Welcome to the sixth annual DEF CON security job! You were supposed to shout free bird, you failed. It's not time for questions yet. Thank you. Room keys throw that way. Underwear that way. We're not doing that again. Give it a few minutes. Anyway, so this is the sixth annual fail panel. Welcome. The asses of ourselves and you. So thank you for coming. It would be much less fun if we didn't have targets. With the flapjacks, we are this year making pancakes, otherwise known as flapjacks as Chris mentioned. So half the money we raise through your generous offerings. We'll go to the EFF. The other half we'll go to Barnaby's family. There's all sorts of crazy sauces and yummies that will be put on the plate for you. You have no choice what you get. If you don't like it, tough luck. I want to introduce themselves as they do their spots. I have a quick fail before we let our next volunteer do their thing. I want to give the award to LogRhythm. Who was at Black Hat this year? Raise your hand if you were at Black Hat. If you were at Black Hat, did you stay at Caesars? Did you receive one of these lovely shower hangers in your bathroom on your shower at Caesars? Oh well, you got lucky then. The award for creepiest vendor at Black Hat this year. There's nothing like waking up at far too early in the morning or late in the afternoon and going to take a shower and discovering this hanging on your shower that says, think you're exposed? What about your assets? Because nothing makes me feel like wanting to purchase something from a vendor like being stopped first thing in the morning. In the shower, naked. Hey David, the guy who came in to do it in my room and saw me there and I guess he decided he did not want to go in my shower. So he just handed it to me and he ran. Richard, your slides done yet? I just started. Excellent. So, I'll go last. Okay, as usual. Can we look like we're professionals? He's searching Google for shit. He really is. He really is. 
I can go whenever you want. Excellent. He's using Bing. Well, actually, Bing Defcon and the Defcon Network, well, Bing that is Defcon and the Defcon Network, he knows that no one else is monitoring what's going to Bing so it's probably pretty safe. There are two things I like to do in private and both have Bing in the phrase. I think you scared Alex. Where's the Bing and Shizer? Or goat's teeth. Or goat's teeth. Are you ready? I'm ready. Okay, Jamie. Take it away. I got a mic, a mic, a mic and a no VGA. It wasn't me. You got too much plugged into it, sir. I got two fucking things plugged in. VGA? Oh hey, look at that. VGA. Please connect directly to NSA. So, last year at the fail panel, much like, this says poisonous mic, labeling here sucks this year. Last year at the fail panel, I did my slides on stage, much as Rich is doing right now. Hey, what are you doing? You know what? I could have done this with just preview, but I wanted to give you guys like a title slide so I could talk about how to discover that hotel internet is funny. We're not projecting what's going on. Now it's over there. Failing over there. Here we fail, there we fail, everywhere we fail. Oh, take it off. Don't be a cyber douche. You're blowing the circuit breaker. I can hold it. Okay, when you all start to see me shake, you'll know it's being electrocuted. In a round motion. Is that good for you, Chris? Alright, so last year I did my slides on stage and that was fun and all. This year I decided to be prepared. So when I got to Vegas, I still had no slides. They're having too much fun. Does anybody stay in a hotel? Anybody stay in a hotel that has no guest protection on its Wi-Fi? Anybody stay in a hotel that has no guest protection on its Wi-Fi? And I just lost my slides. I think we shorted the whole stage. I'm sitting at Caesar's trying to prepare for training with Rich. Did you guys break something? Yeah, we broke a lot. There's no... Hit the breaker down there. Is there a breaker? 
Or do we blow the whole room? Oh no. Anybody got a lighter? No, there's no power down there out there. Rich and I, we're sitting in Rich's room. We're trying to prepare, we're looking at slides. Out of the complete freaking blue. I have no idea. Alright, so you're just going to hold that circuit breaker open? Why is it still off? These are still off. There's no help. There he is. Half-cooked pancakes are delicious. Sometimes better than a fully cooked. You ever had one of those moments when you knew that somebody else was in your computer? You know, you got to Vegas and you forgot to turn on your firewall, right? Cause you know, failure, that's my modus operandi, bitches. I look over at my machine because somebody else's desktop is on it. Out of an abundance of caution, I asked our local Mac security expert, Rich Mogull, read his articles on Macworld. I can't keep the Mac things straight. The power is on on the fucking thing. Keep talking. Oh, okay. Please don't touch me there. Keep the costs, you're going. Out of habit, when I'm working at home, I have some large number of monitors in my office that exceed sanity. I habitually leave AirServer running. Cause you know, it's an easy way to take what I'm looking at on my phone or my iPad and throw it to one of the monitors in my office. Guess what? People will promiscuously join any frickin' AirServer they can in the hopes that it's the TV in their hotel room. I'm here to promiscuous. Jack Daniel wins on that one. Okay, so this is all funny for the moment. Rich and I are trying to scramble to remember what's the hot key for screen shot and grabbing phones and trying to take a phone picture of it. And then the music starts. So I've been fooling around with this and for reasons that shall remain not astonishing to anyone, I managed to lose a folder full of screen shots but I did catch this lovely one which is the guy troubleshooting why he can't hear his YouTube video anymore. I had perfect fidelity of it. 
So as a call to action, as a go out and stamp out cyber doucheery wherever, I will ask all of you individually and severally to please run AirServer. Configure your AirServer host name as capital A, small p, small p, small l, small e, capital T, capital V. If you're on a Mac, the keys you're looking for that neither Rich nor I could remember are command shift three. Four makes you draw a window, three takes it in the instant. Just because AirServer by default fills the entire screen, just keep hitting those three keys while they puzzle out why their video disappeared or their audio disappeared or share their corporate secrets with you because they're done. I'm going to say this, as years of a Mac user it is easy to be very secure, it is foolish to just depend on intrinsic security because look at me, I've got a genius to depend on. Oh, not Rich. No, not Rich. Although Rich is a different kind of genius, because he won't talk about it, anybody know who had 90 minutes to prep a black hat talk? First talk of the morning, 90 minutes prep and he killed it for an hour. There are no other professionals like that in our industry. So, my call to action, configure your AirServer as Apple TV. AirServer runs on Raspberry Pi by the way and screen shots, send them to me so that I can post them and we can all titter in glee. And if someone is so enterprising as to take my intellectual property and build such a device, please, someone make me a Raspberry Pi image that connects via Wi-Fi to whatever it can and runs as an AirServer as Apple TV and screen shots once every second. Build it, send it to me, I will give you all the creds in the world times one Majillion. I did not say that. Walked right into it. Can you do it? Can somebody do it? Is anybody better at scripting than me? Oh, you have a box that does that? You're going to make one for me? Can we offer him something in congratulations and thank you? We have half done flapjacks. That's not beer, man. 
Remember the rule, American beer is like sex in a canoe. It's fucking close to water. Awesome, thanks so much. You can get a pancake. Put beer in the pancakes. We usually do. I'm putting my tongue in his ear this year. Wait, you're not going to put your tongue in my ear this year? I'm out of here. Oh, with sexy results. Hey, Martin, want to try a pancake? Something broken again? There we go. Excellent. Let's hear what you carry over. How do I... Somebody find a really long extension cord to bring it to us. I'm sorry. I need to run over to Caesars. Jason, you do... Alright, just waiting for the other side. The box is looking really empty, so I'm going to put $100. That's it. Oh, that's a Canadian $5 bill, which is currently worth $5 US, because your economy... We have oil and wood, we can sell you. We should like some oil before up to the wood. It is a great value. Oh, here, you should put the buttery spray down there. It's a great value. Butter flavor. I would like some butter for my nipples, please. Also, could I get a little bit of syrup? Alright, so who's going to lick the butter and the syrup off my nipples? Chocolate, caramel, or strawberry? Strawberry. I don't want Canadians licking stuff off my nipples. I have standards. Haha. Why a fork? Any word on slides on this side? Slide schmides. They really want to see these though. Everyone lean over that way. In effort to get you guys moving along so you can hear from some of my other esteemed colleagues, we'll just do slides on one side while they work on the other. Yeah, this should be on the fail panel, right? The projector, fail. Hey! It's small. Wait a minute. That's what she said. I've heard that before. Mostly from Rich though. Alright, so we are so screwed. So a little bit about me. My name is Larry Pesce. I'm a penetration tester, hardware hacker, and I'm currently between jobs. 
My employer was supposed to send me to DEF CON to come give this presentation as part of the fail panel, and this is all stuff that I discovered while I was working for them, and they laid me off last Monday. But yeah, with an eight week old baby at home, and a five year old, but in any case tweeted and all that good stuff that I got laid off at 10:30 in the morning, and I had an offer letter by 7 p.m. and I took it. Where can we buy it? U-Porn. Wait, no. Alright, so based on the fact that I am currently technically unemployed, because I don't start with the new company until the end of the month, I had to do a little bit of redaction to sort of protect the innocent and the fact that I can't afford a lawyer right now because I'm not getting paid. But he has a lawyer when he gets sued. So to that former network guy in a past life many years ago, certified instructor of the SANS Institute, a member of the PaulDotCom Security Weekly group, and I'm also an extra class ham radio operator, which is completely irrelevant to this presentation. Right. Well, I also have kids. Right, Rich? Yes. So what is this whole talk that I'm going to talk about? So I had just changed jobs, really, and again, but I had just changed jobs into the energy sector. So I had been doing consulting for penetration testing in all sorts of industries, but was now specifically tailored to just pen testing and hardware hacking in the energy sector, which was a completely new thing for me. I had never done any work in the energy sector, so those all sorts of new terms and things that I had to understand. It was a whole new industry, and on day one of my new job, I was on a plane to a client site. Excellent. And after about six weeks we find out we're going to come do the fail panel. What am I going to talk about? And this was my impression of the energy sector, security in the energy sector, after about six weeks on the job and sort of why I think that. Alright, so day two on the job. Hi. Howdy. 
So day two on the job. You don't mind if I rub back, right? You know the rest of us have been telling this great story for years, right? Yes. Do you now understand why we are the way we are? Just wait. Yeah. But wait, there's more. Wait, there's more. He slices, he dices. Yes, and there's more pancakes. Flapjacks. Yay. The first time I ever saw Naked Man and Wireless Router was Larry. I had that picture. Wait, did you bring it? You have the picture but I have the life size cut out. In the basement and it has made many rounds around our house in various closets and you throw it in the closet, the pantry and my daughter goes and opens the pantry and goes, and then closes the door and waits for mommy to go to the pantry. Mommy, why isn't daddy's router bigger? Wow. Wow, I'm not even going to touch that one. It wasn't like this. Yeah, it wasn't like this. Small antenna. He had very small game. Yeah, more than yours though. That's all right. See, I don't even feel it. No, no, no. In order to understand a little bit about some of the reason why I think this whole energy sector security stuff is totally screwed, we need to understand a little bit about AMI and that's advanced metering infrastructure. Not the AMI BIOS folks. And yeah, I didn't know that on day number two of my job either. So I needed to say there's lots of new acronyms and all this type of stuff in the energy sector that I had no idea about and took a little bit of explaining but that's okay. So let's understand a little bit about AMI. Speaking in general sort of terms, no particular vendor and those types of things. So what we end up with is a meter on your house that reads usage, metrology. And that metrology now needs to be reported back to the provider, to the energy company. So they know how much electricity you're using or how much gas you're using. So that metrology gets sent over a network via some sort of mesh network or some sort of aggregation device. 
And that aggregator connects back to the utility which then connects to a system potentially in a DMZ which then the accounting folks then connect to from their internal network. So now you can start following the path from a meter to a host on the internal network. Great. So these are actual meters and or smart meters. It all depends on the type of device that are installed. So you can multiple different types of meters whether they be smart or otherwise. That do have some sort of wireless technology to be able to contact this quote aggregator. The first week on the job I got to pen test one of these aggregators. Alright so what did I find? Unfortunately crossing your arms doesn't hide the boner. And tweak that in two. Yes. Wait, wait, real quick. How close over to getting a rich mobile naked speaking boner? Sudo take off your pants. Password please. One, two, three, four. Password one. Password one. We'll save that. We need to get more money out of these people before I drop trou. We cross 500 in donations. Thank you people. Let's keep it going. Rich, rich, rich. Rich, rich, rich. Sudo. Do you want this or just now? I think your pants are worth $1,000 this year Rich. So I'm running for Congress. Quick, get your iPhone. Three ones a weiner. District five in Phoenix. District? I don't know. Wait, wait, let me back up. He loses the shorts. We get to tie Dave to a chair with his pants now. Oh, very good. There you go. So Rich, as an analyst, is this your first song you've ever released? No, that's a lot. I believe I may be the only person in the industry to drop my pants at both RSA and get pumped. Multiple times? Well, yeah. It's all about the multiples. You want pancakes? Raise your hands. That's what she said. All right, so speaking of boners, the first aggregator device that I got to test had ethernet and a serial port, externally accessible, winning. However, the ethernet was all shut down, all that good stuff. 
The serial port had a password on it, which was very good, highly high entropy on that password, so doing some brute force against it wasn't going to work for us. So that was pretty good. However, we can still observe all of the boot process and get all sorts of information about it via the serial port. And then we look and discover this other port. And yes, the Boner police have come for you. Yeah, so we open up this other port and there's an SD card inside. Yeah, what could possibly go wrong? Now this is a device that is hung on a telephone pole 12 feet up, so you just need an extension ladder to go be able to acquire one of these SD cards. Yeah, so great, SD card, but what the heck's on it? So the manual claims that it contains the operating system and configuration files for the device on a hidden file system. Yep, so by the way, day two on the job. Okay, so I removed the SD card and threw it in my Mac with the built in SD card reader. It mounted or attempted to my didn't find any file systems and like crap, hidden file systems, how they do that. So I made a dd image of the SD card, I couldn't identify any of the images on the ISO either, so no big deal, but I ran strings against that ISO image that I had taken from the dd and found all sorts of interesting stuff in what appeared to be configuration from the entire disk image in plain text. So great, hidden file system, unencrypted. Okay, so I put the image on my own SD card as to not damage the original. Put it back, yep, and moved the device over to my Linux workstation so that I could attempt to play with it. And I plugged it into an Ubuntu 12.04 system and it auto-mounted six ext3 file systems. On Windows it is. You realize at this point if the vendor will release a vulnerability they'll say it's hard to understand format so you're fine. Yes, yes, and I think that's why it was hidden. Yeah, at least it's not proprietary. Just you wait, just you wait. 
Alright, so I start going through the file systems and search for configs and I find that there is a running and a quote golden config. And when you change the running config on the SD card it detects that changes were made and boots the golden config. So I changed both. So I changed the running config, modified that, detected that it was changed on the next boot so it automatically started the golden config which I had also changed to include my own local user and password to one that I knew. So now I'm root on the system, insert, and by the way they were attempting to get away being able to modify some of those files on that SD card by using UNIX file permissions. So they were owned by root, but guess what? It's mounted on my file system and on my system as a file system and I am root on my file system so I have the right to change those files. So I did insert my SD card into the device, reboot it, and I now have a local user account on the device before TACACS accounting starts up because TACACS accounting has to wait for the 3G connection to start. So I now have full control of the device and the device contains Wi-Fi access point which connects outbound over the 3G and because I can configure it, well now I can set up routing and offer free Wi-Fi for everyone in the neighborhood amongst other things. Could I narrate the pictures? Well that's the point. Alright so the initial vendor response was, oh but you didn't use your high security mount for mounting this on the pole. Oh you mean the one with the big hole in it so you can still gain access to the SD card slot? No. And aluminum that we can take out with a curl bar? Awesome. So we contacted the vendor through our client and they said sure how about we just put a password on the config file? I'm not exactly sure what they meant by that but I don't think they were either. Well you can but how are they going to start reading it and then putting the password in memory? So include the password in band? 
Hey I like that. Not yet, right? Alright so when we talked to the vendor we said guys that was really dumb vendor. How about we maybe work with you on a contract to test your stuff before you deliver it to customers and they said oh well we have a team that does that for us. An internal team. Yes they must be awesome. If my calculations are correct you suck and yes I bet you all read that in Doc Brown's voice. Titty sprinkles. Alright so I finished that engagement spend a week back at home my 10th day on the job and back at another vendor at another customer and I'm pentesting a different device from a different manufacturer but with similar type of function so another one of these aggregator devices. This one was really well secured. Same thing for serial port no exposed SD card. Ethernet was fully shut down you name it. But in due diligence to the customer we asked them to log into the device for us and then we were going to review all the settings on the system and it was a Linux based system. So we wanted to review the Linux config to see if there was anything that maybe they had made some mistakes. Go figure. So Unix based operating system serial and Ethernet were externally accessible. Once we logged in we were taking a look to see what had been done for hardening. The first one was a distinct lack of /etc/shadow and all the passwords were in /etc/passwd world readable. Thank you. Yeah. So next what I'm like alright well let's do what I just did last two weeks ago and see if I can get a dd image from the system. So I started trying to do dd over netcat unfortunately the user that I was logged into the device did not have read access to the entire file system so it failed so I could not get my dd image to my local workstation after enabling Ethernet and all that good stuff. And it was also in I don't know what 10 years of pen testing is the first time I ever used netcat in a pen test. Yeah. Sorry Ed. 
Alright so starts looking around the operating system and find an application proxy which gives the user the ability to leverage privileged commands from a non privileged account much like the one that I had. And this sounds just like sudo to me. But it wasn't sudo. So they kind of reinvented the wheel. Again. Again. So the command has been obscured to protect the vendor. So we start looking at the output of the command for the app proxy. The app proxy the -A gives us the level of access needed sweet. The -C is the command that we want to run from a white list of commands. And the -P gives us the command line options to set command in the white list. Did you guys see any authentication for using a potential system level command in that whole setup? Yeah. No me neither. It didn't require any additional username and password much like sudo might. And just granted access to those privileged commands in the white list. However it turns out that the -P flag doesn't do any sanity checks or filtering. So you pipe the output from one of those white listed commands like ipconfig to /dev/null. And then you pipe another command that you want to do to it. And it executes it happily as system. Yay. So I get a copy of the image via netcat. Via this privilege escalation. And I start doing Uberly strings against the image and find a bunch of databases and database definitions that include commands such as create table, id integer, name text, salt text, password text, update date, date and the primary key. Name, salt and password. Great. So they're storing the password and the salt as text in this database. No. It just gets better. Now that said just pancakes? Pancakes. Anybody want pancakes? Flapjacks. Keep flapping those jacks. Yes. Come on, we want flapjacks. Raise your hand for pancakes. Raise your hand. Keep them up. Wave money if you want pancakes. Mainers still has his shirt on. Don't worry, he will get it off. Another few hundred bucks and that will go. 
Sweet. So I had no idea what database this stuff was for or what these passwords were used for but either way it's still not good because now I have access to the entire image. I have the databases. I'm from the vendor. Nice. So the vendor response on this one we're still waiting for a response and well I don't work there anymore so I'll probably never find out what the response from the vendor was. I don't know. I'm wondering why they ran out of D on their salad sign though. Tryer Asian Salad they couldn't find the capital D so they had to use the upside down P. I don't know. So here's the final fail. What, too much? Hey who wants pancakes? You can tell how many people here are not parents. That's nothing if you're a parent. Except the ass is a little bit bigger. This one was pointed out to me by my former boss who asked not to be named and helped figuring out some information about utilities and pictures and all that type of stuff and he sent me to Flickr for an interesting government agency that supports energy in Tennessee and I will leave it at that and these did get reported to said government agency and they removed them from their Flickr stream. However you know that saying what some creep has got copy of everything on the internet? Well yeah sometimes that creep is me so once they had already removed them I still had copies so once it's on the internet it's already there. You guys know that. So let's take a look at this particular case study. So here's a picture from their Flickr stream for their marketing purposes. It gets better. So I'll call out some specific things for you. So we've got a picture of a badge. We've got plant control software running on XP. We've got security video cameras and now we can potentially gather their locations and we have a gentleman by the name of Rick's phone number. Two of them. Well look you also have this nifty red jacket right here. Right right. That member's only. Might be. 
So wait you found the most advanced power plant in North America because they're on XP. Yes. Yes. If any of you think I'm joking look at my resume. Yep he's not. Alright so there was another picture on their Flickr stream as well. Sweet. What could possibly go wrong? Well a whole bunch of stuff. The flyaway book is their DR plan underneath a box of tissues because apparently it makes them cry. Is it crying that the tissues are full? Yeah it's definitely not the other one Dave. Trust me. So we've got XP in the background in the cubicle. We've got XP running on this big display and what appears to me being IE7. We've also got Tennessee Valley Authority. Seriously most advanced control room I've seen. Yep. And so this fine lady is sitting here taking a picture over her shoulder and if we look at the system there are three monitors connected to it. How can I tell? Because the background the desktop background was customized by her to look like a picture of family because we see legs at the bottom and it is the same on two monitors. So at least those two monitors are probably connected to the same system using the same windows background. I don't know what that is. But in any case it looks like there's some sort of plant control or plant monitoring software on one workstation. Yeah I didn't know. You don't want to rub it in too much. Yeah I don't want to rub it in too much. But we're doing some sort of plant control and monitoring on a machine that has access to Outlook. Hey that seems completely safe. And Office running the most advanced power plant in the country. Wait did you see there's a clock up here? I did. But it's analog. Yes. That means there's probably nothing we can do with that. Probably not. Except tell the time. No it's guaranteed incorrect relative to the grid. Seriously. You need to use something better than NTP. You want to find a cesium clock source? Find a power control room. They'll have two. 
And they're using a battery powered clock on the wall they got from Ikea. Yep. They have cesium source time and they're using a battery powered clock from Ikea. Or Walmart or whatever. And if you zoom into this particular picture this is Microsoft Word on the right hand side which is a procedure with emergency contact numbers. Winning. Alright so based on my six weeks of experience we are so screwed because we're in an industry that we are starting to tell them you guys need to like start at the beginning and stuff. Like by practicing defense in depth because you're not even doing that. 2003 called and they want their security program back. Yeah. So last year I brought you guys Afro Circus to make everything better right? Alright. So I don't have anything quite as bad as Afro Circus. I'm not going to plant the earwig for you guys this year. However I do have some Deadmau5 for you. But it's not going to be the earwig that I plant. It's the eye wig. Okay. So to make it all better Wait wait. Anyone want pancakes? No no it's okay. Oh alright. You'll want pancakes after this because you do not want the dry heaves. You'll actually want something to throw up. Because Deadmau5 is always better to throw up to techno. Wait for it. Wait for it. Donations for EFF and Barnaby please. I think I saw this guy at one of the DEF CON parties last night. Don't worry this is not the 10 hour video. I'm going to play the whole thing. Flapjacks anyone? I'm going to play the whole thing. And here comes the money shot. Let's see. Cats throwing up to techno always makes everything better. There's something wrong with us. You guys want to see that again? Alright. So with that who's next? I'd like to be Mr. Robert Graham. Mr. Robert Graham to podium. Mr. Graham do you finish your slides already? Do you need my display port adapter? You guys all need it. Thank you very much. You guys will never listen to Deadmau5 the same way again. 
So while Rob makes his way to the podium I'd like to give you some background about Rob. He's someone of a cheater. He broke the rules. We all like normal people do our presentations 5 to 15 minutes before this panel. Rob did his last week at home before he even got on the plane to come here. So don't be amazed at anything he talks about. It was all done a week ago. I didn't even pick a topic to like got here. Actually Rich is true. I assume you were Rich there at my right. I'm not Rich. That's why you're looking at my chest. Wait hey Jack how much money do we have and what part of Rich's clothes are coming off next? So anyway Rich seriously we were in the speaker room about an hour before the talk and Rich was saying what should I present? And then he was right here a few minutes ago furiously putting together slides. Hey just a quick update. We have raised about a thousand so far. That's 500 for Barnaby's family. 500 for EFF. Give till it hurts although actually the EFF and Barnaby's family. And give till it hurts even though we're making you hurt up here. Hey Jack don't go away. Because you know what I don't have a job technically because I don't start till the end of the month. But you know what? Here's 100 bucks. No. Would somebody go in the hallway? There's like 100 people out there who didn't hear the call to get some more money. Can we just yell it out louder out there? Because we got a really teensy teensy room this year and there's a lot of people who want to see. Who do we piss off? Everybody. I'm sorry everyone. Actually this was the panel room so all the panels come here that's why. So my talk I'm starting with this picture. So can we, I think we all know what this picture is. It's a gold plated fiber optic cable. And so the gold, this is a monster.com cable. They'll charge you like 150 bucks for it. And it's better than those mere $2 cables because it's got gold plating to make sure the fiber optic connection is better. 
What's this gold have to do with fiber optics? Is it oxygen free fiber optics? I don't know. Lead free probably and environmentally sound. And we all know the monster company they're marketing around this is that it gives superior lifelike sound. But this is a digital cable. The bits that come in are the same bits that come out. As long as that condition is true every cable is equal. You can't add somehow to the digital signal. Except for monster can apparently. Oxygen free cable. Please. Marketing. But Rob what does gold have to do with fiber optics? I don't know. This is sort of digital astrology that somehow we can add to the bits. That there's some magical mysticism we can add to the bits. And we laugh at monster but fewer of us laugh at television sets. So we all go to Costco when we go down the aisle or Best Buy. We go down the aisle of television sets and we sort of pick the prettiest one. But the thing is in the old days I guess in analog TV, and by the old days I meant before half of us were born, TVs were analog and yeah there was adjustments you can make to the TV to fix things. But with digital TV, digital is the same concept as the monster cable. Bits in. It's 24 frames per second. It's 1080p or 720p. It's 1080i or 720p. 24 bits per pixel. And that's the color. And there's no, any adjustment you make on that is degrading the color. You're not improving it. And so digital is digital. And so anything that it does to make a vibrant, optimized contrast in color it's making the picture worse. And that's why you get these TVs home and you have these nice pretty, in the showroom you have these nice pretty pictures with lots of colors and that color is really vibrant and you really like it. But then you go home and you try to watch TV on it and everything is crap. Like you're watching Star Wars and Darth Vader is this black blob and Luke is this white blob and all the colors are so saturated. And that's just racist. 
Can you get prescription Google glasses please? Because obviously you're not sitting close enough. But Rob, what does fiber optics have to do with gold? So you take a movie and watch it on your iPad or your computer monitor and it looks correct. You can see the folds in Darth Vader's robes. You watch the same movie on TV and you can't make out the details, and it really pisses me off because I've bought two TVs now that, no matter how many settings I go through, I can't get to what a computer monitor shows. So the factory defaults are the wrong defaults. The factory defaults are the color and the contrast and the sharpness and all this other nasty stuff with which they've distorted the digital signal. But it looks great in the store because I bought it, right? It may be... So there's this company called E-Color that produces, in case all the distortion already on your digital TV is not enough, they will sell you a box to do more. And you know, the preserving skin tones and colors and brightness and contrast, the same nonsense that Bravia or Tonya is advertising. And it's a simple device with just HDMI in and HDMI out, just going through some algorithms on an FPGA. Again, it's all digital, you run through some mathematical stuff on an FPGA and you're great. So I'm here to liberate these chips. You have these FPGAs in the service of Evil. So I want to liberate the chips. So now I'm going to do that and grab the... actually, can I grab this thing? So this is the box, you go on to Amazon. What's great about this is it's a $300 device. The FPGA itself is a $50 chip. But since in actuality these things suck and only morons buy them, you can always get them used on eBay or closed out on Amazon or something for like $10. So I've got three of these boxes for $10. Each. And so there's like all this crap in here and stuff. You don't want any of this crap. You've got the device, you've got the power supply, you've got the little remote control of the box. 
So yeah, and you have this device here and it comes with a little protective plastic because you want to keep it pretty because it sucks. You've got your little power supply, and the power supply you sort of need, but you don't need this other crap. And so this device, I spent a long time trying to get the case open so I could actually preserve the case, but it's all glued together so you just got to break it. And once you break it, it doesn't go back together again. It's just broken. So you have this device here and what you have is, it's really hard to see so I'm going to try to use the display here, Photo Booth. Let's try this. So you can see there's three chips on this. There's the HDMI in, HDMI out, and then there's the FPGA in the middle. Now as hackers, what we know is that every device in the world has a JTAG debugging port on it. And usually the first thing we do when we grab a device is go hunting for the chip pads, the pads on the motherboard, to go solder our connectors on. But luckily, these guys right here, you can see they already have the JTAG interface on it. So that's awesome. But Rob, what does gold have to do with fiber optics? These JTAG pins are gold-plated for enhanced sound. So what we're going to do is, we have JTAG, which means it's a back door to the FPGA chip. Could you plug this in on a power supply thing over there? It doesn't work. There's nothing over here that works. Let's take off one of those for a moment. That's fine. Okay, so this is now powered up. It's probably gold-plated too. For those of you who are new in the room, welcome. Bring money down here. Get your flapjacks over there. It sounds like you're giving money. Bring the money over here. Half of the money donated today is going to Barnaby Jack's family and the other half is going to the EFF. 
To be more specific, Barnaby Jack's family is trying to fly him home to New Zealand, which is where he's from if you didn't know that, so that's rather expensive. Oh, I didn't know that. So anyway, this is just a standard JTAG dongle attached via the USB port. So we just plug into the JTAG port, get to the back door. So we don't care about the HDMI interface and what the hell this device is. Other than it's evil, and we need to expunge the spirit. So we just... I've downloaded the Altera FPGA software. So all I need to do is connect up the chip, scan the bus for the device, and then... It's his first time. He's never presented before. So I practiced. That's what Dave was talking about. I practiced this to make sure I was getting it right. Now I can't even find the upload key. No, we can't give you beer for money in Vegas for some really weird reason. But we can give you beer and you can randomly donate money next to us. Michelle, it's American beer, so it is water. Also remember, Rich Isabel provided that dance. Those guys on the street, they work for me. Oh, come on. I'll get right to your room. I get really interesting responses when I show up to those rooms. I will not throw beer. Next time you need to talk to them. So I practiced this for two weeks, well, two weeks ago, to make sure it would work when I got to DEF CON. That's what he said. And all the applications set up and ready to go, all you do is plug it in. Rob, what does gold have to do with fiber optics? And it's not working. If you need a pancake, Jason has some, so raise your hands if you want a pancake. If you need technical support, I'm an analyst. Jason. So I had to plug it in the right way around. So what we see here, we've connected to the device, we've identified the FPGA chip, and a model number here. I downloaded this SOF file. That's the FPGA description, from the internet. There's a project up on GitHub that has all the Bitcoin mining software that you can just download to the FPGA. 
So now I'm downloading it, we'll see if it works. It usually doesn't the first time, I actually have to hit it twice. I don't know why. It appears to have worked. So now we've downloaded Bitcoin mining software to the FPGA and now we're going to use a little control program to do the mining and send the results back up to the internet. By the way, my password for a lot of things is Fubar123. So if you're looking for my Last.fm password or my Stratfor password, that's usually my password. But Rob, what does Fubar123 have to do with gold? What you'll notice here is my username is not Rob Graham. So my password is 123. You can go hunt down what my user names are, what my email addresses are. They tend not to be Rob Graham. I've actually used Kevin Mitnick a lot. How about Carlos Danger? Is that going to work? That's slow. It takes a while. But it's actually running here. So yeah, you kind of don't really see it from the live demo. But what you see up above is what had been running for two weeks before I came here. I just put the machine to sleep. Yeah, I'm admitting I'm cheating. So you see it's created one since I've been here. It's created one chunk and sent it up to the server. And you can see over time it does about 14 megahashes per second, that's the rate at which it does this. It's pretty slow. It's faster than a desktop machine but slower than a GPU. But it's only using two watts of power. And it cost me ten bucks. So that was my chip liberation. It's taking this evil company making evil products and liberating the chips from it and doing something good. And how much money have you made? Less than ten dollars. So this is a very special fail panel. We've expanded the members of the panel. We have a fail panel virgin on the team. And our first female fail panelist. But not both at the same time. So we didn't warn her we were going to put her up on stage right now. But I think it's a good time. Yeah, it's all. Mostly because she's not drinking enough into the fucking lemur. 
Okay, here we go. So I said to Rob, I said, I need to borrow your computer here. I've got a USB drive. And he said, seems legit. And he plugged it in. It was gold plated. Yes, it was gold plated. Well, Wendy, what does gold have to do with fiber optics? Wait and see. But Dave, why is my penis in your ear? I'm trying to hear you come, obviously. I just heard something. It was very small. I'm a white Jewish boy from Jersey. It's not going to impress anyone. It's not the size of the penis. It's the amount of syphilis you have. No, it's not the size of the ship. And it's not the motion of the ocean. It's whether the ship can stay in port until all passengers have disembarked. I got three kids. Call me sniper. One shot, one kill. It looks like we're a little over $1,500 right now. And I want to give a special shout out to Skytalks, who just threw 200 in. And let me just say, in the security community we often focus on some blowhards and some FUD. There are actually some assholes in this community. I heard you mention my name. Fuck them. There are some awesome people sitting around you and maybe even sitting on this panel. Yeah, absolutely. So as you're exhausted and trying to focus on getting through it, remember there's some awesome people around you. Have a conversation. And people just open up. So anyway, there's a bucket here. It looks pretty good but it'll look better with a little bit more in it. That's what she said. Speaking of she, hey Wendy, what's going on? It looks like blah. We did $1,900 last year, is that what it was? Okay, we can do better this time. Hi everybody, I'm Alex Rothman Showstack, Esquire. This is the boldest move in the history of the fail panel. Hi mom, how are you doing? 2,000, but that's close enough. Hi mom. You still there? You wanted something? We wanted to talk to you guys before you left the country. We hope the rash cleared up. Okay, thanks mom. Bye. And take out the garbage. You really have to give it up for him. 
Seriously, who else will let their mother hear this play? Dude, at DEF CON everyone has had your mother. Hey, you with the beer. Come back here. Hey Wendy, are you going to be talking about blah? Yes I am, Alex Rothman Showstack, Esquire, and I'm going to talk about, well, let's just say that I listen to presentations for a living. Bring me some more to drink please. After the first few hundred of those it all starts to look like this and I wanted to share this with you. Vendor after vendor after vendor. Hey, quick pause, have you ever seen dead mouse in a presentation? I've heard dead mouse and seen something pretty. Alright. This is still not enough for vendor presentations. We're going to need Wendy to shotgun a beer. We will donate money for her to shotgun a beer. We're giving her fine American beer, otherwise known as crap. Can't you give a virgin something a little bit better? Is it a fail panel virgin? No no no. You're a virgin? No, the bourbon is bad. Wait, there's a virgin. Single malt, I'll take it. None of this bourbon shit. Thank you. Wait, you're a virgin with bourbon? Drink that one, I want this one. Hey, look everybody, there's a redhead with beer. So at ShmooCon this year, at ShmooCon I got up on stage and somebody handed me a really large plastic cup with what I later found out was rum. And 15 minutes later at the end of my talk I went off the stage and was completely wasted. Is somebody going to get a picture of her with the bourbon right there for her RSA photo? Please label it Alex Rothman Showstack, Esquire, because otherwise I have to explain to my boss why I didn't save some for him. Anyway, so this is what it all starts to look like after a while and I wanted to share some of my pain with you, because of course every presentation starts with the last key into your computer. But just to make sure we're all on the same page. Are there bad guys out there with big keys? Some of them think they're really big but they're not that big. It's all about key length, right? 
So yeah, more blah blah, because generations, because we don't understand these people but they wear masks. Yeah. Then of course there are scary, scary numbers. Lots of scary numbers. Usually percentages that have nothing to do with anything else, but of course they have to wind up with some really big scary numbers. What's the biggest number you've seen? Oh, I can't talk about that in public. Unless it's okay with you if I know. And then of course everybody's got a solution. Hey, I didn't know you were using my picture. Everybody's got a solution. Have you noticed that every term in security was made up by people who desperately want to be macho? So they use all sorts of law enforcement and weapon and violence things. We have secure ninjas and knights and soldiers and blood, and we don't have hairballs. We need security hairballs. My DHS SOP states that I have to secure this presentation as TS/SCI because you haven't gone through an SSBI. Yes I do. Thank you. Actually, I don't know why they keep going with this macho stuff when this is just as scary. Wait a minute, that man just paid $100 for pancakes. So did you have any good meals in Vegas? Yeah, I had a steak. What was the most expensive meal you had in Vegas? Well, I had a pancake. It was $33 a pancake. I believe at this point we... Hey, real quick while we're doing this, everybody raise your glasses and say goodbye to our very good friend Barnaby. To Barnaby. I can't help but notice, Wendy, that you still have some of that left. You did notice that, didn't you? I did. He's very observant. I'm stretching it out, and that's what she said. Wendy is a fail panel virgin. What I was prepared for was heckling from the audience. It was over quick. But what I wasn't prepared for was heckling, exactly, from the co-panelists. So anyway, I found that the angry old lady works really well. At least it works really well for me. I think we should have more of this in security. 
And then of course everybody wants to tell me that they're the best and the unique and the first one to have done something really, really exciting, and it's all because it's not antivirus and it's not a firewall. It's shooting down these things, and everybody is saying the S word: signature. No, we don't use signatures. We're better than this because we don't use signatures. We use rules. Well, what do the rules have to do with fiber optics? The golden rule. The golden rule. Is this like the golden shower? I need another drink for that. We need to raise $3,000 for that. So it's not antivirus. It's not a firewall. Of course nobody is ready to say get rid of your antivirus, get rid of your firewall. But everybody is saying these days they're great because they're not. Also, they're the best because they have really big data. Their data is really big. It's much bigger than the other vendors' data. Would you like to see our data? We'll show you how big it is. Would you like to measure our big data? And they want to stick their big data in everything. Is the DI for data injection? Wendy and I are both analysts. I've had two big data presentations recently. One was because it was backed by SQL Server. So you're a double whore? So nobody else on this crew knows what's coming next because I made this up yesterday in the bathtub. That's coming up. Fastest in real time because of... That says realist. Yes, we're the realist time. We're not just real time. We're the realist time. We're realer time than they are because hardware cloud. I'm just going to throw out an idea here. Bingo, what happens if you get cloud hardware? Then it gets really hard. That's what she said. So all of this makes me do this. It feels lately uncomfortable. I really need a helmet. That would help me during the presentations that I have to watch and listen to. If I had a helmet, I would feel a lot better sometimes. It'd make cleanup easier though, right? So here's my solution to the problem. 
We need more sound effects in security. Is that how you spell more? Yes, it is. I can't spell so I will go with you. So as you can see, actually we're almost there because a lot of vendor names sound like sound effects now. We've got Hadoop. We've got Splunk. Wait, Splunk's a real thing? Where's Fred? Where's Fred? What's gold got to do with Splunk? Yes, what's gold got to do with Splunk? Well, if you have the gold, you get to Splunk. Yeah, that's right. Oh, last Corona, we're going to auction it for, I don't know what. Who will take their shirt off for a Corona? Oh, I hear 20, 20. Do we have more than 20? 40. Got 40 over there. 40 over there. Very nice gentleman over there with the great cap. Anybody over 40? Over 40. Sold. Corona for 40. Thank you, sir. This is just half a shot glass, Martin. What are you doing? Alright. So sound effects. They're all just Norwegians. They're all just Norwegians? Yes. So yes, sound effects. We really need some sound effects. When you're talking about people telling me about malware, I love it when they pronounce it "mall-ware" because then I think of this. Let's go to the mall-ware. So for malware, anytime somebody says malware now I can start thinking mall-ware and then I can start thinking like elevator music. Any kind of elevator music or late 80s songs, everything that you hear in a mall, you can start thinking about it whenever somebody says malware. But then we've got... Wait, is there a Victoria's Secret in this mall-ware? Targeting fail. Not a weapons fail. We need a flapjack trebuchet. That's what we need. Anybody want to hear the ultimate fail? I have an ultimate fail. Ultimate fail, everybody. My kids are here so they can see what dad does for a living. They're too busy to come to my talk. Wait, wait. Just to be clear, one of them is teaching Scratch at r00tz. He's working. What are they doing? Right now I'm doing a scavenger hunt. My son is teaching. He's doing his own talk so he can't come to mine. That is so awesome. 
Jamie, I think you misunderstand the word fail, then. Chopped liver, hi. That man's going to pass fire school and I have to go to Ewo Square. Alright guys, settle down because I got to do some more sound effects here. So for analytics it's kind of like magic. So I think this should be, whenever somebody says analytics to you, you should be thinking this. Analytics. It's magic. I'm going to condition a room full of people. I'm going to condition everybody. We overflowed the first donation buckets. We're starting a new one. Excellent. So alright, Jamie, this next one is for you. The next sound effect is for you because cyber. Every time you hear cyber, I want you to think cyber. I'm not sure if you know this or not but that sounds like a masturbation sound. Maybe for you it does. It does actually. Cyber. Cyber. Cyber, cyber, cyber, say it with me. Cyber. Cyber. Cyber. But Wendy, what does cyber have to do with cyber optics? Cyber. So next one, I want you to be thinking this. Alright, and then finally, you know, some things are just too big. Yeah, that's what I said. And then you woke up. And then I woke up. Some things, you know, just require a whole different level of sound effect. All the things, yeah, yeah. Alright, so oh geez. Alright, so for the next one, are you ready? Oh my god. Got hairball. Hairball. Rich. Wait, wait. I want at least 20. That's what she said. Alright, so. That pancake should go for at least 20 bucks. Did you say finishing or facial touch? But David, what does gold have to do with it? But what does gold have to do with Rich's pants? Alright, so the very last sound effect. Last sound effect I want to share with you. Hey, hey, cut down. I'm talking. Alright, last sound effect. It's gotta be a big one. Let me see if I can do this at the same time. So that's what I want you to think of when somebody says APT. Yes, oh my god. Because that's back to the whole macho sexual thing too. It's so fluffy. It is. So remember, what did I tell you today? 
What did I tell you? So I'll just leave that right here with you. Remember, cyber. Cyber. Cyber. Thank you. Oh, shit. There's more than there is. Wait, are we throwing pancakes? No. These are really, really hot. That would have been a fail. Alright, so this took me about 20 minutes to put together. I already did it. Hey, hey, we have something even better. Just wait until the end. Just wait. I say that a lot. They're always disappointed. Alright, so basically this is my top five fails of the last year. And actually the first one isn't from the last year. It was actually from 2011. But I haven't had a chance to share it yet. So 2011, I'm in Beijing, China. And I'm teaching a cloud security class. That's not my fucking problem. I'm up here. Donating 60 for the dino toy. Everybody in this half of the room. The cyber dino toy. Cyber. Go ahead. Cyber your little heart out. Cyber. Cyber only cost her $60. Where's our AV people? Alright, everybody over there just stand in the hall. Like the aisle right there and you'll be able to see my slides fine. That's not working, is it? Don't worry, it's coming. So if we can have AV support back there, I'll keep going. You know what happens when you fail in this panel, Rich? You fail? You get something big. You get something big behind you from David. We'll do that at the end. I have my fists. I'm in China and I'm teaching a cloud security class and I'm like, alright, this is going pretty good. I said no more than... I'm not going to be approached by any women that have sex with you. Just your mom. You're the only cybersecurity expert that has gone to China and not been propositioned by a honeypot. It was a honeynet. That means it was both men and women. Alright, I don't know what's up with the AV because I'm sending it out. So part of our labs for this is we do a bunch of stuff in Amazon Web Services. I'm sitting with the students and look, this is a little difficult. 
I said no more than 15 students and they all need to speak English because I don't speak Chinese. And so I had 30 students and most of them didn't speak English. A little challenging. There were no translators. So it was one of those experiences. This was for a large company. And... I'm sorry, you coughed. What did you say? So blow me. So we do all of our labs in Amazon Web Services. I have everything set up and all of a sudden I'm getting pissed off and I'm yelling at the network guy because none of the students can connect to their virtual servers. The whole thing is falling apart. We're not able to do any of the labs and I'm like, what the fuck is going on here? And then I take a step back and I think for a moment. So I had 25 students. We launched 50 instances in Amazon. We were making 50 SSH connections simultaneously from one IP address. And so I'm thinking the dude over at Amazon is thinking this. Maybe this. More likely this. And if it's Dave Maynor, this. And really probably this. So the end result was for about a half an hour we were blocked from Amazon. Students couldn't do their labs. And eventually they released it and for some reason they decided we weren't a threat. So that was number five. And I gotta go fast because Dave's got cool stuff so I have to give him a little bit of time. Number four. This occurred four days ago. So I'm teaching a cloud security class at Black Hat. Now you kind of think somebody knows where the Black Hat website is. They probably can type in the URL. They've heard of Black Hat. It says four. Yeah. Five, four, three. Top five. So Dave can read, by the way. Yeah. It's a new thing and he's totally excited. So don't burst his bubble. And then four comes after three. It's a proud. It's also a great reading level. Yes it is. So I've got a bunch of students in my class and I almost feel bad about this one because the person involved is actually really, really nice. And I'd feel even worse if she was in this room, but she's not. 
So this person, early on we identified that she teaches security at a college. So I don't think a university, community college or something. Sorry man. Jamie was there. He helped me coach the class. So she teaches at a college and super nice person, and she said, look, she sat me down and it was very quiet. It was like right as we went to a break, she's like, okay, so I hate to admit this. I do mostly like the policy and management stuff, but I don't know what you mean by key. I thought for a second and I thought and I'm like, you mean an SSH key? And she goes, yeah. And I'm like, so we had somebody teaching security classes at the college level who doesn't know what an SSH key is. So that was my favorite fail number four. And you would laugh if you weren't so fucking disturbed at the concept. Standing there going, I have no response to that question. I admit this is better than the very first one of these classes we taught where I was trying to help somebody find her SSH key for PuTTY and she couldn't find it. I said, oh, well we just need to go ahead and pull up File Explorer, and she goes, I don't know what that is. Okay, so here's File Explorer. I click, click, click and I go, okay, I need you to search on star.pem. Do you know what she typed in next? S-T-A-R. Guess who she worked for. That would be the federal government, using your federal government laptop. Yeah, so number three. This also occurred at our class and Jamie is going to fucking love this one. Look at the preview of what's next. So it's so good. We can't show you until you donate more money. We donate more money for the next slide. That's not working. So we're teaching this class and we have one guy, and you know you always have... Has anybody taught before? Yeah, there's always the dude and it's always a guy mostly. And they always know a lot and they really want to impress you with their background. So this individual's... Yeah, you did three years ago here and now there's a full panel. 
I can't talk over an exploit that he did on the fail panel that nobody noticed. It was a zero day at the time. So this guy... The technical term for that person is ask-hole. I spent eight years as an undergrad so apparently I don't know all the technical terms. And charity asshole means enlightened one. Just as my asshole enlightened your penis. It's a fail panel, it ain't going to get better. So this individual mentioned how he just finished his... wait, where's the squeaky thing? I need the squeaky thing. His cyber security graduate degree. He informed us of that before the very first talk and then he said in very ominous tones, have you ever heard of heap spray? Well, yes. I've heard that term before. He goes, you know, we were the guys that heap sprayed the college from Amazon. And I thought about that for a moment. And I thought about it for another moment. And the first words that were going through my head, I didn't have the heart. My name is Inigo Montoya. You killed my father. Prepare to heap spray the college from Amazon. I just, I honestly, it is very rare I don't know how to respond to something along those lines. And so I decided to look for heap spray defenses online and that was pretty much all I was able to come up with. Later he got frustrated because he couldn't realize that when you enter something into the user interface and if it has a space in there and then you get an error and it says no spaces allowed, that you just take the space out. So that was, it was a really good class. But Rich, what does space have to do with fiber op? So, number two. Like Wendy, I work as an analyst. I'm willing to admit the name of my company. Because I actually own the company and, you know, all these presentations. Yeah, Ron is going to be pissed. Hey look. Fortunately I hit people I know. So we all know APT is a big deal. Rich, I know it. I'm no expert here but that looks racist. Yeah. That's what, that's because Bing is racist. Do you see how high is spelled H-I-G-H? 
Yeah, so. I can't believe it's not butter. Pour some on me, baby. Too soon. Finally. And it goes everywhere. Holy. Yeah. So, now years ago I do remember I was talking to a web application firewall vendor and they were talking about how they were going to prevent the APT. The marketing guy, at a reception we were at at RSA. And I said, well you know you don't, that's not how these guys do those things. He goes, I know, but we did a survey, and APT. Yeah. Is this our last one? No less than $20. No, no, no, no, no. Hey guys, Maynor's got good stuff so I got to get through this kind of quick. And so we get all of these things from vendors about APT. This was by far my favorite. This was the email of the year. I got it about a week ago. And I'm going to let you read this for a moment. I am contacting you on behalf of ISACA, who would like to speak to you about how IT can form cyber security with COBIT 5. And I got one of these too. This is critical for IT teams in the wake of escalating advanced persistent threats. So apparently we can use a control framework known as COBIT, which is exactly what this is, to stop APT attacks. Now, my absolute favorite fail occurred literally 30 minutes before this talk. So I walk out to get coffee. I go into the normal area of the hotel. And I'm coming back with my cup of coffee. Just so we know, that's the area that's normal, not the area with the normal people. Correct. It was with normal people, not us. Otherwise we refer to them as targets. And we're sitting there and somebody comes up to me and he's super nice. He did not look like this, but this is my normal impression of normal at Vegas. And he comes up to me and it's great. And he's nice. And he goes, hey, excuse me, sir. And I go, yeah. I got all the goon stuff on. And admittedly the badge doesn't mean anything, but the dumbass tactical vest, too, like whatever, does. And he goes, what's going on over in the convention center? I'm like, oh, it's DEF CON. 
It's the world's biggest hacker conference. And his face goes like this. And I'm like, and I'm not used to that reaction. Most of the time people are, oh, that's cool, or that's interesting, or blah, blah, blah. They ask questions. And I'm like, is something okay? And he goes, wonderful. And I'm like, why? And he goes, I work for the NSA. No bullshit. 30 minutes before this talk. Alright. So you've all come to the fail panel. You've all had a great time, right? I need this because it's sunny here. Go away. Go away. Go away. I almost forgot something. Jack Daniel and I were talking. Whoever gives us $100 gets to roll around in the money right now. Come on. Hands up. Who's going to do it? And for $200 you can roll around in the cash with Rich. Come on, any takers? Alright. I need to go to the ATM, but I'm doing it myself. Hold on. Tell me which ATM you're going to, just in case it's mine. So I have here a collection of spoons. Apparently to make pancakes at fail panel you need a lot of spoons. I have had them signed by the members of the fail panel. You can... There's only two spoons. That's right. There are three of them. Three of them. You cannot unsee this shit. Barnaby would be so proud. Holy... You know... My partner over there at Securosis, Rich Mogull. He's rolling around in the dough. Wow, that escalated quickly. There's a lot of money there. So I got these three spoons and I got... I don't know how many of us there are. A lot. You can buy a spoon. You can buy a spoon that comes with certain associated... Thank you. That's a lot of water. Not just the authentication token, but also the authorization. The larger the dollar value, the more authorization is placed upon the spoon, such as the ability to have Chris Hoff lick the spoon for you. Or the ability to spank people with spoons. You figure out what your auth is. No, there are no SSH keys required. Spoons for the taking. Come up with some money and figure it out. 
Before Dave starts, I just want to thank everyone for coming. I want to thank the number of people such as Liz and Martin and Jason and Jack who helped make this possible. We couldn't get you pancakes without them. Let's give a round of applause for the helpers. And also for everyone who donated beer for you guys to buy. Thank you everyone. Thank you. So Jack just pointed out to me that when Rich was rolling around in the money he was just reliving his days at Gartner. Gartner jokes are always funny. Hello everybody. My name is David Maynor. Most of you know me. Shit head. That's great. I'd like to start off by asking everybody, what do I have to do with fiber optics? The answer is absolutely nothing. So how many people were here last year at the fail panel? I can't believe you came back. You foolish people. So last year I did this thing. So I had become known to some people as a fail whisperer because I am very good at inducing fail in things. In fact, here's a picture of me. That is fail. Look at that. I have two chins. Fail. I'm also wearing a tie. Fail. So I work with fail like most artists work in fine oils. I do pen testing so I fail a lot. One example is that many years ago Jacob Appelbaum, who is a complete media whore, wanted to distribute, he has apparently stopped being a media whore and now has become a media darling. But at the time he wanted to distribute something at CCC and he wanted to prove how awesome he was by posting a version of it ahead of time with redacted information. So I thought this was stupid. So I wrote a blog post about it, and here's his document that was redacted. So the funny thing about this is that while you can redact large portions of the document, you can't redact the font size. So if you went through and measured, you could figure out how many letters were in each word of small redacted blocks. It was pretty easy to find out. So we were actually able to, before his big CCC presentation, decipher his message. 
And what did the message say? I found a new way to apply a product that makes it look like I just rolled out of bed. No seriously. He was actually talking about something with MD5 collisions. It wasn't actually funny. The funny thing was that he posted something he thought was secure and everybody was able to read it ahead of time. So the reason I'm going through this is I'm giving you my credentials for why I'm causing fails. But this year I have no fail to offer. I only have success and unfortunately my success is horrible. So that was some fail, right? So one quick story of a recent pentest that had gone right. I can't really tell you the client but it's a really funny thing. When we came in they were gung-ho. They were ready for us. They let us know right ahead of time how we just weren't doing anything. We weren't getting in, we weren't breaking anything. So the window comes around and five to seven minutes into the window we had broken into everything. We had domain admin remotely. So I didn't know what else to do. Normally at this point you start writing a report but if you know me I don't like to write because I can't read, which means that I will do anything to avoid writing a report, which brings us to calling a registrar. And I can't mention a registrar's name but we called a registrar and in my latest Southern hick voice I went, oh my god, my boss is in Turks and Caicos and our site just crashed. I have to change our DNS over but I do not have the password. Can you help me out? And the person who sounded like they were in Kansas or Washington or somewhere went, well gosh, I mean you need the password to do that. But I don't have the password. My boss is in Turks and Caicos. I was trying to channel a Baptist minister at the pulpit because nobody wants to disagree with the man of God. He was like, is there anything you can do that proves that you work for this company? I was like, well what do you want son? What can I do for you?
This is a little bit of an exaggeration but it was not much. And he was like well can you send me an email from your work account or can you do something like can you put a page on the website that proves that you have control over it? I was like, yes son I can. Let me go right ahead. Since I had domain admin it was pretty easy. You just right click in the IIS directory. I feel, I feel a disturbance in the force. It's a small disturbance. It's more of a ripple actually. So I right click in the IIS directory, I create a file called go down. Oh wait, I can't say its name. I right click on a directory, create a file and I say redacted. Does this prove that I work for the company? I give him the URL. He goes to it and looks at it and says, yeah sure. And then he gives me the password. So I spent the rest of the night figuring out how to do split routing with their email so I can get a copy of all their email coming in via DNS. So I call them the next morning at 8am and I ask the system admin why he hasn't gotten any email since midnight. They were shocked. They were appalled. Some would say they were shocked and appalled. Were they odd? No, they were pretty normal. They were shocking all? No. Which brings me quickly to why I have no, this is all funny but I have no actual fail this year to talk about. Last year I did a trick and it was a very funny magic trick. Yeah, no I did two tricks. Well one guy was named Rich. He didn't pay well but then again I didn't have to do much. It was over quick. So I did this trick with an iPod where I could be within 100 meters of every jukebox that used an app that you could queue music on and I could make all these jukeboxes play MMMBop. And I thought that was hilarious. For months after that anytime somebody would check in on Foursquare to somewhere I would find that they had a jukebox that would play MMMBop. I thought that was hilarious.
So Chris Hoff tweeted where he was going to a bar and like minutes later Dave had hacked his location on his computer and then played MMMBop on the local jukebox. So that was funny. If you go back and look at the video and audio from last year the last thing I say before I walk off stage is record executives use jukebox plays to determine how popular a group is. It's my calling in life to get Hanson to release a new album. See I thought I was joking. I didn't believe in the power of the, I just wanted to put this picture up again. There was a trick sitting on my lap when I figured all this out, she had a gun. I was like you know what it deserves to be a two, uh, presentation two years in a row. But I didn't believe in the power of the fail panel. So I want to let you all know I am witnessing to you. The fail panel power is real. It is real. It is so real. Released a new album. Look at the date. I want you to know we don't do it because regal sons of bitches like Robert Graham. We do it because we are trying to help everyone have a better life and I believe Hanson will have nothing to do with that. What does Hanson have to do with fiber optics? It burns. Oh it's just him. You know what, I have never, never seen a crowd throw a Bono shirt back. I'm going to tell you right there we have some very polite fans.