Alright, so, my name's Mike, thank you for coming to the talk, sorry for the small delay there. Uh, they make us test our, uh, VGA to HDMI converters in the green room, but it turns out that the green room equipment is not the same as the equipment in this room. So, it didn't work. Anyway, um, I'm gonna talk about, uh, loading code from a copier, and now I've mentioned this title, uh, several times during the weekend, you know, with the blue badge, people ask me all the time what I'm talking about, so I have to disabuse some notions right away. I, I'm not infecting the, the, uh, printers I'm talking about here, the scanners, uh, by doing the firmware, I'm using them as designed as a scanner and moving documents from the scanner to a target workstation on a closed network and interpreting those documents in a way to drop binary files onto the, uh, onto the target machine. So, I just wanted to make sure you understood that right away. Um, this is definitely an insider attack, this is for something I worked on to do, uh, um, work on a closed network to load arbitrary tools. Here's what I'm gonna go over. Um, and it's a, it's a phase attack, and each step of the phase kinda changes the amount of, uh, data I get per page on the scanner into the machine until I go from basic just text, uh, analysis down all the way to getting about 80 kilobytes of data, uh, per page onto a target machine. So that's the different phases, we're gonna go through that all with you. So, the way this all started is I was at work on a closed network and they had a collaboration portal on the network, and it was kind of SharePoint based kind of thing. Um, and I was working on a server and it had these text entry boxes like you can see here, um, and it didn't take me long to discover that they are being, uh, the, the data was being validated client side with some JavaScript. 
And I was like, oh, well, I bet I can beat that and put some cross-site scripting attacks on my collaboration portal at work. Um, but, uh, and that's easy to do when you're at home, right? When you're using your machine, you would use something like Tamper Data or Burp Suite to intercept the call and modify it after it's been through the JavaScript modification. Um, but I was, didn't have any of those tools available to me. So I set, I kept trying to think through what would I do to make this happen. I was like, well, um, like I said, Tamper Data, Burp Suite to intercept the POST call, don't have those. I could forge the POST call, but I didn't have curl or wget available to me. And eventually I came to the conclusion that what I really wanted to know how to do was put whatever tool I wanted on this machine without making anybody mad. Without getting caught, really. So, uh, that's kind of where I ended up working on this particular problem. So these are the conditions I had to work with. I had a closed network, uh, sort of, right? There are no really truly closed networks anywhere because they're basically not useful. Um, but this is for all intents and purposes a closed secure network. Uh, in this network the USB ports are secured and monitored, sometimes they're physically locked. Uh, CD use is secured and monitored, typically from a, uh, a writing standpoint, not so much a reading standpoint, but nonetheless it, um, it is monitored. Uh, there's an endpoint security system on this, on my workstation. Um, and, you know, it's generating logs for everything I do down to a mouse click, I guess, I don't know. But only certain things that it logs are gonna draw attention from any kind of security people, right? So I wanted to avoid those things. 
There does exist a data transfer point between my, between a less secure network that's closer to the internet and this secure network, um, but I didn't know how it worked. Um, uh, I didn't know, um, what it logged, I didn't know what rules it had for scanning, I didn't know who it alerted. And I wasn't really in the mood to try and, uh, keep poking at it to see what I could figure out and raise my noise level until I got through what I wanted to. Um, because I didn't want to get fired. So, um, I, I didn't want to use that. And basically it's a Windows and Microsoft Office environment. These are the tools I had available when I got right down to it. I had Microsoft Office, which provides access to Visual Basic for Applications. Uh, I had professional level printers and scanners, uh, that can, you know, print and scan to a very fine level, which is really useful for what I was doing. And Adobe Acrobat with optical character recognition is what I used. All right, so first is getting Excel into attack mode. And this is just turning on developer mode in, in Excel. Now, you know, we all get those little pop-ups that say, hey, don't, you know, don't run the macros, that kind of stuff, or do you want to approve these macros. But if you're the insider writing the macros, that kind of is pointless, right? So, um, and I call Excel attack mode because inside of Excel, uh, you can write arbitrary script. And Excel with Visual Basic for Applications can modify files at the byte level. Uh, and not only that, you can call arbitrary DLLs with arbitrary functions, with arbitrary inputs to those functions. And that's an awful lot of arbitrary for any insider to have available to them as an attack surface. So I call it putting Excel into attack mode. 
And it's not hard to do, and I'm sure you guys all know how to do it, but you just go to the file options, you turn on customized ribbon, you turn on the developer, uh, checkbox, then you get a new ribbon on your, on your Microsoft Excel, um, page and you click the ribbon there, you click Visual Basic, and then you now have access to a fully functional integrated development environment on your, your workstation. Now I think the important point here is you're an unprivileged user and you now have an integrated development environment. And I know in many places the users who are developers, who have the ability to write binaries, they, they get, you know, extra monitoring. They get extra scrutiny. But the point is every user on a Microsoft Office based network, um, can do this. And it's probably not being watched. So this is, I call this phase zero, getting it set up. Now next thing you want to do is you want to get an arbitrary script into your Microsoft Excel. Um, and the way I do that is by, uh, printing it and scanning it, uh, basically. There's some, there's some tricks to it. Uh, let me show you, see here, this is a max, I'm going to mess this up, but that's alright. Let's see. So this is the script that I'm going to talk about a little bit later. This is a script that, um, is the phase one of the attack. Um, and you can see some things you need to do is you don't have any indentation. Uh, because indentation on the OCR messes up the order of execution in the script. So that's not super useful. Um, and, uh, a lot of other things, uh, will kind of go wrong here, um, when you do this. Now, um, let's see. Max me. Alright, now I would show you if my Windows machine were here, that I would do this live here. I would just cut and paste this whole thing. So basically you scan this on your work computer, your work scanner. You have it on your computer. You have it emailed to you. 
That's how typically the documents get to you. You, uh, just, uh, you OCR it. You highlight all. Um, and then cut and paste it into, uh, Visual Basic. And let's see what happens if I do that here. Of course, Visual Basic isn't turned on here. Because this is not my machine. And I don't know how to do it on a, yeah. I don't know how to do it on a Mac. Alright, so we're not going to do the scripts. Okay, so, um, I have some samples in my presentation though. So let's go back to my presentation. Nope, nope. So we're not going to drop out of that anymore. Okay. Alright. Um, so I talked about how you do it. You can print it down to about 8 point font. You scan it. Nope, no demo time. So let's skip it. Alright. So these are the screenshots from previous, uh, briefing I did on this. Um, so when you drop it into Microsoft Excel Visual Basic, it doesn't work exactly right. Um, you can see here that these, uh, these lines here, these are all, uh, comment lines. And, uh, the comment delimiter has fallen off. Uh, so that's one kind of error. Let's see, um, another error, a common one, is right here. It gets rid of an equal sign. Uh, that happens quite a lot. And let's see if I can find any of the function flow ones. Nope, I don't see it. Um, other kind of weird errors that happen, um, sometimes it interprets ones as L's. So I had a, uh, I have a function called, uh, uh, calculate checks, checksum one byte exclusive OR. It changed it to L byte exclusive OR. Um, so, uh, I don't know how to do this. Um, so, uh, I'm going to have to look it up again. It is tell, tell, and see what that means. So, uh, I did, uh, a two byte exclusive OR. But did that for every instance of that word. So, basically, it still worked, even though it changed the- the name of the function. So, that was kind of a happy failure. But you have to walk out for, watch out for all of the, um, the change in the program flow. 
Uh, then once you go through and re-edit your stuff, um, you just, you know, you'll still find more errors when you go ahead and click, uh, you know, click F5 to run it. You can see there's one highlighted right there. The value's kind of in the middle of nowhere there. And, um, I'm not exactly sure where that came from on this one. Um, so that's a, that's the way but it'll help you fix it. And the bottom line is you can do this, you can get an arbitrary script into place, um, using a scanner without too much of a problem. Now, um, you could also type them. If you took out the comment lines, my, the hexmagic stuff I'm gonna talk about in a second isn't that long, it's only a few pages. So, um, but if you had a really long complicated script, you could get it in this way. Alright, so, the goal is to use those methods I just talked about to make a script that will take an arbitrary file, uh, encoded in binary, uh, sorry, encoded in hex, um, and make it so you can print it out really nicely, um, and then take those to work and scan them. And why'd I go with hex? Well, I did a bunch of experiments, um, I found that I could get down to a much smaller, uh, size font from a 12 point to 8 point to get more data on there between hex encoding and base 64. I didn't have any word length errors, meaning when it, the OCR ran through the document, it, it interpreted the length of the words as it was supposed to be, whereas base 64, about, you know, um, over 10% of my words got messed up with, uh, code. Um, so, like, missing symbols or added symbols. Um, transcription errors, uh, I didn't have any transcription errors in my initial experiments. It, it, uh, it decoded every word correctly, every, um, hex code correctly. Uh, whereas base 64 there was a ton of errors. Um, now, other experiments showed me that there are errors in, uh, in hex encoding, but they're usually one for one, and they're usually really easy. 
So it means it's like a, uh, an 8 goes to an S, and it always does that. It always interprets 8s as Ss. Um, and so it's easy to fix that, and it's also easy to realize that an S is not a valid hex code, so if it's an S, it's actually supposed to be an 8. Uh, base 64, that won't work, because almost every typable character is included in the base 64 encoding, and so you can't tell where your errors are. You don't know what your, what's going wrong. So I didn't like base 64 encoding, even though it gave me a lot more data per page. So this is what it looks like when you encode a file. Um, the script, the hex attack script, which I would have loved to have shown you running in real time, um, will create this. And it generates two columns. This is the data column, uh, the information in the file there, and this is a, the 2 byte exclusive or checksum, which I'll talk about here in a little bit. Um, and then you just export those as a CSV file and print them, and you can take these pages and scan them, and uh, transfer your data into your, uh, into your closed network. As long as the secretary's not watching you scan. Alright, um, so it, I realized that hex encoding wasn't going to be perfect. I was going to have errors, so I built this, uh, kind of compact exclusive or checksum in there. Um, now, the reason why I used it really, it needed to be really small, because every byte I give over to my parity, my checksums, is another byte that I lose in data, and I needed to get as much on a page as possible. So along with this 2 byte exclusive or, I was taking a gamble that I wouldn't have that many collisions between, uh, failure modes to show that the, uh, data would work. And it did work. Um, and when you run the code, if it can't match the checksums, it'll give you this little data's corrupt, cannot decode the data. Um, and then it'll highlight the offending line in red. Um, and, uh, I'm gonna have a hard time showing you what I usually show. 
Now, the, um, what you typically have to do here is, let's see, I'll do this in a second, but, um, it's, it would, you'd think it'd be a pain in the butt to find these broken lines in your printout, but it really isn't. You would just take this, this exclusive or, and you would find it in your Adobe doc, document and find that line. And after you do this a few times, you realize there's, there's a pattern to the failures. Uh, there's certain, uh, symbols that show up, like tildes and stuff like that. Uh, dots that happen to be between the lines of your actual printout, um, will cause errors. And so you learn to find them very fast. It doesn't take very long to fix, uh, even a large amount of dot, hex data, um, uh, using this method. Uh, and now, since I'm briefing at DEF CON and I was warned that I have to have pictures of cats, um, if you were to decode this hex code, it generates this picture of an ocelot. This is something I was working on at work. I didn't want to actually drop a binary file, but I figured a formatted file would work. So, that's what that one does. Now, when I really took this, took this to next step and I was going to use it to drop my DLL in place, um, I discovered really quickly that it didn't work as well as I thought. I had, I had quite a bit of error. Although it's only about 1% error, it's still a lot of problems to fix. And so I discovered all these kind of errors that you see here. Um, you know, b hat turns to 8 a lot, uh, 1 to l, 5 to s, um, these kinds of things here. Um, and some of these are pretty bad, right? A b to 8, that's bad because both b's and 8's are valid hex code. Um, 1 to l's, uh, not a, not a problem. 5 to s is not a problem. Um, and then, d to 0 or o, that's, that can be a problem. And 6's, uh, get changed. So I came up with some alternative characters that actually show up in the printouts. Um, you get, uh, I used a hash mark for a b and a question mark for a d. 
I just chose them because it didn't look like anything else. So I thought that they would, uh, OCR pretty well. And I was right. They did work really good. Um, and then I auto, auto replaced the other major errors and then, um, I put strong visual indicators in the, uh, in the, in the decoding to show you where your problems are. Um, and the only thing I can show you about that error, uh, right now is the one you already saw, the red one. Uh, but when I did this with my actual DLL, I only had one manual correction in 1210 lines of text. That's about like 19 pages of decoded text. Um, and so it worked out really well. Um, uh, I don't think I can show you it. Maybe I can try to show you. Let's see, I did open it. Where'd it go? Yeah, so here is, um, can you zoom? Nope. Nope. Nope. There we go. Okay. All right, so, uh, you can see here, here's the, uh, two byte and here's the data line with the, uh, the questions for the Ds and the, and the hash marks for the Bs. Um, I don't think I can find any easy to see errors real quick, but, uh, nope, not gonna do it too, not gonna do it fast enough. Um, so it'll scan pretty well. All right, does anyone know how to make PowerPoint come back to the slide you just left? Say again? I'm on it. All right, there you go. Thank you. All right. Okay, so the hex attack is really, uh, super reliable. Uh, you really can get data very easily onto a machine and it's not gonna fail, uh, pretty much at all. Um, and you can, if you really had to, you can enter it by hand. You can type in those hex lines if you really wanted to. Um, and, uh, now that gets kind of tedious after 19 pages, but if you didn't have a scanner available, you can, uh, you could do this and still get arbitrary binaries on your system. Uh, the bad part is it's a low data density, about 3.6 kilobytes of data per page. Um, and I put some common tools here. No, go back. 
Put some common tools here, uh, between PowerSploit, Mimikatz, that'd be like 200 pages of data you would be trying to scan at work. So, that would probably raise some flags. Um, so that's a little, little too much. Um, and there's no exfiltration compression advantage. If you wanted to remove a binary file from this closed network and print it out in hex code and take it home, uh, that would be great. If you wanted to take it home and recreate it, um, you wouldn't really be able to do it, um, with any kind of real, uh, compression. If that file was 3.6 kilobytes long and you printed it, it'd probably be a page long and you're not getting any real benefit unless it's an unprintable, uh, document. So, I need to do better. And so I got to thinking. What, how could I possibly put more data on a page? How could it, if there was just some technology somewhere that would allow me to encode data, black and white, two dimensionally on a piece of paper. At the pixel level, what could I possibly use? Well, yeah, so it didn't take me too long to figure out that there's an awful lot of 2D barcode stuff out there. And so I went with, uh, uh, some barcode experiments. First I practiced with data matrices. I wanted to see how close I could get them down. Um, and I just took this big one you see here and I kept shrinking it using PowerPoint, um, and saving it as an image until it got to the point where the lines between the data bits, uh, started to blur and it wouldn't work anymore. Um, and I'm just trying to see how small I could get onto a page that way. But I kept thinking about it, um, and with the amount of error correction built into most two dimensional barcodes, uh, I was only gonna get about 25 kilobytes of data per page. Uh, they have about 60% error correction that depends on the, uh, barcode, but it's because they're designed for machine purposes. They're designed for low light. They're designed for, for weird orientations, for people using cell phones. 
Um, and that's a different design problem than I've got where I'm basically taking the sheet, putting it on a scanner that scans very well in a, you know, in a perfect environment and I control the orientation from the get go. So, I thought about, well, maybe I can make it better. I took some features from, uh, from these barcodes, timing lines in order to help locate the data and Reed-Solomon forward error correction, but I was like, I can make it better for my purposes and so, lo and behold, I generated the 8 and a half by 11 inch big barcode. And that's what it looks like. Um, and with that, I can get, um, about 85 kilobytes of data per page. And this is what it looks like up close when you zoom in. It has a timing line on all four sides, um, and it has a data, I call it the data meat in the middle. And if I print that image at about 72 dots per inch, I can get about 88 bytes of information across a single pixel line. Um, and, uh, each of these is a bit, right? I mean, that's an off bit. Those are on bits. Um, and, uh, and I get about 85 kilobytes of data on a page. So, I was pretty happy with that. Um, and, so interpreting it, uh, I basically, I start with a raster scan going across the image until I find the top, uh, top leftmost, uh, timing, timing mark. And then I come back to kind of stop. And from there I do a thing which I, like, uh, technically call wiggle fit, where I've got my mask and I put it over the, the timing mark that I found. And I just keep moving it around until I find the most black part of it. Because you can see when they scan, the edges get pretty, uh, fuzzed out. That was cool. The thing got all big. Anyway, um, and so I wanted to find the most black part. So, this is what it does. It moves the mask around. It finds the, the, the mask that has the most dark, picks a center point and moves across to the next timing line, uh, timing mark and it just finds the center of the next timing mark. And it works very well. 
And it, I do this on all four sides. And in the end I end up with this, uh, where each of the centers are, are indicated. And, um, and then you end up with a, just a bunch, a grid of intersections for each of these lines, you know, matching this mark with the one all the way at the bottom, uh, makes a straight line. This, this guy here matched all the way to the right, makes a straight line. And I just calculate the intersections and at the, at the intersection of each one is a data pixel. And I pick the, I pick the data off that pixel and I decide whether it's an on bit or an off bit. Um, and it works fairly well. I do get some errors. I didn't expect it to be perfect. My first test runs I ended up with something like this. This is a heat map. All the black is, uh, bits that were read correctly in my scan. Uh, these red ones here are bad bits. And there's a couple little outliers. There's one here, there's a couple over here. Um, this is what I really expected it to look like. Uh, since I start in the upper left I figured it would start getting bad by the bottom right. Turns out I wasn't really correct. Um, when I took the eight and a half, eleven, eleven, uh, document, it, I get this big heat problem in the middle here. And, um, stop that. So, the, uh, the big problem here is, this is a lot of error. Can't see the error? The red marks? Yeah, okay, so imagine red marks where I'm circling. Uh, and I was afraid you weren't gonna be able to see it, um, when I was thinking of doing this brief and I'm sorry. But, um, so there's a bunch of red marks and they're kind of clustered. Now, the problem is I have to adjust my error encoding. Um, and I'm circling on the, um, on the, on the big barcode to handle the worst error, not the best error. So, if you weren't able to see it, you would be amazed at how clean it is up here. And you'd be astounded at how nice it is around here. 
But you see this giant red stuff in the middle and that's what I have to base my error correction on, which causes a lot of data loss for parity bytes. So, uh, I knew I needed, I knew I needed error correction. I knew it wasn't gonna work so, Reed-Solomon forward error correction. And I, it turns out I don't understand Reed-Solomon forward error correction at all. And I don't understand the math behind Galois finite field either. So, I was like, well, I don't want to do this stuff from scratch. I'm just gonna find a library. There's lots of libraries out there for forward erasure correction and forward error correction. Except, upon test, I discovered that the majority of the forward error correction ones I found out there just don't work. I don't know who's writing these opaque API libraries that I can't figure out and I'm, and I actually contacted university professors and they couldn't figure out. Um, but, but stop it. If you're gonna put something out there, make sure it works. So, but there's a lot of forward erasure correction libraries out there. So I decided to go with forward erasure correction, see if I could use it. Now the problem is forward erasure correction is for a, a data stream where the, uh, you're missing data. That doesn't make it to the receiver. That's what it's really for. Um, and it works a bit like this. You have a, you have a, uh, some data and you shep, separate it into blocks. You assign a parity byte to each block. And then if one of those blocks turns up missing, um, you use the parity bytes in the remaining blocks to recreate the, the missing block. And that's how forward erasure correction works. Now my problem is not missing data. My problem is corrupted data. So I decided, well what if I, uh, did a checksum and if the checksum didn't match I consider that block dead and I just take it out. So that's what I did. 
I got my block of data and my parity data and then I've got my checksum for the whole thing. And if, if one of the parity bytes turns bad, or one of the checksums is bad, then I ignore that block and try and recreate it. But it didn't work. Um, it, uh, I had too many collisions and so it was actually trying to recreate the, uh, missing data with corrupt data and, and the math will still work and it'll generally generate a corrupted, uh, response. It'll generate a corrupted file. So it just didn't work. So I knew I had to go, uh, do forward error correction. Forward error correction is for corrupted data. So you have a word of data, you separate it into bytes. And then you, uh, you add parity bytes to that data. Um, if two of your bytes go bad, you can use two parity bytes to find the bad data and then two parity bytes to correct it. And it works very well. And this is what I needed. But like I said, the problem was there weren't any working libraries out there for me to use. Uh, so I had to write one, uh, much against my will. Um, but I found this really good Python, uh, based, uh, library at Wikiversity and line for line I just recreated it in C, basically. C, C++ until I got the thing working. And there's a lot of debugging and pain and suffering involved in there. But I finally got it working. Um, and, uh, and this is what I had to do to get Reed-Solomon forward error correction working for my big barcode. Alright. So, um, because of the big heat map of error in the middle that I told you about that you couldn't see but you're gonna have to trust me, um, I needed about 45% error correction for it to work. Um, which means I only got about 47 kilobytes of data per page. Which resulted in, um, uh, you know, it's still an order of magnitude better. Um, but I think it's better. So PowerSploit, you can get it in 18 pages versus 232. So you can really get, really start moving some data now. 
You have a good kind of, uh, compression advantage over the previous methods. And the, the demo is awesome. It really is. So, uh, uh, I show you how it all works. I show you how you use the script and the DLL to, uh, open the, uh, um, uh, to, to create the barcodes and to interpret them. And I do live drops of everything. So, yeah, it was really good in my room. You guys should have been there last night. All right. Um, but, so I just decided to give myself a grade on how this went for me. Um, so my goal was to install PowerSploit on a machine, uh, that didn't have it on it using these methods and not using magnetic media. So, just some grades. Interpretive page size barcode. Yeah, I could do it. Uh, the Reed-Solomon encoder decoder. Uh, I was able to make it work, uh, eventually. Um, there's a yellow mark there. I'm gonna talk about that in a second. Um, I built the library. I call it sideloading. Uh, I was able to get the payload and the payload decoded, uh, onto my target machine except, because it was like 18 pages of data, I, I just made a portion of PowerSploit, so it was only three pages long. Um, so I only gave myself a yellow on that, or I guess an orange. Um, the hex encoder works. I was able to emplace the library using the OCR method and I was able to generate, write my DLL, uh, hex encode it and drop it on my target machine so I could read my big barcodes. It all, it all worked after much, much effort. Um, you have to take my word for it. So, um, I was able to do it. So the POC was a success. And kind of some stuff I learned from this was that, uh, standard office tools provide a lot of power to the user, um, that, you know, maybe we're not fully aware of. We, uh, basically if a user can code, the system is not secure, but the bottom line is any user on a Microsoft-based machine can code. Um, and that, uh, is a big attack surface to pay attention to and a determined insider can do it. 
Um, and you can use innocuous input output systems for creative purposes that weren't intended and that no one's really monitoring. Uh, so, uh, no one's really monitoring the, the printing and scan load even on the secure network that I was using. Um, and they're not watching for information to come in this way. Uh, so it just provides a, uh, kind of a, a hole there to try and squeeze through. All right, some future branch research. I'd like to reduce the size of the big barcode DLL, sideload DLL. It was, uh, 19 pages of hex code. I'd like to make that a lot smaller. Um, size optimization is not really my thing, but that's something that, uh, I could, uh, I could work on. The error rates. Uh, I made an experiment to add more timing lines into my big barcode thinking it would help with the error rates for reading the big barcode. And I was 100% incorrect. It actually messed it up. Um, and I still don't know why. It doesn't make any sense. But I'd like to improve the error rates so I can use less parity bytes. But, um, this next line is the real key. If I can use, pardon me, if I can use 2 to the 16th Reed-Solomon encoding, I can do a lot better. Um, uh, so, Reed-Solomon encoding at the 2 to the 8th means that your code words are 255 bytes long and it has to include your parity bytes. So you have to base your error on the amount of error you're expecting in 255 bytes. And because of the, the invisible heat map, um, the, I have to plan that for the high error areas, not the really nice areas. 2 to the 16th Reed-Solomon encoding means I can have a, uh, a code word 135 kilobytes long which is longer than my page. Um, and I only get about 1% of error across that page as a whole. So I wouldn't need very many parity bytes at all if I could use, um, 2 to the 16th Reed-Solomon encoding. 
But I couldn't get that math to work, um, and, uh, it also runs much, much slower and so running experiments to debug it was taking me too long. So, I didn't keep pursuing that. But if I get that working it would improve the amount of data I can put on each page by quite a bit. Uh, if I could add color to the big barcode, um, instead of just black and white, you know, I did a four color experiment to see, you know, so that way I'm only using, uh, you know, four blips instead of eight to, to, to find my bytes. Uh, I was able to get it to work but there's a lot of error in, in decoding, uh, color from a scan quite frankly. Um, but I think it's an area for future research. Uh, and also I got real excited about using Excel to mess with things. Um, though Visual Basic for Applications is kind of a pain, um, the, uh, it is powerful. The ability to write at the byte level means you can do anything with it you want. Making a hex editor out of Visual Basic for Applications would be super easy. I started that a little bit. Um, a steganographic encoder decoder to, you know, I did that, uh, already so I could send stuff, myself stuff to work. Um, that's easy to do. Restoring the command prompt. If you're on a machine where the command prompt is locked down by security policy, it's just a matter of flipping a byte to make that work again. Um, and you can do that with Excel. And I don't know for sure but I think you can get away with some direct reflexive DLL injection, um, uh, as well, uh, messing with the way the Excel calls, uh, DLLs. And now, I don't think any of this stuff is earth shattering new. I mean people have been running, uh, macro viruses forever and they're, you know, all back in vogue now. Um, but the, uh, this is from a perspective of an insider being able to just do these things to your machine. Um, and it's something I think that you should need to watch out for. Um, I don't think I can show you much more unfortunately. Let's see. 
I really wish I could show you the demo. Um, let's see. So here's some stuff that looks like it's left over from when I was practicing. See if I can open this here real quick. Oh, I don't know about that. Yep, you guys are watching me mess up this guy's computer right here. What the heck's the, uh, text edit. There you go. Alright. Uh, this thing here, I don't know if you guys can read it. I don't know if I can zoom in. Nope. Let's say it again. It's amazingly hard to hear people down there. It's, I don't know if you can read it or not. A little bit. It dropped a, so this dat file gets dropped when you do encoding with big barcode and the, these are the important parts here. You have to have this encoded data length and you have to have the MD5 sum in order to decode it with the big barcode on the back side. You have to provide those as inputs to your, to your script. Um, so that's important there. Uh, I don't know if I can show you a little bit. Uh, when you decode the DLL, it also drops this file here, which is a prototype for using the DLL. Um, because by, Visual Basic is very, very picky about how DLLs are called and used. So, uh, this gives you the prototype for it. And this is all, um, in the, it's supposed to be in the materials that are delivered with the brief. Um, so that's really about it. Uh, I'm sorry that, uh, my machine was too old in order to use these super fancy, uh, screens. Um, uh, that's kind of all I've got. Any questions? Alright, thank you guys very much.