[00:03.050 --> 00:08.870] Well, hello, everyone. I'm X-Ray. I'm your host for today.
[00:09.010 --> 00:13.810] Welcome to DEF CON 30's Altspace VR Groups Village.
[00:14.210 --> 00:19.910] So our speaker, our next speaker, is Hoodie Pony, who hails from Australia.
[00:20.790 --> 00:25.310] And his talk is going to be on Glitter Nail Polish vs. the Evil Maid.
[00:25.510 --> 00:28.790] Story, spoiler, the maid wins.
[00:28.790 --> 00:39.570] In 2018, Hoodie Pony bypassed a tamper-evident seal that was deemed impossible by the CTF organizers,
[00:39.570 --> 00:43.990] the glitter nail polish on screws, and won the CTF.
[00:43.990 --> 00:50.170] Just another noob nerd of figuring out how things work by breaking things and challenging assumptions.
[00:50.430 --> 00:54.950] Sharing a story, just another member of DEF CON group 11613 in...
[00:54.950 --> 00:59.210] I'll pronounce this correctly... Northern Australia.
[00:59.950 --> 01:01.690] So welcome, Hoodie Pony.
[01:02.230 --> 01:03.570] All right, there you are.
[01:03.670 --> 01:08.750] Okay, let's see if all of the technology will work.
[01:11.500 --> 01:12.720] Thank you, thank you.
[01:12.940 --> 01:14.540] Can you hear me?
[01:15.720 --> 01:15.920] Yeah.
[01:15.920 --> 01:17.080] All right.
[01:17.280 --> 01:18.720] Sounds good.
[01:19.840 --> 01:21.520] All right.
[01:24.510 --> 01:25.830] All right.
[01:25.830 --> 01:27.490] Good day, agents.
[01:27.610 --> 01:30.210] Thank you for being here on such short notice.
[01:30.210 --> 01:34.070] I'm Hoodie Pony, here for your mission briefing today.
[01:34.070 --> 01:35.610] Actually, next slide.
[01:38.890 --> 01:44.090] It's been a long day, and this mission is time sensitive, so we'll be brief.
[01:44.190 --> 01:45.250] Next slide.
[01:46.390 --> 01:54.990] According to our intelligence reports, a person of significant interest, Dr. O, will be presenting at DOTCON 30 tomorrow.
[01:54.990 --> 02:05.330] The homecoming of the hacker, anarchist, and anti-corporate community, with journalists and intelligence organizations from across the globe in attendance.
[02:05.330 --> 02:16.250] We've been informed in the highly anticipated redacted talk, they will be releasing data that is of significant corporate interest.
[02:16.990 --> 02:21.310] We need that information before it is released.
[02:21.570 --> 02:25.790] It could be an existential threat to our organization.
[02:27.130 --> 02:39.530] We have identified that Dr. O will be staying at the Plaza Hotel, and your mission is to retrieve a copy of the data, the encryption key for that data, and place a bug inside their laptop.
[02:39.530 --> 02:43.250] So, well, we can continue to keep an eye on things.
[02:43.670 --> 02:52.050] Of importance, we understand that Dr. O has deployed tamper-evident seals and techniques protecting these targets.
[02:52.770 --> 03:03.230] They also have a dead man's switch on their person that will release that information immediately to potentially hostile parties should our tampering be discovered.
[03:04.730 --> 03:09.950] It is very important that our actions are not discovered.
[03:10.110 --> 03:11.450] Next slide, please.
[03:13.030 --> 03:17.190] But how, you might ask. Well, that's a pretty good question.
[03:17.190 --> 03:28.770] We believe that Dr. O will be leaving for dinner with a few friends later this evening, and will be attending a few of those sponsored parties that are so famously known for.
[03:29.210 --> 03:32.110] That would be our opportunity to act.
[03:34.720 --> 03:39.260] We've prepared for you to enter as the housekeeping staff at the Plaza Hotel.
[03:40.240 --> 03:43.360] We believe that... next slide, please.
[03:44.740 --> 03:45.360] Um...
[03:46.760 --> 03:51.100] We believe that Dr. O will leave the target items in their room.
[03:51.340 --> 03:54.640] You have a few hours to act before they return.
[03:55.000 --> 03:56.440] Next slide.
[04:00.950 --> 04:02.970] You have three objectives.
[04:03.050 --> 04:09.510] All these objectives must be accomplished without any signs of tampering, or signs that these items have been disturbed.
[04:09.790 --> 04:14.490] Don't worry about it being forensically clean.
[04:14.490 --> 04:19.930] We just need to make sure that Dr. O doesn't notice it before their presentation tomorrow.
[04:20.950 --> 04:23.290] The objective is from left to right.
[04:23.630 --> 04:24.870] Objective Alpha.
[04:25.130 --> 04:28.530] Retrieve a copy of the encryption key in a sealed envelope.
[04:28.610 --> 04:33.290] There should be a folded paper with the encryption key written on it.
[04:33.710 --> 04:39.250] Simply take a photo of that key and return the target to its original state.
[04:39.570 --> 04:40.470] Next.
[04:40.850 --> 04:42.350] Objective Bravo.
[04:42.350 --> 04:49.750] Retrieve a copy of the data from the encrypted USB that would be sealed inside the tamper-evident bag.
[04:50.670 --> 04:52.350] Objective Charlie.
[04:52.550 --> 04:57.070] Plant a signal intercept spot in Dr. O's laptop.
[04:58.030 --> 04:59.850] Dr. O's previous actions.
[04:59.850 --> 05:10.290] We know that Dr. O will take precautions by using glitter nail polish directly on their laptop to protect it against tampering.
[05:10.510 --> 05:11.710] Next slide.
[05:13.730 --> 05:15.370] We understand that the objective...
[05:16.050 --> 05:18.370] Sorry, one slide back.
[05:18.790 --> 05:20.030] Thank you.
[05:23.930 --> 05:25.490] Previous slide.
[05:28.540 --> 05:29.500] Yay.
[05:30.040 --> 05:30.880] Awesome.
[05:30.880 --> 05:33.840] We understand that Objective Charlie can be most challenging.
[05:33.840 --> 05:39.460] Some say it is mission impossible as it is widely believed that there are no known bypasses.
[05:39.780 --> 05:40.720] Next slide.
[05:44.080 --> 05:45.540] Not quite.
[05:45.540 --> 05:55.100] We have had expertise since 2018 and we'll be reading you in on the TTPs with this mission briefing to ensure your success.
[05:55.100 --> 06:03.220] As always, all this is strictly classified and protected by confidentiality agreement with us during your employment contract.
[06:03.500 --> 06:05.760] Let us first start with the basics.
[06:09.370 --> 06:17.490] Keep in mind that we are only interested in bypassing the seals in a way that will not be detected by casual human visual inspection.
[06:21.880 --> 06:24.320] There are three common attacks...
[06:26.590 --> 06:29.710] attack types to bypass the tamper-evident seals.
[06:29.810 --> 06:33.350] Chemical, physical, and temperature attacks.
[06:36.000 --> 06:37.740] Next slide, please.
[06:41.280 --> 06:42.840] Next slide.
[06:45.350 --> 06:47.670] Yeah, okay, cool. Thank you.
[06:47.890 --> 06:51.770] We'll dig deeper into the common attacks as we talk about your loadout.
[06:51.770 --> 06:58.410] Upon arrival at the Plaza Hotel, an asset will provide you with a cleaner's cart and appropriate uniform.
[06:59.070 --> 07:02.550] But due to the constrained timelines, you'll have to improvise.
[07:02.550 --> 07:04.630] You need to pick up some tools yourself.
[07:04.630 --> 07:08.130] You'll be able to source these from your garage or your local pharmacy.
[07:08.130 --> 07:09.110] Next slide.
[07:12.360 --> 07:13.840] Chemical attacks.
[07:14.020 --> 07:20.960] Most of this would involve the use of solvents to attack the glue or the binding agent or the material itself.
[07:20.960 --> 07:26.340] Using these, you could, for example, undo glued wristbands without damaging the paper
[07:26.340 --> 07:27.980] it is binding together.
[07:28.480 --> 07:36.300] For this mission, we recommend that you prepare at least acetone and methylated spirits with other solvents and reagents as available.
[07:44.350 --> 07:45.550] Physical attacks.
[07:45.550 --> 07:53.050] The use of physical force to manipulate or attack the binding or container or glue and glue to put things together.
[07:53.050 --> 08:01.510] An example is to use a knife to pry things open or to cut the seals away from a container and then to be joined back together with superglue.
[08:01.570 --> 08:07.090] For this mission, we anticipate that you'll need your standard-issue multi-tool and superglue.
[08:07.270 --> 08:08.450] Next slide.
[08:11.610 --> 08:13.210] Temperature attacks.
[08:13.890 --> 08:22.430] Taking advantage of how materials behave, we can use either heat or cold to manipulate the seal or the container to our advantage.
[08:22.430 --> 08:29.450] An example is to use cold to cleanly shatter or break a seal by taking advantage of the different rates of contraction.
[08:31.750 --> 08:35.090] For this mission, you'll need a cigarette lighter with you.
[08:36.470 --> 08:37.570] Next slide.
[08:42.530 --> 09:01.910] Other useful tools you'll need to facilitate your attacks include needles, specifically insulin needles if you can acquire them, a good electronics toolkit to help you undo those pesky security screws, and clear nail polish for Objective Charlie.
[09:03.610 --> 09:06.470] Did we lose the slide deck?
[09:11.240 --> 09:15.060] Yes, we did lose the slide deck. One moment, please.
[09:15.680 --> 09:18.480] They're working on it right now. Give them a second.
[09:36.170 --> 09:42.470] And it looks like we are back. Alrighty, so let's continue the briefing.
[09:43.970 --> 09:54.570] All right. As I was saying, you'll need a good electronics toolkit to undo those pesky security screws and clear nail polish for Objective Charlie.
[09:55.490 --> 09:57.310] Next slide, please.
[09:58.810 --> 10:03.830] So let's just jump right into preparations for your mission.
[10:03.910 --> 10:15.170] For Objective Alpha, to retrieve the encryption key, how would you retrieve the code within this without any obvious signs of tampering?
[10:17.490 --> 10:24.330] Audience, anyone wants to give it a shot? Thoughts? Feel free to just yell out.
[10:27.650 --> 10:28.550] Sorry?
[10:29.710 --> 10:30.910] Steam.
[10:31.710 --> 10:35.950] I can barely hear anyone. I can see you.
[10:36.150 --> 10:37.150] Steam.
[10:37.930 --> 10:39.130] Steam?
[10:41.650 --> 10:43.350] Yeah, they're saying steam.
[10:43.950 --> 10:47.110] Yep, that's one way. Anyone else?
[10:47.730 --> 10:52.070] You could try shining a light through it and see if you can read it without opening it.
[10:53.050 --> 11:05.210] That's a very good attempt. Let's just say for the purposes of this scenario, it's using really thick stock paper.
[11:05.510 --> 11:12.910] Say, you know, 200 grams stock paper that you can't read through. So yeah, how else?
[11:13.050 --> 11:20.930] Just a bit of note with regards to steam. Steam can stain the paper and can leave water residue marks.
[11:20.930 --> 11:25.050] So you'd want to avoid using steam in this situation.
[11:26.310 --> 11:31.130] You could apply heat to the adhesive and see if it comes open.
[11:31.850 --> 11:34.730] Sorry, I could barely hear that.
[11:35.710 --> 11:37.890] Apply heat to the adhesive.
[11:39.570 --> 11:48.630] Yeah, you could try that, but that would probably mark the paper as it would turn brown with heat.
[11:49.870 --> 11:54.340] Could you slice one end open?
[11:54.400 --> 11:55.740] Sorry?
[11:57.740 --> 12:02.300] Could you slice one side open and then seal it back up?
[12:02.880 --> 12:13.300] Yes, that is definitely possible. And that's a relatively good approach, as long as the sealing back up is not obvious.
[12:13.300 --> 12:16.300] All right, let's just...
[12:17.940 --> 12:25.300] So one of the things that you could do is to, well, if there is a bit of a gap, you could just try to get the paper out.
[12:26.420 --> 12:32.600] Or otherwise use a liberal amount of methylated spirits or any of the solvents to get the glue soft.
[12:32.600 --> 12:38.640] And it should just fold right open with no visible residue.
[12:38.640 --> 12:51.140] Because it is... methylated spirits evaporate, it leaves behind no visible signs of tampering.
[12:51.140 --> 12:54.780] I think the slides died again.
[12:56.620 --> 12:58.260] And... boom.
[12:59.200 --> 13:01.050] Yes, cool.
[13:01.680 --> 13:04.400] Yeah, so... and open.
[13:04.580 --> 13:07.180] Can we just stay? Yeah, cool.
[13:07.820 --> 13:13.900] It softens up the glue, allowing you to open it with no visible residue.
[13:13.900 --> 13:16.640] Now, next slide.
[13:18.930 --> 13:20.290] Thank you.
[13:21.930 --> 13:23.750] For Objective Bravo.
[13:26.150 --> 13:29.310] Retrieve the USB from the tamper-evident pack.
[13:29.310 --> 13:33.970] How would you retrieve the USB without any signs of tampering?
[13:39.990 --> 13:41.390] Okay, cool.
[13:42.770 --> 13:45.150] Am I coming through okay?
[13:49.540 --> 13:52.260] No? Slides down?
[13:52.500 --> 13:53.580] Slides down?
[13:53.920 --> 13:55.300] Slides working.
[13:55.820 --> 13:57.800] We can see them.
[13:59.200 --> 13:59.960] What's...
[14:00.720 --> 14:04.780] We can see the slides, but your audio is cutting in and out.
[14:05.380 --> 14:10.900] Oh, okay. Let me just try the audio thing again. Sorry about that.
[14:27.370 --> 14:29.150] Audio works now?
[14:29.610 --> 14:30.810] Yes? No?
[14:31.010 --> 14:33.230] Better? Okay.
[14:33.730 --> 14:37.950] Joy, better software on better software. Fun.
[14:39.650 --> 14:42.190] Okay, so let's go to this.
[14:42.190 --> 14:46.650] Since we have kind of like revealed the slide.
[14:47.470 --> 14:49.750] So how would we do this?
[14:50.410 --> 14:53.790] If we go to the next slide. Yeah, the slide.
[14:53.950 --> 15:01.250] So we could use solvents to soften the glue like the previous objective.
[15:01.250 --> 15:05.610] However, with the tamper-evident bags,
[15:05.610 --> 15:13.370] it is sometimes a hit or miss whether the solvent will dissolve the ink itself on the seal,
[15:13.370 --> 15:16.650] thus revealing that the bag has been tampered with.
[15:17.310 --> 15:21.150] So a safer approach is to carefully slice the sides of the bag
[15:21.150 --> 15:28.910] and use a heated blade to reseal the bag once the drive has been removed, copied, and replaced it back in.
[15:31.980 --> 15:33.360] Next slide, please.
[15:38.200 --> 15:41.000] It's the one with the glitter nail polish.
[15:41.600 --> 15:43.160] Next slide.
[15:43.580 --> 15:45.700] Am I cutting out again?
[15:46.880 --> 15:48.680] No, we can hear you.
[15:48.680 --> 15:50.000] Okay, cool.
[15:51.000 --> 15:52.180] Okay.
[15:52.180 --> 15:53.460] Sorry.
[15:53.520 --> 16:01.960] Could we go to the slide with the glitter nail polish slide 19?
[16:01.960 --> 16:03.420] Where are we at?
[16:03.420 --> 16:05.420] Good job.
[16:05.780 --> 16:06.720] How much?
[16:07.100 --> 16:09.100] Good job.
[16:10.580 --> 16:11.380] Yeah.
[16:20.550 --> 16:21.870] Slide 19.
[16:29.890 --> 16:32.970] Let me see if I can get the edge plug in.
[16:34.270 --> 16:36.770] Yep, not a problem.
[16:36.770 --> 16:39.250] Looks like we are having technical difficulties.
[16:39.370 --> 16:42.330] Hopefully your machine will be a bit smoother than this.
[16:43.010 --> 16:44.370] Technology.
[16:44.730 --> 16:47.290] You need to save your documents.
[16:47.570 --> 16:49.410] Here we go.
[16:50.110 --> 16:53.270] Did everybody pray to the demo gods today?
[16:56.690 --> 16:58.330] Let's start.
[16:58.890 --> 17:00.470] Oh, there you go.
[17:00.630 --> 17:02.770] Fantastic. Looks like we are back.
[17:02.770 --> 17:11.950] So, continuing with Objective Charlie, it takes a bit more effort than our previous objectives to complete.
[17:12.490 --> 17:18.150] But removing glitter nail polish directly on the screw is certainly something possible after this briefing.
[17:18.650 --> 17:20.150] Next slide, please.
[17:22.750 --> 17:28.550] We'll need to put together all our previous techniques to successfully accomplish this objective.
[17:28.550 --> 17:30.530] So, how do we do it?
[17:30.530 --> 17:31.590] Next slide.
[17:35.560 --> 17:37.980] This is on the right track.
[17:38.120 --> 17:43.220] We'll take advantage of any of these weaknesses as available to make our task easier.
[17:43.400 --> 17:44.380] Next slide.
[17:47.540 --> 17:49.960] Alright, let's jump right into it.
[17:49.960 --> 17:53.220] First, start by carefully observing the nail polish.
[17:53.220 --> 17:54.400] Next slide.
[17:58.180 --> 18:00.280] So, what is the challenge here?
[18:00.320 --> 18:06.160] Well, it is that the nail polish strongly binds to the screw and the laptop.
[18:06.820 --> 18:15.320] It is believed that the only way to remove the glitter nail polish is to remove all the nail polish and replace it with a new coat.
[18:15.320 --> 18:24.420] The glitter's arrangement makes it practically impossible to replicate, thus observable that it has been tampered with.
[18:24.420 --> 18:29.180] Well, what if that assumption isn't quite true?
[18:30.160 --> 18:31.620] Next slide, please.
[18:34.340 --> 18:40.120] The goal here is that Dr. O does not notice their laptop has been tampered with.
[18:40.120 --> 18:47.840] That means, by casual visual inspection, they should not notice any damage to the seals.
[18:48.240 --> 18:55.760] However, as an additional precaution, the glitter pattern should also match any photographs they would have taken of it.
[18:55.980 --> 18:57.600] Next slide, please.
[18:59.520 --> 19:01.420] So, the hack here.
[19:01.940 --> 19:07.300] The nail polish applied would have some height to it, no matter how thin.
[19:07.300 --> 19:15.320] The top half, shown in red on the diagram, is more visible, thus more important.
[19:15.760 --> 19:26.760] The bottom half, shown in green, is less visible, thus some damage can be done to this layer without it being visible upon inspection.
[19:27.460 --> 19:36.280] So, taking advantage of this, our attack will be on the bottom layer, preserving the top so that it is visually untouched.
[19:37.000 --> 19:38.760] Next slide, please.
[19:42.600 --> 19:45.900] With that, let's jump into the process.
[19:45.960 --> 19:49.600] Step one, well, start by taking pictures of the seal.
[19:50.040 --> 19:58.280] This will be your references, and crucial for ensuring you are able to put the seal back together in a visually similar manner.
[19:58.440 --> 20:04.620] Get close. The clearer your pictures, the easier it is to work with later.
[20:04.620 --> 20:07.540] But also keep track which picture belongs to which screw.
[20:07.540 --> 20:08.980] Next slide.
[20:12.220 --> 20:15.740] Next, start by picking a single screw to work on.
[20:15.980 --> 20:21.640] Then, as targeted as possible, heat up the surface of the laptop near the nail polish.
[20:21.640 --> 20:27.540] The different rates of material expansion should help slightly peel off the edge of the nail polish block.
[20:28.060 --> 20:35.500] If you can find some leverage around the nail polish, without damaging it, you may not need this step.
[20:35.500 --> 20:45.800] Remember, take it slow and careful, and be very careful with it as you do not want to damage the nail polish coat, especially the thinner outer edges.
[20:48.020 --> 20:51.500] Using the sharpest knife or blade that you have...
[20:53.020 --> 20:54.380] Next slide.
[20:56.740 --> 20:57.960] Thank you.
[20:57.960 --> 21:03.420] Using the sharpest knife or blade that you have, attempt to slowly lift a thin portion of the film up.
[21:03.420 --> 21:04.980] While doing that...
[21:04.980 --> 21:05.880] Next slide.
[21:12.100 --> 21:13.760] Next slide, please.
[21:19.090 --> 21:20.570] Slide 29, please.
[21:20.570 --> 21:22.230] Yeah, cool. Thank you.
[21:23.030 --> 21:32.510] Add tiny bits of acetone, using an insulin syringe, to the edge where your blade meets the nail polish, to help dissolve a thin layer of the nail polish.
[21:32.770 --> 21:37.990] Caution, do not add too much, as it may take away more nail polish than you want.
[21:38.510 --> 21:39.790] Next slide.
[21:41.370 --> 21:49.850] Well, repeat steps 2 to 4, a tiny gentle bit at a time, until you get the whole top off.
[21:50.370 --> 21:53.990] Patience and being delicate is important, do not rush it.
[21:54.330 --> 21:57.830] Don't worry about the nail polish in the screw itself.
[21:57.990 --> 22:03.810] Go ahead and use acetone to clear off enough so that you can get a screwdriver in there to remove the screw.
[22:04.030 --> 22:07.830] Now, repeat this for all the screws.
[22:07.830 --> 22:13.490] This process may take a while. It took about 30 minutes per screw.
[22:15.550 --> 22:17.030] The last I did this.
[22:17.250 --> 22:18.590] Next slide, please.
[22:20.130 --> 22:22.830] Plant the bug anywhere near the CPU would be fine.
[22:22.830 --> 22:28.670] Remember to secure it down. A dab of super glue or clear nail polish to hold it down will do nicely.
[22:28.830 --> 22:36.970] Now, put it all back together, screw in all the screws, and then we move on to putting back the glitter nail polish on top.
[22:36.970 --> 22:38.610] Capping off the screws.
[22:39.250 --> 22:40.190] Next slide.
[22:42.790 --> 22:53.250] To begin our reassembly process, begin by placing a very thin layer of clear nail polish on the screw itself.
[22:53.330 --> 22:59.310] Remember to fill the gaps on the head of the screw so that it is a nice flat surface.
[23:01.150 --> 23:10.670] Be careful not to use too much or to cover more space than the initial nail polish originally did.
[23:11.550 --> 23:17.890] You might find the use of a toothpick or syringe helpful to control the amount of clear nail polish that you use.
[23:17.890 --> 23:18.930] Next slide.
[23:22.130 --> 23:30.210] Using the photo reference that you have taken, carefully align and place the original glitter nail polish film back onto the screw.
[23:31.250 --> 23:33.110] A steady hand is important here.
[23:33.610 --> 23:37.990] Take the time to carefully align it back to as it was.
[23:37.990 --> 23:44.970] Be careful that there is no excess clear nail polish that overflows the original blob's boundary.
[23:45.290 --> 23:53.810] One tip, as long as you match your reference photo and the film does not detach from casual handling, it will likely be in the clear.
[23:55.190 --> 24:03.790] Dr. O and most would have taken photos or more likely just observed it if there is damage done to the seal.
[24:03.930 --> 24:12.870] When we first accomplished this in 2018, there was the use of a computer vision software matching against a reference image that we had to bypass.
[24:12.870 --> 24:20.230] But we do not expect Dr. O to have such technology at their disposal and would likely just simply inspect them visually.
[24:21.790 --> 24:28.290] Do this to all the seals that you have removed and with some practice, this could be done quite quickly.
[24:28.350 --> 24:29.430] Next slide please.
[24:31.290 --> 24:38.850] Well, congratulations. Now, get out of there and get back to safety.
[24:38.850 --> 24:45.210] That's it for the mission briefing. Mission commences at 0200 Zulu. Godspeed.
[24:45.230 --> 24:46.410] Next slide.
[24:53.130 --> 24:54.370] Next slide.
[24:55.390 --> 25:03.390] Some special thanks and congratulations to the various giants that have made this possible.
[25:03.750 --> 25:05.130] Next slide.
[25:07.310 --> 25:13.870] For the DEF CON 19 seminal talk that helped form the foundations of my knowledge. Next slide.
[25:14.650 --> 25:24.070] To the awesome kids, Moss and Boo, for being such great sports and sharing their knowledge to get me started and for writing heaps about tamper-evident bypasses.
[25:24.370 --> 25:25.330] Next slide.
[25:26.410 --> 25:30.630] And the seminal talk that introduced the glitter nail polish approach.
[25:31.790 --> 25:36.710] The CCC talk that introduced the glitter nail polish approach. Next slide.
[25:37.050 --> 25:44.790] And many, many others, including DCG VR for the opportunity to speak and many others.
[25:46.330 --> 25:48.090] Next slide.
[25:48.210 --> 25:52.310] And thank you for listening to this short story.
[25:54.780 --> 25:55.960] Questions?
[25:56.600 --> 25:58.640] Hopefully I can hear you.
[26:07.840 --> 26:11.640] Sorry, where did that voice come from?
[26:11.800 --> 26:13.200] Hi.
[26:21.380 --> 26:30.260] So, with the amount that you use, it's almost not perceptible.
[26:30.560 --> 26:35.320] Because at the end of the day, you're just using a small little drip of it.
[26:35.320 --> 26:37.100] So, yeah.
[26:37.240 --> 26:39.200] I mean, the other thing is...
[26:40.580 --> 26:42.100] Who sniffs it?
[26:46.780 --> 26:48.760] So, yeah, there's that.
[26:50.100 --> 26:56.880] So, practically, you just look at it and you go, hey, looks fine. It's all right.
[26:57.340 --> 26:59.660] And then just move on.
[27:03.870 --> 27:05.250] Quick question.
[27:06.950 --> 27:08.930] How reproducible is this?
[27:08.930 --> 27:11.130] Like, what are the chances of success if it needs to be done?
[27:11.130 --> 27:14.390] If the threat actors attempted to do this on a regular basis.
[27:14.390 --> 27:15.690] You know.
[27:19.130 --> 27:21.270] Reproducible enough.
[27:21.430 --> 27:24.210] So, yeah.
[27:24.210 --> 27:26.450] It's reproducible enough.
[27:26.450 --> 27:28.410] With enough practice.
[27:28.410 --> 27:37.730] I initially didn't plan to do this talk because I just thought it was, well, meh.
[27:40.510 --> 27:43.490] And it was kind of like a known thing.
[27:43.490 --> 27:46.770] So, yeah. Reproducible enough, I guess.
[27:47.230 --> 27:54.690] I just didn't have the time to create off tiny bits at a time in a live demo.
[27:54.710 --> 27:55.350] But, yeah.
[27:55.350 --> 27:56.510] Oh, sure, sure.
[27:56.670 --> 28:02.750] So, I guess my question is, you know, if you had a hundred laptops in a row, right?
[28:02.750 --> 28:05.590] How many of them would notice tampering by the time you were done?
[28:05.590 --> 28:10.690] The chances of you screwing it up or maybe it should be snatched in half or something like that?
[28:10.690 --> 28:15.630] I mean, like, you wouldn't do this on a bulk surveillance scale.
[28:15.710 --> 28:19.590] You'd probably be, you know, an evil maid attack.
[28:19.590 --> 28:25.210] And that's why the context of this story, I put it within that context of an evil maid attack.
[28:25.210 --> 28:30.870] Because it takes way too long to do this from a bulk surveillance perspective.
[28:31.570 --> 28:37.850] I mean, you could hire a whole bunch of people, but, you know, that's also a very big logistical operation.
[28:38.850 --> 28:44.010] So, this is more of a targeted clandestine operation type attack?
[28:44.490 --> 28:47.030] Yeah, that would be my take on it.
[28:47.090 --> 29:01.090] Now, what's interesting is, until this presentation, I had not heard of any valid, confirmed valid attack on the glitter nail polish methodology.
[29:01.090 --> 29:05.550] I'd heard rumors, but I hadn't actually heard of an actual successful attack.
[29:05.550 --> 29:11.910] So, ladies and gentlemen, you've just witnessed a zero day. Congratulations.
[29:16.720 --> 29:18.800] I guess we drink.
[29:21.580 --> 29:26.080] So, I guess the tradition of dropping 0-days at DEF CON lives on.
[29:29.120 --> 29:34.700] And even at the virtual DEF CON, we have them. So, that's excellent.
[29:35.480 --> 29:37.040] Yeah, from across the globe.
[29:37.040 --> 29:40.780] Questions? Yeah, from Melbourne.
[29:41.380 --> 29:43.260] I'm getting better at pronouncing that.
[29:43.340 --> 29:45.180] Are there any more questions for our speakers?
[29:47.800 --> 29:49.540] No? All righty, then.
[29:49.920 --> 29:52.720] Not really a question, just a comment.
[29:52.760 --> 30:03.400] It's interesting. I've never really heard of the nail polish approach until about, I want to say, a week or two ago, when one of my buddies or another security group was giving a talk about it.
[30:03.400 --> 30:07.840] So, it was really interesting to see a bypass for this approach.
[30:07.840 --> 30:09.240] So, thank you for that.
[30:09.620 --> 30:23.640] Yeah, I mean, to be honest, it appeared on Hacker News and stuff that the attack is still viable.
[30:23.640 --> 30:31.940] And I'm like, yeah, okay, we should probably do a talk about it, since it's not known that there is an actual attack for it.
[30:31.940 --> 30:34.220] So, here we are.
[30:36.570 --> 30:44.410] I actually just recently found out about the whole nail polish method through a Lifehacker article.
[30:44.850 --> 30:46.150] Just now.
[30:46.630 --> 30:47.630] Yeah.
[30:47.850 --> 30:48.830] Anyway.
[30:48.830 --> 30:53.290] And it's crazy how all this happens.
[30:54.710 --> 30:55.670] Yeah.
[30:55.670 --> 30:59.910] And also, full disclaimer, this is fictional.
[31:01.470 --> 31:03.730] This is a fictional story.
[31:03.870 --> 31:08.730] Yeah, fictional story, but the hack is actually real, so that's kind of cool.
[31:09.550 --> 31:10.190] Yeah.
[31:10.190 --> 31:10.970] All righty.
[31:10.970 --> 31:15.550] I will give back the microphones to the MC.
[31:15.550 --> 31:16.710] Here, X-Ray.
[31:16.790 --> 31:18.850] Thank you, HoodiePony.
[31:18.850 --> 31:21.050] We appreciate your presentation.
[31:21.050 --> 31:26.030] I really wanted to see this one when I saw the write-up submitted.
[31:26.030 --> 31:28.810] This is on my hot list of seeing.
[31:28.810 --> 31:32.290] Our next speaker is going to be here in about 30 minutes.
[31:32.290 --> 31:34.230] It was supposed to be Shelter.
[31:34.590 --> 31:36.330] He's disappeared.
[31:36.330 --> 31:37.230] We haven't heard from him.
[31:37.230 --> 31:38.910] So, we don't know.
[31:38.950 --> 31:44.130] As far as I know, unless he shows up at the last minute, he's not going to be speaking.
[31:44.130 --> 31:46.330] Our next presenter will be SidePocket.
[31:46.770 --> 31:50.450] So, that's looking good so far.
[31:50.650 --> 31:52.470] So, take a break.
[31:52.470 --> 31:54.250] Come back in about 30 minutes.