Let's do this. So I am a former panelist for what was known as the DEFCON Comedy Jam, otherwise known as the fail panel. This is not the fail panel. It's really close, though. So the fail panel went away. We decided it was time for it to go away, but I wanted to carry the torch. Now the panelist has become the moderator. Hence inception. We're working towards inception. We've gone one level deep. We have a bunch of folks that I thought, when I was going to submit the CFP, would make a great part of the resurrected, formerly what was known as the fail panel, now the DEFCON Comedy Inception. We'll see what we call this as we go. We're going to have lots of fun. Not much has changed. We're here to poke fun at the industry, poke fun at ourselves and troll everyone while here. To my right, in no particular order, we have Dan Tentler, Amanda Berlin, Chris Sistrunk, Chris Blow, Ill Will Genovese and yours truly, Larry Pesce. There are a couple of panelists for whom this is their first time on stage at DEFCON. It's time to drink. Cyber. I brought the good stuff. Amanda, into the mic. Get it close to your face, just like in the rest area. All right? All right. So Chris, Amanda, Will, and Chris, technically you spoke earlier at this Con but it's the first time here, so drink up. Dan, would you be so kind as to pass those down. I wouldn't ask you to do anything that I wouldn't do, and we'll get back to that. Cheers.
>> Cheers.
>> Cheers. To fail. Moving along. While we're here we're going to be soliciting for charity?
>> Whose charity?
>> Charity is out on the strip somewhere soliciting already. Okay? All right. In previous iterations of this panel, we've made waffles on stage and all sorts of other things. We wanted something different because we're different. We're doing hot sauce tasting for charity. I have two varieties of hot sauce that we'll get to in a minute. Consider that: we're going to do hot sauce tasting for charity.
If you have to donate something for charity, some of this stuff is hot, consider the value of the antidote. If you can't -- we have four gallons of milk and four loaves of bread. We have you covered. That said, I won't ask you to do anything I wouldn't do. When we initially talked about doing this panel we talked about doing donations for the Electronic Frontier Foundation and Hackers for Charity. I made the executive decision earlier; we changed the charity that we're going to donate to. How many of you know this guy? This is DJ Rantz. He's been in our community for many years. He does lots of fun things for us on stage, spinning all sorts of music, and he loves this community. And in fact the community loves him. Are you here, Rantz? That's okay. I talked to DJ Rantz last night and Rantz is in an interesting position. I would consider Rantz a good friend even though I don't know him that well, just because he is a member of our family as hackers, and Rantz was recently diagnosed with pancreatic cancer. Undergoing multiple rounds of chemo. I talked to him and he said this is okay. It's sharing a different kind of information. Rantz was diagnosed with pancreatic cancer. This is often a death sentence. There are people that do survive and we really hope that Rantz is one of those people. So in honor of all that Rantz does for our community and to show our love for DJ Rantz we are going to in fact collect donations for Pancan.org, the pancreatic research center. I have done work with these folks in the past. They have worked with all our legal folks and our other charitable organizations to help fund pancreatic cancer research or some cure or ability to prolong or better the life for those diagnosed. I hate to bring this on a downer to begin with, but we really love Rantz. Me personally, and no, not like that. Except for that one DEFCON when he gave me my first ever white Russian made in a hotel room. So Rantz, this one is for you, buddy.
>> All right.
Here's the blanket statement. Tasting this hot sauce is at your own risk. I'm not going to make you sign a waiver. Don't be dumb. This stuff is hot. We have one that is a ridiculous amount of skull units. We have toothpicks. Why? Because some of these you may want just a little. And then again, I said I wouldn't ask you to do anything I wouldn't do myself. So bear with me one second. Here is where you (trailed off ...)
>> Don't die, bro.
>> We have two versions of hot sauce. This is homemade green zombie hot sauce from our garden last season, made from green tomatoes and other secret stuff. This is the hot one. Figures I should have opened the toothpicks first. Don't spill it, bro. Don't fuck it up. Hey, I fucked that up. No, that's the other one.
>> Audience participation, stick your dick in it.
>> That's the not hot one. That's the not hot one.
>> I'll ding you all day.
>> I can't remember the character name. Breaking Bad. Hector. This is the really hot one. Note this is the cap. This is not the bottle. Yes, there's a little bit on there. That stuff. For those that don't know, Dan makes his own pepper stuff that is amazing.
>> That's good.
>> This is not fuck-around hot.
>> Oh my god, no. Put the top back on. If you get that stuff on your hands, don't touch your private areas.
>> Or do.
>> Or anyone else's privates unless you hate them.
>> We don't judge.
>> We just film.
>> All right. But if you do, let us know.
>> Let me get my camera.
>> So it's time for the kick. So we can go get started with all this fun stuff and get you guys to laugh. Don't forget to drink. While these guys are starting to talk, I'm going to get the hot sauce and other fun stuff ready. I'll be down at the far end of the stage and have a place to give donations and try some hot sauce and have a good time. Let's get in the van and get ready to jump off the bridge. Who wants to go first?
>> We think we elected Dan to go first.
>> We think we elected Dan to go first.
>> If I knew it was going to be that kind of party I would have stuck my dick in the mashed potatoes.
>> Dan, I guess you're up.
>> All right. You're coming up here, buddy.
>> He is vastly unprepared.
>> Did we neglect to tell you that? Don't fuck it up.
>> I plan on it.
>> Dan, did you not know we were doing a panel and stuff? This is the part where we troll you.
>> Fuck.
>> Oh shit.
>> Amanda, what is this pink thing you have in front of you? Higher, higher.
>> This. This is my sexist ban hammer of doom. There is a bolt on one side and a dick on the other. You can be knighted as sexist.
>> You can be knighted. Will Will be knighted in 30 seconds?
>> I found this at Gircon in the hotel room when we checked in. It made it through four Cons.
>> Was it decorated?
>> I'm pretty sure not. I'm sure I just ruined some little girl's something.
>> A pretty princess hammer.
>> The vein work is nice, though.
>> Very crooked.
>> Does it work?
>> So. Why me first?
>> This is going to be the best transcript ever. I hope you brought helmets because you need them. I'm going to channel George Carlin. Anybody go to Bruce's talk this morning? It's going to be that. Larry comes to me and says we want you on this panel. Cool. What's the panel? The fail panel. I said I have the perfect thing. For folks that aren't aware of the research I've done, which I suspect is everyone in the room, I have made a habitual problem of going and finding stupid bullshit on the internet that shouldn't be on the internet and ranting about it at conferences for the last 3 or 4 years. It will happen. It's DEFCON. This is why I came in with a mask. Over the last 4 years I've done a series of talks at a variety of conferences where I poke fun at the different things I found connected to the internet, and there are things online that you will do the whole Jackie Chan what-the-fuck meme face over and over. The title is the stupid things you put on the internet. Get me a drink. About me, nobody cares.
Thank you, sir. Cheers. If there can be a thing, and you can put a web server on the thing, should you put a web server on the thing?
>> Yes.
>> Yes.
>> Let me introduce tonight's fucking mascot, Toast Magost. Fuck it, we'll do it live. Some of you may remember my 2014 Twitter rampage pirate ninja thing I did at DEFCON 20. My firehose showdown talk where I did stuff like this. Why the fuck is a TV station online and I can get to it? Why would you give me control of a fucking television station? Why. Who is high and why aren't they sharing? Something German. I don't know. What the fuck? Drink. Windows EE, why? What are you doing?
>> Does that say washing?
>> That's my stuff. Oh my god, Asterisk, anyone want to make phone calls? I bet we can guess the password. Let's fuck with Korea. They're generating power. Let's fuck with them. Push the button and make some news. It's a really fucking boring Mac desktop. Who gives a fuck. Wait a minute, I wasn't the first one here. I wasn't the first one here either, but it looks like you can get some SSH keys off this guy, that is cool. BJMY2 host source. That is fun. Anybody been to the dentist lately? Because we can go back and learn about drilling people in the skull. You can write some Python if that's your thing. Really angry Python that makes real developers upset. This just hurt my face. I don't know what to say about it. I don't know what to say about it. VNC, that's cool. What? Love stage. Where?
>> Enhance.
>> Enhance. Apparently I can't read.
>> Is this CSI: Cyber?
>> My brain is melting. Second column, third one down. Love stage bang bang. Well caught. Should we usurp the mascot? You can go to college here if you want. 702, actually 702 is this area code. Shit. I didn't notice that before. It's Las Vegas.
>> That may be the love stage bang bang.
>> Anyone know what happens if skate equipment takes a selfie? It might look like that. A picture of the building in which the system exists. Now I can find it on Google Maps.
Another host. This one was lonely. HTTP load testers. Give the public access to test things. HTTP server. This is pre-configured to deny service. Bing, well done, good job?
>> Don't they do that themselves already?
>> Maybe. So you can find solar bullshits on the internet. This could be cool. I'm not sure. I haven't spent a lot of time playing with it.
>> Did you say you didn't spend a lot of time playing with it?
>> Probably way too much. Many mornings until 5 a.m. This guy played with it more time. Setting up MATLAB to track sports bowl. If you travel to Sydney in the future, there is a dessert place I can recommend and another place you can buy squid. Squid on the internet. Why is there fucking squid on the internet? The fucks love, oh my god, what is that. You are amazing. This is good. Crowdsourcing the fuckery. If you want to buy some avocados I have a place, or really piss off some dude. Right? This goes on for ...
>> There are certain times I wouldn't want the lights to automatically come on.
>> Some of these are ridiculous. A guest room and TV room and game room and hearth. I want these problems. A chest of drawers. A fireplace on the internet, that's fucking smart. Oh my god. Okay. Full disclosure. Who knows Dave Maner? Oh shit, one guy. Me and that guy and Dave Maner had a showdown race on the internet this year or late last year. I forget. You're going to love this. CSI: Cyber, the Twitter account, put a question to the Twitterverse: can you set a fire using the internet? To which several of us, no shit, jumped out of our chairs and thought I'll take that fucking challenge. Really? Challenge accepted. And we began a Twitter race. We found for the next three hours just the most batshit random crap you could find. If John is here, everybody should point to John and tell him how amazing he is. Without him we wouldn't be able to do half this stuff.
>> Don't forget we have hot sauce up here. Don't stick your dick in it, please.
>> You can. I will pay you.
>> If you stick your dick in it, you have to eat all of it.
>> John should have named it Shodan Tentler. Right? People think that I'm the guy that made it because I'm Dan and it's Shodan and they put two and two together. And I have to tell them, no, I wish I was that clever with the code. I make people like Paul M angry. I hear collusion. Things are happening?
>> If you want to give us money, you don't have to have hot sauce. Just saying.
>> It's not really giving us money.
>> You can give me all your money, also.
>> We should invest in Rantz's cyber pancreas. Right. On that note, here is a cyber car wash.
>> Why? Why. Oil change. Great. Yeah. That's fucking smart. Somebody sat down and decided I need my oil tanks on the internet. It's the future. This is how it must be. Who knows where ride Pier is? This one I posted before. Anybody remember this one? The friendliest -- on the internet. This is a caviar cannery in Sweden and this made news in Sweden and other various components of Europe. England, Europe, same thing, whatever. I only have two firing neurons and they're making me drink. You're behind. So, yes, fun times. This one? We'll make sure it stays warm for you. Can anybody read Swedish? I hear Bork, Bork. It involves temperatures and pumps. This is cooler. It's a coal mine. Why would you -- why would you let me play with a coal mine? What's better than playing with coal mines?
>> I can think of a lot of things.
>> Potato technology. This was part of my pirate baby cabana battle 2014. Crazy batshit raged silliness on Twitter after my panel with Paul M and Rob last year. We scanned the internet live on stage and had 3,600 JPEGs at random. And I picked up the interesting stuff and put it on Twitter and got a lot of attention. This is one. I had no idea and I had no idea what it was. Until someone said it's potato climate control. Now you can be very comfortable counting potatoes. Right.
Here is an Italian hydroelectric plant that is generating --
>> 1.21 gigawatts.
>> There is one line that says 1,087 kilowatts. 1.087 gigawatts. This one is the same thing. But this is in Swedish I think, or maybe Dutch. Looks like an electrical relay station. Same deal. Why in the fuck would you let me into your electrical relay station over the internet?
>> Is that the Univision logo?
>> Indoor energy control.
>> Hey Dan, if you got in would you know what to do with it when you got in?
>> Dan never knows what to do when he gets in.
>> I know nothing. Why did you let me up here? Prank caller, prank caller. Anybody? You can schedule a meeting in a conference room. There is a portrait project at 8 a.m. This is fun. Who was at ShmooCon the last 2 years? Do you remember MS Paint as a service? You can do it over the internet. This is a hotel lobby sign on the internet, directly accessible to the public. What if we said Ebola outbreak? I am not a ham radio ultra nerd. I know enough to make real radio nerds angry. Apparently you can run a repeater off a Raspberry Pi. Here is another one. It's like a hotel lobby, but it's an office directory. Same deal. Whose pants do you want to make brown today? What can brown do for you? Jenkins script with VNC on top. You can try boats if you want. I'm not a boat guy. You can watch people day trade. This is -- right? You want to get some insider information from some guy who is broadcasting everything to the world or watch his solar system capture power. That is cool. Yeah, power. I'm not sure what evil stuff you can do with the power stuff except maybe the battery. The dude in the pink helmet can help you. Holy shit, a guy brought a helmet. One guy put on a helmet. That dude is prepared. What is this? I feel left out. More hotel lobbies. This is an office building lobby. Another --
>> Drink.
>> Next.
>> Keep going.
>> Oh god. So the Echoplex is going to have a bad time.
For the sake of convenience, you see people that will put their security workstation, like the type of place you walk into that has dudes working the counter with security stuff happening and they manage the cameras and the badge readers. Say again? You can, or you can watch them on VNC because it's fucking publicly accessible. I'm not a Reddit editor. Here is somebody you can mess with. A dude on Reddit who is broadcasting his desktop. I have a funny story about the massive diesel generators. A friend of mine did a security audit for a power generation company and these things, for the sake of emissions, have urea pumped into the exhaust area? You're gonna love it.
>> What is pumped?
>> Urea. And similar to another slide, you can open the valve and fill the exhaust manifold, that drowns the generator. Urea is the component in urine and you can literally blast it with piss or make it rain, at least for people that are really short. Sprinklers on the internet. I forgot one thing. There were curtains. You can find curtains on the internet, too. That is fiendish, I'm sure. Functioning curtains that open and close. Computer-controlled curtains. You can open the curtains and switch to manual mode. Japanese radio ham thing that I found. I don't know if they're using ham radio as the backhaul for the networking but I guess. I was -- I sadly can't read. What does it do? Holy shit, a thing in Japan that lets nerds talk to each other over the internet. Who thought? Maybe Travis thought of it. The AVG is cool. He didn't find any threats. I ask again, did anybody go to Bruce's talk about risk? Because like, no threats, no, you're virus clear. That is cool. I can look at all of your pictures of Chiara and somebody else. I don't know if this was on purpose or if this was because management people need to watch Indian swapping for massive networking equipment, but there is that on the internet too. I don't know what an oil celery is.
You may not want to tell the world about them or where they are. Or how much oil they have. To make anybody, anybody do medical stuff here? One guy. Check this out. Yeah. Fun shit, right. You're going to say, but, all the fucking naysayers, it's a demo. What are you doing? Do you see that little thing on the top corner, it's a demo. Fuck you, I had a real one with 16 live hospital patients. Come at me, bro. Why? Why? And you know what the fucked up part about this one is, this is RDP, background on the desktop, you RDP into a host and it gives you a login window over the background. You drag the login window off the screen and you see this full frame. You didn't have to authenticate to the box. You can just sit there and watch. HIPAA. Tell me these guys weren't compliant. Tell me they didn't spend a million dollars a year on auditors to come in and fix their shit?
>> Back up one slide.
>> That one?
>> A hospital bed or a fucking hospital bed?
>> Ooh, heart rate will tell you.
>> Depends on the person.
>> What is that?
>> Why do you spoil everything for me? This is cool. I can't tell if it's a giant LiPo battery but you can control it from your iPhone. The icon in the bottom right, the door, this means it's a touch panel. There's a lot of these things on the internet. The schematic HMI stuff and the things that Chris will get into is all weird bullshit touch panel stuff. These touch panels people buy and put on walls to control things you can VNC in sometimes, would you tell us, no credential. So this is another what appears to be really boring Mac VNC desktop, except not. This one. And it's the same fucking guy. If you look at the name ... It's the same guy. Where is Threat Butt? I need you, Threat Butt.
>> Sounds like a personal problem.
>> No. That is a personal problem. That is a fucking personal problem. What are you doing? This is Chris' slide. His first slide is a Back to the Future slide. We're time traveling.
>> Windows 98.
>> Just wait. Just wait.
I got you better. It's not Windows 98. And it's dumber. Face-slappingly dumber. No, just wait. There's more cameras, too. GeoVision does coax and those dome camera type deals that you see. That is cool. But these are boring, so you can get to this guy's DMV and watch movies on his tablet. Or go to this Israeli pharmacy and order a bunch of drugs and get really high. And then when you're done you can have Agua power flushing, cheers! Net coffee sounds cool. I don't know what it does but it has my attention. Really, camera strike? Holy shit, Counter-Strike 1.6, nice. Well spotted. Los Pollos Hermanos. And speaking of crazy drug dealing people, here is $300,000. Right on. And here is an Italian something. I don't know. I don't speak Italian. I stared at this thing and I have no idea what this is. We can tap Chris with it. Chris isn't paying attention?
>> What?
>> Other Chris. My camera is over there. You didn't fucking wait. I can't count on you people for anything, can I? Is that the Spanish Minecraft sound? We have Spanish Minecraft. Phil is going to have a bad time. I don't know. Like, I don't know, I don't know. You make me drink. But then again you can feel better if you watch him enter a game. The Italians like letting their -- TeamViewer licenses lapse on their 408 kilowatt hydroelectric generating facility. But, you know, maybe you can forget about that by fucking with these guys' sprinklers. If you're bored with that, this is another hotel. This one is Oakland if anybody is from the Bay Area. Voltage sensors are cool. Maybe there is a camera, or I can print circuit boards. Who wants to hack some shit? Who needs Oda (ph.)? Anybody go to Morgan? Morgan did a presentation earlier today talking about attribution. We can give them a bad time if you want. There is publicly accessible to the internet. You can fuck some shit up that way. Or make Spanish copies of stuff. All the people that were like 98, Windows 98. Windows 2000. Oh no, Windows 98 is bad. Holy shit.
Welcome to my world. It gets worse. It gets worse. Wait for it. Wait. It's the same fucking guy. Again. Can you point out the mistakes he made in his evil, evil hacks and nefarious plots to overthrow the internet? When is the last time you saw System32 on DOS? 7 blah, blah, iexplore.exe on DOS, really? This is what we call our threat landscape. Right. This is what we're up against. I'm going to try to open IE on fucking DOS and why is DOS available over VNC? How did you sort that shit out? An FHS tunnel through time. What the fuck. I'm going to print out a bunch of porn on this giant printer and that will make me feel better. Providential. Adjective, occurring at a favorable time. You can't make this shit up. Same guy, I think, I think. Yep, same guy. On a Japanese system. McAfee is catching his shit. That's McAfee catching a kid doing some stuff. I think this is the same Korean power generation plant. At this point -- this is No. 4. When people go home after Con there is going to be a lot of shit to play with. Especially more blind skinny (audio blipped) but they're dumb. Or they have scripts that are blindly placing scripts into every open VNC place they can, because that's what it looks like is happening. Cubs win, I guess. I don't know. Sure. Like I said, a lot of shouty arm waving, why. What the hell. It's colorful times. There is big German reservoirs.
>> This is why Germans don't play Scrabble.
>> I can't pronounce that. This one does something. I don't know if it's Agua power flushing. There is Regular Ordinary Swedish Meal Time, it's a show, man. You don't know about Regular Ordinary Swedish Meal Time? It's good for you. Right? But if that distracts you, you can go back to the day traders again, because apparently they're really happy publishing other shit to the internet in public. Something. If you guys got something, it's measuring it in meters squared ... It's Polish. That's cool. This talk is in English. I don't even know.
This, I got nothing -- right?
>> Is it a map?
>> Yes, it's a map. It's a fucking potato.
>> It's Apple Maps, man.
>> Potato. I will see your potato and raise you a hot parlor wash.
>> Is there a happy ending?
>> Yes.
>> Okay.
>> How many fans of BSD are there in the room? How many think it's like the gnarliest, strongest operating system that is the most secure?
>> Here is a hint.
>> What about now? Good job. Single user mode. No security, nothing. VNC. What about now? Anybody lactose intolerant? We can have you have a really bad time. Here is a dairy plant, this one does something involving cows. Wait, what?
>> They're milking horses. Won't someone think of the children?
>> See, the really, really interesting shit, the really interesting shit is I had no idea that was there. I didn't notice it. When I find this it's like 4 a.m. and I haven't slept. And then I get on stage and I have all you guys to point out all this stuff that I didn't notice the first time, and it's like version 2 for me, why the fuck is there a horse setting on the dairy milk plant? Why is there a bull setting?
>> I think it's still considered milking.
>> Cannibal says it's hides and not milk.
>> This is where your children's milk comes from in school.
>> Standardized testing. That's what that was about. No wonder they were pissed. I would be pissed, too, if they wanted to milk my kids at school. User -- whoever is French in the room can pronounce that. That is -- good job. What is it? Jenuo (ph.). Is that the same guy?
>> No.
>> Right. No Rugrats. Yeah. So one easy way to catch skids is leave VNC open and open Notepad. They will blindly shove whatever they have into Notepad and you can have it. Who knew that Notepad could be a honeypot? This is a Notepad honeypot. Holy fuck. How much do you have left?
>> I can go faster.
>> Go faster.
>> Here is a TV station that hasn't updated the TeamViewer license. A goddamn ATM. Why is there a camera there? A hydrogen fuel cell.
Mario is going to shit his pants when he sees this. He's going to confess to Luigi he's been taking shrooms the whole time. He is going to turn off the -- and the entire thing is going to go down. The entire city of downtown Copenhagen. The ice rink is under there. Webcams, too expensive. Cheap cell phones, better. Shady cops chasing you. Why. I found a hydroelectric plant?
>> Breathe. No, I don't need to breathe. Too bad Anthony is not here.
>> He was earlier.
>> There is a story with this picture. I'll try to tell it quickly. I found this and put it on Twitter. Michael Toicker is like, that is totally legitimate. Look at that art. Now this is owned. You can let the Java run. You're Java and want shells on my shit. No. I promise it's okay. I spun the VM and I ran Java and it said megawatts and I said fuck. I put this picture on Twitter and the next morning the DHS called me. It was like that. This guy is like, I'm going to have interesting people call you. 8:30 the next morning. My name is Anthony and I'm calling from the DHS. It was bad. This plant stayed online for like a year. I have a distinct memory of driving somewhere 6 months after doing this presentation 3 or 4 years ago and John texts me on Twitter and says that plant is still up. What? Which one? The FOMEL one. And he links me to it and it rendered on my phone. We have a dam in your country that has flooded -- if you Google barrage Damel, it flooded people in the past. They're like, we're on vacation, fuck off. No shit, they were on vacation and didn't want to fix it. Responsible disclosure kinda works if they give a fuck and this place didn't give a fuck. This place I didn't bother disclosing to. And neither did this place. Up to three now. Now a switching station, so it's up to four. And I give up. Fuck it, car washes. True. There is also speakers, which is really fun. Because you can send a Rickroll mp3 straight to them. It plays. That's good.
How rich do you have to be to have a fridge for the champagne and have the champagne have an alarm? I want those problems, I don't want these problems. That is CERN. They fixed it. I reported 200 something of these to their security department. At first they said we're this big open system, and academics and things. I said that's cool. But like, no. I shouldn't be able to see this. Cool. That's fine. They fixed it and it was fine. It was CERN and now I found these ski lifts. You can open the doors and turn on the alarm, and I think, I can't remember, shout at people through the PA. So you can send people up in a gondola and stop the doors and shout get the fuck out. Right. Why would you let me do this? Why? But this one is cool. I had a personal interest in this one. I found a fishery in the Oxford Covered Market in England and I went and put my hand on it. It's cool to find something on the internet and then touch it in real space. Then I found something, lobsters. You can fucking control the temperature of lobsters over the internet. There is also swimming pools. That have acid tanks. That you can control over the internet. What the -- why would you do that? I'm going to take a breath, I will exercise George Carlin and I want you all to consider the following. Stop putting shit on the internet, or at least count to ten before you decide to do it. I'm out!
>> Next.
>> Ding.
>> Ding.
>> Holy shit.
>> You made me go first.
>> I knew he should have gone last.
>> I look better in everything. Don't forget we have hot sauce. We're at 300 bucks.
>> Only 300. This room is not really full.
>> My name is Chris. If anybody could float I think he could hover with all the energy he has. Chris is drunk. Let's get cyber physical. If you don't recognize that guy, that is Ralph Langner. Love you, Ralph. If you read the report on the reverse engineering of Stuxnet, he did it. Smart guy.
Let's talk about top ten cyber physical stunts. First, made planes go sideways -- and then Charlie and Chris made a car go sideways. What is next? Making elevators go sideways?
>> It's an elevator. It's a Wonkavator.
>> An elevator can only go up and down, but a Wonkavator can go sideways, and slantways, and longways and backways, and squareways, upways and any ways you can think of. It can take you to any room in the factory by pressing one of these buttons. Any of these buttons. Just press a button and zing, you're off. Don't press this one. Go ahead, Charlie.
>> Me.
>> Don't, Charlie.
>> What the fuck? No, seriously, there is an elevator that goes sideways. Don't touch it if you find one. No. 9. Physical security fail. This is at a substation. And this happens all over the place. Also we -- I've seen where you have all the substations that might have the same lock, well, a substation had a homeless guy living in it and he had a key. We have relays and substations and that's a picture of one. All around the world, in America -- here's a picture of an attempt to do port security using a lead meter seal. Yeah, that is real secure. There's a -- something that got shot. In Arkansas, that got set on fire. Metcalf. That is a different one. That is Los Angeles. Yeah. Pretty serious stuff. Physical security is a big fail. Pretty big fail. All right.
>> It's dangerous. Take this.
>> All right. What is this? Raspberry. That's fancy. Scans equals attacks. There is a couple reports that came out on the news, scans from Iran to these companies' sensors and honeypots, and they called them attacks. And then a colleague of mine was scanning honeypots to test the new Nmap NSE script, and he was from Chattanooga, and there is a nation state there and it's called to the hilt. There is an industrial control system with a serial port coming out of it. No. 7. He kind of touched on this. Smartphone apps that you can control systems with.
>> What could possibly go wrong?
>> Well, I have stories of things going wrong. A colleague of mine, they had to go reimage all these machines at a glass plant. What happened was the owner got a new iPad for Christmas and put a Siemens app on there and optimized the settings in the glass plant and everything quit working. She had to go and reimage all of the machines back to three years ago because that was the last image they had. And I've seen a hospital, every hospital has a generator. They have a water plant. And I've seen a hospital plant operator have control over the water plant with a smartphone. Not a great idea at all?
>> What could possibly go wrong?
>> Yeah. No. 6. Anonymous FTP. First one, me and a couple other guys, we do this in our spare time. Researching anonymous FTPs we found an engineer, maybe not as dumb as me, maybe dumber. Power work laptop on his home terabyte hard drive. We called him on an anonymous Google Voice number and said you have your work laptop backed up on the internet. You should probably take it off. He was like, what? Who are you? You had one job. Don't bring it home and don't put it on your anonymous FTP backup. We found a city in Florida, backed up the entire SCADA system for the electrical grid and all of this on the grid. All of this is found on Google. We called them and they finally took it down. It was pretty serious. We found engineering companies had schematic projects, all these different control systems, a prison control system where you could let the control system for the doors open. We found the air force bases and found like the SCIF. The top secret room where they meet. We found all the plans for those and reported those in. That was wild. All kind of things that you can find on anonymous FTP. We had this thing on Twitter called we are the artillery. We're finding these on our own time and trying to get them taken down. Poor architecture. Any rules, anybody? There's lots of those --
>> CIS is precertified.
>> Yes, exactly right.
We have lots of problems in industrial control systems. Not in the electric sector for these. They still have some failures, too. Also oil and gas and water have flat networks. Not a very good idea at all. And then No. 4. Squirrels. That's the No. 3 cause of power outages. No. 1 is acts of God, like weather. Don't listen to Jericho. Okay? CyberSquirrel1 and Mylar squirrel. Follow those on Twitter and they'll tell you all the power outages that are caused by squirrels, rabbits, snakes. >> I have a picture of a nasty fried squirrel. >> Go faster. 30 minutes. >> Vendor excuses. A Twitter account that a friend and I run. These are actual, real excuses that we've gotten from vendors after we found vulnerabilities in their stuff. "We decided the best course of action is to discontinue this product." "We reviewed the proof of concept, but the engineer says a valid endpoint wouldn't send that." "That's an open source project we use but do not fund or contribute to in any way." "A back door password was found; we changed it. Thank you." And there's a whole treasure trove of those that we put up on Vendor Excuses. You can send your own vendor excuses. We have the email set up. And this guy, ICS on the internet. When somebody asks how your control system was breached. He found this. >> Sorry, but not sorry. >> Oh, I found more. But I'm not going to go through all these. I have a few slides left. We found -- wind turbines. I'm telling you. We found Houston's David control center where you could look at their webcam, and then you could move it, and then someone moved it back. And -- >> Busted. >> And then they had -- it's a real control system. And we called them and told them to take that stuff offline. I don't always connect my system to the internet, but when I do I use ... That is safe. And No. 1. That is Jack Daniel if you don't recognize the guy. >> His bedder is in Iowa City. >> We had 15,000 hackers at DEFCON last year and they went to the ICS village. How many here have been there?
Great. Awesome. We had a bunch of people last year. What do they use to attack this stuff? Burp Suite. That means they're not using any of the control system protocols at all. They were trying to attack things that didn't really exist. Let's get them on the Modbus. We even have a cartoon. Robert M. Lee. We were teaching these people about the protocols. We wrote a script called Modturn, and it turns on the lights, and turns up and turns down, and then you turn the lights off. That's all. I have some shout outs to Adam Crain, Reverse ICS, Robert M. Lee, Mike Tucker, and my SCADA brothers, and my wife is somewhere here. There she is. I love her. >> Anyways. Any time now. This is great. What the hell, Larry. >> Anybody good with computers? >> There we go. I fixed my shit. Anyways. I have to drink again? Okay. That was not my original drink. Okay. So as you can see, thanks to Ill Will for making this slide for me. I appreciate it. It still says Steven Spielberg and shit, and I don't Photoshop at all. There is my name. Along with my name, Chris -- that is really my last name. I'm a technical adviser in Indiana. I have no -- I don't do anything really cool. But I love the profession that I do. Certificates, I have none. I have no relation to Joe Blow or Kurtis Blow; I just want to get that out of the way now. Feel free to follow me. You get to see stupid pictures of me wearing a wizard hat, pictures of my dog, or stuff that I make food-wise, or see me drink. Usually drink. Follow me if you want. Firewalls. Before I talk about that, let's talk about Dan's talk. It's a really good talk about failure. If you want to see more failure after this. I don't think you can get more than me talking up here. But I think it's another fail because the link goes to a certain -- [indiscernible] you get to see this picture like this. More Dan, as if you didn't take up enough fucking time up here? >> What do you want? I'm an asshole. Didn't Denis Leary do a song on this? >> Early 90s.
Let's get into some fails. I'm going to talk about a lot of fails that I encountered myself over the past ten years, or five. A lot of these failures are ten-plus years old. Going back to Dan's bit. We're talking about an international call center here. Call centers all over the world. They wanted a typical pen test. That means we want you to run Nmap and give a customer report and make it look like you did more than you did. Scan our stuff and give us a report and show us we're great and pass for the year. As we continue on, I find out that these firewalls are running over 90 percent saturation, and I don't feel comfortable talking to these guys, saying, we're on a scoping call; do you really want me to do this during the day? Yes, it's fine. We do this every year. I talk faster than ... Okay. We got 90 percent saturation going on, and I do a firewall review and find out their operating system is 8 years old if not older. Between that, I took down an entire international calling center by using Nmap. I dropped over 3,000 calls and they were pissed off, and they told me to scan during the day. I'm on the phone with these executive people and they're like, what did you do? It was great. They had logging and they had alerts that were set up to look at if a firewall was running over 70 percent saturation; all of those were disabled. And then we found open RDP. Also MS08-067 and absolutely no DMZ. With all that said, and credentials were easy to find. They are very angry with me still. Social engineering. When I think of social engineering I think of the Social Engineering Toolkit; thanks, Dave Kennedy and all the folks at TrustedSec. I mean that wholeheartedly. I love that tool with all my heart and love what Dave's done with it over the years. He is a great guy. Awesome. When I think of Dave Kennedy I usually think of clowns. I wish he was in the room, but he is not. I need to get that image of the box of Social Engineering Toolkit from him. So, quick side note.
This is what happens when I go and grab that image from his site. If you want more detail. This stuff is malicious and it comes from the site or whatever, but I downloaded it anyway, because (audio blipped) and we needed to do that anyway, so? >> Were you using IE? >> Yes, what? Okay. So for this next one, a financial institution. They bragged about how they had InfoSec training and response training and were set to go, and nothing was going to get past them. Say that I had -- I'm going to set up, like, a "hey, get a free iTunes gift card" email and stuff, and they were like, yeah, come at me, bro. By the time we got to what I'm going to do, they were like, holy shit, you can't do that. Do you want a real test or not? >> I feel really sorry for the person transcribing that now. >> I'm really sorry for whoever it is behind the keyboard. (I'm real, yes.) >> Right there. I'm really sorry, but I use the words shit and fuck a lot. Keep going. Do a little bit of research and find out their VPN is out there in the open. Nothing special about it. The place where this was happening, they had a bunch of current weather events going on. Snowstorms and ice storms and everything else. I put it in an email: due to recent weather events we're going to have more people work from home; click on this link. 78 percent. That was awesome. I got their entire password history because people didn't think it worked right. >> What could possibly go wrong? >> Nine slides left. So let's talk about my favorite subject, PCI. PCI is great. I put this slide together. It's a bunch of shit on the screen. Windows XP. And apparently you can get this certificate of compliance with PCI, and that is fun, too. That's a -- keep hitting that button. >> We have a winner. >> Top four responses to noncompliance. It's too hard. I can't put that in your report. No. 2, write a compensating control for it. I can't write that for a lockout -- it takes 28 failed attempts before it locks out your account.
The fact that you do that is really fucking stupid. The QSA last year said it was good. I'm not that QSA. Whatever this mess of a report that I'm reviewing is, it didn't pass. Then they're like, we'll accept the risk. That's great, but I can't do anything about that. That's fun. Let's talk about -- can I help you? I do not need to drink now. I'm talking a million miles a minute now. Let's talk about a rental car company, a big one. I had to be the technical QSA. Those don't really exist. I'm going through all of the credit cards, credit card applications, and one is a terminal they have. That's cool. I need these T logs and application logs, et cetera. So I find credit card numbers in the logs. Hey, I have credit card numbers here. No, that can't be right. We don't store credit card numbers. Great. I have them here. By the way, that is track 1 data in your logs. And I'm like, this is a big problem. We don't store credit card data. That can't be right. I don't know what to tell you, but you have them in there. Just to prove the point, I said, how recent are the logs? Two or three days. I get a credit card scanner out of the bag, connect it to the laptop and scan it. It was my track data that I found in those logs. My track data was in the logs, and there was this poor QA -- control process, and those had been storing track data for a couple months before they shut it off. It took going to the vice president before they admitted they stored data, and it was something where they implemented a new version and forgot to turn off the debug log function. I'm going. Two more things to talk about. Logistics company. Self-assessments. You can just go through and take a checklist of 12 items: done, done, done, good. They declined to do a PCI discovery data workshop. They say we only have -- applications. OK, great. 24 hours later they have at least 15. And then they got angry. We need to change this so we can assess your stuff. There were credit card numbers for everybody.
It was in Notepad. Red teaming is in quotes because when I do a red team engagement it's never a true red team engagement. So we got a retail chain. They want to perform it on the retail stores. Find out they have this huge party list they do for the Christmas party every year. Manager names, et cetera. A lot of that didn't help because retail can be an employment revolving door. I have no clue what to do. I'm going to be a Verifone guy. I'm in polo and khakis and like, I'm here to check the system. I have a wonderful Pwnie Express power strip and other things in the backpack. I need to replace the UPS under the desk; can I go in and replace it? No problem. The problem is it was a cellular dead spot in the mall. That was great. I couldn't get a signal to save my life. I found a mobile terminal. Even more fun when the passcode is the store number. As I keep going back and changing all the cellular cards, eventually the -- calls me; they called the store and said all the POS systems were going down and coming back up, what is going on. They decided to talk and said a Verifone guy was very friendly and helping out. This might be game over. I got out of there without showing the get-out-of-jail-free card, but that sucked. Last two slides. I can't make this shit up. This is a failure on the company's part and on my own. I do a lot of stuff with memorabilia. I couldn't get in the front door. I went in there as an exterminator. We've been using XYZ Exterminator 30 years; who the hell are you? I was like, shit. I failed before I was expecting it. I made up this big story: I'm a contractor. And we kept going on and on. And they never let me in. I went around to the back door; that was open, and went from there. All three sites. PII was everywhere. I didn't have to plug a computer in. They had photocopies of driver's licenses, photocopies of car registrations and people's credit and debit cards and checks. Photocopies of anything you can imagine.
I would have had to take a large duffel bag in to get this stuff out, but it was very easily accessible. The bad part is when I got to the debrief. That was the next week. Hey, look at this. I didn't have to connect to a computer. Wait, go back to that first one. Did you make it to the second floor? No, I just made it to the receptionist's desk and she didn't let me in. Our office is on the second floor. You just owned one of our competitors' companies. It took every ounce of me not to say the word fuck on that phone call. That is a failure in InfoSec in general. Getting off the stage here. If you want to follow me on Twitter, go ahead. Thank you very much. >> We don't have to dance, right? Is there an unventilated can of varnish somewhere near Chris? >> No, he is always like that. >> How much money have we raised? Not enough. Come on. >> $650. >> Let's get it to 1,000, come on. >> Why is everybody leaving? What the fuck? Come back. >> Come on. >> I swear my part will be way better than theirs. >> That's some hot stuff; I can smell it all the way over here. >> Do I get some more animation music? >> I'm tempted to make fart noises. >> Into the microphone, remember. >> So originally when Larry got me to do this talk, it was a no-holds-barred talk where we can talk shit about everyone, and then there were a couple of snowflakes that told me to tone it down. So I'm going to tone it down a bit. Originally I was going to do an offshoot of the joke The Aristocrats. >> Here you can't speak unless you drop an 0day on stage. >> Originally the first line of the joke is Kaitlyn walks into the office and asks for a raise, and I was going to snowball it from there. Boom. I'm Ill Will. Professional IRC troll, and I run a nonprofit hackerspace. I don't have any certs, fuck them, and BlackHat is fucked. So when I started off with computers I liked to have fun. Me and my crew used to roll around. We brought you the world of Paris Hilton, and I'm sorry for that.
It's like opening Pandora's box if it smelled like herpes. So unfortunately that brings a lot of attention to yourself. I got in some trouble at some point. When you get in trouble, you get arrested. Yeah. Fame and fortune, and you can't talk about bullshit stuff, but you get a shitty movie made after you. So basically this is going to talk about -- one of the famous fuck-ups is Ross Ulbricht of Silk Road. He got caught because he posted on Bitcoin forums with his own email address and started up Silk Road. Everything that goes on the internet stays on the internet. Another fuck-up: this big snitch, he was doing good until he logged on using his own IP address, and in effect got this guy in trouble. So he had pretty good -- unfortunately he trusted a snitch. And his password for his computer was chewy123. You have all the encryption in the world, but if you fuck it up with an 8-character password you're fucked. Raise your hand if you think your email address is in this dump. How many of you people shit when you heard that went out? Basically there's 50 million users on there. You break it down, there's a couple thousand federal and state employees and employers that have nudes. All the girls they're talking to. When that shit gets leaked, you don't want it to leak. iCloud was another big one over the past year. From all the celebrities over the past years that were hacked into, they still don't learn to trust the cloud with all their nudes. Normal people fuck up, too. So this goes -- this is not celebrity stuff. It's just from my day-to-day job. Let's see if I can get this to play. >> Wait for the audio. >> How come it's not playing? Oops. >> Tell it to us in braille. >> We can probably ... >> Let's see. Let me get the audio. If any of you can recognize the sound, please shout it out. (muffled) >> Maybe he is constipated. >> -- this afternoon in the lobby. >> That was -- I was working on a client's laptop; they brought it into me. It was in standby mode.
It was locked and he didn't give me a password. I'm in an office full of a bunch of people, and that went off. I had no way of shutting it down. When you bring your computer into somebody to fix, don't have a folder labeled My Escort Site on top. And in the other folder, classroom material for kids. >> Hot. >> Fail. >> This other lady's laptop. She brought it into me. Had powder all over the laptop, the keyboard and everything. She had a user profile that was messed up. Said her kid messed it up. I will turn on the guest account and that way the kid can't mess it up. Two days later she brings it back. Fixed it. She is complaining she shouldn't have to pay again; it was broken. A few days later I get an ass dial from a phone number at 3 a.m. The Google search pulled up her phone number, which led to an adult baby service. It was her adult baby diaper guy. If you're going to use the phone numbers for all that stuff, don't leave it with anybody. >> Adult baby diaper guy? >> It's a thing. Google image that. >> So the last thing is health care. My wife's mother-in-law bought a laptop at a flea market for 50 bucks. She said I need a password removed from it. I bought this laptop. I booted it up and it tried to log onto a major health care provider. You can get the MSCache password. I decided to crack it. That led me to the Citrix framework for them to log into their server. They were curious enough to basically let me get onto their main controller from a link on the desktop. So of course, me being curious as I am ... I had done my hacker math and started searching around. Not only were they curious enough to leave the remote desktop link on the desktop, but they left an Excel spreadsheet, every Wi-Fi password, on the box. I did that in 2003 and checked in ten years later, and I was still able to log in with the same username and password.
I saw someone at -- Boston last year and I let him know that I could get on his network, and I gave him the information and the card, and I checked right before today, and everything is still not changed. So this is just a shout out to one of my buddies here. When I got in trouble, there was somebody that got me into all this stuff. I want to say hi to Dan, if he is in the audience. >> Crickets. >> If you're a CISSP like Boris -- last time I seen him was at the Queercon pool -- but just to let you know, everything on the internet stays on the internet and someone is going to find it eventually. I had to rush through this because we only have ten minutes left. >> They're supposed to just work, right? Can you see it? >> You did better than me. >> I have 30 seconds. This is going to be awesome. First time speaking at DEFCON and I don't have a drink. I'm not sure how that works. >> Chug it. >> No. I hate beer. That's horrible. A little bit about myself. I'm going to talk about a health care provider that I worked at and an ISP that I worked at and a (audio blipped) I'm sick. >> Not here. >> Perfect. My name is Amanda Berlin. I have my fan club in the first couple rows. Yes. I've been doing blue team stuff for a long time. Worked in health care for a while. Windows admin, that kind of stuff. Fixed a lot of shit. Next. So still doing some hot sauce for charity. That isn't charity as far as I know. Get up here and give some money. >> Thanks to those who've given already. >> Supervision required. If you hung out with me at any point in time, these guys can probably vouch for that. >> Run. >> Otherwise I wouldn't be up here on this panel. This is one of my favorite kids' movies. I have three little boys at home and this explains blue team and red team. Red team is cooler. But fuck it, I've been doing red team for ten years; it's fun. Cover your eyes if you're squeamish. That's a thing. That is -- that's what you have to do to get your CISSP, I think. >> Describe the CIA ... >> He is corked.
A little bit of process. Everything that I mentioned has been fixed already. Don't fuck up my previous employer because I really still like them. I wouldn't be where I am today without them. Imagine walking into an environment where there is absolutely no help. The network engineer has been there for ten, 20 years, complete asshole. He took an MCSE course just to get up the ladder. They switched to EMR. Completely digitized everything, and he had no other knowledge than the one-week boot camp he took. And they knew things were bad. He's a self-proclaimed sexist. I was pregnant when I worked there and this dude came up and said, every time I see you, you're eating. You must have an oral fixation with me. Fuck off. So he got fired. Surprisingly. They actually were scared to fire him because he supposedly knew so much about the infrastructure; they didn't want to fire him because they weren't sure what would happen if he left. I got there. Everybody in the entire department is a domain admin. 40 or so people, anywhere from help desk to directors to software administrators to the people that actually needed it and knew what the fuck domain admins were. And we dove in and finally realized what was happening. A couple things we didn't have. We didn't have antivirus on anything. Servers, workstations, nothing. What could possibly go wrong? No WSUS. Windows 2000 servers that weren't patched in four years. No big deal? >> Doesn't that get into Windows 2003 territory? >> We had a couple. This was 2008. No biggie. We had a decent data center. Water lines piped above them for the fire suppression system for the entire data center. Open ports everywhere in the hospital. No idea what was in our environment. This was after we spent 40 hours cleaning it up. We had InfoSec, but holy shit, fail. >> We're up to $700, by the way, everybody. >> Nice. >> Keep coming. >> I'm trying. >> Go faster. >> Sorry, I have -- I'm halfway done. >> 2 minutes. >> Oh my god.
>> We know Larry can go in two minutes. >> We had no backups at all. Running a fucking hospital. 500 beds. 2,000 employees. No backups at all. Had no DMZ. Not only did we not have a DMZ, our production website was on a Windows 2003 box that was dual-homed. One had an IP address straight to the internet. The other was on the internal intranet. The SQL was on the backend domain controller. What could possibly go wrong? Not only was that on our domain controller, we had the -- our public Wi-Fi; that's where the DHCP came from. That Wi-Fi had no password. Actually had a lady call me up when I worked at the help desk, saying the internet wasn't working. Down the road. So some old lady called, and thought for some reason it was our help desk. We had a splash page to call the help desk and she called to let us know the internet wasn't working. It wasn't supposed to be your internet, but it was. She had no idea. If anybody is in health care, this is a cath lab. One of my favorite stories. They do some stuff with heart cath things where they open you up and do certain things. Actually had -- are you going to pull me off stage? Get the fuck out of here. Go. I'm almost done. I swear to god. Next time I'm going first, fuck this. We had our operator call about massively fast locking out of Active Directory accounts. We had to write a script that would re-unlock the Active Directory accounts because the cath lab vendor shipped us something; guess what was on it? >> Enterprise admin access. >> The porn that the CEO watches. A variety of colorful dicks. >> That's better than a bunch of colorful dicks. >> So they shipped this with Conficker. We got a really good discount on this software because we swore we would never say what their name was when they shipped it to us a second time. Sorry. Okay. >> Whoever is transcribing this -- >> I'm sorry. MS08-067 everywhere, and Windows 2000 and XP. No big deal. This was a water fountain in -- wasn't supposed to be a water fountain.
It was attached to the boiler, or something happened with the power. The squirrel took out the power to the entire data center. >> I told you. >> I'm really scared this dude behind me is going to throw me off stage. >> He is Canadian. >> Literally I walked in at 9 p.m. at night. There was a five-fucking-foot water spout coming out where our -- where our fiber terminated. I mean in the core switches. I had to daisy-chain a UPS and put it on the ladder so it didn't get fried by the water spouting up in the corner. Best alerting system ever. We had no monitoring. Best alerting system ever was the APCs. When you did an Nmap scan it would send you an email for every fucking one. I'm going to skip that one. I have some personal fails. Yes, sorry. I don't have any personal -- that is a whole other talk. If you mask [indiscernible] it's a really bad idea. It's very colorful. Takes down the entire school system and everybody that you manage. And Check Point, which I probably shouldn't say. Next Generation, great. Last slide, thank god. I did a phishing exercise to train the users in the hospital where I was working. Went really well. This one was amazing. As soon as I sent this out, later I had a lady contact us and let us know that she didn't appreciate it because she had to cancel her PayPal and Kohl's card. I felt really bad. I sent this out as a phish. I'm done. Great. Applause.