[Applause]. Hello everyone, I'm Ryan Lackey, and this is Marc Rogers. The Grugq is not here, as you can see. I think he had severe traveling difficulties; the details are sketchy, so I'm not too filled in on it, but we worked with him on this project for the last year and a while and have been in contact with him, so... I actually work for Cloudflare, a company that does CDN and DDoS stuff. Marc works for Lookout. We're working on this as kind of a side project, a fun thing. The Grugq is an OPSEC consultant and works on a variety of cool projects.

>> I'm mostly the head of security here, so I apologize for shouting at you.

>> [Laughter]

>> So we're excited to be here and show off this cool thing we've been working on. So we're going to go over why you want to hide. We're using software that will let you hide in network traffic. We're going over the principles of operational security, which is really the Grugq's main area of study; he's pretty much the most interesting person in the field, taking how larger organizations learn about OPSEC and applying it to the hacker and activist community and other groups that don't have a huge intelligence arm or anything. We will go over serious OPSEC fails and what happens to people then, how technical countermeasures are used against people, existing tools, travel routers, and how to use these things as safety measures for the tools, and then we're going to bring in the exciting new technology, the travel routers. So, just to start, why would you ever want to hide? If you're doing normal stuff... we're not talking about helping people hide while doing all sorts of bad stuff. You're in your normal life. There are a lot of reasons why you would want to hide. A lot has become much clearer in the last couple of years, especially post-Snowden. But even before that it was fairly widely understood, at least within this community. Part of it is to avoid a global dragnet. You want to make sure that if somebody is monitoring all the communications, you're not swept up in that.
Because the problem is, while you might be doing nothing at all wrong, somebody next to you, or somebody you have a phone call from, or anyone connected to you in a loosely connected way, might do something, and due to how the software works and the scoring, that plus another interaction plus something else, depending on where you live, could actually get you droned. Not just put on a watch list, but a signature strike or something like that. It prevents all sorts of problems, but really it's like: none of your business. Why would you want to be monitored? It doesn't benefit you in any way, so if you can avoid it you should possibly do it.

>> There's also the fact that you are doing something you don't want people to watch. Maybe it's illegal; maybe it's just something where you want to maintain OPSEC for your project, OPSEC for your company. People are actively trying to steal secrets, for both national security reasons and security reasons, and because they want to steal your secrets.

>> And the crazy thing is, people who were in various illegal activities knew this, and people who were in the hacker community knew this, but now there's a whole new realm of people who really need to worry about this kind of thing, people you would never think of as spies or hackers. Journalists, anyone doing any kind of activism in an environment where their adversaries are well resourced: these people have this as a serious concern, and it's crazy, and it's an asymmetric problem where there are people who have these problems now and don't have the resources.

>> There are two important takeaways we get from this. Number one: OPSEC is not new. We like to talk about OPSEC as though it is a new thing that we've discovered. It's probably as old as mankind, and many of the techniques to protect yourself are just as old. The other one is that with the tools and stuff we're talking about, there's no rocket science here. We are talking about using existing tools, existing techniques. [Inaudible].
The difference is we're showing you how you can use them in a seamless way, so you don't have to think about it and you avoid the number one problem: human error.

>> So the Grugq has sort of distilled the basic OPSEC principles, which are listed here. We're not going to go over them, but he's done this many, many times, and it's... okay. So Biggie Smalls actually had a great song about how drug dealers apply OPSEC to selling crack, and it's been analyzed by law professors and everyone else as pretty good actionable advice for people involved in any sort of activity, and it's not just crack dealers who need these. It's people involved in complaining about spying systems being installed in their port system in Oakland, or human rights abuses, or really anything. So it's a pretty universal kind of problem that a lot of people have. But on the other hand, what happens when it goes wrong? This is a photo from Somalia, where the U.S. Marines were going in to intervene and try to distribute aid and food and stuff and get rid of the warlords. They did this opposed beach landing, which they hadn't done since Normandy in World War II, but it was a big opposed beach landing. And unfortunately the media knew about it in advance, so they were doing this landing with a bunch of little rubber boats and everything else, with a bunch of journalists sitting there with cameras waiting for them on the beach, putting the whole thing live on satellite TV so that all the warlords saw it. So that could definitely have gone a lot worse. And... yeah. Then we've got other examples of basic OPSEC failures bringing down an organization that many people thought was sort of a libertarian commercial market.

>> When you look at many of the big busts, the issues that have happened recently, you will see that the OPSEC failures behind them are basic. Really, really basic. Take for example Silk Road, the largest, most successful online contraband market: 957,000 user accounts, 9.5 million coins, and the guy behind it allegedly ran it.
Ross Ulbricht used his personal Gmail account when setting up an account that he then used as the administrator, an account with the handle Altoid. He then used that Altoid account to post jobs, advertising for people to come in and do coding for Silk Road related projects. He also advertised Silk Road using this same account. He later on kind of caught on to this and changed his handle, changed his Gmail handle to Frosty.com, but once you've opened the door, the information is out there. The internet doesn't forget. And if you start building on it, it all becomes fruit of the poisonous tree, and everything you do from that point onwards is tainted. Next one. Sabu: even worse. Sabu, a skilled hacker, knew what he was doing. Except every now and then he would forget and log into IRC. Just once is enough in this day and age. It used to be you could get away with one mistake, but now, in this world where it's possible for people to wholesale capture and store everything just in case there's something interesting, that one mistake will hang you. Perhaps even worse than that, he also used stolen credit cards to buy car parts and had them shipped to his home address. These kinds of OPSEC failures are really obvious. Not surprisingly, he was busted. Mark Karpeles: allegedly, we don't know exactly what's going on, but we do know that around the time they had completely run out of money, there were things he used to prove that they still had liquidity. Those accounts are still around and active. So people started looking at them, and guess what? You follow the chain and look at them, and they still had money in them. Way more than he allegedly had. Unsurprisingly, when people started talking about it, he miraculously found another pile of Bitcoin that he didn't know about.

>> So what are the common mistakes and vulnerabilities here? These are just three examples. There are a bunch more.
Insider threat is the most difficult to resolve and also the easiest to find in almost any organization. People making mistakes, human error, and data leakage: people using the wrong channels for the wrong kind of data. Then there are more serious technical threats. You have people tearing down, either seizing your hardware, or getting semi rather access, or doing live or cold analysis on it. You have people doing network or RF monitoring of your systems. You have people tearing down remote servers. Then you have acts of tampering. These are pretty serious threats, and maybe it's not worth trying to mitigate the most difficult thing. Start with the easy things. Then of course there are the financial audit trails left by any system people interact with.

>> One of the most important things: you can't take care of everything. You can't think about everything. But if you can automatically catch the low hanging fruit and protect a certain segment of your stuff that you don't have to think about, you can then focus the rest of your resources on the more complex problems.

>> So network forensics is pretty widely understood, with metadata of course being the target of almost everything. Metadata is so much easier to process from the attacker side. They don't need to bother translating it into the native language or normalizing the data. It's there, and it's automated and trusted and reliable. So we've seen a lot of recent attacks where metadata really was the focus of the attack.

>> And it is very much the low hanging fruit, as we saw from the talk that was given. Even data that you think is encrypted, such as some of your personal information on the iPhone, is not, because when the device is running, certain segments of the device are unencrypted. That means it's accessible, and in fact the only time the iPhone is secure is when it's powered off.

>> So there's all this data you would attack from a desktop system, or any sort of server you're attacking. It's pretty clear.
And on cell phones, which are basically computers, you have fairly similar kinds of targets. They have some additional threat factors because they connect to telephone networks, and we can tell you horror stories, and the fact that they're with you at all times, taken out of secure spaces and taken back into secure spaces and taken out again over and over, makes them a more interesting threat, but it's not really terribly novel.

>> This is all low hanging fruit. This is easy stuff that can be gotten from almost every cell phone with commonly available tools, without expending too much effort.

>> All this stuff used to be hard. People haven't taken into account that it's changed and become a lot easier to go after. It used to be you had one agency in the U.S. and one in the Soviet Union to worry about. Now pretty much everybody with RF equipment can be your threat. Anybody with a network router in your path can be your threat. Anybody running a service can be a threat. Anybody who gets access to your equipment. So it's a much, much wider population of people tracking you. If you're not attractive to the government as a target, perhaps you are to a different government, or to an individual or organization. It's really the democratization of SIGINT and attacks.

>> One interesting thing from the slide: everyone is talking about Snowden and how everyone is moving to more encryption. It has had an effect on the traffic on the internet. We've gone from, in the U.S., 2.2% deemed to be SSL traffic to 3.8% today. That's a really big increase. Right?

>> A lot of that traffic is unencrypted, which leaves all this data available. Even if the data is encrypted, you can get a lot of information from pure traffic analysis. You can see the source and destination of the target. You can see the type of traffic in a flow, and you can actually, in a lot of cases, get content information from the size of packets, because it's not data dependent, and it's pretty terrifying.
>> What you have to realize is you don't have control over this. The vast majority of this traffic is backend traffic. This is your application talking to the application server. You don't have a choice to say "I'll only use encryption" to the dev who built your app.

>> It's pretty bad when you boot up a commercial operating system on a new computer for the first time and it has all this software you're not familiar with, and you don't really know what's phoning home when. Cell phones are even scarier, because you actually do have pretty good information that they're phoning home all the time. They're always in contact with the tower, and they're relaying an awful lot of information you don't really see as a user, but it's there and it is a threat. And the scary thing is, while you might trust your operator and you might trust your phone vendor, over the air a lot of this data can be gathered just from passive monitoring, and anybody else over the air can do a lot of this stuff. Then we've got examples of when you travel to places like China. It's a great place to visit, but they have a fairly restrictive international firewall, the Great Firewall, and you don't really know where... it's not really one firewall. It's different in every province, and different operators have different policies, but in addition to being monitored there's just the basic problem that stuff is blocked, and it's really annoying when you go there and you want to connect to your services. You want to basically operate like you would at home. You would think just a VPN would protect you and allow you to bypass this stuff, but it's like a whack-a-mole game they play where they block things all the time; it's a pain to deal with.

>> One last thing on the Chinese firewall: they are getting smart about how they look out for VPNs. Before, it was identification of VPN endpoints, and then they got blocked.
Now, as we see with Tor since 2011, they're actively scanning suspected nodes, and they're doing things like talking Tor to suspected nodes, and then they can block it. Now that makes it really difficult; now you have folks who are actively looking for all your tools and blocking them. So whatever you have to do has to be robust enough to protect it.

>> So there are a bunch of tools people use to protect themselves. There are basic principles that make certain tools easier to use and more privacy protecting than others. Tools used by smaller communities, rather than a wider tool, are generally more likely to work in a given scenario, although there's an engineering quality issue: a tool not used by many users is generally not of high quality. Generally I like things that aren't realtime, things that are asynchronous like email based systems, rather than connection oriented systems. However, we really moved to the World Wide Web, and everybody went to connection based systems. And then encryption: even if it doesn't provide you with full protection, it provides you with a little bit of content protection in a lot of cases, even if it's not implemented fully. So if you have the choice, always add encryption. And there are a lot of common tools that can be reconfigured. VPNs were never intended as an anonymity technology; they just happened to be useful in certain circumstances. They do provide some privacy and some firewall busting, just because people don't want to block all VPNs, because it would block a lot of business traffic. It's an interesting thing. And then the really interesting thing is that cheap hardware has gotten so cheap that you can dedicate hardware to a certain task. It's hard to build a secure multiuser, multi-application operating system. It's a much simpler challenge to build a single purpose device and dedicate it to a certain thing.

>> Before we move off VPNs, one amusing thing came up in our discovery as we were playing around.
We discovered that you can actually weaponize it. The Great Firewall works and detects a node doing something it doesn't like, and it floods it with reset packets. And it's not really doing much to validate the source address, so... [Laughing]. It's also quite nice: it floods it with reset packets for sometimes up to 30 seconds. So it's an amplifier. So, oh, I was just playing around like I mentioned, and I watched as the Great Firewall flooded him for the next couple of hours. And he couldn't do anything. [Applause].

>> I think not demoing that live on the stage is a good idea.

>> Although I highly advocate doing this. But carefully.

>> So yeah, we've got things... the other thing is JavaScript. You have to have a separation between your data and code; bad things happen with that, and when the addressing information is combined with the messages, so the OSI stack isn't kept as separate as it should be, or where code is mixed with data, this leads to bad stuff. As we said, cheap hardware is great. It prevents a lot of user errors. The problem with a lot of these secure systems is users use them incorrectly, and if you give somebody a single device and say that's to talk to one other person, it's a much easier user model than needing to enter in a code every time you use it and authenticate them and do all sorts of other stuff.

>> A great real life example of this: literally yesterday, as part of my goon job, I had to provide protection for John Mc. We were walking around with John, who is a colorful character, with his security detail, who are even more colorful, especially the one who remembers faces. And he is talking about the security of his phone. He said he always uses burner phones: "I'm very careful. Once I've used a phone for a certain amount of time I attach it to a (Unknown) and it goes off all around the country and they can follow that, and they always track me down within a couple of days and they can follow me."
I had a chance and I said, by any chance do you regularly call the same kinds of numbers? He said yes. That would be why. It doesn't matter if you're changing your phone if you keep calling your mom.

>> So one of the issues again, if you go buy this hardware and order it: this whole problem, if you order hardware and you're receiving it internationally, say you're the Grugq, the odds are high that that hardware will not come as the hardware vendor intended it, and you probably want to start buying stuff off the shelf that's preconfigured or sort of a commodity thing. It's unlikely they will backdoor every piece of hardware, but the one piece of hardware that the Grugq orders could very likely be backdoored, and cash is great. [Indiscernible]. And the same thing applies to accounts. So VPNs are sort of near and dear to my heart. I ran a VPN provider for a year. Then we shut it down when the (indiscernible) happened. They're definitely a useful tool. There are some concerns. They're not really designed for anonymity, so they don't give it. You have to use them correctly for stuff like that. Of course there's the problem that you trust the operator of the service, one, to be operating in a certain way, and two, it's really, really a bad idea to expect a third party to break the law on your behalf for like $3 a month. It's not going to happen. So you will have data turned over. The third party doctrine in the U.S. means a third party has little ability to protect their customer data if it's sought by another customer. Tor is a great tool. It can keep you anonymous. I believe Snowden has endorsed it; others have endorsed it. It has a recognizable signature and a high profile. Lots of people are looking for it. And it's pretty complicated and not really so simple for users to understand. So you have to build systems on top of it to make it usable. The Tor Browser Bundle and such are great, but you pretty much need additional tools to make it a useful tool. However, it's gotten myself.
If you try to use it in a place like China, they're getting better and better at blocking it if it's the default Tor protocol. Deep packet inspection can block it, and of course if you have an exfiltrated data network that logs everything, there might be a human analyst, and the traffic will be obvious, so whoever sent the Tor traffic... So people realized this is a problem, and there are transports, which are great tools. There are 7 alive, I think that is still accurate, and there are a couple that are much more popular than the others.

>> The benefit of the Tor transports is they recognize there is no one tool that will solve the problem. There's no silver bullet. Whatever solution you use needs to be variable, because if you keep doing the same thing, eventually someone will catch on to it. Plus you get some real genius, and some of these travel transports are phenomenal. The general concept of this is to transform traffic so it doesn't look like it, and the next level is to take the traffic and make it look like some other form of traffic.

>> I will go through this really quickly. A lot of the censorship tools out there are quite crude. What they do is use regular expressions to look at the protocol and make judgments as to what they think it is. If you use those same expressions yourself, you can play to them and make your traffic look like whatever you want. The screen here is transformed traffic that has been put through a transform that makes it look like SSH. It won't stand up to immediate scrutiny. The point is, with this vast volume of traffic going through, the only people who will get that special, extra special scrutiny are the people who popped the red flag. This is about not popping up the red flag. So if your traffic hides amongst the general Tor traffic, there's going to be no reason for them to dive deep enough to say this is suspicious.
>> And there's an additional tool, where if you have a cooperating endpoint on the other end, you can actually, like Google App Engine, I've talked about this with Cloudflare, various providers, you can encode your traffic as normal HTTP traffic, put it inside HTTPS, and you can make it look like it's going to a regular website and do cool stuff there, so... Then I guess the ultimate thing is to make it look like natural language. Banana phone does this. Obviously it won't stand up to a human analyst looking at this after the fact, if you aren't routinely sending literature back and forth to someone, but you can imagine a scenario where there's an automated system, or you built a system on top of that. And there are of course the classic network tools that are primarily used for getting around things like captive portals, authentication systems where DSL huddle, at a hotel such as the Rio, and these are pretty cool.

>> The point of going through these is these are the tools we looked at for building the travel router. The travel router itself: there really isn't that much to it. We looked at all the best tools out there and built them into this as a library, so you have an OS build that's going to sit on a device. You can carry it anywhere. It's tiny, and all these things will be available to you to choose. And we're hoping to build some intelligence into it as well, so it makes choices for you, to say: are you sure you wanted to select that? That might not be the best thing here.

>> There's no silver bullet, so it's a bunch of separate tools combined. So as we were thinking of this, we tried to figure out, because we had the practical concern: we travel a lot and go to places, and we're not the most interesting targets. I know a lot of people who are greater targets, and it's really difficult. I can build something I can use myself, mostly out of existing software.
But building something I can have somebody else use, that's easy for them to use, simple, so that I don't have to then go with them all the time, is a much harder problem. We looked at a lot of VM systems. VMs are great, but the problem is, if something gets subverted in the top level operating system, there are problems. The fingerprinting stays the same, and then there's really no way to know that the system is intact. I work with TPM and it's still not quite there. And the other problem is this stuff is expensive: if you build it out of pure software on dedicated high end laptops, virtualization with a bunch of 16 GB RAM MacBook Pros, you can't afford it. Most of the people who really need this stuff are also people who are not rich. They're also not willing to throw away a $3,000 laptop. So it wasn't really the most ideal target. So we looked at something that would provide much of the same protection but be a lot cheaper and a lot easier to support. Ideally something people already have to use, and we came up with a secured travel router being the sweet spot. They're pretty awesome. I have a whole box of them. They're about $20-100 each. They are made by a bunch of vendors: TP-Link, Linksys, D-Link. All the low end network companies make this stuff. They're available everywhere. A lot of people use them when you go to a hotel and you have to pay per WiFi device; this lets you share a wired connection in a hotel with a lot of connections. There's a lot of really cool stuff you can do, but they weren't explored as a security tool very much.

>> One of the problems we have is the hardware is variable. So some of them have flash memory, some have no flash memory. So the code... we, the next version, is going to have another kitchen tool, and what you'll do is put in the version of travel router you're working with, how much resources it has, and it will look it up in the library and tell you which modules you can then select.
So you can have Tor plus these transforms, and if you don't have secure voice you can have these other things added in, just enough to squeeze it in without filling it up.

>> We've used a lot on that. There's a lot of open source firmware. I think the 54D was the granddaddy, where it came with crappy firmware. Fortunately wireless hardware has moved on to newer stuff. That whole wireless hacking community has been going for a while. The EFF started working on a project to make secure routers for home use, primarily focused on protecting them from outside threats, as opposed to using them as security tools themselves, and that's a huge improvement over the status quo of even a year ago. The problem with these things is they're embedded systems, like a billion different ones of them. They're too weak and it's a pain. It's not a huge pain like dealing with truly minimal resource embedded stuff, but still not the easiest thing to use. Other people worked on this before. There's the Safeplug, which is cool. They have four. They don't do pluggable transports. It's more for home use. Onion Pi, which another company has, is like a learn-how-to-do-something project. It uses a device, a Raspberry Pi, and has external hardware, and I had been looking at this stuff individually, and he talked to the Grugq, and I realized the guy who was working on it was the one I had talked to, so it was an obvious thing to do.

>> There is only one Grugq.

>> It's not that rare of a name. So we worked on this. The original PORTAL from a couple of years ago had pluggable transports, but it was a pain to install. And it did a lot of stuff, but it wasn't like an all in one thing. So out of this full range of hardware we needed to come up with an initial piece that we needed to support. It was awesome, but the problem is... it's an awesome piece of hardware.
We wanted to have a prebuilt image with multiple ports, and we wanted to power it off USB, because you can use USB batteries and power it off your laptop, and you can use the Nexus 7 or a cell phone, and you want your mobile phone to talk to this device, which has a WiFi connection or a 3G connection plugged into it. So having something that can be battery powered is great, but putting a battery in a small cheap device is more of a consumer engineering challenge. So we're not all hardware guys, so we try to make it as simple as possible. And obviously it needs to be easy to use. But there are some problems. A lot of the hardware is designed to be as cheap as possible when you make it in like million unit quantities. The price difference between like a 64 MB chip is snacks at those quantities, so they put the minimum on RAM, the absolute tiniest flash they can do, and we wanted to have multiple radios and Ethernet. It wasn't really a common use. The other problem is we're in the middle, and USB 2 is still the most widespread power protocol we can use, so we're limited to 500 milliamps. Quality is really, really bad. They're using antennas, and then we wanted to make it ourselves, but making a quantity like a thousand... making small quantities is easy because you can make it yourself. Making a hundred thousand or a million of something is also fairly easy because you can justify amortizing your debt costs, but making a thousand of them or 5,000 is still a pain point. And we looked at the cost of making them, and you can buy the travel routers for a hundred bucks, $20 or whatever. For us to make a small quantity would be really expensive, and if we make the special secret spy router, one, we have to distribute it to the people who want it, and it's suspicious. So the guy carrying around the super secret spy device will get special attention, and that's the last thing you want in any of these states.
So we were kind of...

>> Speaking as someone who gets special attention every time he goes to the airport, I can tell you it's a real drag.

>> So we really had no idea. I've been working on this as a hardware thing, and ended up selling; I was looking at doing something and I ended up selling my company instead. So it was like a back burner thing, and then I was like, oh, what are we going to do? Then we were saved by China. There's apparently a company in China that makes the perfect device. It appears to be a clone of a much more popular device, but it happens to have a huge amount of RAM and ROM, and they're really cheap. It's this box, the GL.iNet box. You can buy them for about $215 for 10 of them. You get them in 3 days. They're awesome. It does everything you want. It's pretty much the perfect hacking platform for this kind of hardware. It's got two Ethernet ports on it, USB, and micro USB power. It's a pretty good deal, and it has the RAM that we need. So we have portal.com; we have tools loading up there that will let you use the old PORTAL chain and additional pluggable transports on it. Building the service is maybe a little ambitious at this point, but definitely the client side of the hardware will work with existing services.

>> That's it.

>> We would actually like questions at this point. It would be great to talk to people.

>> Obviously we welcome a ton of feedback, because we want to shape this into a tool that's genuinely usable. This is no good if it's hard to work with or it doesn't quite meet all the cases. We want this to be the kind of thing you put in your pocket, and a journalist can take it and go to a foreign country and use it for secure comms without even thinking about it. Thank you.

>> Open source, of course, not commercial. [Applause].

>> If anyone has questions, we'll be happy to answer them.