00:00:00.000,00:00:05.005
>>Woooo! I guess some of you
weren't out last night with me
at hacker jeopardy because

00:00:13.313,00:00:18.318
you're very quiet um >>Take off
your shirt! >>Hm? Well maybe
maybe later this is being filmed

00:00:22.489,00:00:27.327
for posterity so I'm going to
try to be a little bit
politically correct as far as

00:00:27.327,00:00:32.332
nudity is concerned in this
talk. So I'm BigEzy um Saci is
an interesting story because he

00:00:37.971,00:00:42.976
doesn't exist um I put in
previously fifteen CFPs for
Defcon, they've been rejected

00:00:46.113,00:00:51.118
every year for the last sixteen
years, and this year they said
oh we really encourage people to

00:00:55.555,00:01:00.494
put their handles in and be
anonymous when they do the talks
so I used my handle that I've

00:01:00.494,00:01:06.900
been using for a very long time
and then I invented Saci because
I thought it would be cool to

00:01:06.900,00:01:11.905
see if Saci could give a talk at
Defcon even though he's only a
web page. So I've done different

00:01:14.708,00:01:21.081
talks before about different
parts of what this is becoming
into um going all the way back

00:01:21.081,00:01:26.086
to Blackhat two years ago and
our current work that we
released at uh B-Sides last year

00:01:28.855,00:01:33.860
and I apologize if my voice is a
little rough but I did win
hacker jeopardy last night!

00:01:37.831,00:01:42.836
[applause] we didn't fuck it up!
So but I want to say uh a word
about that because apparently

00:01:49.509,00:01:55.015
there was shit storm it Twitter
over hacker jeopardy and the
dick category and I would like

00:01:55.015,00:02:00.020
to say that I'm a hacker, I've
been coming to Defcon for longer
than I'd like to admit, and I'm

00:02:02.255,00:02:07.260
an introvert, and Defcon has
always given me a charge to do
things and I hope that I can

00:02:10.597,00:02:16.136
help get you guys to get a
charge too. And all I want to
say about hacker jeopardy is,

00:02:16.136,00:02:21.141
when you get completely
humiliated on stage in front of
thousands of people, how can we

00:02:24.711,00:02:29.416
say that this is a male
dominated game when I'm being
beaten by women and painted

00:02:29.416,00:02:34.421
green on the stage? But I'm not
here to talk about that, I want
to talk about this mother fucker

00:02:38.792,00:02:43.797
[laughter] so like I said when I
we- wanted to do this talk and I
put it in, just like every other

00:02:49.870,00:02:55.942
good CFP um we had the idea that
uh it would be really cool if we
could do some things because I

00:02:55.942,00:03:02.449
was concerned about my privacy
and um you know I got this from
Chris Olsen I don't know if he's

00:03:02.449,00:03:07.521
in the audience, I want to give
him a shout out if he is, if
he's out in the, in the uh

00:03:07.521,00:03:12.526
cyberspace what an awesome uh
tweet and there's old Zuck,
camera covered with tape, mic

00:03:14.828,00:03:21.435
jack covered with tape, and his
email client is Thunderbird and
this really summarizes what I'd

00:03:21.435,00:03:26.440
like to say about this idea of
um [clears throat] I want my
privacy back. Keep your code out

00:03:32.045,00:03:37.050
of my stack. And you know
everybody says I might be a
little paranoid so we put the

00:03:41.455,00:03:47.794
talk in and um I thought I was
gonna get rejected and
shockingly the talk was accepted

00:03:47.794,00:03:53.900
and that means that we then had
to do a shitload of work because
we actually had to do what we

00:03:53.900,00:03:58.472
said we were gonna do in the CFP
so we looked at a bunch of
tools, I kind of included uh

00:03:58.472,00:04:03.410
these slides in as you navigate
through the framework that uh
we're releasing today because we

00:04:06.046,00:04:10.750
really looked at all the tools
that were available uh regarding
what's happening inside the

00:04:10.750,00:04:16.590
computer because I became very
interested in, what exactly
happens when data is generated

00:04:16.590,00:04:21.928
by peripheral devices such as
your keyboard and mouse and then
what's happening to your camera

00:04:21.928,00:04:27.501
and microphone when you aren't
aware that perhaps some
processes are using those

00:04:27.501,00:04:33.640
devices? So we looked [clears
throat] a lot of the tools that
were available including the

00:04:33.640,00:04:38.645
Nirsoft tools and um I used to
have a slide with the author of
these tools but um I kind of

00:04:41.948,00:04:45.819
like maybe deleted it
accidentally when the speaker
goons were yelling at me to get

00:04:45.819,00:04:50.824
on stage um. Is the author of
Nirsoft tools in the audience?
Okay so. His tools are awesome.

00:04:57.197,00:05:02.569
And then we all know TCP View
from Microsoft and I looked at
these tools and said, these

00:05:02.569,00:05:07.707
tools are really all cool but
what we want to do is write
these tools from source codes

00:05:07.707,00:05:14.014
that when you compile and run
these things you know exactly
what's in the code so the

00:05:14.014,00:05:19.719
framework has these things, and
I'll get on I'll get on that
later, we also looked uh

00:05:19.719,00:05:25.692
previously at uh IRPtracker
which is a really great tool
that works in 32 bit systems and

00:05:25.692,00:05:29.496
IRPmon and I included the links
to that in this talk just just
so you can have some background

00:05:29.496,00:05:34.501
as you work and grock through
some of the code. But [coughs]
here's a screenshot of that. Um

00:05:37.871,00:05:43.810
and then we began to research
looking at IRPmon and one of the
things that was really

00:05:43.810,00:05:48.215
irritating about uh not
irritating but you know it's
always frustrating when you're

00:05:48.215,00:05:53.687
on the command line is about you
know lots of different errors
that happen when you start to

00:05:53.687,00:05:58.692
hook every driver that you have
in your Windows operating system
to try and see what's going on

00:06:01.494,00:06:07.934
and then you get a lot of weird
messages because uh IRPmon
doesn't last very long and then

00:06:07.934,00:06:13.306
the other thing is, you have to
have your computer in test mode
to even work this and it's kind

00:06:13.306,00:06:18.311
of like a scary mode to be in in
Windows um but I got a little
bit ahead of myself [coughs]

00:06:20.547,00:06:25.552
because uh this all started from
some of the badger research we
did where um I'm a really

00:06:28.154,00:06:33.159
paranoid bastard um my family
could tell you that I record
everything at my house, I have

00:06:36.896,00:06:43.136
multiple taps running in my
house so that I can track
everything that's happening on

00:06:43.136,00:06:49.075
my network and um I know
everybody else has a unix box at
home with eight ethernet

00:06:49.075,00:06:54.080
interfaces um and uh we use
those, I use those interfaces to
keep an eye on some data and

00:06:56.316,00:07:01.254
like um we were doing some
research and I accidentally le-
left a um TCP dump running and

00:07:04.524,00:07:09.529
captured one billion packets in
one file and um we looked at
[coughs] things from the inside

00:07:14.200,00:07:18.805
and the outside I call it inside
because it's inside my
protection device and outside

00:07:18.805,00:07:24.711
it's very interesting to me that
you see more traffic outside of
your firewall than than inside

00:07:24.711,00:07:29.716
and um it's coming up on my
screen but not yours, I observed
uh 29,829 destinations outside

00:07:35.922,00:07:40.927
the firewall, twenty woops,
29,525 reserve, resolve via
reverse lookup so they had good

00:07:45.031,00:07:50.036
DNS. Um [clears throat] so two-
a couple years later I looked
back at this again and I noticed

00:07:53.406,00:07:58.411
that the traffic coming out of
my web um connections was up you
know about four times and um it

00:08:02.615,00:08:08.321
was very disturbing because
you'll be opening a web browser
and uh moving around the mouse

00:08:08.321,00:08:14.094
inside the screen and then
you've got TCP connections
opening all over the internet

00:08:14.094,00:08:19.099
and the datas all secured and
you have no idea what it is,
this data is, and where's it

00:08:23.503,00:08:28.508
going? And then I forgot to
remove the bullet at the bottom
so but is it 1984 because you

00:08:35.014,00:08:40.153
know the our mouse movements are
being tracked, what about
keystrokes? I started thinking

00:08:40.153,00:08:44.924
what about the microphone and
video because there's just a
huge amount of bloat. Everything

00:08:44.924,00:08:51.331
in the traces that I'm running
now is just a bit bloated and um
somehow this slide got popped in

00:08:51.331,00:08:56.336
here I mean you know the IR-
looking at IRP and then previous
projects like IRPTracker and uh

00:08:59.305,00:09:05.712
was limited because it didn't
have 64 bits. But there's a
great start in this with uh

00:09:05.712,00:09:10.583
Martin Drab thank god I wrote
his name in the slides because I
couldn't remember it. I I farmed

00:09:10.583,00:09:15.588
all of my remembering points
last night um so Martin is done
a great job with uh IRPmon

00:09:17.891,00:09:22.896
starting this but it's got a
couple of things that uh [clears
throat] were a bit of uh some

00:09:25.698,00:09:30.703
some downfalls if you actually
wanted to inject data between
say the keyboard and the browser

00:09:33.907,00:09:39.212
uh because the idea is if I'm
not using my keyboard and I want
to send keystrokes to the

00:09:39.212,00:09:44.784
browser anyway, and if uh
somebody wants to collect that
and fill up their cloud with it

00:09:44.784,00:09:49.222
that's their own business
because they shouldn't be
peeking inside my window anyway.

00:09:49.222,00:09:54.227
And um we needed more precise
data and information um and then
[coughs] this is really

00:09:59.699,00:10:04.704
irritating, there's a little
screen popping up in front of my
slide here. Device calls needed

00:10:08.708,00:10:13.880
[clears throat] we needed to
have an in memory data store of
device calls and um IRPmon was a

00:10:13.880,00:10:18.918
great start but then we went on
and we we've been writing things
from scratch just like

00:10:18.918,00:10:25.758
everything else that we're gonna
be releasing um [clears throat]
so we wanted to instrument the

00:10:25.758,00:10:31.397
process um the process list and
then we were specifically
interested initially in the

00:10:31.397,00:10:37.904
keyboard, mouse, microphone, and
video um some of these are
easier than others uh especially

00:10:37.904,00:10:42.909
the microphone and video are a
little more complicated. But um
what processes are actually

00:10:45.879,00:10:52.152
interested in your mouse
movements? And then uh what
network traffic is then

00:10:52.152,00:10:58.124
generated as a result of those
calls? Um and then we wanted to
be able to correlate those calls

00:10:58.124,00:11:04.797
back into the IRP request just
to find out where does the
forking occur? Because a lot of

00:11:04.797,00:11:11.571
the forking occurs inside the
browser um and um so that's
gonna that will require

00:11:11.571,00:11:17.644
something like a browser plugin
and we really didn't want to
support multiple browser plugins

00:11:17.644,00:11:23.416
because there are many many
different browsers so it was a
very- it's been a very difficult

00:11:23.416,00:11:28.454
challenge making a decision
about where you actually want to
put a man in the middle [clears

00:11:28.454,00:11:33.059
throat] and then we alw- we also
had the big question about you
know why did we start in Windows

00:11:33.059,00:11:38.064
seven eight when there's Windows
10? Um you know we're building
this framework from scratch and

00:11:40.266,00:11:46.639
you know right now it's just
fuck Windows 10 uh because it's
very scary to me what Windows 10

00:11:46.639,00:11:51.678
is doing especially in terms of
how much data is coming out, how
much of my personal data is

00:11:51.678,00:11:57.350
coming out in Windows 10 um and
[clears throat] then we really
wanted to meet our adversary at

00:11:57.350,00:12:03.756
his own level of extraction
because it, it really helps us
find making breaches of privacy

00:12:03.756,00:12:10.463
uh easier to look at and and
intercept because we have you
know two goals with the project

00:12:10.463,00:12:15.468
is we want to maybe inject false
data into a our um from our
devices into the cloud and we

00:12:18.605,00:12:22.809
also wanted to assert our
privacy and block certain
connections inside our operating

00:12:22.809,00:12:27.814
system. So pealing back this
level of extraction proved to be
very challenging to us as we

00:12:31.451,00:12:37.957
became very familiar with this
screen over and over again
working on this software

00:12:37.957,00:12:42.962
including until about fifteen
minutes ago and we just kept
trying over and over again

00:12:46.733,00:12:51.104
[clears throat] to come up with
some things that would actually
compile and run and in the

00:12:51.104,00:12:56.876
meantime, I got sucked into
playing happer- hacker jeopardy
this weekend which uh which was

00:12:56.876,00:13:02.649
it's been a very interesting
weekend for me and to say the
least but [clears throat] you

00:13:02.649,00:13:08.454
didn't come here to necessarily
see me talk about this stuff and
I really wanted to take a page

00:13:08.454,00:13:13.459
back from old school Defcon. And
um anybody remember the GTE
Door? So um I talked about

00:13:19.766,00:13:26.706
pulling the processes and so the
code for that kind of looks like
this um I want to say 90% at

00:13:26.706,00:13:32.278
least for the code I'm showing
today is already included in
this CD um this is pulling the

00:13:32.278,00:13:37.283
process list um so the this is
the code that uh we wrote from
scratch to get the processes

00:13:39.786,00:13:45.825
like you would see from uh
[clears throat] process explore,
and the reason again like I said

00:13:45.825,00:13:50.830
we do this is because we wanted
to provide two things to users
of our software is that there

00:13:53.466,00:13:58.471
was some kind of assurance there
was nothing in the software that
um you didn't know about and um

00:14:02.875,00:14:07.113
it's not necessarily anything
groundbreaking but it just gives
you a level of assurance because

00:14:07.113,00:14:11.017
you want to be able to assert
things with some kind of
authority inside your own

00:14:11.017,00:14:16.089
operating system that you have
some modicum of privacy so that
you don't have to tape up your,

00:14:16.089,00:14:21.094
your, your microphone jack and
your and your camera like um
like uh paranoid people do from

00:14:23.563,00:14:28.568
the beginning of our talk but
don't panic there is a UI uh so
the team is bigger than me and

00:14:35.875,00:14:40.880
um one of my uh co researchers
Kate Davis, happens to be a UI
expert and we're um in alpha

00:14:43.216,00:14:48.221
right now with a UI that will
take all of our uh code and
allow you to um we're gonna

00:14:50.523,00:14:55.528
visualize the data streams and
allow you to click on individual
data streams in a UI and not

00:14:57.563,00:15:04.137
know anything about assembly
programming for example but um
if the demo works out we will

00:15:04.137,00:15:10.009
see the client I actually have
it running in my computer right
now but [clears throat] more

00:15:10.009,00:15:15.014
code first. Um so so there's a
command line client that's gonna
be included in the release and

00:15:20.553,00:15:25.558
this is kind of like the code
from that uh to pull up the what
we're we built a net filter

00:15:31.631,00:15:36.636
since we don't know where the
data forks inside the browser
and we didn't want to spend a

00:15:38.805,00:15:42.975
lot of we didn't have the time
to go into every browser and
figure out where this was this

00:15:42.975,00:15:47.980
summer um and then if anybody
wants to help I'd welcome them
in the project so we built a net

00:15:50.283,00:15:55.288
filter that sat between
everything and the um network
interface cards and then um if

00:15:57.390,00:16:03.963
you're uh command line kind of
guy this it's kind of like the
the code that pulls up the the

00:16:03.963,00:16:08.968
uh the net filter so that you
can shunt um the uh the
processes that you deem

00:16:11.204,00:16:17.143
undesirable or the TCP
connections that um for example
if you're going to foo dot com

00:16:17.143,00:16:22.815
or example dot com and then you
notice there's four other TCP
connections going to third party

00:16:22.815,00:16:27.820
um site collection um companies
uh you can just choose to shunt
those connections and your

00:16:32.024,00:16:37.029
connection to foo dot com will
work just fine um [clears
throat] so. [sigh] some of this

00:16:47.406,00:16:53.446
was written by Saci who by the
way, there, Saci is a collection
of folks that help me um because

00:16:53.446,00:16:59.051
this is a project that's bigger
than one person and uh shout out
goes to Saci, you know who you

00:16:59.051,00:17:03.990
are um but um we uh we wanted to
make sure that we were providing
you with clear and concise code

00:17:09.929,00:17:14.934
that had a lot of um comments in
it so you knew what exactly all
of this stuff was doing so you

00:17:19.472,00:17:24.076
understood at least peripherally
even if you're not a programmer
what the code is doing if you're

00:17:24.076,00:17:29.081
interested in that kind of thing
because hiding um in overusing
privileges is rampant inside the

00:17:33.252,00:17:38.257
operating system right now so um
this is a callout function from
the from the net filter um and

00:17:44.363,00:17:49.368
again it's probably a a wall of
text or a real eye chart here I
really just included this in the

00:17:51.704,00:17:57.243
CD so that uh you could get a
chance to see what was in the
code and maybe actually show up

00:17:57.243,00:18:00.212
to the talk so apparently I
didn't do very well because
there's not a lot oof people

00:18:00.212,00:18:05.217
here but oops! Look at me, I
went too far [clears throat] So
if you wanted to add a filter

00:18:07.787,00:18:12.325
that references a callout as
documented in the windows driver
kit you need to do some things,

00:18:12.325,00:18:19.298
we need to call to the register
and um do some other calls and
then I've got some slides later

00:18:19.298,00:18:25.271
that go into a little more
detail on this but I do want to
introduce Saci a little bit if

00:18:25.271,00:18:32.078
you actually go to this web
address right now you can see
this web page so when you get

00:18:32.078,00:18:37.083
the code and you want to try it
out you can actually see how the
man in the middle works and due

00:18:37.083,00:18:40.987
to some internet difficulties
because we are at Defcon, I'm
not actually going to demo this

00:18:40.987,00:18:45.091
part uh there's a lot of risk
involved with that, but I do
have some screenshots of what

00:18:45.091,00:18:50.096
the site kind of looks like uh
so in the upper left hand corner
you see uh xy coordinates um and

00:18:52.898,00:18:57.770
that would be where your mouse
pointer is and the box
underneath that is a frame for

00:18:57.770,00:19:02.708
keystrokes and then uh you can
turn on the video and microphone
but I suggest that you mute your

00:19:06.145,00:19:10.649
device because there's a bit of
feedback involved, we didn't get
that worked out in the code

00:19:10.649,00:19:15.955
before the release. But if you
hit the mute button you can see
the the little blue in the

00:19:15.955,00:19:22.895
bottom left hand corner um whi-
would strobe to let you know the
the microphone is still being

00:19:22.895,00:19:27.666
streamed to the application and
you can actually put the website
in the background and notice

00:19:27.666,00:19:32.538
that the video and mouse are
still being streamed to the
application even though you

00:19:32.538,00:19:37.543
moved an application to the
foreground and the web browser
is in the background um and then

00:19:41.814,00:19:46.185
the website's just out there so
that when I've used a lot of
tools that were released at

00:19:46.185,00:19:51.223
Defcon over the years and wanted
to really provide something that
you could go to and then we're

00:19:51.223,00:19:56.462
also going to release the code
for this webpage so that you can
just run it locally but it kinda

00:19:56.462,00:20:01.467
looks like um when you intercept
keystrokes it'll they'll appear
in the little box as shown,

00:20:04.103,00:20:09.975
showed up there in the upper
left hand corner um and then um
I'm gonna flash back for a

00:20:09.975,00:20:14.980
second it's uh www dot kaedago
dot com slash saci so um [clears
throat] And again I'm talking

00:20:22.721,00:20:27.726
really fast so that's good so
the tool chain um completely
consists of a UI client and

00:20:30.429,00:20:35.401
something we call the cone of
silence and they'll both still
in alpha they kind of work maybe

00:20:35.401,00:20:41.240
on my computer but they're not
ready to be released yet and
then um there's been a you know

00:20:41.240,00:20:47.346
as always in a talk last minute
circumstances um I'd hoped that
the UI client would be a little

00:20:47.346,00:20:53.219
further ahead in especially
pulling up a lot of the pieces
of code and we were gonna

00:20:53.219,00:20:59.792
compile everything so that we
had a nice binary but um there
was an unfortunate um accident

00:20:59.792,00:21:04.864
that prevented one of the coders
from finishing their code so
we're just gonna move right past

00:21:04.864,00:21:09.769
that but the framework will be
released when it's ready and I
imagine it'll be ready in a you

00:21:09.769,00:21:16.108
know soon ™ but I'll let, the
source code is ready to go and
it's probably gonna go whenever

00:21:16.108,00:21:22.014
I can find a safe internet
connection again and then you'll
need your reading glasses for

00:21:22.014,00:21:27.019
the wall of text that um
describes how you would actually
do um the injection and then

00:21:32.725,00:21:39.231
what we do or what we what we
decided on is the best place to
put uh for injection right now

00:21:39.231,00:21:44.236
because it's cool is um is to
build a net filter not a net fi-
a filter in the driver and um

00:21:49.942,00:21:55.481
this is a lot of explanation
about exactly what's going on in
the code uh these slides are

00:21:55.481,00:22:00.419
literally uh thirty two minutes
old um the people that were
helping me we were we were awake

00:22:04.323,00:22:10.763
all night uh and actually split
up across the property so um I
apologize for the formatting of

00:22:10.763,00:22:16.802
these slides um and I'm gonna,
we'll put the slides into the
release, which is probably gonna

00:22:16.802,00:22:22.708
happen later today so you can
get an idea on what it sees,
read this, but, this comes

00:22:22.708,00:22:27.146
straight out of the Microsoft
site, they have very good
instructions on how to actually

00:22:27.146,00:22:32.151
write these filter drivers and
the structure for it kinda looks
like this and at least this is a

00:22:32.151,00:22:37.022
little bit less of an eye chart,
here at the top we have the
upper level class filter drivers

00:22:37.022,00:22:42.027
and the upper level device
filter drivers as we push down
towards the bus driver and um

00:22:44.129,00:22:49.134
woops the code for how you would
want to either intercept the
calls that are going out into

00:22:51.971,00:22:56.976
the operating system and then
perhaps inject into them uh
kinda looks like this where and

00:22:59.545,00:23:05.317
then I didn't bring my glasses
either so um I'm a little bit
older now and this code is

00:23:05.317,00:23:11.290
really a wall of text to me too
but I'm gonna be releasing this
code with everything else later

00:23:11.290,00:23:18.063
on today and hopefully this code
that we're looking at right here
is building the net filter and

00:23:18.063,00:23:24.870
then being able to [clears
throat] from here we can
manipulate all of the data from

00:23:24.870,00:23:29.875
the keyboard to the upper layer
of Windows. The callback
function that we show here can

00:23:34.079,00:23:39.084
intercept um as we have already
described but then we can also
create an event in the OS to

00:23:41.420,00:23:46.425
call and pass fake data so the
idea is this is a user driven
action so from the UI or from

00:23:50.095,00:23:55.100
the command line if your kung fu
is that way you can um direct
the keyboard to type things

00:23:57.636,00:24:02.574
either from a flat file or just
randomly uh for anyone who's
interested in listening and the

00:24:04.710,00:24:09.348
way I feel about this is if
somebody wants to listen to what
I'm typing on my keyboard and I

00:24:09.348,00:24:14.353
fill up their hard drives or if
we all get together and fill up
their hard drives oh and and

00:24:16.855,00:24:21.860
monkey with their grand plan for
advertising and um making us
forget about the things that are

00:24:24.096,00:24:29.101
important um fuck them. We all
need to do something about this
because it's running out of

00:24:33.205,00:24:39.611
control I want my privacy back I
don't want to have to worry
about going into a word document

00:24:39.611,00:24:44.616
and um having other people see
what I'm typing into that
document or even notepad or

00:24:47.119,00:24:53.192
something like that or if I type
into a chat window uh having a
company decide that they would

00:24:53.192,00:24:57.363
like to keep what was in the
chat window even though I
deleted it and never sent it to

00:24:57.363,00:25:02.835
anybody I think that's something
that's personal and I'd like
that to stay inside and we wanna

00:25:02.835,00:25:09.441
really try to provide you tools
that helps you do that and just
one guy, one paranoid guy like

00:25:09.441,00:25:14.446
me doing this is not gonna be
enough um and um we need
everybody to really sit and do

00:25:16.882,00:25:21.887
this which is why we're
developing the UI and um gonna
tempt- it's been a very long

00:25:24.289,00:25:29.294
successful window for me and
let's see what happens when I do
this. So the problem really is

00:25:31.830,00:25:36.835
um in the visualization the
client is kind of all there but
there's no no compiled code

00:25:39.304,00:25:44.576
hooked to it yet and uh this is
one of the things where I need
to apologize for not finishing

00:25:44.576,00:25:49.515
in time but there was
unfortunate circumstances that
prevented the finishing of this

00:25:49.515,00:25:54.520
code uh and it will be finished
um the visualizations um what we
see is approximately um sixty to

00:26:00.025,00:26:06.899
a hundred and fifty processes
that can be easily visualized
and then the the primary author

00:26:06.899,00:26:12.504
of the UI is uh one of my co
researchers her name is Kate
Davis she's also at the

00:26:12.504,00:26:16.341
University of Illinois, I work
at the University of Illinois
during the day as well, this

00:26:16.341,00:26:21.346
talk is not uh and the pinword
framework's not anything to do
with my day job uh this is a

00:26:24.016,00:26:30.088
hobby that I do at night like
I've always done and um the
University has nothing involved

00:26:30.088,00:26:35.894
with this presentation
whatsoever 'cause I accidentally
said where I worked not that

00:26:35.894,00:26:41.567
it's a big deal, people know
where I work but um so the UI's
there there's the code is not

00:26:41.567,00:26:46.572
compiled into it yet and Kate
can get to that when uh the
crisis uh abates. So what's in

00:26:49.508,00:26:56.281
the release? [clears throat] so
um you know we rely on IRP a
little bit for sniffer

00:26:56.281,00:27:00.953
instruments and device driver
calls so we can understand how
to build a structure around

00:27:00.953,00:27:05.057
anything that you might be
interested in getting in the
middle. Provide a framework for

00:27:05.057,00:27:10.062
uh cut and pasting code and
writing your own uh customized
injectors for data and anything

00:27:12.064,00:27:18.103
that you might see fit inside
the computer. The HTTP server
code uh to display the metadata

00:27:18.103,00:27:24.576
so you can like mess around and
you can until somebody maybe
hacks my uh Saci website out of

00:27:24.576,00:27:29.581
existence it'll be online for
you to look at and or you can
just run it locally and um hack

00:27:31.617,00:27:36.622
away at uh injecting metadata
into the little website and then
we included the man in the

00:27:39.458,00:27:46.331
middle code for the interception
of this data so that you could
assert your privacy or perhaps

00:27:46.331,00:27:51.336
uh send white noise out when
you're not using a particular
device. So um I'm going to take

00:27:56.375,00:28:02.447
the tin foil hat off now and I
thank I thank uh Weird Al for
being so gracious and letting me

00:28:02.447,00:28:07.452
steal his picture and I want to
thank you [applause] So did I
make it in forty five minutes?

00:28:18.664,00:28:23.669
Good so there might be
questions, I don't know, but um
there was a there was a demo of

00:28:28.206,00:28:33.312
the actual injection and the
movie was made an hour ago and
it was going to be sent to me

00:28:33.312,00:28:39.318
but I was intercepted by by by
these guys who wanted to make
sure I was going to make it to

00:28:39.318,00:28:46.124
stage on time so I'll get the
movie of the actual injection
out as soon as possible I know

00:28:46.124,00:28:51.129
that it exists I just didn't get
to it in time [clears throat]. I
don't know I asked for questions

00:28:56.335,00:29:01.273
I think I I don't see it anybody
standing so. [sighs] So did it
suck? I mean, holy shit, it

00:29:06.411,00:29:11.416
seemed that it was [applause]
[cheering] Wait a minute I I
don't need my voice anymore

00:29:19.391,00:29:25.764
>>Where do you see the most
pernicious um exfiltration of
data? Is it from your keyboard?

00:29:25.764,00:29:31.637
Is it from the observations of
the mic- of the camera, is it
things are hidden in the mouse

00:29:31.637,00:29:35.507
that you don't really realize
that you're giving away? What
bothers you most about the

00:29:35.507,00:29:39.745
privacy in the computer? >>Well
that's an interesting question
two things. First off the thing

00:29:39.745,00:29:45.050
that was really alarming to me
and I took the slides out for
it, you can easily Google this,

00:29:45.050,00:29:50.689
there are many companies that
commercially provide a heat map
of where all the user's mouse

00:29:50.689,00:29:55.894
strokes go and this is this is a
tool that is being commercially
offered by a lot of different

00:29:55.894,00:30:00.799
companies that say Oh these are
the these are the places where
everybody goes and I can

00:30:00.799,00:30:05.604
understand that functionally as
a website designer they may
think that that data is

00:30:05.604,00:30:10.509
interesting but as a user it
really creeps me out because I
don't want anybody to know where

00:30:10.509,00:30:15.147
my mouse is, I don't want
anybody to know that, it's not
their business but I think the

00:30:15.147,00:30:20.152
answer to the question is the
microphone. Um to be frank the
microphone is so scary I had to

00:30:24.022,00:30:29.027
redact parts of my talk. There
is a lot going on there and it
will be very eye opening when

00:30:31.563,00:30:36.001
you run the code what is going
on inside your computer,
especially with the microphone.

00:30:38.336,00:30:43.341
Thanks for the question. And
again, either I sucked, or
everybody's like what the fuck

00:30:49.347,00:30:55.721
just happened? This guy [clears
throat] now I want to say, I
survived a B-Sides talk

00:30:55.721,00:31:02.394
Wednesday, where I released a
different set of open source
software, I sat next to Dan

00:31:02.394,00:31:07.399
Kaminsky Friday night, I drank
eight beers in thirty minutes, I
sat next to Banshee last night,

00:31:10.202,00:31:16.108
drank ten beers I was up all
night last night, and I think I
made it through at least thirty

00:31:16.108,00:31:21.113
minutes of talk without sucking
too bad and but holy shit it's
Sunday, I know everybody's all

00:31:23.849,00:31:28.854
ragged out, fuck, I know I am
[laughter] um I think I survived
it so I want to thank you guys

00:31:34.192,00:31:39.197
it has been a pleasure to be at
Defcon for the last sixteen
years as a user and I would like

00:31:41.233,00:31:46.238
to thank every goon that has
made this possible they are the
true stars of this show

00:31:50.008,00:31:55.013
[applause] And and um just as a
parting shot I want, who can be
louder, you guys, or me?

00:32:05.791,00:32:10.796
[laughter ] no contest? >>WOO!
[audience shouting] >>WOO!
[speaker shouting] >>WOO!

00:32:29.815,00:32:34.820
[applause] Alright! I'll see you
at the awards ceremony.
[scattered applause].