1057 - RICK ASTLEY
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 109 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/36325 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 2398 / 109
12
19
20
23
24
29
32
33
36
51
58
60
62
66
67
68
69
70
71
77
82
84
85
88
89
92
98
99
103
104
107
00:00
CryptographyComputer hardwareRow (database)Suite (music)Right angleTouch typingDerivation (linguistics)Term (mathematics)DemosceneBinary codeComputer animation
00:53
Slide ruleNoise (electronics)TrailAreaRSA (algorithm)Presentation of a groupType theoryReading (process)Electric generatorRow (database)Computer file
03:20
VotingSlide ruleReal numberRight angleMultilateration
03:57
FreewareForm (programming)Euler anglesRegulärer Ausdruck <Textverarbeitung>Speech synthesisExistential quantificationMultiplication signMaizeRight angleCryptographySlide ruleDefault (computer science)Software bugLine (geometry)Type theoryPoint (geometry)Information securityRow (database)DemosceneWordNoise (electronics)BitPresentation of a groupHacker (term)Form (programming)
08:12
Hacker (term)CuboidMultiplication sign2 (number)DistanceCryptographyPresentation of a groupLine (geometry)MereologyDot productReal numberTerm (mathematics)Connected spaceTraffic reportingPhysical systemLimit (category theory)Computer animation
10:07
Observational studyBit rateImage resolutionConstraint (mathematics)Observational studyCuboidStudent's t-testRow (database)Multiplication signElectric generatorRight angle1 (number)SpacetimeUniverse (mathematics)Order (biology)Moment (mathematics)InternetworkingHacker (term)Process (computing)Physical systemComputer animation
13:13
Mathematical analysisIntelProcess (computing)Data acquisitionVirtual memoryHill differential equationTerm (mathematics)Abstraction1 (number)Different (Kate Ryan album)Arithmetic meanLevel (video gaming)Formal languageThumbnailCodeCodeObject (grammar)AreaPoint (geometry)Student's t-testBitVideo gameJava appletElectronic mailing listMedical imagingCoprocessorMoment (mathematics)NeuroinformatikSpacetimeDirection (geometry)WordProof theoryComputer hardwareMultiplication signWritingLipschitz-StetigkeitInformationLogic gateComputer programmingComputer fileTelecommunicationGroup actionBlack boxType theoryData conversionRight angleOperator (mathematics)Entire functionData dictionarySystem identificationCloningKeyboard shortcutHacker (term)Bell and HowellCuboidRandomizationFactory (trading post)Process (computing)Fundamental theorem of algebraFunctional (mathematics)Solid geometryVirtual memorySlide ruleDiallyl disulfideProper mapComputer animation
22:10
Witt algebraNP-hardVirtual memoryBitObservational studyTelecommunicationFormal languageLatin squareForm (programming)AreaPhysicalismRootMathematicsCompilerMeeting/InterviewSource code
22:59
Control flowSlide ruleVirtualizationEvolutePoint (geometry)Hacker (term)Software testingData centerPoint cloudExploit (computer security)InformationComplete metric spaceCoprocessorReading (process)Physical systemAuthorizationShift operatorComputer programmingBitPower (physics)SoftwareMultiplication signRight angleProper mapComputer animation
25:37
DemosceneData miningNeuroinformatikAreaInformation securityMultiplication signHacker (term)Interactive television
26:30
ComputerBinary fileCountingMach's principleHexagonCodeCryptographyFundamental theorem of algebraAbstract state machinesDirect numerical simulationComputer networkSource codeVirtualizationLine (geometry)Electronic mailing listRoutingData conversionCopyright infringementCountingBinary codeHacker (term)HexagonDigitizingCryptosystemMultiplication signPhysical systemTangentNumberRepresentation (politics)Visualization (computer graphics)SpacetimeSemiconductor memoryGroup actionMathematicsInformation securityLevel (video gaming)Backdoor (computing)Right angleFuzzy logicFreewareVirtualizationSeries (mathematics)Type theoryArithmetic meanTerm (mathematics)HookingInformationRootLie groupBitRadiusCuboid
31:10
CryptographyFundamental theorem of algebraAbstract state machinesDirect numerical simulationVirtualizationSource codeLine (geometry)Control flowGreen's functionDigitizingKey (cryptography)Greatest elementInformation privacyRight angleHacker (term)Field (computer science)PlastikkarteMereologyMaxima and minimaElectronic mailing listReal numberWindowConnectivity (graph theory)Graph (mathematics)Video gameSlide ruleFreewareScripting languageFigurate numberStudent's t-testMultiplication signPoint (geometry)Computer hardwareSampling (statistics)State of matterWebsiteHoaxAddress spaceSocial engineering (security)Execution unitLibrary catalogCore dump1 (number)ThumbnailBusiness modelGeneric programmingImage registrationPay televisionSpacetimeBitFinitismusPhysical systemDrill commandsDressing (medical)Proof theoryType theoryParameter (computer programming)Observational studyCellular automatonForest
38:22
Chemical equationTranslation memoryInstallation artMereologyPlastikkarte
38:57
Hacker (term)HypermediaPlastikkarteHacker (term)Structural loadInstallation artLie groupWeb pageHypermediaMiniDiscSine
41:11
TouchscreenSign (mathematics)Image resolutionTwitterFreewareHand fanRow (database)Computer hardwareTelecommunicationMessage passingMultiplication signHacker (term)Point (geometry)Video gameCycle (graph theory)Spherical capExistential quantificationMetropolitan area network.NET FrameworkWebsiteDifferent (Kate Ryan album)Real numberCognition
Transcript: English(auto-generated)
00:00
So who am I? Who the hell am I? Who is this weird guy? So I am DefCon's official cryptographer and puzzle master. I created the hardware hacking village. I've been doing puzzles, mystery challenge, that kind of thing for many, many years. 1057 is a derivative of the term lost boy which
00:20
was boiled down to lost and then to 1057 which is in fact a palindrome in binary and consequently was the solution to the very first mystery challenge. So that's who I am. So this is my lovely wife who is up in the front row here. And the reason I put her on here is she is a very much behind the
00:40
scenes person. She is very much involved in the cryptography and art of DefCon as well but doesn't like any accolades. So I put her picture up there. And yes, that is a Dr. Who suit on the left and an Amy Pond cosplay on the right. So who the hell are you? I already had you raise your hands. First DefCon. How many of you have been wanting to come to DefCon and you finally say to hell with
01:01
this, I'm going to go to Las Vegas in the summertime with a bunch of sweaty people who don't shower and rub elbows with people in a hotel. I probably wouldn't have stayed out otherwise. I'm not a Vegas person myself. So for 101 which is what this is, the 101 track, it's generally for noobs, not necessarily to any particular subject area but to
01:23
DefCon. So this is not going to be a giant enlightening talk for those who are technically savvy. What this is generally when I give a presentation at 101, it's kind of my ranting from things that happen throughout the year. I often share what type of research I've been doing throughout the
01:41
year, how I come up with some of the craziness that I do with the puzzle challenges. How many of you have noticed by the way there's a few odd things about the record around your neck? Yeah? Okay. You can make noise by the way. I like it when you guys make noise. Thank you. And I was talking with somebody earlier about you can tell the generation of somebody by how they hold a record. Like this equals like
02:03
born circa 1980s and earlier. This equals born 90s and later with the way they hold the record. Oh, and by the way, those clips, we put the 3D printer file on the conference screen. You already have that. So if you wanted to print a clip to there. So the reason I put this slide on here is this,
02:25
for those of you, how many of you know who Matt Blaise is? Okay. If you're in this community and don't know who Matt Blaise is, look him up. He's one of my heroes. But anyway, he was in my hotel room the other night and we were having a discussion about when he was speaking, I think it was an RSA, he hates giving slides because he thinks
02:41
they distract from what the talk should be. So I don't want to insult everyone's intelligence and read slides. So these are general guidelines for me to guide me through talking with you guys. But I want this to be more of a discussion. I want you to yell stuff out. I want you to question things. I want you to ask questions. I want to talk about what you want to hear about. That's what 101 is for. So don't be
03:04
shy. My daughter says don't be shy. So a quick shout out to the Tribe 949303 APG and a couple others. I've got to give props where props are due. Everyone should do that. And disclaimers. What I won't do, I'm not going to sit up here
03:22
and read slides to you. I will not advocate criminal activity and there's an asterisk for a reason. You can determine what that good. You can probably figure out what that asterisk is for later. So how many of you noticed a certain folder on my desktop when I came in here? How many
03:41
of you want me to open that folder? For real. Let's take a vote. How many want to see that folder open that was on my desktop? What was the folder? All right. You asked for it. Remember, you asked for this. Oh. Oh. Dang. How many of
04:05
you noticed the weird ass name of this talk? How many of you are now going to take another look at the weird ass name of this talk? How many of you are going to now look at the weird ass name of this talk and read just the first letter of each word that's there? Now, I have a bit of a
04:20
confession. If you came to hear what that talk was, first of all, you're full of crap because this is a bullshit title that was made up. So get over yourself. We have too many people that are being pompous and arrogant in the security community. You need to get over yourself. Be approachable because we have to band together. I made a Wacenar comment earlier. How many of you know what Wacenar is when I talk about that? Okay. Every person
04:41
in this room should know what Wacenar is, especially if you're from the United States. Go look it up. So what? Look it up. Basically it's talking about legislating what types of security research are legal and not legal. So that's what I talk about, banding together. So the big joke, ha-ha, everyone came to DEF CON this year and now you all
05:01
have a record. I see what you did there. So back to the person who put 101 together is a hacker who calls himself high wiz. If you see him at the conference, shake his hand and thank him for putting this together. He started it a
05:22
while ago and it was always just a bunch of us giving like impromptu talks the Thursday before con actually officially starts because usually reg takes a lot longer. How many of you have been through the hellacious reg line? Not this year but in years past that took like hours and hours. How many of you have had a reg line that took longer than
05:40
four hours? Five hours? Six hours? Seven hours? So some people have had the reg line literally take seven hours in the past. So how was it this year? Good? So we added a whole bunch of reg folks and tried to create a giant mouse
06:01
trap maze for you guys to make the reg go smoother and I hope it did. Same thing with the swag, right? Swag was okay? Or was it awful? Tell the truth. Better than last year. So anyway, for those of you who are familiar with the contest and puzzles that I do, there are teams working already on the crypto challenge and some of the
06:22
people that come to DEF CON come solely to compete in those challenges and it takes up their entire con time. It takes me as much time as they invest, it takes me almost an entire year to put everything together that I do. So I'm always really busy. So when high wiz decided he was going to do DEF CON 101, he would always bug me for slides
06:42
and a talk title and I kept putting him off and putting him off because I was busy doing other stuff like crypto for the badge, for the lanyards and everything else. And so he would start making up talk titles. So that title of the talk for this time is also now kind of a tradition. High wiz came up with that and so that was high wiz kind of Rickrolling both me and you guys. So I'm the brunt of that
07:02
joke as well as you guys. So anyway, this is how many of you have seen Spinal Tap? Let me get the reference when I say we're going to have a free form jazz. Turn it up to 11. So there's a scene in Spinal Tap where they lose one of the guys and they go up and they're like what the hell are we
07:20
going to talk about? And so their default fall back is the jazz odyssey because you can kind of bullshit your way through that. That's kind of what this 101 talk is. No, I'm kidding. Not really. The point being I want to talk about what you guys want to talk about. That's why I'm encouraging you to make more noise and trying to loosen you up, especially if this is your first DEF CON. DEF CON is not
07:43
like other conferences you've been to. I would encourage you when you go to presentations if somebody is saying something that doesn't sound right to you, challenge the speaker. Challenge me. Love it. I love to have intellectual discussion. That's how we're going to get better with the stuff that we're doing. But that's the whole point of a conference like this. So don't go sit in and hear some guy
08:00
give what is basically a vendor speech. We try to make sure that that doesn't happen. Every now and then something slips through. But challenge people. If something's bullshit, raise your hand and say that is bullshit and call them on it. That's how we're going to get better. I've done it. How many of you have seen my 101 spiel before? Be honest. So I apologize for the parts that I'm going to repeat. And
08:22
there's a reason I'm repeating them, which I will talk about in a second. So one of my pet peeves is because of all of the puzzles and crypto and mysterious things that I do, I'm often accused of thinking outside the box. Most of the time when I talk to reporters and other people, they're like, oh, you're creative, so you think outside the box. It's one
08:40
of my greatest pet peeves right now that people bring up thinking outside the box because of where the term comes from. How many of you know where the term thinking outside the box comes from? It comes from this nine dot problem. You've all heard the nine dot problem. Connect all the dots. Don't lift your pen from the paper. Oh, and by the way, if this is not your cup of tea for this presentation, feel free
09:01
to leave. And I will not be offended for real. So like if you're like this guy's just going to get up here and rant, I will talk about some technical issues. But it is 101, so it is what it is. If you want to leave and go to somewhere else, go ahead, like some people just did. So the nine dot problem, you're often presented with connect all the dots, as few lines as possible, can't lift the pen from the
09:23
paper or you have a limit, et cetera, et cetera. And of course, everyone knows the standard solutions are you have to extend the lines past the distance of the mentally imposed box and the douchebag presenter who is usually some trainer guy like Tony Robbins or something will often come down
09:43
and act very self-aggrandizing like ha ha, I will now bestow upon you knowledge that will help you become magically creative. And especially with us being hackers who are trying to come up with interesting solutions to problems, people often think, oh, as a hacker, you have to think outside the box because you have to come up with some
10:02
creative method to solve a problem or abuse a system that somebody else hasn't thought of. And there's actually been a study, and by the way, there's another solution. So there's an unexamined assumption that basically says, all I have to do to make people solve that nine dot problem is tell them
10:20
that they are mentally constraining themselves by drawing within the constraints of that imaginary box. And there has actually been studies that have shown that that's not true. They have, there have been studies that have found that even with telling people ahead of time, you cannot, you have to draw outside of this imposed space in order to
10:40
solve this problem. The same percentage of people still could not solve that particular puzzle. And so the ones that could do it could do it anyway, and the ones that couldn't, it didn't help. The only thing that they found that helped was quote unquote study of the problem. Now the reason I bring this up is we've got a young generation, how many of you guys are in high school right now? Anyone?
11:02
How many of you are in college? College students. How many of you are fresh out of school that are here? How many of you are looking for jobs? No, I'm serious. It's a great place to get recruited. How many out there are looking to hire somebody? Wow. So let's do that one more time. How many looking for jobs? Raise your hands. The other people look
11:23
around. How many are looking to hire someone? Did everybody see that? Okay. Just trying to help. You're welcome. So the reason I bring that up is we have a generation of wannabe
11:42
hackers that don't want to do the intellectual work or exercise to get good in a problem space. They want it to come very easily. The aha epiphanal moments will come through not thinking outside the box, but through a deep fundamental knowledge of the problem space that you're
12:01
working in. Exposure, too. And the reason I bring that up is I used to teach at a university and I would have students that would come up and ask me questions. Does such and such work or how do I do such and such? And I would always ask them first, have you tried what you're asking me? Have you tested it? And I'm afraid that we're getting a generation of students coming out and hackers, whether
12:21
you've been in school or not, that don't tinker anymore. And look at the Wacinar thing. We're going to make things illegal so you can't study those things. And we're going to put constraints on people that if you do the stuff that I used to do as a kid, exploring all these different systems, you're going to go to jail. You're going to get arrested. You're going to get a record. You're not going to be able to get a job. And so we're terrifying this
12:43
younger generation to where they're not tinkering anymore. So we have to break that or we're not going to have those epiphanal moments or the genius breakthrough things that are going to help us move forward and make the world better. And I have a brand-new baby daughter who is in the front row right now who I want to have a better world and
13:02
I want her to have a safe and free internet. I want her to be able to do and explore like I used to and not go to jail for it and not get a record for it. But anyway, that's my soapbox for that. Thoughts? Bullshit? Would you agree with me? You argue with me? Yeah. That's a very
13:28
good point. And the puzzles that I make, by the way, you'll see the word mystery used a lot in the stuff that I do. I have to Google proof everything that I do because what's going to happen the first time somebody gets a piece of information for something that I'm doing, they're going to throw it in
13:41
Google whether it's image search now or text or whatever and I have to insulate my stuff against that. But you are correct. That goes back to the instant gratification and getting that knowledge means you don't do that leg work that gives you that base foundation that gives you the ability to have these great breakthroughs so you can say aha and invent the next great thing. I agree completely. When I did the very first
14:09
mystery challenge, I was afraid there is no more magic in the world. And literally magic like Sigfried and Roy or Penn and Teller because as a kid when I would see magic tricks, I used to enjoy trying to figure out how they were done. Now a kid sees a magic trick, he goes to
14:22
Google. And I guarantee you there's either a subreddit or somebody who has exposed how a particular trick is done. And so the magic is ruined because they have instant gratification of a solution to thinking about that problem space. So that's why I do the stuff that I do. How many of you have looked at the code on your lanyard already? Yeah? So that code is
14:40
deliberately deceptive. It looks very simple and it looks like hey it might be this and it might even have a red herring path that will take you down that direction. But I will tell you it is not simple. I will also tell you that everything else that I do that you see in my puzzles and challenges require you to talk to other people. They require
15:00
you to have communication with others. Because if you look at where a lot of our great tech came from, it came from places like Bell Labs which doesn't exist anymore. How many of you know what I mean when I say Bell Labs? So because of the way the financial world works these days and corporations work, we don't have something great like Bell Labs. It's not like we used to because nobody wants to
15:22
foot the bill for it. So in places like Bell Labs you had a giant group of people that had a depth of knowledge in different subject areas but they all had direct access to each other very quickly. You have that because of Bell Labs. Now if we don't have a Bell Labs anymore where is the next great thing going to come? Take for example the way we
15:41
even teach students how to code these days. A lot of students, how many of you in here in Java was your first language? Raise your hand. Your first coding language. You don't even know what a freaking object is. How are you going to use a language that everything is an object? I
16:00
don't know. And then you have to think to yourself why do we start with Java? Because we're trying to spit out clones that can go work at some meat factory as far as coding is concerned to spit out code for some giant conglomeration and you're not going to get innovation that way. It's not going to happen. Talk to me. Talk to me. I don't know that I
16:48
agree conceptually but it's a good point and by the way I don't know if you were intentionally making fun of the thing. Everything I do is deliberate. I love the way
17:01
you're thinking. I would love to have a discussion with you about that. Go ahead. If I could interrupt on one point. Sure. Please do. I just came out of a school where Java was my first language that I was taught and a deep or he said that we have an intuitive understanding of objects. That
17:20
is bullshit. Yeah. That is bullshit. I grew up with computers since I was in elementary school. And I was doing random stuff. Deep understanding of objects. When I took Java in school coming out of high school I was with a group of people all about the same type of nerd as me. Our
17:42
minds were melted by what objects were when we had been scripting our entire high school career. And it took about five weeks of doing these labs and everything for us to finally have that epiphany, oh, objects. Even though we knew all the scripting languages. Thank you for that comment.
18:01
Sounds like we need to all get together and have a drink. Thank you for the comment by the way. I want to continue the conversation. I'm not kidding. And by the way people that say stuff like that and they're full of crap I really mean it. So I do have a room on the conference floor. Come over and talk to me. We have couches to sit down and just chill. Everybody turn and say hi to Russ. Russ is the guy in the black hat right here. So Russ is actually
18:25
in charge of DEF CON operations. So he's the one you can throw things at when things don't go right. That's probably not a good thing to ask me because of what my background is. I have mixed feelings. I would argue LISP or assembly.
18:52
So if you take for example a deep understanding, in fact I'm going to talk about that in a minute. Those of you who have been to my one-on-one talks you'll know. I do kind of a little list of skills that I think everyone that is
19:03
considering themselves a hacker, a basic list of reference skills that everyone should have. And you would be amazed at some people who are freaking elite coders in certain things that don't have a fundamental knowledge of certain things which the list is actually in a slide show which I'm going to put up. But in fact when I get to that point I'll explain to you why I think assembly is
19:21
important. It has to do with abstraction because ultimately what are you doing? You're communicating either with a compiler or with a piece of hardware processor. And if you don't understand what's going on under the hood you're not going to code in certain ways. And I believe that if you teach people how that engine actually works, maybe not to the nitty-gritty to where they're going to go be a designer or write in verilog or VHDL or something like that. But just fundamentally I have a
19:42
switch. I have an and, an or and a not gate. How do I make a freaking processor from that? How many people today go in and sit down at their computer and don't have that fundamental knowledge. Not at the deep level but just a general explanation like could you explain to a four-year-old or a five-year-old in general terms how that abstraction works. I have literally a wire and a cutter in
20:02
the back. And I can make that a not gate or turn it off, a switch. Because everyone goes oh, I know that computers use binary. They use ones and zeros. You've all heard people that say I must be very educated because I know computers use binary. And I go okay, what does that mean? And they don't understand fundamentally what it means.
20:21
They're just regurgitating. But anyway, back to what I was going to, and I like this. So at this point I was going to talk a little bit about the life of a DAT file as far as AV is concerned. Yay or nay? Thumbs up, thumbs down. Nay, I got no. And I comment. Just shout it out. Sure. And I can
21:21
also play devil's advocate and say because I have instant gratification to knowledge I'm going to learn quicker and grow faster. And to a point that is true. For example, but what you need to do is you need to learn to use the tool properly. And we as hackers need to learn to use those tools in such a way that still give the benefit of the deep knowledge and understanding but still take advantage of the fact that it's, for example, I study a lot of
21:42
foreign languages. Looking things up in a Chinese dictionary is more time consuming than me taking my finger and drawing it into a text box or using text identification. But I can still use the tool in a way that doesn't shortcut that process where I have just no understanding. It's just a black box function which goes back to the discussion of Java and
22:00
objects which is the whole point of object oriented programming in the first place is to abstract, right? Right. Anyway, so you guys don't want to hear about DAT files. That's full. So let's look past those. Basically I was going to talk about how DAT files are created. Sorry. Give you a little more. So I'll talk a little bit about what I was interested in. Ryan is really funny. So some of the things
22:27
I'm interested in, I'm interested in classifications of things in the language study. By the way, my personal technical philosophy is that all forms of tech are learning communication. Whether I'm learning to speak a language
22:40
to another person or speak to a processor or speak to a compiler and learning that syntax, I believe that mathematics is the language of science and physics. So I'm all about going to the root of whatever that subject area is and trying, like if you're going to learn the romance language, have some knowledge of Latin, for example. But anyway, we don't want to talk about that. So I'm pausing
23:03
just long enough for you to read the slides for those, for the few that were interested in hearing about how to break AV engines. So chip sec, how many of you know what movie this picture is from? What is it? Berry Gordy's last dragon. So in that movie he's trying to seek out this magical power
23:20
called the glow and it's kind of like Dorothy slippers. You've had it all the time, Dorothy. I have been preaching to the hacker community you all need to learn and play with a tool called chip sec and now I have surreptitiously given it to all of you because it is on the conference CD for DefCon this year. So you're welcome. I saved you the trouble of going to go download it. Go play with it. If
23:40
you don't know what it is, how many of you know what Metasploit is? Wow, a lot of you don't know what Metasploit is. So chip sec is basically a framework. And by the way, the authors of this are here at DefCon and everyone always asks me my opinion, who should I go hear talk? If you want to have your mind blown, go see Yuri's talk and I can't remember what the title of this talk is. Look through the
24:01
program, you'll find it. He's a genius. Complete genius. He's genius. Go read about what that is. The reason I bring this up is we as hackers are trying to learn exploitation, whether to fix it or to break it. If you look at the evolution of how we are doing attacks and intrusions and red team pen testing and everything else, we are slowly moving down a
24:21
stack. First we were using stuff in the software. Then we were going down to OS, the network. Now we're kind of getting a little lower. Now you're starting to hear about BIOSes and you're starting to hear about stuff. So we are constantly moving. That shift is happening. And chip stack takes you a little bit lower talking directly to processors. And the reason it's very much applicable, especially this day
24:42
and age, is it's also applicable against hypervisors. How many of you know what a hypervisor is? This is 101. I'm not trying to insult you all by asking stupid questions. For example, a lot of people didn't know what that was. So in dealing with virtualization, you have this thing. This is the cliff notes. Again, take it for what it's worth. I'm
25:02
saying hypervisor is basically the underlying piece that allows you to do virtualization properly. And so because a lot of our systems now are virtualized in data centers and on cloud and everything else, learning how to attack hypervisor and getting down lower in the stack is more important. So anyway, that's why chip stack is on your CD. By the way, the purpose for me up here for
25:23
101 in my mind is to throw nuggets of information into your brains that you may not have thought of or heard of that give you a starting point to start going down the rabbit hole on your own, not to do a deep dive. This is 101. If you want to deep dive stuff, it starts tomorrow. So I'm going to give you all the quick basics that are a pet peeve of mine. Now
25:43
I was thinking about taking this out of the talk this year because I put these in my 101 talk last year. The reason I left them in is I still to this day am having interactions with people. I go to a lot of security conferences and I try and talk with people and some of the weird-ass solutions that I come up with things or the things that I think about use things that require a fundamental knowledge that some
26:03
people are lacking even though they may be a genius or brilliant in a particular area. So these are kind of like tick pet peeves of mine that if you consider yourself a computer person or a hacker, I think you should know these things. It's really fundamental stuff. Here we go. And there's my fry. How am I doing on time by the way? I have no idea.
26:24
Anyone? 328. What are we supposed to go to? 4? Nice. So I talked earlier, binary. Everybody hold up your right hand. We're going to count together in binary. If you don't know how to count in binary, I'm going to cry because
26:42
you're at DEF CON. One, two, three, four. Okay. You've all right. If you can't do a binary count on your fingers, go home and learn how to do that. If you can't take four bits and
27:01
do zero, zero, zero, zero to one, one, one, one and write it out in the series and I mean quickly like then go home and learn how to do that. You need to do that. Especially if you're going to do reversing or you're going to do certain types of root kids or hacking, it's going to help you. Like I said, binary math, same thing. And I talk
27:20
with people who are way above my level on a lot of subjects who can't do simple things like that, that rely on their tools so much. It's amazing. Same thing with hex. How many of you have a general understanding of why we use hex? Tell the truth. Don't lie. How many of you have no fucking clue why we use hex? Tell the truth. Okay. So
27:43
a lot more than I thought. Basically for the few that raised their hands, it boils down to the fact that we don't want to waste space in the memory that we have and ultimately our systems are a collection of on-off switches, right? So it's a much deeper discussion. If you don't, and those of you that were embarrassed and are shy and
28:00
didn't want to admit that you don't know fundamentally why do we use a hex representation, now go look it up so that next time you don't lie. So interesting side tangent. What would be the largest digit in Bart Simpson's
28:23
phone number? I've asked this before. Who knows? What's the largest digit possible in Bart Simpson's phone number? Why? How many fingers does Simpson characters have? So what do they count in? Octal. What number base do you think a
28:50
pirate would count in? Heximal. Radius 6. Why? Five fingers and a hook. So we actually created a thing called the pirate radix. For those of you who know what the
29:01
term radix means it's just referring to the number base. So the pirate radix is base 6, which is also called heximal, not hexadecimal. Anyway, that's nerd speak for later. Things I think you should know about, there's a list for you. If you don't at least know what these things are, I would suggest you look them up. Especially if you're going to
29:21
come and have a conversation here with people at DEF CON. And by the way, I totally encourage you to approach the speakers at DEF CON. I say this every year. If you approach somebody at DEF CON and they are too high and mighty to talk to you, then they're a douche bag and I don't want them here anyway. Thank you. And I don't care who you are
29:41
because everybody started somewhere and built themselves up. We have too many people in this community now who are becoming info sec rock stars that think they are too cool for school to talk to people. And that's got to stop. Because we need to band together. We have enough problems with people trying to cram back doors into our crypto systems and all kinds of other discussions that if we have
30:02
infighting and are too elite to talk to everyone else, it's really going to destroy the community. I really love the hacker committee. I donate tons of my own time and money to make DEF CON happen every year. So another group of the things that I think we should talk about or you should at least know about. By the way, going back to my discussion on
30:23
tinkering, if you do not know how to set up a VM and experiment with stuff that would otherwise put you in jail for doing in the real world, learn. It's not a matter of finance because there are a number of free solutions. VMware player is free. People are now giving out VMs of
30:41
stuff. You can also get virtual box and there's all kinds of stuff out there that allows you to set up a system and attack it, to hack it, to throw metasploited things, to try and fuzz things. I'm trying to get the tinkerers back into the community. One of the ways to do that without going to jail these days is through virtualization which
31:01
also goes back to the hypervisor discussion. Any comments on the list so far? You guys are smart. Can I go back one? Right there? So I don't generally ever give my slides out and this is also the first time that I've allowed my 101 to be recorded. I usually don't let my talks get
31:20
recorded because I think they go stale and then people don't it's not enjoyable past a certain time and I know that I hate when I go find a talk and watch it and realize it's like six years old and I wasted my time. That's why I generally don't like my stuff to be recorded. I will make these slides available on the lost boy website after Def Con. I didn't do it before I left but if you don't get notes
31:42
they'll be available. And if I forget to do that, send me an e-mail and say you said you'd put those slides up and I'll put them up. We good here? So I'm going to make a comment about tinkering as far as hardware is concerned. The bottom one, digikey, how many of you know what digikey is? How many
32:04
of you know about the sad demise of radio shack? Breaks my heart. How many of you remember forest men's green book from radio shack that was printed on graph paper that was hand written? How many of you that book changed your life as a
32:25
soul when radio shack first of all turned into a place that only sold cell phones? Why? Because that was the place you went to buy components, electrical components to experiment with stuff. So these days we have some giant Walmart-esque part suppliers and that's all we have left.
32:41
Digikey is one of them. I would suggest even if you have no interest in hardware just as a passing fancy to keep you well rounded, go to the websites of these companies and request their catalogs. And I say this about digikey because those of you who have it know that it's comically large. It is larger than most phone books and I will tell you what it's
33:01
good for. Even if you don't have any interest in using it, it's great for when you're drilling through things and you need something underneath. But go and you know what? One of the things that I do that helps me come up with the stupid crap that I do in the challenges, by the way, which is hard because I have to stay ahead of all you guys
33:21
that are way smarter than I am every single year. I can't repeat myself. I have to do stuff that's Google proof. I have to do stuff that's fun and interesting for freaking brilliant people like you guys. And I have to do it so it's solvable within a finite amount of time. It's a very difficult problem space. But the way I do that is every year I try to find new things that I had no interest in and said I'm just going to learn a little bit about this.
33:42
Like getting a subscription to a magazine of something that I had no interest in before. So those of you who have no hardware background at all, it's free. Go get the Digikey catalog and put it in your bathroom and when you're going to dump thumb through the Digikey catalog. You'll learn about some crazy stuff that's out there. Yeah, comment, yell it, yell it loud. Yeah, excellent. So this goes a little
34:12
deeper into the secret that how many of you know who Lady Ada is? Lady Ada. So she puts out a list of places you can get free samples from. How many of you know that the
34:23
secret of the hardware people is that you can get free crap all the time. And the way you do it is you say I'm going to make something. I'm going to make 50,000 units of it. And if you really have to social engineer it, you go make a fake Gmail account that sounds like somebody legit. And most chip and part manufacturers will send you
34:41
engineering samples for free. They will even pay shipping. They'll oftentimes put a T-shirt in there with it too. And you can get all kinds of free crap. For real. And so this goes back to my tinkering thing, especially if you're a student and you don't have the money to do this stuff. Get on some of these lists and figure out. And by the way, it's not even just parts anymore. There's people that make enclosures, plastic enclosures for things. I have
35:04
scripts that I run where I get free stuff every so often. I figure out what the window of abuse is for certain places. So and don't get greedy. Usually five is about the max of anything you can request. Like if you go to Maxim and request one of their chips, they won't send you more than five. But you'll learn that kind of stuff. But it's kind of
35:22
fun to get, you know, free stuff that you don't pay for, including the shipping. It's really easy to do. And the other thing is she keeps a list of that stuff. So you can look up hers. Okay. We need to continue moving along. How are we doing? You guys bored? Tell the truth. Am I talking too fast? Do you have comments? Is this guy crazy? What? Louder? Is this
35:42
better? Okay. So here's another fun way of doing an exercise regardless of what field you're in. Pick an illegal activity and try and find a legal way of doing that activity. You will be amazed at the stuff you will learn. I'm not kidding. So how many of you know what this Simon gift card
36:01
is? How many of you have read Brian Krebs' book by the way? Spam nation I think was his one that just came out, right? He talks about the Russian hackers and everything else. So Krebs in that book talks about something that a lot of us know about. If you're trying to procure infrastructure or things and not have it traced back to you. And by the way, I'm not going to have the philosophical debate
36:21
with you guys in here about why I should have the right to privacy. If you're at this conference and don't believe that you have a right to privacy and if I hear the argument I'm not doing anything illegal, I have nothing to hide, well, when you have sex with your wife, that's not illegal. Do you want somebody watching you do that? Do you want somebody watching you take a dump in the bathroom? It has to stop somewhere. So I'm not going to
36:49
have the argument with you that I should have to justify to you why I should be able to have privacy. So the discussion we're going to have right here is a little bit of some of the stuff that I've done in just the past year in trying
37:01
to find legal ways and there's a reason that I'm doing this. If you want to hear more about it come talk to me in the room. I tried to find legal ways of doing illegal activities. And it's a really interesting study. And so I found there are certain magical gift cards that you can get at certain places that are the type that you can go online and register an address for when you purchase them. The reason
37:23
that's interesting and necessary is if you're going to buy things online with a credit card, there are many systems in place that check address of the registration of a card and many just generic gift cards that you buy will get flagged by Max Mind and a lot of those systems and get dumped. And you can't use them to buy things for certain
37:41
things like VPN access or VMs. You can't use them. But certain ones you can. The Simon gift cards are one. I'm going to abuse the hell out of it until they go away because I'm sure they eventually will. But what these allow is you buy that card with cash and then you go online and you register an address for that card. And that address can be anything you want. It can be a completely fabricated address. I
38:03
will tell you a little hint though. Certain sites will actually look at the geolocation of the IP that you come from when you do it and it needs to match what the card is. So you just can find a VPN point in the particular state or wherever that matches with what you registered for the card. It's easy to do. Some of the fun I
38:22
found with this is can you all see that? It's too small. How many of you see the charge on December 9th, 2014? Yeah. That was me playing with the illegal stuff and somebody tried to charge a million dollars to that card. I thought it was
38:41
funny. And the part I thought was the most funny about it was that if you look it's listed as a recurring installment. So I was like wait a second. These guys are completely off the rocker until they did it again. And again.
39:03
So if you look I have two charges on 12-9 for restricted country is one of them. And see this is the stuff you learn when you study this kind of stuff. And one is a recurring installment. And so I have three charges for a million dollars to that credit card which had like $200 credit card. That actually shows. No, that one had 100 if you look at the
39:21
value load on that. So anyway I just thought that was fun. You guys might find that fun and interesting. So become a hacker. Don't get caught up in the stupid media definition of what a hacker is. And by the way is there anyone in the room that's pressed confess your sins. Honestly anyone in this room right now that is pressed tell me the truth. Don't lie.
39:42
How many of you have a yellow badge? So for those who are new to DEF CON we have very special press policies for a particular reason. We try to be hacker and anonymity friendly. And so anyone you see with a big freaking yellow disk around their neck is pressed. And by the way if you get a chance
40:02
ask one of them to turn it around if you've seen the back of it. So the back of the press badge this year is a guy like this. Because the 101 panel probably said it. I wasn't in here so I didn't hear but they usually do. Take this for what it's worth. The press is not your friend. Okay?
40:21
They really aren't. I've seen a lot of friends get burned. I've been burned. There are very few people in the media that I trust. There are a lot of them that are coming here because they want to get a shock piece. They want to get a sound blurb. They want to get a bite that they can throw up on a web page or put something on the news or put something that will shock mom and pop USA. Oh no the scary
40:41
hackers are coming to get me because fear sells. So be careful what you say to anyone that's in the press. Just be aware of the fact that you will be misquoted. And so that's the end of my rant for that. But anyway take it for what it's worth. What do you guys think about that? Think a full crap? Tell the truth. So that's the end of my little
41:08
notes there. I am happy to answer questions about any and everything that you guys have for however much time we have left. Yeah can you use the mic just so people can hear? Stick a hub cap on us this year. So for those of
41:25
you new to Def Con we do a tick-tock cycle where we do an electronic badge every other year. When Joe Grant was doing the original electronic badge designs we were one of the first conferences to do an electronic badge. There are a few others. Now every flipping hacker conference you go to on the
41:41
face of the planet has an electronic badge. It's become passe at this point. Take it for what it's worth. I am a hardware guy and I love some of the badges from some of the other conferences. But we always try and do something new and different and fun. So this is a non electronic year and I was trying to come up with something interesting and it was actually my wife's idea to do the record. Not that I am
42:02
trying to throw the hate at her. But this is actually not the largest badge we have ever had. Yes she is. My wife is way smarter than I am. So these are, I had to go 7 inch. I couldn't do a 5 inch because nobody makes records anymore. It took a lot of work to find someone who could
42:22
handle. By the way, I will tell you guys here. I will talk more in detail about the badges. So I will talk more in detail tomorrow about the badges. But I will tell you that we printed roughly half as many LP records as Taylor Swift has put out in her entire career. I will also tell you that the
42:48
vinyl that is in these when they all came here weighed over two tons. That's how many people are going to be at live con this year. Any other questions? Oh, I almost forgot. Thank you for reminding me. So those of you that follow me on
43:02
Twitter will know that I recently got a tweet back from William Shatner. Any William Shatner fans? I am a fan. Can you fake it if you are not? Any Star Trek fans in the audience? Okay. So I am going to stick with our own policy.
43:21
I am going to ask permission for something. I would like to take a selfie with all of you in the background per request of William Shatner doing the Spock sign. To live long and prosper. Now what I will say is if you do not want your face in this, keep in mind the resolution will be crap anyway. Please cover your face or whatever but I am giving
43:42
you enough warning because I do respect our press policy. So I am going to hold my phone up if you could all do the Spock thing and then I am going to send that to William Shatner. So can you hold that? It has to be a selfie. All
44:02
right. You guys ready? Three, two, one. We will do one more. Three, two, one. By the way if anybody wants that I will put it in. Thank you. And consequently I think that it is
44:24
actually for charity that he is doing that for. And if anybody wants a copy of that picture I will put it up on the screen. I hope you guys have a great con. We put a lot of work into doing this. By the way if you have a bad experience or something is wrong we want to hear about it. We do try and fix it. We do care. Everybody that is here is
44:43
volunteer. I am volunteer. I don't get paid to do this. I spend a lot of my own personal money doing the crazy stuff that I do for the challenges and things like that. So please enjoy yourself. It is for you. We are trying to help build the community. Comment or question? Just one question, man. Who was the speaker you said whose talk we
45:01
might want to attend? Yuri. He is Russian. Okay. And he is brilliant. Other questions? Comments? Boring. Waste of time. Tell the truth. What do you want to hear in a one-on-one talk next year? Three minutes. We have three minutes.
45:21
Anything you would not want to hear next year. So again this is one-on-one talk. Tomorrow is where all the technical stuff starts. No? Nothing else? You want to yell at me? Did I waste your time? Did I waste your time? I am asking a real question. I am serious about that when I ask that. Yes. So I will give you a little teaser for
45:54
tomorrow. I am going to explain in detail. This is this year's uber badge. If you win first place in a competition at
46:01
Def Con you receive a black slash uber badge. It is free entrance at Def Con for the rest of your life. More than that it is status in the community. It is resume building. I know people that will hire you on the spot if you have a Def Con black badge. This year there are six radioactive isotopes on this badge. I will talk about what those are and how these came to be built. So that is tomorrow's
46:23
talk. Thank you guys for coming.