked at the SSID, it was myspot-d43, and I was like, ha ha, this reminds me of the Verizon thing I just failed at, so I'm going to be a little less optimistic. So I then looked at the password, which was 05cd43, and I was like, wait a minute, and I did an arp -a, and if you notice the ARP address, the password is the last three octets of the ARP address. Right? So this was great, because I actually showed this to somebody earlier in the week at Black Hat who is a technical consultant for something, and he goes, well, that's not the same, you see, the 5 does have a zero in front of it. I was like, yep, yep, we're safe. So that's my epic fail, and, you know, I just wanted to do something brief, because we all fail. Yeah. But so thank you very much for listening.

We're way past 50 on that retweet about pants, way, way past 50, way past 50 on the retweet related to pants. How many are we up to? Way. So Rich, Rich, you suggested it, you're first, buddy. No! No, wait, where's my beer? I'm making sure it's tucked in. We all know there's nothing that's tucked in, Rich, come on. Wait, you didn't just violate some license and, like, the gaming commission or something like that? That depends on what happens later. Where's the champagne room? It's under the table. I forgot to put it in. So while we wait for Mr. Mogull to get ready, why don't we give someone a beer if he can ask Rich the most embarrassing question possible? Who wants to give this a try? No? So this is actually a true story. When my wife and I first started dating, early on she established a couple of rules. The first two I will never reveal. And the last was that I am not allowed to get naked in public when she is still present.
So I'm allowed to if she's not around, but if she's actually in the room, then no. I've been trying my damnedest, but three years in and there's, anyway. But he's still not over 5'7". Hey Jack, just seriously, I'm not sure how many people in the room have seen that picture, but there is one that exists out there on the internet, and I think Dave might have it.

All right, so on to my little section. I'm calling it my favorite fails. This is a random collection of... Hey Jack, do you know what Rohypnol tastes like? No? Eat up, then. And this is brought to us by Evil Squirrel Enterprises, World Domination Specialists. So the first thing I'm going to talk about, I'm actually not going to talk about technology to start with. This is still definitely security related, but before I got into IT security, I was the security director at the University of Colorado for special events. So I ran all the football games, basketball games and concerts, and then I also did some work in Denver and a few other places. So probably the first fail is having a 21-year-old kid who weighed 138 pounds running security for some of the biggest bands in the business in the 90s. And in 1991, I think it was '91, we were working the Dead, and so this was out in Denver, and this was like the Dead. Like, I liked the Dead until I went to a Dead show, because Deadheads suck. They, like, holy fucking god, do they suck. Like, you have all these people, like, you meet them and you think, like, I went to college in Boulder and they're all like, oh, free love and the world should be all nice to everybody else, and then they show up at a concert and they're raging assholes.
They're like spinning around and dancing. You're like, no, you're knocking into other people. Fuck you, man, you can't tell me what to do, go to hell, you can't piss on my rights. But you pissed on that kid. I mean, it's like, anyway, I'll calm down. So we're working the Dead show, and the failure isn't the Deadheads, I mean, beyond what's happened to them later in life as they lost their idol. But we're walking around, and my job at this, it was in Denver, where I didn't run everything, but I was still a supervisor, so I'm supervising half of the house, which means my buddy had one half of the crowd, I had the other half of the crowd. We probably had like 150 people working for us, you know, getting people to their seats and stuff. And reports start coming in: people with tickets for the same seats. Like, oh shit. I mean, this is like Ticketmaster days, when, you know, they were printing the tickets up, it wasn't the barcodes or anything else. So we go in and I start looking at the tickets, I'm trying to figure out what's going on. It was really weird. So it's like there were 20 seats and like 2,000 people had tickets for the same seats. And then we figure out that, okay, well, clearly somebody has been counterfeiting tickets out in the parking lot. So the fail was not on our part. So we figured it out. So we're walking up and people would come up and go, yeah, we both have tickets for the same seat, and I'm like, oh, can I see your ticket, sir? Oh, there must be a mistake. We're going to take you down to the floor, we're going to take care of this. And so we had this section on the floor which became the corral. We had the barricades and stuff around it. We were funneling them down there, like tens, 20s, hundreds at a time, and then they're all waiting and they thought, hey, maybe I'll get floor seats, I'll get to go backstage. And we walked them backstage and they got totally psyched, and we kicked them out the back door, because they bought counterfeit tickets in the parking lot. And the reason we knew
this was Ticketmaster and again pre-barcode days they used different card stock and this was one of Ticketmaster's tricks to find counterfeit tickets so it was either different fonts or different card stocks were used for different events for this one it was heat sensitive so we take lighters and we hold it under the ticket if it turned black it was counterfeit and if it burned like brownish kind of like regular paper we knew it was real so you know so wait let me just try your your authentication method was to destroy their credentials with a lighter problem solved so rich can I see your license please they're in his pants I don't know if he put them back on yeah so the best part of this the fail wasn't all of that it was the fact that we kicked out 2000 really pissed selfish dead heads and the idiot was still trying to sell the counterfeit tickets out of the back of his truck in his parking lot on to the next one hey rich man you're harassing my mellow yeah it was like anyway sorry if I offended any dead heads in here I don't care so this was about 2005 there's this event in Boulder Colorado called the kinetic sculpture challenge and anybody from San Diego they got one there they do the same kind of thing it's dead now they don't do it anymore I was the security director there for a while I spent 10 years working that thing and so obviously I knew everything about how that worked well the next year we decided to form our own team and see what we could get away with well that went really well and then the year after that the police decided to clamp down on the alcohol because you know the hippies were finally in charge of things in Boulder and that's what happens and so you weren't supposed to bring your alcohol and you had to buy it there and so this is just a picture of the Boulder reservoir where they have it you can see that it's a pretty large piece of property this whole big race goes on and it's one of those things where people build and decorate these 
craft and it has to go over water and over land and there's a band there like bare naked ladies and all these you know bands you would know about Los Lobos not that huge as well stop blaming Canada blame Canada all that hockey this was kind of cool this was our time to test out everything we learned about security and see if we could do a penetration test on the event that we ran for all these years and so our only goal was to get alcohol in so the year before we buried our kegs in the sand they figured that one out okay so they they got the kegs buried in the sand we did that we brought the kegs in and just buried them there mostly to keep them cool and we put a lawn chair over it so we just sit in the lawn chair and do our thing and they they're like digging out the keg and they're making a big deal about it the new security company that got hired after I left meanwhile there are two kegs stacked under a blanket right next to the hole they're digging and they left them they never fricking saw and a friend of mine who's a cop came over I mean obviously I did this physical security and she just looks and she starts laughing and walks away and so the way it starts with our kegs and yeah this was one of the events where that rule came from so well the stripper flashed me and I had to return the favor anyway I guess it wasn't much of a favor so so we knew ahead of time we were going to have these problems so we're coming up with ideas and so one of the ideas I had is we'd sneak in a week ahead of time we'd take our kegs we'd use scuba gear we'd sink them down in the lake and then we would actually tie ropes to them on the buoys that were about one or two feet below the surface do the GPS coordinates we'd take a raft out we'd put on our scuba gear dive over the edge pull up our kegs this seems entirely too much work to get beer it's all about the fun wait wait how much were they selling the beer for like Vegas prices oh that explains it so a dollar in a blow job so so 
we're figuring that out and I figured out where to get tanks and who a scuba certified but one of the guys had like a heart problem and I was anyway so we came up with another idea which was to sneak in wait wait wait you're doing something illegal and you had to wait to find somebody who was scuba certified what the fuck yeah we're gonna go in here and kill everybody but first we gotta get the car out of the handicap slot so what we ended up doing was my buddy Scott and Will who I lived with at the time Will is another speaker goon we're gonna try and get him in here a little bit later Scott is but he's out doing something else so they went out the night before and we took coke bottles and mountain dew bottles and we emptied the mountain dew bottles completely in the coke bottles half way coke bottles became rum and coax the mountain dews we filled with margarita mix it was the little like you know the regular little bottles like this drinking up here so like that so we filled a bunch of those up we put them in a mesh bag snuck out there and they like they were getting tracked by the guys who were doing security in the evening but the area wasn't closed and so they managed one of them distracted by digging holes in the sand and then the other one sunk the bottles underneath the dock so into the water and so the race starts and me and my other buddy well first of all the next morning one of my friend who was the cop comes up and she's like you're gonna love this because literally they're walking around digging up our fake holes and they're figure looking for scuba tanks because we let that rumor split so the race starts we run out and there's all these people standing on the dock so it's sunk and so my buddy and I were like get off the dock get off the dock get off that we're screaming all these people are freaking out they don't run off the dock and we lifted up and we pulled out our booze and got on the lake and that was our uh I wouldn't say that was a failure 
that was a success on our part, but it was kind of funny. So, talked about it. Anyway, let's talk about technology. I know, it's a total fucking non sequitur. Let's talk about technology. So I've had a couple of very recent failures. By the way, we don't audit this stuff at all, we have no idea what each other are going to talk about, so this crap ends up in the speech and bread and whatever. So I've had a bunch of failures lately. You may have noticed Kaminsky got hacked, and communications of mine with him got nailed. I didn't get hacked, but as part of that, and the other one that was kind of bugging me... Are you admitting that you did the hacking? Because you did get hacked. Yeah, I'm Anti-Sec. There you go, fucking ex-Gartner analyst, what are the odds of that? Very low. I wasn't going to say very high. So July 20th I wrote an article for TidBITS, I write articles for some Mac stuff, and it was, I was trying to, I've been kind of knocking Apple a lot on security, and I was kind of excited about the iPhone 3GS. It had the hardware encryption on it. I'm like, well, this is pretty cool, you have hardware encryption, you've got remote wipe, you've got PIN codes and you've got PIN code wipes, so if you do your PIN code 10 times, you don't get it in right, the iPhone, that's great. I mean, that's pretty close to what BlackBerry has, full enterprise class device. So I was pretty excited, you know, I wrote it, and again, because it's not often I get to write positive security articles about Apple, even though I like Apple a lot and Apple stuff. So July 23rd, unfortunately, somebody does this: Hacker says iPhone 3GS encryption is useless. And what it turns out is, yeah, it works fine until you jailbreak the iPhone and then you install SSH and you can pull every piece of data off and it encrypts it through the hardware on the way out. So I'm looking like an ass, which happens. Well, it's user friendly, Rich, they don't want attackers to have to work. So this is like the original EFS fault. Does anybody know what Microsoft EFS, when they first
came out with that so the deal is she set up for file folder encryption and you link because nobody wants to have to manually type in 128 bit key so what they do is they link the encryption to the logon credentials and that's fine except for Microsoft like on Microsoft where you can take the SAM where you can go in and you can actually directly hack the registry through a Linux boot disk and you can wipe out the password and so the first versions of EFS what you could do is you could wipe out the password and then all you have to do is log in with no password and you have access to all the data because it was encrypted but it was tied to who was logged in so that was fixed by what you do is you set it so that the encryption key the credentials for that are separate from the login credentials so they're synchronized it's the exact same thing but it's only synchronized if you actually change the password through the legitimate mechanism of the operating system if you directly hack the registry because those are in different places then you're not going to be able to get the right key applied to the encrypted file and you won't gain access to it so that's how you solve that particular problem but Apple didn't freaking do that so what they did is it's clear now I'm just assuming because I haven't done the look but when you enter your PIN code that logs you into the device and that gives you unencrypted access if that PIN code is changed or removed outside the normal mechanisms you still get access to all of the data on the device and I think that's how this hack worked so I like to test these things before I write about them yeah I'm like some fluffy analyst dude who doesn't know what he's doing but I want to make sure this stuff works before I write a retraction in my article so I start testing it and I get some interesting results I find an O-Day in the iPhone and it's another really minor issue and I'm going to feel like shit because I'm not going to talk about it 
because I reported it and didn't disclose it, but let's just say it's even dumber than the encryption thing. And I'm not trying to knock Apple again because it's, it's just a, I don't know, partial disclosure fail, Rich. It's okay to knock Apple, really. Rich won't knock Apple, but I will. So anyway, there are other issues related to the encryption of the iPhone and related to passcodes that are very easy to figure out. Unfortunately I did it totally by accident while trying to test this other thing, so that's reported, and I wasn't the first one to report it. Hopefully it's getting fixed. But none of this is like my ultimate fail this year. So last year, DEF CON 16, I did this kind of like heavier project, which was I tried to build the ultimate evil twin, and most, like, I hope everybody here knows what the evil twin attack is, but that's basically... what? There'll be two gnomes. Remember Mini Mogull? I'm told that Mini Mogull will get very big. You missed, actually you missed that last year. So the evil twin attack: you make your own access point, it's kind of what Karmetasploit does, some of this. You overpower the local access point. You go to Starbucks, you boost more power than they do, you de-auth everybody, you bring them on to your access point, you man-in-the-middle them, you do whatever you want. A little bit to the next level: so I hacked the wireless router, I put high gain antennas on it, a 500 mW booster on it, set it up so that I could disguise it, drop it, leave it, battery operated. I'll show you pictures in a minute. And then multiple, multiple exploits, so when you connect to this thing, try to exploit it three or four different ways, because basically you would connect, and I used something called NoDogSplash, so you would get a connection screen that popped up, and in that I had, like, in this thing, bam, you get nailed with these two or three. When I did the demo last year I did it with Core Impact; you can do that with Metasploit as well. The next thing is, is you can do sniffing, go in
the details of how I did that, and then you can do HTML injection, which is some other stuff I did. So I had the splash page with the exploits, and I think I did both Metasploit and Core, I can't remember. Then you have a redirection temporary page, and what happened was, and Arsenic helped me with this, we had it so that it would flash a bunch of pages behind that you don't see, or it was actually iframes that we used, and it would just randomly connect to Google and Yahoo and a few other things, and if you had ever logged into those, we're doing cross-site request forgery and just sniffing all of those credentials, sniffing the information. We got addresses and some other stuff out of it. This was called Rich-jacking. Rich-jacking, you got to have like Rich-jacking or fritching, felching, never mind. And keep in mind all of this is different than jacking Rich, which is... and now we know what happened to Arsenic's other shoulder. How the fuck did I get on this panel? I wish we were that simple. So then I had tcpdump collecting everything. Every 30 minutes I would FTP it to my server at home. Here's what it would look like. I used WRTSL SL, fail, DL, SL with a CradlePoint router. You can actually plug the video, you can do the video direct off of that. It was like the same size practically as the USB hub, it was a little bit more reliable, and then a 500 milliamp, and you'll notice it kind of looks a weird thing because, and I had a separate thing for all the power on it. There's the battery to make it battery operated, fit in the backpack, how I kind of connected all that stuff in, and I hid it in some fake books, and you can tell here in books because Rich can't read. Yeah, so this is it. You'd walk in, you'd see this, maybe with a lamp on top. You can add it so you can put a lamp on top, we're out of the lamp cord inside, plug it in around the cord out the bottom so it looked like it was part of the lamp, and then you could just leave this in an airport lounge or something else and just enjoy. So I had an
idea of what to do this year. That was all my last year stuff. I had a really, really good idea, minus the dope. I was going to do a robotic evil twin. So I'm like, hey, why don't I take this thing, it's a robot, and I can just drop it over a fence and it'll drive up to somebody's office, it'll overpower their local wifi, connect them into my stuff, and then I own them. And so I was thinking this in my head, what is that, totally had it all playing out. Well, you know, if that doesn't work maybe it'll be more like this. That's a Roomba. And really it looks like this. Squirrel, I'd like to introduce you to the CIA's next Q, everybody. He designs gadgets so you don't have to. So this is the robotic evil twin. So what we've got is everything I had last year, a little bit different. So I added a compass and sound sensor. So the compass sensor was doing the navigation; this is all inertial nav based on compass. Dave was actually helping me, we were trying to figure out how to do GPS via the iPhone, and we could send Bluetooth commands in remotely. Then it has the jailbroken iPhone, which connects to that wireless access point, because that's got Metasploit on it, it's got the dev of Metasploit on it. So cool, now I don't even need to worry about getting, I've got Metasploit on there, I don't have to do that remotely. There's the hack work from last year, the battery in there, the EVDO, and then the Lego NXT and the wireless booster and everything else. So there were some failures along the way. The first failure was I assumed I needed a powered steerable front differential made out of Legos. Well of course you did, I mean we all did, I mean it's only natural. And it looked really cool, and I spent two or three days building it, and I learned something about differentials. The other differential is when you make a turn in like a four wheel drive vehicle, because there's different turn radiuses of the wheels, it powers one differently than it powers the other, and that's how you get the turn. The problem is when you build it out
of Legos and you put a lot of weight on it all it does is not turn so my wife's getting pissed off we got a new baby I'm spending my nights playing with Legos in front of the TV and none of it's working so then there were other fails so I tried to get these high torque motors I got obsessed with this Lego thing and so you get these high torque Lego power function motors the problem is you can't control the rotations on them so there was no way to navigate the distance accurately then I couldn't get the compass to lock on the heading because it would always like it was turning too fast and this is a Lego, it's not a penium or even so it's low and that didn't work and then I was steering I don't have really an engineering background I have a history degree and I don't know how to build a steering mechanism and I'm looking at my car my Ford Explorer and I'm looking at my Legos they're the same, right? no, the Legos were more maneuverable yeah, so that wasn't working real well and then finally my little Lego brains died so the screen on it died not even a warranty which of course will arrive next week and then I bricked the router when I was trying to install Metasploit on it so everything basically the wrap up of this story is you didn't do anything right no, nothing so here's what Doug kind of worked you can actually see it here it does move even with the score oh, I forgot to put a camera on the front of it that's one of those streaming webcams that part actually did work fine so it can drive around I wanted to prove that I actually made this thing drive, here it is, navigate in front of my house that's when the batteries died wow, looks like it does straight go, go speed racer go that looks like it does straight lines really well it's a dodge viper of Lego robot cars it does turn just like shit stealthy and that was the stealth mode so you guys ever see like the video in Iraq and they've got the pack bot and they like throw it over a fence in the middle of Mosul 
and it flips over and it drives in and that was in my head and it was gonna happen so do we get to see you throw this thing? let's clear off the table oh this doesn't have a recipe for disaster does it the squirrel is going to die this is going to impress no one not one of you I need to get this out of my system you're taking your pants off again after this impresses no one you ever watch a movie like the first five minutes you know how it's going to end it's like a two hour movie but you kind of like the director so you stick with it because you're curious to see how he gets there that's kind of where we are right now sorry beaker it seems to have passed away I harbor no illusions at how uncool that is fucking care I'm a DEF CON and I brought a robot wait, watch this Wingardium Leviosa hey it worked about just as well didn't it it was going to commit suicide but then it didn't we love you beaker we miss you well Larry's setting up beaker sent me some email from Boston he sent some poetry for us go ahead be afraid be very afraid apparently Mortman feels quite virile while wearing he's wearing a pink girl's shirt while dissing the squirrel our snag it seems is up to old tricks fucking up websites with bad java scripts Martin McKay at last found his place providing strange liquids for the whole in Larry's face and then there's the mogul did he leave his robot at home too heavy to carry for such a small gnome that leaves but just one more and we can't forget him don't know if he showed up the chances are slim after last year's failed panel with pictures of a goat tales of pentests and the dragons he smote hey Maynard how's it going you feeling okay got anything worthy to impress us today sorry I can't be there miss my friends and the panel I'll show up next year same DEF time same DEF channel Chris we're doing pushups or something that's a mental image I don't want it's too light it's in there beware of the flying bread you cannot poke out your mind's eye and I've 
said it before and I'll say it again: there are things on the internet that cannot be unseen. Sometimes you wish you could. Mogull probably had to pee, he's got a bladder the size of a thimble. Yeah, while he's gone, he's back. Everybody should make fun of him for having the smallest bladder a man can possibly have. This is the second time he's gone to pee, and this is my fourth beer. Have you seen me leave? I didn't think so. This isn't the epic win panel. We should have the porta potty on stage next time. They're just getting one of those little chemical bags. Sneaky leaker. So let me say, while we retweeted the no pants for taxes, well I'll already say I took off my pants, and if you really want to see it, I'm not going to do it now because I wasn't lying when I said I wasn't wearing any underwear. Yeah, let me just say two words: horse cock. Um, um, so go to pauldotcom.com forward slash ono's with an e.jp onozwert.jpg. Wait, your jpg has the same password as Dan Kaminsky's root password? What kind of fucked up relationship is that? The man's sexy, what can I say. Alright, so let's talk about fail. So my good friend and cohost at PaulDotCom Security Weekly, Mick Douglas, and I worked on a little project together on owning identities with peer-to-peer file sharing networks, and we affectionately called this presentation Peer-to-Peer Information Disclosure, or Identity Theft via Peer-to-Peer Networks is as Easy as Clubbing Baby Seals. Yes, yes it is. Now for a full disclosure, have you actually clubbed a baby seal? No, no, this is much easier and much cleaner. Stop blaming Canada. Stop blaming Canada. Alright, so what did we do? We were talking about doing some preliminary research for doing some pen tests: how can we leverage peer-to-peer file sharing networks to gain information for recon for doing pen tests and all that good stuff? So really, was there anything good still out there? I mean, are these boobs really still sharing stuff on peer-to-peer networks? How was our, as an industry, how was our education working to the
unwashed masses? I mean, how stupid or educated are people that are using peer-to-peer file sharing networks? I mean, do I really need to ask that question? Yeah, so yeah, this is, wait a minute, I have to interpret. I'd like to point out that Rich Mogull is not back. Oh yeah, see, told ya. He just had a baby, cut him some slack. Alright, so why is this like clubbing baby seals? It's easy, you only need a little bit of patience, maybe some warm wear in the club, you get quick results. Yeah, and well, it's legal, yet morally and ethically dubious. Right, come on man, that's a cute damn seal. Oh, it gets better, really it does. Yeah, and I thought this was supposed to be humor, right? Oh wait, I'm harshing everyone's buzz. You're mellow, you're harshing my mellow, man. Sorry, I've been drinking. So we took some inspiration from the old seewhatyoushare.com project, which is no longer available, so you gotta go grab it through archive.org, and we sort of had some prompting from the recent strike fighter information release via peer-to-peer networks. Well, at least that's what they told us in the media, what happened, that it was released via peer-to-peer networks. Yeah, believe what you will. So we took that as peer-to-peer networks, great, so let's go look at it. And even just this past Wednesday Brian Krebs at the Washington Post posted an article talking about information that was acquired via peer-to-peer file sharing networks, which included missile silo information from the United States as well as a couple of other foreign countries, and plans for Michelle Obama's safe house. That might be some pretty valuable information that some folks might like, and, well, on peer-to-peer file sharing networks, not good. So Mick and I started searching peer-to-peer file sharing networks. What did we use? Well, we're both Mac users, so we used Gnutella OS X clients. We tried Acquisition and Poisoned. Acquisition's better; well, it was a couple bucks and it was worth it just to see the epic fail that ensues. We're looking to at some point
complement this with some command line tools. Gnutella works pretty well, and we're going to script some of this stuff, and we'll see why. So we started searching peer-to-peer file sharing networks using clients, and, well, we spent maybe an afternoon, so to give you an idea of time frame, four hours. You know, we get home and, well, now we search a little bit at night now, or, here, you know, sit on the couch, have a beer or 12. I'd like to point out another coincidence: four hours is how long Viagra recommends that if you have an erection you should call a doctor. Oh yeah, we'll get there too. So we thought of a bunch of, quote, evil and common sense file names. What would we like to search for on peer-to-peer file sharing networks? What would be interesting to us? We talked about, we thought about some specific document extensions and various combinations of the above. We, you know, searched for all the Word documents on peer-to-peer file sharing networks. You think we got a couple of results? Yeah, it was something like 30,000 results or more for just Word docs. So yeah, we can download those and start looking for the contents of those, but let's target a little more, and we can use some creativity here. So here's some of the stuff that we actually used, just a few. So terms: word, doctor, health, password, lease, license, passport and visa. Hmm, bunch of file names. What about the pornographic ones you search for? Because I know you search for cock. And that was a separate study, stuff in Dave's house. Was it a growing study? Most certainly. Two words: horse cock. We searched for a bunch of extensions, you name it, we thought of a bunch of evil stuff. So we had some issues. So when you run the search, it searches the entire peer-to-peer sharing network at the time you run it. Poor kid, and now we have the laughter. So we were constantly having to re-run the search, hence why we want to do some command line stuff that we can script and do it at different times. There are multiple peer-to-peer file sharing networks. We only focused on
one, because, well, we only had a couple hours to do this and it was just sort of a fun thing to do. There's certainly the transitional nature of peer-to-peer file sharing networks. So what happens when little Johnny gets home from school? He turns on his computer and he surfs the web for some porn for a couple of hours while his peer-to-peer file sharing is working, and then mommy calls him to dinner, so he shuts his computer off and now his files aren't shared anymore. So depending on the time of day we were getting different results and seeing more people active on those file sharing networks. So we need to have the ability to run these searches at multiple times a day, and if you think about it geographically, people in other countries other than the US, where we were located when we were doing these, are going to be searching and having their peer-to-peer file sharing network clients up at different times of the day. So I'm not going to get up at 3 o'clock in the morning to go do this, because, well, I like to sleep. So what's next for us? Some automated and repetitive searching, better criteria for file names, and maybe we want to limit this to some specific IP addresses. And by about now you'll probably see that I have an unhealthy obsession with lolcats. It only gets worse. Ok, so the next generation of peer-to-peer file sharing: we feel, Mick and I both feel, that this is only going to get worse, because, well, we're driving our networks underground, and when we start driving them underground it becomes that whole leetness. Well, you want to participate, so let's encrypt your traffic. Well, that's great, I'm not sniffing it, I'm actually participating, so I have all the encryption that I need. But when we start going underground, well, we don't want folks to start leeching from our peer-to-peer file sharing network, so we're going to make you share more so we can download more. The more you share, the more you can download. So what's the easiest way for me to share more information? Yeah, set my
Gnutella client to share the entire root of my drive. Sweet, I like this. So you guys are probably saying, well Larry, that's great and fine and all, but, you know, show me the money. Let's talk about what we found. Do you want one? No, no, I'm still really over that. You know what, I'm going to take another one. Man, I don't even have to take my pants off to get money. I feel good though. Alright, so let's see some results. Aside from the music, movies and TV shows and porn, lots and lots of porn. Oh, to be honest, isn't that recursion, pussy looking at pussy? Or even better, as I heard from the audience, is that kiddie porn? That's, you know, whoever said that deserves a beer. Can we get a beer? No more kiddie porn. So what did we find? Malware, go figure. So every search term we looked for, we searched for password.txt and we got research results back. password.txt live at the Orpheum, really. So we downloaded it and it had a setup.exe, and, well, yeah, the first bunch of hits seemed to be malware. So we ran it through VirusTotal, and, well, 35 out of 36 antivirus things found it. Guess what antivirus you do not use? Dr.Web, because it's the only one that didn't find any of this stuff. So what does that mean, you're endorsing Norton AntiVirus? They have a Gamer Edition now, you know. Really, I thought that was for, I'm not even going to comment. Alright, so without any further ado, let's work our way up from a really gentle fail to a totally epic fail, and, well, it's humorous in its own right, it's also really sad. So we found a whole bunch of miscellaneous goodies. This was one of Mick's favorites. It's a scan of someone's exam, and at the very bottom you see where the text is sort of going sideways and they're getting really frustrated with the answers because they don't know shit. We also found some other miscellaneous goodies. How about a doctor's note saying that this particular individual wasn't able to work from these dates, and an employee review they did? Alright, the interesting thing is that the name is blank, so
what do you think they photocopied it and just did it for everyone in the department so not just for the boss no no no so how about this one the 2008 cheerleading world's event schedule wait a minute did you find the 2009 but even better they have all the names for all the judges with all of their travel info and emergency cell phone contacts thank god we can finally take down the cheerleading industry and by take down you mean never mind keep in mind we're only on the miscellaneous goodies here how about someone's rental application including their name, address, social security number monthly salary check numbers and routing numbers signatures it gets worse how about a last will and testament well you know what to be honest they don't really need it yeah now this particular will and testament is sad because the only thing her kids are getting is like a box of photos and a sewing machine and floppy disks no Viagra here retirement planning I really feel sorry for this particular couple because they need something like $877 a month to retire by the time they're 71 that's a lot of, I don't know about you guys but I think that's a lot of money to be putting away in my retirement fund every month $177 if they want to retire by like 61 and have a decent amount of pay they need to save something like $8,000 a month I don't know about you but I don't make $8,000 a month you know what roulette roulette that might be a better gamble every movie I see at the end they put the money down on black and it works done so speaking of clubbing baby seals that was pretty easy I know we do not audit this he's just sleeping right sleeping right that's what I'm going to tell my 2 year old sleeping so it gets better how about taxpayer identification numbers yeah we found those two and not just one but two three four five six yeah I like to play this game thanks were these offered on the same site yeah these are actually all pulled from the same machine and it gets better you want to talk 
about fail: $392,000, $323 earned by this family last year, social security numbers of the filers and their children, names, addresses. It gets better, how about the account and routing number where their refund was deposited? Someone in Troy, Michigan made $300,000. Someone in Troy, Michigan made $300,000, almost $400. I think this is fake. Okay, I'll take that. Here's another one, and another one, $109,000. That's more realistic for Troy, Michigan. So this one was Modesto, California. They got to be poor. I don't even think that's a real place. $109,000 of Modesto, yeah. How about another one: Ludington, Michigan. They get a refund of $441. Who is Mr. Tumen? What's that? You tell me. Okay, $10,000 tax return, sweet. Security, social security numbers, $103,000, effective tax rate at 12%, that's not right. It's getting better now. You think I might want one or two of these? Yeah, I only found one, but that's okay, all I need is one. Not two, not four, not six. Anyone even want to be an oriental family coming to the US? Seriously, I've always wanted to be an oriental family. You too can be an entire oriental family. Fake ID, anyone? Sure, here's four. You're saying you just found all this stuff on P2P? Yeah, in about four hours. So you notice that one of these licenses doesn't have a name blurred out, because it was too precious not to. Dude's middle name is Raunchy. Yeah, I did that. This is just on one network. One with that hair, tell me you wouldn't do it, come on. I mean, that, that's beside the point. Is this better? Come on, anybody want to go to Hawaii? I personally love this one. Is that, that's a silver sword, right? That's a lead pipe. Photoshop to the rescue. So what you're saying is you lay pipe a lot. I lay pipe a lot, yes. I don't like pipe. Okay, yeah, so you remember that family? Six, yeah. This one was kind of lame but still. Why? How about a couple more, because I had a mohawk in his passport picture. That's a mohawk, yeah. And I got to tell you, this next one is actually kind of really lame, because, yeah, we got Paris Hilton's passport, but it
came from Paris woes.com, and it was in someone's peer-to-peer file sharing directory. I really don't know why we felt the need to actually redact her information, but we did anyways. I mean, because Lord only knows that she doesn't do a lot of redacting herself, right? So here's where it gets really... so here's where it gets really scary. We have the sad tale of Mr. N, and that's the best we're going to refer to him as. A decent student in Iraq for anesthesiology. We've got a copy of his transcript from school. He graduated, he did pretty well. He decided he wanted to help the US coalition forces in Iraq, so he made an application. We've got his name and address for his family. You know he got this guy killed, right? No, I hope not. So he applied to assist the coalition forces. It worked out really well for him, because he got a letter of reference stating what he did, including translation services with mobile units while actually in combat. So he rode along with combat units and provided translation services. Because of this, he actually kind of had to pay a little bit of a high price, and it's really hard to see, so we'll put an excerpt from it: because of his involvement, he is forced to live a secret life that he must hide from family and friends to protect them, as well as himself, from torture and certain death at the hands of terrorists. We found this on a peer-to-peer file sharing network. So Mr. N applied for asylum here in the US, to come to the US, and here is his application for his visa, including the location of his family, who, by the way, he hides from to protect them from torture and certain death at the hands of terrorists. Yeah. So let's take a minute to really let that sink in. And now we have Mr. N in the audience. Come on now, you're the next contestant. Never mind. So think about this: we found, in about four hours, stuff on peer-to-peer file sharing networks that this gentleman, Mr.
N, helped the coalition forces, put his family at risk, and put his stuff on the internet so that the terrorists who wish to kill and torture he and his family can go search for it themselves. Yeah. What's that? I can't hear you. Ice? No, Vanilla Ice no longer performs. It's a good question. I don't know if they know about this, and a letter to this gentleman to let him know that his stuff was being shared on peer-to-peer file share networks. So speaking of which, talking about the ethics: do these folks really know they're sharing it? Probably not, because they're probably a bunch of morons. Really, think about the average computer user that uses peer-to-peer file sharing. Yeah, we don't think that they do. In one of the cases we have addresses for these folks, so we've sent them letters via the U.S. Postal Service to let them know that this information is being shared, and we have not heard back from anyone at this time. So let's say you're sharing your information on a peer-to-peer network, right, and you get a letter one day from an anonymous source saying they found your information on a peer-to-peer network. Won't you just assume they hacked into your computer? We have lawyers and we have insurance, so yeah. Did we leave a forwarding address? I had no idea. We have not heard back from anyone. We have their addresses, of the family and so forth, from the applications, and we're doing the best we can, honestly. So let's talk about the defense. Fuck that, this is DEF CON. Yeah, all right, I'm going to talk about the defense a little bit, only because I thought this was really interesting. So the Brian Krebs article that came out Wednesday linked to a company called Tiversa that will provide professional services for your company: you pay them and they search peer-to-peer file sharing networks for your intellectual property and so forth. Great. They also have services for individuals, such as these morons that we found their stuff on peer-to-peer file sharing networks. The problem is, in an ironic twist of fate, you
click on the personal services link and it's 404. Wah wah wah. So, in conclusion, apparently our security education isn't reaching the unwashed masses. That makes my job really fun, and it gets me on a panel at DEF CON. Okay, so really, how do we accomplish some of this stuff as an industry? I mean, or do we care? Clearly sharing stuff on peer-to-peer file sharing networks is bad, and everybody shares too much. There's legislation to change this stuff. Jesus Christ, Rich, you need help. Dave will help you. I was leaning over to say something really thought-provoking about how thought-provoking... right then I see Rich with his belt. It wasn't thought-provoking, it was provoking. In any case, the goods are out there, and so if you want some more information, this presentation will also be available at pauldotcom.com, and you can follow both Mick and I on Twitter. And a big thanks to Mick for working on this presentation of this research with me. So I hope you had fun, and now I'll turn it over to our next guest. So remember I told the story before about the kinetic thing and us stashing the alcohol? I'd like to bring Bushie up. Scott, he was the individual who helped me, and so he's the guy that was digging the fake holes that the security was trying to pick up. And the reason I brought him up here is because he's never going to talk to me again. His epic fail is thinking I wouldn't tell all of DEF CON that today is his birthday, and he's trying to hide it because he doesn't want to get too drunk tonight. Can you feel the love?
Yeah, he does have the keys to my house. Rich, you still got your pants on, buddy? He does know the alarm code. That is all. So when you see him around at the parties this evening... Happy birthday to you, happy birthday to you, happy, happy birthday to you. Thank you. You smell like a monkey and you look like one too. RoboCop. And for those of you who didn't hear, that was Rick. We're going to talk later. I want to go start for myself on peer-to-peer traffic. Sorry, Dave, I already got it all. Don't worry, it's safe with me, and in Tijuana. And there's a donkey and a thong. Goats. We have a donkey show story. What? All right, here's my donkey show story. So I'm 18, in ORS, and this can only go wrong. I have not hidden this, and so, you know, you're trying to go look, I'm 18. Rule number two, Rich. I was in Navy ROTC at the time, so me and my buddy were basically the drivers. They're like, ridiculous, they see the short hair, they go donkey show, donkey show. And finally our friends are like, yeah, all right. We hop in this cab, we pay a buck, so we're in the back streets of ORS at this point, where people disappear, and pulls up to a house. It's not even a full house. And we walk in, and it was clearly a bordello, and we were told we make our own show with the women, with the big dude with the shotgun behind the thing. And that's... we left. So that's the end of the story. So we never did go to the donkey show. Do you know what, for that, I think you should take your pants off again. Dear God, get away from me. So speaking of fail: laptop fail. I just came in and someone was talking about donkey show. Can someone fill me in? No, you really don't want to know. I think it's a myth. Asinine. I need the adapter. Asses and donkeys. So how many people are running a peer-to-peer client right now searching for stuff? Please do, please do, you'll have fun. Somebody's got it. You know what I would... if something gets bad with... Who's running a peer-to-peer file sharing client right now and searching for stuff but doesn't want to admit it? Seriously, that works. All right,
good. If you're sitting next to somebody here's running a file... there we go. All right, so while we're waiting for this, has anybody tried different tones with their badges yet? Because it seems like with my speaker badge, if we play an 11,200 hertz tone it started blinking in what looked like either Morse code or binary. So does everyone realize this is able to listen to you? Read the source, it's Morse code. Okay, they totally hack this all, because we're all wearing wiretaps. It doesn't matter whether you're not wearing one or not, the guy next to you is. You're all tapped, and that's arsenic on why you're tapped. Tap that all on the floor, tap that from 1 to 4. This is why we let Beaker do the poetry. For anyone in the audience, he's actually making me press... who knew? It's awesome. It's making me see funny things. What? It's good for you. Absolutely. So hi, my name is, um... this is barely working, I can't hear myself. Anyways, my name is James Arlen, you might know me better as Mercurial. James, put the microphone up to your mouth. It's kind of like it at the rest area. You've self-referential fail. As I was saying before I was so rudely interrupted, um, you might know me better by different names and stuff. I have some opinions. Sorry. It's amazing how interestingly you get pwned your first time doing this with these folks. I just need to lose any respect of shame whatsoever. We're entirely good with that. So the security industry, well, we're completely fucking ourselves. That's my whole point right now. Um, the problem is that we never really examine ourselves. Some of you may have noticed some news that happened this week where we didn't do a good job of examining ourselves. That's all I'm going to say about that part. So in the past we had lots of security. Security was easy, because you could point at it, you could touch it, you could feel it. You're not talking about security, are you? I know what you did last summer. We had guilds, we had seals, we could obfuscate things. We occasionally had physical security, Rich.
Computer security is more difficult. We've had great... this bread is awesome. We had theories. We did a lot of work in the 1970s. We had Multics. We did awesome stuff. We had these research microkernels that were actually secure. They would only execute what they were supposed to execute, when they were supposed to execute it. Guess what we did? We got religion, baby. The religion is awesome. Everybody in this room is completely suckered by the religion. Well, I'm Catholic, so I know I am. Pwn, baby, pwn. So everybody knows what religion is, right? We had to introduce religion in this talk. Oh, we got a hand up here. Somebody wants a beer. A distraction. I might actually buy that. Everybody has best practices, right? How many people are in security? You do best practices, the best you could possibly do? You're all friggin' wrong. You do common practices. You do the same shit the other guy is doing, because that way you're safe. You have habitual responses. When you start to salivate as you press the button, do you really think that adding more blinky lights and shiny things is making your shit more secure? What a different point it is. Well, I'm sorry, I'm sorry. Which religion are you part of? Find this interesting: one of them has three, the other one has six, the other one has 25. Rich is an ass. I am also an ass. You're a certified ass. You're an application security specialist. So is Jack Daniel, and in fact he is wearing an ass hat. He's got an ass hat. Yes, he does. He's got an ass hat and everything. Cannot underestimate the curmudgeon in the crowd. That does not count whether or not you are gold, platinum, silver or whatever. That is 25 certs, baby. Do you have any of those certs? Hell no. And you're not certified? I am a certified ass. In a minute we'll get to a certification problem I have. You know, you're supposed to tell everybody that they need to be a member of the same thing that you're a member of. Being a member of a club is very important. I'm not sure what else they do besides setting themselves up as members of
clubs. I tend to question being in a club, and at the same time, it's almost sad to admit it, I'm in a friggin' club. I don't know how it happened. Bad day, I think. But I mean, there's this other group of people. Are there any vendors in the audience? Anyone? There's someone all the way back there. Who are you with? Did you say crapshoot? Mazu. CloudShield. I'm sorry, Beaker is not at the panel. How many of you are with vendors but won't admit it? How many people are sitting next to people who work for vendors? Nice. How many people work in pro-serve? I guess one. How many people are sitting next to people that work in pro-serve? There we go. How many people are sitting next to people... Rich, that is disturbing. Rich, don't raise your hand at this point. Who really cares? Do you sell hardware or software? Do you love your blinky lights? I love my blinky lights. Are you part of the pundit and media group? Shit, half this panel is. You all know about the dogma thing, right? The shit monster, that's exactly the one. Your dogma ran over my karma, or your karma ran over my dogma. It happens, it happens to all of us. The point is that it's completely frigging arbitrary. Have you met your iPod data thief in the company that you work for? You ever had an iPod connected to a laptop and you freaked on their heads because their iPod was connected to their laptop? What do they do with their laptop at the end of the day? There we go, SecBarbie wins with the... they take it home. Which problem are you trying to solve? Complex passwords: how many people memorize their passwords? I memorized your password. Floor bread, put it in your mouth. Floor bread for the win. How many people have used flood-on-the-wall metrics to solve a problem? That works. How many people say no habitually? How do you know to what? Because my instinct is just to say no. That's not what you said last night, Dave. Well, look, I gotta... never mind. I'm very worried about this guy. How many people stop at the end of logical security? Have you ever walked around and looked at people's
desks? Holy shit. Wait, how do you define logical security? Only exist in the computer world; as soon as you print it, you're not responsible. It happens. We need to fix this. Um, this is my call to all of you to stop failing epically. We need lots more individual contributions, lots more, lots more R&D. R&D doesn't lead to blinky lights and shiny things either. I refuse to believe that. I read in the magazine just a couple days ago... let's go back to pundits and media and how they're screwing you over for good, says the former Gartner analyst. Please read liquidmatrix.org for your security digest needs. We need to move to an age of enlightenment. This happened once before, don't know that it's worked out so well. So I'm gonna give you an easier path, and frankly, because I fail myself, we need to admit that we have a problem. How many people are tired of doing the same thing they did last year? And yet, Dave, you're on the panel again. Well, I was... I was more referring to... guys are terrible. Um, how many people realize that you're doing it to yourselves? I like to do it to myself. I think that's what happened to my shoulder. I do it to myself, I do it to myself over and over again. Wait, I gotta be honest, I've been saying that's the Rich Mogull this entire panel. I think he just did it to himself, which I can't understand why. All I'm saying, two words: horse cock. And if you can't love yourself, who can you love? A hooker named Barbie. Oh wait, not you, I'm sorry. You know, that was the first thing. They can't see what you can see. I don't think number four applies to anyone on this panel. Five doesn't either. Baby seal, anyone? Dog food was only for old people. Let's actually give a shit for a change. I mean, you just... you're at DEF CON. I mean, you should go back next week and totally fucking pwn your world, right? The problem is, once you have passion about something, somebody with a middle management job wants to take it away from you. Get rid of them. Are you advocating... are you advocating murder?
No, I'm advocating that you get the fucking C job. Fire the bastard. Quine, please come to the front desk. Paging Quine, please come to the front desk. You need to own the fact that you suck. All of us do. I own it every friggin' day. Hey, so were you a golf kid as a child? Yes, I was. Still immediately launching to special dance mode for you. Who would pay to see him do the robot right now? I mean, come on. Right here, right here. I got five bucks if you want to. You can do the dance. All right, give me five bucks. Easy come, easy go. Do we require music? Just give me a moment, and then I'll give you this back. We're all going to beat you up. I'm going to put this the same place that Rich put his money. Keep talking. While I have to keep talking, but you taking my slides away, now I have nothing. Come on, Rich, can't your iTunes go faster? This is a Mac, after all, right? Well, he's, uh, he's just so happy he doesn't have to deal with UAC. Scrolling madly, scrolling. I can't believe I've just tucked five dollars into my pants that I got from that guy, that I got from that guy. Transitive trust fail. Transitive trust, that I got for throwing bottle caps at that guy. Booty. Like I said, pauldotcom.com forward slash onoeswort.jpg. It's just scary, and as I said before, there are some things on the internet that cannot be unseen. So I look to my left, I see something horrible, then I turn to my right, oh, that's not gonna be better. Do I still have to dance for my five dollars at this point? You have to dance. You have to do the robot. Everybody sing along. This is the part where, much like Rich Mogull, I fall off the stage. That's a painful personal experience that I choose not to share. It's a retarded robot, is that what you meant? You, sir, we know that was much more useful than a Rich-est robot. I would like to point out that for the first time ever, as a newbie to this particular panel, I've completely failed. You did not regain your self-respect. Speaking of... speaking of fail, why did you people come listen to us? We did this last year and you came
back. You knew what this was. It was horrible last year, just as bad this year. We were funny last year. What does that say about this year? You have no one to blame but yourself. Free bread. So every time I look to my left or right and I think that these people are sick, I think that you people watched it. Come get spread. We don't have the largest nipple contest and see which one of our panelists has the largest nipples. I sure hope there aren't any questions. Like, really? No, wait, who has... did we leave anything unquestioned? We talked about donkey shows, spies in Iraq, mobile devices. Go away, there's other shit to watch.