Defcon 21 - Stalking a City for Fun and Frivolity

Captions
My name is Brendan O'Connor. There are three major takeaways from this talk I want you to remember. Every single thing that we carry around on our bodies, whether that's the radio to talk to 303 or the iThings we all probably have somewhere, leaks way too much data at every single level. We as a community have forgotten that privacy, not just security, needs to be a goal. Whoopsie, the goons are annoyed. Always. What did I do? So in fact we want to change it up a bit. Raise your hand if this is your first DEF CON. You liars. All right, you, the man who knows how to speak up, all right, get up on stage. That's... I've got to get somebody tall to do that. All right, the last guy, by the way, slammed it immediately, so cool your jets. I want to introduce you to 2,500 of my closest friends. All right, so please welcome the brand-new first-time speaker. Congratulations. And oh my god, we have to make those smaller; we're doing this all afternoon, man. Anyway, thank you. God, I love DEF CON. Now the gentleman with the sideburns has left the stage.

We've forgotten as a developer community that it's not okay just to protect ourselves and to forget about protecting our users. That is, we spent years and years, many people on this stage have said, "we have to protect ourselves from the evil hackers; they are using all of our app stores and pwning all of our boxes." That's true, they have been, it's fun, but we've forgotten that it's also important to protect the privacy and identity data of our users. And it's become somewhat in vogue to dump a huge amount of data into unencrypted data streams the users don't even see or think about, in order to... I don't really know. It's quite odd, actually. I'll show you some examples of that later.

Final takeaway: it's no longer possible to blend into the crowd. Every person in this room has seen yet another horrifying action movie where, when they're not doing a fire sale, which apparently a cell phone can hook up to a satellite and reroute the encryption, or turn off whole power plants, someone's just going "oh my god, the bad guy has gone into a mall, we'll never find them, there are 10,000 people there." That doesn't work, and it hasn't worked from the government's perspective for a while; it's been relatively easy. Now it's not going to work, for everybody in this room: if you can put together a small computer, you too can track everybody in your local mall, steal their identities, find out what the most important information in their lives is, and then use it against them. And we need fundamental changes to fix this at every single layer. We need technical changes, but we also need cultural ones. It's not okay to request too much data and then to store it. And I say this as someone who works on software that's being used by millions of people every single day for financial transactions. We can't leak private data of our clients, because our clients are the ones under attack, not just us anymore. If we don't do this, we've lost the only thing that we do better than our adversaries, and the only reason anyone should ever trust a software developer.

So why are we doing this? Well, these guys have a lot of information on us, right? Every single day you walk through the Rio there are hundreds or thousands of these cameras. And I was just recently told by my sister, who I thought I'd trained better, that really security is the government's area; we shouldn't worry when the government does things to secure us, because after all they're the government, they know best. This means two things. One, a lot of people actually believe this, which is a little terrifying. And two, I am a terrible brother, not just because I told you this but because obviously I didn't educate my sister well enough while she was growing up, and now she's a great big doctoral student and it's really a little bit too late. Those of us in this room know that the government is not very good at securing things by means other than "throw him in prison for very long amounts of time." But the government has a near monopoly on surveillance. That's fine, right? The good guys have it. But that's not actually true when we look at, for instance, Blue Coat boxes found in a whole bunch of countries that are not the good guys. We know that actually we're helping repressive governments. And hey, even after PRISM, even after every leak that's come since the PRISM leaks, I'm still hearing "hey, well, the NSA needs that, I'm sure that's okay, right? It's okay as long as only the government can spy on us."

We hear a lot that sunlight is the best disinfectant. A recent study showed that cops wearing sunglass cameras were 88% less likely to commit actions resulting in complaints and 60% less likely to use force at all. When they did use force, those officers wearing these cameras were consistent in using the least amount of force possible in a situation. This effect was not duplicated, shockingly, on those officers in their forces refusing to wear the cameras. If we can see what's going on, if we can look back at our government, we have the opportunity to make sure it works as efficiently and safely as possible. If not, we are subject to blackmail, extortion and threats; see for example Aaron Swartz. So we need sunlight, but we need sunlight quickly. We don't have time to wait for a new dawn. And we know what this photo actually is. What is it? It's the largest nuclear test ever detonated, Tsar Bomba. We need to blow up this situation to make it clear to every single developer at every single layer that this is no longer an acceptable use of our private information.

So I could call this "stalker". Not this stalker; this is apparently an adorable kitten that is called Stalker. I could have called this kind of stalker, but we all do creepy work in this room, and we do it because the only way to raise the issue of creepiness and surveillance and loss of privacy is to make it clear that anyone, not just the good guys, such as they are, can use this technology for good or evil. CreepyDOL is a distributed sensor network
that combines wireless sniffing, distributed command and control, 3D visualization and grenade-style encryption to do real-time personnel tracking and true identity theft on a major urban area in real time for almost no cost. It is stalking as a service. That's what we're here today to see.

There's one complication, though. That's Weev, Andrew Auernheimer. The United States government has declared a holy war against legitimate security research, and some of us think that's probably not a good idea. A lot of people in this room don't like Weev very much because he's a troll and he did horrible things and said horrible things about nice people. But it doesn't matter. The thing about criminal law is we don't get multiple bites at this apple. Mighty Casey gets three strikes to strike out; we get one. It's in the Third Circuit and it's pending already. We need to take actions to protect Weev and legitimate security researchers, even when they seem like terrible people, not for them but for all of us. If everyone in this room isn't going to be in prison by this time next year, we need to start hoping that Weev wins this appeal, because otherwise, hey, that was only in New Jersey, right? Except that Weev was in Arkansas. They dragged him into New Jersey because they thought they'd get a more favorable hearing. They were right. Every internet connection goes through every place in the United States, so if we're not going to end up in prison we'd better defend Weev. And this affects the way that I do this research. But first, a side note: I wrote this amicus brief in conjunction with all the people on this list. Alex Muentz, down at the bottom, a great hacker lawyer; thirteen big security researchers, a lot of people in this room or at this conference: Dan Kaminsky, Matthew Green, professor at Hopkins, Sergey Bratus, a professor at Dartmouth, Jericho, Space Rogue, Mudge. These are people you've heard of. They're people whose work you should be supporting, even if you think you don't like Weev. This affects every one of us, whether we're DARPA program managers, professors or itinerant hackers. And in the meantime we have a chilling effect, because we cannot trust legal actions to not be prosecuted anyway. Therefore CreepyDOL has not been tested on the whole city, because even though every court of the United States has consistently said that wireless sniffing is A-OK (it's the same as sitting in the coffee shop and hearing the guy next to you talk too loudly on his cell phone about raising his next round of venture capital funding, which happens way too often), we can't rely as a community on the government not prosecuting hackers for legal actions. I leave the next step of world domination to a braver researcher. Since I'm a law student, we have an extremely serious disclaimer. One more second, let you all read it. Have you got enough? This disclaimer is not intended to be ironic.

So let's talk about DARPA Cyber Fast Track. CreepyDOL is not CFT work. I've had to make this extremely clear to a few people. DARPA tries very hard not to build stuff that creeps people out, because they've had a bit of a PR problem in the last couple of decades. But two CFT contracts did let me build two of the core systems: the Reticle system, which is the distributed command and control layer, and the visualization system, for reasons that are not likely to become clear at the moment, called Nom. So thank Mudge if he's here, and wear the screen-printed t-shirts with his face on them with pride.

This is the brief roadmap. First, let's talk about the goals we have for this project. First, we want to see how much we can extract from passive-only wireless. That means I don't want to do man-in-the-middle, partially because I don't want to go to the bad kind of federal prison, but partially because design constraints help us become creative, and it turns out that the active attacks like the Pineapple Jasager attack aren't necessary; we can do this without them. As soon as a device turns on that has wireless, it sends out a list of its known networks, all of its known networks for years in the past, sometimes every couple of seconds, even when it's connected to a known network. As soon as the device thinks it's connected to Wi-Fi, all of its background sync services will kick off again. That means Dropbox, that means iMessage, everything, and a lot of those, as they're establishing the SSL connections, we get a lot of cool data from. And because we're sensing in places like coffee shops that have public Wi-Fi, that means we get a lot of cool data pretty often. Over unencrypted Wi-Fi, all the data sent by a device is of course exposed; that's what we mean by unencrypted, which means that we can see everything they're talking about. Sometimes they're talking over SSL, which means that the core data is in theory encrypted, but it turns out that, again, lazy developers, that is us, have been leaking all of this cool data outside the SSL envelope, and I don't know why. But especially as they set it up, or as we look at things that are outside the envelope, we're going to see a lot of neat data. And the cool part about this is, because we have a really awesome primary key, we can just sit and wait. So maybe you make one small identity mistake in one cafe, maybe halfway around the world. As long as I'm in multiple places with my little boxes, I drop another box and maybe you make another small identity mistake, and I start to build up a profile of who you are, where you are, because I distribute them, and I know that plain Wi-Fi is not that long-range, so if I can hear you, you're probably almost on top of me. And then finally, once we get one to ten to a hundred sensors spread out over an area, we have time and place analysis. That means I know your patterns, I know your practice, I know what things are important to you, and if I really want to blackmail you I will eventually find whatever it is that's most important to you and that you most don't want exposed. This is what we mean when we say knowledge is power, right? Pretty sure it's what I learned in school. Our
second goal is large-scale sensing without any centralized communications. It's really easy to just say, for instance, "I'll go to Verizon and buy ten USB sticks." The problem with that is twofold. One of them is that it's really, really expensive, and these days I'm a law student, and when you go to your law school and you say "hello there, I would like to apply for a grant for my research", "oh yes, what is your research?", "oh, I'm doing a distributed sensor network so that I can spy on people", they back away slowly and then call your dean. My dean is a wonderful woman. I will do her the favor of not mentioning her name on stage, but suffice it to say they're not going to fund my work anytime soon. So it needs to be cheaper than just Verizon. The other reason we're not going to do Verizon or any other cell provider is that it provides the bad men with guns, my standard adversary, a way to figure out who I am. They simply pick up a box, read the ID off the back of the device and say "ah yes, Verizon. Dear Verizon, who has this device? We would like very much to throw them in Guantanamo. Signed, the United States government." The major telecom providers all have whole offices dedicated to responding to exactly this kind of query. So we're not going to have any centralized communications at all, so that they can't track us, and also so that there's not one single point of failure. If you saw the botnet talk yesterday, you know that all the good botnets these days don't have a single point of control. They work a lot like Reticle does. Finally, we have a third goal, which is intelligibility. The NSA slides make Tufte cry. It's a very sad thing. What we want is intelligibility on this large-scale sensor data, so we can prove to people this is a problem. It's the difference between writing a zero-day and writing a zero-day in Metasploit. When every script kiddie sitting down in the basement can stalk his entire city, maybe we'll see some improvement on this issue. In the meantime, we're not. Let's talk a little bit about background, just a couple of slides.

One, I'd like to, you know, pour one out for all the academic sensor network people everywhere. This works kind of like a sensor network, but not exactly, because mostly sensor networks are these ultra-low-power, beautiful little devices. They work exquisitely, they do wonderful research with them (very sorry, grating that mic), and they sacrifice everything else to get there. They work in horrible languages like nesC, which, if you've never heard of it, look it up, it's terrifying. But they especially sacrifice cost: academic sensors cost upwards of six hundred dollars apiece. So that's not good. I want something that I can write in a real language, that preferably runs Linux, Debian would be nice, and I wanted it at least an order of magnitude cheaper. And also, background: large-scale surveillance. I swear my outline back in March for this talk said that one can assume that the intelligence community has solved all the problems involved in CreepyDOL before me and that they should rightfully be cited as prior art, which we'll be happy to do as soon as they publish their results. So thank you, Edward Snowden, you have made it possible for me to give proper academic-style due credit to the people who most deserve it. And pour one out for the poor guys at the NSA, because a lot of this stuff is really hard and there's a lot of little fiddly bugs you have to work on.

So let's talk about the CreepyDOL architecture. First, hardware. This is F-BOMB version one. F-BOMB stands for the Falling or Ballistically-launched Object that Makes Backdoors. It's a terribly tortured acronym because I used to work for DARPA, and they loved terribly tortured acronyms. I originally presented this at ShmooCon 2012. At the time this was based on the Marvell SheevaPlug board, the same thing that is inside the Pogoplug, but this board actually comes out of a thing called a Pogoplug, because Pogoplug decided they could charge an extra 50 bucks off the dev board if they put it in a pink case. When that business model failed, I could buy hundreds of the things on Amazon for 25 bucks, a quarter the cost of the dev board. So that was very nice. I'd like to thank Pogoplug for their contributions to my research. The other thing is that it fits inside a carbon monoxide detector. How many of you guys have recently checked your carbon monoxide detector to make sure they weren't working for me? And this is the old version. The dev board is about twice as big for the F-BOMB version one as it is for the F-BOMB version two. That's a business card for scale, or if you can look at my hand and see it. This little box holds a whole lot of good hardware. It holds a Raspberry Pi Model A, for those of you into such things, because every hacker needs a Raspberry Pi, or ten of them. I actually would like to apologize to the Raspberry Pi enthusiasts. I actually bought 10% of the US supply of the first round of Model A's, but I didn't know they were only going to bring a hundred to the United States, so I'm very sorry. I think I really screwed up a few business models there. There's a cheap plastic case, which is literally just a cheap plastic case. There are two tiny Wi-Fi dongles, there is a small SD card, there's a USB hub, and there's one of those awesome power adapters you can get on eBay for about three bucks that look like Apple power adapters but occasionally electrocute people. This just happened last week; Apple released a thing saying only buy original Apple. Thanks, guys, but they cost 25 bucks, so three bucks is better. And hey, I plug them into other people's apartments, right? That's the idea. So why two Wi-Fi dongles? Because, again, I don't want to bring centralized communications, so instead I'm going to use all of your centralized communications. We connect to local Wi-Fi. "But Brendan, in this magical place where you live, is there municipal Wi-Fi that actually works?" No. There's municipal Wi-Fi that doesn't work, which is kind of typical. There's a lot of coffee shops and
bars, and every random dive bar has Wi-Fi now. In Madison it's a wonderful thing. A lot of those have captive portal agreements, though, and captive portal agreements make your embedded code sad. So I wrote a library called PortalSmash. It clicks on buttons so that you don't have to. It's available on GitHub right now, github.com/ussjoin/portalsmash, and again, thank you, DARPA.

Let's talk about the middleware. Now we're building from the bottom up. We talked about hardware; now we're going to talk about the middle layer, called Reticle. Reticle is leaderless command and control software designed to work a lot like botnets. This is the first of the two DARPA CFT contracts I mentioned. I made a whole presentation on this last year at BSides, I guess, but I'll briefly summarize, because there has been a full rewrite since then. It still works the same way, but there's not nearly so many swear words in it, and occasionally it doesn't break because my cat stepped on my keyboard. Each Reticle node runs CouchDB, which is a NoSQL database which works very nicely, plus nginx, Tor and some custom simple management software, a couple of Ruby scripts in essence, and all of this is open source. This lets nodes combine into what I call a contagion network, somewhat different than a normal peer-to-peer network, because it lets nodes exchange data with every other node; it doesn't let them send it to individual nodes. This means that we can do data exfiltration as quickly as possible to as many nodes as possible, in the hope that we get the data out before the bad men with guns shoot the box. To make reverse engineering of a node much more difficult, Reticle nodes use what I call grenade-style encryption. That means pretty much what it sounds like. You boot a node with a USB key that contains the full disk encryption key. It reads the key, stores it in volatile memory only, then you pull the pin out and you throw it at your adversary, preferably not at their head. Once you've done that, unless somebody actually runs cold boot on it, then you're pretty good: if you pull it out from power, you lose the encryption keys. As for cold boot, well, here's the thing: how many people dump liquid nitrogen on every small black box they find in their house? There's one, two people who dump liquid nitrogen on everything. I would love your house. For the rest of you, as soon as we've gotten every person in society to dump liquid nitrogen on everything in their house, we have won and we can all go to 303's party. CreepyDOL is just a mission that Reticle runs. They all talk to each other over Tor hidden services, and, as mentioned before, they all do this contagion network thing, so as soon as the data gets to one place it's as good as home.

So let's talk about the design of CreepyDOL. CreepyDOL, right, it should be fairly simple. One underlying principle: we're going to do as much computation as possible on the edges of the network, that is, on these little boxes. They're not very powerful, but they're not bad; they've got 256 megs of RAM. We don't need that much for CouchDB; they work fairly efficiently. And the reason we do that is to be nice to Tor. Tor, for those of you who don't know, is usually overloaded; please go donate money to those who run more Tor exit nodes. So we don't want to send whole pcaps home, partially because it's rude to Tor and partially because we're taking coffee shops' bandwidth, and the guy who's trying to download warez in the corner, because no one will track him in a coffee shop, will get annoyed at us. So we're going to do distributed querying for distributed data. We process all of the data on the nodes; the pcaps we save, we get as much actionable intelligence out of them as possible, and we just send that home. We never send the pcaps home. We then do centralized querying for centralized questions. This is where we can do really awesome types of questions, like "where do you usually go for coffee at 8 o'clock in the morning?", or for those of us in this room, "where do you usually go for coffee at about 3 o'clock in the afternoon, once you've dragged your butt out of bed?" We do these things on the centralized node because, even though the distributed nodes have a lot of distributed data, they don't have a lot of hard drive storage; they only have eight gigs apiece. So we want to be able to do the kind of long-term data mining type queries back home, and what we do is we pull the data out of the grid as fast as possible. Once it's propagated, it'll be deleted to free up hard drive space. And then we have a centralized point of visualization only. It's not the command and control network; it's just a place we plug our Xbox into, and I'm serious about the Xbox thing, we'll talk about it in a minute.

The way we extract this actionable intelligence is called Nom, for noisiness, observation and mining, and because it's hilarious. Let's talk first about the observation filters. Observation filters are the stupidest possible filters, and they're per application. That means they take in a pcap and they say "okay, this pcap is from Dropbox, flip to the Dropbox filter. Okay, from Dropbox we extract the fact..." oh, we can only extract that they use Dropbox. That's something good to know. There's another filter that processes Apple iMessage. Look at the last line of this; this is obviously a screenshot from Wireshark. There's a lot more data there than there should be, outside the nice little TLS encryption thing, right? I know exactly what version of iPad I have, which luckily I knew, but if you didn't, that would be useful. I know exactly what version of iOS they're running, which, if it's not the newest version, means you know exactly which vulnerabilities it has and how to exploit it remotely. And in case I wasn't sure enough, I've got the exact build number as well, in addition to the fact that they're using iMessage. That's a lot of data immediately, right? And this is from one service. Observation filters are per service, so I've written about ten of them. They take about five minutes each; it's
not very hard, just look for anything outside the envelope. And the idea is that we build up little tiny bits of identity information and coalesce them over time in the CouchDB into one summarized identity. So we get a little bit from iMessage, we get a little bit from Dropbox, we get a little bit from your feed reader. How many of you guys still use a feed reader after Google Reader collapsed? About a third of you, a quarter of you. How many of you guys actually watched the stuff over the wire to make sure it was as secure as Google Reader? Nobody. Yeah, turns out a lot of the ones that I actually personally switched to, and the ones I still use, transmit everything in the clear, and weirdly they transmit my real name and my email address in the clear, in addition to an authentication cookie, because they've never heard of Firesheep, because a lot of this stuff got spun up really, really fast as Google Reader was dying. Which means we can get a lot of data. We can get even funnier data, though, out of your online dating profile, and you all have one, and you are disgusting.

So back to the Nom filters. Two other things in Nom, right: there's the noisiness filters and the mining filters. Noisiness filters take little bits of data and they submit them to things like online directory services that look for every account with that username, that email address usually. So you can submit it to a service, it checks the forgot-password forms of 200 different websites, and even though we've been screaming about the forgot-password vulnerability for years, they still respond differently if you have an account. So now we know every service that you use, and of course if I were a criminal, a terrible person, I could then break into those services and take all of your stuff. Turns out I can do even funnier things and still be more or less within the law. Finally, there's mining nodes, and this is where we do the big data. We only run these data mining type queries on the back end. This is where we start doing pattern and practice, and as I mentioned before, where do they go for coffee, and do they go for coffee every day? That's one thing. We can do cooler things. For instance, if I see one device that moves around a city, I see it everywhere, it goes here, it goes yonder, that's great. What if I see another device that only exists sometimes, and every time it exists it's in the same location as the first device that I saw? So what happens is the first device goes somewhere, it stops moving, a second device suddenly turns on, works for a while, then the device turns off and I don't see it again, and then the device moves out. That's what we call a laptop being used by somebody with a mobile phone. Once I've seen that for a little while, a little bit of data mining, a little bit of fuzzy math, suddenly I've got one profile instead of two. So even if you thought "oh hey, well, my mobile phone is trackable, but I only do my creepy OkCupid stuff on my laptop where I get really freaky, that's okay, right, because Brendan will never see", you'd be wrong. Oh, now I know it's all you, and I've seen the shops you go to, and I for one am terrified. I didn't know you could buy them that big.

This is the CreepyDOL architecture, pretty much as I've described. You can see on the left-hand side of the screen a few different nodes. They're all connected to every other node is the basic idea. They go to one node, as I mentioned before, the sync node. The sync node is just another node that still participates in propagation, but it's not usually encased in one of these boxes; I usually run it in a virtual machine. Its job in life is to pull data off of the wire and send the delete commands to free up the hard drive space on all the other nodes, and then store it in another storage mechanism. I have two different storages that I use in tandem. One is called Shark, and Shark is actually an all-in-memory derivative of the Hadoop Hive project, which means that I can store really big things, like when I had 600 gigabytes of packet captures I can throw them in Shark and do deep queries on them. I also store the rest of the stuff in CouchDB, which lets me run really fast queries. I combine them together using a Ruby script written on Sinatra, which is just a very simple Ruby web server, which does translation from the completely ridiculous Shark format into a much saner JSON format. Finally, I run them into a visualization, and you can see down in parentheses there, if you see that, it's running Unity. That's right, I built a video game. It's my first video game, so it's not very pretty, but all of my little space aliens are real people, which makes it much happier. Finally, I pull data; because I'm getting GPS location, I might as well pull data from CloudMade, a nice OpenStreetMap provider.

So let's talk about this visualization. It's the second DARPA CFT contract. It's also called Nom, it's a whole thing, it uses the Unity game engine. Two notes. One, that's a great toy. For those who've never played with it, the game engine Unity is actually free for indie developers, so go ahead and try it. It's really cool, you can learn. The second note: JavaScript as extended by a proprietary games manufacturer, then compiled into the .NET common language runtime with a bunch of C#, and interpreted at runtime by Mono on an iPhone, is a horrible debugging platform. Oh my god, you've never seen weird JavaScript errors until you've seen them as interpreted by four other languages in the middle. But it works really well at the end of the day. The guys at Unity really know their stuff, and this is the cool part about using pre-written game engines. If you've ever tried to write your own visualization, you know you spend three months trying to draw a box on the screen in the right place, and then you spend the extra two weeks before your DEF CON talk going "crap, now what do I do?" If you do this, everything just works. You just say "put this here" and it works really well. You've got one simple translation between latitude and longitude and your internal world coordinates, and then it
runs on an iPad, which I love, or runs on Windows, Linux, Android, Wii or Xbox 360. I've never seen a security tool for Xbox 360 that could pass the developer certification, but Unity will, which is quite fun. Part of the side effect of this is you said "oh wait, Brendan, you said 600 gigs of data, how do you hold that on an Xbox 360?" I don't. That's why we have the servers that I mentioned in the last slide. They do all the heavy query lifting so that you can just run this on an iPad and don't have to do any of the heavy processing. They talk to each other, because I love irony, over unencrypted HTTP.

So we're going to have a demo video, and you can watch closely, you can almost see the creepy take place in real time. But before we do that (whoopsie), before we do that, as I was saying, we have test parameters. Remember Weev, remember how we're all terrified? If you're not terrified, you're not paying attention. So we can't spy on everybody in the city, which I hate. This doesn't mean we can't do valid testing, but it does mean I stalked myself. In essence what this means is we only get to see me. So you're going to see a lot of dots on the next screen; they represent me in different places. Imagine if instead there were a hundred thousand dots. I've tested up to that many nodes using generated data, or data out of academic sources that has been anonymized. It works incredibly well and it scales incredibly effectively. So we never collected any random stranger at any time, because even though it's apparently legal, we can't be sure of anything anymore until somebody smacks down the Third Circuit. So let's watch it first. "Video powered by Unity." I'm sure this is not the press release they were expecting to see. And it should be running here. I hope it's running. It's not running on my screen. It is, it's running. Okay, so you're going to see a few things, but I'm not going to say exactly when. First you'll see the dot move around the map, then you'll see OpenStreetMap load, you're going to see me zooming in, zooming out. Basically it works like StarCraft. Then you'll see I draw a box, zoom across it again, just like StarCraft, and that zooms the data in and zooms the map in. You can hover over different nodes to see just how many times I saw them, or how many nodes are in about the same room at the same time, and their MAC addresses. At the end, and please tell me when this happens, you can click on one node and then you see everything in the world. So yeah, real name and email address from a Google feed, or from a Google Reader replacement I should say; it's not Google Reader's fault. Photo from an online dating site whose name we're not going to say, because I've heard they have angry lawyers, even though they haven't heard of Firesheep. All the rest of the data from all the rest of the different sources: you can see that they use iMessage, we know what kind of device this was, you can see that they use LogMeIn, which is a commercial, basically it's a replacement for every screen sharing site. And we have all this great data. We even have the weather app, which helpfully transmits in the clear exactly what location the iPad thinks it is, so I can make sure that my sensors are appropriately placed. They're actually helping me calibrate my own network. It's awesome.

So let's talk about future work. Well, the first thing is, well, what other applications could we do besides being decidedly creepy, Brendan? Well, one, we can do counter-infiltration. Those of you who participated in, or even read the news about, the Occupy Wall Street and Occupy everything else movements have noticed that a lot of times a mysterious stranger slips into a group, then suddenly somebody throws a rock, and then the mysterious stranger is gone. It's amazing how effectively this works. You can use CreepyDOL for counter-infiltration, though, because you just set an alarm: say "hey, if anybody new shows up in this area, scream bloody murder." So whenever the bloody murder alarm goes off, everybody knows, look for the one guy with the BlackBerry, he's the Fed. You can also use this, with apologies to the Grugq, for operational security training. You can say, well, hey, if I throw these over a whole network I just look for devices that I know my agents are carrying. How much data are they leaking? How terrified should I be? Here's a hint: really terrified. And you don't need to control every network an agent accesses. If you're a corporation with a very loose sense of ethics who wants to make absolutely sure that when your employees go home they're not leaking trade secrets, just spread these over the whole town where they live. You'll make sure that every time one of them connects to get their email, or to send your trade secrets off to a competitor, you too will know it. So we'll have actual operational security through the complete and total invasion of privacy. The thing is, this is the trade-off that we've suddenly come to live with, and I'm not sure why we've done this. We've just accepted that we have no choice in the matter, that our devices are going to leak continually increasing amounts of data, that Mark Zuckerberg is going to be able to go on CNN and say "well, privacy is dead, I don't know why anyone would want privacy." Here's the reason we want privacy. We want privacy so that... I don't want you going into, for instance, a bar, a singles bar that your wife doesn't know about, not just because "oh my god, you cheated on your wife", but because if I stalk a whole area, let's say for instance, since I live six blocks from the state capitol, I stalk a couple of blocks around the state capitol, I don't need any particular person to do anything wrong. I just need one person to do something wrong, and then I get maybe a small change to a bill. People have been doing this for a very long time, right? This is what we call surveillance and creepiness. Here's the difference: I'd have to pay a whole team of surveillance agents 24 hours a day to watch Senator So-and-so until he does something really stupid. I can throw a few of these around there 57
bucks apiece so for the cost of a really expensive dinner here in fashion kind of a medium expensive dinner here in Vegas I can throw ten or twenty of these things around and just find the first person with a weak wallet a weird sex life or just something they don't want everyone in the world to know except for Anthony Weiner's apparently he's invulnerable everybody else however is going to have an issue and also you this for evidence logging any kind of fast-moving scenario like protests and rallies there's a real problem with the accidental destruction of electronic evidence during crackdowns it's very hard to know who is in a kettle when the cops lock you all in and then eventually take you off it's hard for occupy to know who they need to save from the jail's since creepy doll uses a contagion network you could easily strap one of these to your belt have it scan all of your friends continuously and transmit that off-site immediately you're constantly offloading and exfiltrating your data so that you always know where your friends are which on the one hand they lose a little bit of privacy on the other hand maybe they don't spend two more weeks in jail than they need it to and again unless an adversary already knows what this is and why they care they're probably gonna unplug it to look at it they're not going to know to take it off and exactly the right way to allow them to do a cold boot so again unless they're just throwing liquid nitrogen on to random protesters which even like you know in Madison we had a cops kill a kid for walking ball drunk which is also known as bead in college but even they're not just splashing liquid nitrogen around we're probably pretty safe from cold boot attacks for a very long time and that means that we get all the data we need sokka but improvements this one thing is that we can scale up the fastest and easiest way is to shard our contagion networks because contagion networks are connecting to each other directly over RF 
they're all connecting to each other over their local coffee shops Wi-Fi we can chart a contagion Network by having 20 nodes and 20 random places and have five or six overlaid networks that don't actually need to connect to each other in any physical way this means we can do geographical distribution really efficiently with this because eventually you're transmitting so much data that you can't delete it off the nodes fast enough so when that happens you know probably about 50 or 60 nodes if you've got a well-traveled area then you probably want to start splitting up your contagion networks each network then just has one data same node they can all throw it into the same visualization the visualization is good to a couple terabytes at least more if you've got better RAM as I mentioned scaling the backend isn't hard especially because there's a great script for shark that lets you run on an Amazon easy to ec2 right that means that yes we can have stalking as a service it's from the cloud so it must be here to help us there's CouchDB servers as well they even run Geo couch which is a modification of couch TV that I'm using for this it works really efficiently the visualization is a little bit harder in that there's a limit how many nodes a couple thousand I can draw simultaneously but luckily there are hundreds of books by game developers for other game developers that they don't check your game developer cred at the door in order to buy they tell us how to do these things things like group II which actually I'm already doing if you saw the black nodes versus white nodes those are groups or sustainable nodes but we'd also do things like a limited field of view or a limited distance of view the standard things you see in every FPS game you can't see the entire way to the moon this will allow us to scale the visualization pretty much as far as we need OpenStreetMap of course goes everywhere in the world so you can saw the whole country at once for just probably 10 20 
50 thousand bucks which if you really really want to be creepy is not that big of an investment won't someone think of the children and everything they're doing every day if you are cure a bad person finally we can add a lot of stuff for this how many of you guys have played with software-defined radio since the rtl-sdr came out quite a few people actually four just kind of a random question there's these ten to $20 dongles you can buy on eBay that allow you to sniff software-defined radio which means basically everything from map on this one I think about seventy-five megahertz up to a couple gigahertz that means you can listen to any wireless protocol not just Wi-Fi for not a huge additional investment put a tiny antenna in but hey what are you talking about tiny antennas it's a tiny box so at that point you can listen to anything whether that's stalking the goons for fun and frivolity until you get thrown in the pool or messing with restaurant pagers or anything else you can think of transmitting over RF we also work around encrypted Wi-Fi that's obviously trivial to trivial to do with tools like Reaper or the other awesome attacks on wireless security that just gives us more ways to connect home in the end of the day if you're talking in a city it's you don't really need it but it's something to keep in mind finally of course we could do active attacks like the Jessica or Wi-Fi pineapple attack to make sure that wireless devices connect to us and run a full man-in-the-middle attack we don't have to and then frankly it makes us a lot easier to detect if you go hey I don't recognize that weird MAC address and I'm definitely six thousand miles from my home access point which it says I'm connected to but we could run it you could be more subtle with modifying that software so something to think about so finally let's talk about mitigation the problem is we have to sacrifice the things we love in order to mitigate this yes it's a Bible joke the leaks are 
unfortunately at every single level of the entire stack and I do mean every single level at the bottom layer the I Triple E has said that beginning your list of all known networks every second or two is an acceptable way to behave in a crowded noisy space that's a terrible idea right but that's in the protocol we can't ignore the protocol that would be a bad thing the I Triple E will send out their engineering thugs to hurt us they have to fix this but unfortunately we've sample it's so convenient to have to walk near my apartment and immediately reconnect to Wi-Fi without everything to turn on my phone it can automatically connect to iMessage and download all of my new messages and some of them won't be from Anthony Weiner I'm sure but the I Triple E is not going to be able to promulgate a new protocol to to advise manufacturers hey it's going to be less convenient and your customers will hate it but you should really use this because it's more secure okay next there's also a problem the operating system level a lot of mobile operating systems and I'm gonna pick on Apple here cuz that's what I use won't enforce VPNs what that means is that when I can't do a new Wi-Fi on a laptop I can have a setting that says turn on the VPN before you allow any packets to go that is not possible to do on iOS which means that you always have those few messages and those first few messages are rich with data because before the encryption has been set up they're already transmitting this user agent insanity and everything else if they're open source or if they're open protocols and so the os/2 needs to be protected and finally again we have to change the culture we as developers can't be collecting random data I found for instance a online shopping application that for some reason transmits my location in real time it's not a look it's not Groupon right it's not something that actually involves my location they just want to know so they can serve me targeted ads and they serve all 
their own data over SSL right because nobody should know notably should have unencrypted access to how much that new pair of Manolo Blahnik shoes costs but for some reason everyone in the world should have unencrypted access to what OS I'm running and where exactly I am in the world that's a pretty weird trade-off and it's our fault because we've forgotten to protect our users in addition to protecting our servers this is everyone's fault and so no one's going to take responsibility for us right it's just status quo right the status is not quo those of you like dr. horrible we cannot type tolerate this level of privacy leakers there's one dr. horrible fan as consumers we need to demand better and as developers we haven't responsibility to the world to do better one final digression at shmoocon 2013 there was a pretty heated panel about the interaction between academics and researchers i've actually split both in my career i have an academic degree in computer science i'm doing an academic degree in law these days but i'm also just a hacker without any academic support most of my time we need to be able to have a way for the for the two communities to work together and part of that needs to be that hackers need to stop need to find a way anyway to stop repeating the same mistakes over and over everybody who's done a long term research project or development project in here knows that you spend the first couple months doing something and then six months later you go god they already did it and i just couldn't find it so a couple days ago on tuesday we launched hark a Kickstarter for hark hark is gonna be a new hacker archive that anyone can publish to and they can publish whether it's a couple tweets a blog post or a formal academic paper we're going to have mentors who can help you take your work to the next level or the next level for you is a newbie science or it's the USENIX woot conference which actually exists and it's an awesome title we want to be able to 
have mentorship we want to be able to have promote we want to be able to have a permanent archive so that people know that if they publish their work here it will be they will live beyond their own time which especially as we start losing hackers left and right is going to be in a very important thing we want to be able to fail better in order to do that we need your help it's at the Harknett there's a Kickstarter you can contribute to finally thank you to all those offer ask for comments too much for running the CFT and for my law school for not being hard enough to make me actually work on law school most the time also I'm finishing law school in ten more months and I don't really know what I'm going to do next if you have an idea that you'd like me to do in about ten more months drop me an email this is a write on the slide and finally seriously we want to be able to fail better and to make hackers not just academics work live forever if you do want to believe in immortality go to the heart net and join us thanks very much then you've got about two minutes for questions so if I could take one or two questions down then you can trail me later yeah IP what cameras you certainly could do that I guess this is kind of the Minimum Viable creepy yeah yeah the repeat the question is that we were saying yeah okay the question was why don't I integrate cameras so you can do IP cameras and stuff from IP cameras that would totally work you just need a new application specific parse or one of the end part 1 of the Oh parsers you could also be rated camera directly into the device which would be cool but it costs another 20 bucks to integrate a Raspberry Pi board both of those are great ideas for future work one other question yeah right so the question was have I used unities client-server architecture to do the networking especially between independent hackers I haven't the reason is it's not incredibly flexible if you're not actually building a game that's said the way to 
link them up would actually be one layer beforehand by everybody dumping into the same shared couch TV and tagging to be essentially the shardene to the contagion networks work so that capability is already built in it just doesn't use the unity networking architecture everybody else come grab me the goons are going to rip me off stage in about 30 seconds thanks very much
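An added, illustrative example of two of the ideas described in the talk: the "if anybody new shows up in this area, scream bloody murder" alarm, and the "how many nodes are in about the same room at the same time" query, plus the one-line latitude/longitude to world-coordinate translation the visualization needs. This is not the speaker's CreepyDOL code and makes no claim about how the nodes or backend actually work. Everything about the input is an assumption constructed for this example: the observation log format (unix timestamp, sensor id, client MAC, SSID the client probed for or "-"), the sample lines, the 10-second co-location window, and the equirectangular projection in `to_world` (a choice made here, not the projection the Unity visualization uses).

```python
"""Sensor-observation analytics in the spirit of the talk (added example, not
CreepyDOL's code). Log format, sample data and the projection are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from math import cos, radians
from typing import Optional

# Constructed sample log: "<unix_ts> <sensor_id> <client_mac> <probed_ssid|->".
# The MACs use the locally-administered 02:... range so they match no real device.
SAMPLE_LOG = """\
1375500000 node-a 02:00:00:00:00:01 HomeNet
1375500001 node-a 02:00:00:00:00:02 CoffeeShop
1375500002 node-b 02:00:00:00:00:01 OfficeWLAN
1375500030 node-a 02:00:00:00:00:03 -
1375500031 node-b 02:00:00:00:00:02 HomeNet2
1375500090 node-c 02:00:00:00:00:04 attwifi
1375500095 node-c 02:00:00:00:00:05 -
"""


@dataclass(frozen=True)
class Observation:
    ts: int          # unix time the sensor saw the frame
    sensor: str      # which box saw it (hypothetical sensor id)
    mac: str         # client MAC, normalised to lower case
    ssid: Optional[str]  # SSID the client probed for, if the frame carried one


def parse_log(text: str) -> list:
    """Parse the assumed whitespace-separated log format into Observations."""
    obs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, mac, ssid = line.split()
        obs.append(Observation(int(ts), sensor, mac.lower(),
                               None if ssid == "-" else ssid))
    return obs


def probe_fingerprints(observations) -> dict:
    """Map each client MAC to the set of SSIDs it asked for: the 'list of all
    known networks' that the talk says devices leak every second or two."""
    fp = defaultdict(set)
    for o in observations:
        if o.ssid:
            fp[o.mac].add(o.ssid)
    return dict(fp)


def new_device_alerts(observations, known_macs) -> list:
    """The 'scream bloody murder' alarm: (ts, sensor, mac) for the first sighting
    of every MAC that was not already in known_macs, in time order."""
    seen = {m.lower() for m in known_macs}
    alerts = []
    for o in sorted(observations, key=lambda o: o.ts):
        if o.mac not in seen:
            seen.add(o.mac)
            alerts.append((o.ts, o.sensor, o.mac))
    return alerts


def colocated(observations, window_s: int) -> list:
    """Group MACs that the same sensor saw within window_s seconds of the first
    frame in the group (tumbling windows per sensor). Only groups with more than
    one distinct MAC are reported, as (sensor, sorted MAC list)."""
    by_sensor = defaultdict(list)
    for o in sorted(observations, key=lambda o: o.ts):
        by_sensor[o.sensor].append(o)

    groups = []

    def flush(sensor, bucket):
        macs = sorted({b.mac for b in bucket})
        if len(macs) > 1:
            groups.append((sensor, macs))

    for sensor, obs in by_sensor.items():
        bucket = []
        for o in obs:
            if bucket and o.ts - bucket[0].ts > window_s:
                flush(sensor, bucket)
                bucket = []
            bucket.append(o)
        flush(sensor, bucket)
    return groups


def to_world(lat: float, lon: float, origin_lat: float, origin_lon: float) -> tuple:
    """Equirectangular lat/lon -> (x east, y north) in metres from an origin;
    an assumed, simple projection adequate over a few city blocks."""
    earth_radius_m = 6371000.0
    x = earth_radius_m * radians(lon - origin_lon) * cos(radians(origin_lat))
    y = earth_radius_m * radians(lat - origin_lat)
    return (x, y)


if __name__ == "__main__":
    obs = parse_log(SAMPLE_LOG)
    print("fingerprints:", probe_fingerprints(obs))
    print("alerts:", new_device_alerts(obs, {"02:00:00:00:00:01", "02:00:00:00:00:02"}))
    print("co-located:", colocated(obs, 10))
    print("world coords:", to_world(43.0750, -89.3840, 43.0740, -89.3850))
```

With the two known MACs whitelisted, the alarm fires three times (the three strangers); the co-location query finds two pairs that a single sensor saw within ten seconds of each other, which is the same-room signal the hover-over in the visualization shows. Real sensors would feed the parser from captured probe requests instead of the constructed lines above.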
Info
Channel: HackersOnBoard
Views: 216,548
Rating: 4.9158907 out of 5
Keywords: 2013, defcon, 21, defcon21, t124, defcon 21 videos, def con 21, conference, hacking, leaning, learning, los angeles, california, Stalking (Crime Type), Stalking a City for Fun and Frivolity, Defcon 21 - Stalking a City for Fun and Frivolity
Id: ubjuWqUE9wQ
Length: 45min 19sec (2719 seconds)
Published: Sat Nov 16 2013