>> BRENDAN: Hi there, my name is Brendan O'Connor. There are three take-aways from this talk I want you to remember. The things we carry on our bodies leak way too much data at every single level. We as a community have forgotten that privacy, not just security, needs to be a goal. Whoops, the Goons have noticed.
>> Always! (Cheers and applause!)
>> Raise your hand if this is your first DEF CON, you liars! (Laughter.) You, the man knows how to speak up, get up on stage! I got to get somebody tall to do that. The last guy, by the way, slammed it immediately, so cool your jets. I want to introduce you to 2500 of my closest friends! (Applause.) So please, welcome the brand new, first-time speaker, congratulations! (Applause.) Up yours!
>> Oh my God, we have to make this smaller, we're doing this all afternoon!
>> BRENDAN: God, I love DEF CON. Now the gentleman with the sideburns has left the stage! We have forgotten to protect ourselves. We have spent years and years, many on the stage, saying we have to protect ourselves, the evil hackers are using all our information, and that's true, but we have forgotten it's important to protect the privacy and the identity of our users, and it's become in vogue to dump a huge amount of data into encrypted streams in order to ‑‑ I don't know really, it's quite odd and we will show you examples later. Final take-away: it's no longer possible to blend into the crowd. Everyone has seen a horror action movie in which hooking up a cell phone turns off power plants and someone goes, oh my God, the bad guy has gone into a mall, we'll never find him, there are 10,000 people! That doesn't work, and it doesn't work for the government, and now it's not going to work for everybody in this room. If you can put together a small computer you can track everyone in the mall, steal their identities, find out important information about their lives and use it against them. We need fundamental changes to fix this at every layer. It's not okay to request too much data and then to store it, and I say this as someone who has worked on software being used for millions of transactions: we can't leak the private data of our clients, because our clients are under attack, not just us anymore! If we don't do this we have lost the only thing we do better than our adversaries, and there is no reason anyone should trust a software developer. Why are we doing this? These guys have tons of information on us. Every day you walk through the Rio and there are hundreds and thousands of cameras. And I was recently told by my sister that security is the government's area, they know best. This means two things. One, a lot of people actually believe this, which is terrifying, and two, I am a terrible brother! Not just because I told you this but because obviously I didn't educate my sister well enough, and she is a doctoral student and it's too late! Those of us in the room know that the government is not good at securing things other than throwing people in prison for amounts of time. But the government has no monopoly on surveillance, that's fine, right? The good guys have it.
But that's not true. We may look at Blue Coat boxes that are found in a bunch of countries that are not the "good guys"; we know we're helping repressive governments, and since the leaks I'm hearing "the NSA needs that" and it's okay, it's okay as long as only the government can spy on us. We hear that sunlight is the best disinfectant. A recent study showed that cops wearing sunglass cameras were 88% less likely to commit actions resulting in complaints, and 60% less likely to use force at all. When they did use force, those officers wearing these cameras were consistent in using the least amount of force possible in the situation. This effect was not duplicated, shockingly, on those officers and their forces refusing to wear the cameras. If we can see what's going on, we can look back at our government and make sure it works as efficiently and safely as possible. If not, we are subject to blackmail, extortion and threats. See, for example, Aaron Swartz. So we need sunlight, but we need sunlight quickly. We don't have time to wait for a new dawn. Anyone know what this photo is?
>> AUDIENCE MEMBER: A nuclear test.
>> BRENDAN O'CONNOR: It's the largest nuclear test ever detonated. Tsar Bomba! We need to blow up this situation to make it clear to every single developer at every single layer that this is no longer an acceptable use of our private information. So I get called a stalker. Not this stalker, this is apparently an adorable kitten that is called "Stalker". I get called this kind of stalker. We all do creepy work in this room, and we do it because the only way to raise the issue of creeping surveillance and loss of privacy is to make it clear that anyone, not just the "good guys," such as they are, can use this technology for good or evil. CreepyDOL is a distributed sensor network that combines wireless sniffing, distributed command and control, 3D visualization and grenade-style encryption to do realtime personnel tracking and true identity theft on a major urban area in realtime for almost no cost. It is stalking as a service. That's what we're here today to see. There is one complication though, and that's
Weev, or Andrew Auernheimer. The United States government has declared a holy war against legitimate security research, and some of us think that's probably not a good idea. A lot of people in this room don't like Weev very much, because he's a "troll" and he did horrible things and said horrible things about nice people. But it doesn't matter. The thing about criminal law is we don't get multiple bites at this apple. Mighty Casey gets three strikes to strike out. We get one, in the 3rd Circuit, and it's pending already. We need to take action to protect legitimate security researchers even when they seem like terrible people, not for them but for all of us. If everyone in this room isn't going to be in prison by this time next year we need to hope that we win this appeal. Otherwise, hey, that was only in New Jersey, right? Except that Weev was in Arkansas. They dragged him to New Jersey because they thought they would get a more favorable hearing, and they were right. Every internet connection goes through every place in the United States, so if we're not going to end up in prison we better protect Weev. This affects the way that I do this research. First, this side note: I wrote this amicus brief in conjunction with all the people on this list, and Alex Muentz, down at the bottom, a great hacker lawyer, 13 big security researchers, a lot of people in this room or at this conference: Dan Kaminsky, Matthew Green, professor at Hopkins, Sergey Bratus, professor at Dartmouth, Jericho, Space Rogue, Mudge. These are people you have heard of and people whose work you should be supporting even if you think you don't like Weev. This affects every one of us, whether we're program managers, professors or itinerant hackers. And in the meantime we have a chilling effect, because we cannot trust legal actions to not be prosecuted. Therefore, CreepyDOL has not been tested on a whole city, because even though every court in the US has said wireless sniffing is A-okay, same as sitting in the coffee shop and hearing the guy next to you talk too loudly on his cell phone about raising his next round of venture capital funding, which happens way too often, we can't rely as a community on the government not prosecuting hackers for legal actions. I leave the next step of world domination to a braver researcher. Since I'm a law student we have a serious disclaimer. (Laughter.) "This is not intended to be ironic." Let's talk about DARPA's Cyber Fast Track. CreepyDOL is not CFT work. I had to make this extremely clear to a few people. DARPA tries real hard not to build stuff that "creeps" people out, because they have had a bit of a PR problem in the last couple decades. But two CFT contracts did let me build two of the core systems: the Reticle system, which is the visual command and control layer, and the visualization system, for reasons which are not likely to become clear at the moment called NAUM. So thanks, Mudge, if he's here, and wear those green tee shirts with his face on 'em with pride. And this is a brief roadmap. First let's talk
about the goals we have for this project. First, we want to see how much we can extract from wireless. That means I don't want to do "man in the middle", partially because I don't want to go to the "bad" kind of federal prison but partially because design constraints help us to become creative. And it turns out that doing the active attacks, like the Pineapple Jasager attack, aren't necessary. We can do this without them. As you turn on a wireless device, it sends out a list of all known networks, even when it's connected. As soon as a device thinks it is connected to wifi, all of its sync services will kick off again. That means Dropbox, iMessage and everything. A lot of those, after establishing SSL connections, we get cool data from, and because we're sitting in coffee shops that have public wifi, that means we get a lot of cool data pretty often. Over unencrypted wifi all devices are exposed. That's what we mean by "unencrypted", which means that we can see everything they're talking about. Sometimes they're talking over SSL, which means the core data is in theory encrypted, but it turns out that lazy developers, that is "us", have been leaking this cool data outside of the SSL envelope, and I don't know why. As they set it up or as we look at things we're going to see neat data, and the cool part is, because we have an awesome primary key, we can just sit and wait. So maybe you make one small identity mistake in one cafe; maybe halfway around the world, as long as I'm in multiple places with little boxes, you drop another identity mistake, and I start to build up a profile of who you are, where you are, and I know that wifi is not that long range, so if I can hear you you're probably on top of me. Once we get one to ten to 100 sensors over an area we have time and place analysis. I know your patterns and practice and I know what things are important to you, and if I want to blackmail you, I will find what's important to you and that you most don't want exposed. This is what we mean when we say knowledge is power, right? Our second goal is large scale sensing without communications. It's easy to say I will go to Verizon and buy 10 USB sticks. The problem is that is expensive, and these days I'm a law student, and when you go to your law school and you say, hello, I would like to apply for a grant for my research, what is your research, oh, I'm doing a distributed sensor network so I can spy on people, they back away slowly and then call your Dean. (Laughter.)
My Dean is a wonderful woman, I will not mention her name on stage, but suffice it to say they're not going to fund my work anytime soon. The other reason we're not going to do Verizon or the other cell providers is it provides the guys with guns a way to figure out who I am. They pick up the box, read the ID off the device and say, Verizon, who has this device? We would like to throw him in prison, signed, the United States government. The telecom providers have all of this information in their offices, just created for this information. Finally we have a third goal, which is intelligence ability. The slides make tough "D" cry, it's a sad thing. When one has an intelligence ability, we can prove to people this is a problem. It's the difference between writing a zero day, and writing a zero day and putting it in Metasploit. When every script kiddie sitting in the basement can stalk the entire city, maybe we will see improvement on the issue. In the meantime we are not.
Let's talk about background, a couple of slides. One, I would like to pour one out for the academic sensor network people everywhere. This works kind of like one but not exactly, because mostly they're these ultra low power, beautiful little devices, they work well, they do wonderful research with them, and they sacrifice everything else to get there. They work in horrible languages like nesC, it's terrifying. But they sacrifice cost; academic sensors cost upwards of $600 apiece. That's not good. I want something that I can write in a real language, preferably works in Linux, and is an order of magnitude cheaper. And large scale surveillance: I swear my outline said that one can assume that the intelligence community has solved all of the problems in CreepyDOL for me and they should be ‑‑ which they will be happy to do as soon as they have published their results, so thank Mr. Snowden, pour one out for the guys at NSA because this stuff is really hard! Let's talk about the CreepyDOL architecture. First, hardware: this is F-BOMB version 1. It's a terribly tortured acronym, because I used to work for DARPA and they love acronyms. The same thing that is inside the Pony plug and PogoPlug, they decided they could sell it if they put it in a neat case. When those failed I could buy it off Amazon for $25; I would like to thank them for my research. The other thing is it fits inside a carbon monoxide detector. How many of you checked theirs to make sure you weren't working for me? (Applause.)
This is the old version; the dev board is twice as big for the F-BOMB version 1 as it is for two. If you can look at my hand and see it, this little box holds a lot of good hardware. It holds a Raspberry Pi, Model A, for those of you into such things, because every hacker needs a Raspberry Pi, or ten of them. I would like to apologize to the Raspberry Pi enthusiasts. I bought 10% of the U.S. supply of the first round of Model As, because I didn't know they were only going to bring 100 into the United States, so I'm sorry, I think I screwed up a few business models there. There is a cheap plastic case, two wifi dongles and Apple power adapters that occasionally electrocute people. (Laughter.)
It just happened last week, and Apple released a statement saying, "only buy original Apple", so thanks, guys, but they cost $25, so $3 is better, and hey, I plugged it into other people's apartments, right? That's the idea. (Laughter.)
So why two wifi? I don't want to bring in centralized communications, so instead I'm going to use your centralized communications. And we connect to local wifi. Brendan, in this magical place where you live, is there municipal wifi that actually works? No, there is wifi that doesn't work, which is kind of typical, but there is a lot of coffee shops and bars. Every random dive bar has wifi now in Madison, it's a wonderful thing! A lot of them have captive portal agreements, though, and captive portal agreements make your embedded code sad. So I wrote a library called "Portal Smash". It clicks on buttons so you don't have to. Available on GitHub right now, www.github.com/portalsmash. And again, thank you DARPA. (Applause.)
Now we're going to talk about the middleware, building from the bottom up. We talked about hardware, now we are going to talk about the middle layer, called Reticle. Reticle is leaderless command and control software, designed to work like botnets. This is the first of the two DARPA CFT contracts I mentioned. I made a whole presentation last year, but I will summarize. There has been a whole rewrite. It still works the same, but there are not so many swear words and occasionally it doesn't break because my cat stepped on my keyboard. Each Reticle node runs CouchDB, a NoSQL database which works very nicely, plus nginx, Tor, and some custom management software, a couple of Ruby scripts in essence, and all of this is open source. It lets nodes combine in a network and lets them exchange data with every other node, and we can do data exfiltration in the hope that we can get the data out before the bad guys with guns shoot the box. To make reverse engineering radically different it has encryption: you boot a node with a USB key that contains a full decryption key, it reads it, stores it in memory only, then you pull the pin out and you throw it at your adversary, preferably not at their head. Once you've done that, unless somebody actually runs Cold Boot on it, you're good. If you pull it out from power you lose the encryption keys. As for Cold Boot, here is the thing. How many people dump liquid nitrogen on every small black box they find in their house? There's two people who dump liquid nitrogen on everything! I would love your house! For the rest of you, as soon as we've got people to dump liquid nitrogen on everything in their house, we have all won and we can go to 303's party. CreepyDOL is just a mission that Reticle runs. They all do the network thing, so as soon as the data gets to one place it's as good as home. Let's talk about the design of CreepyDOL. It's a creepy doll, right?
It's going to do as much as possible on these boxes. They have 256 megs of RAM, we don't need that much, they work efficiently, and the reason we do that is to be nice to Tor, which is usually overloaded; donate money to those who run exit nodes. We don't want to send them home, partially because it's rude to Tor and ‑‑ no one will track it in a coffee shop and get noticed at us, so: distributed query for distributed data. Process all the data on the pcaps we save and we send that home; we never send the pcaps home. We do centralized query for questions, and we can do awesome types of questions, like where do you usually go for coffee at 8:00 in the morning, or where do you go for coffee at 3:00 in the afternoon once you drag your butt out of bed? We do these things on a centralized node because even though distributed nodes have data they don't have hard drive storage, 8 gigs apiece, so we want to do these data mining queries back home and pull the data out of the grid as fast as possible. Once it's propagated we delete it, and then we have a centralized point of visualization only. It's not command and control networks, it's what we plug our Xbox thing into. And I'm serious about the Xbox, we'll talk in a minute. We call this NAUM. Let's talk about the observation filters. They're the stupidest filters, and they are per application, and they take in a pcap and they say this is for Dropbox, okay, from Dropbox we extract ‑‑ something good to know. There is another filter that's processed as Apple iMessage. Look at the last line; this is a screenshot from Wireshark, there is more data than they should be having there. I know exactly what version of iPad I have, which I knew, but if you didn't that would be useful. I know what version of iOS they're running and I know how to exploit it remotely and I have the exact build number, in addition to the fact that they're using iMessage. There is a lot of data and media, and this is from one service. Observation filters are per service; I've written 10 of them. The idea is that we build up tiny bits of identifying information and coalesce them over summarized identity. We get a little bit from your Dropbox, from the feed reader ‑‑ how many of you use that after Google Reader collapsed? About a quarter of you. How many of you watch the stuff over the wire to make sure it's secure? Nobody. Turns out the ones that I switched to and still use transmit everything in the clear. Weirdly, they transmit my real name and email address in the clear and an authentication cookie, because they have never heard of Firesheep, because a lot of this stuff was spun up really fast with Google Reader, and we can get stuff out of your online dating profile, and you all have one and you are disgusting! (Laughter.) Back to the NAUM filters. There are the nosiness filters and the mining filters. Nosiness takes a little bit of data and they look for accounts with user names, email addresses, so you can submit it to a service; it checks the forgot password forms, and even though we have been screaming about the forgot password accountability for years they have that system. I could then break into the systems and I can do funny things and be more or less within the law! Finally there are mining nodes and we do the big data here and do pattern and practice. I mentioned before where do they go for coffee every day; that's one thing, we can do cooler things. For instance, if I see one device that moves around a city, I see it everywhere, it goes here and there. What if I see another device that only exists sometimes, and every time it exists it's in the same location as the first device that I saw. So what happens is it goes somewhere, it stops moving, and a second device turns on, works for a while, then the device turns off and I don't see it again, and then it moves out. That's what we call a laptop. Once I've seen that for a while, suddenly I have one profile instead of two. So even if you thought, hey, my phone is probably trackable, but I only do my creepy stuff on the laptop, that's okay because Brendan will never see me, now I know it's you and I have seen the shops that you go to, and I am terrified, I didn't know you could buy them that big. (Laughter.)
This is the CreepyDOL architecture. You can see the nodes, they're connected to every other node. They go to a sync node, and the idea is that it's just another node for information propagation, but it's not encased in one of these boxes, I run it in a virtual machine. Its job is to send up the leaf commands and store it in another storage mechanism. I have two different storages that I use in tandem. One is called Shark, and it's an all-in-memory part of the Hadoop project, which means if I had big data I could throw them in Shark, and I throw the rest in another one and it allows me to do it very fast. Then I have translation from the Shark format into a saner format. Finally I run them into a visualization, and you see down in parentheses there it's running Unity. I built a video game, and my people are real, which makes it happier! I'm getting GPS data so I might as well use that. You use the Unity game engine; it's free for indie developers and it's cool. The second note: JavaScript as extended by a proprietary games manufacturer, then compiled into the .NET language with a bunch of C#, and it's a horrible debugging platform. Oh my God, you have never seen weird JavaScript errors until you've seen them interpreted by four other languages in the middle, but the advantage is it works well; the guys at Unity know their stuff. If you have ever tried to write visualization, you ‑‑ if you do this everything works, you say put this here and it works well, you have one simple translation between latitude and longitude, and it runs on an iPad, which I love, or Windows, Linux, Android, Wii or Xbox 360. Part of the side effect is you say wait, you said 600 gigs of data, how do you hold that? I don't.
That's why we have the servers; they do all the query lifting so you can run it on an iPad and don't have to do the heavy processing. They talk to each other, because they love irony, over unencrypted HTTP. (Laughter.) You can watch close and see this take place. Before we do that we have test parameters. Remember Weev, how we're all terrified? If you're not terrified you're not paying attention, so we can't spy on everybody in the city, which I hate. This doesn't mean we can't do valid testing, but if I stalk myself we only get to see me, so you are going to see a lot of dots representing me in different places, and I have tested up to hundreds of thousands of nodes and it works incredibly well and scales really effectively. So we never collected any random stranger at any time, because even though it's apparently legal, we can't be sure of anything anymore until somebody has smacked down the Third Circuit. Let's watch it. Unity, it's not running on my screen. Is it running? You are going to see a few things, but I'm not going to see them exactly in time. First you will see the dot move around the map, then OpenStreetMap loads, and I will zoom in and out, then I draw a box zoom across it, and it zooms the data and the map in. You can hover over nodes, see how many times I saw them or how many are in a room at the same time, and their MAC addresses. At the end, and tell me when this happens, you can click on one node and then you see everything in the world! (Applause.)
See, real name and email address from a Google feed ‑‑ it's not Google Reader's fault ‑‑ photo from an online dating site whose name we're not going to say because I've heard they have angry lawyers, even though they haven't heard of Firesheep. You can see that they used LogMeIn, which is a replacement for every screen sharing site, and we have this great data. We have the weather app, which transmits in the clear exactly what location the iPad thinks it is, so I can make sure my sensors are accurately placed; they're helping me calibrate my own network, it's awesome. Let's talk about future work. What other applications can we do besides decidedly creepy, Brendan? Well, one, we can do counter-infiltration. Those of you who participated or even read the news about "Occupy Wall Street" and "Occupy" anything else movements have noticed a lot of times a mysterious stranger slips into the group, someone throws a rock, and the mysterious stranger is gone. It's amazing how this works. You can use counter-infiltration, though, because you set an alarm and you say, hey, if anybody new shows up in this area, scream "bloody ***", so when the "bloody ***, bloody ***" alarm goes off, everyone knows to look for the guy with the Blackberry. He's the Fed. (Laughter.) (Applause.) You can also use this, with apologies to the Grugq, for operational security training. You can say if I throw this over a network and look for devices that I know my agents are carrying, how much data are they leaking? How terrified should I be? Here's a hint: really terrified. You don't need to track every agent's access. If you are a huge corporation with a "loose" sense of ethics, who wants to make sure when your employees go home they aren't spreading trade secrets, just spread these over the town where they all live. Every time one of them connects to get their email or to send your trade secrets off to a competitor, you, too, will know it, so we will have operational security through the complete and total invasion of privacy! (Laughter.)
This is the trade-off that we have come to live with, and I'm not sure why. We have accepted that we have no choice in the matter, that our devices are going to continue to leak increasing amounts of data, that Mark Zuckerberg is going to go on CNN and say, "I don't know why anyone wants privacy, it's dead!"
Here is why. I don't want you going into a swingers bar that your wife doesn't know about, not because, my God, you cheated on your wife, but because if I stalk a whole area, let's say I live 6 blocks from the state capitol and I stalk six blocks around that, I don't need any particular person to do something wrong, I need one person to do something wrong and I get maybe a small change to a bill. People have been doing this for a long time, right? Here is the difference. I would have to pay a whole team of surveillance agents a lot of money to watch senator so-and-so until he does something stupid. So for the cost of a medium expensive dinner here in Vegas I can throw 10, or as many as we want, of these things around and find the person with a weak wallet, a weird sex life or something they don't want everyone in the world to know. Except for Anthony Weiner, because he's invulnerable. Protests and rallies: there is a problem with the accidental destruction of evidence during crackdowns. It's hard to know who was in the kettle when the cops lock you in and take you off; it's hard for "Occupy" to know who they should save in the jails. You can have it scan your friends continuously and transmit that; you're offloading your data so that you know where your friends are, which maybe means they don't spend two more weeks in jail than they need to, and unless an adversary knows what this is or why they care, they're probably going to unplug it to look at it. They are not going to happen to know how to use it doing a cold boot, and unless they're throwing ‑‑ on random protesters, even like ‑‑ in Madison we had a cop kill a kid for walking while drunk, which is also called "being in college", we're safe from cold boot attacks for a long time, and that means we get all the data out we need. Let's talk about improvements. We can scale up, start our contagion networks, and because they're not connected directly over RF but over the local coffee shop's wifi, we can start a contagion network and have five or six overlaid networks that don't need to connect to each other in any physical way, which means we can do geographical distribution and eventually you won't be able to delete it off fast enough; then you probably want to split up the networks. Each network then has one data sync node and they can throw it all into the visualization. Visualization is good to a couple of terabytes at least, more if you've got better RAM. As I mentioned, scaling the back end isn't hard, especially because there is a great script for Shark that lets you run on Amazon EC2. This means that, yes, we can have stalking as a service. It's from the cloud so it must be here to help us. (Laughter.)
There are other servers, GO couch, it works efficiently. The visualization is harder in that there is a limit to how many nodes, a couple thousand, I can drop simultaneously, but luckily there are hundreds of books by game developers for other game developers that don't check your cred at the door to buy. If you saw the black nodes versus white nodes, those are grouped versus single nodes, but they also do limited distance of view, the same thing as in every FPS game, you can't see the entire weight of the moon, and this allows us to scale visualization as far as we need, and OpenStreetMap goes everywhere in the world, and you can stalk a whole country for 10, 20, $50,000, which, fundamentally, to be creepy is not that big of an investment. Won't someone think of the children? (Laughter.) And everything they're doing every day! (Laughter.) If you are, you're a bad person! (Laughter.)
Finally, we can add a lot of stuff to this. How many of you guys have played with software
to find radio since the RTSLDR came out? Quite a few people. There are $10 to $20 dongles
that allow you to find software‑defined radio from 75 megahertz up to a couple of
gigahertz for not a lot of investment and you can listen to anything, stalk the Goons
for fun and frivolity, or messing with restaurant pagers or anything else you can think of transmitting
over RF. We can work around encrypted wifi that's trivial to do with tools like Refer
or other awesome attacks on wireless security and at the end of the day if you're stalking
in a city you don't really need it but it's something to keep in mind. We could do active
attacks like the Jessica or wifi Pineapple attack to make sure devices connect to us
and run a man in the middle attack. We don't have to, and if you don't recognize a weird
address and you're A 6,000 miles from your home which it says you're connected to, but
you could run it, and then be more subtle. Finally, mitigation. The problem is we have
to sacrifice the things we love in order to mitigate this (Laughter.)
Yes, it's a Bible joke. The leaks are at every level of the entire stack. I do mean every single level. The bottom layer: the IEEE says beaconing your list of networks is an acceptable way to behave in a crowded, noisy space. That's a terrible idea, right? That's in the protocol; we can't ignore the protocol, that would be a bad thing, and the IEEE will send out engineering thugs to hurt us! They have to fix this, but unfortunately we said it's so convenient to walk near my apartment and reconnect to wifi without ever having to turn on my phone; it can connect to iMessage and download messages, and some of them won't be from Anthony Weiner, I'm sure. But the IEEE is not going to promulgate a new protocol to device manufacturers: "Hey, it's going to be less convenient and your customers will hate it, but you should use this because it's more secure." Next! There is also a problem at the operating system level. A lot of mobile operating systems, and I'm going to pick on Apple because that's what I use, won't enforce VPNs. When I connect to a new wifi network on a laptop, it says turn on the VPN before you let any packets go. That is not possible to do on iOS. You always have those first few messages, and they're rich with data, before the encryption has been set up, and they're transmitting everything else if they're open protocols.
The layer above the OS, too, has to be protected. I found an online shopping application that transmits my location in real time. It's not Groupon, right? It's not something that involves my location; they just want to know so they can send me targeted ads. No one should have unencrypted access to how much that new pair of Manolo Blahnik shoes costs, but for some reason everyone in the world should have unencrypted access to what OS I'm running and exactly where in the world I am. That's a pretty weird trade-off. It's our fault, because we have forgotten to protect our users, in addition to our servers. This is everyone's fault, so no one is going to take responsibility for us, right? It's just status quo, right? The status is not quo, for those of you who like Dr. Horrible: "We cannot tolerate this level of privacy leakers." There is one Dr. Horrible fan! As consumers we need to do better, and we have a responsibility to the world to do better. One final digression. At ShmooCon 2013 there was a pretty heated panel about academics and researchers. I have split my career between both. I have an academic degree in computer science, and I'm doing an academic degree in law these days, and I'm just a hacker without any academic support most of my time.
We need to have a way for the two communities to work together, and part of that needs to be that hackers find a way, any way, to stop repeating the same mistakes over and over. Everybody who has done a long-term research or development project knows that you spend the first couple of months doing something, and then the next couple of months you say, oh, God, they already did it and I couldn't find it.
A couple of days ago, on Tuesday, we launched HARK, a new hacker archive that you can publish to: tweets, blog posts, or formal academic papers. We will have mentors who will help you take your paper to the next level, whether the next level is one thing or it's the next WOOT conference, which is an awesome title. We want to be able to promote, and we want to have a permanent archive, so people know that if they publish their work here it will live beyond their own time, which, especially if we start losing hackers left and right, is an important thing. We need to "fail" better. In order to do that, we need your help. It's at HARK.net, where you can contribute. Finally, thanks to those who have asked for comments, to Mudge for running the CFT, and to my law school for not being hard enough to make me work on law school most of the time. I'm finishing law school in 10 months. If you have an idea that you would like me to do in 10 months, drop me an email; it's on the slide. Seriously, we want to be able to fail better and to make hackers' work, not just academics' work, live forever. If you want to live in immortality, go to the HARK network and join us. Thanks very much. (Applause.)
I have two minutes for questions.
>> AUDIENCE MEMBER: (Away from microphone.)
>> BRENDAN: IP cameras? You could do that; that's the minimum creepy. Repeat the question? The question was why don't I integrate cameras, so you can do IP cameras and stalk from that. That would work; you'd need a new application with a parser, one of the parsers, and you could integrate a camera into the device, which would be cool, but it costs another $20 to bring a Raspberry Pi aboard.
>> AUDIENCE MEMBER: Have you thought about using Unity ID... (Away from microphone.)
>> BRENDAN: Right. So the question was have I used Unity's client-server to do the networking between independent hackers. I haven't, because it's not flexible if you're actually building a game; the way to do that would be to go one layer beforehand, by everybody dumping into the same shared CouchDB and tagging. So that capability is built in; it doesn't use the architecture. Everybody else, grab me; the Goons are going to rip me off stage in about 30 seconds. Thanks very much.