BSidesWLG 2017 - Katie McLaughlin - Protect yourself against the bees 🐝

hi this is protect yourself against the bees this is my bedeck it to be on a deck yes hi I'm a thought leader this was tweeted at the hacker chicks event and it keeps on retweeting and I can't actually use my Twitter anymore because it keeps on me tweeting and I was also the first person to use the hashtag so if you need to contact me I met Katie at thought-leader dr. rue real address but I'm more often at self-deprecating but I'm actually Katie at glass and calm I'm glad zone on all the places on Twitter Instagram and github and if you follow me on Instagram you get lots and lots and lots of pictures of bees so many bees bees in

flowers lots of flowers lots of bees even fuzzy ones from Wellington this was taken the the windmills up the way but I like these kind of ease but I also like these kind of ease this is a bee this is an emoji be my slides up and I'll updating over here one moment

there you go okay stop that right this is an emoji B emoji you may be familiar with it poet Ahana is the Maori word for cure a by the way my slides didn't have the translations up here sorry um anyway this is Abby you may recognize it you may not recognize it because depending on what platform you're using your emoji bees look different if you're on iOS it'll buy the first one if you're an Android in the middle and if you're on Windows it'll look like the one on the end it all depends what platform you're running now a lot of the bees are standardized which is great standard bees for everyone they all look

the same they've all got two wings sometimes they have legs have a stinger it's great then it gets a bit confusing so you've got the iOS beep standard be yeah bit of a cartoon yeah 7 out of 10 then you've got this bee which is just cute as heck this is from emoji 1 which is a kick-started open source open licensed emoji said but they keep on updating their B so depending on which version you have you have a different B I like 2.0 it's kind of fuzzy this is the Android B this is my favorite be 10 out of 10 keep buzzing my little friend um sadly this B has been superseded by this B this is the Android Oreo B it's

an exorcist because I've never seen any B with the eyes and the wings good luck getting that one out of your head um this is the LGB if you have an LG phone they supersede your emoji for you this be it's like the B movie but every time you see the B you keep on being reminded that the B movie exists and this is from Samsung so every time you see this B you need to make sure you're not using a Galaxy Note because they explode and of course you have your wonderful successful red team abhi with its honeypot he's playing Quidditch I don't know anyway I'm for these and more emoji takes follow me on Twitter TOCOM slash emoji

right it's like dog rates but for emoji anyway back to the beasts when I'm not taking pictures or grading B's I do conference Docs I've been traveling around just a little bit doing a talk called the power and responsibilities of Unicode adoption which sounds completely super technical but it's basically just me ranting about emoji and not just the B emoji it's great you should go see it ah thing is that's not my top title this is my top title the power bolt and responsibility it's called sweat of Unicode adoption its buckles which makes it really fun when you try to put this as your talk title through every kind of conference software you can imagine

first time I got accepted I got an acceptance email congratulations we have chosen your talk select a talk the power lightning bolt and responsibility where's the rest of my talk title doesn't sup there some places won't even let me submit it because it says that oh we can't handle full byte characters so we're just gonna like drop your talk content so I can't even like put my proper talk title up but then the lovely crew at Kiwi Con yeah sadly it didn't get accepted last year Kiwi Kong could've got accepted here besides Wellington accepting what he tweaked on rejects it's what makes it the best sorry that's a tuna pun I should keep to the beat punks anyway um some

conferences get it right I get in line emoji and it works fine except when they try to print it out and then it just drops or sometimes when you have say the lovely AV people that get printouts um it prints out that and for this particular talk I was introduced on stage as the power box box and responsibility box of Unicode adoption box that was fun but some wonderful conferences actually add a B for me because my talk title was supposed to be protect yourself from the beat the emoji get to the sides thank you um the amount of effort that B sides put in to actually put a B there was great because it's like oh I'm doing the talk about

the B it's about as a be on your schedule here's some I prepared earlier um other times it just works as well like I've had wonderful in line thinking emerging in my talk but this particular character wasn't standardized until 2016 so I've had printouts in communications that look like that we're just being fun but mostly they just tend to drop it out entirely this was a print out put on a wall so I put emoji stickers on it and fixed it but what's really great is when you get the digital bullets cuz this is how my talk came up you may notice something a bit weird that that is a legitimate that is the Windows 8.0 representation of that emoji

which means I know that at the mumble mumble Convention Center in mumble mumble City I know that they're running Windows eight point I and have not upgraded to eight point one so you know exactly what operating system they're running and then you can get your mad zero days from there so that's fun and I don't just do this like I don't just travel the world giving talks about emoji just to try to pop conference software I can just tweet people that decide to leave their internet on in the middle there talk pop ups hi from this we can tell that this wonderful person is running Windows 10 but you know there's still like the actual thing you

there you can tell it's Windows but because of the color you can tell it's Windows 10 and it's not just conference slides I also do it when I order coffee there's a little tiny be there and when I'm not ordering coffee I just order the food that looks like emoji anyway this is delicious by the way this is from sweet release friends of Kiwi con and besides it's amazing but if you can't find emoji fake vegan pork dumplings you can always just get a bee-sting anyway back to the beasts so this is a hacker conf yeah we know bees are awesome but going use bees to hack things well if you have a whole lot of

time and some super glue and little tiny micro processors you could attach the little tiny microprocessor to the back of bees like they did in Manchester so they have these little tiny microchips on the back of these and they can track where they go and see the migrating patterns of bees and work out why all the bees are disappearing maybe it's because people keep on attaching microchips to them and they get really upset but this is fiddly um also known as the Internet of sting spy we should stick to our emoji but what is emerging emoji is used to describe any sort of picture character but it's not emoji is a specific thing these are not

emoji these are terrible terrible things that should not exist they're normally animated and they make me cry when I hear these are called emoji these are also not emoji these are Facebook stickers I have 20 minutes thank you I know these are not emoji these were cool back when yahoo messenger was the thing 15 years ago when you could get the original Shrek stickers in your messenger and annoy people because Ben width is horrible this is not an emoji this is an an emoji this is facial recognition tracking as a gimmick trying to make it popular and also trying to get you to buy the iPhone X or 10 or whatever they want to call it

now this is a perversion of the stuff that sort of takes away your privacy but you know cute anthropomorphic Fox and these are not emoji either these are stickers you can use these stickers in Twitter these these are emoji duck is an official emoji owl as an official emoji however the implementation here is putting stickers on two emoji which means that you can do things like anonymize particular screenshots in your presentation except do not do this to anonymize your information with twitter stickers because the original image will be uploaded to Twitter please don't do this anyway native emoji can also break your phone which is great this is the pride flag this is a legit emoji unicode can

calm being clumpy bump Gandhi bump it is comprised of two existing emoji characters and then a 0 with Joyner in the middle so when it reads it all together in a system that's been specifically updated to understand this set it will change into the pride flag except if you were to say put white flag 0 rainbow you could crash your phone they've since fixed this there's been a whole lot of Unicode bugs in iPhone including the effective that wasn't me that's a bug anyway the the effective power thing has a whole bunch of Arabic text and when it pops up in a notification the notifications automatically truncated except if you're familiar with our big text the more you add the shorter it

gets so it tries to truncate it it goes to longer tries to truncate again and the phone reboots there's also this really interesting bug where you tried to type and it came up as that that's fun on the web it's even greater you know where emoji has to work URLs it has to this is a real URL spoon emoji ws there is an entire RFC dedicated to add I swear that's not me I'm not gonna move anymore okay there is an entire RFC dedicated to describing how to convert that emoji into Unicode to be able to use just Latin characters to be able to describe the URL um you can also use emoji in your crew strings but you

cannot use emoji in specific places otherwise and we'll get to that because ha9 can use emoji you can also use extended characters you can also use your right to left so you can get wonderful URLs like this where depending on the browser it will flip it around and it'll look like that and then it looks like it's encrypted but it's actually that so yeah that's been fixed now which is great um also another thing in Safari which is really interesting you cannot use the lock emoji in your tab bar because it would make it look like say your site was secure so that's cool um also you can pop shells with emoji well you can power shell with

emoji this has been recently going around Twitter as the sunset protocol sunset so you can make some really sick obstacle and then you can make it so you can't actually see the fact that you're calling PowerShell from your things and it's cool because it's like hey look I got PowerShell it's like shell bit powerful anyway but you can't use emoji in PowerShell which is sad but the best thing this is the biggest thing that I've ever seen happening where emoji could have broken the entire Internet who here has heard of WordPress WordPress runs a lot of the internet who here has heard of MySQL who here runs MySQL who he makes sure that they have

strict all tables set great if you don't there's next bits for you let's get back to our be actually this B this B has a particular code point this is our code point this is four bytes there is a particular issue when you do not have strict tables enabled and you use utf-8 in MySQL if you used utf-8 m before you're fine if you use utf-8 assuming it would be actually utf-8 compliant it's not and you get fun stuff like this if I'm on a wordpress blog and with my malicious black hat on I could type in something like this this just turns up like Oh besides Wellington is awesome except I have a been in there if you have a

WordPress version lower than 4.2 I believe and you have MySQL and you do not have strict tables and you have utf-8 it will drop your input at the B which means you could then put in another comment which is the rest of your injection script because the angle bracket script is stopped client-side but you don't need the starting bracket you've got that in your previous comment so as soon as you load the page again you have the first bit and then your quote with no ending double quote and then you have the rest of your script and then your site explodes because you've got cross-site scripting attacks all because of that little B isn't that

wonderful [Music]

this is a particular CV that documents all this this is all patched as of wordpress 4.2 so please patch all your things if you upgrade your WordPress past 4.2 you get emoji and you know you get rid of terrible cv vulnerabilities but you get emoji this was all pushed as like we now natively support emoji and no longer cross-site script your site we need of lisa point emoji now this is why you should update all your systems because you get cool new emoji so yes my skewer strict tables utf-8 mb four would be great because otherwise bad things happen and a really important note really important who here has updated their iphone in the last week please

please do because you'll be changes to something that doesn't look terrible anymore it actually looks really freaking cute so please update your iphones and you get cool new emoji [Applause]