>> Hello, DEF CON. I'm actually going to break with tradition this time and stop one minute early because I have so much shit to show you guys that I'm worried about how much I can fit in here. ( Screaming ) [ Laughter ] I have not counted, but I'm reasonably confident in saying that there are more explosions in this presentation than any other DEF CON presentation in history. [ Applause ] Which is crazy, because it's like nearly a quarter century of DEF CON. Can you believe it? It's totally blowing my mind. Ah, a lot of projects and not solo, but, ah, but this one is very much not solo, I called in like so many favors in working on this project, so a lot of friends went above and beyond to help me out. So this is their old school anti-splash screen hacker thanks. I think the only person who managed to come this year is RF. So hopefully he's a wake and watching. So I was inspired to do this by a talk at DEF CON 19, by Bruce who just spoke in here and Deviant and Shane about, um, they were running some kind of data center that had very valuable stuff, you know, on the hard disk in that data center and they were sort of kicking around some ideas like, you know, it could really be a target for some, for some criminals to come in steal everything so could you have a switch that you could flip to destroy physically all of the disks in your data center? And I thought this was pretty cool. And, um, I really wanted to kind of do a follow-up and do some experimentation of my own and then four years later I thought about like, well, where are we now? We've actually had data centers be physically rated and have all their stuff stolen, torn mail, the multiple silk roads and Snowden taught us that we don't really know how much we can trust crypto because our endpoints are so insecure, your crypto is only as secure as the keys so, think about it, does the NSA when they get rid of the crypted drives, do they just throw the drives away, of course they don't. They destroy them completely. So here are the goals. Flip a switch, drives are gone, no disk left standing. Protect your data center against highly motivated criminal organizations such as the three-letter government agencies. [ Laughter ] And then, of course -- [ Applause ] The big one produced a little bit of destruction prawn for the DEF CON audience, for all of you here. So that means more thermite. More explosives. And more voltage. [ Applause ] So these are the rules that, that Bruce and Shane and Deviant came up with and I'm going to mostly try and follow them. You have a one-use server with your equipment in it. You have one new above and below for whatever you want. I personally want, when I was doing this tried to keep all of the actual distructo equipment in one U so the other two Us could be used for protection, gas extraction and so on. 60 seconds to completion. I really want to make a joke about Bruce and Deviant and Shane here, but I won't. [ Laughter ] Don't set off the fire systems. Don't set off the seismic centers in the nearby banks. I don't really care about that -- so don't worry about that. Um, contain the damage within the equipment and protect any nearby humans. The quick word on how this technology, data centers, still use a lot of spinning platters, um, these tend to be made out of aluminum and now more frequently glass. And glass smashes easily. So most of this stuff is with aluminum. Almost everything I do here will also work on the glass. Um, the coding is really interesting of hard disks. They have underlayers of a cobalt, nickel iron alloy. The magnetic alloy is actually cobalt chromium with platinum. And these layers tend to be separated by four atom layers of ruthenium, so very chemically unreactives, actually, the surfaces of hard disks. Now, of course, not too much in data centers, but seesaw drives so I wanted to do a little bit of stuff with them, too. Here are the results from DEF CON 19. They did, they did three categories and they split it up between the three of them. So Deviant worked on incendiary and the results were they had some regulatory issues with possible deployment 'cause they were working with Tannerite, which is used for making explosive targets and legally to set off Tannerite you have to shoot it. And they did some melting of the aluminum platter hard disks using propane and map gas, what they discovered was the drivers' an excellent heat sink. It is a big chunk of cast aluminum, the platter themselves are aluminum. So they suck up heat like crazy. They are hard to melt. They did some chemical injection, and it was basically a total fail. They injected various corrosives and the, the, the, the -- hard disks are quite chemically unreactive. And then the most fun they had was with physical tools. They used a lot of woodworking tools such as whole saw, spade, bit, and grinding disk. And they got things hot and burned themselves a lot. You should definitely watch the talk. I was going to say that earlier, I don't want to say too much about the actual talk. Just go on-line and watch it, it's very, very amusing. And then they did some electrode depleting of the platters which worked great on the glass platters, completely failed on the aluminum ones. Ah, just a word on how they destroyed drives industrially. When they decommissioned disks, ah, they mostly degust them and then flow them into a shedder -- I was going to turn the sound down or that, but I forgot, sorry. So when you're getting rid of drives, you know, you want to predict your adversary, the TLAs are able to check and exploit physically, destroy drives. I talked to a guy who did, um, EOD work in Iraq and he was under instructions from the NSA that if he found any hard disks that were not crushed and burnt, to send them in. They could get stuff off them. So if you want a nuke a drive from orbit, degust it, crush and shred and burn. So here, to climb in on the one track, even though this is mostly original research, here is my one, 101 slide. So for, for anyone who's here actually for a 101 talk about how to destroy their own hard disks at home, ah, you can leave satisfied after this slide. Open your drive, usually takes a talks T8 bit. Remove the platters, using takes a talks T6. Rub it with a magnet to degust it. Crush, break, deform it, by the method of your choice. Then burn it. Then separate the debris and don't dispose of it all in the same place. Separate it and throw it away. All right. So the rest of this talk, hopefully, interesting to you. Not necessarily useful. [ Laughter ] I, too, decided to use three different technologies with this. So thermal, kinetic, and electric. So the, the goal of doing a thermal method with a drive is basically to exceed the curie point of the magnetic media. So if a cobalt that's 1,115 degrees C. At that point it become magnetically disorganized and, and theoretically nothing can be read from it again. Here's some things that I didn't do -- so that you can either try them or, ah, realize why I didn't do them, I really wanted to look at some flameless chemical reactions. I couldn't find any that got hot enough. Um, of course, you can make a kick ass oven and bake a disk, that's not exciting to watch. Um -- [ Laughter ] You can inductively melt aluminum very easily. You can get a big inductive furnace, it's nice, I've used them before. I, I would have liked, I guess, the drop a hard disk in one and watch it melt, but I didn't do it. So method number one, ah, the good old plasma cutter. So starting off keeping things simple. [Noise] I used plasma cutters plenty of times. I expected it to make much more of a mess with a hard disk. But as you can see, really nice. It completes in about 40 seconds and, ah, very, very easy to contain. You could build an array of plasma cutting heads that would match the disk. So looks, looks pretty good so far. Oh, this drive is powered up and spinning. I wanted to see if the, if it would keep spinning and so just one insertion point will be enough to destroy the top platter. Um, it will start -- to leak out a little bit down the bottom to let you know that it's done. [ Laughter ] Very nice. Ah this drive stayed hot for a long time. So this shot -- [ Laughter ] Is after I repeatedly burned myself taking out the screws. [Noise] and you can see that, ah, it has, you know, killed some of the top of that platter. Here's a close up shot of it. So it spun for a little while, but not for very long. It thermally seized up quickly and there was some damage to the, to the top of that platter all the way around, but then it stopped and it just burned a big fat hole through there. And if you look at the lower platters, then, the hole went through, but they're not damaged anywhere else. So you can't rely on the drive spinning for this method. You have to have multiple cutting head parts. So that's the fully disassembled thing. Didn't make a lot of a mess. Totally feasible in my opinion. Next, I thought, well -- these guys -- use propane torches and gas and so on, in the previous talk, what if we could just use the drive itself as the fuel? Like pump oxygen through the drive and start it off with a little magnesium or something, and you know, just see if the drive will consume itself. So here's oxygen injunction. [Noise] I did, I drilled a little venting hole that you is can see venting out there. Eventually, I melt the oxygen hose and had to turn the oxygen off. So didn't really go to completion. Here's, ah, a high-speed shot with the FS-700. Is it going? No. Here we go. So you know, little, little bit of a containment issue, but, um, I feel like I, I could easily figure out an engineering solution to this with an extra 2U of insulation and air extraction. Um, that's what it looked like before opening. And, ah, inside did make quite a mess. Um, and ah, you know, this -- this was, there were, off to cleaning off the platter. You can see like the platter is nicely melted on one side and, I feel like with some more engineering effort here, um, and you know, like, it just pumping a lot of oxygen through this narrow 1U space that I could make this consume the whole drive. So I'm going to call that potentially feasible, but I know what everyone's here to see. And it's the first thing anyone ever talks about when they talk about drive destruction, which is thermite. So. [ Applause ] What I really wanted to do here was create a slurry thermite that I could pump into the drive when you push the switch and it would just really fuck it up big time. Right? So I experimented with doing some slurries, um, first of all, this is 101, here's the thermite reaction, I know you all know this, iron and aluminum swap their oxygen partners like they're add a swinger's party and it releases -- [ Laughter ] A lot of energy. You can get it up to about 2500C. 31 iron oxide aluminum by weight. If you use iron 3 oxide. So here am I stirring up a slurry. It looks really nice. You know, it's like very, very -- you know, smooth and gooey and you can really easily inject it. So ah, I thought this was great. But in retrospect the bright silver color that you see there, right? Remember it is like silver aluminum plus red iron oxide should have clued me into to what was going to happen next when I tried this. So here I am trying to set off the slurry thermite. Um, with a blowtorch. And -- you can see this is eight times sped up, right? So it's really not reacting very pleasantly. It's not helping me out at all. So that one of -- my theory is that the solvent is forming myceles with the oxide inside and the flake aluminum sticking on the outside, and it is just preventing them from reacting very well. And I tried a bunch of different solvent -- such as glycerin, petroleum naphtha, and kerosene, and you can see afterwards if I run a magnet over it that very small amounts of, of -- of elemental iron are being produced. Not very much at all. So a reaction is not really happening here. Probably the oxide is just being blown out with the smoke. Um, and when I flip over that -- this -- top [noise] that was I burning it on. There is no damage to it at all. It really didn't get hot enough. So total fail. So next idea was, well, if you open the disk, there's quite a lot of space inside it. So you know, if we were like really paranoid running a data center we could hide thermite inside of drives just for when we needed to use it. So I pulled off some unused pins from, from the, the -- from the disk bust connector to use this as an igniter and I found that you can fit about 15 grams of thermite inside a drive. [ Laughter ] And you can still, the heads that need to move into that space, you can still read and write to the drive with that in there. So this kind of thing always makes me feel like some kind of sketchy drug dealer or assassin when I do this. It makes me laugh, you know when you go through the airport and it makes you turn on your electrons, right? Totally worthless, there is plenty room for destructive shit inside of electronics that still function. So here is the shot with the preinserted thermite. >> Three, two, one. [Noise]. >> Not too bad, right? We can deal with this inside one unit. Um, but we open it up and you can see that a lot of stuff has burned and the stuff all over the platters, but, ah -- a little bit closer examination here -- we start to see the nice shiny nonstick chemically unreactive platters coming through. And when it's completely washed off, actually, like, bugger oil has happened to those platters. [ Laughter ] Total fail. So, all right. I wasn't ready to give up yet. And I know that in military thermite grenades they actually don't use straight thermite, they use what they call thermate, which is 70% thermite and 30% barium nitrate, what the titrate does is produce extra gas to move everything around and spread it around and it also burns hotter. So he's 15 grams of thermate. [Noise]. Much, much more violent as you can see. And here is a high-speed shot of that just to titillate everyone. Um, the, the top of this drive, by the way, is screwed on really hard, but that doesn't matter for the thermite it is happy to pop it open a little bit and spray out like crazy. Actually, producing much more sparks and debris and so on than the plasma cutter. But you know, we could still probably deal with this if it works. This just, just goes and goes and goes. Don't remember the frame rate this was shot at. Probably 240 or 480. Anyway. [Noise]. That happens for a long time. Carefully opening it up with a glove this time. >> It did pretty good. >> Yeah. That's, um -- quite impressive compared to the straight up thermite, I guess there's a reason why the military uses this formula. >> So I, I was, I, I had high hopes, I was happy, taking a closer look at the platter there's all kinds of crud all over it and, ah, you know, molten iron has been spread about the place. Um, and then when we clean it off, though, we see some good things, there's some, ah, some iron that's like attached itself, welded itself to the read head. We've got some, ah, pretty, pretty good, um, heat defamation of the platter there. And, ah, we've welded the platters together over here. But ultimately, most of that platter is probably still recoverable by electron microscopy techniques and stuff like that. So once again, fail. Well, there are other types of thermite. [ Laughter ] For example, copper thermite. So exactly the same thing happens. It is copper oxide and aluminum. The oxide switches over. 4-4, 4.4-1, copper oxide to aluminum by weight. It's a very aggressive thermite. [Noise]. So let's see what happens when we stick as much as we can of that, um, oh, first, First of all -- so I thought, wow. That stuff rules. Like really surprised me how fast it went. So like maybe the slurry will work with this stuff. So made up, made up one of the best slurries and -- ah, [noise]. Blowtorched the shit out of it. It, you know, it -- it burns a lot better than the, um, iron thermite slurry. But still the reaction is very much retarded by the slurrifucation agent. Anyway. So let's fix another drive, not slurry version, and see what happens. You know, we can work on the drive delivery mechanism some other way maybe. This is another high-speed shot. [ Applause ] [ Laughter ] So keep watching. [ Applause ] Because right, once again, the lid of this drive is really screwed down tight and you'll see the lid exiting -- [ Laughter ] Stage right. [ Laughter ] But keep watching. Because you will also see the drive eventually coming from somewhere airborne -- [ Laughter ] So this, this, this experiment coded most of Myles Sledlip's workshop in copper. So everything in there now is going to have excellent conductivity. [ Laughter ] So that's, that's the inside of the top of the, of the top plate. You could really make some nice art with this technology. So I'd like someone to tell Eddie Veety to really go and kick things up a notch over in the vendor area and that's what the drive itself looks like. And you can see it's really, really gone everywhere, as you would expect from that shot. And looking closely add the platter, you can see that it's stuck a lot of things to the platter. And you can see elemental copper has pulled, all around the drive, looks pretty nice. So let's wash it off and see how things really look. [Noise]. Yeah. Booed to you copper thermite. [ Laughter ] Some of it sucks. Right? Like it definitely made a bit of a mess, but ultimately, we have to say infeasible, but fun. [ Laughter ] So all right. Time to get serious here. Um, and I thought, well, the way that people who really talk about thermiting drives is they get a whole bunch of thermite in a crucible above the drive and just try to melt straight through it. So I thought, well let's see if we can do this in 1U. So I built a ceramic mold that would fit in 1U if I made it a little bit more carefully. 250 grams of straight up iron thermite. So what I did was, you know, use, use a piece of Styrofoam to fill the interstitial space in that ceramic material, made the match exactly to the drive so I could clamp it on, and there it is holed out. All of that area filled with thermite. So let's, let's, let's see if that's enough. [ Laughter ] So, so as you can see, my careful containment worked perfectly. [ Laughter ] Incidentally, Myles Sledlip's workshop has a large area rug on the floor. This shot set a significant portion of that rug on fire. So -- sorry Myles. [ Laughter ] Well, you know, that, that, that looked so impressive. Surely there can't be too much left of the drive that we just did that to. Once again, I'm not taking no chances with how hot things are after doing this stuff. So we can see plenty of elemental iron that's pulled into little, a little bit nodules in clumps on top of the drive. And it's made its way through the top of the drive. Through that little hole there. And understand it's certainly made a mess of the drive electronics, but we -- yeah. You know, I've already brushed that with my finger and I've seen that yeah. There's still plenty of my clean platter in there. Um, look, look at that. You know, looks almost good as new. So -- unreliable. So next time someone says, oh, yeah. Like drive destruction, thermite. No, no problems. Just remember that there are huge heat sink and you'll need a lot of thermite to do it properly. All right. Moving onto to part two. Kinetic. Goal here was to deform, spindle, mutilate the drive. Basically severely retard any form of mechanical scanning to be done after the fact. And so obviously, as I said at the start, that would have to be used in congestion with the degusting, degust is not fun to watch, so I did not do that. I had, had a bunch of ideas that I didn't do all of them. One was to do a, a horizontal hydraulic crusher that would fit in 1U and just like squeeze the drive to bits. I was pretty sure it would work, so I didn't bother doing it. Um, I wanted to use some other high pressure cutting tools, but again, you know, that was just for fun because it's, you know, to, to -- build a waterjet cutter into your data system as, you know, it is just probably a little bit infeasible. Instead, I wanted to start off with some like precursive method. And one of, one of the tools that I've used a lot in my place is the concrete penetrating nail gun. So this is, uses a propellant charged, basically a .22 caliber blank to drive nails into concrete. This happens so fast at 480FPS you can't even really see the nail. It is just is long gone through this, through this cinderblock. Here's another shot with this. You have to hit it with a hammer, this particular tool, to make it go. Um, which is -- you know, you have to do something a little bit different for actually doing on hard disks, but you can see there the plastic that holds the nail in the barrel fly out and the nail kind of slightly can see it. So I milled the end of the drive so that we can see what happens while its spinning and we hit it with a nail gun. Boom. No problem at all going through the cast aluminum bottom of the drive and all, through all the patterns, it actually cracks the, um, cast aluminum drive part. Ah, there's, there's a close-up of it. And you can see that it's, ah, you know, you could build an array of these things that just punctured the disk in multiple places. So -- I think -- totally feasible. We also had around a pneumatic nail gun. And I didn't have high hopes for the pneumatic nail gun, because it didn't involve any form of chemical propellant or explosives. So I'm like how good is that going to be, so let's give it a shot anyway. I didn't even use a new drive for it. Right? But it turns out, it goes straight through the fucking drive. [ Laughter ] Really nice. And it uses like a big, flat, pancake cylinder, so the one that's on this particular nail gun is big, but you could quite easily build a low profile pneumatic cylinder that would fit in your extra 1U that you have according to these rules and, ah, just punch through the drive in a whole bunch of places. So quite nice. There's close up of those nails just gone all the way through and out the other side. [ Laughter ] Again, totally feasible. So -- thermite zero, nail guns two. [ Laughter ] But this is what we really are excited about, right? This is why we came here. [ Applause ] There's no doubt that we can destroy drives with high explosives. All right? And we, we also get thermal factors as a bonus. We can do explosive welding. So the goals here really, for me, was, all right. Let's see if we really could confine this explosion to the rack equipment and I personally had been wanting for some time to experiment with some new techniques. A binary liquid explosive and 3D printing shape charges. And then, another subgoal here was for me personally, to pass go, collect $200 and not go to jail for this. [ Laughter ] So let me introduce what I'm calling Felix. This is a commercial high explosive liquid binary. It is expensive. I did not want to pay for it. So I decided to clone it. So I'm not going to say its real name, but it rhymes with Felix. And I'm calling it Felix expedient liquid explosive. It's very similar, conceptually to Tannerite and Cinpack, which is ammonium nitrate and aluminum powder as a sensitizer. Um, I reserve engineered it from the commercial product. It's based on nitromethane and you use as a sensitizer stearic acid coated 5 to 50-micron aluminum. So that means these individual components are simply, simple to ship, there's just Hazmat, they're not explosive until their mixed. This is the stoichiometry. We actually, I still don't know the ideal ratios, but that's the reaction. So the nitromethane is the high explosive, it decomposes by itself. The aluminum acts as a sensitizer, but the aluminum is then consumed by the water produced by the nitromethane decomposition. So it adds energy to the mixture. So -- all right. The legal thing. Right? So -- I thought that with my friends who have a high, a federal high explosive manufacturing license that would be all set, because they have possession licenses, they have high explosive manufacturing. It turns out we found right before we were supposed to do this project that it's not just the feds who care about this shit and you have to get a state type II license as well. So we were like -- oh, fuck, right? Are we going to do this in time. We just managed to get it done in time. So we were all legal and ligate and -- we, ah, could do this stuff. The one thing, the big thing that we needed in the end was to have a range where we could do this because the state wants to inspect your manufacturing facility. And we said, well, you know, you understand what's going on here, right? This is these two things and wherever we mix them, that's the manufacturing facility. Too bad. They want to know where you're going to do it. So we ended up, um, very -- very luckily, ah, finding a local bomb squad that would let us use their range. So that was really nice. As a result of all of this stuff, my friends and I are actually forming a consultant group, so little plug here, if you want to, ever do this kind of work, then talk to me, because we can now do it and, even though it's kind of regulatory hell, being in regulatory hell is better than being in prison. [ Laughter ] So the stearic acid turns out to be a really important component of this explosive. And if you don't get that amount right it doesn't work. So this is a test shot using an aluminum -- a pyro aluminum powder with stearic acid coded, but not that much stearic acid. This is a high-speed shot. And what you'll see there, the blasting cap just throws it around. That is a non-detonation. Right? So that is a total fail. When you get the stearic acid content approximately right, this is what it looks like. [ Laughter ] So -- I'm sure many of the people here already know this, but you know, this is 101, so ah, just take a little bit about the effect, so that's what we, it, that's the name, the official name of the effect when we say a shaped charge. What it means is you have a grove often chronically shaped, but it can be linear, for example, like a cutting charge, in your high explosive. So when you put that with the, with the grove facing the material you want to cut, ah, and you set it off, the cavity concentrates the shock wave and forms a kind of a jet. Um and you can actually line the, the, the cavity with copper or tantalum and form a liquid metal jet that will cut through, um, whatever you're trying to cut through. [ Laughter ] Very, very useful technique. A lot of this in tanks and warheads and that stuff uses it. So here are a few design tips for doing it. So what I was doing is I was laying out the, the -- a cup to hold the Felix in open S cad, group open S cad, um, a few rules of thumb. Apex angles should be 40 to 9. The narrower the angle the greater the penetration until your jet collapses and doesn't work. Um, you want to stand, stand it off by about two, two to 3 1/2 cone diameters and your charge, explosive charge height should be a little bit more than the height of the cone. So first of all, what I thought was, what about doing a linear shaped charge in the shape of a ring? And putting that on top of the drive and see you cut through the platters. So ah, I designed this also to fit within 1U. So there it is. View from the top. 3D printed and viewed from the bottom. Um, so we can fit 60 grams of Felix in this little container. And using a plastic cup there for the standoff. [noise] Don't concern yourself too much at this stage with the containment, because I work on that later. [ Laughter ] This is shot at normal speed and then just slowed down. Um, here's another, another shot, same technique. Same amount. [Noise]. You can see a bit of that drive exit stage right. Ah, here's the results. So not as impressive as I'd hoped, unfortunately. First thing you'll notice is there's a lot of unconsumed aluminum, show that matrix mix was not connected. That was over aluminized. Turns out, you know, you don't need too much to sensitize nitromethane. It stripped all of the platters off of the spindle, which is pretty cool. Um, and it has crushed the platters in, in, in, amongst themselves. So you know, definitely has done some damage. Definitely would be difficult to, um, exploit information from this drive. And there's one place where the shape charge has done its job and it's cut through, but that corresponds to where the cap was placed on that shot. So basically, we're doing the right thing with this charge, but we're having a problem capping it because -- the charge is not propagating around the ring that way that we want it to. So -- I thought about another idea, what about if we our shaped charges radial, coming out like that. So here's another open S tab model and also to try and stop everything from flying around we found a lot of aluminum around the place those shots. I made a lid for it as well with a little, little hole to feed some detacord through. So there's a 3D printed charge. 100 grams of Felix this time. It's a bigger, ah, a bigger, ah, physical thing. You can see the detacord that we're using to set it off all around the place. 18 inches of 80-gram detacord. [Noise]. >> Fire in the hole! [Noise] >> Where did it go? [ Laughter ] This, this particular camera, by the way, that's the close camera, it's inside an ammo box with a 1-inch acrylic window on it, but you can see, see it gets a good shake from the shock waves. This is, ah, from GoPro, 120-FPS. And you can see bits of that drive go in all directions. Nothing, nothing very big, um, so we had to search a bit to find the pieces. [ Laughter ] This, this one is interesting because all of the, all of the surface now, components, have been ripped off the board. [ Laughter ] Here's part of the platters. [ Applause ] [ Cheering ] So some more of the platters. And we've actually got some explosive welding happening here. That's actually the top plate and the platters have been welded together. Um, so very, very nice. So that made us think, like, well, let's try and do some compression welding. Let's actually just try and exploit that alone. So this is, ah, just a straight up detacord shot. Um, 100-gram, 100-grain detacord in that top one and then the double-sided version, doing some on each side. So to have the shock wave move from the outside in and compression everything together. So I'm going to show the single shot later on because we did another interesting experiment with that at the same time, but this is the double shot, that's how we set it up. [Noise] So actually the drive -- is not in frame anymore, but it didn't move very far. It was actually quite well-balanced. Here is a slowed down shot. Is it playing? No. Here we go. >> ( Speaker off microphone ). >> So you can just see it, just hop, actually, only a couple of feet, ah, but there's, there's, it is a sloped, ah, piece of land there. So just, it just drops down, ah, to where you can't see it in that shot. Um, there's the, there's the drive. That's still got, you know, the, the, plates on it. Ah, so when we took that top plate off, you can see, um, it did not strip the driver -- oh, so this is the number one shot. This is the single detacord, so it's not the shot we just saw. But the number one shot. It didn't strip the platters off like the Felix shots did, but it did compression together the, very, very nicely, and, explosively well. You can't see, because they are welded together, but you can see that the read head welded to the, to the top platter. [ Laughter ] And this is the double shot, didn't do nearly as much damage. I mean, ah, okay. So the single shot is, ah, 2 1/2 times the double shot in terms of total explosive weight. So this is 40% of the charge of the single shot, um, it did deform the platters quite nicely. Made, made this like really cool grove in them. Um we can see here thought they were not welded together in any way, shape, or form. Um, this is a cGate drive, by the way, so it just goes to show, anything you do to a cGate drive doesn't work. [ Laughter ] But we do know that the charge we use, the charge that we used to, that we need to use to compress the platters and weld them is between those two levels somewhere. Right? So, they taught us something. All right. Moving on -- um, the bomb squads to us, oh, by the way, we have hundreds of these oil well perforators that we want to get rid us, would you like us to? [ Laughter ] These are like down hole perforators. So you know, they drill the well and stick a pipe down it, and then when it's all done they put a pipe with these things on it to blow, blow holes, basically, punch little holes through that pipe and through the concrete surrounding the pipe and let the oil in so they can suck it up. Right? So their designed to go through steel and a foot or so of concrete. And so to paraphrase Ghost Busters if the bomb squad asks you if you want to be friends and share their stuff, you say yes. [ Laughter ] These are set off with detacords so they are like full of a very fast high explosive like maybe HMX. And there's just a little bit of foil at the top to let the shock wave through. And then you can see here the classic, ah, shaped charge. Right? So you got your conchal cavity, lined with copper and this particular one that I'm pointing to there has a standoff so that it's just -- everything is right for it to cut through things. So -- [noise]. This is a shot we did with two perforators pointing up. [Noise]. Just a, just to get rid of them at the end of the day, actually. But I want to draw your attention to a still frame from that. >> OOOO! >> Right. So you could never get this shot if you tried like a thousand times. At 30 frames per second, right? These are the jets from the perforators. That's the blasting cap. The shock wave has gone through the detacord, set off the shape chargers, and it hasn't had time yet to break through the, just the plastic shell of that detacord. Right? This is a miracle still frame. [ Laughter ] [ Applause ] So here's how we set it up. Um, on the edge of the drive to see how much we can cut through. Um, here's a shot. [Noise]. So -- B camera shot. You can see a chunk of the drive go flying off, ah, top left. There you can see how it just basically cuts straight through the -- cast aluminum casing. Here are the platters. >> OOOO! >> Straight through. Um, there's, there's all the bits we could find. Some of them went in the water, but wait a second. Down the bottom right, what is that? [ Laughter ] That is -- where the drive was sitting. That's a hole through the quarter inch steel plate underneath the drive. [ Laughter ] That's the exit hole on the other side. [ Laughter ] That's the hole that dug in the ground. [ Laughter ] [ Applause ] And that's the piece of wire we used to measure the hole. [ Laughter ] 15 inches after going through drive and steel plate. Yikes. [ Applause ] So we, we took the bomb squad was interested in that. They brought the next time the smaller version of the oil well perforators. [ Laughter ] Ah, once again a cGate drive. You remember these 1 1/2 tear bites cGate physical you do anything with disk drives because this is when the Asian tsunami happened and quality control went through the floor because all the facilities weren't working and so every single one of these cGate drives failed, if you look at the statistics. Um, so this time we're going to do two perforators coming in at 90-degree angles. So you see what kind of results we get there. And this time lying the drive down. [Noise] This time we brought the FS-700 so we could shoot it 950 frames per second. [ Laughter ] So you see a bunch of drive exiting to the top of the screen. You get more of an impression of that, um, on this wide shot from the GoPro. Just -- [ Laughter ] So they're out of the ballpark. [ Laughter ] We actually didn't find enough pieces of that drive to really draw too many conclusions about it. [ Laughter ] Um, we found this much and you can see that the drive case just very nicely coursed like that, but we didn't find the platters. So we had to do the shot again. Ah, we, we were -- [ Laughter ] We were all out of 1 1/2 terabyte cGates so we used this one, I'm not ref moving the label from this drive, so I think I'm going to void its warranty anyway. [ Laughter ] And this time we put the steel plate on top just to try to keep the fragments to where we could find them. [ Laughter ] [Noise] The, the GoPro shot is nice of this one. [ Laughter ] Just a little graceful leisurely arc. [ Laughter ] So there's, ah, there's what we found of that drive in terms of the case. Did also a really nice job going through to the center spindle and there are the platters. So we cut through the platters, but not through the spindle itself. So I feel like we could probably tune the shape chargers to go just through the hard disk and no further. So I feel good about shape chargers. But there's one other charge I wanted to try, which is a diamond charge that EOD folks use these a lot for cutting. What you do is you create a flat, high explosive and, um, you cap it at both sides. And when you set it off, ah, the shock wave comes in from both sides, meets in the middle and turns 90 degrees. And you get a jet that comes out either side. And cuts through whatever you want to cut through. And what I wanted to use for this was this stuff, its debtor sheet. It is potent explosive sheet. Kind of like a high explosive fruit roll up. ( laughter ) and I've used it before and we had some to shoot. Yeah. All right. We had some and I wanted to use this on the shoot, but, um, it's -- difficult to transport. You have to be placards to transport this stuff based on the original packaging. No matter how much you had, it is just what was written on the packaging. We had a small amount, but the package said it was a huge roll, like a kitchen roll, we couldn't move it. We could get it, but we couldn't transport it. So, instead I 3D printed again a container and filled it full of Felix and we capped it from both sides with detacord. So here is the setup, 60 grams of Felix and there it is good to go on the drive. And this shot, the diamond charge is underneath the big steel plate and we were also getting rid, again at the end of the day, surplus perforators under the, ah, big steel plate. That's a half-inch steel plate. So that's, I think, three of the small perforates under there. That you'll need to know that for this video. [Noise]. So that's the big plate coming down. The, the, the heavy plate is not in that shot, but it is in this shot. Um, once again, this was, I think, our last shot of the day. So -- wait for it. [ Laughter ] There's, there's the -- the quarter inch steel plate. And there's -- [ Laughter ] Is the half-inch one. [ Laughter ] [ Applause ] So it's a good thing we didn't need that anymore. Because it was gone. [ Laughter ] But there's, there's the drive. It didn't actually do too much it just acted like a platter charge. You can see things of the diamond in it, it didn't cut it. Total failure. Anyway, it was interesting. I'd like to try that again with the deck sheet, because I know that works. So blasts suspension. All right. We had fun blowing things up, but can we actually make this work inside of the equipment. We have it coupled to the drive, we want to decouple it against the equipment. We have the explosive and the drive, and a damping agent between the equipment and shell. What can we damage it with, it would great to get a substance that's compressible maintenance. Maybe like some kind of liquid and gas foam. It would be great if it was inexpensive we could actually inject it into the equipment when we wanted to so we didn't have to have our equipment full of foam. Where could we get such a wonderful high tech magic thing? >> ( Speaker off microphone ). [ Laughter ] >> Yes. Thank you, pyro. [ Laughter ] So we learned this is from the explosive engineering instructors they actually use this when they explosively punch out lock cylinders. They will put a big gulp cup full of this stuff over the explosive, just punch out the cylinder and the shaving cream damps the noise and the frag. So I said I'd return back to this shot, the single 100-grain detacord shot, plus the shaving cream, inside a box. [ Laughter ] Let's see how that did. You can see the A camera there to the left of the shot. [noise]. So all right. No, this was, this was a shot in which the drive was really shredded and stuff definitely flies anywhere. But let's take a look at some still frames from our two cameras on this shot. That is the first detonation frame of the shaving cream shot. Um, with the, with 100-grain detacord. This is the first frame without the shaving cream from a, from a charge that was 40% the size of the left one. Right? So, the left one is 2 1/2 times the explosive as the right. Here it is from the other camera. So if nothing else, we're definitely damping the, the, the flame and heat pulse that's coming out of that. That's really interesting to me. So we tried this again with a, kind of a simulator of the one year rack, his 75 grams of Felix. It is the annular shape charge thing again. This is our one-year rack simulator. The steel plate with the angle pieces welded to it. Um, setup here. Coated in shaving cream and then with the other plate on top of it with a sandbag. So we're just kind of getting an idea about, you know, stuffing stuff into 1U and what's going to happen. >> Three, two, one. [Noise]. >> So I personally think that's pretty impressive. Here is the FS-700 shot. Like, stuff goes flying, um, but markedly different from all those other undamped shots that we did. Here is the steel plate. And yep, it made a dent in the steel plate, that's where the drive was and that's the other side of the steel plate. So it was dented, but totally non-perforated. Here's the other one, didn't clear quite so well. We did actually unfold the angle iron and split it a little bit, but -- you can also see the, the drive imprinted on the plate there. [ Laughter ] Ah, but there's -- the, the summary here, after damping stuff, the high explosives, with enough engineering effort, it just might fucking work. [ Laughter ] [ Applause ] So after, after really fast now with electric, because there's not too many things in there, the goal was we got electricity already in the data center. So let's do it. Especially I wanted to look at SSDs. Things I didn't do, nasty gouting, boring to watch, I didn't want to put you through that, EMP, microwave attacks might be fun to do, I may do that later. First thing I wanted to do was exploding bridge wire, so here's on sketchy capacitor bank and spot depth trigger. This is how we charged up with good old fashioned vacuum tubes and -- I -- could not find anyone that had SSDs that were broken that they would give to me, because -- there's just too new and I am sorry, I love you all, but I am too cheap to spend thousands of dollars on SSDs just to blow them up, so I'm just using flash drives. It is very similar. The SSD looks the same inside, just flash memory chips folded onto the board. So I think we can draw conclusions here. So here's what happens when you dump a lot of high voltage through the wire. >> Three, two, one. [Noise]. >> Here's, ah, a high-speed shot of that. Happens very, very quickly. So first thing I wanted to do is just to physically couple that to a drive and, um, see if we could just use the force of that explosion to -- >> Three, two, one. [Noise] >> High-speed shot. So you can see in the high-speed shot that it didn't work. Right? It didn't, nothing happened to that chip. Although, when we look at it closely afterwards, the memory chip itself, ah, faired just fine, but we did decap the microcontroller on the other side. That's actually blasted the, um, the -- ah, parting material off the chip, but we cannot rely on this method. So what about if we have our drives in our data center and we're hooked up to power and ground and we can deliver a large voltage spike when we went to through like a spout gap or something like that? So I sold another powering ground to these flash drives. Here is the -- >> Three, two, one. >> Realtime. [Noise] Nice shot. High-speed. So we can see in the high-speed shot that we really did some damage there. And there we can see that we blew the flash memory chip right off the board. You can see all the internal leads from the chip. We broke the chip in half and decapped it. So nice, a lot of damage to that. The one thing we don't really know is how recoverable flash memory chips are when that's happened to them. Um, where you can use microscopy technology to get stuff back, but I'll say especially feasible to just, to, to destroy things quickly that way. At least to make it difficult to, to, to do a recovery effort on. Um, for regular drives, that's -- an inductive defamation of a soda can. So you can wrap a coil around something metal and you can do a shot through it and, ah destroy the hell out of it. That's 2,000 frames per second. Here is another shot of that. Obviously, there is a big difference between a soda can and, um, a hard disk. This is 100,000 frames per second. So -- ah, you can see that -- >> OOO! >> This squeezes down very, very quickly. This is the other side. Ah -- so basically, the whole time I've been talking over this slide, 10 milliseconds have not yet elapsed there. So you can destroy things really quickly. And it would be really great to destroy hard disks that way, but the necessary power levels with hard disks are currently unknown, maybe we'll do some real mad science later on. So here's a summary. Um, the most freezable methods in each category. The plasma cutter worked great in femoral. Oxygen injection I think could be feasible, but may require complex injection. Kinetic, the nail guns were great. Damped high explosive was really fun. Possibly failing the seismic part of the rules. Oh, well, who cares? Electric, high voltage power spike was good, but we don't really know the forensic resistance of SSDs. Number of eyes lost -- zero. [ Laughter ] Now -- [ Laughter ] [ Applause ] Just before the goon drags me offstage here, I just want to say one more thing, mobile solutions, right? We've been talking about data centers, but when they picked up Ross Ulbrick, the Dread Pirate Roberts they basically mugged him in a public library. They grabbed him, they dragged him away from this laptop and it was unlocked and they harvested everything that they needed to put him away for life for federal crimes. So we can, these days very easily, with commonly available open source hardware development, um, systems that are approximately connected to our computers. Right? So using blue tooth or whatever. So I just want you to consider this -- ¶ [ Music ] ¶ Thank you much. And feel free to come and talk to me about all your ideas for doing this later on and then maybe we will make another DEF CON talk about this stuff another time. Thank you. ¶ [ Music ] ¶ "This text is being provided in a rough draft format. Communication access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings."