1 00:00:03,050 --> 00:00:04,430 Well, hello, everyone. 2 00:00:04,430 --> 00:00:05,350 I'm X-Ray. 3 00:00:06,290 --> 00:00:08,870 I'm your host for today. 4 00:00:09,010 --> 00:00:13,810 Welcome to DEF CON 30's Altspace VR Groups Village. 5 00:00:14,210 --> 00:00:19,910 So our speaker, our next speaker, is Hoodie Pony, who hails from Australia. 6 00:00:20,790 --> 00:00:23,850 And his talk is going to be on Glitter Nail Polish vs. 7 00:00:23,850 --> 00:00:25,310 the Evil Maid. 8 00:00:25,510 --> 00:00:28,790 Story, spoiler, the maid wins. 9 00:00:28,790 --> 00:00:39,570 In 2018, Hoodie Pony bypassed a tamper evidence seal that was deemed impossible by the CTF organizers. 10 00:00:39,570 --> 00:00:43,990 The Glitter Nail Polish unscrews and won the CTF. 11 00:00:43,990 --> 00:00:50,170 Just another noob nerd of figuring out how things work by breaking things and challenging assumptions. 12 00:00:50,430 --> 00:00:54,950 Sharing a story, just another member of DEF CON group 11613 in... 13 00:00:54,950 --> 00:00:59,210 I'll pronounce this correctly... Northern Australia. 14 00:00:59,950 --> 00:01:01,690 So welcome, Hoodie Pony. 15 00:01:02,230 --> 00:01:03,570 All right, there you are. 16 00:01:03,670 --> 00:01:08,750 Okay, let's see if all of the technology will work. 17 00:01:11,500 --> 00:01:12,720 Thank you, thank you. 18 00:01:12,940 --> 00:01:14,540 Can you hear me? 19 00:01:15,720 --> 00:01:15,920 Yeah. 20 00:01:15,920 --> 00:01:17,080 All right. 21 00:01:17,280 --> 00:01:18,720 Sounds good. 22 00:01:19,840 --> 00:01:21,520 All right. 23 00:01:24,510 --> 00:01:25,830 All right. 24 00:01:25,830 --> 00:01:27,490 Good day, agents. 25 00:01:27,610 --> 00:01:30,210 Thank you for being here on such short notice. 26 00:01:30,210 --> 00:01:34,070 I'm Hoodie Pony, here for your mission briefing today. 27 00:01:34,070 --> 00:01:35,610 Actually, next slide. 28 00:01:38,890 --> 00:01:44,090 It's been a long day, and this mission is time sensitive, so we'll be brief. 
29 00:01:44,190 --> 00:01:45,250 Next slide. 30 00:01:46,390 --> 00:01:51,550 According to our intelligence reports, a person of significant interest, Dr. 31 00:01:51,550 --> 00:01:54,990 O, will be presenting at DEF CON 30 tomorrow. 32 00:01:54,990 --> 00:02:05,330 The homecoming of the hacker, anarchist, and anti-corporate community, with journalists and intelligence organizations from across the globe in attendance. 33 00:02:05,330 --> 00:02:16,250 We've been informed in the highly anticipated redacted talk, they will be releasing data that is of significant corporate interest. 34 00:02:16,990 --> 00:02:21,310 We need that information before it is released. 35 00:02:21,570 --> 00:02:25,790 It could be an existential threat to our organization. 36 00:02:27,130 --> 00:02:29,130 We have identified that Dr. 37 00:02:29,130 --> 00:02:39,530 O will be staying at the Plaza Hotel, and your mission is to retrieve a copy of the data, the encryption key for that data, and place a bug inside their laptop. 38 00:02:39,530 --> 00:02:43,250 So, well, we can continue to keep an eye on things. 39 00:02:43,670 --> 00:02:46,610 Of importance, we understand that Dr. 40 00:02:46,610 --> 00:02:52,050 O has deployed tamper-evident seals and techniques protecting these targets. 41 00:02:52,770 --> 00:03:03,230 They also have a dead man's switch on their person that will release that information immediately to potentially hostile parties should our tampering be discovered. 42 00:03:04,730 --> 00:03:09,950 It is very important that our actions are not discovered. 43 00:03:10,110 --> 00:03:11,450 Next slide, please. 44 00:03:13,030 --> 00:03:14,790 But how, you might ask. 45 00:03:14,790 --> 00:03:17,190 Well, that's a pretty good question. 46 00:03:17,190 --> 00:03:18,450 We believe that Dr. 47 00:03:18,450 --> 00:03:28,770 O will be leaving for dinner with a few friends later this evening, and will be attending a few of those sponsored parties that are so famously known for. 
48 00:03:29,210 --> 00:03:32,110 That would be our opportunity to act. 49 00:03:34,720 --> 00:03:39,260 We've prepared for you to enter as the housekeeping staff at the Plaza Hotel. 50 00:03:40,240 --> 00:03:43,360 We believe that... next slide, please. 51 00:03:44,740 --> 00:03:45,360 Um... 52 00:03:46,760 --> 00:03:48,280 We believe that Dr. 53 00:03:48,280 --> 00:03:51,100 O will leave the target items in their room. 54 00:03:51,340 --> 00:03:54,640 You have a few hours to act before they return. 55 00:03:55,000 --> 00:03:56,440 Next slide. 56 00:04:00,950 --> 00:04:02,970 You have three objectives. 57 00:04:03,050 --> 00:04:09,510 All these objectives must be accomplished without any signs of tampering, or signs that these items have been disturbed. 58 00:04:09,790 --> 00:04:14,490 Don't worry about it being forensically clean. 59 00:04:14,490 --> 00:04:16,490 We just need to make sure that Dr. 60 00:04:16,490 --> 00:04:19,930 O doesn't notice it before their presentation tomorrow. 61 00:04:20,950 --> 00:04:23,290 The objective is from left to right. 62 00:04:23,630 --> 00:04:24,870 Objective Alpha. 63 00:04:25,130 --> 00:04:28,530 Retrieve a copy of the encryption key in a sealed envelope. 64 00:04:28,610 --> 00:04:33,290 There should be a folded paper with the encryption key written on it. 65 00:04:33,710 --> 00:04:39,250 Simply take a photo of that key and return the target to its original state. 66 00:04:39,570 --> 00:04:40,470 Next. 67 00:04:40,850 --> 00:04:42,350 Objective Bravo. 68 00:04:42,350 --> 00:04:49,750 Retrieve a copy of the data from the encrypted USB that would be sealed inside the tamper-evident bag. 69 00:04:50,670 --> 00:04:52,350 Objective Charlie. 70 00:04:52,550 --> 00:04:55,990 Plant a signal intercept spot in Dr. 71 00:04:55,990 --> 00:04:57,070 O's laptop. 72 00:04:58,030 --> 00:04:58,430 Dr. 73 00:04:58,430 --> 00:04:59,850 O's previous actions. 74 00:04:59,850 --> 00:05:01,150 We know that Dr. 
75 00:05:01,150 --> 00:05:10,290 O will take precautions by using glitter nail polish directly on their laptop to protect it against tampering. 76 00:05:10,510 --> 00:05:11,710 Next slide. 77 00:05:13,730 --> 00:05:15,370 We understand that the objective... 78 00:05:16,050 --> 00:05:18,370 Sorry, one slide back. 79 00:05:18,790 --> 00:05:20,030 Thank you. 80 00:05:23,930 --> 00:05:25,490 Previous slide. 81 00:05:28,540 --> 00:05:29,500 Yay. 82 00:05:30,040 --> 00:05:30,880 Awesome. 83 00:05:30,880 --> 00:05:33,840 We understand that Objective Charlie can be most challenging. 84 00:05:33,840 --> 00:05:39,460 Some say it is mission impossible as it is widely believed that there is no known bypass. 85 00:05:39,780 --> 00:05:40,720 Next slide. 86 00:05:44,080 --> 00:05:45,540 Not quite. 87 00:05:45,540 --> 00:05:55,100 We have had expertise since 2018 and we'll be reading you in on the TTPs with this mission briefing to ensure your success. 88 00:05:55,100 --> 00:06:03,220 As always, all this is strictly classified and protected by confidentiality agreement with us during your employment contract. 89 00:06:03,500 --> 00:06:05,760 Let us first start with the basics. 90 00:06:09,370 --> 00:06:17,490 Keep in mind that we are only interested in bypassing the seals in a way that will not be detected by casual human visual inspection. 91 00:06:21,880 --> 00:06:24,320 There are three common attacks... 92 00:06:26,590 --> 00:06:29,710 attack types to bypass the tamper-evident seals. 93 00:06:29,810 --> 00:06:33,350 Chemical, physical, and temperature attacks. 94 00:06:36,000 --> 00:06:37,740 Next slide, please. 95 00:06:41,280 --> 00:06:42,840 Next slide. 96 00:06:45,350 --> 00:06:46,710 Yeah, okay, cool. 97 00:06:46,710 --> 00:06:47,670 Thank you. 98 00:06:47,890 --> 00:06:51,770 We'll dig deeper into the common attacks as we talk about your loadout. 
99 00:06:51,770 --> 00:06:58,410 Upon arrival at the Plaza Hotel, an asset will provide you with a cleaner's cart and appropriate uniform. 100 00:06:59,070 --> 00:07:02,550 But due to the constrained timelines, you'll have to improvise. 101 00:07:02,550 --> 00:07:04,630 You need to pick up some tools yourself. 102 00:07:04,630 --> 00:07:08,130 You'll be able to source these from your garage or your local pharmacy. 103 00:07:08,130 --> 00:07:09,110 Next slide. 104 00:07:12,360 --> 00:07:13,840 Chemical attacks. 105 00:07:14,020 --> 00:07:20,960 Most of this would involve the use of solvents to attack the glue or the binding agent or the material itself. 106 00:07:20,960 --> 00:07:26,340 Using these, you could, for example, undo glue wristbands without damaging the paper. 107 00:07:26,340 --> 00:07:27,980 It is binding together. 108 00:07:28,480 --> 00:07:36,300 For this mission, we recommend that you prepare at least acetone and methylated spirits with other solvents and reagents as available. 109 00:07:44,350 --> 00:07:45,550 Physical attacks. 110 00:07:45,550 --> 00:07:53,050 The use of physical force to manipulate or attack the binding or container or glue and glue to put things together. 111 00:07:53,050 --> 00:08:01,510 An example is to use a knife to pry things open or to cut the seals away from a container and then to be joined back together with superglue. 112 00:08:01,570 --> 00:08:07,090 For this mission, we anticipate that you'll need your standard-issue multi-tool and superglue. 113 00:08:07,270 --> 00:08:08,450 Next slide. 114 00:08:11,610 --> 00:08:13,210 Temperature attacks. 115 00:08:13,890 --> 00:08:22,430 Taking advantage of how materials behave, we can use either heat or cold to manipulate the seal or the container to our advantage. 116 00:08:22,430 --> 00:08:29,450 An example is to use cold to cleanly shatter or break a seal by taking advantage of the different rates of contraction. 
117 00:08:31,750 --> 00:08:35,090 For this mission, you'll need a secret lighter with you. 118 00:08:36,470 --> 00:08:37,570 Next slide. 119 00:08:42,530 --> 00:09:01,910 Other useful tools you'll need to facilitate your attacks include needles, specifically insulin needles if you can acquire them, a good electronics toolkit to help you undo those pesky security screws, and clear nail polish for Objective Charlie. 120 00:09:03,610 --> 00:09:06,470 Did we lose the slide deck? 121 00:09:11,240 --> 00:09:13,820 Yes, we did lose the slide deck. 122 00:09:13,820 --> 00:09:15,060 One moment, please. 123 00:09:15,680 --> 00:09:17,340 They're working on it right now. 124 00:09:17,340 --> 00:09:18,480 Give them a second. 125 00:09:36,170 --> 00:09:39,250 And it looks like we are back. 126 00:09:39,490 --> 00:09:42,470 Alrighty, so let's continue the briefing. 127 00:09:43,970 --> 00:09:44,910 All right. 128 00:09:44,910 --> 00:09:54,570 As I was saying, you'll need a good electronics toolkit to undo those pesky security screws and clear nail polish for Objective Charlie. 129 00:09:55,490 --> 00:09:57,310 Next slide, please. 130 00:09:58,810 --> 00:10:03,830 So let's just jump right into preparations for your mission. 131 00:10:03,910 --> 00:10:15,170 For Objective Alpha, to retrieve the encryption key, how would you retrieve the code within this without any obvious signs of tampering? 132 00:10:17,490 --> 00:10:21,390 Audience, anyone wants to give it a shot? 133 00:10:21,670 --> 00:10:22,410 Thoughts? 134 00:10:22,410 --> 00:10:24,330 Feel free to just yell out. 135 00:10:27,650 --> 00:10:28,550 Sorry? 136 00:10:29,710 --> 00:10:30,910 Steam. 137 00:10:31,710 --> 00:10:34,510 I can barely hear anyone. 138 00:10:34,590 --> 00:10:35,950 I can see you. 139 00:10:36,150 --> 00:10:37,150 Steam. 140 00:10:37,930 --> 00:10:39,130 Steam? 141 00:10:41,650 --> 00:10:43,350 Yeah, they're saying steam. 142 00:10:43,950 --> 00:10:45,810 Yep, that's one way. 
143 00:10:45,810 --> 00:10:47,110 Anyone else? 144 00:10:47,730 --> 00:10:52,070 You could try shining a light through it and see if you can read it without opening it. 145 00:10:53,050 --> 00:10:55,490 That's a very good attempt. 146 00:10:55,690 --> 00:11:05,210 Let's just say for the purposes of this scenario, it's using really thick stock paper. 147 00:11:05,510 --> 00:11:10,830 Say, you know, 200 grams stock paper that you can't read through. 148 00:11:10,830 --> 00:11:12,910 So yeah, how else? 149 00:11:13,050 --> 00:11:15,990 Just a bit of note with regards to steam. 150 00:11:16,110 --> 00:11:20,930 Steam can stain the paper and can leave water residue marks. 151 00:11:20,930 --> 00:11:25,050 So you'd want to avoid using steam in this situation. 152 00:11:26,310 --> 00:11:31,130 You could apply heat to the adhesive and see if it comes open. 153 00:11:31,850 --> 00:11:34,730 Sorry, I could barely hear that. 154 00:11:35,710 --> 00:11:37,890 Apply heat to the adhesive. 155 00:11:39,570 --> 00:11:48,630 Yeah, you could try that, but that would probably mark the paper as it would turn brown with heat. 156 00:11:49,870 --> 00:11:54,340 Could you slice one end open? 157 00:11:54,400 --> 00:11:55,740 Sorry? 158 00:11:57,740 --> 00:12:02,300 Could you slice one side open and then seal it back up? 159 00:12:02,880 --> 00:12:05,540 Yes, that is definitely possible. 160 00:12:05,540 --> 00:12:13,300 And that's a relatively good approach, as long as the sealing back up is not obvious. 161 00:12:13,300 --> 00:12:16,300 All right, let's just... 162 00:12:17,940 --> 00:12:25,300 So one of the things that you could do is to, well, if there is a bit of a gap, you could just try to get the paper out. 163 00:12:26,420 --> 00:12:32,600 Or otherwise use a liberal amount of methylated spirits or any of the solvents to get the glue soft. 164 00:12:32,600 --> 00:12:38,640 And it should just fold right open with no visible residue. 165 00:12:38,640 --> 00:12:51,140 Because it is... 
methylated spirits evaporate, and leave behind no visible signs of tampering. 166 00:12:51,140 --> 00:12:54,780 I think the slides died again. 167 00:12:56,620 --> 00:12:58,260 And... boom. 168 00:12:59,200 --> 00:13:01,050 Yes, cool. 169 00:13:01,680 --> 00:13:04,400 Yeah, so... and open. 170 00:13:04,580 --> 00:13:06,080 Can we just stay? 171 00:13:06,080 --> 00:13:07,180 Yeah, cool. 172 00:13:07,820 --> 00:13:13,900 It softens up the glue, allowing you to open it with no visible residue. 173 00:13:13,900 --> 00:13:16,640 Now, next slide. 174 00:13:18,930 --> 00:13:20,290 Thank you. 175 00:13:21,930 --> 00:13:23,750 For Objective Bravo. 176 00:13:26,150 --> 00:13:29,310 Retrieve the USB from the tamper-evident pack. 177 00:13:29,310 --> 00:13:33,970 How would you retrieve the USB without any signs of tampering? 178 00:13:39,990 --> 00:13:41,390 Okay, cool. 179 00:13:42,770 --> 00:13:45,150 Am I coming through okay? 180 00:13:49,540 --> 00:13:50,700 No? 181 00:13:50,700 --> 00:13:52,260 Slides down? 182 00:13:52,500 --> 00:13:53,580 Slides down? 183 00:13:53,920 --> 00:13:55,300 Slides working. 184 00:13:55,820 --> 00:13:57,800 We can see them. 185 00:13:59,200 --> 00:13:59,960 What's... 186 00:14:00,720 --> 00:14:04,780 We can see the slides, but your audio is cutting in and out. 187 00:14:05,380 --> 00:14:06,500 Oh, okay. 188 00:14:06,500 --> 00:14:09,600 Let me just try the audio thing again. 189 00:14:09,600 --> 00:14:10,900 Sorry about that. 190 00:14:27,370 --> 00:14:29,150 Audio works now? 191 00:14:29,610 --> 00:14:30,130 Yes? 192 00:14:30,130 --> 00:14:30,810 No? 193 00:14:31,010 --> 00:14:32,030 Better? 194 00:14:32,030 --> 00:14:33,230 Okay. 195 00:14:33,730 --> 00:14:36,970 Joy, better software on better software. 196 00:14:36,970 --> 00:14:37,950 Fun. 197 00:14:39,650 --> 00:14:42,190 Okay, so let's go to this. 198 00:14:42,190 --> 00:14:46,650 Since we have kind of like revealed the slide. 199 00:14:47,470 --> 00:14:49,750 So how would we do this? 
200 00:14:50,410 --> 00:14:52,630 If we go to the next slide. 201 00:14:52,630 --> 00:14:53,790 Yeah, the slide. 202 00:14:53,950 --> 00:15:01,250 So we could use solvents to soften the glue like the previous objective. 203 00:15:01,250 --> 00:15:16,650 However, with the tamper-evident bags, it is sometimes a hit or miss whether the solvent will dissolve the ink itself on the seal, thus revealing that the bag has been tampered with. 204 00:15:17,310 --> 00:15:28,910 So a safer approach is to carefully slice the sides of the bag and use a heated blade to reseal the bag once the drive has been removed, copied, and replaced it back in. 205 00:15:31,980 --> 00:15:33,360 Next slide, please. 206 00:15:38,200 --> 00:15:41,000 It's the one with the glitter nail polish. 207 00:15:41,600 --> 00:15:43,160 Next slide. 208 00:15:43,580 --> 00:15:45,700 Am I cutting out again? 209 00:15:46,880 --> 00:15:48,680 No, we can hear you. 210 00:15:48,680 --> 00:15:50,000 Okay, cool. 211 00:15:51,000 --> 00:15:52,180 Okay. 212 00:15:52,180 --> 00:15:53,460 Sorry. 213 00:15:53,520 --> 00:16:01,960 Could we go to the slide with the glitter nail polish slide 19? 214 00:16:01,960 --> 00:16:03,420 Where are we at? 215 00:16:03,420 --> 00:16:05,420 Good job. 216 00:16:05,780 --> 00:16:06,720 How much? 217 00:16:07,100 --> 00:16:09,100 Good job. 218 00:16:10,580 --> 00:16:11,380 Yeah. 219 00:16:20,550 --> 00:16:21,870 Slide 19. 220 00:16:29,890 --> 00:16:32,970 Let me see if I can get the edge plug in. 221 00:16:34,270 --> 00:16:36,770 Yep, not a problem. 222 00:16:36,770 --> 00:16:39,250 Looks like we are having technical difficulties. 223 00:16:39,370 --> 00:16:42,330 Hopefully your machine will be a bit smoother than this. 224 00:16:43,010 --> 00:16:44,370 Technology. 225 00:16:44,730 --> 00:16:47,290 You need to save your documents. 226 00:16:47,570 --> 00:16:49,410 Here we go. 227 00:16:50,110 --> 00:16:53,270 Did everybody pray to the demo gods today? 
228 00:16:56,690 --> 00:16:58,330 Let's start. 229 00:16:58,890 --> 00:17:00,470 Oh, there you go. 230 00:17:00,630 --> 00:17:01,590 Fantastic. 231 00:17:01,590 --> 00:17:02,770 Looks like we are back. 232 00:17:02,770 --> 00:17:11,950 So, continuing with objective Charlie, it takes a bit more effort than our previous objectives to complete. 233 00:17:12,490 --> 00:17:18,150 But removing glitter nail polish directly on the screw is certainly something possible after this briefing. 234 00:17:18,650 --> 00:17:20,150 Next slide, please. 235 00:17:22,750 --> 00:17:28,550 We'll need to put together all our previous techniques to successfully accomplish this objective. 236 00:17:28,550 --> 00:17:30,530 So, how do we do it? 237 00:17:30,530 --> 00:17:31,590 Next slide. 238 00:17:35,560 --> 00:17:37,980 This is on the right track. 239 00:17:38,120 --> 00:17:43,220 We'll take advantage of any of these weaknesses as available to make our task easier. 240 00:17:43,400 --> 00:17:44,380 Next slide. 241 00:17:47,540 --> 00:17:49,960 Alright, let's jump right into it. 242 00:17:49,960 --> 00:17:53,220 First, start by carefully observing the nail polish. 243 00:17:53,220 --> 00:17:54,400 Next slide. 244 00:17:58,180 --> 00:18:00,280 So, what is the challenge here? 245 00:18:00,320 --> 00:18:06,160 Well, it is that the nail polish strongly binds to the screw and the laptop. 246 00:18:06,820 --> 00:18:15,320 It is believed that the only way to remove the glitter nail polish is to remove all the nail polish and replace it with a new coat. 247 00:18:15,320 --> 00:18:24,420 The glitter's arrangement makes it practically impossible to replicate, thus observable that it has been tampered with. 248 00:18:24,420 --> 00:18:29,180 Well, what if that assumption isn't quite true? 249 00:18:30,160 --> 00:18:31,620 Next slide, please. 250 00:18:34,340 --> 00:18:40,120 The goal here is that Dr. O does not notice their laptop has been tampered with. 
251 00:18:40,120 --> 00:18:47,840 That means, by casual visual inspection, they should not notice any damage to the seals. 252 00:18:48,240 --> 00:18:55,760 However, as an additional precaution, the glitter pattern should also match any photographs they would have taken of it. 253 00:18:55,980 --> 00:18:57,600 Next slide, please. 254 00:18:59,520 --> 00:19:01,420 So, the hack here. 255 00:19:01,940 --> 00:19:07,300 The nail polish applied would have some height to it, no matter how thin. 256 00:19:07,300 --> 00:19:15,320 The top half, shown in red on the diagram, is more visible, thus more important. 257 00:19:15,760 --> 00:19:26,760 The bottom half, shown in green, is less visible, thus some damage can be done to this layer without it being visible upon inspection. 258 00:19:27,460 --> 00:19:36,280 So, taking advantage of this, our attack will be on the bottom layer, preserving the top so that it is visually untouched. 259 00:19:37,000 --> 00:19:38,760 Next slide, please. 260 00:19:42,600 --> 00:19:45,900 With that, let's jump into the process. 261 00:19:45,960 --> 00:19:49,600 Step one, well, start by taking pictures of the seal. 262 00:19:50,040 --> 00:19:58,280 These will be your references, and crucial for ensuring you are able to put the seal back together in a visually similar manner. 263 00:19:58,440 --> 00:19:59,480 Get close. 264 00:19:59,480 --> 00:20:04,620 The clearer your pictures, the easier it is to work with later. 265 00:20:04,620 --> 00:20:07,540 But also keep track which picture belongs to which screw. 266 00:20:07,540 --> 00:20:08,980 Next slide. 267 00:20:12,220 --> 00:20:15,740 Next, start by picking a single screw to work on. 268 00:20:15,980 --> 00:20:21,640 Then, as targeted as possible, heat up the surface of the laptop near the nail polish. 269 00:20:21,640 --> 00:20:27,540 The different rates of material expansion should help slightly peel off the edge of the nail polish block. 
270 00:20:28,060 --> 00:20:35,500 If you can find some leverage around the nail polish, without damaging it, you may not need this step. 271 00:20:35,500 --> 00:20:45,800 Remember, take it slow and careful, and be very careful with it as you do not want to damage the nail polish coat, especially the thinner outer edges. 272 00:20:48,020 --> 00:20:51,500 Using the sharpest knife or blade that you have... 273 00:20:53,020 --> 00:20:54,380 Next slide. 274 00:20:56,740 --> 00:20:57,960 Thank you. 275 00:20:57,960 --> 00:21:03,420 Using the sharpest knife or blade that you have, attempt to slowly lift a thin portion of the film up. 276 00:21:03,420 --> 00:21:04,980 While doing that... 277 00:21:04,980 --> 00:21:05,880 Next slide. 278 00:21:12,100 --> 00:21:13,760 Next slide, please. 279 00:21:19,090 --> 00:21:20,570 Slide 29, please. 280 00:21:20,570 --> 00:21:21,310 Yeah, cool. 281 00:21:21,310 --> 00:21:22,230 Thank you. 282 00:21:23,030 --> 00:21:32,510 Add tiny bits of acetone, using an insulin syringe, to the edge where your blade meets the nail polish, to help dissolve a thin layer of the nail polish. 283 00:21:32,770 --> 00:21:37,990 Caution, do not add too much, as it may take away more nail polish than you want. 284 00:21:38,510 --> 00:21:39,790 Next slide. 285 00:21:41,370 --> 00:21:49,850 Well, repeat steps 2 to 4, a tiny gentle bit at a time, until you get the whole top off. 286 00:21:50,370 --> 00:21:53,990 Patience and being delicate is important, do not rush it. 287 00:21:54,330 --> 00:21:57,830 Don't worry about the nail polish in the screw itself. 288 00:21:57,990 --> 00:22:03,810 Go ahead and use acetone to clear off enough so that you can get a screwdriver in there to remove the screw. 289 00:22:04,030 --> 00:22:07,830 Now, repeat this for all the screws. 290 00:22:07,830 --> 00:22:09,810 This process may take a while. 291 00:22:09,810 --> 00:22:13,490 It took about 30 minutes per screw. 292 00:22:15,550 --> 00:22:17,030 The last I did this. 
293 00:22:17,250 --> 00:22:18,590 Next slide, please. 294 00:22:20,130 --> 00:22:22,830 Plant the bug anywhere near the CPU would be fine. 295 00:22:22,830 --> 00:22:24,430 Remember to secure it down. 296 00:22:24,430 --> 00:22:28,670 A dab of super glue or clear nail polish to hold it down will do nicely. 297 00:22:28,830 --> 00:22:36,970 Now, put it all back together, screw in all the screws, and then we move on to putting back the glitter nail polish on top. 298 00:22:36,970 --> 00:22:38,610 Capping off the screws. 299 00:22:39,250 --> 00:22:40,190 Next slide. 300 00:22:42,790 --> 00:22:53,250 To begin our reassembly process, begin by placing a very thin layer of clear nail polish on the screw itself. 301 00:22:53,330 --> 00:22:59,310 Remember to fill the gaps on the head of the screw so that it is a nice flat surface. 302 00:23:01,150 --> 00:23:10,670 Be careful not to use too much or to cover more space than the initial nail polish originally did. 303 00:23:11,550 --> 00:23:17,890 You might find the use of a toothpick or syringe helpful to control the amount of clear nail polish that you use. 304 00:23:17,890 --> 00:23:18,930 Next slide. 305 00:23:22,130 --> 00:23:30,210 Using the photo reference that you have taken, carefully align and place the original glitter nail polish film back onto the screw. 306 00:23:31,250 --> 00:23:33,110 A steady hand is important here. 307 00:23:33,610 --> 00:23:37,990 Take the time to carefully align it back to as it was. 308 00:23:37,990 --> 00:23:44,970 Be careful that there is no excess clear nail polish that overflows the original blob's boundary. 309 00:23:45,290 --> 00:23:53,810 One tip, as long as you match your reference photo and the film does not detach from casual handling, it will likely be in the clear. 310 00:23:55,190 --> 00:24:03,790 Dr. O and most would have taken photos or more likely just observed it if there is damage done to the seal. 
311 00:24:03,930 --> 00:24:12,870 When we first accomplished this in 2018, there was the use of a computer vision software matching against a reference image that we had to bypass. 312 00:24:12,870 --> 00:24:20,230 But we do not expect Dr. O to have such technology at their disposal and would likely just simply inspect them visually. 313 00:24:21,790 --> 00:24:28,290 Do this to all the seals that you have removed and with some practice, this could be done quite quickly. 314 00:24:28,350 --> 00:24:29,430 Next slide please. 315 00:24:31,290 --> 00:24:33,050 Well, congratulations. 316 00:24:33,050 --> 00:24:38,850 Now, get out of there and get back to safety. 317 00:24:38,850 --> 00:24:40,790 That's it for the mission briefing. 318 00:24:40,790 --> 00:24:44,130 Mission commences at 0200 Zulu. 319 00:24:44,190 --> 00:24:45,210 Godspeed. 320 00:24:45,230 --> 00:24:46,410 Next slide. 321 00:24:53,130 --> 00:24:54,370 Next slide. 322 00:24:55,390 --> 00:25:03,390 Some special thanks and congratulations to the various giants that have made this possible. 323 00:25:03,750 --> 00:25:05,130 Next slide. 324 00:25:07,310 --> 00:25:12,690 For the DEF CON 19 seminal talk that helped form the foundations of my knowledge. 325 00:25:12,690 --> 00:25:13,870 Next slide. 326 00:25:14,650 --> 00:25:24,070 To the awesome kids, Moss and Boo, for being such great sports and sharing their knowledge to get me started and for writing heaps about tamper-evident bypasses. 327 00:25:24,370 --> 00:25:25,330 Next slide. 328 00:25:26,410 --> 00:25:30,630 And the seminal talk that introduced the glitter nail polish approach. 329 00:25:31,790 --> 00:25:35,510 The CCC talk that introduced the glitter nail polish approach. 330 00:25:35,510 --> 00:25:36,710 Next slide. 331 00:25:37,050 --> 00:25:44,790 And many, many others, including DCG VR for the opportunity to speak and many others. 332 00:25:46,330 --> 00:25:48,090 Next slide. 
333 00:25:48,210 --> 00:25:52,310 And thank you for listening to this short story. 334 00:25:54,780 --> 00:25:55,960 Questions? 335 00:25:56,600 --> 00:25:58,640 Hopefully I can hear you. 336 00:26:07,840 --> 00:26:11,640 Sorry, where did that voice come from? 337 00:26:11,800 --> 00:26:13,200 Hi. 338 00:26:21,380 --> 00:26:30,260 So, with the amount that you use, it's almost not perceptible. 339 00:26:30,560 --> 00:26:35,320 Because at the end of the day, you're just using a small little drip of it. 340 00:26:35,320 --> 00:26:37,100 So, yeah. 341 00:26:37,240 --> 00:26:39,200 I mean, the other thing is... 342 00:26:40,580 --> 00:26:42,100 Who sniffs it? 343 00:26:46,780 --> 00:26:48,760 So, yeah, there's that. 344 00:26:50,100 --> 00:26:55,320 So, practically, you just look at it and you go, hey, looks fine. 345 00:26:55,600 --> 00:26:56,880 It's all right. 346 00:26:57,340 --> 00:26:59,660 And then just move on. 347 00:27:03,870 --> 00:27:05,250 Quick question. 348 00:27:06,950 --> 00:27:08,930 How reproducible is this? 349 00:27:08,930 --> 00:27:11,130 Like, what are the chances of success if it needs to be done? 350 00:27:11,130 --> 00:27:14,390 If the threat actors attempted to do this on a regular basis. 351 00:27:14,390 --> 00:27:15,690 You know. 352 00:27:19,130 --> 00:27:21,270 Reproducible enough. 353 00:27:21,430 --> 00:27:24,210 So, yeah. 354 00:27:24,210 --> 00:27:26,450 It's reproducible enough. 355 00:27:26,450 --> 00:27:28,410 With enough practice. 356 00:27:28,410 --> 00:27:37,730 I initially didn't plan to do this talk because I just thought it was, well, meh. 357 00:27:40,510 --> 00:27:43,490 And it was kind of like a known thing. 358 00:27:43,490 --> 00:27:44,590 So, yeah. 359 00:27:44,730 --> 00:27:46,770 Reproducible enough, I guess. 360 00:27:47,230 --> 00:27:54,690 I just didn't have the time to create off tiny bits at a time in a live demo. 361 00:27:54,710 --> 00:27:55,350 But, yeah. 362 00:27:55,350 --> 00:27:56,510 Oh, sure, sure. 
363 00:27:56,670 --> 00:28:02,750 So, I guess my question is, you know, if you had a hundred laptops in a row, right? 364 00:28:02,750 --> 00:28:05,590 How many of them would notice tampering by the time you were done? 365 00:28:05,590 --> 00:28:10,690 The chances of you screwing it up or maybe it should be snatched in half or something like that? 366 00:28:10,690 --> 00:28:15,630 I mean, like, you wouldn't do this on a bulk surveillance scale. 367 00:28:15,710 --> 00:28:19,590 You'd probably be, you know, an evil maid attack. 368 00:28:19,590 --> 00:28:25,210 And that's why the context of this story, I put it within that context of an evil maid attack. 369 00:28:25,210 --> 00:28:30,870 Because it takes way too long to do this from a bulk surveillance perspective. 370 00:28:31,570 --> 00:28:37,850 I mean, you could hire a whole bunch of people, but, you know, that's also a very big logistical operation. 371 00:28:38,850 --> 00:28:44,010 So, this is more of a targeted clandestine operation type attack? 372 00:28:44,490 --> 00:28:47,030 Yeah, that would be my take on it. 373 00:28:47,090 --> 00:29:01,090 Now, what's interesting is, until this presentation, I had not heard of any valid, confirmed valid attack on the glitter nail polish methodology. 374 00:29:01,090 --> 00:29:05,550 I'd heard rumors, but I hadn't actually heard of an actual successful attack. 375 00:29:05,550 --> 00:29:10,030 So, ladies and gentlemen, you've just witnessed a zero day. 376 00:29:10,630 --> 00:29:11,910 Congratulations. 377 00:29:16,720 --> 00:29:18,800 I guess we drink. 378 00:29:21,580 --> 00:29:26,080 So, I guess the tradition of dropping zero days at DEF CON lives on. 379 00:29:29,120 --> 00:29:33,220 And even at the virtual DEF CON, we have them. 380 00:29:33,220 --> 00:29:34,700 So, that's excellent. 381 00:29:35,480 --> 00:29:37,040 Yeah, from across the globe. 382 00:29:37,040 --> 00:29:37,340 Questions? 383 00:29:37,840 --> 00:29:40,780 Yeah, from Melbourne. 
384 00:29:41,380 --> 00:29:43,260 I'm getting better at pronouncing that. 385 00:29:43,340 --> 00:29:45,180 Are there any more questions for our speakers? 386 00:29:47,800 --> 00:29:48,460 No? 387 00:29:48,460 --> 00:29:49,540 All righty, then. 388 00:29:49,920 --> 00:29:52,720 Not really a question, just a comment. 389 00:29:52,760 --> 00:29:53,900 It's interesting. 390 00:29:54,940 --> 00:30:03,400 I've never really heard of the nail polish approach until about, I want to say, a week or two ago, when one of my buddies or another security group was giving a talk about it. 391 00:30:03,400 --> 00:30:07,840 So, it was really interesting to see a bypass for this approach. 392 00:30:07,840 --> 00:30:09,240 So, thank you for that. 393 00:30:09,620 --> 00:30:23,640 Yeah, I mean, to be honest, it appeared on Hacker News and stuff that the attack is still viable. 394 00:30:23,640 --> 00:30:31,940 And I'm like, yeah, okay, we should probably do a talk about it, since it's not known that there is an actual attack for it. 395 00:30:31,940 --> 00:30:34,220 So, here we are. 396 00:30:36,570 --> 00:30:44,410 I actually just recently found out about the whole nail polish method through a Lifehacker article. 397 00:30:44,850 --> 00:30:46,150 Just now. 398 00:30:46,630 --> 00:30:47,630 Yeah. 399 00:30:47,850 --> 00:30:48,830 Anyway. 400 00:30:48,830 --> 00:30:53,290 And it's crazy how all this happens. 401 00:30:54,710 --> 00:30:55,670 Yeah. 402 00:30:55,670 --> 00:30:59,910 And also, full disclaimer, this is fictional. 403 00:31:01,470 --> 00:31:03,730 This is a fictional story. 404 00:31:03,870 --> 00:31:08,730 Yeah, fictional story, but the hack is actually real, so that's kind of cool. 405 00:31:09,550 --> 00:31:10,190 Yeah. 406 00:31:10,190 --> 00:31:10,970 All righty. 407 00:31:10,970 --> 00:31:15,550 I will give back the microphones to the MC. 408 00:31:15,550 --> 00:31:16,710 Here, X-Ray. 409 00:31:16,790 --> 00:31:18,850 Thank you, HoodiePony. 
410 00:31:18,850 --> 00:31:21,050 We appreciate your presentation. 411 00:31:21,050 --> 00:31:26,030 I really wanted to see this one when I saw the write-up submitted. 412 00:31:26,030 --> 00:31:28,810 This is on my hot list of seeing. 413 00:31:28,810 --> 00:31:32,290 Our next speaker is going to be here in about 30 minutes. 414 00:31:32,290 --> 00:31:34,230 It was supposed to be Shelter. 415 00:31:34,590 --> 00:31:36,330 He's disappeared. 416 00:31:36,330 --> 00:31:37,230 We haven't heard from him. 417 00:31:37,230 --> 00:31:38,910 So, we don't know. 418 00:31:38,950 --> 00:31:44,130 As far as I know, unless he shows up at the last minute, he's not going to be speaking. 419 00:31:44,130 --> 00:31:46,330 Our next presenter will be SidePocket. 420 00:31:46,770 --> 00:31:50,450 So, that's looking good so far. 421 00:31:50,650 --> 00:31:52,470 So, take a break. 422 00:31:52,470 --> 00:31:54,250 Come back in about 30 minutes.