
Rickroll Workshop

BSides St. Pete · 2025 · 33:29 · 9 views · Published 2026-03 · Watch on YouTube ↗
About this talk
Rab Beverly explores the psychology and techniques behind rickrolling, demonstrating how to craft deceptive links, fake domains, and social-engineering tactics that fool even security professionals. The workshop covers URL spoofing, Open Graph manipulation, browser exploits, and credential harvesting through fake login pages, using practical examples to teach the art of pranking and link-clicking awareness.
Original YouTube description
Rab Beverly: Rickroll Workshop
Have you ever thought Charles at the office needs to come down a peg? Does your company Slack need a dose of anarchy to wake it up? Or do you think people are just too gullible when they see an interesting link? We can solve these problems and more with the classic Rickroll... a tradition almost as old as the whoopee cushion. Using only the most basic tools and protocols, we'll build up layers of deception to sow the seeds of anarchy, horrify seasoned CISOs, and stop indiscriminate link-clickers in their trackballs.
Transcript [en]

If you click on a little... Rickrolling, why would we need a whole talk about Rickrolling? It's ridiculous, right? Well, it's not as ridiculous as you think, because much of the subtle art of Rickrolling has, in my opinion, been lost over time. So, in the early days of, you know, chat room links that we naively followed and that sort of thing, some of these links, when you clicked them, yeah, it was going to play Rick Astley, but your computer starts on fire too. We're not going to do that, but we can play around a little bit. So, just going a little deeper into things that we can do, but it's better than dropping a YouTube link to doing a dance. And so the way I'm going to do that actually is... And I'm gonna just go to this one. All these are on the internet. What's the other one? The other one is if I go to...

Okay. So, if you ever see me just drop a link to this site, it's obviously fake. But this is the site that I usually use. What number? And the reason I do that is because I have a couple little stories on it that are the story of the day that I think, hey, my friend who's the CISO of a security company would probably click this link. And then it's a test to see if I've reestablished enough trust to get the CISO of an independent security company that trains people on not clicking links and other things to click that link. The answer is often yes. So I won't name the company, but it's my good friend Tre. I got him twice in one day somehow. And all I had to do is... actually, it was the Kali Linux one.

By the way, I will go beyond the psychology. But let's start with psychology. Why do people click links? Well, it's that the thing that the link refers to, or the story, let's say it's a news story, is something that matters to them. So, you know, I've got gaming links. So there's the World of Warcraft and people might just be outraged about it. That's ridiculous. There's no World of Warcraft for iPad. I've got some Kali Linux ones. That's a good way to get your security friends. So you've got to think about that, you know, like don't just go find something, make something. We'll talk about how to make them. And then secondly, make sure that wherever you're putting that, it's presentable. Oh, well, you know, the URL can help. Sometimes you can get people to click the tiny URLs and that's fine, but then after a while they stop clicking the tiny URLs. So, what you do is you get, I don't know, your company, or you spend 20 bucks of your own money, whatever, and you start registering really realistic sounding domains, and then you can sell them off later once they're completely destroyed and no one trusts it anymore. But in the meantime you need a domain that someone will think, oh, that's a real website. So this one, this isn't the best, but it's called securitycompliancetools.com. Okay, fine, so all the GRC people are like... And then if they do happen to click on this one... I got no less than 10 ASP.NET developers with this one. But for a minute, you'll notice there's this thing. It's like, oh, but then Rick Astley comes up. Now, why did I do that? Does anyone know why this gets on? Well, I mean, like, why did a news story come up first?
>> I want to point something else out too.

By the way, anyone who's got a laptop, do yourself a favor. I'm not doing any real hacks on you with this, but you'll think I am. If you go to security-pliance-tools.com, click on one of my links that ends up redirecting to Rick, it'll kind of work on an iPhone. It's really great on a laptop in this particular case, because I reverse your mouse. So, it makes it really hard to escape from the page. So, that's this little spinning Rick head. You know, like I'm moving the mouse left, now I'm moving it... Now I'm moving it right, but it's going left. It's sort of confusing. So that's the illusion of loss of control.

Like this is part of the problem, right? You guys following me here? Like pranking your friends, pranking your kids if you're sending like a story to your daughter or whatever. It's fun. It's screwing up the little scroll bar. So, it's like, what's going on on my computer? Ah, hold on. I have a... damn. This is really hard when the mouse is reversed and you're never... Oh, here we go. Okay. So, this one is called Dynamite. There we go. I think I have like one page that links to this one. I'm not sure. It's a little bit different color. It does the same thing, but in this case, autoplay is not turned on. So, there's no thing up here that says autoplay was disabled, because, you know, now browsers are like, we're not going to let you autoplay, because people keep messing with their friends and annoying them. But if you do happen to click anywhere on this page... and mirror displays, but this is amazing. Okay, I know how to drive my computer now. So let's do... doesn't want to do.

>> Quick tip, when you're making Rickroll sites and testing them to screw with your friends, always put a hotkey in there to turn the sound off. Because when you lose control of the mouse and you're redirecting other hotkeys to keep them from escaping from the browser, and you're finding ways to automatically maximize the browser or switch to a different desktop or things like that, none of which I can do right now, but all these exploits exist at various times and people patch them and fix them and then you find more. You really want to be able to have a way to turn off the sound for yourself. So your friends, if they can't figure out how to escape, of course they eventually will, but they would have to dig through your JavaScript code to figure out how you silence the sound. It's just press the S key and it stops talking.

So let me go to item number two. How do you do autoplay if you want to mess up someone's work day by having music come blasting out of their computer at the office while, you know, this guy's dancing around and their manager just walked up to them like, you have a report that you need to do? The answer is the little cookie banners, right? Like this is so obvious, because if you click anywhere, you still get to essentially autoplay in your site. So, in summary, for those who aren't following or aren't familiar with these browser rules, like the browser won't let you play sound automatically when you load a website for the first time that you're like allowed to play sound, but it will let you do that if you click anywhere on the website or if you have any meaningful interaction, which I've dug deep into the definitions for that. But they like to hide the details, because they're like, someone's watching this. All right. Now, I'm going to show you... this is a different site, and this walks through some of the things. I actually made this for the... is it 502 or 503? I can never remember. 502. Yeah. 502 project. So it was like a kids coding and security thing and we had a lot of fun. I was like, we should do basic HTML, JavaScript, CSS stuff, because, honestly, people in cyber, no offense, don't even necessarily know all this stuff about the three pillars of any website. I mean, a website is doing these three things: HTML, JavaScript, CSS. But the browsers and the languages allow you to cheat and do things that you should not be able to do, but for whatever reason you can. So this is secret-sirl. Feel free to go to it. The code for all these is also on GitHub. I pushed to it today as I was like, oh, I should have this page, but... so of course it's like basics. The idea of course is that at any time you should probably view source. Let me show you a few ways that it's easy to cheat. I know the text is small here, but that's what command plus is for. So, let's load that right up. Make it big. Okay. So, of course, as you can see, this just links over to the breakable site, but here's one very trustworthy link. Google.com.

You can't really see where it goes, but that's okay, because users using a website don't look at that either. So, if they see a link that says google.com and it's blue like a link, they're like, "Oh, that link goes to google.com." It does not. This link goes to this. Okay. So, this is like the easiest trick in the book, right? But did anyone not know that this works? You can raise your hands and be like, I didn't know that. Let's try... this is the one where I either do.

>> So, let's do Bank of America. I log into my bank account. Now this link could say BankofAmerica.com. Right now, I'm not doing this with people's real Bank of America. I'm just showing you, like, if you were on the dark side, this is how you would do this. It wouldn't go to Rick Astley. It would go to this, like, Bank of America. I'm going to unminimize the screen so you can kind of see the whole thing. I'll tell you what I think is hilarious about this screen: I literally just screenshotted the Bank of America website and it's the background, and then I stuck a user ID and password field over the actual user ID and password fields on the site, and I stuck a login button over the login button on the site. Now, should you put your Bank of America username and password into this site?
>> Yeah. Yeah.
>> If you use a password manager, will your password manager allow you to put the Bank of America username and password into the site?
>> Probably not easily, which is why you should use a password manager. As you can see, I have 1Password right here. Of course, I could screenshot this 1Password icon and make a little fake 1Password interface that you can click, and it'll be on the console. Find it and then you type. But 1Password is not going to put your password in here. F12. The keys are all gone when you mirror the display. So, give me a second. I'm going to pull out... keyboards will come into this proise.

Oh, I know. Surely there's got to be like icons on here, right? Does anyone know how to do this on a Mac? Where are...
>> Oh, I know. Let's inspect.
>> Just for those who think that like, oh, I know we got on a tangent, but I do this. This is why the site is called secrets world, because I have a bunch of distraction disorder. So let's just say you started putting your username and password into one of these sites. You're okay as long as you don't hit login, right?
>> What do you guys think?
>> Who thinks you're okay?
>> All right, a couple people think you're okay. I'm just going to start typing in here... that has high entropy to that password. So, it's obviously a good password, because entropy is all that matters. So, you can see in the console my JavaScript is sitting here spitting out like, "Hey, you did this..." Yeah, because you don't have to hit login, right? When you're searching Google, you're getting these results returned as you type. That means that whatever you're typing is going up to a server. So, you don't even have to really get something. They can be like, "Wait a minute, this is sus." But they've already typed in the username and half their password. Oh, yeah. And just for fun, because this is the prank version, you get this little... or IP when you start typing in, and then I love stuff like this. You hit login and like your shoes come off and there's a little... got to have fun. Okay, so why did I do all of that? Because the point is, pranking people, probably scamming them too, is about terrible user interface. And it's also about, you know, showing them things that they think are legit, but they're not legit. So, let's do some... Okay. Well, in here, this is the same thing, but it's obviously the highlighted link that says bank.com and it takes you there. I think that would get me on a bad day. Would that get anyone? I mean, like, be honest with yourselves. I've probably done this. So, all right. And then this is an honest... So, links, that's one thing. Links don't necessarily go where you think they're going to go. So, you can trick people with... I have anything on image.

Here we go. This is the other one I wanted to show you. How many people know what Open Graph is? See, this is a front end web developer thing. So, oh, you're thinking of...
>> GraphQL. Yeah. So, Open Graph does sound like GraphQL. But what it does is it's a protocol that wise people invented and it tells chat applications, websites, search engines, Twitter, Facebook, etc., what's on a website, and whatever the Open Graph data that you put in the meta of your page, that is what all of those social media sites believe. Does that sound unbelievable to you? If you didn't know about Open Graph, you would think that that's ridiculous. All right, fine, if it's so ridiculous. I happen to have a tiny URL for this page. TinyURL. Let's open this right in.

Okay. So, this page is called embed og things. I'm going to copy the tiny URL, which is tinyurl.com. Let's go to... Okay, close your eyes for like 5 seconds, because when I pull up Discord, it's going to have a spoiler. Oh, it doesn't have a spoiler. Good. Okay, I'm going to go to general. How many people are in the BSides Discord? Yeah. All right, everyone should be in there. I'm just going to post this little tiny URL. What is this? I'm going to get in trouble. They're never going to invite me again. So, posted it.
>> Oh, come on.
>> What?
>> Someone typing. Hold on. Someone's on to me. Here's what it looks like. You can see that I posted it here. tinyurl.com/g-legit. Now, was the page that I just showed you demonic summoning 101? I don't remember that detail with like a crazy... It was not. Well, that's if you click the link.
>> So, here's the point. Open Graph shows this. The website shows something else. So, I can make a website preview that looks like anything I want. I can make the website preview be Bank of America, like pretty authoritative, or Kali Linux has been owned by San whatever, like, you know, just because I can generate those previews. So how do you do that? The answer is F12. It's probably for the better, because F12 is a criminal offense in some states. But the answer is these. I know they're really not very visible, but you can go to the site. OG title: something 101. Even though this title is open graph for the win, they're not the same, but a chat engine, Twitter, whatever, will use what's here. URL: you can actually change this and it'll work on some sites. So you tell it that the URL is X, they delete the actual URL and they show the preview with the Open Graph URL. Try it sometime. It's fine. Type: website. That's just a basic thing. Tells it it's a website. But you can also put video, audio, etc. here, and it'll try to embed a video. And then you can play shenanigans with these other OG attacks. And then Open Graph image. I put an image here that appears nowhere on my entire site. It's like an image that I found today on some content delivery network called MK. I have no idea what that is. It was like the first thing that came up when I Googled frightful pictures, to not an audience of children. And then OG description. Whatever you put here is the description.

Now, so okay, in summary, if I put those OG tags in a page, it will like...
>> Yeah. Yeah. It'll show a preview. You'll be believed by lots of things, including Discord, Slack, Microsoft Teams, all of your work chat platforms, Twitter, Facebook. If your email automatically generates previews, yes, pretty much anything that generates previews, this house open. So that is how you can mess with graph. Not sure how many other things I actually have. So, hold on. Let me see if I have anything. If not, I already talked for... the Bank of America... raise your hand for a question. I get a hand raise. I'm going to tell you the question here. Oh, ask me. Hey, how do you reverse the mouse?
>> Oh, good question. So, he asked, "Hey, how do you reverse the mouse on a web?" Hoping someone's take a look at that. Back to my little dashboard here... use Sublime Text. It's a really great text. Okay, let's find a JavaScript file here, which I will then blow up and config. This is the play. So anytime you click on a page or accept cookies or something, my thing to make... shut up or song.

So this little function here, any JavaScript programmer using JavaScript... this is just a closure. This function automatically runs. And then we've got this little pointer, custom mouse pointer, but it's not really a custom mouse pointer. It's actually just an image of a mouse pointer. And simultaneously in the CSS I make your mouse pointer invisible, and the fake mouse pointer is always moving in the opposite direction of your real mouse pointer. So we're doing game programming here, basically, and we're playing like Tyrion or some space game with your mouse pointer. Your mouse pointer is visible, you get to use this mouse pointer. And of course, for fun, I added a little spinning head to it, but that's what we're doing. So, like again, the code's on my GitHub, but we're just moving the parameters of this image positive of a mouse pointer. That's all we're doing: moving an image around on a screen as you move your mouse, but your mouse is invisible and the image happens to look like your mouse. So that is why you cannot... Any other questions I covered?
>> Yes.
>> I don't know that I have a way right now. You can try to call like full screen. I think you may still be able to do that if... Yes, I know how to do it. Okay, here's what you do. It's a two-step process though. I believe you can do it if you can get interaction and then set a cookie and then have them visit the same root domain again at some point in the future. And the reason I think that that's still possible, I can't guarantee it, and it's probably not going to work on every browser. The reason I still think this is impossible is because the security and web-based games are constantly wrestling with each other. And if people want to log into a game to be like, I can hear the music, this is great, I am playing my game now. So like, oh, and then the other thing is like if you can give it enough permissions or request enough permissions and somehow get that person to say yes, you know, this website can delete my computer and start it on fire, then sure. But, you know, there is a certain point where it's like the browser doesn't have the permission to do things, and then, well, then you wait for your friend to walk away without locking the computer and you upload a custom version of Firefox or Chrome. Now we do everything. So yeah, so there's a few solutions there. The ultimate one is compile your own web browser that looks just like theirs, and remember to change it later, because theirs ends up being updated and eventually you're going to get destroyed by a version of Google Chrome.
>> Yeah. What was... there was another question in the back. Yes, sir.
>> Yeah. playing with like that.
>> What links?
>> AMP to where it's basically like browser browser. So I'm not familiar with the terminology and I'm not the grandmaster expert on all of this anyway, but I do know that one of the tricks, kind of, for what you were talking about that has worked in the past on some browsers, I think it's fixed on most of them, is you put in an iframe that goes to any other website where the user has cookies, and then autoplay will work, because somewhere on the page a site that they have a cookie for has... or somewhere on the page exists a site, you know, or an embedded piece of a site, that they haven't. It doesn't work anymore, because someone was like, "Wait a minute, this isn't smart." The page that's trying to play, you know, the music, or automatically load the media file, whatever it is, is only embedding the page that they have... for, so... but I do know that that has worked, and there may... there's probably still something... Has anyone ever gotten a virus from an image or a video? I always think about that when things want to automatically load. I'm like, man, I sure trust my browser a lot. What can we do? You can't do anything about that. Okay. Hopefully that was fun. That's pretty much what I've got. Unless there's any other questions, I'll be happy to answer.
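The two spoofs the talk leans on most, an og:url that claims a different site than the one actually serving the page and a link whose visible text is a domain other than the host its href points to, can be checked mechanically before a chat bot renders a preview or a user trusts a link. The script below is an added example written for this page; it is not the speaker's code and does not come from his GitHub. The hostnames (rickroll.example, example-bank.test) and the sample HTML are constructed, and the tag extraction uses simple regexes that are adequate for this sample but should be replaced by a real HTML parser in production.

```javascript
// Link-preview sanity checker (added example, not from the talk).
// Given the URL a page was fetched from and its HTML, it reports:
//  1. an og:url whose host differs from the host that actually served the page
//     (the "they delete the actual URL and show the Open Graph URL" trick);
//  2. anchors whose visible text is a bare domain that differs from the href host
//     (the "link that says google.com but goes somewhere else" trick).

// Collect og:* meta tags into a plain object, e.g. { "og:title": "...", ... }.
function extractOpenGraph(html) {
  const og = {};
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const prop = /\bproperty\s*=\s*["']?(og:[\w:.-]+)["']?/i.exec(tag);
    const content = /\bcontent\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (prop && content) og[prop[1].toLowerCase()] = content[1];
  }
  return og;
}

// Collect anchors as { href, text } with inner tags stripped from the text.
function extractAnchors(html) {
  const anchors = [];
  const aRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = aRe.exec(html)) !== null) {
    anchors.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return anchors;
}

// Host comparison is deliberately simple: lower-case and drop a leading "www."
// so that www.example.org and example.org count as the same site.
function normalizeHost(host) {
  return host.toLowerCase().replace(/^www\./, '');
}

function hostOf(urlString, base) {
  try { return normalizeHost(new URL(urlString, base).hostname); }
  catch { return null; } // not a parseable URL (mailto:, javascript:, junk)
}

// Matches link text that *looks* like a domain or URL, e.g. "google.com".
const HOSTLIKE = /^(?:https?:\/\/)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)\/?$/i;

function auditPreview(pageUrl, html) {
  const findings = [];
  const actual = hostOf(pageUrl);
  const og = extractOpenGraph(html);

  if (og['og:url']) {
    const claimed = hostOf(og['og:url'], pageUrl);
    if (claimed && claimed !== actual) {
      findings.push({ kind: 'og-url-mismatch', claimed, actual });
    }
  }
  for (const { href, text } of extractAnchors(html)) {
    const looksLikeHost = HOSTLIKE.exec(text);
    if (!looksLikeHost) continue; // "Read more" style text: nothing to compare
    const shown = normalizeHost(looksLikeHost[1]);
    const target = hostOf(href, pageUrl);
    if (target && target !== shown) {
      findings.push({ kind: 'link-text-mismatch', shown, actual: target });
    }
  }
  return { og, findings };
}

// Constructed sample: served from rickroll.example, but og:url claims a bank,
// and one anchor reads "google.com" while pointing back into the prank site.
const SAMPLE_URL = 'https://rickroll.example/embed-og-things.html';
const SAMPLE_HTML = `
<html><head>
<title>open graph for the win</title>
<meta property="og:title" content="Demonic Summoning 101">
<meta property="og:type" content="website">
<meta property="og:url" content="https://www.example-bank.test/login">
<meta property="og:image" content="https://cdn.example/frightful.jpg">
<meta property="og:description" content="Whatever is here is the description">
</head><body>
<a href="https://rickroll.example/dynamite.html">google.com</a>
<a href="https://www.example.org/">example.org</a>
<a href="https://rickroll.example/story">Read the full story</a>
</body></html>`;

function demo() {
  return auditPreview(SAMPLE_URL, SAMPLE_HTML);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to print the findings for the constructed page: one og-url-mismatch (example-bank.test claimed, rickroll.example actual) and one link-text-mismatch (google.com shown, rickroll.example actual); the honest example.org anchor and the "Read the full story" anchor produce nothing. An og:url mismatch by itself is a signal rather than proof of deceit (canonical URLs and CDNs legitimately differ), so the defensive response is to build the preview from the URL that was actually fetched and to show the real destination host next to any link text that looks like a domain.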