E Hacking, profile picture
Uploaded byE Hacking
2,358 views

Stalking a City for Fun and Frivolity" Defcon Talk

This document discusses the development of a distributed sensor network called CreepyDOL that could track people in an urban area through passive wireless monitoring and analysis of leaked data from devices. The goal is to demonstrate how much information can be extracted without consent and to shape technology development to better protect privacy. CreepyDOL would use inexpensive hardware like Raspberry Pi boards placed in common objects to passively monitor WiFi traffic and device behaviors. While not actually deploying a full surveillance system, the author aims to educate about privacy risks and push for technical and cultural changes to limit unwarranted data collection and transmission. Concerns are also raised about government overreach in surveillance and prosecution of security researchers.

Embed presentation

Downloaded 11 times
Stalking a City for Fun and Frivolity “Pull pin, point toward privacy insurance claimant” Brendan O’Connor Malice Afterthought, Inc. http://www.maliceafterthought.com
Everything leaks too much data. At every level, we’ve forgotten that privacy, not just security, should be a goal.
It is no longer possible to “blend in to the crowd.” Certain assumptions, and many action movies, will have to be adjusted. Every scene where an action hero dives into a mall with 10K people and the Feds say “dang, we lost him?” Yeah, that won’t work anymore.
Fundamental changes are needed to fix this. So we’re probably doomed. But it’s going to be a fun time in the interim. And I mean both technical changes---more on this later---and cultural ones: it needs to *NOT* be OK to request too much data, let alone to store it or transmit it. And I say this as someone who has worked on software that millions of people use EVERY DAY: we *cannot* leak private data, or we have lost the only thing we do better than our adversaries, and the only reason anyone should trust developers.
Foreword: Democratizing Surveillance http://www.flickr.com/photos/68979377@N00/3745750194 I. Foreword: The Democratization of Surveillance A. "Security is really the government's area." 1. This was actually said to me by my sister recently, indicating that I'm failing in my duty to educate my family. 2. Those of us in this room know that the government isn't very good at securing things by means *other* than throwing them in prison for large amounts of time. 3. Nonetheless, the government has a near-monopoly on surveillance.
“Only the Good Guys” http://www.flickr.com/photos/chberge/3753079527 4. When it doesn't, the perception of the general public is that "only good guys" have access to terrifying surveillance technology. This is *our fault* for not correcting this misperception, though groups reporting on, e.g., all the BlueCoat boxes they've found in repressive governments are certainly helping. Heck, PRISM was leaked, and this is *still* the thing I’m hearing: people think “hey, the NSA needs that.”
“Sunlight is the best disinfectant” http://www.flickr.com/photos/andyz/3857625392 B. "Sunlight is the best disinfectant." 1. A recent study showed that cops wearing sunglass cameras were 88% less likely to commit actions resulting in complaints, and 60% less likely to use force; when they did use force, those officers wearing lapel cameras were consistent in using the least amount of force possible in a situation. This effect was not duplicated in officers refusing to wear the cameras. 2. If we can see what's going on---if we can look back at our government---we have the opportunity to make sure it works as efficiently and safely as possible. If not, we are subject to blackmail, extortion, and threats. (See Aaron Swartz.) So we need sunlight---but we need it quickly, and where our natural inclination, our natural sunlight, is not. Those of you who are weapons buffs may know that this isn’t a photo of the sun: it’s a picture of the blast caused by Tsar Bomba, the largest nuclear weapon ever detonated.
So I get called a stalker http://www.flickr.com/photos/simplyjessi/6333279524/ Wait, wrong stalker. This is an adorable cat, apparently named Stalker. People don’t call me an adorable cat.
So I get called a stalker http://www.flickr.com/photos/dcagne/424124810 Much better. As I was saying, C. Why I do "creepy" work. 1. The only effective way to raise the issue of creeping surveillance and loss of privacy is to make clear that *anyone*, not just "the good guys," can use this technology for good or for evil. 2. The only way to make it clear is, of course, to release software that does it in a nice, user-friendly package.
CreepyDOL is: • a distributed sensor network that combines wireless sniffing, distributed C&C, 3D visualization, and “grenade” encryption to do real-time personnel tracking and true-identity theft on a major urban area. It’s Stalking as a Service!
Complication:Weev Or Andrew Auernheimer, if you prefer.
The United States Government has declared a holy war against legitimate security research. Some of us think that’s not a good idea.
It doesn’t matter whether you like Weev or not. Mighty Casey got three strikes, but we get only one;“They claimed it was for the sake of their grandparents and grandchildren, but it was of course for the sake of their grandparent’s grandchildren, and their grandchildren’s grandparents.” (Douglas Adams) The time to fight private ex post facto laws is now---because once ratified by a Court of Appeals, it will be a generation before we get to try again. So set aside any dislike you may have for Weev---perhaps for the best of reasons---and act in your own enlightened self- interest. Or everyone in this room will be in prison soon.
Amicus Brief of Meredith Patterson, Brendan O'Connor, Sergey Bratus, Gabriella Coleman, Peyton Engel, Matthew Green, Dan Hirsch, Dan Kaminsky, Samuel Liles, Shane MacDougall, Jericho, Space Rogue, and Mudge And Alex Muentz, another hacker and a full lawyer, who was willing to take a law student’s brief and submit it to the Circuit Court of Appeals. All of the names on this list are big deals. Meredith Patterson from LangSec, Sergey Bratus, Patron Saint of the Gospel of Weird Machines, Crypto Engineer and Professor Matt Green, Dan Kaminsky, Jericho, Space Rogue, Mudge... the list goes on. And that should tell you how scared the entire community is, and should be; it touches all of us, whether we’re DARPA program managers, professors, or itinerant hackers.
In the meantime, there will be a chilling effect, as we cannot trust legal actions not to be prosecuted anyway. Therefore, CreepyDOL has not been used to take on an entire city. It’s been tested, and parts of it have been tested with extremely high amounts of data, but I leave the next step, world domination, to a braver researcher.
Extremely Serious Disclaimer This presentation does not create an attorney-client relationship. Probably. If it does, it will have said it does.Although it could have created an attorney-client relationship without explicitly saying so, because the law is tricky like that. This presentation may contain confidential and/or legally privileged information. If it does, and you are not the intended recipient, then the sender hereby requests that you notify him of his mistake and destroy all copies in your possession.The sender also concedes that he is very, very stupid. This disclaimer is not especially concerned with intelligibility.This disclaimer has no qualms about indulging in the more obnoxious trademarks of legalese, including but not limited to (i) the phrase “including but not limited to”, (ii) the use of “said” as an adjective, (iii) re-naming conventions that have little to no basis in vernacular English and, regardless, never actually recur (hereinafter referred to as “the 1980 Atlanta Falcons”), and (iv) lowercase Roman numerals. This disclaimer exists for precisely one reason—to make this presentation appear more professional.This disclaimer shall not be construed as a guarantee of actual professionalism on the part of the sender.Any actual professionalism contained herein is purely coincidental and is in no way attributable to the presence of this disclaimer. If you aren’t reading this, then this disclaimer has done its job. Its sad, pointless job.THIS DISCLAIMER IS NOT INTENDED TO BE IRONIC. Adapted, with kind permission from the author and publisher, from http:// www.mcsweeneys.net/articles/alright-fine-ill-add-a-disclaimer-to-my-emails . To be clear: I do not endorse using this software, or any software, for criminal purposes. We're hackers, not criminals. I want the fact of this software's existence to help shape habits and, hopefully, the next generations of mobile devices; perhaps they won't be designed (at the protocol level) to leak so much information so widely.
DARPA Cyber Fast Track • CreepyDOL is not CFT work • DARPA tries hard not to build stuff that creeps people out this much, and they’re very nice people. • That said, two CFT contracts did let me build two of the core systems: Reticle, and the visualization system. • Thanks, Mudge!
Roadmap • Goals • Background • Architecture • Design of CreepyDOL • Future Work • Mitigation
Goal: Passive Wireless http://www.flickr.com/photos/library_of_congress/2163911718 II. Goals A. How much data can be extracted from passive wireless monitoring? 1. More than just from a network trace---remember that when not connected to a wireless network, WiFi devices send out lists of their known networks, asking if anyone can help them. 2. As soon as a device thinks it's connected to WiFi, all its background sync services will kick off again---DropBox, iMessage, all the rest. So we'll immediately know that certain services will be in play. 3. Over unencrypted WiFi, all the traffic sent by a device is exposed. Even if we can't see both sides of every message, we can learn a lot from what we do see---especially if we know how a given protocol operates. 4. How much better could we do if we had not one sensor, but ten? Spread out over an area? Now we have geolocation, time and place analysis, etc. 5. If we're tracking over a large area, we don't just want to know traffic and devices: we want to know people. Can we take data and find people? (I don't want your SSN, I want your name. And really, I want to know enough about you to blackmail you; information is control.)
Goal: Large-Scale Sensing Without Centralized Communications http://www.flickr.com/photos/christmaswithak/2732857205 B. Can we do large-scale sensing without centralized communications? 1. If we centralize communications, life is simple; everyone phones home---but a compromised node gives every attacker the location of the mothership. 2. Centralized communications decrease resistance to attack, and prevent you from responding agilely to attack.
Goal: Intelligibility http://www.slideshare.net/EmilandDC/dear-nsa-let-me-take-care-ou C. Can we present massive amounts of this data in a way that is intelligible by mortals? User-friendly? Still secure? 1. Group One of high security products: incredible technology, terrible UI. This causes low adoption, or (possibly worse) mistakes in use. Systems fail, people die. Examples: Pidgin-OTR, or PGP/OpenPGP. 2. Group Two: Concerns about technology, great UI. This causes adoption, but can cause massive problems later (if the concerns are borne out). Examples: HushMail, Silent Circle. 3. Group Three: Good technology, great UI. This is wonderful, but incredibly hard to do (because UI masters are usually not security wizards). Example: CryptoCat, RedPhone. 4. We would aspire to have CreepyDOL be in Group Three, through a variety of methods to ensure secure communication in relatively-intelligible ways. *This is an ongoing process.* Our code is open source, to allow verification, and will be released in the coming weeks.
Roadmap • Goals • Background • Architecture • Design of CreepyDOL • Future Work • Mitigation
Background:Academic Sensor Networks Rock! http://www.flickr.com/photos/22240293@N05/3912598338 (This is the MIT CS building, if you’re wondering. They have an awesome sensor network, and their papers are always accompanied by the *weirdest* floor plans.) III. Background A. Sensor Networks 1. Academic researchers have spent tons of time and resources on these. MANETs, other advances in technology have resulted. 2. A lot of these have uW power levels, and sacrifice languages, OS, and cost to get there---especially cost, with many nodes costing $500 or more. Each. 3. I can't afford this. I want something I can afford to break, to lose, and even to have stolen. I want it an order of magnitude cheaper, and I want it to run Linux. (Ubuntu or Debian, if possible.)
Background: Large- Scale Surveillance • Remember, we knew this was happening before PRISM was announced • In my original outline:“One can assume that they have solved all of the problems involved in CreepyDOL before me, and that they should, rightfully, be cited as prior art. I'd love to do so; as soon as they publish their work, I'll be happy to cite them.” • Heh heh heh. • Pour one out for the Intelligence Community: a lot of this stuff is a pain to figure out
Roadmap • Goals • Background • Architecture • Design of CreepyDOL • Future Work • Mitigation
Hardware! So now let’s talk about system architecture. First: Hardware.
F-BOMB v.1 (ShmooCon 2012) A. Hardware: F-BOMB, version 2 (Falling/Ballistically-launched Object that Makes Backdoors) 1. Originally presented at ShmooCon 2012. At that time, this was based on the Marvell Sheeva board, the same board used by the Pwnie Plug that’s been selling so well for years. To keep costs down, I was actually buying PogoPlugs, a rebranding of the Sheeva board, as they were being sold as essentially fire sales, and stripping out their guts. Conveniently, (next slide)
It fits in a CO Detector No one ever checks their CO detector to see if it has become a node in a sensor network. The new one fits much better into this case; much less cutting is necessary.
F-BOMB v.2 2. Now based on the Raspberry Pi Model A, because it's awesome, runs an easier version of Linux (Debian vs. Arch), and I can actually get it for cheaper than the salvage PogoPlugs. We also get significantly reduced power consumption, it runs at a better voltage (5v instead of 12v), it’s physically much smaller and lighter, and it actually has more RAM and processing power on board. You can see there’s a bit of cord sticking out of each F-BOMB in this photo; this is because I mis-measured when buying the cas. But the Raspberry Pi is actually much smaller than the Sheeva board, so it fits better into smaller objects. (Hold up one.) These devices use USB power, which means that I can plug them into walls (you can see an Apple-style USB power adapter in the lower-left), but also into USB batteries, MintyBoost kits, or anything else that gives me 5v in this ubiquitous form factor. They do not use that port as a data port.
Total: $57.08 http://www.flickr.com/photos/gijsbertpeijs/7988257583 http://www.polycase.com/lp-51p http://www.targus.com/us/productdetail.aspx?sku=ACH63US http://www.amazon.com/JacobsParts-150Mbps-Wireless-Notebook-TP-WF11/dp/ B0067NFSE2 http://www.newegg.com/Product/Product.aspx?Item=N82E16820147152 http://www.ebay.com/itm/10x-USB-USA-AC-Wall-Charger-for-Apple- iPhone-3-3G-4G-4S-5-5G-iPod-New-White-/271163372744 Raspberry Pi, Model A: $25 Case: $4.61 USB Hub: $5.99 WiFi: 2x $6.52 SD Card: $6.99 USB Power: $1.45 Total: 57.08 per node 3. Per-Node Cost: $57.08 in 10-node quantities, excluding case. a. I bought cheap wall-wart cases and used a drill saw; you can 3D print them, or even buy disposable GladWare and use that. It’s within the price range of any kid who mows lawns energetically for a few weekends to build a group of these.
Wait... why 2 WiFi? • Because I’m cheap and lazy • Introducing PortalSmash: it clicks on buttons, so you don’t have to 4. Nodes don't bring "phone home" communications gear, e.g., a 3G card; that's too expensive and *very* easy to trace (just call VZW tech support!). They use PortalSmash, Open Source software I've developed to look for open (or captive portal) WiFi and use that. In an urban area, that's perfectly sufficient. (No, PortalSmash doesn't look at encrypted WiFi; yes, you could add Reaver etc. No, I'm not planning to.)
C&C Software • “Reticle: Leaderless Command and Control” • This was the first of the two DARPA CFT contracts I mentioned • Whole presentation at B-SidesVegas 2012---but I will summarize B. C&C Software: Reticle, Leaderless C&C 1. Developed under DARPA Cyber Fast Track, Spring 2012 2. Original work presented at BSidesLV 2012, but massive improvements, and a complete rewrite, since then.
Reticle Each Reticle node runs CouchDB, a NoSQL database, plus Nginx, Tor, and some custom management software. This lets nodes combine into a peer-to-peer “contagion” network in which each node sends commands and data to every other node, for both command infiltration and data exfiltration, without any single point of failure. They speak via Tor, to prevent anyone on the network to which they connect from determining where other Reticle nodes are living. To make reverse-engineering of a node much more difficult, Reticle nodes can be configured with what I call “grenade” encryption: pull pin, throw toward adversary. They load their encryption keys for their local storage at boot from removable media, which is then removed to prevent an adversary from recovering the data. A “cold boot” attack is certainly possible, but since most nodes don’t have batteries, it’s physically kind of a pain to do---and it’s not a usual thing for most people to dump liquid nitrogen on the first black box they see plugged into a wall. CreepyDOL, then, is just a mission Reticle runs; it can be retasked at any time.
Roadmap • Goals • Background • Architecture • Design of CreepyDOL • Future Work • Mitigation
CreepyDOL So as I mentioned, Creepy.
Distributed Computation for Distributed Systems http://www.flickr.com/photos/lara604/3164622774 http://www.flickr.com/photos/jenniferboyer/52474490/ http://www.flickr.com/photos/gaelx/1858599144 A. Distributed Querying for Distributed Data 1. Since we don't have independent, high-bandwidth channels for sending data home, it's not a good idea (and may not be possible) to send raw packets home. Nodes should send home data that's already been digested. 2. So: we run any queries on the nodes that can be effectively run on the nodes, *given data that node has collected*. 3. We do not process multi-node data on individual nodes, even though every node has access to all the data (see "contagion network"), because they've got limited processing power---and more importantly, data storage.
Centralized Querying for Centralized Questions B. Centralized Querying for High-Level Data 1. Things that need datapoints from multiple nodes---tracking, pattern analysis, etc., go on the "backend." 2. The backend is just another node, but with a special mission configuration: rather than just sensing and adding data, it receives data from the contagion network, pushes it into another system (a data warehouse), and then instructs the contagion to delete it to make room.
NOM: Nosiness, Organization, and Mining http://www.flickr.com/photos/scjody/5345366096 C. Data Query Methodology: NOM 1. O: Observation. Take as much data out of local traffic as possible; this means names, photos, services used, etc. To make this easy, we've created a large number of "filters" that are designed for traffic from specific applications---DropBox, Twitter, Facebook, dating websites, etc. Now, many of these services encrypt their traffic, which is admirable; however, in many cases, we can still get useful data that they provide in, e.g., their User Agent. And there’s no reason for them to do this. (Next slide)
Why? So this is a screenshot from Wireshark, of a packet being sent to request new iMessages from Apple. Notice at the bottom, where it sends the hardware device and iOS version, as part of the HTTP header? This is unnecessary, and it’s harmful. (If Apple needs this information, it could transmit it inside TLS.)
NOM: Nosiness, Organization, and Mining http://www.flickr.com/photos/scjody/5345366096 2. N: Nosiness. Using data extracted from O queries, there are lots of leveraged queries we can make; for instance, given an email address, we can look for accounts on web services, or given a photo, we can look for copies of that photo pointing to other accounts. This can be run either as distributed or centralized. 3. M: Mining. Taking data found by the nodes, build up larger analyzed products. For instance, is the device (person) usually in one area during a certain time of day? Are there three devices that are almost always seen together, if at all? (The latter may indicate that they are all carried by the same user.) This type of query is exclusively run on the backend.
CreepyDOL Architecture So this is the overall architecture for CreepyDOL. The nodes connect to each other, and one node becomes a “sink node” from which data is pulled and sent to the CreepyDOL storage, so that it can be used in the visualization. The visualization pulls data from the storage and from an OpenStreetMaps provider, to have underlaid maps.
Visualization • Second DARPA CFT Contract • Used the Unity Game Engine • Side note: wow, that’s a fun toy • Side note: wow, I hate writing JavaScript that’s interpreted by C#, then compiled into .NET CLR • Runs on an iPad! Or OSX/Windows/Linux/Android • I think I could make it run on an XBox360, actually (Unity isVery Nice) So let’s talk about visualization. To prevent the user (the person requesting data) from being tied to a particular computer, we use the backend to run queries for visualization, then serve the results to the user's visualization computer. To make it easy to do large-scale visualization, I used an existing engine: the Unity game engine, used in hundreds or thousands of iPad, iPhone, XBox, Wii, and PC games. This let me take advantage of the hundreds of person-years of development they’ve already done to make it fast. As a side effect, it also means I can run my visualization on an iPad; since all the processing is done on a visualization server, it doesn’t need to be able to hold the data in RAM.
DemoVideo! Watch closely: do you see the creepy?
Test Parameters • To prevent badness, we programmed the NOM system to look only for traffic from devices we owned; no “random stranger” data was collected at any time.
So first you can see the plane loading. Then the data loads, and after a brief loading delay, the map comes in from OpenStreetMaps. I’ll zoom the camera in and out a bit; you can see that it’s 3D, and the control interface works much like Starcraft or other real-time strategy games, except with people instead of alien troops. Now you can see I’ll draw a box to select a group of data, and after a brief delay, the data and map will re-draw to allow more focus on the data in question. I can hover over various nodes to see their MAC addresses and locations, but for maximum data, I click on a node, and it shows me everything. I have some of the services I use, I have the hardware and software I’m carrying, I have a real name, email address, and even my photo from an online dating site. Combined with the true location and time of each of these pings, we end up with the same data that you used to use a whole team of surveillance agents to retrieve. Cheap, distributed stalking.
Roadmap • Goals • Background • Architecture • Design of CreepyDOL • Future Work • Mitigation
Other Applications
Counter-Infiltration http://www.flickr.com/photos/igalko/6341182132/ A. Counter-Infiltration 1. There is a persistent rumor, in cases of exceptional police brutality (Occupy Anything, or more protests in Britain) that the police are sending in agents provocateur to cause the disruption that gives them an excuse to crack down. (This rumor is at least 300 years old, by the way.) 2. CreepyDOL would let you set up "known devices" with alarms for new ones, watch as new people come in, or even simply set off a klaxon if a Blackberry shows up (obviously a cop). C. OPSEC Training 1. The ROE for my tests demonstrate limiting data capture to one or several known devices. Use that to test your agents' OPSEC capabilities: set up a wide-ranging capture network (but tied to their stuff) and see what they leak. 2. The advantage is that you don't need to control every network an agent accesses. This lets you test "in the real world," which is much more realistic.
Evidence Logging http://www.flickr.com/photos/decade_null/142235888 B. Evidence Logging 1. Again in fast-moving scenarios like protests and rallies: there's a real problem with destruction of evidence, electronic or physical, during crackdowns. In addition, it's very, very difficult to know who was *in* a kettle in the first few hours afterward; a way to know that could be very comforting and/or helpful to those outside. 2. Since CreepyDOL uses a contagion network, anything it logs will be immediately shipped out of the area to linked nodes anywhere on the planet. If those nodes go offline, the data is preserved. 3. For bonus points, use F-BOMB belt packs (which last a very long time on batteries) to have moving logs---and if you come in range of a WiFi AP somewhere (say, at a stop light), they'll offload their data without any additional interaction. 4. The encryption, and the fact that the nodes don't persist their keys, mean that unless an adversary *already knows what it is and how to cold boot it*, they don't get data. If people on the outside are concerned about the nodes, revoke their device certificates and they'll be cut off immediately.
Improvements
Scaling Up • Sharding Contagion Networks • Scaling backend --- luckily, this isn’t hard • Scaling limits of visualization Sharding the contagion networks: it’s easy, just give them different keys. Each network could have a sink node that throws data into the visualization system. Scaling the backend is similarly easy: the software communications with the visualization engine over HTTP, so it can run in the ubiquitous cloud. Indeed, running the backend on Amazon S3, I’ve tested scaling parts of the backend to over half a terabyte of packet capture data. The visualization is somewhat more difficult; Unity gets fussy if I display more than a couple thousand nodes at once. However, with grouping, and eventually, over large map areas, doing limited field of view and view distance work (as they do in real video games), this can be mitigated.
Enhancements • $20 SDR devices (RTLSDR) • To listen to any frequency, not just WiFi • Encrypted WiFi Workarounds • e.g., Reaver • Jasager (WiFi Pineapple) to make sure wireless devices connect • MitM
Roadmap • Goals • Background • Architecture • Design of CreepyDOL • Future Work • Mitigation
Mitigation:A Sacrifice The leaks are at all levels. The 802.11 protocol asks devices to do this beaconing which means that even with encryption both in the protocol and over the air, I can still do tracking and identifications. The OS won’t enforce VPNs (iOS). The apps leak too much data that they don’t need. This is EVERYONE’s fault, but no one wants to take responsibility for their own actions. It’s the status quo, right?
The Status is Not Quo Image from Dr. Horrible’s Sing-Along Blog, by Joss Whedon We can’t tolerate this level of privacy leakage: as consumers, we should demand better, and as developers at every level, we have a responsibility to do better.
Digression: Hark • Archive for hacker work of all types (not just security) • Mentorship, promotion, and archival forever • New system of unique identifiers, like the academic DOI system, but free • On Kickstarter now: http://thehark.net So a very short final note on Hark. There’s been a back and forth between academic and non- academic researchers for years, where the academics say hackers aren’t rigorous enough and don’t cite their work, and hackers say academics don’t do anything *but* cite other work. After this blew up at ShmooCon 2013, those of us who, like myself, straddle the academic/ nonacademic divide, had some discussions and drew up plans for a way to let hackers archive their work, whether it’s a tweet, a blog post, a conference presentation, or a journal article, and cite previous hacker work regardless of whether it’s been academically published. I don’t have time to go into all the details right now, but if you think it’s important for hackers to stop re-inventing the same wheels every time we have a new research projects, I hope you’ll check out thehark.net. And yes, we encourage corporate donations.
Thanks! • To all those I’ve asked for comments, to Mudge for CFT, and my law school, for letting me spend so much time on other things. • Also, I’m finishing law school in 10 months, and am wondering what I ought to take on next. If you’ve got something interesting, ping me: brendan@maliceafterthought.com. • http://thehark.net

More Related Content

PPTX
Hacktivism 6: Networks and Conspiracy
byPeter Ludlow
 
PDF
2600 v20 n3 (autumn 2003)
byFelipe Prado
 
PDF
2600 v24 n4 (winter 2007)
byFelipe Prado
 
PDF
ClientConnection2015-08
byVic Hemard
 
PDF
2600 v08 n2 (summer 1991)
byFelipe Prado
 
PDF
2600 v19 n4 (winter 2002)
byFelipe Prado
 
PDF
Do we need a new language to describe cybersecurity?
bySherry Jones
 
PPTX
Muso Publishing
bychrisjohnanderson
 
Hacktivism 6: Networks and Conspiracy
byPeter Ludlow
 
2600 v20 n3 (autumn 2003)
byFelipe Prado
 
2600 v24 n4 (winter 2007)
byFelipe Prado
 
ClientConnection2015-08
byVic Hemard
 
2600 v08 n2 (summer 1991)
byFelipe Prado
 
2600 v19 n4 (winter 2002)
byFelipe Prado
 
Do we need a new language to describe cybersecurity?
bySherry Jones
 
Muso Publishing
bychrisjohnanderson
 

What's hot

PDF
2600 v25 n1 (spring 2008)
byFelipe Prado
 
PDF
2600 v16 n1 (spring 1999)
byFelipe Prado
 
KEY
Film 315 project
bycarly315
 
PDF
The next privacy worry is doorbells
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
PPTX
Progscon cybercrime and the developer
bySteve Poole
 
DOCX
Cybersecurity winter is not coming…
byITrust - Cybersecurity as a Service
 
PDF
2600 v14 n2 (summer 1997)
byFelipe Prado
 
PPTX
Defcon23 Talk Classify Targets To Make Social Engineering Easier To Achieve
byHeng Guan
 
PPTX
Online Harassment: Organization for Security and Cooperation in Europe, Vienna
byMichelle Ferrier
 
PDF
2600 v20 n1 (spring 2003)
byFelipe Prado
 
PDF
Insecure mag-33
bycheinyeanlim
 
PDF
Tor talk-prosa-screen
byHenrik Kramshøj
 
PDF
BlueHat v18 || MSRC listens
byBlueHat Security Conference
 
PDF
Paranoia or risk management 2013
byHenrik Kramshøj
 
RTF
Drones and Crime
byTerry Drinkard
 
PDF
Why is cybersecurity important for the entertainment industry
byLisa Stockley
 
PPTX
Online firestorms - A tempest in a teapot
byHimanshuDaga7
 
PDF
Cybersecurity and liability your david willson
byDavid Willson, Attorney, CISSP, Security +
 
2600 v25 n1 (spring 2008)
byFelipe Prado
 
2600 v16 n1 (spring 1999)
byFelipe Prado
 
Film 315 project
bycarly315
 
The next privacy worry is doorbells
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Progscon cybercrime and the developer
bySteve Poole
 
Cybersecurity winter is not coming…
byITrust - Cybersecurity as a Service
 
2600 v14 n2 (summer 1997)
byFelipe Prado
 
Defcon23 Talk Classify Targets To Make Social Engineering Easier To Achieve
byHeng Guan
 
Online Harassment: Organization for Security and Cooperation in Europe, Vienna
byMichelle Ferrier
 
2600 v20 n1 (spring 2003)
byFelipe Prado
 
Insecure mag-33
bycheinyeanlim
 
Tor talk-prosa-screen
byHenrik Kramshøj
 
BlueHat v18 || MSRC listens
byBlueHat Security Conference
 
Paranoia or risk management 2013
byHenrik Kramshøj
 
Drones and Crime
byTerry Drinkard
 
Why is cybersecurity important for the entertainment industry
byLisa Stockley
 
Online firestorms - A tempest in a teapot
byHimanshuDaga7
 
Cybersecurity and liability your david willson
byDavid Willson, Attorney, CISSP, Security +
 

Similar to Stalking a City for Fun and Frivolity" Defcon Talk

PPTX
Reigning in the Data (FOSSCON 2014) - Ephemeral Messaging and Privacy In Post...
byAndrew Schwabe
 
PPTX
PL21 - OSINT.pptx
byDavid Busby, CISSP
 
PDF
How private is your privacy?
byJerric Lyns John
 
PDF
Wikileaks: secure dropbox or leaking dropbox?
byhackdemocracy
 
PDF
Ain't Nobody's Business If I Do (Read Serials)
byNASIG
 
PPTX
Privacy and Security in the Internet of Things
byJeff Katz
 
PDF
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
byEnergySec
 
PDF
2600 v13 n2 (summer 1996)
byFelipe Prado
 
PPTX
Avila 3 b
byMichael Chastain
 
PDF
2600 v16 n4 (winter 1999)
byFelipe Prado
 
PDF
Secure encryption in a wiretapped future
byMichael Renner
 
PPTX
2012 Reenergize the Americas 3B: Angel Avila
byReenergize
 
PPTX
Information Literacy, Privacy, & Risk: What Are the Implications of Mass Surv...
byg8briel
 
PDF
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
byNETWAYS
 
PDF
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
byNETWAYS
 
PDF
2014-12-16 defense news - shutdown the hackers
byShawn Wells
 
PDF
Security Solutions for Hyperconnectivity and the Internet of Things
byMaurice Dawson
 
PDF
CERT Data Science in Cybersecurity Symposium
byBob Rudis
 
PPT
Systemic cybersecurity risk
byblogzilla
 
PPT
Cyber(in)security: systemic risks and responses
byblogzilla
 
Reigning in the Data (FOSSCON 2014) - Ephemeral Messaging and Privacy In Post...
byAndrew Schwabe
 
PL21 - OSINT.pptx
byDavid Busby, CISSP
 
How private is your privacy?
byJerric Lyns John
 
Wikileaks: secure dropbox or leaking dropbox?
byhackdemocracy
 
Ain't Nobody's Business If I Do (Read Serials)
byNASIG
 
Privacy and Security in the Internet of Things
byJeff Katz
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
byEnergySec
 
2600 v13 n2 (summer 1996)
byFelipe Prado
 
Avila 3 b
byMichael Chastain
 
2600 v16 n4 (winter 1999)
byFelipe Prado
 
Secure encryption in a wiretapped future
byMichael Renner
 
2012 Reenergize the Americas 3B: Angel Avila
byReenergize
 
Information Literacy, Privacy, & Risk: What Are the Implications of Mass Surv...
byg8briel
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
byNETWAYS
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
byNETWAYS
 
2014-12-16 defense news - shutdown the hackers
byShawn Wells
 
Security Solutions for Hyperconnectivity and the Internet of Things
byMaurice Dawson
 
CERT Data Science in Cybersecurity Symposium
byBob Rudis
 
Systemic cybersecurity risk
byblogzilla
 
Cyber(in)security: systemic risks and responses
byblogzilla
 

More from E Hacking

PDF
CEH and Security+ Training Outline - EH Academy
byE Hacking
 
PDF
Threats against the next billion devices
byE Hacking
 
PDF
High Definition Fuzzing; Exploring HDMI vulnerabilities
byE Hacking
 
PDF
New Developments in the BREACH attack
byE Hacking
 
PDF
Exploiting Linux On 32-bit and 64-bit Systems
byE Hacking
 
PDF
Most Important steps to become a hacker
byE Hacking
 
PDF
Penetrating the Perimeter - Tales from the Battlefield
byE Hacking
 
PDF
Website fingerprinting on TOR
byE Hacking
 
PDF
Fuzzing the Media Framework in Android
byE Hacking
 
PDF
Hacking Wireless World, RFID hacking
byE Hacking
 
PDF
Abusing Microsoft Kerberos - Sorry you guys don’t get it
byE Hacking
 
PDF
Malicious Domain Profiling
byE Hacking
 
PDF
Searching Shodan For Fun And Profit
byE Hacking
 
PDF
The Machines that Betrayed their Masters
byE Hacking
 
PDF
Detecting Bluetooth Surveillance Systems
byE Hacking
 
PDF
Unmasking or De-Anonymizing You
byE Hacking
 
PDF
WhatsApp Chat Hacking/Stealing POC
byE Hacking
 
PDF
Building Trojan Hardware at Home
byE Hacking
 
PDF
Social Media Monitoring tools as an OSINT platform for intelligence
byE Hacking
 
PDF
LDAP Injections & Blind LDAP Injections Paper
byE Hacking
 
CEH and Security+ Training Outline - EH Academy
byE Hacking
 
Threats against the next billion devices
byE Hacking
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
byE Hacking
 
New Developments in the BREACH attack
byE Hacking
 
Exploiting Linux On 32-bit and 64-bit Systems
byE Hacking
 
Most Important steps to become a hacker
byE Hacking
 
Penetrating the Perimeter - Tales from the Battlefield
byE Hacking
 
Website fingerprinting on TOR
byE Hacking
 
Fuzzing the Media Framework in Android
byE Hacking
 
Hacking Wireless World, RFID hacking
byE Hacking
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
byE Hacking
 
Malicious Domain Profiling
byE Hacking
 
Searching Shodan For Fun And Profit
byE Hacking
 
The Machines that Betrayed their Masters
byE Hacking
 
Detecting Bluetooth Surveillance Systems
byE Hacking
 
Unmasking or De-Anonymizing You
byE Hacking
 
WhatsApp Chat Hacking/Stealing POC
byE Hacking
 
Building Trojan Hardware at Home
byE Hacking
 
Social Media Monitoring tools as an OSINT platform for intelligence
byE Hacking
 
LDAP Injections & Blind LDAP Injections Paper
byE Hacking
 

Recently uploaded

PDF
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PPTX
BIG DATA it is talking about the big data.pptx
byAbhishekGarg269
 
PPT
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
PDF
Hire-NET-Developers. Dot Net Developers
byDigisoft Solution
 
PPTX
Role of VMware and Cloud Computing in CyberSecurity.pptx
byalehanoor1325
 
PPT
Lecture_3 Network Securityeyeyggegeg.ppt
bysawsan202
 
PPTX
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
PPTX
Computer Science Degree for College .pptx
byHanenek1
 
PDF
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
PPTX
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
PPTX
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
PDF
Xnspy vs FlexiSPY: 2025 Monitoring Comparison
byMichael Carter
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PPT
Memory Organization In Assembly Language
byumairmuhammad0409
 
PPTX
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
PPT
html-forms in web development-courseICT.
bymadz33
 
PPTX
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
PDF
How Social Media Management Tools Work – Step-by-Step Guide
byTurrboo
 
PDF
Micro project .pdf drone technology Report
byRenitaMamgain
 
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
BIG DATA it is talking about the big data.pptx
byAbhishekGarg269
 
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
Hire-NET-Developers. Dot Net Developers
byDigisoft Solution
 
Role of VMware and Cloud Computing in CyberSecurity.pptx
byalehanoor1325
 
Lecture_3 Network Securityeyeyggegeg.ppt
bysawsan202
 
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
Computer Science Degree for College .pptx
byHanenek1
 
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
Xnspy vs FlexiSPY: 2025 Monitoring Comparison
byMichael Carter
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
Memory Organization In Assembly Language
byumairmuhammad0409
 
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
html-forms in web development-courseICT.
bymadz33
 
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
How Social Media Management Tools Work – Step-by-Step Guide
byTurrboo
 
Micro project .pdf drone technology Report
byRenitaMamgain
 

Stalking a City for Fun and Frivolity" Defcon Talk

  • 1.
    Stalking a Cityfor Fun and Frivolity “Pull pin, point toward privacy insurance claimant” Brendan O’Connor Malice Afterthought, Inc. http://www.maliceafterthought.com
  • 2.
    Everything leaks too muchdata. At every level, we’ve forgotten that privacy, not just security, should be a goal.
  • 3.
    It is nolonger possible to “blend in to the crowd.” Certain assumptions, and many action movies, will have to be adjusted. Every scene where an action hero dives into a mall with 10K people and the Feds say “dang, we lost him?” Yeah, that won’t work anymore.
  • 4.
    Fundamental changes are neededto fix this. So we’re probably doomed. But it’s going to be a fun time in the interim. And I mean both technical changes---more on this later---and cultural ones: it needs to *NOT* be OK to request too much data, let alone to store it or transmit it. And I say this as someone who has worked on software that millions of people use EVERY DAY: we *cannot* leak private data, or we have lost the only thing we do better than our adversaries, and the only reason anyone should trust developers.
  • 5.
    Foreword: Democratizing Surveillance http://www.flickr.com/photos/68979377@N00/3745750194 I. Foreword:The Democratization of Surveillance A. "Security is really the government's area." 1. This was actually said to me by my sister recently, indicating that I'm failing in my duty to educate my family. 2. Those of us in this room know that the government isn't very good at securing things by means *other* than throwing them in prison for large amounts of time. 3. Nonetheless, the government has a near-monopoly on surveillance.
  • 6.
    “Only the GoodGuys” http://www.flickr.com/photos/chberge/3753079527 4. When it doesn't, the perception of the general public is that "only good guys" have access to terrifying surveillance technology. This is *our fault* for not correcting this misperception, though groups reporting on, e.g., all the BlueCoat boxes they've found in repressive governments are certainly helping. Heck, PRISM was leaked, and this is *still* the thing I’m hearing: people think “hey, the NSA needs that.”
  • 7.
    “Sunlight is thebest disinfectant” http://www.flickr.com/photos/andyz/3857625392 B. "Sunlight is the best disinfectant." 1. A recent study showed that cops wearing sunglass cameras were 88% less likely to commit actions resulting in complaints, and 60% less likely to use force; when they did use force, those officers wearing lapel cameras were consistent in using the least amount of force possible in a situation. This effect was not duplicated in officers refusing to wear the cameras. 2. If we can see what's going on---if we can look back at our government---we have the opportunity to make sure it works as efficiently and safely as possible. If not, we are subject to blackmail, extortion, and threats. (See Aaron Swartz.) So we need sunlight---but we need it quickly, and where our natural inclination, our natural sunlight, is not. Those of you who are weapons buffs may know that this isn’t a photo of the sun: it’s a picture of the blast caused by Tsar Bomba, the largest nuclear weapon ever detonated.
  • 8.
    So I getcalled a stalker http://www.flickr.com/photos/simplyjessi/6333279524/ Wait, wrong stalker. This is an adorable cat, apparently named Stalker. People don’t call me an adorable cat.
  • 9.
    So I getcalled a stalker http://www.flickr.com/photos/dcagne/424124810 Much better. As I was saying, C. Why I do "creepy" work. 1. The only effective way to raise the issue of creeping surveillance and loss of privacy is to make clear that *anyone*, not just "the good guys," can use this technology for good or for evil. 2. The only way to make it clear is, of course, to release software that does it in a nice, user-friendly package.
  • 10.
    CreepyDOL is: • adistributed sensor network that combines wireless sniffing, distributed C&C, 3D visualization, and “grenade” encryption to do real-time personnel tracking and true-identity theft on a major urban area. It’s Stalking as a Service!
  • 11.
  • 12.
    The United StatesGovernment has declared a holy war against legitimate security research. Some of us think that’s not a good idea.
  • 13.
    It doesn’t matterwhether you like Weev or not. Mighty Casey got three strikes, but we get only one;“They claimed it was for the sake of their grandparents and grandchildren, but it was of course for the sake of their grandparent’s grandchildren, and their grandchildren’s grandparents.” (Douglas Adams) The time to fight private ex post facto laws is now---because once ratified by a Court of Appeals, it will be a generation before we get to try again. So set aside any dislike you may have for Weev---perhaps for the best of reasons---and act in your own enlightened self- interest. Or everyone in this room will be in prison soon.
  • 14.
    Amicus Brief ofMeredith Patterson, Brendan O'Connor, Sergey Bratus, Gabriella Coleman, Peyton Engel, Matthew Green, Dan Hirsch, Dan Kaminsky, Samuel Liles, Shane MacDougall, Jericho, Space Rogue, and Mudge And Alex Muentz, another hacker and a full lawyer, who was willing to take a law student’s brief and submit it to the Circuit Court of Appeals. All of the names on this list are big deals. Meredith Patterson from LangSec, Sergey Bratus, Patron Saint of the Gospel of Weird Machines, Crypto Engineer and Professor Matt Green, Dan Kaminsky, Jericho, Space Rogue, Mudge... the list goes on. And that should tell you how scared the entire community is, and should be; it touches all of us, whether we’re DARPA program managers, professors, or itinerant hackers.
  • 15.
    In the meantime,there will be a chilling effect, as we cannot trust legal actions not to be prosecuted anyway. Therefore, CreepyDOL has not been used to take on an entire city. It’s been tested, and parts of it have been tested with extremely high amounts of data, but I leave the next step, world domination, to a braver researcher.
  • 16.
    Extremely Serious Disclaimer Thispresentation does not create an attorney-client relationship. Probably. If it does, it will have said it does.Although it could have created an attorney-client relationship without explicitly saying so, because the law is tricky like that. This presentation may contain confidential and/or legally privileged information. If it does, and you are not the intended recipient, then the sender hereby requests that you notify him of his mistake and destroy all copies in your possession.The sender also concedes that he is very, very stupid. This disclaimer is not especially concerned with intelligibility.This disclaimer has no qualms about indulging in the more obnoxious trademarks of legalese, including but not limited to (i) the phrase “including but not limited to”, (ii) the use of “said” as an adjective, (iii) re-naming conventions that have little to no basis in vernacular English and, regardless, never actually recur (hereinafter referred to as “the 1980 Atlanta Falcons”), and (iv) lowercase Roman numerals. This disclaimer exists for precisely one reason—to make this presentation appear more professional.This disclaimer shall not be construed as a guarantee of actual professionalism on the part of the sender.Any actual professionalism contained herein is purely coincidental and is in no way attributable to the presence of this disclaimer. If you aren’t reading this, then this disclaimer has done its job. Its sad, pointless job.THIS DISCLAIMER IS NOT INTENDED TO BE IRONIC. Adapted, with kind permission from the author and publisher, from http:// www.mcsweeneys.net/articles/alright-fine-ill-add-a-disclaimer-to-my-emails . To be clear: I do not endorse using this software, or any software, for criminal purposes. We're hackers, not criminals. I want the fact of this software's existence to help shape habits and, hopefully, the next generations of mobile devices; perhaps they won't be designed (at the protocol level) to leak so much information so widely.
  • 17.
    DARPA Cyber Fast Track •CreepyDOL is not CFT work • DARPA tries hard not to build stuff that creeps people out this much, and they’re very nice people. • That said, two CFT contracts did let me build two of the core systems: Reticle, and the visualization system. • Thanks, Mudge!
  • 18.
    Roadmap • Goals • Background •Architecture • Design of CreepyDOL • Future Work • Mitigation
  • 19.
    Goal: Passive Wireless http://www.flickr.com/photos/library_of_congress/2163911718 II.Goals A. How much data can be extracted from passive wireless monitoring? 1. More than just from a network trace---remember that when not connected to a wireless network, WiFi devices send out lists of their known networks, asking if anyone can help them. 2. As soon as a device thinks it's connected to WiFi, all its background sync services will kick off again---DropBox, iMessage, all the rest. So we'll immediately know that certain services will be in play. 3. Over unencrypted WiFi, all the traffic sent by a device is exposed. Even if we can't see both sides of every message, we can learn a lot from what we do see---especially if we know how a given protocol operates. 4. How much better could we do if we had not one sensor, but ten? Spread out over an area? Now we have geolocation, time and place analysis, etc. 5. If we're tracking over a large area, we don't just want to know traffic and devices: we want to know people. Can we take data and find people? (I don't want your SSN, I want your name. And really, I want to know enough about you to blackmail you; information is control.)
  • 20.
    Goal: Large-Scale SensingWithout Centralized Communications http://www.flickr.com/photos/christmaswithak/2732857205 B. Can we do large-scale sensing without centralized communications? 1. If we centralize communications, life is simple; everyone phones home---but a compromised node gives every attacker the location of the mothership. 2. Centralized communications decrease resistance to attack, and prevent you from responding agilely to attack.
  • 21.
    Goal: Intelligibility http://www.slideshare.net/EmilandDC/dear-nsa-let-me-take-care-ou C.Can we present massive amounts of this data in a way that is intelligible by mortals? User-friendly? Still secure? 1. Group One of high security products: incredible technology, terrible UI. This causes low adoption, or (possibly worse) mistakes in use. Systems fail, people die. Examples: Pidgin-OTR, or PGP/OpenPGP. 2. Group Two: Concerns about technology, great UI. This causes adoption, but can cause massive problems later (if the concerns are borne out). Examples: HushMail, Silent Circle. 3. Group Three: Good technology, great UI. This is wonderful, but incredibly hard to do (because UI masters are usually not security wizards). Example: CryptoCat, RedPhone. 4. We would aspire to have CreepyDOL be in Group Three, through a variety of methods to ensure secure communication in relatively-intelligible ways. *This is an ongoing process.* Our code is open source, to allow verification, and will be released in the coming weeks.
  • 22.
    Roadmap • Goals • Background •Architecture • Design of CreepyDOL • Future Work • Mitigation
  • 23.
    Background:Academic Sensor Networks Rock! http://www.flickr.com/photos/22240293@N05/3912598338 (Thisis the MIT CS building, if you’re wondering. They have an awesome sensor network, and their papers are always accompanied by the *weirdest* floor plans.) III. Background A. Sensor Networks 1. Academic researchers have spent tons of time and resources on these. MANETs, other advances in technology have resulted. 2. A lot of these have uW power levels, and sacrifice languages, OS, and cost to get there---especially cost, with many nodes costing $500 or more. Each. 3. I can't afford this. I want something I can afford to break, to lose, and even to have stolen. I want it an order of magnitude cheaper, and I want it to run Linux. (Ubuntu or Debian, if possible.)
  • 24.
    Background: Large- Scale Surveillance •Remember, we knew this was happening before PRISM was announced • In my original outline:“One can assume that they have solved all of the problems involved in CreepyDOL before me, and that they should, rightfully, be cited as prior art. I'd love to do so; as soon as they publish their work, I'll be happy to cite them.” • Heh heh heh. • Pour one out for the Intelligence Community: a lot of this stuff is a pain to figure out
  • 25.
    Roadmap • Goals • Background •Architecture • Design of CreepyDOL • Future Work • Mitigation
  • 26.
    Hardware! So now let’stalk about system architecture. First: Hardware.
  • 27.
    F-BOMB v.1 (ShmooCon2012) A. Hardware: F-BOMB, version 2 (Falling/Ballistically-launched Object that Makes Backdoors) 1. Originally presented at ShmooCon 2012. At that time, this was based on the Marvell Sheeva board, the same board used by the Pwnie Plug that’s been selling so well for years. To keep costs down, I was actually buying PogoPlugs, a rebranding of the Sheeva board, as they were being sold as essentially fire sales, and stripping out their guts. Conveniently, (next slide)
  • 28.
    It fits ina CO Detector No one ever checks their CO detector to see if it has become a node in a sensor network. The new one fits much better into this case; much less cutting is necessary.
  • 29.
    F-BOMB v.2 2. Now based on the Raspberry Pi Model A, because it's awesome, runs an easier version of Linux (Debian vs. Arch), and I can actually get it for cheaper than the salvage PogoPlugs. We also get significantly reduced power consumption, it runs at a better voltage (5v instead of 12v), it’s physically much smaller and lighter, and it actually has more RAM and processing power on board. You can see there’s a bit of cord sticking out of each F-BOMB in this photo; this is because I mis-measured when buying the cas. But the Raspberry Pi is actually much smaller than the Sheeva board, so it fits better into smaller objects. (Hold up one.) These devices use USB power, which means that I can plug them into walls (you can see an Apple-style USB power adapter in the lower-left), but also into USB batteries, MintyBoost kits, or anything else that gives me 5v in this ubiquitous form factor. They do not use that port as a data port.
  • 30.
    Total: $57.08 http://www.flickr.com/photos/gijsbertpeijs/7988257583 http://www.polycase.com/lp-51p http://www.targus.com/us/productdetail.aspx?sku=ACH63US http://www.amazon.com/JacobsParts-150Mbps-Wireless-Notebook-TP-WF11/dp/ B0067NFSE2 http://www.newegg.com/Product/Product.aspx?Item=N82E16820147152 http://www.ebay.com/itm/10x-USB-USA-AC-Wall-Charger-for-Apple- iPhone-3-3G-4G-4S-5-5G-iPod-New-White-/271163372744 Raspberry Pi, ModelA: $25 Case: $4.61 USB Hub: $5.99 WiFi: 2x $6.52 SD Card: $6.99 USB Power: $1.45 Total: 57.08 per node 3. Per-Node Cost: $57.08 in 10-node quantities, excluding case. a. I bought cheap wall-wart cases and used a drill saw; you can 3D print them, or even buy disposable GladWare and use that. It’s within the price range of any kid who mows lawns energetically for a few weekends to build a group of these.
  • 31.
    Wait... why 2WiFi? • Because I’m cheap and lazy • Introducing PortalSmash: it clicks on buttons, so you don’t have to 4. Nodes don't bring "phone home" communications gear, e.g., a 3G card; that's too expensive and *very* easy to trace (just call VZW tech support!). They use PortalSmash, Open Source software I've developed to look for open (or captive portal) WiFi and use that. In an urban area, that's perfectly sufficient. (No, PortalSmash doesn't look at encrypted WiFi; yes, you could add Reaver etc. No, I'm not planning to.)
  • 32.
    C&C Software • “Reticle:Leaderless Command and Control” • This was the first of the two DARPA CFT contracts I mentioned • Whole presentation at B-SidesVegas 2012---but I will summarize B. C&C Software: Reticle, Leaderless C&C 1. Developed under DARPA Cyber Fast Track, Spring 2012 2. Original work presented at BSidesLV 2012, but massive improvements, and a complete rewrite, since then.
  • 33.
    Reticle Each Reticle noderuns CouchDB, a NoSQL database, plus Nginx, Tor, and some custom management software. This lets nodes combine into a peer-to-peer “contagion” network in which each node sends commands and data to every other node, for both command infiltration and data exfiltration, without any single point of failure. They speak via Tor, to prevent anyone on the network to which they connect from determining where other Reticle nodes are living. To make reverse-engineering of a node much more difficult, Reticle nodes can be configured with what I call “grenade” encryption: pull pin, throw toward adversary. They load their encryption keys for their local storage at boot from removable media, which is then removed to prevent an adversary from recovering the data. A “cold boot” attack is certainly possible, but since most nodes don’t have batteries, it’s physically kind of a pain to do---and it’s not a usual thing for most people to dump liquid nitrogen on the first black box they see plugged into a wall. CreepyDOL, then, is just a mission Reticle runs; it can be retasked at any time.
  • 34.
    Roadmap • Goals • Background •Architecture • Design of CreepyDOL • Future Work • Mitigation
  • 35.
    CreepyDOL So as Imentioned, Creepy.
  • 36.
    Distributed Computation for DistributedSystems http://www.flickr.com/photos/lara604/3164622774 http://www.flickr.com/photos/jenniferboyer/52474490/ http://www.flickr.com/photos/gaelx/1858599144 A. Distributed Querying for Distributed Data 1. Since we don't have independent, high-bandwidth channels for sending data home, it's not a good idea (and may not be possible) to send raw packets home. Nodes should send home data that's already been digested. 2. So: we run any queries on the nodes that can be effectively run on the nodes, *given data that node has collected*. 3. We do not process multi-node data on individual nodes, even though every node has access to all the data (see "contagion network"), because they've got limited processing power---and more importantly, data storage.
  • 37.
    Centralized Querying for CentralizedQuestions B. Centralized Querying for High-Level Data 1. Things that need datapoints from multiple nodes---tracking, pattern analysis, etc., go on the "backend." 2. The backend is just another node, but with a special mission configuration: rather than just sensing and adding data, it receives data from the contagion network, pushes it into another system (a data warehouse), and then instructs the contagion to delete it to make room.
  • 38.
    NOM: Nosiness, Organization,and Mining http://www.flickr.com/photos/scjody/5345366096 C. Data Query Methodology: NOM 1. O: Observation. Take as much data out of local traffic as possible; this means names, photos, services used, etc. To make this easy, we've created a large number of "filters" that are designed for traffic from specific applications---DropBox, Twitter, Facebook, dating websites, etc. Now, many of these services encrypt their traffic, which is admirable; however, in many cases, we can still get useful data that they provide in, e.g., their User Agent. And there’s no reason for them to do this. (Next slide)
  • 39.
    Why? So this isa screenshot from Wireshark, of a packet being sent to request new iMessages from Apple. Notice at the bottom, where it sends the hardware device and iOS version, as part of the HTTP header? This is unnecessary, and it’s harmful. (If Apple needs this information, it could transmit it inside TLS.)
  • 40.
    NOM: Nosiness, Organization,and Mining http://www.flickr.com/photos/scjody/5345366096 2. N: Nosiness. Using data extracted from O queries, there are lots of leveraged queries we can make; for instance, given an email address, we can look for accounts on web services, or given a photo, we can look for copies of that photo pointing to other accounts. This can be run either as distributed or centralized. 3. M: Mining. Taking data found by the nodes, build up larger analyzed products. For instance, is the device (person) usually in one area during a certain time of day? Are there three devices that are almost always seen together, if at all? (The latter may indicate that they are all carried by the same user.) This type of query is exclusively run on the backend.
  • 41.
    CreepyDOL Architecture So thisis the overall architecture for CreepyDOL. The nodes connect to each other, and one node becomes a “sink node” from which data is pulled and sent to the CreepyDOL storage, so that it can be used in the visualization. The visualization pulls data from the storage and from an OpenStreetMaps provider, to have underlaid maps.
  • 42.
    Visualization • Second DARPACFT Contract • Used the Unity Game Engine • Side note: wow, that’s a fun toy • Side note: wow, I hate writing JavaScript that’s interpreted by C#, then compiled into .NET CLR • Runs on an iPad! Or OSX/Windows/Linux/Android • I think I could make it run on an XBox360, actually (Unity isVery Nice) So let’s talk about visualization. To prevent the user (the person requesting data) from being tied to a particular computer, we use the backend to run queries for visualization, then serve the results to the user's visualization computer. To make it easy to do large-scale visualization, I used an existing engine: the Unity game engine, used in hundreds or thousands of iPad, iPhone, XBox, Wii, and PC games. This let me take advantage of the hundreds of person-years of development they’ve already done to make it fast. As a side effect, it also means I can run my visualization on an iPad; since all the processing is done on a visualization server, it doesn’t need to be able to hold the data in RAM.
  • 43.
    DemoVideo! Watch closely: doyou see the creepy?
  • 44.
    Test Parameters • Toprevent badness, we programmed the NOM system to look only for traffic from devices we owned; no “random stranger” data was collected at any time.
  • 45.
    So first youcan see the plane loading. Then the data loads, and after a brief loading delay, the map comes in from OpenStreetMaps. I’ll zoom the camera in and out a bit; you can see that it’s 3D, and the control interface works much like Starcraft or other real-time strategy games, except with people instead of alien troops. Now you can see I’ll draw a box to select a group of data, and after a brief delay, the data and map will re-draw to allow more focus on the data in question. I can hover over various nodes to see their MAC addresses and locations, but for maximum data, I click on a node, and it shows me everything. I have some of the services I use, I have the hardware and software I’m carrying, I have a real name, email address, and even my photo from an online dating site. Combined with the true location and time of each of these pings, we end up with the same data that you used to use a whole team of surveillance agents to retrieve. Cheap, distributed stalking.
  • 46.
    Roadmap • Goals • Background •Architecture • Design of CreepyDOL • Future Work • Mitigation
  • 47.
  • 48.
    Counter-Infiltration http://www.flickr.com/photos/igalko/6341182132/ A. Counter-Infiltration 1. There is a persistent rumor, in cases of exceptional police brutality (Occupy Anything, or more protests in Britain) that the police are sending in agents provocateur to cause the disruption that gives them an excuse to crack down. (This rumor is at least 300 years old, by the way.) 2. CreepyDOL would let you set up "known devices" with alarms for new ones, watch as new people come in, or even simply set off a klaxon if a Blackberry shows up (obviously a cop). C. OPSEC Training 1. The ROE for my tests demonstrate limiting data capture to one or several known devices. Use that to test your agents' OPSEC capabilities: set up a wide-ranging capture network (but tied to their stuff) and see what they leak. 2. The advantage is that you don't need to control every network an agent accesses. This lets you test "in the real world," which is much more realistic.
  • 49.
    Evidence Logging http://www.flickr.com/photos/decade_null/142235888 B.Evidence Logging 1. Again in fast-moving scenarios like protests and rallies: there's a real problem with destruction of evidence, electronic or physical, during crackdowns. In addition, it's very, very difficult to know who was *in* a kettle in the first few hours afterward; a way to know that could be very comforting and/or helpful to those outside. 2. Since CreepyDOL uses a contagion network, anything it logs will be immediately shipped out of the area to linked nodes anywhere on the planet. If those nodes go offline, the data is preserved. 3. For bonus points, use F-BOMB belt packs (which last a very long time on batteries) to have moving logs---and if you come in range of a WiFi AP somewhere (say, at a stop light), they'll offload their data without any additional interaction. 4. The encryption, and the fact that the nodes don't persist their keys, mean that unless an adversary *already knows what it is and how to cold boot it*, they don't get data. If people on the outside are concerned about the nodes, revoke their device certificates and they'll be cut off immediately.
  • 50.
  • 51.
    Scaling Up • ShardingContagion Networks • Scaling backend --- luckily, this isn’t hard • Scaling limits of visualization Sharding the contagion networks: it’s easy, just give them different keys. Each network could have a sink node that throws data into the visualization system. Scaling the backend is similarly easy: the software communications with the visualization engine over HTTP, so it can run in the ubiquitous cloud. Indeed, running the backend on Amazon S3, I’ve tested scaling parts of the backend to over half a terabyte of packet capture data. The visualization is somewhat more difficult; Unity gets fussy if I display more than a couple thousand nodes at once. However, with grouping, and eventually, over large map areas, doing limited field of view and view distance work (as they do in real video games), this can be mitigated.
  • 52.
    Enhancements • $20 SDRdevices (RTLSDR) • To listen to any frequency, not just WiFi • Encrypted WiFi Workarounds • e.g., Reaver • Jasager (WiFi Pineapple) to make sure wireless devices connect • MitM
  • 53.
    Roadmap • Goals • Background •Architecture • Design of CreepyDOL • Future Work • Mitigation
  • 54.
    Mitigation:A Sacrifice The leaksare at all levels. The 802.11 protocol asks devices to do this beaconing which means that even with encryption both in the protocol and over the air, I can still do tracking and identifications. The OS won’t enforce VPNs (iOS). The apps leak too much data that they don’t need. This is EVERYONE’s fault, but no one wants to take responsibility for their own actions. It’s the status quo, right?
  • 55.
    The Status isNot Quo Image from Dr. Horrible’s Sing-Along Blog, by Joss Whedon We can’t tolerate this level of privacy leakage: as consumers, we should demand better, and as developers at every level, we have a responsibility to do better.
  • 56.
    Digression: Hark • Archivefor hacker work of all types (not just security) • Mentorship, promotion, and archival forever • New system of unique identifiers, like the academic DOI system, but free • On Kickstarter now: http://thehark.net So a very short final note on Hark. There’s been a back and forth between academic and non- academic researchers for years, where the academics say hackers aren’t rigorous enough and don’t cite their work, and hackers say academics don’t do anything *but* cite other work. After this blew up at ShmooCon 2013, those of us who, like myself, straddle the academic/ nonacademic divide, had some discussions and drew up plans for a way to let hackers archive their work, whether it’s a tweet, a blog post, a conference presentation, or a journal article, and cite previous hacker work regardless of whether it’s been academically published. I don’t have time to go into all the details right now, but if you think it’s important for hackers to stop re-inventing the same wheels every time we have a new research projects, I hope you’ll check out thehark.net. And yes, we encourage corporate donations.
  • 57.
    Thanks! • To allthose I’ve asked for comments, to Mudge for CFT, and my law school, for letting me spend so much time on other things. • Also, I’m finishing law school in 10 months, and am wondering what I ought to take on next. If you’ve got something interesting, ping me: brendan@maliceafterthought.com. • http://thehark.net