>> Yeah, alright. Thanks everybody for coming, it is super exciting to be here. It's been a few years since I had a talk here at DEF CON and it's great to be back. I'm Michael Ossmann of Great Scott Gadgets and I make hardware for hackers. I spend my time completely devoted to building open source hardware primarily for the information security community and for other innovative people. So this is the NSA Playset: RF retroreflectors. Hopefully some of you have noticed this is not the only NSA Playset talk on the schedule. Some of my cohorts are in the front row here, they have talks coming up soon. The concept of the NSA Playset is now that the catalog has leaked and it leaked last winter, we in the open security community suddenly have a glimpse of what the NSA uses or at least in some cases, their hardware and software as attack tools and the implants, hopefully some of you have seen, the concept of the NSA Playset is now that we know those things, let's build them ourselves. Let's create similar capabilities using open source hardware and open source software, anything off the shelf, anything that is readily available, very accessible, try to make this stuff easy to use and try to raise awareness about the security implications that ‑‑ of these technologies existing at all. I gave a talk with Dean Pierce, who's in the front row here, at ToorCamp, the URL is up there, you might be able to read it, the color is a little off, but most of my slides are black and white anyway, so who cares. If you're interested in a little bit of a background in the NSA Playset and a broad overview of what is in the ANT catalog and how we think these things can be made in the open community, that's the best place to start, that's the introduction talk to the series. And this weekend here at DEF CON, a number of us are doing talks on specific parts of the NSA Playset. Today I'm talking about RF retroreflectors. And last night, by the way, how many of you were at the EFF Summit? 
The Summit last night? Yeah? Really? That's it? At the Summit, I know a lot of you were there and a bunch of us from the NSA Playset donated a whole bunch of hardware. We made this cool playset bucket, it has HackRFs [indiscernible] in it, it has IME's, PCI Express attack tools, Thunderbolt attack tools, it has a hard drive full of rainbow tables for GSM, on and on and on, a huge kit. And it went for $2,250 in the auction last night. So thanks to everyone who contributed. 
 >> [Applause]. 
 >> And who bid on it. Is the winner of the auction here? No? Well, I'd like to shake your hand at some point. That was pretty amazing that we were able to pull together and do that. So my talk today is on RF retroreflectors, similar to those that are in the ANT catalog, and an RF retroreflector, and I never heard the term RF retroreflector before the ANT catalog leaked, so I have kind of adopted it, but it's a little implant that modulates an incoming radio signal and reflects it back to the radar device illuminating it. So the attacker is on the left, it fires a radio wave at the target. The target has a little implant that reflects the radio wave back to the radar unit being used by the attacker. The process of irradiating a target is often called illumination, think of it as shining a light on the target, except the light happens to be radio wavelengths instead of visible wavelengths. Otherwise it's the same thing. You are shining a radar beam at a target, illuminating it and seeing what gets reflected back. And then the implant is some very small device that is designed to modulate the reflection. And this can be done at extremely low power, which is one of the reasons that this approach is useful. It can be done with no battery, for example. It can be completely powered just by the radio wave itself. So it's a super simple kind of implant design that is very low power and uses a very small number of components. So it can be tiny and it can be without any local battery source. So that's the kind of thing I'm talking about today. I kind of wanted to set the record straight a little bit. One of my earlier talks got some press and some people were writing that I was reverse engineering tools in the NSA ANT catalog and I don't think that's actually correct. I don't have any devices from the NSA. I don't have any inside knowledge of devices used by the NSA. 
All I have is the information that's in the public leaked ANT catalog that anyone can find leaked on the Internet. So I'm not really, I don't really feel that I'm reverse engineering the NSA's tools. I'm forward engineering tools that have similar capabilities to those that the NSA uses. And hopefully this will help us in the open community create a set of tools that we can use to research this kind of capability and find out how it works and how well it works and what the implications are and whether or not these things can be made much ‑‑ in the future, much more sophisticated than we know of now. So in this talk I will cover leaked classified information from the ANT catalog. I don't think I've put any screenshots in here from the ANT catalog, but I'm going to talk about things that I observed from the ANT catalog. So if you don't want to hear about leaked, classified information, you can leave now. Anyone for a game of spot the Fed? I am going to show you in this talk a few hardware designs for my own retroreflectors and I'm going to tell you how to build your own retroreflector right here at DEF CON, if you want. I'm also going to do a live demonstration. And really kind of the reason I'm doing all of this is to lure you here so that you can listen to me rant about the state of emissions security. Emission security is the field of security where we study emissions from devices and a fair bit is known in the public research community, the hacker community, about passive attacks. But not very much has been known historically about active attacks. And today I'm talking specifically about active attacks, where an attacker actually transmits something towards the target. The passive attacks that we know about, you may have heard the code name TEMPEST. And sometimes people apply the word TEMPEST to all emission security, but really it's a code name that relates specifically to unintentional emissions. 
Now there are all kinds of different unintentional emissions, there are RF emissions, there are conducted electrical emissions, thermal emissions, audio, all kinds of things. There are all these different little side channels where somebody might be able to pick up some kind of unintentional emission and from that information figure out something about the state of the target and in some cases figure out extreme information about the state of the target, like reproducing what's on a video screen or capturing key strokes and so forth. So there's a fair amount of research in the area of passive emissions security attacks. And if you want to get started reading about these things, probably the best place to start would be the writings of Markus Kuhn. I do think there is quite a bit of opportunity in the field of passive emissions security for future research. There are lots of things that are unexplored at this time. However, we at least have a little bit of information and a little bit of public research and you can find papers. That's not true so much for active attacks. Active attacks, the main thing that we've known about for years is that everybody always talks about being the prime example of active emissions security is The Thing, the Great Seal bug. This was a bug that was discovered inside a wooden carving of the Great Seal of the United States in the U.S. embassy in Moscow and information about this bug was released publicly in 1960. It was supposedly discovered in the early 50s and may have been implanted as early as 1945. So this is ‑‑ this is technology from the mid to early 40s. And it's an incredibly simple device. It consists of a microphone and an antenna, and that's it. It doesn't have any active components whatsoever. It simply is a condenser mic, which is a capacitor that changes its capacitance based on the air pressure. 
And that is connected to an antenna in such a way that the air pressure, the changes in the air pressure modulates the impedance connected and that modulates a reflection that comes back to a radar unit that is illuminating this device. In some ways it's very difficult to detect because it's not active most of the time. If you looked around to try to see, like before a big meeting, if you went around looking for any bugs that were transmitting, you would pick up nothing from this thing, but once the meeting starts, then your attacker starts illuminating the device with the radar, then suddenly it is active. And it uses no power, no local power supply whatsoever. And it's a pretty incredible invention for the time. The next thing I think everybody has heard about now since we have had these RF retroreflectors in the ANT catalog, what happened between The Thing and the ANT catalog, we have 53 years of rumor and speculation. And I wish I was exaggerating. But really if you look for hard evidence, if you look for example designs, if you look for somebody who did an actual experiment to show how an active emissions security attack works, you'll find almost nothing between 1960 and 2013. It is such an unbelievable gap. We are decades behind the intelligence agencies in our basic understanding in threats against our own systems. Now some people will argue with me, some people will say otherwise, they will say, oh, I know all about these active attacks and they will rattle off code words and mention declassified documents and, you know, I say to them, BOCGGOFO. Because, yeah, we've had a lot of hints, we've had a lot of hints from declassified documents over the years. We have had a lot of speculation, but show me the one place where someone has done a research paper, show me the one place somebody has given a conference talk, released a hardware design, done an experiment, published the results. And I personally have not found any. 
I would love if somebody ran up here and proved me wrong. That would be amazing. I've been looking, but I have not found it. Now one thing I found, a brief mention in the paper Soft Tempest by Markus Kuhn and Ross Anderson, they do mention an attack where a keyboard cable, a computer keyboard cable was irradiated and key presses were detected by the return from that cable. Now this I would put in the category of rumor and speculation because it is one brief mention in a paper about other things. And it comes from a declassified German document. As far as I know, no one has actually tested this in a public experiment. And one of the interesting things here is that this is apparently irradiating or illuminating an unmodified keyboard and cable. Unmodified, no implant was intentionally installed in the target. The equipment, out of the box, was vulnerable to this attack, which is quite interesting to me. And there were some hints in the ANT catalog that suggest similar attacks are possible on other things. For example, there's a VGA video implant that is a retroreflector for picking up the video signal. And on the page describing that implant, it says that it provides an enhanced return, which suggests to me that they get some kind of return sometimes from VGA cables without enhancing it. That's very interesting, I think. Post ANT catalog, just this year, there have been some public, on YouTube, some experiments that this one person, GGPPR has posted, so I recommend you check those out. As far as I know, he and I are the only ones playing with this stuff and talking about it publicly. So today I'm releasing open source hardware designs for actual implants and I'm teaching you how you can build them yourself and how simple they are. And I'm going to do a live demonstration on stage, which hopefully will work. 
And I mentioned just a second ago that there may be capabilities, maybe possibilities of making this kind of retroreflector attack work without actually implanting a target. And so I would consider that a case where we have an unintentional retroreflector, which is my bottom row there. There's also a case where we have an intentional retroreflector, where we have some kind of implant we install in the target. And then there are other cases in these columns. What I'm doing today is I'm intentionally illuminating, firing a radio wave at the target. But there are also other cases where a target could be unintentionally illuminated. For example, everybody is walking around carrying mobile phones that put out far more radio energy than my test system up here. So if people ‑‑ so if you're walking near a device that is vulnerable to this or is implanted so that it's vulnerable to retroreflection, then you may be unintentionally illuminating it and causing it to create a reflection that an attacker can pick up. And these types of attacks, you know, we've seen hints of, we've heard rumors about, but I don't know of any research into any of these categories really, I don't know of any publicly demonstrated experiment‑like ‑‑ except for what I'm doing today, just in that one category. So this is a wide open research area. There's a lot of opportunity. And what I'm doing today is scratching the surface of that one square in the grid. A quick note about the term retroreflector. In the ANT catalog it's spelled with a hyphen, but I don't know why because you look around at other literature, you'll find that it's actually a fairly common technical term without the hyphen. So I have adopted it without the hyphen, because that seems to be the common usage everywhere other than the NSA. But I am adopting the term retroreflector, which is a little bit of a stretch maybe. 
The word retroreflector means reflecting something back to its source ‑‑ for example, when you are driving down the highway at night and your headlights hit the road sign, the road signs have a retroreflecting coating on them so most of your light from your headlight comes back to you and the road signs look very bright. But somebody standing off to the side of the road who is not back near the source of light, doesn't see the road sign illuminating so brightly because of that retroreflective surface that somehow reflects that light back towards the source that it came from. And this technology, if you want to see a really cool application of that, optical retroreflection, the castAR project is doing a wonderful augmented reality sort of system that takes advantage of that type of optical retroreflection. So a radio retroreflector, in my opinion, would reflect most of the energy back towards the source. And that doesn't actually appear to be what the devices in the ANT catalog are doing. They appear to be using very small, not very directional antennas. And so they're reflecting, yes, but they are kind of scattering energy in a lot of directions and not particularly back towards the source. Now with bigger, more sophisticated antennas in the implant they could be more retroreflective. So, just be aware that that term is used a little bit loosely here but I've adopted the term RF retroreflector just because that's what they are called in the ANT catalog. If you want to find out more about how this method works, then back scatter is probably more the search term you would want to use instead of retroreflector. There's a lot of public research on RF back scatter communication. Can anybody tell me the year of the first paper on RF back scatter communication? Anybody know? Nobody? I'll give you a free retroreflector. 
 >> [Off mic]. 
 >> I didn't hear it. Sorry, guys. 
 >> [Off mic]. 
 >> 1948. 1948 there was a paper called Communication by Means of Reflected Power. And realize this was after The Thing was deployed. So the very first public research paper on this means of RF retroreflection or RF back scatter communication didn't happen until well after The Thing was deployed. So that thing was a pretty cool invention for its time. Now there was research into optical back scatter prior to this but this is the first paper I can find on RF back scatter. There's a lot more research over the years since 1948. And in particular, over the last couple of decades, if you look for any UHF RFID technology, UHF is a range of frequencies that is used by the RFID tags that get longer distance, longer range. The really close range, the stuff that you have to have very close proximity for is down in the low‑frequency, LF or HF. UHF RFID tags are a little more similar to the type of things I'm using and the NSA seems to be using. In fact, most of the NSA implants seem to be working in the UHF band. So if you look at designs for the UHF RFID tags, they are very similar to the type of design you would want to use for building a retroreflector. Now I have to have a retroreflector, but I also have to have a radar system. I have to have a means of firing a radar beam or illuminating a target and picking up the return from that target. There's plenty of off the shelf radar gear, a lot of it is pretty expensive but you can find things like a police radar. I got an old police radar off eBay for, I don't remember, 50 bucks or something like that, not that much. However, police radars are typically up above 20 gigahertz, which is an order of magnitude higher frequency than the NSA seems to be using based on the ANT catalog so maybe that's not the best approach. One of my favorite devices is the Hot Wheels radar gun. You can find these on eBay for 25 bucks and they operate at 10 gigahertz, which is at least closer to the frequency range that I'm interested in. 
And they're just fun to play with. The device is made up of kind of three separate parts. There's some ‑‑ there's a battery compartment, the wave guide antenna, the big tube, and on the right hand side of that the circuit board. And then a separate circuit board on the back with the microcontroller and the LCD. The microcontroller board is the part that typically fails. So if you get a broken one, it doesn't matter because all you really need is that radio board that has that little black cable coming out of the back of it on the right. And that little black cable has 3 wires in it and all you have to do is apply power to it and you get a base band signal on the third wire. You can plug it into an oscilloscope or you can plug that into a HackRF or into a sound card even and measure the return that it's getting. So it's a pretty cool device for experimentation. And, you know, it's really easy to add that base band output. I recommend checking out that website if you want to find one of those and learn how to take it apart, which is a little annoying. There's also, I've noticed, quite a few devices that you can find that are very similar to the Hot Wheels radar gun, but in a smaller package, they don't have the whole big wave guide antenna, they don't have the plastic and trigger and everything. They are designed as modules for people to use in their own little electronics project. If you search eBay for Arduino radar, you will find a few of these things shipping from Hong Kong and they are only a few dollars so that is an interesting option. They are at the ten and a half gigahertz band, which is higher than the devices in the ANT catalog. The coffee can radar is pretty cool, from Greg Charvat, and various other friends that have posted information about that design, or that family of designs. There was a talk here at DEF CON a few years ago on the subject. 
It's cool except it's typically used with capture ‑‑ base band capture using a sound card, which is low bandwidth and isn't sufficient for some of the targets, the higher bandwidth targets that I'm dealing with. So it has potential. Also it has some circuitry to do FMCW radar, which is more complicated than the simple CW radar that is all you need for this type of application. So what I'm doing primarily is using HackRF One which is my own design SDR platform. By the way, if any of you backed HackRF on Kickstarter, I'm happy to announce they have all shipped. 
 >> [Applause]. 
 >> Yeah, whoa! Although some of the shipment notifications have been delayed, but the units are actually shipped. So I'm using HackRF primarily which is a software defined radio peripheral that connects to a host computer. It's open source hardware so anyone can build this, anyone can get them and extend the design and I think that's important when doing anything sciency. The official operating frequency range is from 10 megahertz to 6 gigahertz. If you want to know a thing about the unofficial operating frequency range, come to my talk at the Wireless Village tomorrow. The base bandwidth is 20 megahertz, which is 3 orders of magnitude higher speed than a sound card. I was talking about how the sound card input really isn't fast enough for some of the targets that I'm interested in, but 20 megahertz is quite a bit of bandwidth. Not as much as the ANT catalog radar devices, but it's enough to be able to do some really interesting experiments and it's a half duplex transmit receiver which means I can transmit or receive but I can't do both at the same time which is why I have two units up here, one to transmit and one to receive. So my super sophisticated cardboard test apparatus holds two HackRFs and two directional antennas. These PCB antennas. I've actually split this up here so I can have these antennas pointing different directions instead of being parallel. I can make a triangle out of them and we'll see how that goes. And I'm using a frequency of 2482 megahertz, 2.482 gigahertz. It's right at the top end of the 2.4 ISM band used by Wi‑Fi and Bluetooth, however, just above the frequency used by Wi-Fi and Bluetooth in the U.S. So there's a little bit of room at the top of the band that isn't getting used by a whole lot. And the NSA, according to the ANT catalog is using frequencies in the range of 1 to 4 gigahertz, so this is kind of right in the middle there. 
And it just so happens that range happens to be in the kind of center area of the HackRF where I get the best HackRF performance around 2.5, 2.4 gigahertz, that band is where I get the best performance and it's also easy to find off the shelf filters and amplifiers if you want to experiment with amplifying these things for example. Although you have to be careful about that, I'm using unamplified HackRF for my demo here today. This is a pretty good operating frequency and this is what I've done most of my testing at for this variety of reasons. The first retroreflector that I built is called CONGAFLOCK. I don't know if you guys can see it very well, but up there across the top, those numbers are centimeters. And between those two orange pieces of wire, there's a little tiny piece of circuit board. I know what you guys are wondering, how in the world did this thing get to be so huge? It's giant. It's giant for a number of reasons. The first retroreflector I made, the very first one, was just a bare transistor that I soldered some wires to. And then I decided well, it's good to have a PCB, a substrate, that kind of holds everything together and gives it mechanical stability. And then I wanted to have a few extra components so that I could experiment with some things, I'll talk about in just a second, and then even after doing that, it turned out that the circuit board was less than half the minimum size requirement from OSH Park, my favorite PCB maker, so I had to double the size. But at least that gave me some room to put some silk screen text on it and give it a little bit of a handle so I can put it into my bench vice and work on it a little bit. So I'm going to go over the hardware design here. I usually go over electronic schematics in detail in a talk like this, but this one is simple enough that I think it's worth going through in detail. 
The first thing you need to know, the thing in the middle, the funny little thing, Q1 is a MOSFET, a type of transistor. And then all of the various long rectangles are resistors or they are places where you can put a resistor or some other passive component. However, the one on the upper right, R1, that's a do not populate component. It's just something I put there, it's a footprint I put there just in case I wanted to experiment with putting a different impedance in that spot. So we can ignore that. It's not populated. And the two at the bottom are not populated, but they have a little bypass through them where you have to cut the bypass if you do want to populate. Those two at the bottom are there in case I want to change the circuit in the future. So we can ignore those, those don't really exist in the circuit. And then the other resistor there, the only purpose of that 10k resistor is just to protect the gate of the MOSFET and it doesn't really affect the way the circuit works much, other than providing the protection. And the MOSFET itself, the ones I'm using typically have built‑in protection, so we can ignore that, too. And what we're left with is an incredibly simple circuit with an antenna connected at the top, the target device connected on the left, and the MOSFET in the middle. A MOSFET is just a transistor and you can think of it as a switch, when the gate, which is the input signal from the target device, when the gate is going up and down in voltage, the MOSFET switches on and off the antenna. That's all this thing does. It just switches on and off the antenna according to a signal that comes from the target. And that creates a change in impedance on the antenna that modulates a reflective signal from that antenna. So it's incredibly simple. It's a one component circuit. 
And I can use this as a general purpose retroreflector and connect it into whatever device I want as long as that input is swinging through a couple of volts, at least, when typically target devices will have 3.3 volts or 5 volts, that's plenty to drive this thing. So I made a few and they are really small. So I made 1,000. And if you want to make one, I have this whole kit together here that I'm going to deliver to the Hardware Hacking Village that includes the circuit boards, the MOSFETs, some wire you can use for the antenna and some wire strippers/cutters. And this is what you do if you want to build your own. All you have to do is, the first step is break off a PCB from the panel. That's a little more annoying, they are not scored very well, but find a nice sharp edge on a table and you can break these things off. Then you cut two antenna wires and you want to make them about an inch long for operation in the 2.4 gigahertz band. There's a nice little guide I have Sharpied on to the bin here. And so cut two of those and solder the MOSFET on to the board and solder the antenna wires on to the board. And then you might as well solder the other couple of wires on to the other two little pin headers because you're going to need something in there to connect to a target. So if you solder a short little piece of wire, you can put alligator clips or whatever to it or solder your other end to your target. So it takes a little bit of electronics know‑how. And I apologize, these things are a little harder to solder than they could have been and harder to break apart than they could have been, so if you do try this, you're going to hate me. But hopefully you'll have fun or at least take home a souvenir. And then I will solder it into something, in this case I took a PS2 cable from a PS2 keyboard and spliced in the CONGAFLOCK to the middle and I was able to get a return off of it that way. So FLAMENCOFLOCK was my next retroreflector. 
It's taking this same design basically and putting it into a convenient form factor for experimenting with PS2 keyboards. So all it does, it has two PS2 connectors, you can kind of see one of them in the photo there. I have one up here. It has two PS2 connectors and a retroreflector in the middle. So the actual circuit, if you look at the two antenna wires, there's a little black blob right next to them, that's the whole circuit, all the rest is just connector. So if I'm going to sniff PS2, I'm going to be tapping either the clock line or the data line. The clock line we see in this diagram at the top and the data line we see on the bottom. Now ideally we would tap both to recover the data, but I'm only going to tap one and I'm going to tap the data line. And what we have here is a diagram of what the voltage on the line should be for the letter Q, if somebody were holding down the letter Q on a keyboard. And so I'm going to see if I can sniff this using FLAMENCOFLOCK. Let's see what happens. I'm just turning on my HackRF to transmit a couple seconds at a time at 2484 megahertz. And I'm using my other HackRF with this flow graph ‑‑ not this one, this flow graph here. And the long and short of it is I'm going to be picking up the signal and doing an amplitude demodulation. So I'm doing AM. An AM demodulation. Let me see if this all works. Now my ‑‑ I think I'm getting a signal out of it. Now if I were to adjust my target here so everything is well lined up, I'm firing a signal at it with one of these antennas and I am detecting a signal from the other antenna. And I'm running a little short on time here, but hopefully this works. I'm going to look at triggering this. This is basically an oscilloscope that I'm looking at, a software oscilloscope. And see what happens if I hit some keys. Oh, I'm getting something changing, but it's not looking very good. So this is a total demo fail. 
Probably because I spent all last night trying to raise money for the EFF and I spent all of this morning trying to help kids solder the LAN taps at the r00tz Asylum. Ah‑ha, I think I actually got something. I'm going to change my counts per division here. And oh, there we go! Let me see what's going on. If I ‑‑ well, you're not actually seeing what you should be. 
 >> [Applause]. 
 >> So don't clap yet. It's really close to working. This is a little finicky because I have highly directional antennas and if they are not aimed very well, then this may not work particularly well. I'm definitely getting something, but I'm not sure that I'm actually getting ‑‑ like I'm totally not seeing the letter Q yet. So I'm just going to show you a screenshot from a previous run and move along. In a previous run I did looked like that. And do you notice the three downward pulses and then the one wide pulse? This is what it was supposed to look like and it looks like that. It's very recognizable. So I'm running short on time so I'm not going to be able to do a better job at my demo, unfortunately. I'm going to show you the rest of my retroflectors. Tangoflock is a retroreflector for USB. And I use it to monitor USB keyboards in particular because they are low speed USB devices. I've briefly tested low speed devices and I figured out, yes, I'm getting a signal with characteristics that look like low speed USB, but I have not actually decoded bits. Although I have decoded bits from the PS2 cable. Full speed USB, which is kind of the next step up in speed probably works with this implant. I doubt that high speed would work and you would need much high bandwidth collection platform than hack RF. Super speed definately doesn't work, you would need some kind of incredible system for that and I don't even connect the wires. So Salsaflock is the next one I have. The Def Con speakers ops were totally awesome to get me an extra VGA projector and I'm totally not going to use it because I'm running out of time and it probably wouldn't have gone any better than the PS2 demo. But I have this little device and again, it's a fairly simple circuit that gives me big connecters, that makes it convenient for experimentation. This circuit is a little bigger, it has more components in it. The reason for that is VGA signalling is for lower voltage. 
There isn't enough voltage swing in the VGA signal. It's too low voltage to trigger the MOSFET's gate. So I have to do some biasing of the MOSFET to get it up to voltage. But I have gotten to the point with this that I can detect a VGA signal and I'm in particular tapping the red signal and I can very easily detect the vertical sync happening every 60 hertz or something if I refresh and I can definitely see patterns within that, so there's some potential for recovering the image on the screen. Now how much of an image I can get with only doing 20 megahertz sampling with the HackRF, I have not determined yet. It may only be useful when the target has a low screen resolution, which means it has a slower pixel clock and you would need a higher speed sampling rate in order to target higher screen resolutions. But this is an image, this is just a plot. And you see the AM demodulated signal that I got from Salsaflock, you see those tufts there, those individual tufts at the bottom, those happen 60 times per second and this was a 60 hertz screen refresh, so that's why I was seeing the vertical sync. I don't have a whole lot of time to talk about countermeasures which is probably a good thing, because I don't have a whole lot to say about countermeasures. I don't think that we know enough about these threats yet to develop good countermeasures, but we think we need to think about how we validate that our equipment works, how we evaluate that it hasn't been modified or had things implanted in it. We need to know, are we being illuminated or radiated by things? And are our devices prone to retroreflection without being implanted? We don't know any of those things, we have a lot of research to do to be able to do that. There is a talk in the next hour by Leah that looks interesting. He is kind of taking a higher level view of the problem and trying to figure out how to detect this stuff. I want to invite everybody to play along. An invitation to hack. 
I would love if people built some of these here and started experimenting with them. I would love if people took my designs from GitHub and started to build some of their own. If I solder some up this afternoon, we'll have some over at the Hak5 table in the vendor area. Darren was kind enough to give the NSA play set crew an area there and other folks who are doing NSA play set talks are also going to have some things there. We are trying to get tools out to people, if we can. And of course we have the EFF summit last night. I want to remind people, there's a big open field of research. Do be a good neighbor if you experiment with this stuff, know the laws, try to not interfere with people. Doing low power experiments is really easy to do. I have done PS/2 sniffing from one meter with unmodified HackRFs that transmit at much lower power than your Wi‑Fi card in your laptop. So coming soon, later this weekend, Mike Ryan is giving a talk in the wireless village tomorrow on some really cool Bluetooth smart stuff, these are all NSA play set talks, Josh and Teddy are doing a talk on an I2C implant, which is very interesting how you can expose and get to your I2C without opening up your computer. NSA play set GSM from Dean and Lochi on Sunday and PCI express from Joe & Miles on Sunday. All of these I'm really excited about. I hope you check them out. Thank you to Dean for coming up with the name, the NSA play set and for the whole NSA playset crew. Everyone has been great and we're a loosely knit group, we take anybody who comes along and has a ridiculous name for a fun project. Please join us, if you think you have something that fits in the NSA playset we'd love to hear from you. Thanks Jared Boone for helping me troubleshoot some of my retroreflectors not too long ago. NSAplayset.org is where you can find all information on NSA playset. My retroreflectors are on GitHub at that URL. 
I recommend waiting a few days before you download and have PCBs made because I do have a couple of minor corrections I need to make. They are pretty minor. They are things you can fix easily with a soldering iron. And my URL for greatscottgadgets.com is greatscottgadgets.com. So I'm going to have a little Q&A session out by the pool in 15 minutes, so, you know, after I leave here, go look for me at the pool. I'll be wearing this awesome NSA play set T‑shirt that says "My XKeyscore goes up to 11." If you see anybody wearing these shirts, they are probably people doing awesome NSA play set or they are people who supported the EFF last night. Either way, they are cool people to talk to. Thank you all for coming.

"This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings."