 Hello everybody, first of all I'd like to apologize to my friend Gene for last night. He did his best, but I still ended up sleeping in the hallway. All right, I'm Sysmin, this is Marklar, we're from the Hacker Pimps, and we're going to be doing a presentation on attacking information gathering systems. So these are systems that collect personal information on you, and we talk about different ways that you can protect yourself, and also about doing research like new cool technologies. Often we end up buying the next biggest coolest thing without much attention to what it could be doing, and a lot of people just don't care what it does. By the way, we have 91 slides, so we're going to try to not kill you with them. Some of this stuff that we talk about will probably get you in jail, so just keep that in mind. So why would you want to create systems and make them unreliable? It seems like the opposite of what we should be doing, but some of these systems are out of your control, so they have your personal information and you have no control over that. I mean, every night when you go to sleep, your personal information is sitting out there somewhere, and the people that are in charge of protecting it, they don't know where it is either, and most likely it's painfully obvious to get to. Technology changes everything, and while we were working on this project, Mark said something very intelligent, which is really rare for him, and he said, we were talking about why this was such a big issue, and he said, we don't have new problems, we have new technology. So if you think a couple hundred years ago, if the technology was there to spy on citizens, it would be used, and now we're getting to the point where we're throwing our privacy away. We seem to like having our freedoms. We trade that for cool factors. Okay, I'm going to turn it over to him for a little bit. 
So I'm going to talk kind of about the theoretical, why do you need privacy, and maybe some ways that we can start talking together on how we can get some of it back. And I was rather upset a few weeks back. I saw on Slashdot somebody put an article out there saying, I'm going to debunk the idea, why is it that I need my privacy? I'm not doing anything that's wrong, so who am I trying to hide from? And I was upset just kind of because he didn't really answer all my concerns, and I thought about it for a while. And I came up with this answer, which is, obviates everything else. I have nothing to hide is the comfortable position of those who are not marginalized. And here's some people that are marginalized. If you have excessive pain and you can't get your doctor to prescribe reasonable medicine to you, if you're gay and you're in the military, 50 years ago, if you're a gay, period, you're getting locked up and beat by the cops and stuff. Or do you just need to express unpopular views that would... Do you need to express unpopular views that would risk your safety? Are you a whistleblower or a security researcher? Are you trying to look up risque porn that you don't want your parents to know about? I mean, we need our privacy and we're putting it on MySpace and that's fine, but what about keeping what we have? So I was thinking about who is watching me if you don't think it's enough to not care. Well, we've got the executive branch and right now they're signing national security letters where they can subpoena your personal business information and you can't tell anybody that they took it or if you probably will never know, there's no court oversight. And speaking of... Well, and then we have the Department of Justice. Two years ago, I saw Alberto Gonzales get up in front of the Congress and say, if you want to pass laws about how to run the Iraq war, we will listen to your advice. So he said up front, we are a lawless executive branch. 
And so we have the other executive branch. Of course, this is Futurama's mom and Mr. Burns. The lesson that we learned a couple years ago was that AOL had a stupid executive. It's not about being malicious, he was dumb. And he took 600,000 people's search records and put them in a tarball and dropped them on the internet. And if you know where to look, that stuff is still available. And then we have DoubleClick, who is being acquired by Google, which doesn't make me very happy. And we have the other imaginary judicial branch. This is out of order. Anyways, I don't know if you guys have seen Harry Potter, but I was really struck by Professor Umbridge being a very close clone to Harriet Miers. And it's funny, but it's frightening too. The blurb here, she actually said this, the president is the most brilliant man I have ever met. Meanwhile, he was looking at a picture of a banana. And so we also have the branch, which must not be named. And, you know, I forgot something here. The previous slide we were talking about the judicial branch, well, okay, so when the government wants to spy on me because I'm a citizen, they have to get a subpoena. Well, they have to go to a judge and get approval. Well, the FISA court, that's who does that. And they turned down about six requests in 3,000. So they're not really overseeing anything. So who else do you want to protect yourself from? And let's talk, you know, Jesus said the neighbors, the one, the Good Samaritan, the one that helped out. So we're all neighbors, right? Well, inversely, everybody in today's internet connected world is your neighbor because they've got access to packets. And there are blood suckers out there. And, you know, we don't know who's looking at us. And so we just need to be thinking about it. And then we have our nosy neighbors, which is just the guy that lives next door that saw your open share on your wireless that has your bank account records and letters to your mother and your bestiality porn. 
And whatever it is that you're concerned about. And then your good neighbor is the accidental lawyer. You know, somebody I saw again on Slashdot because I'm kind of like that. I read it a lot. And there was a thing about on HGTV, they weren't encrypting all the channels. And what you're watching shows up on your neighbor's TV as like, you know, channel 1000-1 instead of just 1000. And so even the stuff that people that aren't malicious, they're seeing your stuff. And so we need to be thinking about it. And so I said to myself, well, Nate, of course, said something to me, which was great because I'm looking at the privacy situation we have. And so there's so much arrayed against people that want to just live in peace by themselves. And so, okay. I tried to think to myself, what is the best target that we can come up with? Because who's taking the snapshots? And we were talking about DoubleClick and we got Google. And there's one thing. Whoa. But web search is if you can get a list of everything that you search for, that's kind of a record of stream of consciousness of your thoughts. We've been, you know, just put, we randomly type things into Google and it says something really deep about us. And so Google is the obvious target because every 60% market share, blah, blah, blah. So here's the vectors that when you're just using a web browser, we have your IP address and your cookies and your sessions and your browser add-ons and your flash and your Java. And these are the parts that we need to be concerned about. And so I thought, how can we try to address all these things? And the reason we need to is you can't just turn everything off. If you get rid of your JavaScript, then the web becomes unusable. The things that make it useful are the things that invade our privacy. And so the first order of business, there's probably three or four or five presentations today just on Tor. 
And it's a system where you proxy your web request through it and it hides your IP address from the website you're trying to reach. And so that's a good tool and we've already got it. And then the problem with Tor is that this doesn't deal with your sessions, it doesn't deal with your cookies. And so I want my cookies and I want my sessions because they help me, but I want to be able to go into kind of quiet mode when I want to look up things that I don't want the world to know that I'm looking at just because, yes, last night. Oh, it was fun. This first one is obviated, you know, turn off your automated search completion in your Mozilla web browser. Well, that's once you turn on Tor, that's shut off. It just stops working and then blocking your cookies. One simple step that we can take is if you can just press a button that says right now, the browser can't talk to my cookies. And so I haven't written the code for that, but it's an idea and it's something that I do plan on doing. And then we also have on iMilly.com, there's a Google cookie anonymizer. And that's helpful, but I thought this turn off your cookies is a more general solution because we're not just dealing with Google. We've got Yahoo and whoever you're using. And then the next part is I propose a plug-in to Firefox. I don't have the skill to write this myself, but it's a proposal. And I call it a P2P web search identity diffusion, which is the ability to hide in the crowd when you're trying to search. And I'll be up front. It's nifty and it's helpful and it's insufficient. But this is the outline of it. Basically, when you do a web search, then you put that into a P2P network and then a certain large number of people also pull down that search. And everybody does it. And you order yourself randomly in the search so that it's hard to tell who originated it. And that diffuses your identity and it's not sufficient. 
And the reason why is because we have this aggregate picture and if you don't look at something often, then it looks like it maybe wasn't you. But if you're always searching for your Swedish bestiality porn, I'm sorry I'm revealing too much about myself. But if you're always doing that, you stand out from the crowd. And the other problem is that the model of the internet changes over time. So I want to give some examples that it's more of a population aggregate than a single person aggregate, but it illustrates the point. Sometimes things aren't what you would think they would. I looked up sheep sex. And the top countries are Ireland, New Zealand, and Australia, UK, United States. Nobody is really surprised by that order because that's where all the sheep are, of course. And so I also looked up goatse because it's not really goats either. But I thought it was quite fitting that Finland is five times further out than the nearest competitor, which is very appropriate given that that's where Linus Torvalds is from. Anyways, so this is another interesting thing. I want to talk about why it's not what you think. I looked up stocks and nobody's surprised. United States, Canada, well India is a little bit, not what I thought, but it's pretty much what you think. But you change one letter, you look up stock and it turns into Hong Kong seen before, India. And so for some reason they're all searching for stock and we're all searching for stocks. And so I just wanted to point out that this is what gets revealed when you can see everybody's web search is this deep look into how people do things. And I'm not sure I really want to be a part of it. I'm a voyeur. I'll admit right up I like looking at this stuff, but I don't want me in there. And so this slide here is just because I'm going to use the terrorist word several times and I'm not planning on blowing anything up, but I just wanted to, in case I flag the TSA people or whatever. Okay, let me clarify. 
I didn't mean to say that I'm not planning. I'm not going to do it. I haven't even thought about how to do it. I just want to put that disclaimer here. So I looked up terrorists and this terror issue is so apropos to our lives right now. And I want to use this as an opportunity in the middle of this privacy thing to give a little speech, which is that maybe it's not quite how we think it is. Obviously we're being taught to fear terror and terrorism right now. And so obviously we're not surprised United States, Australia, United Kingdom, our top three allies in Canada are the top searches for that. But it's kind of a little bit self-centered to think that we should be so concerned because we're not the ones getting the terrorist attacks right now and there's lots of them happening. You look at terrorism and it turns into Pakistan, Morocco, the Philippines, Singapore, and these are places where there's real-life terrorism happening today. And then I was really shocked by the next one, which is that if you look up instead of terrorism, you look up terror, you get something that's not even on our charts. It's not even on the radar screen. Peru, Mexico, Chile, Colombia, these are Spanish-speaking countries. Peru, I was like, what the hell is Peru doing at the top? So I go and look it up and they have the Shining Path Marxist Maoist group that is wreaking havoc and they've been mostly tamped down, but all these three slides are from 2007. I didn't do the overall year search. And so I just wanted to say maybe we should change our perspective a little bit and think that we don't really know what's going on in the world because it's a big world. And so this is just to say what the fuck is Peru doing at the top of the list. So the point of this talk is to say two things. One is let's wake up. It's not like they say it is on the news. And the second, my real point, is that diffusing a query source isn't sufficient until n gets pretty large. 
And so if it turned out that millions of people were using this kind of a system, it would be helpful. But until then it's not, which is kind of a hard thing to start up. But our purpose in this talk, and I'm about to turn this over to Nate, we're really here to start a discussion so that we, because I don't hear people talking about these things in public and I just want to see if we can talk about it and help the situation. And I think that's the last one. This isn't, I have no idea. This isn't my slide. That was mine. So, oh, can I do this? This will just take a second. This is funny as hell. I was putting together my slides last week, and this was the first time I ever saw this screen from Google. It says, we're sorry we can't complete your search because you look like you're a virus. Type in these letters. And the reason that it was interesting was because I was searching through Tor and somehow that means now I'm trying to protect to hide who I am and now that means I might be a virus. And really they're just trying to stop me from doing it to make it a pain, is my opinion. Of course, I was talking to a guy last night. I'm really ignorant about some of these things, and a guy tells me, no, Google is used all the time for doing virus stuff, but I still don't see why it's such a big deal. Somebody might disagree with me, and I'd like to hear your view on that. We're going to be in the Q&A session later and let's talk. But why it was really ironic is if you look up here in the corner, the search term was Bill of Rights, and that was the first time I'd ever seen this page on Google. And this is Nate.
Alright, it's going to seem like we went out of order a little bit and it's not just because I was hung over and messed up the slides, although I did that too. We just kind of wanted to run through what we had to talk in like one chunk so we could get on a roll and like move along. I really think we need to start. 
We seem to be really concerned about our IP address and where we're coming from in hiding, basically not letting people know exactly who we are, but this focus is actually really too narrow. We need to look at the big picture. There's a lot more that's going on that's a lot more dangerous than just knowing where somebody comes from. It's somebody actually knowing who and what you are putting those pieces of data together. That's the ultimate goal of these information systems is to gather all this information to basically create almost like a dossier on you. So let's talk about who you are and you could say that, you know, I am a name, possibly an address, my social security number, my phone number. Data like that will identify me, but some of this can be used to steal your identity but in the grand scheme of things you may care more about what you are and having that identified. So there's many things that determine what you are. So whether you're male, female, your race, whether you're a porn addict, veteran, compulsive, masturbator, whatever you are, that's the stuff that we really need to be concerned about. And the scarier prospect is putting all this data together so they know who and what you are. So collected data is multiple things. It can be sold, it can be misused, it's correct. And if the data is incorrect, like let's say somewhere out there in this data, it says I'm a female. Now I can guarantee you, I can tell you that I'm not, but can you imagine trying to correct that in every single place the data sits? So when something is wrong about you, it can be almost impossible to correct. And when you talk about collected data you have basically two types of data, like anybody who is familiar with some of the information security concepts around aggregated and inferred data, aggregated data is data taken from multiple places. So it's matching things like your credit card, your grocery bills, maybe mailing lists for businesses. 
That data can be taken and put in one spot. Inferred data is taking data from multiple places and making assumptions. So basically you buy multiple packs of Sudafed so you must be cooking meth or you drive through bad parts of town so you must be buying drugs. These are inferences made on the collected data which that can actually be very dangerous. If you take that a step further and create a profile of somebody, you could actually say, you know, statistics show that since you watch shows and download porn and have diabetes you're 30% more likely to kill somebody. That's a statistic or something. You can take statistics and match them to who and what you are and come up with like crazy things. So you might be 40% more likely to be guilty of domestic violence. Now these are made up numbers, I don't know if that's true, but you get the point. So it's hard to have your own cake without people knowing, you know, who you are or what you work for. You shouldn't go out there and like post it all over the web. I mean that seems, you know, to make sense but people do it anyway. So you should decide, that slide shouldn't have been in here. So you need to decide what you want people to know about you. So some interesting things came about in the past couple years. Microsoft is working on technology to basically identify you through your web habits. So the way you type, you know, linguistics items like that. I saw this too. It's a stealth iris scanner. Can you imagine having a stealth iris scanner in a store? So it can identify, you know, I look at 40 items of clothing and I always go in and I buy something else. So I go over here and look at this but I always buy something else. You can actually make inferences based on that. That's something that I want. And if stores start using this technology they're definitely not going to tell you they're using it. It's only going to get worse too. 
Viktor Mayer-Schönberger just wrote Useful Void: The Art of, you know, Forgetting in the Age of Ubiquitous Computing. And that's, data sits and doesn't go anywhere. So unless it gets lost very badly. But so something that I post on the web, like say I rant about something on my blog, you know, 30 years from now, that data could possibly still be there. So do you really want to be held accountable for things you say? Like if you have like a drunken rage or something? I mean, I heard that. And also, when people think about privacy it actually affects your freedom of speech because if you're always worried about things being held against you, you're less likely to say what's really on your mind. Qui-Gon and myself did a talk at HOPE Number Six about future connected technologies and how these future technologies are going to end up spying on us. So I want to get to more of the other stuff. Can you tell? We already talked about that. So let's talk about systems in general, like systems analysis and attacking these systems. So I had a co-worker who told me that computers haven't changed since they were invented. It's just input processing and output. And I thought that was like very, very, well, it fit him. So, but basically you do, you have some form of input, some form of processing and some form of output on any system that's useful. So let's expand on that a little bit. So if you add a couple more components to a system, you basically have an input method and possibly some sort of storage. And then you have an output. So somebody's going to be making decisions based on that system. So when you talk about analyzing these systems, systems that are collecting our data, you may want to think about several items. So is what you're analyzing installed software? Is it black box technology or is it a system that's out of your control? And it definitely makes an impact on how you, you know, choose to go about analyzing the system and attacking the system. 
So it's not always necessary to know all the pieces of the puzzle to attack a system. You may only need one particular input device to create an attack surface. So you have to take an inventory of what you have to work with. So do these systems, you know, they're most likely going to have to interface with you in some way, shape, or form. They only take one to create a successful attack. So in the case of installed software, I mean, this is software that we buy and install on our systems. So we have a very large amount of tools to be able to analyze software that we install on our own systems. We have access, full access to our systems. But one thing you may want to really think about is reading a EULA. I mean, does anybody ever read a EULA? I didn't think so. Well, some of them are very interesting. And I think it was... I think Vista has like 23 components in the EULA that says it's allowed to collect information on you. Yeah, and it says, oh, by the way, we can collect anything else we want to. So, yeah, nice. So what is the purpose of the software? Take an inventory of the purpose of the software and know what it's doing on your machine. And then you compare the actions. So some of the concerns you may have over installed software is what files or what part of the computer is it accessing? Why is it accessing that? Is it a function of the application? I mean, if you're running a Windows box and your update is accessing your registry, that makes sense. But, you know, if you're using accounting software and it's like going into different parts of your system for no reason, that's definitely a problem. And ultimately, if the data never went anywhere, it really wouldn't be a problem. So is that data going to some form of third party? So use tools at your disposal to analyze the software. Communications, is the software spying on you? Is it going to send the data somewhere? Where is the data going? What protocol is it using and what is the format of the data? 
So say file access, what files is it accessing? Is it expected to access those files? I realize I'm repeating myself, sorry. And tools you can use. So if it's using standard, you know, network communications, you can use items like Wireshark, tcpdump, et cetera, to find out why your computer is speaking with, you know, some company or some other country. And for file access, you have lsof, Filemon, et cetera, depending on what platform you're running. So you can actually tie together the network access and the files it's accessing and where it's sending the data. And is the software open source? Somebody may have already analyzed the software for you and wrote something up on it. Research for known issues. And keep in mind that, you know, it's installed software, so you put it on your machine, it's probably going to have a large amount of access to your machine. What about black boxes? So black box technology, you're going to definitely want to read your agreements and other documentation for the black box. Know what the function of the device is. What medium does it use to transfer data? And what interfaces does it have? So you're going to have a significantly lowered attack surface for some form of black box technology. And what type of information does the black box have access to? So if you take, you know, remember it doesn't have to be credit card data to be important and important to you. I mean, if your friends find out that you've like DVR'd like 100 episodes of Will and Grace, that could be actually kind of embarrassing. Is there some sort of visual or audio cues to the black box? Does it have activity lights? Does it have a hard drive that you can hear spinning at certain points in time? Are there times when the activity can be observed being heavier than normal? I mean, these are things we don't typically think about when we're analyzing systems. We get so caught up on protocols and we don't think about the kind of off-center analysis on these devices. 
And they can actually be a clue that's leading you to something more important. So can you put a device on the medium to listen for communication? So if it's network communication, that's fairly easy. You can put a sniffer in between the device and where it would be sending data. But it's a little harder when you start talking about, you know, different types of technologies, such as cell phones or, you know, DVR, things that interface with the television system. It's not impossible to analyze that, obviously, but it takes more expense and the tools to do so are more rare than just putting a sniffer on the medium. And does it have other interfaces that can be messed with? So if you have a DVR or a cable box, and obviously it has, you know, RF inputs, but there may also be USB or serial ports, you should look at all of those ports and see what happens. I mean, plug something in. What's the worst thing that happens other than you might get in trouble? So let's take an example of a cable box with a built-in DVR. So what information would that have access to? So it has access to television and movie data that you watch real-time and recorded. That's the obvious, that's the obvious one. But what about, what else it knows about you? Like your schedule. So if you basically take this cable box and DVR and say, well, it knows that every, you know, Thursday I record Jerry Springer and I'm not home because I'm DVR-ing it. If I was, you know, at home, I would probably be watching it real-time. So it can actually determine when you go on business trips and all other kinds of data about your schedule. And that's some of the things that we don't really think about. We get embarrassed about the television shows we watch and don't really think about all the other data that it really has access to. And the medium to transfer data, transfers data over coax cable. It has multiple interfaces. So you have IR, USB, serial, multiple coax inputs, miscellaneous video inputs. 
And it also has, you know, hard drive and lights. So what about systems out of your control? These are items at stores or, you know, so it could be, you know, credit card machines, reward systems, scanners for groceries. You're going to want to read any agreements or documentation or warnings. A lot of times these systems don't have agreements that you really agree to. It's kind of something that would be posted on a wall. Oh, by the way, if you use this system, you know, you give up all of your rights. Most likely you're going to have a severely lowered attack surface to work with. So you're going to have to identify the interfaces that interface with you and identify the data the system has access to. And sometimes the data is painfully obvious. So in a store it's scanning your groceries that you buy and, you know, your credit card and data like that. So let's take an example of a surveillance system with some form of detection, some form of anomaly detection. So the information that that particular system gets on you is identification information because it can see you. You can also get your location at a given point in time. The, you know, the transfer medium could be, you know, wireless or ethernet. And interfaces, it's going to have a video camera and it's probably going to be the only item that you have an interface to. So let's talk about actually attacking these systems. So the goal of attacking one of these systems is to affect its integrity and affect its availability and sometimes confidentiality. Basically making the system's data so it can't be trusted. Simply, sometimes, you know, systems can be attacked by just not using them. So the whole point of our presentation, creating unreliable systems, is if a data for a system cannot be trusted, then it won't be used. So bad data, bad decisions, unreliable systems. Somebody in the background is making decisions based on the data that it's collecting on you. 
So if you're, if you're some point of sale system, it's going to go back to either some analytics that's going to say, oh, well, you know, you've got 10,000 rolls of toilet paper and now somebody came in and destroyed it so now you got to get more. I mean, if banks had a tendency to lose your money to use them. So let's take a look at attacks. I kind of came up with a classification scheme for attacks on information gathering systems. So there's three levels. A level one attack affects the ability of the input device to perform its function. So an example of a level one attack may be destruction of the input device, disabling the input device, or cause a malfunction under certain conditions with the input device itself. A level two attack affects the accuracy of the data stored. So injecting bad data, injecting massive amounts of data, you know, you may possibly overflow the capacity of the storage media or just useless data. And that's another thing we don't think about too often as well. A lot of these organizations that collect all this data, massive amounts of data are worthless. It's the actual analyzed data, the end result, that's what's important. So if they have too much data to analyze for some reason, that can be a big problem for them. So ISPs, for instance, if they were required to log every single packet that went over their network and keep it indefinitely, that would be almost ridiculous. A level three attack affects the processing decisions of the system. So false positives and false negatives. So if you have cell phone monitoring, you know, you could say, hey, have you heard that new band assassination plot? They're the bomb. And I have this friend who seems to like calling me and saying he seems to always get the word nuclear in our conversation somehow and bomb. And I'm like, how do you even do that? And, you know, he's not even in the tech community, but he just thinks it's funny because he knows I'm paranoid. 
So I'm definitely sure my conversations have been recorded on multiple occasions. And whoever actually got around to listening to it was like, this guy is stupid. And then hopefully they turned it off and said, don't ever listen to these guys anymore. So let's take a look at examples. Now these examples are very simplistic. So example one is a simple security camera without an active watch. So it may be a security camera that just stores data on a DVR and somebody looks at it only if there's a problem. So the most likely your attack would be on the input device. In example one attack, you can either blind the camera or destroy the camera. And second is the data stored. So you can dress up as a giant banana. I mean, not that that's a very feasible attack because, I mean, how many giant bananas are going to be running around the city, you know? You have to have like 150 million giant bananas and then we all fit into a banana nation or something like that. Now example two is a security camera with some sort of active intelligence. So it would be making decisions based on the data it's collecting and analyzing. So the data it collects are movements and actions. So your movements and actions, and there's actually a few more too, like I said, you know, it could possibly be schedule that you're on. But the input method is the camera. The computer basically analyzes the behavior and there could also be a DVR back there as well. And the output goes to a monitor for human follow-up. So you can take out, you know, blinded or destroyed the input device and you can also falsely trigger events. It's kind of funny they're working on technology that will identify bad behavior in people and draw attention to it. And I really think it's funny because I cannot wait till cameras get fitted with this technology because I'm going to walk around humping the air all the time and just see how many times I can draw attention to myself. See, and that's stupid. 
If everybody did that, which we would all look very foolish, but it would actually defeat the purpose of that. And then I'm always wondering, like, what behavior are they looking for? I mean, could I just swing at the air all the time? And would it be smart enough to know that I'm, like, swinging at the air and not, like, you know, having a fit or something?
So let's talk about an RFID passport now. The data collected is personally identifying information. So we have the input method, which is scanner, computer, centralized database, monitor, and human follow-up. So what if one out of every five passports wouldn't read? And this is not the right slide. So what if one out of every five passports wouldn't read? So, like, say we're frying the, yeah, I know. Got it. Say we're frying the passport. So level one, if there was a way to do that, I mean, people wouldn't count on the passport reading. So we're injecting bad data. So, you know, if, you know, I was somebody else every time I went to the airport and it's like, oh, man, this stupid thing's always messing up. And if I told that enough, it would be enough of an anomaly that they wouldn't count on that data either. And if you think about, like, somebody that was actively going around frying people's passports in the airport somehow, you know, think of all the frequent travelers that would run into that and how many times they would see that.
Stealth-threatness scanner, same thing, personal identifying information, the input method, decisions based on behavior, central database, marketing and ordering information. So you could just be cool at the moment and wear sunglasses and that's a level one attack. Or don't shop at the store anymore. And that's also a level one attack. It's kind of a cheesy level one attack, but I don't care. I was tired.
So what can you do to avoid becoming a victim of some of these systems? You can avoid using the systems that collect data about you.
You can encrypt your communications and ensure you're communicating with who you think you're communicating with, which is something we tend to forget. We worry about encryption and everything else, but we never really check to make sure we're actually communicating with the person we think we're communicating with. You can analyze systems and filter unwanted traffic and contact companies and tell them you refuse to use their service anymore. We really need to start looking at all of our new technology from the eyes of a researcher and not so much as just a consumer with the next cool thing.
We can use a new discount card every time we go shopping so they don't have a specific set of data on us. Or we can create new... Oh, I actually... I was in like a CVS pharmacy and they always ask me, hey, do you have a discount card? And I say no. And they'll grab one off the shelf now. They'll swipe it once and throw it in the trash. So I don't know who told them to do that, but if you think about it, you can actually weed out certain types of people by doing that. So it's actually making their data more accurate.
You can minimize the use of your credit card, which is hard for people like me who travel all the time. It's just one of those things. You can leave as little data behind as possible. You can use encryption when instant messaging and encryption for email. You can also analyze your new toys for possible backdoor accounts, hidden communication, some of the things that we've been talking about already. And be aware of any technology that can track you and put you in a given place at a given time.
It's not about whether you're doing something right or wrong. It's about the fact that it's nobody's business. I like my privacy. Not because I'm doing something wrong. It's just because it's nobody else's business. And I realized that there was a lot of bestiality in sheep sex or whatever in our presentation. But that's your prerogative or whatever.
It's nobody else's business. Intrusive storage should be avoided. Remember, I already did that, move on once you have validated your data or your new devices.
Now, this URL doesn't work because the DNS got messed up. But it will work here very soon. We're starting a project called the False Life Project. And it's solely dedicated to creating, to fostering discussions in actually creating tools to defeat behavioral-based analysis. So we want to hear from everybody. So it's just a message board and we're going to have some topics. We're going to talk about different items and hopefully build the tools to implement some of this stuff.
And here's some email addresses. So if you want to tell us how bad we suck, feel free. Just don't send me any more porn in my email. And that's about it. I think we're going to the Track 1 Q&A room. So if you have any questions, please come by and see us. And thanks.