Um I'm happy to introduce this talk because it's always one of my favorites and because I'm introducing it I actually get to see it for once. So it's opening ceremonies and the badge talk and it's got Lost Boy and the Dark Tangent and when the Dark Tangent shows up he'll show up but for now here's Lost. How many of you, this is your first DEF CON? Wow. Welcome. How many of you are here from out of the country? Wow. Thank you for coming. Give them a hand for traveling this far. So bear with us here. Um Jeff's on his way over. He was over at the DARPA stuff and so uh we may be a little helter skelter. Uh for those of you who have come to openings. How many of you have come to an opening ceremonies before? And you still came back to an opening ceremonies talk huh? So I'm gonna do something a little different uh this year. For those of you who don't know I am uh Ryan Clark the Lost, Lost Boy 1057, whatever you want to call me. But I would like to start with a solemn moment. A letter of apology. Bear with me. First an open letter of apology. To those who start working long before DEF CON starts as it general is generally frowned upon on the badge challenge. I'm sorry. I'm sorry for the misdirection. I'm especially sorry to those who go to the trouble of automating, pulling down all of the index files from my servers. I'm especially sorry for the cron job that may have been started. That appended random text and or certain strings to different files that may change. The, the problem is I'm sorry for the misdirection. I'm sorry for the pull down uh fingerprints that you were doing on the pages. I'm sorry for the extra bandwidth the day that I decided to make that run every minute. I'm sorry for ruining the hash comparisons you did to watch for clues and flags that may be put up over the time. I'm sorry to those who decided to search registrar information for domains that may have been registered as part of the contest. 
I'm sorry that I consistently used my Chinese name Lee Dershow and this time randomly switched to my Korean name Lee Jisung therefore foiling any searches for said information. I am especially sorry for when I put troll hook misdirection pages up realizing that you weren't finding them fast enough that your exploits were not as efficient as I believed them to be that I then in fact changed the name on the registration back to the one that I knew you were searching for so you would in fact find the troll page. But I would like to have a moment of reconciliation by a show of hands, how many of you are familiar with the mystery challenge? So few of you. I used to run a contest at DefCon every year called the mystery challenge and um oh I everybody turn and say hi to Jeff. Hey. So he did make it so I'm gonna I'm I'm gonna hold off on what I was about to to tell you because I would like Jeff to be able to give some words first. As, as he comes up here. Good morning! Dark Tangent everybody. Good morning! Woo! Sorry I'm late. What do you got? We're gonna talk secret stuff and we don't trust you to do like that whole 2001 lip analysis, so we're gonna turn our heads away from you. Holy shit! Yeah. Oh, that's really cool. We're gonna show that thing off to you in a minute. Um, and show you what everybody's competing for, uh, for Uber badges. So, when do you want to reveal that? Um, I got a, I got a flow. You got a whole flow? Yeah, I wanted you to be able to do your thing first. Okay, yeah, so my thing is just, uh, hello and welcome and thank you for coming to our biggest conference ever. And, we have some really cool shenanigans going on here. Um, we've really grown, uh, and for those of you, how many people here is, have you already done this? How many people are new? It's a huge amount. Huge. Oh, okay, so we can totally indoctrinate you. 
Um, so, the theory I've always done with DEF CON is, um, my, my operating sort of principle is that I try to give, uh, space to people who want to do stuff. So, if you come to me and you say, I want to do a biohacking village, I say, great, that sounds really cool. What is that? And then they explain it. And if they can convince me or some other people, I'm like, okay, we'll give you a shot. We'll find room for you. And if other people think it's cool, it will grow. And if other people don't think it's cool, or you can't organize it, then it collapses. And through this sort of Darwinian process, we've ended up with what we've got. And so, any time you see something new, they had to kind of run through that gauntlet and they're trying to see if their idea will survive in this community. And if you see something disappear, it's either they've gotten burned out or they're onto something new. And what I love about this community is you see people and they'll be doing social engineering one year, car hacking the next, they'll start a contest, they'll play in a contest, um, and people just keep hopping around. And sometimes people come in and apologize to me and they'll say, you know, I'm just, I'm so burned out, I just, I don't want to do this one thing anymore. And you don't have to apologize to me. This is you. This is your contest. This is your idea. It's about you. Do what you like to do. And I'm just here to try to provide a stage. So if you're not interested in that anymore, great. Find something else you're interested in. Or just go play video games. You know? Re-energize yourself. Just watch talks for a year. Just do something to, to get your energy back. And so, I just really want it to be this like boiling cauldron of randomness, right? This entropy. And I think it's been a success because we've got so many people that come each year. Uh, and so then it's just, you know, it's just professional cat herding. 
And I'm not saying you guys are cats, but you're cats. Um, and maybe this year everybody's like a Pokemon or something. But uh, and apparently Pokemon are easier to catch here than over at Black Hat. I'm just saying. Um, there's uh, there, we have a closing ceremony and we always make a bunch of announcements. Top winning teams. Uh, and this year we're going to have some particularly interesting announcements at the closing ceremonies. Oh yeah, that's right. And then um, so for those of you who don't know Lost, he is like the puzzle master for DefCon. And he's done his own mystery challenge. He's done, he does the badge challenge that you see a lot of people competing with. Um, he's involved in designing the Uber badges. Or he, he designs Uber badges. So there's a lot that he does. Well, do you want to tell the story about the software? We're going to be making an announcement we've never done before. We normally just tell you and orient you to what's going on at the corner. But, uh, we're going to be doing a lot of our own stuff. So, um, I wanted to just quickly, uh, to kind of answer those questions. So, you know, I'm I'm a pro or a pro-con. Ask questions. Um, is one thing I always like to say. You're here to challenge the speaker. This is not meant to be sort of a passive. You receive information. Active. I'm telling you the information. I really want it to be challenge the speaker. And if they're saying something you don't like or you don't agree with or you think is inaccurate, you've got to say something. Right? Otherwise, you're just letting the misinformation perpetuate and that's not cool. So just because there's a lot of you and maybe one or two speakers uh that doesn't mean you have to remain quiet you've got to get engaged. Um so anyway this year uh we've never announced software before but it was such a compelling story uh Lost is going to actually release uh a tool that was inspired that somebody had to build to try to compete in one of his contests. 
So I don't know if you want to tell everybody about that before we get going? Yeah why don't you. Yeah so as far as I know this is the first time in an open ceremonies talk we're going to actually release a tool and and uh to be fair Jeff and a lot of people tend to give me a lot of credit um there's a lot of people involved and and I'll talk about that in a minute but uh a lot of what I do would never happen if it weren't for the support of a few people um such as Echan and Squizgar my brother Clutch um the uh well I'll do shout outs in a minute sorry I don't mean to bring in Jeremy and Jay and everybody else. Okay welcome DEF CON 24 you guys seem a little quiet. Welcome to DEF CON 24. So as we started talking about uh when I had my open letter of apology to those who I was trolling um I'd like to finish that letter with an announcement that I don't I didn't even tell Jeff he's probably going to get mad at me for saying this. But um I've decided because next year is DEF CON 25 that for one last time. I'm going to run a mystery challenge and then I'm going to put a nail in that coffin and it's never going to be resurrected again. So that contest ran for 5 years it inspired what spawned into the badge challenge. How many people here have actually competed in mystery challenge before? So a few. How many people are in the badge challenge stuff because you had read about the mystery challenge stuff? So there's there's a few. Mystery challenge tends to be a little more hardcore. It's a little more difficult. Badge challenge is meant to be accessible to everybody. But I'd like to tell a little story. And that story is about how the badge challenge inspired uh one uh young man to produce a tool which we will be releasing here. Unfortunately he is not able to be in attendance and gave me permission to release the tool uh vicariously in his stead. So DC 19 a guy named Kevin Houlin who goes by Cryptic um who plays in the badge challenge. 
He decided he was going to compete and he was going to win the next year. And he joined a team MLF I think that's uh Muppet Liberation Front I think is what that stands for. So Kevin noticed that on the back of the DEFCON 20 badge for those of you who don't know if you win a black badge competition at DEFCON you get an Uber badge. Which is free entrance into DEFCON for the rest of your life. But more than that it everyone always talks about that like it's some big thing it's like okay so it's a couple hundred bucks each year. Really it's the prestige because there's so few of these that have given out. We have with the thousands of people that we have here we'll give out 10, 12 maybe a year. It's a Jeff, a Jeff makes that decision. But I like to do a little thing on all of the Uber badges every year. I place a cryptographic challenge to see of the Uber people who receive these badges who takes the time to try and break the crypto that's on the back of these each year. And I get about a 50% return. On the back of the DEFCON 20 badge is what most people would know as an OTP. Who knows what an OTP is? One time pad. By many accounts the only unbreakable cipher technically if you're handling the keys correctly and everything else. However this was not an OTP. It was what is known as a running key cipher. And the difference between an OTP and running key is the fact that the the key is a chosen text. For example the text like the 5th chapter of a book or or a page in a magazine or lyrics to a song. But something the reason for that is it makes passing the key easy because I can text Jeff and I can say oh just go open war and peace and turn to this page and then there's your key. But in so doing because your key your or your your encryption text and the text you're trying to send are both from the same language you've introduced a weakness into that cipher. And so Kevin went home and he started working on a tool to attack RKC and that method is known as cribbing. 
Well cribbing on this particular text I actually tested for that. It doesn't really work. It's a real pain in the ass and it doesn't produce good results. But Kevin took it a step further. He was just finishing his degree I believe his masters. And he was just working on a tool and he realized it wasn't good uh to just crib this so he started doing natural language processing. Um the stuff you might see when you do predictive text when you're typing, spell checkers that kind of thing. And he started using an n-gram model to calculate probabilities based on the likelihood of events. For those of you who know what that's called it's a 5th order Markov assumption. So if you don't know what that is I'd suggest you look it up cause it's interesting and this is a hacker con. So go look that up. So he took the hidden Markov chains in the Viterbi algorithm and figured out a way to in software do an attack against running key cipher. And it worked. That is the back of this is the uber badge from last year. And then that's the crib text that was on the back of that. Now Kevin and his guys had access to that. And here's a little side story that's fun for you. When I got on the plane to go home Kevin happened to be on that same plane. And I was up at the front of the plane he was sitting uh further back. And I saw him as we got on the plane and he goes I'll have that solved by the time we get to the ground. And I was like there's no way it's running key he only has his laptop he's not going to be able to use cloud or anything like that to crunch the cycles. And when we got off the plane he walked over and he shook my hand and he handed me a napkin from the airplane. I still have it. And on that napkin was written the solution. And he had solved it because of his software. And he has now given me permission to give you guys the first attempt at taking his code and improving it using it. He is releasing a tool called the RKC the running key crypto cracker. 
And you can get it at that address up there right now he'll he'll have it up on his site eventually. And there's a beautiful write up and blog post. But for me this is the the pinnacle of success for what I try to do with the badge challenge is to try and make people learn and grow. And now we have a new tool out of it. So there you go. Give him a hand even though he's not here. Okay so that that's that's that bit of the story. So let let's let's oh and by the way I have to comment about this badge. This badge is actually not a badge that I made. This badge was presented to me right before I came up on stage. This is a forgery. And I would like you all to see how good this forgery actually is. I don't know if you can see that. So for those who weren't here last year and are curious this badge actually has several different radioactive isotopes in it like the the glass is uranium. And this is the first time I've ever seen this. So I'm going to show you what we have here. It's this big old uranium doped and we've got a yellow cake and other stuff. And these are Lichtenberg etchings that I had to source. And I asked them because I had contacted the guy who is the last person in the United States and I believe the [inaudible] in the world that makes the Lichtenberg etchings. And I said, how did you get those? Because I bought all of the ones that he had left. And they told me he ca- I guess he came out of retirement guys to make them for you and then said he'll never make any more after that. So this is a is like one of the best forgeries that I've seen now. That being said, I know, Mickey are you out there? Probably not. Mickey who is here also has a fake and I want to compare the fakes. So we'll have a battle of the fake badges. But anyway, um I was going, oh where was I going with that? Oh this year's badge. So what do you guys think of this year's badge? So, I'm just going to kill the screen for now if that's alright. 
Um what you're wearing around your neck is the product of many many hours of blood, sweat and tears and not just from me. I could not do this without everybody. The support of Jeff and Will and all the folks on the DEF CON staff. Um the support of Jeremy, Jay, my brother, everyone else. So for all of the badges that you guys see that are on the screen, I want to thank you guys so much for being out there right now. Um the artwork was actually done by my wife um and who is not in attendance. And the the layout I've also worked with uh some people at Intel. Uh John are you in the audience? Are you out there? Yeah so back there. So uh worked with John and some other folks. So this this couldn't be done without without the help of a lot of people. So please give just for everyone who's had a hand in the processes, please give them a hand. I tried to make uh several of the pieces of the cryptographic challenge this year uh more lighthearted and fun. So that those of you that are just kind of casual, you know the casual gamer versus the hardcore. Like you may see some little little glyphs on the the signs out in the halls. They're actually pretty easy to solve if you take a minute and start thinking about them. You'll notice that there's text on your lanyards. That's uh a puzzle. You've seen some things. How many of you have looked at the math that's in the program on the second page? Yeah? How many of you put that in Wolfram Alpha already? How many of you knew that there was an xkcd comic which referenced the tool that I used to generate those equations? Anybody ever did anybody realize that? How amazing is that right? Yeah so if you don't know about that I'll I'll post about it on the blog later. Um there's stuff on the back of the badges. Um I I really hope that that you enjoy them. Uh I apologize for some of the uh problems that I've had with the software. 
I've been uh some of the when we snapped them out some of the contact points um maybe a little bit of a pain in the butt but we tried to move all the components to the front because we knew people in years past with the electronic badges like this one didn't like the stuff rubbing against their shirt and things like that so we do take those kinds of things into consideration and if you have suggestions or things I am very accessible send me an email say hey did you think about this or did you think about doing this because this really is a community effort and the badge is for all of you guys and I hope that it's a nice keepsake and thing for you to take home. Now that being said um we have something to show you that we're only going to show you a little bit of but before I show it to you um uh uh John and Rick can you raise your hands? John and Rick there there in the back have actually um I've been working very closely with them I these badges would not have happened without them so when you look at this don't think hey man that's a cool thing Ryan built because I don't feel like this is this is a a group effort especially when on the on the shoulders of Rick. For those of you that don't know uh Rick and John both live in California and deal with Hollywood you may know some of Rick's work from things in like Jurassic Park, the Spider-Man movies and and others uh Rick do you want to just stand up and wave? So yeah. So anybody that's interested in like professional level Hollywood special effects please raise your hand and that's the guy. And Johnny Mac next to him is a professional actor that lives and engineer as well. So John stand up and give a wave. You may remember him. John was actually our our one year I had a a hidden plant and and I knew John was an actor and I said John can you come and act like a spy on the floor of DEF CON? And so we did some dead drops and things like that. 
So for the first time what I'd like to show is a sneak peek and not full functionality because we want to we want to hide that from you guys of this year's uber badge. So here's a look and I got a camera right here. So I'll let you do the reveal. So hold on let me turn it on. Oh wait there's more. More to come. Yeah yeah. So we'll show them back. So there's some other stuff that's going on in there. Just a little bit. So anyway that's it so I'll show you from profile. So good luck forging these guys. So anyway. Yeah it'll only take them a year they'll do it. So that's this year's uber badge. I challenge you with a 3D printer to reproduce that. And come to closing ceremonies and there will be just a little bit extra that may have to do with those servos in the back. Right there. Anyway. We hope you guys have a good conference. Thank you for coming out. I don't know if Jeff has any other things that he wants to say. Thank you all. Um if it wasn't for you guys and for the guys that compete and stuff uh it's the community. It's the only reason I keep doing this. It's a huge uh chunk it's all of my free time basically. And um I appreciate everybody. So um this is what I've been doing for the past couple of years. Um I've been doing this for a long time. And I think that's what everybody who's competing in a contest this year is fighting for. Is they want to wear and this is actually a badge. There's a connection on the back and you can wear it and be like Flavor Flav. So. So um I want to just leave you with one thought and this is uh we say it every year so it can sound repetitive but that doesn't mean it's any less important. And that's just that we say you you get out of Def Con what you put into it. Um it really is what you make of it. And the conference has gotten so large that um I always assume that there's like a natural filtration mechanism. 
There's just not that many people that want to get on an airplane, go to Las Vegas in the summer, um spend all that money and at some point we'll just reach that threshold. And that's it. That's how many people are interested. And every year there's more and more conferences and InfoSec conferences and hacking conferences. And so there'll be more regional opportunities and there'll just be less uh reason for you to come to Vegas. But then every year the convention grows. And so there's a lot of I don't know why my nose is on the screen right now. Um. And so uh. It's a very nice nose. I like it very much. But I don't want to share it with everybody. Um so so I'm always astounded. There's like so many people coming in and what are they getting out of it? And I try to ask people and some people say well I'm only here for the people. I don't go to any conference. I don't go to any talks. And other people say I only go to talks. I'm not here for the people. Or I'm only here for the music and supporting my friends who are competing in this contest. And what I quickly found is that there's so many things going on. There's so many interests um that you can never hope to understand. It's it's larger than a person. It's larger than a group of people. There's a lot of uh divergent interests. But we all have this sort of desire to learn. We all have these certain common uh themes. And so that's the themes I try to to work on. And so we tried to figure out ways to get you kind of split into smaller groups so you can meet each other. Alright we bought we bought 100 bean bags and we're going to put them in the chill out areas. And I know the bean bags are going to get stolen. Because I mean who wouldn't want to steal? I think we already stopped some of our staff from stealing them. So um so why would we do that? Well okay first of all if you steal a bean bag and we catch you you're probably going to get kicked out. 
But if you steal a bean bag and get away with it I want pictures. Right? So there's a little bit of attention there right? I want to see it on Twitter. I want to see these bean bags traveling the world. Actually I don't because you're not going to get away with stealing any because we're going to be that good at stopping you. Um so what I want to really bring is there's this there's this kind of fun tension here and it is what you make of it and I really encourage you just go up and say hi to people. Um and if you run into somebody with a big ego guess what? There's plenty of other people without big egos. So you're going to get lost. I mean Lost is super approachable I'm approachable. Everybody is here to get something out of it to learn to make new connections and so I just want to really encourage you it's a first year you might be a little intimidated by the size. Because if you've seen there's a lot of other people that are here for the first time. And you can go to the parties and you can just talk to somebody and chances are they'll talk back. And we've got it right here at the end of the hallway we've got the Napoleon's piano bar. We've got that open it's only for us um you should have a badge to go in there. But it's like one of our chill out areas as close to the space as possible. And we just want you to have ways of spontaneous sort of discovery. We want you to have like an a-ha moment. Yeah in his room uh we took uh Nikita took all of our party favors and decorated the 1057 room so it's sort of like a really creepy like party room slash couches slash super smart people competing on his contest. Um just stop by and say hi. And with that I'm not going to keep talking but I want to let you guys get out a little bit early so you have a jump on everybody else. Um but have fun. I'll see you at the closing ceremonies and don't forget the uh parties tonight. 
We have uh live bands it's like what eight to two in the morning. Tonight and tomorrow night. Oh you want to give out some super specials? Okay if you haven't caught on there's five different kinds of lanyards that relate to the contest. Four kinds of the lanyards are really common. The fifth magical lanyard that I'm wearing is white. Um they're only made 500 out of like 20,000. Um so I'm going to give out some super special lanyards. Um we're going to throw them in the audience and then hopefully people who are competing in the contest are now going to have to hassle you and they have a reason to talk to you. So you could be like well I'm not going to let you see the lanyard unless you tell me your dog's name. Or some social opener that's not as awkward as that. Okay so we're going to toss these out and we'll have a we'll see you around the con. Have a good con everybody. Thank you.