79 00:08:27,479 -->
00:08:29,039 friends 80 00:08:29,039 --> 00:08:30,599 hello 81 00:08:30,599 --> 00:08:33,360 how are y'all doing today 82 00:08:33,360 --> 00:08:36,140 all right 83 00:08:36,179 --> 00:08:38,580 um happy uh Bastille Day to all who 84 00:08:38,580 --> 00:08:40,020 observe 85 00:08:40,020 --> 00:08:42,360 uh welcome to Summer con 86 00:08:42,360 --> 00:08:46,080 uh 2023 day one 87 00:08:46,080 --> 00:08:50,540 somehow this will do its thing 88 00:08:51,959 --> 00:08:53,820 yeah yeah everybody should you know come 89 00:08:53,820 --> 00:08:55,980 in and like get ready to get get Summer 90 00:08:55,980 --> 00:08:58,279 con 91 00:08:58,380 --> 00:09:00,000 yes 92 00:09:00,000 --> 00:09:02,160 it's like being conned only 93 00:09:02,160 --> 00:09:05,160 you know in the summertime 94 00:09:05,160 --> 00:09:05,880 um 95 00:09:05,880 --> 00:09:08,339 I was assured this was working 96 00:09:08,339 --> 00:09:09,839 and as 97 00:09:09,839 --> 00:09:13,580 as many people know 98 00:09:13,740 --> 00:09:15,839 um I'm not good at computers 99 00:09:15,839 --> 00:09:18,480 none of us are in the org here I don't 100 00:09:18,480 --> 00:09:20,040 know you tell me I don't I just work 101 00:09:20,040 --> 00:09:21,839 here two 102 00:09:21,839 --> 00:09:24,660 oh yeah so uh we this is fine for tap 103 00:09:24,660 --> 00:09:26,640 dancing purposes because uh we need two 104 00:09:26,640 --> 00:09:28,019 minutes 105 00:09:28,019 --> 00:09:30,420 but yeah okay make it negative I don't 106 00:09:30,420 --> 00:09:31,800 know 107 00:09:31,800 --> 00:09:34,560 plug it I don't know 108 00:09:34,560 --> 00:09:37,980 if you try turning it off and on again 109 00:09:37,980 --> 00:09:40,339 team 110 00:09:45,300 --> 00:09:48,800 I too I'm sore searching 111 00:09:53,040 --> 00:09:55,200 searching 112 00:09:55,200 --> 00:09:58,620 try this side it was working I believe 113 00:09:58,620 --> 00:10:00,860 you 114 00:10:02,900 --> 00:10:06,029 [Music] 115 00:10:15,660 --> 00:10:18,920 it's great to 
see you guys here 116 00:10:40,800 --> 00:10:43,459 oh 117 00:10:46,260 --> 00:10:48,500 yeah 118 00:10:48,740 --> 00:10:52,040 here you go 119 00:10:52,260 --> 00:10:53,640 doing it 120 00:10:53,640 --> 00:10:55,800 all right 121 00:10:55,800 --> 00:10:57,240 uh hiring you'll tell me when we're 122 00:10:57,240 --> 00:10:59,279 ready right 123 00:10:59,279 --> 00:11:01,920 oh we're good we can go okay great so uh 124 00:11:01,920 --> 00:11:04,440 thank you one and all uh John Wayne come 125 00:11:04,440 --> 00:11:06,060 on out 126 00:11:06,060 --> 00:11:07,980 um we're gonna get started 127 00:11:07,980 --> 00:11:10,740 um we are we do have a live stream 128 00:11:10,740 --> 00:11:12,959 um Hiram and the uh the video crew is 129 00:11:12,959 --> 00:11:15,000 doing a great job of getting the video 130 00:11:15,000 --> 00:11:16,800 out there on the you know the internet 131 00:11:16,800 --> 00:11:18,420 so that people can see this they 132 00:11:18,420 --> 00:11:19,800 couldn't come 133 00:11:19,800 --> 00:11:22,440 um Anything could happen with the stream 134 00:11:22,440 --> 00:11:24,180 we've had the stream had some problems 135 00:11:24,180 --> 00:11:27,000 in the past particularly because of the 136 00:11:27,000 --> 00:11:30,720 YouTube AI being really really quick to 137 00:11:30,720 --> 00:11:32,700 say like I think I heard a song in the 138 00:11:32,700 --> 00:11:34,620 background that isn't cleared for 139 00:11:34,620 --> 00:11:37,380 streaming so like we have to shut down 140 00:11:37,380 --> 00:11:39,000 whatever 141 00:11:39,000 --> 00:11:40,880 a lot 142 00:11:40,880 --> 00:11:44,459 I recommend that if you decide to sing a 143 00:11:44,459 --> 00:11:47,640 Disney show tune sing it out of key as 144 00:11:47,640 --> 00:11:50,040 much as possible okay that's how you you 145 00:11:50,040 --> 00:11:52,019 know that's how you get them 146 00:11:52,019 --> 00:11:54,660 all right uh so thank you uh for rolling 147 00:11:54,660 --> 00:11:57,060 with the 
punches all right 148 00:11:57,060 --> 00:11:58,560 um I am 149 00:11:58,560 --> 00:12:02,100 um required by law okay not by law but I 150 00:12:02,100 --> 00:12:04,500 am required as a part of our Charter as 151 00:12:04,500 --> 00:12:05,820 a charitable Foundation to remind 152 00:12:05,820 --> 00:12:07,680 everybody to 153 00:12:07,680 --> 00:12:11,339 be nice to not be jerks to like you know 154 00:12:11,339 --> 00:12:14,160 to this is a community where we're a 155 00:12:14,160 --> 00:12:16,620 family there are actually many of my 156 00:12:16,620 --> 00:12:18,540 family members here 157 00:12:18,540 --> 00:12:21,360 um be nice you know um 158 00:12:21,360 --> 00:12:24,000 we have a posted code of conduct on the 159 00:12:24,000 --> 00:12:25,500 website and I encourage you to look at 160 00:12:25,500 --> 00:12:28,079 it don't 161 00:12:28,079 --> 00:12:30,360 harass anyone 162 00:12:30,360 --> 00:12:33,899 in any way shape or form if you do 163 00:12:33,899 --> 00:12:37,320 we reserve the right to eject You 164 00:12:37,320 --> 00:12:41,100 Without Pity or remorse like Terminators 165 00:12:41,100 --> 00:12:42,720 um 166 00:12:42,720 --> 00:12:45,000 no refund either I've you know that's 167 00:12:45,000 --> 00:12:46,740 that's the twisting of the knife there a 168 00:12:46,740 --> 00:12:47,700 little bit 169 00:12:47,700 --> 00:12:49,680 um if you if you are being harassed if 170 00:12:49,680 --> 00:12:51,660 you witness harassment if you are if you 171 00:12:51,660 --> 00:12:53,480 just feel like generally unsafe whatever 172 00:12:53,480 --> 00:12:56,040 members of the team in the red shirts 173 00:12:56,040 --> 00:12:58,019 members of the bar staff you can reach 174 00:12:58,019 --> 00:12:59,639 out to any of them if you do not feel 175 00:12:59,639 --> 00:13:00,959 comfortable reaching out to somebody 176 00:13:00,959 --> 00:13:04,200 directly there is a phone number 177 00:13:04,200 --> 00:13:06,260 720 178 00:13:06,260 --> 00:13:09,079 -586 hack 179 
00:13:09,079 --> 00:13:12,839 586 of course is the Pentium so you can 180 00:13:12,839 --> 00:13:13,980 remember that 181 00:13:13,980 --> 00:13:17,579 all right so uh let's talk about the 182 00:13:17,579 --> 00:13:19,560 money um and for that conversation about 183 00:13:19,560 --> 00:13:20,700 money 184 00:13:20,700 --> 00:13:23,160 um our financial director executive 185 00:13:23,160 --> 00:13:27,260 Financial director John Terrell 186 00:13:29,940 --> 00:13:33,540 so it's been a tradition for summer con 187 00:13:33,540 --> 00:13:36,480 that we try to be as in maximally 188 00:13:36,480 --> 00:13:40,139 transparent word uh so a lot a lot of 189 00:13:40,139 --> 00:13:41,639 conferences don't show off what's 190 00:13:41,639 --> 00:13:43,139 actually going on with money A lot of 191 00:13:43,139 --> 00:13:44,579 times it goes into people's pockets 192 00:13:44,579 --> 00:13:47,820 that's not going on here uh in fact in 193 00:13:47,820 --> 00:13:49,800 in some past years it's more money 194 00:13:49,800 --> 00:13:52,880 coming out of our pockets 195 00:13:52,920 --> 00:13:54,360 um 196 00:13:54,360 --> 00:13:58,860 okay so basics of the income is 197 00:13:58,860 --> 00:14:01,920 essentially both tickets and sponsorship 198 00:14:01,920 --> 00:14:05,279 uh expenses are what we spend 199 00:14:05,279 --> 00:14:07,320 so that's going to be the venue that's 200 00:14:07,320 --> 00:14:08,760 going to be food and drink that's happy 201 00:14:08,760 --> 00:14:11,940 hours uh the the difference is what our 202 00:14:11,940 --> 00:14:13,980 profit is called that's not actually 203 00:14:13,980 --> 00:14:16,680 profit that just goes back into the fund 204 00:14:16,680 --> 00:14:19,320 uh and the endowment is what's actually 205 00:14:19,320 --> 00:14:21,660 kind of left over 206 00:14:21,660 --> 00:14:23,820 all right so 207 00:14:23,820 --> 00:14:27,899 for this year we came in a bit short in 208 00:14:27,899 --> 00:14:30,120 previous years we've done a lot better 209 
00:14:30,120 --> 00:14:33,660 for this year we came in at 22.5 210 00:14:33,660 --> 00:14:37,980 so our our attendee uh tickets were at 211 00:14:37,980 --> 00:14:39,720 twenty six thousand 212 00:14:39,720 --> 00:14:41,160 sorry 213 00:14:41,160 --> 00:14:45,300 um and our total was 48.5 214 00:14:45,300 --> 00:14:47,359 um 215 00:14:49,680 --> 00:14:52,139 yes sorry 216 00:14:52,139 --> 00:14:54,660 okay it's much easier for me to walk 217 00:14:54,660 --> 00:14:56,579 around with this thing all right so 218 00:14:56,579 --> 00:14:59,160 these sponsorships came in at 22.5 the 219 00:14:59,160 --> 00:15:01,860 attendees were at 26. this represents 220 00:15:01,860 --> 00:15:05,220 the ticket sales so at 48.5 that's the 221 00:15:05,220 --> 00:15:07,980 total amount of Revenue that came in 222 00:15:07,980 --> 00:15:11,940 unfortunately and I'll skip this 223 00:15:11,940 --> 00:15:14,040 that meant that with our expenses though 224 00:15:14,040 --> 00:15:18,180 coming out at 54 250. we actually came 225 00:15:18,180 --> 00:15:21,480 in short of about like 7 500. 
226 00:15:21,480 --> 00:15:24,120 so we did have an extra Platinum sponsor 227 00:15:24,120 --> 00:15:26,459 they pulled out three days ago 228 00:15:26,459 --> 00:15:29,040 that's 7 500 so that's what that 229 00:15:29,040 --> 00:15:30,660 shortfall is 230 00:15:30,660 --> 00:15:33,300 so that's the gist of it 231 00:15:33,300 --> 00:15:35,579 uh this is what the breakdown on what we 232 00:15:35,579 --> 00:15:37,260 spend is 233 00:15:37,260 --> 00:15:39,660 so as you can see here it's pretty 234 00:15:39,660 --> 00:15:42,180 transparent to break down the bulk of it 235 00:15:42,180 --> 00:15:43,980 this year was on travel 236 00:15:43,980 --> 00:15:47,399 and putting people up in a hotel 237 00:15:47,399 --> 00:15:48,360 so 238 00:15:48,360 --> 00:15:50,639 the t-shirts are also pretty expensive 239 00:15:50,639 --> 00:15:54,680 so please enjoy them 240 00:15:55,199 --> 00:15:59,519 um and what is this ah so this is 5750 241 00:15:59,519 --> 00:16:02,100 is our total deficit 242 00:16:02,100 --> 00:16:04,320 um we're expecting for next year we 243 00:16:04,320 --> 00:16:06,060 would like to be able to fix that that 244 00:16:06,060 --> 00:16:08,940 means more more sponsorships and if we 245 00:16:08,940 --> 00:16:10,560 don't have more sponsorships that means 246 00:16:10,560 --> 00:16:12,360 you all have to pay more 247 00:16:12,360 --> 00:16:15,740 so we don't want to have to do that 248 00:16:16,139 --> 00:16:17,820 um 249 00:16:17,820 --> 00:16:20,519 and this is showing that we are back 250 00:16:20,519 --> 00:16:22,560 into a loss 251 00:16:22,560 --> 00:16:26,959 so we want that to be going up 252 00:16:28,199 --> 00:16:30,899 I like when the market goes up so the 253 00:16:30,899 --> 00:16:33,720 the endowment health is at about 166 254 00:16:33,720 --> 00:16:36,180 grand for full transparency there's 255 00:16:36,180 --> 00:16:38,660 roughly 200 in it right now 256 00:16:38,660 --> 00:16:42,600 that means we haven't paid our bills yet 257 00:16:42,600 
--> 00:16:46,079 so we're planning to do a bit more with 258 00:16:46,079 --> 00:16:49,880 it but we don't want to have drawdowns 259 00:16:50,639 --> 00:16:56,519 and we are a 50c a 501(c)(3) so we are 260 00:16:56,519 --> 00:16:58,680 technically federally not supposed to be 261 00:16:58,680 --> 00:17:01,399 paying taxes 262 00:17:03,420 --> 00:17:05,880 and uh I will pass back to Mark about 263 00:17:05,880 --> 00:17:07,799 our sponsors 264 00:17:07,799 --> 00:17:10,260 thanks John appreciate that all right so 265 00:17:10,260 --> 00:17:13,319 uh you you did hear that we need money 266 00:17:13,319 --> 00:17:16,020 to make this run and you this year were 267 00:17:16,020 --> 00:17:17,819 the strongest component of the money so 268 00:17:17,819 --> 00:17:20,280 thank you to all of the attendees you 269 00:17:20,280 --> 00:17:22,500 are all sponsoring it in your small way 270 00:17:22,500 --> 00:17:26,160 but the people who uh put up corporate 271 00:17:26,160 --> 00:17:28,799 funds include our research sponsor Trail 272 00:17:28,799 --> 00:17:31,200 of Bits we thank them 273 00:17:31,200 --> 00:17:33,480 our Platinum sponsor our Traders 274 00:17:33,480 --> 00:17:35,640 partners 275 00:17:35,640 --> 00:17:37,679 our gold sponsors Red Balloon Security 276 00:17:37,679 --> 00:17:40,200 and MongoDB 277 00:17:40,200 --> 00:17:42,679 and our silver sponsors Data Theorem 278 00:17:42,679 --> 00:17:45,840 Flatiron and Thinkst Canary Thinkst 279 00:17:45,840 --> 00:17:48,000 Canary is like in South Africa and they 280 00:17:48,000 --> 00:17:49,740 are never here and they can never ship 281 00:17:49,740 --> 00:17:51,240 us anything and they can never like do 282 00:17:51,240 --> 00:17:52,919 anything and they always just give us 283 00:17:52,919 --> 00:17:55,020 money and I'm concerned that it's like a 284 00:17:55,020 --> 00:17:57,539 money laundering operation so I don't 285 00:17:57,539 --> 00:17:58,919 know what's what's up with that that 286 
00:18:00,299 they just haven't but they do have a 287 00:18:00,299 --> 00:18:02,400 great product in fact I would be remiss 288 00:18:02,400 --> 00:18:06,260 if I did not uh tell everyone 289 00:18:06,260 --> 00:18:10,640 that the sponsors of Summercon provide 290 00:18:10,640 --> 00:18:12,900 remarkably better products and services 291 00:18:12,900 --> 00:18:15,600 than people who do not sponsor Summercon 292 00:18:15,600 --> 00:18:20,160 so I urge you to uh to to to buy 293 00:18:20,160 --> 00:18:23,820 their services uh the Thinkst QR code is 294 00:18:23,820 --> 00:18:25,980 going to be up uh more later but you 295 00:18:25,980 --> 00:18:27,480 know this would be a good time to scan 296 00:18:27,480 --> 00:18:30,600 it if you wanted to get a surprise from 297 00:18:30,600 --> 00:18:32,700 them I just love blindly scanning QR 298 00:18:32,700 --> 00:18:35,340 codes I don't know about you all right 299 00:18:35,340 --> 00:18:36,600 so 300 00:18:36,600 --> 00:18:38,160 let's bring it home 301 00:18:38,160 --> 00:18:40,860 I do want to give thanks to uh our our 302 00:18:40,860 --> 00:18:44,039 entire organizing team including Dawn 303 00:18:44,039 --> 00:18:46,380 and the production team uh you guys you 304 00:18:46,380 --> 00:18:48,900 guys did it you got us here somehow 305 00:18:48,900 --> 00:18:51,120 there were moments where I was nervous 306 00:18:51,120 --> 00:18:54,660 but um we we did it we got it there I 307 00:18:54,660 --> 00:18:56,640 also want to thank Littlefield who 308 00:18:56,640 --> 00:18:59,900 somehow um is uh 309 00:18:59,900 --> 00:19:02,460 comfortable enough with the chaos that 310 00:19:02,460 --> 00:19:04,679 we bring uh each year so thank you to 311 00:19:04,679 --> 00:19:06,419 Littlefield for continuing to have us 312 00:19:06,419 --> 00:19:07,500 here 313 00:19:07,500 --> 00:19:11,160 um the video team Hiram and his guys uh 314 00:19:11,160 --> 00:19:14,220 who um a cannery Collective who are 315 00:19:14,220 --> 00:19:18,720 
keeping us on the air thank you I do not 316 00:19:18,720 --> 00:19:21,360 understand how the internet works but um 317 00:19:21,360 --> 00:19:24,240 but but it is allegedly very complicated 318 00:19:24,240 --> 00:19:26,520 and those guys know what to do 319 00:19:26,520 --> 00:19:28,080 um our amazing and Brilliant speakers I 320 00:19:28,080 --> 00:19:29,940 think we do have an outstanding lineup 321 00:19:29,940 --> 00:19:32,460 this year I'm very excited uh by all of 322 00:19:32,460 --> 00:19:35,520 it uh Emily who is somewhere around who 323 00:19:35,520 --> 00:19:37,900 uh in addition to wrangling 324 00:19:37,900 --> 00:19:39,600 [Music] 325 00:19:39,600 --> 00:19:41,820 she's over there somewhere I've recently 326 00:19:41,820 --> 00:19:43,559 got eye surgery so I can't see anything 327 00:19:43,559 --> 00:19:45,480 anymore it's a whole like you know deal 328 00:19:45,480 --> 00:19:48,240 I'd recommend it to everybody 329 00:19:48,240 --> 00:19:50,340 um Emily uh in addition of wrangling 330 00:19:50,340 --> 00:19:52,020 sponsors actually he's even presenting 331 00:19:52,020 --> 00:19:53,940 for a few minutes in this conference 332 00:19:53,940 --> 00:19:55,260 this year so we're very excited about 333 00:19:55,260 --> 00:19:57,440 that uh Zach 334 00:19:57,440 --> 00:20:01,559 who is uh unable to attend this year but 335 00:20:01,559 --> 00:20:04,860 he has always kept us grounded and calm 336 00:20:04,860 --> 00:20:07,559 through the the Maelstrom of running 337 00:20:07,559 --> 00:20:09,000 this thing 338 00:20:09,000 --> 00:20:12,600 um and uh Barbara Tracy Dave Jimbo all 339 00:20:12,600 --> 00:20:15,000 the volunteers if you if you see 340 00:20:15,000 --> 00:20:16,380 somebody in a red shirt with the White 341 00:20:16,380 --> 00:20:19,140 Stripes consider uh buying them a drink 342 00:20:19,140 --> 00:20:22,080 very important our bartenders let's not 343 00:20:22,080 --> 00:20:23,640 forget to tip your bartender it is the 344 00:20:23,640 --> 
00:20:25,799 Summercon motto 345 00:20:25,799 --> 00:20:29,400 um I I wanted to before I um I I go I 346 00:20:29,400 --> 00:20:32,340 wanted to also remember our friend Kelly 347 00:20:32,340 --> 00:20:33,860 who 348 00:20:33,860 --> 00:20:36,240 ran the volunteer side of the business 349 00:20:36,240 --> 00:20:38,580 and is no longer with us and we're very 350 00:20:38,580 --> 00:20:40,320 sad about that but 351 00:20:40,320 --> 00:20:42,120 um I'm sure she would be very excited to 352 00:20:42,120 --> 00:20:44,400 see you all here and occasionally scream 353 00:20:44,400 --> 00:20:46,740 to shut up to people as they talk too 354 00:20:46,740 --> 00:20:48,600 much in the back in the bar area so 355 00:20:48,600 --> 00:20:50,400 remember her when it gets a little loud 356 00:20:50,400 --> 00:20:53,360 and shut up uh 357 00:20:53,360 --> 00:20:57,059 and of course you this this event is for 358 00:20:57,059 --> 00:20:59,160 the attendees 359 00:20:59,160 --> 00:21:00,600 um and we are delighted that you're here 360 00:21:00,600 --> 00:21:02,160 so thank you you should give your 361 00:21:02,160 --> 00:21:04,140 yourselves all a round of applause thank 362 00:21:04,140 --> 00:21:06,799 you for being here 363 00:21:09,000 --> 00:21:12,179 all right so with that 364 00:21:12,179 --> 00:21:14,039 it is time 365 00:21:14,039 --> 00:21:15,600 to 366 00:21:15,600 --> 00:21:17,400 get our get ready for our next speaker 367 00:21:17,400 --> 00:21:19,860 who probably needs to be 368 00:21:19,860 --> 00:21:22,559 um uh do some tech work to get the thing 369 00:21:22,559 --> 00:21:23,820 going so 370 00:21:23,820 --> 00:21:27,299 uh get ready to dive into the world of 371 00:21:27,299 --> 00:21:29,039 gaming and hacking 372 00:21:29,039 --> 00:21:32,480 our first speaker is Dan "altf4" Petro 373 00:21:32,480 --> 00:21:35,640 by day he's a security engineer at 374 00:21:35,640 --> 00:21:39,120 Bishop Fox but by by night 375 00:21:39,120 --> 00:21:41,700 he becomes the mad 
scientist of the 376 00:21:41,700 --> 00:21:43,559 melee world 377 00:21:43,559 --> 00:21:45,659 uh Dan is here to share the thrilling 378 00:21:45,659 --> 00:21:47,760 story of how he hacked the GameCube to 379 00:21:47,760 --> 00:21:50,159 beat professional melee players at Smash 380 00:21:50,159 --> 00:21:52,260 Bros for charity he'll take us through 381 00:21:52,260 --> 00:21:53,760 the technical details of gaining 382 00:21:53,760 --> 00:21:56,520 arbitrary code execution exfiltrating 383 00:21:56,520 --> 00:21:58,860 data and the custom build Hardware 384 00:21:58,860 --> 00:22:02,600 involved so grab your controllers 385 00:22:02,600 --> 00:22:05,100 and get ready for an unforgettable 386 00:22:05,100 --> 00:22:06,840 journey into the realm of hacking and 387 00:22:06,840 --> 00:22:09,439 gaming again 388 00:22:13,740 --> 00:22:16,080 so my abstract did say to bring your 389 00:22:16,080 --> 00:22:20,820 controller did anyone bring a controller 390 00:22:20,820 --> 00:22:23,460 well I got a couple 391 00:22:23,460 --> 00:22:25,620 that's cool uh yeah they already plug 392 00:22:25,620 --> 00:22:27,860 into 393 00:22:32,940 --> 00:22:35,299 cool 394 00:22:41,059 --> 00:22:45,918 so the way this is going to work is 395 00:22:46,140 --> 00:22:48,659 we're gonna 396 00:22:48,659 --> 00:22:49,740 see 397 00:22:49,740 --> 00:22:53,120 to restart this probably 398 00:23:00,240 --> 00:23:02,159 you can almost hear the GameCube booting 399 00:23:02,159 --> 00:23:04,700 up can't you 400 00:23:09,299 --> 00:23:11,340 alas you can't literally hear it booting 401 00:23:11,340 --> 00:23:13,799 up since the HDMI does not hook up to 402 00:23:13,799 --> 00:23:16,400 the speaker system 403 00:23:21,059 --> 00:23:25,500 and Works cool 404 00:23:25,500 --> 00:23:26,820 all right so the way this is gonna work 405 00:23:26,820 --> 00:23:30,840 is uh we're going to start with the demo 406 00:23:30,840 --> 00:23:32,100 um somebody 407 00:23:32,100 --> 00:23:34,860 is going to come 
up and play 408 00:23:34,860 --> 00:23:37,699 who wants to play 409 00:23:43,559 --> 00:23:45,120 if there was anybody that brought their 410 00:23:45,120 --> 00:23:46,320 own controller then they were definitely 411 00:23:46,320 --> 00:23:49,039 going to get to go first 412 00:23:50,220 --> 00:23:54,860 I uh alas I was trying to uh 413 00:23:55,679 --> 00:23:56,570 I came down there or something 414 00:23:56,570 --> 00:23:59,220 [Laughter] 415 00:23:59,220 --> 00:24:02,100 uh the yeah you pick any character and 416 00:24:02,100 --> 00:24:03,539 smashbot will pick the stage for you 417 00:24:03,539 --> 00:24:04,740 I'm just going to kind of commentate as 418 00:24:04,740 --> 00:24:06,299 this is going on we'll go on for about 419 00:24:06,299 --> 00:24:08,220 like 10 minutes or so and then we'll get 420 00:24:08,220 --> 00:24:10,200 to a proper presentation and 421 00:24:10,200 --> 00:24:13,080 um well I'll kind of do another section 422 00:24:13,080 --> 00:24:15,059 at the end here where people can uh play 423 00:24:15,059 --> 00:24:17,100 whatever so just hit start and it'll 424 00:24:17,100 --> 00:24:18,480 pick the stage 425 00:24:18,480 --> 00:24:21,419 cool so uh hey everybody welcome to uh 426 00:24:21,419 --> 00:24:23,100 Summercon glad to get to go first here 427 00:24:23,100 --> 00:24:25,080 this is smashbot this is a project that 428 00:24:25,080 --> 00:24:26,640 I've been working on for a really long 429 00:24:26,640 --> 00:24:28,260 time it's been sort of a passion project 430 00:24:28,260 --> 00:24:30,780 of mine I'm a super old school uh melee 431 00:24:30,780 --> 00:24:31,679 player 432 00:24:31,679 --> 00:24:33,659 um from like the back when the game 433 00:24:33,659 --> 00:24:35,340 first came out 434 00:24:35,340 --> 00:24:37,980 um the I'll sort of talk about uh like 435 00:24:37,980 --> 00:24:40,140 what is happening uh like on the screen 436 00:24:40,140 --> 00:24:41,880 here so smashbot as you can probably 437 00:24:41,880 --> 00:24:44,460 
tell is the fox player 438 00:24:44,460 --> 00:24:47,760 um and uh it is a AI that I built for 439 00:24:47,760 --> 00:24:49,980 the game that kind of came out of a 440 00:24:49,980 --> 00:24:51,720 series of conversations with some like 441 00:24:51,720 --> 00:24:53,340 really old players 442 00:24:53,340 --> 00:24:54,840 um like from way back in the day we're 443 00:24:54,840 --> 00:24:56,760 like What if you could remove the human 444 00:24:56,760 --> 00:24:58,260 element to the game what if you could 445 00:24:58,260 --> 00:25:00,299 play the game as fast as possible Right 446 00:25:00,299 --> 00:25:01,860 without having to worry about all the 447 00:25:01,860 --> 00:25:04,020 like Tech skill stuff like how good 448 00:25:04,020 --> 00:25:06,000 could you make an AI at the game and a 449 00:25:06,000 --> 00:25:08,039 friend of mine once said like like nah I 450 00:25:08,039 --> 00:25:09,240 just don't think that you could like 451 00:25:09,240 --> 00:25:11,159 make an AI that'd be very good at it 452 00:25:11,159 --> 00:25:12,780 like it requires too many like high 453 00:25:12,780 --> 00:25:14,580 level too much high level thinking too 454 00:25:14,580 --> 00:25:17,520 much strategy I thought well the 455 00:25:17,520 --> 00:25:19,799 challenge accepted yeah 456 00:25:19,799 --> 00:25:22,100 go and give it another one 457 00:25:22,100 --> 00:25:25,320 [Applause] 458 00:25:25,320 --> 00:25:27,840 unfortunately the projector does lag a 459 00:25:27,840 --> 00:25:28,559 lot 460 00:25:28,559 --> 00:25:29,820 um so that is a hinders you gotta hit 461 00:25:29,820 --> 00:25:32,360 the start button 462 00:25:32,520 --> 00:25:34,799 um I was originally trying to get a CRT 463 00:25:34,799 --> 00:25:37,140 um here on stage like the original TVs 464 00:25:37,140 --> 00:25:39,539 that you would play melee on but uh alas 465 00:25:39,539 --> 00:25:40,740 they do not fit in the overhead 466 00:25:40,740 --> 00:25:42,659 compartment of an airplane 467 00:25:42,659 --> 
00:25:44,279 um and a sourcing one locally turned out 468 00:25:44,279 --> 00:25:46,919 to be hard too so uh the projector will 469 00:25:46,919 --> 00:25:49,279 have to do 470 00:25:50,460 --> 00:25:51,299 so 471 00:25:51,299 --> 00:25:52,740 um some of the things that you'll notice 472 00:25:52,740 --> 00:25:54,539 that oh this is gonna be good this is 473 00:25:54,539 --> 00:25:55,919 what's called the infinite waveshine 474 00:25:55,919 --> 00:25:59,159 combo uh so uh Fox has this move called 475 00:25:59,159 --> 00:26:01,320 shine it's his down-B attack and he 476 00:26:01,320 --> 00:26:03,480 can it's a one frame move so it the 477 00:26:03,480 --> 00:26:05,039 attack comes out the very frame you 478 00:26:05,039 --> 00:26:07,440 press it and the opponent uh slides when 479 00:26:07,440 --> 00:26:09,059 they get hit by it and then Fox can 480 00:26:09,059 --> 00:26:11,460 cancel his attack and wavedash along 481 00:26:11,460 --> 00:26:13,440 the path that you're getting hit and 482 00:26:13,440 --> 00:26:14,700 just sort of get you caught in this 483 00:26:14,700 --> 00:26:17,460 infinite waveshine combo or what did we 484 00:26:17,460 --> 00:26:19,380 lose feed oh what happened that was 485 00:26:19,380 --> 00:26:20,640 weird we sort of lost the feed for a 486 00:26:20,640 --> 00:26:22,760 moment 487 00:26:24,120 --> 00:26:26,940 and oh you're not quite stuck in the 488 00:26:26,940 --> 00:26:29,480 blender yet 489 00:26:32,400 --> 00:26:35,279 there's the blender 490 00:26:35,279 --> 00:26:37,440 um strictly speaking it is possible to 491 00:26:37,440 --> 00:26:39,000 get out of it if you smash DI 492 00:26:39,000 --> 00:26:40,620 basically if you hit the control stick 493 00:26:40,620 --> 00:26:43,440 on the very frame that you get out uh do 494 00:26:43,440 --> 00:26:45,059 you get hit by the attack but you don't 495 00:26:45,059 --> 00:26:46,620 have to either president not just once 496 00:26:46,620 --> 00:26:49,320 but in fact three times I'm 
in the span 497 00:26:49,320 --> 00:26:51,120 of three frames so you have to hit it 498 00:26:51,120 --> 00:26:53,480 and then within a 60th of a second 499 00:26:53,480 --> 00:26:55,679 unpress the joystick and then press it 500 00:26:55,679 --> 00:26:57,120 back in and then do that three times in 501 00:26:57,120 --> 00:26:58,140 a row 502 00:26:58,140 --> 00:27:00,200 um 503 00:27:02,700 --> 00:27:04,380 so um one of the things you might be 504 00:27:04,380 --> 00:27:06,539 noticing here that this is playing on a 505 00:27:06,539 --> 00:27:09,720 GameCube like an actual literal GameCube 506 00:27:09,720 --> 00:27:12,240 um which you uh might notice uh has a 507 00:27:12,240 --> 00:27:14,159 whole bunch of uh electronics hooked up 508 00:27:14,159 --> 00:27:16,080 to it that is probably not very friendly 509 00:27:16,080 --> 00:27:18,059 with the humidity of New York City 510 00:27:18,059 --> 00:27:19,440 um so uh we're gonna get to that in a 511 00:27:19,440 --> 00:27:21,000 minute 512 00:27:21,000 --> 00:27:23,460 cool so now for the our next bit we're 513 00:27:23,460 --> 00:27:25,440 going to take a second volunteer or 514 00:27:25,440 --> 00:27:28,820 maybe two different volunteers 515 00:27:29,760 --> 00:27:33,059 2V1 versus the Box 516 00:27:33,059 --> 00:27:36,000 uh two people 517 00:27:36,000 --> 00:27:37,740 surely we've got to have somebody who's 518 00:27:37,740 --> 00:27:39,480 not too embarrassed to get destroyed by 519 00:27:39,480 --> 00:27:42,720 a bot playing 2V1 520 00:27:42,720 --> 00:27:44,279 yeah come on down 521 00:27:44,279 --> 00:27:47,059 come on down 522 00:27:49,440 --> 00:27:52,100 there you go 523 00:27:59,400 --> 00:28:01,010 I'm just glad that this is working 524 00:28:01,010 --> 00:28:04,129 [Laughter] 525 00:28:05,220 --> 00:28:06,900 go and pick the state pick your 526 00:28:06,900 --> 00:28:08,760 character and then just hit start and 527 00:28:08,760 --> 00:28:12,500 smash bottle pick a random stage for you 528 00:28:15,600 
--> 00:28:17,880 it is really laggy I'm very sorry about 529 00:28:17,880 --> 00:28:20,120 that 530 00:28:29,520 --> 00:28:32,240 all right 531 00:28:33,059 --> 00:28:35,700 so this is going to be a lot more chaos 532 00:28:35,700 --> 00:28:37,500 um as there's a lot just more going on 533 00:28:37,500 --> 00:28:40,620 on the screen smashbot is a has a clever 534 00:28:40,620 --> 00:28:43,020 trick to play 2V1 so it actually only 535 00:28:43,020 --> 00:28:45,720 sees one person at a time 536 00:28:45,720 --> 00:28:47,100 um it's only capable of like fighting 537 00:28:47,100 --> 00:28:49,320 1v1 but I came up with a clever hack to 538 00:28:49,320 --> 00:28:51,240 make it fight a two and three V one 539 00:28:51,240 --> 00:28:53,460 which is just two uh only consider the 540 00:28:53,460 --> 00:28:56,279 closest enemy as existing and the other 541 00:28:56,279 --> 00:28:58,440 person is just sort of invisible 542 00:28:58,440 --> 00:29:00,000 um but it just switches back and forth 543 00:29:00,000 --> 00:29:01,860 so fast that it's like hard to even 544 00:29:01,860 --> 00:29:04,260 notice we're going to get into a little 545 00:29:04,260 --> 00:29:06,480 bit later on like how smashbot works and 546 00:29:06,480 --> 00:29:08,100 both in terms of attack like the whole 547 00:29:08,100 --> 00:29:10,440 journey of making this work but also 548 00:29:10,440 --> 00:29:12,360 sort of like what it's thinking how it's 549 00:29:12,360 --> 00:29:15,439 programmed and stuff like that 550 00:29:17,100 --> 00:29:19,440 cool so you might have um realized that 551 00:29:19,440 --> 00:29:20,760 like you know this is all well and good 552 00:29:20,760 --> 00:29:22,140 and you've sort of seen this before but 553 00:29:22,140 --> 00:29:24,000 maybe you haven't seen this before I'm 554 00:29:24,000 --> 00:29:25,140 going to press a button on my laptop 555 00:29:25,140 --> 00:29:26,940 right now 556 00:29:26,940 --> 00:29:29,899 and this happens 557 00:29:30,720 --> 00:29:32,159 so 
um one of the things that's going to 558 00:29:32,159 --> 00:29:33,480 be coming up that will describe it a bit 559 00:29:33,480 --> 00:29:36,840 is that uh the there's a uh speed 560 00:29:36,840 --> 00:29:38,220 running competition coming up soon 561 00:29:38,220 --> 00:29:40,559 called the esa where this is going to be 562 00:29:40,559 --> 00:29:42,059 taking place and people are going to be 563 00:29:42,059 --> 00:29:44,340 donating live it's a it's like charity 564 00:29:44,340 --> 00:29:46,080 speedrun Marathon 565 00:29:46,080 --> 00:29:47,880 um for the Alzheimer's Foundation which 566 00:29:47,880 --> 00:29:48,799 is a 567 00:29:48,799 --> 00:29:51,779 charity that means a lot to me that uh 568 00:29:51,779 --> 00:29:52,860 where people are going to be donating 569 00:29:52,860 --> 00:29:55,740 money so they can spawn items like this 570 00:29:55,740 --> 00:29:59,960 um in the game and also like this 571 00:30:02,159 --> 00:30:05,480 a bunch of Bob bombs 572 00:30:07,980 --> 00:30:09,659 there we go 573 00:30:09,659 --> 00:30:12,500 cool thanks a lot 574 00:30:15,000 --> 00:30:18,299 cool I'm gonna switch over to 575 00:30:18,299 --> 00:30:20,760 representation we'll come back to this 576 00:30:20,760 --> 00:30:23,340 at the end if anybody wants 577 00:30:23,340 --> 00:30:25,939 where is 578 00:30:36,799 --> 00:30:39,980 really hard 579 00:30:44,820 --> 00:30:48,260 it's on the other side of my laptop 580 00:30:50,340 --> 00:30:52,939 cool 581 00:30:58,799 --> 00:31:01,380 yeah go and take photos 582 00:31:01,380 --> 00:31:03,899 that's fine oh there we go I need to 583 00:31:03,899 --> 00:31:07,139 switch to 584 00:31:08,039 --> 00:31:10,380 oh that it really does lag 585 00:31:10,380 --> 00:31:13,220 displays 586 00:31:16,260 --> 00:31:18,980 apply 587 00:31:21,179 --> 00:31:23,720 yes 588 00:31:23,820 --> 00:31:25,799 very good all right so one of the things 589 00:31:25,799 --> 00:31:27,600 you should know about me is that I hate 590 00:31:27,600 --> 
00:31:30,080 slides 591 00:31:30,419 --> 00:31:32,940 um uh don't worry does that say 139 592 00:31:32,940 --> 00:31:35,840 slides don't worry about it 593 00:31:37,740 --> 00:31:41,159 on console how 594 00:31:41,159 --> 00:31:43,679 so already I want to congratulate all of 595 00:31:43,679 --> 00:31:45,539 you for accomplishing something that no 596 00:31:45,539 --> 00:31:47,159 melee player has ever done before which 597 00:31:47,159 --> 00:31:51,320 is to wake up before noon for an event 598 00:31:51,680 --> 00:31:54,979 [Applause] 599 00:31:56,279 --> 00:31:58,500 so as I was mentioning on smashbot is 600 00:31:58,500 --> 00:32:01,320 going to be uh showcased at the esa 601 00:32:01,320 --> 00:32:04,260 coming up here and uh that's not right 602 00:32:04,260 --> 00:32:06,960 the esa the esa 603 00:32:06,960 --> 00:32:09,000 that's still not the right one uh nope 604 00:32:09,000 --> 00:32:13,200 nope nope no no no no no that's the one 605 00:32:13,200 --> 00:32:15,360 the European speedrunning assembly 606 00:32:15,360 --> 00:32:18,600 um that uh the European sepsis Alliance 607 00:32:18,600 --> 00:32:20,940 is my favorite um these the esa a great 608 00:32:20,940 --> 00:32:22,679 speedrunning organization are really bad 609 00:32:22,679 --> 00:32:25,140 at SEO though 610 00:32:25,140 --> 00:32:26,820 um so this is all running on a Nintendo 611 00:32:26,820 --> 00:32:28,919 GameCube hooked up to the Internet you 612 00:32:28,919 --> 00:32:30,179 might be wondering how on Earth that's 613 00:32:30,179 --> 00:32:32,460 even possible the Nintendo GameCube came 614 00:32:32,460 --> 00:32:35,340 out in 2001 of making it I guess pretty 615 00:32:35,340 --> 00:32:36,539 ancient at this point there may be 616 00:32:36,539 --> 00:32:38,460 audience members that are younger than 617 00:32:38,460 --> 00:32:41,340 this GameCube here 618 00:32:41,340 --> 00:32:44,279 and it has no networking connectivity so 619 00:32:44,279 --> 00:32:46,260 making this all like you know 
hook up to 620 00:32:46,260 --> 00:32:48,059 the Internet making this work from my 621 00:32:48,059 --> 00:32:49,200 laptop 622 00:32:49,200 --> 00:32:51,000 um it took some doing it was sort of a 623 00:32:51,000 --> 00:32:52,559 passion project of mine for a few years 624 00:32:52,559 --> 00:32:53,940 now I've been working on it more or less 625 00:32:53,940 --> 00:32:55,620 since covid smashbot I've been working 626 00:32:55,620 --> 00:32:57,899 on since like 2015 or 16 or something 627 00:32:57,899 --> 00:33:00,059 but um specifically making it work on 628 00:33:00,059 --> 00:33:01,020 console 629 00:33:01,020 --> 00:33:03,059 um kind of like since covid locked up 630 00:33:03,059 --> 00:33:04,380 and figured this would be a fun thing to 631 00:33:04,380 --> 00:33:06,480 do so there's an asterisk next to the um 632 00:33:06,480 --> 00:33:08,760 a no network connectivity um thing here 633 00:33:08,760 --> 00:33:10,740 oh actually as a quick aside this is a 634 00:33:10,740 --> 00:33:12,299 small enough crowd where if you have any 635 00:33:12,299 --> 00:33:14,820 questions comments insults or abuse just 636 00:33:14,820 --> 00:33:16,620 kind of yell them out it's probably fine 637 00:33:16,620 --> 00:33:17,880 if you're gonna throw anything just 638 00:33:17,880 --> 00:33:21,200 don't throw them in this area 639 00:33:22,019 --> 00:33:24,240 uh so uh the asterisk is because 640 00:33:24,240 --> 00:33:26,279 technically this exists 641 00:33:26,279 --> 00:33:28,559 um this absolute abomination is an 642 00:33:28,559 --> 00:33:31,500 official Nintendo product uh that uh was 643 00:33:31,500 --> 00:33:33,779 made for the game Phantasy Star Online so 644 00:33:33,779 --> 00:33:36,360 it's like a legit GameCube controller um 645 00:33:36,360 --> 00:33:38,100 with a full QWERTY keyboard in the middle 646 00:33:38,100 --> 00:33:39,000 of it 647 00:33:39,000 --> 00:33:40,080 um and on the right there you actually 648 00:33:40,080 --> 00:33:42,659 notice there's a a
network adapter 649 00:33:42,659 --> 00:33:44,640 there's like a RJ45 Jack plugin right 650 00:33:44,640 --> 00:33:46,140 into the GameCube 651 00:33:46,140 --> 00:33:48,260 um the problem with it is that it sucks 652 00:33:48,260 --> 00:33:50,940 uh that uh for reasons we'll describe a 653 00:33:50,940 --> 00:33:52,140 little bit later a performance is 654 00:33:52,140 --> 00:33:53,700 actually kind of important in order to 655 00:33:53,700 --> 00:33:55,380 like turn around things and sort of into 656 00:33:55,380 --> 00:33:58,620 the the frame timings uh and uh the 657 00:33:58,620 --> 00:33:59,760 performance of this is just absolutely 658 00:33:59,760 --> 00:34:02,220 miserable it was it sucked even when it 659 00:34:02,220 --> 00:34:03,899 like existed 660 00:34:03,899 --> 00:34:05,580 um uh the other reason that I didn't go 661 00:34:05,580 --> 00:34:07,740 this route uh was because of this 662 00:34:07,740 --> 00:34:09,239 um these are hard to get these days and 663 00:34:09,239 --> 00:34:10,560 I love you all but I don't love you that 664 00:34:10,560 --> 00:34:12,679 much 665 00:34:13,139 --> 00:34:15,060 um so instead uh there's another option 666 00:34:15,060 --> 00:34:17,639 there is the Nintendo Wii so you see the 667 00:34:17,639 --> 00:34:20,580 Wii can play GameCube games but the Wii 668 00:34:20,580 --> 00:34:22,679 uh has this like fun backwards 669 00:34:22,679 --> 00:34:24,300 compatibility thing where it's not 670 00:34:24,300 --> 00:34:26,280 backwards compatible backwards 671 00:34:26,280 --> 00:34:28,260 compatible per se it doesn't have like a 672 00:34:28,260 --> 00:34:30,119 compatibility layer or whatever it 673 00:34:30,119 --> 00:34:32,040 literally just contains a mini GameCube 674 00:34:32,040 --> 00:34:33,780 they just said it and just like how 675 00:34:33,780 --> 00:34:36,359 to completely separate processor inside 676 00:34:36,359 --> 00:34:38,280 of the Nintendo Wii Just for playing 677 00:34:38,280 --> 00:34:39,960 GameCube 
games like that's kind of 678 00:34:39,960 --> 00:34:41,879 intense that's really good so if you 679 00:34:41,879 --> 00:34:43,440 ever wondered why like the Wii like 680 00:34:43,440 --> 00:34:45,060 plays GameCube games really well you're like 681 00:34:45,060 --> 00:34:47,159 wow it like this is a great 682 00:34:47,159 --> 00:34:49,080 compatibility layer emulation or 683 00:34:49,080 --> 00:34:50,219 something that's not how it works it's 684 00:34:50,219 --> 00:34:52,500 not emulation it's just it's actually 685 00:34:52,500 --> 00:34:53,879 just two in one 686 00:34:53,879 --> 00:34:56,399 and this does have networking so maybe 687 00:34:56,399 --> 00:34:58,140 that's an option however you might see 688 00:34:58,140 --> 00:35:01,260 where this is going it sucks 689 00:35:01,260 --> 00:35:04,680 um uh I actually uh went this route so 690 00:35:04,680 --> 00:35:06,480 there's just massive network latency 691 00:35:06,480 --> 00:35:09,060 through the built-in uh both the Wi-Fi 692 00:35:09,060 --> 00:35:11,160 which is just absolutely unusable and 693 00:35:11,160 --> 00:35:13,260 you can plug into USB ethernet adapter 694 00:35:13,260 --> 00:35:15,480 um if there's any um uh enterprising 695 00:35:15,480 --> 00:35:16,980 members of the audience that really feel 696 00:35:16,980 --> 00:35:18,780 like rewriting the networking stack 697 00:35:18,780 --> 00:35:20,460 inside of the Wii's proprietary kernel 698 00:35:20,460 --> 00:35:22,740 that would be awesome uh but I did not 699 00:35:22,740 --> 00:35:23,880 do that 700 00:35:23,880 --> 00:35:25,140 um I actually got the entire thing 701 00:35:25,140 --> 00:35:27,480 working in air quotes on the Nintendo 702 00:35:27,480 --> 00:35:29,339 Wii using this method and had to throw 703 00:35:29,339 --> 00:35:31,380 the entire thing out because like the 704 00:35:31,380 --> 00:35:32,760 network latency was just massive there's 705 00:35:32,760 --> 00:35:35,220 like 30 to 40 milliseconds of latency 706 00:35:35,220 -->
00:35:37,980 per sys call in the networking kernel on 707 00:35:37,980 --> 00:35:40,740 the Wii it's just miserable 708 00:35:40,740 --> 00:35:43,140 it's not even obviously doing it I don't 709 00:35:43,140 --> 00:35:45,180 know what it's doing 710 00:35:45,180 --> 00:35:47,760 so back to the Nintendo GameCube 711 00:35:47,760 --> 00:35:48,780 we're going to need to get code 712 00:35:48,780 --> 00:35:51,839 execution on this thing uh and uh it was 713 00:35:51,839 --> 00:35:53,820 not entirely clear off the beginning how 714 00:35:53,820 --> 00:35:56,220 to do that so let's explore arbitrary 715 00:35:56,220 --> 00:35:58,680 code execution on the Nintendo GameCube 716 00:35:58,680 --> 00:36:00,359 we're going through this through melee 717 00:36:00,359 --> 00:36:02,040 so we do actually have to be running the 718 00:36:02,040 --> 00:36:03,720 game Super Smash Brothers Melee for the 719 00:36:03,720 --> 00:36:05,760 Nintendo GameCube on the GameCube at the 720 00:36:05,760 --> 00:36:07,619 time we did a code execution so let's 721 00:36:07,619 --> 00:36:10,140 talk about melee glitches now melee has 722 00:36:10,140 --> 00:36:12,599 a ton of glitches not by like cyberpunk 723 00:36:12,599 --> 00:36:15,599 2077 levels of glitches but like you 724 00:36:15,599 --> 00:36:17,280 know for the time anyway like a lot of 725 00:36:17,280 --> 00:36:18,660 glitches 726 00:36:18,660 --> 00:36:21,060 uh there's a couple here that are of 727 00:36:21,060 --> 00:36:22,500 potential interest the first is the Home 728 00:36:22,500 --> 00:36:24,960 Run contest so melee has this uh like 729 00:36:24,960 --> 00:36:26,700 mini game where you can beat up this 730 00:36:26,700 --> 00:36:28,680 little sandbag guy and then hit him with 731 00:36:28,680 --> 00:36:30,480 a baseball bat neck flies off the stage 732 00:36:30,480 --> 00:36:32,040 and that's you know cool when it 733 00:36:32,040 --> 00:36:34,320 measures how far you can hit it and you 734 00:36:34,320 --> 00:36:35,760 can 
like compare scores with your 735 00:36:35,760 --> 00:36:37,079 friends or whatever 736 00:36:37,079 --> 00:36:38,640 um the thing about this is that the 737 00:36:38,640 --> 00:36:40,800 developers didn't anticipate uh melee 738 00:36:40,800 --> 00:36:42,540 players getting as good as they did and 739 00:36:42,540 --> 00:36:44,339 hitting the the bat or hitting the bag 740 00:36:44,339 --> 00:36:47,099 as far as they do and so they uh 741 00:36:47,099 --> 00:36:48,960 programmed it so that after about like I 742 00:36:48,960 --> 00:36:50,760 think it's ten thousand feet uh the 743 00:36:50,760 --> 00:36:52,140 stage just ends 744 00:36:52,140 --> 00:36:54,540 and if a sandbag goes off the stage it 745 00:36:54,540 --> 00:36:57,420 just Falls like off of a like level goes 746 00:36:57,420 --> 00:36:59,520 down into Oblivion and just crashes the 747 00:36:59,520 --> 00:37:02,579 game so uh this starts to sound like a 748 00:37:02,579 --> 00:37:04,500 thing or like okay we can crash the game 749 00:37:04,500 --> 00:37:06,599 and like we can kind of do it on purpose 750 00:37:06,599 --> 00:37:08,820 but there's not really any input we're 751 00:37:08,820 --> 00:37:10,680 like if we're trying to like shove Shell 752 00:37:10,680 --> 00:37:12,060 Code into this like what would our 753 00:37:12,060 --> 00:37:14,339 inputs even be so I this is it's 754 00:37:14,339 --> 00:37:16,020 possible it's feasible 755 00:37:16,020 --> 00:37:17,339 um that we could use this but I think 756 00:37:17,339 --> 00:37:18,720 it's unlikely 757 00:37:18,720 --> 00:37:21,000 the next up in terms of uh possible 758 00:37:21,000 --> 00:37:22,680 in-game glitches is the black hole 759 00:37:22,680 --> 00:37:23,579 glitch 760 00:37:23,579 --> 00:37:25,800 um this is describing the exact 761 00:37:25,800 --> 00:37:27,599 parameters of how to do this is not 762 00:37:27,599 --> 00:37:29,280 important and also really complicated 763 00:37:29,280 --> 00:37:31,020 but involves like throwing a bunch 
of 764 00:37:31,020 --> 00:37:32,820 turnips from Peach all together at each 765 00:37:32,820 --> 00:37:34,079 other and then reflecting them with like 766 00:37:34,079 --> 00:37:36,119 Fox and they kind of get stuck into this 767 00:37:36,119 --> 00:37:38,460 black hole and every item that you throw 768 00:37:38,460 --> 00:37:41,460 into it just gets also stuck into it 769 00:37:41,460 --> 00:37:42,960 um and it just eventually grinds the 770 00:37:42,960 --> 00:37:45,660 game to a halt and crashes so this has 771 00:37:45,660 --> 00:37:47,339 the Hallmarks of an exploitable memory 772 00:37:47,339 --> 00:37:49,200 corruption vulnerability it's got too 773 00:37:49,200 --> 00:37:51,540 many of a thing you do have some 774 00:37:51,540 --> 00:37:53,040 selection into what you can put into 775 00:37:53,040 --> 00:37:55,079 that thing and it's largely unexplored 776 00:37:55,079 --> 00:37:57,000 in terms of its potential for uh code 777 00:37:57,000 --> 00:37:59,480 execution 778 00:38:01,140 --> 00:38:03,000 so if there's again any enterprising 779 00:38:03,000 --> 00:38:04,560 members of the audience that would like 780 00:38:04,560 --> 00:38:06,780 to improve upon the exploits that we 781 00:38:06,780 --> 00:38:08,460 will go through here this one would I 782 00:38:08,460 --> 00:38:10,260 would consider to be an improvement on 783 00:38:10,260 --> 00:38:11,520 the method I went through because it 784 00:38:11,520 --> 00:38:13,440 would be entirely through the controller 785 00:38:13,440 --> 00:38:15,119 Port of the game that you could get code 786 00:38:15,119 --> 00:38:17,760 execution which is pretty cool but 787 00:38:17,760 --> 00:38:20,900 that's not what we went with 788 00:38:21,780 --> 00:38:24,240 so there's name entry 789 00:38:24,240 --> 00:38:28,020 so melee allows you to insert a like a 790 00:38:28,020 --> 00:38:30,660 name tag for yourself like a four 791 00:38:30,660 --> 00:38:32,400 character string to like represent you 792 00:38:32,400 --> 
00:38:34,200 and it tracks your stats and stuff and 793 00:38:34,200 --> 00:38:35,520 obviously if you're a teenager and 794 00:38:35,520 --> 00:38:37,680 you're offered to give a four-letter 795 00:38:37,680 --> 00:38:39,599 word to represent yourself hilarity 796 00:38:39,599 --> 00:38:40,740 ensues 797 00:38:40,740 --> 00:38:42,180 um but that's not what we're doing here 798 00:38:42,180 --> 00:38:43,440 at least 799 00:38:43,440 --> 00:38:45,900 in addition to the normal hilarity 800 00:38:45,900 --> 00:38:48,540 um they're uh when the the game copies 801 00:38:48,540 --> 00:38:51,240 these uh name tags into like from the 802 00:38:51,240 --> 00:38:53,220 memory card into into memory it just 803 00:38:53,220 --> 00:38:55,020 does a straight up string copy 804 00:38:55,020 --> 00:38:56,760 um so it just takes the name tag and 805 00:38:56,760 --> 00:38:59,040 just YOLOs it right into memory 806 00:38:59,040 --> 00:39:00,599 um like there is there's no bounds 807 00:39:00,599 --> 00:39:03,000 checking whatsoever this is on the stack 808 00:39:03,000 --> 00:39:05,880 and this is a 2001 console there is no 809 00:39:05,880 --> 00:39:07,800 ASLR there is no data execution 810 00:39:07,800 --> 00:39:09,660 prevention this is just like baby's 811 00:39:09,660 --> 00:39:12,000 first exploit it's just like the easiest 812 00:39:12,000 --> 00:39:13,560 stack-based buffer overflow you've ever 813 00:39:13,560 --> 00:39:15,480 overflowed 814 00:39:15,480 --> 00:39:16,800 um there's just one problem with this 815 00:39:16,800 --> 00:39:18,420 process and that's that the front end 816 00:39:18,420 --> 00:39:21,240 enforces this limit so if you try to go 817 00:39:21,240 --> 00:39:23,520 into the game and like input a fifth 818 00:39:23,520 --> 00:39:25,980 letter it just won't let you because 819 00:39:25,980 --> 00:39:29,040 like why wouldn't right like so 820 00:39:29,040 --> 00:39:31,140 this like presents a logistical problem 821 00:39:31,140 --> 00:39:34,140 of how to
actually like put in a long 822 00:39:34,140 --> 00:39:35,579 enough string how to actually put that 823 00:39:35,579 --> 00:39:37,980 in so we have a side quest 824 00:39:37,980 --> 00:39:40,380 because there is a memory card attached 825 00:39:40,380 --> 00:39:42,480 to the GameCube the memory card stores 826 00:39:42,480 --> 00:39:45,480 these name tags right so you can pull 827 00:39:45,480 --> 00:39:47,040 that memory card and hold it in your 828 00:39:47,040 --> 00:39:49,560 hand that's where the string goes 829 00:39:49,560 --> 00:39:51,180 so our side quest 830 00:39:51,180 --> 00:39:53,160 is to write arbitrary contents to a 831 00:39:53,160 --> 00:39:55,140 memory a GameCube memory card 832 00:39:55,140 --> 00:39:56,760 this isn't as easy as you might think 833 00:39:56,760 --> 00:39:59,160 because the GameCube has like a memory 834 00:39:59,160 --> 00:40:00,839 management mode or whatever but you 835 00:40:00,839 --> 00:40:02,460 can't just write arbitrary bytes to it 836 00:40:02,460 --> 00:40:04,079 with that thing all it does is let you 837 00:40:04,079 --> 00:40:06,720 like save and back up and move files 838 00:40:06,720 --> 00:40:08,280 from one GameCube card to another one 839 00:40:08,280 --> 00:40:10,380 it's very opaque we can't write 840 00:40:10,380 --> 00:40:12,180 arbitrary contents to the memory the 841 00:40:12,180 --> 00:40:14,760 GameCube memory card that way 842 00:40:14,760 --> 00:40:16,200 so in order to exploit the Nintendo 843 00:40:16,200 --> 00:40:17,820 GameCube we first have to exploit a 844 00:40:17,820 --> 00:40:20,480 Nintendo Wii 845 00:40:20,579 --> 00:40:22,800 um so this part is uh pretty well 846 00:40:22,800 --> 00:40:24,660 trodden this is more or less the process 847 00:40:24,660 --> 00:40:27,420 for getting Homebrew up and running on a 848 00:40:27,420 --> 00:40:30,119 Nintendo Wii uh the so I had nothing to 849 00:40:30,119 --> 00:40:31,560 do with the creation of any of these 850 00:40:31,560 --> 00:40:32,760 
exploits but we'll just kind of go 851 00:40:32,760 --> 00:40:34,619 through it for the sake of it since 852 00:40:34,619 --> 00:40:36,240 it's fun 853 00:40:36,240 --> 00:40:37,859 um and is also necessary for this whole 854 00:40:37,859 --> 00:40:38,880 thing 855 00:40:38,880 --> 00:40:41,040 um so the Nintendo Wii has a EULA 856 00:40:41,040 --> 00:40:42,000 program 857 00:40:42,000 --> 00:40:45,660 um so the as all legal as all legal the 858 00:40:45,660 --> 00:40:47,880 best legal agreements I have um it has 859 00:40:47,880 --> 00:40:49,680 just a quick accept button that has no 860 00:40:49,680 --> 00:40:51,540 record of you ever like actually signing 861 00:40:51,540 --> 00:40:52,740 anything 862 00:40:52,740 --> 00:40:54,839 um but uh this is actually not just an 863 00:40:54,839 --> 00:40:56,820 application it is a web browser it just 864 00:40:56,820 --> 00:40:59,400 runs in Opera and loads uh remote 865 00:40:59,400 --> 00:41:02,760 content from this URL uh so you there's 866 00:41:02,760 --> 00:41:05,099 a there's a um uh like the x's and the 867 00:41:05,099 --> 00:41:06,780 y's are your country code and language 868 00:41:06,780 --> 00:41:08,400 code you can actually visit it right now 869 00:41:08,400 --> 00:41:09,900 if you wanted to 870 00:41:09,900 --> 00:41:11,339 um you'll also notice that this is over 871 00:41:11,339 --> 00:41:14,820 HTTP this is not HTTPS again oh this is 872 00:41:14,820 --> 00:41:16,980 a even the Wii is like pretty old by 873 00:41:16,980 --> 00:41:18,720 this point 874 00:41:18,720 --> 00:41:21,119 so we can go into the DNS settings of 875 00:41:21,119 --> 00:41:23,579 our Wii and change it to whatever we 876 00:41:23,579 --> 00:41:26,460 want to reroute the uh the website to 877 00:41:26,460 --> 00:41:29,280 whatever we want so now instead of the 878 00:41:29,280 --> 00:41:31,740 Nintendo Wii visiting our remote like 879 00:41:31,740 --> 00:41:33,240 EULA website where it's going to like 880 00:41:33,240 -->
00:41:34,619 have the contents and you hit the OK 881 00:41:34,619 --> 00:41:36,660 button we can redirect it to whatever 882 00:41:36,660 --> 00:41:38,880 website we want 883 00:41:38,880 --> 00:41:40,619 okay so now at this point we're running 884 00:41:40,619 --> 00:41:42,960 arbitrary malicious JavaScript in the 885 00:41:42,960 --> 00:41:45,000 Opera browser running in the Nintendo 886 00:41:45,000 --> 00:41:46,619 Wii but that's still not good enough 887 00:41:46,619 --> 00:41:48,000 right we actually need to get code 888 00:41:48,000 --> 00:41:50,820 execution on the Wii itself so we have 889 00:41:50,820 --> 00:41:54,000 to break out of the sandbox of Opera to 890 00:41:54,000 --> 00:41:57,599 do that we have to use CVE-2009-0689 which 891 00:41:57,599 --> 00:41:59,339 is well beyond the scope of this 892 00:41:59,339 --> 00:42:01,200 conversation to go into the details of 893 00:42:01,200 --> 00:42:03,420 is actually a low-level C library 894 00:42:03,420 --> 00:42:05,520 exploit it's not specific to Opera or 895 00:42:05,520 --> 00:42:07,260 the Nintendo Wii it was a big deal back 896 00:42:07,260 --> 00:42:08,339 in the time it's like something 897 00:42:08,339 --> 00:42:10,980 something floating point conversion I 898 00:42:10,980 --> 00:42:13,140 it's not important but what is important 899 00:42:13,140 --> 00:42:14,579 is you can do it from JavaScript because 900 00:42:14,579 --> 00:42:15,780 you can do a whole bunch of like 901 00:42:15,780 --> 00:42:17,040 floating point operations in the 902 00:42:17,040 --> 00:42:18,960 JavaScript and then get cause a heap 903 00:42:18,960 --> 00:42:21,119 overflow in the Opera browser which like 904 00:42:21,119 --> 00:42:23,820 lol has no memory protections and then 905 00:42:23,820 --> 00:42:26,579 gain code execution through that 906 00:42:26,579 --> 00:42:30,000 so what do you do if a genie grants you 907 00:42:30,000 --> 00:42:32,880 one wish you of course wish for more 908 00:42:32,880 --> 00:42:34,619 wishes
909 00:42:34,619 --> 00:42:36,839 so now we're running arbitrary code on 910 00:42:36,839 --> 00:42:38,400 the Nintendo Wii and we load The 911 00:42:38,400 --> 00:42:40,680 Homebrew Channel onto our Nintendo Wii 912 00:42:40,680 --> 00:42:43,260 so the Wii comes up in the age of like 913 00:42:43,260 --> 00:42:45,180 the iPhone where like everything had to 914 00:42:45,180 --> 00:42:46,859 be an app and even like really looks 915 00:42:46,859 --> 00:42:48,300 like iPhone apps 916 00:42:48,300 --> 00:42:49,619 um so what we do is we load up this 917 00:42:49,619 --> 00:42:51,240 Homebrew Channel they call them channels 918 00:42:51,240 --> 00:42:52,800 because probably for legal reasons they 919 00:42:52,800 --> 00:42:54,359 can call them apps 920 00:42:54,359 --> 00:42:56,880 um where uh this is just like a Play 921 00:42:56,880 --> 00:42:58,500 Store app like a custom Play Store app 922 00:42:58,500 --> 00:43:00,660 so it's an app that lets you like run 923 00:43:00,660 --> 00:43:02,400 new apps 924 00:43:02,400 --> 00:43:04,680 so from this app we're going to load the 925 00:43:04,680 --> 00:43:07,619 Wii GameCube memory card manager this 926 00:43:07,619 --> 00:43:09,839 lets you copy contents from an SD card 927 00:43:09,839 --> 00:43:12,480 into a GameCube memory card now we're 928 00:43:12,480 --> 00:43:15,359 talking because the Wii has an SD card 929 00:43:15,359 --> 00:43:16,920 slot I'm pointing down here as I've as 930 00:43:16,920 --> 00:43:18,180 if I had a Wii but there isn't one 931 00:43:18,180 --> 00:43:20,099 there's a the SD cards it's behind this 932 00:43:20,099 --> 00:43:21,060 little door 933 00:43:21,060 --> 00:43:23,099 um has like SD cards capability I'm not 934 00:43:23,099 --> 00:43:24,960 sure what the Wii even does with SD 935 00:43:24,960 --> 00:43:26,760 cards come to think of it I've only ever 936 00:43:26,760 --> 00:43:30,680 used it for exporting the game View 937 00:43:31,079 --> 00:43:33,240 so it's important that the Wii can 
have 938 00:43:33,240 --> 00:43:35,460 both an SD card and a mem card plugged 939 00:43:35,460 --> 00:43:36,720 into it at the same time because of 940 00:43:36,720 --> 00:43:39,720 course the Wii can play GameCube games 941 00:43:39,720 --> 00:43:42,359 and natively too so wrapping this all up 942 00:43:42,359 --> 00:43:45,119 we have a GCI file GCI file is just the 943 00:43:45,119 --> 00:43:47,880 like GameCube image it's like GameCube 944 00:43:47,880 --> 00:43:49,680 save file 945 00:43:49,680 --> 00:43:52,560 running up onto your laptop 946 00:43:52,560 --> 00:43:55,380 load that up onto an SD card place that 947 00:43:55,380 --> 00:43:57,780 SD card into your Nintendo Wii 948 00:43:57,780 --> 00:44:00,599 place the GameCube memory card into the 949 00:44:00,599 --> 00:44:02,099 Nintendo Wii 950 00:44:02,099 --> 00:44:04,500 use the Homebrew app to copy the GCI 951 00:44:04,500 --> 00:44:06,660 file onto the SD card and then onto your 952 00:44:06,660 --> 00:44:08,520 GameCube memory card 953 00:44:08,520 --> 00:44:10,859 and then plug that GameCube memory card 954 00:44:10,859 --> 00:44:13,380 into your Nintendo GameCube 955 00:44:13,380 --> 00:44:15,480 thus completing our side quest to write 956 00:44:15,480 --> 00:44:17,520 arbitrary contents to a GameCube memory 957 00:44:17,520 --> 00:44:19,640 card 958 00:44:20,310 --> 00:44:24,900 [Applause] 959 00:44:24,900 --> 00:44:27,119 thus giving us a second side quest to 960 00:44:27,119 --> 00:44:29,040 develop a GCI payload so we still 961 00:44:29,040 --> 00:44:30,480 haven't actually figured out what the 962 00:44:30,480 --> 00:44:32,520 hell to put onto this GCI file we can 963 00:44:32,520 --> 00:44:34,859 load an arbitrary GCI file onto our 964 00:44:34,859 --> 00:44:37,859 GameCube memory card it's the um the one 965 00:44:37,859 --> 00:44:40,079 with the red flashy light is my uh that 966 00:44:40,079 --> 00:44:44,420 you see there is my custom GCI 967 00:44:45,480 --> 00:44:46,619 so let's talk about 
the basic 968 00:44:46,619 --> 00:44:48,420 construction of the exploit at first 969 00:44:48,420 --> 00:44:51,000 there's a four characters that is our 970 00:44:51,000 --> 00:44:52,140 name tag 971 00:44:52,140 --> 00:44:54,000 then there's a bunch of padding uh this 972 00:44:54,000 --> 00:44:55,020 just kind of doesn't matter you have to 973 00:44:55,020 --> 00:44:57,300 blow past a bunch of random nonsense 974 00:44:57,300 --> 00:44:59,579 then there's just a jump uh this is 975 00:44:59,579 --> 00:45:01,260 where you're going to LEAP to jump to 976 00:45:01,260 --> 00:45:03,119 the rest of the payload um it's not the 977 00:45:03,119 --> 00:45:05,579 EIP this is all in powerpc assembly by 978 00:45:05,579 --> 00:45:07,680 the way I'll mention later 979 00:45:07,680 --> 00:45:09,480 um a PPC is basically a dead 980 00:45:09,480 --> 00:45:11,060 architecture at this point unless you're 981 00:45:11,060 --> 00:45:14,220 like Melee modding um or for whatever 982 00:45:14,220 --> 00:45:16,020 reason you're trying to exploit a really 983 00:45:16,020 --> 00:45:18,960 old Mac before they went to Intel 984 00:45:18,960 --> 00:45:20,700 um and then you just have to stick your 985 00:45:20,700 --> 00:45:22,319 shell code in here and that's really it 986 00:45:22,319 --> 00:45:24,240 like I did say this was like baby's 987 00:45:24,240 --> 00:45:25,619 first exploit right 988 00:45:25,619 --> 00:45:27,240 this is all of course within the 989 00:45:27,240 --> 00:45:29,819 constructs of a GCI file so there's 990 00:45:29,819 --> 00:45:32,160 still some trappings of like the actual 991 00:45:32,160 --> 00:45:34,500 file structure because the the GameCube 992 00:45:34,500 --> 00:45:37,140 will expect this to be a valid uh 993 00:45:37,140 --> 00:45:39,780 GameCube save file and so it has to have 994 00:45:39,780 --> 00:45:41,640 the right hashes here and there and it's 995 00:45:41,640 --> 00:45:42,720 got to have the right structure or 996 00:45:42,720 --> 00:45:44,160 
whatever so it's got to have all this 997 00:45:44,160 --> 00:45:45,660 stuff inside of that 998 00:45:45,660 --> 00:45:47,579 luckily a lot of the work for that was 999 00:45:47,579 --> 00:45:49,859 done by a great melee hacker called Dan 1000 00:45:49,859 --> 00:45:51,960 salvato who wrote this melee GCI 1001 00:45:51,960 --> 00:45:54,180 compiler that does a lot of this 1002 00:45:54,180 --> 00:45:56,160 structure for you to build the GCI file 1003 00:45:56,160 --> 00:45:58,440 you give it some gecko codes um gecko 1004 00:45:58,440 --> 00:46:00,300 codes are this fun thing so most of the 1005 00:46:00,300 --> 00:46:02,640 melee Community doesn't like we're doing 1006 00:46:02,640 --> 00:46:03,900 modding and stuff we don't actually 1007 00:46:03,900 --> 00:46:07,140 write arbitrary assembly per se the 1008 00:46:07,140 --> 00:46:09,180 assembly is packaged up into this format 1009 00:46:09,180 --> 00:46:10,859 called the gecko code 1010 00:46:10,859 --> 00:46:13,980 um it's a useful in modding since uh the 1011 00:46:13,980 --> 00:46:15,720 gecko codes can run like once per frame 1012 00:46:15,720 --> 00:46:18,359 not just all at one shot off the 1013 00:46:18,359 --> 00:46:19,800 beginning of the exploit so there's like 1014 00:46:19,800 --> 00:46:22,500 a gecko code Handler then uh that is 1015 00:46:22,500 --> 00:46:23,640 like a little piece of code that 1016 00:46:23,640 --> 00:46:25,920 basically is an injected interpreter in 1017 00:46:25,920 --> 00:46:27,540 the game that can interpret gecko codes 1018 00:46:27,540 --> 00:46:30,119 so this will take gecko codes which is 1019 00:46:30,119 --> 00:46:32,160 for our purposes basically just PPC 1020 00:46:32,160 --> 00:46:36,720 assembly stick it into our uh uh our 1021 00:46:36,720 --> 00:46:38,880 shell code area right into the GCI but 1022 00:46:38,880 --> 00:46:42,240 run it into the um exploit the name tag 1023 00:46:42,240 --> 00:46:43,800 exploit now I know what you're thinking 1024 00:46:43,800 --> 
00:46:45,180 you're thinking wait a minute Dan 1025 00:46:45,180 --> 00:46:47,700 Salvato isn't that the guy who made Doki 1026 00:46:47,700 --> 00:46:49,740 Doki Literature Club and the answer is 1027 00:46:49,740 --> 00:46:51,960 yes that's the same dude 1028 00:46:51,960 --> 00:46:55,560 uh the Melee community knows no bounds 1029 00:46:55,560 --> 00:46:57,839 all right so as I was mentioning uh the 1030 00:46:57,839 --> 00:47:00,540 the GameCube is running on a PowerPC 1031 00:47:00,540 --> 00:47:02,040 which is like pretty dead at this point 1032 00:47:02,040 --> 00:47:03,900 so that's already kind of a hindrance 1033 00:47:03,900 --> 00:47:06,599 but what actual code are we trying to 1034 00:47:06,599 --> 00:47:09,240 run so we have an exploit we can run 1035 00:47:09,240 --> 00:47:11,700 arbitrary Gecko codes or you know 1036 00:47:11,700 --> 00:47:14,040 assembly basically but what do we want 1037 00:47:14,040 --> 00:47:17,220 to do with that superpower to like run 1038 00:47:17,220 --> 00:47:18,839 SmashBot 1039 00:47:18,839 --> 00:47:20,640 so let's take a bird's eye view and look 1040 00:47:20,640 --> 00:47:22,920 at it from a one higher level so over 1041 00:47:22,920 --> 00:47:24,960 here we've got the Nintendo GameCube and 1042 00:47:24,960 --> 00:47:26,760 over here we've got SmashBot running on 1043 00:47:26,760 --> 00:47:29,460 a laptop what we need is to output the 1044 00:47:29,460 --> 00:47:32,280 game state from the Nintendo GameCube to 1045 00:47:32,280 --> 00:47:34,380 the laptop so we need to gather up all 1046 00:47:34,380 --> 00:47:35,880 the information about what's going on in 1047 00:47:35,880 --> 00:47:38,099 the game so SmashBot doesn't see the 1048 00:47:38,099 --> 00:47:40,200 game visually as in like with pixels 1049 00:47:40,200 --> 00:47:41,819 with the way that we do 1050 00:47:41,819 --> 00:47:43,440 um it's going to like get the game state 1051 00:47:43,440 --> 00:47:45,119 information so we need to know what 1052 
00:47:45,119 --> 00:47:47,099 stage we're playing on with the X Y 1053 00:47:47,099 --> 00:47:49,260 coordinates of each of the players like 1054 00:47:49,260 --> 00:47:51,300 what character they're playing uh what 1055 00:47:51,300 --> 00:47:52,680 animation they're in what frame of the 1056 00:47:52,680 --> 00:47:54,180 animation they're in all that stuff 1057 00:47:54,180 --> 00:47:55,920 every possible bit of information that's 1058 00:47:55,920 --> 00:47:57,900 on the screen but just in a digital 1059 00:47:57,900 --> 00:47:59,880 format right 1060 00:47:59,880 --> 00:48:01,500 so for that 1061 00:48:01,500 --> 00:48:03,420 um okay also we need to do this on each 1062 00:48:03,420 --> 00:48:04,859 frame so this happens 1063 00:48:04,859 --> 00:48:06,839 um the game runs at 60 hertz so that's 1064 00:48:06,839 --> 00:48:09,359 uh each frame runs at around 16.6 1065 00:48:09,359 --> 00:48:12,420 milliseconds and so uh it's a tight-ish 1066 00:48:12,420 --> 00:48:13,859 timing requirement 1067 00:48:13,859 --> 00:48:15,599 um when I very first wrote smashbot I 1068 00:48:15,599 --> 00:48:17,280 wrote it in C plus plus partly because I 1069 00:48:17,280 --> 00:48:19,619 was familiar with C plus plus 1070 00:48:19,619 --> 00:48:20,880 um and I was also had this like 1071 00:48:20,880 --> 00:48:23,460 misguided notion in my head that 16 1072 00:48:23,460 --> 00:48:25,079 milliseconds was this like really tight 1073 00:48:25,079 --> 00:48:26,460 timing requirement and we had to be 1074 00:48:26,460 --> 00:48:27,780 super fast 1075 00:48:27,780 --> 00:48:29,339 um and uh turns out that 60 milliseconds 1076 00:48:29,339 --> 00:48:31,319 is an eternity for a computer 1077 00:48:31,319 --> 00:48:33,240 um and I would later wind up rewriting 1078 00:48:33,240 --> 00:48:35,099 the entire thing in Python and the 1079 00:48:35,099 --> 00:48:37,560 python version actually runs faster 1080 00:48:37,560 --> 00:48:40,440 um so uh it is true that in theory C 1081 00:48:40,440 --> 
00:48:42,060 plus plus is faster than Python but 1082 00:48:42,060 --> 00:48:45,540 you're a shitty programmer and uh 1083 00:48:45,540 --> 00:48:48,720 so am I and so uh the Python uh is a lot 1084 00:48:48,720 --> 00:48:50,160 harder to up 1085 00:48:50,160 --> 00:48:53,220 it's not impossible but it's harder 1086 00:48:53,220 --> 00:48:55,920 so that is um part of the the reason 1087 00:48:55,920 --> 00:48:57,720 that like the things do have to happen 1088 00:48:57,720 --> 00:48:59,460 in a reasonable pace we can't take 1089 00:48:59,460 --> 00:49:01,260 forever for like each step of the way 1090 00:49:01,260 --> 00:49:03,480 because the game is going to send us on 1091 00:49:03,480 --> 00:49:05,099 this frame and then we have to respond 1092 00:49:05,099 --> 00:49:07,500 within 16 milliseconds uh like the 1093 00:49:07,500 --> 00:49:09,119 button presses basically have to get to 1094 00:49:09,119 --> 00:49:12,000 the game in that time otherwise uh like 1095 00:49:12,000 --> 00:49:14,579 nothing works um if the button presses 1096 00:49:14,579 --> 00:49:16,440 come in late uh SmashBot just kind of 1097 00:49:16,440 --> 00:49:17,819 fails miserably 1098 00:49:17,819 --> 00:49:19,319 um since a lot of what it's doing is 1099 00:49:19,319 --> 00:49:21,000 riding on a knife's edge of timing 1100 00:49:21,000 --> 00:49:22,619 where it's like going to wait till the 1101 00:49:22,619 --> 00:49:24,300 very last moment to do something because 1102 00:49:24,300 --> 00:49:26,099 it's strictly optimal to do it that way 1103 00:49:26,099 --> 00:49:28,260 and if we're late by even a single frame 1104 00:49:28,260 --> 00:49:31,020 a 60th of a second then like 1105 00:49:31,020 --> 00:49:33,000 the bot just blows up and like yeets 1106 00:49:33,000 --> 00:49:35,700 itself off stage 1107 00:49:35,700 --> 00:49:37,140 so now it's time to talk about Project 1108 00:49:37,140 --> 00:49:39,839 Slippi so Project Slippi is this a great 1109 00:49:39,839 --> 00:49:41,700 project run 
by a guy named Fizzi who 1110 00:49:41,700 --> 00:49:43,980 actually lives here in Brooklyn and is 1111 00:49:43,980 --> 00:49:45,180 actually not in the audience because 1112 00:49:45,180 --> 00:49:46,740 he's out of town this week 1113 00:49:46,740 --> 00:49:47,819 um so that really sucks he was 1114 00:49:47,819 --> 00:49:49,140 definitely going to be here 1115 00:49:49,140 --> 00:49:50,760 um but uh Project Slippi um if you're 1116 00:49:50,760 --> 00:49:52,920 familiar with Melee you might know it as 1117 00:49:52,920 --> 00:49:55,020 this thing that gave Melee a rollback 1118 00:49:55,020 --> 00:49:57,780 netcode and the ability to play online 1119 00:49:57,780 --> 00:49:59,520 um like automatic matchmaking gets like 1120 00:49:59,520 --> 00:50:00,920 this fantastic system 1121 00:50:00,920 --> 00:50:03,300 now this all runs inside of an emulator 1122 00:50:03,300 --> 00:50:06,180 all the like rollback netcode stuff 1123 00:50:06,180 --> 00:50:09,060 um but at the heart of uh Project Slippi 1124 00:50:09,060 --> 00:50:10,740 is a replay system so I've actually been 1125 00:50:10,740 --> 00:50:12,720 involved with Project Slippi for God 1126 00:50:12,720 --> 00:50:14,220 like like five six years or something 1127 00:50:14,220 --> 00:50:15,720 like that now maybe 1128 00:50:15,720 --> 00:50:17,700 um if you go to slippi.gg about you see 1129 00:50:17,700 --> 00:50:20,220 my face grinning like an idiot I 1130 00:50:20,220 --> 00:50:21,300 occasionally do um cheating 1131 00:50:21,300 --> 00:50:23,280 investigations as well since I you know 1132 00:50:23,280 --> 00:50:25,740 like uh hacker guy I mean post stuff to 1133 00:50:25,740 --> 00:50:27,119 YouTube to shame people for cheating 1134 00:50:27,119 --> 00:50:29,359 online 1135 00:50:29,460 --> 00:50:31,560 um so one of the core technologies that 1136 00:50:31,560 --> 00:50:34,920 makes Slippi work as a Melee mod is this 1137 00:50:34,920 --> 00:50:37,140 replay system so he was sort of thought 1138 
00:50:37,140 --> 00:50:39,960 of that it's really sad that all these 1139 00:50:39,960 --> 00:50:41,520 old games of Melee that used to be 1140 00:50:41,520 --> 00:50:43,380 played in tournament uh kind of got lost 1141 00:50:43,380 --> 00:50:45,240 to time maybe there's some old grainy 1142 00:50:45,240 --> 00:50:48,180 VHS tape of them I actually had some VHS 1143 00:50:48,180 --> 00:50:49,740 tapes from tournaments 1144 00:50:49,740 --> 00:50:52,920 um that predate YouTube uh since uh me 1145 00:50:52,920 --> 00:50:54,059 and a friend of mine used to run like 1146 00:50:54,059 --> 00:50:55,680 most of the Melee events out in Phoenix 1147 00:50:55,680 --> 00:50:57,900 for like a lot of years 1148 00:50:57,900 --> 00:50:59,940 um but uh Project Slippi does a lot of 1149 00:50:59,940 --> 00:51:01,440 this work for us so what it does is it 1150 00:51:01,440 --> 00:51:03,300 takes a lot of the game state the things 1151 00:51:03,300 --> 00:51:04,619 that are happening in the game as well 1152 00:51:04,619 --> 00:51:05,760 as all the buttons that everyone's 1153 00:51:05,760 --> 00:51:07,980 pressed and outputs them to a Slippi 1154 00:51:07,980 --> 00:51:10,500 file .slp file this is just a very 1155 00:51:10,500 --> 00:51:12,839 brief uh screenshot of some of the data 1156 00:51:12,839 --> 00:51:14,400 that's contained inside of one of these 1157 00:51:14,400 --> 00:51:16,740 um Slippi files 1158 00:51:16,740 --> 00:51:19,500 so one of the other things that 1159 00:51:19,500 --> 00:51:21,960 determinism so we're for a replay to 1160 00:51:21,960 --> 00:51:24,540 work the game has to be deterministic so 1161 00:51:24,540 --> 00:51:26,280 that means that every time you press the 1162 00:51:26,280 --> 00:51:27,839 same buttons in the exact same sequence 1163 00:51:27,839 --> 00:51:29,700 given the same startup the game has to 1164 00:51:29,700 --> 00:51:31,200 behave exactly the same way 1165 00:51:31,200 --> 00:51:33,780 unfortunately Melee it is not set up for 
1166 00:51:33,780 --> 00:51:35,280 this out of the box I'm going to give 1167 00:51:35,280 --> 00:51:36,900 you just one example of the of this 1168 00:51:36,900 --> 00:51:39,660 there's dozens of these so um one of 1169 00:51:39,660 --> 00:51:42,240 these is the Luigi Cyclone so Luigi when 1170 00:51:42,240 --> 00:51:44,400 he presses his down B in the air uh like 1171 00:51:44,400 --> 00:51:45,660 down B attack it's called the Luigi 1172 00:51:45,660 --> 00:51:48,359 Cyclone I don't know he spins around uh 1173 00:51:48,359 --> 00:51:50,220 can either go up or down depending on 1174 00:51:50,220 --> 00:51:52,020 whether the attack is charged or 1175 00:51:52,020 --> 00:51:54,180 uncharged um it's kind of like supposed 1176 00:51:54,180 --> 00:51:55,859 to be used as a recovery move to like 1177 00:51:55,859 --> 00:51:57,960 help you get back onto the stage so um 1178 00:51:57,960 --> 00:51:59,940 if you could just keep on going upwards 1179 00:51:59,940 --> 00:52:01,140 over and over again you could kind of 1180 00:52:01,140 --> 00:52:02,940 just fly indefinitely and that would be 1181 00:52:02,940 --> 00:52:04,500 stupid so the developers thought of that 1182 00:52:04,500 --> 00:52:05,819 and they figured so you have to do it 1183 00:52:05,819 --> 00:52:07,980 once on the ground and then that's 1184 00:52:07,980 --> 00:52:09,720 considered charged it has a little State 1185 00:52:09,720 --> 00:52:11,940 variable that keeps track of whether the 1186 00:52:11,940 --> 00:52:14,160 Luigi Cyclone is charged or uncharged 1187 00:52:14,160 --> 00:52:15,900 and if it's uncharged and you just fall 1188 00:52:15,900 --> 00:52:17,220 like a rock 1189 00:52:17,220 --> 00:52:19,079 problem is that this starts out 1190 00:52:19,079 --> 00:52:21,900 uninitialized 1191 00:52:21,900 --> 00:52:24,000 so when you first boot up a game on 1192 00:52:24,000 --> 00:52:25,859 whether Luigi is going to go up or down 1193 00:52:25,859 --> 00:52:28,319 when you do this is dependent on 
like 1194 00:52:28,319 --> 00:52:31,200 just random arbitrary memory contents 1195 00:52:31,200 --> 00:52:33,480 has in practice has much to do with like 1196 00:52:33,480 --> 00:52:35,520 the order you pressed things in the menu 1197 00:52:35,520 --> 00:52:39,440 leading up to the game it's awful 1198 00:52:40,740 --> 00:52:42,000 it's one of the things that Project 1199 00:52:42,000 --> 00:52:44,400 Slippi had to do was to modify the 1200 00:52:44,400 --> 00:52:46,200 code in the game to fix this bug to 1201 00:52:46,200 --> 00:52:48,960 initialize the memory before loading it 1202 00:52:48,960 --> 00:52:50,220 um that way like the game has a 1203 00:52:50,220 --> 00:52:51,720 consistent starting point and there's 1204 00:52:51,720 --> 00:52:54,059 just like dozens and dozens of instances 1205 00:52:54,059 --> 00:52:56,480 like this 1206 00:53:01,980 --> 00:53:03,839 the question was are all those instances 1207 00:53:03,839 --> 00:53:05,760 based off of uninitialized memory um the 1208 00:53:05,760 --> 00:53:07,920 answer is no there's some things that 1209 00:53:07,920 --> 00:53:10,800 are like uh there's one really recent 1210 00:53:10,800 --> 00:53:15,180 uh-ish instance of like the Fox's tail 1211 00:53:15,180 --> 00:53:18,000 moves in a random like way it just kind 1212 00:53:18,000 --> 00:53:20,400 of like flaps in the breeze but um for 1213 00:53:20,400 --> 00:53:21,480 whatever reason it doesn't use the 1214 00:53:21,480 --> 00:53:25,020 in-game RNG so the game has this like 1215 00:53:25,020 --> 00:53:26,579 in-game random number generation 1216 00:53:26,579 --> 00:53:29,640 function that isn't like managed within 1217 00:53:29,640 --> 00:53:31,200 Project Slippi so it's random but it's 1218 00:53:31,200 --> 00:53:32,280 like just a pseudo random number 1219 00:53:32,280 --> 00:53:34,319 generator and so it's stateful and so 1220 00:53:34,319 --> 00:53:36,059 the random number generator behaves the 1221 00:53:36,059 --> 00:53:37,440 same way every 
time but for whatever 1222 00:53:37,440 --> 00:53:39,240 reason it was just like using some other 1223 00:53:39,240 --> 00:53:42,000 like RNG system and we just 1224 00:53:42,000 --> 00:53:44,700 yeah it was just like yoloing something 1225 00:53:44,700 --> 00:53:46,980 um and uh it's very very subtle because 1226 00:53:46,980 --> 00:53:49,500 like it almost never matters and like 1227 00:53:49,500 --> 00:53:52,200 the exact position of Fox's tail but 1228 00:53:52,200 --> 00:53:54,660 every once in a blue moon like Fox's 1229 00:53:54,660 --> 00:53:56,280 tail is actually part of his hitbox like 1230 00:53:56,280 --> 00:53:58,500 you can hit him on his tail so it's the 1231 00:53:58,500 --> 00:54:00,359 exact position of a tail sometimes 1232 00:54:00,359 --> 00:54:02,220 matters and can cause a desync if it 1233 00:54:02,220 --> 00:54:03,780 like hits on one person's screen and not 1234 00:54:03,780 --> 00:54:05,640 the other and uh these things took 1235 00:54:05,640 --> 00:54:07,440 forever to iron out 1236 00:54:07,440 --> 00:54:10,260 so importantly this replay file is more 1237 00:54:10,260 --> 00:54:11,819 or less the game state that SmashBot 1238 00:54:11,819 --> 00:54:13,980 wants um in practice there was a few 1239 00:54:13,980 --> 00:54:16,319 things that I had to add into this 1240 00:54:16,319 --> 00:54:18,180 um ECBs were one of them environmental 1241 00:54:18,180 --> 00:54:20,099 collision boxes basically a little box 1242 00:54:20,099 --> 00:54:22,140 that like denotes where your character 1243 00:54:22,140 --> 00:54:25,619 can touch the stage as well as a menu 1244 00:54:25,619 --> 00:54:27,180 support was not there so I had to add 1245 00:54:27,180 --> 00:54:29,280 support for menus in order for um 1246 00:54:29,280 --> 00:54:31,079 SmashBot to be able to pick its own 1247 00:54:31,079 --> 00:54:32,640 character and select the stage and all 1248 00:54:32,640 --> 00:54:35,400 that stuff I had to add support for the 1249 00:54:35,400 --> 
00:54:37,380 stages by uh default Slippi only does 1250 00:54:37,380 --> 00:54:39,300 the game state information for when 1251 00:54:39,300 --> 00:54:42,000 you're in a game itself 1252 00:54:42,000 --> 00:54:43,200 so 1253 00:54:43,200 --> 00:54:45,119 this completes our side quest develop a 1254 00:54:45,119 --> 00:54:46,619 GCI payload it's more or less going to 1255 00:54:46,619 --> 00:54:48,480 be what's called the um Slippi recording 1256 00:54:48,480 --> 00:54:50,760 codes the with a bunch of custom 1257 00:54:50,760 --> 00:54:52,859 additions to it 1258 00:54:52,859 --> 00:54:54,240 all right so let's return to our bird's 1259 00:54:54,240 --> 00:54:57,660 eye view so we have SmashBot getting the 1260 00:54:57,660 --> 00:54:59,520 game state information but you might 1261 00:54:59,520 --> 00:55:00,839 still be think looking down at the stage 1262 00:55:00,839 --> 00:55:02,760 and going all right but 1263 00:55:02,760 --> 00:55:05,819 like how like physically how like sure 1264 00:55:05,819 --> 00:55:07,859 we have the game state gathered up into 1265 00:55:07,859 --> 00:55:10,380 the GameCube right but like again 1266 00:55:10,380 --> 00:55:12,000 there's no network connectivity in this 1267 00:55:12,000 --> 00:55:14,400 thing like how do we like physically get 1268 00:55:14,400 --> 00:55:17,160 the data over to the laptop so Slippi 1269 00:55:17,160 --> 00:55:19,440 normally runs on top of Dolphin that as 1270 00:55:19,440 --> 00:55:21,420 you can clearly see depicted here Slippi 1271 00:55:21,420 --> 00:55:22,980 on top of Dolphin 1272 00:55:22,980 --> 00:55:25,859 um the running on top of uh which is the 1273 00:55:25,859 --> 00:55:27,599 Dolphin by the way is the the GameCube 1274 00:55:27,599 --> 00:55:29,880 slash Wii emulator I'm running inside of 1275 00:55:29,880 --> 00:55:32,880 your PC and so if we need to save a 1276 00:55:32,880 --> 00:55:34,859 Slippi file of one of these save files 1277 00:55:34,859 --> 00:55:36,900 we can just do it it's 
running on your 1278 00:55:36,900 --> 00:55:38,460 computer it's just a save file on your 1279 00:55:38,460 --> 00:55:40,500 computer 1280 00:55:40,500 --> 00:55:43,200 but this again has no networking so like 1281 00:55:43,200 --> 00:55:44,520 how the hell are we going to get the 1282 00:55:44,520 --> 00:55:46,440 data off of the GameCube and onto the 1283 00:55:46,440 --> 00:55:48,300 laptop 1284 00:55:48,300 --> 00:55:49,440 again 1285 00:55:49,440 --> 00:55:51,359 the GameCube does have a memory card 1286 00:55:51,359 --> 00:55:53,819 port which if you think about it is 1287 00:55:53,819 --> 00:55:57,540 external and it is writable 1288 00:55:57,540 --> 00:56:00,720 so uh this is where uh this thing came 1289 00:56:00,720 --> 00:56:03,480 in uh this uh something that a a Fizzi 1290 00:56:03,480 --> 00:56:05,160 or Jas uh referred to as the original 1291 00:56:05,160 --> 00:56:07,740 Slippi this was um what the Project 1292 00:56:07,740 --> 00:56:09,540 Slippi was originally supposed to be so 1293 00:56:09,540 --> 00:56:11,099 it's this little uh it's a bit difficult 1294 00:56:11,099 --> 00:56:12,599 to see from the picture but it's a 1295 00:56:12,599 --> 00:56:14,400 memory card device you stick into the 1296 00:56:14,400 --> 00:56:16,440 memory card and then uh it's running a 1297 00:56:16,440 --> 00:56:18,839 microcontroller that you can write to to 1298 00:56:18,839 --> 00:56:21,359 save files so the game the idea is that 1299 00:56:21,359 --> 00:56:22,920 you just plug this little gizmo into 1300 00:56:22,920 --> 00:56:24,540 your GameCube you play a bunch of fun 1301 00:56:24,540 --> 00:56:26,880 games of Melee and it's saving the files 1302 00:56:26,880 --> 00:56:28,980 the replay files as you're doing it to 1303 00:56:28,980 --> 00:56:31,619 this little gizmo but we can kind of 1304 00:56:31,619 --> 00:56:34,559 hijack this exact process to copy the 1305 00:56:34,559 --> 00:56:36,900 game state over the the GameCube refers 1306 00:56:36,900 --> 
00:56:39,000 to as the EXI interface though I don't 1307 00:56:39,000 --> 00:56:40,200 even know what EXI stands for it's 1308 00:56:40,200 --> 00:56:42,720 probably external interface I don't know 1309 00:56:42,720 --> 00:56:44,400 um the memory card port 1310 00:56:44,400 --> 00:56:47,339 so um this uh this awful contraption 1311 00:56:47,339 --> 00:56:49,980 that luckily TSA did not flag as a bomb 1312 00:56:49,980 --> 00:56:52,920 um a TI microcontroller that was 1313 00:56:52,920 --> 00:56:54,599 designed by Ownasaurus who is one of my 1314 00:56:54,599 --> 00:56:56,640 the primary collaborators um for this 1315 00:56:56,640 --> 00:56:57,900 project 1316 00:56:57,900 --> 00:56:59,520 um what it does is it can talk the 1317 00:56:59,520 --> 00:57:02,400 memory card protocol over the TI 1318 00:57:02,400 --> 00:57:03,960 microcontroller 1319 00:57:03,960 --> 00:57:06,300 um and uh get the game state information 1320 00:57:06,300 --> 00:57:08,760 out over the memory card so the GameCube 1321 00:57:08,760 --> 00:57:10,920 thinks it's like saving the game it's 1322 00:57:10,920 --> 00:57:13,920 like sending data to the like what it 1323 00:57:13,920 --> 00:57:15,420 thinks is a memory card port which is 1324 00:57:15,420 --> 00:57:17,700 actually just a microcontroller that is 1325 00:57:17,700 --> 00:57:18,900 then going to send all that information 1326 00:57:18,900 --> 00:57:21,720 to my laptop over ethernet 1327 00:57:21,720 --> 00:57:23,819 and this is uh running with enough juice 1328 00:57:23,819 --> 00:57:27,300 to do that in a pretty quick uh pace 1329 00:57:27,300 --> 00:57:29,579 but the game still can't be 1330 00:57:29,579 --> 00:57:31,380 SmashBot still can't actually play the 1331 00:57:31,380 --> 00:57:32,819 game because it can't push any buttons 1332 00:57:32,819 --> 00:57:35,400 so at this point SmashBot can see the 1333 00:57:35,400 --> 00:57:37,260 game it can get the game state from the 1334 00:57:37,260 --> 00:57:39,119 GameCube to the 
microcontroller to the 1335 00:57:39,119 --> 00:57:41,339 laptop but we can't push any buttons so 1336 00:57:41,339 --> 00:57:43,380 how do we actually push buttons so the 1337 00:57:43,380 --> 00:57:45,480 naive way of course would be to like get 1338 00:57:45,480 --> 00:57:46,920 some actuators and take a little 1339 00:57:46,920 --> 00:57:48,900 controller and like like press the 1340 00:57:48,900 --> 00:57:50,579 buttons like but that would just be I 1341 00:57:50,579 --> 00:57:51,960 think everybody in the audience is like 1342 00:57:51,960 --> 00:57:54,059 that would be awful and that like would 1343 00:57:54,059 --> 00:57:55,380 not work at all 1344 00:57:55,380 --> 00:57:56,520 um so there's obviously a much better 1345 00:57:56,520 --> 00:57:58,500 way to do that which is just to like 1346 00:57:58,500 --> 00:58:00,660 um talk the GameCube memory card the 1347 00:58:00,660 --> 00:58:04,440 GameCube uh protocol over the uh 1348 00:58:04,440 --> 00:58:06,960 controller port so this is a TAStm32 1349 00:58:06,960 --> 00:58:09,300 also by Ownasaurus um from the TASBot 1350 00:58:09,300 --> 00:58:10,079 community 1351 00:58:10,079 --> 00:58:12,240 um if you've ever seen uh TASBot play at 1352 00:58:12,240 --> 00:58:13,740 like a Games Done Quick 1353 00:58:13,740 --> 00:58:15,420 um the this is one of this is a TASBot 1354 00:58:15,420 --> 00:58:17,700 here sitting next to uh dwangoAC 1355 00:58:17,700 --> 00:58:19,619 who's a friend of mine a former 1356 00:58:19,619 --> 00:58:21,660 co-worker as well I'm also one of the 1357 00:58:21,660 --> 00:58:23,359 collaborators on this project 1358 00:58:23,359 --> 00:58:25,920 the inside of TASBot is one of these 1359 00:58:25,920 --> 00:58:28,200 little gizmos it's a TAStm32 that is 1360 00:58:28,200 --> 00:58:30,780 the like portion of TASBot that is 1361 00:58:30,780 --> 00:58:32,220 responsible for pressing the buttons 1362 00:58:32,220 --> 00:58:34,260 it's able to do this over a variety of 1363 
00:58:34,260 --> 00:58:35,220 means 1364 00:58:35,220 --> 00:58:37,339 um 1365 00:58:43,799 --> 00:58:47,700 presses this over a fun cable that is uh 1366 00:58:47,700 --> 00:58:50,400 this is a GameCube port on one side and 1367 00:58:50,400 --> 00:58:52,680 RJ45 on the other um it does not 1368 00:58:52,680 --> 00:58:54,720 actually talk over IP it just uses this 1369 00:58:54,720 --> 00:58:56,819 as a convenient like mechanism to plug 1370 00:58:56,819 --> 00:59:01,260 into uh the uh into the of the TASBot 1371 00:59:01,260 --> 00:59:03,119 the TAStm32. 1372 00:59:03,119 --> 00:59:04,619 um I had to crimp this myself I had to 1373 00:59:04,619 --> 00:59:06,000 do it a couple times crimping is 1374 00:59:06,000 --> 00:59:08,599 actually not easy 1375 00:59:09,299 --> 00:59:12,540 um so the this allows us to then send a 1376 00:59:12,540 --> 00:59:15,900 USB button command over uh over USB from 1377 00:59:15,900 --> 00:59:18,359 the laptop to the TAStm32 1378 00:59:18,359 --> 00:59:21,059 which you then press buttons over on the 1379 00:59:21,059 --> 00:59:22,619 GameCube 1380 00:59:22,619 --> 00:59:24,960 and now SmashBot can actually play the 1381 00:59:24,960 --> 00:59:27,180 video game 1382 00:59:27,180 --> 00:59:30,440 that's completing our loop 1383 00:59:31,070 --> 00:59:36,619 [Applause] 1384 00:59:38,040 --> 00:59:39,900 so let's talk a little bit about 1385 00:59:39,900 --> 00:59:41,940 SmashBot itself so who does SmashBot 1386 00:59:41,940 --> 00:59:43,740 play SmashBot plays Fox if you've 1387 00:59:43,740 --> 00:59:46,020 ever played Melee um for any duration of 1388 00:59:46,020 --> 00:59:47,099 time especially in the competitive 1389 00:59:47,099 --> 00:59:47,940 community 1390 00:59:47,940 --> 00:59:49,500 um it's pretty obvious to you that 1391 00:59:49,500 --> 00:59:51,660 SmashBot would play Fox he's by far the 1392 00:59:51,660 --> 00:59:53,400 fastest has the most potential 1393 00:59:53,400 --> 00:59:55,020 um shine is just a 
completely broken 1394 00:59:55,020 --> 00:59:56,940 move it's this down B move like I 1395 00:59:56,940 --> 00:59:58,980 mentioned before it's a one frame attack 1396 00:59:58,980 --> 01:00:00,599 there's only a couple of those and of 1397 01:00:00,599 --> 01:00:03,299 the one frame moves it's the most useful 1398 01:00:03,299 --> 01:00:05,579 um there are however um two other 1399 01:00:05,579 --> 01:00:07,500 possibilities two other characters that 1400 01:00:07,500 --> 01:00:08,460 like 1401 01:00:08,460 --> 01:00:10,980 um maybe could be arguable like the best 1402 01:00:10,980 --> 01:00:12,480 in the game not from a human perspective 1403 01:00:12,480 --> 01:00:15,180 but from like a a bot perspective are 1404 01:00:15,180 --> 01:00:17,640 there any uh anybody want to shout out 1405 01:00:17,640 --> 01:00:19,859 any uh options who you think might be a 1406 01:00:19,859 --> 01:00:21,780 character that could be uh possibly the 1407 01:00:21,780 --> 01:00:22,880 best in the game 1408 01:00:22,880 --> 01:00:25,559 maybe Jigglypuff does have a frame one 1409 01:00:25,559 --> 01:00:27,480 move but it's tiny and the rest of her 1410 01:00:27,480 --> 01:00:30,079 moves are terrible 1411 01:00:30,299 --> 01:00:32,880 I think I heard there's Falco so um 1412 01:00:32,880 --> 01:00:35,460 Falco is a lot like Fox also has a shine 1413 01:00:35,460 --> 01:00:38,640 move um it's also one frame but Falco is 1414 01:00:38,640 --> 01:00:42,059 a kind of slower the combos aren't 1415 01:00:42,059 --> 01:00:43,619 really true because it pops you up and 1416 01:00:43,619 --> 01:00:46,319 so you can DI them really far so like 1417 01:00:46,319 --> 01:00:49,200 this isn't a possibility but I think not 1418 01:00:49,200 --> 01:00:50,819 um the surprise 1419 01:00:50,819 --> 01:00:53,040 um uh second place for or maybe even 1420 01:00:53,040 --> 01:00:55,619 first place is actually the Ice Climbers 1421 01:00:55,619 --> 01:00:58,200 um so because there's two of them and 1422 
01:00:58,200 --> 01:01:00,240 that just like throws everything way off 1423 01:01:00,240 --> 01:01:02,940 like even if you were to try to attack 1424 01:01:02,940 --> 01:01:04,859 the Ice Climbers and you successfully 1425 01:01:04,859 --> 01:01:06,780 hit one of them the other one can just 1426 01:01:06,780 --> 01:01:08,579 go back and hit you and they have insane 1427 01:01:08,579 --> 01:01:10,200 combo potential if they ever get a grab 1428 01:01:10,200 --> 01:01:12,540 you're basically just dead so Ice 1429 01:01:12,540 --> 01:01:14,700 Climbers is actually super tricky and 1430 01:01:14,700 --> 01:01:16,319 there's a possibility that they might be 1431 01:01:16,319 --> 01:01:17,819 secretly the best character in the game 1432 01:01:17,819 --> 01:01:20,220 but actually programming that out would 1433 01:01:20,220 --> 01:01:23,099 be super tricky and maybe as a potential 1434 01:01:23,099 --> 01:01:26,099 for a future project 1435 01:01:26,099 --> 01:01:28,920 so how does SmashBot work so SmashBot 1436 01:01:28,920 --> 01:01:31,079 works in this like the tiered hierarchy 1437 01:01:31,079 --> 01:01:33,240 of goals system um this was a technique 1438 01:01:33,240 --> 01:01:34,859 that I'm not sure if it has a name but I 1439 01:01:34,859 --> 01:01:36,299 learned it in AI course one time in 1440 01:01:36,299 --> 01:01:37,799 college it's sort of like a hand-jammed 1441 01:01:37,799 --> 01:01:39,299 neural network 1442 01:01:39,299 --> 01:01:42,180 um at the very base layer is uh button 1443 01:01:42,180 --> 01:01:44,520 presses and it gets more like abstract 1444 01:01:44,520 --> 01:01:48,599 as the layers go um so this is a uh like 1445 01:01:48,599 --> 01:01:50,040 an expert system there's no machine 1446 01:01:50,040 --> 01:01:52,020 learning involved in this process but it 1447 01:01:52,020 --> 01:01:53,579 sort of looks like a neural network so 1448 01:01:53,579 --> 01:01:55,380 the very base level of button presses 1449 01:01:55,380 --> 01:01:57,540 that's 
pretty obvious so the next 1450 01:01:57,540 --> 01:01:59,339 highest level what I refer to as chains 1451 01:01:59,339 --> 01:02:01,740 chains are like things that Smashers 1452 01:02:01,740 --> 01:02:03,900 would recognize as like tech skill 1453 01:02:03,900 --> 01:02:06,240 things like multi-shining wavedashing 1454 01:02:06,240 --> 01:02:08,099 um SHFFLs which is a short hop fast 1455 01:02:08,099 --> 01:02:10,020 fall L-cancel with an attack in the 1456 01:02:10,020 --> 01:02:10,920 middle 1457 01:02:10,920 --> 01:02:13,559 um so these are all like things that uh 1458 01:02:13,559 --> 01:02:16,440 like uh like are scriptable that are 1459 01:02:16,440 --> 01:02:19,079 like short and concrete that consist of 1460 01:02:19,079 --> 01:02:21,599 button presses these are for the most 1461 01:02:21,599 --> 01:02:23,880 part uninterruptible so the idea is that 1462 01:02:23,880 --> 01:02:25,140 like if you're in a wavedash you have 1463 01:02:25,140 --> 01:02:25,859 to 1464 01:02:25,859 --> 01:02:27,720 um commit to that action for a certain 1465 01:02:27,720 --> 01:02:29,280 amount of time and so you're stuck in 1466 01:02:29,280 --> 01:02:31,260 that animation so you can't like be in 1467 01:02:31,260 --> 01:02:32,220 the middle of a wavedash and then 1468 01:02:32,220 --> 01:02:33,240 suddenly change your mind to do 1469 01:02:33,240 --> 01:02:34,319 something else 1470 01:02:34,319 --> 01:02:35,880 um so you're kind of stuck into it and 1471 01:02:35,880 --> 01:02:37,859 then the context is assumed so if you're 1472 01:02:37,859 --> 01:02:40,319 wavedashing right now then it's assumed 1473 01:02:40,319 --> 01:02:41,880 that you should be doing that it's not 1474 01:02:41,880 --> 01:02:44,520 up to you at this layer to decide that 1475 01:02:44,520 --> 01:02:46,020 you should or shouldn't be doing this 1476 01:02:46,020 --> 01:02:49,500 that's a that's for the next layer 1477 01:02:49,500 --> 01:02:51,119 so the next layer is what we call 1478 01:02:51,119 
--> 01:02:52,200 tactics 1479 01:02:52,200 --> 01:02:54,599 um so these are uh these have one job 1480 01:02:54,599 --> 01:02:55,859 which is to pick a chain they don't 1481 01:02:55,859 --> 01:02:57,960 press buttons they don't decide well 1482 01:02:57,960 --> 01:03:00,180 when to be in this tactic you have one 1483 01:03:00,180 --> 01:03:01,859 job of one job only which is to pick the 1484 01:03:01,859 --> 01:03:03,480 next layer down 1485 01:03:03,480 --> 01:03:05,280 so for instance if suppose we're this 1486 01:03:05,280 --> 01:03:07,500 purple Fox down here um we're in a bad 1487 01:03:07,500 --> 01:03:09,780 spot we need to recover we're off the 1488 01:03:09,780 --> 01:03:11,400 stage if we have a jump we should 1489 01:03:11,400 --> 01:03:13,020 probably use our double jump if we don't 1490 01:03:13,020 --> 01:03:14,040 have a double jump we should probably 1491 01:03:14,040 --> 01:03:16,640 just up-B a Firefox uh is it like 1492 01:03:16,640 --> 01:03:19,920 Fox's recovery move and you can kind of 1493 01:03:19,920 --> 01:03:22,140 even hear it in my head as like a series 1494 01:03:22,140 --> 01:03:24,780 it's like a flow chart of uh different 1495 01:03:24,780 --> 01:03:27,059 chains you're going to execute like if 1496 01:03:27,059 --> 01:03:28,500 this then that and that's more or less 1497 01:03:28,500 --> 01:03:30,480 how the chains are the tactics are 1498 01:03:30,480 --> 01:03:32,220 implemented whereas if you're this Fox 1499 01:03:32,220 --> 01:03:33,480 and you probably want to edge guard 1500 01:03:33,480 --> 01:03:35,579 you're going to want to like try to keep 1501 01:03:35,579 --> 01:03:37,200 this other guy from getting back onto 1502 01:03:37,200 --> 01:03:38,880 the stage 1503 01:03:38,880 --> 01:03:40,319 um similarly if we're in this sort of 1504 01:03:40,319 --> 01:03:41,339 situation 1505 01:03:41,339 --> 01:03:43,140 um the Falco is flying up here clearly 1506 01:03:43,140 --> 01:03:45,180 in hitstun uh so we're just going to 
1507 01:03:45,180 --> 01:03:46,680 want to turn around and charge an up 1508 01:03:46,680 --> 01:03:49,140 smash for the exact amount of time so um 1509 01:03:49,140 --> 01:03:50,520 there is actually quite a lot of 1510 01:03:50,520 --> 01:03:52,980 planning involved in these so smashbot 1511 01:03:52,980 --> 01:03:55,740 knows for instance that this uh Falco is 1512 01:03:55,740 --> 01:03:57,299 in hitstun it'll know that it's in 1513 01:03:57,299 --> 01:03:59,400 hitstun for the next seven frames and 1514 01:03:59,400 --> 01:04:01,319 knows this exact trajectory and can do 1515 01:04:01,319 --> 01:04:03,420 the physics calculations to know exactly 1516 01:04:03,420 --> 01:04:05,160 where he's going to be at the end of 1517 01:04:05,160 --> 01:04:07,140 those seven frames and can charge a 1518 01:04:07,140 --> 01:04:09,540 smash attack for that exact frame so 1519 01:04:09,540 --> 01:04:11,220 that the very moment that he gets out of 1520 01:04:11,220 --> 01:04:12,720 hitstun he'll be like hit by an attack 1521 01:04:12,720 --> 01:04:15,259 and killed 1522 01:04:16,140 --> 01:04:18,359 and then the next higher level is just 1523 01:04:18,359 --> 01:04:20,220 higher level strategies which is more or 1524 01:04:20,220 --> 01:04:22,319 less devoted to picking which of those 1525 01:04:22,319 --> 01:04:24,359 tactics we should be in so like we're 1526 01:04:24,359 --> 01:04:26,400 off the stage should we try to recover 1527 01:04:26,400 --> 01:04:28,020 now or should we be trying to hit the 1528 01:04:28,020 --> 01:04:29,760 opponent or like are we in neutral 1529 01:04:29,760 --> 01:04:31,740 should I be trying to defend against an 1530 01:04:31,740 --> 01:04:33,720 attack should I be trying to attack all 1531 01:04:33,720 --> 01:04:37,440 that stuff is um at the strategy level 1532 01:04:37,440 --> 01:04:39,480 so it's sort of like a neural network 1533 01:04:39,480 --> 01:04:41,339 um this was I learned this well before 1534 01:04:41,339 --> 01:04:43,020
neural networks sort of blew up and 1535 01:04:43,020 --> 01:04:45,660 became like the thing that like AI is 1536 01:04:45,660 --> 01:04:46,859 all about now 1537 01:04:46,859 --> 01:04:48,420 um in fact you can actually replace any 1538 01:04:48,420 --> 01:04:49,859 one of these layers with a neural 1539 01:04:49,859 --> 01:04:51,660 network an actual neural network and it 1540 01:04:51,660 --> 01:04:53,160 would suffice just fine 1541 01:04:53,160 --> 01:04:54,180 um though this is something that I 1542 01:04:54,180 --> 01:04:55,680 intend on doing later 1543 01:04:55,680 --> 01:04:58,079 um specifically leaving the uh the 1544 01:04:58,079 --> 01:05:00,240 chains intact so that it kind of has all 1545 01:05:00,240 --> 01:05:03,720 the low level uh like uh tech skills it 1546 01:05:03,720 --> 01:05:05,579 would look fast and cool like smashbot 1547 01:05:05,579 --> 01:05:07,319 does now but the high level thinking 1548 01:05:07,319 --> 01:05:08,880 would all be done by a neural network so 1549 01:05:08,880 --> 01:05:09,900 it would be sort of the best of both 1550 01:05:09,900 --> 01:05:11,700 worlds and uh this is something I intend 1551 01:05:11,700 --> 01:05:14,359 on doing in the future 1552 01:05:14,640 --> 01:05:15,780 oh 1553 01:05:15,780 --> 01:05:18,000 Bob-ombs so something that happened 1554 01:05:18,000 --> 01:05:19,740 demo was they just spawned a whole bunch 1555 01:05:19,740 --> 01:05:21,299 of Bob-ombs in the middle of the stage 1556 01:05:21,299 --> 01:05:23,220 what's up with that 1557 01:05:23,220 --> 01:05:26,940 so the TI microcontroller down here is 1558 01:05:26,940 --> 01:05:30,059 able to read from the memory card port 1559 01:05:30,059 --> 01:05:32,880 of the GameCube but it can also write 1560 01:05:32,880 --> 01:05:35,220 too the memory card can read and write 1561 01:05:35,220 --> 01:05:37,619 to the GameCube so we actually can take 1562 01:05:37,619 --> 01:05:40,740 from the laptop uh send an item command 1563 01:05:40,740 -->
01:05:43,319 to this TI microcontroller 1564 01:05:43,319 --> 01:05:44,940 and then the TI microcontroller can 1565 01:05:44,940 --> 01:05:47,040 then forward that over to a bit of code 1566 01:05:47,040 --> 01:05:49,200 that's running on the GameCube to handle 1567 01:05:49,200 --> 01:05:51,359 that item request 1568 01:05:51,359 --> 01:05:54,119 so this is some really dirty pseudo code 1569 01:05:54,119 --> 01:05:55,859 that is more or less how item spawning 1570 01:05:55,859 --> 01:05:57,960 like random item spawning works in the 1571 01:05:57,960 --> 01:06:00,480 game this runs once per frame there's a 1572 01:06:00,480 --> 01:06:02,460 global timer which is just an integer 1573 01:06:02,460 --> 01:06:06,119 that decrements uh once per frame and if 1574 01:06:06,119 --> 01:06:08,339 the timer is equal to zero it generates 1575 01:06:08,339 --> 01:06:10,440 a random integer that is just going to 1576 01:06:10,440 --> 01:06:12,119 be our item that we're going to spawn 1577 01:06:12,119 --> 01:06:14,339 and then spawns that item and then 1578 01:06:14,339 --> 01:06:16,559 chooses a new random number for our 1579 01:06:16,559 --> 01:06:18,960 timer that way we're going to spawn a 1580 01:06:18,960 --> 01:06:21,299 different item at a kind of a random 1581 01:06:21,299 --> 01:06:23,760 time at a random item 1582 01:06:23,760 --> 01:06:26,940 so what I do is I clobber that code and 1583 01:06:26,940 --> 01:06:28,980 replace it with this which is going to 1584 01:06:28,980 --> 01:06:31,020 take our timer we're going to read it 1585 01:06:31,020 --> 01:06:32,700 from the EXI interface from the memory 1586 01:06:32,700 --> 01:06:35,099 card port and if no data is received we 1587 01:06:35,099 --> 01:06:37,200 just get a zero so nothing happens if 1588 01:06:37,200 --> 01:06:38,880 the data is greater than zero then we 1589 01:06:38,880 --> 01:06:40,020 assume that it's going to be an item 1590 01:06:40,020 --> 01:06:42,539 command and just spawn that item so that
1591 01:06:42,539 --> 01:06:45,180 way we can spawn items live into the 1592 01:06:45,180 --> 01:06:47,520 game and we can even spawn some items 1593 01:06:47,520 --> 01:06:48,660 that the game never really thought 1594 01:06:48,660 --> 01:06:50,339 you're supposed to spawn 1595 01:06:50,339 --> 01:06:54,599 um so the uh the Goombas and like 1596 01:06:54,599 --> 01:06:56,160 Octoroks and stuff like that probably the 1597 01:06:56,160 --> 01:06:57,359 first time you've ever seen that in a 1598 01:06:57,359 --> 01:06:58,980 versus mode because you're not supposed 1599 01:06:58,980 --> 01:07:01,260 to spawn those in versus mode they're for 1600 01:07:01,260 --> 01:07:02,579 whatever reason programmed into the game 1601 01:07:02,579 --> 01:07:04,260 as items as if you could spawn them 1602 01:07:04,260 --> 01:07:06,059 randomly but they never actually appear 1603 01:07:06,059 --> 01:07:08,160 in the game randomly they only appear in 1604 01:07:08,160 --> 01:07:09,660 like Adventure mode in the single player 1605 01:07:09,660 --> 01:07:11,760 game so um that actually be something 1606 01:07:11,760 --> 01:07:13,079 that people be seeing for the first time 1607 01:07:13,079 --> 01:07:15,539 uh in versus mode or I suppose you all 1608 01:07:15,539 --> 01:07:18,380 are seeing for the first time 1609 01:07:18,539 --> 01:07:22,440 so now uh we can spawn items from the 1610 01:07:22,440 --> 01:07:24,900 laptop so then we can take the laptop 1611 01:07:24,900 --> 01:07:26,640 and hook it up to a system called Crowd 1612 01:07:26,640 --> 01:07:27,359 Control 1613 01:07:27,359 --> 01:07:30,059 um Crowd Control's this like web API 1614 01:07:30,059 --> 01:07:32,160 um where people can go to the internet 1615 01:07:32,160 --> 01:07:34,380 and throw money at them again remember 1616 01:07:34,380 --> 01:07:36,059 this is a charity event and this is for 1617 01:07:36,059 --> 01:07:38,700 people can donate money to the charity 1618 01:07:38,700 --> 01:07:41,280 and then the Crowd
Control forwards a 1619 01:07:41,280 --> 01:07:43,680 little handler back to our laptop piece 1620 01:07:43,680 --> 01:07:44,940 of code listening for item spawn 1621 01:07:44,940 --> 01:07:46,740 commands sends them to the to the TI 1622 01:07:46,740 --> 01:07:48,180 microcontroller sends them to the 1623 01:07:48,180 --> 01:07:50,460 GameCube and that's how random idiots on 1624 01:07:50,460 --> 01:07:51,839 the internet can throw money at a 1625 01:07:51,839 --> 01:07:55,880 charity and spawn items on my GameCube 1626 01:07:56,819 --> 01:07:59,660 ah 1627 01:08:00,059 --> 01:08:01,559 we had a question was can we spawn 1628 01:08:01,559 --> 01:08:03,480 another smashbot we don't spawn it this 1629 01:08:03,480 --> 01:08:05,160 way this is only items but you can have 1630 01:08:05,160 --> 01:08:07,200 multiple smashbots um in fact if you if 1631 01:08:07,200 --> 01:08:08,400 you go to my YouTube you can find a 1632 01:08:08,400 --> 01:08:10,200 bunch of stuff about smashbot fighting 1633 01:08:10,200 --> 01:08:11,640 itself um I don't have it configured 1634 01:08:11,640 --> 01:08:13,140 right now but you can actually do like 1635 01:08:13,140 --> 01:08:15,240 2V1 like two people against two 1636 01:08:15,240 --> 01:08:18,479 smashbots or uh like two and like two 1637 01:08:18,479 --> 01:08:20,100 like one and one and one in one so like 1638 01:08:20,100 --> 01:08:22,080 two people each with a smashbot on their 1639 01:08:22,080 --> 01:08:23,580 team playing against each other however 1640 01:08:23,580 --> 01:08:25,319 you want to configure it 1641 01:08:25,319 --> 01:08:27,540 um in practice uh the it'll beat you so 1642 01:08:27,540 --> 01:08:29,759 you like yeah 1643 01:08:29,759 --> 01:08:33,960 so some shout outs before we um head out 1644 01:08:33,960 --> 01:08:36,719 uh shout outs to onasaurus who was my 1645 01:08:36,719 --> 01:08:38,580 prime collaborator on this project did a 1646 01:08:38,580 --> 01:08:39,839 lot of the hardware work 1647
01:08:39,839 --> 01:08:41,040 um wrote the firmware for the 1648 01:08:41,040 --> 01:08:43,979 microcontroller um Fizzi medic meta uh 1649 01:08:43,979 --> 01:08:46,020 Nikki and UnclePunch are all um Project 1650 01:08:46,020 --> 01:08:48,660 Slippi dudes who helped out a ton with 1651 01:08:48,660 --> 01:08:50,580 assembly uh there's a lot of just like 1652 01:08:50,580 --> 01:08:53,040 low-level reverse engineering of Melee 1653 01:08:53,040 --> 01:08:55,140 code to know what to clobber and where 1654 01:08:55,140 --> 01:08:57,899 uh Chronos also for uh doing some 1655 01:08:57,899 --> 01:09:00,839 assembly work for us and the dwangoAC 1656 01:09:00,839 --> 01:09:03,359 um for uh on the TASBot community for 1657 01:09:03,359 --> 01:09:05,759 uh actually running the the thing over 1658 01:09:05,759 --> 01:09:09,679 at ESA and helping out as well 1659 01:09:10,939 --> 01:09:13,319 play The Master Hand you can make 1660 01:09:13,319 --> 01:09:15,238 Mastery I've never tried it uh Master 1661 01:09:15,238 --> 01:09:17,040 Hand flies up in the air though so it 1662 01:09:17,040 --> 01:09:19,259 might be difficult to like make that 1663 01:09:19,259 --> 01:09:20,279 work 1664 01:09:20,279 --> 01:09:22,080 but in theory yeah sure you could you 1665 01:09:22,080 --> 01:09:23,640 can make Master Hand play like in versus 1666 01:09:23,640 --> 01:09:25,560 mode that is the thing you can do 1667 01:09:25,560 --> 01:09:26,880 um do we have any more time how much 1668 01:09:26,880 --> 01:09:29,299 time do we have 1669 01:09:30,420 --> 01:09:31,799 actually what I'll do is I'll boot uh 1670 01:09:31,799 --> 01:09:35,719 smashbot back up and we'll do a Q&A 1671 01:09:36,710 --> 01:09:45,970 [Applause] 1672 01:09:55,820 --> 01:09:59,000 thank you 1673 01:10:03,850 --> 01:10:10,049 [Music] 1674 01:10:11,100 --> 01:10:14,000 very much 1675 01:10:17,240 --> 01:10:23,460 [Music] 1676 01:10:23,460 --> 01:10:26,460 tomorrow 1677 01:10:28,140 --> 01:10:44,939 [Music] 1678
01:10:45,060 --> 01:10:46,679 when in doubt just try turning it off 1679 01:10:46,679 --> 01:10:48,170 and on again 1680 01:10:48,170 --> 01:10:50,219 [Music] 1681 01:10:50,219 --> 01:10:51,540 um gosh this is actually going to be 1682 01:10:51,540 --> 01:10:53,760 hard to do this while answering 1683 01:10:53,760 --> 01:10:54,780 questions I didn't consider that 1684 01:10:54,780 --> 01:10:57,120 possibility so the uh it's not so much 1685 01:10:57,120 --> 01:11:00,480 like a series of states 1686 01:11:00,480 --> 01:11:01,500 foreign 1687 01:11:01,500 --> 01:11:07,600 [Music] 1688 01:11:11,130 --> 01:11:14,199 [Music] 1689 01:11:16,460 --> 01:11:25,079 [Music] 1690 01:11:28,320 --> 01:11:30,000 is it gonna work 1691 01:11:30,000 --> 01:11:33,260 I must have unplugged something 1692 01:11:45,600 --> 01:11:48,749 [Applause] 1693 01:11:58,860 --> 01:12:00,420 yeah so the question was when I started 1694 01:12:00,420 --> 01:12:02,219 programming neural network would I 1695 01:12:02,219 --> 01:12:04,260 consider like putting in like a human 1696 01:12:04,260 --> 01:12:07,100 reaction time 1697 01:12:11,550 --> 01:12:16,100 [Music] 1698 01:12:22,500 --> 01:12:23,890 something 1699 01:12:23,890 --> 01:12:25,440 [Applause] 1700 01:12:25,440 --> 01:12:29,239 make your own Smash Brothers 1701 01:12:29,970 --> 01:12:35,759 [Music] 1702 01:12:49,440 --> 01:12:56,719 [Music] 1703 01:12:56,719 --> 01:13:02,179 like without the human limitations 1704 01:13:06,780 --> 01:13:09,320 okay 1705 01:13:09,400 --> 01:13:17,460 [Music] 1706 01:13:17,460 --> 01:13:18,860 [Applause] 1707 01:13:18,860 --> 01:13:28,559 [Music] 1708 01:13:32,640 --> 01:13:35,600 foreign 1709 01:13:40,990 --> 01:13:45,938 [Music] 1710 01:13:48,460 --> 01:13:51,670 [Music] 1711 01:13:56,760 --> 01:13:59,820 to PPC is that part of the go Arch like 1712 01:13:59,820 --> 01:14:02,219 outputs it's kind of dead so I don't 1713 01:14:02,219 --> 01:14:04,140 know it might not be so I have a half of 1714 01:14:04,140 
--> 01:14:06,060 mind to rewrite and go 1715 01:14:06,060 --> 01:14:07,800 um because I've been getting more to go 1716 01:14:07,800 --> 01:14:10,940 lately and if it does 1717 01:14:17,080 --> 01:14:17,490 [Applause] 1718 01:14:17,490 --> 01:14:23,540 [Music] 1719 01:14:24,719 --> 01:14:27,260 all right 1720 01:14:27,740 --> 01:14:29,060 [Music] 1721 01:14:29,060 --> 01:14:31,739 uh like you have to hit that framing 1722 01:14:31,739 --> 01:14:33,120 like the timing requirement it's 1723 01:14:33,120 --> 01:14:34,800 actually worse when you're doing the 1724 01:14:34,800 --> 01:14:36,960 computation on the GameCube because the 1725 01:14:36,960 --> 01:14:39,000 GameCube itself has to like do a bunch 1726 01:14:39,000 --> 01:14:41,659 of computations 1727 01:14:47,460 --> 01:14:48,770 out of here 1728 01:14:48,770 --> 01:14:51,799 [Music] 1729 01:15:04,460 --> 01:15:13,189 [Music] 1730 01:15:16,560 --> 01:15:18,800 oh 1731 01:15:24,090 --> 01:15:26,940 [Music] 1732 01:15:26,940 --> 01:15:29,940 thanks 1733 01:15:34,070 --> 01:15:34,910 [Applause] 1734 01:15:34,910 --> 01:15:42,080 [Music] 1735 01:15:42,080 --> 01:15:47,010 [Applause] 1736 01:15:49,010 --> 01:16:03,239 [Music] 1737 01:16:03,239 --> 01:16:05,480 foreign 1738 01:16:22,140 --> 01:16:24,960 you have six minutes to get drinks 1739 01:16:24,960 --> 01:16:28,820 before the next presentation 1740 01:16:29,480 --> 01:16:33,239 don't forget to tip your bartender thank 1741 01:16:33,239 --> 01:16:35,419 you 1742 01:16:42,340 --> 01:16:49,129 [Music] 1743 01:16:56,700 --> 01:17:07,580 [Music] 1744 01:17:07,580 --> 01:17:09,180 thank you 1745 01:17:09,180 --> 01:17:12,279 [Applause] 1746 01:17:12,570 --> 01:17:17,460 [Music] 1747 01:17:17,460 --> 01:17:18,080 thank you 1748 01:17:18,080 --> 01:18:09,920 [Music] 1749 01:18:09,920 --> 01:18:12,770 a human 1750 01:18:12,770 --> 01:18:16,869 [Music] 1751 01:18:23,140 --> 01:18:38,600 [Music] 1752 01:18:38,820 --> 01:18:40,440 fine 1753 01:18:40,440 --> 01:18:42,400 
it's all you've ever known 1754 01:18:42,400 --> 01:18:45,610 [Music] 1755 01:18:46,340 --> 01:18:51,199 but you don't ever let it go 1756 01:18:54,659 --> 01:18:57,860 you left the door 1757 01:18:57,860 --> 01:19:01,219 [Music] 1758 01:19:07,920 --> 01:19:11,780 there was still awake 1759 01:19:12,410 --> 01:19:17,880 [Music] 1760 01:19:29,480 --> 01:19:32,660 [Music] 1761 01:19:36,300 --> 01:19:39,560 [Music] 1762 01:19:41,580 --> 01:19:51,760 [Music] 1763 01:19:52,920 --> 01:19:55,640 again 1764 01:19:58,460 --> 01:20:36,609 [Music] 1765 01:20:39,360 --> 01:20:42,559 [Music] 1766 01:20:51,540 --> 01:20:54,800 call me love things 1767 01:20:56,160 --> 01:21:05,759 [Music] 1768 01:21:05,760 --> 01:21:08,420 I know you know 1769 01:21:08,940 --> 01:21:11,900 you never lost 1770 01:21:13,050 --> 01:21:16,169 [Music] 1771 01:21:24,690 --> 01:21:27,799 [Music] 1772 01:21:31,620 --> 01:21:33,960 okay 1773 01:21:33,960 --> 01:21:35,940 we are 1774 01:21:35,940 --> 01:21:38,159 back in business 1775 01:21:38,159 --> 01:21:41,940 it is time for the next 1776 01:21:41,940 --> 01:21:44,300 presentation 1777 01:21:44,300 --> 01:21:47,699 uh I had one I had a couple of quick 1778 01:21:47,699 --> 01:21:50,280 things I wanted to mention if you could 1779 01:21:50,280 --> 01:21:54,840 all put eyes and ears on me for a moment 1780 01:21:54,840 --> 01:21:57,600 after this presentation 1781 01:21:57,600 --> 01:22:00,000 uh we will have our lunch break the 1782 01:22:00,000 --> 01:22:02,460 lunch break is one hour 1783 01:22:02,460 --> 01:22:05,040 um people generally flee here during 1784 01:22:05,040 --> 01:22:08,100 that hour there will actually be a small 1785 01:22:08,100 --> 01:22:10,260 event that takes place here that you can 1786 01:22:10,260 --> 01:22:12,000 participate in which I'll talk about in 1787 01:22:12,000 --> 01:22:15,420 a second but to entice you to return 1788 01:22:15,420 --> 01:22:19,320 from the lunch break on time 1789 01:22:19,320 --> 01:22:22,500 at 
2 PM on the dot 1790 01:22:22,500 --> 01:22:25,620 I will be making a random drawing from 1791 01:22:25,620 --> 01:22:28,500 the list of attendees who have who have 1792 01:22:28,500 --> 01:22:33,239 gotten here today for a Flipper Zero 1793 01:22:33,239 --> 01:22:35,820 so come on back 1794 01:22:35,820 --> 01:22:37,739 and an SD card so you can actually start 1795 01:22:37,739 --> 01:22:39,120 using it immediately you're not just 1796 01:22:39,120 --> 01:22:40,679 like screwed with this thing and you're 1797 01:22:40,679 --> 01:22:41,820 you know your hand you can't do anything 1798 01:22:41,820 --> 01:22:45,360 with so be back by 2 PM at the lunch 1799 01:22:45,360 --> 01:22:46,500 break 1800 01:22:46,500 --> 01:22:47,940 all right 1801 01:22:47,940 --> 01:22:49,620 okay 1802 01:22:49,620 --> 01:22:51,360 so 1803 01:22:51,360 --> 01:22:54,540 our next dynamic duo needs no 1804 01:22:54,540 --> 01:22:55,860 introduction in the world of 1805 01:22:55,860 --> 01:22:57,900 investigative journalism 1806 01:22:57,900 --> 01:23:00,120 please welcome Dan Golden and Renee 1807 01:23:00,120 --> 01:23:03,060 Dudley ProPublica journalists and 1808 01:23:03,060 --> 01:23:05,699 authors of the highly acclaimed book The 1809 01:23:05,699 --> 01:23:08,159 Ransomware Hunting Team: A Band of 1810 01:23:08,159 --> 01:23:10,980 Misfits' Improbable Crusade to Save the 1811 01:23:10,980 --> 01:23:13,080 World from Cybercrime 1812 01:23:13,080 --> 01:23:16,020 which incidentally I recently heard has 1813 01:23:16,020 --> 01:23:18,960 been optioned for production on the 1814 01:23:18,960 --> 01:23:21,420 television screen so very exciting could 1815 01:23:21,420 --> 01:23:23,159 be made into a movie could be made in a 1816 01:23:23,159 --> 01:23:25,320 TV series I don't know but you get to 1817 01:23:25,320 --> 01:23:28,080 you get to to meet him here today 1818 01:23:28,080 --> 01:23:30,719 uh they will take us on a thrilling 1819 01:23:30,719 --> 01:23:32,699 journey as they narrate
their remarkable 1820 01:23:32,699 --> 01:23:35,340 story discussing the hunt for cyber 1821 01:23:35,340 --> 01:23:38,280 criminals and the moral dilemmas the 1822 01:23:38,280 --> 01:23:41,219 hunters faced along the way presentation 1823 01:23:41,219 --> 01:23:43,920 is a must attend for anyone in this room 1824 01:23:43,920 --> 01:23:46,380 because you're in the room but also for 1825 01:23:46,380 --> 01:23:48,480 anyone interested in the battle against 1826 01:23:48,480 --> 01:23:51,420 ransomware and the future of malware 1827 01:23:51,420 --> 01:23:52,199 um 1828 01:23:52,199 --> 01:23:55,620 stick around after they are done for a 1829 01:23:55,620 --> 01:23:58,020 book signing session where you can 1830 01:23:58,020 --> 01:24:00,300 acquire your own copy of their 1831 01:24:00,300 --> 01:24:02,159 compelling work 1832 01:24:02,159 --> 01:24:05,400 please give a warm Summercon welcome 1833 01:24:05,400 --> 01:24:07,690 to Renee Dudley and Dan Golden 1834 01:24:07,690 --> 01:24:16,150 [Applause] 1835 01:24:19,920 --> 01:24:22,020 hi everyone we're 1836 01:24:22,020 --> 01:24:23,640 that's all right it's fine we're so 1837 01:24:23,640 --> 01:24:25,800 happy to be here today it's our first 1838 01:24:25,800 --> 01:24:28,679 hacker con so it's a different crowd 1839 01:24:28,679 --> 01:24:30,360 than we're used to but it's it's great 1840 01:24:30,360 --> 01:24:32,699 because you're the key audience for our 1841 01:24:32,699 --> 01:24:34,560 book and we'll hope you check it out 1842 01:24:34,560 --> 01:24:35,400 later 1843 01:24:35,400 --> 01:24:36,960 um before we dive in I just want to say 1844 01:24:36,960 --> 01:24:39,300 thanks to Mark and his whole family they 1845 01:24:39,300 --> 01:24:41,040 all seem to be here for inviting us to 1846 01:24:41,040 --> 01:24:43,500 be here I'm in a dawn for organizing 1847 01:24:43,500 --> 01:24:45,360 this awesome event 1848 01:24:45,360 --> 01:24:47,340 so I wanted to talk a little bit before 1849 01:24:47,340 -->
01:24:49,739 we get into the book about how I got 1850 01:24:49,739 --> 01:24:52,199 interested in ransomware which may 1851 01:24:52,199 --> 01:24:54,420 resonate with some of you 1852 01:24:54,420 --> 01:24:57,719 um back in 2018 I was a corporate 1853 01:24:57,719 --> 01:25:01,020 reporter for Reuters and covering you 1854 01:25:01,020 --> 01:25:03,440 know looking into trying to to find out 1855 01:25:03,440 --> 01:25:05,940 interesting things to report on from big 1856 01:25:05,940 --> 01:25:08,159 household name companies Fortune 500 1857 01:25:08,159 --> 01:25:11,520 companies and I got to know some CISOs at 1858 01:25:11,520 --> 01:25:14,179 those companies who at the time 1859 01:25:14,179 --> 01:25:17,280 regularly complained to me that they 1860 01:25:17,280 --> 01:25:18,600 wanted to invest in cyber security 1861 01:25:18,600 --> 01:25:21,179 upgrades for their companies but they 1862 01:25:21,179 --> 01:25:22,560 couldn't get their boards of directors 1863 01:25:22,560 --> 01:25:23,940 interested 1864 01:25:23,940 --> 01:25:26,940 they would explain to their boards 1865 01:25:26,940 --> 01:25:29,400 we need 20 million dollars 30 million 40 1866 01:25:29,400 --> 01:25:31,800 million 100 million for cyber security 1867 01:25:31,800 --> 01:25:34,980 upgrades to keep our company safe 1868 01:25:34,980 --> 01:25:37,679 and the boards weren't interested 1869 01:25:37,679 --> 01:25:40,080 um they would say things like you want 1870 01:25:40,080 --> 01:25:42,060 us to give you 50 million dollars for 1871 01:25:42,060 --> 01:25:43,560 something that at the end of the year 1872 01:25:43,560 --> 01:25:45,120 we're not going to have anything to show 1873 01:25:45,120 --> 01:25:46,560 for it we can't write a press release 1874 01:25:46,560 --> 01:25:48,239 off it we won't have a new product we 1875 01:25:48,239 --> 01:25:50,400 won't be able to announce R&D and of 1876 01:25:50,400 --> 01:25:52,620 course the CISOs would say yeah that's 1877 01:25:52,620 -->
01:25:54,120 the point right that we don't want 1878 01:25:54,120 --> 01:25:55,620 anything to show for it we want no 1879 01:25:55,620 --> 01:25:59,880 attacks and as I was going along I would 1880 01:25:59,880 --> 01:26:01,920 ask what's what's the biggest threat 1881 01:26:01,920 --> 01:26:04,380 you're worried about and without fail 1882 01:26:04,380 --> 01:26:07,139 they'd say ransomware ransomware is the 1883 01:26:07,139 --> 01:26:08,880 thing that is going to absolutely blow 1884 01:26:08,880 --> 01:26:11,219 up over the next few years 1885 01:26:11,219 --> 01:26:13,560 um you know as I'm sure you know it had 1886 01:26:13,560 --> 01:26:15,780 gone from a kind of a little-known crime 1887 01:26:15,780 --> 01:26:17,760 you know you know 1888 01:26:17,760 --> 01:26:19,620 hackers attack malicious attackers 1889 01:26:19,620 --> 01:26:21,420 attacking home users for a few hundred 1890 01:26:21,420 --> 01:26:23,639 thousand dollars and around this point 1891 01:26:23,639 --> 01:26:26,580 it was the era became the era of the 1892 01:26:26,580 --> 01:26:28,620 bigger ransoms and the bigger threats to 1893 01:26:28,620 --> 01:26:30,900 bigger companies and they were really 1894 01:26:30,900 --> 01:26:33,540 worried and so 1895 01:26:33,540 --> 01:26:37,380 um when when I joined uh Dan at 1896 01:26:37,380 --> 01:26:39,120 ProPublica which is where we both work now 1897 01:26:39,120 --> 01:26:41,580 the investigative news site Dan asked 1898 01:26:41,580 --> 01:26:43,860 what I was interested in covering and I 1899 01:26:43,860 --> 01:26:46,280 brought it up 1900 01:26:46,860 --> 01:26:48,780 hi everybody 1901 01:26:48,780 --> 01:26:51,960 um yeah so uh uh just to pick up that 1902 01:26:51,960 --> 01:26:55,320 story so uh in 2018 I had been at 1903 01:26:55,320 --> 01:26:57,480 ProPublica a couple years and they made me 1904 01:26:57,480 --> 01:27:00,060 the tech editor even though I am no tech 1905 01:27:00,060 --> 01:27:02,159 expert certainly not by the
standards of 1906 01:27:02,159 --> 01:27:04,260 this audience I mean for this book I 1907 01:27:04,260 --> 01:27:06,840 learned about asymmetric and symmetric 1908 01:27:06,840 --> 01:27:08,699 and hybrid encryption enough to write 1909 01:27:08,699 --> 01:27:11,580 about it but that's about it but um I 1910 01:27:11,580 --> 01:27:12,960 knew more than anybody else the other 1911 01:27:12,960 --> 01:27:14,699 editors of ProPublica so I became tech 1912 01:27:14,699 --> 01:27:18,120 editor I set about assembling a team uh 1913 01:27:18,120 --> 01:27:20,040 Renee because she's a great reporter was 1914 01:27:20,040 --> 01:27:22,800 a first person I hired so the team got 1915 01:27:22,800 --> 01:27:25,080 together in my living room up in the 1916 01:27:25,080 --> 01:27:27,780 Boston area and I said well what are we 1917 01:27:27,780 --> 01:27:29,880 going to write about and Renee brought 1918 01:27:29,880 --> 01:27:32,580 up ransomware and uh everybody else 1919 01:27:32,580 --> 01:27:35,580 pooh-poohed it they said oh it's for 1920 01:27:35,580 --> 01:27:37,920 small amounts of money and the attackers 1921 01:27:37,920 --> 01:27:39,780 are not in the United States you know 1922 01:27:39,780 --> 01:27:43,380 we're a U.S.-oriented publication why do 1923 01:27:43,380 --> 01:27:46,260 we care and you know 1924 01:27:46,260 --> 01:27:48,060 they were a little out of date and that 1925 01:27:48,060 --> 01:27:49,679 it was starting to get bigger as Renee 1926 01:27:49,679 --> 01:27:51,300 mentioned there had just been the first 1927 01:27:51,300 --> 01:27:54,360 major attack on a U.S. city Atlanta and 1928 01:27:54,360 --> 01:27:56,880 the amounts of money were going up and I 1929 01:27:56,880 --> 01:27:59,639 was very confident that any cyber 1930 01:27:59,639 --> 01:28:01,560 problem this big would have to have some 1931 01:28:01,560 --> 01:28:05,400 kind of American angle so I said okay 1932 01:28:05,400 --> 01:28:08,159 Renee dig into it and she'll tell you 1933
01:28:08,159 --> 01:28:11,239 what happened from there 1934 01:28:11,460 --> 01:28:15,600 so so as I started digging in 1935 01:28:15,600 --> 01:28:17,639 pretty much everybody that I asked about 1936 01:28:17,639 --> 01:28:20,280 ransomware said that there's one guy in 1937 01:28:20,280 --> 01:28:21,960 particular I need to talk to before 1938 01:28:21,960 --> 01:28:24,120 anybody else and maybe some of you know 1939 01:28:24,120 --> 01:28:27,540 him he goes online by demonslay335 1940 01:28:27,540 --> 01:28:29,520 and his his real name is Michael 1941 01:28:29,520 --> 01:28:32,400 Gillespie and you know I tracked him 1942 01:28:32,400 --> 01:28:35,760 down to his his workplace which was a 1943 01:28:35,760 --> 01:28:38,460 Nerds on Call IT repair shop in the 1944 01:28:38,460 --> 01:28:40,199 town of Normal Illinois 1945 01:28:40,199 --> 01:28:45,420 and he um he was he was very humble and 1946 01:28:45,420 --> 01:28:48,179 just direct about the facts 1947 01:28:48,179 --> 01:28:50,239 um and helped me learn about ransomware 1948 01:28:50,239 --> 01:28:53,699 and the various players and how it 1949 01:28:53,699 --> 01:28:55,320 worked and 1950 01:28:55,320 --> 01:28:57,780 um just some of the players in the whole 1951 01:28:57,780 --> 01:29:00,900 economy and as time went on he was 1952 01:29:00,900 --> 01:29:03,300 really helpful in the stories that I was 1953 01:29:03,300 --> 01:29:05,580 writing and Dan was editing 1954 01:29:05,580 --> 01:29:06,960 um about the players in the ransomware 1955 01:29:06,960 --> 01:29:09,659 economy and he was instrumental in 1956 01:29:09,659 --> 01:29:12,000 helping me figure out uh you know find 1957 01:29:12,000 --> 01:29:14,580 the evidence of who these bad players 1958 01:29:14,580 --> 01:29:15,960 were 1959 01:29:15,960 --> 01:29:17,699 um you know on on the U.S. side of things 1960 01:29:17,699 --> 01:29:21,000 these shady companies that claim to 1961 01:29:21,000 --> 01:29:24,300 um be able to restore your data without
1962 01:29:24,300 --> 01:29:26,159 having to pay hackers they had these 1963 01:29:26,159 --> 01:29:28,320 secret Solutions but in reality they 1964 01:29:28,320 --> 01:29:29,400 were just 1965 01:29:29,400 --> 01:29:31,739 paying the hackers and slapping on a 1966 01:29:31,739 --> 01:29:33,420 huge fee on top of that and Michael 1967 01:29:33,420 --> 01:29:35,760 helped me help me find find the evidence 1968 01:29:35,760 --> 01:29:37,980 of that and as we were talking about 1969 01:29:37,980 --> 01:29:39,300 that 1970 01:29:39,300 --> 01:29:41,639 um he mentioned how he's a part of this 1971 01:29:41,639 --> 01:29:44,159 Global ransomware hunting team that does 1972 01:29:44,159 --> 01:29:47,520 the very thing that these that these you 1973 01:29:47,520 --> 01:29:50,159 know phony scam companies claim to do 1974 01:29:50,159 --> 01:29:53,040 but really really didn't which is he and 1975 01:29:53,040 --> 01:29:57,600 this team of 12 people across the world 1976 01:29:57,600 --> 01:29:59,940 um crack crack ransomware they have 1977 01:29:59,940 --> 01:30:02,940 decrypted hundreds of strains saving 1978 01:30:02,940 --> 01:30:05,100 millions of people from paying billions 1979 01:30:05,100 --> 01:30:07,320 of dollars to hackers and I thought that 1980 01:30:07,320 --> 01:30:09,060 was fascinating so 1981 01:30:09,060 --> 01:30:12,060 around the summer of 2019 I went to go 1982 01:30:12,060 --> 01:30:13,800 meet Michael in person because I wanted 1983 01:30:13,800 --> 01:30:15,719 to learn more about him learn more about 1984 01:30:15,719 --> 01:30:17,280 this team 1985 01:30:17,280 --> 01:30:19,800 and you know by this point I knew 1986 01:30:19,800 --> 01:30:21,960 Michael was the most prolific member of 1987 01:30:21,960 --> 01:30:24,060 this team cracked more ransomware than 1988 01:30:24,060 --> 01:30:25,980 anybody else 1989 01:30:25,980 --> 01:30:29,639 um and so when I when I when I flew out 1990 01:30:29,639 --> 01:30:32,280 to rural Illinois to meet him you 
know I 1991 01:30:32,280 --> 01:30:34,679 was expecting to see the you know I know 1992 01:30:34,679 --> 01:30:36,179 he's the greatest in the world at what 1993 01:30:36,179 --> 01:30:38,639 he does and he's done more of this than 1994 01:30:38,639 --> 01:30:41,100 anybody else and you know usually when 1995 01:30:41,100 --> 01:30:42,600 somebody is the best in the world at 1996 01:30:42,600 --> 01:30:44,820 what they do they have handlers and PR 1997 01:30:44,820 --> 01:30:47,219 people and executive assistants they 1998 01:30:47,219 --> 01:30:48,900 sort of have the trappings of being the 1999 01:30:48,900 --> 01:30:50,100 best 2000 01:30:50,100 --> 01:30:52,560 um but not Michael and that's what I 2001 01:30:52,560 --> 01:30:54,600 found out when I went to go visit him I 2002 01:30:54,600 --> 01:30:57,360 he greeted me from the front porch swing 2003 01:30:57,360 --> 01:30:59,940 of his modest home in rural Illinois and 2004 01:30:59,940 --> 01:31:02,760 this working class neighborhood and you 2005 01:31:02,760 --> 01:31:04,080 know as you may know from his Twitter 2006 01:31:04,080 --> 01:31:06,659 profile he loves cats bunnies and coding 2007 01:31:06,659 --> 01:31:08,880 and sure enough you know there were like 2008 01:31:08,880 --> 01:31:10,860 nine cats and a couple dogs and the 2009 01:31:10,860 --> 01:31:13,860 rabbit hopping around his his house and 2010 01:31:13,860 --> 01:31:15,960 we just started talking about ransomware 2011 01:31:15,960 --> 01:31:17,820 and 2012 01:31:17,820 --> 01:31:20,520 as we were talking he would open up his 2013 01:31:20,520 --> 01:31:22,080 Twitter and there'd be 40 direct 2014 01:31:22,080 --> 01:31:24,840 messages from people just desperate for 2015 01:31:24,840 --> 01:31:26,340 his help you know I lost my University 2016 01:31:26,340 --> 01:31:29,820 thesis uh I'm a lawyer in my firms 2017 01:31:29,820 --> 01:31:32,820 client files are locked up I lost all my 2018 01:31:32,820 --> 01:31:36,060 family photos just the the 
horrible 2019 01:31:36,060 --> 01:31:38,159 stories went on and on and on and he 2020 01:31:38,159 --> 01:31:39,600 would respond to these as we were 2021 01:31:39,600 --> 01:31:42,179 talking we talked some more he'd open up 2022 01:31:42,179 --> 01:31:44,280 his phone there'd be another few dozen 2023 01:31:44,280 --> 01:31:45,840 messages of people with the same kind of 2024 01:31:45,840 --> 01:31:47,639 thing and he responded to all of these 2025 01:31:47,639 --> 01:31:50,820 and I was really struck by that but as 2026 01:31:50,820 --> 01:31:53,100 the day wore on he got more comfortable 2027 01:31:53,100 --> 01:31:56,100 and he started telling me about his life 2028 01:31:56,100 --> 01:31:58,080 outside of ransomware you know he was 2029 01:31:58,080 --> 01:31:59,639 working at nerds on call during the day 2030 01:31:59,639 --> 01:32:02,100 cracking ransomware both there and in 2031 01:32:02,100 --> 01:32:05,159 his free time but it was taking a toll 2032 01:32:05,159 --> 01:32:07,080 um he wasn't making that much money at 2033 01:32:07,080 --> 01:32:09,120 nerds on call he and his wife were 2034 01:32:09,120 --> 01:32:11,400 struggling to pay their bills one month 2035 01:32:11,400 --> 01:32:13,800 they'd pay one utility and then have 2036 01:32:13,800 --> 01:32:15,420 another shut off and then the next month 2037 01:32:15,420 --> 01:32:17,400 they would reverse those because they 2038 01:32:17,400 --> 01:32:18,780 couldn't afford to pay all their bills 2039 01:32:18,780 --> 01:32:20,520 every month they had to surrender one of 2040 01:32:20,520 --> 01:32:22,560 their cars to the bank they started to 2041 01:32:22,560 --> 01:32:24,300 fall behind on their mortgage payments 2042 01:32:24,300 --> 01:32:27,060 they almost lost their home and all the 2043 01:32:27,060 --> 01:32:28,860 while he's cracking ransomware 2044 01:32:28,860 --> 01:32:31,080 developing these free tools that are 2045 01:32:31,080 --> 01:32:32,580 allowing millions of people to recover 2046 
01:32:32,580 --> 01:32:34,639 without having to pay 2047 01:32:34,639 --> 01:32:37,199 billions to hackers and doing all of 2048 01:32:37,199 --> 01:32:39,300 this with no Fanfare 2049 01:32:39,300 --> 01:32:42,540 um just in you know just humbly 2050 01:32:42,540 --> 01:32:44,460 um and um 2051 01:32:44,460 --> 01:32:47,100 you know for the benefit of society and 2052 01:32:47,100 --> 01:32:49,199 so I I call Dan from the airport and I 2053 01:32:49,199 --> 01:32:51,780 said you know he's he's he's in really 2054 01:32:51,780 --> 01:32:53,699 interesting and special guy I think we 2055 01:32:53,699 --> 01:32:56,100 should do a profile of them and so it 2056 01:32:56,100 --> 01:32:58,380 became a profile and then the basis of 2057 01:32:58,380 --> 01:33:00,900 the ransomware hunting team which tells 2058 01:33:00,900 --> 01:33:02,639 the story of the rise and evolution of 2059 01:33:02,639 --> 01:33:04,860 ransomware as well as the story of this 2060 01:33:04,860 --> 01:33:07,860 amazing team of ransomware hunters that 2061 01:33:07,860 --> 01:33:09,840 are fighting it and what's so 2062 01:33:09,840 --> 01:33:12,239 fascinating about them is they all have 2063 01:33:12,239 --> 01:33:14,460 interesting stories to tell um like 2064 01:33:14,460 --> 01:33:16,500 Michael's they don't seem to be 2065 01:33:16,500 --> 01:33:18,840 motivated by the things that motivate 2066 01:33:18,840 --> 01:33:22,080 most people like fame or success or 2067 01:33:22,080 --> 01:33:24,540 money they're motivated by this almost 2068 01:33:24,540 --> 01:33:27,300 urge to help people you know they know 2069 01:33:27,300 --> 01:33:28,980 that they're some of the only people in 2070 01:33:28,980 --> 01:33:30,719 the world who 2071 01:33:30,719 --> 01:33:33,540 um are willing and able to spend the 2072 01:33:33,540 --> 01:33:36,540 time to crack this cryptography and 2073 01:33:36,540 --> 01:33:38,699 develop these tools so they just have 2074 01:33:38,699 --> 01:33:41,280 this sense of 
urgency in this compulsion 2075 01:33:41,280 --> 01:33:44,400 to do that they're fascinating too but 2076 01:33:44,400 --> 01:33:47,400 because you know this may this may feel 2077 01:33:47,400 --> 01:33:49,080 feel familiar to you but a lot of them 2078 01:33:49,080 --> 01:33:50,580 have never met in person even though 2079 01:33:50,580 --> 01:33:52,139 they're working together all day every 2080 01:33:52,139 --> 01:33:53,460 day 2081 01:33:53,460 --> 01:33:56,699 um to develop these free tools they live 2082 01:33:56,699 --> 01:33:58,320 their lives online where they feel the 2083 01:33:58,320 --> 01:34:00,300 most comfortable and they really upend 2084 01:34:00,300 --> 01:34:04,440 the traditional stories of success 2085 01:34:04,440 --> 01:34:07,139 um you know many of them came from 2086 01:34:07,139 --> 01:34:09,480 backgrounds of poverty some of them came 2087 01:34:09,480 --> 01:34:11,520 from backgrounds of abuse 2088 01:34:11,520 --> 01:34:15,120 um only one or two went to college one 2089 01:34:15,120 --> 01:34:16,500 of the most prolific members on the team 2090 01:34:16,500 --> 01:34:18,120 even dropped out of high school you know 2091 01:34:18,120 --> 01:34:20,179 they're mostly self-taught 2092 01:34:20,179 --> 01:34:23,820 and they they have this sense that they 2093 01:34:23,820 --> 01:34:25,920 told us about that the internet is 2094 01:34:25,920 --> 01:34:27,840 really their intellectual home in the 2095 01:34:27,840 --> 01:34:30,060 place where they feel safe and 2096 01:34:30,060 --> 01:34:32,760 since this is their territory their Turf 2097 01:34:32,760 --> 01:34:34,620 they want to protect it and they see 2098 01:34:34,620 --> 01:34:37,560 they see fighting ransomware as as their 2099 01:34:37,560 --> 01:34:40,020 way to do that and also perhaps to get 2100 01:34:40,020 --> 01:34:44,219 back at the boys of their youths another 2101 01:34:44,219 --> 01:34:46,020 more troubling similarity among the 2102 01:34:46,020 --> 01:34:47,880 members of 
the team is that a lot of 2103 01:34:47,880 --> 01:34:50,880 them have have have encountered 2104 01:34:50,880 --> 01:34:53,580 financial and personal hardship in doing 2105 01:34:53,580 --> 01:34:56,159 what they do they spend so much time 2106 01:34:56,159 --> 01:35:00,060 tackling ransomware that they they're 2107 01:35:00,060 --> 01:35:02,219 struggling to make ends meet 2108 01:35:02,219 --> 01:35:05,760 um when one when one is runs into some 2109 01:35:05,760 --> 01:35:07,260 kind of financial hardship usually 2110 01:35:07,260 --> 01:35:09,480 another person steps up 2111 01:35:09,480 --> 01:35:11,940 so they're really a fascinating group of 2112 01:35:11,940 --> 01:35:14,699 people who are there for each other in a 2113 01:35:14,699 --> 01:35:17,340 very real way and you know have helped 2114 01:35:17,340 --> 01:35:18,780 the world 2115 01:35:18,780 --> 01:35:21,239 um fight back against ransomware filling 2116 01:35:21,239 --> 01:35:24,799 uh a void in society 2117 01:35:26,219 --> 01:35:29,820 so while Renee uh cultivated her 2118 01:35:29,820 --> 01:35:32,159 friendships with the hunt hunting team I 2119 01:35:32,159 --> 01:35:33,420 looked into some of the history of 2120 01:35:33,420 --> 01:35:36,480 ransomware and I found that the man who 2121 01:35:36,480 --> 01:35:39,179 invented ransomware about a little more 2122 01:35:39,179 --> 01:35:42,000 than 30 years ago around 1990 was a 2123 01:35:42,000 --> 01:35:44,580 crazy guy named Joe Popp I don't know if 2124 01:35:44,580 --> 01:35:46,380 any of you have heard this story it got 2125 01:35:46,380 --> 01:35:48,780 a lot of attention 30 years ago but not 2126 01:35:48,780 --> 01:35:52,020 much since then but Popp was one 2127 01:35:52,020 --> 01:35:54,960 brilliant eccentric nutty guy and he 2128 01:35:54,960 --> 01:35:56,880 grew up in Cleveland you know even 2129 01:35:56,880 --> 01:35:58,620 though a lot of the hackers are you know 2130 01:35:58,620 --> 01:36:01,860 from Europe or or the Middle East he
was 2131 01:36:01,860 --> 01:36:03,239 he was an American he grew up in 2132 01:36:03,239 --> 01:36:05,520 Cleveland went to Ohio State then he got 2133 01:36:05,520 --> 01:36:08,520 a PhD at Harvard in anthropology he was 2134 01:36:08,520 --> 01:36:10,260 supposed to be the next great you know 2135 01:36:10,260 --> 01:36:12,780 Dian Fossey or Jane Goodall the next 2136 01:36:12,780 --> 01:36:15,000 brilliant you know researcher his 2137 01:36:15,000 --> 01:36:17,100 specialty was baboons he was a big 2138 01:36:17,100 --> 01:36:19,980 Darwinian theorist and so on so he went 2139 01:36:19,980 --> 01:36:23,040 to do his field research in Kenya and 2140 01:36:23,040 --> 01:36:25,860 while he was there studying the baboons he 2141 01:36:25,860 --> 01:36:27,600 discovered that it really wasn't his 2142 01:36:27,600 --> 01:36:29,040 thing he just wasn't that interested in 2143 01:36:29,040 --> 01:36:30,600 researching it he was much more 2144 01:36:30,600 --> 01:36:32,280 interested in making money and it didn't 2145 01:36:32,280 --> 01:36:34,679 his graduate student stipend didn't pay 2146 01:36:34,679 --> 01:36:37,800 him enough so he had all these crazy get 2147 01:36:37,800 --> 01:36:40,380 rich quick schemes for example he would 2148 01:36:40,380 --> 01:36:43,320 put on a uh you know a pith helmet and 2149 01:36:43,320 --> 01:36:45,659 hunting outfit and they put an elephant 2150 01:36:45,659 --> 01:36:47,760 gun over his shoulder and charge all 2151 01:36:47,760 --> 01:36:49,440 these tourists outrageous amounts of 2152 01:36:49,440 --> 01:36:51,360 money and lead them on some tour of the 2153 01:36:51,360 --> 01:36:54,480 uh the game preserve that he was in 2154 01:36:54,480 --> 01:36:57,000 um he he contemplated setting up an 2155 01:36:57,000 --> 01:36:59,219 elephant graveyard because there was 2156 01:36:59,219 --> 01:37:01,800 this myth that um elephants know where 2157 01:37:01,800 --> 01:37:03,600 they're going to die and they all crawl 2158 01:37:03,600
--> 01:37:05,580 to die at the same place which is not 2159 01:37:05,580 --> 01:37:07,440 true but he was going to take elephant 2160 01:37:07,440 --> 01:37:09,300 Bones from all over the area put them in 2161 01:37:09,300 --> 01:37:11,400 one place put up a sign saying here's 2162 01:37:11,400 --> 01:37:13,380 the elephant graveyard 50 bucks to watch 2163 01:37:13,380 --> 01:37:15,540 visit it you know so he had all these 2164 01:37:15,540 --> 01:37:17,760 get rich quick schemes and finally this 2165 01:37:17,760 --> 01:37:19,020 got him in trouble with the Kenyan 2166 01:37:19,020 --> 01:37:20,820 government they kicked him off the Game 2167 01:37:20,820 --> 01:37:23,580 Preserve he goes to Nairobi he gets into 2168 01:37:23,580 --> 01:37:26,280 health health research stuff uh at the 2169 01:37:26,280 --> 01:37:28,620 peak of the AIDS epidemic and what he 2170 01:37:28,620 --> 01:37:31,500 does is he he he he actually did this 2171 01:37:31,500 --> 01:37:34,320 from London he sent out like 20 000 2172 01:37:34,320 --> 01:37:37,320 floppy disks to to come to most of the 2173 01:37:37,320 --> 01:37:38,760 health researchers also the computer 2174 01:37:38,760 --> 01:37:41,639 science magazines and so on and the disc 2175 01:37:41,639 --> 01:37:43,620 set out at AIDS education you know 2176 01:37:43,620 --> 01:37:45,360 supposed to be what you don't know about 2177 01:37:45,360 --> 01:37:47,580 AIDS but if you put it in your computer 2178 01:37:47,580 --> 01:37:49,920 the computer froze and the sign would 2179 01:37:49,920 --> 01:37:52,980 come up saying send 378 dollars to this 2180 01:37:52,980 --> 01:37:56,699 post office box in Panama and so uh he 2181 01:37:56,699 --> 01:37:58,199 sends this all over the country all over 2182 01:37:58,199 --> 01:38:01,139 the world and um it caused a panic you 2183 01:38:01,139 --> 01:38:02,940 know nobody ever heard of any crime like 2184 01:38:02,940 --> 01:38:06,000 this before made all the front pages he 2185 01:38:06,000 
--> 01:38:07,739 realized that you know he was a dead 2186 01:38:07,739 --> 01:38:10,500 duck he he went he got caught went back 2187 01:38:10,500 --> 01:38:12,600 to they brought him back to U.S he was 2188 01:38:12,600 --> 01:38:14,340 extradited to England because that's 2189 01:38:14,340 --> 01:38:17,400 where they um investigated uh that's 2190 01:38:17,400 --> 01:38:19,620 where he had committed the crime and 2191 01:38:19,620 --> 01:38:22,320 there he pretended to be insane he like 2192 01:38:22,320 --> 01:38:24,360 did all kinds of crazy things he wore 2193 01:38:24,360 --> 01:38:27,659 like condoms on his nose and stuff and 2194 01:38:27,659 --> 01:38:30,719 and the judge eventually decided I don't 2195 01:38:30,719 --> 01:38:32,280 want to try this guy it's too much of a 2196 01:38:32,280 --> 01:38:34,500 circus if he goes back to the United 2197 01:38:34,500 --> 01:38:36,360 States and stays there we'll just you 2198 01:38:36,360 --> 01:38:38,400 know we won't do anything about him just 2199 01:38:38,400 --> 01:38:40,800 get him out of England so that's what 2200 01:38:40,800 --> 01:38:43,440 they did he went back to the U.S he 2201 01:38:43,440 --> 01:38:45,060 never did anything like ransomware again 2202 01:38:45,060 --> 01:38:47,520 he wrote a couple of nutty books and for 2203 01:38:47,520 --> 01:38:49,440 about that was in the early 90s for 2204 01:38:49,440 --> 01:38:52,139 about 20 years what he had done kind of 2205 01:38:52,139 --> 01:38:55,380 lay fallow because there was not a uh a 2206 01:38:55,380 --> 01:38:57,840 good delivery system for paying you know 2207 01:38:57,840 --> 01:39:00,480 the hackers and then Bitcoin came around 2208 01:39:00,480 --> 01:39:02,580 all of a sudden you could you know pay 2209 01:39:02,580 --> 01:39:05,580 with cyber currency relatively uh safely 2210 01:39:05,580 --> 01:39:09,480 and um from then on you know ransomware 2211 01:39:09,480 --> 01:39:12,480 exploded to the point where the the uh 2212 01:39:12,480 
--> 01:39:15,060 the ransoms became millions of dollars 2213 01:39:15,060 --> 01:39:17,219 tens of millions of dollars of attacks on 2214 01:39:17,219 --> 01:39:20,159 government agencies and universities and 2215 01:39:20,159 --> 01:39:23,340 hospitals and oil pipelines and you know 2216 01:39:23,340 --> 01:39:25,380 all the other ones you're familiar with 2217 01:39:25,380 --> 01:39:29,159 and now they don't just uh uh you know 2218 01:39:29,159 --> 01:39:32,820 uh freeze your files they also go in 2219 01:39:32,820 --> 01:39:34,920 there and steal the data so even if you 2220 01:39:34,920 --> 01:39:36,480 have backups or your files you still 2221 01:39:36,480 --> 01:39:38,280 have to pay so it's became this world 2222 01:39:38,280 --> 01:39:40,980 crisis but it all started with Joe Popp 2223 01:39:40,980 --> 01:39:43,620 back in the day in uh having ideas in 2224 01:39:43,620 --> 01:39:46,440 this game Park in Kenya he no longer is 2225 01:39:46,440 --> 01:39:49,020 uh is uh living by the way he died in a 2226 01:39:49,020 --> 01:39:51,840 traffic accident in 2005 just as he was 2227 01:39:51,840 --> 01:39:54,480 about to open a butterfly conservatory 2228 01:39:54,480 --> 01:39:56,880 in Upstate New York and it still exists 2229 01:39:56,880 --> 01:39:58,620 it's called the you know the Joseph Popp 2230 01:39:58,620 --> 01:40:01,560 Butterfly Conservatory you can visit it 2231 01:40:01,560 --> 01:40:03,719 as a tourist I did his his former 2232 01:40:03,719 --> 01:40:05,639 girlfriend runs it and there's a 2233 01:40:05,639 --> 01:40:07,920 beautiful plaque there saluting his 2234 01:40:07,920 --> 01:40:10,679 legacy as a as a genius and a scientist 2235 01:40:10,679 --> 01:40:13,020 and humanitarian and but nowhere does it 2236 01:40:13,020 --> 01:40:14,820 mention his biggest legacy which is that 2237 01:40:14,820 --> 01:40:17,960 he invented ransomware 2238 01:40:20,460 --> 01:40:22,920 one of the things we wanted to do 2239 01:40:22,920 --> 01:40:25,440 um in the
book is look on who's on the 2240 01:40:25,440 --> 01:40:27,480 other side of the equation because of 2241 01:40:27,480 --> 01:40:29,940 course we spent um you know a lot of the 2242 01:40:29,940 --> 01:40:32,480 book talking about the hunters and their 2243 01:40:32,480 --> 01:40:35,219 incredible work but who who's on the 2244 01:40:35,219 --> 01:40:36,719 other side who are who are the malicious 2245 01:40:36,719 --> 01:40:39,600 hackers hackers behind this and I 2246 01:40:39,600 --> 01:40:42,440 personally got to know um one of them in 2247 01:40:42,440 --> 01:40:47,040 2021 who went by the name of Adrian and 2248 01:40:47,040 --> 01:40:50,159 we talked over Telegram and he told me 2249 01:40:50,159 --> 01:40:51,960 about the ransomware that he was running 2250 01:40:51,960 --> 01:40:56,040 called Ziggy and Ziggy I mean by 2021 2251 01:40:56,040 --> 01:40:57,659 things had really taken off for 2252 01:40:57,659 --> 01:41:00,900 ransomware and sort of by contrast 2253 01:41:00,900 --> 01:41:03,900 um Ziggy was almost quaint you know it 2254 01:41:03,900 --> 01:41:06,540 would charge two hundred dollars 2255 01:41:06,540 --> 01:41:09,420 um Ransom to its victims 2256 01:41:09,420 --> 01:41:12,000 um and you know even at the time that 2257 01:41:12,000 --> 01:41:14,460 that was hardly anything 2258 01:41:14,460 --> 01:41:16,260 um and when I talked to Adrian about his 2259 01:41:16,260 --> 01:41:19,920 motivations uh he he described to me 2260 01:41:19,920 --> 01:41:21,780 um his living situation he was in the 2261 01:41:21,780 --> 01:41:25,380 Middle East uh and where where he was 2262 01:41:25,380 --> 01:41:28,080 there wasn't a lot of job opportunities 2263 01:41:28,080 --> 01:41:30,719 for people who were interested in in his 2264 01:41:30,719 --> 01:41:33,840 field which was I.T and cryptography 2265 01:41:33,840 --> 01:41:36,719 um that was his expertise and so he 2266 01:41:36,719 --> 01:41:39,540 turned to ransomware to help put food on 2267 01:41:39,540 
--> 01:41:42,840 the table and earn a living so uh Adrian 2268 01:41:42,840 --> 01:41:44,400 went along he said he was mostly 2269 01:41:44,400 --> 01:41:47,580 politically motivated uh in his targets 2270 01:41:47,580 --> 01:41:49,679 he went after victims in the U.S and 2271 01:41:49,679 --> 01:41:51,480 Israel to achieve his political 2272 01:41:51,480 --> 01:41:52,980 objectives 2273 01:41:52,980 --> 01:41:56,639 um and eventually Adrian started to feel 2274 01:41:56,639 --> 01:41:59,060 guilty about what he was doing 2275 01:41:59,060 --> 01:42:01,500 coincidentally or not it was around the 2276 01:42:01,500 --> 01:42:03,239 same time as a global law enforcement 2277 01:42:03,239 --> 01:42:06,719 Crackdown but in any case Adrian decides 2278 01:42:06,719 --> 01:42:08,820 to to shut down to shut down his 2279 01:42:08,820 --> 01:42:10,440 ransomware 2280 01:42:10,440 --> 01:42:11,880 um so like everybody else in the 2281 01:42:11,880 --> 01:42:14,580 ransomware world he turns to demon slay 2282 01:42:14,580 --> 01:42:18,840 335 Michael Gillespie and asks if he can 2283 01:42:18,840 --> 01:42:21,239 dump his keys on Michael for Michael to 2284 01:42:21,239 --> 01:42:23,400 create a decrypter tool for victims to 2285 01:42:23,400 --> 01:42:25,699 use and of course Michael 2286 01:42:25,699 --> 01:42:29,520 obliges and and creates that and in a 2287 01:42:29,520 --> 01:42:31,020 very bizarre twist 2288 01:42:31,020 --> 01:42:33,840 um unusual twist Adrian actually gives 2289 01:42:33,840 --> 01:42:36,960 refunds to people who had already paid 2290 01:42:36,960 --> 01:42:39,420 um he he was feeling quite sorry about 2291 01:42:39,420 --> 01:42:42,600 what he did and uh also indicated that 2292 01:42:42,600 --> 01:42:45,300 this might help if he were ever be 2293 01:42:45,300 --> 01:42:47,460 discovered by law enforcement Authority 2294 01:42:47,460 --> 01:42:51,480 is a very long shot but never know and 2295 01:42:51,480 --> 01:42:53,760 so Adrian really represents 
the equator 2296 01:42:53,760 --> 01:42:56,699 days of ransomware 2297 01:42:56,699 --> 01:42:58,800 um and as you all know it's evolved into 2298 01:42:58,800 --> 01:43:01,920 something so so much more than that 2299 01:43:01,920 --> 01:43:05,280 um you know over the past decade I'm 2300 01:43:05,280 --> 01:43:07,619 sure many of you familiar with the fact 2301 01:43:07,619 --> 01:43:09,480 that ransomware gangs have really 2302 01:43:09,480 --> 01:43:12,119 organized and in many ways mirror 2303 01:43:12,119 --> 01:43:14,159 legitimate corporations in the 2304 01:43:14,159 --> 01:43:16,380 organizational structures 2305 01:43:16,380 --> 01:43:17,940 um they'll have 2306 01:43:17,940 --> 01:43:20,639 um sort of payroll departments and human 2307 01:43:20,639 --> 01:43:23,760 resources they post ads on the dark web 2308 01:43:23,760 --> 01:43:25,679 looking for people with very specific 2309 01:43:25,679 --> 01:43:28,080 skills like proficiency in Cobalt 2310 01:43:28,080 --> 01:43:30,840 Strike so that they can use 2311 01:43:30,840 --> 01:43:33,560 um those skills to get into ever bigger 2312 01:43:33,560 --> 01:43:36,540 organizations with deeper pockets they 2313 01:43:36,540 --> 01:43:38,460 outsource tasks beyond their purview 2314 01:43:38,460 --> 01:43:41,100 they work with crypto providers they 2315 01:43:41,100 --> 01:43:44,239 work with Bitcoin tumblers they work 2316 01:43:44,239 --> 01:43:47,840 with with any of a variety of 2317 01:43:47,840 --> 01:43:50,340 specialty organizations that have 2318 01:43:50,340 --> 01:43:53,119 cropped up to feed the the the 2319 01:43:53,119 --> 01:43:56,699 underworld ransomware economy um and all 2320 01:43:56,699 --> 01:43:58,860 of this specialization has allowed the 2321 01:43:58,860 --> 01:44:00,960 gangs to focus on the cryptography 2322 01:44:00,960 --> 01:44:03,360 itself which has become better and 2323 01:44:03,360 --> 01:44:05,400 better and better and harder and harder 2324 01:44:05,400 --> 01:44:07,800
for the ransomware hunting team to crack 2325 01:44:07,800 --> 01:44:10,260 and 2326 01:44:10,260 --> 01:44:13,619 as as this has evolved you know there's 2327 01:44:13,619 --> 01:44:16,380 been gangs that have have really become 2328 01:44:16,380 --> 01:44:18,480 absolutely prolific 2329 01:44:18,480 --> 01:44:20,639 um and the one that comes to mind is the 2330 01:44:20,639 --> 01:44:22,920 appropriately named Evil Corp uh 2331 01:44:22,920 --> 01:44:25,800 ransomware gang run by a man named 2332 01:44:25,800 --> 01:44:27,300 Maksim Yakubets who's now under 2333 01:44:27,300 --> 01:44:29,639 indictment in the U.S but will probably 2334 01:44:29,639 --> 01:44:32,159 never face justice because he's in 2335 01:44:32,159 --> 01:44:34,800 Russia where he seems to enjoy 2336 01:44:34,800 --> 01:44:36,840 um the protection of Putin 2337 01:44:36,840 --> 01:44:40,820 um but it it Evil Corp is is is 2338 01:44:40,820 --> 01:44:45,060 indicative of of um of how ransomware 2339 01:44:45,060 --> 01:44:47,219 has really evolved 2340 01:44:47,219 --> 01:44:50,639 um it runs this this sort of structure 2341 01:44:50,639 --> 01:44:52,920 this organization with all of the 2342 01:44:52,920 --> 01:44:55,139 attributes that I mentioned 2343 01:44:55,139 --> 01:44:58,380 um and they they're they're Yakubets 2344 01:44:58,380 --> 01:45:01,560 although he um you know he feels so 2345 01:45:01,560 --> 01:45:03,960 secure in his freedom 2346 01:45:03,960 --> 01:45:05,940 um that he actually drives around Moscow 2347 01:45:05,940 --> 01:45:08,400 with in a Lamborghini with a license 2348 01:45:08,400 --> 01:45:10,920 plate that translates to thief and you 2349 01:45:10,920 --> 01:45:12,540 know you can understand why he would 2350 01:45:12,540 --> 01:45:15,000 feel protected because his father-in-law 2351 01:45:15,000 --> 01:45:17,880 is a known friend of uh Putin they were 2352 01:45:17,880 --> 01:45:20,040 in the KGB together 2353 01:45:20,040 --> 01:45:22,619 um and it it really
reflects another 2354 01:45:22,619 --> 01:45:24,900 alarming trend which is like Dan 2355 01:45:24,900 --> 01:45:27,480 mentioned increasingly ransomware gangs 2356 01:45:27,480 --> 01:45:30,119 before they encrypt data are stealing it 2357 01:45:30,119 --> 01:45:31,800 and 2358 01:45:31,800 --> 01:45:34,080 when you think about who their targets 2359 01:45:34,080 --> 01:45:36,900 are people like Evil Corp 2360 01:45:36,900 --> 01:45:39,060 um you know we're talking about every 2361 01:45:39,060 --> 01:45:41,040 segment of society from health care to 2362 01:45:41,040 --> 01:45:43,380 defense contractors 2363 01:45:43,380 --> 01:45:46,440 um and the kind of of of material that's 2364 01:45:46,440 --> 01:45:48,960 getting stolen could be intellectual 2365 01:45:48,960 --> 01:45:51,840 property national secrets 2366 01:45:51,840 --> 01:45:53,699 um so it's it's it's it's an alarming 2367 01:45:53,699 --> 01:45:55,679 trend to think about the kind of people 2368 01:45:55,679 --> 01:45:59,600 who are behind this data theft and 2369 01:45:59,600 --> 01:46:01,800 increasingly the thought is that 2370 01:46:01,800 --> 01:46:04,199 ransomware may be used as a cover for 2371 01:46:04,199 --> 01:46:07,460 intelligence gathering operations 2372 01:46:07,460 --> 01:46:12,500 affecting you know all of society 2373 01:46:17,400 --> 01:46:19,020 uh one of the 2374 01:46:19,020 --> 01:46:19,860 um 2375 01:46:19,860 --> 01:46:22,080 issues that we wanted that I wanted to 2376 01:46:22,080 --> 01:46:24,480 address in the book the underlying issue 2377 01:46:24,480 --> 01:46:27,000 is the kind of moral dilemma that 2378 01:46:27,000 --> 01:46:30,900 ransomware presents basically to pay or 2379 01:46:30,900 --> 01:46:34,380 not to pay you know and neither one it 2380 01:46:34,380 --> 01:46:35,639 turns out is a very appealing 2381 01:46:35,639 --> 01:46:37,679 alternative and this comes up of course 2382 01:46:37,679 --> 01:46:39,840 for the cases that the hunting team 2383
01:46:39,840 --> 01:46:42,179 can't crack I mean Michael Gillespie and 2384 01:46:42,179 --> 01:46:44,159 his and his cohorts can crack a lot of 2385 01:46:44,159 --> 01:46:46,080 ransomware which is a way out of that 2386 01:46:46,080 --> 01:46:49,100 dilemma but if the coding is is perfect 2387 01:46:49,100 --> 01:46:51,000 basically they're helpless they 2388 01:46:51,000 --> 01:46:53,159 capitalize on flaws and mistakes which 2389 01:46:53,159 --> 01:46:55,679 which often occur but often also don't 2390 01:46:55,679 --> 01:46:58,080 so if they can't do anything and nobody 2391 01:46:58,080 --> 01:47:00,600 can crack it you face this question 2392 01:47:00,600 --> 01:47:02,699 do I have do I should I pay the ransom 2393 01:47:02,699 --> 01:47:05,100 or shouldn't I now paying The Ransom of 2394 01:47:05,100 --> 01:47:07,639 course you're abetting you know 2395 01:47:07,639 --> 01:47:10,920 criminals who often are associated with 2396 01:47:10,920 --> 01:47:12,780 countries hostile to the United States 2397 01:47:12,780 --> 01:47:16,080 and you're encouraging more ransomware I 2398 01:47:16,080 --> 01:47:17,699 mean in the big picture it's hard it's 2399 01:47:17,699 --> 01:47:20,699 it's kind of you know difficult to 2400 01:47:20,699 --> 01:47:23,040 forgive which is why you know the FBI in 2401 01:47:23,040 --> 01:47:26,460 places like that encourage everybody uh 2402 01:47:26,460 --> 01:47:28,920 you know don't pay the ransom but not 2403 01:47:28,920 --> 01:47:32,940 paying the ransom uh is can be caused it 2404 01:47:32,940 --> 01:47:35,400 can be disastrous you know businesses 2405 01:47:35,400 --> 01:47:37,980 may not be able to you know maybe shut 2406 01:47:37,980 --> 01:47:39,900 down for weeks or months may not be able 2407 01:47:39,900 --> 01:47:43,679 to survive uh you know classes may not 2408 01:47:43,679 --> 01:47:45,840 be able to be held at least online at a 2409 01:47:45,840 --> 01:47:48,360 school or university and sometimes it 2410 
01:47:48,360 --> 01:47:50,699 can have life or death consequences like 2411 01:47:50,699 --> 01:47:53,040 at a hospital so we wrote about a 2412 01:47:53,040 --> 01:47:55,440 hospital in Alabama which was hit by 2413 01:47:55,440 --> 01:47:58,980 ransomware and it uh knocked out the 2414 01:47:58,980 --> 01:48:00,540 sort of electronic monitoring system 2415 01:48:00,540 --> 01:48:03,360 systems and a woman was having a baby 2416 01:48:03,360 --> 01:48:06,239 there they failed to detect you know 2417 01:48:06,239 --> 01:48:09,480 fetal distress the boy the the baby was 2418 01:48:09,480 --> 01:48:11,460 born severely brain damaged and died 2419 01:48:11,460 --> 01:48:13,800 soon after you know in these kind of 2420 01:48:13,800 --> 01:48:16,760 cases can happen I I talked to a couple 2421 01:48:16,760 --> 01:48:20,280 uh that lived in Oregon and in a 2422 01:48:20,280 --> 01:48:23,159 mountainous part of Oregon and 2423 01:48:23,159 --> 01:48:26,760 um the husband had a very severe brain 2424 01:48:26,760 --> 01:48:28,679 tumor and 2425 01:48:28,679 --> 01:48:30,900 um you know he was about to go in for 2426 01:48:30,900 --> 01:48:33,719 his radiation and treatment at the local 2427 01:48:33,719 --> 01:48:35,400 hospital when it was hit by ransomware 2428 01:48:35,400 --> 01:48:37,560 so he they had to send him to another 2429 01:48:37,560 --> 01:48:39,840 hospital like a hundred miles away his 2430 01:48:39,840 --> 01:48:42,060 wife had to drive him there there and 2431 01:48:42,060 --> 01:48:43,679 back every day in the winter over the 2432 01:48:43,679 --> 01:48:47,100 mountains in Oregon and it just added an 2433 01:48:47,100 --> 01:48:50,760 extra level of uh hardship to what was 2434 01:48:50,760 --> 01:48:53,280 already a distressed situation so the 2435 01:48:53,280 --> 01:48:56,219 consequences can be very serious and 2436 01:48:56,219 --> 01:48:58,920 I focused in particular on the ex the 2437 01:48:58,920 --> 01:49:01,080 example of an attack on the city 
of 2438 01:49:01,080 --> 01:49:06,000 Baltimore in 2019. now uh it had there 2439 01:49:06,000 --> 01:49:07,500 was this ransomware attack on Baltimore 2440 01:49:07,500 --> 01:49:11,159 just as a new mayor was being about to 2441 01:49:11,159 --> 01:49:13,920 be sworn in so he comes in there's this 2442 01:49:13,920 --> 01:49:16,560 ransomware attack it stopped housing 2443 01:49:16,560 --> 01:49:18,300 sales in the city of Baltimore because 2444 01:49:18,300 --> 01:49:21,000 it knocked out the city's records of 2445 01:49:21,000 --> 01:49:23,040 taxes and liens and things like that so 2446 01:49:23,040 --> 01:49:25,380 without that information the ownership 2447 01:49:25,380 --> 01:49:26,880 could not be 2448 01:49:26,880 --> 01:49:28,920 you know proven the the amount to be 2449 01:49:28,920 --> 01:49:30,960 paid the taxes weren't known and so 2450 01:49:30,960 --> 01:49:32,580 insurers refused to ensure the 2451 01:49:32,580 --> 01:49:35,040 transactions and housing sales came to a 2452 01:49:35,040 --> 01:49:37,260 halt they couldn't do uh parking tickets 2453 01:49:37,260 --> 01:49:39,719 because uh you know the parking 2454 01:49:39,719 --> 01:49:42,179 enforcement was electronic they the the 2455 01:49:42,179 --> 01:49:43,920 towing Lots were put out of action 2456 01:49:43,920 --> 01:49:45,600 because nobody could keep track of what 2457 01:49:45,600 --> 01:49:47,820 spaces the cars were being placed in 2458 01:49:47,820 --> 01:49:49,440 they they couldn't build they couldn't 2459 01:49:49,440 --> 01:49:51,659 send out water bills so all these range 2460 01:49:51,659 --> 01:49:53,639 of unglamorous but important city 2461 01:49:53,639 --> 01:49:57,300 services were knocked out and yet the 2462 01:49:57,300 --> 01:50:00,360 mayor had strong feelings he did not 2463 01:50:00,360 --> 01:50:02,219 want to pay the ransom he did not want 2464 01:50:02,219 --> 01:50:04,440 to reward criminals The Ransom was maybe 2465 01:50:04,440 --> 01:50:08,280 75 000 but it 
could easily been paid the 2466 01:50:08,280 --> 01:50:10,080 city's business Community particularly 2467 01:50:10,080 --> 01:50:12,420 in real estate were begging this mayor 2468 01:50:12,420 --> 01:50:14,639 to pay the ransom like just pay it and 2469 01:50:14,639 --> 01:50:16,860 forget it who cares and he said no you 2470 01:50:16,860 --> 01:50:19,500 know this is not morally what we do and 2471 01:50:19,500 --> 01:50:22,199 so um the city ultimately took months to 2472 01:50:22,199 --> 01:50:24,960 recover cost about 18 million dollars to 2473 01:50:24,960 --> 01:50:28,679 recover and the the populace of the city 2474 01:50:28,679 --> 01:50:30,719 did not seem to look gratefully to the 2475 01:50:30,719 --> 01:50:33,239 mayor for his Brave stand he ran for 2476 01:50:33,239 --> 01:50:35,340 re-election the next year he got six 2477 01:50:35,340 --> 01:50:36,900 percent of the vote 2478 01:50:36,900 --> 01:50:39,420 so you know the I don't I'm not sure 2479 01:50:39,420 --> 01:50:41,400 what the moral of the story is you know 2480 01:50:41,400 --> 01:50:43,320 because I still admire the guy and 2481 01:50:43,320 --> 01:50:45,239 actually I visited him and he was doing 2482 01:50:45,239 --> 01:50:48,179 fine out of office he he was uh you know 2483 01:50:48,179 --> 01:50:49,800 actually becoming a baker he was 2484 01:50:49,800 --> 01:50:52,560 practicing he was his grandmother had 2485 01:50:52,560 --> 01:50:54,300 left him all these recipes and he was 2486 01:50:54,300 --> 01:50:56,159 making them and when I interviewed him I 2487 01:50:56,159 --> 01:50:58,080 kept being distracted by these wonderful 2488 01:50:58,080 --> 01:51:00,239 odors you know emanating from the 2489 01:51:00,239 --> 01:51:02,340 kitchen until he finally gave me like a 2490 01:51:02,340 --> 01:51:05,100 cinnamon bun or something but uh anyway 2491 01:51:05,100 --> 01:51:07,619 but it was it is disturbing and the fact 2492 01:51:07,619 --> 01:51:08,760 is 2493 01:51:08,760 --> 
01:51:11,820 um there's no uh uh there's no real good 2494 01:51:11,820 --> 01:51:13,920 way out you know that obviously the best 2495 01:51:13,920 --> 01:51:16,320 way out is is preventative as far as 2496 01:51:16,320 --> 01:51:19,560 possible but as uh many in the audience 2497 01:51:19,560 --> 01:51:21,179 know you know the sentence Renee 2498 01:51:21,179 --> 01:51:24,060 mentioned the cyber security is often um 2499 01:51:24,060 --> 01:51:26,760 not to the level that it can be helpful 2500 01:51:26,760 --> 01:51:29,460 against these attacks and Renee will now 2501 01:51:29,460 --> 01:51:31,980 talk about the FBI and sort of how 2502 01:51:31,980 --> 01:51:34,020 effective or otherwise it's been in in 2503 01:51:34,020 --> 01:51:38,360 dealing with the uh the criminals thanks 2504 01:51:43,139 --> 01:51:44,880 you know one one of the questions we 2505 01:51:44,880 --> 01:51:48,060 wanted to address in the book is how did 2506 01:51:48,060 --> 01:51:50,760 ransomware get so out of control and you 2507 01:51:50,760 --> 01:51:51,960 know there's a lot of there are a number 2508 01:51:51,960 --> 01:51:53,639 of factors behind that but one of the 2509 01:51:53,639 --> 01:51:55,739 ones that cannot be ignored 2510 01:51:55,739 --> 01:51:57,659 um is the shortcomings of the federal 2511 01:51:57,659 --> 01:52:00,060 government in in tackling the ransomware 2512 01:52:00,060 --> 01:52:02,460 problem notably the FBI which as you 2513 01:52:02,460 --> 01:52:04,800 know is the federal Authority 2514 01:52:04,800 --> 01:52:06,719 responsible for containing containing 2515 01:52:06,719 --> 01:52:08,820 the threat and there's a number of 2516 01:52:08,820 --> 01:52:11,100 issues to unpack there but 2517 01:52:11,100 --> 01:52:13,500 um a lot of it comes down to the fact 2518 01:52:13,500 --> 01:52:17,159 that the FBI has long ignored the 2519 01:52:17,159 --> 01:52:19,980 ransomware up until recently it it 2520 01:52:19,980 --> 01:52:22,139 characterized it as an ankle 
biter crime 2521 01:52:22,139 --> 01:52:24,239 even as it was evolving into so much 2522 01:52:24,239 --> 01:52:27,179 more of that and I actually traced the 2523 01:52:27,179 --> 01:52:29,940 issues back to the the very beginning of 2524 01:52:29,940 --> 01:52:32,280 the FBI before cyber was on anybody's 2525 01:52:32,280 --> 01:52:34,440 minds there there was a founding 2526 01:52:34,440 --> 01:52:36,600 principle by the legendary first 2527 01:52:36,600 --> 01:52:39,179 director J. Edgar Hoover that agents in 2528 01:52:39,179 --> 01:52:41,340 the FBI should be able to do any job 2529 01:52:41,340 --> 01:52:45,600 anywhere and that works okay if you're a 2530 01:52:45,600 --> 01:52:47,520 white-collar crime investigator who move 2531 01:52:47,520 --> 01:52:50,100 gets moved to a gang crime squad or vice 2532 01:52:50,100 --> 01:52:53,100 versa it's a lot harder to make a gang 2533 01:52:53,100 --> 01:52:55,440 crime investigator a top-flight computer 2534 01:52:55,440 --> 01:52:57,360 scientist you know because those are 2535 01:52:57,360 --> 01:53:00,619 skills that are honed over a lifetime 2536 01:53:00,619 --> 01:53:04,080 and what the FBI tried to do was turn 2537 01:53:04,080 --> 01:53:07,380 people with a background in law or 2538 01:53:07,380 --> 01:53:08,639 accounting 2539 01:53:08,639 --> 01:53:10,920 um into a computer scientist in a flash 2540 01:53:10,920 --> 01:53:14,040 they would send people to SANS courses 2541 01:53:14,040 --> 01:53:16,800 with titles like cyber security Boot 2542 01:53:16,800 --> 01:53:20,340 Camp or cyber Essentials 101 which gave 2543 01:53:20,340 --> 01:53:22,320 them a level of understanding but not 2544 01:53:22,320 --> 01:53:24,600 enough to move the needle on these 2545 01:53:24,600 --> 01:53:27,659 complex global investigations into into 2546 01:53:27,659 --> 01:53:29,760 sometimes very sophisticated sometimes 2547 01:53:29,760 --> 01:53:31,699 state-sponsored hackers 2548 01:53:31,699 --> 01:53:36,719 but they they
they clung to this mantra 2549 01:53:36,719 --> 01:53:39,780 um and tried to turn tried to do exactly 2550 01:53:39,780 --> 01:53:41,040 that 2551 01:53:41,040 --> 01:53:43,860 um what that's not to say that there 2552 01:53:43,860 --> 01:53:45,480 aren't talented computer scientists in 2553 01:53:45,480 --> 01:53:47,520 the FBI there are there's just not 2554 01:53:47,520 --> 01:53:50,219 enough of them and they often feel 2555 01:53:50,219 --> 01:53:52,920 overwhelmed by the amount of work and 2556 01:53:52,920 --> 01:53:54,900 having to chip in on 2557 01:53:54,900 --> 01:53:56,639 um cases you know some of which don't 2558 01:53:56,639 --> 01:53:58,860 have anything to do with with cyber 2559 01:53:58,860 --> 01:54:01,260 crime or cyber security 2560 01:54:01,260 --> 01:54:03,179 um and there's also this feeling you 2561 01:54:03,179 --> 01:54:06,239 know the FBI is a very macho place and 2562 01:54:06,239 --> 01:54:08,820 they they they they told me that they 2563 01:54:08,820 --> 01:54:11,280 often felt like their skills were viewed 2564 01:54:11,280 --> 01:54:14,760 as lesser than you know in the FBI you 2565 01:54:14,760 --> 01:54:16,380 know people who are on the SWAT team are 2566 01:54:16,380 --> 01:54:19,440 at the top of of um you know the top of 2567 01:54:19,440 --> 01:54:21,480 the heap when it comes to respect and 2568 01:54:21,480 --> 01:54:23,100 people doing counterintelligence 2569 01:54:23,100 --> 01:54:26,159 and counterterrorism and cyber 2570 01:54:26,159 --> 01:54:28,980 specialists agents who you know have 2571 01:54:28,980 --> 01:54:30,600 degrees in computer science are sort 2572 01:54:30,600 --> 01:54:32,580 of at the bottom and they have to deal 2573 01:54:32,580 --> 01:54:34,800 with jokes like you know of course as you 2574 01:54:34,800 --> 01:54:36,420 know like there's you know there's all 2575 01:54:36,420 --> 01:54:38,219 kinds of physical fitness requirements 2576 01:54:38,219 --> 01:54:40,020 to be an agent and they would
deal with 2577 01:54:40,020 --> 01:54:42,119 jokes like do you have to do push-ups 2578 01:54:42,119 --> 01:54:44,760 with a with a keyboard in your backpack 2579 01:54:44,760 --> 01:54:47,280 and everybody's like but you know 2580 01:54:47,280 --> 01:54:49,199 rolling their eyes and it just 2581 01:54:49,199 --> 01:54:52,260 underscores this this sense that their 2582 01:54:52,260 --> 01:54:54,480 skills are viewed as 2583 01:54:54,480 --> 01:54:56,040 um less important 2584 01:54:56,040 --> 01:54:58,199 even though they're you know more 2585 01:54:58,199 --> 01:55:00,480 important than ever so the people who 2586 01:55:00,480 --> 01:55:02,340 are good don't stay long they don't need 2587 01:55:02,340 --> 01:55:04,980 the aggregation aggravation they can 2588 01:55:04,980 --> 01:55:06,600 make probably five times their 2589 01:55:06,600 --> 01:55:09,300 government salary by moving to the 2590 01:55:09,300 --> 01:55:11,400 private sector where their skills are in 2591 01:55:11,400 --> 01:55:14,159 immediate demand so they just leave 2592 01:55:14,159 --> 01:55:17,100 um but it only serves to exacerbate the 2593 01:55:17,100 --> 01:55:19,199 FBI's problem 2594 01:55:19,199 --> 01:55:20,520 um you know they would have they would 2595 01:55:20,520 --> 01:55:22,980 talk about having to dumb down reports 2596 01:55:22,980 --> 01:55:24,780 for their supervisors who really didn't 2597 01:55:24,780 --> 01:55:26,760 know the first thing about cyber having 2598 01:55:26,760 --> 01:55:28,980 to relate everything to something you 2599 01:55:28,980 --> 01:55:31,860 know an analogy you know making some 2600 01:55:31,860 --> 01:55:34,980 cyber problem uh relatable to cars or 2601 01:55:34,980 --> 01:55:36,600 mechanics and 2602 01:55:36,600 --> 01:55:38,520 um they just get they just get tired of 2603 01:55:38,520 --> 01:55:40,380 it and they leave 2604 01:55:40,380 --> 01:55:43,320 um what has happened is the FBI tries to 2605 01:55:43,320 --> 01:55:45,000 fill the void with
civilian computer 2606 01:55:45,000 --> 01:55:48,960 scientists but these people I found get 2607 01:55:48,960 --> 01:55:51,420 even less respect than the agents 2608 01:55:51,420 --> 01:55:53,040 themselves you know if the agents if 2609 01:55:53,040 --> 01:55:54,600 computer scientists agents can't get 2610 01:55:54,600 --> 01:55:56,040 respect there's no way that these civilian 2611 01:55:56,040 --> 01:55:58,500 computer scientists will get 2612 01:55:58,500 --> 01:56:01,020 respect in the bureau so they too leave 2613 01:56:01,020 --> 01:56:03,239 you know I'm told that a three to five 2614 01:56:03,239 --> 01:56:05,820 year tenure for a civilian computer 2615 01:56:05,820 --> 01:56:08,580 scientist in the FBI is seen as really 2616 01:56:08,580 --> 01:56:10,320 good because they just can't convince 2617 01:56:10,320 --> 01:56:12,540 these people to stay around long enough 2618 01:56:12,540 --> 01:56:14,940 because of the aggravation and and the 2619 01:56:14,940 --> 01:56:16,260 money 2620 01:56:16,260 --> 01:56:19,380 um so who does it right well 2621 01:56:19,380 --> 01:56:22,440 it's useful to contrast the FBI to the 2622 01:56:22,440 --> 01:56:25,139 Dutch national police which is really 2623 01:56:25,139 --> 01:56:27,060 seen as the world's leading law 2624 01:56:27,060 --> 01:56:28,679 enforcement authority when it comes to 2625 01:56:28,679 --> 01:56:31,560 fighting to fighting cyber crime 2626 01:56:31,560 --> 01:56:33,179 um and one of the reasons I found that 2627 01:56:33,179 --> 01:56:36,060 they were they've been so successful is 2628 01:56:36,060 --> 01:56:39,000 that from from its early days of its 2629 01:56:39,000 --> 01:56:41,100 high-tech crime unit 2630 01:56:41,100 --> 01:56:42,960 um first of all they put a priority on 2631 01:56:42,960 --> 01:56:45,060 fighting ransomware even 10 years ago as 2632 01:56:45,060 --> 01:56:48,239 it was just emerging as a threat but one 2633 01:56:48,239 --> 01:56:51,179 of their founding principles was
2634 01:56:51,179 --> 01:56:54,300 we're going to have a one-to-one ratio 2635 01:56:54,300 --> 01:56:57,080 of traditional law enforcement officers 2636 01:56:57,080 --> 01:57:00,060 to computer scientists this is the only 2637 01:57:00,060 --> 01:57:02,520 way that people who will actually 2638 01:57:02,520 --> 01:57:04,380 understand the technical underpinnings 2639 01:57:04,380 --> 01:57:06,060 of a case will have a strong enough 2640 01:57:06,060 --> 01:57:08,159 collective voice is if we put a lot of 2641 01:57:08,159 --> 01:57:11,159 them there so that's what they did 2642 01:57:11,159 --> 01:57:13,980 to get the right people in place they 2643 01:57:13,980 --> 01:57:16,020 did unconventional hiring they had 2644 01:57:16,020 --> 01:57:18,599 Capture the Flag competitions 2645 01:57:18,599 --> 01:57:19,920 um they would put this Capture the Flag 2646 01:57:19,920 --> 01:57:22,260 competition posted on the Dutch National 2647 01:57:22,260 --> 01:57:24,840 Police website and anybody was invited 2648 01:57:24,840 --> 01:57:26,940 to join people who solved it were 2649 01:57:26,940 --> 01:57:29,400 invited to interviews and what that did 2650 01:57:29,400 --> 01:57:32,520 was it got the attention of people who 2651 01:57:32,520 --> 01:57:34,020 thought it was cool who had the right 2652 01:57:34,020 --> 01:57:36,300 skills and it immediately weeded out 2653 01:57:36,300 --> 01:57:39,840 people who lacked the skills that they 2654 01:57:39,840 --> 01:57:41,580 really needed to fill the jobs on this 2655 01:57:41,580 --> 01:57:44,460 high-tech crime unit while also 2656 01:57:44,460 --> 01:57:46,980 highlighting people whose skills might 2657 01:57:46,980 --> 01:57:50,520 not jump off of a traditional resume and 2658 01:57:50,520 --> 01:57:51,960 it gave them something to talk about in 2659 01:57:51,960 --> 01:57:54,960 interviews and as time went on the 2660 01:57:54,960 --> 01:57:56,520 people who they were hiring through this 2661 01:57:56,520 --> 01:57:59,639
they didn't want you know they found 2662 01:57:59,639 --> 01:58:02,099 that they didn't want to carry guns or 2663 01:58:02,099 --> 01:58:04,320 handcuffs or chase suspects down the 2664 01:58:04,320 --> 01:58:06,840 street like is required of traditional 2665 01:58:06,840 --> 01:58:10,380 FBI agents so the Dutch said forget it 2666 01:58:10,380 --> 01:58:12,239 you don't need to do that anymore but 2667 01:58:12,239 --> 01:58:14,300 you're still eligible to the same 2668 01:58:14,300 --> 01:58:17,280 promotions and raises the same titles 2669 01:58:17,280 --> 01:58:18,900 and this is just something that you 2670 01:58:18,900 --> 01:58:21,599 could not envisioning happening uh with 2671 01:58:21,599 --> 01:58:25,020 the cyber division of the FBI but it's 2672 01:58:25,020 --> 01:58:27,480 exactly the kind of of people that are 2673 01:58:27,480 --> 01:58:30,420 needed to to fight the crime 2674 01:58:30,420 --> 01:58:34,440 um and you know I think about people 2675 01:58:34,440 --> 01:58:37,800 like members of of the hunting team you 2676 01:58:37,800 --> 01:58:40,080 know these are the folks that have the 2677 01:58:40,080 --> 01:58:42,420 kinds of skills that are needed to fight 2678 01:58:42,420 --> 01:58:44,340 ransomware and other types of cyber 2679 01:58:44,340 --> 01:58:47,520 crime and they first of all wouldn't 2680 01:58:47,520 --> 01:58:49,560 want to become agents they wouldn't want 2681 01:58:49,560 --> 01:58:50,820 to hold a gun and you wouldn't want them 2682 01:58:50,820 --> 01:58:52,920 holding a gun but they would never get 2683 01:58:52,920 --> 01:58:55,320 hired by the FBI you know some of them 2684 01:58:55,320 --> 01:58:58,940 the FBI wants college educated 2685 01:58:58,940 --> 01:59:02,520 athletic recruits who will move around 2686 01:59:02,520 --> 01:59:04,500 the country wherever they need to to to 2687 01:59:04,500 --> 01:59:07,020 to to fill jobs and who will be willing 2688 01:59:07,020 --> 01:59:09,300 to shift off of cyber 2689 
01:59:09,300 --> 01:59:11,420 um as the agency's 2690 01:59:11,420 --> 01:59:14,280 needs evolve and they just would not 2691 01:59:14,280 --> 01:59:17,580 there's not a kind of apparatus in place 2692 01:59:17,580 --> 01:59:21,179 to get the right people into these jobs 2693 01:59:21,179 --> 01:59:21,960 um 2694 01:59:21,960 --> 01:59:25,380 one thing that I wanted to close on 2695 01:59:25,380 --> 01:59:28,080 um was to point out you know some of you 2696 01:59:28,080 --> 01:59:30,300 may be familiar with Michael Gillespie's 2697 01:59:30,300 --> 01:59:33,000 website which is ID Ransomware 2698 01:59:33,000 --> 01:59:34,619 um it's the site that anybody can use 2699 01:59:34,619 --> 01:59:36,840 upload a sample encrypted file and he 2700 01:59:36,840 --> 01:59:39,719 tells you his site tells you what kind 2701 01:59:39,719 --> 01:59:41,219 of ransomware it is whether there's a 2702 01:59:41,219 --> 01:59:44,460 free tool to decrypt it and just showing 2703 01:59:44,460 --> 01:59:47,159 you know how essential this team's 2704 01:59:47,159 --> 01:59:49,440 efforts have been over the years 2705 01:59:49,440 --> 01:59:53,099 you know on a normal day Michael's site 2706 01:59:53,099 --> 01:59:55,619 gets two thousand to three thousand 2707 01:59:55,619 --> 01:59:58,080 submissions that's about the same number 2708 01:59:58,080 --> 02:00:01,080 of complaints of ransomware that the FBI 2709 02:00:01,080 --> 02:00:03,480 gets an entire year 2710 02:00:03,480 --> 02:00:04,699 um so 2711 02:00:04,699 --> 02:00:07,820 he and the team are are filling this 2712 02:00:07,820 --> 02:00:10,560 gaping societal void when it comes to 2713 02:00:10,560 --> 02:00:12,900 fighting ransomware and helping victims 2714 02:00:12,900 --> 02:00:16,739 and while their skills haven't been 2715 02:00:16,739 --> 02:00:20,699 fully embraced um by the FBI and by CISA 2716 02:00:20,699 --> 02:00:23,119 and other parts of the government 2717 02:00:23,119 --> 02:00:25,920 more historically I'll end
on the 2718 02:00:25,920 --> 02:00:27,840 positive note by saying that more 2719 02:00:27,840 --> 02:00:31,380 recently they have been and they're 2720 02:00:31,380 --> 02:00:33,239 they're they're sharing what they know 2721 02:00:33,239 --> 02:00:36,480 and it's being taken seriously and it's 2722 02:00:36,480 --> 02:00:39,239 helping victims because when they are 2723 02:00:39,239 --> 02:00:41,040 able to share with 2724 02:00:41,040 --> 02:00:43,139 um people in law enforcement who you 2725 02:00:43,139 --> 02:00:44,699 know may have access to the victims 2726 02:00:44,699 --> 02:00:46,920 first they're able to get their 2727 02:00:46,920 --> 02:00:49,139 decryption tools to the right people 2728 02:00:49,139 --> 02:00:51,840 um and this helps prevent you know more 2729 02:00:51,840 --> 02:00:54,780 money from going to to criminals so 2730 02:00:54,780 --> 02:00:57,060 thank you very much for your time we've 2731 02:00:57,060 --> 02:00:59,340 loved being here and we are glad to take 2732 02:00:59,340 --> 02:01:02,119 any questions 2733 02:01:08,040 --> 02:01:10,020 I thought before we get the questions I'd 2734 02:01:10,020 --> 02:01:12,060 just mention because this audience 2735 02:01:12,060 --> 02:01:14,159 that you know some of the techniques 2736 02:01:14,159 --> 02:01:16,860 that the hunting team uses to crack the 2737 02:01:16,860 --> 02:01:19,080 codes are very interesting and you'd 2738 02:01:19,080 --> 02:01:21,000 find them in the book if you read it and 2739 02:01:21,000 --> 02:01:22,619 uh but like for example they will 2740 02:01:22,619 --> 02:01:24,060 sometimes do a little bit of hacking 2741 02:01:24,060 --> 02:01:26,699 back as Renee could describe there was 2742 02:01:26,699 --> 02:01:28,739 one case of a ransomware strain called 2743 02:01:28,739 --> 02:01:31,500 STOP Djvu which is very very prevalent 2744 02:01:31,500 --> 02:01:36,060 and uh uh it one of its flaws was that 2745 02:01:36,060 --> 02:01:38,940 its key included or it left in
2746 02:01:38,940 --> 02:01:41,280 computers uh it can include the MAC 2747 02:01:41,280 --> 02:01:43,880 address of the computer that it was 2748 02:01:43,880 --> 02:01:47,699 attacking and so uh Michael was able to 2749 02:01:47,699 --> 02:01:50,340 use this MAC address to pretend to the 2750 02:01:50,340 --> 02:01:52,380 server where which was sending the key 2751 02:01:52,380 --> 02:01:54,480 that he was you know they use the MAC 2752 02:01:54,480 --> 02:01:55,679 address to identify the different 2753 02:01:55,679 --> 02:01:57,719 victims keep them apart he was able to 2754 02:01:57,719 --> 02:02:00,179 use this MAC address to pretend that he 2755 02:02:00,179 --> 02:02:01,739 was you know a computer that was sending 2756 02:02:01,739 --> 02:02:03,719 back for the key and that's the way he 2757 02:02:03,719 --> 02:02:05,760 got the the key to decrypt the the 2758 02:02:05,760 --> 02:02:08,099 compute you know the computer so it's a 2759 02:02:08,099 --> 02:02:10,440 lot of interesting stealth techniques 2760 02:02:10,440 --> 02:02:13,580 that go beyond just uh uh you know 2761 02:02:13,580 --> 02:02:16,139 cryptographic analysis but yeah we so 2762 02:02:16,139 --> 02:02:18,239 we'd love to take uh any questions that 2763 02:02:18,239 --> 02:02:20,460 you have um 2764 02:02:20,460 --> 02:02:23,060 yeah 2765 02:02:25,980 --> 02:02:28,139 Renee and I yeah 2766 02:02:28,139 --> 02:02:29,580 um well you know it's interesting the 2767 02:02:29,580 --> 02:02:31,320 question was have 2768 02:02:31,320 --> 02:02:33,360 the question was have Renee and I ever 2769 02:02:33,360 --> 02:02:35,280 experienced any retaliation for doing 2770 02:02:35,280 --> 02:02:37,860 this work we haven't personally but just 2771 02:02:37,860 --> 02:02:40,800 before publication our publisher was uh 2772 02:02:40,800 --> 02:02:43,800 you know uh attacked by ransomware and 2773 02:02:43,800 --> 02:02:46,500 its operations went down for a week we 2774 02:02:46,500 --> 02:02:49,139 don't know
if that was connected but 2775 02:02:49,139 --> 02:02:51,960 um the timing was you know coincidental 2776 02:02:51,960 --> 02:02:54,300 and some of the hunting team members 2777 02:02:54,300 --> 02:02:59,639 have you know uh experienced uh uh you 2778 02:02:59,639 --> 02:03:02,340 know touchy dangerous circumstances one 2779 02:03:02,340 --> 02:03:04,320 of them a guy named Fabian who's who's 2780 02:03:04,320 --> 02:03:06,960 now in England he was in he worked from 2781 02:03:06,960 --> 02:03:10,139 Germany which is where he grew up and he 2782 02:03:10,139 --> 02:03:12,719 he was very well known as a ransomware 2783 02:03:12,719 --> 02:03:17,520 uh breaker and uh he sent you know the 2784 02:03:17,520 --> 02:03:19,739 Russian mob was following him you know 2785 02:03:19,739 --> 02:03:22,199 he saw a bunch of suspicious faces there 2786 02:03:22,199 --> 02:03:24,300 were some worrisome things attacks on 2787 02:03:24,300 --> 02:03:26,940 him online and so on and so that's why 2788 02:03:26,940 --> 02:03:28,440 one of the reasons why he moved to 2789 02:03:28,440 --> 02:03:30,900 England and he keeps his whereabouts 2790 02:03:30,900 --> 02:03:34,699 very much um secret 2791 02:03:35,639 --> 02:03:38,040 if I say I have a question I hate to be 2792 02:03:38,040 --> 02:03:41,179 this guy because 2793 02:03:43,260 --> 02:03:47,540 the popularity of like 2794 02:03:48,659 --> 02:03:50,400 like beginning examples of that and how 2795 02:03:50,400 --> 02:03:52,879 much is this 2796 02:03:57,840 --> 02:04:00,840 I'll let Renee handle that 2797 02:04:00,840 --> 02:04:03,599 there there is some evidence that that 2798 02:04:03,599 --> 02:04:06,480 AI is already being used to write to 2799 02:04:06,480 --> 02:04:08,580 write ransomware 2800 02:04:08,580 --> 02:04:10,920 up but on the other side it's also being 2801 02:04:10,920 --> 02:04:15,000 used to counter it so I I think the uh 2802 02:04:15,000 --> 02:04:19,260 the the the AI revolution could help 2803 02:04:19,260 
--> 02:04:22,020 both sides but there's certainly uh 2804 02:04:22,020 --> 02:04:23,340 evidence that it's it's already 2805 02:04:23,340 --> 02:04:26,179 happening 2806 02:04:28,380 --> 02:04:29,880 yeah 2807 02:04:29,880 --> 02:04:33,840 oh sorry uh I should do this here it is 2808 02:04:33,840 --> 02:04:36,119 it's called The Ransomware Hunting Team 2809 02:04:36,119 --> 02:04:40,139 A Band of Misfits' Improbable Crusade to 2810 02:04:40,139 --> 02:04:42,540 Save the World from Cybercrime right 2811 02:04:42,540 --> 02:04:44,520 after this there's a book purchasing and 2812 02:04:44,520 --> 02:04:47,340 signing ceremonies so you can get your 2813 02:04:47,340 --> 02:04:51,179 own copy and uh as Mark alluded it's 2814 02:04:51,179 --> 02:04:53,040 doing very well and you know it's an 2815 02:04:53,040 --> 02:04:55,980 option for a TV series and I've got very 2816 02:04:55,980 --> 02:04:58,199 good reviews and so on so we we think 2817 02:04:58,199 --> 02:05:01,320 it's a good read both for the expert and 2818 02:05:01,320 --> 02:05:02,639 the layman 2819 02:05:02,639 --> 02:05:05,060 yeah 2820 02:05:21,119 --> 02:05:23,280 just repeat the question 2821 02:05:23,280 --> 02:05:26,159 so the question is is it it is more 2822 02:05:26,159 --> 02:05:27,900 ransomware on the way or if is it 2823 02:05:27,900 --> 02:05:29,520 plateaued 2824 02:05:29,520 --> 02:05:30,500 um 2825 02:05:30,500 --> 02:05:33,060 there was a lull for a while and now it 2826 02:05:33,060 --> 02:05:35,580 seemed to be back in bigger force than 2827 02:05:35,580 --> 02:05:36,500 ever 2828 02:05:36,500 --> 02:05:39,780 and you brought up a good point which is 2829 02:05:39,780 --> 02:05:41,580 the next evolution of it what are the 2830 02:05:41,580 --> 02:05:43,679 hackers going to do next well 2831 02:05:43,679 --> 02:05:45,540 you know one of one of the things that 2832 02:05:45,540 --> 02:05:47,280 we unpacked in the book is this group 2833 02:05:47,280 --> 02:05:49,500 Maze pioneered the
strategy of double 2834 02:05:49,500 --> 02:05:51,480 extortion where instead of just 2835 02:05:51,480 --> 02:05:53,040 encrypting the files they're 2836 02:05:53,040 --> 02:05:55,679 exfiltrating them first you know and 2837 02:05:55,679 --> 02:05:57,119 then using that as leverage and 2838 02:05:57,119 --> 02:06:00,300 negotiation so even if people I mean 2839 02:06:00,300 --> 02:06:02,159 there's there's certainly evidence that 2840 02:06:02,159 --> 02:06:04,199 people's backups are getting better and 2841 02:06:04,199 --> 02:06:07,739 more robust and better tested but that 2842 02:06:07,739 --> 02:06:09,599 that helps you less than ever because 2843 02:06:09,599 --> 02:06:11,099 now 2844 02:06:11,099 --> 02:06:13,739 the hackers have your stolen data which 2845 02:06:13,739 --> 02:06:15,960 they leak on these leak sites if you 2846 02:06:15,960 --> 02:06:17,820 don't pay up so people who have the 2847 02:06:17,820 --> 02:06:20,040 ability to recover from backups or who 2848 02:06:20,040 --> 02:06:21,659 are able to be get the help of the 2849 02:06:21,659 --> 02:06:24,060 hunting team to recover still feel 2850 02:06:24,060 --> 02:06:27,060 pressured to pay because they've got you 2851 02:06:27,060 --> 02:06:29,099 know their their most sensitive data 2852 02:06:29,099 --> 02:06:31,080 their corporate Trade Secrets you know 2853 02:06:31,080 --> 02:06:32,340 their intellectual property their 2854 02:06:32,340 --> 02:06:33,780 patient health records are going to be 2855 02:06:33,780 --> 02:06:36,000 released if they don't pay well the 2856 02:06:36,000 --> 02:06:38,520 latest twist that is taken off like in 2857 02:06:38,520 --> 02:06:41,699 the past month or two is that hackers 2858 02:06:41,699 --> 02:06:43,400 are skipping encryption altogether 2859 02:06:43,400 --> 02:06:46,500 they're just there it's like a cyber 2860 02:06:46,500 --> 02:06:48,560 Ransom attack but without the actual 2861 02:06:48,560 --> 02:06:51,540 ransomware execution so now they're 
just 2862 02:06:51,540 --> 02:06:53,340 going in if you've been following this 2863 02:06:53,340 --> 02:06:57,780 MOVEit file transfer saga they're using 2864 02:06:57,780 --> 02:07:00,500 this vulnerability in MOVEit software 2865 02:07:00,500 --> 02:07:05,400 to steal data from you know dozens and 2866 02:07:05,400 --> 02:07:07,739 dozens probably hundreds of high profile 2867 02:07:07,739 --> 02:07:10,800 users of the software and skipping 2868 02:07:10,800 --> 02:07:13,260 encrypt and just going right to ransom 2869 02:07:13,260 --> 02:07:16,440 demands and this seems to be the latest 2870 02:07:16,440 --> 02:07:19,739 twist and it's um you know I I've seen 2871 02:07:19,739 --> 02:07:21,659 reports it's you know this is just this 2872 02:07:21,659 --> 02:07:24,420 is it's after a while it's back you know 2873 02:07:24,420 --> 02:07:26,760 worse than ever and demands 2874 02:07:26,760 --> 02:07:28,440 um you know are continuing to stretch 2875 02:07:28,440 --> 02:07:31,020 into the tens of millions 2876 02:07:31,020 --> 02:07:32,699 believe 2877 02:07:32,699 --> 02:07:34,920 I believe there were recently a couple 2878 02:07:34,920 --> 02:07:37,860 of attacks big attacks by a Russian 2879 02:07:37,860 --> 02:07:40,139 group called Clop if I'm not mistaken 2880 02:07:40,139 --> 02:07:42,659 and they shut down and stole data from 2881 02:07:42,659 --> 02:07:44,820 parts of the federal government state 2882 02:07:44,820 --> 02:07:47,580 governments a major hospital where we're 2883 02:07:47,580 --> 02:07:50,159 from which is the Boston area and it was 2884 02:07:50,159 --> 02:07:51,780 you know one of the biggest and most 2885 02:07:51,780 --> 02:07:54,420 devastating attacks on record and so as 2886 02:07:54,420 --> 02:07:56,460 Renee said yeah it just seems to be 2887 02:07:56,460 --> 02:07:59,099 picking up more and more momentum and of 2888 02:07:59,099 --> 02:08:00,900 course whenever you see an attack from 2889 02:08:00,900 --> 02:08:03,060 Russia you
have to wonder you know to 2890 02:08:03,060 --> 02:08:05,099 what degree is it state-sponsored and 2891 02:08:05,099 --> 02:08:07,560 and the answer is probably at least to 2892 02:08:07,560 --> 02:08:08,960 some degree because 2893 02:08:08,960 --> 02:08:12,540 Russia allows these people to operate 2894 02:08:12,540 --> 02:08:14,460 there you know there was a time when 2895 02:08:14,460 --> 02:08:16,619 after the Colonial Pipeline attack when 2896 02:08:16,619 --> 02:08:18,780 the Biden administration was kind of 2897 02:08:18,780 --> 02:08:21,300 negotiating with Putin to try and get 2898 02:08:21,300 --> 02:08:22,619 him to crack down on some of the 2899 02:08:22,619 --> 02:08:24,840 ransomware gangs and they did you know 2900 02:08:24,840 --> 02:08:26,940 make some token arrests and stuff but 2901 02:08:26,940 --> 02:08:28,679 the deal seemed to be in Russia's mind 2902 02:08:28,679 --> 02:08:30,599 if you don't do anything about Ukraine 2903 02:08:30,599 --> 02:08:32,460 we'll help you with ransomware so when 2904 02:08:32,460 --> 02:08:35,159 the US made clear that it was you know 2905 02:08:35,159 --> 02:08:38,159 actively supporting Ukraine all all uh 2906 02:08:38,159 --> 02:08:40,860 all pretense to cooperate on ransomware 2907 02:08:40,860 --> 02:08:43,020 disappeared 2908 02:08:43,020 --> 02:08:45,619 yes 2909 02:08:59,940 --> 02:09:03,019 let me make one point 2910 02:09:03,420 --> 02:09:05,460 Renee knows more about 2911 02:09:05,460 --> 02:09:07,080 this than me but I'll make one point the 2912 02:09:07,080 --> 02:09:09,599 question is why are the ransomware gangs 2913 02:09:09,599 --> 02:09:11,580 better at innovating than the people who 2914 02:09:11,580 --> 02:09:14,520 are trying to stop them and one 2915 02:09:14,520 --> 02:09:16,020 interesting thing is that the ransomware 2916 02:09:16,020 --> 02:09:19,139 hunting team it helps like countless 2917 02:09:19,139 --> 02:09:21,719 victims but in the long run it 2918 02:09:21,719
--> 02:09:23,340 contributes unfortunately to the 2919 02:09:23,340 --> 02:09:25,619 Improvement of ransomware because you 2920 02:09:25,619 --> 02:09:29,040 know every time you know it it fixes a 2921 02:09:29,040 --> 02:09:32,460 it finds a flaw and it distributes that 2922 02:09:32,460 --> 02:09:34,920 flaw and people stop paying the 2923 02:09:34,920 --> 02:09:36,960 ransomware gang goes wait a minute why 2924 02:09:36,960 --> 02:09:38,699 aren't people paying us we must have a 2925 02:09:38,699 --> 02:09:40,679 mistake so they go back over their 2926 02:09:40,679 --> 02:09:43,139 coding and they improve it so in a weird 2927 02:09:43,139 --> 02:09:45,000 way the the hunting team kind of like 2928 02:09:45,000 --> 02:09:47,400 beta testing for the uh for the 2929 02:09:47,400 --> 02:09:49,380 ransomware hackers so that's one reason 2930 02:09:49,380 --> 02:09:52,820 Renee can speak I'm sure more 2931 02:09:53,820 --> 02:09:56,400 the reason is just how organized that 2932 02:09:56,400 --> 02:09:58,199 they've become come 2933 02:09:58,199 --> 02:10:01,619 um you know in the earlier days it was 2934 02:10:01,619 --> 02:10:03,900 sort of a One-Stop shop like one guy 2935 02:10:03,900 --> 02:10:06,540 we're doing the encryption and also 2936 02:10:06,540 --> 02:10:08,699 doing uh you know finding the vulnerable 2937 02:10:08,699 --> 02:10:10,980 networks and you know doing the actual 2938 02:10:10,980 --> 02:10:13,560 spreading and now it's become so 2939 02:10:13,560 --> 02:10:16,020 specialized so there's the people who 2940 02:10:16,020 --> 02:10:18,000 actually develop the encryption and then 2941 02:10:18,000 --> 02:10:20,099 there's the people who go out and find 2942 02:10:20,099 --> 02:10:22,440 the vulnerabilities and 2943 02:10:22,440 --> 02:10:24,000 um then there's the people who actually 2944 02:10:24,000 --> 02:10:26,880 do the negotiations and all of the 2945 02:10:26,880 --> 02:10:30,119 specialization has what I I mean it's 2946 02:10:30,119 --> 
02:10:32,880 like any great you know cyber security 2947 02:10:32,880 --> 02:10:34,560 company 2948 02:10:34,560 --> 02:10:36,599 um they've got people who are experts in 2949 02:10:36,599 --> 02:10:40,020 one tiny element of it going very deep 2950 02:10:40,020 --> 02:10:41,940 on that element 2951 02:10:41,940 --> 02:10:45,179 um so that the whole organization works 2952 02:10:45,179 --> 02:10:47,460 works better and more efficiently and 2953 02:10:47,460 --> 02:10:50,239 more effectively 2954 02:11:05,460 --> 02:11:09,440 yeah well you know after um 2955 02:11:09,440 --> 02:11:12,900 so the question was are the um you know 2956 02:11:12,900 --> 02:11:14,940 the the members of the hunting team have 2957 02:11:14,940 --> 02:11:16,980 struggled financially over the years and 2958 02:11:16,980 --> 02:11:19,800 do they seem to be in a better place now 2959 02:11:19,800 --> 02:11:20,820 um 2960 02:11:20,820 --> 02:11:22,739 you know one of the things that has has 2961 02:11:22,739 --> 02:11:24,540 come up along the way is that they 2962 02:11:24,540 --> 02:11:26,340 always seem to be stepping up for one 2963 02:11:26,340 --> 02:11:27,780 another 2964 02:11:27,780 --> 02:11:30,420 um you know Fabian Wosar is uh you know 2965 02:11:30,420 --> 02:11:34,860 he he he was a CTO at Emsisoft and it 2966 02:11:34,860 --> 02:11:36,659 seemed like anytime somebody like 2967 02:11:36,659 --> 02:11:38,340 Michael you know couldn't pay his 2968 02:11:38,340 --> 02:11:41,460 mortgage magically Emsisoft had a you know 2969 02:11:41,460 --> 02:11:43,500 an opening for a part-time consultant 2970 02:11:43,500 --> 02:11:46,320 that you know he would take the job 2971 02:11:46,320 --> 02:11:48,239 um you know I'll say that 2972 02:11:48,239 --> 02:11:49,260 um 2973 02:11:49,260 --> 02:11:52,679 it is after the after the ProPublica 2974 02:11:52,679 --> 02:11:55,920 profile on Michael Gillespie ran 2975 02:11:55,920 --> 02:11:58,560 um offers started coming in for him 2976 02:11:58,560 -->
02:12:01,739 um and now he and a number of members of 2977 02:12:01,739 --> 02:12:03,119 the team 2978 02:12:03,119 --> 02:12:05,219 um are you know either work directly for 2979 02:12:05,219 --> 02:12:08,040 or affiliated with a company called 2980 02:12:08,040 --> 02:12:09,179 Coveware 2981 02:12:09,179 --> 02:12:11,400 um that that handles uh ransom 2982 02:12:11,400 --> 02:12:13,139 negotiation 2983 02:12:13,139 --> 02:12:15,540 um and transaction for people who have 2984 02:12:15,540 --> 02:12:17,460 no choice but to pay 2985 02:12:17,460 --> 02:12:19,260 um and they they still feel like they're 2986 02:12:19,260 --> 02:12:20,580 fulfilling 2987 02:12:20,580 --> 02:12:24,239 um their goal of helping victims because 2988 02:12:24,239 --> 02:12:26,040 what happens is you know sometimes when 2989 02:12:26,040 --> 02:12:28,020 you pay you get a decryption tool back 2990 02:12:28,020 --> 02:12:29,820 from the hackers that either doesn't 2991 02:12:29,820 --> 02:12:32,219 work or you're worried about its quality 2992 02:12:32,219 --> 02:12:35,580 and so they they in their new work for 2993 02:12:35,580 --> 02:12:37,380 which they you know have enough money to 2994 02:12:37,380 --> 02:12:39,659 to live more comfortably 2995 02:12:39,659 --> 02:12:42,540 um are fixing these tools uh so that 2996 02:12:42,540 --> 02:12:44,340 victims who are on the unfortunate 2997 02:12:44,340 --> 02:12:46,440 position of having to pay at least have 2998 02:12:46,440 --> 02:12:48,659 a safe and reliable and quick easy to 2999 02:12:48,659 --> 02:12:51,138 use tool 3000 02:12:54,360 --> 02:12:55,860 oh yes hi 3001 02:12:55,860 --> 02:12:58,519 mentioned that 3002 02:13:11,880 --> 02:13:14,099 are you in your research did you hear 3003 02:13:14,099 --> 02:13:16,679 about maybe moving beyond Bitcoin or 3004 02:13:16,679 --> 02:13:19,880 moving to another payment model 3005 02:13:22,440 --> 02:13:25,679 well the so the question was you know 3006 02:13:25,679 --> 02:13:28,320 Bitcoin
helped helped ransomware get off 3007 02:13:28,320 --> 02:13:30,840 the ground but it's not totally 3008 02:13:30,840 --> 02:13:33,179 anonymous uh you know there's ways to 3009 02:13:33,179 --> 02:13:34,320 trace it 3010 02:13:34,320 --> 02:13:36,300 um so there's a few things there one is 3011 02:13:36,300 --> 02:13:39,599 you know a few years ago we were seeing 3012 02:13:39,599 --> 02:13:41,760 um instances of you know Dash or Monero 3013 02:13:41,760 --> 02:13:44,880 other types of cryptocurrency being used 3014 02:13:44,880 --> 02:13:46,860 um but there's enough tumblers and 3015 02:13:46,860 --> 02:13:49,260 mixers out there that you know the the 3016 02:13:49,260 --> 02:13:51,780 people who want to you know get their 3017 02:13:51,780 --> 02:13:55,560 Bitcoin laundered are are able to do so 3018 02:13:55,560 --> 02:13:58,560 um but it it you know it is you know a 3019 02:13:58,560 --> 02:14:00,780 dicey question and there has been 3020 02:14:00,780 --> 02:14:02,820 um you know there have been examples of 3021 02:14:02,820 --> 02:14:04,980 you know payments being traced and law 3022 02:14:04,980 --> 02:14:07,139 enforcement you know getting to the root 3023 02:14:07,139 --> 02:14:09,719 wallet and returning money that's that's 3024 02:14:09,719 --> 02:14:12,360 rare and for now it seems like this is 3025 02:14:12,360 --> 02:14:17,119 still a pretty safe bet for hackers 3026 02:14:19,320 --> 02:14:21,719 you know one other interesting thing is 3027 02:14:21,719 --> 02:14:23,340 that um 3028 02:14:23,340 --> 02:14:25,199 in you you'd find in the book is kind of 3029 02:14:25,199 --> 02:14:27,599 the tension of the struggle between the 3030 02:14:27,599 --> 02:14:29,460 hackers and the hunting team and one of 3031 02:14:29,460 --> 02:14:31,500 the interesting things is they seem to 3032 02:14:31,500 --> 02:14:33,239 be very similar in a lot of ways in 3033 02:14:33,239 --> 02:14:35,760 terms of their personalities and their 3034 02:14:35,760 --> 02:14:37,980
interests you know they they they like 3035 02:14:37,980 --> 02:14:40,079 the same Disney movies like The Lion 3036 02:14:40,079 --> 02:14:43,500 King you know and they uh uh they they a 3037 02:14:43,500 --> 02:14:46,260 lot of the the hackers did not have 3038 02:14:46,260 --> 02:14:49,320 any more formal education than the 3039 02:14:49,320 --> 02:14:50,880 hunting team and it's the kind of thing 3040 02:14:50,880 --> 02:14:52,980 where there's this weird love-hate 3041 02:14:52,980 --> 02:14:55,260 relationship there's a kind of tension 3042 02:14:55,260 --> 02:14:58,139 they're on opposite sides one side is 3043 02:14:58,139 --> 02:14:59,760 greedy and going for the money the other 3044 02:14:59,760 --> 02:15:02,099 side turns down all money but yet 3045 02:15:02,099 --> 02:15:04,800 there's a kind of sneaking respect that 3046 02:15:04,800 --> 02:15:07,079 goes back and forth and we we have some 3047 02:15:07,079 --> 02:15:09,480 very entertaining exchanges between them 3048 02:15:09,480 --> 02:15:12,360 uh in the book but I think 3049 02:15:12,360 --> 02:15:14,639 you know at this audience particularly 3050 02:15:14,639 --> 02:15:17,400 you guys might relate to the hunting 3051 02:15:17,400 --> 02:15:18,780 team you might also relate to the 3052 02:15:18,780 --> 02:15:20,699 hackers on the other side and this kind 3053 02:15:20,699 --> 02:15:23,400 of uh uh War that's going on between the 3054 02:15:23,400 --> 02:15:25,380 two of them where you know it's not 3055 02:15:25,380 --> 02:15:28,199 unlike soldiers on opposite sides of the 3056 02:15:28,199 --> 02:15:30,000 trenches but you know they take a truce 3057 02:15:30,000 --> 02:15:32,460 at uh Christmas Eve and toast each other 3058 02:15:32,460 --> 02:15:35,699 you know so it's uh it's a fascinating 3059 02:15:35,699 --> 02:15:38,360 dynamic 3060 02:15:41,699 --> 02:15:43,860 thank you so much for having us we've 3061 02:15:43,860 --> 02:15:48,559 really enjoyed it great questions and uh 3062 
02:15:50,040 --> 02:15:52,320 and and we hope you'll stick around for 3063 02:15:52,320 --> 02:15:54,780 the the book uh purchase and signing 3064 02:15:54,780 --> 02:15:57,199 thank you 3065 02:15:58,380 --> 02:16:02,460 um yeah uh so uh as as Dan just said uh 3066 02:16:02,460 --> 02:16:04,679 book signing 3067 02:16:04,679 --> 02:16:06,719 um you can you can purchase and and and 3068 02:16:06,719 --> 02:16:09,719 get get autographed copies which you 3069 02:16:09,719 --> 02:16:11,040 know 3070 02:16:11,040 --> 02:16:13,199 it's better than Bitcoin 3071 02:16:13,199 --> 02:16:15,259 um 3072 02:16:15,719 --> 02:16:19,139 so that's that's the one thing second 3073 02:16:19,139 --> 02:16:22,500 um we are going to the lunch break now 3074 02:16:22,500 --> 02:16:27,060 um during lunch you know 3075 02:16:27,060 --> 02:16:29,280 sky's the limit but Park life is around 3076 02:16:29,280 --> 02:16:31,260 the corner they got tacos they're very 3077 02:16:31,260 --> 02:16:33,540 nice you can go there check it out love 3078 02:16:33,540 --> 02:16:35,398 those guys 3079 02:16:35,398 --> 02:16:38,398 and finally be back 3080 02:16:38,398 --> 02:16:43,200 by two for the Flipper Zero drawing 3081 02:16:43,200 --> 02:16:45,420 um if you are not here 3082 02:16:45,420 --> 02:16:48,179 when we call your name 3083 02:16:48,179 --> 02:16:50,879 you do not get the Flipper Zero we will 3084 02:16:50,879 --> 02:16:52,799 go to the next person on the list until 3085 02:16:52,799 --> 02:16:55,500 we find a person who is actually here so 3086 02:16:55,500 --> 02:16:59,120 do not miss your chance 3087 02:16:59,280 --> 02:17:01,620 oh and I am reminded that there is 3088 02:17:01,620 --> 02:17:05,398 merchandise available for sale like hats 3089 02:17:05,398 --> 02:17:07,379 and sweatshirts on a day like today a 3090 02:17:07,379 --> 02:17:10,040 sweatshirt would be great 3091 02:17:10,040 --> 02:17:12,840 uh there are tank tops there are 3092 02:17:12,840 --> 02:17:14,398 t-shirts there's
other stuff that are 3093 02:17:14,398 --> 02:17:17,040 exclusive that are not the things that 3094 02:17:17,040 --> 02:17:18,959 you were given is a complimentary you 3095 02:17:18,959 --> 02:17:20,398 know part of your of your your 3096 02:17:20,398 --> 02:17:23,280 registration please hit the merch table 3097 02:17:23,280 --> 02:17:25,320 thanks everybody we'll see you after 3098 02:17:25,320 --> 02:17:27,619 lunch 3099 02:17:27,859 --> 02:17:30,240 yeah yeah 3100 02:17:30,240 --> 02:17:32,240 yeah 3101 02:17:42,520 --> 02:17:49,909 [Music] 3430
02:52:27,100 --> 02:52:34,029 [Music] 3431 02:52:46,620 --> 02:52:48,420 hey Neil you could 3432 02:52:48,420 --> 02:52:51,200 can you hear that 3433 02:53:00,050 --> 02:53:02,040 [Music] 3434 02:53:02,040 --> 02:53:05,939 sounds good okay 3435 02:53:08,130 --> 02:53:11,289 [Music] 3436 02:53:11,340 --> 02:53:15,200 yeah I I hear it 3437 02:53:16,500 --> 02:53:17,640 okay 3438 02:53:17,640 --> 02:53:20,720 good I'm good 3439 02:53:21,680 --> 02:53:25,560 yeah yeah yeah okay neat 3440 02:53:25,560 --> 02:53:28,460 we are good 3441 02:53:30,500 --> 02:53:33,960 uh sure I mean I've half an hour right 3442 02:53:33,960 --> 02:53:36,740 yeah 3443 02:53:55,260 --> 02:53:58,100 I'll be safe 3444 02:53:58,110 --> 02:54:01,249 [Music] 3445 02:54:12,800 --> 02:54:15,890 [Music] 3446 02:54:27,200 --> 02:54:30,319 [Music] 3447 02:54:32,430 --> 02:54:35,509 [Music] 3448 02:54:40,600 --> 02:54:43,319 [Music] 3449 02:54:43,319 --> 02:54:46,460 here so we're gonna figure 3450 02:54:53,460 --> 02:54:55,460 out 3451 02:55:37,600 --> 02:55:40,679 [Music] 3452 02:55:59,060 --> 02:56:02,240 you think 3453 02:56:24,359 --> 02:56:28,100 she would go 3454 02:56:42,540 --> 02:56:43,920 to the majors 3455 02:56:43,920 --> 02:56:46,880 just fade the bad energy 3456 02:56:59,399 --> 02:57:01,560 I feel so hard like I'm chilling on the 3457 02:57:01,560 --> 02:57:03,619 beach 3458 02:57:07,399 --> 02:57:10,819 and it costs a lot 3459 02:57:24,490 --> 02:57:27,819 [Music] 3460 02:57:32,130 --> 02:57:36,689 [Music] 3461 02:57:43,020 --> 02:57:46,419 [Music] 3462 02:57:50,440 --> 02:57:55,430 [Music] 3463 02:57:58,040 --> 02:58:08,079 [Music] 3464 02:58:18,260 --> 02:58:23,060 Girl I Wanna Give You a ring 3465 02:58:23,939 --> 02:58:29,000 I'm spinning on the side 3466 02:58:32,040 --> 02:58:34,700 space 3467 02:58:53,680 --> 02:58:56,950 [Music] 3468 02:59:02,620 --> 02:59:06,139 [Music] 3469 02:59:09,270 --> 02:59:15,359 [Music] 3470 02:59:15,359 --> 02:59:18,359 because 3471 02:59:20,690 --> 
02:59:34,940 [Music] 3472 02:59:47,340 --> 02:59:49,760 I 3473 02:59:51,060 --> 02:59:53,060 don't know 3474 02:59:58,660 --> 03:00:01,809 [Music] 3475 03:00:08,250 --> 03:00:11,420 [Music] 3476 03:00:15,800 --> 03:00:19,080 [Music] 3477 03:00:23,660 --> 03:00:28,200 [Music] 3478 03:00:28,200 --> 03:00:30,250 sometimes 3479 03:00:30,250 --> 03:00:33,360 [Music] 3480 03:00:37,690 --> 03:00:42,919 [Music] 3481 03:00:45,240 --> 03:00:49,199 so please 3482 03:01:08,880 --> 03:01:19,829 [Music] 3483 03:01:22,020 --> 03:01:24,180 do you mind if we try uh 3484 03:01:24,180 --> 03:01:26,100 turning it on I'm using it as a second 3485 03:01:26,100 --> 03:01:28,939 display Maybe 3486 03:01:29,530 --> 03:01:32,579 [Music] 3487 03:01:34,080 --> 03:01:35,220 the guys 3488 03:01:35,220 --> 03:01:38,000 hard to believe 3489 03:02:08,279 --> 03:02:10,399 thank you 3490 03:02:15,660 --> 03:02:18,800 there's the full screen 3491 03:02:22,610 --> 03:02:25,749 [Music] 3492 03:03:41,760 --> 03:03:44,000 foreign 3493 03:04:30,180 --> 03:04:32,420 foreign 3494 03:05:58,020 --> 03:06:00,260 foreign 3495 03:07:15,720 --> 03:07:18,500 right now 3496 03:07:37,490 --> 03:07:44,019 [Music] 3497 03:09:16,500 --> 03:09:19,500 foreign 3498 03:10:31,880 --> 03:10:37,699 requires okay so now we don't have 3499 03:11:57,800 --> 03:12:00,920 thank you 3500 03:12:38,640 --> 03:12:41,420 take a laugh 3501 03:12:55,520 --> 03:12:58,640 all right 3502 03:13:02,510 --> 03:13:05,709 [Music] 3503 03:13:10,990 --> 03:13:14,639 [Music] 3504 03:13:15,460 --> 03:13:18,589 [Applause] 3505 03:13:36,780 --> 03:13:39,870 [Music] 3506 03:13:47,460 --> 03:13:48,970 thank you 3507 03:13:48,970 --> 03:13:52,070 [Music] 3508 03:13:58,439 --> 03:14:01,439 foreign 3509 03:14:06,970 --> 03:14:18,839 [Music] 3510 03:14:23,890 --> 03:14:31,208 [Music] 3511 03:14:34,590 --> 03:14:40,260 [Music] 3512 03:14:44,320 --> 03:14:47,469 [Music] 3513 03:14:51,810 --> 03:14:54,869 [Music] 3514 03:14:54,920 --> 03:14:57,979 thank you 
3557 03:22:55,800 --> 03:22:58,500 all right it's two o'clock 3558 03:22:58,500 --> 03:23:00,779 on the nose 3559 03:23:00,779 --> 03:23:03,180 uh I don't know if
you want to uh you 3560 03:23:03,180 --> 03:23:04,920 know get set up up here you just wanna 3561 03:23:04,920 --> 03:23:06,960 you know I can I can I can use the the 3562 03:23:06,960 --> 03:23:09,560 microphone 3563 03:23:11,880 --> 03:23:14,580 okay so I I do have 3564 03:23:14,580 --> 03:23:16,380 um a prize 3565 03:23:16,380 --> 03:23:22,640 for a lucky person it is not this laptop 3566 03:23:23,399 --> 03:23:25,739 um it is uh I will need your help with 3567 03:23:25,739 --> 03:23:27,840 the laptop I need you to hold it I need 3568 03:23:27,840 --> 03:23:29,939 to open it so I can read the name off 3569 03:23:29,939 --> 03:23:33,060 we took the list of people who are in 3570 03:23:33,060 --> 03:23:34,859 attendance today that were processed 3571 03:23:34,859 --> 03:23:38,779 through the Eventbrite check-in process 3572 03:23:39,899 --> 03:23:42,420 I assigned a random number to each 3573 03:23:42,420 --> 03:23:46,700 person we sorted by smallest 3574 03:23:49,140 --> 03:23:52,920 so that we have the number one person on 3575 03:23:52,920 --> 03:23:56,300 the list if you are here 3576 03:23:58,859 --> 03:24:03,840 Ken Chow no no I I swear this is not 3577 03:24:03,840 --> 03:24:07,500 this is the fix is not in I there's a 3578 03:24:07,500 --> 03:24:09,359 lot of people that 3579 03:24:09,359 --> 03:24:12,000 um I know at this conference I do know 3580 03:24:12,000 --> 03:24:15,120 Ken Chow full disclosure I swear to you 3581 03:24:15,120 --> 03:24:19,200 this was not this was not rigged 3582 03:24:19,200 --> 03:24:20,819 okay 3583 03:24:20,819 --> 03:24:23,040 um I will say that Ken deserves a little 3584 03:24:23,040 --> 03:24:25,140 bit of like you know luck to go his way 3585 03:24:25,140 --> 03:24:28,260 for a minute uh We've uh you know we've 3586 03:24:28,260 --> 03:24:30,359 we've we've we've we've seen we've seen 3587 03:24:30,359 --> 03:24:33,660 a few pretty exciting uh months um 3588 03:24:33,660 --> 03:24:35,580 um in the in the coal mine that we 
both 3589 03:24:35,580 --> 03:24:38,520 work in so you know congratulations Ken 3590 03:24:38,520 --> 03:24:40,020 um and thanks to everyone for getting 3591 03:24:40,020 --> 03:24:43,880 back on time that is the reason 3592 03:24:43,920 --> 03:24:46,620 um use that Flipper Zero in good health 3593 03:24:46,620 --> 03:24:49,979 do not get arrested 3594 03:24:49,979 --> 03:24:52,800 all right uh get ready to be amazed by 3595 03:24:52,800 --> 03:24:55,500 the ingenuity of our next speaker Ang 3596 03:24:55,500 --> 03:24:57,540 here is uh the founder and chief 3597 03:24:57,540 --> 03:25:00,180 scientist of Red Balloon Security he's a 3598 03:25:00,180 --> 03:25:02,880 leading cyber security expert with a 3599 03:25:02,880 --> 03:25:04,620 focus on protecting embedded devices 3600 03:25:04,620 --> 03:25:06,720 today he's going to take us on an 3601 03:25:06,720 --> 03:25:10,100 extraordinary journey into the world of 3602 03:25:10,100 --> 03:25:13,500 cryo-mechanical robots in the extraction 3603 03:25:13,500 --> 03:25:15,979 of RAM from modern embedded devices 3604 03:25:15,979 --> 03:25:18,540 discover the practical engineering 3605 03:25:18,540 --> 03:25:20,640 challenges and solutions behind adapting 3606 03:25:20,640 --> 03:25:23,520 the traditional cold boot attack 3607 03:25:23,520 --> 03:25:25,859 the good doctor here will even guide you 3608 03:25:25,859 --> 03:25:28,439 on building your own cryo-membrig 3609 03:25:28,439 --> 03:25:30,420 prepare to be inspired by the 3610 03:25:30,420 --> 03:25:32,819 possibilities as we dive into the 3611 03:25:32,819 --> 03:25:34,560 fascinating world of embedded system 3612 03:25:34,560 --> 03:25:38,600 security Ang take it away 3613 03:25:40,500 --> 03:25:43,140 thank you for that thank you 3614 03:25:43,140 --> 03:25:45,859 um and yeah let's go for a 3615 03:25:45,859 --> 03:25:48,720 inspiration all right I think that audio 3616 03:25:48,720 --> 03:25:50,640 works I'm going to play a video that 3617 03:25:50,640 --> 
03:25:54,199 Neil made that's super cool 3618 03:25:55,620 --> 03:25:59,340 does it work yeah 3619 03:26:03,040 --> 03:26:04,739 [Music] 3620 03:26:04,739 --> 03:26:07,859 wait wait wait wait un unhear that 3621 03:26:07,859 --> 03:26:10,700 that didn't happen 3622 03:26:11,760 --> 03:26:13,020 um 3623 03:26:13,020 --> 03:26:16,920 oh yeah okay how do I swap this place 3624 03:26:16,920 --> 03:26:19,880 swap display 3625 03:26:23,100 --> 03:26:24,479 yes 3626 03:26:24,479 --> 03:26:26,460 all right okay all right let's do that 3627 03:26:26,460 --> 03:26:28,580 again 3628 03:26:31,859 --> 03:26:33,479 okay now you can hear it now you can 3629 03:26:33,479 --> 03:26:35,840 hear it 3630 03:26:40,279 --> 03:26:42,439 VIP 3631 03:26:42,439 --> 03:26:45,979 let's kick it 3632 03:26:51,200 --> 03:26:54,779 all right stop collaborate and listen I 3633 03:26:54,779 --> 03:26:56,460 sit back with my brand new inventions 3634 03:26:56,460 --> 03:26:59,640 all right so uh Neil made that is he's 3635 03:26:59,640 --> 03:27:02,160 back over there somewhere and um that 3636 03:27:02,160 --> 03:27:04,800 this is a documentary so that's exactly 3637 03:27:04,800 --> 03:27:07,140 how the research happened that's that's 3638 03:27:07,140 --> 03:27:09,300 that's all there is to it 3639 03:27:09,300 --> 03:27:12,060 um but yeah let's talk about cold boot robot 3640 03:27:12,060 --> 03:27:13,800 machine thing 3641 03:27:13,800 --> 03:27:15,779 um so this is uh from Red Balloon it's 3642 03:27:15,779 --> 03:27:17,340 special presentation by the Red Balloon 3643 03:27:17,340 --> 03:27:20,040 Security special effects club yeah 3644 03:27:20,040 --> 03:27:23,100 um okay but before I get into this uh 3645 03:27:23,100 --> 03:27:25,859 there is a alarming trend that I must 3646 03:27:25,859 --> 03:27:28,800 address and talk about with all of you 3647 03:27:28,800 --> 03:27:31,020 dear friends colleagues and other 3648 03:27:31,020 --> 03:27:33,899 peoples and things the trend that I'm 3649 
03:27:33,899 --> 03:27:36,420 talking about of course is this current 3650 03:27:36,420 --> 03:27:38,660 unchecked replication 3651 03:27:38,660 --> 03:27:41,580 of Jordan so for those who know John 3652 03:27:41,580 --> 03:27:44,399 Kataria uh he had a he had a baby last 3653 03:27:44,399 --> 03:27:47,830 week uh so Luca well done 3654 03:27:47,830 --> 03:27:49,920 [Applause] 3655 03:27:49,920 --> 03:27:54,060 all right okay so cryo-mechanical memory 3656 03:27:54,060 --> 03:27:56,399 extraction 3657 03:27:56,399 --> 03:27:58,020 um what is it 3658 03:27:58,020 --> 03:28:00,479 it looks like this so just to give you 3659 03:28:00,479 --> 03:28:02,399 an idea the robot that we built is 3660 03:28:02,399 --> 03:28:04,439 actually back over there if you want to 3661 03:28:04,439 --> 03:28:06,000 you know come look at it and play with 3662 03:28:06,000 --> 03:28:08,100 it I definitely encourage you to do that 3663 03:28:08,100 --> 03:28:11,520 but this is um what the thing does 3664 03:28:11,520 --> 03:28:13,800 it stays completely still without moving 3665 03:28:13,800 --> 03:28:15,000 okay all right 3666 03:28:15,000 --> 03:28:18,139 [Music] 3667 03:28:32,240 --> 03:28:35,330 [Music] 3668 03:28:39,680 --> 03:28:42,680 thank you 3669 03:28:44,520 --> 03:28:46,260 all right so now we're going to talk 3670 03:28:46,260 --> 03:28:48,120 about why why build this machine what 3671 03:28:48,120 --> 03:28:49,739 does it do you know what what is its 3672 03:28:49,739 --> 03:28:51,899 purpose so the thing underneath the the 3673 03:28:51,899 --> 03:28:54,840 copper block on the piston is a DDR3 3674 03:28:54,840 --> 03:28:56,760 memory chip 3675 03:28:56,760 --> 03:28:59,160 um and we're cooling it we're taking it 3676 03:28:59,160 --> 03:29:00,960 putting it onto a computer we're letting 3677 03:29:00,960 --> 03:29:02,760 the computer do its thing to the memory 3678 03:29:02,760 --> 03:29:04,560 and 3679 03:29:04,560 --> 03:29:07,020 when it's done we pull it off and we put 
3680 03:29:07,020 --> 03:29:10,080 it onto an fpga so we can you know get 3681 03:29:10,080 --> 03:29:11,760 some insight into what the computer is 3682 03:29:11,760 --> 03:29:13,859 thinking and doing and stuff by 3683 03:29:13,859 --> 03:29:16,020 extracting physical memory 3684 03:29:16,020 --> 03:29:17,819 all right so 3685 03:29:17,819 --> 03:29:21,120 um and this is uh I'll do this again 3686 03:29:21,120 --> 03:29:22,680 um work that 3687 03:29:22,680 --> 03:29:24,840 a number of us at Red Balloon have been 3688 03:29:24,840 --> 03:29:27,060 working on over the last 18 months it's 3689 03:29:27,060 --> 03:29:29,220 really nice to kind of reflect back and 3690 03:29:29,220 --> 03:29:31,260 talk about the process that we took 3691 03:29:31,260 --> 03:29:32,760 because um 3692 03:29:32,760 --> 03:29:34,920 it's 18 months of failure so the 3693 03:29:34,920 --> 03:29:36,540 greatest philosopher of all time once 3694 03:29:36,540 --> 03:29:37,979 said you know I can't 3695 03:29:37,979 --> 03:29:39,899 you know see him coming down my eyes I 3696 03:29:39,899 --> 03:29:42,359 gotta make these slides 3697 03:29:42,359 --> 03:29:45,859 cry yo 3698 03:29:46,200 --> 03:29:48,660 one person left that's good all right so 3699 03:29:48,660 --> 03:29:50,399 uh like I said you know so this is the 3700 03:29:50,399 --> 03:29:51,720 thing that we did 3701 03:29:51,720 --> 03:29:53,880 for the last 18 months or you know two 3702 03:29:53,880 --> 03:29:56,160 years this is a small portion of the 3703 03:29:56,160 --> 03:29:59,399 failure inside a larger story of more 3704 03:29:59,399 --> 03:30:01,200 failure 3705 03:30:01,200 --> 03:30:03,779 um but what do we win in the end we did 3706 03:30:03,779 --> 03:30:06,479 get some really interesting results uh 3707 03:30:06,479 --> 03:30:09,840 like a little drizzle of a win so here's 3708 03:30:09,840 --> 03:30:11,340 um you know on the surface that the 3709 03:30:11,340 --> 03:30:14,040 output right the outcome of what we did 
3710 03:30:14,040 --> 03:30:16,080 so we wrote two papers um there are a 3711 03:30:16,080 --> 03:30:17,580 lot of details in in both of these 3712 03:30:17,580 --> 03:30:19,380 papers I definitely encourage you guys 3713 03:30:19,380 --> 03:30:21,960 to check them out and the uh the WOOT 3714 03:30:21,960 --> 03:30:24,960 paper is much more about just you know 3715 03:30:24,960 --> 03:30:26,939 the the engineering that went into 3716 03:30:26,939 --> 03:30:28,560 building this cryo-mechanical memory 3717 03:30:28,560 --> 03:30:31,800 robot thing and the second paper that we 3718 03:30:31,800 --> 03:30:34,680 published that host is uh about all the 3719 03:30:34,680 --> 03:30:36,720 technical details that we found uh 3720 03:30:36,720 --> 03:30:41,880 inside the um the Siemens S7 1500 PLC so 3721 03:30:41,880 --> 03:30:43,800 what is that about so what is what is 3722 03:30:43,800 --> 03:30:47,520 this so here is um on the left side you 3723 03:30:47,520 --> 03:30:49,739 hear the in the burgundy kind of color 3724 03:30:49,739 --> 03:30:52,859 right you have the Siemens uh PLC market 3725 03:30:52,859 --> 03:30:55,560 share in North America and the bottom 3726 03:30:55,560 --> 03:30:58,080 one is uh in Europe but if you kind of 3727 03:30:58,080 --> 03:31:00,000 average out all the different major uh 3728 03:31:00,000 --> 03:31:02,880 markets the PLC that Siemens makes that's 3729 03:31:02,880 --> 03:31:05,340 their prime time offering is the S7 1500 3730 03:31:05,340 --> 03:31:07,500 and it makes up about I don't know like 3731 03:31:07,500 --> 03:31:10,800 30 35 maybe 40 percent of the the 3732 03:31:10,800 --> 03:31:13,319 world's uh sort of market of currently 3733 03:31:13,319 --> 03:31:16,020 deployed PLCs 3734 03:31:16,020 --> 03:31:18,060 um and this is the the version of the 3735 03:31:18,060 --> 03:31:20,220 PLC that they made after the whole Stuxnet 3736 03:31:20,220 --> 03:31:22,020 thing if we remember that right so 3737 03:31:22,020 --> 
03:31:25,620 they redesigned it put more security in 3738 03:31:25,620 --> 03:31:26,640 place 3739 03:31:26,640 --> 03:31:28,800 um and uh and that's the that's the 3740 03:31:28,800 --> 03:31:30,840 platform that we looked at and the the 3741 03:31:30,840 --> 03:31:32,819 problem or the vulnerability that we 3742 03:31:32,819 --> 03:31:35,640 found and disclosed is um missing 3743 03:31:35,640 --> 03:31:38,819 immutable root of trust thing so secure 3744 03:31:38,819 --> 03:31:41,279 boot is broken and this is the the list 3745 03:31:41,279 --> 03:31:45,359 of devices that it affects 3746 03:31:45,359 --> 03:31:48,120 and then there's the second page 3747 03:31:48,120 --> 03:31:50,040 there's a third page 3748 03:31:50,040 --> 03:31:52,439 and a fourth page right there's a fifth 3749 03:31:52,439 --> 03:31:55,500 page six seven eight nine I think 3750 03:31:55,500 --> 03:31:57,779 there's 13 pages all right so basically 3751 03:31:57,779 --> 03:31:59,340 at the time that we disclosed this I 3752 03:31:59,340 --> 03:32:00,840 think every single version of the S7 3753 03:32:00,840 --> 03:32:04,800 1500 PLC's processor was vulnerable to 3754 03:32:04,800 --> 03:32:06,600 uh the thing that we're going to talk 3755 03:32:06,600 --> 03:32:08,460 about so 3756 03:32:08,460 --> 03:32:11,100 um and here's the uh the official sort 3757 03:32:11,100 --> 03:32:15,479 of um uh advisory right so the basically 3758 03:32:15,479 --> 03:32:17,460 like every 1500 in the ground right now 3759 03:32:17,460 --> 03:32:20,220 is broken so what do you do about it uh 3760 03:32:20,220 --> 03:32:22,620 nothing so I read this email and my head 3761 03:32:22,620 --> 03:32:25,020 literally kind of exploded 3762 03:32:25,020 --> 03:32:25,800 um 3763 03:32:25,800 --> 03:32:28,020 yeah that's it's kind of nuts but their 3764 03:32:28,020 --> 03:32:29,880 official sort of workaround is we're not 3765 03:32:29,880 --> 03:32:31,200 going to fix it 3766 03:32:31,200 --> 03:32:33,600 that's it 
there's no second sentence or 3767 03:32:33,600 --> 03:32:36,000 a paragraph and then after that their 3768 03:32:36,000 --> 03:32:39,800 mitigation recommendation is 3769 03:32:39,960 --> 03:32:42,060 all that sneaky people near your PLC 3770 03:32:42,060 --> 03:32:43,200 right 3771 03:32:43,200 --> 03:32:45,899 I it 3772 03:32:45,899 --> 03:32:49,859 we can we can we can laugh at it but um 3773 03:32:49,859 --> 03:32:52,800 yeah well you know so but but here's the 3774 03:32:52,800 --> 03:32:54,779 right so you know if you look at the 3775 03:32:54,779 --> 03:32:55,920 market share you look at all the 3776 03:32:55,920 --> 03:32:57,779 different devices that that this thing 3777 03:32:57,779 --> 03:33:00,660 affects and the response to it right 3778 03:33:00,660 --> 03:33:03,899 this is probably actually 3779 03:33:03,899 --> 03:33:07,140 maybe 10 ish maybe even more of 3780 03:33:07,140 --> 03:33:09,000 literally all the plcs that are in the 3781 03:33:09,000 --> 03:33:10,560 ground in operation that controls the 3782 03:33:10,560 --> 03:33:12,540 world today right and if you look at the 3783 03:33:12,540 --> 03:33:14,460 the average lifespan or the service life 3784 03:33:14,460 --> 03:33:17,160 of these plc's and the fact that now 3785 03:33:17,160 --> 03:33:19,800 this vulnerability is is publicly known 3786 03:33:19,800 --> 03:33:22,439 and that there will not be a fix this is 3787 03:33:22,439 --> 03:33:23,520 the thing that's going to sit in the 3788 03:33:23,520 --> 03:33:26,220 ground and become basically a forever 3789 03:33:26,220 --> 03:33:28,439 day for the probably the next 10 12 3790 03:33:28,439 --> 03:33:29,460 years 3791 03:33:29,460 --> 03:33:31,920 and that's not okay I I think this is a 3792 03:33:31,920 --> 03:33:34,500 really big problem so you know there was 3793 03:33:34,500 --> 03:33:36,420 a win in here for for us as researchers 3794 03:33:36,420 --> 03:33:38,399 but I think this is actually a 3795 03:33:38,399 --> 03:33:39,960 
problematic lose for the world right 3796 03:33:39,960 --> 03:33:42,600 like this is just not okay but this is 3797 03:33:42,600 --> 03:33:45,779 the state of the art of what 3798 03:33:45,779 --> 03:33:48,140 now 3799 03:33:53,700 --> 03:33:55,260 we didn't drink his actual trick so now 3800 03:33:55,260 --> 03:33:57,300 he's being forced to drink one okay all 3801 03:33:57,300 --> 03:33:59,460 right yeah 3802 03:33:59,460 --> 03:34:01,080 where would I be without friends you 3803 03:34:01,080 --> 03:34:04,399 know oh meow 3804 03:34:04,680 --> 03:34:07,200 meow meow meow 3805 03:34:07,200 --> 03:34:09,420 what you know 3806 03:34:09,420 --> 03:34:12,600 anyway so we drink we talk we think 3807 03:34:12,600 --> 03:34:14,640 about things all right so um that's 3808 03:34:14,640 --> 03:34:16,739 that's that I'm gonna get off my soapbox 3809 03:34:16,739 --> 03:34:18,239 and talk about the technical thing so 3810 03:34:18,239 --> 03:34:21,779 what did we actually win uh we we had to 3811 03:34:21,779 --> 03:34:23,760 stare at this stupid board for like two 3812 03:34:23,760 --> 03:34:26,100 years until he cried uncle right and if 3813 03:34:26,100 --> 03:34:27,479 you look at it you know it doesn't seem 3814 03:34:27,479 --> 03:34:30,479 like much it's kind of small it's the 3815 03:34:30,479 --> 03:34:32,279 size of like a I don't know like a 3816 03:34:32,279 --> 03:34:34,080 graphics card from 20 years ago and 3817 03:34:34,080 --> 03:34:35,939 right like it's tiny and it's got some 3818 03:34:35,939 --> 03:34:37,920 black rectangles in there and and those 3819 03:34:37,920 --> 03:34:39,840 are the chips and the rest of it you 3820 03:34:39,840 --> 03:34:42,479 don't have much but but why why did we 3821 03:34:42,479 --> 03:34:43,560 have to 3822 03:34:43,560 --> 03:34:46,620 stare at this for so long so this is um 3823 03:34:46,620 --> 03:34:49,439 okay so the the things that they did 3824 03:34:49,439 --> 03:34:51,000 okay so looking at the the hardware 3825 
03:34:51,000 --> 03:34:53,340 design what I can say is they actually 3826 03:34:53,340 --> 03:34:55,560 did a really good job not at hardware 3827 03:34:55,560 --> 03:34:57,720 security per se but but product 3828 03:34:57,720 --> 03:35:00,000 finishing so what what I mean by that is 3829 03:35:00,000 --> 03:35:01,560 you know they've taken away all 3830 03:35:01,560 --> 03:35:03,479 basically any useful introspection 3831 03:35:03,479 --> 03:35:06,120 interface so no debugging no no UART 3832 03:35:06,120 --> 03:35:08,939 output of any kind uh the firmware is 3833 03:35:08,939 --> 03:35:11,580 stored encrypted at rest right and 3834 03:35:11,580 --> 03:35:14,220 decrypted at boot time and the key that 3835 03:35:14,220 --> 03:35:16,979 does all of that is uh in in practice 3836 03:35:16,979 --> 03:35:18,540 and in theory you know somewhere hidden 3837 03:35:18,540 --> 03:35:20,700 inside the hardware so 3838 03:35:20,700 --> 03:35:22,680 you can look at this thing boot up and 3839 03:35:22,680 --> 03:35:24,300 the little LEDs will turn on you know 3840 03:35:24,300 --> 03:35:26,279 once it's ready to go but aside from 3841 03:35:26,279 --> 03:35:28,260 that there was basically no way for us 3842 03:35:28,260 --> 03:35:30,420 to introspect or look into the device at 3843 03:35:30,420 --> 03:35:32,580 all let alone you know analyze their 3844 03:35:32,580 --> 03:35:34,620 firmware to see what the the at the 3845 03:35:34,620 --> 03:35:36,840 thing actually is doing at any given 3846 03:35:36,840 --> 03:35:38,340 time so 3847 03:35:38,340 --> 03:35:40,859 so that's uh that's the problem right 3848 03:35:40,859 --> 03:35:44,100 like no debugging no useful output uh 3849 03:35:44,100 --> 03:35:47,040 like I said when it once it turns on LED 3850 03:35:47,040 --> 03:35:49,020 blinks and then then you're done with 3851 03:35:49,020 --> 03:35:52,080 the the whole boot process so 3852 03:35:52,080 --> 03:35:54,960 you know it's in the secret is in the 3853 03:35:54,960 --> 
03:35:57,600 computer but how do you get into the 3854 03:35:57,600 --> 03:35:59,340 computer right when you can't have any 3855 03:35:59,340 --> 03:36:01,920 sort of useful output and um the 3856 03:36:01,920 --> 03:36:04,140 standard sort of game plan at this point 3857 03:36:04,140 --> 03:36:05,939 I think is usually 3858 03:36:05,939 --> 03:36:07,739 I don't know let's poke let's poke the 3859 03:36:07,739 --> 03:36:09,239 thing with a weird stick of some kind 3860 03:36:09,239 --> 03:36:11,399 really let's cause a failure or a glitch 3861 03:36:11,399 --> 03:36:14,700 or something uh so standard approach one 3862 03:36:14,700 --> 03:36:16,739 would be you know let's uh let's sort of 3863 03:36:16,739 --> 03:36:18,300 try to inject some kind of fault right 3864 03:36:18,300 --> 03:36:21,479 so EM clock power whatever it is 3865 03:36:21,479 --> 03:36:23,220 um but the problem there is um you know 3866 03:36:23,220 --> 03:36:25,560 you can if you crash the thing what do 3867 03:36:25,560 --> 03:36:27,060 you see you see nothing right like the 3868 03:36:27,060 --> 03:36:29,460 thing just kind of resets and you get 3869 03:36:29,460 --> 03:36:31,319 that stupid LED that like kind of turns 3870 03:36:31,319 --> 03:36:35,220 on uh it's just one pixel uh but not at 3871 03:36:35,220 --> 03:36:36,899 all useful information in terms of a 3872 03:36:36,899 --> 03:36:37,800 crash 3873 03:36:37,800 --> 03:36:41,279 okay so the second approach might be you 3874 03:36:41,279 --> 03:36:43,979 know take the the main SoC right decap 3875 03:36:43,979 --> 03:36:46,200 it uh and then question mark question 3876 03:36:46,200 --> 03:36:49,380 mark like do some fancy ninja stuff 3877 03:36:49,380 --> 03:36:51,600 um the problem is uh I don't we don't 3878 03:36:51,600 --> 03:36:53,160 have a scanning electron microscope 3879 03:36:53,160 --> 03:36:56,819 right so our chip decapping program is 3880 03:36:56,819 --> 03:36:59,300 basically me with Tupperware things 3881 03:36:59,300 
--> 03:37:01,979 after everybody has gone home in the 3882 03:37:01,979 --> 03:37:03,600 office so 3883 03:37:03,600 --> 03:37:06,479 well yeah that that too yup yup so but 3884 03:37:06,479 --> 03:37:09,660 you know like and then this main SoC is 3885 03:37:09,660 --> 03:37:12,600 also super duper proprietary a lot of 3886 03:37:12,600 --> 03:37:14,520 this is integrated so that whole thing 3887 03:37:14,520 --> 03:37:15,779 just screamed you know complicated 3888 03:37:15,779 --> 03:37:17,460 expensive 3889 03:37:17,460 --> 03:37:18,120 um 3890 03:37:18,120 --> 03:37:21,359 and maybe not doable for us 3891 03:37:21,359 --> 03:37:24,600 all right so the third one is um reject 3892 03:37:24,600 --> 03:37:26,819 reality right and and just go back and 3893 03:37:26,819 --> 03:37:28,500 say like okay I'm gonna try even harder 3894 03:37:28,500 --> 03:37:30,660 to find the JTAG port or the UART or 3895 03:37:30,660 --> 03:37:32,580 something but the problem here is like 3896 03:37:32,580 --> 03:37:34,380 this quickly devolves into an infinite 3897 03:37:34,380 --> 03:37:36,120 loop you know like you say like ah it's 3898 03:37:36,120 --> 03:37:37,500 got to be there where is it I don't know 3899 03:37:37,500 --> 03:37:39,060 let's look more 3900 03:37:39,060 --> 03:37:41,399 um so that didn't really work either and 3901 03:37:41,399 --> 03:37:42,840 then the last one is just I don't know 3902 03:37:42,840 --> 03:37:44,819 say mean things to it and hope that 3903 03:37:44,819 --> 03:37:46,500 something falls out which wasn't 3904 03:37:46,500 --> 03:37:47,880 effective 3905 03:37:47,880 --> 03:37:50,100 so you know we looked at this hardware 3906 03:37:50,100 --> 03:37:51,960 you know like we were defeated for like 3907 03:37:51,960 --> 03:37:53,819 a few weeks of just trying to get the 3908 03:37:53,819 --> 03:37:56,580 thing to tell us stuff that it it didn't 3909 03:37:56,580 --> 03:38:00,779 and then I sat down and I said maybe we 3910 03:38:00,779 --> 03:38:01,920 
can get rid of all of this hardware 3911 03:38:01,920 --> 03:38:05,160 finishing stuff if we can just like what 3912 03:38:05,160 --> 03:38:07,439 if we can just read its mind right what 3913 03:38:07,439 --> 03:38:09,960 if we take the memory of the thing when 3914 03:38:09,960 --> 03:38:13,979 it's running and then we rip it and we'd 3915 03:38:13,979 --> 03:38:16,739 take its face 3916 03:38:16,739 --> 03:38:18,960 uh which is um you know kind of what we 3917 03:38:18,960 --> 03:38:21,120 did and also right there all the other 3918 03:38:21,120 --> 03:38:23,939 ways are are valid but you know this uh 3919 03:38:23,939 --> 03:38:27,359 at the time and I still think this is 3920 03:38:27,359 --> 03:38:29,580 yeah yeah yeah I mean it's valid it 3921 03:38:29,580 --> 03:38:31,439 doesn't work great but you know it's a 3922 03:38:31,439 --> 03:38:34,560 valid thing uh but you know just looking 3923 03:38:34,560 --> 03:38:36,960 at some of the other hardware that we're 3924 03:38:36,960 --> 03:38:39,359 seeing the trend certainly is you know 3925 03:38:39,359 --> 03:38:41,160 much more integrated sort of compact 3926 03:38:41,160 --> 03:38:43,739 right the devices with a single SoC 3927 03:38:43,739 --> 03:38:45,420 that you can't really look inside or 3928 03:38:45,420 --> 03:38:48,840 touch the bus so maybe one so sort of 3929 03:38:48,840 --> 03:38:51,779 the device having encrypted memory maybe 3930 03:38:51,779 --> 03:38:53,640 one approach that can solve a lot of 3931 03:38:53,640 --> 03:38:55,680 these things would be to just physically 3932 03:38:55,680 --> 03:38:58,020 read the content of memory at a specific 3933 03:38:58,020 --> 03:39:00,060 time and if we can do that we can 3934 03:39:00,060 --> 03:39:01,739 actually get around a lot of this sort 3935 03:39:01,739 --> 03:39:03,180 of hardware finishing things and solve 3936 03:39:03,180 --> 03:39:05,220 the problem for you know more than just 3937 03:39:05,220 --> 03:39:06,840 this one device but lots and 
lots of 3938 03:39:06,840 --> 03:39:08,100 other commercial devices that we're 3939 03:39:08,100 --> 03:39:09,600 seeing you know over the last two three 3940 03:39:09,600 --> 03:39:10,560 years 3941 03:39:10,560 --> 03:39:11,880 so 3942 03:39:11,880 --> 03:39:13,800 uh all right so I started thinking about 3943 03:39:13,800 --> 03:39:15,600 the idea and you know I talked to people 3944 03:39:15,600 --> 03:39:17,100 right and they say oh yeah of course 3945 03:39:17,100 --> 03:39:19,260 like cold boot has been done like it's well 3946 03:39:19,260 --> 03:39:21,000 understood and that there's a paper you 3947 03:39:21,000 --> 03:39:23,040 check it out and this is the paper this 3948 03:39:23,040 --> 03:39:26,100 is um well so explaining data remanence 3949 03:39:26,100 --> 03:39:28,680 right in dynamic like volatile storage 3950 03:39:28,680 --> 03:39:30,540 uh has been a thing I think people have 3951 03:39:30,540 --> 03:39:32,279 been talking about it since like the 70s 3952 03:39:32,279 --> 03:39:35,040 right so it's not all that new but you 3953 03:39:35,040 --> 03:39:37,020 know this was the first paper that I was 3954 03:39:37,020 --> 03:39:38,700 aware of that I read that you know 3955 03:39:38,700 --> 03:39:40,739 basically said hey if you take you know 3956 03:39:40,739 --> 03:39:44,279 like if you freeze memory like DRAM it's 3957 03:39:44,279 --> 03:39:47,640 uh and remove it from the device 3958 03:39:47,640 --> 03:39:49,319 um instead of the data evaporating you 3959 03:39:49,319 --> 03:39:50,700 can actually preserve the content of the 3960 03:39:50,700 --> 03:39:52,200 data inside the RAM chip without power 3961 03:39:52,200 --> 03:39:54,779 for like maybe a few minutes the tens of 3962 03:39:54,779 --> 03:39:56,640 minutes and and from that you can 3963 03:39:56,640 --> 03:39:58,200 physically extract 3964 03:39:58,200 --> 03:40:01,020 the content of RAM and the advantage 3965 03:40:01,020 --> 03:40:02,460 there is okay like if you can do that 3966 
03:40:02,460 --> 03:40:04,319 right like it doesn't matter if you have 3967 03:40:04,319 --> 03:40:06,060 I don't know TrustZone and blah blah 3968 03:40:06,060 --> 03:40:07,859 blah right like if the data and the 3969 03:40:07,859 --> 03:40:09,479 thing you're looking for is inside the 3970 03:40:09,479 --> 03:40:11,460 RAM chip right at any kind of security 3971 03:40:11,460 --> 03:40:13,979 level uh you can take it and read it 3972 03:40:13,979 --> 03:40:16,439 right in in your own fixture 3973 03:40:16,439 --> 03:40:18,899 so that sounds great you know like 3974 03:40:18,899 --> 03:40:21,239 that's a cool thing but let's look 3975 03:40:21,239 --> 03:40:23,580 deeper into a closer at this right so 3976 03:40:23,580 --> 03:40:25,319 this was the original paper this was 3977 03:40:25,319 --> 03:40:28,020 like the graphic and um 3978 03:40:28,020 --> 03:40:29,700 I didn't Photoshop this this is 3979 03:40:29,700 --> 03:40:31,560 literally the person like upside down 3980 03:40:31,560 --> 03:40:34,380 can of air right spraying at the memory 3981 03:40:34,380 --> 03:40:36,660 chip like you know like like an abusing 3982 03:40:36,660 --> 03:40:39,600 that ThinkPad which um yeah it worked 3983 03:40:39,600 --> 03:40:41,580 for for that for that purpose for that 3984 03:40:41,580 --> 03:40:43,620 for that thing but here's the problem 3985 03:40:43,620 --> 03:40:46,260 right like I don't have a laptop this 3986 03:40:46,260 --> 03:40:48,239 thing doesn't have a DIMM slot this is a 3987 03:40:48,239 --> 03:40:50,040 embedded device with the memory soldered 3988 03:40:50,040 --> 03:40:53,580 on it's DDR3 so the first problem that 3989 03:40:53,580 --> 03:40:55,380 we saw was uh 3990 03:40:55,380 --> 03:40:58,080 why come you have no DIMM slot right so 3991 03:40:58,080 --> 03:41:00,300 how how do you get the memory off the 3992 03:41:00,300 --> 03:41:01,979 thing you know like memory is still 3993 03:41:01,979 --> 03:41:03,720 memory right so data remanence effect 3994 
03:41:03,720 --> 03:41:05,460 like by freezing the memory it should 3995 03:41:05,460 --> 03:41:08,700 still work but how do you how do you do 3996 03:41:08,700 --> 03:41:10,739 it right and then so that's the first 3997 03:41:10,739 --> 03:41:12,120 problem 3998 03:41:12,120 --> 03:41:13,920 um and then the lots and lots of other 3999 03:41:13,920 --> 03:41:15,960 problems came up right when we started 4000 03:41:15,960 --> 03:41:18,180 thinking about it for like two minutes 4001 03:41:18,180 --> 03:41:21,060 and here's one here's a specific problem 4002 03:41:21,060 --> 03:41:24,120 so unlike your modern you know desktop 4003 03:41:24,120 --> 03:41:26,460 or server or laptop well actually not 4004 03:41:26,460 --> 03:41:28,920 laptop those are glued in now but you 4005 03:41:28,920 --> 03:41:30,239 know like general purpose computers 4006 03:41:30,239 --> 03:41:32,399 right so you might have multiple sticks 4007 03:41:32,399 --> 03:41:34,560 or modules of RAM that you can take out 4008 03:41:34,560 --> 03:41:37,080 from the interface one at a time 4009 03:41:37,080 --> 03:41:39,180 um this device not only had a single uh 4010 03:41:39,180 --> 03:41:41,700 piece of RAM you know soldered onto the 4011 03:41:41,700 --> 03:41:44,939 board it had five right and they were 4012 03:41:44,939 --> 03:41:47,460 all used in parallel at the same time 4013 03:41:47,460 --> 03:41:49,140 you know with some error correction data 4014 03:41:49,140 --> 03:41:51,960 being stored on the you know across the 4015 03:41:51,960 --> 03:41:54,359 chips and then on top of that instead of 4016 03:41:54,359 --> 03:41:56,819 a five on like on the same side three on 4017 03:41:56,819 --> 03:41:58,920 top and two are on the bottom right so 4018 03:41:58,920 --> 03:42:00,479 if you think about how to actually go 4019 03:42:00,479 --> 03:42:04,200 about mechanically removing the thing 4020 03:42:04,200 --> 03:42:06,120 um that's that was hard so short of 4021 03:42:06,120 --> 03:42:08,100 building 
like a pie made like five 4022 03:42:08,100 --> 03:42:10,620 memory ripper thing of death uh which is 4023 03:42:10,620 --> 03:42:13,080 mechanically super complicated right we 4024 03:42:13,080 --> 03:42:14,460 needed to um 4025 03:42:14,460 --> 03:42:16,380 maybe not do that but solve the problem 4026 03:42:16,380 --> 03:42:18,239 some other way so 4027 03:42:18,239 --> 03:42:20,700 basically here's the plan right so the 4028 03:42:20,700 --> 03:42:22,979 plan is you know we have we have CNCs 4029 03:42:22,979 --> 03:42:24,720 we have a little robots for like you 4030 03:42:24,720 --> 03:42:26,580 know like carving metal and then I'm 4031 03:42:26,580 --> 03:42:28,920 making things out of wood 3D printers so 4032 03:42:28,920 --> 03:42:30,899 what if we can Frankenstein you know 4033 03:42:30,899 --> 03:42:34,439 a CNC machine right uh that at least 4034 03:42:34,439 --> 03:42:36,380 positions some kind of mechanical 4035 03:42:36,380 --> 03:42:39,540 grabber thing at the right place at the 4036 03:42:39,540 --> 03:42:41,580 right time and then remove the memory 4037 03:42:41,580 --> 03:42:43,439 when we want to then we can at least 4038 03:42:43,439 --> 03:42:45,420 repeatably like repeatedly do the same 4039 03:42:45,420 --> 03:42:47,460 thing over maybe multiple chips all 4040 03:42:47,460 --> 03:42:48,660 right so that's number one if we can 4041 03:42:48,660 --> 03:42:50,819 break a CNC that could work and then we 4042 03:42:50,819 --> 03:42:53,340 have to figure out a way how to rip five 4043 03:42:53,340 --> 03:42:55,560 memory chips you know if you can't do 4044 03:42:55,560 --> 03:42:57,540 them all at the same time the other 4045 03:42:57,540 --> 03:42:59,399 approach is to find you know some period 4046 03:42:59,399 --> 03:43:03,300 of deterministic execution and rip the 4047 03:43:03,300 --> 03:43:05,460 the each one memory chip at a time at 4048 03:43:05,460 --> 03:43:07,620 the specific point of execution because 4049 03:43:07,620 --> 03:43:09,960 
you can imagine like if you're you know 4050 03:43:09,960 --> 03:43:11,760 like half a second of it's ridiculous 4051 03:43:11,760 --> 03:43:13,680 you you feel like you know 100 4052 03:43:13,680 --> 03:43:15,720 milliseconds off all the bits are not 4053 03:43:15,720 --> 03:43:17,340 going to match up so reconstructing 4054 03:43:17,340 --> 03:43:19,319 memory is going to be really tricky but 4055 03:43:19,319 --> 03:43:21,540 if you can do it at the same time 4056 03:43:21,540 --> 03:43:23,460 over and over again repeatably that that 4057 03:43:23,460 --> 03:43:26,340 could work right and then after that you 4058 03:43:26,340 --> 03:43:28,319 have to maybe just figure out where the 4059 03:43:28,319 --> 03:43:29,939 error correction bits are and then smash 4060 03:43:29,939 --> 03:43:31,800 the memory content into something that 4061 03:43:31,800 --> 03:43:33,660 you can analyze and then all of a sudden 4062 03:43:33,660 --> 03:43:35,640 in theory if all that worked you would 4063 03:43:35,640 --> 03:43:37,620 have you know the code region the the 4064 03:43:37,620 --> 03:43:40,620 stack the heap and and maybe be able to 4065 03:43:40,620 --> 03:43:42,779 reconstruct the bootloader code and all 4066 03:43:42,779 --> 03:43:44,760 of the intermediate data that the boot 4067 03:43:44,760 --> 03:43:46,620 loader uses so maybe it's whatever 4068 03:43:46,620 --> 03:43:48,540 crypto key and whatever crypto operation 4069 03:43:48,540 --> 03:43:50,760 it's doing right we can maybe get access 4070 03:43:50,760 --> 03:43:53,760 to the the content of that and who knows 4071 03:43:53,760 --> 03:43:56,479 what other thing we have to do and then 4072 03:43:56,479 --> 03:43:58,739 you know even if we did all of this 4073 03:43:58,739 --> 03:44:00,420 stuff right we didn't know that there 4074 03:44:00,420 --> 03:44:02,520 was a vulnerability in there at all so 4075 03:44:02,520 --> 03:44:04,800 you know let's see what the code says 4076 03:44:04,800 --> 03:44:05,700 but 4077
03:44:05,700 --> 03:44:07,319 I don't know maybe go from there and 4078 03:44:07,319 --> 03:44:09,899 maybe win right so here's what we did 4079 03:44:09,899 --> 03:44:11,760 so we started doing that 4080 03:44:11,760 --> 03:44:13,500 and this is the paper that talks a lot 4081 03:44:13,500 --> 03:44:15,479 about the uh sort of the engineering 4082 03:44:15,479 --> 03:44:17,819 challenges that we had but today I want 4083 03:44:17,819 --> 03:44:19,859 to you know keep this much more on a 4084 03:44:19,859 --> 03:44:21,899 practical level of if you want to do 4085 03:44:21,899 --> 03:44:23,100 something like this you can actually 4086 03:44:23,100 --> 03:44:24,359 build this machine for about two 4087 03:44:24,359 --> 03:44:26,399 thousand bucks and this is something 4088 03:44:26,399 --> 03:44:28,380 that's small enough that you can keep in 4089 03:44:28,380 --> 03:44:30,420 your office or apartment or garage or 4090 03:44:30,420 --> 03:44:32,460 wherever you guys live and it's really 4091 03:44:32,460 --> 03:44:35,040 doable from COTS hardware 4092 03:44:35,040 --> 03:44:37,439 okay so here's uh basically what we need 4093 03:44:37,439 --> 03:44:40,200 right so this is a very early version of 4094 03:44:40,200 --> 03:44:43,140 of this robot but basically come up with 4095 03:44:43,140 --> 03:44:45,660 a precise-ish uh movement system that 4096 03:44:45,660 --> 03:44:47,100 picks up the thing and puts it down 4097 03:44:47,100 --> 03:44:50,460 right and then you know somehow if you 4098 03:44:50,460 --> 03:44:52,439 if you think about like a RAM and chip 4099 03:44:52,439 --> 03:44:54,960 test fixtures right they're usually like 4100 03:44:54,960 --> 03:44:58,020 hunky clamshell kind of things which is 4101 03:44:58,020 --> 03:44:59,340 kind of hard if you need to build a 4102 03:44:59,340 --> 03:45:01,319 robot that like unlatches that the 4103 03:45:01,319 --> 03:45:02,640 clamshell put the thing in the right 4104 03:45:02,640 --> 03:45:04,260 tension and put
the shell back on right 4105 03:45:04,260 --> 03:45:06,060 so maybe there's a better you know 4106 03:45:06,060 --> 03:45:09,000 socket that we can use uh but then on 4107 03:45:09,000 --> 03:45:10,620 top of that right so the third one is 4108 03:45:10,620 --> 03:45:13,500 important closed loop cooling so usually 4109 03:45:13,500 --> 03:45:15,540 you know this whole area of attack for 4110 03:45:15,540 --> 03:45:17,460 data remanence is referred to as cold 4111 03:45:17,460 --> 03:45:19,920 boot uh and the reason for that is first 4112 03:45:19,920 --> 03:45:21,960 you spray the can of cold onto the 4113 03:45:21,960 --> 03:45:23,939 memory chip and then you stop doing that 4114 03:45:23,939 --> 03:45:25,739 and then you take the memory off while 4115 03:45:25,739 --> 03:45:27,720 the memory is still cold but basically 4116 03:45:27,720 --> 03:45:29,340 you know as soon as you start executing 4117 03:45:29,340 --> 03:45:31,620 if you're not actively cooling the chip 4118 03:45:31,620 --> 03:45:33,060 right the thing's obviously going to 4119 03:45:33,060 --> 03:45:35,760 warm up over a period of minutes right 4120 03:45:35,760 --> 03:45:37,739 the thing's obviously going to warm up over 4121 03:45:37,739 --> 03:45:41,100 a period of minutes so if you had a 4122 03:45:41,100 --> 03:45:43,439 active cooling system right which is a 4123 03:45:43,439 --> 03:45:45,000 keeping the thing cold 4124 03:45:45,000 --> 03:45:48,000 for the entirety of runtime you don't 4125 03:45:48,000 --> 03:45:51,359 just you get the ability to 4126 03:45:51,359 --> 03:45:53,399 to do this not just at boot but pretty 4127 03:45:53,399 --> 03:45:55,319 much whenever you want so this is a way 4128 03:45:55,319 --> 03:45:57,000 that you can actually also rip like user 4129 03:45:57,000 --> 03:45:58,979 space you know program physical memory 4130 03:45:58,979 --> 03:46:01,439 content over the kernel so with cold uh 4131 03:46:01,439 --> 03:46:03,600 close active cooling you can pull the 4132
03:46:03,600 --> 03:46:05,160 memory chip up whenever you want right 4133 03:46:05,160 --> 03:46:06,540 so that gives us a whole lot of other 4134 03:46:06,540 --> 03:46:09,899 places to to do this sort of attack on 4135 03:46:09,899 --> 03:46:12,000 right and then get the timing and then 4136 03:46:12,000 --> 03:46:14,479 prove that we can do this for uh DDR1 4137 03:46:14,479 --> 03:46:18,540 LPDDR1 DDR2 DDR3 uh and if it works then 4138 03:46:18,540 --> 03:46:19,800 great so 4139 03:46:19,800 --> 03:46:21,960 let's talk about how we did all this 4140 03:46:21,960 --> 03:46:23,580 stuff right so the first thing before 4141 03:46:23,580 --> 03:46:25,620 anything else uh you need something that 4142 03:46:25,620 --> 03:46:27,180 gives you like precise-ish sort of 4143 03:46:27,180 --> 03:46:29,700 mechanical linear movement right and um 4144 03:46:29,700 --> 03:46:31,319 the good news is uh 4145 03:46:31,319 --> 03:46:33,359 this you can just buy this this is like 4146 03:46:33,359 --> 03:46:35,640 500 bucks it's actually really good for 4147 03:46:35,640 --> 03:46:37,920 what it is people use it as like a hobby 4148 03:46:37,920 --> 03:46:39,840 as sort of like a wood router kind of 4149 03:46:39,840 --> 03:46:42,359 thing so if you want like an owl or 4150 03:46:42,359 --> 03:46:43,920 something carved out of wood this thing 4151 03:46:43,920 --> 03:46:46,319 can do it right uh and it's really cheap 4152 03:46:46,319 --> 03:46:48,660 so what for what you're getting 4153 03:46:48,660 --> 03:46:51,120 um the the controller is really that big 4154 03:46:51,120 --> 03:46:54,180 and it has like a parallel 25 port a 25 4155 03:46:54,180 --> 03:46:56,460 pin parallel port in the back that I 4156 03:46:56,460 --> 03:46:58,319 didn't know what to do with but like 4157 03:46:58,319 --> 03:47:00,660 that's not important but basically buy 4158 03:47:00,660 --> 03:47:03,239 this and you take out the stuff that 4159 03:47:03,239 --> 03:47:04,800 really shouldn't be there so
you junk 4160 03:47:04,800 --> 03:47:06,660 like pretty much all of this right so 4161 03:47:06,660 --> 03:47:08,640 you take off the motors you don't need a 4162 03:47:08,640 --> 03:47:10,560 spindle because the spindle like is the 4163 03:47:10,560 --> 03:47:11,939 thing that just you know carves things 4164 03:47:11,939 --> 03:47:14,399 right uh and this controller box is just 4165 03:47:14,399 --> 03:47:16,439 awesome and nonsense so you don't want 4166 03:47:16,439 --> 03:47:18,899 that what is good in here is you know 4167 03:47:18,899 --> 03:47:20,819 this is a platform that's basically you 4168 03:47:20,819 --> 03:47:23,040 know solid and it has a really good ball 4169 03:47:23,040 --> 03:47:25,620 screw like a ball lead screw uh and 4170 03:47:25,620 --> 03:47:27,960 these things are you know produced in 4171 03:47:27,960 --> 03:47:30,420 mass now so uh you for this money you 4172 03:47:30,420 --> 03:47:32,819 actually get something mechanically can 4173 03:47:32,819 --> 03:47:34,319 be really good 4174 03:47:34,319 --> 03:47:37,979 okay so so that's basically uh there and 4175 03:47:37,979 --> 03:47:39,899 then the thing to know about this is you 4176 03:47:39,899 --> 03:47:41,399 know when you buy this thing right it 4177 03:47:41,399 --> 03:47:43,380 gets shipped across the ocean and comes 4178 03:47:43,380 --> 03:47:46,439 to you and the thing looks like it's 4179 03:47:46,439 --> 03:47:48,960 solid and it's Square in parallel but it 4180 03:47:48,960 --> 03:47:51,540 is not right so every so basically you 4181 03:47:51,540 --> 03:47:53,460 get a collection of mini screws and all 4182 03:47:53,460 --> 03:47:55,020 of them are the random value of not 4183 03:47:55,020 --> 03:47:57,840 tight and for the kind of position that 4184 03:47:57,840 --> 03:48:00,239 we want uh you're gonna have to spend 4185 03:48:00,239 --> 03:48:01,920 some time to make sure that each of 4186 03:48:01,920 --> 03:48:03,359 these things are parallel and vertical 4187 
03:48:03,359 --> 03:48:05,040 because otherwise you're going to get in 4188 03:48:05,040 --> 03:48:06,359 Precision that's going to just kill you 4189 03:48:06,359 --> 03:48:08,700 all the time right turn it into kind of 4190 03:48:08,700 --> 03:48:09,779 a nightmare 4191 03:48:09,779 --> 03:48:12,899 right so once we do that the next thing 4192 03:48:12,899 --> 03:48:15,720 that I did was I took the uh so instead 4193 03:48:15,720 --> 03:48:17,880 of using a stepper motor for the z-axis 4194 03:48:17,880 --> 03:48:20,100 where we're putting basically moving the 4195 03:48:20,100 --> 03:48:23,220 memory chip up and down uh we used a air 4196 03:48:23,220 --> 03:48:25,859 linear piston and the main reason for 4197 03:48:25,859 --> 03:48:27,600 this is because um you know that piston 4198 03:48:27,600 --> 03:48:29,460 is driven by air pressure so it has a 4199 03:48:29,460 --> 03:48:32,100 really nice soft pressure curve right so 4200 03:48:32,100 --> 03:48:36,239 this is a way for us to not have our 4201 03:48:36,239 --> 03:48:38,460 stepper motor like smash the the chip 4202 03:48:38,460 --> 03:48:39,960 into the board and destroy the whole 4203 03:48:39,960 --> 03:48:42,000 thing right so this is a really natural 4204 03:48:42,000 --> 03:48:44,819 way for us to apply the right amount of 4205 03:48:44,819 --> 03:48:46,800 pressure onto the socket with the memory 4206 03:48:46,800 --> 03:48:49,140 and the one thing that you control with 4207 03:48:49,140 --> 03:48:51,300 this is basically the pressure the PSI 4208 03:48:51,300 --> 03:48:53,220 right so we found this thing we 4209 03:48:53,220 --> 03:48:55,500 generally run it at like 10 psi which is 4210 03:48:55,500 --> 03:48:57,600 really little for what this thing is 4211 03:48:57,600 --> 03:48:59,460 actually supposed to do but it is really 4212 03:48:59,460 --> 03:49:03,000 good it is super cheap and very reliable 4213 03:49:03,000 --> 03:49:05,160 and you know talking about making sure 4214 03:49:05,160 --> 
03:49:06,540 like things are parallel and true right 4215 03:49:06,540 --> 03:49:08,819 so what we're going to need is a shim 4216 03:49:08,819 --> 03:49:10,920 stock lots and lots of shim stock and 4217 03:49:10,920 --> 03:49:13,739 this is a activity that you you have to 4218 03:49:13,739 --> 03:49:16,380 do by yourself because if you're doing 4219 03:49:16,380 --> 03:49:17,880 this with a friend or any other person 4220 03:49:17,880 --> 03:49:19,560 for like you'd be doing this for like 4221 03:49:19,560 --> 03:49:21,239 five hours and by the end you want to 4222 03:49:21,239 --> 03:49:24,180 kill each other because you know let me 4223 03:49:24,180 --> 03:49:25,739 just shim this thing right everybody 4224 03:49:25,739 --> 03:49:27,300 does a little bit differently but lots 4225 03:49:27,300 --> 03:49:29,939 of patience uh and an indicator and we 4226 03:49:29,939 --> 03:49:31,560 actually got it to basically be pretty 4227 03:49:31,560 --> 03:49:32,340 good 4228 03:49:32,340 --> 03:49:33,359 um 4229 03:49:33,359 --> 03:49:37,700 yeah yeah I mean 4230 03:49:37,739 --> 03:49:39,720 no this is so boring all right now 4231 03:49:39,720 --> 03:49:41,640 anyway I have P I have not I have a lot 4232 03:49:41,640 --> 03:49:43,800 of patience okay anyway so once you have 4233 03:49:43,800 --> 03:49:45,300 the machine that in theory can move 4234 03:49:45,300 --> 03:49:47,399 reliably you know in vertical in 4235 03:49:47,399 --> 03:49:51,060 parallel like a X Y and Z axis 4236 03:49:51,060 --> 03:49:52,739 um the next thing is like okay so how do 4237 03:49:52,739 --> 03:49:57,420 we drive the the actual uh lead screw in 4238 03:49:57,420 --> 03:49:59,640 order to move the the thing to very 4239 03:49:59,640 --> 03:50:01,859 specific distances and a lot of people 4240 03:50:01,859 --> 03:50:03,300 would say like look man just get a 4241 03:50:03,300 --> 03:50:05,040 stepper motor step or step right like 4242 03:50:05,040 --> 03:50:08,100 you you tell it this is up like 
20 you 4243 03:50:08,100 --> 03:50:10,380 figure out the revolution distance and 4244 03:50:10,380 --> 03:50:12,600 from there you're you're good but but 4245 03:50:12,600 --> 03:50:14,819 here's the problem you know like this is 4246 03:50:14,819 --> 03:50:17,160 like a very specific like you know 4247 03:50:17,160 --> 03:50:20,040 that's ideal case but what if you tell 4248 03:50:20,040 --> 03:50:22,560 it to go like you know 20 steps and it 4249 03:50:22,560 --> 03:50:24,479 loses a step right so you you can't 4250 03:50:24,479 --> 03:50:27,300 actually verify where you are in terms 4251 03:50:27,300 --> 03:50:29,939 of the expected place if you don't have 4252 03:50:29,939 --> 03:50:32,520 some other sensors and and also this is 4253 03:50:32,520 --> 03:50:34,560 uh in the real world right like backlash 4254 03:50:34,560 --> 03:50:36,779 is a thing lead screws are bent you know 4255 03:50:36,779 --> 03:50:39,060 so this is a all the sources of in 4256 03:50:39,060 --> 03:50:41,040 inaccuracy or imprecision that's going 4257 03:50:41,040 --> 03:50:42,720 to kill you over you know like a long 4258 03:50:42,720 --> 03:50:44,640 period right and also multiple 4259 03:50:44,640 --> 03:50:47,399 dimensions so there is a standard answer 4260 03:50:47,399 --> 03:50:49,979 for this problem it's really simple so 4261 03:50:49,979 --> 03:50:51,899 you just take money 4262 03:50:51,899 --> 03:50:54,060 and then you convert it into hardware 4263 03:50:54,060 --> 03:50:56,040 that works right so you buy the right 4264 03:50:56,040 --> 03:50:58,620 hardware and it becomes much more 4265 03:50:58,620 --> 03:51:00,899 precise and typically when it comes to 4266 03:51:00,899 --> 03:51:02,819 linear motion systems 4267 03:51:02,819 --> 03:51:05,100 um resolvers and encoders right so the 4268 03:51:05,100 --> 03:51:06,779 encoder is like pretty standard way to 4269 03:51:06,779 --> 03:51:09,180 do this and what it is is basically a 4270 03:51:09,180 --> 03:51:10,979 quadrature
encoded sort of like a little 4271 03:51:10,979 --> 03:51:13,620 reading thing as we move uh your your 4272 03:51:13,620 --> 03:51:16,560 actuation system uh it basically counts 4273 03:51:16,560 --> 03:51:18,840 how many steps over the each of those 4274 03:51:18,840 --> 03:51:21,060 little ticks it has traveled so this is 4275 03:51:21,060 --> 03:51:23,100 a closed loop feedback system that tells 4276 03:51:23,100 --> 03:51:25,560 you okay I want you to go like 15 4277 03:51:25,560 --> 03:51:28,380 millimeters uh have you actually gone 15 4278 03:51:28,380 --> 03:51:30,000 millimeters and if not I can then 4279 03:51:30,000 --> 03:51:32,220 compensate and and change the the 4280 03:51:32,220 --> 03:51:33,899 stepping sort of commands that I give it 4281 03:51:33,899 --> 03:51:36,060 but you know so these are not terribly 4282 03:51:36,060 --> 03:51:38,160 expensive but like for a nice one you're 4283 03:51:38,160 --> 03:51:40,260 talking like 100 plus dollars plus you 4284 03:51:40,260 --> 03:51:42,060 have to write the code to actually drive 4285 03:51:42,060 --> 03:51:43,439 the thing and there are commercial 4286 03:51:43,439 --> 03:51:44,700 solutions for it but you know like 4287 03:51:44,700 --> 03:51:46,500 things can get pretty expensive pretty 4288 03:51:46,500 --> 03:51:48,840 quickly so 4289 03:51:48,840 --> 03:51:51,000 so the first thing that kind of was a 4290 03:51:51,000 --> 03:51:52,680 game changer for this sort of thing is 4291 03:51:52,680 --> 03:51:55,439 like there are all of these like really 4292 03:51:55,439 --> 03:51:57,060 interesting Motors that are coming onto 4293 03:51:57,060 --> 03:51:58,859 the market now so this is actually for 4294 03:51:58,859 --> 03:52:01,500 you know like small size CNC machines uh 4295 03:52:01,500 --> 03:52:03,420 mostly hobbyists but people make like 4296 03:52:03,420 --> 03:52:05,939 micronic stuff with with this and what 4297 03:52:05,939 --> 03:52:08,040 this is is it's the same form factor in 4298 
03:52:08,040 --> 03:52:10,620 the same control basically as a stepper 4299 03:52:10,620 --> 03:52:13,020 motor but it has all this actual 4300 03:52:13,020 --> 03:52:16,319 real-time sensors encoders uh and and 4301 03:52:16,319 --> 03:52:18,239 the code that basically controls this 4302 03:52:18,239 --> 03:52:21,720 thing in a closed loop way right and it 4303 03:52:21,720 --> 03:52:24,420 basically is the same footprint as any 4304 03:52:24,420 --> 03:52:26,460 sort of drop-in replace stepper motor 4305 03:52:26,460 --> 03:52:28,739 and uh you know instead of like 20 bucks 4306 03:52:28,739 --> 03:52:31,439 this is 300 but what would you get this 4307 03:52:31,439 --> 03:52:33,359 thing is actually really really good 4308 03:52:33,359 --> 03:52:36,120 all right so that's one approach the 4309 03:52:36,120 --> 03:52:37,319 other approach is something that I 4310 03:52:37,319 --> 03:52:39,300 actually super like 4311 03:52:39,300 --> 03:52:41,520 um so instead of doing all of that with 4312 03:52:41,520 --> 03:52:42,840 all the sensors and monitoring the 4313 03:52:42,840 --> 03:52:44,460 current and the torque and stuff and the 4314 03:52:44,460 --> 03:52:47,220 real-time control right there was this 4315 03:52:47,220 --> 03:52:48,899 uh open source project that you know I 4316 03:52:48,899 --> 03:52:50,399 think a lot of Chinese manufacturers 4317 03:52:50,399 --> 03:52:53,040 have kind of adopted but basically you 4318 03:52:53,040 --> 03:52:55,979 have a board uh you have um a kind of 4319 03:52:55,979 --> 03:52:58,380 like a stm32 that does real-time control 4320 03:52:58,380 --> 03:53:01,380 and you have a hall effect sensor right 4321 03:53:01,380 --> 03:53:03,300 that keeps track of rotation through a 4322 03:53:03,300 --> 03:53:05,880 magnet and then you glue a round magnet 4323 03:53:05,880 --> 03:53:07,560 to the bottom of the shaft of your 4324 03:53:07,560 --> 03:53:08,939 stepper motor that costs you like 30 4325 03:53:08,939 --> 03:53:10,680 bucks so 
you can buy this right now on 4326 03:53:10,680 --> 03:53:14,640 Amazon for like yeah 20 27 and it comes 4327 03:53:14,640 --> 03:53:17,040 with all of that and basically gives you 4328 03:53:17,040 --> 03:53:19,560 real-time closed loop control at least 4329 03:53:19,560 --> 03:53:21,779 as far as rotation goes right so the 4330 03:53:21,779 --> 03:53:22,859 next thing you have to do is make sure 4331 03:53:22,859 --> 03:53:24,960 that you know once you rotate your lead 4332 03:53:24,960 --> 03:53:27,359 screw one turn that thing actually is 4333 03:53:27,359 --> 03:53:29,819 well made and manufactured correctly and 4334 03:53:29,819 --> 03:53:32,220 if you don't lose any steps uh this will 4335 03:53:32,220 --> 03:53:34,260 be pretty accurate so code 4336 03:53:34,260 --> 03:53:37,500 here's uh some videos all right so let's 4337 03:53:37,500 --> 03:53:39,359 look at this 4338 03:53:39,359 --> 03:53:42,359 so this is uh the CNC machine moving 4339 03:53:42,359 --> 03:53:44,700 with the Technic motor that I talked 4340 03:53:44,700 --> 03:53:46,319 about and that's a little indicator 4341 03:53:46,319 --> 03:53:48,479 we're basically moving the thing twice 4342 03:53:48,479 --> 03:53:50,580 uh and hitting you know basically 4343 03:53:50,580 --> 03:53:53,520 measuring the position right of that 4344 03:53:53,520 --> 03:53:56,100 edge and basically that's what they call 4345 03:53:56,100 --> 03:53:57,779 like dead nuts right so like for 300 4346 03:53:57,779 --> 03:54:00,239 bucks and the CNC where this little 4347 03:54:00,239 --> 03:54:02,279 mechanical machine we were able to get 4348 03:54:02,279 --> 03:54:05,880 reproducibility Precision around I mean 4349 03:54:05,880 --> 03:54:07,319 this is half a thousandth of an inch 4350 03:54:07,319 --> 03:54:09,840 which is like 12 and a half microns and 4351 03:54:09,840 --> 03:54:12,000 it basically is dead nuts so you know 4352 03:54:12,000 --> 03:54:14,220 like single digit Micron repeatability 4353 03:54:14,220 
--> 03:54:16,140 on this machine that basically was like 4354 03:54:16,140 --> 03:54:18,840 800 bucks right so that's pretty cool 4355 03:54:18,840 --> 03:54:22,859 but so this one is uh essential another 4356 03:54:22,859 --> 03:54:25,560 little machine that we we built for 4357 03:54:25,560 --> 03:54:28,020 um doing a high resolution sort of like 4358 03:54:28,020 --> 03:54:29,819 photos of pcbs that we can then 4359 03:54:29,819 --> 03:54:31,739 reassemble right and we're getting 4360 03:54:31,739 --> 03:54:34,140 exactly the same result uh and these 4361 03:54:34,140 --> 03:54:36,359 motors are 30 bucks each right so this 4362 03:54:36,359 --> 03:54:37,920 is the hall effect sensor version of it 4363 03:54:37,920 --> 03:54:39,899 so you know you can go either way but 4364 03:54:39,899 --> 03:54:41,939 there are really affordable solutions 4365 03:54:41,939 --> 03:54:43,800 that allow you to take you know 4366 03:54:43,800 --> 03:54:46,020 mechanically something that's decent and 4367 03:54:46,020 --> 03:54:47,640 then add this kind of close loop control 4368 03:54:47,640 --> 03:54:49,760 to it to give you really really 4369 03:54:49,760 --> 03:54:52,500 impressive sort of precision and linear 4370 03:54:52,500 --> 03:54:53,880 actuation 4371 03:54:53,880 --> 03:54:56,699 okay so that's basically um the first 4372 03:54:56,699 --> 03:54:58,380 problem solved 4373 03:54:58,380 --> 03:55:00,899 all right so the second problem is okay 4374 03:55:00,899 --> 03:55:03,960 so if we can move the the memory like we 4375 03:55:03,960 --> 03:55:06,479 if we have the ability to position the 4376 03:55:06,479 --> 03:55:08,460 thing right how do we get the memory 4377 03:55:08,460 --> 03:55:09,720 chip like 4378 03:55:09,720 --> 03:55:12,660 onto the test pads or into the the 4379 03:55:12,660 --> 03:55:14,040 socket 4380 03:55:14,040 --> 03:55:14,880 um 4381 03:55:14,880 --> 03:55:17,640 in a in a repeatable way so here's the 4382 03:55:17,640 --> 03:55:20,399 game changer 
here right so uh unlike a 4383 03:55:20,399 --> 03:55:23,699 clamshell sort of test socket setup what 4384 03:55:23,699 --> 03:55:25,859 they have is um this is a like an 4385 03:55:25,859 --> 03:55:28,859 elastic polymer test socket which 4386 03:55:28,859 --> 03:55:31,560 basically is just silicone right that's 4387 03:55:31,560 --> 03:55:34,260 an insulator and then 3D printed columns 4388 03:55:34,260 --> 03:55:37,199 of silicone with like doped silver or or 4389 03:55:37,199 --> 03:55:39,540 gold particles right they literally look 4390 03:55:39,540 --> 03:55:42,359 like little cupcakes right and the and 4391 03:55:42,359 --> 03:55:44,699 the thing over here is uh what that test 4392 03:55:44,699 --> 03:55:47,460 socket looks like under microscope just 4393 03:55:47,460 --> 03:55:48,840 you know with a standard Cisco phone 4394 03:55:48,840 --> 03:55:51,239 that we have back over there and so this 4395 03:55:51,239 --> 03:55:53,040 um it's compliant so it's squishy right 4396 03:55:53,040 --> 03:55:55,859 it has like the consistency of like a 4397 03:55:55,859 --> 03:55:57,540 little bit denser than gummy bear right 4398 03:55:57,540 --> 03:55:59,880 and what it does is basically if you 4399 03:55:59,880 --> 03:56:02,399 press like just hard enough then the 4400 03:56:02,399 --> 03:56:04,920 balls will compress the the vertical 4401 03:56:04,920 --> 03:56:08,520 columns of conductive material and um 4402 03:56:08,520 --> 03:56:10,979 it it just works and the way you put the 4403 03:56:10,979 --> 03:56:12,779 socket on we literally just position it 4404 03:56:12,779 --> 03:56:15,359 uh with our fingers under microscope and 4405 03:56:15,359 --> 03:56:17,100 we add a little bit of Kapton tape to 4406 03:56:17,100 --> 03:56:19,739 keep it there on the surface no 4407 03:56:19,739 --> 03:56:21,540 soldering nothing right it's actually 4408 03:56:21,540 --> 03:56:24,540 super duper awesome and this has been 4409 03:56:24,540 --> 03:56:26,580 around for probably 20
years but you 4410 03:56:26,580 --> 03:56:28,500 know in the past uh you can get one of 4411 03:56:28,500 --> 03:56:30,720 these and they're really you know rated 4412 03:56:30,720 --> 03:56:33,359 for like awesome specs but you have to 4413 03:56:33,359 --> 03:56:35,160 like these are super expensive you know 4414 03:56:35,160 --> 03:56:37,080 Japan and Germany makes them but you're 4415 03:56:37,080 --> 03:56:38,699 talking probably about like a few 4416 03:56:38,699 --> 03:56:39,840 hundred dollars to a few thousand 4417 03:56:39,840 --> 03:56:40,979 dollars to get something like this 4418 03:56:40,979 --> 03:56:42,180 working 4419 03:56:42,180 --> 03:56:45,000 but we're in the future now so that's no 4420 03:56:45,000 --> 03:56:47,699 longer true we found I mean this is a 4421 03:56:47,699 --> 03:56:49,080 basically a standard supplier on 4422 03:56:49,080 --> 03:56:50,880 AliExpress or taobao one of these things 4423 03:56:50,880 --> 03:56:52,439 so we bought 4424 03:56:52,439 --> 03:56:53,040 um 4425 03:56:53,040 --> 03:56:55,500 what is it 40 of those sockets and they 4426 03:56:55,500 --> 03:56:58,560 do like short run custom socket fixers 4427 03:56:58,560 --> 03:57:00,540 because these are essentially 3D printed 4428 03:57:00,540 --> 03:57:02,460 so we got 40 of those for like a 4429 03:57:02,460 --> 03:57:03,600 thousand bucks 4430 03:57:03,600 --> 03:57:05,880 right and these things you know have uh 4431 03:57:05,880 --> 03:57:07,380 like a lifespan of you know something 4432 03:57:07,380 --> 03:57:08,760 ridiculous like a hundred thousand 4433 03:57:08,760 --> 03:57:11,220 compression cycles and they take up to 4434 03:57:11,220 --> 03:57:13,500 like you know Amsterdam's of power at 4435 03:57:13,500 --> 03:57:16,199 normal voltages and they can basically 4436 03:57:16,199 --> 03:57:18,000 do like up to 40 gigahertz blah blah 4437 03:57:18,000 --> 03:57:20,279 blah testing bandwidth not exactly 4438 03:57:20,279 --> 03:57:21,420 something we need but 
definitely 4439 03:57:21,420 --> 03:57:24,060 definitely enough for memory ripping and 4440 03:57:24,060 --> 03:57:26,520 also for uh it's definitely cheap enough 4441 03:57:26,520 --> 03:57:28,800 so once we have that right the next 4442 03:57:28,800 --> 03:57:30,960 thing is how do we make a thing that's 4443 03:57:30,960 --> 03:57:32,819 like close loop cooling right so you 4444 03:57:32,819 --> 03:57:35,399 know this is uh you would think this is 4445 03:57:35,399 --> 03:57:37,319 like a solved problem and it kind of is 4446 03:57:37,319 --> 03:57:39,960 but you know we need the temperatures 4447 03:57:39,960 --> 03:57:41,819 for this to be down like negative 50 4448 03:57:41,819 --> 03:57:45,120 Celsius and water freezes at zero right 4449 03:57:45,120 --> 03:57:46,859 so you know but I thought like if 4450 03:57:46,859 --> 03:57:48,120 there's one group of people that has 4451 03:57:48,120 --> 03:57:50,100 solved this problem it would be the 4452 03:57:50,100 --> 03:57:51,600 gaming sort of like overclocking 4453 03:57:51,600 --> 03:57:53,160 community and I started doing some 4454 03:57:53,160 --> 03:57:55,199 research and here's the state of the art 4455 03:57:55,199 --> 03:57:57,960 of how we cool computers like that 4456 03:57:57,960 --> 03:58:00,899 all right so 4457 03:58:00,899 --> 03:58:03,660 yeah like the thing on the right upper 4458 03:58:03,660 --> 03:58:06,420 right hand corner is a liquid nitrogen 4459 03:58:06,420 --> 03:58:08,760 evaporator cup and I was like I don't 4460 03:58:08,760 --> 03:58:11,819 understand how how how work right you 4461 03:58:11,819 --> 03:58:14,939 you what does it do so the way people do 4462 03:58:14,939 --> 03:58:16,500 this for overclocking high performance 4463 03:58:16,500 --> 03:58:19,199 Computing thing is you take a thermos of 4464 03:58:19,199 --> 03:58:21,300 liquid nitrogen and a torch okay you 4465 03:58:21,300 --> 03:58:23,040 have to have both and you pour the 4466 03:58:23,040 --> 03:58:25,319 liquid 
nitrogen well first you put the 4467 03:58:25,319 --> 03:58:26,939 evaporator cup which is a piece of metal 4468 03:58:26,939 --> 03:58:28,859 right on top of the thing you want to 4469 03:58:28,859 --> 03:58:30,120 cool which is generally like the 4470 03:58:30,120 --> 03:58:33,120 processor of the CPU or the GPU and then 4471 03:58:33,120 --> 03:58:35,640 you pour the liquid nitrogen by hand and 4472 03:58:35,640 --> 03:58:37,140 then you kind of like go with your gut 4473 03:58:37,140 --> 03:58:39,120 and say huh if it gets too cold 4474 03:58:39,120 --> 03:58:41,220 condensation will form so you take the 4475 03:58:41,220 --> 03:58:43,199 torch and then you heat the other side 4476 03:58:43,199 --> 03:58:45,479 of the board uh and that's the state of 4477 03:58:45,479 --> 03:58:46,260 the art 4478 03:58:46,260 --> 03:58:49,199 yeah I I know I know like it took me 4479 03:58:49,199 --> 03:58:50,580 like two nights to figure out like this 4480 03:58:50,580 --> 03:58:52,859 is this is how you guys do it so like we 4481 03:58:52,859 --> 03:58:54,720 can't do that right like I wanted and 4482 03:58:54,720 --> 03:58:57,239 needed something that uh doesn't require 4483 03:58:57,239 --> 03:59:00,479 this level of manual intervention so we 4484 03:59:00,479 --> 03:59:02,040 went to the machine shop and we built 4485 03:59:02,040 --> 03:59:03,060 this thing 4486 03:59:03,060 --> 03:59:05,340 it looks like a little piggy face but it 4487 03:59:05,340 --> 03:59:07,800 really is like a copper like a brass uh 4488 03:59:07,800 --> 03:59:09,479 water block 4489 03:59:09,479 --> 03:59:12,120 um and this thing gets uh so the liquid 4490 03:59:12,120 --> 03:59:14,460 inside can't be you know water it can't 4491 03:59:14,460 --> 03:59:15,840 really even be anti-freeze because 4492 03:59:15,840 --> 03:59:18,540 antifreeze generally freezes at like -30 4493 03:59:18,540 --> 03:59:21,300 ish Celsius so we ended up using 4494 03:59:21,300 --> 03:59:24,960 isopropyl alcohol like IPA 
99 IPA which 4495 03:59:24,960 --> 03:59:26,819 I think free has a freezing point of 4496 03:59:26,819 --> 03:59:28,979 like minus 60 Celsius which is you know 4497 03:59:28,979 --> 03:59:31,620 pretty good uh and then uh basically you 4498 03:59:31,620 --> 03:59:34,319 push the liquid inside this uh tube 4499 03:59:34,319 --> 03:59:36,600 through a pump and you have a heat 4500 03:59:36,600 --> 03:59:39,300 exchanger that sits inside a bath of IPA 4501 03:59:39,300 --> 03:59:41,160 as well right and then you just toss 4502 03:59:41,160 --> 03:59:43,859 whatever cold thing into that ice bath 4503 03:59:43,859 --> 03:59:46,920 right or IPA bath as long as it's cold 4504 03:59:46,920 --> 03:59:49,500 it exchanges heat you know with the the 4505 03:59:49,500 --> 03:59:50,880 liquid inside and then the pump 4506 03:59:50,880 --> 03:59:53,939 circulates uh the liquid to the the 4507 03:59:53,939 --> 03:59:55,859 brass block and there you go right so 4508 03:59:55,859 --> 03:59:58,680 this is um this works so the thing that 4509 03:59:58,680 --> 04:00:01,620 you have to watch out for is uh well so 4510 04:00:01,620 --> 04:00:04,380 um dry ice it has a vapor point of I 4511 04:00:04,380 --> 04:00:06,000 think something like minus 50 which is 4512 04:00:06,000 --> 04:00:08,760 kind of perfect liquid nitrogen was 4513 04:00:08,760 --> 04:00:10,979 easier to get for us but has a vapor or 4514 04:00:10,979 --> 04:00:13,920 has a vapor point of 100 minus 198 4515 04:00:13,920 --> 04:00:15,899 Celsius right so that's like way past 4516 04:00:15,899 --> 04:00:17,279 the freezing point of any of these 4517 04:00:17,279 --> 04:00:19,140 liquids that you know we had access to 4518 04:00:19,140 --> 04:00:21,120 and then the stuff that doesn't really 4519 04:00:21,120 --> 04:00:23,399 freeze at that temperatures like crazy 4520 04:00:23,399 --> 04:00:25,380 Benzene stuff that I just didn't want to 4521 04:00:25,380 --> 04:00:27,960 touch so uh basically like you need to 4522 
04:00:27,960 --> 04:00:30,180 have a pump that is 4523 04:00:30,180 --> 04:00:32,479 almost always like pushing ice or 4524 04:00:32,479 --> 04:00:35,100 isopropyl alcohol slushy 4525 04:00:35,100 --> 04:00:37,020 through the tube right because it's 4526 04:00:37,020 --> 04:00:39,000 generally not really all that liquid 4527 04:00:39,000 --> 04:00:41,160 but um but we did it and then another 4528 04:00:41,160 --> 04:00:42,899 thing that we found out is uh any kind 4529 04:00:42,899 --> 04:00:45,779 of impeller pump right creates heat and 4530 04:00:45,779 --> 04:00:47,040 it creates more heat than we can take 4531 04:00:47,040 --> 04:00:48,660 away from the diameter of the liquid 4532 04:00:48,660 --> 04:00:51,479 flowing through the thing so the only 4533 04:00:51,479 --> 04:00:53,460 type of pump that kind of works for this 4534 04:00:53,460 --> 04:00:55,380 is uh this thing called the peristaltic 4535 04:00:55,380 --> 04:00:56,880 pump so this is the sort of thing that 4536 04:00:56,880 --> 04:00:59,939 they use in like uh dialysis machines 4537 04:00:59,939 --> 04:01:02,760 and stuff like that basically it this 4538 04:01:02,760 --> 04:01:04,260 machine pushes liquid through without 4539 04:01:04,260 --> 04:01:06,300 ever having the impeller or the 4540 04:01:06,300 --> 04:01:09,239 mechanical setup touch the liquid that 4541 04:01:09,239 --> 04:01:11,040 you're pushing through and it has like 4542 04:01:11,040 --> 04:01:13,439 basically this roller that is just 4543 04:01:13,439 --> 04:01:15,420 squeezing the tube and moving the water 4544 04:01:15,420 --> 04:01:17,699 or the liquid through that and it has 4545 04:01:17,699 --> 04:01:19,439 this really nice uh sort of effect of 4546 04:01:19,439 --> 04:01:21,120 not imparting too much heat right into 4547 04:01:21,120 --> 04:01:22,800 the liquid which is uh the thing that we 4548 04:01:22,800 --> 04:01:25,859 needed so that totally worked and this 4549 04:01:25,859 --> 04:01:27,600 is what it looks like 4550
04:01:27,600 --> 04:01:30,300 and we went liquid nitrogen last year 4551 04:01:30,300 --> 04:01:31,140 because I don't know if you guys 4552 04:01:31,140 --> 04:01:33,120 remember but like New York City had a 4553 04:01:33,120 --> 04:01:34,739 dry ice shortage because of the cold 4554 04:01:34,739 --> 04:01:36,600 chain it was really hot so we couldn't 4555 04:01:36,600 --> 04:01:38,760 even get dry ice when we wanted so we 4556 04:01:38,760 --> 04:01:40,680 built the system they handle both dry 4557 04:01:40,680 --> 04:01:43,560 ice and uh liquid nitrogen 4558 04:01:43,560 --> 04:01:46,080 so the thing goes Burr right like the 4559 04:01:46,080 --> 04:01:48,420 the water block gets cold and if you 4560 04:01:48,420 --> 04:01:50,819 keep the the ram chip on it it keeps the 4561 04:01:50,819 --> 04:01:53,460 the chip certainly below minus 50 4562 04:01:53,460 --> 04:01:55,260 degrees Celsius when things are just 4563 04:01:55,260 --> 04:01:56,399 working right 4564 04:01:56,399 --> 04:01:58,699 condensation is always a problem 4565 04:01:58,699 --> 04:02:00,840 and we have some practical ways of 4566 04:02:00,840 --> 04:02:02,220 solving that but basically like unless 4567 04:02:02,220 --> 04:02:04,859 you're in a really dry room you're going 4568 04:02:04,859 --> 04:02:06,779 to get ice build up on your memory right 4569 04:02:06,779 --> 04:02:08,520 and the way to prevent that is 4570 04:02:08,520 --> 04:02:10,680 essentially uh keeping the the memory 4571 04:02:10,680 --> 04:02:13,260 chip on the elastomer's socket so that 4572 04:02:13,260 --> 04:02:15,899 way ice doesn't get a chance to form on 4573 04:02:15,899 --> 04:02:17,460 the surface of the metal because it's 4574 04:02:17,460 --> 04:02:18,779 being compressed on the socket when 4575 04:02:18,779 --> 04:02:20,580 you're not using it and that was a kind 4576 04:02:20,580 --> 04:02:22,500 of like a pretty easy way to solve that 4577 04:02:22,500 --> 04:02:23,220 problem 4578 04:02:23,220 --> 04:02:27,120 
okay all right so now we have the CNC we 4579 04:02:27,120 --> 04:02:29,160 have the magical socket we have a way to 4580 04:02:29,160 --> 04:02:31,979 cool it right how do we pull a five 4581 04:02:31,979 --> 04:02:34,560 memory chips off at the same time in the 4582 04:02:34,560 --> 04:02:36,720 same point of execution uh and 4583 04:02:36,720 --> 04:02:38,640 reconstruct the memory so we're doing 4584 04:02:38,640 --> 04:02:40,979 this at the bootloader and we've through 4585 04:02:40,979 --> 04:02:44,220 basically like guesses uh we confirmed 4586 04:02:44,220 --> 04:02:45,600 that this is essentially very 4587 04:02:45,600 --> 04:02:47,939 deterministic execution of code because 4588 04:02:47,939 --> 04:02:49,680 it is just a bootloader right it doesn't 4589 04:02:49,680 --> 04:02:52,620 have random weights so think about this 4590 04:02:52,620 --> 04:02:54,840 though right like this is probably the 4591 04:02:54,840 --> 04:02:57,660 800 megahertz processor Uh custom you 4592 04:02:57,660 --> 04:02:59,399 know like memory manager but you know 4593 04:02:59,399 --> 04:03:01,560 how do you pull the same well how do you 4594 04:03:01,560 --> 04:03:04,080 pull memory chip off at the same time in 4595 04:03:04,080 --> 04:03:05,699 execution you know even on something 4596 04:03:05,699 --> 04:03:07,500 like that's 800 megahertz you're 4597 04:03:07,500 --> 04:03:08,699 probably talking about like less than 4598 04:03:08,699 --> 04:03:11,399 100 nanoseconds of time where you have 4599 04:03:11,399 --> 04:03:13,199 some chance of basically pulling the 4600 04:03:13,199 --> 04:03:15,840 memory off right so that's that's really 4601 04:03:15,840 --> 04:03:17,699 fast and you know we don't have that or 4602 04:03:17,699 --> 04:03:19,260 we don't want to really have to engineer 4603 04:03:19,260 --> 04:03:20,699 out that precision 4604 04:03:20,699 --> 04:03:22,800 so here's what we did 4605 04:03:22,800 --> 04:03:24,899 we took a near field probe and we put it 4606 
04:03:24,899 --> 04:03:27,779 onto the thing right and what we're 4607 04:03:27,779 --> 04:03:29,819 looking for is basically memory 4608 04:03:29,819 --> 04:03:31,199 stability right like we want to pull the 4609 04:03:31,199 --> 04:03:33,300 memory chip off when the memory doesn't 4610 04:03:33,300 --> 04:03:35,460 change that much and what does that look 4611 04:03:35,460 --> 04:03:37,380 like it looks like CPU bound operation 4612 04:03:37,380 --> 04:03:38,880 right so if you're bound by CPU 4613 04:03:38,880 --> 04:03:40,439 operations guess what you're not doing 4614 04:03:40,439 --> 04:03:43,199 you're not writing to memory so using 4615 04:03:43,199 --> 04:03:46,979 the the spec an and EM uh emissions we 4616 04:03:46,979 --> 04:03:49,500 just basically found periods where the 4617 04:03:49,500 --> 04:03:51,660 execution is completely CPU bound where 4618 04:03:51,660 --> 04:03:54,060 we have memory stability so this took 4619 04:03:54,060 --> 04:03:56,040 the thing from like maybe tens of 4620 04:03:56,040 --> 04:03:58,800 nanoseconds of timing requirement to I 4621 04:03:58,800 --> 04:04:00,000 don't know like 4622 04:04:00,000 --> 04:04:02,760 had dozens of milliseconds right so like 4623 04:04:02,760 --> 04:04:04,680 a long time for us to be able to just 4624 04:04:04,680 --> 04:04:06,600 pull the memory off one chip at a time 4625 04:04:06,600 --> 04:04:08,399 where we have memory stability 4626 04:04:08,399 --> 04:04:11,220 okay and then we did that it worked 4627 04:04:11,220 --> 04:04:13,380 and 4628 04:04:13,380 --> 04:04:15,540 uh the next thing we have to do is build 4629 04:04:15,540 --> 04:04:17,580 the physical thing that actually reads 4630 04:04:17,580 --> 04:04:20,460 the the ram chip once we've cooled it 4631 04:04:20,460 --> 04:04:23,760 how to run on the computer Target uh and 4632 04:04:23,760 --> 04:04:26,100 and it's frozen so basically we just 4633 04:04:26,100 --> 04:04:29,279 wrote a like we made a little fpga board 4634
04:04:29,279 --> 04:04:30,960 so we actually wrote our first one 4635 04:04:30,960 --> 04:04:34,380 ourselves for lpddr1 for the uh the 4636 04:04:34,380 --> 04:04:37,380 Siemens PLC but we that sucked and it 4637 04:04:37,380 --> 04:04:39,000 was really hard and you have to keep you 4638 04:04:39,000 --> 04:04:41,279 know the inductance and the timing of 4639 04:04:41,279 --> 04:04:43,859 all of these lines uh the same or 4640 04:04:43,859 --> 04:04:45,660 controlled but then we saw that like 4641 04:04:45,660 --> 04:04:47,880 once we are talking about ddr2 and three 4642 04:04:47,880 --> 04:04:50,699 like fairly cheap modern fpga dev 4643 04:04:50,699 --> 04:04:52,739 boards just have that memory interface 4644 04:04:52,739 --> 04:04:54,660 built into it so we started using these 4645 04:04:54,660 --> 04:04:57,180 digital and uh you know like fpga dev 4646 04:04:57,180 --> 04:04:59,580 boards that uh had exactly the same 4647 04:04:59,580 --> 04:05:02,580 memory physical memory footprint layout 4648 04:05:02,580 --> 04:05:04,800 as the the chip that we wanted and all 4649 04:05:04,800 --> 04:05:06,720 we had to do was basically desolder the 4650 04:05:06,720 --> 04:05:09,180 chip put the socket on and and use this 4651 04:05:09,180 --> 04:05:10,979 thing which is like 200 bucks right 4652 04:05:10,979 --> 04:05:12,420 versus a custom board that we had to 4653 04:05:12,420 --> 04:05:13,439 roll out 4654 04:05:13,439 --> 04:05:15,600 all right and then the last thing we 4655 04:05:15,600 --> 04:05:17,399 have to do is 4656 04:05:17,399 --> 04:05:20,880 write some verilog right 4657 04:05:20,880 --> 04:05:23,160 I am not an fpga person so like other 4658 04:05:23,160 --> 04:05:25,199 people way smarter than me help helped 4659 04:05:25,199 --> 04:05:27,479 us do this uh 4660 04:05:27,479 --> 04:05:29,100 there's nothing more to say about this 4661 04:05:29,100 --> 04:05:31,319 that's it like 4662 04:05:31,319 --> 04:05:33,420 it was easy you know like nothing went
4663 04:05:33,420 --> 04:05:34,800 wrong at all like the timing was all 4664 04:05:34,800 --> 04:05:37,080 cool but yeah it took a lot of tweaking 4665 04:05:37,080 --> 04:05:39,600 but basically what we're doing is this 4666 04:05:39,600 --> 04:05:43,199 so this is the actual diagram for uh the 4667 04:05:43,199 --> 04:05:45,899 state transition diagram for DDR3 memory 4668 04:05:45,899 --> 04:05:48,120 so it's not as simple as just power the 4669 04:05:48,120 --> 04:05:50,100 thing up and then like send it to 4670 04:05:50,100 --> 04:05:51,899 command for read right there there's a 4671 04:05:51,899 --> 04:05:53,520 whole lot of State here for refresh 4672 04:05:53,520 --> 04:05:55,859 cycles for writing and reading right and 4673 04:05:55,859 --> 04:05:58,620 for idle but essentially you know if you 4674 04:05:58,620 --> 04:06:00,960 had to uh for the reader you don't 4675 04:06:00,960 --> 04:06:02,760 really want to you don't have to enforce 4676 04:06:02,760 --> 04:06:04,439 this as long as the chip gives you data 4677 04:06:04,439 --> 04:06:07,560 from the physical you know device so we 4678 04:06:07,560 --> 04:06:09,540 basically wrote our own little verilog 4679 04:06:09,540 --> 04:06:11,640 thing that had some of the state machine 4680 04:06:11,640 --> 04:06:14,359 stuff uh requirements less strict 4681 04:06:14,359 --> 04:06:16,500 basically as soon as we can pop the 4682 04:06:16,500 --> 04:06:19,319 memory chip on it will just try to put 4683 04:06:19,319 --> 04:06:22,319 it out of idle and continue to read 4684 04:06:22,319 --> 04:06:24,720 and and it worked actually so that was 4685 04:06:24,720 --> 04:06:26,160 pretty cool all right so here's what we 4686 04:06:26,160 --> 04:06:29,220 did right we uh built a CNC thing that's 4687 04:06:29,220 --> 04:06:30,979 pretty precise we found the magical 4688 04:06:30,979 --> 04:06:33,479 elastomer compression socket that worked 4689 04:06:33,479 --> 04:06:36,180 super awesomely and they're very cheap 4690
04:06:36,180 --> 04:06:38,399 and then we figured out this way to do 4691 04:06:38,399 --> 04:06:41,040 actual like closed loop cooling with uh 4692 04:06:41,040 --> 04:06:43,439 that takes either dry ice or liquid 4693 04:06:43,439 --> 04:06:45,420 nitrogen we figured out how to extract 4694 04:06:45,420 --> 04:06:47,580 the thing at the right time and we 4695 04:06:47,580 --> 04:06:49,680 basically reassembled the memory chip 4696 04:06:49,680 --> 04:06:52,620 data across the five chips saw the 4697 04:06:52,620 --> 04:06:54,660 bootloader did the thing and then and then 4698 04:06:54,660 --> 04:06:56,640 it basically all worked 4699 04:06:56,640 --> 04:06:58,800 um and uh 4700 04:06:58,800 --> 04:07:00,779 you know so the actual robot is like 4701 04:07:00,779 --> 04:07:02,340 back over there is instead of me showing 4702 04:07:02,340 --> 04:07:04,080 you the the video like you should go 4703 04:07:04,080 --> 04:07:06,420 play with it but um after all of that 4704 04:07:06,420 --> 04:07:09,060 right then it became the the task of 4705 04:07:09,060 --> 04:07:11,939 like figuring out how the the PLC worked 4706 04:07:11,939 --> 04:07:14,040 and the Heart of the vulnerability is 4707 04:07:14,040 --> 04:07:15,720 this and this is you know super duper 4708 04:07:15,720 --> 04:07:16,800 interesting maybe for another date 4709 04:07:16,800 --> 04:07:20,100 another talk but um what we found is the 4710 04:07:20,100 --> 04:07:23,279 Siemens S7 1500 PLC like the secure boot 4711 04:07:23,279 --> 04:07:26,640 algorithm uses symmetric encryption 4712 04:07:26,640 --> 04:07:30,120 instead of signature verification 4713 04:07:30,120 --> 04:07:33,540 think about that right like I 4714 04:07:33,540 --> 04:07:37,500 you know like I how to express so 4715 04:07:37,500 --> 04:07:39,899 yeah instead of taking the signature of 4716 04:07:39,899 --> 04:07:42,060 the thing that it wants to boot if the 4717 04:07:42,060 --> 04:07:44,939 thing decrypts then it boots 4718 04:07:44,939
--> 04:07:47,340 that's it right and you know that's a 4719 04:07:47,340 --> 04:07:48,779 kind of dumb but like you know they're 4720 04:07:48,779 --> 04:07:50,880 like hold on hold on hold on right it's 4721 04:07:50,880 --> 04:07:53,760 symmetric encryption true but we have an 4722 04:07:53,760 --> 04:07:56,279 external security chip that escrows that 4723 04:07:56,279 --> 04:07:58,319 key right it's the A-Tech chip this is 4724 04:07:58,319 --> 04:08:00,600 like very frequently used I've seen you 4725 04:08:00,600 --> 04:08:02,640 know this used in like I don't know 4726 04:08:02,640 --> 04:08:04,439 security at several different radios and 4727 04:08:04,439 --> 04:08:07,620 car fobs uh and and things like this and 4728 04:08:07,620 --> 04:08:09,180 basically this is an external security 4729 04:08:09,180 --> 04:08:11,520 module that does a lot of what TPM does 4730 04:08:11,520 --> 04:08:14,220 but this speaks i2c and it's like a 4731 04:08:14,220 --> 04:08:15,720 hundred times cheaper and easier to 4732 04:08:15,720 --> 04:08:17,279 integrate and it does have the 4733 04:08:17,279 --> 04:08:18,960 functionality of like escrowing the keys 4734 04:08:18,960 --> 04:08:20,220 so you can't actually read out the 4735 04:08:20,220 --> 04:08:23,460 decryption key right which is fine 4736 04:08:23,460 --> 04:08:25,739 except like if we just remember one 4737 04:08:25,739 --> 04:08:26,819 second how 4738 04:08:26,819 --> 04:08:29,040 symmetric encryption works right so like 4739 04:08:29,040 --> 04:08:31,439 the same firmware has the boot on all of 4740 04:08:31,439 --> 04:08:33,899 the PLC instances so they have to use 4741 04:08:33,899 --> 04:08:36,239 the same symmetric key it has to be 4742 04:08:36,239 --> 04:08:40,319 literally inside the PLC right and this 4743 04:08:40,319 --> 04:08:41,819 is a whole thing about like mistress and 4744 04:08:41,819 --> 04:08:44,279 trust that secured chip is built into 4745 04:08:44,279 --> 04:08:46,260 the circuit board of the 
PLC but it 4746 04:08:46,260 --> 04:08:48,420 speaks i2c and it doesn't actually do 4747 04:08:48,420 --> 04:08:51,540 any uh authentication or security at on 4748 04:08:51,540 --> 04:08:54,600 that interface and basically it trusts 4749 04:08:54,600 --> 04:08:56,880 whatever speaks i2c to it so we just 4750 04:08:56,880 --> 04:08:58,260 bought one of these things and we 4751 04:08:58,260 --> 04:09:00,000 soldered the pin over there and we speak 4752 04:09:00,000 --> 04:09:02,100 i2c to it and we use this as an oracle 4753 04:09:02,100 --> 04:09:04,979 to encrypt whatever we want and as soon 4754 04:09:04,979 --> 04:09:06,420 as we do that you can make the thing 4755 04:09:06,420 --> 04:09:09,060 that's one block like one 4K block of 4756 04:09:09,060 --> 04:09:11,460 code that Boots the system so again 4757 04:09:11,460 --> 04:09:14,460 right this is like single digit possibly 4758 04:09:14,460 --> 04:09:16,500 double digit percentage of the entire 4759 04:09:16,500 --> 04:09:19,680 world's PLC infrastructure in the ground 4760 04:09:19,680 --> 04:09:20,699 today 4761 04:09:20,699 --> 04:09:23,040 there's no fix for this and this is 4762 04:09:23,040 --> 04:09:24,840 probably going to be around for like I 4763 04:09:24,840 --> 04:09:26,040 don't know yeah seven to twelve years 4764 04:09:26,040 --> 04:09:28,859 that's the situation of all of this and 4765 04:09:28,859 --> 04:09:30,840 we would have not been able to look into 4766 04:09:30,840 --> 04:09:32,939 this code and do this research without 4767 04:09:32,939 --> 04:09:35,160 our little robot friend who you know 4768 04:09:35,160 --> 04:09:37,500 helped us a lot so basically yeah that's 4769 04:09:37,500 --> 04:09:39,600 what we found that's the problem 4770 04:09:39,600 --> 04:09:40,380 um 4771 04:09:40,380 --> 04:09:41,819 I think that's it that's that's that's 4772 04:09:41,819 --> 04:09:43,739 all that's how I got 4773 04:09:43,739 --> 04:09:46,260 it oh yeah and right if you want to play 4774
04:09:46,260 --> 04:09:47,760 with the robot back over there like you 4775 04:09:47,760 --> 04:09:51,620 should come in and poke at it so 4776 04:09:56,220 --> 04:09:59,179 all right yeah 4777 04:10:05,460 --> 04:10:09,000 I mean not only yeah because like it 4778 04:10:09,000 --> 04:10:10,260 requires a lot of attention you know 4779 04:10:10,260 --> 04:10:11,699 like you have to like watch the thing 4780 04:10:11,699 --> 04:10:15,359 Sweat Right and it is so dumb like it's 4781 04:10:15,359 --> 04:10:17,040 it's not a good way to do it 4782 04:10:17,040 --> 04:10:21,560 um this way is better so yeah 4783 04:10:24,899 --> 04:10:26,640 do I okay so the question is um do I 4784 04:10:26,640 --> 04:10:27,960 have any insights on why they engineered 4785 04:10:27,960 --> 04:10:29,640 this so 4786 04:10:29,640 --> 04:10:32,220 the answer is like I don't have any 4787 04:10:32,220 --> 04:10:34,380 actual data like here's in my mind 4788 04:10:34,380 --> 04:10:36,359 though like me trying to think about 4789 04:10:36,359 --> 04:10:39,660 like how a lot of like many many very 4790 04:10:39,660 --> 04:10:41,279 competent Engineers designed this thing 4791 04:10:41,279 --> 04:10:44,040 with security in mind and somehow they 4792 04:10:44,040 --> 04:10:46,680 still made this so here's my hypothesis 4793 04:10:46,680 --> 04:10:48,899 right and this is a thing that's much 4794 04:10:48,899 --> 04:10:51,120 more interesting that speaks things 4795 04:10:51,120 --> 04:10:52,739 about the organization the way people 4796 04:10:52,739 --> 04:10:55,319 kind of work in engineering rather than 4797 04:10:55,319 --> 04:10:57,840 like technology but there was a group 4798 04:10:57,840 --> 04:11:01,080 that wrote like the user space code and 4799 04:11:01,080 --> 04:11:03,359 they said like we write the firmware 4800 04:11:03,359 --> 04:11:05,520 update OTA you know algorithm right and 4801 04:11:05,520 --> 04:11:08,040 we checked the signature right and once 4802 04:11:08,040 --> 
04:11:09,359 we check the signature we then 4803 04:11:09,359 --> 04:11:11,100 re-encrypt the thing and put it on flash 4804 04:11:11,100 --> 04:11:14,220 so if we did this already like 4805 04:11:14,220 --> 04:11:15,660 bootloader group why do you need to do it again 4806 04:11:15,660 --> 04:11:17,760 right so I think there was a sort of 4807 04:11:17,760 --> 04:11:20,460 organizational boundary BS that 4808 04:11:20,460 --> 04:11:22,439 basically made people say like well we 4809 04:11:22,439 --> 04:11:23,819 checked the signature once we trust that 4810 04:11:23,819 --> 04:11:26,160 group and because of that we just 4811 04:11:26,160 --> 04:11:27,660 decrypt the thing for performance and 4812 04:11:27,660 --> 04:11:29,040 reliability 4813 04:11:29,040 --> 04:11:31,080 that doesn't really actually answer the 4814 04:11:31,080 --> 04:11:33,180 question but like that's that's what I 4815 04:11:33,180 --> 04:11:35,580 think happened but yeah go figure you 4816 04:11:35,580 --> 04:11:37,979 know this is horrible 4817 04:11:37,979 --> 04:11:40,620 all right any other there was a any 4818 04:11:40,620 --> 04:11:43,040 other questions 4819 04:11:44,220 --> 04:11:45,540 huh 4820 04:11:45,540 --> 04:11:48,920 no homage is good what 4821 04:11:51,779 --> 04:11:53,279 oh yeah that's right that's right yeah 4822 04:11:53,279 --> 04:11:55,199 look at that oh you forgot you know I 4823 04:11:55,199 --> 04:11:56,460 run a company called Red Balloon Security 4824 04:11:56,460 --> 04:11:58,199 and we're hiring people so this is the 4825 04:11:58,199 --> 04:11:59,880 sort of embedded security that you want 4826 04:11:59,880 --> 04:12:03,239 to do we're in Manhattan uh we're hiring 4827 04:12:03,239 --> 04:12:04,680 people who wanted to do embedded 4828 04:12:04,680 --> 04:12:06,180 security stuff 4829 04:12:06,180 --> 04:12:07,439 um and there's a bunch of us over there 4830 04:12:07,439 --> 04:12:10,580 so please come talk to us 4831 04:12:11,340 --> 04:12:14,540 all right
that's it thank you 4832 04:12:35,520 --> 04:12:37,199 really good 4833 04:12:37,199 --> 04:12:39,060 really good get it trust me when I tell 4834 04:12:39,060 --> 04:12:42,198 you there ain't no one else 4835 04:12:48,180 --> 04:12:59,809 [Music] 4836 04:13:06,120 --> 04:13:11,420 don't wanna be my best friend baby 4837 04:13:13,590 --> 04:13:16,690 [Music] 4838 04:13:34,739 --> 04:13:37,399 baby 4839 04:13:45,960 --> 04:13:49,399 say that I'm happy 4840 04:14:03,530 --> 04:14:06,629 [Music] 4841 04:14:12,359 --> 04:14:15,410 can't wait to be your number 4842 04:14:15,410 --> 04:14:19,819 [Music] 4843 04:14:24,350 --> 04:14:29,600 [Applause] 4844 04:14:30,470 --> 04:14:53,920 [Music] 4845 04:14:53,920 --> 04:14:55,300 [Applause] 4846 04:14:55,300 --> 04:15:04,490 [Music] 4847 04:15:06,479 --> 04:15:10,580 I might just be the one 4848 04:15:18,540 --> 04:15:19,590 before 4849 04:15:19,590 --> 04:15:22,729 [Music] 4850 04:15:33,859 --> 04:15:36,899 where everything's 4851 04:15:36,899 --> 04:15:39,619 but don't change 4852 04:15:45,239 --> 04:15:49,439 and it didn't take forever to find it 4853 04:15:49,439 --> 04:15:53,040 I was all on my own almost glad to be 4854 04:15:53,040 --> 04:15:57,380 alone until love came in 4855 04:15:57,380 --> 04:15:59,300 on time 4856 04:15:59,300 --> 04:16:02,660 off time 4857 04:16:06,479 --> 04:16:09,239 to be so hard to see 4858 04:16:09,239 --> 04:16:11,540 and loving is easy 4859 04:16:11,540 --> 04:16:14,960 everything's perfect 4860 04:16:16,260 --> 04:16:18,060 for me 4861 04:16:18,060 --> 04:16:29,739 [Music] 4862 04:16:35,120 --> 04:16:38,520 when you can't even hide it 4863 04:16:38,520 --> 04:16:42,600 and it didn't take forever to find it 4864 04:16:42,600 --> 04:16:46,380 I was all on my own almost glad to be 4865 04:16:46,380 --> 04:16:51,120 alone until love came in 4866 04:16:51,120 --> 04:16:52,730 time 4867 04:16:52,730 --> 04:16:52,930 [Music] 4868 04:16:52,930 --> 04:16:54,420 [Applause] 4869 04:16:54,420 --> 
04:16:59,100 loving is easy you haven't up 4870 04:16:59,100 --> 04:17:01,580 history 4871 04:17:08,840 --> 04:17:11,880 for me 4872 04:17:11,880 --> 04:17:14,239 me 4873 04:17:18,840 --> 04:17:22,059 [Music] 4874 04:17:47,730 --> 04:17:48,860 [Applause] 4875 04:17:48,860 --> 04:17:54,329 [Music] 4876 04:17:55,380 --> 04:17:57,200 Express 4877 04:17:57,200 --> 04:17:59,880 [Music] 4878 04:17:59,880 --> 04:18:01,938 place 4879 04:18:04,200 --> 04:18:08,100 [Music] 4880 04:18:08,100 --> 04:18:13,760 you're a server admin just got served 4881 04:18:15,280 --> 04:18:18,429 [Applause] 4882 04:18:40,010 --> 04:18:48,120 [Music] 4883 04:18:52,160 --> 04:18:54,120 what you saying 4884 04:18:54,120 --> 04:18:57,219 [Music] 4885 04:18:58,000 --> 04:19:01,100 [Applause] 4886 04:19:02,670 --> 04:19:07,829 [Music] 4887 04:20:26,040 --> 04:20:29,960 I ran away from my feelings 4888 04:20:39,620 --> 04:20:43,340 my baby love songs 4889 04:21:06,000 --> 04:21:09,170 [Music] 4890 04:21:11,520 --> 04:21:14,180 hi everybody 4891 04:21:14,399 --> 04:21:16,560 uh thank you for tipping your bartender 4892 04:21:16,560 --> 04:21:19,800 uh we'll get some kind of a count on 4893 04:21:19,800 --> 04:21:21,840 where we are and the amount of drinking 4894 04:21:21,840 --> 04:21:23,640 we're supposed to have done by this 4895 04:21:23,640 --> 04:21:25,620 point in the conference 4896 04:21:25,620 --> 04:21:28,080 there is a there is a benchmark number 4897 04:21:28,080 --> 04:21:29,580 actually 4898 04:21:29,580 --> 04:21:33,359 um part of the uh way we we arrange our 4899 04:21:33,359 --> 04:21:36,300 agreement with Littlefield is in terms 4900 04:21:36,300 --> 04:21:37,739 of the bar 4901 04:21:37,739 --> 04:21:40,680 expense expenditure here and we have a 4902 04:21:40,680 --> 04:21:43,199 number we have to hit every day and I 4903 04:21:43,199 --> 04:21:45,060 don't know if we're doing a good job or 4904 04:21:45,060 --> 04:21:46,859 not but we'll get some details for you 4905 04:21:46,859 
--> 04:21:48,540 soon 4906 04:21:48,540 --> 04:21:50,760 um one other announcement I wanted to 4907 04:21:50,760 --> 04:21:51,899 make 4908 04:21:51,899 --> 04:21:56,040 um a member of our of our of our family 4909 04:21:56,040 --> 04:22:00,899 here some some guest uh evidently lost a 4910 04:22:00,899 --> 04:22:02,640 stud earring 4911 04:22:02,640 --> 04:22:05,399 so if you find a stud earring you will 4912 04:22:05,399 --> 04:22:10,859 you will be saving someone's life 4913 04:22:10,859 --> 04:22:13,920 by turning it into a person with a red 4914 04:22:13,920 --> 04:22:16,140 Summercon staff shirt and they will 4915 04:22:16,140 --> 04:22:19,199 help reunite it with its owner thank you 4916 04:22:19,199 --> 04:22:20,880 for your vigilance 4917 04:22:20,880 --> 04:22:23,460 now 4918 04:22:23,460 --> 04:22:27,420 our next speaker 4919 04:22:27,420 --> 04:22:29,460 Julien Vanegue 4920 04:22:29,460 --> 04:22:32,340 is a brilliant security researcher who 4921 04:22:32,340 --> 04:22:34,680 specializes in applying logic to offense 4922 04:22:34,680 --> 04:22:36,000 and defense 4923 04:22:36,000 --> 04:22:39,000 today Julien will introduce us to a new 4924 04:22:39,000 --> 04:22:41,899 kind of formal logic called 4925 04:22:41,899 --> 04:22:44,520 incorrectness logic 4926 04:22:44,520 --> 04:22:47,220 this under approximate program analysis 4927 04:22:47,220 --> 04:22:50,100 guarantees 4928 04:22:50,100 --> 04:22:52,460 let me repeat that 4929 04:22:52,460 --> 04:22:56,640 guarantees the detection of every bug 4930 04:22:56,640 --> 04:22:59,460 making it a powerful tool for formal bug 4931 04:22:59,460 --> 04:23:02,040 finding yeah that got the room quiet 4932 04:23:02,040 --> 04:23:04,939 foreign 4933 04:23:06,300 --> 04:23:08,640 Julien will also discuss an exciting 4934 04:23:08,640 --> 04:23:11,160 extension called adversarial logic which 4935 04:23:11,160 --> 04:23:13,380 brings explicit adversaries into the 4936 04:23:13,380 --> 04:23:15,060 equation 4937
04:23:15,060 --> 04:23:17,520 join us as we explore the world of 4938 04:23:17,520 --> 04:23:19,319 reasoning and exploit detection and 4939 04:23:19,319 --> 04:23:22,319 buggy programs please give a warm 4940 04:23:22,319 --> 04:23:27,140 Summercon welcome to Julien Vanegue 4941 04:23:31,979 --> 04:23:34,640 hello 4942 04:23:38,699 --> 04:23:41,340 welcome to my talk my name is Julien and 4943 04:23:41,340 --> 04:23:45,000 I'm gonna work with you throughout some 4944 04:23:45,000 --> 04:23:47,040 interesting topic about 4945 04:23:47,040 --> 04:23:48,779 formal logic 4946 04:23:48,779 --> 04:23:51,720 to some I'm a mathematician to others 4947 04:23:51,720 --> 04:23:53,880 I'm a hacker but truth is I love to talk 4948 04:23:53,880 --> 04:23:57,500 mathematics with hackers like you guys 4949 04:23:59,160 --> 04:24:02,040 the goal really for me is to try to 4950 04:24:02,040 --> 04:24:03,960 share knowledge as much as possible so 4951 04:24:03,960 --> 04:24:05,640 in this particular talk I will actually 4952 04:24:05,640 --> 04:24:07,380 go over 4953 04:24:07,380 --> 04:24:07,939 the 4954 04:24:07,939 --> 04:24:10,380 fundamentals first and not lose you into 4955 04:24:10,380 --> 04:24:12,060 technical detail that do not really 4956 04:24:12,060 --> 04:24:13,859 matter for your understanding 4957 04:24:13,859 --> 04:24:16,380 do a little bit of history about what 4958 04:24:16,380 --> 04:24:18,479 those mathematical techniques for 4959 04:24:18,479 --> 04:24:21,720 security has have been about in the last 4960 04:24:21,720 --> 04:24:24,660 20 25 years 4961 04:24:24,660 --> 04:24:26,220 and really 4962 04:24:26,220 --> 04:24:27,359 um 4963 04:24:27,359 --> 04:24:30,000 also share the latest three years of 4964 04:24:30,000 --> 04:24:31,739 research I've been up to with some of my 4965 04:24:31,739 --> 04:24:33,899 collaborators and before I started this 4966 04:24:33,899 --> 04:24:35,939 journey I was kind of feeling like that 4967 04:24:35,939 --> 04:24:38,340 a
little monkey and I thought maybe if I 4968 04:24:38,340 --> 04:24:40,560 duplicate myself a million times I'd be 4969 04:24:40,560 --> 04:24:43,460 able to write Shakespeare 4970 04:24:46,080 --> 04:24:48,899 so before before we do we start with uh 4971 04:24:48,899 --> 04:24:51,060 some interesting interesting stuff I 4972 04:24:51,060 --> 04:24:52,739 want to really talk about some some of 4973 04:24:52,739 --> 04:24:55,380 the basic definitions that you guys may 4974 04:24:55,380 --> 04:24:57,859 probably be familiar with 4975 04:24:57,859 --> 04:25:00,060 what I love to do with these two find 4976 04:25:00,060 --> 04:25:02,399 bugs and especially those words that are 4977 04:25:02,399 --> 04:25:04,080 exploitable 4978 04:25:04,080 --> 04:25:06,180 and in order to 4979 04:25:06,180 --> 04:25:08,819 do this at scale back in the days I was 4980 04:25:08,819 --> 04:25:10,739 doing lots of code reviews I was looking 4981 04:25:10,739 --> 04:25:12,960 for bugs manually and try to write 4982 04:25:12,960 --> 04:25:14,819 exports manually 4983 04:25:14,819 --> 04:25:16,859 and really I love doing that but at some 4984 04:25:16,859 --> 04:25:19,560 point I really wanted to to do this as 4985 04:25:19,560 --> 04:25:21,840 at scale and in order to be able to do 4986 04:25:21,840 --> 04:25:24,080 this you need to write tools you need to 4987 04:25:24,080 --> 04:25:27,000 really sharpen up your programming 4988 04:25:27,000 --> 04:25:29,399 skills and make your hands dirty try to 4989 04:25:29,399 --> 04:25:31,140 understand the kind of bugs that are 4990 04:25:31,140 --> 04:25:32,760 true security vulnerabilities versus 4991 04:25:32,760 --> 04:25:36,239 those that are just benign bugs 4992 04:25:36,239 --> 04:25:38,699 in order to do this there are a few 4993 04:25:38,699 --> 04:25:40,800 fundamental concepts that you need to be 4994 04:25:40,800 --> 04:25:42,060 familiar with 4995 04:25:42,060 --> 04:25:43,860 the first one is the concept 4996 04:25:43,860 --> 
04:25:46,260 [Music] 4997 04:25:46,260 --> 04:25:48,779 of program State let's let's assume you 4998 04:25:48,779 --> 04:25:50,399 have a little function function is 4999 04:25:50,399 --> 04:25:52,500 called func takes the Boolean argument 5000 04:25:52,500 --> 04:25:54,239 cond 5001 04:25:54,239 --> 04:25:55,920 it's got a variable a local variable 5002 04:25:55,920 --> 04:25:58,859 let's say x you initialize these to zero 5003 04:25:58,859 --> 04:26:02,040 and if the condition is true 5004 04:26:02,040 --> 04:26:04,080 you increment this variable and if the 5005 04:26:04,080 --> 04:26:06,180 condition is not true it's false in that 5006 04:26:06,180 --> 04:26:08,520 case you decrement a variable 5007 04:26:08,520 --> 04:26:11,760 well what what are the program states of 5008 04:26:11,760 --> 04:26:13,620 this little function 5009 04:26:13,620 --> 04:26:15,300 first of all we'd like to differentiate 5010 04:26:15,300 --> 04:26:17,220 between the pre-states and the 5011 04:26:17,220 --> 04:26:19,620 post-states the pre-states are those program 5012 04:26:19,620 --> 04:26:22,319 variable values that are 5013 04:26:22,319 --> 04:26:24,960 before you execute a piece of code 5014 04:26:24,960 --> 04:26:27,120 and the post States is really the values 5015 04:26:27,120 --> 04:26:29,340 of those variables after you execute a 5016 04:26:29,340 --> 04:26:31,760 piece of code 5017 04:26:31,979 --> 04:26:33,779 for example in this particular program 5018 04:26:33,779 --> 04:26:36,060 we start the code we don't know what the 5019 04:26:36,060 --> 04:26:38,040 value of cond is could be zero it could 5020 04:26:38,040 --> 04:26:39,960 be one but one thing we know pretty much 5021 04:26:39,960 --> 04:26:41,880 for sure that x equals zero because you 5022 04:26:41,880 --> 04:26:45,479 initialize X to Zero at the beginning 5023 04:26:45,479 --> 04:26:47,580 and after you execute those two lines of 5024 04:26:47,580 --> 04:26:50,100 code you have two states possible either 5025
04:26:50,100 --> 04:26:52,560 x equal one because cond whatever was 5026 04:26:52,560 --> 04:26:55,800 one so you incremented x x plus plus E2 5027 04:26:55,800 --> 04:26:57,840 the state that contains the two 5028 04:26:57,840 --> 04:27:01,319 variables x with value one and the cond 5029 04:27:01,319 --> 04:27:03,420 with value one or 5030 04:27:03,420 --> 04:27:07,199 in case the condition was Zero was false 5031 04:27:07,199 --> 04:27:09,720 then you're going to the else branch and 5032 04:27:09,720 --> 04:27:12,300 in that case the post state will be the 5033 04:27:12,300 --> 04:27:15,239 value of x minus one and the value of 5034 04:27:15,239 --> 04:27:16,800 the condition zero 5035 04:27:16,800 --> 04:27:19,020 and this is not much more complicated 5036 04:27:19,020 --> 04:27:21,720 than that a program state is just a 5037 04:27:21,720 --> 04:27:24,479 vector of values that contain the value 5038 04:27:24,479 --> 04:27:26,279 of variables at that point in the 5039 04:27:26,279 --> 04:27:28,399 program 5040 04:27:29,100 --> 04:27:30,600 so that's interesting to talk about 5041 04:27:30,600 --> 04:27:33,540 individual states of a program but it's 5042 04:27:33,540 --> 04:27:35,699 very cumbersome of course you have very 5043 04:27:35,699 --> 04:27:37,439 large programs these days we work with 5044 04:27:37,439 --> 04:27:39,180 programs that are not anymore just a few 5045 04:27:39,180 --> 04:27:40,500 hundred and thousand lines of code we 5046 04:27:40,500 --> 04:27:42,120 work on programs that have millions of 5047 04:27:42,120 --> 04:27:43,739 lines of code tens of millions of lines 5048 04:27:43,739 --> 04:27:45,840 of code so do we want to enumerate 5049 04:27:45,840 --> 04:27:47,399 every program state to make sense of what 5050 04:27:47,399 --> 04:27:48,960 the program is supposed to do probably 5051 04:27:48,960 --> 04:27:51,600 not so there is a way to abstract this 5052 04:27:51,600 --> 04:27:53,300 understating abstract 5053 04:27:53,300 --> 04:27:56,640
the how you will look at the program and 5054 04:27:56,640 --> 04:27:58,680 that's where logic comes into play and 5055 04:27:58,680 --> 04:28:00,180 particularly I want to talk about this 5056 04:28:00,180 --> 04:28:02,760 notation called sequent calculus 5057 04:28:02,760 --> 04:28:06,840 the sequent calculus is really a 5058 04:28:06,840 --> 04:28:10,140 on the left hand side here it's a a 5059 04:28:10,140 --> 04:28:12,600 two-fold structure where you have the 5060 04:28:12,600 --> 04:28:14,279 premises meaning that what you assume 5061 04:28:14,279 --> 04:28:15,659 your assumptions 5062 04:28:15,659 --> 04:28:17,699 and the big line was under the big line 5063 04:28:17,699 --> 04:28:20,040 is the conclusion so when I whatever you 5064 04:28:20,040 --> 04:28:21,960 actually know something and you want to 5065 04:28:21,960 --> 04:28:24,840 derive you want to infer some new 5066 04:28:24,840 --> 04:28:26,760 knowledge based on the fact that you 5067 04:28:26,760 --> 04:28:28,859 know you want to derive more knowledge 5068 04:28:28,859 --> 04:28:32,399 you write that line to say premise what 5069 04:28:32,399 --> 04:28:35,279 I assume what I can deduce from that 5070 04:28:35,279 --> 04:28:36,899 knowledge I have 5071 04:28:36,899 --> 04:28:39,420 an example of such rule is very famous 5072 04:28:39,420 --> 04:28:41,520 it's called modus ponens 5073 04:28:41,520 --> 04:28:43,560 which specifically means late input in 5074 04:28:43,560 --> 04:28:46,140 place for example in the modus ponens 5075 04:28:46,140 --> 04:28:48,479 ponens rule what it tells you or it 5076 04:28:48,479 --> 04:28:50,100 allows you to do is to say if I have the 5077 04:28:50,100 --> 04:28:54,239 knowledge that a holds that a is true or 5078 04:28:54,239 --> 04:28:55,920 a is provable depending on your 5079 04:28:55,920 --> 04:28:58,439 interpretation and I also know that from 5080 04:28:58,439 --> 04:29:01,800 a I can't derive B 5081 04:29:01,800 --> 04:29:03,420 I can derive B 5082
04:29:03,420 --> 04:29:05,399 meaning another way to take a look at 5083 04:29:05,399 --> 04:29:09,720 that if I have a a Coke machine and I 5084 04:29:09,720 --> 04:29:11,760 put a one dollar bill in that Coke 5085 04:29:11,760 --> 04:29:14,699 machine is a and if I put a dollar bill 5086 04:29:14,699 --> 04:29:17,220 in the Coke machine a that gives me a 5087 04:29:17,220 --> 04:29:20,580 coke B then I have a Coke B 5088 04:29:20,580 --> 04:29:23,060 okay 5089 04:29:23,520 --> 04:29:25,680 and interestingly you can combine you 5090 04:29:25,680 --> 04:29:28,620 can combine those Concepts so what a 5091 04:29:28,620 --> 04:29:31,800 triple a semantic triple actually is is 5092 04:29:31,800 --> 04:29:33,659 this notion of precondition and post 5093 04:29:33,659 --> 04:29:36,060 condition typically where you try to 5094 04:29:36,060 --> 04:29:38,159 characterize the pre-states of the 5095 04:29:38,159 --> 04:29:40,319 program and the post states of the 5096 04:29:40,319 --> 04:29:42,600 program using a relation and that 5097 04:29:42,600 --> 04:29:44,279 relation is really a function or a 5098 04:29:44,279 --> 04:29:46,439 mapping if you will between what the 5099 04:29:46,439 --> 04:29:48,899 states of the program actually are at 5100 04:29:48,899 --> 04:29:50,399 the beginning versus what they're going 5101 04:29:50,399 --> 04:29:52,140 to be after you execute your piece of 5102 04:29:52,140 --> 04:29:53,220 code 5103 04:29:53,220 --> 04:29:57,120 and typically we know that P C Q saying 5104 04:29:57,120 --> 04:29:59,159 that the fragment of code C or the 5105 04:29:59,159 --> 04:30:02,939 program C executes in a pre-state that 5106 04:30:02,939 --> 04:30:06,060 satisfy the precondition p and the 5107 04:30:06,060 --> 04:30:08,040 program piece of code C terminates that 5108 04:30:08,040 --> 04:30:10,199 is going to end up in a post state that 5109 04:30:10,199 --> 04:30:12,479 satisfy post condition Q 5110 04:30:12,479 --> 04:30:14,640 for example if I start
in a state where 5111 04:30:14,640 --> 04:30:17,460 x equals 42 and I execute X plus plus I 5112 04:30:17,460 --> 04:30:19,920 increment X well my post height is going 5113 04:30:19,920 --> 04:30:21,239 to be that 5114 04:30:21,239 --> 04:30:24,300 um is basically the value of memory that 5115 04:30:24,300 --> 04:30:27,840 satisfy x equals 43. the beauty of that 5116 04:30:27,840 --> 04:30:29,580 first of all it doesn't necessarily talk 5117 04:30:29,580 --> 04:30:32,340 about any part any program in particular 5118 04:30:32,340 --> 04:30:34,380 those are rules that you can use for any 5119 04:30:34,380 --> 04:30:35,699 programs 5120 04:30:35,699 --> 04:30:39,840 and in fact some folks describe those 5121 04:30:39,840 --> 04:30:42,960 rules for every possible program grammar 5122 04:30:42,960 --> 04:30:45,300 programming language grammar that you 5123 04:30:45,300 --> 04:30:47,399 can come up with and basically Define 5124 04:30:47,399 --> 04:30:49,140 the semantic of a programming language 5125 04:30:49,140 --> 04:30:51,000 or programs written in that programming 5126 04:30:51,000 --> 04:30:52,859 language based on the rules and chaining 5127 04:30:52,859 --> 04:30:54,720 of those rules 5128 04:30:54,720 --> 04:30:57,239 so if you combine this concept of triple 5129 04:30:57,239 --> 04:30:59,100 and this concept of 5130 04:30:59,100 --> 04:31:01,140 inference or this concept of sequence 5131 04:31:01,140 --> 04:31:03,600 calculus you have what happens at the 5132 04:31:03,600 --> 04:31:04,620 bottom left 5133 04:31:04,620 --> 04:31:06,600 you have something known as the 5134 04:31:06,600 --> 04:31:09,060 consequence rule the consequence rule 5135 04:31:09,060 --> 04:31:11,100 say the following 5136 04:31:11,100 --> 04:31:14,159 if you know that a program starts in a 5137 04:31:14,159 --> 04:31:16,979 state satisfying precondition p executes 5138 04:31:16,979 --> 04:31:19,260 and terminate and end up in a state 5139 04:31:19,260 --> 04:31:22,080 satisfying post 
condition Q and I 5140 04:31:22,080 --> 04:31:23,880 know that I have a logical inference or 5141 04:31:23,880 --> 04:31:26,699 a logical consequence that tells me that 5142 04:31:26,699 --> 04:31:29,640 if Q holds then S holds as well 5143 04:31:29,640 --> 04:31:32,460 then I can derive a new triple and that 5144 04:31:32,460 --> 04:31:35,159 triple is P C S 5145 04:31:35,159 --> 04:31:37,080 a little example if I have a program 5146 04:31:37,080 --> 04:31:39,899 where the state is x equals 42 and I do 5147 04:31:39,899 --> 04:31:42,600 X plus plus then I know that x equals 43 5148 04:31:42,600 --> 04:31:45,300 we've seen that before but I also know 5149 04:31:45,300 --> 04:31:48,359 that if x equals 43 then X is bigger 5150 04:31:48,359 --> 04:31:50,399 than zero right it's a logical 5151 04:31:50,399 --> 04:31:52,859 consequence of x equals 43 to be bigger 5152 04:31:52,859 --> 04:31:55,380 than zero therefore I can derive a new 5153 04:31:55,380 --> 04:31:58,739 triple that says if I start in a state 5154 04:31:58,739 --> 04:32:02,220 satisfying x equal 42 and I execute a 5155 04:32:02,220 --> 04:32:05,040 piece of code fragment X plus plus then 5156 04:32:05,040 --> 04:32:07,380 I can know that X is bigger than 0 after 5157 04:32:07,380 --> 04:32:09,619 that 5158 04:32:10,859 --> 04:32:14,819 and in fact somebody called Tony 5159 04:32:14,819 --> 04:32:17,040 in 1969 wrote a paper called An 5160 04:32:17,040 --> 04:32:18,960 Axiomatic Basis for Computer Programming 5161 04:32:18,960 --> 04:32:21,960 for which he won a Turing Award 5162 04:32:21,960 --> 04:32:25,859 and what Tony Hoare did in 1969 5163 04:32:25,859 --> 04:32:28,620 was that he actually created a logic 5164 04:32:28,620 --> 04:32:30,840 like this based on derivations and he 5165 04:32:30,840 --> 04:32:33,180 basically defined every 5166 04:32:33,180 --> 04:32:35,159 you know conditional 5167 04:32:35,159 --> 04:32:38,340 and assignments in various program 5168 04:32:38,340 --> 04:32:39,899
constructs like this the semantic of 5169 04:32:39,899 --> 04:32:42,359 such construct based on this notion of 5170 04:32:42,359 --> 04:32:45,359 triple for example in order to model an 5171 04:32:45,359 --> 04:32:46,620 if else 5172 04:32:46,620 --> 04:32:49,560 if I have a piece of code C1 let's say 5173 04:32:49,560 --> 04:32:51,779 in that piece of code C1 if executed in 5174 04:32:51,779 --> 04:32:54,540 a pre-state satisfying p and B 5175 04:32:54,540 --> 04:32:57,060 leading to a post-state satisfying 5176 04:32:57,060 --> 04:32:58,739 Q1 5177 04:32:58,739 --> 04:33:00,840 and I have also another piece of code C2 5178 04:33:00,840 --> 04:33:03,779 if executed in a pre-state satisfying p 5179 04:33:03,779 --> 04:33:06,719 and not b and provided C2 terminate 5180 04:33:06,719 --> 04:33:09,118 terminate in a state a post-state 5181 04:33:09,118 --> 04:33:11,759 satisfying post condition Q2 5182 04:33:11,759 --> 04:33:15,299 then I can actually form I can combine 5183 04:33:15,299 --> 04:33:18,660 that knowledge to explain why the 5184 04:33:18,660 --> 04:33:21,061 semantic of an if statement is 5185 04:33:21,061 --> 04:33:23,759 what the semantic of the if statement if B 5186 04:33:23,759 --> 04:33:27,660 is an SLT basically says if I start in a 5187 04:33:27,660 --> 04:33:30,379 pre-state satisfying precondition P 5188 04:33:30,379 --> 04:33:32,699 independently of whether or not B holds 5189 04:33:32,699 --> 04:33:35,160 B is true or B is false I know that I'm 5190 04:33:35,160 --> 04:33:37,320 going to end in a state satisfying 5191 04:33:37,320 --> 04:33:39,719 either post condition Q1 or post 5192 04:33:39,719 --> 04:33:41,699 condition Q2 either I'm going to go into 5193 04:33:41,699 --> 04:33:43,618 the if Branch or I'm going to go to the 5194 04:33:43,618 --> 04:33:45,778 else branch 5195 04:33:45,778 --> 04:33:47,580 for example if I take my little program 5196 04:33:47,580 --> 04:33:50,039 here down there my function f that takes 5197
04:33:50,039 --> 04:33:52,799 an argument Y and I start doing x equals 5198 04:33:52,799 --> 04:33:55,618 zero I have a little conditional if Y is 5199 04:33:55,618 --> 04:33:59,458 smaller than 10 X plus plus otherwise 5200 04:33:59,458 --> 04:34:03,840 x minus minus or apologies for the typo 5201 04:34:03,840 --> 04:34:06,359 else minus minus and then I want to know 5202 04:34:06,359 --> 04:34:08,580 whether that defi that um 5203 04:34:08,580 --> 04:34:10,799 that particular that particular line of 5204 04:34:10,799 --> 04:34:14,641 code x equal y divided by X is is safe I 5205 04:34:14,641 --> 04:34:16,320 want to know for example if x can be 5206 04:34:16,320 --> 04:34:18,419 zero otherwise I would have a division 5207 04:34:18,419 --> 04:34:21,599 by zero and division by zero is bad 5208 04:34:21,599 --> 04:34:23,699 right for those of you who've done some 5209 04:34:23,699 --> 04:34:24,840 programming I'm sure you had some 5210 04:34:24,840 --> 04:34:26,759 division by zero errors or exception in 5211 04:34:26,759 --> 04:34:29,219 the past or signals sent to you or your 5212 04:34:29,219 --> 04:34:30,061 program 5213 04:34:30,061 --> 04:34:31,740 and so the way you derive the 5214 04:34:31,740 --> 04:34:33,240 semantic of a program like this is in 5215 04:34:33,240 --> 04:34:34,680 Hoare logic and the rules of Hoare 5216 04:34:34,680 --> 04:34:36,539 logic is that that you start with the 5217 04:34:36,539 --> 04:34:39,900 precondition assuming I know that or I'm 5218 04:34:39,900 --> 04:34:42,359 just stating that the value of variable 5219 04:34:42,359 --> 04:34:45,000 Y is V independently of what the value 5220 04:34:45,000 --> 04:34:48,799 of V actually is just a value I go 5221 04:34:48,799 --> 04:34:52,020 pre-state to post state using the rules 5222 04:34:52,020 --> 04:34:55,740 of the program construct that my program 5223 04:34:55,740 --> 04:34:59,219 is made of and I derive a new 5224 04:34:59,219 --> 04:35:01,199 condition for my program let's say
that 5225 04:35:01,199 --> 04:35:04,740 x y equals V and X equals zero so far 5226 04:35:04,740 --> 04:35:07,618 not complicated the little hat means and 5227 04:35:07,618 --> 04:35:10,320 in logic if you confuse you can just 5228 04:35:10,320 --> 04:35:12,180 think of an end it's vertically logical 5229 04:35:12,180 --> 04:35:13,618 end 5230 04:35:13,618 --> 04:35:16,020 and then I continue I continue to 5231 04:35:16,020 --> 04:35:17,820 interpret my program and I say okay now 5232 04:35:17,820 --> 04:35:20,820 what if I enter the if well if that's 5233 04:35:20,820 --> 04:35:22,980 the case and there's a very convenient 5234 04:35:22,980 --> 04:35:25,080 way of encoding those conditionals in 5235 04:35:25,080 --> 04:35:27,419 logic is to use the implication 5236 04:35:27,419 --> 04:35:30,919 I can say things like Y is more than 10 5237 04:35:30,919 --> 04:35:35,520 implies x equal one right I rewrote X 5238 04:35:35,520 --> 04:35:38,039 which was 0 to a new value X plus plus 5239 04:35:38,039 --> 04:35:40,740 which is equal one so my new post 5240 04:35:40,740 --> 04:35:44,099 condition after the if if is y equal v 5241 04:35:44,099 --> 04:35:47,520 and y is smaller than 10 implies x equal 5242 04:35:47,520 --> 04:35:49,980 one and then I keep going I keep going 5243 04:35:49,980 --> 04:35:52,919 or I may actually want to know what's 5244 04:35:52,919 --> 04:35:55,740 happening in the else Branch y equal v 5245 04:35:55,740 --> 04:35:59,039 and y is more than 10 implies x equal 5246 04:35:59,039 --> 04:36:03,118 one or Little V on the other side you 5247 04:36:03,118 --> 04:36:07,340 say or or Y is bigger or equal to 10 5248 04:36:07,340 --> 04:36:10,980 implies x minus one so again little typo 5249 04:36:10,980 --> 04:36:14,099 here this should be a x minus minus 5250 04:36:14,099 --> 04:36:15,539 and then I want to know if that's safe 5251 04:36:15,539 --> 04:36:17,580 well yes it is safe right the possible 5252 04:36:17,580 --> 04:36:20,520 values the state 
of X in that case are 5253 04:36:20,520 --> 04:36:22,859 minus one or one and it's perfectly fine 5254 04:36:22,859 --> 04:36:24,840 to divide by minus one or by one 5255 04:36:24,840 --> 04:36:28,340 therefore no problem 5256 04:36:30,061 --> 04:36:32,039 little scale problem however as you can 5257 04:36:32,039 --> 04:36:34,320 see for five lines of code we already 5258 04:36:34,320 --> 04:36:36,719 have a formula that basically takes the 5259 04:36:36,719 --> 04:36:37,799 entire screen 5260 04:36:37,799 --> 04:36:40,080 if I imagine this on a million lines of 5261 04:36:40,080 --> 04:36:41,641 code obviously you're going to have very 5262 04:36:41,641 --> 04:36:44,278 very large formulas and that becomes too 5263 04:36:44,278 --> 04:36:47,219 large to actually be practical to solve 5264 04:36:47,219 --> 04:36:49,919 so how do we solve that 5265 04:36:49,919 --> 04:36:52,080 and at this stage I started to understand 5266 04:36:52,080 --> 04:36:54,061 a little bit more about program analysis 5267 04:36:54,061 --> 04:36:56,160 although I didn't look 5268 04:36:56,160 --> 04:36:57,958 not much more than you know somebody 5269 04:36:57,958 --> 04:37:01,020 from a Disney Channel movie 5270 04:37:01,020 --> 04:37:04,760 um any questions so far 5271 04:37:05,039 --> 04:37:06,660 everybody is an expert in program now 5272 04:37:06,660 --> 04:37:09,438 this is beautiful 5273 04:37:09,958 --> 04:37:12,000 all right so how do we solve this 5274 04:37:12,000 --> 04:37:14,520 problem of of having very large programs 5275 04:37:14,520 --> 04:37:17,480 in tracking the states of a program 5276 04:37:17,480 --> 04:37:20,820 based on those pre and post conditions 5277 04:37:20,820 --> 04:37:22,561 well 5278 04:37:22,561 --> 04:37:24,660 a little while ago but program 5279 04:37:24,660 --> 04:37:27,419 abstractions were introduced where now 5280 04:37:27,419 --> 04:37:29,160 not only we're working on concrete 5281 04:37:29,160 --> 04:37:30,900 values of the program but we're working
5282 04:37:30,900 --> 04:37:33,000 on abstract values and those 5283 04:37:33,000 --> 04:37:35,458 abstractions can be anything 5284 04:37:35,458 --> 04:37:36,958 as long as they satisfy certain 5285 04:37:36,958 --> 04:37:38,278 criterias 5286 04:37:38,278 --> 04:37:40,561 one abstraction I want to talk about a 5287 04:37:40,561 --> 04:37:42,061 little bit is the interval abstraction 5288 04:37:42,061 --> 04:37:43,799 because interval abstractions are 5289 04:37:43,799 --> 04:37:45,660 extremely popular 5290 04:37:45,660 --> 04:37:47,520 in here instead of actually having a set 5291 04:37:47,520 --> 04:37:49,080 of values that my variables actually 5292 04:37:49,080 --> 04:37:53,039 hold I have an interval of values in 5293 04:37:53,039 --> 04:37:55,080 which my variable is located so 5294 04:37:55,080 --> 04:37:56,820 obviously there's a kind of formula you 5295 04:37:56,820 --> 04:37:57,539 can 5296 04:37:57,539 --> 04:38:00,958 generate or you can derive are much 5297 04:38:00,958 --> 04:38:02,699 smaller when you use an abstraction like 5298 04:38:02,699 --> 04:38:04,259 that because you don't need to track the 5299 04:38:04,259 --> 04:38:06,539 value of every single possible path you 5300 04:38:06,539 --> 04:38:09,061 just need to track intervals of values 5301 04:38:09,061 --> 04:38:10,859 so you do exactly the same thing same 5302 04:38:10,859 --> 04:38:14,039 program you start y equal v y equals V 5303 04:38:14,039 --> 04:38:16,740 and X equals zero y equal v and y 5304 04:38:16,740 --> 04:38:19,980 smaller than 10 implies x equal one 5305 04:38:19,980 --> 04:38:24,299 y equals v and y smaller than 10 implies 5306 04:38:24,299 --> 04:38:27,061 x equal 1 or Y big or equal to 10 5307 04:38:27,061 --> 04:38:29,580 implies x equals 1 is 1. 
5308 04:38:29,580 --> 04:38:31,618 and at the end when you merge you have 5309 04:38:31,618 --> 04:38:33,480 the you know these diamond shape right 5310 04:38:33,480 --> 04:38:35,099 in the control flow graph you have 5311 04:38:35,099 --> 04:38:36,539 you're like you start and you have the 5312 04:38:36,539 --> 04:38:38,458 if you have the else and then you merge 5313 04:38:38,458 --> 04:38:40,500 the program so what do you do do you 5314 04:38:40,500 --> 04:38:42,299 actually keep track of all the values 5315 04:38:42,299 --> 04:38:45,299 for every path or you do some merging 5316 04:38:45,299 --> 04:38:47,039 and these are interval abstraction 5317 04:38:47,039 --> 04:38:49,799 allows you to do that where simply 5318 04:38:49,799 --> 04:38:51,419 you'll have one particular numerical 5319 04:38:51,419 --> 04:38:53,580 object to track every possible values of 5320 04:38:53,580 --> 04:38:56,099 that variable for every path 5321 04:38:56,099 --> 04:38:58,259 well in that particular case we can say 5322 04:38:58,259 --> 04:39:01,080 that X is an interval minus 1 1. 
5323 04:39:01,080 --> 04:39:04,379 well is it safe now of no because zero 5324 04:39:04,379 --> 04:39:06,359 is part of the interval minus one one 5325 04:39:06,359 --> 04:39:08,879 and therefore what we just discovered is 5326 04:39:08,879 --> 04:39:10,500 that when you introduce abstraction in 5327 04:39:10,500 --> 04:39:12,180 program analysis then it leads to 5328 04:39:12,180 --> 04:39:14,400 something called incompleteness which 5329 04:39:14,400 --> 04:39:17,400 basically introduce false positives 5330 04:39:17,400 --> 04:39:19,740 you've used static analysis before and 5331 04:39:19,740 --> 04:39:22,020 you you probably hate all your species 5332 04:39:22,020 --> 04:39:24,240 for uh for spot achieve or that's 5333 04:39:24,240 --> 04:39:26,099 exactly why they show up because people 5334 04:39:26,099 --> 04:39:29,599 use two strong abstractions 5335 04:39:33,480 --> 04:39:35,340 and what's what's key a key inside 5336 04:39:35,340 --> 04:39:38,100 around abstraction is this notion of 5337 04:39:38,100 --> 04:39:42,000 over versus Under approximation 5338 04:39:42,000 --> 04:39:43,378 and 5339 04:39:43,378 --> 04:39:45,240 this notion of over approximation has 5340 04:39:45,240 --> 04:39:46,020 been 5341 04:39:46,020 --> 04:39:47,940 studied for a very long time with 5342 04:39:47,940 --> 04:39:49,378 abstractions abstractions are typical 5343 04:39:49,378 --> 04:39:52,260 typically over approximation of the 5344 04:39:52,260 --> 04:39:55,560 program Behavior because in some sense 5345 04:39:55,560 --> 04:39:58,260 the number of program behaviors that you 5346 04:39:58,260 --> 04:40:00,540 are allowing the program to take 5347 04:40:00,540 --> 04:40:03,780 is a bigger is a superset of the real 5348 04:40:03,780 --> 04:40:06,060 possible program behaviors like for 5349 04:40:06,060 --> 04:40:07,500 example I had a program behavior that 5350 04:40:07,500 --> 04:40:10,560 led to my variable X having value 0 at 0 5351 04:40:10,560 --> 04:40:12,718 by is else and 
I know it's not possible 5352 04:40:12,718 --> 04:40:14,458 according to my program 5353 04:40:14,458 --> 04:40:16,920 so I over approximated the semantic of 5354 04:40:16,920 --> 04:40:18,420 the program 5355 04:40:18,420 --> 04:40:20,700 in the other hand I can also do under 5356 04:40:20,700 --> 04:40:22,620 approximation 5357 04:40:22,620 --> 04:40:25,860 so if you look at the top left you see 5358 04:40:25,860 --> 04:40:28,080 the exact tracking of the state you 5359 04:40:28,080 --> 04:40:30,000 start with a state where value of x 5360 04:40:30,000 --> 04:40:31,798 equals zero and you do X plus plus you 5361 04:40:31,798 --> 04:40:33,298 go to a state where a value of x equal 5362 04:40:33,298 --> 04:40:35,760 one on the other side if you do minus 5363 04:40:35,760 --> 04:40:37,260 one is you go to a state where value of 5364 04:40:37,260 --> 04:40:38,760 x equal minus one there is no State 5365 04:40:38,760 --> 04:40:41,760 merge you track all states separately 5366 04:40:41,760 --> 04:40:44,700 and you that leads up to very very large 5367 04:40:44,700 --> 04:40:47,160 State space for your program 5368 04:40:47,160 --> 04:40:49,140 or you can actually be smarter than that 5369 04:40:49,140 --> 04:40:51,900 you can try to to merge nodes as we 5370 04:40:51,900 --> 04:40:54,060 explained say I have intervals and I'm 5371 04:40:54,060 --> 04:40:55,200 saying you know what I don't want those 5372 04:40:55,200 --> 04:40:56,520 nodes to be separated in my 5373 04:40:56,520 --> 04:40:58,200 representation I'm going to just use one 5374 04:40:58,200 --> 04:41:00,718 node and I'm going to call that minus 5375 04:41:00,718 --> 04:41:02,280 one one for you know the value of the 5376 04:41:02,280 --> 04:41:04,378 interval so 0 would be the value the 5377 04:41:04,378 --> 04:41:07,260 interval 0 0 1 would be the interval one 5378 04:41:07,260 --> 04:41:09,298 one minus one would be interval minus 5379 04:41:09,298 --> 04:41:12,000 one minus one and then finally after 
you 5380 04:41:12,000 --> 04:41:13,920 merge minus one one 5381 04:41:13,920 --> 04:41:18,298 that's over approximating or o x 5382 04:41:18,298 --> 04:41:20,760 as you can notice over approximation 5383 04:41:20,760 --> 04:41:23,040 doesn't mean you have more nodes you 5384 04:41:23,040 --> 04:41:25,980 typically means you have less nodes 5385 04:41:25,980 --> 04:41:28,560 on the other hand I can also 5386 04:41:28,560 --> 04:41:31,320 do under approximation using a technique called 5387 04:41:31,320 --> 04:41:34,200 path dropping 5388 04:41:34,200 --> 04:41:36,840 let's say I really care about one 5389 04:41:36,840 --> 04:41:38,120 particular behavior of the program 5390 04:41:38,120 --> 04:41:40,260 because I'm trying to basically do some 5391 04:41:40,260 --> 04:41:42,240 testing or maximize my coverage I 5392 04:41:42,240 --> 04:41:43,620 really want to go on the left side of 5393 04:41:43,620 --> 04:41:46,020 the if else well I can decide just to 5394 04:41:46,020 --> 04:41:49,260 drop the entire right or bottom path 5395 04:41:49,260 --> 04:41:51,360 here and focus on the one where the 5396 04:41:51,360 --> 04:41:53,638 value of x equal one well what's 5397 04:41:53,638 --> 04:41:54,840 interesting about that is that I 5398 04:41:54,840 --> 04:41:56,638 diminish the amount of nodes that is 5399 04:41:56,638 --> 04:41:59,160 needed to represent my program and I 5400 04:41:59,160 --> 04:42:01,980 introduce no abstraction no approach no 5401 04:42:01,980 --> 04:42:03,840 over approximation 5402 04:42:03,840 --> 04:42:05,940 right I still have the same state as 5403 04:42:05,940 --> 04:42:08,040 before I just have less States 5404 04:42:08,040 --> 04:42:10,440 and that's a key insight for the modern 5405 04:42:10,440 --> 04:42:11,760 Logics we're going to talk about a 5406 04:42:11,760 --> 04:42:14,120 little bit later 5407 04:42:17,638 --> 04:42:20,100 another really key idea so instead of 5408 04:42:20,100 --> 04:42:22,020 doing these abstractions 5409 04:42:22,020
--> 04:42:24,840 what can we do to manage those very 5410 04:42:24,840 --> 04:42:27,480 large program analysis there are two 5411 04:42:27,480 --> 04:42:29,458 particular techniques I want to talk 5412 04:42:29,458 --> 04:42:32,040 about one is based on something called 5413 04:42:32,040 --> 04:42:33,958 separation logic 5414 04:42:33,958 --> 04:42:35,400 and the second one is incorrectness 5415 04:42:35,400 --> 04:42:36,718 logic which I'll talk about just after 5416 04:42:36,718 --> 04:42:37,798 that 5417 04:42:37,798 --> 04:42:41,100 separation logic is also a formal logic 5418 04:42:41,100 --> 04:42:43,138 using the same sequent calculus notation 5419 04:42:43,138 --> 04:42:45,540 where you derive new Knowledge from 5420 04:42:45,540 --> 04:42:48,480 premises to conclusions and it allows 5421 04:42:48,480 --> 04:42:51,420 you to do three things one it allows you 5422 04:42:51,420 --> 04:42:55,138 to manipulate or analyze programs with 5423 04:42:55,138 --> 04:42:56,940 pointer data structures such as list 5424 04:42:56,940 --> 04:42:59,940 trees graphs and all that 5425 04:42:59,940 --> 04:43:03,900 it does this by introducing a new 5426 04:43:03,900 --> 04:43:07,260 conjunct a new and and that new and is 5427 04:43:07,260 --> 04:43:08,878 the star and 5428 04:43:08,878 --> 04:43:11,940 so instead of writing A little hat B to 5429 04:43:11,940 --> 04:43:14,820 say A and B in separation logic we write 5430 04:43:14,820 --> 04:43:18,480 a star B that you can read by a and 5431 04:43:18,480 --> 04:43:20,940 separately B 5432 04:43:20,940 --> 04:43:22,798 for example on the right hand side here 5433 04:43:22,798 --> 04:43:26,280 if I start a program in the precondition 5434 04:43:26,280 --> 04:43:27,420 p 5435 04:43:27,420 --> 04:43:30,540 or state satisfying precondition p and I 5436 04:43:30,540 --> 04:43:32,820 execute an allocation say x equal alloc 5437 04:43:32,820 --> 04:43:36,120 of n n bytes well what I can derive from 5438 04:43:36,120 --> 04:43:38,218
that in separation logic is that 5439 04:43:38,218 --> 04:43:39,480 p 5440 04:43:39,480 --> 04:43:42,480 is still holds provided actually X was 5441 04:43:42,480 --> 04:43:44,458 not part of P 5442 04:43:44,458 --> 04:43:47,400 and separately I know that X point on a 5443 04:43:47,400 --> 04:43:49,320 valid location l 5444 04:43:49,320 --> 04:43:51,900 or let's say L1 in that particular case 5445 04:43:51,900 --> 04:43:54,060 you know one here 5446 04:43:54,060 --> 04:43:56,340 and I execute another allocation y equal 5447 04:43:56,340 --> 04:43:59,160 m well I know that the Y is going to be 5448 04:43:59,160 --> 04:44:02,160 a separate location and x and provided Y 5449 04:44:02,160 --> 04:44:05,160 is not part of p i can now derive the 5450 04:44:05,160 --> 04:44:07,320 post Collision that P and separately 5451 04:44:07,320 --> 04:44:10,200 exponent on value location L1 and 5452 04:44:10,200 --> 04:44:12,780 separately again I know that exponent 5453 04:44:12,780 --> 04:44:14,718 value location L2 5454 04:44:14,718 --> 04:44:16,798 there's no initialization of those 5455 04:44:16,798 --> 04:44:18,718 variables here so I didn't actually put 5456 04:44:18,718 --> 04:44:22,378 any value they just point on a location 5457 04:44:22,378 --> 04:44:25,260 so what's interesting about that is that 5458 04:44:25,260 --> 04:44:26,940 what you're doing when you introduce the 5459 04:44:26,940 --> 04:44:30,120 star of star conjunct is to basically 5460 04:44:30,120 --> 04:44:32,580 say you know what I can express my 5461 04:44:32,580 --> 04:44:35,638 programs internal logic by having sub 5462 04:44:35,638 --> 04:44:37,980 formulas and those sub formulas they 5463 04:44:37,980 --> 04:44:39,660 don't have any common variables between 5464 04:44:39,660 --> 04:44:40,980 them 5465 04:44:40,980 --> 04:44:43,740 so if I see a piece of code and that 5466 04:44:43,740 --> 04:44:46,020 piece of code touch variable X I just 5467 04:44:46,020 --> 04:44:47,520 have to actually select which 
of that 5468 04:44:47,520 --> 04:44:49,320 sub formula this is a part of the big 5469 04:44:49,320 --> 04:44:51,540 formula the sub formula part that 5470 04:44:51,540 --> 04:44:54,480 contains X and update that thing and I 5471 04:44:54,480 --> 04:44:55,680 don't need to touch anything else 5472 04:44:55,680 --> 04:44:58,138 because nothing else actually contains X 5473 04:44:58,138 --> 04:45:02,040 knowing that it's a separated conjunct 5474 04:45:02,040 --> 04:45:03,900 so this basically allows me to do local 5475 04:45:03,900 --> 04:45:06,360 reasoning it's called where you can 5476 04:45:06,360 --> 04:45:07,740 actually 5477 04:45:07,740 --> 04:45:08,638 um 5478 04:45:08,638 --> 04:45:11,638 derive the pre to the post from the pre 5479 04:45:11,638 --> 04:45:14,040 and just update specific sub formulas of 5480 04:45:14,040 --> 04:45:15,120 your logic 5481 04:45:15,120 --> 04:45:16,680 this is one way that you can actually 5482 04:45:16,680 --> 04:45:19,080 tame this 5483 04:45:19,080 --> 04:45:21,540 um this state space explosion because 5484 04:45:21,540 --> 04:45:23,638 instead of having a big product space of 5485 04:45:23,638 --> 04:45:25,920 every possible value you have more like 5486 04:45:25,920 --> 04:45:28,320 a union space right you is a union 5487 04:45:28,320 --> 04:45:31,798 between the sub programs 5488 04:45:31,798 --> 04:45:34,560 the state of the sub programs 5489 04:45:34,560 --> 04:45:37,020 another really important 5490 04:45:37,020 --> 04:45:39,120 um core idea of separation logic is 5491 04:45:39,120 --> 04:45:41,040 something called a frame rule 5492 04:45:41,040 --> 04:45:42,780 the frame rule allows you to do two 5493 04:45:42,780 --> 04:45:44,820 things what I call begin anywhere 5494 04:45:44,820 --> 04:45:47,700 analysis and also compositional analysis 5495 04:45:47,700 --> 04:45:49,440 begin anywhere analysis is what you 5496 04:45:49,440 --> 04:45:52,020 expect it to be compositional analysis 5497 04:45:52,020 --> 04:45:54,180 is
really that you can analyze typically 5498 04:45:54,180 --> 04:45:57,000 each function separately and Stitch the 5499 04:45:57,000 --> 04:45:58,980 logic at the end so you don't need to 5500 04:45:58,980 --> 04:46:02,700 follow every call Path and go and come 5501 04:46:02,700 --> 04:46:04,860 with a return and the calls and the 5502 04:46:04,860 --> 04:46:06,780 return Etc that leads to very long 5503 04:46:06,780 --> 04:46:09,060 traces what you can do is to basically 5504 04:46:09,060 --> 04:46:11,340 analyze each function separately and 5505 04:46:11,340 --> 04:46:13,260 Stitch it at the end because you're 5506 04:46:13,260 --> 04:46:15,060 using those separating conjunction you 5507 04:46:15,060 --> 04:46:17,400 know that each of those function logic 5508 04:46:17,400 --> 04:46:20,160 are independent from one another 5509 04:46:20,160 --> 04:46:23,340 and particularly when you have these 5510 04:46:23,340 --> 04:46:25,798 function call say function G being 5511 04:46:25,798 --> 04:46:27,780 called with argument X 5512 04:46:27,780 --> 04:46:32,760 and you know that p g of x q hold 5513 04:46:32,760 --> 04:46:36,420 well if x if there is 5514 04:46:36,420 --> 04:46:41,100 a sub formula of p and Q say let's say f 5515 04:46:41,100 --> 04:46:42,420 where 5516 04:46:42,420 --> 04:46:45,480 X is not part of f 5517 04:46:45,480 --> 04:46:46,920 is 5518 04:46:46,920 --> 04:46:51,180 preserved across the call GX 5519 04:46:51,180 --> 04:46:52,740 for example 5520 04:46:52,740 --> 04:46:55,798 if F describes the value of x at the 5521 04:46:55,798 --> 04:46:59,700 bottom here I'm calling p g x of Q 5522 04:46:59,700 --> 04:47:02,820 and then I know that P star x equals V 5523 04:47:02,820 --> 04:47:06,840 holds and I call G of X well I know that 5524 04:47:06,840 --> 04:47:11,040 x if x is a local variable to my caller 5525 04:47:11,040 --> 04:47:13,260 X the value of x is not going to change 5526 04:47:13,260 --> 04:47:15,840 by calling G therefore I know that the 
5527 04:47:15,840 --> 04:47:18,420 whatever value was in X before the call 5528 04:47:18,420 --> 04:47:22,200 will also even be in X after the call 5529 04:47:22,200 --> 04:47:25,860 so I have these frame F this Frame 5530 04:47:25,860 --> 04:47:29,160 condition or this uh 5531 04:47:29,160 --> 04:47:31,620 the sub formularity that allows me to 5532 04:47:31,620 --> 04:47:33,420 really make sure that I don't have to 5533 04:47:33,420 --> 04:47:35,280 rewrite the entire formula every single 5534 04:47:35,280 --> 04:47:36,180 time 5535 04:47:36,180 --> 04:47:39,020 I factor those pre and post conditions 5536 04:47:39,020 --> 04:47:41,760 independent from one another 5537 04:47:41,760 --> 04:47:44,218 so those are two main ideas of separation 5538 04:47:44,218 --> 04:47:46,560 logic where you can begin anywhere you 5539 04:47:46,560 --> 04:47:48,780 want you can compose local analysis 5540 04:47:48,780 --> 04:47:49,740 together 5541 04:47:49,740 --> 04:47:53,340 and you have this notion of of locations 5542 04:47:53,340 --> 04:47:56,218 where now you're able to deal with heap 5543 04:47:56,218 --> 04:47:57,900 variables and heap data structures by 5544 04:47:57,900 --> 04:48:00,718 having this concept of locations and the 5545 04:48:00,718 --> 04:48:02,580 points to set that correspond to that 5546 04:48:02,580 --> 04:48:03,840 location 5547 04:48:03,840 --> 04:48:07,218 so that's a very very important advance 5548 04:48:07,218 --> 04:48:10,798 in large-scale analysis for some of you 5549 04:48:10,798 --> 04:48:12,780 who may know some tools for example like 5550 04:48:12,780 --> 04:48:13,860 Meta 5551 04:48:13,860 --> 04:48:15,298 Infer 5552 04:48:15,298 --> 04:48:17,218 which is pretty pretty famous it's all 5553 04:48:17,218 --> 04:48:20,480 based on separation logic 5554 04:48:25,980 --> 04:48:28,560 these State space explosion is to use a 5555 04:48:28,560 --> 04:48:30,180 technique 5556 04:48:30,180 --> 04:48:31,798 um from incorrectness logic 5557 04:48:31,798
--> 04:48:34,138 incorrectness logic was created by Peter 5558 04:48:34,138 --> 04:48:35,638 O'Hearn 5559 04:48:35,638 --> 04:48:37,020 and published at Principles of 5560 04:48:37,020 --> 04:48:40,620 Programming Languages 2020 2012. I'll 5561 04:48:40,620 --> 04:48:42,920 dragon 2020. 5562 04:48:42,920 --> 04:48:45,420 Jake has two concepts that are really 5563 04:48:45,420 --> 04:48:47,580 makes it new and really Innovative 5564 04:48:47,580 --> 04:48:49,920 fundamentally Innovative the first one 5565 04:48:49,920 --> 04:48:51,958 is that it has path dropping on the 5566 04:48:51,958 --> 04:48:53,100 right side 5567 04:48:53,100 --> 04:48:55,138 path dropping is basically just 5568 04:48:55,138 --> 04:48:57,240 formalizing what we have seen here a 5569 04:48:57,240 --> 04:48:59,458 little couple of slides before the bottom 5570 04:48:59,458 --> 04:49:01,378 right where you can basically decide to 5571 04:49:01,378 --> 04:49:03,360 drop a path that you don't care about 5572 04:49:03,360 --> 04:49:05,760 and that still makes your analysis correct 5573 04:49:05,760 --> 04:49:08,160 right you just analyze less behaviors of 5574 04:49:08,160 --> 04:49:10,260 your program 5575 04:49:10,260 --> 04:49:12,420 and what you're saying is that if I have 5576 04:49:12,420 --> 04:49:14,458 a piece of code C that starts in a 5577 04:49:14,458 --> 04:49:17,400 precondition p and it finishes by either 5578 04:49:17,400 --> 04:49:20,100 q1 or Q2 let's say you know C was an if 5579 04:49:20,100 --> 04:49:23,580 else okay it finishes in state q1 if it 5580 04:49:23,580 --> 04:49:25,620 goes to the if or if you should say Q2 5581 04:49:25,620 --> 04:49:27,180 if it goes to the else 5582 04:49:27,180 --> 04:49:29,280 well it happened that you can drop 5583 04:49:29,280 --> 04:49:33,480 whatever q1 or Q2 you want with i being 5584 04:49:33,480 --> 04:49:34,980 either one or two in that particular 5585 04:49:34,980 --> 04:49:37,920 case so you can Define this derivation 5586 04:49:37,920
--> 04:49:40,260 in your logic that goes from a triple 5587 04:49:40,260 --> 04:49:47,340 that says p c q one or Q2 to p c q1 or p 5588 04:49:47,340 --> 04:49:49,860 c q two you don't have to keep the 5589 04:49:49,860 --> 04:49:52,378 entire disjunction the entire or in your 5590 04:49:52,378 --> 04:49:54,180 logic you drop a path 5591 04:49:54,180 --> 04:49:55,500 and that doesn't introduce any 5592 04:49:55,500 --> 04:49:57,420 abstraction in fact it's an under 5593 04:49:57,420 --> 04:50:00,120 approximation 5594 04:50:00,120 --> 04:50:02,580 and similarly if you have two paths that 5595 04:50:02,580 --> 04:50:05,878 leads to the same conclusion Q P1 or P2 5596 04:50:05,878 --> 04:50:07,920 those two path and that leads to the 5597 04:50:07,920 --> 04:50:09,958 same result Q well you can drop either 5598 04:50:09,958 --> 04:50:12,320 P1 or P2 because you know that the path 5599 04:50:12,320 --> 04:50:15,780 P1 C Q is valid and the path P2 C Q is 5600 04:50:15,780 --> 04:50:17,878 valid as well so you can actually keep 5601 04:50:17,878 --> 04:50:20,520 one of the two P ones or p2s in your 5602 04:50:20,520 --> 04:50:24,180 derivation path dropping by the 5603 04:50:24,180 --> 04:50:26,458 precondition 5604 04:50:26,458 --> 04:50:28,798 and one additional 5605 04:50:28,798 --> 04:50:30,660 characteristic of incorrectness logic is 5606 04:50:30,660 --> 04:50:33,180 that it has two kinds of post conditions 5607 04:50:33,180 --> 04:50:35,340 it has what's called the OK post 5608 04:50:35,340 --> 04:50:37,760 condition and the error post condition 5609 04:50:37,760 --> 04:50:41,820 where if C succeeds you can actually 5610 04:50:41,820 --> 04:50:44,218 derive The Logical facts of your program 5611 04:50:44,218 --> 04:50:47,638 in Q while if C fails you actually 5612 04:50:47,638 --> 04:50:50,160 derive the error conditions in post 5613 04:50:50,160 --> 04:50:51,540 condition r 5614 04:50:51,540 --> 04:50:53,520 and that is key 5615 04:50:53,520 --> 04:50:54,840 if
you want to actually start 5616 04:50:54,840 --> 04:50:56,520 understanding what can be made of those 5617 04:50:56,520 --> 04:50:58,020 errors for example if you're a security 5618 04:50:58,020 --> 04:50:59,280 researcher and you want to know you 5619 04:50:59,280 --> 04:51:00,958 don't want to track possible error 5620 04:51:00,958 --> 04:51:02,700 states of your program you don't want to 5621 04:51:02,700 --> 04:51:04,260 just say oh I'm sorry there's a bug in 5622 04:51:04,260 --> 04:51:06,480 your program stop right here no you want 5623 04:51:06,480 --> 04:51:08,218 to basically continue analysis statement 5624 04:51:08,218 --> 04:51:10,080 after statement and track those error 5625 04:51:10,080 --> 04:51:12,000 conditions that you can reach well 5626 04:51:12,000 --> 04:51:13,920 that's why the Air Attack here allows 5627 04:51:13,920 --> 04:51:15,840 you to do it allows you to basically 5628 04:51:15,840 --> 04:51:18,180 keep going and keep deriving more and 5629 04:51:18,180 --> 04:51:19,680 more knowledge not just of what the 5630 04:51:19,680 --> 04:51:21,780 expected behavior of the program is but 5631 04:51:21,780 --> 04:51:25,579 also the error behavior of the program 5632 04:51:27,298 --> 04:51:28,798 and after I've learned about that about 5633 04:51:28,798 --> 04:51:31,260 three years ago I felt like I was you 5634 04:51:31,260 --> 04:51:33,298 know almost ready to go for a planet of 5635 04:51:33,298 --> 04:51:36,298 the ape casting 5636 04:51:36,298 --> 04:51:37,798 so I felt a little bit better about 5637 04:51:37,798 --> 04:51:39,600 myself but still I couldn't make sense 5638 04:51:39,600 --> 04:51:41,218 of all of these mathematical symbols 5639 04:51:41,218 --> 04:51:42,840 behind 5640 04:51:42,840 --> 04:51:45,920 any questions so far 5641 04:51:48,300 --> 04:51:51,480 [Music] 5642 04:51:53,280 --> 04:51:55,940 speak louder 5643 04:51:57,840 --> 04:52:00,740 oh boy 5644 04:52:02,638 --> 04:52:05,718 it requires it 5645 04:52:06,840 --> 
04:52:09,860 nice good luck 5646 04:52:27,298 --> 04:52:29,040 kimina it's very hard for me to hear 5647 04:52:29,040 --> 04:52:33,298 what but we can we can take this offline 5648 04:52:33,298 --> 04:52:35,100 so if you want to ask a question please 5649 04:52:35,100 --> 04:52:37,020 Shout 5650 04:52:37,020 --> 04:52:39,798 any other question 5651 04:52:46,980 --> 04:52:48,540 the question was if you have multiple 5652 04:52:48,540 --> 04:52:49,860 branches how do you choose the interval 5653 04:52:49,860 --> 04:52:51,540 is that the min and the max yes that's 5654 04:52:51,540 --> 04:52:53,520 what it is it's typically the union you 5655 04:52:53,520 --> 04:52:55,920 take you you want the interval to be 5656 04:52:55,920 --> 04:52:59,160 dense right so you basically want to 5657 04:52:59,160 --> 04:53:00,840 have just a Min and a Max you don't want 5658 04:53:00,840 --> 04:53:02,878 to have a union of intervals so you have 5659 04:53:02,878 --> 04:53:05,160 two intervals from zero to ten and from 5660 04:53:05,160 --> 04:53:08,100 10 to 20 then unionizing that makes one 5661 04:53:08,100 --> 04:53:11,420 interval of zero to twenty 5662 04:53:12,900 --> 04:53:15,680 more questions 5663 04:53:26,520 --> 04:53:28,260 very good 5664 04:53:28,260 --> 04:53:31,877 why can't we be the questions as well 5665 04:53:47,180 --> 04:53:49,620 what is what if you have a very large 5666 04:53:49,620 --> 04:53:51,240 program that has a potentially 5667 04:53:51,240 --> 04:53:52,920 unbounded amount of executions for 5668 04:53:52,920 --> 04:53:55,980 example a loop that never terminates 5669 04:53:55,980 --> 04:53:57,900 good question what's interesting about 5670 04:53:57,900 --> 04:54:00,600 under approximation is that empty set is 5671 04:54:00,600 --> 04:54:02,878 a valid under approximation 5672 04:54:02,878 --> 04:54:05,280 right so as long as you are a subset 5673 04:54:05,280 --> 04:54:08,218 maybe a finite subset 5674 04:54:08,218 --> 04:54:10,138 that is under
approximately potentially 5675 04:54:10,138 --> 04:54:13,680 an infinite set of execution that's the 5676 04:54:13,680 --> 04:54:15,298 valid under approximation so you can do 5677 04:54:15,298 --> 04:54:17,480 that 5678 04:54:20,160 --> 04:54:22,940 last question 5679 04:54:35,580 --> 04:54:37,500 do you have to rely on the user to 5680 04:54:37,500 --> 04:54:40,260 Define what the error behavior is 5681 04:54:40,260 --> 04:54:42,000 yes and no 5682 04:54:42,000 --> 04:54:44,160 if you have the semantic of a 5683 04:54:44,160 --> 04:54:45,780 programming language that is defined 5684 04:54:45,780 --> 04:54:47,100 once and for all 5685 04:54:47,100 --> 04:54:48,900 the user doesn't have to actually modify 5686 04:54:48,900 --> 04:54:50,700 the defining it's like for example if 5687 04:54:50,700 --> 04:54:52,378 you have a pointer and that pointer 5688 04:54:52,378 --> 04:54:55,680 value is null and you do star P equal 42 5689 04:54:55,680 --> 04:54:57,780 well the user doesn't have to tell you 5690 04:54:57,780 --> 04:54:59,940 anything to know that star P equal 42 is 5691 04:54:59,940 --> 04:55:01,920 a bad thing when p is equal null 5692 04:55:01,920 --> 04:55:06,000 right if however you want to do you know 5693 04:55:06,000 --> 04:55:07,560 you want to use that tool as more like a 5694 04:55:07,560 --> 04:55:11,360 cyborg like AI assistant let's call well 5695 04:55:11,360 --> 04:55:14,700 you you may insert have some assertions 5696 04:55:14,700 --> 04:55:16,320 right you may add assertions in your 5697 04:55:16,320 --> 04:55:18,060 program and you try to say okay what 5698 04:55:18,060 --> 04:55:19,940 paths can lead to that assertion being 5699 04:55:19,940 --> 04:55:22,860 violated being unsatisfied 5700 04:55:22,860 --> 04:55:25,740 so you can combine you can do both 5701 04:55:25,740 --> 04:55:28,260 okay and in fact in many programs people 5702 04:55:28,260 --> 04:55:30,120 actually create their own specification 5703 04:55:30,120 --> 04:55:32,040 you create
a specification and then you 5704 04:55:32,040 --> 04:55:34,798 use a logic to derive facts and you see 5705 04:55:34,798 --> 04:55:39,060 if those facts imply your assertions 5706 04:55:39,060 --> 04:55:41,100 okay 5707 04:55:41,100 --> 04:55:42,680 next 5708 04:55:42,680 --> 04:55:45,060 concurrent logics are we getting to the 5709 04:55:45,060 --> 04:55:47,340 serious stuff 5710 04:55:47,340 --> 04:55:49,680 another another operator that people 5711 04:55:49,680 --> 04:55:52,020 started adding to program logic is the 5712 04:55:52,020 --> 04:55:54,180 parallel composition operator noted two 5713 04:55:54,180 --> 04:55:55,320 bars 5714 04:55:55,320 --> 04:55:58,920 okay if I say C1 two bars C2 it 5715 04:55:58,920 --> 04:56:01,138 basically means that C2 C1 is parallel 5716 04:56:01,138 --> 04:56:03,240 composed with C2 5717 04:56:03,240 --> 04:56:05,340 for example if I have a program C1 I 5718 04:56:05,340 --> 04:56:07,138 start in precondition P1 ends up in the 5719 04:56:07,138 --> 04:56:09,200 post condition q1 and I have another one 5720 04:56:09,200 --> 04:56:11,940 C2 that start in precondition P2 and 5721 04:56:11,940 --> 04:56:14,520 goes to post condition Q2 well the way I 5722 04:56:14,520 --> 04:56:17,580 write that triple is by saying P1 and 5723 04:56:17,580 --> 04:56:22,378 separately P2 C1 parallel P2 C2 5724 04:56:22,378 --> 04:56:26,700 post condition q1 and separately Q2 5725 04:56:26,700 --> 04:56:28,920 and I can track the state of a parallel 5726 04:56:28,920 --> 04:56:32,040 program like that of course here there 5727 04:56:32,040 --> 04:56:34,020 is an assumption we say that the 5728 04:56:34,020 --> 04:56:36,120 variables appearing in P1 are strictly 5729 04:56:36,120 --> 04:56:37,560 disjoint from the variables appearing 5730 04:56:37,560 --> 04:56:38,820 in P2 5731 04:56:38,820 --> 04:56:41,760 and same between q1 and Q2 so those two 5732 04:56:41,760 --> 04:56:43,320 programs can execute in parallel but 5733 04:56:43,320 --> 04:56:45,780
they can never share anything 5734 04:56:45,780 --> 04:56:48,600 it's pretty Limited 5735 04:56:48,600 --> 04:56:49,920 and so 5736 04:56:49,920 --> 04:56:51,840 how can you analyze programs that are 5737 04:56:51,840 --> 04:56:53,700 potentially sharing ownership right they 5738 04:56:53,700 --> 04:56:55,440 have variables where some variables 5739 04:56:55,440 --> 04:56:57,180 actually shared across the threads you 5740 04:56:57,180 --> 04:56:58,138 know they're not there's no clear 5741 04:56:58,138 --> 04:57:00,240 ownership between thread one or thread 5742 04:57:00,240 --> 04:57:03,120 two say there's a variable X that's 5743 04:57:03,120 --> 04:57:05,638 manipulated into two different parts of 5744 04:57:05,638 --> 04:57:07,260 the multi-thread program 5745 04:57:07,260 --> 04:57:10,458 well a few last year as a matter of fact 5746 04:57:10,458 --> 04:57:13,740 Azalea Raad and her like her 5747 04:57:13,740 --> 04:57:15,900 collaborators created a new logic 5748 04:57:15,900 --> 04:57:17,878 CISL Concurrent Incorrectness 5749 04:57:17,878 --> 04:57:20,218 Separation Logic and this allowed you to 5750 04:57:20,218 --> 04:57:22,320 actually combine the incorrectness 5751 04:57:22,320 --> 04:57:24,120 principle with this concept of 5752 04:57:24,120 --> 04:57:25,920 concurrency where now you don't 5753 04:57:25,920 --> 04:57:28,680 necessarily require that those variables 5754 04:57:28,680 --> 04:57:31,440 are actually separated for example you 5755 04:57:31,440 --> 04:57:32,940 can start analyzing programs like that 5756 04:57:32,940 --> 04:57:35,340 with race conditions where you have one 5757 04:57:35,340 --> 04:57:37,138 program on the left it's allocating a 5758 04:57:37,138 --> 04:57:40,320 variable x x equal alloc n and then you 5759 04:57:40,320 --> 04:57:43,080 write something into X star x equals V 5760 04:57:43,080 --> 04:57:45,360 well too bad if you have a parallel 5761 04:57:45,360 --> 04:57:47,520 program composed with your program and
5762 04:57:47,520 --> 04:57:49,500 that does free x and we're talking about the 5763 04:57:49,500 --> 04:57:52,320 same x what happens when if you do one 5764 04:57:52,320 --> 04:57:54,600 three two if you execute one the 5765 04:57:54,600 --> 04:57:56,280 scheduler actually swap to this other 5766 04:57:56,280 --> 04:57:59,040 thread execute free x and then comes 5767 04:57:59,040 --> 04:58:01,500 back to your your previous thread and uh 5768 04:58:01,500 --> 04:58:04,260 star x equal V well you have a bug right 5769 04:58:04,260 --> 04:58:06,298 because then you try to run into a 5770 04:58:06,298 --> 04:58:08,100 pointer that was free 5771 04:58:08,100 --> 04:58:09,840 so these concurrent incorrectness 5772 04:58:09,840 --> 04:58:11,280 separation logic allows you to reason 5773 04:58:11,280 --> 04:58:14,480 about programs like that 5774 04:58:15,360 --> 04:58:18,320 even further 5775 04:58:18,660 --> 04:58:23,160 last year I took the same concept of 5776 04:58:23,160 --> 04:58:24,240 parallel 5777 04:58:24,240 --> 04:58:26,700 parallel or concurrent logic except that 5778 04:58:26,700 --> 04:58:29,340 this time I wanted to start analyzing 5779 04:58:29,340 --> 04:58:31,378 exploit programs 5780 04:58:31,378 --> 04:58:33,780 where I say okay that's fun you can have 5781 04:58:33,780 --> 04:58:36,780 two programs P1 is in parallel to P2 but 5782 04:58:36,780 --> 04:58:38,638 what if in fact I have a program that's 5783 04:58:38,638 --> 04:58:41,820 an adversarial program a in that program 5784 04:58:41,820 --> 04:58:44,340 just as an encoding trick for the logic 5785 04:58:44,340 --> 04:58:46,980 I'm going to compose in parallel with my 5786 04:58:46,980 --> 04:58:49,020 programs I'm trying to Target 5787 04:58:49,020 --> 04:58:52,680 well say P1 in parallel with a or P1 and 5788 04:58:52,680 --> 04:58:55,020 P2 in parallel is a well it's kind of an 5789 04:58:55,020 --> 04:58:56,940 Alice and Bob logic but except that 5790 04:58:56,940 --> 04:58:59,040 the Alice and
Bob representation typically 5791 04:58:59,040 --> 04:59:01,560 used for cryptographic protocol analysis 5792 04:59:01,560 --> 04:59:04,320 can also be used for implementation of 5793 04:59:04,320 --> 04:59:08,520 protocols as such so instead of actually 5794 04:59:08,520 --> 04:59:10,080 analyzing necessarily just race 5795 04:59:10,080 --> 04:59:12,540 conditions using this concurrent logic 5796 04:59:12,540 --> 04:59:14,520 you start to use 5797 04:59:14,520 --> 04:59:16,560 that encoding in the logic to actually 5798 04:59:16,560 --> 04:59:18,600 analyze the interactions between a 5799 04:59:18,600 --> 04:59:21,859 program and an adversarial program 5800 04:59:22,620 --> 04:59:26,218 for example you may have a program all 5801 04:59:26,218 --> 04:59:28,560 it does is to actually write X and read 5802 04:59:28,560 --> 04:59:32,700 Z in another program that reads y and 5803 04:59:32,700 --> 04:59:35,458 then write write y plus one 5804 04:59:35,458 --> 04:59:37,760 let's say you execute one two three four 5805 04:59:37,760 --> 04:59:39,540 in fact 5806 04:59:39,540 --> 04:59:42,298 I mean one three four two I'm sorry in 5807 04:59:42,298 --> 04:59:44,100 fact it says the only execution you can 5808 04:59:44,100 --> 04:59:47,218 actually do because the read at line 5809 04:59:47,218 --> 04:59:49,980 three expects the write at line one and 5810 04:59:49,980 --> 04:59:51,900 the read at line two expects the write at 5811 04:59:51,900 --> 04:59:52,798 line four 5812 04:59:52,798 --> 04:59:54,900 so you can start shading execution 5813 04:59:54,900 --> 04:59:57,840 between multiple programs composed in 5814 04:59:57,840 --> 04:59:59,520 parallel potentially with shared 5815 04:59:59,520 --> 05:00:02,280 variables or not 5816 05:00:02,280 --> 05:00:03,958 and then you can start to say okay what 5817 05:00:03,958 --> 05:00:05,700 does that mean to do execution one three 5818 05:00:05,700 --> 05:00:07,680 four two what that means I start in a 5819
05:00:10,740 pre-stage satisfying x equal v and y 5820 05:00:10,740 --> 05:00:13,020 equal whatever value doesn't matter and 5821 05:00:13,020 --> 05:00:14,700 also Z equal whatever value doesn't 5822 05:00:14,700 --> 05:00:16,798 matter and then I execute my program 5823 05:00:16,798 --> 05:00:19,920 this final composition of write X read X 5824 05:00:19,920 --> 05:00:24,600 write y read write y plus one and the 5825 05:00:24,600 --> 05:00:27,420 result is guaranteed to be that if I had 5826 05:00:27,420 --> 05:00:30,120 x equals V at the beginning then I'm 5827 05:00:30,120 --> 05:00:32,458 gonna have that Z equal V plus 1 at the 5828 05:00:32,458 --> 05:00:33,298 end 5829 05:00:33,298 --> 05:00:34,920 so he started allowing me to actually 5830 05:00:34,920 --> 05:00:37,740 reason about interactive programs and 5831 05:00:37,740 --> 05:00:40,378 with the reads and write Primitives and 5832 05:00:40,378 --> 05:00:42,360 that start to become interesting to 5833 05:00:42,360 --> 05:00:45,000 study exploits let's take a small 5834 05:00:45,000 --> 05:00:46,920 example it's a quite straightforward 5835 05:00:46,920 --> 05:00:49,920 example for the sake of of this 5836 05:00:49,920 --> 05:00:51,600 let's assume that you have these program 5837 05:00:51,600 --> 05:00:53,760 on the left this program on the left is 5838 05:00:53,760 --> 05:00:56,218 a little server piece of code and all it 5839 05:00:56,218 --> 05:00:58,500 does it basically reads on the socket 5840 05:00:58,500 --> 05:01:01,820 into this cred this credential 5841 05:01:01,820 --> 05:01:05,940 byte and if uh the specific secret was a 5842 05:01:05,940 --> 05:01:07,260 randomly generated value is actually 5843 05:01:07,260 --> 05:01:09,600 what I provided my error code is going 5844 05:01:09,600 --> 05:01:13,798 to be zero or if my secret was too was 5845 05:01:13,798 --> 05:01:15,480 smaller than what I provided it's going 5846 05:01:15,480 --> 05:01:18,000 to write error equal one and if my 5847 
05:01:18,000 --> 05:01:19,500 secret was bigger than cred it's gonna 5848 05:01:19,500 --> 05:01:21,298 write error two 5849 05:01:21,298 --> 05:01:23,100 of course if I provided the right value 5850 05:01:23,100 --> 05:01:24,718 for the secret it's going to serve the 5851 05:01:24,718 --> 05:01:26,700 client as it should 5852 05:01:26,700 --> 05:01:29,100 and no matter what is going to write the 5853 05:01:29,100 --> 05:01:31,080 error code back into the socket that it 5854 05:01:31,080 --> 05:01:32,340 reads from 5855 05:01:32,340 --> 05:01:34,620 well there is a little problem with this 5856 05:01:34,620 --> 05:01:37,400 program right well 5857 05:01:37,400 --> 05:01:39,718 notwithstanding the fact that the secret 5858 05:01:39,718 --> 05:01:43,500 is on 8 Bits which is ridiculously small 5859 05:01:43,500 --> 05:01:45,298 the problem is that there is a 5860 05:01:45,298 --> 05:01:47,520 information disclosure vulnerability I'm 5861 05:01:47,520 --> 05:01:48,840 not going to call it a side Channel 5862 05:01:48,840 --> 05:01:51,180 because I got picked on for that but 5863 05:01:51,180 --> 05:01:52,920 let's call it indirect information 5864 05:01:52,920 --> 05:01:55,200 disclosure where somebody can actually 5865 05:01:55,200 --> 05:01:57,840 guess the value of the cred or the 5866 05:01:57,840 --> 05:01:58,760 secret 5867 05:01:58,760 --> 05:02:00,600 based on a very small amount of 5868 05:02:00,600 --> 05:02:02,100 interaction you can have with the 5869 05:02:02,100 --> 05:02:04,080 program that's what the program on the 5870 05:02:04,080 --> 05:02:06,780 right side does which is the adversarial 5871 05:02:06,780 --> 05:02:08,760 program the adversarial program's goal 5872 05:02:08,760 --> 05:02:10,138 is really to 5873 05:02:10,138 --> 05:02:11,820 find a state 5874 05:02:11,820 --> 05:02:15,718 for the program a compose B well P 5875 05:02:15,718 --> 05:02:17,820 compose a the my program composed with 5876 05:02:17,820 --> 05:02:20,520 my adversarial program for
which this 5877 05:02:20,520 --> 05:02:22,378 particular assertion can be satisfied at 5878 05:02:22,378 --> 05:02:25,260 line 14 where I basically have error equal 5879 05:02:25,260 --> 05:02:27,958 zero meaning I guess the right Secret 5880 05:02:27,958 --> 05:02:29,878 so one interesting change that you can 5881 05:02:29,878 --> 05:02:31,798 notice in adversarial logic is that 5882 05:02:31,798 --> 05:02:34,260 assertions in adversarial logic they are 5883 05:02:34,260 --> 05:02:35,940 attack assertions they are not 5884 05:02:35,940 --> 05:02:37,680 verification assertions they are not 5885 05:02:37,680 --> 05:02:41,100 program contracts call contract they are 5886 05:02:41,100 --> 05:02:42,420 conditions that the attacker actually 5887 05:02:42,420 --> 05:02:45,180 drives in order to bring the program in 5888 05:02:45,180 --> 05:02:47,458 an error state 5889 05:02:47,458 --> 05:02:49,620 so you only need to have one particular 5890 05:02:49,620 --> 05:02:51,660 path satisfying this particular 5891 05:02:51,660 --> 05:02:53,340 assertion for your program to be 5892 05:02:53,340 --> 05:02:54,360 vulnerable 5893 05:02:54,360 --> 05:02:55,860 hence 5894 05:02:55,860 --> 05:02:58,040 such analysis fundamentally 5895 05:02:58,040 --> 05:03:00,240 underapproximate because you don't care 5896 05:03:00,240 --> 05:03:01,920 about all possible behaviors of the 5897 05:03:01,920 --> 05:03:04,080 program what you care about is to 5898 05:03:04,080 --> 05:03:06,000 isolate one particular behavior of the 5899 05:03:06,000 --> 05:03:08,040 program for which your attack assertion 5900 05:03:08,040 --> 05:03:10,458 holds 5901 05:03:11,100 --> 05:03:12,900 so let's look at the program on the 5902 05:03:12,900 --> 05:03:14,580 right side a little bit 5903 05:03:14,580 --> 05:03:16,378 what it does is that you start by a 5904 05:03:16,378 --> 05:03:18,240 random value or a guess get a random 5905 05:03:18,240 --> 05:03:20,700 guess let's say maximum on on of you 5906
05:03:22,980 into eight and then it's got the step 5907 05:03:22,980 --> 05:03:24,060 variable 5908 05:03:24,060 --> 05:03:26,520 where what it does is I basically divide 5909 05:03:26,520 --> 05:03:29,040 the step by two 5910 05:03:29,040 --> 05:03:33,180 and add one as an initial step value and 5911 05:03:33,180 --> 05:03:36,718 until my step is not zero what I do is 5912 05:03:36,718 --> 05:03:38,820 that I keep dividing the step by two so 5913 05:03:38,820 --> 05:03:41,638 it will eventually reach zero 5914 05:03:41,638 --> 05:03:45,120 here what you can do is uh in a in fact 5915 05:03:45,120 --> 05:03:47,520 in a linear amount of attempt in the 5916 05:03:47,520 --> 05:03:49,440 size of the secret and in that case 5917 05:03:49,440 --> 05:03:51,600 let's say eight in eight plus one 5918 05:03:51,600 --> 05:03:53,760 attempt you'll be able to discover the 5919 05:03:53,760 --> 05:03:56,100 value of the secret because you you can 5920 05:03:56,100 --> 05:03:58,320 leak one bit of the secret per 5921 05:03:58,320 --> 05:04:00,840 interaction every time I'm actually 5922 05:04:00,840 --> 05:04:03,120 trying a value a credential value either 5923 05:04:03,120 --> 05:04:05,160 it's going to be the right value or it's 5924 05:04:05,160 --> 05:04:06,540 going to be too big or it's going to be 5925 05:04:06,540 --> 05:04:07,560 too small 5926 05:04:07,560 --> 05:04:09,360 and if it's too small 5927 05:04:09,360 --> 05:04:10,740 when I'm going to do that I'm going to 5928 05:04:10,740 --> 05:04:13,200 diminish my guess by the value of the 5929 05:04:13,200 --> 05:04:15,360 step if it's 5930 05:04:15,360 --> 05:04:16,138 um 5931 05:04:16,138 --> 05:04:18,060 if it's too big you might guess it's too 5932 05:04:18,060 --> 05:04:19,260 big I'm going to diminish that very by 5933 05:04:19,260 --> 05:04:21,180 the size of the step if my value is too 5934 05:04:21,180 --> 05:04:23,340 small my guess I've got to add this step 5935 05:04:23,340 --> 05:04:26,520 and I divide
this step by two 5936 05:04:26,520 --> 05:04:28,980 and if I do this a little amount of time 5937 05:04:28,980 --> 05:04:30,718 it's gonna lead to me actually 5938 05:04:30,718 --> 05:04:33,120 understanding what Rand uh the rent 5939 05:04:33,120 --> 05:04:35,820 eight the random value for the secret or 5940 05:04:35,820 --> 05:04:37,378 actually was in a very small amount of 5941 05:04:37,378 --> 05:04:38,700 Step 5942 05:04:38,700 --> 05:04:41,040 of course this particular scale 5943 05:04:41,040 --> 05:04:43,080 this particular example scales very well 5944 05:04:43,080 --> 05:04:45,540 as n grows for example if if the 5945 05:04:45,540 --> 05:04:48,480 secret was a 64-bit number or 128 bit 5946 05:04:48,480 --> 05:04:50,040 number or more 5947 05:04:50,040 --> 05:04:51,958 then you would only need that amount of 5948 05:04:51,958 --> 05:04:55,080 attempt to actually derive the secret 5949 05:04:55,080 --> 05:04:57,718 so in fact the the fact that the the 5950 05:04:57,718 --> 05:04:59,400 secret was just on 8bit for this 5951 05:04:59,400 --> 05:05:00,958 particular case was just for the sake of 5952 05:05:00,958 --> 05:05:03,420 explanation 5953 05:05:03,420 --> 05:05:06,000 so I call this one the oscillating bit 5954 05:05:06,000 --> 05:05:08,040 protocol because what's happening is 5955 05:05:08,040 --> 05:05:10,080 that you overshoot you undershoot you 5956 05:05:10,080 --> 05:05:11,218 overshoot a little bit less you 5957 05:05:11,218 --> 05:05:12,660 undershoot a little bit less and you end 5958 05:05:12,660 --> 05:05:16,340 up converging towards the credential 5959 05:05:16,680 --> 05:05:18,360 and this kind of example can be 5960 05:05:18,360 --> 05:05:21,680 expressed in adversarial logic 5961 05:05:24,240 --> 05:05:26,400 one level further 5962 05:05:26,400 --> 05:05:30,180 what if what if we took all of that that 5963 05:05:30,180 --> 05:05:31,860 we just thought about and we put into 5964 05:05:31,860 --> 05:05:34,080 one logic 5965
05:05:34,080 --> 05:05:35,700 I want to have the concurrency I 5966 05:05:35,700 --> 05:05:37,260 want to have the adversarial reasoning I 5967 05:05:37,260 --> 05:05:38,878 want to have the separation logic and I 5968 05:05:38,878 --> 05:05:41,340 want to have it in one log on logic that 5969 05:05:41,340 --> 05:05:44,040 can reason up with for everything I can 5970 05:05:44,040 --> 05:05:45,958 deal with sports programs I can deal 5971 05:05:45,958 --> 05:05:48,240 with concurrency issues I have this 5972 05:05:48,240 --> 05:05:49,920 notion of adversarial reasoning where 5973 05:05:49,920 --> 05:05:52,080 I have somebody trying to sabotage my 5974 05:05:52,080 --> 05:05:55,740 program within the logic 5975 05:05:55,740 --> 05:05:59,580 well it happens that we can actually 5976 05:05:59,580 --> 05:06:00,958 prove quite a lot of things with that 5977 05:06:00,958 --> 05:06:03,420 with that particular logic Azalea 5978 05:06:03,420 --> 05:06:05,760 Raad myself Josh Berdine and Peter 5979 05:06:05,760 --> 05:06:07,620 O'Hearn just 5980 05:06:07,620 --> 05:06:09,540 um got a paper accepted at the 5981 05:06:09,540 --> 05:06:10,940 International 5982 05:06:10,940 --> 05:06:14,160 Conference on Concurrency Theory CONCUR 5983 05:06:14,160 --> 05:06:17,820 where we actually uh explain quite a 5984 05:06:17,820 --> 05:06:19,260 number of examples including information 5985 05:06:19,260 --> 05:06:21,298 disclosure and things related to 5986 05:06:21,298 --> 05:06:23,940 pointers that can all be done within 5987 05:06:23,940 --> 05:06:25,200 that framework 5988 05:06:25,200 --> 05:06:27,540 and you can actually take a look at the 5989 05:06:27,540 --> 05:06:31,280 preprint on my Twitter 5990 05:06:31,740 --> 05:06:34,260 at this stage I'm you see I'm almost 5991 05:06:34,260 --> 05:06:36,900 almost not an ape anymore actually 5992 05:06:36,900 --> 05:06:38,878 pretty much near the final stage of this 5993 05:06:38,878 --> 05:06:41,100 Kafkaesque transformation
5994 05:06:41,100 --> 05:06:43,080 I'm not an animal even though I have 5995 05:06:43,080 --> 05:06:45,240 some ears and my dog is actually tagging 5996 05:06:45,240 --> 05:06:47,420 along 5997 05:06:49,980 --> 05:06:52,200 so are we done there's nothing else for 5998 05:06:52,200 --> 05:06:53,400 us to do 5999 05:06:53,400 --> 05:06:55,798 has formal logic solved our problem of 6000 05:06:55,798 --> 05:06:58,200 adversarial exploitability analysis can 6001 05:06:58,200 --> 05:06:59,940 actually start generating exploit from 6002 05:06:59,940 --> 05:07:00,660 that 6003 05:07:00,660 --> 05:07:04,378 for everything I want well not quite 6004 05:07:04,378 --> 05:07:07,440 some of those some historical properties 6005 05:07:07,440 --> 05:07:09,600 are well known to be undecidable for 6006 05:07:09,600 --> 05:07:10,980 example 6007 05:07:10,980 --> 05:07:13,080 for I cannot for any program tell you 6008 05:07:13,080 --> 05:07:14,040 whether that program is going to 6009 05:07:14,040 --> 05:07:16,138 terminate eventually that's also known 6010 05:07:16,138 --> 05:07:17,940 as the Turing halting problem the Turing 6011 05:07:17,940 --> 05:07:20,160 machine halting problem 6012 05:07:20,160 --> 05:07:23,218 and in logic our computer heroes Alan 6013 05:07:23,218 --> 05:07:25,920 Turing and Kurt Gödel in the 1930s 6014 05:07:25,920 --> 05:07:30,180 actually uh worked quite had some 6015 05:07:30,180 --> 05:07:32,520 fundamental seminal work on this topic 6016 05:07:32,520 --> 05:07:34,260 where Kurt Gödel came up with his 6017 05:07:34,260 --> 05:07:36,060 incompleteness theorem while Alan Turing of 6018 05:07:36,060 --> 05:07:38,580 course came up with this halting problem 6019 05:07:38,580 --> 05:07:41,218 that is very known by everybody who ever 6020 05:07:41,218 --> 05:07:43,860 took a look at I guess a 6021 05:07:43,860 --> 05:07:45,540 complexity theory 6022 05:07:45,540 --> 05:07:49,080 so what we wanted to do and we which we 6023 05:07:49,080 --> 05:07:51,298 have done is to
understand whether we 6024 05:07:51,298 --> 05:07:52,740 could actually tackle this termination 6025 05:07:52,740 --> 05:07:56,458 property in the under-approximate subject 6026 05:07:56,458 --> 05:07:59,040 meaning that we're not pretending to 6027 05:07:59,040 --> 05:08:00,600 actually tell whether a program is going 6028 05:08:00,600 --> 05:08:04,560 to stop for any input it means that we 6029 05:08:04,560 --> 05:08:06,540 are potentially we are able to actually 6030 05:08:06,540 --> 05:08:09,298 extract those subsets of behavior of the 6031 05:08:09,298 --> 05:08:10,980 program for which the program is 6032 05:08:10,980 --> 05:08:13,740 guaranteed to not terminate 6033 05:08:13,740 --> 05:08:16,020 so can I actually have some Magic by and 6034 05:08:16,020 --> 05:08:17,878 I send it to your service to your server 6035 05:08:17,878 --> 05:08:19,138 and your service is going to basically 6036 05:08:19,138 --> 05:08:21,780 get stuck into an infinite loop 6037 05:08:21,780 --> 05:08:24,298 or can I actually 6038 05:08:24,298 --> 05:08:26,458 exhibit this particular execution that 6039 05:08:26,458 --> 05:08:28,740 leads to a termination bug without me 6040 05:08:28,740 --> 05:08:30,120 necessarily having to prove termination 6041 05:08:30,120 --> 05:08:32,218 on the termination of a program 6042 05:08:32,218 --> 05:08:34,138 well the answer is yes 6043 05:08:34,138 --> 05:08:35,400 and 6044 05:08:35,400 --> 05:08:39,240 stay tuned for uh for this work that is 6045 05:08:39,240 --> 05:08:40,740 not released quite yet but you submitted 6046 05:08:40,740 --> 05:08:41,820 to the Principles of Programming 6047 05:08:41,820 --> 05:08:45,000 Languages 2024.
6048 05:08:45,900 --> 05:08:47,218 if you want to learn more about this 6049 05:08:47,218 --> 05:08:49,620 topic you can read the seminal papers 6050 05:08:49,620 --> 05:08:51,718 and some of those recent papers of 6051 05:08:51,718 --> 05:08:53,520 course Tony Hoare An Axiomatic Basis 6052 05:08:53,520 --> 05:08:55,080 for Computer Programming probably a 6053 05:08:55,080 --> 05:08:56,940 really good introduction for anybody who 6054 05:08:56,940 --> 05:08:59,100 is not familiar with this topic you can 6055 05:08:59,100 --> 05:09:01,138 look at the concept or the theory of 6056 05:09:01,138 --> 05:09:03,060 abstract interpretation by Patrick and 6057 05:09:03,060 --> 05:09:07,080 Radhia Cousot came out quite a while ago and 6058 05:09:07,080 --> 05:09:08,520 you probably have about 100 different 6059 05:09:08,520 --> 05:09:10,560 papers to read on this topic if you like 6060 05:09:10,560 --> 05:09:12,480 or more 6061 05:09:12,480 --> 05:09:14,280 separation logic by John Reynolds and 6062 05:09:14,280 --> 05:09:16,440 Peter O'Hearn in back more 20 years more 6063 05:09:16,440 --> 05:09:18,480 than 20 years ago concurrent separation 6064 05:09:18,480 --> 05:09:20,458 logic by O'Hearn and Brookes gave them the 6065 05:09:20,458 --> 05:09:21,958 Gödel award 6066 05:09:21,958 --> 05:09:25,020 in 2016 from the work on concurrent 6067 05:09:25,020 --> 05:09:26,900 separation logic 6068 05:09:26,900 --> 05:09:29,760 still Peter O'Hearn a few years back 6069 05:09:29,760 --> 05:09:32,458 incorrectness separation logic Azalea Raad 6070 05:09:32,458 --> 05:09:34,500 and her collaborators concurrent incorrectness 6071 05:09:34,500 --> 05:09:36,718 separation logic mixing out the CSL 6072 05:09:36,718 --> 05:09:38,280 the concurrent separation logic and the 6073 05:09:38,280 --> 05:09:39,360 incorrectness 6074 05:09:39,360 --> 05:09:41,520 the adversarial logic and finally the 6075 05:09:41,520 --> 05:09:44,700 latest evolution of those logics CASL 6076 05:09:44,700 --> 05:09:46,500 for
concurrent adversarial separation 6077 05:09:46,500 --> 05:09:48,920 logic 6078 05:09:49,920 --> 05:09:51,540 so as you go through your journey to 6079 05:09:51,540 --> 05:09:53,458 learn about program analysis bug finding 6080 05:09:53,458 --> 05:09:55,620 and exploitability to remember there are 6081 05:09:55,620 --> 05:09:58,138 always two sides to every story 6082 05:09:58,138 --> 05:10:00,360 Choose Wisely 6083 05:10:00,360 --> 05:10:01,980 and I'd like to sing sphere Martin and 6084 05:10:01,980 --> 05:10:03,480 chocolate for having piggy with the 6085 05:10:03,480 --> 05:10:06,180 DALL-E images 6086 05:10:06,180 --> 05:10:08,100 and after all that I think there is just 6087 05:10:08,100 --> 05:10:09,900 one logical conclusion 6088 05:10:09,900 --> 05:10:12,240 we need more drinks 6089 05:10:12,240 --> 05:10:14,900 thank you 6090 05:10:21,718 --> 05:10:23,820 I have maybe five ten minutes for 6091 05:10:23,820 --> 05:10:26,000 questions 6092 05:10:37,378 --> 05:10:40,020 absolutely I didn't actually write large 6093 05:10:40,020 --> 05:10:41,638 scale examples here for the sake of you 6094 05:10:41,638 --> 05:10:43,200 know the presentation however if you 6095 05:10:43,200 --> 05:10:45,540 really look at any of those references I 6096 05:10:45,540 --> 05:10:48,860 listed you'll see plenty of those 6097 05:11:05,100 --> 05:11:06,780 temporal logic a really good question 6098 05:11:06,780 --> 05:11:08,040 has there been any attempt to actually 6099 05:11:08,040 --> 05:11:10,378 encode temporal properties in those 6100 05:11:10,378 --> 05:11:11,760 languages 6101 05:11:11,760 --> 05:11:14,100 temporal property like LTL linear 6102 05:11:14,100 --> 05:11:16,138 temporal logic or CTL computation tree 6103 05:11:16,138 --> 05:11:19,620 logic is another logic part of family 6104 05:11:19,620 --> 05:11:22,798 called modal logics where that have no 6105 05:11:22,798 --> 05:11:25,740 connectivity new connectors diamond and 6106 05:11:25,740 --> 05:11:27,718 square
that says 6107 05:11:27,718 --> 05:11:29,718 roughly 6108 05:11:29,718 --> 05:11:34,020 eventually and necessarily 6109 05:11:34,020 --> 05:11:35,580 to my knowledge there is no 6110 05:11:35,580 --> 05:11:39,860 under-approximate temporal logic to them 6111 05:11:39,958 --> 05:11:42,540 it's a very interesting avenue for more 6112 05:11:42,540 --> 05:11:45,260 research however 6113 05:11:49,560 --> 05:11:52,400 last chance 6114 05:11:54,660 --> 05:11:56,540 well that's it then thank you 6115 05:11:56,540 --> 05:12:05,919 [Applause] 6116 05:12:06,840 --> 05:12:09,718 so uh two very quick announcements let's 6117 05:12:09,718 --> 05:12:13,378 take 10 for uh you know to to hydrate 6118 05:12:13,378 --> 05:12:16,860 very important to tip your bartender 6119 05:12:16,860 --> 05:12:17,480 um 6120 05:12:17,480 --> 05:12:22,320 also if you were interested in a place 6121 05:12:22,320 --> 05:12:25,100 where you could hear the presentations 6122 05:12:25,100 --> 05:12:28,378 and scream at the top of your lungs well 6123 05:12:28,378 --> 05:12:31,200 maybe not exactly that but be noisy 6124 05:12:31,200 --> 05:12:35,340 um Park life is running the stream of 6125 05:12:35,340 --> 05:12:38,760 the the conference you can go there you 6126 05:12:38,760 --> 05:12:39,540 can 6127 05:12:39,540 --> 05:12:42,000 drink there 6128 05:12:42,000 --> 05:12:43,798 and you can get food 6129 05:12:43,798 --> 05:12:47,420 thank you we'll see you in 10.
6176 05:22:23,060 --> 05:22:25,690 [Music] 6177 05:22:25,690 --> 05:22:28,218 [Applause] 6178 05:22:28,218 --> 05:22:30,700 thank you 6179 05:22:30,700 --> 05:22:49,300 [Music] 6180 05:22:49,300 --> 05:22:50,140 [Applause] 6181 05:22:50,140 --> 05:22:53,800 [Music] 6182 05:22:53,800 --> 05:22:54,270 [Applause] 6183 05:22:54,270 --> 05:22:57,060 [Music] 6184 05:22:57,060 --> 05:22:59,540 [Applause] 6185 05:22:59,540 --> 05:23:02,060 very much 6186 05:23:02,060 --> 05:23:04,378 all right we're ready to get this thing 6187 05:23:04,378 --> 05:23:06,900 going again we have a tight tight 6188 05:23:06,900 --> 05:23:08,580 timeline 6189 05:23:08,580 --> 05:23:10,200 so here we go 6190 05:23:10,200 --> 05:23:13,080 I am just gonna hand directly over 6191 05:23:13,080 --> 05:23:16,080 to uh so we need to I guess switch the 6192 05:23:16,080 --> 05:23:17,820 inputs or something so that this screen 6193 05:23:17,820 --> 05:23:19,620 and that screen and whatever like I 6194 05:23:19,620 --> 05:23:21,298 don't know what the 6195 05:23:21,298 --> 05:23:22,980 I don't know what the the deal is here 6196 05:23:22,980 --> 05:23:27,180 but he's plugged in so we gotta you know 6197 05:23:27,180 --> 05:23:29,940 that's the one there's that's what I was 6198 05:23:29,940 --> 05:23:32,820 looking for okay good work everybody 6199 05:23:32,820 --> 05:23:34,440 it takes a village 6200 05:23:34,440 --> 05:23:37,080 a video village in our case 6201 05:23:37,080 --> 05:23:40,280 um okay uh the relationship between 6202 05:23:40,280 --> 05:23:44,400 Summercon and the Pwnie Awards is uh it 6203 05:23:44,400 --> 05:23:48,360 it goes it goes back many many years 6204 05:23:48,360 --> 05:23:49,378 um 6205 05:23:49,378 --> 05:23:51,000 not enough time to talk about that 6206 05:23:51,000 --> 05:23:53,340 history but 6207 05:23:53,340 --> 05:23:58,200 the nominees have been uh released 6208 05:23:58,200 --> 05:24:00,600 at Summercon and then voting can happen 6209 05:24:00,600 --> 05:24:02,700
and then people receive their Pwnie 6210 05:24:02,700 --> 05:24:04,020 Awards 6211 05:24:04,020 --> 05:24:06,360 or the news that they did not win the 6212 05:24:06,360 --> 05:24:07,860 Pwnie award 6213 05:24:07,860 --> 05:24:12,540 at Black Hat in Las Vegas so we're very 6214 05:24:12,540 --> 05:24:15,180 excited to have 6215 05:24:15,180 --> 05:24:18,958 Ian and Sophia here to talk about 6216 05:24:18,958 --> 05:24:21,240 this year's this is it like this is the 6217 05:24:21,240 --> 05:24:23,340 world premiere 6218 05:24:23,340 --> 05:24:27,310 this year's nominees take it away 6219 05:24:27,310 --> 05:24:29,400 [Applause] 6220 05:24:29,400 --> 05:24:31,740 thank you 6221 05:24:31,740 --> 05:24:33,840 how is Summercon feeling are we like 6222 05:24:33,840 --> 05:24:35,340 tipsy yet are you still kind of working 6223 05:24:35,340 --> 05:24:36,298 on it 6224 05:24:36,298 --> 05:24:37,920 you're working on it all right I think 6225 05:24:37,920 --> 05:24:39,718 they're is there still a happy hour 6226 05:24:39,718 --> 05:24:40,980 all right 6227 05:24:40,980 --> 05:24:44,638 uh can you turn Sophia's mic on as well 6228 05:24:44,638 --> 05:24:45,840 please 6229 05:24:45,840 --> 05:24:47,520 awesome thank you all right all right we 6230 05:24:47,520 --> 05:24:49,680 got it okay so um you're gonna notice 6231 05:24:49,680 --> 05:24:52,620 that I'm just stepping through a uh like 6232 05:24:52,620 --> 05:24:56,040 docs document and don't worry about it 6233 05:24:56,040 --> 05:24:58,920 um so yeah this is the Pwnie Awards uh to 6234 05:24:58,920 --> 05:25:02,458 get some things off uh right off the bat 6235 05:25:02,458 --> 05:25:05,638 um I want to say a huge shout out as uh 6236 05:25:05,638 --> 05:25:08,280 uh Mark mentioned uh we rely very 6237 05:25:08,280 --> 05:25:09,900 heavily on Summercon they offer a 6238 05:25:09,900 --> 05:25:11,520 massive amount of support whether it's 6239 05:25:11,520 --> 05:25:15,020 like hosting a website uh infrastructure 6240
05:25:15,020 --> 05:25:18,900 uh you know like holding me while I cry 6241 05:25:18,900 --> 05:25:22,860 about this um uh but um this year 6242 05:25:22,860 --> 05:25:24,420 they they went the extra mile and they 6243 05:25:24,420 --> 05:25:27,000 were able to provide some uh materials 6244 05:25:27,000 --> 05:25:28,860 or they offered to provide some material 6245 05:25:28,860 --> 05:25:31,920 security in order to stop 6246 05:25:31,920 --> 05:25:34,860 um Google TAG from sending 6247 05:25:34,860 --> 05:25:37,320 assassins after us after that stuff 6248 05:25:37,320 --> 05:25:39,120 happened last year it's a long story 6249 05:25:39,120 --> 05:25:41,218 five years after it turns out it wasn't 6250 05:25:41,218 --> 05:25:42,540 an issue because they all got laid off 6251 05:25:42,540 --> 05:25:43,440 but 6252 05:25:43,440 --> 05:25:44,480 um 6253 05:25:44,480 --> 05:25:48,718 so uh let's get into it um 6254 05:25:48,718 --> 05:25:51,180 so uh over we had over 80 nominations 6255 05:25:51,180 --> 05:25:52,560 this year and you have to understand 6256 05:25:52,560 --> 05:25:55,620 what that means is we uh I also have 6257 05:25:55,620 --> 05:25:57,540 like around 30 nominations to go through 6258 05:25:57,540 --> 05:25:59,520 in about 30 minutes so we're gonna kind 6259 05:25:59,520 --> 05:26:01,138 of fly here 6260 05:26:01,138 --> 05:26:03,120 um all those have like research papers 6261 05:26:03,120 --> 05:26:04,500 attached to them so if you feel like we 6262 05:26:04,500 --> 05:26:05,638 didn't do an effective job of 6263 05:26:05,638 --> 05:26:07,020 characterizing how important your 6264 05:26:07,020 --> 05:26:09,900 special bug was it's because we didn't 6265 05:26:09,900 --> 05:26:10,620 um 6266 05:26:10,620 --> 05:26:13,378 so let's get going 6267 05:26:13,378 --> 05:26:16,138 um uh yeah uh bring out the yeah oh 6268 05:26:16,138 --> 05:26:17,980 these are the Pwnies 6269 05:26:17,980 --> 05:26:20,940 [Music] 6270 05:26:20,940 --> 05:26:21,840 um 6271
05:26:21,840 --> 05:26:25,740 so one of those is uh one that uh Neil 6272 05:26:25,740 --> 05:26:28,440 Durkin put some very hard work into from 6273 05:26:28,440 --> 05:26:32,580 Red Balloon and the other one is uh well 6274 05:26:32,580 --> 05:26:35,100 you'll find out uh but it's another uh 6275 05:26:35,100 --> 05:26:37,500 very special Pwnie award and if it looks 6276 05:26:37,500 --> 05:26:40,560 like a spray painted candlestick with a 6277 05:26:40,560 --> 05:26:43,080 plastic horse glued to it uh it's not 6278 05:26:43,080 --> 05:26:45,840 it's a Pwnie award all right so chill 6279 05:26:45,840 --> 05:26:48,480 um all right let's get into this stuff 6280 05:26:48,480 --> 05:26:50,580 um so first off we've got a count 6281 05:26:50,580 --> 05:26:52,620 exposure it's a local privesc in 6282 05:26:52,620 --> 05:26:55,920 Windows performance counters by b2a hex 6283 05:26:55,920 --> 05:26:59,040 uh what's important about this 6284 05:26:59,040 --> 05:27:00,660 um was the first bug that's been 6285 05:27:00,660 --> 05:27:02,520 released at least in you know last 6286 05:27:02,520 --> 05:27:05,760 decade about performance counters in uh 6287 05:27:05,760 --> 05:27:08,638 in Windows oh I'm glad you read these um 6288 05:27:08,638 --> 05:27:12,420 all right so we've got uh LPE and RCE 6289 05:27:12,420 --> 05:27:14,638 in RenderDoc uh from our good friends 6290 05:27:14,638 --> 05:27:16,620 at Qualys uh they always submit a lot of 6291 05:27:16,620 --> 05:27:18,120 really good stuff it's a one-shot remote 6292 05:27:18,120 --> 05:27:21,600 exploit against glibc malloc in 2020.
6293 05:27:21,600 --> 05:27:22,980 I think the cool thing to shout out here 6294 05:27:22,980 --> 05:27:26,520 is Qualys has made Pwnie nominations for 6295 05:27:26,520 --> 05:27:28,080 at least the last like five years yeah 6296 05:27:28,080 --> 05:27:30,420 they do some great work 6297 05:27:30,420 --> 05:27:32,638 and then we have a very we love some you 6298 05:27:32,638 --> 05:27:34,138 know video game hacking it's always very 6299 05:27:34,138 --> 05:27:35,458 close to our heart and they're like no 6300 05:27:35,458 --> 05:27:37,320 some of the best guys out there um 6301 05:27:37,320 --> 05:27:41,400 or individuals uh so this is a CS:GO uh 6302 05:27:41,400 --> 05:27:43,020 0-day where they're using some logic 6303 05:27:43,020 --> 05:27:46,680 bugs uh to RCE Counter-Strike uh very 6304 05:27:46,680 --> 05:27:48,718 very fun um there will be additional 6305 05:27:48,718 --> 05:27:50,160 information about all of these posted on 6306 05:27:50,160 --> 05:27:51,420 the website later on if you want to read 6307 05:27:51,420 --> 05:27:52,980 the research for yourself life hacks for 6308 05:27:52,980 --> 05:27:54,060 money when you can hack for internet 6309 05:27:54,060 --> 05:27:56,160 points exactly very important 6310 05:27:56,160 --> 05:27:59,100 then we have uh some mobile bugs 6311 05:27:59,100 --> 05:28:01,620 um it's uh I know Sophia has uh some 6312 05:28:01,620 --> 05:28:03,180 stuff to say here but we didn't get any 6313 05:28:03,180 --> 05:28:05,878 nominations for this this year uh but we 6314 05:28:05,878 --> 05:28:07,798 did get a nomination from Eric who 6315 05:28:07,798 --> 05:28:09,480 pointed out that he moves around a lot 6316 05:28:09,480 --> 05:28:12,060 and bugs people so he qualifies as a 6317 05:28:12,060 --> 05:28:14,280 mobile bug so we can thank you Eric for 6318 05:28:14,280 --> 05:28:16,378 nominating something and thankfully 6319 05:28:16,378 --> 05:28:17,160 there aren't going to be any 6320 05:28:17,160 --> 05:28:20,100
opportunities for a uh hit piece from a 6321 05:28:20,100 --> 05:28:22,798 voice about a supporting NSO Group so 6322 05:28:22,798 --> 05:28:25,200 sorry guys but the neat thing about this 6323 05:28:25,200 --> 05:28:27,420 category is over the last few years 6324 05:28:27,420 --> 05:28:29,340 we've seen a decrease in the amount of 6325 05:28:29,340 --> 05:28:31,020 bugs for 6326 05:28:31,020 --> 05:28:32,700 um nominated for the Pwnie Awards also 6327 05:28:32,700 --> 05:28:35,458 just publicized online uh related to 6328 05:28:35,458 --> 05:28:38,340 mobile specifically I mean we estimate 6329 05:28:38,340 --> 05:28:39,540 that this is probably due to the fact 6330 05:28:39,540 --> 05:28:41,580 that mobile's getting harder uh there's 6331 05:28:41,580 --> 05:28:43,260 less you know bugs that you can just 6332 05:28:43,260 --> 05:28:46,020 burn on a tweet or a blog post or 6333 05:28:46,020 --> 05:28:47,298 something 6334 05:28:47,298 --> 05:28:51,000 basically right uh so this category 6335 05:28:51,000 --> 05:28:53,520 we're now officially nuking because no 6336 05:28:53,520 --> 05:28:57,360 one uh submitted anything this year this 6337 05:28:57,360 --> 05:28:59,878 doesn't mean mobile bugs don't exist it 6338 05:28:59,878 --> 05:29:02,760 just means you're using them right now 6339 05:29:02,760 --> 05:29:05,280 you're not public yeah you don't know it 6340 05:29:05,280 --> 05:29:06,718 but you're using them right now it all 6341 05:29:06,718 --> 05:29:08,940 comes down to market incentives you know 6342 05:29:08,940 --> 05:29:11,760 it's all economics yeah all right so now 6343 05:29:11,760 --> 05:29:13,200 we have our favorite difficult to 6344 05:29:13,200 --> 05:29:16,080 understand a cryptographic uh attacks we 6345 05:29:16,080 --> 05:29:17,340 always need some extra help for this 6346 05:29:17,340 --> 05:29:19,440 category yeah and we did uh shout out to 6347 05:29:19,440 --> 05:29:22,260 Kai uh who helped us uh dig through a 6348 05:29:22,260 -->
05:29:23,340 lot of that I don't know where you 6349 05:29:23,340 --> 05:29:25,798 are but you can wave at you oh look at 6350 05:29:25,798 --> 05:29:26,700 this 6351 05:29:26,700 --> 05:29:27,298 um 6352 05:29:27,298 --> 05:29:30,718 uh so very fun uh interesting one 6353 05:29:30,718 --> 05:29:32,580 straight up uh practically exploitable 6354 05:29:32,580 --> 05:29:34,798 cryptographic vulnerabilities in Matrix 6355 05:29:34,798 --> 05:29:38,340 um from Martin Albrecht from Clary of 6356 05:29:38,340 --> 05:29:41,240 course clause 6357 05:29:46,280 --> 05:29:49,680 there you go um this is fun because uh 6358 05:29:49,680 --> 05:29:51,120 they found cryptographic vulnerabilities 6359 05:29:51,120 --> 05:29:55,920 in Matrix and Element which is you know 6360 05:29:55,920 --> 05:29:57,718 I mean those are widely used pieces of 6361 05:29:57,718 --> 05:29:59,040 software for encrypted communication 6362 05:29:59,040 --> 05:30:02,458 we've seen mostly about Al-Qaeda 6363 05:30:02,458 --> 05:30:05,100 I'm not joking 6364 05:30:05,100 --> 05:30:07,740 um uh Mega uh very cool you guys 6365 05:30:07,740 --> 05:30:10,080 remember that like Kim Dotcom like weirdo 6366 05:30:10,080 --> 05:30:14,218 uh that's his thing I think still 6367 05:30:14,218 --> 05:30:16,378 so you know they were hacking at that a 6368 05:30:16,378 --> 05:30:18,360 little bit uh Ben Nassi with some video 6369 05:30:18,360 --> 05:30:20,940 game cryptanalysis uh yeah with the 6370 05:30:20,940 --> 05:30:22,560 video games yeah this is a really cool 6371 05:30:22,560 --> 05:30:25,740 one um they basically recorded an LED on 6372 05:30:25,740 --> 05:30:28,500 a phone and then through the RGB values 6373 05:30:28,500 --> 05:30:31,138 were able to uh cryptographically break 6374 05:30:31,138 --> 05:30:32,458 it 6375 05:30:32,458 --> 05:30:34,378 then apparently it works 6376 05:30:34,378 --> 05:30:36,780 um so that's we believe him that's what 6377 05:30:36,780 --> 05:30:38,820 we determined from the
reason so it's a 6378 05:30:38,820 --> 05:30:40,020 tough we don't always have time to like 6379 05:30:40,020 --> 05:30:42,420 vet these things so please don't lie in 6380 05:30:42,420 --> 05:30:45,019 your nomination 6381 05:30:45,360 --> 05:30:49,260 um don't tell the daddy yeah sorry 6382 05:30:49,260 --> 05:30:51,180 we have uh some songs I don't think 6383 05:30:51,180 --> 05:30:54,180 we're gonna like have the time or ability 6384 05:30:54,180 --> 05:30:55,620 to play them 6385 05:30:55,620 --> 05:30:57,958 but uh you want me to like beatbox it 6386 05:30:57,958 --> 05:31:00,840 it's no I know I'm I'm dressed for the 6387 05:31:00,840 --> 05:31:02,638 part but it's not going to deliver uh 6388 05:31:02,638 --> 05:31:05,400 got get in it from YTCracker which 6389 05:31:05,400 --> 05:31:07,620 sounds like an angry British person 6390 05:31:07,620 --> 05:31:08,820 um 6391 05:31:08,820 --> 05:31:13,080 clicking from Omi uh just uh describing 6392 05:31:13,080 --> 05:31:15,840 a phishing attack a theoretical phishing 6393 05:31:15,840 --> 05:31:18,600 the theoretical phishing attack no one I 6394 05:31:18,600 --> 05:31:21,320 I miss the scam rappers 6395 05:31:21,320 --> 05:31:23,638 they were literally recording themselves 6396 05:31:23,638 --> 05:31:25,740 like doing credit card fraud in a 6397 05:31:25,740 --> 05:31:28,378 Walmart and that was the music video and 6398 05:31:28,378 --> 05:31:30,360 it was with complete location 6399 05:31:30,360 --> 05:31:33,240 information and everything spectacular 6400 05:31:33,240 --> 05:31:35,218 um and then we have Pegasus from 6401 05:31:35,218 --> 05:31:38,878 laughing Manus he does a lot of music 6402 05:31:38,878 --> 05:31:41,160 um and shout out to Hugo from Recon for 6403 05:31:41,160 --> 05:31:45,200 taking the time to submit like 10 yeah 6404 05:31:45,200 --> 05:31:49,080 which weren't necessarily songs 6405 05:31:49,080 --> 05:31:50,060 um 6406 05:31:50,060 --> 05:31:53,218 but it's the thought that counts and it
6407 05:31:53,218 --> 05:31:55,020 kind of delivered so um it takes the 6408 05:31:55,020 --> 05:31:56,580 community to make the Pwnie Awards happen 6409 05:31:56,580 --> 05:31:58,500 exactly a lot of these were actually 6410 05:31:58,500 --> 05:32:00,840 from uh Recon as well uh there's a lot 6411 05:32:00,840 --> 05:32:01,980 of good research that happens there 6412 05:32:01,980 --> 05:32:04,680 shout out to Montreal 6413 05:32:04,680 --> 05:32:06,240 um you've got most innovative research 6414 05:32:06,240 --> 05:32:09,120 now uh inside Apple's Lightning uh 6415 05:32:09,120 --> 05:32:10,740 JTAGging the iPhone for fuzzing and 6416 05:32:10,740 --> 05:32:13,020 profit from ghidraninja this is a 6417 05:32:13,020 --> 05:32:15,000 really really cool one uh as I 6418 05:32:15,000 --> 05:32:17,100 understand you basically built uh like 6419 05:32:17,100 --> 05:32:20,580 iPhone uh JTAGger using a Lightning 6420 05:32:20,580 --> 05:32:24,240 connector for like 10 bucks which is 6421 05:32:24,240 --> 05:32:26,458 baller it's a good return on investment 6422 05:32:26,458 --> 05:32:28,320 yeah 6423 05:32:28,320 --> 05:32:30,420 it's a very common one 6424 05:32:30,420 --> 05:32:31,680 um so this is single instruction 6425 05:32:31,680 --> 05:32:33,180 multiple data leaks in cutting-edge 6426 05:32:33,180 --> 05:32:36,240 CPUs AKA Downfall from some folks at 6427 05:32:36,240 --> 05:32:37,500 Google 6428 05:32:37,500 --> 05:32:39,600 um it's embargoed and you can't know 6429 05:32:39,600 --> 05:32:43,260 about it so keep an eye out at uh it's 6430 05:32:43,260 --> 05:32:45,480 coming out at Black Hat on I think 6431 05:32:45,480 --> 05:32:47,160 Tuesday and then we're presenting awards 6432 05:32:47,160 --> 05:32:49,260 Wednesday so 6433 05:32:49,260 --> 05:32:51,060 yeah and the interesting thing about 6434 05:32:51,060 --> 05:32:52,440 this submission that's a good point 6435 05:32:52,440 --> 05:32:53,820 actually yes 6436 05:32:53,820 --> 05:32:57,298 this year over
the last two we've seen a 6437 05:32:57,298 --> 05:33:00,298 lot of of chip-related uh submissions 6438 05:33:00,298 --> 05:33:02,638 which makes sense because we you know 6439 05:33:02,638 --> 05:33:04,260 instead of seeing a critical 6440 05:33:04,260 --> 05:33:05,820 vulnerabilities or a lot of those in 6441 05:33:05,820 --> 05:33:08,340 major pieces of software the last year 6442 05:33:08,340 --> 05:33:10,500 seems to have had a trend of 6443 05:33:10,500 --> 05:33:13,200 people doing research on chips I know 6444 05:33:13,200 --> 05:33:14,878 the Quarkslab guys had their research 6445 05:33:14,878 --> 05:33:17,760 on the the Pixel uh phone and their 6446 05:33:17,760 --> 05:33:21,420 chips they presented at Recon actually 6447 05:33:21,420 --> 05:33:23,100 um but a few others like that and so we 6448 05:33:23,100 --> 05:33:24,718 were seeing a bunch of that this year 6449 05:33:24,718 --> 05:33:28,260 and speaking of uh we have another 6450 05:33:28,260 --> 05:33:30,120 really interesting one uh Rowhammer 6451 05:33:30,120 --> 05:33:32,040 fingerprinting where these guys figure 6452 05:33:32,040 --> 05:33:35,160 out a way to uh take Rowhammer and then 6453 05:33:35,160 --> 05:33:38,160 use it to fingerprint a device 6454 05:33:38,160 --> 05:33:41,340 um which you know is cool and just kind 6455 05:33:41,340 --> 05:33:43,200 of weird so 6456 05:33:43,200 --> 05:33:47,840 um love that uh I'm not gonna 6457 05:33:49,260 --> 05:33:51,718 we're back we're back 6458 05:33:51,718 --> 05:33:53,218 Google TAG's shooting around 6459 05:33:53,218 --> 05:33:54,540 again 6460 05:33:54,540 --> 05:33:56,820 I'm kidding I'm not man uh Shane Huntley 6461 05:33:56,820 --> 05:33:58,500 please don't like beat me up outside or 6462 05:33:58,500 --> 05:33:59,940 some um 6463 05:33:59,940 --> 05:34:03,660 so most underhyped research once again 6464 05:34:03,660 --> 05:34:05,400 Qualys 6465 05:34:05,400 --> 05:34:07,620 um I guess we hype them up a lot but you 6466 05:34:07,620
--> 05:34:08,340 know 6467 05:34:08,340 --> 05:34:11,340 um we love you yeah we have no clue who 6468 05:34:11,340 --> 05:34:14,760 we are uh LPE and RCE in RenderDoc uh 6469 05:34:14,760 --> 05:34:17,218 it's a one-shot remote exploit against 6470 05:34:17,218 --> 05:34:18,120 um 6471 05:34:18,120 --> 05:34:21,120 oh this got nominated twice I guess 6472 05:34:21,120 --> 05:34:23,760 unless I scrolled up 6473 05:34:23,760 --> 05:34:25,860 no that's correct that's right yeah all 6474 05:34:25,860 --> 05:34:26,878 right 6475 05:34:26,878 --> 05:34:28,740 um 6476 05:34:28,740 --> 05:34:30,958 yeah cool stuff uh yeah the interesting 6477 05:34:30,958 --> 05:34:32,940 thing about this one again is 6478 05:34:32,940 --> 05:34:35,458 in terms of vulnerability patterns 6479 05:34:35,458 --> 05:34:38,218 the days of one-shot RCEs are few and 6480 05:34:38,218 --> 05:34:40,860 far between now and this is one of the 6481 05:34:40,860 --> 05:34:42,840 few that that we've seen submitted at 6482 05:34:42,840 --> 05:34:44,940 least this year which is an interesting 6483 05:34:44,940 --> 05:34:47,700 trend and then we've got um activation 6484 05:34:47,700 --> 05:34:50,580 context cache poisoning from uh Simon 6485 05:34:50,580 --> 05:34:53,040 Zuckerbraun at Trend Micro 6486 05:34:53,040 --> 05:34:54,480 um this is interesting because it's a 6487 05:34:54,480 --> 05:34:57,780 new type of privesc one uh there's 6488 05:34:57,780 --> 05:34:59,958 activation context cache poisoning 6489 05:34:59,958 --> 05:35:03,420 mouthful uh and as I understand it uh 6490 05:35:03,420 --> 05:35:06,360 the technique was attributed to an 6491 05:35:06,360 --> 05:35:08,400 actively used uh 6492 05:35:08,400 --> 05:35:10,740 uh campaign from an Austrian hacker-for-hire 6493 05:35:10,740 --> 05:35:13,200 group identified as KNOTWEED and when I 6494 05:35:13,200 --> 05:35:14,700 first read this I read Australian and 6495 05:35:14,700 --> 05:35:17,218 I'm like really yeah 6496 05:35:17,218 --> 05:35:19,260
Austrian which makes Austria is somehow 6497 05:35:19,260 --> 05:35:20,160 weirder 6498 05:35:20,160 --> 05:35:24,079 but yeah I guess so it's very odd 6499 05:35:25,138 --> 05:35:27,900 so uh then we have The Perils and 6500 05:35:27,900 --> 05:35:30,120 Mitigation of Security Risks of 6501 05:35:30,120 --> 05:35:33,798 Cooperation in Mobile-as-a-Gateway IoT 6502 05:35:33,798 --> 05:35:36,480 uh by these guys 6503 05:35:36,480 --> 05:35:38,878 um and the side note here we do uh 6504 05:35:38,878 --> 05:35:41,280 prioritize submissions with more 6505 05:35:41,280 --> 05:35:44,040 information but succinctly presented yes 6506 05:35:44,040 --> 05:35:47,160 so please be kind simply it's a lot of 6507 05:35:47,160 --> 05:35:49,500 this got compressed by ChatGPT and it 6508 05:35:49,500 --> 05:35:50,760 might not have done you all the favors 6509 05:35:50,760 --> 05:35:52,680 you hoped um 6510 05:35:52,680 --> 05:35:55,138 it's not me you know you know uh 6511 05:35:55,138 --> 05:35:57,600 so uh yeah found a lot of 6512 05:35:57,600 --> 05:35:59,700 vulnerabilities in Mobile-as-a-Gateway 6513 05:35:59,700 --> 05:36:01,860 devices and then also built a bunch of 6514 05:36:01,860 --> 05:36:03,360 secure cryptographic protocols to help 6515 05:36:03,360 --> 05:36:05,280 protect those users 6516 05:36:05,280 --> 05:36:06,780 um and the interesting one there of 6517 05:36:06,780 --> 05:36:08,580 course is just the wide the spread that 6518 05:36:08,580 --> 05:36:11,218 they got and the coverage of of the bugs 6519 05:36:11,218 --> 05:36:13,620 that they found all right now we're off 6520 05:36:13,620 --> 05:36:16,680 to best privilege escalation nominees uh 6521 05:36:16,680 --> 05:36:18,900 right off the bat very interesting fun 6522 05:36:18,900 --> 05:36:22,080 one that I like a lot uh URB 6523 05:36:22,080 --> 05:36:24,000 Excalibur Slicing Through the Gordian 6524 05:36:24,000 --> 05:36:28,020 Knot of VMware VM Escapes from Dennis Jung 6525
05:36:30,718 and uh some hexadecimal 6526 05:36:30,718 --> 05:36:31,378 um 6527 05:36:31,378 --> 05:36:32,940 so 6528 05:36:32,940 --> 05:36:37,138 I love this because uh VM VMware escapes 6529 05:36:37,138 --> 05:36:40,080 are really difficult and these guys 6530 05:36:40,080 --> 05:36:42,240 manage to find one and then for some 6531 05:36:42,240 --> 05:36:44,100 reason decide to use it upon to 6532 05:36:44,100 --> 05:36:45,780 own because they got paid or something I 6533 05:36:45,780 --> 05:36:47,958 don't know 6534 05:36:48,200 --> 05:36:51,240 it'll change the subject but 6535 05:36:51,240 --> 05:36:54,780 um they uh it's very hard work to do 6536 05:36:54,780 --> 05:36:57,660 they pulled it off uh props 6537 05:36:57,660 --> 05:36:59,100 um right after that we have bypassing 6538 05:36:59,100 --> 05:37:00,660 cluster isolation and databricks 6539 05:37:00,660 --> 05:37:04,160 platform from Florian Roth and Marius 6540 05:37:04,160 --> 05:37:07,620 bartholdi uh this is cool because it's 6541 05:37:07,620 --> 05:37:10,020 uh you know you're punching between 6542 05:37:10,020 --> 05:37:12,958 different databricks compute clusters uh 6543 05:37:12,958 --> 05:37:16,320 again very hard target and uh they did 6544 05:37:16,320 --> 05:37:17,700 it and they published some research if 6545 05:37:17,700 --> 05:37:19,040 you think you're forgetting that they 6546 05:37:19,040 --> 05:37:22,200 also nominated themselves 12 times oh 6547 05:37:22,200 --> 05:37:24,480 you're right yeah uh so we don't 6548 05:37:24,480 --> 05:37:27,240 get really like formal sponsorships um 6549 05:37:27,240 --> 05:37:28,500 you know we'll throw some bones around 6550 05:37:28,500 --> 05:37:30,060 but uh 6551 05:37:30,060 --> 05:37:33,060 maybe pay I don't know like 6552 05:37:33,060 --> 05:37:36,180 12 times from one company just shot 6553 05:37:36,180 --> 05:37:37,440 you're supposed to get other people to 6554 05:37:37,440 --> 05:37:39,420 at least pretend to nominate you yeah I 6555 
05:37:39,420 --> 05:37:40,920 love seeing it when I mean 6556 05:37:40,920 --> 05:37:42,540 self-promotion is always important and 6557 05:37:42,540 --> 05:37:45,480 great but uh you know it's it's nice 6558 05:37:45,480 --> 05:37:47,760 when you see uh people support other 6559 05:37:47,760 --> 05:37:49,200 researchers that they think really just 6560 05:37:49,200 --> 05:37:51,000 aren't getting enough 6561 05:37:51,000 --> 05:37:52,620 um attention yeah I think a few of our 6562 05:37:52,620 --> 05:37:53,820 submissions at least were people 6563 05:37:53,820 --> 05:37:55,378 submitting from their phones in a 6564 05:37:55,378 --> 05:37:57,420 conference hall like being blown away by 6565 05:37:57,420 --> 05:37:59,340 a talk which yeah that's the spirit of 6566 05:37:59,340 --> 05:38:01,080 the Pwnie 100 6567 05:38:01,080 --> 05:38:01,860 um 6568 05:38:01,860 --> 05:38:03,718 so I don't know how our mobile 6569 05:38:03,718 --> 05:38:06,958 optimization is Mark you know you want 6570 05:38:06,958 --> 05:38:09,000 to weigh on that yeah get the website 6571 05:38:09,000 --> 05:38:11,100 design going okay 6572 05:38:11,100 --> 05:38:13,798 um all right so we've got Uncontained uh 6573 05:38:13,798 --> 05:38:15,600 Uncovering Container Confusion the Linux 6574 05:38:15,600 --> 05:38:16,798 Kernel 6575 05:38:16,798 --> 05:38:19,200 um this is a really kind of fun one 6576 05:38:19,200 --> 05:38:22,440 um from Jakob Koschel Peter Pietro Borrello 6577 05:38:22,440 --> 05:38:24,360 I think has a Pwnie 6578 05:38:24,360 --> 05:38:27,240 um Daniele Cono D'Elia Herbert Bos and 6579 05:38:27,240 --> 05:38:28,620 Cristiano yeah they've been raking in 6580 05:38:28,620 --> 05:38:30,860 the Pwnies 6581 05:38:30,860 --> 05:38:34,320 yeah uh so this is a fun one just using 6582 05:38:34,320 --> 05:38:35,820 a container_of macro in the Linux 6583 05:38:35,820 --> 05:38:37,860 kernel uh basically if it's a really 6584 05:38:37,860 --> 05:38:39,420 large project it becomes really 6585
05:38:39,420 --> 05:38:40,920 difficult to kind of remember where you 6586 05:38:40,920 --> 05:38:44,280 are and there's a lot of bugs in the 6587 05:38:44,280 --> 05:38:47,218 Linux kernel because of this so that was 6588 05:38:47,218 --> 05:38:49,260 fun and they found most of them which 6589 05:38:49,260 --> 05:38:51,060 sucks but 6590 05:38:51,060 --> 05:38:53,458 um next we have uh the best remote code 6591 05:38:53,458 --> 05:38:55,920 execution nominees uh Uncovering 6592 05:38:55,920 --> 05:38:57,660 Vulnerabilities in Windows Network Load 6593 05:38:57,660 --> 05:39:01,138 Balancing uh b2ahex 6594 05:39:01,138 --> 05:39:04,620 they found RCE in Windows Network Load 6595 05:39:04,620 --> 05:39:05,820 Balancing 6596 05:39:05,820 --> 05:39:07,798 um 6597 05:39:07,798 --> 05:39:10,920 yeah that you know good job um 6598 05:39:10,920 --> 05:39:14,160 next we have uh ClamAV RCE ClamAV is 6599 05:39:14,160 --> 05:39:17,218 always kind of fun and ASLR bypass uh it 6600 05:39:17,218 --> 05:39:19,740 gives you kind of a zero click is always 6601 05:39:19,740 --> 05:39:23,280 fun we hate ASLR get rid of it 6602 05:39:23,280 --> 05:39:25,798 actually it's a terrible idea um 6603 05:39:25,798 --> 05:39:29,160 uh check Checkmk Checkmate uh RCE 6604 05:39:29,160 --> 05:39:33,840 chain from scryh uh so it's a limited 6605 05:39:33,840 --> 05:39:36,480 SSRF full-blown RCE chaining five 6606 05:39:36,480 --> 05:39:38,878 vulnerabilities together 6607 05:39:38,878 --> 05:39:40,740 um pretty hard extra points because they 6608 05:39:40,740 --> 05:39:43,980 had great graphics on their blog posts 6609 05:39:43,980 --> 05:39:46,440 um come on you guys like RCE that you 6610 05:39:46,440 --> 05:39:50,940 think Chrome browsers uh chat apps 6611 05:39:50,940 --> 05:39:52,440 things like that 6612 05:39:52,440 --> 05:39:54,718 ClamAV and Checkmk that's the best 6613 05:39:54,718 --> 05:39:57,180 the QD could do 6614 05:39:57,180 --> 05:39:59,160 what are you guys
doing all day or 6615 05:39:59,160 --> 05:40:00,900 everyone has a full-time job now I guess 6616 05:40:00,900 --> 05:40:02,878 all right now for 6617 05:40:02,878 --> 05:40:05,218 everyone's well maybe favorite award 6618 05:40:05,218 --> 05:40:07,620 out Lamest Vendor because you're all a 6619 05:40:07,620 --> 05:40:10,138 bunch of bloodthirsty bastards 6620 05:40:10,138 --> 05:40:13,200 um so first up we've got uh Mura 6621 05:40:13,200 --> 05:40:15,540 Software uh these guys claimed credit 6622 05:40:15,540 --> 05:40:18,120 for a bug that was disclosed to them and 6623 05:40:18,120 --> 05:40:19,920 then charged their customers five 6624 05:40:19,920 --> 05:40:22,260 thousand dollars to fix it 6625 05:40:22,260 --> 05:40:24,660 which they received for free so you know 6626 05:40:24,660 --> 05:40:26,280 that sounds like a great SaaS product 6627 05:40:26,280 --> 05:40:28,860 incredible 6628 05:40:28,860 --> 05:40:31,320 Pinduoduo uh some of you may be 6629 05:40:31,320 --> 05:40:33,480 familiar kind of blew up on CNN 6630 05:40:33,480 --> 05:40:35,580 they got knocked off the Android store 6631 05:40:35,580 --> 05:40:38,400 for installing actual back doors into 6632 05:40:38,400 --> 05:40:40,378 their own app in order to spy on their 6633 05:40:40,378 --> 05:40:42,740 users 6634 05:40:42,780 --> 05:40:43,440 um 6635 05:40:43,440 --> 05:40:46,320 oops uh they got exposed by everyone 6636 05:40:46,320 --> 05:40:49,440 denied it uh interestingly the entire 6637 05:40:49,440 --> 05:40:51,540 team in charge of that got fired shortly 6638 05:40:51,540 --> 05:40:52,860 after we were just trying to make better 6639 05:40:52,860 --> 05:40:55,560 ads and yeah it's our targeting you know 6640 05:40:55,560 --> 05:40:56,700 we're just selling sneakers out here 6641 05:40:56,700 --> 05:40:58,138 it's a service 6642 05:40:58,138 --> 05:41:00,958 um and then we've got uh Three Lessons 6643 05:41:00,958 --> 05:41:03,180 from Threema in which uh this company 6644
05:41:06,360 posted a very cranky blog post uh 6645 05:41:06,360 --> 05:41:09,000 dunking on some Holdings reported from a 6646 05:41:09,000 --> 05:41:11,040 student's Master's thesis which is like 6647 05:41:11,040 --> 05:41:14,218 you know kind of you're a student be 6648 05:41:14,218 --> 05:41:16,500 kind they were very mad it's definitely 6649 05:41:16,500 --> 05:41:18,480 worth a read uh check it out on the 6650 05:41:18,480 --> 05:41:20,878 website later on is it still up that 6651 05:41:20,878 --> 05:41:22,440 would be insane it doesn't go to it 6652 05:41:22,440 --> 05:41:25,039 right now Ian 6653 05:41:27,958 --> 05:41:31,039 don't read my tabs 6654 05:41:32,580 --> 05:41:37,458 yeah it is it's still up oh my gosh okay 6655 05:41:37,680 --> 05:41:39,360 um if you're a company in the audience 6656 05:41:39,360 --> 05:41:40,980 this is not the right solution the 6657 05:41:40,980 --> 05:41:42,420 solution is just to ignore it and hope 6658 05:41:42,420 --> 05:41:44,760 the problem goes away 6659 05:41:44,760 --> 05:41:47,160 yeah 6660 05:41:47,160 --> 05:41:49,860 unusual cooperation by the targeted user 6661 05:41:49,860 --> 05:41:50,520 you're right 6662 05:41:50,520 --> 05:41:54,360 [Laughter] 6663 05:41:54,360 --> 05:41:56,760 so moving on um another very fun one 6664 05:41:56,760 --> 05:41:59,458 Epic Fail nominees so you're reading 6665 05:41:59,458 --> 05:42:00,420 ahead 6666 05:42:00,420 --> 05:42:03,000 um uh the bug is titled a holy 6667 05:42:03,000 --> 05:42:05,820 Bingo we have the no-fly list uh 6668 05:42:05,820 --> 05:42:08,878 you remember uh the TSA uh kind of had a 6669 05:42:08,878 --> 05:42:10,500 little oopsie Daisy 6670 05:42:10,500 --> 05:42:12,600 um so this nomination goes to Maya kramu 6671 05:42:12,600 --> 05:42:15,480 uh uh who discovered the entire TSA 6672 05:42:15,480 --> 05:42:17,458 no-fly list lying on around on the 6673 05:42:17,458 --> 05:42:20,878 internet and then shared it which very 6674 05:42:20,878 --> 05:42:23,700 
uh very fun read though yeah the TSA got 6675 05:42:23,700 --> 05:42:25,260 nominated for something did anyone else 6676 05:42:25,260 --> 05:42:27,540 like search for themselves 6677 05:42:27,540 --> 05:42:32,240 did anyone find themselves no all right 6678 05:42:32,280 --> 05:42:34,680 um uh I was sentenced to 18 months in 6679 05:42:34,680 --> 05:42:36,600 prison for hacking back uh this guy 6680 05:42:36,600 --> 05:42:40,378 Jonathan Manzi who retaliated against an 6681 05:42:40,378 --> 05:42:41,878 employee quitting and joining a 6682 05:42:41,878 --> 05:42:44,218 competitor by hacking the employee and 6683 05:42:44,218 --> 05:42:46,080 the competitor and actively defaming 6684 05:42:46,080 --> 05:42:47,160 them 6685 05:42:47,160 --> 05:42:50,280 um he did 18 months in prison uh it was 6686 05:42:50,280 --> 05:42:52,020 pretty much unrepentant and the blog 6687 05:42:52,020 --> 05:42:54,480 kind of concludes I read that blog too 6688 05:42:54,480 --> 05:42:59,638 he found yoga and um peace he he talked 6689 05:42:59,638 --> 05:43:01,920 he had a come to God moment with a 6690 05:43:01,920 --> 05:43:04,860 homeless woman in San Francisco and ends 6691 05:43:04,860 --> 05:43:07,620 it with a bad metaphor about quantum 6692 05:43:07,620 --> 05:43:09,780 physics there was quite over there it's 6693 05:43:09,780 --> 05:43:11,580 worth a read I mentioned it we should 6694 05:43:11,580 --> 05:43:13,020 send them back and we should send Kevin 6695 05:43:13,020 --> 05:43:15,780 with him I think 6696 05:43:15,780 --> 05:43:18,780 bringing that dead meme back um 6697 05:43:18,780 --> 05:43:20,878 and then of course our favorite uh the 6698 05:43:20,878 --> 05:43:24,840 disreputable kick the job of Scott 6699 05:43:24,840 --> 05:43:27,600 um a quote from one of the consultants 6700 05:43:27,600 --> 05:43:29,040 on the Pwnie Awards the only reason he 6701 05:43:29,040 --> 05:43:31,378 hasn't violated uh FARA the Foreign 6702 05:43:31,378 --> 05:43:33,958 Agents
Registration Act is because he's 6703 05:43:33,958 --> 05:43:35,340 probably too stupid to be a foreign 6704 05:43:35,340 --> 05:43:36,840 agent in the first place 6705 05:43:36,840 --> 05:43:39,420 which is a better position than the 6706 05:43:39,420 --> 05:43:41,040 alternative that's true 6707 05:43:41,040 --> 05:43:44,580 um you can still get in trouble yeah uh 6708 05:43:44,580 --> 05:43:46,620 we're thinking about just asking him to 6709 05:43:46,620 --> 05:43:48,120 stop tweeting 6710 05:43:48,120 --> 05:43:51,600 um but you know maybe we all should 6711 05:43:51,600 --> 05:43:54,298 um now uh we're pretty good time 6712 05:43:54,298 --> 05:43:56,958 actually we 6713 05:43:57,900 --> 05:44:00,480 um and first one up uh we've got clem1 6714 05:44:00,480 --> 05:44:03,298 who uh burned 33 in-the-wild 0-days 6715 05:44:03,298 --> 05:44:05,700 since 2014 and found eight so far this 6716 05:44:05,700 --> 05:44:07,378 year though he didn't find them all 6717 05:44:07,378 --> 05:44:09,780 himself oh no 6718 05:44:09,780 --> 05:44:11,638 well if you find it in the wild I don't 6719 05:44:11,638 --> 05:44:13,020 know if that counts as your bug or not 6720 05:44:13,020 --> 05:44:14,760 oh that's a good one just Keepers maybe 6721 05:44:14,760 --> 05:44:17,520 I don't know that's a very good point 6722 05:44:17,520 --> 05:44:18,298 um 6723 05:44:18,298 --> 05:44:20,458 yeah I don't know it's like uh worth a 6724 05:44:20,458 --> 05:44:21,958 debate at least it's all about 6725 05:44:21,958 --> 05:44:24,540 collections voting starts today 6726 05:44:24,540 --> 05:44:26,878 um we have a Branch History Injection uh 6727 05:44:26,878 --> 05:44:30,240 Spectre-BHB uh it was someone at VUSec 6728 05:44:30,240 --> 05:44:33,718 um they didn't tell us who but 6729 05:44:33,718 --> 05:44:36,120 um it's the microarchitecturally 6730 05:44:36,120 --> 05:44:39,000 tampered with a branch history buffer uh 6731 05:44:39,000 --> 05:44:41,160 in order to leak arbitrary kernel
memory 6732 05:44:41,160 --> 05:44:42,900 I don't know about you guys but I'm 6733 05:44:42,900 --> 05:44:45,000 tired of hearing about variants of 6734 05:44:45,000 --> 05:44:46,620 Spectre 6735 05:44:46,620 --> 05:44:48,660 yeah oh you've had a different feature 6736 05:44:48,660 --> 05:44:53,160 of the CPU great and then uh swapgs 6737 05:44:53,160 --> 05:44:54,360 um 6738 05:44:54,360 --> 05:44:56,700 talking about punching down uh decided 6739 05:44:56,700 --> 05:44:58,920 to beat the out of PHP 6740 05:44:58,920 --> 05:44:59,760 um 6741 05:44:59,760 --> 05:45:04,138 and which you know like it found a 6742 05:45:04,138 --> 05:45:05,760 pretty prolific one uh hundreds of 6743 05:45:05,760 --> 05:45:07,680 millions of devices you know 6744 05:45:07,680 --> 05:45:11,400 but um cool so that is uh all of the 6745 05:45:11,400 --> 05:45:13,740 nominees we are not done yet 6746 05:45:13,740 --> 05:45:17,280 um first off uh want to do a huge uh 6747 05:45:17,280 --> 05:45:19,558 thanks uh to Summercon 6748 05:45:19,558 --> 05:45:21,600 um Mark uh particularly has helped us 6749 05:45:21,600 --> 05:45:24,540 out a ton 6750 05:45:24,540 --> 05:45:26,400 you give us a space to hold the awards 6751 05:45:26,400 --> 05:45:28,638 every year 6752 05:45:28,638 --> 05:45:31,558 thank you Sophia for helping out with 6753 05:45:31,558 --> 05:45:33,120 this presentation also yeah American 6754 05:45:33,120 --> 05:45:35,400 Research responsibility like dig through 6755 05:45:35,400 --> 05:45:36,780 and understand some of these uh 6756 05:45:36,780 --> 05:45:39,298 vulnerabilities uh Red Balloon for uh 6757 05:45:39,298 --> 05:45:41,760 helping out with manufacturing the Pwnie 6758 05:45:41,760 --> 05:45:43,620 Awards and also building out some arts 6759 05:45:43,620 --> 05:45:46,320 and crafts for media stuff like that and 6760 05:45:46,320 --> 05:45:48,360 of course thank all of you for 6761 05:45:48,360 --> 05:45:50,040 submitting all these things in the first 6762 05:45:50,040
--> 05:45:52,860 please submit more yes we were very 6763 05:45:52,860 --> 05:45:55,200 disappointed at this message shouting 6764 05:45:55,200 --> 05:45:57,600 out um we have a light sponsorship from 6765 05:45:57,600 --> 05:46:01,580 the new book on Amazon CNO for babies 6766 05:46:01,580 --> 05:46:03,780 CNE for babies 6767 05:46:03,780 --> 05:46:06,600 um you can find it now and the discount 6768 05:46:06,600 --> 05:46:08,458 five bucks off that's a good deal yeah 6769 05:46:08,458 --> 05:46:10,378 exactly you got to jump on that um now 6770 05:46:10,378 --> 05:46:13,200 we have one more thing so uh sometime 6771 05:46:13,200 --> 05:46:14,638 last year we kind of realized that we 6772 05:46:14,638 --> 05:46:16,798 had an extra Pwnie lying around and we 6773 05:46:16,798 --> 05:46:17,878 were like well what the hell do we do 6774 05:46:17,878 --> 05:46:18,840 with this thing it was kind of 6775 05:46:18,840 --> 05:46:20,340 interesting looking at some wings on it 6776 05:46:20,340 --> 05:46:22,320 and we thought well you know we should 6777 05:46:22,320 --> 05:46:25,740 probably like celebrate some of the like 6778 05:46:25,740 --> 05:46:26,878 people that kind of fundamentally 6779 05:46:26,878 --> 05:46:28,440 support the entire industry in the first 6780 05:46:28,440 --> 05:46:31,320 place so we decided to give that Pwnie to 6781 05:46:31,320 --> 05:46:32,940 Dino as the first ever Lifetime 6782 05:46:32,940 --> 05:46:35,160 Achievement Award for the Pwnie Awards 6783 05:46:35,160 --> 05:46:37,620 and since then we've decided that we're 6784 05:46:37,620 --> 05:46:40,680 going to keep doing that and uh this 6785 05:46:40,680 --> 05:46:41,580 year 6786 05:46:41,580 --> 05:46:43,558 um we're giving out another one right 6787 05:46:43,558 --> 05:46:45,600 now so 6788 05:46:45,600 --> 05:46:48,240 this is going to go to someone that 6789 05:46:48,240 --> 05:46:50,520 honestly kind of had in mind when I was 6790 05:46:50,520 --> 05:46:52,378 thinking about the notion
of a Lifetime 6791 05:46:52,378 --> 05:46:55,020 Achievement Award in the first place 6792 05:46:55,020 --> 05:46:56,100 um they 6793 05:46:56,100 --> 05:46:58,218 don't need it um 6794 05:46:58,218 --> 05:47:00,780 uh they they've kind of fundamentally 6795 05:47:00,780 --> 05:47:02,820 supported and built the industry from 6796 05:47:02,820 --> 05:47:05,280 the ground up and turned it from what 6797 05:47:05,280 --> 05:47:07,260 was like basically a bunch of people 6798 05:47:07,260 --> 05:47:09,180 kind of doing vaguely criminal things to 6799 05:47:09,180 --> 05:47:10,558 a bunch of people with full-time jobs 6800 05:47:10,558 --> 05:47:13,080 doing vaguely criminal things 6801 05:47:13,080 --> 05:47:16,200 um so uh if you haven't already guessed 6802 05:47:16,200 --> 05:47:18,780 uh we are going to give the Lifetime 6803 05:47:18,780 --> 05:47:21,180 Achievement Award for 2023 for the Pwnie 6804 05:47:21,180 --> 05:47:24,298 Awards to Mudge 6805 05:47:24,298 --> 05:47:26,580 where's Mudge it's in the green room we 6806 05:47:26,580 --> 05:47:30,440 know he's here has to be here 6807 05:47:39,558 --> 05:47:42,680 all right 6808 05:47:45,298 --> 05:47:47,340 this is a Lifetime Achievement Award for 6809 05:47:47,340 --> 05:47:48,840 everything you've done to kind of invent 6810 05:47:48,840 --> 05:47:51,600 the industry and put it into a place 6811 05:47:51,600 --> 05:47:54,120 where you know it exists and it's real 6812 05:47:54,120 --> 05:47:56,760 so thank you 6813 05:47:56,760 --> 05:47:58,877 oh 6814 05:48:00,420 --> 05:48:02,638 do you wanna 6815 05:48:02,638 --> 05:48:05,480 you wanna say anything 6816 05:48:05,540 --> 05:48:08,760 no I just um I 6817 05:48:08,760 --> 05:48:10,980 it's the community and it's everybody 6818 05:48:10,980 --> 05:48:14,940 else who's enabled all of this uh and I 6819 05:48:14,940 --> 05:48:16,620 love this community this is this means a 6820 05:48:16,620 --> 05:48:18,540 lot to me it's been tough at times but 6821 05:48:18,540
--> 05:48:20,878 you've always been there and I hope I've 6822 05:48:20,878 --> 05:48:22,620 been there for you as well 6823 05:48:22,620 --> 05:48:25,399 all right thanks 6824 05:48:28,860 --> 05:48:30,840 all right that's it 6825 05:48:30,840 --> 05:48:32,458 all right all right then we have one 6826 05:48:32,458 --> 05:48:36,859 brief word from the CDC 6827 05:48:37,218 --> 05:48:39,298 apparently there's some CDC thing 6828 05:48:39,298 --> 05:48:42,360 happening oh CDC 6829 05:48:42,360 --> 05:48:45,240 is that you are you the CDC person oh 6830 05:48:45,240 --> 05:48:47,100 you're the all right all right not 6831 05:48:47,100 --> 05:48:50,480 exactly from the CDC 6832 05:48:51,000 --> 05:48:55,040 Center for Disease Control thank you 6833 05:48:55,080 --> 05:48:57,920 what you thought as much 6834 05:49:00,058 --> 05:49:02,718 Dear God 6835 05:49:07,378 --> 05:49:09,958 yeah four reasons 6836 05:49:09,958 --> 05:49:12,718 that are either legal legal or aesthetic 6837 05:49:12,718 --> 05:49:14,940 I don't know which uh we will not be 6838 05:49:14,940 --> 05:49:17,218 live streaming this specific 6839 05:49:17,218 --> 05:49:19,940 announcement 6840 05:52:33,500 --> 05:52:36,360 all right 6841 05:52:36,360 --> 05:52:39,840 right on schedule it is amazing we are 6842 05:52:39,840 --> 05:52:42,240 like a Swiss Train here I can't believe 6843 05:52:42,240 --> 05:52:44,540 it 6844 05:52:44,878 --> 05:52:47,160 all right ladies and gentlemen it's time 6845 05:52:47,160 --> 05:52:49,620 to delve into the exciting world of 6846 05:52:49,620 --> 05:52:51,958 security and cryptography 6847 05:52:51,958 --> 05:52:55,280 bringing crypto back 6848 05:52:55,680 --> 05:52:58,138 our speaker 6849 05:52:58,138 --> 05:53:01,440 our speakers Nick Sullivan and Doug 6850 05:53:01,440 --> 05:53:04,558 McKenzie in today's round of spot the 6851 05:53:04,558 --> 05:53:06,600 Canadian I don't know which one is the 6852 05:53:06,600 --> 05:53:09,058 Canadian here 6853 05:53:09,058 --> 
05:53:09,900 um 6854 05:53:09,900 --> 05:53:14,458 our um uh gonna provide a a really 6855 05:53:14,458 --> 05:53:17,638 Illuminating presentation Nick is a 6856 05:53:17,638 --> 05:53:19,500 renowned technologist with a wealth of 6857 05:53:19,500 --> 05:53:21,718 experience in enhancing encryption and 6858 05:53:21,718 --> 05:53:24,058 secure network protocols having made 6859 05:53:24,058 --> 05:53:26,218 significant contribution to Apple's 6860 05:53:26,218 --> 05:53:28,558 security Technologies and playing a 6861 05:53:28,558 --> 05:53:31,378 vital role at cloudflare Nick's 6862 05:53:31,378 --> 05:53:34,200 expertise is unmatched 6863 05:53:34,200 --> 05:53:36,600 join them as they take us through a 6864 05:53:36,600 --> 05:53:38,878 recap of the latest developments in the 6865 05:53:38,878 --> 05:53:40,320 crypto landscape 6866 05:53:40,320 --> 05:53:42,058 with their extensive knowledge and 6867 05:53:42,058 --> 05:53:43,740 passion for internet standards and 6868 05:53:43,740 --> 05:53:46,400 sleight of hand 6869 05:53:46,440 --> 05:53:48,540 Nick and Doug are here to share 6870 05:53:48,540 --> 05:53:50,700 invaluable insights with all of us give 6871 05:53:50,700 --> 05:53:53,360 the warm welcome 6872 05:53:55,200 --> 05:53:58,218 all right thanks everybody 6873 05:54:19,218 --> 05:54:22,218 thank you 6874 05:54:25,440 --> 05:54:28,500 okay hello everybody it's great to be 6875 05:54:28,500 --> 05:54:30,660 back here at summercon 6876 05:54:30,660 --> 05:54:33,000 uh 6877 05:54:33,000 --> 05:54:36,080 so this year in crypto 6878 05:54:39,420 --> 05:54:41,820 yeah so um 6879 05:54:41,820 --> 05:54:43,980 I will make the signal okay great so 6880 05:54:43,980 --> 05:54:48,240 quick aside before we start here 6881 05:54:48,240 --> 05:54:50,900 my favorite show 6882 05:54:51,120 --> 05:54:54,620 something's not aligning properly 6883 05:54:59,400 --> 05:55:02,160 one second 6884 05:55:02,160 --> 05:55:05,058 no I think we're good 6885 05:55:26,700 --> 
05:55:29,458 all right so quick aside uh so summercon 6886 05:55:29,458 --> 05:55:31,860 is you know the one of the longest 6887 05:55:31,860 --> 05:55:34,458 running hacker conferences starting in 6888 05:55:34,458 --> 05:55:38,040 1986 but cryptography has its own 6889 05:55:38,040 --> 05:55:40,080 long-running conference it's called 6890 05:55:40,080 --> 05:55:43,080 crypto and it's been held every summer 6891 05:55:43,080 --> 05:55:47,218 in Santa Barbara since 1981. so uh you 6892 05:55:47,218 --> 05:55:50,280 know it's 2023 cryptocurrency is you 6893 05:55:50,280 --> 05:55:51,900 know rotting in the sun it's time to 6894 05:55:51,900 --> 05:55:54,480 reclaim the word so from now on during 6895 05:55:54,480 --> 05:55:56,638 this talk crypto means cryptography 6896 05:55:56,638 --> 05:55:58,138 all right 6897 05:55:58,138 --> 05:56:00,739 yes 6898 05:56:01,260 --> 05:56:03,360 okay so 6899 05:56:03,360 --> 05:56:05,218 um the theme of this talk is because 6900 05:56:05,218 --> 05:56:07,080 crypto is Magic and and you'll see why 6901 05:56:07,080 --> 05:56:10,378 so uh cryptography is about hiding 6902 05:56:10,378 --> 05:56:12,200 information with mathematics using 6903 05:56:12,200 --> 05:56:13,980 cryptographic algorithms you can 6904 05:56:13,980 --> 05:56:15,718 scramble data in a way that's hard to 6905 05:56:15,718 --> 05:56:18,120 unscramble unless you have you know a 6906 05:56:18,120 --> 05:56:21,000 special hint or a mathematical ability 6907 05:56:21,000 --> 05:56:25,200 that is beyond the best mathematicians 6908 05:56:25,200 --> 05:56:27,120 who are you know are able to share their 6909 05:56:27,120 --> 05:56:29,400 work at least and this is what makes 6910 05:56:29,400 --> 05:56:32,160 cryptography magical it leverages 6911 05:56:32,160 --> 05:56:34,558 information asymmetry so things like a 6912 05:56:34,558 --> 05:56:37,260 password or 128 bits of information and 6913 05:56:37,260 --> 05:56:41,218 bootstraps it with hard problems like 6914 
05:56:41,218 --> 05:56:41,820 um 6915 05:56:41,820 --> 05:56:46,020 factoring numbers and and from there 6916 05:56:46,020 --> 05:56:47,400 um 6917 05:56:47,400 --> 05:56:49,620 this is how you get the get get some 6918 05:56:49,620 --> 05:56:51,840 some of the perfect things that 6919 05:56:51,840 --> 05:56:53,700 cryptography brings you so 6920 05:56:53,700 --> 05:56:54,718 um one of the fun Parts about 6921 05:56:54,718 --> 05:56:57,540 cryptography is that 6922 05:56:57,540 --> 05:56:59,100 um in fact this is a this is a tweet 6923 05:56:59,100 --> 05:57:01,680 from Matthew green a previous uh speaker 6924 05:57:01,680 --> 05:57:04,340 here at summercon 6925 05:57:04,340 --> 05:57:06,600 cryptography might not even exist most 6926 05:57:06,600 --> 05:57:08,160 of it might not even exist there are no 6927 05:57:08,160 --> 05:57:09,540 proofs that 6928 05:57:09,540 --> 05:57:11,340 um the hard problems that we rely on are 6929 05:57:11,340 --> 05:57:13,378 actually unable to be solved in 6930 05:57:13,378 --> 05:57:16,680 polynomial time and uh so this ignorance 6931 05:57:16,680 --> 05:57:18,900 of the world around us it's what gives 6932 05:57:18,900 --> 05:57:20,280 cryptographers 6933 05:57:20,280 --> 05:57:23,458 uh the power and that's what makes 6934 05:57:23,458 --> 05:57:25,260 cryptography really the ultimate version 6935 05:57:25,260 --> 05:57:28,020 of security by obscurity 6936 05:57:28,020 --> 05:57:30,240 um and so this liminal space is what 6937 05:57:30,240 --> 05:57:31,080 makes 6938 05:57:31,080 --> 05:57:32,700 practitioners of cryptography and 6939 05:57:32,700 --> 05:57:35,580 magicians uh it's the ultimate sleight 6940 05:57:35,580 --> 05:57:37,980 of hand and uh just to convince you that 6941 05:57:37,980 --> 05:57:40,620 this talk isn't just isn't a gimmick 6942 05:57:40,620 --> 05:57:42,298 um this is something that I believe for 6943 05:57:42,298 --> 05:57:43,638 a long time I've actually had 6944 05:57:43,638 --> 05:57:46,500 
mathematician as as my job title in a 6945 05:57:46,500 --> 05:57:48,420 former role 6946 05:57:48,420 --> 05:57:49,680 um so since this is summer con we're 6947 05:57:49,680 --> 05:57:50,638 going to talk about vulnerabilities 6948 05:57:50,638 --> 05:57:52,020 right 6949 05:57:52,020 --> 05:57:53,878 um and it when it comes to cryptography 6950 05:57:53,878 --> 05:57:56,878 they fall into usually three categories 6951 05:57:56,878 --> 05:57:59,638 something is wrong with this thing um 6952 05:57:59,638 --> 05:58:02,100 in any case um they boil down to 6953 05:58:02,100 --> 05:58:04,500 mathematics so sometimes something new 6954 05:58:04,500 --> 05:58:06,840 is discovered in math that obsolete's 6955 05:58:06,840 --> 05:58:09,120 previous assumptions and this happens 6956 05:58:09,120 --> 05:58:10,878 more frequently than you would expect 6957 05:58:10,878 --> 05:58:13,558 hash functions for example is a recent 6958 05:58:13,558 --> 05:58:15,120 example so 6959 05:58:15,120 --> 05:58:17,400 um that's one one aspect the second is 6960 05:58:17,400 --> 05:58:19,980 implementation bugs so perfectly 6961 05:58:19,980 --> 05:58:23,820 translating math to code is also uh is 6962 05:58:23,820 --> 05:58:25,320 something that's very difficult to do 6963 05:58:25,320 --> 05:58:28,260 keeping these secrets uh in your code 6964 05:58:28,260 --> 05:58:30,840 hiding them from side channels very very 6965 05:58:30,840 --> 05:58:31,798 difficult 6966 05:58:31,798 --> 05:58:33,900 um and the third part is composition so 6967 05:58:33,900 --> 05:58:35,820 taking these mathematical Primitives and 6968 05:58:35,820 --> 05:58:37,680 combining them into a protocol that 6969 05:58:37,680 --> 05:58:41,040 can't really be exploited uh these this 6970 05:58:41,040 --> 05:58:43,378 basically covers 99 of the issues in 6971 05:58:43,378 --> 05:58:46,520 cryptography and uh if doing 6972 05:58:46,520 --> 05:58:48,660 cryptography is akin to doing magic 6973 05:58:48,660 --> 05:58:51,420 
trick these three categories of vulns 6974 05:58:51,420 --> 05:58:54,058 correspond in ways that illusions can 6975 05:58:54,058 --> 05:58:57,480 fail you can design a trick in a way 6976 05:58:57,480 --> 05:59:00,000 that uh information asymmetry is 6977 05:59:00,000 --> 05:59:03,900 leveraged and you can do that poorly you 6978 05:59:03,900 --> 05:59:08,340 can perform the illusion improperly and 6979 05:59:08,340 --> 05:59:10,798 uh and and this you know breaks 6980 05:59:10,798 --> 05:59:12,660 everything breaks sort of the the view 6981 05:59:12,660 --> 05:59:14,580 of the folks in the audience what they 6982 05:59:14,580 --> 05:59:17,160 see and and the third is is choreography 6983 05:59:17,160 --> 05:59:19,440 so are the steps of the trick done in 6984 05:59:19,440 --> 05:59:23,520 the right order and if not uh you you 6985 05:59:23,520 --> 05:59:26,458 don't get the the the real solution 6986 05:59:26,458 --> 05:59:29,520 okay so with that in mind there are a 6987 05:59:29,520 --> 05:59:31,558 ton of topics I could talk about 6988 05:59:31,558 --> 05:59:33,540 um these are these are just four of them 6989 05:59:33,540 --> 05:59:37,200 I don't have a a whole hour or two hours 6990 05:59:37,200 --> 05:59:38,940 or whatever so we're just gonna pick 6991 05:59:38,940 --> 05:59:40,620 these two 6992 05:59:40,620 --> 05:59:43,378 um starting with uh quantum cryptography 6993 05:59:43,378 --> 05:59:45,480 quantum computers right post-quantum 6994 05:59:45,480 --> 05:59:47,100 cryptography this is like a buzzword you 6995 05:59:47,100 --> 05:59:49,320 might have heard for a while 6996 05:59:49,320 --> 05:59:51,540 um and uh they're they're just computers 6997 05:59:51,540 --> 05:59:53,638 that rather than using binary logic 6998 05:59:53,638 --> 05:59:55,440 gates they use properties of quantum 6999 05:59:55,440 --> 05:59:58,440 mechanics to perform calculations so in 7000 05:59:58,440 --> 06:00:00,958 a quantum computer instead of bits being 7001 06:00:00,958 -->
06:00:03,480 represented by ones and zeros in 7002 06:00:03,480 --> 06:00:05,280 transistors and on and off States 7003 06:00:05,280 --> 06:00:07,920 they're represented by physical states 7004 06:00:07,920 --> 06:00:11,580 of Elementary particles like photons and 7005 06:00:11,580 --> 06:00:13,558 uh and electrons 7006 06:00:13,558 --> 06:00:17,638 and uh these bits are called qubits and 7007 06:00:17,638 --> 06:00:20,458 so well what you can do 7008 06:00:20,458 --> 06:00:23,760 with these bits rather than just you 7009 06:00:23,760 --> 06:00:26,340 know ones and zeros xores and ands and 7010 06:00:26,340 --> 06:00:28,558 all these logical Gates what you can do 7011 06:00:28,558 --> 06:00:30,860 is you can entangle these bits together 7012 06:00:30,860 --> 06:00:34,320 and apply Quantum functions on them so 7013 06:00:34,320 --> 06:00:38,218 uh just like uh 7014 06:00:38,218 --> 06:00:41,280 just like you have the the concept here 7015 06:00:41,280 --> 06:00:42,840 of Schrodinger's cat 7016 06:00:42,840 --> 06:00:44,580 um that's what a quantum computer can do 7017 06:00:44,580 --> 06:00:47,340 it's uh you take your bits you can 7018 06:00:47,340 --> 06:00:49,020 scramble them up and then you can look 7019 06:00:49,020 --> 06:00:51,180 at them and then they represent 7020 06:00:51,180 --> 06:00:53,760 um a certain distribution based on the 7021 06:00:53,760 --> 06:00:55,980 quantum superposition of state so having 7022 06:00:55,980 --> 06:00:59,340 n qubits qubits doesn't give you these 7023 06:00:59,340 --> 06:01:01,500 magical ability to do two to the end 7024 06:01:01,500 --> 06:01:03,780 parallel operations at once or anything 7025 06:01:03,780 --> 06:01:05,218 like that it just gives you the ability 7026 06:01:05,218 --> 06:01:08,700 to perform some algorithms that 7027 06:01:08,700 --> 06:01:11,218 um okay just so slightly faster than you 7028 06:01:11,218 --> 06:01:12,080 can with a classical computer 7029 06:01:12,080 --> 06:01:15,058 asymptotically so 
these include 7030 06:01:15,058 --> 06:01:18,360 searching through a list and uh 7031 06:01:18,360 --> 06:01:19,680 strangely enough 7032 06:01:19,680 --> 06:01:23,160 factoring numbers and so 7033 06:01:23,160 --> 06:01:24,840 factoring numbers being one of the 7034 06:01:24,840 --> 06:01:25,980 problems that you can solve in 7035 06:01:25,980 --> 06:01:28,138 polynomial time no or at least the ones 7036 06:01:28,138 --> 06:01:30,780 that we've deployed but we haven't built 7037 06:01:30,780 --> 06:01:32,160 quantum computers yet that are big 7038 06:01:32,160 --> 06:01:34,440 enough we're basically in the 1940s with 7039 06:01:34,440 --> 06:01:35,940 respect to these 7040 06:01:35,940 --> 06:01:37,920 um so what is post Quantum cryptography 7041 06:01:37,920 --> 06:01:40,558 well this is just cryptography that's 7042 06:01:40,558 --> 06:01:42,840 resistant to all known algorithms that 7043 06:01:42,840 --> 06:01:44,878 run on a quantum computer that that's 7044 06:01:44,878 --> 06:01:47,160 about it and quantum computers they 7045 06:01:47,160 --> 06:01:49,260 really can't do that much uh compared to 7046 06:01:49,260 --> 06:01:50,878 regular computers and they're very slow 7047 06:01:50,878 --> 06:01:53,878 so what's the what's the big deal right 7048 06:01:53,878 --> 06:01:55,680 and what why would you want post Quantum 7049 06:01:55,680 --> 06:01:57,298 cryptography 7050 06:01:57,298 --> 06:01:59,280 um so you know even if a quantum 7051 06:01:59,280 --> 06:02:01,440 computer is that's big enough to break 7052 06:02:01,440 --> 06:02:05,458 RSA or ECC is 10 years away a 7053 06:02:05,458 --> 06:02:07,620 conservative view is that we as a 7054 06:02:07,620 --> 06:02:10,378 society should start this process of 7055 06:02:10,378 --> 06:02:13,080 swapping out current algorithms for 7056 06:02:13,080 --> 06:02:15,120 resistant algorithms as soon as we can 7057 06:02:15,120 --> 06:02:17,520 so that our current Secrets things that 7058 06:02:17,520 --> 06:02:19,020 we 
encrypt today everything's 7059 06:02:19,020 --> 06:02:21,000 transmitted over the Internet is safe 7060 06:02:21,000 --> 06:02:22,500 from 7061 06:02:22,500 --> 06:02:24,958 attackers 10 years into the future and 7062 06:02:24,958 --> 06:02:26,700 so this really started in earnest in 7063 06:02:26,700 --> 06:02:30,180 2015 when the NSA made this strange 7064 06:02:30,180 --> 06:02:33,000 announcement to stop 7065 06:02:33,000 --> 06:02:35,520 um basically anybody who's transitioning 7066 06:02:35,520 --> 06:02:38,700 from uh to Suite B which is their uh 7067 06:02:38,700 --> 06:02:40,980 Security Suite of cryptography to stop 7068 06:02:40,980 --> 06:02:43,740 just stop wait you know just transition 7069 06:02:43,740 --> 06:02:46,080 to post-quantum when it's ready and at 7070 06:02:46,080 --> 06:02:48,958 that time NIST uh started this process 7071 06:02:48,958 --> 06:02:50,580 to 7072 06:02:50,580 --> 06:02:53,280 um decide hey which which algorithms 7073 06:02:53,280 --> 06:02:54,540 should we use which one should we 7074 06:02:54,540 --> 06:02:56,878 standardize which of these uh potential 7075 06:02:56,878 --> 06:02:58,740 replacements that are not based on 7076 06:02:58,740 --> 06:03:01,080 factoring or on you know similar 7077 06:03:01,080 --> 06:03:03,058 problems elliptic curves 7078 06:03:03,058 --> 06:03:05,520 um could happen so this has progressed 7079 06:03:05,520 --> 06:03:07,740 pretty pretty significantly 7080 06:03:07,740 --> 06:03:11,280 um uh to the point where in 2019 it was 7081 06:03:11,280 --> 06:03:13,740 down to two different types of 7082 06:03:13,740 --> 06:03:15,360 algorithms one that was based on a hard 7083 06:03:15,360 --> 06:03:18,600 problem based on lattices another based 7084 06:03:18,600 --> 06:03:22,020 on isogenies and uh we don't have to go 7085 06:03:22,020 --> 06:03:24,780 into there's there's not that deep of 7086 06:03:24,780 --> 06:03:25,920 math in this so we don't have to go into 7087 06:03:25,920 --> 06:03:27,840
what what each of those are but um an 7088 06:03:27,840 --> 06:03:29,520 example here is is called SIKE and 7089 06:03:29,520 --> 06:03:31,440 another one's called NTRU and these 7090 06:03:31,440 --> 06:03:33,180 were tested wide scale on the internet 7091 06:03:33,180 --> 06:03:36,480 in 2019 and uh it turns out that the 7092 06:03:36,480 --> 06:03:38,820 lattices actually work you can you can 7093 06:03:38,820 --> 06:03:41,400 deploy lattice-based cryptography online 7094 06:03:41,400 --> 06:03:44,400 um and and it's totally fine and so in 7095 06:03:44,400 --> 06:03:47,040 July in the last year or so this year in 7096 06:03:47,040 --> 06:03:49,740 cryptography this is one year ago uh 7097 06:03:49,740 --> 06:03:51,360 NIST announced the finalist which is 7098 06:03:51,360 --> 06:03:53,638 called Kyber and uh Kyber has been 7099 06:03:53,638 --> 06:03:55,138 deployed 7100 06:03:55,138 --> 06:03:58,138 um in these production environments and 7101 06:03:58,138 --> 06:04:00,740 so that's a lattice algorithm what about 7102 06:04:00,740 --> 06:04:02,820 isogenies well one of the biggest 7103 06:04:02,820 --> 06:04:05,100 vulnerabilities that was found in the 7104 06:04:05,100 --> 06:04:08,100 year was uh having to do with isogenies 7105 06:04:08,100 --> 06:04:13,400 and the ironically named algorithm SIKE 7106 06:04:13,400 --> 06:04:16,680 which is very new and very cool uh it 7107 06:04:16,680 --> 06:04:20,280 had you know small keys and it was by 7108 06:04:20,280 --> 06:04:21,780 far the smallest keys of any PQ 7109 06:04:21,780 --> 06:04:24,420 candidate although it's expensive 7110 06:04:24,420 --> 06:04:26,760 um but you know alas mathematicians 7111 06:04:26,760 --> 06:04:28,798 found a way to get from the public key 7112 06:04:28,798 --> 06:04:31,798 to the private key using very advanced 7113 06:04:31,798 --> 06:04:34,620 algebra and uh it took them less than 10 7114 06:04:34,620 --> 06:04:37,440 minutes on one core to do that so SIKE 7115 06:04:37,440
--> 06:04:40,798 is absolutely dead dead as can be at at 7116 06:04:40,798 --> 06:04:42,240 age 11. 7117 06:04:42,240 --> 06:04:45,840 and um to help demonstrate this time of 7118 06:04:45,840 --> 06:04:47,878 this type of algebraic trick I'd like to 7119 06:04:47,878 --> 06:04:52,378 introduce uh Doug McKenzie who is 7120 06:04:52,378 --> 06:04:54,600 going to be demonstrating thank you 7121 06:04:54,600 --> 06:04:56,820 thank you hi everybody my name is Doug I 7122 06:04:56,820 --> 06:04:59,340 am a magician I'll be showing a card 7123 06:04:59,340 --> 06:05:02,160 trick to the analogous to the uh 7124 06:05:02,160 --> 06:05:05,520 demonstration of how that was broken so 7125 06:05:05,520 --> 06:05:07,200 we could turn that screen on so we get 7126 06:05:07,200 --> 06:05:10,340 the camera right here that'd be great 7127 06:05:22,138 --> 06:05:24,480 are some secrets that we will be 7128 06:05:24,480 --> 06:05:26,958 revealed 7129 06:06:48,500 --> 06:06:51,500 thank you 7130 06:11:52,500 --> 06:11:56,458 thanks so what this is demonstrated in a 7131 06:11:56,458 --> 06:11:59,520 very crude way it was analogous to what 7132 06:11:59,520 --> 06:12:02,100 what attack was found on 7133 06:12:02,100 --> 06:12:07,680 um sidh so uh the they found a way to uh 7134 06:12:07,680 --> 06:12:10,260 look at the permutation and reverse it 7135 06:12:10,260 --> 06:12:12,900 uh using a very short application so 7136 06:12:12,900 --> 06:12:15,920 let's go back to the slides 7137 06:12:18,360 --> 06:12:20,900 if we can 7138 06:12:22,820 --> 06:12:24,660 slides 7139 06:12:24,660 --> 06:12:27,180 can we magic time all right magic time's 7140 06:12:27,180 --> 06:12:29,940 over all right thanks um Okay so we've 7141 06:12:29,940 --> 06:12:32,760 covered mathematics this is uh this is 7142 06:12:32,760 --> 06:12:35,340 one of the one of the big categories and 7143 06:12:35,340 --> 06:12:36,298 um 7144 06:12:36,298 --> 06:12:37,798 you know I wouldn't be able to explain 7145 06:12:37,798 
--> 06:12:41,458 with even an hour uh the math behind how 7146 06:12:41,458 --> 06:12:43,320 that worked because you know super 7147 06:12:43,320 --> 06:12:45,840 singular isogeny Diffie-Hellman is a is a 7148 06:12:45,840 --> 06:12:48,660 super uh mouthful and uh and the math 7149 06:12:48,660 --> 06:12:50,458 is even worse so 7150 06:12:50,458 --> 06:12:52,020 um once we've covered this math but 7151 06:12:52,020 --> 06:12:53,760 there's actually more in PQ in this time 7152 06:12:53,760 --> 06:12:57,718 in implementation so uh Kyber Kyber was 7153 06:12:57,718 --> 06:13:00,298 the chosen candidate right it was uh 7154 06:13:00,298 --> 06:13:01,798 very long keys that are actually really 7155 06:13:01,798 --> 06:13:04,500 fast to compute faster than ECC 7156 06:13:04,500 --> 06:13:06,240 um and they were shown to work on the 7157 06:13:06,240 --> 06:13:09,958 internet and uh you may have seen this 7158 06:13:09,958 --> 06:13:14,040 headline about Kyber being broken by AI 7159 06:13:14,040 --> 06:13:16,260 um so Kyber is actually based on an 7160 06:13:16,260 --> 06:13:19,440 older mathematical problem it's um it's 7161 06:13:19,440 --> 06:13:21,718 been known since 1996 the category 7162 06:13:21,718 --> 06:13:23,760 problems which is you know three years 7163 06:13:23,760 --> 06:13:25,500 before the Cryptonomicon was published 7164 06:13:25,500 --> 06:13:30,298 so uh no card tricks there but 7165 06:13:30,298 --> 06:13:32,340 um uh and you know I had big keys one 7166 06:13:32,340 --> 06:13:34,080 kilobyte but this is the this is the 7167 06:13:34,080 --> 06:13:36,120 single public key algorithm chosen by 7168 06:13:36,120 --> 06:13:38,340 NIST how did this 7169 06:13:38,340 --> 06:13:39,660 um publication 7170 06:13:39,660 --> 06:13:41,280 how did SecurityWeek say that was 7171 06:13:41,280 --> 06:13:42,840 cracked right 7172 06:13:42,840 --> 06:13:44,878 um and in fact it wasn't broken the math 7173 06:13:44,878 --> 06:13:46,500 wasn't broken the math was is
still 7174 06:13:46,500 --> 06:13:48,600 found to be sound but this was just a 7175 06:13:48,600 --> 06:13:51,298 flesh wound um and we saw this this is a 7176 06:13:51,298 --> 06:13:52,680 great series of talks to lead up to this 7177 06:13:52,680 --> 06:13:55,020 but um there was a problem in the 7178 06:13:55,020 --> 06:13:57,900 implementation and uh we saw how power 7179 06:13:57,900 --> 06:14:00,540 analysis work Works 7180 06:14:00,540 --> 06:14:02,340 um and you look for patterns to extract 7181 06:14:02,340 --> 06:14:05,580 data uh secret data ones and zeros a 7182 06:14:05,580 --> 06:14:08,580 very very common counter 7183 06:14:08,580 --> 06:14:10,860 um countermeasure for this is called 7184 06:14:10,860 --> 06:14:13,620 masking you effectively take random bits 7185 06:14:13,620 --> 06:14:15,240 and random bytes and you xor them into 7186 06:14:15,240 --> 06:14:17,820 the data so that uh the power 7187 06:14:17,820 --> 06:14:20,040 signature of a computation doesn't 7188 06:14:20,040 --> 06:14:22,500 reveal the structure of the numbers 7189 06:14:22,500 --> 06:14:25,440 um this is this is applied in kyber and 7190 06:14:25,440 --> 06:14:28,200 uh what happened in this attack this 7191 06:14:28,200 --> 06:14:29,638 publication 7192 06:14:29,638 --> 06:14:33,958 um was that they basically trained a 7193 06:14:33,958 --> 06:14:36,600 neural network with a new method called 7194 06:14:36,600 --> 06:14:39,000 recursive learning and we're able to 7195 06:14:39,000 --> 06:14:42,080 even though things were masked 7196 06:14:42,080 --> 06:14:45,120 find the little tiny gaps that uh 7197 06:14:45,120 --> 06:14:48,780 Illustrated what bits were in the key so 7198 06:14:48,780 --> 06:14:52,500 this was a power analysis attack slash 7199 06:14:52,500 --> 06:14:54,120 timing analysis attack if you want to do 7200 06:14:54,120 --> 06:14:56,700 it that way on steroids 7201 06:14:56,700 --> 06:14:58,558 um powered by AI but in the end it 7202 06:14:58,558 --> 
06:14:59,878 didn't break the math it just break 7203 06:14:59,878 --> 06:15:03,000 broke this one counter proposal so Kyber 7204 06:15:03,000 --> 06:15:05,160 is still the choice it's still secure 7205 06:15:05,160 --> 06:15:06,718 it's just you have to be very careful 7206 06:15:06,718 --> 06:15:08,700 when implementing it 7207 06:15:08,700 --> 06:15:12,600 um and so to uh demonstrate this type of 7208 06:15:12,600 --> 06:15:16,080 issue uh side-channel attacks uh Doug I 7209 06:15:16,080 --> 06:15:18,058 would like to invite Doug back to uh do 7210 06:15:18,058 --> 06:15:21,780 another magic trick perfect thank you I 7211 06:15:21,780 --> 06:15:23,040 need someone knows how to riffle shuffle 7212 06:15:23,040 --> 06:15:24,660 so riffle shuffles where you shuffle 7213 06:15:24,660 --> 06:15:26,940 like this anybody know how to riffle 7214 06:15:26,940 --> 06:15:29,359 shuffle here 7215 06:22:02,700 --> 06:22:05,760 and and in their pockets uh end-to-end 7216 06:22:05,760 --> 06:22:08,820 secure messaging uh so you know Signal 7217 06:22:08,820 --> 06:22:10,980 the protocol was created 10 years ago 7218 06:22:10,980 --> 06:22:12,958 that you know the same year that Snowden 7219 06:22:12,958 --> 06:22:15,058 came out with his uh 7220 06:22:15,058 --> 06:22:17,400 um revelations or whatnot 7221 06:22:17,400 --> 06:22:19,378 um and uh actually this picture right 7222 06:22:19,378 --> 06:22:22,260 here is from Snowden swag website so you 7223 06:22:22,260 --> 06:22:24,420 know it's been 10 years since then and 7224 06:22:24,420 --> 06:22:27,058 uh the world has changed so here's a not 7225 06:22:27,058 --> 06:22:29,520 so secret secret practitioners hate 7226 06:22:29,520 --> 06:22:31,620 using the Signal protocol you know it 7227 06:22:31,620 --> 06:22:33,840 doesn't scale to big groups uh source 7228 06:22:33,840 --> 06:22:35,878 code is kind of poorly documented and 7229 06:22:35,878 --> 06:22:38,160 it's not really designed for 7230 06:22:38,160 --> 06:22:40,320
interoperability and Federation which is 7231 06:22:40,320 --> 06:22:42,600 the new hotness with things like 7232 06:22:42,600 --> 06:22:45,120 Mastodon and now threads so trying to 7233 06:22:45,120 --> 06:22:47,218 shoehorn Signal into other systems has 7234 06:22:47,218 --> 06:22:48,900 proven a little bit challenging 7235 06:22:48,900 --> 06:22:51,120 um even for the best Engineers so like 7236 06:22:51,120 --> 06:22:53,458 in some signal is is quirky but it works 7237 06:22:53,458 --> 06:22:54,660 for the signal app and it's it's 7238 06:22:54,660 --> 06:22:57,180 fantastic it does have it's it's like a 7239 06:22:57,180 --> 06:22:59,878 Trailblazer in the uh secure end-to-end 7240 06:22:59,878 --> 06:23:01,980 messaging world but 7241 06:23:01,980 --> 06:23:04,320 um you know the the last category of 7242 06:23:04,320 --> 06:23:05,580 vulnerability we haven't gone into yet 7243 06:23:05,580 --> 06:23:08,638 which is uh exploit systems that have 7244 06:23:08,638 --> 06:23:11,700 good math implemented correctly but uh 7245 06:23:11,700 --> 06:23:13,798 are insecure because of the way that 7246 06:23:13,798 --> 06:23:15,780 things are assembled into a protocol so 7247 06:23:15,780 --> 06:23:18,540 signal was proven secure but that can't 7248 06:23:18,540 --> 06:23:22,080 be said for other attempts so you know 7249 06:23:22,080 --> 06:23:24,240 WhatsApp and Facebook Messenger made the 7250 06:23:24,240 --> 06:23:26,638 effort to implement signal but those 7251 06:23:26,638 --> 06:23:28,740 that couldn't or wouldn't you know pay 7252 06:23:28,740 --> 06:23:31,138 the Moxie tax or whatever have uh tried 7253 06:23:31,138 --> 06:23:32,820 to roll their own and this hasn't always 7254 06:23:32,820 --> 06:23:37,020 gone well uh just like in Magic good 7255 06:23:37,020 --> 06:23:40,620 choreography is uh is is hard to do good 7256 06:23:40,620 --> 06:23:42,900 Protocols are hard to invent so there's 7257 06:23:42,900 --> 06:23:45,600 three examples here one iMessage 
which 7258 06:23:45,600 --> 06:23:46,980 this was actually presented here at 7259 06:23:46,980 --> 06:23:49,680 Summercon in 2016 by Matthew Green so 7260 06:23:49,680 --> 06:23:51,540 Summercon 7261 06:23:51,540 --> 06:23:54,840 um and uh and you know matrix.org which 7262 06:23:54,840 --> 06:23:56,820 was just mentioned in the Pwnies uh 7263 06:23:56,820 --> 06:23:58,980 there was a huge issue there Matrix 7264 06:23:58,980 --> 06:24:01,138 which is all about federation uh had 7265 06:24:01,138 --> 06:24:04,020 their own end-to-end secure messaging 7266 06:24:04,020 --> 06:24:06,240 protocol and uh and and now you know 7267 06:24:06,240 --> 06:24:08,940 Elon Musk's Twitter the uh they said 7268 06:24:08,940 --> 06:24:10,440 they just just implemented and deployed 7269 06:24:10,440 --> 06:24:11,700 a new one if you have a blue check you 7270 06:24:11,700 --> 06:24:12,958 can use it 7271 06:24:12,958 --> 06:24:16,260 um but uh while you know the details of 7272 06:24:16,260 --> 06:24:18,000 both the of these attacks first by Green 7273 06:24:18,000 --> 06:24:20,340 and then by Albrecht and then um well 7274 06:24:20,340 --> 06:24:22,440 just by reading the code for the for the 7275 06:24:22,440 --> 06:24:23,520 Twitter one 7276 06:24:23,520 --> 06:24:25,680 um and the documentation honestly um 7277 06:24:25,680 --> 06:24:27,840 while the details differ they were all 7278 06:24:27,840 --> 06:24:30,420 major issues that allowed impersonation 7279 06:24:30,420 --> 06:24:32,820 of some sort uh and none of these 7280 06:24:32,820 --> 06:24:35,878 protocols had a formal list of security 7281 06:24:35,878 --> 06:24:37,920 requirements and formal proofs of 7282 06:24:37,920 --> 06:24:39,600 security and gone through the whole 7283 06:24:39,600 --> 06:24:42,058 industry and all these sort of things so 7284 06:24:42,058 --> 06:24:44,218 um you know in Twitter's case they even 7285 06:24:44,218 --> 06:24:46,620 if you read the documentation this is a 7286 06:24:46,620 -->
06:24:48,840 quote from it currently we do not offer 7287 06:24:48,840 --> 06:24:50,458 protections against men in the middle 7288 06:24:50,458 --> 06:24:53,160 attacks okay so 7289 06:24:53,160 --> 06:24:54,020 um 7290 06:24:54,020 --> 06:24:57,420 in in this case the party controlling 7291 06:24:57,420 --> 06:24:59,700 the distribution of of authentication 7292 06:24:59,700 --> 06:25:01,320 Keys is Twitter itself and they can 7293 06:25:01,320 --> 06:25:03,058 silently inject their own keys and this 7294 06:25:03,058 --> 06:25:05,218 is this is a very um common thing to 7295 06:25:05,218 --> 06:25:06,958 happen I know we're 7296 06:25:06,958 --> 06:25:10,740 we're a little bit over but but um 7297 06:25:10,740 --> 06:25:12,298 this 7298 06:25:12,298 --> 06:25:15,138 is also demonstratable by magic 7299 06:25:15,138 --> 06:25:18,360 Doug magic uh I need someone to pick a 7300 06:25:18,360 --> 06:25:19,980 card 7301 06:25:19,980 --> 06:25:22,218 foreign 7302 06:26:34,218 --> 06:26:37,138 here's how it works 7303 06:26:37,138 --> 06:26:39,600 this is your signature that's not what I 7304 06:26:39,600 --> 06:26:40,798 showed you guys 7305 06:26:40,798 --> 06:26:43,340 okay 7306 06:26:46,500 --> 06:26:49,798 I am the man in the middle here so 7307 06:26:49,798 --> 06:26:51,900 I have two cards that have the same 7308 06:26:51,900 --> 06:26:53,580 signature 7309 06:26:53,580 --> 06:26:56,780 one goes to Nick's Park 7310 06:27:02,040 --> 06:27:03,958 I forced him a card I make him pick it 7311 06:27:03,958 --> 06:27:05,580 whole different discussion he picks a 7312 06:27:05,580 --> 06:27:07,798 six of Hearts I show it to everyone he 7313 06:27:07,798 --> 06:27:10,740 signs it okay 7314 06:27:10,740 --> 06:27:12,298 here's where choreography comes in I 7315 06:27:12,298 --> 06:27:13,500 make sure he's all the way over here so 7316 06:27:13,500 --> 06:27:15,000 I can show all of you a different card 7317 06:27:15,000 --> 06:27:18,620 and not everyone here okay 7318 
06:27:20,638 --> 06:27:22,798 for the duplicate card over here and I 7319 06:27:22,798 --> 06:27:24,000 show everyone in this side of the room 7320 06:27:24,000 --> 06:27:25,680 this duplicate signature so you think 7321 06:27:25,680 --> 06:27:27,600 this is signed card 7322 06:27:27,600 --> 06:27:29,878 goes back in the deck 7323 06:27:29,878 --> 06:27:33,080 into Nick's pocket 7324 06:27:34,260 --> 06:27:37,760 careful not to show him the card 7325 06:27:41,580 --> 06:27:43,920 he switches it when he shows it to him 7326 06:27:43,920 --> 06:27:47,340 mitm monster man in the middle machine 7327 06:27:47,340 --> 06:27:49,378 in the middle 7328 06:27:49,378 --> 06:27:53,340 yeah whole different discussion 7329 06:27:53,340 --> 06:27:54,900 all right 7330 06:27:54,900 --> 06:27:58,440 so yeah group messaging is hard 7331 06:27:58,440 --> 06:28:02,218 and uh and so this is the last slide 7332 06:28:02,218 --> 06:28:03,600 here so like what what is the solution 7333 06:28:03,600 --> 06:28:04,980 for the industry 7334 06:28:04,980 --> 06:28:07,798 um well five years ago several Engineers 7335 06:28:07,798 --> 06:28:10,378 from Cisco Mozilla Facebook and Academia 7336 06:28:10,378 --> 06:28:13,200 decided to take a collaborative approach 7337 06:28:13,200 --> 06:28:16,558 and develop a new protocol that scales 7338 06:28:16,558 --> 06:28:19,980 to larger groups uh this effort LED uh 7339 06:28:19,980 --> 06:28:22,200 it leaned in on The View that strength 7340 06:28:22,200 --> 06:28:24,058 comes from diversity so it took lessons 7341 06:28:24,058 --> 06:28:26,040 from the development of things like TLS 7342 06:28:26,040 --> 06:28:29,520 1.3 and it's called MLS and 7343 06:28:29,520 --> 06:28:32,638 um well it wasn't announced today but it 7344 06:28:32,638 --> 06:28:34,260 will be announced soon that the timing 7345 06:28:34,260 --> 06:28:36,180 didn't line up perfectly 7346 06:28:36,180 --> 06:28:39,180 um but uh take a look this is an RFC 7347 06:28:39,180 --> 
06:28:41,420 it's got some institutional credibility 7348 06:28:41,420 --> 06:28:44,400 ads formal proofs designed for use in 7349 06:28:44,400 --> 06:28:46,740 federated systems it kind of fills in 7350 06:28:46,740 --> 06:28:48,840 some of the gaps that um were missing 7351 06:28:48,840 --> 06:28:51,420 from Signal for something that can be 7352 06:28:51,420 --> 06:28:53,160 used across all sorts of platforms it's 7353 06:28:53,160 --> 06:28:57,080 also deployed in in Cisco WebEx so 7354 06:28:57,080 --> 06:28:59,878 this is intended to be the end-to-end 7355 06:28:59,878 --> 06:29:03,298 encrypted messaging protocol and uh and 7356 06:29:03,298 --> 06:29:06,120 and and and and it's coming out soon so 7357 06:29:06,120 --> 06:29:08,878 uh with that uh that's just a part of 7358 06:29:08,878 --> 06:29:10,740 what happened in the magical world of 7359 06:29:10,740 --> 06:29:12,120 cryptography this year thanks for 7360 06:29:12,120 --> 06:29:12,910 listening 7361 06:29:12,910 --> 06:29:22,860 [Applause] 7362 06:29:22,860 --> 06:29:27,360 all right uh we are in the home stretch 7363 06:29:27,360 --> 06:29:30,240 we have 7364 06:29:30,240 --> 06:29:33,780 very little time to get through the last 7365 06:29:33,780 --> 06:29:36,798 two speakers 7366 06:29:38,940 --> 06:29:43,740 I can't see God damn it okay there we go 7367 06:29:43,740 --> 06:29:46,320 do 7368 06:29:46,320 --> 06:29:49,218 you work 7369 06:29:55,340 --> 06:29:57,058 uh 7370 06:29:57,058 --> 06:30:00,420 uh there we go great thank you okay 7371 06:30:00,420 --> 06:30:03,600 um our next speaker has a lightning 7372 06:30:03,600 --> 06:30:06,600 presentation 7373 06:30:06,780 --> 06:30:09,298 are you ready to challenge your digital 7374 06:30:09,298 --> 06:30:11,340 forensics knowledge our next presenter 7375 06:30:11,340 --> 06:30:13,920 Emily Wiki is a prominent member of the 7376 06:30:13,920 --> 06:30:16,620 NYC digital forensics community 7377 06:30:16,620 --> 06:30:19,378 and as an expert working in
a famous 7378 06:30:19,378 --> 06:30:21,360 financial institution 7379 06:30:21,360 --> 06:30:23,458 whose name is not on the screen right 7380 06:30:23,458 --> 06:30:25,558 now I assure you 7381 06:30:25,558 --> 06:30:27,420 Emily knows the ins and outs of the 7382 06:30:27,420 --> 06:30:30,058 field in her spare time she's been a 7383 06:30:30,058 --> 06:30:32,400 valuable contributor to Summercon today 7384 06:30:32,400 --> 06:30:34,020 in addition to those contributions 7385 06:30:34,020 --> 06:30:36,240 Emily's going to set the record straight 7386 06:30:36,240 --> 06:30:37,920 on a few things unraveling the 7387 06:30:37,920 --> 06:30:40,620 misconceptions and outdated practices in 7388 06:30:40,620 --> 06:30:43,680 digital forensics get ready to have your 7389 06:30:43,680 --> 06:30:46,878 perspectives adjusted and your 7390 06:30:46,878 --> 06:30:48,620 understanding 7391 06:30:48,620 --> 06:30:51,718 challenged as Emily Wiki takes the stage 7392 06:30:51,718 --> 06:30:53,780 welcome Emily 7393 06:30:53,780 --> 06:31:00,120 [Applause] 7394 06:31:00,120 --> 06:31:03,718 all right hey guys thanks Mark uh like 7395 06:31:03,718 --> 06:31:06,420 Mark said I'm Emily Wiki I'm the global 7396 06:31:06,420 --> 06:31:08,780 digital forensic lead at Morgan Stanley 7397 06:31:08,780 --> 06:31:12,180 and today I want to use this time to 7398 06:31:12,180 --> 06:31:14,160 have like a large scale heart to heart 7399 06:31:14,160 --> 06:31:16,740 with all of you about digital forensics 7400 06:31:16,740 --> 06:31:21,120 role in the cyber security space and 7401 06:31:21,120 --> 06:31:23,400 also cover a few things that your 7402 06:31:23,400 --> 06:31:25,020 neighborhood forensicator wishes you 7403 06:31:25,020 --> 06:31:28,440 knew as non-forensics people 7404 06:31:28,440 --> 06:31:30,660 all right so a lot of you have actually 7405 06:31:30,660 --> 06:31:33,000 heard had this conversation with me but 7406 06:31:33,000 --> 06:31:34,980 we're gonna do it on a bigger
scale when 7407 06:31:34,980 --> 06:31:37,440 I say hi I'm Emily and I do digital 7408 06:31:37,440 --> 06:31:39,540 forensics what do you what comes to mind 7409 06:31:39,540 --> 06:31:41,820 when you hear the digital forensics part 7410 06:31:41,820 --> 06:31:44,400 just start shouting things out it can be 7411 06:31:44,400 --> 06:31:45,900 mean and 7412 06:31:45,900 --> 06:31:49,638 yeah the FBI okay what else 7413 06:31:50,700 --> 06:31:52,080 what 7414 06:31:52,080 --> 06:31:54,180 logs 7415 06:31:54,180 --> 06:31:56,040 what else 7416 06:31:56,040 --> 06:31:59,298 incident response 7417 06:32:00,000 --> 06:32:02,400 browser history 7418 06:32:02,400 --> 06:32:04,440 nice 7419 06:32:04,440 --> 06:32:06,739 nice 7420 06:32:10,200 --> 06:32:12,860 great 7421 06:32:13,798 --> 06:32:17,340 all right so you yelled out most of them 7422 06:32:17,340 --> 06:32:19,260 um and here are some that I often get 7423 06:32:19,260 --> 06:32:21,298 and I crowdsource some of my team for 7424 06:32:21,298 --> 06:32:25,020 these too but forensics uh you just sit 7425 06:32:25,020 --> 06:32:27,900 in DD all day or you're working out uh 7426 06:32:27,900 --> 06:32:30,360 waiting for a disk to decrypt so that 7427 06:32:30,360 --> 06:32:32,820 you can sit in DD all day it takes 7428 06:32:32,820 --> 06:32:35,340 forever you just start looking at awful 7429 06:32:35,340 --> 06:32:36,958 things all day if you work for someone 7430 06:32:36,958 --> 06:32:39,058 like the FBI 7431 06:32:39,058 --> 06:32:42,480 um oh I used The Sleuth Kit once but it 7432 06:32:42,480 --> 06:32:44,580 was in college like 15 years ago that's 7433 06:32:44,580 --> 06:32:46,980 forensics right it is we love The Sleuth 7434 06:32:46,980 --> 06:32:48,480 Kit but 7435 06:32:48,480 --> 06:32:51,000 um oh pcaps you have pcaps for 7436 06:32:51,000 --> 06:32:52,558 everything right it must make your job 7437 06:32:52,558 --> 06:32:54,298 so easy 7438 06:32:54,298 --> 06:32:55,980 so these are all the things
that you 7439 06:32:55,980 --> 06:32:57,900 kind of smile and say excuse me I need 7440 06:32:57,900 --> 06:32:59,280 to either go to the bathroom and get 7441 06:32:59,280 --> 06:33:00,600 another drink whichever one works in 7442 06:33:00,600 --> 06:33:02,520 that conversation 7443 06:33:02,520 --> 06:33:06,120 um so ideally uh in this few minutes the 7444 06:33:06,120 --> 06:33:07,798 lightning talk on Lightning friends like 7445 06:33:07,798 --> 06:33:10,200 well I'll sort some of that out 7446 06:33:10,200 --> 06:33:14,400 15 30 50 years ago you're right it was 7447 06:33:14,400 --> 06:33:16,860 slow all you did is image all the 7448 06:33:16,860 --> 06:33:18,120 computers you needed to do different 7449 06:33:18,120 --> 06:33:20,520 forensics there's the only way we didn't 7450 06:33:20,520 --> 06:33:22,680 have targeted collections we didn't have 7451 06:33:22,680 --> 06:33:25,260 tools to enable targeted collections so 7452 06:33:25,260 --> 06:33:26,638 you kind of had to grab everything 7453 06:33:26,638 --> 06:33:29,580 because there's the only way uh to 7454 06:33:29,580 --> 06:33:31,020 ensure that you had everything you 7455 06:33:31,020 --> 06:33:33,240 needed 7456 06:33:33,240 --> 06:33:35,280 and it's kind of great because you just 7457 06:33:35,280 --> 06:33:37,020 click one button and you have everything 7458 06:33:37,020 --> 06:33:38,878 you need if only it really worked that 7459 06:33:38,878 --> 06:33:41,058 way 7460 06:33:41,218 --> 06:33:43,680 but of course the cons in this that are 7461 06:33:43,680 --> 06:33:45,600 what are mostly coming to mind when we 7462 06:33:45,600 --> 06:33:47,520 lament about how slow and sluggish 7463 06:33:47,520 --> 06:33:50,040 digital forensics is is that it's really 7464 06:33:50,040 --> 06:33:52,980 time consuming it doesn't scale even if 7465 06:33:52,980 --> 06:33:54,780 let's say you're working on a one and a 7466 06:33:54,780 --> 06:33:57,420 half terabyte drive which is unrealistic 7467 06:33:57,420 --> 
06:34:00,540 for storage sizes these days 7468 06:34:00,540 --> 06:34:02,160 um and things are working at optimum 7469 06:34:02,160 --> 06:34:04,378 speeds right and optimum configurations 7470 06:34:04,378 --> 06:34:06,540 which is never what happens in reality 7471 06:34:06,540 --> 06:34:08,458 only in textbooks and file system 7472 06:34:08,458 --> 06:34:10,440 forensic books 7473 06:34:10,440 --> 06:34:13,378 um imaging that drive alone will take at 7474 06:34:13,378 --> 06:34:15,360 least four hours right if all of your 7475 06:34:15,360 --> 06:34:17,520 conditions are perfect and beautiful and 7476 06:34:17,520 --> 06:34:19,200 that gives us a bad rap right because 7477 06:34:19,200 --> 06:34:21,360 that doesn't scale 7478 06:34:21,360 --> 06:34:24,000 um there's no definitive retention of 7479 06:34:24,000 --> 06:34:25,740 the artifacts you could go through that 7480 06:34:25,740 --> 06:34:27,840 process of imaging all of those drives 7481 06:34:27,840 --> 06:34:29,458 and you still don't even have everything 7482 06:34:29,458 --> 06:34:31,080 you need it's not there anymore it's 7483 06:34:31,080 --> 06:34:33,420 overwritten you have these huge chunks 7484 06:34:33,420 --> 06:34:35,878 of data to copy back and forth over 7485 06:34:35,878 --> 06:34:38,820 places process blah blah blah you're 7486 06:34:38,820 --> 06:34:40,440 right forensics is old it's things it's 7487 06:34:40,440 --> 06:34:42,298 time consuming it's just what you do for 7488 06:34:42,298 --> 06:34:44,660 cleanup 7489 06:34:44,700 --> 06:34:47,820 but then finally our trusty in-house 7490 06:34:47,820 --> 06:34:50,100 security engineers 7491 06:34:50,100 --> 06:34:51,718 um started to have these really great 7492 06:34:51,718 --> 06:34:54,360 ideas to make their lives easier log 7493 06:34:54,360 --> 06:34:56,820 repositories who here uses something 7494 06:34:56,820 --> 06:34:59,600 like Splunk 7495 06:35:00,260 --> 06:35:03,540 is great we can put our logs in a 7496 06:35:03,540 -->
06:35:06,660 repository and analyze them there what 7497 06:35:06,660 --> 06:35:09,660 that's so cool they're at our fingertips 7498 06:35:09,660 --> 06:35:11,820 um but at the same time they're still 7499 06:35:11,820 --> 06:35:13,680 segregated by different repositories 7500 06:35:13,680 --> 06:35:17,280 organized which means more processing 7501 06:35:17,280 --> 06:35:20,400 time uh independent searches so instead 7502 06:35:20,400 --> 06:35:22,440 of getting a nice pretty disk image at 7503 06:35:22,440 --> 06:35:24,120 the end of our four hours we have now 7504 06:35:24,120 --> 06:35:27,180 all these disparate data sources so it's 7505 06:35:27,180 --> 06:35:31,080 great but like is it really that great 7506 06:35:31,080 --> 06:35:32,820 um 7507 06:35:32,820 --> 06:35:34,558 oh and you're in control of your 7508 06:35:34,558 --> 06:35:36,840 retention so you kind of know exactly 7509 06:35:36,840 --> 06:35:39,000 when you're going to search your data uh 7510 06:35:39,000 --> 06:35:40,680 what data you're going to get back so 7511 06:35:40,680 --> 06:35:42,298 this is an improvement it makes things a 7512 06:35:42,298 --> 06:35:43,860 little bit faster we're not sitting 7513 06:35:43,860 --> 06:35:46,020 around twiddling our thumbs or banging 7514 06:35:46,020 --> 06:35:47,580 our heads on the keyboard while we're 7515 06:35:47,580 --> 06:35:50,400 waiting for TV to finish or realize that 7516 06:35:50,400 --> 06:35:52,440 we just corrupted all our data or erased 7517 06:35:52,440 --> 06:35:54,240 it instead 7518 06:35:54,240 --> 06:35:56,160 um we have our centrally accessible 7519 06:35:56,160 --> 06:35:59,160 on-demand logs 7520 06:35:59,160 --> 06:36:01,920 and as I already alluded to there are 7521 06:36:01,920 --> 06:36:04,020 cons to that too it's really great to 7522 06:36:04,020 --> 06:36:06,540 have all of your organized logs at your 7523 06:36:06,540 --> 06:36:08,458 fingertips in and out analytics platform 7524 06:36:08,458 --> 06:36:11,040 but at
the same time uh there is 7525 06:36:11,040 --> 06:36:14,160 post-processing involved in segregation 7526 06:36:14,160 --> 06:36:15,718 um and logs don't give you the whole 7527 06:36:15,718 --> 06:36:17,878 picture I am I guess a little 7528 06:36:17,878 --> 06:36:19,558 old-fashioned despite the theme of this 7529 06:36:19,558 --> 06:36:22,260 talk and I love having all of the data I 7530 06:36:22,260 --> 06:36:24,120 could possibly need 7531 06:36:24,120 --> 06:36:26,700 um and nothing really beats having access 7532 06:36:26,700 --> 06:36:29,340 to an endpoint in addition to logs about 7533 06:36:29,340 --> 06:36:32,000 the endpoint 7534 06:36:32,100 --> 06:36:34,740 so the new way we're all moving to the 7535 06:36:34,740 --> 06:36:37,320 cloud and we all think we're not we all 7536 06:36:37,320 --> 06:36:39,058 necessarily in this room but all of 7537 06:36:39,058 --> 06:36:41,100 those people above us think this is the 7538 06:36:41,100 --> 06:36:42,718 coolest thing in the world and it's 7539 06:36:42,718 --> 06:36:44,160 going to make our lives so much easier 7540 06:36:44,160 --> 06:36:48,120 and so much more efficient but alas 7541 06:36:48,120 --> 06:36:49,860 um well no we're not gonna go to the 7542 06:36:49,860 --> 06:36:51,840 alas part yet it does make our lives 7543 06:36:51,840 --> 06:36:53,760 better and more efficient we have dozens 7544 06:36:53,760 --> 06:36:56,040 and dozens of log types available for 7545 06:36:56,040 --> 06:36:58,920 our fingertips so instead of using like 7546 06:36:58,920 --> 06:37:00,840 application level logs and system level 7547 06:37:00,840 --> 06:37:03,180 logs for forensics we actually have 7548 06:37:03,180 --> 06:37:05,878 utilities that people have designed uh 7549 06:37:05,878 --> 06:37:09,058 to log user activity and things that we 7550 06:37:09,058 --> 06:37:12,180 care about doing forensics on not just 7551 06:37:12,180 --> 06:37:13,580 making best 7552 06:37:13,580 --> 06:37:17,160 with something that's
not intended to be 7553 06:37:17,160 --> 06:37:19,200 used for the purpose of figuring out 7554 06:37:19,200 --> 06:37:22,200 what a user has done on an endpoint 7555 06:37:22,200 --> 06:37:24,420 uh so for example if we're talking about 7556 06:37:24,420 --> 06:37:26,580 Azure now you have this fancy Microsoft 7557 06:37:26,580 --> 06:37:29,160 portal that you can log into see all the 7558 06:37:29,160 --> 06:37:31,200 fancy native Microsoft logs that tell 7559 06:37:31,200 --> 06:37:33,120 you exactly what the person did with the 7560 06:37:33,120 --> 06:37:34,980 Microsoft products 7561 06:37:34,980 --> 06:37:36,600 um and there's documentation about it 7562 06:37:36,600 --> 06:37:38,580 and there are definitions like what is 7563 06:37:38,580 --> 06:37:40,138 this this is no more 7564 06:37:40,138 --> 06:37:43,100 what's that sorry 7565 06:37:44,180 --> 06:37:49,200 that is a perfect segue thank you into 7566 06:37:49,200 --> 06:37:52,020 some of the cons 7567 06:37:52,020 --> 06:37:53,878 um so 7568 06:37:53,878 --> 06:37:56,280 um some of the cons there yes of course 7569 06:37:56,280 --> 06:37:57,840 with having these portals and these 7570 06:37:57,840 --> 06:37:59,760 access to these native logs with great 7571 06:37:59,760 --> 06:38:01,558 documentation 7572 06:38:01,558 --> 06:38:03,240 um is that if you're a DFIR 7573 06:38:03,240 --> 06:38:06,958 consultant uh you don't have access to 7574 06:38:06,958 --> 06:38:09,320 these pretty portals on some on your 7575 06:38:09,320 --> 06:38:12,718 client's network with all the permissions 7576 06:38:12,718 --> 06:38:14,160 you could possibly want to leverage 7577 06:38:14,160 --> 06:38:16,260 these things so you're kind of at a 7578 06:38:16,260 --> 06:38:18,780 deficit there and if you're on a budget 7579 06:38:18,780 --> 06:38:22,620 you also don't necessarily uh have that 7580 06:38:22,620 --> 06:38:26,280 portal that level licensing 7581 06:38:26,280 --> 06:38:28,020 um so you're kind of at a
deficit 7582 06:38:28,020 --> 06:38:29,400 there 7583 06:38:29,400 --> 06:38:31,440 um so if you don't have in-house DFIR 7584 06:38:31,440 --> 06:38:33,958 and you're or you are a DFIR 7585 06:38:33,958 --> 06:38:35,940 consultant here's where we're getting to 7586 06:38:35,940 --> 06:38:37,680 the real crux of what modern digital 7587 06:38:37,680 --> 06:38:40,378 forensics should be is having a digital 7588 06:38:40,378 --> 06:38:42,900 forensics team in-house it's not 7589 06:38:42,900 --> 06:38:44,760 practical for everyone it's not scalable 7590 06:38:44,760 --> 06:38:47,580 for everyone but it makes a huge 7591 06:38:47,580 --> 06:38:48,958 difference in your overall security 7592 06:38:48,958 --> 06:38:51,240 posture so doing the front doing 7593 06:38:51,240 --> 06:38:53,340 forensics the right way is doing it 7594 06:38:53,340 --> 06:38:54,900 in-house 7595 06:38:54,900 --> 06:38:57,360 um this is because it enables you to 7596 06:38:57,360 --> 06:39:01,138 create a feedback loop of the intel from 7597 06:39:01,138 --> 06:39:03,900 your investigations uh logs you need 7598 06:39:03,900 --> 06:39:06,000 resources you need stumbling points you 7599 06:39:06,000 --> 06:39:06,840 have 7600 06:39:06,840 --> 06:39:09,480 feeds back into your organization and 7601 06:39:09,480 --> 06:39:11,940 improves your overall security posture 7602 06:39:11,940 --> 06:39:15,180 to by providing that feedback 7603 06:39:15,180 --> 06:39:18,740 and input into the overall design 7604 06:39:18,740 --> 06:39:21,360 and accessibility of your logs what 7605 06:39:21,360 --> 06:39:24,718 you're logging even your personnel right 7606 06:39:24,718 --> 06:39:26,700 so I specifically focus on insider 7607 06:39:26,700 --> 06:39:29,280 threat investigations so as an insider 7608 06:39:29,280 --> 06:39:31,138 I'm very well positioned to understand 7609 06:39:31,138 --> 06:39:33,900 maybe why someone circumvented a control 7610 06:39:33,900 --> 06:39:37,040 and now I can prove it fix
the control 7611 06:39:37,040 --> 06:39:39,480 uh give them maybe the support they need 7612 06:39:39,480 --> 06:39:42,120 to do something in a safer way 7613 06:39:42,120 --> 06:39:45,420 um and in overall make the company more 7614 06:39:45,420 --> 06:39:48,260 secure every day 7615 06:39:49,100 --> 06:39:52,020 so the aging way and the new way really 7616 06:39:52,020 --> 06:39:54,420 are the way forward right no it's not 7617 06:39:54,420 --> 06:39:56,580 practical necessarily to have the best 7618 06:39:56,580 --> 06:39:58,378 licenses that give you all of the access 7619 06:39:58,378 --> 06:40:00,718 to all of the logs 7620 06:40:00,718 --> 06:40:02,760 um but having that one centralized 7621 06:40:02,760 --> 06:40:06,120 location of logs that are actually uh 7622 06:40:06,120 --> 06:40:08,160 created for the point of investigating 7623 06:40:08,160 --> 06:40:11,520 and for security not just for just 7624 06:40:11,520 --> 06:40:13,558 admins 50 years ago to try to put 7625 06:40:13,558 --> 06:40:15,840 together a puzzle really having forensic 7626 06:40:15,840 --> 06:40:17,760 artifacts that are meant to do forensics 7627 06:40:17,760 --> 06:40:19,620 and support them 7628 06:40:19,620 --> 06:40:21,780 um means that we really drive more 7629 06:40:21,780 --> 06:40:23,400 intelligence from our investigations 7630 06:40:23,400 --> 06:40:26,760 forensics can be done a lot faster and 7631 06:40:26,760 --> 06:40:28,260 if you're feeding it back into your 7632 06:40:28,260 --> 06:40:30,540 organization your investigations come 7633 06:40:30,540 --> 06:40:32,520 out a lot smoother quicker and everybody 7634 06:40:32,520 --> 06:40:34,740 gets along 7635 06:40:34,740 --> 06:40:36,958 all right 7636 06:40:36,958 --> 06:40:39,840 so that's pretty much why uh you should 7637 06:40:39,840 --> 06:40:42,120 be doing forensics in-house and really 7638 06:40:42,120 --> 06:40:45,600 quickly and just for fun because uh this 7639 06:40:45,600 --> 06:40:47,400 is Summercon and I
don't believe most 7640 06:40:47,400 --> 06:40:50,218 of you do digital forensics here are the 7641 06:40:50,218 --> 06:40:52,260 top five things that your neighborhood 7642 06:40:52,260 --> 06:40:53,878 forensicator wishes you would think 7643 06:40:53,878 --> 06:40:56,218 about when you're either designing 7644 06:40:56,218 --> 06:40:58,620 something or implementing it 7645 06:40:58,620 --> 06:40:59,218 um 7646 06:40:59,218 --> 06:41:02,540 and great 7647 06:41:02,940 --> 06:41:05,899 thanks very much 7648 06:41:10,160 --> 06:41:14,218 [Applause] 7649 06:41:14,218 --> 06:41:16,440 all right we're very close to being on 7650 06:41:16,440 --> 06:41:20,878 schedule which uh is weird uh but in an 7651 06:41:20,878 --> 06:41:23,280 effort to ruin that 7652 06:41:23,280 --> 06:41:25,860 um I have a 7653 06:41:25,860 --> 06:41:28,020 um a small 7654 06:41:28,020 --> 06:41:30,718 thing I would like to do before our next 7655 06:41:30,718 --> 06:41:33,840 presentation if you all don't mind and 7656 06:41:33,840 --> 06:41:36,000 you can indulge me for a moment 7657 06:41:36,000 --> 06:41:37,138 um 7658 06:41:37,138 --> 06:41:40,320 I was wondering if I could get Chris 7659 06:41:40,320 --> 06:41:42,360 Valasek 7660 06:41:42,360 --> 06:41:45,120 and Mudge to come up on stage for a 7661 06:41:45,120 --> 06:41:47,100 minute are you guys around are you guys 7662 06:41:47,100 --> 06:41:49,620 somewhere 7663 06:41:49,620 --> 06:41:50,740 yeah uh 7664 06:41:50,740 --> 06:41:52,920 [Applause] 7665 06:41:52,920 --> 06:41:55,558 okay you look you look exactly like I 7666 06:41:55,558 --> 06:41:57,480 remember you that's for sure 7667 06:41:57,480 --> 06:41:59,340 uh back when we used to do this thing 7668 06:41:59,340 --> 06:42:03,360 together a lot Chris is the yeah it's 7669 06:42:03,360 --> 06:42:05,520 true he is very nervous on stage Chris 7670 06:42:05,520 --> 06:42:06,620 Chris 7671 06:42:06,620 --> 06:42:10,440 is the chairman emeritus of uh the 7672 06:42:10,440 -->
06:42:13,378 Summercon Foundation uh we're proud of 7673 06:42:13,378 --> 06:42:15,780 uh all the work that he did to get 7674 06:42:15,780 --> 06:42:18,360 Summercon into a position where it 7675 06:42:18,360 --> 06:42:21,360 could be the event before you now uh and 7676 06:42:21,360 --> 06:42:23,218 into a position of being a charitable 7677 06:42:23,218 --> 06:42:26,820 foundation even where we can do things 7678 06:42:26,820 --> 06:42:30,240 that the IRS allows us to do 7679 06:42:30,240 --> 06:42:32,458 um oh there you are 7680 06:42:32,458 --> 06:42:35,160 I see you 7681 06:42:35,160 --> 06:42:37,920 um he's coming he's coming yeah yeah 7682 06:42:37,920 --> 06:42:42,260 he's going to come through this way yeah 7683 06:42:42,298 --> 06:42:45,900 Mudge doesn't require a lot of uh 7684 06:42:45,900 --> 06:42:47,700 introduction although I will do that 7685 06:42:47,700 --> 06:42:50,340 because his presentation is next 7686 06:42:50,340 --> 06:42:53,040 but one of the things that we have 7687 06:42:53,040 --> 06:42:54,840 wanted to do for a long time here at 7688 06:42:54,840 --> 06:42:57,900 Summercon is to develop something that 7689 06:42:57,900 --> 06:43:02,160 we call the Summercon Hall of Fame 7690 06:43:02,160 --> 06:43:04,260 and our two 7691 06:43:04,260 --> 06:43:06,540 the first two inductees into the Summercon 7692 06:43:06,540 --> 06:43:10,920 Hall of Fame are Chris Valasek 7693 06:43:10,920 --> 06:43:13,740 foreign 7694 06:43:13,740 --> 06:43:15,840 Mudge 7695 06:43:15,840 --> 06:43:19,378 so with that if we can please make the 7696 06:43:19,378 --> 06:43:21,920 presentation 7697 06:43:23,360 --> 06:43:26,300 of of the official 7698 06:43:26,300 --> 06:43:28,138 [Music] 7699 06:43:28,138 --> 06:43:31,080 Summercon jacket 7700 06:43:31,080 --> 06:43:33,298 the blazer 7701 06:43:33,298 --> 06:43:36,980 congratulations to you both 7702 06:43:37,340 --> 06:43:40,020 please wear them with pride we expect to 7703 06:43:40,020 --> 06:43:42,718 see
you here every year with them 7704 06:43:42,718 --> 06:43:43,798 hey 7705 06:43:43,798 --> 06:43:46,080 you are the first class and you were 7706 06:43:46,080 --> 06:43:48,298 always first class in my book so you 7707 06:43:48,298 --> 06:43:50,878 know that makes sense all right thank 7708 06:43:50,878 --> 06:43:53,040 you both beautiful again a round of 7709 06:43:53,040 --> 06:43:55,700 applause again 7710 06:43:55,740 --> 06:43:59,340 okay now 7711 06:43:59,700 --> 06:44:02,280 it is 7712 06:44:02,280 --> 06:44:05,160 um as you can imagine an honor to 7713 06:44:05,160 --> 06:44:08,218 introduce our next speaker who is trying 7714 06:44:08,218 --> 06:44:10,620 to work out one last tiny logistical 7715 06:44:10,620 --> 06:44:14,520 wrinkle for his presentation uh maybe 7716 06:44:14,520 --> 06:44:17,600 you are aware of his background in music 7717 06:44:17,600 --> 06:44:21,360 and his reputation as a skilled guitar 7718 06:44:21,360 --> 06:44:23,280 player 7719 06:44:23,280 --> 06:44:26,340 uh but I I strongly suspect you know him 7720 06:44:26,340 --> 06:44:28,440 for other exploits 7721 06:44:28,440 --> 06:44:30,058 um as one of the pioneers of the 7722 06:44:30,058 --> 06:44:31,980 security Community he has made 7723 06:44:31,980 --> 06:44:33,780 significant contributions to 7724 06:44:33,780 --> 06:44:35,820 vulnerability research the full 7725 06:44:35,820 --> 06:44:38,400 disclosure movement and he's been 7726 06:44:38,400 --> 06:44:40,378 building bridges between hackers 7727 06:44:40,378 --> 06:44:42,660 government and Industry 7728 06:44:42,660 --> 06:44:45,780 today Mudge is here to share his hot 7729 06:44:45,780 --> 06:44:48,420 takes on so-called 7730 06:44:48,420 --> 06:44:52,260 best practices in security so brace 7731 06:44:52,260 --> 06:44:54,000 yourself for a thought-provoking session 7732 06:44:54,000 --> 06:44:56,160 that will challenge conventional wisdom 7733 06:44:56,160 --> 06:44:59,100 let's give them a warm welcome 7734 06:44:59,100 
--> 06:45:02,160 Mudge will share his unconventional 7735 06:45:02,160 --> 06:45:03,900 thoughts on tried and true security 7736 06:45:03,900 --> 06:45:07,500 beliefs wherever he is give him a give 7737 06:45:07,500 --> 06:45:09,980 him a hand 7738 06:45:10,920 --> 06:45:15,240 [Applause] 7739 06:45:15,240 --> 06:45:17,280 he's uh he's he's trying to work out 7740 06:45:17,280 --> 06:45:19,200 this one logistical wrinkle I think 7741 06:45:19,200 --> 06:45:21,360 Jimbo is gonna like take care of that 7742 06:45:21,360 --> 06:45:22,620 take care of the business though it's 7743 06:45:22,620 --> 06:45:25,260 pretty good the teamwork the dream work 7744 06:45:25,260 --> 06:45:26,700 okay here you go 7745 06:45:26,700 --> 06:45:28,100 thank you 7746 06:45:28,100 --> 06:45:31,558 all right so it does it's it's perfectly 7747 06:45:31,558 --> 06:45:34,378 tailored you guys are amazing 7748 06:45:34,378 --> 06:45:38,520 okay uh I am the talk between you and an 7749 06:45:38,520 --> 06:45:40,920 open bar we are going to try to figure 7750 06:45:40,920 --> 06:45:42,718 out some way of getting a bunch of 7751 06:45:42,718 --> 06:45:45,600 drinks up here that will be comped to 7752 06:45:45,600 --> 06:45:48,138 try and ease that way into the open bar 7753 06:45:48,138 --> 06:45:51,718 uh for you and also to make this talk a 7754 06:45:51,718 --> 06:45:54,540 little less painful 7755 06:45:54,540 --> 06:45:57,780 um and I think you'll understand why I 7756 06:45:57,780 --> 06:46:00,480 say that in just a moment so 7757 06:46:00,480 --> 06:46:03,500 this talk is about data actually 7758 06:46:03,500 --> 06:46:07,080 contradicting and refuting a lot of our 7759 06:46:07,080 --> 06:46:11,820 industry's prize beliefs best practices 7760 06:46:11,820 --> 06:46:13,740 um and you know just what our foundation 7761 06:46:13,740 --> 06:46:15,298 is built on 7762 06:46:15,298 --> 06:46:18,000 I took it from the approach of something 7763 06:46:18,000 --> 06:46:20,280 called the tenth 
person rule the tenth 7764 06:46:20,280 --> 06:46:22,200 man rule and that's something that was 7765 06:46:22,200 --> 06:46:23,700 created for 7766 06:46:23,700 --> 06:46:25,860 intelligence to prevent intelligence 7767 06:46:25,860 --> 06:46:28,080 failures when an organization or a 7768 06:46:28,080 --> 06:46:30,718 country in this case it was Israel 7769 06:46:30,718 --> 06:46:33,120 um was stuck in an incorrect belief 7770 06:46:33,120 --> 06:46:36,240 system based on stale data 7771 06:46:36,240 --> 06:46:39,900 the 10th person rule is simple if nine 7772 06:46:39,900 --> 06:46:42,180 people all say like well yeah that's how 7773 06:46:42,180 --> 06:46:44,040 that works this is how we've always done 7774 06:46:44,040 --> 06:46:46,860 it or this is the assumption the tenth 7775 06:46:46,860 --> 06:46:50,760 person has to take a contrarian point of 7776 06:46:50,760 --> 06:46:53,940 view whether they disagree or not and 7777 06:46:53,940 --> 06:46:57,240 work to refute the beliefs to make sure 7778 06:46:57,240 --> 06:46:59,218 it's not a stale belief system 7779 06:46:59,218 --> 06:47:01,620 so today we're going to do that on a 7780 06:47:01,620 --> 06:47:03,540 bunch of things and the data uh doesn't 7781 06:47:03,540 --> 06:47:05,638 look good for a lot of our industry's 7782 06:47:05,638 --> 06:47:07,200 best practices 7783 06:47:07,200 --> 06:47:10,440 uh I like the adage of it's not what you 7784 06:47:10,440 --> 06:47:12,660 don't know that'll get you 7785 06:47:12,660 --> 06:47:14,580 it's what you know to be true that just 7786 06:47:14,580 --> 06:47:16,320 ain't 7787 06:47:16,320 --> 06:47:18,298 so 7788 06:47:18,298 --> 06:47:20,100 I think earlier today you heard some 7789 06:47:20,100 --> 06:47:24,420 comments on you know CISOs and infosec 7790 06:47:24,420 --> 06:47:26,638 teams asking for some pretty large sums 7791 06:47:26,638 --> 06:47:28,978 of money to the executives and the 7792 06:47:28,978 --> 06:47:30,780 boards and the boards kind of
being well 7793 06:47:30,780 --> 06:47:32,340 I'm not sure that's the right way to 7794 06:47:32,340 --> 06:47:33,780 invest it 7795 06:47:33,780 --> 06:47:36,478 every other part of the company you know 7796 06:47:36,478 --> 06:47:38,218 goes in and says 7797 06:47:38,218 --> 06:47:39,900 we're going to show you what the return 7798 06:47:39,900 --> 06:47:42,058 on the previous quarter or previous 7799 06:47:42,058 --> 06:47:44,580 year's investment was sales is like hey 7800 06:47:44,580 --> 06:47:46,320 with the extra sales people we have a 7801 06:47:46,320 --> 06:47:48,240 bigger pipeline we have we we close this 7802 06:47:48,240 --> 06:47:50,940 many more sales we upsold engineering 7803 06:47:50,940 --> 06:47:52,558 the efficiency of the number of patches 7804 06:47:52,558 --> 06:47:54,180 the number of versions the number of new 7805 06:47:54,180 --> 06:47:57,000 products even HR it's like well what's 7806 06:47:57,000 --> 06:47:58,620 our retention what's our diversity 7807 06:47:58,620 --> 06:48:02,160 numbers how did it improve but you'll 7808 06:48:02,160 --> 06:48:04,920 find that what an executive asks uh you 7809 06:48:04,920 --> 06:48:08,820 know the infosec leader like hey give me 7810 06:48:08,820 --> 06:48:09,718 a number 7811 06:48:09,718 --> 06:48:12,718 how what is our security number this 7812 06:48:12,718 --> 06:48:15,958 month and what was it last month or last 7813 06:48:15,958 --> 06:48:19,138 year so not just oh I think we're 7814 06:48:19,138 --> 06:48:20,520 getting better because we're spending 7815 06:48:20,520 --> 06:48:22,860 money quantify it and if you can't 7816 06:48:22,860 --> 06:48:26,340 quantify that movement quantify the 7817 06:48:26,340 --> 06:48:28,260 Lesser you know the the lower 7818 06:48:28,260 --> 06:48:31,320 probability of these scary things that 7819 06:48:31,320 --> 06:48:34,138 you're telling me about 7820 06:48:34,138 --> 06:48:35,700 so 7821 06:48:35,700 --> 06:48:37,440 the next slide is real quickly 
going to 7822 06:48:37,440 --> 06:48:39,620 hit the high level of like the sort of 7823 06:48:39,620 --> 06:48:42,360 reasoning or excuses as to why cyber 7824 06:48:42,360 --> 06:48:44,400 just can't be measured and can't be 7825 06:48:44,400 --> 06:48:46,440 treated like these other disciplines or 7826 06:48:46,440 --> 06:48:48,600 other parts of the company and then 7827 06:48:48,600 --> 06:48:50,940 we're going to go into the technical 7828 06:48:50,940 --> 06:48:52,040 examples 7829 06:48:52,040 --> 06:48:56,360 and larger data sets 7830 06:48:56,400 --> 06:48:59,280 I guarantee just about everybody in here 7831 06:48:59,280 --> 06:49:01,020 has heard 7832 06:49:01,020 --> 06:49:04,680 at least one of these four if not all of 7833 06:49:04,680 --> 06:49:07,320 them and probably even has said some of 7834 06:49:07,320 --> 06:49:09,718 them I know I have in my past you know 7835 06:49:09,718 --> 06:49:11,160 the first one is well one of the reasons 7836 06:49:11,160 --> 06:49:13,440 why cyber is different is that the 7837 06:49:13,440 --> 06:49:15,058 field's just riddled with unknown 7838 06:49:15,058 --> 06:49:17,458 unknowns you know we can't tell what's 7839 06:49:17,458 --> 06:49:19,200 going to blow up and fundamentally 7840 06:49:19,200 --> 06:49:22,500 change how we view the scariness and it 7841 06:49:22,500 --> 06:49:24,718 could be company ending et cetera et cetera so 7842 06:49:24,718 --> 06:49:27,298 how could you measure for that 7843 06:49:27,298 --> 06:49:31,440 the second one is um hey only in infosec 7844 06:49:31,440 --> 06:49:34,260 does the defender fundamentally start at 7845 06:49:34,260 --> 06:49:36,840 a disadvantage and the adversary unless 7846 06:49:36,840 --> 06:49:38,520 the boogeyman they've got all these 7847 06:49:38,520 --> 06:49:40,920 powers and capabilities and time is on 7848 06:49:40,920 --> 06:49:42,780 their side but we have to figure out how 7849 06:49:42,780 --> 06:49:45,120 to defend against all of them that's a 7850
06:49:45,120 --> 06:49:46,620 little strange because no other field 7851 06:49:46,620 --> 06:49:50,400 has that and the third which I find a 7852 06:49:50,400 --> 06:49:53,280 little interesting throws in this hey 7853 06:49:53,280 --> 06:49:57,000 attribution is an unsolved problem we 7854 06:49:57,000 --> 06:49:58,978 don't know who it is that's actually 7855 06:49:58,978 --> 06:50:00,718 attacking us they could be pretending to 7856 06:50:00,718 --> 06:50:02,760 be another place that wants to attack us 7857 06:50:02,760 --> 06:50:04,798 why they're doing it or what they're 7858 06:50:04,798 --> 06:50:07,798 even after so how do you quantify or 7859 06:50:07,798 --> 06:50:09,360 measure for that 7860 06:50:09,360 --> 06:50:11,940 and all of those lead to the statement 7861 06:50:11,940 --> 06:50:15,600 of cyber is fundamentally different and 7862 06:50:15,600 --> 06:50:17,580 you just can't put a number on it like 7863 06:50:17,580 --> 06:50:21,920 you can all of these other fields 7864 06:50:22,440 --> 06:50:25,440 let's quickly challenge these before we 7865 06:50:25,440 --> 06:50:27,420 move on to some big numbers 7866 06:50:27,420 --> 06:50:29,400 so oh I'm sorry the red is a little 7867 06:50:29,400 --> 06:50:30,958 difficult there 7868 06:50:30,958 --> 06:50:33,840 unknown unknowns 7869 06:50:33,840 --> 06:50:36,660 if the field is littered with them 7870 06:50:36,660 --> 06:50:38,400 why is it 7871 06:50:38,400 --> 06:50:39,840 that 7872 06:50:39,840 --> 06:50:42,958 all of the zero days for the past 10 20 7873 06:50:42,958 --> 06:50:44,160 years 7874 06:50:44,160 --> 06:50:46,740 have been variations on a theme 7875 06:50:46,740 --> 06:50:50,940 they've been known classes they might be 7876 06:50:50,940 --> 06:50:53,820 novel variations and they manifest in 7877 06:50:53,820 --> 06:50:56,820 places where we know they can happen oh 7878 06:50:56,820 --> 06:50:58,798 there's a buffer overflow and a new 7879 06:50:58,798 --> 06:51:01,378 program we're using 
it was a you know 7880 06:51:01,378 --> 06:51:04,320 not a strongly typed language or wow a 7881 06:51:04,320 --> 06:51:06,718 command injection go figure we took in 7882 06:51:06,718 --> 06:51:09,058 information and data yep line them up 7883 06:51:09,058 --> 06:51:10,500 here and people can come up to the stage 7884 06:51:10,500 --> 06:51:13,200 and help themselves I think they can 7885 06:51:13,200 --> 06:51:14,820 open them themselves you're just asking 7886 06:51:14,820 --> 06:51:16,440 for 7887 06:51:16,440 --> 06:51:19,699 give us one moment 7888 06:51:26,040 --> 06:51:28,200 delegate I just I just have to do things 7889 06:51:28,200 --> 06:51:30,298 so I'm delegating all right 7890 06:51:30,298 --> 06:51:31,920 and then there's a lot more wants to 7891 06:51:31,920 --> 06:51:34,378 talk uh ends 7892 06:51:34,378 --> 06:51:35,760 um so 7893 06:51:35,760 --> 06:51:38,878 zero days are actually known unknowns 7894 06:51:38,878 --> 06:51:41,340 and you can you can plan for that you 7895 06:51:41,340 --> 06:51:43,500 can account for that the big giveaway is 7896 06:51:43,500 --> 06:51:45,780 that most of the patches and fixes for 7897 06:51:45,780 --> 06:51:46,920 them 7898 06:51:46,920 --> 06:51:49,680 are known patches and fixes we do the 7899 06:51:49,680 --> 06:51:52,260 same thing to fix them that is not what 7900 06:51:52,260 --> 06:51:54,360 happens with an unknown unknown 7901 06:51:54,360 --> 06:51:57,240 it's okay no unknown unknowns in the 7902 06:51:57,240 --> 06:51:59,040 past 10 20 years and I'd love to have 7903 06:51:59,040 --> 06:52:01,080 conversations if people have examples of 7904 06:52:01,080 --> 06:52:01,860 them 7905 06:52:01,860 --> 06:52:05,280 the defender being at a disadvantage 7906 06:52:05,280 --> 06:52:07,500 there are some people in here I know who 7907 06:52:07,500 --> 06:52:10,860 have seen if not been on the pro teams 7908 06:52:10,860 --> 06:52:15,180 of the attackers we're talking state or 7909 06:52:15,180 --> 06:52:17,218 
even organized crime 7910 06:52:17,218 --> 06:52:19,138 um you know a little bit beyond red team 7911 06:52:19,138 --> 06:52:22,138 because it's a different sort of attack 7912 06:52:22,138 --> 06:52:25,080 the attacker has tremendous resource 7913 06:52:25,080 --> 06:52:26,340 constraints 7914 06:52:26,340 --> 06:52:28,080 they have to hit a whole bunch of 7915 06:52:28,080 --> 06:52:31,940 targets they have risk 7916 06:52:31,940 --> 06:52:36,600 concerns they have to learn a new 7917 06:52:36,600 --> 06:52:38,760 environment they have to gain initial 7918 06:52:38,760 --> 06:52:40,320 access they have to figure out where 7919 06:52:40,320 --> 06:52:42,298 everything is and they have to do this 7920 06:52:42,298 --> 06:52:44,218 without knocking anything over or 7921 06:52:44,218 --> 06:52:45,780 breaking anything or drawing attention 7922 06:52:45,780 --> 06:52:48,360 to themselves you know the defender gets 7923 06:52:48,360 --> 06:52:50,820 those for free they create the 7924 06:52:50,820 --> 06:52:54,120 environment they own it now the defender 7925 06:52:54,120 --> 06:52:57,958 can not do those things and hence cede 7926 06:52:57,958 --> 06:52:59,878 or give away that advantage by going I 7927 06:52:59,878 --> 06:53:01,620 don't know where everything is you know 7928 06:53:01,620 --> 06:53:03,600 and I don't know like you know who's got 7929 06:53:03,600 --> 06:53:06,360 access or I keep granting new uh 7930 06:53:06,360 --> 06:53:08,340 privileges and never pulling them back 7931 06:53:08,340 --> 06:53:10,860 so it just grows out of control but the 7932 06:53:10,860 --> 06:53:13,080 attacker actually is at the disadvantage 7933 06:53:13,080 --> 06:53:16,260 at least initially and actually 7934 06:53:16,260 --> 06:53:17,878 quite a lot through most of the 7935 06:53:17,878 --> 06:53:19,500 operation 7936 06:53:19,500 --> 06:53:22,020 and then cyber being fundamentally 7937 06:53:22,020 --> 06:53:23,218 different 7938 06:53:23,218 --> 06:53:25,378 every other
field 7939 06:53:25,378 --> 06:53:28,440 has that has had that same thought 7940 06:53:28,440 --> 06:53:31,860 medicine was magic you know put the put 7941 06:53:31,860 --> 06:53:33,478 the leeches on your eyeballs it's the 7942 06:53:33,478 --> 06:53:36,600 black bile buy this Elixir uh same thing 7943 06:53:36,600 --> 06:53:37,558 with 7944 06:53:37,558 --> 06:53:41,180 um uh everything from economics to 7945 06:53:41,180 --> 06:53:44,100 astronomy you know we're not nailing as 7946 06:53:44,100 --> 06:53:47,520 many people up to uh doors and crosses 7947 06:53:47,520 --> 06:53:49,700 and burning them at this point as many 7948 06:53:49,700 --> 06:53:52,860 and even insurance insurance was like 7949 06:53:52,860 --> 06:53:54,240 how do we measure risk because that's 7950 06:53:54,240 --> 06:53:56,458 often the hey cyber is risk and how do 7951 06:53:56,458 --> 06:53:58,500 you really quantify that go talk to 7952 06:53:58,500 --> 06:54:00,600 Warren Buffett you know go talk to 7953 06:54:00,600 --> 06:54:02,638 anybody who's made fortunes and built 7954 06:54:02,638 --> 06:54:05,400 out the models for it so 7955 06:54:05,400 --> 06:54:08,160 okay that's at the high level that I've 7956 06:54:08,160 --> 06:54:11,280 heard personally in boardrooms uh in 7957 06:54:11,280 --> 06:54:14,638 executive meetings as to like look these 7958 06:54:14,638 --> 06:54:15,600 aren't 7959 06:54:15,600 --> 06:54:18,600 valid reasons why cyber can't be 7960 06:54:18,600 --> 06:54:19,558 measured 7961 06:54:19,558 --> 06:54:22,138 let's actually dive into some of the 7962 06:54:22,138 --> 06:54:23,638 technical examples and some of the 7963 06:54:23,638 --> 06:54:27,540 numbers and data behind them 7964 06:54:27,540 --> 06:54:31,260 I'm going to start with a little story 7965 06:54:31,260 --> 06:54:33,478 oh it's actually not a GameStop thing I 7966 06:54:33,478 --> 06:54:35,040 just realized I'm like why do I have 7967 06:54:35,040 --> 06:54:37,860 GameStop there I'm I want you to 
picture 7968 06:54:37,860 --> 06:54:41,638 a kind of rainy August morning on the 7969 06:54:41,638 --> 06:54:44,100 northeast of the United States and we 7970 06:54:44,100 --> 06:54:46,798 have this protagonist named Oscar 7971 06:54:46,798 --> 06:54:48,900 and Oscar is about to walk into a 7972 06:54:48,900 --> 06:54:50,400 T-Mobile store 7973 06:54:50,400 --> 06:54:53,340 and he's going to social engineer 7974 06:54:53,340 --> 06:54:56,580 his Target's phone number to be given to 7975 06:54:56,580 --> 06:54:58,138 his Sim 7976 06:54:58,138 --> 06:55:00,660 okay now 7977 06:55:00,660 --> 06:55:03,840 in order to do this there was a lot of 7978 06:55:03,840 --> 06:55:06,240 Prior work and I want you to keep track 7979 06:55:06,240 --> 06:55:10,080 of the costs to the attackers here 7980 06:55:10,080 --> 06:55:11,700 um 7981 06:55:11,700 --> 06:55:14,040 and the costs start to add up 7982 06:55:14,040 --> 06:55:18,360 so he had to identify who was worthwhile 7983 06:55:18,360 --> 06:55:21,240 to simslam and in this case it was 7984 06:55:21,240 --> 06:55:23,638 somebody who had five million dollars in 7985 06:55:23,638 --> 06:55:27,240 their Bitcoin wallet okay to find that 7986 06:55:27,240 --> 06:55:30,298 person Oscar worked with a team for 7987 06:55:30,298 --> 06:55:32,638 months they scoured the crypto message 7988 06:55:32,638 --> 06:55:35,638 boards they walked the blockchain to 7989 06:55:35,638 --> 06:55:39,240 verify things they even set up fake tech 7990 06:55:39,240 --> 06:55:42,840 support websites for bitfie binex 7991 06:55:42,840 --> 06:55:44,820 coinbase all of the other ones that 7992 06:55:44,820 --> 06:55:47,280 probably no longer exist anymore and 7993 06:55:47,280 --> 06:55:48,840 that was just to get the username and 7994 06:55:48,840 --> 06:55:51,000 the passwords that were associated with 7995 06:55:51,000 --> 06:55:53,760 a particular wallet 7996 06:55:53,760 --> 06:55:54,298 um 7997 06:55:54,298 --> 06:55:56,638 from that point they still 
had to become 7998 06:55:56,638 --> 06:55:58,558 classic private investigators because 7999 06:55:58,558 --> 06:55:59,940 they needed the social security number 8000 06:55:59,940 --> 06:56:01,978 they needed to the home address all the 8001 06:56:01,978 --> 06:56:04,378 other stuff so that Oscar can walk in 8002 06:56:04,378 --> 06:56:07,200 and say hey I lost that phone it's 8003 06:56:07,200 --> 06:56:09,478 really my number I could convince you 8004 06:56:09,478 --> 06:56:11,160 for it you know it could convince you of 8005 06:56:11,160 --> 06:56:15,718 that and you know put it on my SIM card 8006 06:56:15,718 --> 06:56:19,798 oh not for me thanks yep 8007 06:56:22,320 --> 06:56:24,000 yeah you could go around like a like 8008 06:56:24,000 --> 06:56:25,680 like one of those movie theaters where 8009 06:56:25,680 --> 06:56:27,718 you kind of serve them meals during the 8010 06:56:27,718 --> 06:56:31,680 the presentation I like it so Oscar did 8011 06:56:31,680 --> 06:56:34,558 manage to get that phone number and from 8012 06:56:34,558 --> 06:56:36,660 that point there's still more work 8013 06:56:36,660 --> 06:56:39,298 because what did Oscar have to do 8014 06:56:39,298 --> 06:56:41,100 well he needed to take over the email 8015 06:56:41,100 --> 06:56:43,138 account which he could do now because he 8016 06:56:43,138 --> 06:56:45,600 could answer the SMS challenge once 8017 06:56:45,600 --> 06:56:47,100 you've taken over the email account then 8018 06:56:47,100 --> 06:56:48,780 you could go to coinbase or whoever it 8019 06:56:48,780 --> 06:56:51,540 was and say hey I lost my password send 8020 06:56:51,540 --> 06:56:53,760 the password reset email over to that 8021 06:56:53,760 --> 06:56:57,000 other email account and now the wallet 8022 06:56:57,000 --> 06:57:00,420 is compromised and this was a true story 8023 06:57:00,420 --> 06:57:02,638 um you know based on that the five 8024 06:57:02,638 --> 06:57:04,138 million dollars with the Bitcoin was 8025 
06:57:04,138 --> 06:57:05,878 drained 8026 06:57:05,878 --> 06:57:08,458 Oscar and his team also got caught a few 8027 06:57:08,458 --> 06:57:10,558 months later but the takeaway here is 8028 06:57:10,558 --> 06:57:13,138 two things one that was a lot of effort 8029 06:57:13,138 --> 06:57:16,020 even just to identify the target 8030 06:57:16,020 --> 06:57:19,020 and the second thing was the media 8031 06:57:19,020 --> 06:57:22,378 coverage was unified and their takeaway 8032 06:57:22,378 --> 06:57:25,978 was SMS is broken 8033 06:57:25,978 --> 06:57:30,360 because SMS was bypassed and look five 8034 06:57:30,360 --> 06:57:32,040 million dollars were lost because 8035 06:57:32,040 --> 06:57:35,100 somebody relied upon SMS as an 8036 06:57:35,100 --> 06:57:37,200 authentication uh there was even a 8037 06:57:37,200 --> 06:57:39,780 headline saying Microsoft says don't use 8038 06:57:39,780 --> 06:57:41,700 SMS 8039 06:57:41,700 --> 06:57:43,620 um so 8040 06:57:43,620 --> 06:57:45,958 now let's go into the data because I 8041 06:57:45,958 --> 06:57:48,180 agree SMS is flawed there are better 8042 06:57:48,180 --> 06:57:50,700 solutions there's U2F, YubiKey and 8043 06:57:50,700 --> 06:57:52,680 everything 8044 06:57:52,680 --> 06:57:55,440 luckily we have large amounts of data 8045 06:57:55,440 --> 06:57:57,840 this should um this was a Google study 8046 06:57:57,840 --> 06:58:01,138 where they took an entire year 8047 06:58:01,138 --> 06:58:02,878 and they 8048 06:58:02,878 --> 06:58:05,940 looked at account takeover attempts 8049 06:58:05,940 --> 06:58:08,058 and in that one year time 8050 06:58:08,058 --> 06:58:12,600 3.3 billion username and passwords were 8051 06:58:12,600 --> 06:58:16,020 dumped or compromised or revealed every 8052 06:58:16,020 --> 06:58:18,718 single one of those immediately was 8053 06:58:18,718 --> 06:58:22,378 plugged into automated uh uh password 8054 06:58:22,378 --> 06:58:25,680 you know uh bots for password stuffing 8055 06:58:25,680 
--> 06:58:28,638 SMS was a hundred percent 8056 06:58:28,638 --> 06:58:31,080 successful at preventing the account 8057 06:58:31,080 --> 06:58:32,520 compromise 8058 06:58:32,520 --> 06:58:35,218 for those which I'm like hey that's not 8059 06:58:35,218 --> 06:58:38,218 bad that's the most common attack it's a 8060 06:58:38,218 --> 06:58:40,020 cheap attack but that's probably what 8061 06:58:40,020 --> 06:58:42,058 everybody's dealing with 8062 06:58:42,058 --> 06:58:44,340 they looked at bulk phishing you all know 8063 06:58:44,340 --> 06:58:45,540 what bulk phishing is because this is 8064 06:58:45,540 --> 06:58:46,920 where you're getting an email or you're 8065 06:58:46,920 --> 06:58:49,260 getting a text that says hey your UPS 8066 06:58:49,260 --> 06:58:50,940 package couldn't be delivered or a 8067 06:58:50,940 --> 06:58:52,620 problem with your Amazon account or hey 8068 06:58:52,620 --> 06:58:55,500 I'm the IRS you know we're going to fine 8069 06:58:55,500 --> 06:58:57,478 you you know log into this website and 8070 06:58:57,478 --> 06:58:59,580 it's a horrible link but the website 8071 06:58:59,580 --> 06:59:01,260 looks a little bit like it and they want 8072 06:59:01,260 --> 06:59:03,120 your username and account 8073 06:59:03,120 --> 06:59:06,478 only 12 million in the entire year 12 8074 06:59:06,478 --> 06:59:08,580 million sounds like a lot 8075 06:59:08,580 --> 06:59:12,240 that's minuscule compared to 3.3 billion 8076 06:59:12,240 --> 06:59:14,700 why because it takes a lot more cost and 8077 06:59:14,700 --> 06:59:16,260 effort for an adversary to do it there's 8078 06:59:16,260 --> 06:59:18,780 a reduced number of adversaries that can 8079 06:59:18,780 --> 06:59:21,780 pull this off with the resources 8080 06:59:21,780 --> 06:59:22,620 um 8081 06:59:22,620 --> 06:59:26,400 and SMS this part you know 8082 06:59:26,400 --> 06:59:29,420 curls my curls my toes 96 8083 06:59:29,420 --> 06:59:32,520 effective against this 8084 06:59:32,520 --> 
06:59:34,860 and we can explain later as to why 8085 06:59:34,860 --> 06:59:37,798 that's so high but it is valid the 8086 06:59:37,798 --> 06:59:39,600 targeted attacks 8087 06:59:39,600 --> 06:59:42,478 this is the tailored access this is the 8088 06:59:42,478 --> 06:59:44,160 stuff that you read about like Oscar 8089 06:59:44,160 --> 06:59:46,080 beforehand 8090 06:59:46,080 --> 06:59:48,780 not a lot of these happen per year 8091 06:59:48,780 --> 06:59:50,638 the study showed it was somewhere 8092 06:59:50,638 --> 06:59:53,760 between seven thousand and nine thousand 8093 06:59:53,760 --> 06:59:55,978 per year 8094 06:59:55,978 --> 06:59:57,240 but 8095 06:59:57,240 --> 06:59:59,160 they've got to be against targets that 8096 06:59:59,160 --> 07:00:00,958 are actually worth it so you want you 8097 07:00:00,958 --> 07:00:02,520 know like a multi-million dollar payoff 8098 07:00:02,520 --> 07:00:04,378 because you're going to spend months as 8099 07:00:04,378 --> 07:00:08,280 the attacker going after it SMS 8100 07:00:08,280 --> 07:00:12,900 was successful at preventing 76 of these 8101 07:00:12,900 --> 07:00:16,020 it raised the cost just enough to the 8102 07:00:16,020 --> 07:00:19,680 adversary that it put it out of reach 8103 07:00:19,680 --> 07:00:22,378 so we're seeing a few things here we're 8104 07:00:22,378 --> 07:00:25,138 starting to see economics of attackers 8105 07:00:25,138 --> 07:00:27,660 the capabilities the breadth the 8106 07:00:27,660 --> 07:00:30,000 specific specificity 8107 07:00:30,000 --> 07:00:32,520 and we're also seeing that defensive 8108 07:00:32,520 --> 07:00:34,860 solutions even when flawed you can 8109 07:00:34,860 --> 07:00:37,320 measure the efficacy 8110 07:00:37,320 --> 07:00:39,420 because it's a minimax game which we'll 8111 07:00:39,420 --> 07:00:40,920 talk about a little bit later it's 8112 07:00:40,920 --> 07:00:42,840 what's the minimum amount I can spend as 8113 07:00:42,840 --> 07:00:45,000 a defender to 
move the greatest amount 8114 07:00:45,000 --> 07:00:48,440 of cost to the attacker 8115 07:00:48,718 --> 07:00:51,180 and here we are if you want to make it 8116 07:00:51,180 --> 07:00:54,120 look difficult and math-like you know 8117 07:00:54,120 --> 07:00:56,940 sure go grab some game theory but all 8118 07:00:56,940 --> 07:01:00,180 that means is as an attacker what's the 8119 07:01:00,180 --> 07:01:01,680 least amount of effort and resources I 8120 07:01:01,680 --> 07:01:03,420 can use to realize the greatest amount 8121 07:01:03,420 --> 07:01:06,540 of gain and as a defender what's the 8122 07:01:06,540 --> 07:01:08,520 minimal amount of effort I could expend 8123 07:01:08,520 --> 07:01:11,280 to move cost and friction to the 8124 07:01:11,280 --> 07:01:13,500 adversary 8125 07:01:13,500 --> 07:01:16,740 we heard about ransomware earlier and I 8126 07:01:16,740 --> 07:01:20,760 think that's a really good uh example uh 8127 07:01:20,760 --> 07:01:23,638 here so the headlines are pretty 8128 07:01:23,638 --> 07:01:26,100 sensational wow they're like 500 8129 07:01:26,100 --> 07:01:27,900 ransomware attacks you know in this 8130 07:01:27,900 --> 07:01:30,240 particular interest industry or some of 8131 07:01:30,240 --> 07:01:33,120 them are asking for millions of dollars 8132 07:01:33,120 --> 07:01:35,040 on attribution which was one of the 8133 07:01:35,040 --> 07:01:36,240 earlier ones 8134 07:01:36,240 --> 07:01:38,520 attribution is a solved problem in many 8135 07:01:38,520 --> 07:01:41,580 ways it's not solved for espionage but 8136 07:01:41,580 --> 07:01:44,280 for the business world espionage isn't 8137 07:01:44,280 --> 07:01:46,260 something they can quantify the losses 8138 07:01:46,260 --> 07:01:48,000 about very easily 8139 07:01:48,000 --> 07:01:50,400 effect-based operations 8140 07:01:50,400 --> 07:01:52,558 Title 10 for those who are paying 8141 07:01:52,558 --> 07:01:54,780 attention in that particular world 8142 07:01:54,780 --> 07:01:57,240 
have after attribution as a requirement 8143 07:01:57,240 --> 07:01:59,340 of the attack 8144 07:01:59,340 --> 07:02:03,478 if you are being ransomed and you don't 8145 07:02:03,478 --> 07:02:06,478 notice it and it doesn't impact you who 8146 07:02:06,478 --> 07:02:11,340 cares if GRU is going after Ukraine and 8147 07:02:11,340 --> 07:02:13,378 Ukraine's like yeah I'm not feeling any 8148 07:02:13,378 --> 07:02:16,620 impact or you know problem it's a failed 8149 07:02:16,620 --> 07:02:20,160 effort from the attacker similarly if 8150 07:02:20,160 --> 07:02:22,740 you don't know who's doing it it's a 8151 07:02:22,740 --> 07:02:25,378 failed effort because hey I'm ransoming 8152 07:02:25,378 --> 07:02:27,298 you yeah I can tell my systems are 8153 07:02:27,298 --> 07:02:28,620 locked up 8154 07:02:28,620 --> 07:02:29,760 um but I'm not going to tell you who I 8155 07:02:29,760 --> 07:02:31,620 am or where you should send the money 8156 07:02:31,620 --> 07:02:34,020 okay you kind of need that for part of 8157 07:02:34,020 --> 07:02:36,360 the effect similar for like let's say a 8158 07:02:36,360 --> 07:02:39,420 military offensive effect-based GRU if 8159 07:02:39,420 --> 07:02:41,580 they're knocking down the IT systems or 8160 07:02:41,580 --> 07:02:43,860 the satellite modems in Ukraine but 8161 07:02:43,860 --> 07:02:46,138 Ukraine doesn't know it's Russia it's 8162 07:02:46,138 --> 07:02:47,760 like well there's no incentive to 8163 07:02:47,760 --> 07:02:49,798 capitulate to whatever Russia's demands 8164 07:02:49,798 --> 07:02:52,440 are so attribution is solved from the 8165 07:02:52,440 --> 07:02:54,600 business point of view that folks care 8166 07:02:54,600 --> 07:02:55,740 about 8167 07:02:55,740 --> 07:02:57,600 real quickly 8168 07:02:57,600 --> 07:03:01,138 the top 21 ransomware teams the you know 8169 07:03:01,138 --> 07:03:03,180 the actual kind of pro teams if you want 8170 07:03:03,180 --> 07:03:04,978 to you know look at them that way the 8171 
07:03:04,978 --> 07:03:06,780 organized crime this ones that are 8172 07:03:06,780 --> 07:03:09,360 staffed with people working on it you 8173 07:03:09,360 --> 07:03:12,360 know they're hitting on on Max in many 8174 07:03:12,360 --> 07:03:15,660 cases 200 targets 200 victims a year 8175 07:03:15,660 --> 07:03:18,718 many of the top 20 really haven't even 8176 07:03:18,718 --> 07:03:21,240 hit 200 over the past five years yes 8177 07:03:21,240 --> 07:03:24,600 Conti hit 390 or whatever but if you 8178 07:03:24,600 --> 07:03:26,058 look at it that way 8179 07:03:26,058 --> 07:03:29,940 there are 516 8180 07:03:29,940 --> 07:03:32,400 000 manufacturing businesses in the 8181 07:03:32,400 --> 07:03:34,138 United States 8182 07:03:34,138 --> 07:03:36,360 so let's do the math real quickly that's 8183 07:03:36,360 --> 07:03:38,638 if we say you know let's let's assume 8184 07:03:38,638 --> 07:03:40,798 there's a dozen teams hitting 200 8185 07:03:40,798 --> 07:03:44,120 targets uh victims a year that's 2400 8186 07:03:44,120 --> 07:03:48,540 2400 out of 516 000. 
that's point zero 8187 07:03:48,540 --> 07:03:50,820 zero six 8188 07:03:50,820 --> 07:03:54,120 so yes ransomware is scary and maybe 8189 07:03:54,120 --> 07:03:56,340 your team is asking for a few million 8190 07:03:56,340 --> 07:03:58,740 dollars for a ransomware solution but if 8191 07:03:58,740 --> 07:04:01,558 you already have like a a two-factor 8192 07:04:01,558 --> 07:04:03,058 authentication in place and you're not 8193 07:04:03,058 --> 07:04:05,160 flopping the internal networks you know 8194 07:04:05,160 --> 07:04:08,280 wide open on the Internet or whatever as 8195 07:04:08,280 --> 07:04:09,780 we saw in the SMS stuff you've already 8196 07:04:09,780 --> 07:04:13,200 raised the cost and the likelihood of 8197 07:04:13,200 --> 07:04:14,940 one of these pro teams hitting a 8198 07:04:14,940 --> 07:04:16,798 particular industry assuming all other 8199 07:04:16,798 --> 07:04:18,298 things are equal 8200 07:04:18,298 --> 07:04:23,040 is point four percent 8201 07:04:23,040 --> 07:04:26,820 so 99.6 chance that 8202 07:04:26,820 --> 07:04:28,920 if you do nothing other than what you've 8203 07:04:28,920 --> 07:04:30,298 already put in place 8204 07:04:30,298 --> 07:04:32,218 you're not getting hit 8205 07:04:32,218 --> 07:04:34,020 that part of the context with these 8206 07:04:34,020 --> 07:04:36,360 numbers is not normally brought forward 8207 07:04:36,360 --> 07:04:39,180 and we see a lot of this like the 8208 07:04:39,180 --> 07:04:41,400 targeted attacks seven thousand of those 8209 07:04:41,400 --> 07:04:43,798 there are how many billions of people in 8210 07:04:43,798 --> 07:04:45,298 the in the world how many different 8211 07:04:45,298 --> 07:04:47,580 Industries if you put it in context it 8212 07:04:47,580 --> 07:04:48,780 doesn't mean 8213 07:04:48,780 --> 07:04:51,478 it's not something to care about but you 8214 07:04:51,478 --> 07:04:53,160 can start to show what the likelihood of 8215 07:04:53,160 --> 07:04:54,360 a problem is 8216 
07:04:54,360 --> 07:04:56,878 and what the effect of things that you 8217 07:04:56,878 --> 07:04:58,260 were putting in place is going to do 8218 07:04:58,260 --> 07:05:01,320 because I'm not driving I'm not going to 8219 07:05:01,320 --> 07:05:03,540 brag to the executive team that I 8220 07:05:03,540 --> 07:05:06,298 reduced our likelihood of being hit from 8221 07:05:06,298 --> 07:05:09,840 point four percent to 0.2 for 10 million 8222 07:05:09,840 --> 07:05:12,058 dollars I'm gonna brag to them that I 8223 07:05:12,058 --> 07:05:13,860 rolled out something as 8224 07:05:13,860 --> 07:05:18,298 flawed as SMS and I reduced 3.3 billion 8225 07:05:18,298 --> 07:05:20,400 I reduced everything except for the 8226 07:05:20,400 --> 07:05:24,240 let's say targeted attack so I moved an 8227 07:05:24,240 --> 07:05:27,240 80 likelihood of roll the dice down to 8228 07:05:27,240 --> 07:05:30,058 like two percent likelihood 8229 07:05:30,058 --> 07:05:32,520 so that's the Mini Max Maxim in there's 8230 07:05:32,520 --> 07:05:35,760 an easy way first adversaries are 8231 07:05:35,760 --> 07:05:38,458 already doing this two-part two-party 8232 07:05:38,458 --> 07:05:42,058 Game Theory if if you don't understand 8233 07:05:42,058 --> 07:05:44,420 why ransomware hits 8234 07:05:44,420 --> 07:05:47,700 manufacturing as a biased Target it's 8235 07:05:47,700 --> 07:05:49,978 because it's real easy for the executive 8236 07:05:49,978 --> 07:05:52,440 team to say how much is it going to cost 8237 07:05:52,440 --> 07:05:54,660 if our assembly lines are offline for 8238 07:05:54,660 --> 07:05:57,600 the next two weeks or three weeks okay 8239 07:05:57,600 --> 07:06:00,000 how does that compare to the 10 million 8240 07:06:00,000 --> 07:06:01,440 dollar Ransom 8241 07:06:01,440 --> 07:06:04,500 the attackers already did that otherwise 8242 07:06:04,500 --> 07:06:06,058 it wouldn't be worth their while to 8243 07:06:06,058 --> 07:06:08,940 spend two three weeks as Conti sometimes 8244 
07:06:08,940 --> 07:06:10,798 does to like you know put things in 8245 07:06:10,798 --> 07:06:12,420 place 8246 07:06:12,420 --> 07:06:15,000 you can break yourself of of not doing 8247 07:06:15,000 --> 07:06:17,520 it by just going through the different 8248 07:06:17,520 --> 07:06:20,820 best practices take OWASP take MITRE 8249 07:06:20,820 --> 07:06:24,000 ATT&CK take whatever and just say one to 8250 07:06:24,000 --> 07:06:26,100 five for each of these how much does it 8251 07:06:26,100 --> 07:06:28,500 cost my organization to put it in place 8252 07:06:28,500 --> 07:06:32,580 okay one to five on the attacker hat on 8253 07:06:32,580 --> 07:06:34,620 how much friction was introduced by that 8254 07:06:34,620 --> 07:06:35,820 being in place 8255 07:06:35,820 --> 07:06:37,798 the ones where you spend a one and it 8256 07:06:37,798 --> 07:06:39,840 moves a five to them that's a good buy 8257 07:06:39,840 --> 07:06:41,520 the ones where you're spending a five 8258 07:06:41,520 --> 07:06:43,378 and it's only a one to them 8259 07:06:43,378 --> 07:06:46,500 maybe reevaluate it 8260 07:06:46,500 --> 07:06:49,378 okay now let's offend everybody who's 8261 07:06:49,378 --> 07:06:52,500 building software security products 8262 07:06:52,500 --> 07:06:55,200 so there's a software security product 8263 07:06:55,200 --> 07:06:57,298 for everything out there 8264 07:06:57,298 --> 07:07:00,298 and very few of the companies or the the 8265 07:07:00,298 --> 07:07:02,340 vendors will come in and say yeah here's 8266 07:07:02,340 --> 07:07:03,900 how you measure the effectiveness and 8267 07:07:03,900 --> 07:07:06,600 the change to your environment 8268 07:07:06,600 --> 07:07:08,820 um and they'll just instead say like oh 8269 07:07:08,820 --> 07:07:10,440 well if you don't buy us and you get hit 8270 07:07:10,440 --> 07:07:12,718 by something you'll wish you had sort of 8271 07:07:12,718 --> 07:07:14,340 set up so well if they're not going to 8272 07:07:14,340 --> 07:07:15,660 
quantify that 8273 07:07:15,660 --> 07:07:18,000 can we quantify how much extra 8274 07:07:18,000 --> 07:07:21,058 vulnerability putting security software 8275 07:07:21,058 --> 07:07:25,080 into our environment actually introduces 8276 07:07:25,080 --> 07:07:28,978 yes we can so first I should point out 8277 07:07:28,978 --> 07:07:32,100 that um there's a company that for many 8278 07:07:32,100 --> 07:07:34,978 years has done security code analysis 8279 07:07:34,978 --> 07:07:36,478 like looking at 8280 07:07:36,478 --> 07:07:38,400 products from companies and trying to 8281 07:07:38,400 --> 07:07:40,200 figure out where vulnerabilities are the 8282 07:07:40,200 --> 07:07:42,478 hygiene and helping improve it a little 8283 07:07:42,478 --> 07:07:44,760 while back they did a study and they 8284 07:07:44,760 --> 07:07:47,340 released stats they said out of all of 8285 07:07:47,340 --> 07:07:49,680 the industries that make software out of 8286 07:07:49,680 --> 07:07:51,958 all of the different sort of categories 8287 07:07:51,958 --> 07:07:54,780 which categories are the strongest most 8288 07:07:54,780 --> 07:07:57,180 hygienic best security written code and 8289 07:07:57,180 --> 07:07:59,280 which ones are the worst 8290 07:07:59,280 --> 07:08:01,378 I give you two guesses as to which one 8291 07:08:01,378 --> 07:08:04,020 was the worst by a long shot well it's 8292 07:08:04,020 --> 07:08:06,180 actually QA software but I'm not putting 8293 07:08:06,180 --> 07:08:07,558 that in production and I'm not putting 8294 07:08:07,558 --> 07:08:09,540 that like in Ingress egress positions 8295 07:08:09,540 --> 07:08:12,000 the second one and this was a huge step 8296 07:08:12,000 --> 07:08:13,500 function to the next one is just just 8297 07:08:13,500 --> 07:08:15,478 how far down it was were the security 8298 07:08:15,478 --> 07:08:17,340 products themselves 8299 07:08:17,340 --> 07:08:18,900 since that's a large amount of the 8300 07:08:18,900 --> 07:08:20,878 customer 
this country I'm not of of that 8301 07:08:20,878 --> 07:08:23,100 company I'm not surprised they stopped 8302 07:08:23,100 --> 07:08:25,200 releasing that stat 8303 07:08:25,200 --> 07:08:28,500 but let's take a look at security 8304 07:08:28,500 --> 07:08:30,660 software this is a slide that I've used 8305 07:08:30,660 --> 07:08:33,240 in various forms for a while but what 8306 07:08:33,240 --> 07:08:37,138 you have here is on the y-axis lines of 8307 07:08:37,138 --> 07:08:40,558 code and in the blue line it's security 8308 07:08:40,558 --> 07:08:44,280 products and on the red line it's 8309 07:08:44,280 --> 07:08:47,400 malware offensive kit you know exploits 8310 07:08:47,400 --> 07:08:50,400 uh and implants and stuff like that and 8311 07:08:50,400 --> 07:08:55,680 it's tracked on the x-axis for 20 years 8312 07:08:55,680 --> 07:08:58,440 and from 20 years the security products 8313 07:08:58,440 --> 07:09:01,860 went from a thousand lines of code up to 8314 07:09:01,860 --> 07:09:04,200 10 million and that's several years ago 8315 07:09:04,200 --> 07:09:07,378 it has continued to go up 8316 07:09:07,378 --> 07:09:09,718 the attacker code 8317 07:09:09,718 --> 07:09:12,958 remained relatively constant 8318 07:09:12,958 --> 07:09:14,600 at 8319 07:09:14,600 --> 07:09:19,080 125 measly lines of code 8320 07:09:19,080 --> 07:09:21,600 and before some people so the takeaway 8321 07:09:21,600 --> 07:09:22,920 but then I'll go in because some people 8322 07:09:22,920 --> 07:09:24,420 are like that's wrong I've seen 8323 07:09:24,420 --> 07:09:25,860 something that's got more lines of code 8324 07:09:25,860 --> 07:09:27,298 than that 8325 07:09:27,298 --> 07:09:27,900 um 8326 07:09:27,900 --> 07:09:30,298 the takeaway is the shape 8327 07:09:30,298 --> 07:09:32,700 so the shape is a very disturbing shape 8328 07:09:32,700 --> 07:09:35,900 and lines of code isn't the magic value 8329 07:09:35,900 --> 07:09:38,638 the magic of lines of code is that it's 8330 
07:09:38,638 --> 07:09:41,900 a beautiful proxy it's a proxy for time 8331 07:09:41,900 --> 07:09:46,798 money uh expertise level of effort it's 8332 07:09:46,798 --> 07:09:48,540 resources 8333 07:09:48,540 --> 07:09:51,718 and this is the resource Gap that's been 8334 07:09:51,718 --> 07:09:54,420 going on and continues to go on so real 8335 07:09:54,420 --> 07:09:56,100 quickly for folks who are like hey that 8336 07:09:56,100 --> 07:09:57,840 red line is because I've seen 8337 07:09:57,840 --> 07:10:00,840 like a 125 000 you know line of code 8338 07:10:00,840 --> 07:10:02,520 there are recent studies that are 8339 07:10:02,520 --> 07:10:04,138 showing that a few are there the 8340 07:10:04,138 --> 07:10:06,600 majority is less than that still 8341 07:10:06,600 --> 07:10:09,120 um but it does appear to be going up 8342 07:10:09,120 --> 07:10:11,940 if you look at where I put the red line 8343 07:10:11,940 --> 07:10:16,260 it's it's not at 125. if I had it at 125 8344 07:10:16,260 --> 07:10:18,120 you wouldn't be able to differentiate it 8345 07:10:18,120 --> 07:10:22,260 from the x-axis that's already at 125 8346 07:10:22,260 --> 07:10:23,458 000. 
8347 07:10:23,458 --> 07:10:27,180 so yeah the shape doesn't change 8348 07:10:27,180 --> 07:10:28,378 okay 8349 07:10:28,378 --> 07:10:30,660 that's talking about sort of a like well 8350 07:10:30,660 --> 07:10:32,820 yeah that's potential vulnerabilities 8351 07:10:32,820 --> 07:10:35,100 you know maybe there are exploits there 8352 07:10:35,100 --> 07:10:37,620 and we know it's a crappy you know sort 8353 07:10:37,620 --> 07:10:40,798 of like industry for code hygiene and we 8354 07:10:40,798 --> 07:10:42,478 also know that they're put in very 8355 07:10:42,478 --> 07:10:45,540 important spaces with significant uh 8356 07:10:45,540 --> 07:10:49,138 permissions and visibility but how does 8357 07:10:49,138 --> 07:10:51,740 that actually map to real world 8358 07:10:51,740 --> 07:10:55,080 vulnerabilities and problems 8359 07:10:55,080 --> 07:10:58,280 glad you asked 8360 07:10:59,218 --> 07:11:02,458 over four month period this measurement 8361 07:11:02,458 --> 07:11:04,440 was taken from 20 8362 07:11:04,440 --> 07:11:07,740 000 networks millions and millions of 8363 07:11:07,740 --> 07:11:09,900 computers on them this was actually 8364 07:11:09,900 --> 07:11:13,200 across the Department of Defense 8365 07:11:13,200 --> 07:11:14,638 um this was the national vulnerability 8366 07:11:14,638 --> 07:11:16,978 watch list and 8367 07:11:16,978 --> 07:11:19,080 the really disturbing part was at any 8368 07:11:19,080 --> 07:11:20,218 given time 8369 07:11:20,218 --> 07:11:22,558 a third of all the security 8370 07:11:22,558 --> 07:11:24,780 vulnerabilities that they were tracking 8371 07:11:24,780 --> 07:11:26,878 down that were actively being exploited 8372 07:11:26,878 --> 07:11:28,978 or being attacked were in the Security 8373 07:11:28,978 --> 07:11:31,680 Solutions that they had deployed to 8374 07:11:31,680 --> 07:11:34,760 protect themselves 8375 07:11:36,900 --> 07:11:38,218 so 8376 07:11:38,218 --> 07:11:41,218 one of the beliefs obviously was hey the 8377 
07:11:41,218 --> 07:11:42,900 more security software I deploy the 8378 07:11:42,900 --> 07:11:46,080 safer I'm going to be right and a lot of 8379 07:11:46,080 --> 07:11:48,718 expectations that security software is 8380 07:11:48,718 --> 07:11:51,240 secure software and that's just not the 8381 07:11:51,240 --> 07:11:53,040 case 8382 07:11:53,040 --> 07:11:55,920 um I recognize a few faces from some 8383 07:11:55,920 --> 07:11:58,320 particular teams that will get a kick 8384 07:11:58,320 --> 07:12:00,478 out of this so I'll share 8385 07:12:00,478 --> 07:12:02,940 there were a few times when I was 8386 07:12:02,940 --> 07:12:05,638 working with let's just say pro teams 8387 07:12:05,638 --> 07:12:07,860 Pro attackers 8388 07:12:07,860 --> 07:12:10,260 um and they had a few targets to choose 8389 07:12:10,260 --> 07:12:11,218 from 8390 07:12:11,218 --> 07:12:15,240 one target had a bunch of the latest and 8391 07:12:15,240 --> 07:12:17,280 greatest Security Solutions deployed 8392 07:12:17,280 --> 07:12:19,260 throughout it and they had all the 8393 07:12:19,260 --> 07:12:21,240 dashboards up and running 8394 07:12:21,240 --> 07:12:24,360 the other Target had about three 8395 07:12:24,360 --> 07:12:27,478 Security Solutions of mean of 8396 07:12:27,478 --> 07:12:30,000 meaningfulness deployed 8397 07:12:30,000 --> 07:12:32,700 um authentication kind of a privacy-ish 8398 07:12:32,700 --> 07:12:34,080 stack 8399 07:12:34,080 --> 07:12:36,000 um and they weren't using the dashboards 8400 07:12:36,000 --> 07:12:38,100 they were connected in it entirely 8401 07:12:38,100 --> 07:12:40,200 through the apis for these different 8402 07:12:40,200 --> 07:12:41,520 ones 8403 07:12:41,520 --> 07:12:44,878 which one did the pro team know was the 8404 07:12:44,878 --> 07:12:46,620 softer Target and which one was the 8405 07:12:46,620 --> 07:12:48,000 harder Target 8406 07:12:48,000 --> 07:12:50,638 yeah the one with the minimal amount of 8407 07:12:50,638 --> 07:12:53,820 
security products uh deployed because a 8408 07:12:53,820 --> 07:12:55,500 few things 8409 07:12:55,500 --> 07:12:57,840 the first organization that had all of 8410 07:12:57,840 --> 07:12:58,680 them 8411 07:12:58,680 --> 07:13:01,978 that's indicative of a company that says 8412 07:13:01,978 --> 07:13:04,378 I have a bunch of things I don't know 8413 07:13:04,378 --> 07:13:06,958 about my network and I don't know how to 8414 07:13:06,958 --> 07:13:08,700 solve them I'm going to buy a solution 8415 07:13:08,700 --> 07:13:10,440 and throw it in place and hope that that 8416 07:13:10,440 --> 07:13:13,020 will magically make the problem go away 8417 07:13:13,020 --> 07:13:15,540 or give me the visibility I'm hoping for 8418 07:13:15,540 --> 07:13:17,760 that I don't even know how to scope 8419 07:13:17,760 --> 07:13:20,580 and the second one was the default 8420 07:13:20,580 --> 07:13:22,680 dashboards well that means they didn't 8421 07:13:22,680 --> 07:13:24,360 need one of those things can go down and 8422 07:13:24,360 --> 07:13:26,638 not be working correctly and you know 8423 07:13:26,638 --> 07:13:28,320 unless you're actively manually looking 8424 07:13:28,320 --> 07:13:29,878 at the dashboard each day you're not 8425 07:13:29,878 --> 07:13:31,020 going to see it 8426 07:13:31,020 --> 07:13:33,120 when an API is wired into your 8427 07:13:33,120 --> 07:13:35,520 operations and your operational Cadence 8428 07:13:35,520 --> 07:13:37,558 and you know exactly what you are using 8429 07:13:37,558 --> 07:13:39,420 these products for 8430 07:13:39,420 --> 07:13:41,400 it's going to be a lot more difficult to 8431 07:13:41,400 --> 07:13:45,920 be in there with and remain unnoticed 8432 07:13:46,290 --> 07:13:47,840 [Applause] 8433 07:13:47,840 --> 07:13:50,040 two more here 8434 07:13:50,040 --> 07:13:51,058 um 8435 07:13:51,058 --> 07:13:53,100 this one was funny just because I have a 8436 07:13:53,100 --> 07:13:56,340 a real world example but uh and this 8437 
07:13:56,340 --> 07:13:58,080 isn't a ransomware talk but it's such a 8438 07:13:58,080 --> 07:14:00,540 good example it's accessible for folks 8439 07:14:00,540 --> 07:14:03,600 for effect-based attack 8440 07:14:03,600 --> 07:14:05,878 um and a lot of experts as you'll see 8441 07:14:05,878 --> 07:14:10,020 this person is cited as a uh senior a 8442 07:14:10,020 --> 07:14:13,500 senior director of security strategy and 8443 07:14:13,500 --> 07:14:16,500 some sort of professor in cyber at a 8444 07:14:16,500 --> 07:14:18,780 university and the takeaway and the 8445 07:14:18,780 --> 07:14:20,878 common belief is hey one thing about 8446 07:14:20,878 --> 07:14:23,760 ransomware if you pay a ransom 8447 07:14:23,760 --> 07:14:26,100 you identify yourself as a chump and a 8448 07:14:26,100 --> 07:14:27,840 mark and everybody else is going to 8449 07:14:27,840 --> 07:14:30,000 target you to ransom you as well maybe 8450 07:14:30,000 --> 07:14:32,160 even some of the people in the actual 8451 07:14:32,160 --> 07:14:34,440 team ransoming you 8452 07:14:34,440 --> 07:14:36,780 a lot of folks here already know the 8453 07:14:36,780 --> 07:14:38,218 problem with that but that's a common 8454 07:14:38,218 --> 07:14:40,740 belief uh and then the second one is 8455 07:14:40,740 --> 07:14:43,500 that hey even if you pay the ransom 8456 07:14:43,500 --> 07:14:46,200 these are dirty unwashed criminals and 8457 07:14:46,200 --> 07:14:47,638 you can't even know that they're going 8458 07:14:47,638 --> 07:14:49,440 to live up to their statements and 8459 07:14:49,440 --> 07:14:51,120 promises they might not unlock your 8460 07:14:51,120 --> 07:14:53,580 systems and maybe they'll still DDoS you 8461 07:14:53,580 --> 07:14:56,218 anyway and spend the money and resources 8462 07:14:56,218 --> 07:14:58,260 to do that for no reason I don't 8463 07:14:58,260 --> 07:14:59,638 understand why 8464 07:14:59,638 --> 07:15:01,320 those were two things that were 8465 07:15:01,320 --> 07:15:04,378 
literally told to me by the FBI when I 8466 07:15:04,378 --> 07:15:06,000 went to them when a company brought me 8467 07:15:06,000 --> 07:15:07,558 in who was being threatened with 8468 07:15:07,558 --> 07:15:11,040 ransomware and they said you know much 8469 07:15:11,040 --> 07:15:13,740 give us the stats and the data how many 8470 07:15:13,740 --> 07:15:15,958 other companies pay How likely is it for 8471 07:15:15,958 --> 07:15:17,638 them to do this you know et cetera et 8472 07:15:17,638 --> 07:15:19,740 cetera I'm like great I'll go ask the 8473 07:15:19,740 --> 07:15:21,600 feds and those were the two things they 8474 07:15:21,600 --> 07:15:23,340 said and I said can you give me data 8475 07:15:23,340 --> 07:15:24,840 backing up those statements they're like 8476 07:15:24,840 --> 07:15:27,420 no no we don't we don't have that data 8477 07:15:27,420 --> 07:15:29,400 okay 8478 07:15:29,400 --> 07:15:33,360 we've seen the inside Communications 8479 07:15:33,360 --> 07:15:36,240 of ransomware teams sometimes they've 8480 07:15:36,240 --> 07:15:38,160 been frustrated and they've released 8481 07:15:38,160 --> 07:15:40,978 them intentionally other times go cyber 8482 07:15:40,978 --> 07:15:42,478 command cnmf 8483 07:15:42,478 --> 07:15:44,040 sorry 8484 07:15:44,040 --> 07:15:44,940 um 8485 07:15:44,940 --> 07:15:47,040 hypothetically or allegedly who knows if 8486 07:15:47,040 --> 07:15:48,958 it was if it was them 8487 07:15:48,958 --> 07:15:54,058 and when a ransomware organization 8488 07:15:54,058 --> 07:15:56,940 Ransom somebody and doesn't live up to 8489 07:15:56,940 --> 07:16:00,180 the promise of releasing them or 8490 07:16:00,180 --> 07:16:03,000 following through or when a ransomware 8491 07:16:03,000 --> 07:16:06,958 company hits a Target and then hits them 8492 07:16:06,958 --> 07:16:09,420 again immediately afterwards guess what 8493 07:16:09,420 --> 07:16:12,600 the inside emails show 8494 07:16:12,600 --> 07:16:16,798 the big boys and the Heavy 
Hitters 8495 07:16:16,798 --> 07:16:20,218 would go after them and put them out of 8496 07:16:20,218 --> 07:16:23,100 business the way organized crime does to 8497 07:16:23,100 --> 07:16:24,000 people 8498 07:16:24,000 --> 07:16:28,200 so not just a Stern no no no it's like 8499 07:16:28,200 --> 07:16:32,878 yeah they're not a problem ever again 8500 07:16:32,878 --> 07:16:37,020 why it's a business it's an industry 8501 07:16:37,020 --> 07:16:39,718 look at any organized crime look at any 8502 07:16:39,718 --> 07:16:42,900 payment racket if uh if if a crime 8503 07:16:42,900 --> 07:16:45,478 family is making companies you know pay 8504 07:16:45,478 --> 07:16:47,340 for protection 8505 07:16:47,340 --> 07:16:50,520 and you know they all pay protection and 8506 07:16:50,520 --> 07:16:51,900 then there's no protection or the crime 8507 07:16:51,900 --> 07:16:54,718 family itself you know vandalizes the 8508 07:16:54,718 --> 07:16:55,558 store 8509 07:16:55,558 --> 07:16:58,200 pretty soon they stop paying 8510 07:16:58,200 --> 07:17:00,240 and the industry knows this so they 8511 07:17:00,240 --> 07:17:02,638 self-police and they self-regulate the 8512 07:17:02,638 --> 07:17:03,780 other thing 8513 07:17:03,780 --> 07:17:06,058 about measurements and I'm not gonna you 8514 07:17:06,058 --> 07:17:07,978 know walk you through this this was a 8515 07:17:07,978 --> 07:17:09,840 payout Matrix and a probability Matrix 8516 07:17:09,840 --> 07:17:13,320 from a company that was being uh 8517 07:17:13,320 --> 07:17:15,478 threatened for ransom and it had been 8518 07:17:15,478 --> 07:17:18,180 demonstrated that the organization was 8519 07:17:18,180 --> 07:17:21,180 capable of doing it and first off I'm 8520 07:17:21,180 --> 07:17:23,340 not saying don't pay ransoms and I'm not 8521 07:17:23,340 --> 07:17:25,200 saying to pay ransoms this is a talk 8522 07:17:25,200 --> 07:17:27,298 about data 8523 07:17:27,298 --> 07:17:29,700 um you know I won't judge I will a 8524 
07:17:29,700 --> 07:17:31,200 little bit 8525 07:17:31,200 --> 07:17:34,260 um and they said hey 8526 07:17:34,260 --> 07:17:37,138 what what cost to us you know do we 8527 07:17:37,138 --> 07:17:39,360 incur if we don't pay and they hit us 8528 07:17:39,360 --> 07:17:42,000 what cost do we incur if they hit us and 8529 07:17:42,000 --> 07:17:44,878 even if they hit us repeatedly after it 8530 07:17:44,878 --> 07:17:47,458 and you can plug in your your beliefs 8531 07:17:47,458 --> 07:17:49,620 your percentage your probabilities you 8532 07:17:49,620 --> 07:17:50,878 could plug in the num you know the 8533 07:17:50,878 --> 07:17:53,160 amount lost and everything else and you 8534 07:17:53,160 --> 07:17:55,680 know there's I I xed out most of it but 8535 07:17:55,680 --> 07:17:57,000 you know there are simple equations 8536 07:17:57,000 --> 07:17:59,760 behind the cells and you can see this is 8537 07:17:59,760 --> 07:18:00,900 how much you're going to lose this is 8538 07:18:00,900 --> 07:18:02,280 how much it's going to cost this is the 8539 07:18:02,280 --> 07:18:03,900 you know the pros and cons just from a 8540 07:18:03,900 --> 07:18:05,360 financial perspective 8541 07:18:05,360 --> 07:18:10,080 in every case it was just from the bean 8542 07:18:10,080 --> 07:18:11,820 counter point of view the right thing to 8543 07:18:11,820 --> 07:18:14,700 do to pay the ransom now this company 8544 07:18:14,700 --> 07:18:17,400 was able to we figured out a way of not 8545 07:18:17,400 --> 07:18:19,378 having to pay the ransom and still avoid 8546 07:18:19,378 --> 07:18:22,378 this but they made that as an ethical 8547 07:18:22,378 --> 07:18:23,280 choice 8548 07:18:23,280 --> 07:18:25,320 but they made it as an informed decision 8549 07:18:25,320 --> 07:18:27,240 you know they literally said hey you 8550 07:18:27,240 --> 07:18:28,860 know we'll just make our customers whole 8551 07:18:28,860 --> 07:18:31,440 from whatever if this happens 8552 07:18:31,440 --> 07:18:32,040 
um 8553 07:18:32,040 --> 07:18:34,378 but if you're making decisions without 8554 07:18:34,378 --> 07:18:36,958 them being informed by data 8555 07:18:36,958 --> 07:18:39,120 well you're right back into that 10th 8556 07:18:39,120 --> 07:18:40,500 person problem where you're one of the 8557 07:18:40,500 --> 07:18:42,920 nine people 8558 07:18:43,138 --> 07:18:46,260 and now for my favorite controversial 8559 07:18:46,260 --> 07:18:47,820 one 8560 07:18:47,820 --> 07:18:49,558 what could be wrong with software 8561 07:18:49,558 --> 07:18:51,600 updates or the advice that software 8562 07:18:51,600 --> 07:18:53,160 updates are the most important thing 8563 07:18:53,160 --> 07:18:55,798 that you can do to keep your systems uh 8564 07:18:55,798 --> 07:18:59,400 and networks secure and safe 8565 07:18:59,400 --> 07:19:01,920 and the data that I found here that 8566 07:19:01,920 --> 07:19:04,978 we're going to 10th person approach was 8567 07:19:04,978 --> 07:19:08,280 a study uh non-experts advice and 8568 07:19:08,280 --> 07:19:10,200 recommendations and experts advice on 8569 07:19:10,200 --> 07:19:11,700 the right hand side it was 300 Security 8570 07:19:11,700 --> 07:19:13,558 Experts 8571 07:19:13,558 --> 07:19:16,798 um and first off when you find that a 8572 07:19:16,798 --> 07:19:19,080 lot of the data supporting one of these 8573 07:19:19,080 --> 07:19:22,260 basic beliefs ends up being a survey of 8574 07:19:22,260 --> 07:19:25,260 opinions even expert opinions 8575 07:19:25,260 --> 07:19:27,180 that should be a little bit of a flag to 8576 07:19:27,180 --> 07:19:30,240 say let's let's play 10th person on this 8577 07:19:30,240 --> 07:19:32,520 and you know five four three and two are 8578 07:19:32,520 --> 07:19:34,520 all password related including like 8579 07:19:34,520 --> 07:19:36,478 two-factor sort of stuff and we've 8580 07:19:36,478 --> 07:19:39,740 talked about that the number one 8581 07:19:39,740 --> 07:19:42,718 recommendation from Security Experts 
8582 07:19:42,718 --> 07:19:46,138 this is uh the USENIX uh paper was 8583 07:19:46,138 --> 07:19:48,780 always update all your software as soon 8584 07:19:48,780 --> 07:19:53,360 as available immediately full stop 8585 07:19:53,820 --> 07:19:56,100 well what sort of data do we have that 8586 07:19:56,100 --> 07:19:58,320 contradicts that 8587 07:19:58,320 --> 07:20:00,840 well we have the first ever longitudinal 8588 07:20:00,840 --> 07:20:04,320 study of what is the impact of software 8589 07:20:04,320 --> 07:20:07,320 updates on improving or not improving 8590 07:20:07,320 --> 07:20:09,478 the software hygiene and base software 8591 07:20:09,478 --> 07:20:12,600 configurations and status of products 8592 07:20:12,600 --> 07:20:16,680 and across 22 companies 15 years of 8593 07:20:16,680 --> 07:20:19,378 their products over a thousand products 8594 07:20:19,378 --> 07:20:22,080 with more than 3 million binaries and 8595 07:20:22,080 --> 07:20:24,420 libraries you know uh affected by this 8596 07:20:24,420 --> 07:20:28,020 here's the takeaway most updates have 8597 07:20:28,020 --> 07:20:31,200 zero impact on the security of the 8598 07:20:31,200 --> 07:20:32,458 product 8599 07:20:32,458 --> 07:20:35,218 the ones that do were more likely to 8600 07:20:35,218 --> 07:20:37,558 make the security worse 8601 07:20:37,558 --> 07:20:40,260 than it was to make them better 8602 07:20:40,260 --> 07:20:43,200 and that's really confusing 8603 07:20:43,200 --> 07:20:44,700 because you know we all know it's like 8604 07:20:44,700 --> 07:20:47,000 no no no 8605 07:20:48,780 --> 07:20:50,458 you better how could this be possible 8606 07:20:50,458 --> 07:20:52,920 you know everybody knows that and you 8607 07:20:52,920 --> 07:20:55,200 look around and you say well wait a 8608 07:20:55,200 --> 07:20:56,458 second 8609 07:20:56,458 --> 07:20:59,218 big businesses that have to do this they 8610 07:20:59,218 --> 07:21:01,500 already don't patch immediately they 8611 07:21:01,500 --> 
07:21:03,000 already don't roll out updates 8612 07:21:03,000 --> 07:21:04,978 immediately they put them in a holding 8613 07:21:04,978 --> 07:21:07,378 area they bake them for a few days or if 8614 07:21:07,378 --> 07:21:09,420 it's a third party software like an npm 8615 07:21:09,420 --> 07:21:11,878 or something else several weeks to make 8616 07:21:11,878 --> 07:21:13,200 sure that it's not going to break things 8617 07:21:13,200 --> 07:21:15,540 it's not going to roll out we also know 8618 07:21:15,540 --> 07:21:17,878 as attackers or even red team that you 8619 07:21:17,878 --> 07:21:21,240 know uh well mostly attackers that once 8620 07:21:21,240 --> 07:21:22,860 you're inside an environment you're 8621 07:21:22,860 --> 07:21:24,958 normally not using a novel exploit to 8622 07:21:24,958 --> 07:21:26,878 get to the next system inside you've got 8623 07:21:26,878 --> 07:21:30,058 your initial credentials for it 8624 07:21:30,058 --> 07:21:35,040 it turns out that it does correlate to 8625 07:21:35,040 --> 07:21:36,478 better security and there were some 8626 07:21:36,478 --> 07:21:39,420 studies showing that strong update 8627 07:21:39,420 --> 07:21:42,360 capabilities and practices correlate 8628 07:21:42,360 --> 07:21:44,700 with companies being less likely to 8629 07:21:44,700 --> 07:21:48,298 experience significant impacts but it's 8630 07:21:48,298 --> 07:21:49,978 not causal 8631 07:21:49,978 --> 07:21:51,660 and that's what these figures show so 8632 07:21:51,660 --> 07:21:55,080 what is the causal aspect well if you 8633 07:21:55,080 --> 07:21:57,840 can roll out patches because you know 8634 07:21:57,840 --> 07:22:00,420 where everything is you have positive 8635 07:22:00,420 --> 07:22:02,580 control over everything and you've got 8636 07:22:02,580 --> 07:22:04,500 the operational bandwidth and Cadence 8637 07:22:04,500 --> 07:22:06,120 that you're not running around grabbing 8638 07:22:06,120 --> 07:22:07,798 all of the engineers off their products 
8639 07:22:07,798 --> 07:22:09,420 going help me figure out what's in 8640 07:22:09,420 --> 07:22:11,040 production help me figure out what needs 8641 07:22:11,040 --> 07:22:12,840 to be patched and everything else 8642 07:22:12,840 --> 07:22:15,600 that is the positive control of your 8643 07:22:15,600 --> 07:22:18,360 environment and that is the causal 8644 07:22:18,360 --> 07:22:22,978 aspect the patching and updates are a 8645 07:22:22,978 --> 07:22:25,920 secondary possibly tertiary feature for 8646 07:22:25,920 --> 07:22:27,058 correlation 8647 07:22:27,058 --> 07:22:28,740 now 8648 07:22:28,740 --> 07:22:31,978 security updates are a subset of 8649 07:22:31,978 --> 07:22:35,218 software updates important to say some 8650 07:22:35,218 --> 07:22:38,218 of those it's a race how can I get my 8651 07:22:38,218 --> 07:22:40,020 new code for the security update on a 8652 07:22:40,020 --> 07:22:41,878 system before somebody else gets their 8653 07:22:41,878 --> 07:22:44,400 new code on the system 8654 07:22:44,400 --> 07:22:47,160 and the other thing is that there were 8655 07:22:47,160 --> 07:22:48,900 three 8656 07:22:48,900 --> 07:22:51,180 um products slash companies that were 8657 07:22:51,180 --> 07:22:53,940 not in this study 8658 07:22:53,940 --> 07:22:56,100 and they're actually interesting because 8659 07:22:56,100 --> 07:22:58,740 they're outliers oh one of the reasons 8660 07:22:58,740 --> 07:23:01,200 they're outliers is not a single one of 8661 07:23:01,200 --> 07:23:03,600 these companies or product lines showed 8662 07:23:03,600 --> 07:23:06,298 a positive trend of the basic hygiene of 8663 07:23:06,298 --> 07:23:08,760 their products improving over time it 8664 07:23:08,760 --> 07:23:10,798 was random in most case most cases they 8665 07:23:10,798 --> 07:23:12,780 actually declined it was easier to 8666 07:23:12,780 --> 07:23:15,298 remove a fundamental security feature 8667 07:23:15,298 --> 07:23:17,160 than it was to take the risk of turning 8668 
07:23:17,160 --> 07:23:18,718 it on what would that break for some 8669 07:23:18,718 --> 07:23:20,760 customer somewhere 8670 07:23:20,760 --> 07:23:23,458 the three outliers 8671 07:23:23,458 --> 07:23:25,680 Google Chrome 8672 07:23:25,680 --> 07:23:28,260 not all of the other Google products but 8673 07:23:28,260 --> 07:23:30,180 Google Chrome 8674 07:23:30,180 --> 07:23:33,240 mic uh Microsoft's Windows 10 and 8675 07:23:33,240 --> 07:23:36,540 Windows 10 applications basically all of 8676 07:23:36,540 --> 07:23:37,320 them 8677 07:23:37,320 --> 07:23:39,900 and Apple's iOS 8678 07:23:39,900 --> 07:23:43,798 those had positive trends across updates 8679 07:23:43,798 --> 07:23:46,740 for multiple years 8680 07:23:46,740 --> 07:23:49,920 they are not the rest of the world 8681 07:23:49,920 --> 07:23:53,878 uh and hence you know but that is a bias 8682 07:23:53,878 --> 07:23:57,180 of uh of of visibility and presence and 8683 07:23:57,180 --> 07:23:59,638 you know that we see that so we're biased 8684 07:23:59,638 --> 07:24:00,900 to thinking that's how everything else 8685 07:24:00,900 --> 07:24:04,500 is Microsoft Google and Apple spend more 8686 07:24:04,500 --> 07:24:07,138 money and resources and time and effort 8687 07:24:07,138 --> 07:24:09,058 and have the ability to run this 8688 07:24:09,058 --> 07:24:10,860 patching systems and processes I forget 8689 07:24:10,860 --> 07:24:13,320 how many thousands of patches Google is 8690 07:24:13,320 --> 07:24:15,900 rolling out like per week on Google 8691 07:24:15,900 --> 07:24:17,638 Chrome as they do this sort of like 8692 07:24:17,638 --> 07:24:20,400 rolling A/B testing and everything 8693 07:24:20,400 --> 07:24:22,500 almost no other company can match that 8694 07:24:22,500 --> 07:24:26,458 and it's unrealistic to expect them to 8695 07:24:26,458 --> 07:24:28,138 here's why I'm actually okay with 8696 07:24:28,138 --> 07:24:30,000 telling most people yeah go ahead update 8697 07:24:30,000 --> 07:24:31,860 all 
your software all the time 8698 07:24:31,860 --> 07:24:33,660 most English-speaking people in 8699 07:24:33,660 --> 07:24:35,280 English-speaking countries and Five Eyes 8700 07:24:35,280 --> 07:24:36,780 countries and everything 8701 07:24:36,780 --> 07:24:39,840 Google Chrome Windows 10 and Apple iOS 8702 07:24:39,840 --> 07:24:42,240 that's their entire world so yeah take 8703 07:24:42,240 --> 07:24:44,100 those 8704 07:24:44,100 --> 07:24:45,660 okay 8705 07:24:45,660 --> 07:24:48,000 the closing what do we do with this well 8706 07:24:48,000 --> 07:24:49,440 there are a few takeaways we talked 8707 07:24:49,440 --> 07:24:51,420 about how if there's something that 8708 07:24:51,420 --> 07:24:52,860 you're like we always do it that way 8709 07:24:52,860 --> 07:24:54,660 that's a really good opportunity to 8710 07:24:54,660 --> 07:24:55,920 challenge it and say where's the data 8711 07:24:55,920 --> 07:24:58,500 behind that is the data just surveys of 8712 07:24:58,500 --> 07:25:00,900 opinions is it a few anecdotes you know 8713 07:25:00,900 --> 07:25:03,000 the the plural of anecdote is not 8714 07:25:03,000 --> 07:25:04,680 evidence 8715 07:25:04,680 --> 07:25:06,540 um and you know starting to bring data 8716 07:25:06,540 --> 07:25:08,520 to it and it's not difficult to get a 8717 07:25:08,520 --> 07:25:10,138 lot of this data 8718 07:25:10,138 --> 07:25:11,878 when you don't have data that's what 8719 07:25:11,878 --> 07:25:14,218 Bayesian statistics are for 8720 07:25:14,218 --> 07:25:17,520 um the other thing is that there is a 8721 07:25:17,520 --> 07:25:20,400 silver lining to all of this 8722 07:25:20,400 --> 07:25:22,740 and the silver lining is 8723 07:25:22,740 --> 07:25:26,580 we're facing a global recession 8724 07:25:26,580 --> 07:25:29,700 that's right that's the silver lining 8725 07:25:29,700 --> 07:25:33,620 what that means is we're already seeing 8726 07:25:33,620 --> 07:25:38,040 infosec orgs getting huge cuts in their 8727 07:25:38,040 --> 
07:25:40,260 budgets and I know you're like Mudge this 8728 07:25:40,260 --> 07:25:41,878 doesn't sound like a silver lining yet 8729 07:25:41,878 --> 07:25:43,978 huge cuts of the budgets we're seeing 8730 07:25:43,978 --> 07:25:47,458 entire teams being lost and dropped 8731 07:25:47,458 --> 07:25:49,500 what's going to happen is part of the 8732 07:25:49,500 --> 07:25:52,020 evolutionary process the teams and 8733 07:25:52,020 --> 07:25:54,240 companies that make it through are the 8734 07:25:54,240 --> 07:25:55,320 ones that are going to be able to 8735 07:25:55,320 --> 07:25:57,600 quantify and understand which things 8736 07:25:57,600 --> 07:26:00,000 they're doing that are actually yielding 8737 07:26:00,000 --> 07:26:02,638 disproportionate value and impact to 8738 07:26:02,638 --> 07:26:05,218 their environment not the amount of 8739 07:26:05,218 --> 07:26:06,780 effort they put into rolling out a 8740 07:26:06,780 --> 07:26:08,700 product but what that product actually 8741 07:26:08,700 --> 07:26:12,180 did for changing in a quantifiable and 8742 07:26:12,180 --> 07:26:14,520 easy to convey way to the executives of 8743 07:26:14,520 --> 07:26:16,020 the board and they're going to keep 8744 07:26:16,020 --> 07:26:17,520 those and they're going to cut the other 8745 07:26:17,520 --> 07:26:19,080 ones 8746 07:26:19,080 --> 07:26:21,478 the majority of teams in leadership out 8747 07:26:21,478 --> 07:26:22,558 there 8748 07:26:22,558 --> 07:26:23,160 um 8749 07:26:23,160 --> 07:26:24,900 aren't doing that they're not going to 8750 07:26:24,900 --> 07:26:26,520 do that and at best they're going to 8751 07:26:26,520 --> 07:26:28,260 randomly choose what to do or they're 8752 07:26:28,260 --> 07:26:29,760 just going to look and see what their 8753 07:26:29,760 --> 07:26:31,138 next door neighbor is doing or the other 8754 07:26:31,138 --> 07:26:33,540 or the other company is and they're the 8755 07:26:33,540 --> 07:26:36,718 ones that are at risk of going extinct 
8756 07:26:36,718 --> 07:26:39,540 so there is an opportunity right now 8757 07:26:39,540 --> 07:26:41,400 to go get some data go get some 8758 07:26:41,400 --> 07:26:44,100 measurements you don't need 8759 07:26:44,100 --> 07:26:46,680 ultimate very fancy stuff this is basic 8760 07:26:46,680 --> 07:26:49,260 math stats probability 8761 07:26:49,260 --> 07:26:52,020 and use it to try and evolve the 8762 07:26:52,020 --> 07:26:55,320 industry so that's it there are one two 8763 07:26:55,320 --> 07:26:57,298 three four something like that beers up 8764 07:26:57,298 --> 07:26:59,820 here please help yourself enjoy the 8765 07:26:59,820 --> 07:27:02,820 happy hour thank you all so much for 8766 07:27:02,820 --> 07:27:04,440 everything you've done for the industry 8767 07:27:04,440 --> 07:27:06,000 for myself 8768 07:27:06,000 --> 07:27:06,810 um I love you 8769 07:27:06,810 --> 07:27:13,060 [Applause] 8770 07:27:14,298 --> 07:27:16,920 all right folks so that is the last 8771 07:27:16,920 --> 07:27:20,040 speaker for tonight uh or today it's 8772 07:27:20,040 --> 07:27:22,860 it's it's still light up uh but this 8773 07:27:22,860 --> 07:27:25,138 does kick off the happy hour 8774 07:27:25,138 --> 07:27:28,320 um it starts now it goes till seven we 8775 07:27:28,320 --> 07:27:30,120 are going to kick you out at seven the 8776 07:27:30,120 --> 07:27:33,058 bartenders will stop serving you uh but 8777 07:27:33,058 --> 07:27:36,240 very graciously uh Mudge and our 8778 07:27:36,240 --> 07:27:38,520 sponsors have covered this we want to 8779 07:27:38,520 --> 07:27:40,740 thank the sponsors the speakers and of 8780 07:27:40,740 --> 07:27:43,740 course all of you uh number one rule 8781 07:27:43,740 --> 07:27:46,860 though is to help your bartenders 8782 07:27:46,860 --> 07:27:49,230 thank you we will see you all tomorrow 8783 07:27:49,230 --> 07:27:55,259 [Applause] 8784 07:28:01,330 --> 07:28:14,159 [Applause] 8785 07:28:20,660 --> 07:28:33,460 [Applause] 8786 
07:28:44,020 --> 07:28:47,189 [Applause]