Can everybody hear me okay? Louder? Should I scream? Should I sing? Somebody's listening to the show. Alright. I will try to speak up, so I'll watch the back if anybody wants me to get louder. Okay. And there's one announcement. They say the tent is running about a half an hour behind schedule, so just to let everybody know that. And I guess I'll get started and I am StankDawg, as you can see on the board there. Great, now I gotta live up to that. And this presentation's on hacking Google AdWords. Then let me clarify right up front this is not Google Hacking. I think Google Hacking's kind of been done to death and I think everybody in here knows what Google Hacking is and we can make databases and lists of stuff all day long. That's not what this is about. So just to say that up front. I got interested in this and started doing research on AdWords in general just because I was curious as to how it worked. I wanted to see if we could get publicity for the magazine and for the website. Not really an advertising thing, exactly. I just kind of wanted to see how it worked and do a little bit of research on it, so I figured what the heck, I'd drop 20 bucks on it. And I kind of, A, I didn't like the way some of the things that it did and B, they made me mad. So I decided to do a little research and that's why I'm doing this presentation. So again it's not Google Hacking and actually disclaimer. I just put this in because of some recent activities by Google. First of all, I'm going to read these out loud but you can see them on the screen. I'm not representing Google or Google AdWords in any way, shape or form. I'm not affiliated with them. I have no association with them whatsoever. This is not condoned or anything by them. I do not have their authorization. The terms Google and Google AdWords are both trademarks of Google Incorporated. No, I do not. I couldn't afford it. Are you kidding?
And yeah, this presentation is just research I did as a user, creating an account, trying some different things, trial and error as they kept cancelling my accounts and I kept recreating new accounts. And we went this whole back and forth game. So that's how most of this stuff came about. So I wanted to put that up because, as you can see on the next slide, very recently I've had some activity with this. On the 10th of June, this presentation was listed on the DEF CON website and on my websites and things like that. And shortly thereafter, the end of June 31st, Google AdWords changed their terms of service and they make it very clear that if I want to use the terms, I have to say trademark. So that's why I put that in there to make sure I'm covered from a legal standpoint. And then again on the 15th, which is a couple of weeks ago, they sent out an email saying that they're actually changing some of the characteristics of the AdWords program. So I have made some updates. There's some extra comments in these slides from when I created some things that have changed and I will refer to those when the time comes. For the most part, everything's still fairly accurate, but they are in the process of changing it, which is actually going to be, it's a good thing. So that's really what we want them to do. So to start off with, so I'll try to go through this quickly because I know everybody in here kind of doesn't want to hear what is Google AdWords stuff. So I'll just go quickly through this. First of all, it's just an advertising program. Its biggest competitor is Overture, which is the one that's used by Yahoo and MSN. There's a lot of other ones out there. They all act pretty much the same. It's a pay-per-click system. And pay-per-click, if anybody doesn't know, you might want to hit the exits because it's pretty self-explanatory. You pay every time somebody clicks on one of the ads. So there are a couple other terms that I want to define in here, impressions. 
Impression is anytime an ad gets shown on a page. Again, kind of self-explanatory, but we're going to refer to these later on in the presentation, so keep them in mind. An impression is anytime the ad actually shows on the side of the screen. And we've got some screenshots coming up to show some of these. And again, a click-through self-explanatory is when they actually click through it. And there's one other term that they use. It's called a click-through ratio, which once again, common sense tells you that's out of how many ads get shown, how many do you actually click through. So, yeah, we'll zip through that real quick. It's a customizable system, of course, and it's used by Google, obviously, but also by Gmail. You see the ads in Gmail. That's also pulling from this from Google Groups. Google AdSense also will pull from these now. And a lot of outside sites, and this is an important fact to keep in mind also because, and I'll refer back to this because it actually becomes appropriate, but it's Google AdWords program, but it's not only on Google or Google-owned or affiliated sites. They, of course, sell this out to other companies like Ask Jeeves, for example. It's one that I've noticed them on. I think maybe CNET, although they change contracts sometimes here to there, so you open up an AdWords account, you can get those ads on a lot. Anybody who uses the AdWords or AdSense, so your ads will get a lot. It's a pretty big program. So how does it work? 20 bucks up front. I figured, you know, 20 bucks, that's not a big command. I'll drop 20 bones on that. And it's basically prepaying to another program. You put 20 bucks up front. They're going to take 5 bucks right off the top for an activation fee just to create the account. Why do you charge an application fee to create an electronic account with nobody's hands involved? I don't know.
I've been trying to figure that out from banks for years while they want to charge me something, but that's a whole nother topic. And the other 15 bucks you get credited towards your account. And what that means exactly is you're going to have that $15 and as you go through it and your money runs out of it, then you can reload the account prepay it again. And what I mean by going through that money is this is a pay-per-click system, as I mentioned earlier, and it's based on a bidding system. The minimum bid you can put on there might be changing soon. But the minimum bid is $0.05. And for stuff like I'm advertising a hacking site, they don't really... Overture is $0.10. Google AdWords is $0.05. I created my account six months ago or so. So if they've changed since then, yeah, I wouldn't... I don't know if that's the case or not, but... Okay. Let's see. Pay-per-click system, yeah, minimum $0.05. If you're like me in my small sites, I'm getting keywords like Hacking Magazine, Phreaking Magazine, Radio Show, things like that. I'm getting them for the lowest bid. There's no competition for those. All right, binrev.com, b-i-n-r-e-v.com, thank you. I'll put that at the very end. I'll keep the flow going for this pretty well. But yeah, for most obscure keywords, it costs you about a nickel or possibly a dime, whatever the case is now, that's what you bid and if somebody clicks through that ad, basically that's what you'll pay in this scenario. Now, other keywords, obviously it's a different story. It's kind of an auction where the highest bidder gets the highest placement on the website. So when you see, and I'm sure... Anybody here who hasn't used Google? No one? Okay. Just on the right-hand side, of course. And the other thing that's funny about this is you get so you don't even notice the ads anymore, you just block them out anyway. And that's a whole other topic. But on the right-hand side, you'll get those ads, or even at the top, the sponsored links.
And again, on other sites, they could be placed anywhere on the page. You've seen ads by Google, sponsored by Google, stuff like that. So they can be in any form, but for the most part, it's the same bidding system no matter what. Now, again, from my words, it's like a nickel or less. And I'm like the only ad, usually, for the most part, a couple, maybe two or three others. A light-hearted presentation, by the way. There's going to be some funny stuff coming up. So I hope everybody's not in too much of a serious mood. I found this interesting. Maybe this is just a trivia kind of a side note. But you know what some of the most... the keywords that get the highest bid are all relating to? I would have thought porn, too. That's the first thing I thought, too. But actually, it's not so much. It's anything legal. Things like class action lawsuit, the phrase slip and fall, things like that are always pretty consistently high. And the highest one, yes, is mesothelioma right there. Mesothelioma, which I had to look up because I had no clue what it was, is actually a form of cancer that comes from asbestos. So it's still related to the lawyers. They're chasing the ambulance, trying to get these class action suits. And they're bidding upwards of $40, sometimes higher. It fluctuates for every click-through on one of these ads. $40 to click-through on that $40 million lawsuit, obviously it becomes worth their while. So... And a couple of the other ones are... which also surprised me is web hosting, search engine, search engine optimization, things like that. They also get consistently high bids as well. Considering there's a lot of markup there, I guess they have some freedom with that. And what else? There is a minimum, excuse me, a maximum daily spending value that you can set. You can tell how much that, you know, you have three bucks on your ad, and you only want one a day. You can only afford one. You can put a limit of $40. 
Once that click-through is gone, it'll never show up for another 24 hours. So for my nickel ones, you know, you click on those for a long time, it's not really going to cost me all that much. But for the record, if anybody wants to be a smartass, I do have a limit on that. I know some of you. And let's see. Obviously higher bid, that's a common sense. And it also calculates how much you bid with how successful your ad is, or how many click-throughs. If you have a higher click-through ratio, it paid a little less. It'll kind of play around with that a little bit. And let's see. That's about it. If you go on to the next one, I'll talk a little bit about how the campaign system works. Basically, campaigns are just a logical breakdown, just to kind of help you do multiple different topics. You might want to create a different campaign for each one of those topics. And again, I'm going to go through this really quickly, because this is all... Unless you're actually going to make one of these. And this presentation is... I hope there's some people out there that actually maybe want to do this and want to learn how to better use the Google AdWords system. There are companies out there that charge hundreds and thousands of dollars to give you lessons on how to optimize and get your hands on this that they're charging hundreds and hundreds of dollars for. And I've got some that they've... I've never seen addressed by some of them before. So if you're actually considering coming here for some useful information, hopefully I'll have some in here as well as some fun stuff. And some questionable stuff, but I'll leave that for later. Let's see. And within the different campaigns, you can create different ad groups. For a campaign, I think of it like you're offering that service for your clients. You'll create a campaign for client A. A campaign for client B and C. A logical breakdown of your different clients.
With the ad groups, the best example I can think of is you have a car company, you sell new and used cars. Well, your ads for each one of those is going to be different keywords. If somebody types in used cars, you don't want to show them an ad for new cars. It makes common sense. So that's where you break down and make a different ad group for each one. A different one for radio. A different one for magazine. A different one for a few different keywords. And I show a different ad based on those keywords. So that's basically how it works. Oh, and I do have one update here. It's one of the things I mentioned they've changed since the 15th. They actually have added something called site targeted ads now. Early on when I was testing, you could do a little bit of Google hacking. I said I wasn't going to refer to that, I lied. You do a little bit of Google hacking with a site, a particular site with a site colon to kind of target your ads a little bit. Very mixed success. Well, now they have something called site targeted ads where you can go in there and they give you a list which is actually kind of interesting. They give you a list of everybody that participates in their advertising program which you can't really find that information anywhere but when you go in there you put in a few keywords or an example site and you will get a list of sites that they think are associated with that. So I put in a hacking magazine that might come up with a bunch of different security sites, hacking sites, et cetera, et cetera. So it's kind of interesting to see this gives you a list of people that are using AdSense or that are paying for their program. So that's kind of interesting information. You can know what your competition are they using AdSense, you know, and if so, what keywords do they have associated with them? 
You can kind of go work backwards and kind of reverse engineer for lack of a better word, kind of work backwards to the system to see what your competitors are doing. So that's kind of interesting. But what's the problem with this? Okay, so now we get into some of my... I'll try not to rant. Again, people who know me know I can go off a little bit. I'm going to try to keep that down. But basically I have some problems with the way they run the thing and some of these, again, have changed for the better. Basically it's... they killed me a couple of times with something called reactivation fees. So again, 20 bucks up front, you get a starter, you only got 15 bucks credit. It doesn't go too awful far. It goes pretty far with the nickel a pop. But what happens is that click-through ratio I mentioned earlier, which is a percentage of people that see the ad, that click-through the ad, you have to maintain a click-through ratio of 0.05. Basically you have to get two clicks for every... I'm sorry, one click for every 200, I think it is, 0.05%. And if you don't, they will do something called slowing your ads. If I set up my account, I'm a noob, I don't know what I'm doing, I'm setting up keywords. I come back the next day, I've got a couple hundred hits on the site, and it generates a lot of hits. No doubt about that. But the click-through ratio wasn't high enough and they had slowed my ad. And slowing it means they're not going to show it to as many people because you're not performing well. Even though there's no competition and there's nobody I'm competing against, I'm not performing as well as blank space, apparently. Thanks a lot, Google, I appreciate that. So... Let's see. I went in, recreated the... There's a little thing in there that says to reactivate the word. It happens three times, they charge you a $5 fee.
So I got real mad because I was having to go in every day, sometimes two or three times a day, and reactivate my ads so that they don't get me that $5 fee or take the ad out of my keyword list because if it goes to slow it, and I keep getting these fees. So that kind of made me mad, first of all. The second thing is, and this is an update they've made, they're kind of changing that system, they announced that they're going to go away from the whole slowing thing. And this just happened again. Email went out, I think, on the 15th, I got it saying that they're going to get rid of these slowing accounts and they're going to something called a quality score. What that is, we don't know yet. They haven't really implemented it exactly. It's coming soon, whatever that means, probably today at four o'clock after I'm done with this, maybe. So I don't know what defines a quality score, so hopefully we'll find that out soon. So that is something that has changed since this, so be aware of that. The other problem is, and this is I'll try not to, I'll try to stay calm with this, but basically the terms of service. Now, I'm not naive. I didn't just fall off the turnip truck. I know every site has no hacking or cracking rules in it. We all know that. But the problem with Google, and I'll read you the exact quote. Let's see. We have Google AdWords ad policy in order to maintain the quality of advertising we display and encourage users to continually click on ads and increase advertisers' return on investment. Our goal is to make the information seeking process more efficient and relevant and to protect both our advertisers and users in a fair advertising environment. As a result, we cannot promote ads or ads for websites that promote quote, hacking and cracking. As noted in our advertising terms and conditions, Google reserves the right to exercise editorial discretion when it comes to the advertising we accept on our site. Again, standard. We know that kind of happens. 
But I guess maybe A, maybe we hold Google to a kind of a higher standard because Google seems to be the kind of act hacker friendly, not directly, but I mean I think everybody kind of knows what I mean. There's so much you can do and it's so flexible and they seem to provide APIs and a lot of code and stuff. So you kind of think of that. But the bigger problem I had is the fact when I said when I did this hacking or cracking, they put that in quotes together. Like there's not a difference between hacking and cracking. They put them together as though they're one synonymous term. I have a problem with that. So I did email them and tried to explain the difference to them. It's a hacking site but we don't promote cracking. We don't promote illegal activity or anything like that on the site in the magazine or in general. I know some people think it's a lost cause to fight that fight for the word hacker but I don't give up that fight. I keep fighting for that. It doesn't always work as I found out. So yeah, and the other thing is, like I said, we kind of hold Google to a different standard a little bit. We probably shouldn't. It may not be fair. But, you know, they have this hacker and everybody's probably seen this joke before, right? They have on Google in their translation services a language called Haxor as one of their languages. Now, I mean, how are you going to have that on there? I mean that's hypocritical to have that on there and promote it, you know, like first of all at our expense with the whole leet speak thing and yeah, don't bring up my article from 2600. I don't want to hear that. But, you know, they've got stuff like this on there and it's not just that. It's just the hypocrisy in general of Google that I've found. I've had kind of a problem with. Another thing that they do on Google is, most of you probably know you can do define colon. You can find definitions on Google from different dictionaries, Wikipedia, stuff like that.
You do a define of hacking on Google and it brings up all these definitions and they're mostly pretty accurate. So if you go to Google and define hacker, Google gives you proper information. They have this Haxor translation service on there, so, you know, they're talking all this stuff. They've got the summer of code with this whole open source. We invented open source for God's sakes, you know. That's why they kind of come across like we're one of you. Well, they're not exactly. They're not at all, really. But, again, I'll back off. I told you I tried to stay away from the rants on this. I don't know if I can pull that off. And this is the one that really made me break down is the next thing to have. Well, first of all, I can't advertise the word hacking, but I think everybody's seen eBay and Amazon all the time. Everything that you search for, they can use the word hacking, but I can't. I get a warning letter saying that it's against their terms of service. But if you do a search for hacking radio, you'll say radio on eBay.com, you know, stuff like that. Buy Used Human Heart. So, was that what was in the forums one time? Buy Used Human ... how do you buy a used human heart? I don't want it if it's used. And how do you get a new one? Well, stem cell and ... get controversial on here with the stem cell. I'll back away from that. But yeah, it's ... so, I wrote it, they have something called a keyword tool suggest. This is the thing that made me mad that I started arguing with them, trying them what's going on. That's something called the keyword tool suggest. When you put in a keyword, what it does is it looks through to see what other keywords are related to it. So like if I did used cars, for example, it might pull up a list of makes or look what other people are advertising used cars and give you suggestions of what works for them or what gives them click-throughs. 
While I put in, you know, typical words, hacking, phreaking, stuff like that, it comes back and gives me suggestions. Why don't you try a security magazine? Why don't you hire, try a phreaking magazine? Hey, good idea. Thanks a lot. Google, I appreciate that. I put those in there. Next day, cut off. Terms of service. You can't use those words. Why'd you tell me the words were there if you're not going to let me use them? That's ridiculous. And that, honestly, that just, that kind of stupidity made me mad. And that's why I actually sat down. That's the trigger that made me sit down and do this presentation. So, well, they say you cannot contain it in the ad or link to sites that promote illegal activity. Again, I don't promote illegal activity. So, I promote hacking. Hacking is not necessarily illegal. And maybe we'll talk about that after the presentation. I can definitely would be glad to go into a conversation about that. So anyway, enough with the hypocrisy and the ranting and stuff, let me move on to the tech stuff. What's our? The DEF CON staff wants you guys to know that there's going to be a spot the Fed in Parthenon in five minutes. There's going to be a spot the Fed in Parthenon in five minutes. So, that's all. All right. So, now let's get on with some of the tech stuff, some of the fun stuff, enough with the ranting. Well, actually, real quickly, what you can do about it is you can reactivate your ads instantly. You can put your ads, first of all, ads are put into rotation immediately. That's an interesting thing to know. Any one of you can go create an account, create an ad, bam, it's going to be placed up within a couple minutes, a couple minutes. So, that's very important to notice. You can get an ad up there and it'll stay up for until they find it. So, you can get ads up pretty quickly. I suspect they're going to shut that down very, very quickly.
The other thing, and this was, I laughed out loud when this happened to me, what they do is, if your ad does get banned, like, for example, my ad said, hacking magazine, radio show, the revolution will be digitized. That's all it said. And the link to binrev.com. And it's part of the presentation. I'm not pimping here. So, you know, I put that in there and they sent it back saying you have the word hacking in the ad. It has nothing to do with what it linked to. It's what's in the ad. So, they didn't like the word hacking. So, I changed it to security. Okay, fine. Whatever. Whatever will get through your system. And that went through. They approved that. No problem. So, it wasn't the content of the site exactly. It also probably depends on who's sitting at the keyboard and says, I don't want to approve him or I don't, you know, however many people they do that. It's, it looks like it's human interaction because sometimes it would be banned within an hour or two. Sometimes it would go for a week. So, that's kind of interesting. Yeah, that's a good question. I did, I get the feeling that it is done through human intervention. And again, and actually that's kind of another point is they claim that a human checks every ad before it goes up. But I know for a fact, I put ads in there, they're up within two or three minutes. Nobody checked that ad as soon as I put it up. They check it after the fact. They want you to get up and running quickly. Which again, that's probably going to change. So, enjoy it while it lasts. Might not be there when you get back from the weekend. So, yeah, so you modify your banned ad by making one small change. And then this is really funny and I'll give you the story of what happened to me. I kept going through this little game with them because I'm stubborn, people who know me know that I can be pretty stubborn sometimes. So, we went through this back and forth game where I changed it to security.
Okay, and they approved it and went through the next day. All right, well, being a little butt that I am, watch my language, I went back in there and changed it back to hacking. And it went through for two or three days and then it got turned down again. So, I changed it back to security, no problem. I went back and changed it back to hacking again. We were playing through this game once a while. Not only that, but the individual keywords within the, that's the text of the ad itself. The individual keywords, they would go through once in a while. Every time they banned the ad, they'd go ban a couple of the keywords. So, like, they'd leave security working, but they'd take out hacking or phreaking or something like that. All right, we want to play that game. We can play that game. So, I went in there, you delete those keywords out of there. When you try to add them back, it still says disable, they disable the individual keywords. It blew my mind that this actually worked. If you delete the individual keywords and try to add them back, it doesn't work. But what you can do is go in there, select all of your keywords. They only ban two of them, it doesn't matter. Select all 15 of them, copy and paste them, put them over into a text file. Delete it, save it with no keywords. Copy and paste it back in there, put those same 15 keywords back, you're up and running. I swear, I couldn't make that up. I could not make that up. You put them back in there, you're back up and running. Every keyword, they did that to me one time. After this cat and mouse game, they deleted my, they banned my ad, they banned every individual keyword that I had created. I copied and pasted them all out, deleted the ad, recreated the ad, copied and pasted them all back in, back up and running within seconds. So, that is something else I assume they will probably take out. And I'll get some questions if I have time towards the end because I want to make sure I cover everything here.
So, yeah, disabling the ads and the individual keywords and fixing it with cut and paste. So, and the daily limit I mentioned earlier, this is kind of, I'm not condoning this or saying anybody should do it, it's kind of sleazy but you can click ads of people you don't like. If you're in a business world, it can get kind of cutthroat. People don't have morals in the business world. You want to go over, and if you work for Ford and you want to go to click the Chevy's ads and make them pay for those clicks, when you run out and hit your daily limit, your ads stop showing. They do not show your ads anymore for that daily limit for the next 24-hour period. Now, there is kind of a caveat to that. They do have what they claim, click quality, they call it, that's supposed to prevent fraud. Like, basically, they check your IP address. I'm speculating, of course, I don't work at Google, so I don't know what they do, but it seems like they probably will check your IP address. If you click 20 times a row from that same IP, they probably know that that's invalid. I think everybody here probably knows what a proxy server is. I'm not going to go into your presentation of that, so I'm not going to go off into that tangent, but a proxy server. Even that, I don't know, not in an offensive way, but I don't know how smart Google is. They seem, sometimes they do great stuff, sometimes they don't. So, they may be smart enough to even watch for proxy stuff, especially if it's repetitious. You keep hitting it over and over in a short period of time. All it takes is a very quick Perl script. Go through proxies with a random timer every five to ten minutes. Click. That's going to be pretty hard to detect. It's going to be really hard to protect. So, and still, it's in 24-hour periods, so you can still get a lot of hits. They're going to end up paying a lot of money for it. So, again, don't do that. It can be done, but don't do that. And if you try to do it to me, let me warn you again.
I have a limit, and it's really low, so you're not going to do too much. So, yeah, they, again, they claim that they have humans that try to check for invalid clicks. You know, again, I don't know how accurate that can be, because, I mean, we all know how big Google is, and Google AdWords is the biggest advertising program on the global interweb. So, I don't think they're going to be checking. They have too many customers and too many ads, so I think that they can check all that stuff. So, yeah, so theoretically, again, since the ad goes up right away, you can put up an ad, watch me and my girlfriend have elite cyber sex, and it'll go up there, get people to your website for half an hour before they ever cancel it. I actually had an ad up that was, like, a week that had the word hacker in it that they never got around to doing. So, it's hit and miss how often they'll leave stuff up, but you can put up just about anything for a short time period. And you can, you can use words that are invalid because of that. So, I think that's pretty much self-explanatory, but you already have to babysit it? Well, again, they're changing this. I had to, I felt I had to babysit it every day anyway, so I was going in and making all kinds of keywords just to mess with people, just to do funny stuff, and that's how I found out we're going to get into some of the screenshots and some of the actual techniques now that I found some of the stuff was mostly just playing, just to see what I could do. I have to go into babysitting anyway, I might as well go in there. So, we'll move on to some of the tricks, and this is one of my favorite ones, and then this is the kind of stuff, a couple of these things we're going to talk about now is some of the things that they charge you a lot of money to optimize to get your ads to the top. It's really a lot of it comes down to click through ratio and using the proper keywords. One trick I found, and it was purely by accident, mesothelioma. 
Did somebody spell mesothelioma for me, started spelling the, I couldn't spell mesothelioma, so I put it in there because I wanted to see what the actual top bid was at that time, I just wanted to see if it really was 40 bucks, you know, and it was, it was 40 bucks. I put it in there but I spelled it wrong. So, when I went in there and was searching for my ad, I'm like, why are there only like two ads, because this is a huge thing, there's usually pages of ads, and I'm like, I spelled it wrong. And then I went, wait a minute, I wonder what happens if I intentionally misspell things, kind of backing away from the mic there, but I'm just like intentionally misspell things. This is a great technique, people misspell things all the time on Google, and you know when you do this, Google at the top says, did you mean to say mesothelioma with the proper spelling? Doesn't matter, it's too late, the ad has been delivered at that point, so I put in the incorrect spelling of mesothelioma, and you'll see that this $40 ad comes up. Now there's a couple other people that might have legitimately misspelled, but for five cents on a $40 keyword, right there, I got this ad cheap, all I did was misspell a word, and I saved $39.95, so it's, it works, I don't, so there's proof, I don't make this stuff up. I told you this would be fun, there's some of this stuff's good stuff. Let's see, let's, oh and actually for logical purposes, if you just want to play with that and track it, I would make a separate ad group, like we talked about earlier, logical unit, with misspellings to see how they perform. You might be really, really surprised, because people are obviously looking for that particular thing, and if you're the only ad they see, you might actually get a higher click-through rate on misspellings, which is kind of ironic. 
Another thing is to use proper names, this is kind of, most people probably would have thought about this, but like if you work for Coke and you want to get somebody who's searching for Pepsi to see your Coke ad, you know, use Pepsi's name. There's copyright issues here, and I think there's been cases in the past. There's nothing that stops you from doing it. If you work for Ford and you want somebody searching for a Chevy S10, and you want to put in an ad for your Ford truck or whatever, something like that, you use those opposite keywords to get the people to see your ad. So keep that in mind that you can use stuff. And this example, now this is not a very good example of that, but I just, just to prove the point I put in America Online is my keywords, and you see owned by the DDP ad comes up. Now I really, no offense to any AOL users, but I really don't want the AOL users, so I just put that up just as a proof of concept that this actually works. Again, no offense if you, but just to prove that it works. And I actually noticed this in the hotel room night before last, and I found this funny, I hope you guys too, totally by coincidence. I did this as a proof of concept just for the fun of it, and you see my ad over on the side, the one above it again, eBay. They get every keyword, no matter what. But notice what the AOL at the top, the sponsored link, they're paying for that. If you click through that AOL pays for it. But look at the first actual search result. It's AOL. Why are you paying to get the top spot and being charged for a click through when you're already number one on the list? Where's the logic in that? So make sure you always click on the one that charges them. I'm sorry, I didn't say that. I didn't say that. I did not say that. Make sure you don't. I misspoke, I'm sorry. What else? 
Oh, for example, I used the name of another hacking magazine to trigger ads for our hacking magazine, which I have a couple I'll give away at the end of the talk as well and some stickers to give away if you want to come up afterwards. And again, AOL, so I mentioned that. So some of the other tricks, use Google hacking techniques. Now this is kind of funny. Somebody might want to go over to Johnny Long, 7 o'clock tomorrow and let him know that this can happen. But basically you can use Google hacking techniques to catch people that are Google hacking. Google AdWords techniques, excuse me. All it's really doing is searching for a literal string. And I just picked one example, a very common one, finding index of password to find password files. And notice that it triggered my ad over there. You can actually trigger people and find people that are Google hacking. If they put that in and try to find it, I just triggered an ad for them. So you can actually catch people especially and again, the new site targeted thing is very new. But if you start site targeting it and you see who's attacking what site with what Google hacking techniques, which is kind of an interesting combination. So it'll be interesting to see if they do anything about that. Also, let's see. Oh, it's actually if you go back, if you think about, this is just, again, a made up example, but I came up with the idea of wouldn't it be funny if you put an ad over there to like a coupon code or something on your site or a secret URL that you don't publish anywhere else that you know and basically set up a honeypot using Google. Anybody that's hacking Google, anybody that comes to that site, you know they got there because they were trying to hack your site. You know they got this coupon code because they were out trying to get into your site and you gave them this coupon. So you really set people up and really draw them in and entrapment I guess is the word. It's honeypot, honeypot is different. So, yeah. 
And yeah, so and another, the next thing is data hiding, which could be a whole presentation in and of itself. I'm just going to skim over it. It could be a very in depth topic, but it can be as simple as passing a hidden message to somebody, giving them the keyword to search for on Google. And I mean if you see that's a big 80, I don't know how many characters, this is a message for DEF CON attendees only improved. I didn't get any hits because, you know, that's not a keyword that's not out there somewhere, but it did trigger to your ad. You can use any gibberish any kind of string, any characters that you want up there and deliver a hidden message. The only person who's going to know it's, I mean who's going to accidentally type in this message is for DEF CON attendees only as proof of concept of whatever I wrote there. Not many people. So you can pass just plain text hidden messages that way, which is kind of an interesting thing. Who knows if people are already doing that? You know, I'm not going to, I don't want to use the T word at a hacking convention, but anyway, terrorist. Who knows what they could be doing. Anyway, come on some of you didn't know what I meant by T word. I had to. So yeah, passing messages right under the public's nose. Again, unless they know what they're looking for, they're not going to accidentally stumble. So it's fairly safe. Again, you probably don't want to put passwords or anything. Credit card numbers ain't stupid like that on it. But if you wanted to pass secret messages to people, keep in mind it's an 80 character limit to the keywords. So you might be able to put maybe a public key or something like that in there or it could be a password with no URL. The person has to know the URL ahead of time. And if you change the password, they just always know to go look here, for example, things like that. Or just any kind of secret key. I'll leave the application to you. But there's a lot of stuff. 
I mean, I'm sure some of you can already kind of think about it, but not that I condone this word or zero day announcements. What's that? Warez, where? I'm just saying it could be done. Once again, don't do that. Just saying it's possible. So and yes, if anybody wants to memorize that real quick before we go on to the next slide, there is a hidden message on that URL. Just for you all. Again, data hiding. You can't talk about data hiding really without steganography. Again, like I said earlier, whole presentations could be done on that. But basically, I'll just read the Wikipedia definition and I think a lot of you already know it and I don't want to talk down to people. But basically, according to Wikipedia, steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message. Generally, when people think steganography, they think hiding stuff in an image or a graphic. That's not necessarily the case. I just want to throw that out there. It can be hidden in text, hidden in images, hidden in music files, deals with least significant bits and how you can take advantage. But again, that's a whole another topic. So just the simple fact that these, you know, far as you know, those are images. As far as Google knows, those are images. But they're not just images. I actually did hide them in there. Yes, they're on Google. Yes, Google accepted them. They do not know that there's hidden messages that I've used steganography. How could they? Because I actually can password protect the information inside of it as well. And this is a tool called PUF 1.01. Just there's tons of steganography tools out there you can try. This one was quick and easy. I grabbed it and allowed me to password protect it. And you can see that that is pulling stego.txt, a file that I created and inserted. 
And if you press the key, you'll see that basically it's just a little text file that I put inside of the image that says DDP owns Google AdWords. So once again, it works. Also just, I don't know if anybody else is the level of geek that I am, but yes, if you count, you see it says 24 bytes. If you count the letters and a blank space is a byte for those of you there are 24 there. So that is, I didn't fake the picture in any way. There's your proof that there's kind of a checksum there if you will. So the only other thing is there is a limit to 50k for the image size. So keep that in mind. You can't, you know, upload an ISO or anything like that hidden inside of a graphic or anything if you're thinking all crazy like. Well, a small ISO maybe. But again, I just put in text. You can actually put another image in. You can put in any binary file. You can put in a URL to a hidden site once again. Maybe put the URL to your hidden site using steganography into an image and then the password using that other hidden keyword and all you got to do is email the person with those two things. They know to Google for the two of them. They know how to pull them out. You can absolutely, without a doubt, pass all kinds of hidden information through Google, the biggest site again on the entire global interweb. You can pass stuff under the entire public's nose, millions and billions of people and they'll never see it. Really, really kind of scary. It's really, again, application of that. I'll leave to your imagination. This is another, this is probably my favorite slide. This one made me laugh once again. Misleading people. Misleading people. DEF CON official site. You see the ad that I put there? Don't tackle me or anything. It's just a joke. Don't send security up here after me or anything. DEF CON official site. I swear on the DEF CON official site. It even says defcon.com on the ad. You see there on the right. On the left-hand side you see, and this is just built in. 
They just give you this. This is not like a big hack. They give you this. The display URL and the destination URL. And you see the one string I have DEF CON official site. And when you click on it, it doesn't take you to DEF CON. It takes you to stankdog.com. So this example is funny. I think everybody in here also knows what the word phishing is. How dangerous would this be to somebody who wants to go phishing on Google? I could have easily made. I could have easily made. And again, this proves that it's a joke. Keep security back. This proves that it's a joke, but it could have very easily. I could very easily have ripped DEF CON's page. Put it up here. People wouldn't notice the URL. I'll actually just stankdog.com or DEF CON with two Ns.org if I registered something close to it or something like that. Made it look exactly the same. But when you submit to buy, I don't know if DEF CON doesn't sell you. So this is a bad example, but I could put, I don't know, Citibank, yes. And prompt them for their credit card number, password, just any site that sells anything. You know, have them click through, buy something. I get all that information. It really is incredibly dangerous. The potential for fraud for this is horrible. And this is something that I hope Google, I don't know what they, yeah, there's something they can do about it. They can not give that option. This is something that Google really absolutely needs to address because this could be devastating to a lot of people. Because everybody in this room, yeah, okay. Everybody in this room wouldn't fall for phishing emails. I'm sure nobody's ever fallen for one of those. But a lot of people do. And if they fall for the emails with the misspellings and all caps letters and they're sending money, they're gonna fall for this. I mean, come on. This is even more effective because they trust Google. So actually that trust is working against them. So, yeah. So credit card stolen. 
Our email is, our email system's undergoing maintenance, please enter your password. Again, possibilities of that are endless. And again, you're phishing on the largest pond on the global interweb. So that's really about it. You know, the final parting shot at Google because of this was, you know, never piss off a hacker. Really, and that's what they did. I felt kind of offended. I tried to talk to them like adults. They kept, this is my pet peeve. Don't keep cutting, pasting the same terms of service back to me every time. I got it the first time. I'm trying to explain to you that I don't exactly fall into hacking and cracking. You need to check this out, Mr. Dog, because this is our terms of service. I got it the first time. Don't send it to me again. Will you please, do you realize that you do this, this and this? And eBay's allowed to use it. Please note, our terms of service, section three, part, I saw it the first three times. Stop sending it. So maybe, man, never piss off a hacker. You can see, you know, and I've already basically talked about this, but this is a step through. There's the ad that you create. There's the actual keywords. You put it in quotes. You can use Google hacking techniques, by the way. I don't know if I mentioned that earlier. Putting things in quotes, using plus minus signs. If you don't want, like for example, 2600 magazine. I don't want 2600, Atari 2600 hits people getting my hits because then it lowers my click-through ratio. You put a minus in front of the 2600 or put a minus in front of games or minus in front of Atari to eliminate those. You can use Google hacking techniques in this. So keep that in mind. That's very handy. And that's how you, for those of you who are thinking about this from a business standpoint, use negative keywords and you can isolate and start targeting your hits and increase your click-through ratio. So that's a good thing to keep in mind. 
So yeah, that's the ad itself and these next couple slides go pretty self-explanatory. When I search for Google, really sucks. You can see the logo there. You know what day. Somebody wants to do some research that I took the screenshot too. And basically, up comes the ad. So, you know, this is, again, this is me being silly. Just, it's kind of a fun presentation. It just says Google owns, you know, DDP owns AdWords or whatever I put. I don't even remember. But not only is this instantly embarrassing for Google, but it could be for anybody. And I'll refer back to like, I'm sure a lot of people here remember, maybe a lot of people here remember the FordSucks.com controversy and stuff like that. This is the new way to protest. This is how you're going to be able to go out there and put, fill in the blank sucks and put an ad that you're going to see to millions and millions of people. Put a minimum daily limit on it of a nickel so that nobody will click through it or whatever, you know, so you don't get charged for it. But you can put that protest up and get a lot more people seeing your site than you would if you just registered the site, you know, and put it out there. So, this is really the new way to protest. I was thinking, I don't know how much you could get in that little space, but remember the DeCSS, DeCSS where they wouldn't allow you to share that code, that information. Go out there and put it on Google. I mean, you can, you can't stop, I have a phrase I use on the show a lot that I'm not going to do up here, but you can't put stuff back in the horse, is my saying I say on the show a lot. Once it's out there, you know, and you can use Google to get it everywhere. I mean, this huge search engine, take advantage of stuff like that. I mean, I can say that, that's safe, right? Take advantage of Google for what they give you. There's nothing wrong with saying that, just not in a negative way. 
So, oh yeah, and this is actually, I added this kind of at the last minute I was thinking about this too. Earlier I mentioned you could use keywords from your competitor to put ads, you know, to draw people away from that topic. You can draw them away from that topic. Well now with this new site targeted, and because I haven't had time to play with this yet unfortunately, with this new site targeted stuff, you can actually target that site with that ad. So if Coke.com uses ads provided by Google, they probably don't know. I don't know, they might. If they did, I can start giving them ads as from the company Pepsi or any other, again, made up example, but pick whatever your competitor is of your company, whatever you work, and you want to advertise a company, and you want to get ads from the other person, and they use AdWords, site target your ads over to their site, try to pull people away. We are cheaper than these guys, come to us, you know, and give them the URL. So that's kind of a dangerous thing as well, or this site is fake, don't give them the information, and you could be real mean about the whole thing. Give them a link to the Goatse guys, somebody mentioned anything. Which, so I'm hoping to make it through the weekend without seeing that please, somebody help me please, or the weightlifter. Yeah, score. So anyway, yeah, that's pretty much it, just some parting ideas again that the ad can actually carry more information, whether it's URL, whether it's some steganography I talked about earlier. This is something interesting I just found on July 4th, makes sense. At the top on special holidays, you can click on that link, and like for July 4th, I think it was, I have it written down, it is Independence Day 2005. When you click on the image, a lot of people click on that. If you own a fireworks company, put that as your keyword, on that one day, everybody clicks on that, it's going to get your ad on there. 
You sell American flags or something like that on a patriotic day. You're having a big Easter sale or something like that. Whatever the keyword that Google uses for that day, you're going to have a 24-hour huge traffic that you're going to drive people in. That's probably something that larger businesses would take advantage of, because they want to get as much publicity as they can for it, but that's another kind of interesting technique. It wouldn't make sense for me to do that again from my magazine on that. I'm going to get a bunch of hits of people who aren't interested in it. But if you own a big store like Amazon and they want to draw people in, that would be a good technique for them to use. So make some mad money that way. And yeah, Google offers ads in text or images, like I said earlier for the steganography. And also one last little thing, and this is kind of going into AdSense, which is not what this is about, but because they're related, I just want to mention that your ads are targeted to whatever the topic of your site is, whatever keywords are used for it. So theoretically you can make a page on mesothelioma, write an article about it, keywords with it, and then put Google AdSense on it. And it's going to get hit by Google and if somebody clicks through it, you're going to get a percentage of that 40 bucks when they click through. You can get as high as 50 or even higher percentage. You can make 20 bucks. And it's very, very sleazy right there. I definitely don't want to do that. I really don't want you guys to do that, but I thought that was interesting enough to mention, you can make, at least not for mesothelioma. You know, that's something serious that people really might be looking for help, so I'd hate to see somebody take advantage of that. But if you wanted to make it for some site you wanted to protest or some site you really had issues with or something like that wasn't, I guess it's all going to be hurting somebody somehow. 
But I'll just back away from that topic, but you can see what I'm talking about. You can make them click through your site, make it whatever topic, and you can get the money back from that. And I'll just leave this as an open-ended, what if you put your own ads on a friend's site and they click through it or wrote that script we talked about that automatically clicks through and pays you every time they click through, the potential is there for abuse of that as well. So that's it. You can game AdSense by using AdWords as I just described, and that's it for me. I don't know if we have enough time for questions or five minutes, if anybody does, I have a couple of people who have questions. Before I go, if I may, thank you. Before you all take it, I do want to send some thanks. Of course, thanks to the DDP, all these guys have helped me do a lot of this research to Decoder. If anybody knows Decoder, I'm still thinking about you, Decoder, and I know you might not see this for a long time, but I'm still looking out for you. Everybody at Benref.com, there's the pimp for the site I was looking for earlier. Benref.com is the main site. Stankdog.com, my personal, if you want to go check any of those out. To DC305, my local DEF CON meeting, FL2600, my Benref 561 meeting, some of which are here today. And again, required by Google, I am not associated. Google AdWords is a trademark of Google Incorporated. I am not affiliated with them. Please don't sue me. Does anybody here work for Google? I'm like you didn't admit it anyway. So that's it. Don't be evil. Thank you very much.