>> So, thanks for coming out on a Sunday afternoon here at [coughing], at DefCon. [coughing] And today we'll talk a little bit about mouse jigglers... [coughing] And defense and a little bit of offense as well. So what's this talk about anyway? Why should you be here, or some of you might be in a hotel room watching this... [coughing] Uhm, mouse jigglers are now a common item in a toolkit for many law enforcement organisations and also, uhm, for people who like to come and grab your stuff. [coughing] And if you're using full disk encryption like you should be using, it's kind of worthless if you're logged into your computer. So, other reasons why this might be interesting is if you wanna build your own mouse jiggler [coughing] it could be fun. [pause] Uh, just a little bit about me, uhm, this is my seth, seventh DefCon talk in the past 5 years so if you've seen me around and thought... [applause] "He looks familiar..." [applause] Maybe that's why and also, uh, funny story, I have a film credit on IMDB for the DefCon documentary as "The Professor", uhm... [sneeze] I was in the elevator the other day with someone who is also credited as "The Student" and someone recognized him and like "You look familiar to me for some reason...". So I teach digital forensics and security at a university, that's my day job.
Also a hardware hacker, uh, been known to write a few books, just released a really small book on Windows forensics, last year we released a Linux forensics book and a couple of years before that I released this book on hacking the low part of ISOs, so yea... I mean, this is the small book. [audience noise] [pause] [background noise] So, what's this talk about? First of all you don't wanna be like this guy... [pause] [cough] The FBI is knocking on his door, and he's thinking "Oh, sh*t!", so what is he doing? He's running to all his computers and he's launching a nice little deletion process; he's grabbing drives, throwing them in the toaster; [cough] he's putting CDs in the microwave... And here's my favorite part - he's got these huge magnets... [laughter] And he's deleting his hard drives... And now he pretends like "Hey... I, what's, what's going on guys?" You know? Right... So you don't wanna be like this guy for a couple of reasons, number one, what this guy just did is called "Obstruction of justice".... [laughter] And it kinda gets you into a bad place, right? The other thing is, as much as it looks really cool as you're going across your hard drives with magnets... it doesn't really work. Okay? Those suckers would have to be super powerful, but yea... It's Hollywood, right? [pause] So what is a mouse jiggler anyway?
It sounds a little dirty, a lot of people are like "Oooh, that sounds like a dirty talk you're giving this year, Phil..." But, uhm... [audience noise] But it's simply something to use to keep a computer awake and unlocked, it can be used as a prank... [pause] Anything could be used as a prank, right? [audience noise] [cough] And there's two basic types, you have your software jigglers, that's not what we're gonna talk about. And then you have your hardware jigglers... and that's what you gotta be worried about. So... [cough] I've got a couple of pictures here of two very common mouse jigglers that might be in somebody's toolkit. So we're gonna talk about how do you detect these; what sort of things could you do... just simple stuff [cough] in order to defend yourself. So when it comes to detecting a mouse jiggler you could use a known vendor ID and product ID. Now it turns out there's pretty much one company who makes these and their vendor ID is 0 E 9 0 and their product ID, the most common ones are 2 8 and 4 5, but honestly this company makes forensic stuff so if anything from their company is plugged into your computer [cough] it's probably a good idea to do something about it, alright? [audience noise] You could also detect behavior, you know, what if somebody, you know, listens to this talk and they're like "Well, I'll just make my own"?
So we will talk about how you can detect that and also you could just... do things based on a device class, you know, any type of device that could be a jiggler, uhm, do something, [coughing] You know, do something. So the easiest detection is detection by a known VID/PID combination - known vendor ID and product ID. So, since there's a single manufacturer this is super easy, right? And the nice thing about it is, very quick, you can immediately detect it. Some of the other things we'll talk about are not as quick, you'll have to analyze stuff a little bit. It's very easy and it's definite, you're like "Okay, it was definitely one of these devices...", you know, it's not like "I, I think it was", alright? So how do we do this? Well we use udev rules. Any, how many of you are familiar with udev rules? [pause] Alright, just a few of you... Alright. [cough] So udev rules are kinda like the new thing, I say the new thing, they're not super new. I think like in the last 10 years or so... but, you know, for Linux if it's been around forever, uhm, that's "new". And they determine what happens when a new device is attached to your computer. And they have a set of matching conditions and you can use them to launch various scripts. You know, one caveat is if you launch a script it should return right away, otherwise bad things happen with your computer.
You don't want to launch a script that says "Let me spend 5 minutes analyzing this device to figure out if it's a mouse jiggler", because you can't install any other USB devices in that time and it's gonna kind of suck... [coughing] alright? So here's an example of a udev rule, this one will detect a known mouse jiggler and if you look at the rules, normally they're set in etc/udev/rules dot d and you just create a simple text file with a bunch of rules, uhm, I believe you have to mark it "executable" but other than that there's no real requirements. Normally we name these rules with a number and then a "dash" and then its name and then it ha, it should end "dot rules", alright? Now, the reason we use the numbers is these things are executed in alphabetical order so you might have something that definitely has to run right away or should run after other things. So that's how we handle that, we just use a different number. So in this case I used 10, um [background noise] which is, uh, appropriate for this particular thing. Alright, so, here's my rule, my rule just says "action, double equals, add" so a double equals, if you've ever programmed in C, C++ etc. you know means "this is equal to" not "please assign something to this", alright? And the same is true with udev rules.
So it says if the action equals add you just plugged in a device and the vendor is 0 E 9 0, which is the known vendor ID, [cough] then to your list of scripts to run please add... That's what the run plus equals "this". So it says etc/udev/scripts/lockscreen dot SH, alright? So in this case the first thing I'm going to do is just lock the screen, right? You know, what was the goal of a mouse jiggler? Don't let your screen lock. [pause] Alright, you plug into my computer, it instantly locks... sorry! Now, when you change these rules you have to restart the udev service so that's why I have the little note that says "Don't forget to run sudo service udev restart!", alright. Let me back up for just one second... so you see here where it says "ATTRS" with an "S", ID vendor, equals equals, 0 E 9 0? What that is about, is that you can detect the device, now when you plug in a device, USB devices are layered, right? They are a device, they could be a composite device... and so you say "When I add an "S" to any of these matching items, uhm, that means that if anywhere in the chain, you know, my parents, anybody has this vendor ID for this device, or part of it in this tree-structure that's gonna get loaded, please match it.", alright? So that's why it's important to add the "S" in there if anyone's wondering... [audience noise] [cough] You can also detect a mouse jiggler based on behavior.
So, what do they do? They periodically make small mouse movements. Now the prank version which you can buy doesn't make just small movements periodically, it's like, makes your machine unusable. So this is something you can prank your friends with, although, honestly it's like, if you have physical access to your friend's machine there's a lot more fun things you could do. [laughter] But, they do sell this device, uhm, I don't think your typical law enforcement person is gonna have this in their toolkit because [chuckle] they couldn't use your machine anyway. Uhm, and then there's the forensic version, the forensic version has a much longer period, usually around half a minute to a minute. Sometimes they're randomized, depending on which version you buy. So, what you can do is you can detect these periodic mouse movements. Now the other thing that's a little bit unusual about these devices is that they normally have no "clicks", right? Why don't they have any clicks? Because that could screw you up, right? If you're working on something, if the mouse moves a little bit, yea whatever... But if the mouse is moving and clicking, [cough] like what you might do on the prank version, uh, [coughing] that's a problem.
[background noise] So, another thing that we can detect, normally these mice are two-button mice, so they're two-button mice, they're never used to click on anything and they move in predictable ways. [pause] So if you think that you might have a mouse jiggler you should probably, immediately, apply some sort of benign defence. You know, something like locking your screen. Yea, it could be a pain if every time you plugged in a possible jiggler the screen locked but, so what? [coughing] I mean that's, how often do you plug in a mouse? Or a keyboard? Things like that... Uhm, because this will take a couple of minutes. So here's the udev rule for that. And again, this, uh, another file stored in etc/udev/rules dot d, and the action is "add" again, and it says "Oh, you just added anything", so I'm gonna be super cautious, I'm not gonna check the vendor ID or anything like that, I'm just gonna say "You added something". So please add to your list of things to run, this little script. It's a detection script and I'm gonna pass it two parameters. [coughing] The bus number and the device number, you'll notice that there's also an ampersand added to the end because I said that you shouldn't have long-running scripts. And I just said this might take a couple of minutes to run, right? So you don't want this running and clogging up your udev system.
So once you've added this simple rule, remember you need to restart udev with sudo service udev restart. And then you can go on to the script. So this detection script uses something called "USB HID dump" and this will dump HID reports. HID, if you're not familiar, stands for Human Interface Device. So there's a class of USB device, you have keyboards, you have mice, you have joysticks, basically, a HID is anything that [coughing] connects a human to your computer. So, this script has to run with root privileges, which it will be, if it's run by the udev system. And it relies on the no-click behavior, amongst some other things, alright? So here I have a screenshot, hopefully you can kinda see that, this is a couple of reports from a mouse, like a proper mouse and you'll notice that this mouse has, I think, something like 15 buttons on it and a couple of axes. It generally, a mouse report like this will start with a byte or bytes for the, uh, the buttons, so each button gets a bit, so you can have 8 buttons per byte, if you will. And then you'll have the various axes. So this is a really nice mouse that has got, you know, scroll bars and all, all kinds of stuff on it. So it's a bit longer of a report. [pause] So, here's the script itself, it starts out with a standard shebang, bin/bash.. just to make sure it's running the bash shell.
And, I have a, I have some stuff in this script that obviously if it's being run as a, uh, [cough] non-interactive process it's printing stuff to the terminal which they'll never see but you can also run it separately, that's just there for debugging. So, yea, normally you don't need a usage function in your scripts that run but, so I had to define a little usage function and then I check and can say "Hey, did you get me enough parameters?" Remember, I need the, I need the bus and the device number. Remember when I first do a check for the standard el cheapo mouse jiggler that emulates a two button mouse. So what I do is I look at the address, so I get the address, I use "print F" in order to format that. So you might recognize that statement where I say "device address equals", let's see if I can successfully cursor over there, yea here... Alright, and I'm using a little trick that some of you might be aware of already, in bash shell scripting you can run any command and then take the results from that command and use it to set a variable by enclosing that command in parentheses and preceding those parentheses with a dollar sign.
So here I've said "Please run the command print F" and I have a format string and that format string just says "Please give me zero padded, three byte decimal numbers, separated by a colon" and then I give it dollar sign one and dollar sign two which were the two arguments passed into this script. And then I get a report, I use that same trick - my dollar sign parentheses - and I call timeout one second. Timeout, if you haven't used it, it just runs whatever you give it for how long you say and then it kills the process, okay? So I run USB HID dump and I give it that address [coughing] and I give it another parameter - dash E S, which says "Please give me the strings, not the, the descriptors that describe the device." And then I pipe that to egrep and I say "Hey, did that bullet begin with three bytes of zeros? Or did it not begin with three bytes of zeros?" Because it turns out the cheaper mouse jiggler will give you a lot of null reports, like "Yip, didn't click anything. Yip, didn't move", alright? Over and over and over again, now if you get the, the fancier one it doesn't really do that, but, it works differently. So I get a bunch of these and then I check and I say [coughing] "Alright, did I get anything?"
That's what this first statement says, it says "If that thing was at zero then I'll just echo something that you'll never see unless you run it directly" and then I will start declaring, I declare a couple array variables which you can do in bash. That's where the "declare dash A", uhm, mouse reports and also "no null" reports. Uh, by the way, just an FYI, uhm, you'll notice, I dunno how visible it is here, that those are separated by semicolons and the reason I did it that way is, uhm, just to put more in the one command, on a, on a line so that I could kinda fit it on the screen. Obviously it's still a little bit smallish, but... Uh, in the materials on the DVD from DefCon we have all this stuff so don't stress too much if you can't read it. [background noise] So, then I, I get two minutes worth of reports and I store that in my array and then I do a little bit of command line kung-fu here... [audience noise] [coughing] And I say "Okay, are any of these "not null" reports?" and then I look at that list and I say "Alright, it wasn't null..." and there are two reports that are exactly the same. And there's no mouse clicking going on - you pretty much got a mouse jiggler, right? At that point. [coughing] Now, if you have the slightly fancier one, then I'm gonna check for, if it's like a 5 button mouse, it's a 5 button, 3 axis mouse and once again, there'll be no clicks, right?
So that's kind of a big key and I will look for the report that corresponds to that and if I get a bunch of reports that are duplicates or, you know, nobody's ever clicking on anything, then I know this is a mouse jiggler, alright? [pause] Finally I can do detection based on a device class, so, whenever you insert a possible jiggler I can do something about it. Again, this should be benign, you know, don't start wiping your drive just because something that might be a jiggler was installed. Alright? [chuckles] [audience noise] Uhm, this is really a good idea even if you have the other rules in place, you know, you could do something as simple as "Hey, you inserted a USB, a USB drive or any USB device, I'm just gonna lock the screen now." [background noise] I mean if I do that, uhm, here's the udev rule where I say "Alright, any HID...", so it's like, "Alright you inserted a mouse, a joystick, a keyboard... your screen's gonna lock". So what! Right? If it's you, so what? You know your password. You know, by the way, you know, [coughing] if someone storms into your office and they're trying, you know, their first goal is to get you away from your computer and their second goal is to keep it from going to sleep, right? So that's where the mouse jiggler is gonna come in but..
you know, I think personally with all the stress of armed people in my office I would temporarily probably forget my password until all my encryption and deletion scripts completed. But that's just me... [laughter] [chuckle] Alright, so this script or this udev rule is pretty simple. You say anything that was in the HID subsystem, go run lockscreen. [coughing] Right, now when it comes to the scripts themselves you have to choose your level of paranoia, you know, do you just wanna lock the screen, do you wanna encrypt some files? Again, I recommend you use whole disk encryption in general... Uhm, do you wanna start a secure wipe? Do you wanna do some physical destruction? Now there's been some other DefCon talks in the past that I'll reference later about that... [pause] So the first thing I wanna talk about is locking your screen from a script. Now this might sound simple but remember you have a non-interactive process, right? So it's like "What screen?", right? It doesn't have a screen... and that's kind of an issue, so, if you're running various windowing systems, it's gonna vary a little bit. So if you're running Gnome you can get the session ID by running, uh, bin login control list sessions. You can run bin login [cough] control lock session with that session ID. If you're running KDE or LXDE you can look at the display and you can use the X-screensaver command, alright?
So basically you say "Oh, I'm gonna log in as root essentially and lock the screen." And in other systems if you just su dash C and then you run... [coughing] a command, screen lock command, whichever it is, that'll work. Now here's another little tip for you if you're kinda new to Linux. Notice that I have "display equals colon zero" before my command. This is a nice little thing you can do in Linux so if you want to run a command and you wanna change an environment variable just for that command and not in general you can do this - you can list all the environment variables you wanna set before you run your actual command and it works great. Alright? [pause] So here's my little lockscreen script. In this case I just put my username in there, [coughing] you could, somehow, you know, try to figure out what your username is. But keep it simple, right, this is your computer, you're trying to lock it down, so, you know, make it applicable to you. And I'm running, actually, Ubuntu on the test system that I ran so it's running Gnome and here's the little command. So I run list sessions and I pipe that to grep, right, grep for my username and I pipe that to awk and then I print the first item from that line, and that is my session ID and then I call lock session with that session ID. And it's very similar with some other windowing systems, alright?
[background noise] So it looks kinda like this... I'm just minding my own business here, working.. on my little Ubuntu system.. and here comes some person I didn't boot, alright. So, you know, my computer just locked, now a, a little word about this. My computer just locked, it's encrypting files in the background. Don't be stupid! Okay, don't have a little graphic going "Hahahaha... [laughter] ...I'm like deleting sha, sh*t..." or you know "encrypting files..." right? That's, that's kind of a bad idea, right? You don't want to alert people as to what you just did. Or, I'm sorry, what they just did because, did you touch that computer? >> NO... >> No, you're not like that first guy from the movie, that was from the movie "The Core", you know, that wasn't you... Your forensic tech - I dunno, I dunno what he did. Not my problem, I was nowhere near it. You know, things happen... Oh, I forgot about that script, yea... we have that safeguard, sorry. [audience noise] Uhm... Alright, so encrypting stuff. [coughing] So if you wanna encrypt your personal files, again, you should be using whole disk encryption, you have a couple of options. You can use GPG which is [cough] Gnu Privacy Guard - it's the same thing as PGP but open, [cough] uhm, you can use openSSL, you can use Bcrypt and Scrypt [cough] and you can also use a random encryption key, right...
So you might temporarily forget your password when people ask you, right, when people ask you. And then if they say "Well, what did you use to encrypt this file or this set of files", [cough] if you can honestly say "I dunno..." [laughter] "I dunno the key. I'm sorry you can't coerce me into giving you something I don't know..." But uhm, so I talked a little bit about generating random keys and somewhat securely storing them, I mean obviously, if you wanna stash this key somewhere, uhm, it could be discoverable. So, you know, I'll give you some general ideas - don't, don't be the guy that does the exact thing I'm gonna show you... [laughter] In this talk... right, it's kinda like. I taught a pen testing class a couple of years ago and I had some students in the class and they were like "I, I ran all these commands, to, you know, encode my stuff from Dave Kennedy's Metasploit book and AVG found it every freakin time", and I'm like "They read that book too!"... [laughter] You know. [pause] So here's how you can use GPG and again, I have a little usage statement and it will take a directory and for everything in that directory it's going to use for to loop through everything. And it's gonna say "Hey, is this file already encrypted? Does it have a GPG extension?". So that's what you see going on here. [pause] Let's see if I, there it goes...
So here I'm saying, 00:28:36.715,00:28:43.121 alright, if you, uhm, get the file name, get the base name, 00:28:43.121,00:28:48.126 base file... Oooops! Sorry... Uhm, base file is a co, [cough] 00:28:48.126,00:28:51.096 a command, or basename is a command that will get you just 00:28:51.096,00:28:54.299 the filename, or it could have a huge path on the front of it and 00:28:54.299,00:29:00.472 you strip that off. And then you can use base file and the pound 00:29:00.472,00:29:05.310 pound dot! [coughing] That is a construct where you can take 00:29:05.310,00:29:11.917 that name, that shell variable base file, and get just the 00:29:11.917,00:29:13.251 extension off of it. So it's kind of a cool little trick. And 00:29:13.251,00:29:14.586 then I check and I say... "Alright, has this thing...?" 00:29:14.586,00:29:15.921 Oh! This is the wrong script, they're all about the same... 00:29:15.921,00:29:17.289 alright. [coughing] So if it doesn't have a GPG extension 00:29:17.289,00:29:22.294 then I'm gonna echo my password and pipe that to GPG and give it 00:29:36.308,00:29:39.778 a passphrase which is in file descriptor zero which is 00:29:39.778,00:29:44.282 standard in. And I'm gonna say "Please use symmetric encryption 00:29:44.282,00:29:48.887 using that key, and here's the file name and then as soon as 00:29:48.887,00:29:53.425 I'm done I'm going to remove the file..." [coughing] So I'm going 00:29:53.425,00:29:58.096 to remove the original file, that is. And that's pretty much it. 00:29:58.096,00:29:59.431 OpenSSL, very similar, just a different command. And I'm just 00:29:59.431,00:30:00.766 looking for ENC as the extension. Now here I'm gonna 00:30:00.766,00:30:05.771 use AES-256-CBC. How many people went to Hacker Jeopardy 00:30:10.676,00:30:17.115 last night? [cough] [pause] How many of you were sober enough to 00:30:17.115,00:30:22.120 remember what CBC stands for? Okay, you can look it up 00:30:28.894,00:30:35.067 later... [laughter] Okay. 
It was actually in a question, or I 00:30:35.067,00:30:41.073 guess in an answer, technically. [pause] Alright, you can also 00:30:41.073,00:30:46.611 use ccrypt. ccrypt, you pretty much wanna use that trick where 00:30:46.611,00:30:49.448 you set it in an environment variable, so I set my environment 00:30:49.448,00:30:53.719 variable "Jiggly" equal to whatever your password is 00:30:53.719,00:31:00.492 [cough] and then I call "ccencrypt" on, and I give it "dash 00:31:00.492,00:31:07.399 capital E" and that environment variable and my file name. 00:31:07.399,00:31:12.003 [coughing] So if I wanna randomly encrypt stuff... [pause] 00:31:12.003,00:31:15.340 I can get a, a random password, well there's a lot of different 00:31:15.340,00:31:19.010 ways you can get a random password, this is just one. So 00:31:19.010,00:31:22.948 we use our old friend "dd" [audience noise] if you do any 00:31:22.948,00:31:27.252 forensics you probably know about "dd" - love it or hate it. 00:31:27.252,00:31:31.556 You know, it's very easy to use. My input file in this case 00:31:31.556,00:31:36.361 is "/dev/urandom" - uh, urandom is better than just "random", 00:31:36.361,00:31:40.665 it's more cryptographically sound. And I give it a block 00:31:40.665,00:31:46.838 size of one and a count of 128. So it says "Please go to random, 00:31:46.838,00:31:51.843 u, urandom, that is, and give me 128 random numbers, and then 00:31:54.412,00:32:00.018 I'll pipe that to base64." And that's my new password, right? 00:32:00.018,00:32:03.855 So if I wanna get my files back I have to find a place to put 00:32:03.855,00:32:08.360 this password so, uhm, some suggestions - again, don't do 00:32:08.360,00:32:13.265 exactly what I'm gonna do here. The middle of a log file, some 00:32:13.265,00:32:16.568 obscure log file that nobody's probably gonna look at. 
You 00:32:16.568,00:32:19.204 know, don't make it a, it a juicy system log that they're 00:32:19.204,00:32:20.739 gonna look at because they're trying to figure out what's 00:32:20.739,00:32:25.377 going on in your system... Uh, some random file, you can also 00:32:25.377,00:32:29.481 use a random sector on the disk, including something that is 00:32:29.481,00:32:34.686 unallocated, you could also use slack space in your files. And, 00:32:34.686,00:32:40.392 whatever you do, securely delete your script when you're done, 00:32:40.392,00:32:43.428 you know, don't just like "Hey, yea I did all this awesome stuff 00:32:43.428,00:32:45.897 and I stashed it here and I didn't delete the script that 00:32:45.897,00:32:51.536 stashes it there..." So someone might find that. Uhm, so, here's 00:32:51.536,00:32:56.641 a simple example of doing a random encryption, you know, I 00:32:56.641,00:32:59.778 get a random password using dd and then I go and I encrypt 00:32:59.778,00:33:05.183 stuff and then [cough] when I'm done I'm going to securely 00:33:05.183,00:33:10.188 delete my files. Right? [pause] So, speaking of securely 00:33:13.525,00:33:17.596 deleting files, you can use the secure delete package and it 00:33:17.596,00:33:24.269 comes with srm, it's like rm but secure, sfill for filling things 00:33:24.269,00:33:30.208 with zeros or random stuff, and sswap which will nuke your swap 00:33:30.208,00:33:36.514 partition or file. [pause] Some common options: dash D says 00:33:36.514,00:33:39.885 "Ignore the dot files, the dot and dot dot files" which is 00:33:39.885,00:33:44.656 probably a good thing, dash F is for "fast". I don't recommend 00:33:44.656,00:33:50.128 you use that cause, you know, says you don't use urandom, uh, 00:33:50.128,00:33:52.297 if you're really in a hurry, [cough] like if you have a lot 00:33:52.297,00:33:57.302 of files maybe... maybe it's not such a bad thing. 
Dash L - 00:33:57.302,00:34:00.205 lessen your security, sounds like an option you don't wanna 00:34:00.205,00:34:04.743 use. [cough] Uh, dash R will recursively delete 00:34:04.743,00:34:08.446 subdirectories... Yes please! Please delete everything in the 00:34:08.446,00:34:12.284 directory that I set up. Verbose, uh, you're, you're 00:34:12.284,00:34:16.254 running a script, I dunno why you'd want that. And "dash z" 00:34:16.254,00:34:20.091 will zero out things on the last write so it looks like it's 00:34:20.091,00:34:26.431 empty space, right? So here's a pretty simple delete script, 00:34:26.431,00:34:30.101 where I'm gonna go to the directory that you told me to 00:34:30.101,00:34:34.806 burn... and first I'm gonna use sswap to kill anything in the 00:34:34.806,00:34:39.945 swap file, then I'm gonna burn your files using a "for" loop 00:34:39.945,00:34:44.683 going through that directory. And then I'm gonna use sfill to 00:34:44.683,00:34:48.086 get rid of the directory itself, and then I'm gonna hit the swap 00:34:48.086,00:34:53.058 again and I'm gonna shut down the system. Right? So what if I 00:34:53.058,00:34:56.361 just wanna wipe the whole disk? I'm just like "I, I'd, I don't 00:34:56.361,00:35:02.200 ever wanna see this stuff again". Uhm, there you can get 00:35:02.200,00:35:05.837 your data from /dev/zero or random or urandom, now if you 00:35:05.837,00:35:10.375 use urandom for this process it's gonna be slow. Now, one 00:35:10.375,00:35:16.081 thing I should say - yes, it's possible that if you have, uhm, 00:35:16.081,00:35:19.851 a government that's going after you... If you overwrite your 00:35:19.851,00:35:25.190 disk a few times they can get it back if they have specialised 00:35:25.190,00:35:27.592 equipment and they're willing to spend, you know, a million 00:35:27.592,00:35:30.795 dollars to get your hard drive back so... Choose your level of 00:35:30.795,00:35:34.599 paranoia here. 
Uhm, might take, take a little while so if you're 00:35:34.599,00:35:37.569 gonna do this I recommend you delete the important stuff 00:35:37.569,00:35:44.009 first... [audience noise] So if you're gonna wipe a partition it 00:35:44.009,00:35:47.312 helps to have more than one partition because you can't 00:35:47.312,00:35:50.115 really do this on a mounted partition, right? So, you gotta 00:35:50.115,00:35:54.119 unmount it first and here's just a couple of ways that you could 00:35:54.119,00:35:59.357 do that... [pause] [coughing] PHYSICAL DESTRUCTION!! 00:35:59.357,00:36:02.460 [laughter] Our favorite, right? Uhm, there's a lot of things you 00:36:02.460,00:36:05.263 could do - charge capacitors, you could charge up some 00:36:05.263,00:36:09.601 capacitors that are just gonna fry some circuits if you give 00:36:09.601,00:36:12.837 them the command to discharge. There's always pyrotechnics, 00:36:12.837,00:36:17.876 uhm, [coughing] hopefully you don't start a fire. [laughter] 00:36:17.876,00:36:21.179 [coughing] Uh, destructive edges, you know, things that 00:36:21.179,00:36:24.182 might go explosively through your hard disk platters and 00:36:24.182,00:36:27.619 things like that. Uh, there's been some past DefCon talks, 00:36:27.619,00:36:31.423 there was one - DefCon 19 called "That's how I lost my eye" and 00:36:31.423,00:36:36.494 then, aptly named, last year - "How I lost my other eye". 00:36:36.494,00:36:39.431 [laughter] Both very good talks, I recommend you go out to 00:36:39.431,00:36:44.302 YouTube and watch those. Alright, and the last thing that 00:36:44.302,00:36:49.207 I wanted to talk about very briefly is how you could make 00:36:49.207,00:36:52.177 your own mouse jiggler. Now I'll preface this by saying you 00:36:52.177,00:36:55.613 probably don't want to... You can buy a mouse jiggler for 20 00:36:55.613,00:36:59.617 bucks so what's the point in building one? Yea, unless you 00:36:59.617,00:37:04.322 wanna just do it for education. 
Uhm, if you did wanna make one I 00:37:04.322,00:37:09.327 would probably use the FTDI VNC2 microcontroller, w, FTDI, 00:37:11.362,00:37:17.068 if you don't know them, they make USB stuff. So if you have 00:37:17.068,00:37:22.073 an older Arduino you would have an FTDI chip that would be the 00:37:22.073,00:37:27.178 USB, the serial conversions for you, uh, there's cables, if you 00:37:27.178,00:37:30.482 do any hardware debugging you probably use one of their cables 00:37:30.482,00:37:33.885 that do stuff like that... A couple of years ago they came out 00:37:33.885,00:37:38.056 with a microcontroller that was really good at USB stuff, it's 00:37:38.056,00:37:43.528 kinda like an Arduino but it's, it also supports two USB devices 00:37:43.528,00:37:49.934 and/or hosts... so if you wanted to code your own jiggler 00:37:49.934,00:37:54.139 you basically have to create a USB HID device and send some 00:37:54.139,00:37:59.544 commands. So, creating a USB HID is like this - you have to 00:37:59.544,00:38:05.517 create a HID descriptor, this describes that device and the 00:38:05.517,00:38:10.522 types of reports that it sends. As noted in the slide, I have 00:38:12.857,00:38:17.595 shamelessly from John Hyde's USB Design by Example book, so 00:38:17.595,00:38:22.867 here's an example of a mouse descriptor and it talks about 00:38:22.867,00:38:26.070 where the minimums and maximums for each of the ranges are, you 00:38:26.070,00:38:29.674 know, does it have [cough] this many buttons or that many 00:38:29.674,00:38:32.877 buttons? What do the reports look like? Right? So that's what 00:38:32.877,00:38:36.881 this is about. [pause] [background noise] You can send 00:38:36.881,00:38:43.321 some commands. So you send, uhm, HID reports to the host, 00:38:43.321,00:38:47.358 again, the cheapo ones have, like, a two button mouse with 00:38:47.358,00:38:51.596 two axes so it sends a 3 byte report. 
You could do something a 00:38:51.596,00:38:58.203 bit longer if you wanted and you could add other axes if you 00:38:58.203,00:39:04.008 wanted. It doesn't really matter what you do. [pause] [coughing] 00:39:04.008,00:39:06.844 Right, so if you made your own you could make it a little bit 00:39:06.844,00:39:11.583 harder to detect. First thing I'd do is not use either FTDI's VID 00:39:11.583,00:39:14.919 and PID, or, actually, their VID, you can set your own PID. 00:39:14.919,00:39:19.591 Uhm, or, the one in the commercial mouse jigglers, just 00:39:19.591,00:39:24.896 pick something random. Right? You can also randomize the inputs a 00:39:24.896,00:39:28.766 little bit better than somebody's doing. Do that and 00:39:28.766,00:39:32.704 you could also randomize the interval, right. So it's not 00:39:32.704,00:39:38.109 periodic and it's not super easy to detect. And if you're doing 00:39:38.109,00:39:41.412 this yourself you're probably doing this as a prank anyway so 00:39:41.412,00:39:46.217 you would add, you know, uh, little keystrokes here and there. Uhm, 00:39:46.217,00:39:51.322 if you wanted to add a keyboard to your device you would use 00:39:51.322,00:39:55.860 something like this as the USB HID keyboard descriptor. Again, 00:39:55.860,00:40:00.331 this is shamelessly ripped off from John Hyde's book which, by 00:40:00.331,00:40:06.437 the way, uh, you can download for free if you go to ftdichip 00:40:06.437,00:40:11.943 dot com and just search for USB Design by Example. You will see 00:40:11.943,00:40:16.915 this book, it's, it's freely available with example code and 00:40:16.915,00:40:22.553 all that. Okay. [coughing] If you do decide to add some 00:40:22.553,00:40:27.392 keystrokes, something that you should be aware of - you're not 00:40:27.392,00:40:30.495 using ASCII codes, you're sending keystrokes which are 00:40:30.495,00:40:36.935 different. So you'll have to map those, uhm, you can suppress 00:40:36.935,00:40:41.139 multiple keys at once. 
You know, you can make things happen, 00:40:41.139,00:40:45.076 like, oh, I dunno... You wanna lock their screen or things like 00:40:45.076,00:40:50.081 that. Yea, uhm, the other thing is, yea, uhm, you can have those 00:40:52.984,00:40:57.989 keys set, uhm, to specific values but if you're just messing with 00:40:57.989,00:41:01.859 somebody do you really care what they are? Just randomise it, 00:41:01.859,00:41:06.130 just like, assign random junk. [coughing] One that... You can 00:41:06.130,00:41:10.201 get more details. A talk I did last year was called "One Device 00:41:10.201,00:41:14.906 to Pwn Them All", I actually went through making a scriptable HID 00:41:14.906,00:41:18.209 keyboard and some attacks and things that you could do with 00:41:18.209,00:41:23.214 that. [background noise] Some other ideas, uh, you can convert 00:41:25.516,00:41:28.786 that annoying device into a key logger pretty easily if you 00:41:28.786,00:41:34.392 bother to make one. And, you could combine that homemade 00:41:34.392,00:41:37.428 jiggler functionality with some stuff I talked about last year, 00:41:37.428,00:41:42.433 right? Alright, so with that, if you have any questions, uh, you 00:41:44.736,00:41:51.442 can always hit me up on [cough] Twitter at ppolstra. I'm also 00:41:51.442,00:41:55.146 the handsome guy you might see sporting a deerstalker hat, uh, 00:41:55.146,00:41:59.784 at a conference. You can also catch me at BloomCon, little 00:41:59.784,00:42:01.052 plug, it's a little conference we started this year, uh, [cough] 00:42:01.052,00:42:02.387 it's gonna happen next year, March 24th and 25th. We're over 00:42:02.387,00:42:03.721 in Bloomsburg, Pennsylvania, I know most of you are like 00:42:03.721,00:42:05.089 "Where?", uhm, but we're a couple hours from Philly, New 00:42:05.089,00:42:10.094 York City, DC and all that so... It's a good time, but... 
With 00:42:21.172,00:42:24.876 that, if you do have any questions - I was told to ask 00:42:24.876,00:42:29.313 people to come up to the mics so that it could be heard on the 00:42:29.313,00:42:34.886 recordings. [pause] And I might have some free stuff to give 00:42:34.886,00:42:38.956 away if you have a good question... Just saying. 00:42:38.956,00:42:44.629 [laughter] Wow! Here they go... >> Would it be possible to 00:42:44.629,00:42:48.166 design the scripts so that when a key jiggler, uh, mouse jiggler 00:42:48.166,00:42:51.903 is plugged in, depending on the design of them, it rewrites 00:42:51.903,00:42:54.939 the firmware so that any other computers it's plugged into 00:42:54.939,00:43:00.111 locks those computers too? >> Okay, so you're saying, someone 00:43:00.111,00:43:02.914 answered it's a mouse jiggler and you wanna infect the mouse 00:43:02.914,00:43:09.687 jiggler? >> Yea... >> Uh, I do, I can't think of a mechanism 00:43:09.687,00:43:12.356 where that would work. I'm not gonna say it's impossible but 00:43:12.356,00:43:19.096 I'm gonna say probably fairly difficult. Right? Any other 00:43:19.096,00:43:24.101 questions? [pause] Yea, okay... >> Does it work for only one 00:43:26.737,00:43:29.740 computer or the entire network? >> For? Okay, so you could 00:43:29.740,00:43:32.343 deploy these scripts on your entire network, if that's the 00:43:32.343,00:43:35.913 question you're asking. Okay.... >> Oh, she just answered my 00:43:35.913,00:43:41.652 question. [laughing] >> Okay... >> Sorry! [background noise] >> 00:43:41.652,00:43:44.856 Have you thought about, uhm, detecting the mouse jiggler and 00:43:44.856,00:43:47.558 then putting this into a log file which then gets deployed to 00:43:47.558,00:43:50.761 the other computers so if you detect one that took a couple of 00:43:50.761,00:43:54.866 minutes the other ones will then immediately detect it? >> I 00:43:54.866,00:43:57.435 haven't thought about that but that is a good idea. 
I think 00:43:57.435,00:44:02.373 that is a mouse-jiggler worthy question! [laughter] [background 00:44:07.445,00:44:10.014 noise] Alright. Yes sir. >> Uhm, your talk details a lot on 00:44:10.014,00:44:13.351 Linux. Is there a way to do this on Windows or Apple computers as 00:44:13.351,00:44:16.787 well? >> Yes it is. Certainly with Apple computers because 00:44:16.787,00:44:20.291 Apple computers [coughing] are sorta running Linux, right? I 00:44:20.291,00:44:25.730 mean a different varying, variant of Unix in that family 00:44:25.730,00:44:28.966 tree. Windows - I'm not gonna say it's impossible, I'm just 00:44:28.966,00:44:34.071 gonna say I don't know how to do it cause, it's, uh, I don't use 00:44:34.071,00:44:37.008 Windows, alright? [applause] Windows is great for hacking 00:44:37.008,00:44:38.976 on... [laughter] And, uh, doing forensics on but, uh, actually 00:44:38.976,00:44:44.015 my latest book is about doing forensics on Windows subjects 00:44:44.015,00:44:49.020 from Linux where you get real power... so it's basically a 00:44:51.756,00:44:57.862 little, little plug for my... It's, uhm, how you can do this 00:44:57.862,00:45:02.266 without, uhm, spending 10 thousand dollars on software. 00:45:02.266,00:45:06.270 So like using all the free and open-source stuff. >> Uhm... >> 00:45:06.270,00:45:11.275 Okay, I'm getting a sign that I'm done. So... Thank you very 00:45:15.646,00:45:18.049 much! [applause]