Two years ago, I was sitting in the Paris Hotel waiting for DEF CON to start and my phone rang. And it was my doctor telling me that the test came back from my biopsy that I had had literally the day before I flew to DEF CON and had breast cancer. So I share that because it's actually what provoked me to do this research in a very strange roundabout way. So in addition to having a double mastectomy, full reconstruction, everything, I had to go through pretty aggressive chemotherapy. And the regimen that I used, if people are familiar with it, is the ACT, so it's the Adriamycin, the Cytoxan, and the Taxol. So I know I think most people who have never been through chemo or know someone who's been through it pretty much are like, oh, you lose your hair. You know, there's a lot of additional side effects to chemo that I don't think they really advertise them and I was not prepared for. One of them is something called chemo brain. Has anyone ever heard of this? OK, some of you have. So what happens is the most specifically the Adriamycin, but pretty much all these drugs are toxins and poisons. And I think the best way I heard it described one time is they're trying to kill the cancer before they kill you, basically. So this Adriamycin, or also known as doxorubicin, it kind of messes up your mitochondria, which changes their ability to do things and their energy. And essentially chemo brain is forgetfulness, memory lapses, difficulties concentrating or focusing on. It was like, all right, whatever. But when I started to lose my brain, that was scary. And when I came out of it, I kind of thought it would just all turn back on, and it didn't. And that was a little distressing to say the least, especially if you're someone who uses their brain every day as their work. So it kind of pushed me into this research on how do I heal my brain? How do I fix what the chemo did to me?
And as I was doing that research, I stumbled into this entire concept of using the memory as an authenticator. And I thought, oh my God, that is fascinating. How does that work? And that's how we got here today. So a not so happy start to the research, but found this fascinating information, started doing more study into it. Are there ways that I can improve my own brain health? But then I thought this was really neat. And I wanted to really kind of dig into it to see where they were with it. Is it really something viable that we could use soon in the future? And just kind of like understand how does it work? What exactly, how does this work? Because you can say implant a password into your brain. Well, how do you do that? So that's what I'd like to talk about today. So a little bit about me. I'm a security engineer and researcher with Digital Cloak. And my background undergrad work is in sociology. So that's the psychology of groups as opposed to the individual. But they do do a lot of psychology in that. Excuse me. My grad work and graduate degrees are in cybersecurity and security management. What I'd like to do, I don't know if anyone's seen me talk on quantum computing or not. But what I like to do is kind of give you kind of a groundwork with some kind of shared vocabulary. Kind of so we can all be on the same page before I get to the research. And then the research will make a little more sense because we kind of all know the basics. So cognitive memory. Cognitive memory is the mental action or process of acquiring knowledge or understanding through your thought experience or your senses or some combination of all of them. It can be subconscious slash unconscious, which I'll go into that in a second. Do we have any psychologists in the room? Okay, I'm a little less nervous now.
It can be conscious or subconscious slash unconscious or it can be intuitive, which is kind of like if you think about instinct, acquiring knowledge without really understanding how your knowledge was acquired. Or it can be conceptual based on ideas and concepts like sitting in a class and learning. Consciousness can be defined biologically or it can be kind of defined philosophically. Biologically it refers to the idea of being awake, aware of your surroundings and experiences. And philosophically it kind of refers to having a sense of itself or possessing a soul. We will obviously be focusing on the biologic definition here. Unconsciousness occurs when your ability to maintain an awareness of the self and the surrounding environment is lost. Now there's medical unconsciousness and legal unconsciousness. Medically someone can be unconscious and unable to respond to stimulus. But then legally you can kind of have a loss of consciousness and awareness as a result of maybe like an altered state due to drugs, delirium, hypnosis. Has anyone ever been so tired that you are almost kind of like unable to interact with the world? That would be kind of a good example of like being kind of maybe legally unconscious. You're still awake and aware but you can't even process anymore at that point. Subconsciousness, Sigmund Freud, it's like 1893 I think was when this term was first used. And he compared the mind to an iceberg. Pardon me, it's really dry today. He initially used the terms unconscious and subconscious almost interchangeably because in his native German they pretty much the word sounded the same. But when I was doing the research on this there seems to be quite a debate in circles as to what each one means. And that's why I asked if there are any shrinks in the audience because it seems like there's like a grammatical aspect to the argument and academic aspect and semantic aspect.
The best I can tell is when you use the term unconscious you're typically referring to a state of awareness from a medical perspective. And when we talk about subconscious we're tending to refer to it like when we're talking about psychoanalytical environments or like instinctual kind of stuff. And so I'm going to differentiate between the two here but I will let others debate as they like. I think psychologist Edwin Locke put it the best when he said the subconscious is an alternative storehouse of knowledge and prior experience. And that is where when we start talking about implanting the passwords that's kind of where that's going to go into. So there's two main types of memory. There's explicit and implicit. So explicit memory is conscious intentional recollection of factual information, previous experiences and concepts. So if you think about like when you've taken a test and you're sitting there and you're remembering the stuff to answer the questions, that is explicit memory. And then there's two categories of explicit memory. There's episodic and semantic. Episodic is kind of personal experiences. So that would be remembering a kiss. And then semantic would be storing factual information so it would be remembering like facts about a kiss, data about a kiss, like what temperature was it, you know, were the lips warm or cold. It was like remembering factual items versus kind of the experience. And then we have implicit memory. Is anyone here ride bikes or cyclists? So I train for triathlons and actually do them too. And the reason we train is we're trying to get this like implicit memory trained so that when you actually go to a triathlon, you're not, you don't have to think as much. You just, you can do because you've practiced so much. So this is usually acquired and used unconsciously. It can affect your thoughts and behaviors. And one of the most common forms is a procedural type of learning where it's kind of again like riding a bike.
You do something enough that you don't even have to think about it anymore. You just do it. And that would be kind of an example of your implicit memory. So this is where we're getting closer to the implanting. We're going to talk about the stages of memory. So we have encoding, storage and retrieval. And encoding is when you put the, put the stuff in your head basically. And there are several different ways to encode. You have structural coding. This could be like learning how to like look at a word. It's short. Is it long? How many letters does it have? Things like that. Mnemonic encoding is how it sounds. Semantic encoding would be focusing like on the meaning of it. With storage, there's a three stage model, which I kind of try. I tried to make a chart of. But essentially you have the, the environmental input comes in through sensory input. And then it stays in the sensory memory for, I think it can stay in there for like 20 seconds. And then it's either forgotten or it moves into your short-term memory. And then your short-term memory, it can hold things. Oh, this is where it was 20 seconds. So it can hold things for like 20 seconds. So if you ever like parked your car and tried to remember like where you put your car and you're like P2 P2 P2 blue, you know, you're like kind of trying to get it in there. That would be an example of maintenance and rehearsal, like trying to keep it in there for that like little short-term thing until you can file it into the long-term and then pull it out later when you come out of your event. What I thought was really interesting was once it gets in the long-term memory, supposedly it's always there. The big challenge a lot of people have is getting it back out. This is the retrieval part. So it's not that you lose it, it's just that you really can struggle with trying to retrieve it. That is something chemo brain will do to you.
And I have one of my co-workers here today, they will tell you, I have sat there in meetings literally trying to say something and a simple word like inconsistent or some word like that, I cannot pull it out of my head. I will literally not be able to finish a sentence because I can't find a simple word that most people would know. So there is definitely the retrieval issue. I know it's in there, I eventually found it. It just took about two hours and I wrote it on my whiteboard so I could remember it for a couple weeks. But retrieval is the process of getting the information out. You can have cues, associations, context and mood. So context is when have you ever lost your keys and then you kind of re-walk through where you were to try to remember that context. Association would be like, let's say I ask you to, if I show you a picture of these folks on the beach and I ask you to spell the word bear, you're probably going to spell B-A-R-E versus B-E-A-R, that kind of thing. And then of course mood, you know, it's kind of like nostalgia or like you're somewhere that triggers a certain mood or a smell and then it takes you back to maybe your childhood in a moment that you remember. So moods can be very strong retrieval cues. So passwords and human memory limitations. Human brain consists of about a billion neurons. Each neuron forms about 1,000 connections to other neurons, and if each neuron could only help store a single memory, you actually probably would run out of space pretty quick. I think you might only have maybe a few gigabytes of storage, but neurons combine so each one helps with many memories at a time, so it exponentially increases your brain's storage capacity to about 2.5 petabytes. I think they said it would be around 3 million hours of TV shows that you can store with what your brain has if it's healthy and working. Now, I'm going to skip that because we don't have time.
Now, because you're the biohacking folks, you guys are probably pretty good BCI, brain computer interface. So, translation device. It allows users to compose phrases and sentences just by thinking them. I will have a slide of sources, like citations, because being a grad student I cite everything. So I'll have a cite at the end of these if you're interested in following up some more on it. There's four key pieces of research I really wanted to go over. The first one is called SISL. This one, Serial Interception Sequence Learning, this was the one that I stumbled upon first that I thought was pretty fascinating, and it kind of pulled me in to look some more into it. And I'm going to murder his name, so if he's watching this on YouTube in two years, like, I'm so sorry: Hristo Bojinov at Stanford. And he was working with some guys, some cognitive scientists at Northwestern University, and then there was some dude from SRI, I think, in the mix. He created this program, I guess you would call it, and it uses implicit learning to put a password into your head. And the idea is, as you put the password in, and then if someone asks you your password, you really can't tell them what it is because you can't remember it, but you can do it, you can perform it. And I think the best way, the easiest example is: how many of you have, like, the proper really long password that you should have, like really complicated, right?
Oh, more hands should be up, especially definitely. And you know how sometimes, like, you don't remember your password, but if you put your fingers down, you could do it? That's basically the gist, it's just way more complicated and fancy. So I'm going to actually go through this, like, I'm going to read this to you, because retrieval is not working as far as the details on this. So the process for learning the password involves the use of a specially crafted computer game that resembles Guitar Hero. And there's six buttons, S, D, F, J, K and L, and the user has to hit the corresponding key note when the circle reaches the bottom, or where like the fret would be on the game in Guitar Hero. During a typical training session, would you turn my... I'm sorry, my alarm goes off every morning at 10:30, I apologize. During a typical training session of around 45 minutes, the user makes about 4,000 keystrokes. Around 80% of these keystrokes are being used to subconsciously teach you a 30 character password. So before running, the game creates a random sequence of 30 letters chosen from these, these here, with no repeating characters, and it equates to around 38 bits of entropy. So this 30 character sequence is played back to the user three times in a row and then padded out with 18 random characters. And by this point, their experimental results suggest the 30 letter password is firmly implanted in the subconscious brain. And so the authentication requires that you play a round of the game, but this time the 30 letter sequence is interspersed with other random sequences. So you're playing the game and they're giving you the stuff, but inserted in is the actual password. And so to pass the authentication, you have to reliably perform your sequence. And the research shows that even after about two weeks, you're still able to recall the sequence pretty well when you're doing it. So I thought that was pretty neat. And then the next one was Passthoughts, and this is from the guys at Berkeley. They came up with this
one, and it combines three factors: something you know, which is a thought; something you are, which are brain patterns; and something you have, which is the EEG sensor for measuring brain waves. So to authenticate, you think your secret key while you wear the sensor. It can be anything: a song, a phrase, a mental image. The thought itself is never transmitted, just the mathematical representation of the electric signals your brain makes while you're thinking the thought. But so if someone else were trying to figure out exactly what you're thinking, they couldn't impersonate your passthought, because even, like, if you and I are both thinking about Led Zeppelin, we're going to think about it differently. You know, even if we're thinking the same song in our head, you know, it's still going to be just a little different. Now this, let's see, I'm not going to go into the details on that. If you want to hear the rest of the details, I'm actually doing a longer talk in 101 tomorrow. The next one is On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces. Great paper, if you have a chance to read it. These gentlemen looked at using the EEG types of headsets to see if they can get your private information, like your ATM and your bank PIN and stuff like that. And the problem with their attack setup, and again their paper is very long, was it was very intrusive and it could easily be detected by the user if they were trying to do it to you. But it rolls into this new thing called PEEP. This is really neat, and this was actually recently in, it's on phys.org, and there is an article by Tiffany Womack: researchers at the University of Alabama at Birmingham suggest that brain wave sensing headsets, also known as EEG, need better security after a study revealed hackers could guess a user's passwords by monitoring their brain waves. And these are those headsets, like, if you could play video games online with your buddies, they were using those headsets. And they were actually able to put together this thing
called PEEP, and it's Passively Eavesdropping Private Input via Brainwave Signals. And they took the research from the other guys and rolled into it, and they created this kind of keylogger. And the quote from the gentleman from the team: as the use of these devices like the EEG gaming headsets becomes mainstream, a user may enter passwords or private credentials to their computers or mobile phones while wearing them. And then they have been studying the potential of a malicious app, PEEP, to capture those signals and then be able to convert them and guess and infer your keystrokes. So if you're sitting there and playing a game, and then you pause to do something but you still got the headset on, they have now come up with this malware app where they can actually steal that. And, let's see, the algorithm with PEEP shortened the odds of a hacker getting a four digit numerical PIN from one in ten thousand to one in twenty, okay, and increased the chance of getting a six letter password from about one in five hundred thousand to roughly one in five hundred, just with their thing. Now, let's see, go through here quick. So there were a couple interesting things. I'm going to talk about the hackability, but the thing with that that kind of put me off was the, and here we go, the experiment sizes. So if you're graduate students or even college, even high school kids should know this. The SISL size: the experiment number one was done with 35 people, number two had two groups, 32 and 80 people, so it's a total of 147 participants if there were no duplicates. I don't know how good a solid sample 147 people is. The Passthoughts material, from what I could tell, was only tested on 15 people, and the side channel attack had 28, and PEEP research only had 12 subjects. So great research, really excited. Sample sizes, I don't think we're there yet as far as this is going to be a thing next week. Hackability: I know they talk about rubber hose attacks, but I really think they're sexifying their papers, because as far as I know
none of the universities will allow you to beat your... I mean, I'm being serious, I mean, you think about it. But then also, if you think about it, if someone's doing something that's very tuned to their brain thinking something and then you start beating them, that's going to kind of corrupt how they think about it, adding stress, trauma, whatever, so it's going to garble it anyway. Let's see, the attack factor I could think of was when they're doing the random generation of what they're going to implant. I would probably go after it there, like a random generator attack, so you don't have to worry so much about this end if you can attack it on the front end with the random generation, so you can kind of get to it there. SISL was not designed to prevent eavesdropping or shoulder surfing, so they did say that that was potentially another avenue of attack. And SISL is a Flash application, for whatever that's worth with you. And also my big issue with SISL was, great for like kids my daughter's age, or, but what about people like my dad? He's like in his 70s and maybe isn't really going to be able to do stuff like that. And then the other big issue, I think, was it took 45 minutes a session. So if you're like Lockheed Martin and you gotta give all your people new passwords, okay, that's going to take a while. You got ten people, you're probably okay. But is this, like, really, from a big rollout thing, I'm not seeing this as being really viable right now. So I want to close by saying I will have a lot more information tomorrow, because this is just kind of a short teaser. And if anyone's super interested, I will have these sent out with the citations, and you don't have to trust my links, you can Google the, because I don't click on anything from here, even my own stuff. And then this, if you're really interested, it's kind of neat. This was a book from 1985, it's called Hard-Boiled Wonderland and the End of the World. It's by a Japanese author, and it's actually interesting, and I'm not going to give any spoilers, but one
narrator is a Calcutec, it's a human data processor encryption system who's been trained how to use a subconscious as an encryption key, and the other narrator is a newcomer to a strange isolated town. So if you're into that kind of stuff, you might enjoy this book, because I found out about it after I started the research, and I thought it was neat that in 1985 they were already thinking about this. And I believe I'm out of time. Do you want me to take questions? OK.