I guess some of you weren't out last night with me at Hacker Jeopardy, because you're very quiet. Well, maybe later. This is being filmed for posterity, so I'm going to try to be a little bit politically correct as far as nudity is concerned in this talk. So I'm Big Easy. Sashi is an interesting story, because he doesn't exist. I previously put in 15 CFPs for DEF CON, and they've been rejected every year for the last 16 years. And this year they said, oh, we really encourage people to put their handles in and be anonymous when they do the talks. So I used my handle that I've been using for a very long time, and then I invented Sashi because I thought it would be cool to see if Sashi could get a talk at DEF CON even though he's only a web page. So I've done talks before about different parts of what this is becoming, going all the way back to Black Hat two years ago, and our current work that we released at B-SAC last year. And I apologize if my voice is a little rough, but I did win Hacker Jeopardy last night. We didn't fuck it up. But I want to say a word about that, because apparently there was a shitstorm on Twitter over Hacker Jeopardy and the dick category. And I would like to say that I'm a hacker. I've been coming out here for a long time. I've been coming to DEF CON for longer than I'd like to admit. And I'm an introvert. And DEF CON has always given me a charge to do things. And I hope that I can help get you guys to get a charge, too. And all I want to say about Hacker Jeopardy is, when you get completely humiliated on stage in front of thousands of people, how can we say that this is a male-dominated game, when I'm being beaten by women and painted green on the stage? But I'm not here to talk about that. I want to talk about this motherfucker.
So, like I said, when I wanted to do this talk and I put it in, just like every other good CFP, we had the idea that it would be really cool if we could do some things, because I was concerned about my privacy. I was concerned about the privacy of my work and my privacy. And, you know, I got this from Chris Olson. I don't know if he's in the audience. I want to give him a shout out if he is. If he's out in cyberspace, what an awesome tweet. And there's an old sock camera covered with tape, mic jack covered with tape, and his email client is Thunderbird. And this really summarizes what I'd like to say about this idea of, I want my privacy back. Keep your code out of my stack. And, you know, everybody says I might be a little paranoid. So, we put the talk in, and I thought I was going to get rejected, and shockingly the talk was accepted. And that means that we then had to do a shitload of work, because we actually had to do what we said we were going to do in the CFP. So, we looked at a bunch of tools. I kind of included these slides in as you navigate through the framework that we're releasing today, because we really looked at all the tools that were available regarding what's happening inside the computer. Because I became very interested in what exactly happens when data is generated by peripheral devices such as your keyboard and mouse, and then what's happening to your camera and microphone when you aren't aware that perhaps some processes are using those devices. So, we looked at a lot of the tools that were available, including the NirSoft tools. And I used to have a slide with the author of these tools, but I kind of like maybe deleted it accidentally when the speaker goons were yelling at me to get on stage. Is the author of the NirSoft tools in the audience? Okay. So, his tools are awesome. And then we all know TCPView from Microsoft.
And I looked at these tools and said, these tools are really all cool, but what we want to do is write these tools from source code, so that when you compile and run these things, you know exactly what's in the code. So, the framework has these things, and I'll get on that later. We also looked previously at IRP Tracker, which is a really great tool that works in 32-bit systems, and IRPmon. And I included the links to those in this talk just so you can have some background as you work and rock through some of the code. And here's a screenshot of that. And then we began to research, looking at IRPmon. And one of the things that was really irritating about, not irritating, but, you know, it's always frustrating when you're on the command line, is about, you know, lots of different things. And, you know, there's a lot of different errors that happen when you start to hook every driver that you have in your Windows operating system to try and see what's going on, and then you get a lot of weird messages, because IRPmon doesn't last very long. And the other thing is, you have to have your computer in test mode to even work this, and it's kind of like a scary mode to be in in Windows. But I got a little bit ahead of myself, because this all started from some of the Badger research we did, where, I'm a really paranoid bastard. My family can tell you that I record everything at my house. I have multiple taps running in my house so that I can track everything that's happening on my network. And I know everybody else has a Unix box at home with eight Ethernet interfaces. I use those interfaces to keep an eye on some data, and, like, we were doing some research and I accidentally left a tcpdump running and captured one billion packets in one file. And we looked at things from the inside and the outside.
I call it the inside because it's inside my protection device, and outside. It's very interesting to me that you see more traffic outside of your firewall than inside. And it's covered up in my screen, but not yours. I observed 29,829 test stations outside the firewall; 29,525 resolved via reverse lookup, so they had good DNS. So that's it. So a couple of years later, I looked back at this again and I noticed that the traffic coming out of my web connections was up, you know, about four times. And it was very disturbing, because you'll be opening a web browser and moving around the mouse inside the screen, and then you've got TCP connections opening all over the Internet. And the data's all secured and you have no idea what this data is, and where is it going? And then I forgot to remove the bullet at the bottom. So... But is it 1984 because, you know, our mouse movements are being tracked? What about keystrokes? I started thinking, what about the microphone and video? Because there's just a huge amount of bloat. Everything in the traces that I'm running now is just a bit bloated. And somehow this slide got popped into here, you know, looking at IRP in previous projects like IRP Tracker, which was limited because it didn't have 64 bits. But there's a great start in this with Martin Drab. Thank God I wrote his name in the slides, because I couldn't remember it. I burned all of my remembering points last night. So Martin has done a great job with IRPmon starting this. But it's got a couple of things that were a bit of some downfalls if you actually wanted to inject data between, say, the keyboard and the browser. Because the idea is, if I'm not using my keyboard and I want to send keystrokes to the browser anyway, and if somebody wants to collect that and fill up their cloud with it, that's their own business, because they shouldn't be peeking inside my window anyway. And we needed more precise data and information.
And then... This is really irritating. There's a little screen popping up in front of my slide here. Device calls needed... We needed to have an in-memory data store of device calls. And IRPmon was a great start, but then we went on and we've been writing things from scratch, just like everything else that we're going to be releasing. So we wanted to instrument the process list. And then we were specifically interested initially in the keyboard, mouse, microphone, and video. Some of these are easier than others, though. Especially the microphone and video are a little more complicated. But what processes are actually interested in your mouse movements? And then what network traffic is then generated as a result of those calls? And then we wanted to be able to correlate those calls back into the IRP request, just to find out where does the forking occur? Because a lot of the forking occurs inside the browser. And so that would require something like a browser plug-in. And we really didn't want to support multiple browser plug-ins, because there are many, many different browsers. So it's been a very difficult challenge making a decision about where you actually want to put a man in the middle. And then we also had the big question about, you know, why do we start in Windows 7, 8 when there's Windows 10? You know, we're building this framework from scratch. And, you know, right now it's just, fuck Windows 10. Because it's very scary to me, what Windows 10 is doing, especially in terms of how much data is coming out, how much of my personal data is coming out in Windows 10. And then we really wanted to meet our adversary at his own level of abstraction, because it really helps us make breaches of privacy easier to look at and intercept. Because we have two goals with the project: we want to maybe inject false data from our devices into the cloud.
And we also wanted to assert our privacy and block certain connections inside our operating system. So peeling back this level of abstraction proved to be very challenging to us, as we became very familiar with the screen over and over again, working on this software, including until about 15 minutes ago. And we just kept trying over and over again to come up with some things that would actually compile and run. And in the meantime, I got sucked into playing Hacker Jeopardy this weekend, which has been a very interesting weekend for me, to say the least. But you didn't come here to necessarily see me talk about this stuff. And I really wanted to take a page back from old school DEF CON. Anybody remember the GTE door? So I talked about pulling the processes, and the code for that kind of looks like this. I want to say 90% at least of the code I'm showing today is already included in the CD. This is pulling the process list. So this is the code that we wrote from scratch to get the processes, like you would see from Process Explorer. And the reason, again, like I said, we do this is because we wanted to provide two things to users of our software: that there was some kind of assurance, that there was nothing in the software that you didn't know about. And it's not necessarily anything groundbreaking, but it just gives you a level of assurance, because you want to be able to assert things with some kind of authority inside your own operating system, that you have some modicum of privacy, so that you don't have to tape up your microphone jack and your camera like the paranoid people do from the beginning of our talk. But don't panic. There is a UI. So the team is bigger than me. And one of my co-researchers, Kate Davis, happens to be a UI user. And we're in alpha right now with a UI that will take all of our code and allow you to, we're going to visualize the data streams.
And allow you to click on individual data streams in a UI and not know anything about assembly programming, for example. But if the demo works out, we will see the client. I actually have it running on my computer right now. But more code first. So there's a command line client that's going to be included in the release, and this is kind of like the code from that, to pull up what we built, a net filter. Since we don't know where the data forks inside the browser, and we didn't have the time to go into every browser and figure out where this was this summer. And if anybody wants to help, I'd welcome them in the project. So we built a net filter that sat between everything and the network interface cards. And if you're a command line kind of guy, this is kind of like the code that pulls up the net filter so that you can shunt the processes that you deem undesirable, or the TCP connections that, for example, if you're going to foo.com or example.com, and then you notice there's four other TCP connections going to third-party site collection companies, you can just choose to shunt those connections, and your connection to foo.com will work just fine. So, some of this was written by Sashi who, by the way, Sashi is a collection of folks that help me, because this is a project that's bigger than one person. And shout out goes to Sashi, you know who you are. But we wanted to make sure that we were providing you with clear and concise code that had a lot of comments in it, so you knew exactly what all of this stuff was doing, so you understood, at least peripherally if you're not a programmer, what the code was doing, if you were interested in that kind of thing. Because hiding and overusing privileges is rampant inside the operating system right now. So, this is a callout function from the net filter. And again, it's probably a wall of text or a real eye chart here.
I really just included this in the CD so that you could get a chance to see what was in the code and maybe actually show up to the talk. So apparently I didn't do very well, because there's not a lot of people here. But oops, look at me, I went too far. So, if you wanted to add a filter that references a callout, as documented in the Windows Driver Kit, you need to do some things. We need to call the register and do some other calls. And then I've got some slides later that go into a little more detail on this. But I do want to introduce Sashi a little bit. If you actually go to this web address right now, you can see this web page. So when you get the code and you want to try it out, you can actually see how the man in the middle works. And due to some Internet difficulties, because we are at DEF CON, I'm not actually going to demo this part. There's a lot of risk involved in that. But I do have some screenshots of what the site kind of looks like. So in the upper left-hand corner, you see XY coordinates, and that would be where your mouse pointer is. And the box underneath that is a frame for keystrokes. And then you can turn on the video, and then the microphone. But I suggest that you mute your device, because there's a bit of feedback involved. We didn't get that worked out in the code before the release. But if you hit the mute button, you can see the little blue in the bottom left-hand corner would strobe to let you know that the microphone is still being streamed to the application. And you can actually put the website in the background and notice that the video and mouse are still being streamed to the application even though you moved an application and the web browser is in the background. And then the website's just out there so that when... I've used a lot of tools that were released at DEF CON over the years, and I wanted to really provide something that you could go to.
And then we're also going to release the code for this web page so that you can just run it locally. But it kind of looks like this when you intercept keystrokes: they'll appear in the little box. It showed up there in the upper left-hand corner. And then I'm going to flash back for a second. It's www.cadego.com/sashi. So... And again, I'm talking really fast, so that's good. So the tool chain completely consists of a UI client and something we call the cone of silence. And they're both still in alpha. They kind of work, maybe, on my computer, but they're not ready to be released yet. And then there's been, as always in a talk, last-minute circumstances. I'd hoped that the UI client would be a little further ahead, and especially pulling up a lot of the pieces of code, and we were going to compile everything so that we had a nice binary. But there was an unfortunate accident that prevented one of the coders from finishing their code. So we're just going to move right past that. But the framework will be released when it's ready, and I imagine it will be ready in, you know, soon TM. But the source code is ready to go, and it's probably going to go whenever I can find a safe internet connection again. And then you'll need your reading glasses for the wall of text that describes how you would actually do the injection. And then what we do, or what we decided on, is the best place to put the injection right now, because it's cool, is to build a net filter, a filter in the driver. And this is a lot of explanation about exactly what's going on in the code. These slides are literally 32 minutes old. The people that were helping me, we were awake all night, and actually split up across the property. So I apologize for the formatting of these slides. And we'll put the slides into the release, which is probably going to happen later today, so that you can get an idea.
I don't want to see you read this, but this comes straight out of the Microsoft site. They have very good instructions on how to actually write these filter drivers. And the structure for it kind of looks like this, and at least this is a little bit less of an eye chart. Here at the top, we have the upper-level class filter drivers and the upper-level device filter drivers as we push down towards the bus driver. And, whoops, the code for how you would want to either intercept the calls that are going out into the operating system and then perhaps inject into them kind of looks like this. And I didn't bring my glasses either, so, I'm a little bit older now, and this code is really a wall of text to me, too. But I'm going to be releasing this code with everything else later on today, and hopefully this code that we're looking at right here is building the net filter, and from here we can manipulate all of the data from the keyboard to the upper layer of Windows. The callback function that we show here can intercept, as I've already described, but then we can also create an event in the OS to call and pass fake data. So the idea is, this is a user-driven action, so from the UI, or from the command line, if your kung fu is that way, you can direct the keyboard to type things, either from a flat file or just randomly, for anyone who's interested in listening. And the way I feel about this is, if somebody wants to listen to what I'm typing on my keyboard and I fill up their hard drives, or if we all get together and fill up their hard drives, and monkey with their grand plan for Windows, or for advertising, and making us forget about the things that are important, fuck them. We all need to do something about this, because it's running out of control. I want my privacy back.
I don't want to have to worry about going into a Word document and having other people see what I'm typing into that document, or even Notepad or something like that, or if I type into a chat window, having a company decide that they would like to keep what was in the chat window, even though I deleted it and never sent it to anybody. I think that's something that's personal, and I'd like that to stay inside. And we want to really try to provide you tools that help you do that. And just one guy, one paranoid guy like me doing this, is not gonna be enough. We need everybody to really sit and do this, which is why we're developing the UI. It's been a very long, successful weekend for me, and let's see what happens when I do this. So, the problem really is, in the visualization, the client is kind of all there, but there's no compiled code hooked to it yet. And this is one of the things where I need to apologize for not finishing in time, but there were unfortunate circumstances that prevented the finishing of this code. And it will be finished. The visualizations, what we see is approximately 60 to 150 processes that can be easily visualized. And then the primary author of the UI is one of my co-researchers. Her name is Kate Davis. She's also at the University of Illinois. I work at the University of Illinois during the day as well. This talk, the pinworm framework, has nothing to do with my day job. This is a hobby that I do at night, like I've always done, and the university has nothing involved with this presentation whatsoever. As I accidentally said where I worked. Not that it's a big deal. People know where I work. But, so the UI is there. The code is not compiled into it yet, and Kate can get to that when the crisis abates. So, what's in the release?
So, you know, we rely on IRP a little bit for a sniff for instruments and device, so we can understand how to build a structure around anything that you might be interested in getting in the middle of. Provide a framework for cutting and pasting code and writing your own customized injectors for data and anything that you might see fit inside the computer. The HTTP server code, to display the metadata so that you can, like, mess around, and you can, until somebody maybe hacks my Sashi website out of existence, it'll be online, free to look at, or you can just run it locally and hack away at injecting metadata into the little website. And then we included the man-in-the-middle code for the interception of this data so that you can assert your privacy or perhaps send white noise out when you're not using a particular device. So, I'm gonna take the tinfoil hat off now, and I thank Weird Al for being so gracious and letting me steal his picture. And I want to thank you. So did I make it in 45 minutes? Good. So, there might be questions. I don't know. But there was a demo of the actual injection, and the movie was made an hour ago and it was gonna be sent to me, but I was intercepted by these guys, who wanted to make sure I was gonna make it to stage on time. So I'll get the movie of the actual injection out as soon as possible. I know that it exists. I just didn't get to it in time. I don't know. I asked for questions. I don't see anybody standing, so. So did it suck? I mean, holy shit. It seemed that it was... Wait a minute. I don't need my voice anymore.

Where do you see the most pernicious exfiltration of data? Is it from your keyboard? Is it from the observations of the mic, of the cameras? And things that are hidden in the mouse that you don't really realize you're giving away? What bothers you most about the privacy in the computer?
Well, that's an interesting question. Two things. First off, the thing that was really alarming to me, and I took the slides out for it, you can easily Google this: there are many companies that commercially provide a heat map of where all the user's mouse strokes go. And this is a tool that is being commercially offered by a lot of different companies. Just, oh, these are the places where everybody goes. And I can understand that functionally, as a website designer, they may think that that data is interesting, but as a user, it really creeps me out, because I don't want anybody to know where my mouse is. I don't want anybody to know that. It's not there. It's not in your business. But I think the answer to the question is the microphone. To be frank, the microphone is so scary, I had to redact parts of my talk. There is a lot going on there, and it will be very eye-opening when you run the code, what is going on inside your computer, especially with the microphone. Thanks for the question. And again, either I sucked, or everybody is like, what the fuck just happened? This guy, now I want to say, I survived a B-Sides talk Wednesday where I released a different set of open source software. I sat next to Dan Kaminsky Friday night. I drank eight beers in 30 minutes. I sat next to Banshee last night, drank 10 beers. I was up all night last night. And I think I made it through at least 31 minutes of talk without sucking too bad. And, but, holy shit, it's Sunday. I know everybody's all racked out. Fuck, I know I am. I think I survived it. So I want to thank you guys. It has been a pleasure to be at DEF CON for the last 16 years as a user, and I would like to thank every goon that has made this possible. They are the true stars of the show. And, just as a parting shot, who can be louder, you guys or me? No contest? All right. I'll see you at the awards ceremony.
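The two pieces the talk describes in prose, the in-memory store of device calls correlated with the network connections each process opens afterwards, and the net filter's "shunt the third-party connections while foo.com keeps working" decision, as an added Python example that is not the pinworm framework's code. The record shapes, the 5-second correlation window and the first-party allow rule are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Assumed record shapes standing in for the framework's device-call store and
# the net filter's connection table (constructed for this example).
@dataclass(frozen=True)
class DeviceCall:
    ts: float      # seconds on a constructed clock
    pid: int
    device: str    # "keyboard", "mouse", "microphone" or "video"

@dataclass(frozen=True)
class Connection:
    ts: float
    pid: int
    process: str
    remote_host: str
    remote_port: int

WINDOW_S = 5.0  # assumption: a connection within 5 s of a device read is "correlated"

def is_first_party(host: str, site: str) -> bool:
    """True if host is the site the user navigated to, or one of its subdomains."""
    host, site = host.lower().rstrip("."), site.lower().rstrip(".")
    return host == site or host.endswith("." + site)

def devices_read_before(conn, calls, window=WINDOW_S):
    """Devices the connecting process read in the `window` seconds before connecting."""
    return tuple(sorted({c.device for c in calls
                         if c.pid == conn.pid and conn.ts - window <= c.ts <= conn.ts}))

def shunt_decisions(calls, conns, intended_site, window=WINDOW_S):
    """Return (remote_host, decision, devices) per connection, in input order.

    allow  - first-party to the site the user chose (devices still reported)
    shunt  - third-party, and the process read an input device just before connecting
    review - third-party with no correlated device read; left to the user
    """
    out = []
    for conn in conns:
        devs = devices_read_before(conn, calls, window)
        if is_first_party(conn.remote_host, intended_site):
            decision = "allow"
        elif devs:
            decision = "shunt"
        else:
            decision = "review"
        out.append((conn.remote_host, decision, devs))
    return out

# Constructed sample: a browser (pid 4242) on foo.com and a voice app (pid 5151).
SAMPLE_CALLS = [
    DeviceCall(10.0, 4242, "mouse"),
    DeviceCall(10.2, 4242, "keyboard"),
    DeviceCall(11.0, 5151, "microphone"),
]
SAMPLE_CONNS = [
    Connection(10.5, 4242, "browser.exe", "foo.com", 443),
    Connection(10.6, 4242, "browser.exe", "cdn.foo.com", 443),
    Connection(10.7, 4242, "browser.exe", "track.collector.example", 443),
    Connection(12.0, 5151, "voiceapp.exe", "upload.collector.example", 443),
    Connection(30.0, 4242, "browser.exe", "ads.collector.example", 443),
]

if __name__ == "__main__":
    for host, decision, devs in shunt_decisions(SAMPLE_CALLS, SAMPLE_CONNS, "foo.com"):
        print(f"{decision:6} {host:28} devices={devs}")
```

The third-party connection at 30.0 s lands outside the window and is only flagged for review, which is the gap a user-mode correlator has: a process that buffers input and uploads later will not be caught by timing alone.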