
So this is Preventing a Hostile Matrix, a game in virtual reality security, called arms, uh, umir Meco, uh, handle Ali ghost. So I want to open with a quote: "What I thought was 50 years away was only 10 years away, and what I thought was 10 years away, it was already here. I just wasn't aware of it yet." Bruce Sterling. There's a reason I bring this quote up. Ultimately, in 2012 I was working with a group called realXtend, and in IRC we were talking about the future of virtual reality. Everyone was thinking virtual reality was 15 years away. In 2013 the Oculus Rift debuted on Kickstarter. That was the beginning of commercial virtual reality, the cycle. What we thought was 15
years away was one year away. So let's get started. Little bit of a parental advisory at first: some content may not be appropriate for children or people who cannot realize that we are currently in, and walking further into, a cyberpunk dystopia. So who am I? I'm a security consultant with foresight, a VR developer and entrepreneur, a former collaborator on realXtend, currently diving into Unity 3D. I'm currently working on the side on VR applications to make tools for use in intelligence and cyber security, and I'm a VR cyber pathogen, and of course I'm also a cyberpunk, because [ __ ] you, that's why. So, alphabet soup: let's get started with some acronyms and definitions
because otherwise everyone's going to be lost. VR is virtual reality: it's full immersion, sensory deprivation; think the Oculus Rift or the HTC Vive. AR, augmented reality: it's basically the HoloLens; it's essentially overlaying a digital HUD onto the real world using basically goggles or glasses. Presence: a sensation tied to VR which causes your high-level brain to realize you're still in VR but your low-level brain thinks you're actually there. So because we all have basically primitive monkey brains, for lack of a better term, our brain starts to think, "wait, I'm actually in this world," and because of that, after about 10, 15 minutes you forget you're in virtual reality. Ultimately this can cause some very interesting
phenomenons and has been known to allow people to forget they're in virtual reality and do stupid stuff like trying to lean on a virtual object, or have deeper emotional connection. It's also why it's useful in medical technologies at times. And FPS: frames per second, or how many frames are rendered on the screen within a second. 90 is the minimum required for virtual reality, otherwise you're going to get sick. Blame your inner ear. Uh, your inner ear, if you have that distortion between what you see in the sensory deprivation combined with what's expected physiologically, you're going to get sick, nauseous, and might throw up. Not a good thing. And MMI: man-machine interface. You'll understand why I'm bringing this
up in a little bit. So this is not a technical talk; this is a call to action about VR and AR and game security. I'm not here to sell you on VR. It's something you have to experience for yourself, and you have to use a real headset, not one of those junk Gear VRs or Google Cardboards or whatever they push at, you know, insert cell phone store here. You need to use something like an actual HTC Vive or an actual Oculus Rift to truly experience it. And this is a warning that the present, and the future, is going to be a cyberpunk dystopia, and we need to step in now. So why are we here? Virtual reality
and augmented reality is the next generation of user interfaces, and ultimately this is going to be when all those problems we overlooked with game security, because it's just a game, come back to bite us in the ass. This is where everything starts to fold into game security becoming industrial applications and medical technologies. That's right, this is used in medicine, and I will explain a few. And the hardware and software is coming closer to wetware. What this means is, within a decade or two, virtual reality and augmented reality technologies will serve as the basis for cybernetic interfaces. That's right: if technology goes the way it has gone, the code will be reused in cybernetic eyes and things
like that, and congratulations, that's possible root access on your actual monkey brain. So yeah. So another quote: "The future is unwritten. There are best-case scenarios, worst-case scenarios. Both of them are fun to write about if you're a science fiction novelist, but neither of them ever happens in the real world. What happens in the real world is always a sideways-case scenario. World-changing marvels to us are just wallpaper to our children." I had a dream, you see. Years ago I had a dream that as humanity became connected and more technologically advanced, we developed new tools, not just virtual reality and augmented reality, with cybernetics and even other tools like that. Eventually the virtual reality and
augmented reality technologies we develop now, we start to interface directly with our own brains. Unfortunately this became a nightmare, because this was unsecure and poorly designed. People were able to be influenced, spied on, or even controlled by malicious attackers. This caused terrorism, crime, and worse. Ultimately what we really don't want is our insecure technology now leading to someone being able to CryptoLocker your brain 20 years from now. That's ultimately the biggest threat we have in this specific area. "If you know your, if you know the enemy and yourself, you need not fear the result of 100 battles." Cliché, but appropriate. The current AR and VR hardware set looks pretty much like this: you got your Oculus and your Vive, which
are your two mainstream high-end headsets. You've got your phone, Gear VR, Daydream; that's all your mobile VR that you would see in a cell phone store, or, you know, also Cardboard. But you've got the FOVE, which is an experimental foveated rendering headset. It's currently not available, and I think I need to explain this. Foveated rendering uses eye tracking to detect where your pupil is focused, so that way it can select where it's going to focus rendering power and then thereby reduce detail in other areas, so that way only the areas that are actually in your vision, and not in your periphery, are highly detailed. This improves quality and frames per second compared to current
methods. This is currently experimental, but it's speculated it's going to be in the second generation of consumer headsets, so it's coming soon. I should also note something very important here: eye tracking is used for things like marketing purposes, analytics. There is a group of people, including some people that worked on the original polygraph, that's working on using eye tracking to do lie detection. Anyone who's familiar with the polygraph knows it only has a 50% effective ratio; they're claiming with eye tracking it's up to 80%. So have fun with that thought. You also got the Meta and the Meta 2 and the HoloLens, which the Meta and the Meta 2 is a tethered, meaning HDMI, augmented reality
headset, and that plugs directly in your laptop or computer. And then you've got the HoloLens, which is an Intel Atom based, basically, mini computer on your head with 2 gigs of RAM. The problem with the HoloLens is, unfortunately, it's very restrictive and underpowered, and unfortunately Microsoft does not like you creating custom gestures, and as a developer that aggravates me. That aggravates me a lot, because that restricts what I can develop and what I can experiment with. And then you've got the BT-200 and 300 by Epson, which are Android-based augmented reality goggles as well. The BT-300 was, like, just released, like within the last month. Um, then you've got Google Cardboard, which is, well, a cardboard box
which you stick your phone in and has some lenses, and then you've got other devices as well. You know, just the lay of the land. For input, on the other hand, you've got Oculus Touch and the Vive wands. The Oculus Touch I do not have much detail on, because those are not publicly available yet. Those will be publicly available in December, and I hope to have more information as the technology grows and as I can get a hold of it. The Vive wands come with the HTC Vive. The Vive wands I'll explain a little more later. Uh, you've got clickers and remotes, stuff like Daydream and Gear, uh, the new Gear VR. Those are based off clickers and remotes, not exactly very
advanced, but it gets the job done. You've also got gesture motion tracking. There are tools like the Leap Motion, which hopefully at least some people in the room have heard of. You've also got the Manus VR, which is essentially a glove that goes on your arm and your hand, and it uses sensors to actually detect how your hand is moving, and it uses the Lighthouse sensor from the Vive's wand to track the movement of the hand itself, or rather the arm itself, and it can do full inverse kinematics and all that stuff. Uh, the problem with the Leap Motion is that, because it's an infrared camera based system and has a
limited field of view, if there's anything occluding tracking it sends it all off. The Manus VR does not apparently have that problem. You've also got eye tracking, um, like I said, foveated rendering. Have fun with the idea of using that for authentication or for marketing data or things like that. Hello, 1984. And you've got wearables: Android Wear, iWatch, uh, Fitbit. All these things have been on some level integrated to Unity 3D, which is the most common virtual reality engine. You can pull data from those devices into Unity 3D to do things like health tracking and more. You also got EEG and other solutions. There are actually devices out there, specifically the ones I can think of off the top of my
head are the Emotiv and the Muse, which actually read your brain waves, that you put on your head and read your brain waves, so you can actually control the brain, or, you can control the computer with your brain. There's also versions which can be used for EEG research and stuff like that. So, you know, if you were to a box and someone was wearing one of those, you could literally read the person's mind. Have fun with that thought. And you've got others as well, and this is only the beginning, because there's a lot more coming down the line. And there's also stuff ranging from treadmills to, basically, bicycles that are designed for VR, and it's going even
further than that. This is only the beginning. So, couple points of interest on the Oculus itself. Tracking is done with infrared and cameras, the Constellation system. It uses infrared detectors in one camera by default, but with the Touch they're including a second camera, and they're suggesting buying a third camera for room-scale tracking. Um, I should note that room-scale tracking is essentially: you set up multiple cameras in a room, and as you walk around the room it tracks you and your movements and the movements of the devices in question, so you can actually physically walk around and interact with things in the virtual world. Um, you've got HDMI and USB for main connections to the system. Uh, I'm
still waiting on data on their Guardian system, which is their movement boundaries, and the Oculus Touch, which is their motion control systems, because they haven't been released yet. I should also note one more thing: the Oculus Rift, last I checked, uses one HDMI and two USB cables, I think USB 3 cables, for main connections to the system. I'll explain why I'm saying this in a minute. And I should also note that Facebook's privacy policy on the Oculus allows them to slurp all your computer's data by putting the Oculus drivers and software on your system. According to their privacy policy, you're basically giving them access to everything on your computer, and this is Facebook we're talking about, so we all know how that's
going to end. "Hi Zuck, have total rootkit access on my system, I don't give a crap." So, a couple points of interest on the Vive. For hardware, tracking is done with lasers from base stations, the Lighthouse system. The Vive comes with two Lighthouse trackers, which are designed to be put on two opposite corners of the room, but you can also do them right in front of you or whatever. The maximum tracking is supposed to be 5 x 5 m; that's about 15 x 15 ft. Uh, front camera for pass-through and Chaperone system. The Chaperone system: let's say you're walking up to this table right here, it'll actually put a little, uh, wireframe of the table or any object in
front of you, so you don't, say, walk into a wall, because head injuries suck. Uh, you've got HDMI and USB for main connections to the system. It goes from a headset to a breakout box to the main system, and you plug the headset's cables into the breakout box, and then the breakout box has other cables which go into the back of the system. Now, I should note, in the actual headset itself you've got a little panel on the top of it which you can pull out. You have one power cable, you have one HDMI cable, and you have one USB cable by default, but you also have a second USB port that you can plug whatever you want into. So, you
know, if you, say, have a Rubber Ducky or something like to have appropriate form factor, just say, a nice little attack vector. And you've got a link box between the headset and the computer. It also acts as a Bluetooth receiver. So this is important, because Bluetooth is used for various components, including headset sync with phone and tech phone for calls and text in VR. So you are literally using the HTC Vive Android app to take calls and do texting in your VR headset. So you are linking your phone to your VR headset, which adds another attack vector there. But on top of that, Bluetooth is also used for control between the controllers and the base stations, and
this is all using Bluetooth 4 or LE, and while I think it's encrypted, I have to double check, because it looked encrypted but I was not completely sure if I just didn't manage to properly decode it. But it looks like it's encrypted, thank God. Um, just imagine the kind of man-in-the-middles you could do with that. So, common virtual and augmented reality engines. You got Unity 3D, which is your most common one. Unfortunately, because it's heavily based on third-party assets, and a lot of game developers don't properly learn how to code and just, hey, say, here's a tutorial, let's go jump in and sell a couple things for, say, $60 on the asset store
and not bother to namespace our code, or, you know, not doing integer checking, which is rampant. Heck, there's a Valve, I think it was, okay, so Valve, on their SteamVR asset, as in Steam Valve, they have not namespaced their code. It gets worse in that I have detected multiple instances where Unity will pop up a little warning saying, "hey, there's a null pointer reference," and people ship their plugins and code without making sure they fix the null pointer references, and they charge for this [ __ ]. Um, source code requires extra money, so you can't really audit if you're an amateur; they want full enterprise access. Uh, the most common virtual reality, augmented
reality engine. It's C# and Mono based, but it's using an old version of Mono, so yeah, they're in the process of upgrading it, but for now it's limited to .NET 3.5 feature set. So yeah, bit outdated. It's also using JavaScript and Boo. Boo is a bastard version of Python, which they decide, "hey, I know, let's say, you know, Python isn't exactly what we want, so let's just create a new implementation that's similar to Python, has similar syntax, but isn't actually Python." Great, great job creating your own programming language, guys. We really need that. And you can also plug in additional language support as well; there's plugins for things like Lua, for example. Uh, Unreal Engine: assets tend to
be more expensive, but I do not have data on those assets yet, because money. And source is given when you sign up on GitHub, but not actually open source. So luckily you just have to sign up for the engine for free and then link your GitHub account, and they'll give you access to their GitHub repositories and then give you access to Unreal Engine and Unreal Tournament source code, which is always nice, because you can actually audit it, and there have been audits done. But it's not actually open source; you can't redistribute it outside that EULA. Um, it's the second most common virtual reality and augmented reality engine. Uh, doesn't quite have the support that Unity does, though. It's C++ based.
Unfortunately there's a lot of legacy code in there. Up until last year there was, let's see, what was it, up until like late, uh, up until last year or early this year, there was AES code in there which they thought they could actually modify. They thought it was a good idea to try and modify the cipher so that way they could try and make it so if the stream was interrupted it wouldn't break things. We're talking about stream cipher, people. Congratulations. So, Blueprints visual scripting is a baked-in option. Essentially it's node-based scripting, which you just connect the nodes and expose classes and C++ to that, so you can use those. But there's also a
third-party JavaScript plugin for it from NCSoft. Um, the state of game and virtual reality development today. Uh, game assets and tutorials, especially tied to Unity 3D, are horrible from a security standpoint and horrible from a code quality standpoint. A lot of these don't bother to do integer checking or, for that matter, namespace their code, and that is why I want to scream sometimes, because unfortunately when you're working with Unity 3D you're going to have a lot of assets where you're going to have to just overhaul things, for things you paid a good amount of money for, just because people can't be bothered to fix their stuff because they didn't know any better. Uh, game
development, or game developers, usually don't have any security mindset at all, or they think security is DRM and anti-cheat rather than anti-shell. Luckily MMOs seem to be the exception, but that is the exception and not the rule. Luckily, um, this seems to be changing. I recently saw news that Bohemia Interactive, who made the Arma series, has recently added security exploits and vulnerabilities to their bug tracker for private reporting. Luckily these guys seem to be taking it seriously, but I suspect that might be tied to the fact that they had 0-day dropped at DEF CON on their game. Um, a lot of engines don't encrypt their netcode and chat. Luckily this
seems to be changing, and people are using SSL more for encrypted netcode, but people still don't bother to encrypt their chat. And unfortunately the primary chat protocol I can think of that would be useful, which will go unnamed, is GPL implementation based and doesn't have properly documented information on it, so the only way to make any sort of implementation is to derive from GPL code. And unfortunately the developer, who will go unnamed, thought it would be a good idea to try to charge an open source project that tried to reimplement that protocol in another programming language $2.5 million for licensing because they didn't want to use the GPL. There's now a court case over this
apparently. Really, this isn't helping anyone. So, technical considerations and game development mentality. Virtual reality requires 90 frames per second, otherwise you're going to get physically sick. Um, this is a physiological response from the inner ear; this is not a technical limitation. Um, this is a wetware limitation. Most game developers have no security background, and most CS programs do not bother to teach secure programming or security mindset. This extends to game development programs and other programs as well as schools and tutorials. Uh, bad habits form early and are hard to break. So this is ultimately an application security problem. This really ultimately comes down to application security, and a lot of bad third-party code comes into play
as well. Uh, virtual reality developer mentality in particular needs to be having some specific notes on virtual reality. Virtual reality requires us to throw the entire user interface and user experience book out the window. The objective now is to focus on how the interface feels first and build it from there. So we do a lot of rapid prototyping, user tests are common, and are trying to make the interface feel more natural, not artificial. The idea of, "oh well, I'm going to hit a button or I'm going to check a check box" or whatever: if it's natural feeling, maybe, but if it's like, oh, I'm going to hold a tablet and, yada yada yada yada, hitting buttons or
moving sliders, that's not what people are trying to do, because ultimately the objective is to make things feel more natural and make it feel more visceral. Uh, programmers are also user experience designers, and the gap is closing every day. Luckily this is a good thing. Uh, virtual reality and augmented reality is still very experimental, though, and there are very few best practices in place, and most of them were along the lines of "stay seated and develop for seated environments" or "make sure the user doesn't get sick." There's nothing really there about code quality or anything like that, just, like, basic, you know, how to make people not get sick and how to do user experience over code
quality. Uh, rapid prototyping is key, and a lot of designs and code get thrown out because it fails usability testing. Uh, Google's suggested turnaround time for prototyping is two days, so you're actually developing these tests for user experience and user interface design in two days and determining whether you're going to keep it or throw it out. Not much time for code quality there, and code quality, as I have been saying, is often the last thing on developers' minds. Unfortunately, because of the speed of development, most people don't really have time for that. So, another interesting quote: the most interesting thing about virtual reality that you can't find out anywhere is the feeling of, or the actual
feeling of presence and the feeling of being in virtual reality. It's not something that can be communicated by talking about it. You very quickly accept the fact that you're in a different place. The feeling is something incredibly novel. It's a visceral experience to be able to trick yourself into believing you're somewhere else. That's a quote by Aaron cin, who is a virtual reality developer, and he's right. Ultimately, as much as I could stand up here blowing the air saying, "oh well, we need to develop for this hour next thing, and it's a totally different thing," until you, say, go to Christiana Mall and go to the GameStop there and try the Vive, which I suggest everyone do, you're not going to
understand what I'm talking about, because ultimately it is a completely different experience to what we've experienced up till now. Um, so, very specific note on presence. But first I want everyone to watch this GIF, because it's
perfect. So what we just saw here is, the kid was so immersed in virtual reality that he forgot that the object in front of him was not physical, leaned over, and, oh. So there's a reason for this GIF. Um, as much as I talk about presence and stuff, the reality is, because you have that process of not realizing you're in virtual reality, at one point there's a possibility where, say, if the Chaperone system did not detect, say, the stairs in front of you, you might take a fall. Um, just saying, if you don't see your cat, that could end badly. Um, yeah. So ultimately we're on brand new horizons, and virtual reality and augmented reality require new design
methodologies, and old design methodologies are obsolete, and there must be a more organic and natural feeling in how they work. Everything is still experimental and no one really knows what works best yet, and there's a lot of research and development going on to figure out what works best, from everywhere from Google to Facebook to startups. Ultimately everyone is working on this in the big fields, and a lot of people, including Mark Zuckerberg himself, have been pushing this pretty heavily. So ultimately we need to jump on this now before it gets real bad. Uh, virtual reality and augmented reality are web 1.0 stage, but that's a good thing, because it gives us a chance to step in before
things go horribly wrong. Ultimately it's better to bake security in from the early days than to have to bolt it on later. Um, so there's one very specific reason I'm bringing this up. This is the Gartner hype curve, which shows, from left to right, the process of building hype, then coming down to earth, and then actually building practicality to the plateau of productivity over here. So ultimately, uh, human augmentation is right here, augmented reality is right here, and virtual reality is right here. So augmented reality is just finishing bottoming out, and then virtual reality is just starting to come up to being practical. Virtual reality and augmented reality are 5 to 10 years out from being
at the plateau, and human augmentation is more than 10 years out. There's a very specific reason I bring up human augmentation. Also, I should note that machine learning is 2 to 5 years from plateau and just approaching peak hype, so I expect a crash on that soon, because this has been a very accurate model. Uh, this is basically based on mobile and all that stuff, and we are ultimately coming into a new mobile phase. Um, so another thing I need to point out: ultimately this is going to be very big financially and business-wise as well. Augmented reality by 2020 is going to be a 90 billion business according to Digi-Capital, and according to Digi-Capital virtual reality will be
30 billion. These are going to be extremely big, and these are going to be extremely vulnerable unless we act now. So the reason I'm bringing this up is because we're looking at the next mobile, and ultimately if we don't fix now we're going to be hurting later, just like how we're hurting now because Android was a mess security-wise at the beginning and no one was bothering. So, another quote: "Does virtual reality provide us with new ways to augment, enhance and experience reality, or does it undermine and threaten that reality? Virtual reality is equally prone to portrayal as either the bearer of bright utopian possibilities or dark dystopian nightmares, and both these views have some basis to recommend them."
and that's from Derek Stanovsky, or however you pronounce his name, sorry. So there are problems on the horizon. Unfortunately we're going to have shells, some of them with ghosts in them, uh, privacy, and other nasties. So we're going to obviously have 0-day all over the place. Unfortunately, as much as we want to push software development life cycle changes, people don't care. They really don't, not until they get bit. Then you've got privacy, and I'll bring that up in a moment, but you've also got other nasties. Think about malware, for example; think about IoT botnets, crypto lockers, things like that, because that's going to be hitting this as well. So this is where privacy comes in. I'm
sure everyone knows about Pokémon Go and how, "hey, let's request access to everything on the phone and everything on the Google account to play Pokémon." What? I mean, sometimes it's not malicious; sometimes it's just complete and total fail, or QA fail, which this apparently was. But yeah, what, uh, ultimately what it comes down to is, this is ultimately going to be used for spying, intelligence, and everything else. I should note explicitly that Sony is working on contact, Sony has patented contact lenses which act as both a camera and an augmented reality display device. Contact lenses. And you thought Google Glass was bad. Um, this is going to be a mess privacy-wise, and we need to act soon. We're going
to have to establish some practice to fix this. Um, current uses of virtual and augmented reality, including entertainment, everything from movies to games to, you know, music videos. Uh, commerce: uh, there's shopping apps, there's people using it in, uh, let's say, uh, real estate and all those markets. And you've got industrial applications such as CAD, and you got vehicle interfaces. I think it was Mercedes was working on an augmented reality headset for using their cars. Um, medical devices, and not just medical devices: it's being used to train surgery and perform surgery, and it's also being used for treatment of things like PTSD and phantom limb syndrome. So, phantom limb syndrome, in case anyone doesn't know: if your arm gets
blown off, you have this really nasty sensation, because your brain still thinks the arm is there, but it's not actually there, so it's really painful. Virtual reality is being used to help treat this, among other things. And it's also being used by military, intelligence, law enforcement, emergency services. Apparently law enforcement agencies are even using virtual reality to practice for hostage rescue situations a lot faster than they were, because previously they had to build up kill houses to actually practice clearing rooms; now they can just scan the room and put it in VR and they're done, practice that way. Uh, it's also being used for court cases, and there was recently a news story about how they're using virtual reality to
hunt down the last Nazi war criminals by recreating Auschwitz to try and determine who is actually telling the truth about what they could actually see. So they've actually gone after at least one Nazi war criminal that's still alive, well, was still alive; he died right before being extradited. But they've been going after the last remaining Nazi war criminals to chase them down with this technology. Uh, it's not exactly uncommon at this point; it's going to be more common. But what's the worst that could happen? I mean, really, what could possibly go wrong here? I mean, this is actually based off a mockup of an actual device that's being developed by a defense contractor, I should mention. This is actually
something that they're working on. This could not possibly go wrong. I mean, "oh no, I'm just going to say that the UAV Reaper video was here, and I'm going to say there's an enemy right here even though there's none, project that enemy right there, and I'm going to make it look like he's about to fire," and then all of a sudden you have other guys thinking, "oh my God, I'm being attacked, I'm being attacked," and then you wind up having people reveal their positions or shooting themselves. It could end badly. But luckily it's not all bad. Uh, here is actually a picture of virtual reality being used to treat PTSD in veterans. Ultimately this is being
used to treat medical problems. This is also being used to treat people in therapy and things like that. There's a lot of research going on right now as far as psychology and therapy and how virtual reality can be used to treat those. Furthermore, augmented reality could be used for things like teaching people social skills. Um, you've got this, which is an actual product, uh, I will redact the name, but it actually displays windows, and can actually display Windows, Windows as in, like, Excel, in virtual reality, and a virtual reality desktop, so you can actually move your windows like this and this and this and just look around all over the place. And while unfortunately the technology right now is kind of
limited, because the screens are ultimately 1080p in each eye, so text is really blocky, it's projected within 5 years, actually was projected like two days ago by Michael Abrash over at Oculus, that in 5 years it's going to be at 4K in each eye, and then soon after that'll probably be at 8K. And then you've got tools like Google Tilt Brush, which is ultimately used for creative stuff such as painting in 3D space, and can ultimately possibly be used for other purposes such as making movies, music videos, whatever. Um, ultimately there are other potentials that actually allow this to be completely awesome. This is a Leap Motion demo right here, and they're actually able to detect hand movement, and I'm
pretty sure that's a Vive wand, where they can actually manipulate a map and do things to look at places. This is only the beginning. On top of that, this is a Meta 2 demo, from the Meta 2 augmented reality headset, where they are able to project 3D interfaces in the real world. So ultimately, while it sounds bad, there are a lot of very interesting use cases we're coming up on, and ultimately this is only the beginning, and no one really knows where this is going to go yet. But all we know is that if this continues the way it is, it's either going to be really good or really bad. It has the potential to be really good. Just imagine
that for cyber security so who controls the past or who controls the past controls the future he who controls the present controls the past that's a 1984 quote and it had to be done so a bit of Legacy VR does anybody remember this thing the reason why this sucked is because they skimped on the hardware and they were shining lasers into people's eyes yes how could that possibly go wrong uh virtual reality was a mess ultimately the hardware was not powerful enough back in the 90s when the last boom was even into the early 2000s it was not powerful enough we're only just now getting Hardware powerful enough to truly power these things and virtual
reality ready laptops are literally only just now hitting the market up until now there have been technology limitations such as Nvidia Optimus and graphics card power switching and not actually directly interfacing with the graphics card on HDMI which have been causing issues up till now now they're finally starting to fix it on like the laptops that have been releasing in the last month uh historically VR failed because it wasn't the hardware wasn't powerful enough now it is and the hardware is getting more powerful every day luckily the current generation is a lot more powerful and doesn't have anywhere near as many issues and with gesture controls more powerful hardware and more experience developing means it's going
to be a truly amazing time to be in VR and AR ultimately the big reason why displays specifically for the Oculus and the Vive have come into play the way they have is because they're they initially started using the mobile displays from phones in the headsets so these headsets you're getting now for virtual reality are actually using phone displays uh so technology leapfrogged with mobile and it's now going into virtual reality based on mobile technologies um ultimately you've got the Vive wands the Lighthouse base stations and the Vive itself with the pass through camera right there and you've got the Oculus CV1 with the headset and the Oculus Touch controllers and you know ultimately the future is going to look bright so in
the next 5 to 10 years virtual reality and augmented reality are likely going to become the next user interface of choice for computing ultimately these two technologies will likely merge into one headset and will ultimately likely be two modes of the same headset in the near future they're guessing in certain circles it's likely to be two or three hardware generations out before this happens so guess about 3 to four years probably right now we have controllers and gesture control is coming soon and by gesture control I mean gesture control without having something in your hand uh we can already do stuff with gesture control with the wands but soon
it's going to be hand tracking based Google recently filed a patent for actual hand tracking in 3D space from mobile VR so it looks like they're going to be using Google Tango to track hands in VR headsets using Daydream within the next few Hardware Generations right now the reason they don't do that is because the hardware is too big to be in the same system um 10 to 20 years out though is where we really need to be worried although we really need to be working on this now the virtual reality and augmented reality systems of today and the code of today is going to be rolled into the interfaces in cybernetics and man machine interfaces later on and this is
what truly scares me because having looked at this code for so long I am truly terrified that someone will get root on my brain if I have cybernetics and it's using this code I am truly terrified of that and ultimately privacy and malware is the near future and cyber cyber is a decade or two away but the cards are all falling into place as we speak and ultimately it may seem like it's science fiction but historically technology has shown people reuse code all the time and ultimately Unity is currently the most common tool for virtual reality development and because people like to reuse code I have a really bad feeling about this so those who fail to learn from
history are doomed to repeat it wise words from Winston Churchill so historically security has been an afterthought money time and ignorance have killed us so far and if this continues this might physically kill us as in like kind of dead uh we have a chance to do it right this time though and ultimately we have to learn from the past historically we've had bolt-on security measures HTTPS OTR things like that um and historically security hasn't been usable but now with VR this is focused on usability more than anything else anything and everything we do has to be non-invasive we cannot have little check boxes pop up saying oh update your antivirus or stuff like that people aren't going to want that at all and
ultimately usability is going to be bigger more than ever now it has to be completely and totally transparent uh and we have to decentralize distribute secure and encrypt everything ultimately if this technology starts going the way it looks like it's going to go and I'm going to just jump into la la for a second but if we start getting to the point where this starts going into cybernetics do we really want our brains connected to the internet at all times hi Google have fun drawing everything from my brain uh virtual reality and augmented reality are next generation interfaces for military and medical tech let alone everything else so ultimately we do have to pay attention to this right now the
Navy is actually experimenting with an augmented reality visor for divers in combat situations where they can overlay things like instructions on how to defuse a bomb so hi let's hack this and change it so you cut the blue wire or the red wire and boom so what can we do now now's the time to demonstrate and fix these problems before they become widespread ultimately time is ticking every second we talk time is ticking every second we sit around going oh let's just hunt 0-day and whatever and security bugs in gaming and related code those need to be fixed if there is any way we can get access to them we need to fix it and we need to start establishing a
security and application security mindset in not just virtual reality and augmented reality communities but game developer communities as well proper secure programming and design must be hammered into education and it's not optional any more people we can't just say oh it's an elective class no this has to be baseline programming classes and we can't just say oh well here's how you teach here's how you code now here's how you secure no it has to be all in the same class and all at the same time and teach how to do it properly from the start otherwise this is going to end horribly and we have to design the future to be distributed and decentralized and secure we really do
not want to centralize this stuff and we are going to need new specifications and standards and I have a history of working on that stuff I've got something coming so what must we not do and this is important the future is bright but if we bring it down with Doom and Gloom we're done and it's going to end horribly ultimately VR and AR has amazing potential and when we're in the security Echo chamber we start going Doom and Gloom Doom and Gloom nobody wants to hear that nobody wants to hear oh well we need to be careful otherwise we're going to get popped why do they care oh we're going to terrify them well that'll
either stifle innovation or make them ignore us completely as Chicken Littles uh we must not alienate the game and virtual reality developer communities I'm going to say this right now the virtual reality community in particular is a lot more diverse than infosec is and I hate bringing diversity into this because this is not that talk but we must not be [ __ ] the way we have been because ultimately by being [ __ ] we shut people out uh when we alienate people by acting like pricks we kind of can't get our point across and we must not push security at any cost because performance is king and the king will
not be dethroned ultimately that 90 frames per second number it's not optional it has to be at least that fast at all times it cannot dip below that or people will get physically sick and then it's game over for that so if we try that welcome to ignore township population infosec so ultimately we're going to need a plan of action the best option we have now is to reach out to the game augmented reality and virtual reality developers and those who teach them ultimately we have a chance to fix this now and do it right from the start or at least the start of virtual reality and we can't do this alone as much as we want to say oh
look at me I found 0-day ultimately that 0-day is probably going to have several others like it so just finding one 0-day is not going to help but if we can get people to properly secure their code ahead of time we can reduce 0-days overall and then you know the 0-day might be more special and also we have less 0-days to worry about which could cause less harm always a good thing unless you you know like to pimp vulnerabilities all day long may be a bad thing then may be a good thing because then it drives the price of 0-days up on the market teach people how to securely program and a security mindset this
isn't just buffer overflows this is for example teaching them that just because something does just because SQL injection is a hot topic and I have actually seen this personally I had a student from an unnamed school approach me with a project they worked on and they wanted me to check it for SQL injection they were sending the SQL statement from the client over the wire to the middle server and then running that same SQL statement that they crafted on the client as in the full SQL statement on the back end you don't need to inject that uh all you really need to do is just say hey I'm going to send an SQL statement and you're just going to
execute it whatever remote code execution done so ultimately you know just because you hear SQL injection is a hot topic does not mean you actually have to inject if someone does something like that and unfortunately this was apparently done out of laziness and because they didn't know any better I wound up having to spend 30 minutes trying to explain this to them and we have to root out bugs and mitigate them so they are harder to have happen again and we have to create and enforce standards and specifications for not just secure but also ethical virtual reality augmented reality and gaming development because ultimately we do not want someone going oh look at me I'm
going to be the Cyber God and everyone using this is going to be forced to worship me or will kill them in real life or oh I'm going to remove the log out button and if you die in game you die in the real world Sword Art Online so one final quote the way technological revolutions actually happen involve smart people working hard on the right problems at the right time look to your left look to your right everyone in here is working on something and ultimately it may or may not be someone in this room but we are on the forefront of fixing this we are on the forefront of developing tools technologies security everything and if it's not us
it might not get done period because we can't rely on someone else to take action we can't rely on someone else to actually fix this because ultimately someone else might not be thinking about the same things or they might be thinking about the same things but they might think someone else will take care of it ultimately we need to actually get our butts in gear in order to get this done so any questions
yeah haptics yeah yeah haptics to look at I would what's tactiles tactile and haptics um that's currently being researched but there isn't much beyond pressure controls and maybe a little bit of I'm guessing electronical stimulation to cause sensations that's really a very emerging area of the technology and that's only going to become more over time but it's not there yet yeah uh yeah thing about that is there's a new technology that's coming out in months I think they
basically the SubPac yeah that's already on Amazon you can already buy those and yeah those are nice but that doesn't cover things like wetness and stuff like that it only covers impact uh anyone else uh yeah
um the HoloLens in particular they restrict you to a certain set of gestures and the certain set of gestures are very much inspired by mobile but the problem is that when you have a restricted set of gestures you're not able to experiment with real natural-based interfaces that
the hardware is extremely weak on the HoloLens and it's a limitation of the HoloLens itself ultimately it's only got 2 GB of RAM which means you can't even run Unreal Engine on it and it's extremely limited and using an Intel Atom processor its limitations are not just API but also hardware and the hardware is what makes it go from being potentially really useful if they were to just fix those gesture controls to being extremely limited ultimately a lot of the things we're going to want to do in the virtual reality and augmented reality communities are going to require a lot more power than that and the power itself is the problem um tether is going to be a lot
more powerful there's also the BT-300 which is Android based but I don't have the technical specs on that Aug yeah also Oculus is working on a mid-range solution which is going to be VR without a tether without a computer so it looks like they're going to be possibly doing that Oculus as well on the VR front uh they only just barely teased that at Oculus Connect a couple days ago though so no one really has any details on that outside Facebook uh hang on yeah yeah no that's 90 frames per second in both eyes yeah so you're literally running 90 frames per second on two displays simultaneously yeah uh yes I have and it's extremely underpowered and frankly the hardware is
not up to snuff it seems so when Sony announced the PlayStation Pro they said that their intent was to try and compete with PC gaming in order to try and do 4K but it doesn't actually do 4K it just upscales um the problem with PlayStation VR is that the hardware is not powerful enough and it's too low resolution and it looks very smeary um the graphics themselves are actually nauseating so that I suspect is going to do more harm than good uh anyone else
yeah um kill it with fire I don't want that why do you think I have a Vive anyone yeah as far as security goes how do you think that's actually like going to manifest itself is it going to be like something where the community is going to have to come up with like a set of standards or something like that that everybody kind of agrees to it's going to have to be that and further education on secure programming and application security it's also going to require more tooling that we don't have yet possibly static analysis and other tools just to make sure things are secure as well as getting people to stop being lazy which we know will never happen but you know unfortunately people
like to be lazy and that causes a lot more issues than you would think yeah
ultimately we're going to have to drop some 0-days that's my suspicion ultimately it might require a few Defcon talks with a few 0-days in order to get them to wake up that's my guess and I mean 0-days as in like publicly revealing for the first time not even responsibly disclosing 0-days things like that we might need to do some irresponsible disclosure very publicly to get the message across anyone else uh Bueller Bueller Bueller thank
you