>> Oh, you're not PowerPoint.
>> No, but I think so.
>> Go back to where you were. Go back to the other window.
>> I don't know where this is. Is not it. I don't even know.
>> Just go back to your program. Like, close the speaker notes.
>> Okay.
>> And then go back to... So we're going to present with the present button. So if you hit the drop down there's presentation display options. Oops.
>> And usually I don't do much on this device.
>> So you've got full screen. Slideshow on current screen. You have to hit allow to allow it to attach to a different screen, and then I think you'll have to plug it back in. So now if you do slideshow you have to change your display again. Now it's duplicating it instead of stretching. So go back to your display settings.
>> This one.
>> Change that to extend.
>> Oh, yeah. And then it should be "keep changes".
>> Yes. So now if you hit okay, it should start the correct way.
>> Thank you.
>> I owe you a drink. Okay.
>> How do I pronounce your name?
>> Good morning everyone. We're about to get started with our first talk of the day. I'd like to remind you all to silence your cell phones, and there's no photography at all in the conference space. And without further ado, here's Kia.
>> Thanks. Good morning. Thanks for attending this talk. This is the start of an exciting week out of the year where we all get to converge on Las Vegas and learn and do a bunch of really cool things. So, this talk, can you hear me? Okay.
This talk is The Unbearable Weight of Commercial Licensing: Combining Closed Systems with Open-Source Defense. Who am I? I'm Kia Ard. I've been working in infosec for about 10 years. I started out with a vendor-neutral security consulting company where we did a little bit of everything. They would say things like, "Hey Kia, go into this network and check the status of monitoring. Figure out how to get in. This is the VPN you need to use. Go and check if OSC is working on these devices. No stress, it is a production environment and lives can be lost if something goes wrong. So, no stress, but get it done within the next two days please." From there I went on to endpoint detection, looking at various types of events, investigating if an event is malicious or suspicious, and working within the detection engineering space. From there I went on to be yet another security analyst doing all the things. When you work for a consulting company you essentially do whatever they ask you to do. So, well-rounded experience, but it is opinionated, and these opinions are my own after working within the security space. It's not necessarily for or against open or closed source, even though it may seem that way. We'll jump in. So, this is me. Who are you? You can just yell it out or you can raise your hand. How many people are security analysts or consider themselves that? How many people work with incident response? Cool. How many people are researchers? Cool. I'm glad you're here. Oh. And we're done.
>> Oh no. Oh no.
>> What happened? We have no slides now. Did I step on anything?
>> Well, plug it back in.
>> Oh no. Somebody tell a joke. All the things appear to be connected.
>> This is audio.
>> It's never happened before. Is that your home screen? What are we seeing up here?
>> Uh, that's your background screen. Yeah.
>> Okay. So, we need to bring the presentation.
>> So, here's the problem: it's your network. It's the Wi-Fi.
>> Okay. So, I can get off of Wi-Fi because it is cached. I mean, it is...
>> Yeah. All right.
>> I mean, it should be fine offline.
>> Okay.
>> But it's not. The presentation is...
>> Okay. So if you go back to your presentation...
>> I can't.
>> So move this way. There you go. Your mouse, when you go off the right side, it goes up there.
>> Ah, okay. Yeah.
>> Escape. Let's get out of this. It looks like the slideshow might still be running because it's all grayed out. Click on your Chrome down there.
>> We are past this. So yeah, why this talk? Again, we're going to go really fast with this: the open background of the internet, the current state of open source, and MISP: why use it? So in the past, and it wasn't too terribly long ago, they were trying to figure out how to send packets through the network. So going from this hand-drawn thing of four nodes, I'm going to skip past the stories of it. The background of the internet is based in open source. So we have three heavyweights here: Richard Stallman, Linus Torvalds and Elizabeth Jocelyn Feinler. So we have the person who developed the Linux kernel along with git. Elizabeth Feinler wrote the resource book for ARPANET. She also made it possible to navigate it, so she was behind the DNS system, and wrote and created the first WHOIS. And any of those protocols are also driven by RFC, request for comment, where they put it out to the community and get everybody's input. And the internet slowly grew. This was three or four years later, a logical map of ARPA which went on to become DARPANET, but you can see some of the universities in here: Illinois or Utah. Some companies that are quite older, Xerox I think is in there, Carnegie, Harvard, Aberdeen. At this time the internet was used only
for the purposes of communication. So there were some rules in place, like you couldn't use it for personal use, kind of like ham radio. And so somebody made a joke, looking back, that they attended a conference in England, left his shaver there, and so he asked for it back and he was like, haha, I was the first one who abused the internet. And we think about where we are today and the many nodes. This is from the opte.org website. It's really nice. It sort of diagrams and puts the different nodes in the internet throughout time, and it's put to really nice music. If you feel a little bit overwhelmed, you can go to your hotel room or watch this on YouTube, and it is really beautiful. But it has really come a long way. How we use it and what we connect to it has also grown exponentially. The average US household now has 17 internet connected devices. We probably have more, working in this space. So cyber security has grown. I wanted to find one slide that would show this, but essentially when I did a Google search I found that every one of these are very similar. There's a lot of money to be spent in this space, and the main point is that it's growing, it's expanding. So when you go to a
conference like RSA, this was from this spring, all the commercial vendors are represented and there's a lot of really good products out there. But open source often isn't promoted as much in these security spaces. So, I'm going to cover a few things that could be seen as being prohibitive toward blue team or protecting ourselves. You may have seen this if you're familiar with any sort of Microsoft licensing. This is made by Aaron Dinnage, who according to his LinkedIn does work for Microsoft, but in Australia. He runs a really great site that does a good job of helping people try and understand what it is that they want to get. Also on his site, now this is just one section of it, like you have to scroll down through it. This is like one of 10 scrolls to try and figure out which thing that you need to get. Point being that increased complexity, while it increases revenue, can also lead to security omissions and errors. So when we're looking at security products, we often have to get past sales into the technical talks before we can start to really understand how a product works. But another thing that I think is quite difficult as an analyst is that you get these alerts and sometimes there's not that much context. Wacatac. What is Wacatac? This
is something that's plagued me for a very long time. If you search for it, you find legitimate businesses who are like, "Yeah, this is a false positive, we make software, and we've done all the right things that you've asked us to do, but you still detect on it. Like, this is impacting our business." You also find other people who are like, "Oh, it's just detected on my machine. Like, what do I do? I downloaded all these other AV products to try and figure out what it is." And you're like, "Oh, you probably got malware in the process of trying to figure out what this detection was." But ultimately I would get back to Microsoft marketing that tells me that Defender will detect it and stop it, but I still don't know what it is. Licensing can be another sore point in the sense that when you're locked in as a company for one to three years, sometimes you're not able to really find solutions. And when that particular company comes up with another type of product, you might sort of be locked into only checking out that one product. And after going through that, I think that it's similar to the worlds of Marvel and DC, sort of dueling, but we're really all trying to defend. So trying to find the right things, the right tools that can integrate with it. And what
would be awesome? It would be awesome to see patterns of alerts over time. So when you have any sort of SaaS solution, EDR, NDR, often the data will time out. So after say 30 days, 90 days, even half a year, you won't be able to get to your data anymore. So it would be cool to see the correlation between the entities if they don't time out, to be able to see the threats over even years of time. As well as increased efficacy of those security tools, so that you can trust what kind of alerts you get. So for that Wacatac, F5 is also like, "That's one of our products. Sorry, it's a false positive, but do check the hash before you use it." So being able to trust the alerts is also, I think, really important. So there is something that works in that way, and it is MISP. I was talking to some security colleagues earlier last week and I was like, "Hey, have you guys looked at MISP?" And they were like, "No, I've tried to do it before and I don't know." So I was like, "No, it's really awesome." And it is. It is open source, as this slide can kind of show. But it can do a lot. And I want to
jump into a little bit of the history and then what it can do. And I have a running demo that will hopefully work. It started in 2011 when Christophe Vandeplas wanted to make the process of malware research more efficient. He found that he was like, "Hey, I'm looking at this malware. What are you seeing?" And his colleagues were like, "Oh, I did exactly the same thing and came up with the same hash, came up with the same thing." So he wanted to create something that would avoid duplicative work. He was pondering the inefficiencies of the current system, and at the time he was working for Belgian Defense. News spread about it and pretty soon
NATO got in touch with him and was interested in it. Who knows what NATO is?
>> Oh, great. What is it? Just yell it out.
>> Treaty.
>> Yes, it is a treaty organization that came out of World War II. It's made up of 30 European countries and two North American ones, Canada and the United States. NATO looked around and saw what was available for threat intelligence and was like, hm, this is actually filling a void. This is the most efficient system that we've seen thus far. And so NATO, and this picture was from a joint exercise last year with 900,000 troops, so they do know something about defense, NATO funded the MISP project. They essentially exist to defend. MISP is now managed by the European Union and an organization called CIRCL out of Luxembourg. It's a community. It's a fully community project, led by volunteers and driven by feedback from the users. So when you actually see what is inside of there, because they're like, "Ah, we're open. Other people from other industries can even use MISP." So there's really interesting things when you load up MISP with the defaults. It's actively supported and the latest release was last month, in July of 2025. But I wanted to understand who's using it, and it turns out it is about 6,000 organizations. This is a map from Shodan
and, you know, you can export the results of who has MISP in their name. There are a lot of governmental organizations. There's a lot of huge security companies. A lot of the companies that are down a few blocks for Black Hat also have their own MISP instances. You can just see it by domain name. There are also a lot of ISACs. Do you know what ISACs are? Information sharing and analysis centers. Turns out in 1999 there was a presidential directive that came out that said, hey, we want to be able to have industries work together. So defense works together, retail and hospitality works together. ICS has their own ISAC. We want to build our security up. So, we want you all to create these ISACs so you can share information. It's hosted on a mix of things. It's on GCP, Azure, AWS, Linode. It also can be air-gapped. So, it has many different uses. A lot of its uses are as a database because of their trusted IoCs. And then the various companies can push it off to their SIEMs, SOAR, EDR, firewalls to take action. So there is a lot of automation in it. But before MISP it was essentially an email or a listserv. This is from Obsidian. So people, essentially the ISAC, would manually maintain the email thread. It would like
list IPs and URLs. Then it would be emailed out to the different businesses. The different businesses would then, some probably didn't do anything. EDR was barely even a thing at that point, but they would put it toward their firewalls, but even if they had a script, it would still be an automated process of being able to take action on them. But with MISP, because each MISP instance has a lot of built-in features, because you're sharing IoCs and because automation is happening, they want to have a system in place, and they do have a very good system in place, where IoCs have already been vetted and they are feeding into the firewall and immediately taking action, or feeding into EDR, be it Defender or Sentinel or CrowdStrike. I found this handy dandy diagram, and so it does all of this. When I first looked at this I was like, oh god, this doesn't make any sense, but after learning about it and playing with it, it really does make sense. So you have all these closed source or commercial vendors, there's some open source ones in there as well, so it feeds that threat intelligence into MISP. At the same time there's a SOC or some sort of team that's looking at the indicators, and they are then like, oh, this is a true positive, this is an IoC that then goes into a trust-based sharing
and then it's also fed via REST API or a webhook to these other devices and services that can then take action. A bunch of different use cases, but I want to just point out some very cool things about it. When you're adding different attributes or objects, there's a little check box that says "for intrusion detection system", for IDS. If that's checked, then it's an indicator that it's something that's serious and should be blocked. Other people can and should take action on it. This is within an event, and the different blue blocks are objects. So there are things that can be grouped together. You can see that there's an inherit that has to do with the sharing that can be done. So if you have something that's private and the main event is private, or say TLP red, Traffic Light Protocol red, then it'll stay private within your organization, because you could put a lot of information in here. You could put in social security numbers, you can put in bank account numbers, routing, for analysis. It can be associated with the user. And there's also a correlate checkbox, and it's really intuitive. Like, you can take whole blocks of text and IoCs, stick it in as a text blob into MISP, and it'll intelligently group it out, like, oh, this is a URL, this can be an IoC, so it's
already checked for you. It's really smart. I want to try and get to the demo, but I also wanted to focus on a few things that are really smart about it. Under taxonomy, it's already integrated with the MITRE ATT&CK framework and about 80 other ones that you can automatically pull in and associate with a particular event based on the tags. Then you as an organization can also take action on it. So correlation can also happen automatically, which is nice, because I had that use case where you have a user that typically clicks on events and you're like, yeah, I feel like this guy just did it like seven months ago, but it's aged out of the SaaS platform, so you can't remember, like, but did he really do it? In here it'll automatically make a correlation on the object type. So there's a person object type. So you can plug in their name and you're like, "Oh yeah, he's done it three other times in the last 18 months." Galaxies are another way of organizing information. It's a container that can group together context by type. So this, if you can read at the very top, other organizations have gotten into using it as a platform that can provide the structure for their data that they're working with. So the top one, I think it's 90 999, that's different bacterial types, so that other hospitals and other organizations that are looking at germs can make sense of it. It's still heavily rooted in infosec and so it has a vocabulary already within it.
This is for, say, ICS, the people who are working with industrial control systems. Like again, the vocabulary is already there. All of these little icons in there do amazing things of correlation. More of the MITRE ATT&CK. I'm going to skip through now because it's actively being developed. People can add their opinions. So, they found the analysts sometimes when they get an IoC, they're like, I don't know about this IoC. This probably shouldn't be within here. So, they can then put their opinion. That opinion then gets attached to the object, and it also travels and gets synced to the other trusting MISP instances. Then after a while, that gets sent back to the original person as well as all the other sharing organizations, and they can take action on it. So the original organization can look at it and say, "Oh yeah, maybe I should change that." The other thing about this platform is that it can make your opsec better, in the sense that once you integrate with, say, Joe Sandbox or any other activity that you want it to, the analyst can then work within it, instead of going to Joe Sandbox or instead of going to VirusTotal in a separate browser window, potentially uploading something that they shouldn't. It can already be integrated in with MISP. All of these little buttons in there are huge drop-downs of various clusters or various tags that you can put in and associate with that object. More on taxonomies. Another type of tagging. So, it's all within there. You can just start the actions in the column over to the very right hand side. It makes it easy to set up because you can start clicking on things and it'll automatically be brought in, like the frameworks are already integrated. You can mess up though, which I've also done. If you click the little arrow or the triangle for play, it can bring in all of the indicators that another organization has
added in as events. So that's why in the demo instance all my numbers start at like four or 500, because I deleted a whole bunch of other ones. We want to know about the roles and permissions there. It's really well-developed and you can also create your own and give, say, a service its own limited permission set. Makes it really easy to create your own roles. App logging is also very good. This happens to be the application logs from a few days ago. Anything that's internet exposed is going to get pounded. So there's various APIs and other things that are trying to get in. But logging: every single change is logged. Every single change associated with the user is also logged, and you can modify that depending on, I think they have a paranoid mode of logging. So you can get all the things if you want to see them. Workflows and automation. There's workflows and automation inherently within MISP that you can harness to do simple things, or anything that has a webhook that's exposed you can also hook into and do cross-instance information. This is another cool thing: it allows you to essentially cache indicators. So you may have heard of MISP as a threat intelligence feed tool, because a lot of organizations purchase intelligence feeds or they use the open source ones and feed it into another, like say their firewall, to take action. What you can do within MISP is, instead of putting it in your own database, you can just cache it, and it starts to do any lookup with any object or attribute that you put in with an event, so that you can see, oh hey, this threat that we have in our environment, there are three other organizations who say that this IoC is a true positive. Okay, I'm going to try and show you this. We can drive around within it if I can get to it. Ah, okay. I need to share a different screen.
And I may need help. Can I show this one?
>> Are you going back to the presentation?
>> I am, but maybe I should just do it right now.
>> Yeah, because then can you go back to your display and set it back to duplicate, and then it'll show the same thing on here. So, go back to your settings, your display settings.
>> Sorry, I usually don't use this device.
>> So, just change that back to duplicate.
>> Duplicate.
>> And now you'll see the same thing on both screens. Keep.
>> Okay, cool. Thank you.
Okay. So, this is MISP. This is self-hosted. It's on the internet. And I wanted to see how it does correlations. So, here you can see the different attributes that are in this column. We'll get past the colorful tags one, and the dates are all fairly recent, but you can see that under correlation there's a number here. And so, Mr. Pink, let's look at this one. Looks like Mr. Pink has gotten phished and downloaded malware a couple of times. So, let's just take a look at this. Oh, okay. Great. So this has already been published, but over here on the right hand side under related events you can see Mr. Orange downloads malware and Mr. Pink does a copy and paste PowerShell compromise. These are the different indicators of compromise that are associated with that user. This one's Mr. Pink. The IDS is appropriately checked for things that you would want your firewall probably not to go to, this domain. The feed hits. You can also see that there's related events as well as related feed hits. So other organizations, URLhaus in this case, have also said this is a really malicious URL. So this is open source and it's just built into the platform.
If you are working with any sort of file, when you upload that file, I mean, you have to think of opsec as well. Like, you don't necessarily want analysts downloading malware on their device and then uploading it. They really should be doing this on a different device. But when any sort of binary is uploaded, MISP will automatically create the hash. If you check the box that says it is malicious, then it will create the hash for you. It'll encrypt it and it'll give you a password that you need to use. You can also do things like populate from, and I tried a free text import earlier and I just grabbed a whole swath of IoCs from the Unit 42 research group. They're defanged in the writeup. It automatically cleaned it up, automatically tagged what it was, IP, URL, whatever, and it brought it in appropriately, like, oh, this is something that should be blocked on an IDS.
We're getting close to time because I started off not really that well, but if you're interested in this, I'm happy to give you a login so you can check it out. If you have any questions, feel free to ask. Let me go back to... Oh, this is where we actually are in the presentation. So, there are many awesome open source tools, and there's a lot of cool commercialization of open source tools, like Zeek is sponsored by Corelight now. So there's a lot of integration. There are also a lot of really cool closed source commercial tools as well. A lot of them are out there.
Oh, I'm stuck now. But do you have any questions or comments? Thanks for sitting through my talk because it had a bit of a rough start. [Applause]
>> Yes.
>> Okay. How long have you had it up and what's the maintenance like running the software?
>> The question was how long has it been running and what's the maintenance? The maintenance is really cool. It actually audits itself, and so it told me, I did the default Ubuntu install. I hardened the server, like, you know, don't let root log in anymore. And I thought I took all the right steps, but when I audited it, it told me that the PHP config was world readable, and I was like, "Oh, I should..." So then, you know, you go into the server and, like, let's change the permissions on that. So, so far it's only been up for about a week, but I think it's regular maintenance of a server.
>> Yes. How is trust established?
>> That's a really good question. How is trust established? So, ISACs already have that trust established between organizations. I felt really alone when I launched mine because I didn't have anybody to trust or work with. The MISP organization, they have their own feeds that they're like, "Here, these are open. This is TLP clear or white, like you can take our feeds." And there's a lot of other open source feeds, but trust needs to be established. So if there was another SOC out there that trusted that I, well, if I was a threat researcher, then you can create that by essentially adding a key and that establishing that trust.
>> So maybe for those who don't directly use my firewall actually have...
>> Yeah. So the question or comment is, like, it would be a good idea to review those IoCs before you automatically start pushing. Yes. Absolutely. You need to trust the organizations that you're working with. If I think the relationship has been long established and they can trust each other and they're like, "Yeah, that's a really good analyst team over there," we trust them and they're open to our feedback. I think that helps. But yeah, you need to have trust in this relationship, in any relationship. Any other questions? Have a great week. Thank you to those that helped me with my presentation. Thanks for your patience and getting through this presentation.
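As an added example (not code from the talk or from the MISP project), this Python sketch re-implements two behaviours Kia describes: the free-text import that refangs a pasted IoC blob, types each value and sets the "for IDS" flag, and the cross-event correlation shown in the demo. Attribute type and category names follow MISP's public data model; the event dict is a minimal subset of MISP's event JSON, and the sample blob and event names are constructed.

```python
import re

# Constructed sample blob in the defanged style vendor write-ups use (not the
# talk's Unit 42 import); the values are documentation/test ranges and test hashes.
SAMPLE_BLOB = """
Observed C2: hxxp://update[.]example-cdn[.]test/gate.php
Drop domain: files[.]example-cdn[.]test
Beacon dst: 203[.]0[.]113[.]42 on 443
Payload sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Payload md5: d41d8cd98f00b204e9800998ecf8427e
"""

# MISP attribute type -> (category, default "for IDS" flag). The IDS checkbox
# is the talk's signal that downstream firewalls/EDR may act on the value.
TYPE_META = {
    "url":    ("Network activity", True),
    "domain": ("Network activity", True),
    "ip-dst": ("Network activity", True),
    "sha256": ("Payload delivery", True),
    "md5":    ("Payload delivery", True),
}

# Extraction order matters: URLs first so their host part is not re-read as a
# bare domain, sha256 before md5 so a long hash is not mistaken for a short one.
PATTERNS = [
    ("url",    re.compile(r"https?://[^\s\"'<>]+", re.I)),
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("md5",    re.compile(r"\b[a-f0-9]{32}\b", re.I)),
    ("ip-dst", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)),
]


def refang(text: str) -> str:
    """Undo the usual defanging so values match what a sensor would see."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        text = text.replace(defanged, real)
    return text


def extract_iocs(blob: str) -> list[tuple[str, str]]:
    """Return (misp_type, value) pairs in extraction order, deduplicated."""
    text = refang(blob)
    found, seen = [], set()
    for misp_type, pattern in PATTERNS:
        for match in pattern.findall(text):
            value = match.lower() if misp_type in ("sha256", "md5", "domain") else match
            if value not in seen:
                seen.add(value)
                found.append((misp_type, value))
        text = pattern.sub(" ", text)  # consume so later patterns cannot re-match
    return found


def build_event(info: str, blob: str) -> dict:
    """Build a minimal MISP-style event dict from a free-text IoC blob."""
    attributes = []
    for misp_type, value in extract_iocs(blob):
        category, to_ids = TYPE_META[misp_type]
        attributes.append({"type": misp_type, "category": category,
                           "value": value, "to_ids": to_ids})
    return {"Event": {"info": info, "Attribute": attributes}}


def correlate(events: list[dict]) -> dict[str, list[str]]:
    """Map every attribute value shared by two or more events to those events'
    info strings: the cross-event correlation the demo shows as a count."""
    seen: dict[str, list[str]] = {}
    for event in events:
        for attr in event["Event"]["Attribute"]:
            seen.setdefault(attr["value"], []).append(event["Event"]["info"])
    return {value: infos for value, infos in seen.items() if len(infos) > 1}


if __name__ == "__main__":
    pink = build_event("Mr. Pink downloads malware", SAMPLE_BLOB)
    orange = build_event("Mr. Orange downloads malware",
                         "Seen beaconing to 203[.]0[.]113[.]42 again")
    for attr in pink["Event"]["Attribute"]:
        print(f'{attr["type"]:7} to_ids={attr["to_ids"]!s:5} {attr["value"]}')
    print("correlations:", correlate([pink, orange]))
```

A real instance would additionally apply the sharing group or TLP tag to the event before anything downstream acts on the to_ids attributes, which is the review step raised in the Q&A.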
Good morning. Good morning and welcome to BSides Las Vegas Common Ground. This talk is Small Vulnerability Management, given by the speaker. A few announcements before we begin. We would like to thank our sponsors, especially our diamond sponsors Adobe and Aikido, and our co-sponsors Jobs on AI and Foromo. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed, except in Sky Talks, and as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. If you have any questions, use the audience microphone so YouTube can hear you. With that, let's get started. Please welcome.
>> Thank you.
>> All right. Hello everyone. Hope I'm audible.
>> Yes.
>> Yeah. Okay. So this is my first time talking, so please bear with me. I'm Aminash. I work as a vulnerability analyst at Discover. So currently I work in the application security team, and we have a separate vulnerability management team for application security and a separate one for infrastructure. Yeah. So today I'm going to discuss some of the frameworks that we are currently using. We might be using them but we might not be aware that we are actually using those frameworks in our day-to-day operations, especially in the vulnerability management space, and also there are some newer frameworks, probably new, like SSVC and VEX, which really help us prioritize the vulnerabilities. So I would like to get a quick show of hands. How many are familiar with SSVC and VEX? Okay. Yeah, we have a room full of audience but not many are familiar with it. So I would hope that I can bring good information out of this talk for you guys so that you can take this back to your company, like kickstart conversations on these topics, probably head in that direction. I want to put up a strong disclaimer that this is not something that we have implemented at Discover. This is more of a talk based on the available,
publicly available frameworks where security teams can make use of these in their organizations, and I'm not going to disclose Discover's strategy in our talk. So hope that is clear. On today's agenda, I'd like to mention something about today's challenges dealing with vulnerabilities and what are the new scoring systems that are available, and also there are some things called decision trees and there are some contextualization tools. I'd like to go over that, and I'd like to try to provide some kind of real world example. I'd like to take an example of a zero day and how we can use these frameworks to kind of address a zero day, and obviously the most important thing: metrics, executive reporting and the communication, and strengthening our own teams. So I would like to provide some kind of example strategies that we can make use of. And lastly the questions. So what is the current challenge that we have with CVSS version 3? Mostly nowadays we are seeing version 4, but most of the companies are still reliant on version 3. So severity scores in isolation: that means a vulnerability is only exploitable if there is a context, just that some security researcher or a vendor has done an exploit in his sandbox. That doesn't mean that it can be exploitable
in a company's environment which is actually secured, which can be internal systems. So things like that, and also lack of environmental relevance, same like that, and also mixed exploitability insights. That means when the CVE was out there might not be exploit PoCs available, but at a later time, let's say after 2 years or after 3 years, some bad actor or a security researcher might actually create an exploit which can be automatable, and people can make use of that. So these are missing in current CVSS version 3, and always remember the theoretical maximum impact is not equal to actual exploitation, and you know this concept of vulnerability chaining. So when an attacker wants to attack a system, they just do not exploit a single vulnerability, but they find a chain of vulnerabilities. So CVSS version 3 is missing this aspect, and this needs to be considered so that we can lower our noise or reduce the high number of vulnerabilities, and better prioritization type of things, and obviously the resources should be directed on the proper space, not that we have to deal with thousands of vulnerabilities on a single day. And regulatory scrutiny is high over the vulnerabilities, especially when it comes to PCI DSS compliance. So that's why we need to kind of clear our minds when
it comes to vulnerability management and focus on what's most important. So now there is this CVS version 4 available in the market. So what does that mean? So why there is a need for uh version 4 and what are the new things that's included? So too many criticals are there in version three and uh no threat context as we have discovered discussed and also lack of flexibility. Lack of flexibility means if the exploit uh is changing uh uh the the mode of exploitation changes it might be a automatic one or a manual exploit. So CVSS version 3 do not have any context to like uh to put these factors in. But version 4 has these uh
we can actually like put in concepts like attack requirements and user interaction can be like nonp passive active these can be like added into version 4 and um there is this new feature of like uh impact on subsequent systems uh that is included in the version 4 right now and also u uh there are um so CVS version 4 is from June 2024 uh that was included uh in NVD and the analyst are actually working on that. So there is also a plan for NVD to kind of convert all CVSS version three strings to version four strings by end of this year but yeah I'm not sure u how much of that can be possible by then but it's on
their website. And also some vendors nowadays are releasing their CVEs with CVSS version 4 strings, and it's actually dependent on the security researcher or the reporter on what string they are going to provide to NVD. So basically it's not yet there, but it's just coming in. So CVSS version 4 is a better one than version 3, in short.

And how many here are familiar with EPSS? Okay. Yeah. So that is also not a great number, but I believe the most important aspect of the talk today is EPSS, because it is a kind of machine learning algorithm that predicts the exploit in the next 30 days. So that is EPSS scoring. It is basically trying to take the data of that given particular vendor and their CVE and their historical aspect, like if that particular vendor has a CVE in the last two years or last three years, how it was exploited, how many exploits were made available for that. So they take that data into consideration and they would be predicting the next 30 days score of that. And there is this EPSS percentile thing. So based on the EPSS score the percentiles are given. So that scoring system is a direct, straightaway shot to prioritize: the highest EPSS percentile or percentage, we should concentrate on that first. So that's basically it, and there are also versions of EPSS. Let's say if you are using any vendor tool for EPSS or you are getting open source data, make sure that you are getting EPSS version 4 data there. This is developed by the organization called FIRST, the same one as the CVSS developers. They have this API integration link available on their website. You can directly go over there, get EPSS data and integrate it into your pipelines. And if you can see this diagram over here, the difference between version 3 and version 4 of EPSS is majorly the scoring. In version 3 most of the findings ended up having the highest score, but there were significant improvements made in version 4. You can see that the score is up and down, kind of evenly distributed. This is really helpful to prioritize better.

Okay, so exploitability context: VEX. So VEX you might be already doing in your company, basically triaging the SBOM, trying to see if it is actually exploitable or not, if the component is existing or not. There's a slight difference between call flow analysis and VEX: call flow analysis is runtime analysis, but VEX is kind of a manual analysis where an analyst goes and looks into the OSS component and sees if that particular vulnerable component is actually used or not. And there are four outcomes for the VEX framework, which are not affected, affected, fixed and under investigation. So based on these, these could be included to better prioritize our things. And I would like to have a call out or shout out for all the security companies over there and also all the financial companies: make sure that you are requesting your SBOMs from your vendors, because if we are not impacted by a vulnerability that doesn't mean that our vendors are not impacted by it, right? It is always a risk for us. So if you have the data of SBOMs, it should be publicly available for most of the tools. So try to push your vendors in that direction. Try to ask for their SBOM so that we are aware of the threat that our company is facing. So that is about VEX.

And SSVC. So this is a qualitative approach. There are no scores in this. This is also, oh okay, this is not the FIRST organization, this is CISA. So Carnegie Mellon University kind of researched this first and then CISA adapted this. So there are four major outcomes for SSVC, basically track, and again track with an asterisk, that is prioritized more,
and attend and act. So act is the highest severity one over here. In the next slide I'll explain how we can come to these end states, but mostly I'd like to mention one point about this: please note this SSVC can be changed for any given organization, like it can be customizable. The CISA-provided decision tree is actually not good with the financial industry, because there are some aspects of that which would not properly align with the financial industry, but we can always customize that by getting an idea of it. So this is the actual SSVC decision tree, like it's available on their website. If you can see to your right bottom, there are only four mentions of act. That means if the exploitation is active and if it is automatable, then if it is having a real technical impact or not, and then actually understanding the differences between that. So if you figure out that the impact is high or medium, then we might have to act on that, but if it's not that, then kind of track or attend to it, or go after one week and again review the exploitability status of that vulnerability, kind of that. So if you notice here there is this thing called mission and well-being. So this is apt for healthcare industries but not actually apt for some other technological companies or of that sort. So definitely we can customize that. For example, we can customize it based on internal versus external facing, or if it's PCI impacting, or things like that, the data classification of it. So you can definitely customize that based on the organizational needs and this can be made use of. Please note that VEX and SSVC are more of manual triaging efforts, like for now I don't see a company which has automated this, but this can definitely be automated. So that is basically about the four frameworks. Hope I'm able to give some overview of that. There are so many resources out there, like really good YouTube videos from CISA itself that can actually dive deep into that; given the time constraints, I'm not going much deeper into that. But I'd like to focus on the process aspect. Vulnerability management is all about operations. Okay, there are frameworks available, there are a lot of processes available, we have people available, but how to put everything into place and take the most out of these frameworks? So I would like to present some kind of idea or a process
that we can actually implement. So firstly, there are three major types of vulnerability management. You might be using your third party vendor to aggregate and have it in a single tool; that's called ASPM tools or something. And also you might have in-house vulnerability pipelines, or Excel sheet based. So anything works, just make sure that you have all the vulnerability data in one place, including the CVE and the affected component, and then try to integrate that CVE in a way that you have its EPSS score coming in, and also some other details like if it is CISA KEV impacted, true or false; that data can be integrated into that data. So now you have the vulnerabilities data and you have CVSS, EPSS scores and also the CISA KEV status. Make sure that these are on a day-to-day update basis: the EPSS score updates on a day-to-day basis and also CISA KEV can be updated on a day-to-day basis. And I don't think that we can directly start with VEX; it requires a good amount of manual effort, but there might be some processes existing in your company already which are kind of doing this. Application security engineers might be doing this process. So integrate this with that: if you figure out a component is not affected, then that can be ruled out, right? So that way we can include that. And also there is something called eBPF-based analysis and call flow analysis. These are runtime automatic analysis. These are offered by some security vendors out there. So in case you have those tools, that can be a replacement for VEX, but not exactly a replacement; those are two different processes, but there is an overlap. And also once you have these things, you can rule out on EPSS: if they have very low EPSS scores, that doesn't mean that we should completely ignore them, but if it has a high EPSS score then we definitely need to act on that. So if the outcome of VEX is not affected, we can ignore that, but if it is affected or any other of the outcomes, then it needs to be prioritized. So you can imagine, you can already see the filtering down of the vulnerabilities based on CVSS, EPSS and VEX, and now comes the SSVC. So once you have this list of findings where there is high criticality, then you can pass it through the SSVC from your already customized decision trees and act on only the ones where there's an act outcome. That could be a 15 day SLA or 30 day SLA; that should be treated as critical. And always, the security tool severity is not the organization severity. So that's why we can definitely risk rate our process using these four frameworks in a better way, and definitely, yeah, as I've mentioned, act, attend and track based on the SSVC outcomes, kind of a filtering process. Due to time constraints, again, I'm not going much deep into those. Especially when it comes to a company, some quick wins can be, first of all, integrating EPSS scores and then integrating the KEV. So this can be shown as a huge win when it comes to vulnerability
management. And also any company should have their SBOM trials. So start with a pilot, take one or two applications or a system, and then start with gathering its SBOMs, trying to develop a platform of SBOMs and integrating that somewhere so that you have a dashboard view of SBOMs, which should be updated on a day-to-day basis. And I'm trying to give some kind of timelines over here on the right. So in the first two months you can integrate EPSS and KEV, and then SBOM piloting, and then CVSS version 4 integration. Version 4 integration means NVD provides version 4. So make sure that your pipelines are integrated with that and you are getting the version 4 details whenever available. And obviously in the next 5 to 6 months, VEX integration and code reachability. This is some annual work; it would need more analysts, and this is just based on a 5,000 to 10,000 employee company. And later, at the end of this, then SSVC comes into place. SSVC again needs a lot of understanding, so piloting needs to be done, and at last full integration. So yeah, saying is easy, implementing is hard, so I'm just trying to provide an idea or an overview so that we at least start the discussion towards this direction. So that's all that is my intent. And there needs to be an involvement of a lot of teams in this, like development teams, application security teams, even SOC teams for threat intelligence, and audit teams. You should update your audit teams on your new risk rating methodology, so that you just don't end up having an audit finding on a critical vulnerability just because the tool severity says it's a critical; it's not a critical one. So that. And try to automate KEV tagging, EPSS scoring, SBOM generation, ticket creation. If these are automated then it reduces a lot of workload for the analysts at the end of the day. So if it is possible in your organization, try to do that. There are also vendors available out there who can do that, and also advanced Excel skills might help. That is that. Let me quickly look at the time. Okay, I guess I'm at time. I'll just breeze through it, just in a minute. Okay, so there are some example metrics out here. I'll try to share this presentation on my LinkedIn or something with my company's approval so that you can also go through this. I have tried to include some ways of executive reporting; it is really important. And there are some resources out there where you can gain your knowledge or train your teams on that. So EPSS and SSVC are available on the first.org website, so all these resources are from that, and VEX is available out there on the CISA website, and also there is the cyclonedx.org website coming in from OWASP. They also provide very good information on VEX. And obviously there is organizational resistance; changes are always hard to implement, and there are tooling limitations and things like that. So make sure that you have that listed beforehand, and make sure your staff is trained on these frameworks. They should have complete knowledge, and also the executive
committees or the leadership should have an overview of what these frameworks are. So yeah, overall, that is my talk. So thank you. [Applause] So, any questions?
>> Yes. How do you prioritize between a DAST finding and...
>> Yeah. So that's a really good question.
>> Huh?
>> Can you repeat the question?
>> Yeah. So the question is, if there is a DAST finding, there is no CVE associated with that. So how do I prioritize that using these frameworks, if I understand it right? So obviously SSVC and VEX come into place when there is no CVE. So SSVC could be a better option, but VEX needs customization, because VEX is actually trying to understand if the component is available or not; it's more focused towards an SBOM. But if you can customize it, you can try to understand, with the manual process, if a DAST finding, let's say SQL injection, is actually exploitable. A security tool can say it's exploitable, an IAST tool or some other tool can say, but what's the actual environmental context? If it's an internal website which nobody can access, it can be prioritized in a lesser manner. And obviously these frameworks are more focused towards a CVE rather than that. But yeah, it's a good question.
>> Yes.
>> How successful have you been in actually getting SBOMs from vendors, and the availability of them, that they're willing to...
>> Yeah. So obviously that's a good question. Obviously I cannot disclose Discover's strategy on that, and I really do not work in that area, so I do not have much information on SBOM gathering. But there were some talks that I've been to, and this is kind of a norm in the financial industry that JP Morgan Chase first started this, to ask for it. And I understand it's kind of hard, but the direction needs to be set in that way, so that if all companies start asking for SBOMs for these tools, maybe things will start; but if you do not start in that direction, it would never start, right? So kind of trying to just start the conversation in that direction, that's all.
>> Yes. So how do you measure that this new method is better than the existing method? Like what would be the major metrics to evaluate this method?
>> Major risks, you mean?
>> It's like some measurable metrics, I mean, like some cost maybe, or human resources.
>> Uh-huh. So I believe human resources is something, because you need a skilled team who can actually understand these frameworks, and also they should be able to read the CVE and understand what the CVE is talking about, not just blindly take a security reporter's insight and consider it a critical one. We have to actually be able to map it to our own environment and try to analyze that. So that is a major part of that: human resources; definitely skilled staff is required. But also on the other side, the technological aspect. The better the integration works, the better it's automated, the better it can be implemented. If you are just doing it on an Excel spreadsheet, let's say you do not have any in-house pipeline or any ASPM vendor, then it's going to be difficult to actually automate all these frameworks and all. So both technological and resource. Yep. Both.
>> Thank you.
>> All right. Thank you all. Thank you one and all. [Applause]
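The filtering pipeline the first talk describes (CVSS and EPSS scores plus CISA KEV status as enrichment, a VEX "not affected" statement as an exclusion, and a customized SSVC-style decision tree producing act, attend and track outcomes with SLAs) is written out below as an added example. This is illustrative code written for this page, not the speaker's, Discover's or CISA's implementation: the EPSS and CVSS thresholds, the "exposure and PCI scope" decision point that stands in for CISA's mission and well-being, the branches of the tree, the SLAs for attend and track, and the placeholder CVE identifiers and scores in the sample findings are all constructed assumptions.

```python
"""Illustrative prioritization pipeline: CVSS + EPSS + KEV + VEX + SSVC-style tree.

Added example for this page. Thresholds, tree branches, SLAs and the sample
findings are constructed assumptions, not CISA's published SSVC tree and not
any organization's real process.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    cve: str               # placeholder ids (CVE-0000-000N) below, not real CVEs
    component: str
    cvss: float            # base score from the scanner / NVD (v3 or v4)
    epss: float            # EPSS probability of exploitation in the next 30 days (0..1)
    in_kev: bool           # listed in the CISA Known Exploited Vulnerabilities catalog
    vex_status: str        # not_affected | affected | fixed | under_investigation
    exposure: str          # internal | external (assumed replacement for mission/well-being)
    pci_scope: bool        # component handles cardholder data (assumed decision point)
    automatable: bool      # SSVC "automatable" decision point
    technical_impact: str  # partial | total (SSVC decision point)


# Assumed thresholds; tune per organization and re-run daily as EPSS and KEV update.
EPSS_HIGH = 0.10
CVSS_HIGH = 7.0
# Assumed SLAs in days. The talk mentions 15 or 30 days for "act"; the rest are assumed.
SLA_DAYS: Dict[str, Optional[int]] = {"act": 15, "attend": 30, "track*": 90, "track": None}


def passes_prefilter(f: Finding) -> bool:
    """Stage 1: a VEX 'not_affected' finding is ruled out; anything else is kept
    only if it is KEV-listed, has a high EPSS score, or a high CVSS base score."""
    if f.vex_status == "not_affected":
        return False
    return f.in_kev or f.epss >= EPSS_HIGH or f.cvss >= CVSS_HIGH


def exploitation(f: Finding) -> str:
    """SSVC exploitation decision point derived from threat data instead of by hand:
    a KEV listing means active exploitation; a high EPSS score means it is likely."""
    if f.in_kev:
        return "active"
    if f.epss >= EPSS_HIGH:
        return "likely"
    return "none"


def exposure_impact(f: Finding) -> str:
    """Assumed organizational decision point: external exposure and PCI scope."""
    if f.exposure == "external" and f.pci_scope:
        return "high"
    if f.exposure == "external" or f.pci_scope:
        return "medium"
    return "low"


def ssvc_decision(f: Finding) -> str:
    """Simplified, customized SSVC-style tree (assumed branches). 'act' is reserved
    for actively exploited findings that are automatable, or total-impact, on
    exposed or PCI-scoped systems."""
    ex, imp, total = exploitation(f), exposure_impact(f), f.technical_impact == "total"
    if ex == "active":
        if (f.automatable and imp != "low") or (total and imp == "high"):
            return "act"
        return "attend"
    if ex == "likely":
        return "attend" if (f.automatable and total and imp != "low") else "track*"
    return "track*" if (total and imp == "high") else "track"


def prioritize(findings: List[Finding]) -> List[Tuple[str, str, Optional[int]]]:
    """Run the whole pipeline; returns (cve, decision, sla_days), most urgent first."""
    order = {"act": 0, "attend": 1, "track*": 2, "track": 3}
    results = []
    for f in findings:
        if passes_prefilter(f):
            decision = ssvc_decision(f)
            results.append((f.cve, decision, SLA_DAYS[decision]))
    results.sort(key=lambda r: order[r[1]])  # stable sort keeps input order within a tier
    return results


def summarize(results: List[Tuple[str, str, Optional[int]]]) -> Dict[str, int]:
    """Counts per outcome: the figure an executive report carries instead of raw
    scanner severity counts (tool severity is not organization severity)."""
    counts = {"act": 0, "attend": 0, "track*": 0, "track": 0}
    for _, decision, _ in results:
        counts[decision] += 1
    return counts


# Constructed sample findings with placeholder CVE ids; scores and flags are made up.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web-gateway", 9.8, 0.02, True, "affected", "external", True, True, "total"),
    Finding("CVE-0000-0002", "libfoo", 9.1, 0.01, False, "not_affected", "external", False, True, "total"),
    Finding("CVE-0000-0003", "batch-runner", 7.5, 0.45, False, "under_investigation", "internal", False, True, "total"),
    Finding("CVE-0000-0004", "intranet-wiki", 5.3, 0.001, False, "affected", "external", False, False, "partial"),
    Finding("CVE-0000-0005", "payment-api", 8.8, 0.003, False, "affected", "external", True, False, "total"),
    Finding("CVE-0000-0006", "admin-console", 6.5, 0.30, True, "fixed", "internal", False, False, "partial"),
]

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_FINDINGS)
    for cve, decision, sla in ranked:
        print(f"{cve:14} {decision:7} SLA={sla}")
    print(summarize(ranked))
```

On the sample data the KEV-listed, externally exposed, PCI-scoped finding is the only "act"; the second KEV entry lands in "attend" because it is internal and not automatable; the two remaining high-score findings fall to "track*"; and the VEX "not affected" entry and the low-CVSS, low-EPSS entry never reach the tree at all. The point of separating `passes_prefilter`, `exploitation` and `exposure_impact` is that each is the piece an organization customizes, as the talk suggests, without touching the rest of the pipeline.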
All right, good afternoon everybody and welcome to BSides Las Vegas in the Common Ground. This is Thwarting Key Extraction and Supply Chain Attacks by Detonating GPUs, given by MEMT. And a few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors Adobe and Iikido and our gold sponsors Formal and Profit. It's their support along with our other sponsors, donors, and volunteers that make this event possible. These talks are being streamed live on YouTube. And as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. If there is still time by the end of the talk, we will have time for audience questions, where I will bring the mic around the room to whoever wants to ask a question. And just a reminder for BSides cell phone policy, we do not allow photography in here, just as a quick reminder. But with that, I think we'll hand it over to Memed. Please take it away.
>> All right. Thank you guys for showing up and liking this, I guess. I hope you like it. So, yeah, it's a thing we've been doing for about eight months now, and I've been in the security field for about a year. Before that, I was injecting people with computer chips. We can talk about that if you want later, but detonating GPUs is what you want to see. And yes, this is about as much fire as we are showing in this presentation. The idea is to keep things contained, but oh well, there's a video of that. So, first things first, be safe. Keep your limbs, life and freedom. A lot of people have lost limbs working with explosives. So, if you want to try these at your facilities, please work with a licensed professional, like we did. We worked with John Norman of ACCX Research. He's no stranger to these conferences and the scene anyway. Just work with someone who knows what they're doing, please. Or don't blame me if you don't. So, yeah, we're talking about why would you want to have self-destruct? Someone who possesses the device is not necessarily the trusted party for that device. How not to self-destruct: thermite doesn't work, that's the long and short of it. And explosives do. So that's the talk. Thermite doesn't work, explosives do. You don't necessarily trust people who hold the devices. And in more detail, hardware is vulnerable to physical side channels. You can extract keys from things pretty convincingly. So if someone extracts keys from a device, they can pretend to be that device and so on and so forth. So it's important to actually limit physical access to a device from an inspection point onwards, or from when secrets are injected onwards. It also is important if you're going to deploy your device to a place, in a neighborhood, that you don't trust. Say you're building a data center in a country where you have good relationships today but maybe not tomorrow, and you want to be able to make sure that someone who betrays your trust only pisses you off but does not actually have access to your devices. So these are the kind of motivations we have in mind, and one way of making sure people don't get to your chips is keep a big honking metal on them and make sure that it can't come off. So that's basically what we're doing. You keep the heat sink on. You have some tamper sensor, which is out of scope for this talk, but we can discuss this afterwards if you like. And in order for this to be applicable, this destruction needs to be fast, like milliseconds if not nanoseconds fast, and scalable, so you can actually deploy this in a large, you know, thousands of GPUs, hundreds of thousands of GPUs data center, or your SSDs or what have you. And you need to contain the damage so that people who install these things don't lose their digits if these things actually misfire or fire, detonate, and so on and so forth. So we have basically one option, but we tried two. We tried thermites and explosives. There are other things you could think about, and we can discuss afterwards, but these seemed fast and decisive. It turns out thermites are actually somewhat promising in that you can actually manufacture them in a nanofabrication facility, the same places where these chips are being manufactured. Aluminum and copper oxide is stuff you can deposit easily, except if you want to do nano layers it takes about 10 hours to actually have the stack that you see, and that is going a little too fast, and we had one ignition out of like eight wafers just because of how fast you deposit it, it heats up. So I don't know if it's that feasible in terms of manufacturing, but we tried, and we did fire it. And when we fired the chips, they actually got embedded into the plastic, the acrylic stage, but the chips were intact after we actually fired nano-deposited nanothermite on the chips. So you can get nanothermite on a chip, you can manufacture it, but it doesn't seem to break things. So, no go. We added powder, so powdered nanothermite, about a gram of nanothermite as opposed to whatever you can deposit, and honestly it was hard to ignite. So we had to put insulating tape on top of this to actually get an ignition. It turns out these heat sinks actually can rob a lot of heat. So it's hard to actually ignite thermite. Thermite is notoriously difficult to ignite, and when you put a heat sink on top it gets even worse. But you know, we wanted a picture. So we got tape on top of it, and we got an ignition so that you can see this slow motion fire.
Yeah. So we got that. It turns out the chip got away unscathed. It's perfectly fine. It's just fire. It turns out silicon is basically rock. But it's crystalline rock, which we will exploit. So, again, we want something faster, so that we actually generate a shock wave and get some destruction going. And we did: we put a detonator on the back side of a GPU, and you got a product launch. As you can see, there's the GPU on the left side. After ignition, there is no GPU. It just launched straight off. We figured, hey, maybe you want to keep a heat sink on. So, we did put a heat sink on. This isn't Barto Stove Desert, by the way, if you ever want to visit us. This is the detonator behind the GPU and a rock on top so things don't fly. Yeah. And the heat sink absorbed all the shock. So, the GPU was intact. It turns out if you have an SXM card, those are pretty thick. And the card itself is not useful afterwards, because all the electronics are shattered. But if someone can delaminate this GPU and use it on something else, they can. So the back side doesn't seem to work. So we tried the front side. I mean, there's a bunch of tests in the middle, but we put a detonator on the top of a heat sink and detonated; the heat sink came apart and absorbed the shock. So that didn't work as much. We put the detonator inside the heat sink so that there isn't an air cavity; the copper cold plate itself became our hammer, as opposed to fins getting in the way, and we got a detonation, and that actually drove the point home, quite literally. There's nothing left after that. And this is sort of the damage; you can see the copper behind, that's the interconnects between the chips, or the interposer, whatever. So within the heat sink, detonators are useful; that's something we can do, and the heat sink itself can act as your hammer. Detonators need to be stable. If this is going to be in a data center, it'll be 80 Celsius for five years. So, we figured we'll certify these, or test these, for 105 Celsius for 5 years, which means we did 130 Celsius for 47 days. That's how the math works out. And they still fired. We were still in love with the back side for a little bit. So, we tried it again with this detonator. Nope. We have a crack. It's a little stronger of a detonator. It's 450 milligrams of RDX. So we cracked the chip, but we didn't get complete destruction, which is still useful if you want to deny access to a chip, but if you want to also deny imaging it's not useful. The back plate of course came in pieces, which wasn't very helpful to us because you don't want this mess in your data center, which we'll come back to. So the front side is better. So you make a little hole for your detonator on the heat sink, as you see on the bottom, and it works: complete destruction of the GPU layer. One thing you see is that the GPU computing die is very thin. It's the middle die and it gets completely evaporated, like pulverized. The HBMs actually don't get pulverized. I think it's because of the way the DDR is structured; it's layers upon layers of metal. So I don't think you can read anything off of it, but I haven't tried. I don't have the means. But I'll ship you the chips if you want to image these things. But the GPU itself is destroyed. And we also tried this with a V100 PCI Express GPU. Again, made a hole where the detonator can fit, closed it up, complete destruction. Front side works. Now, of course, you don't want to destroy your hands. And one way to not destroy things that contain destruction is actually metal foam. This is available. It's dual cell foam from ERG out of aerospace in Nevada. Thank you. And we actually put a little bit of aluminum tape just to keep it in place, and in between there's a thin 1 mm carbon fiber layer, and we put a Kevlar sock on that. This is a butcher sleeve, so that you can actually contain the damage and things stay in place, and damage seems to be contained. We still have some work to do, but it seems like we can contain damage. Same thing with the PCI Express card, and it works. So this is after an
initiation uh the uh the detonator is right behind this plate the back this back plate. We had a little hole but uh the carbon fiber plate was intact and nothing really reached the the cavlar even. So what's next? Uh the next is actually make this look neat uh and make it and go for an ATF special device exemption. It's a it's a kind of exemption you get for your pyrochnic fuses and such. If you have if if any of you have seen an electric car or driven one, there there's actually a powerful bus bar just a piece of copper and that's very difficult to fuse uh normally because there's a huge amount of power going through. So they actually
have small explosive charge so that actually uh blows up as a one-time fuse in case there's a fire or an anomaly. So we want to get that kind of exemption for the for these things. So we can actually you know provide these to people who don't have training and they'll be safe and same goes for transport. You need to have a transport exemption so that you can actually ship these things without placards and same with export controls. So yeah, the questions comments thoughts? [Applause]
>> Yes, sir. >> Have you published a formal paper on this? >> Not yet. No. >> Repeat the question. >> Oh, have you published a formal paper on this? We published, I mean, in the submission page, I guess we put a lot of information out there, but no, not a formal paper just yet. >> Are you planning to release the slides? >> I'll be happy to. Anything else? I'll be around. Oh, yes.

>> A few more questions, but I wanted to give other people the opportunity as well. Have you looked into detecting when someone opens a case and then tying it into a full system, so that you could cause the explosion before someone opens a case and tries to tamper with the device? >> Yes, we have. We're working with Temper out of San Francisco and other players to actually integrate this into a full system. In fact, you probably want that anyway, because you don't want an accessible detonator in there. So the two use cases we see: one is a scram button. You have a data center and it's being stormed, so you press the big red button and there's no more data center, but it's not a big explosion. It's just everywhere. The other is having, as you said, a tamper-responsive, tamper-detecting enclosure, and then this is the tamper response. >> And where can we read more about your work on this research? >> So, we have our website irrand.ai, which has nothing of this. I should probably put at least an arXiv paper up there. Stay tuned. >> Thank you.

>> Oh, there's a question back there. >> Thank you. I'm curious, just from the applicability and use cases you're talking about, why wouldn't you have something that just overwrote the secrets that are stored in there? Why do you need to destroy the whole chip? Is this specifically for protecting the IP of the chip because it's a specialized chip, or beyond the secrets? Just trying to understand. >> So it's twofold. One is protecting the IP of the chip; the IP itself may be a secret. The other would be that this can be faster than overwrite. And if your attackers are strong enough to use, say, a shaped charge to destroy your overwrite circuitry, this might be a thing. But yeah. >> Are you getting requests for that, saying that current overwrite methods are insufficient because they take too long? So you have customers who specifically want to destroy the whole thing? >> So actually the request we get is about denying access to chips, more than anything else. >> More about protecting the whole chip itself. >> Protecting the chip itself, protecting against repurposing of the devices. That's mostly the requests we get. >> Thank you.

>> Thank you. There's a question over there. >> Just a quick one. Are you looking at all into combining this with using location data? I'm thinking about export controls and pieces like that. I don't know if that's part of the impetus for this or not, but... >> Yeah. So people have actually come up to us discussing this in different settings, saying some people might want location limiting, and if you want that chip-enforced, it's very important to make sure that the keys and secrets in the chip can't be extracted or rewritten. For these GPUs, the compute fabric is the hard part, it seems. So if people can actually inject their own keys or spoof keys, they can get around hardware-backed export controls. So a self-destruct would be very useful for that. >> And are you working on making a form factor that would work with that, versus a data center kind of... >> Yeah, sure. So that's kind of why we actually went with both SXM and PCI Express. The idea is to have the chips ship with their heat sinks, which in PCI Express is already the case. Of course, it's not going to be a sock; we're working on it, but that's the idea: have the containment on the PCI Express form factor or the SXM form factor so that it's actually useful. Thank you. Anything else? I'll be around, and you could reach me at... Oh, go back all the way to the first slide. Mehmed, airendel.ai. Should have put this in the first slide. Yeah. Oh, mehmed at aendandel.ai, or if you have Signal, it's mehmed72. You can reach me there as well. Thank you. >> All right, let's give him another round of applause. [Applause]
All right, welcome everybody. Good afternoon. Welcome back to BSides Las Vegas and the Common Ground. This talk is The Art of Concealment: CVE's Challenge with Transparency, by Jerry Gamblin. A few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Iikido, and our gold sponsors, Drop Zone AI and RunZero. It's their support, along with our other sponsors, donors, and volunteers, that makes this event possible. These talks are being streamed live to YouTube. And as a courtesy to our speakers and audience, we ask that you check to make sure that your cell phones are silent. If there is time after the talk, I will be passing around the mic for any audience questions. And just as a quick reminder, as per the BSides cell phone policy, there is no photography allowed. And with that, I think we'll kick it off and hand it over to Jerry. Take it away. >> Thank you so much. >> Let's give him a welcome.

>> Thank you. We'll get right into this. We only have 20 minutes today, so I think we'll be able to get through it in plenty of time. But a little bit about me. My name is Jerry Gamblin. I come from a government background; I spent my first 10 years in the government. I spent a lot of time running VM programs. I went to Carfax after my government term, and then I worked for a small startup called Kenna Security, who kind of pioneered risk-based vulnerability management. I then went to Cisco, where I'm at presently. I'm a principal engineer there in their threat detection and response. So I handle the CVE data that we get in for our customers. So I'm on the other side of the board from where you'd think Cisco's at, right? Like, we have our PSIRT that is for Cisco that publishes all the CVEs for the routers. We have Talos, who publishes all their independent work, and then I'm kind of the third leg over here complaining about the data. So I showed them this talk before I'm showing it to you guys. So any questions you ask me cannot hurt my feelings after what they said about the talk. So we're good to go. I'm a member of the EPSS SIG, too. I like to throw that in there because that's an open SIG, and if you're interested in exploit prediction and data science, it's a great place to get your feet wet. Jay Jacobs runs that. He's in the room. I'm sure he'll be happy to talk to you guys afterwards if you're interested in that.

So I am moving some stuff around. I have officially moved all of my open-source vulnerability intelligence software projects under Rogo Labs, because I have four of them now and that's too many to just run under my personal GitHub, and GitHub, who we also have in the room, was super nice enough to give me a free Copilot organization. So now I have that. It's all under there. CVE.icu is under there. It just pulls in the data and runs through that every day. I have cveforecast.org because I'm a big nerd and I want to know how many CVEs are going to be published each year. So that goes through every night and predicts how many CVEs are going to be published by the end of the year. And I have patchthis.app, which is just a simple answer to the CISA KEV. I thought the KEV was missing a few places where there was data, so I just went out and pulled all those in from Metasploit, etc. So it just builds a list there, about 8,000 CVEs in there now, that you should use. It does use the CISA KEV. I am a big fan of the CISA KEV, but I don't think it presents a full picture of all the exploited vulnerabilities on the internet.

So, the promise of the CVE. There are a lot of very smart CVE people in this room, so talking about this here is a little weird, but in 1999 it started, and the simple thing was: we are going to put all the CVEs in one place. We're going to give them a standard name. They're all going to be CVE with some identifier and then another identifier, right? And so it started out super simple. There were, you know, 300 of them in 1999, so not a big deal. Last year we broke 40,000, and I got a lot of press saying we broke 40,000, and then 30 people went and rejected the CVEs that they published. So we ended the year with 39,970 published CVEs. So it was close, a rounding error basically. And a common schema. The common schema was supposed to say what this vulnerability does and kind of give you some information on it. Todd's in the room. He'll tell you it's not how you're supposed to fix the vulnerability. It was just for publishing. But that's a different question.

So I feel that the broken promise of the CVE program is this, right: the poor data quality. When I first submitted this talk, I was going to talk about how CNAs like Microsoft have over 125 CVEs published this year with the exact same description name. But I didn't think that was worthy of the full talk, so I changed it up a little bit. It also cripples automation. You started noticing this after NVD had their funding issue in 2024. That's when people finally realized where the majority of the CVE data they rely on came from, and it wasn't the CNAs or the CVE program; it was the NVD. So when that broke, we started to see that. And then we have research fatigue, and I'll talk about this a little bit later. There are 460 individual organizations now that can publish CVEs. That means there are 460 different data definitions that you would need to learn and understand to be able to easily understand the data that's coming into CVE, because everybody says, "Oh, we do it this way. We do it a little different here. Here's where you get this information." So it really broke the promise of a standard language for CVEs.

So people are going to disagree with me on this, but as somebody who spent my life in the blue team, a CVE needs four things to be a CVE. It needs what kind of weakness it is. We use CWE for that, right? We use what's affected, what product this is, right? We use CPE. Everybody hates CPE, but there's nothing better. It's the standard. I will put PURL on this list as soon as the CVE board approves the schema change that has been in progress for three months at a minimum. >> Yeah. >> How to fix it. I know people will say this isn't part of the original thing, but as somebody who needs to know how to fix it, I want to know what the patch information is. And the severity. Once again, you can all tell me how much CVSS sucks and that it's not great, etc., etc., but everybody uses it and everybody needs it, right?

So the first pillar is obviously the CWE, and it is needed for people to understand what the overall vulnerability situation is in their network. It might seem like a little thing, but mature vulnerability management programs track this information so that they can tell where they're most likely to be vulnerable and decide where to spend their money externally, outside of the VM program, right? So if I know that I have a bunch of DDoS-based vulnerabilities that I might not be able to patch, I can then say, hey, maybe I need to increase my DDoS protection through Cloudflare or whatever. Cross-site scripting is the same way. That's why CWE is important. CWE is also run by MITRE, and they've done an amazing job over the last three years. They're actually up to 80% of all CVEs now have a CWE on there. I think that's the tipping point. I think if we have 80% of them, that should easily become a required field, right? Like, just click it over and say now we require these all to have them.

The product. This one gets me all the time. CPEs are the only machine-readable way to get product information out of a CVE record today. But they're not required to publish a CVE, and most people do not do it. Does anybody want to guess what percentage of CVEs in the last six months from a CNA has a CPE on it? >> 2%. So CNAs are only providing 2% of the CVEs they publish with CPEs. They'll tell you it's not required. They'll tell you they put that information in the description. They'll tell you they put it in the affected field. Very smart CVE board members will tell you that you really don't have to have this information, but it can be in the... like, there are only three required fields to publish a CVE. And they will tell you that you can munge one of them into the description and not have it. My next question to them is always, how do you check that the data is in there before they publish it? Because the schema validation for the CVE description is one character. That's all the schema validation for CVEs as of today.

The severity, CVSS. Does anybody in here like CVSS scores? All right. A couple of people. All right. So it's not bad, but you know, most people, if you run a PCI shop, you know you've got to patch everything that's high and above, right? And we need that information in the CVEs. How many people who need CVSS scores have had a hard time finding them recently, since NVD stopped producing that data? Right. Same deal. We're getting close. I think it was 70% last time I looked. More and more CNAs are starting to put that data in there. It's really skewed towards the bigger CNAs doing it, but we're missing that data as a normal data point that we need.

And the last is the patch info, which I know is probably the one that most people want to fight me on. It's because they say the data is there somewhere, but it's not in a reference in the CVE record so that I can just look and say, "Okay, here's the link I click for the patch." Right? I have to look at eight or ten different links in the references and figure out which one of these is it. I've got to know that Cisco puts their patches here, Microsoft puts their patches here, and it really doesn't need to be that hard. The CVE program has a patch tag that everybody should be using.

So let's just go to the impact on security operations. Without CPEs, most of your scanning tools break. It's as simple as that. The NVD was propping up a billion-plus-dollar-a-year industry for security scanners, because they would fill in that data, and then scanners would take that data and scan your networks and say, here's what it is. I was part of those conversations. I was part of that scramble last year to figure out how do we do this, and everybody came up with a different answer, and none of them were really great. So we're now back to relying on CNAs to do that, and even NVD to some point. We have to have that data to be valuable. And we have wasted time and resource drain. I know that people say the CVE program is a volunteer program and that people publish these voluntarily, but this information is not consumed voluntarily. It's consumed by people who need to know where the data is and how to get to it. So incomplete records, half records, buried records make it super hard for people to do their job on a day-in, day-out basis.

So, the CNA ecosystem problem. If you were at the CVE panel, you heard Chris say that over the last 10 years, I think from 2016, they tried to increase it, and they've done an amazing job. They went from 30 CNAs to over 460 CNAs this year. That's great. But nobody here has time to learn 460 different data models and understand how each one of these CNAs is going to publish this data.
So, a path forward. It's been said, I couldn't even figure out who to attribute this to, but you can't improve what you can't measure. And we've never measured CNA quality in a way that makes sense. So about four months ago, I started to build CNA Scorecard. I went to work on it. I built a first model. It used machine learning and AI, and it was really, really cool. And then Bob Lord sent me an email and said, "Hey, can you explain what this 82.67% means?" And I'm like, uh, not in an easy way, right? Like, I could sit down and do it. So I went back and said, we're going to step away from that and we're just going to count fields at first, right? Like, if you have the field, we're going to say it's good. We're not going to look at quality yet. We'll get there, but we've started to build a project to help manage that.

So today I'm super happy to announce the public launch of cnascorecard.org. It's a website that gets updated three or four times a day using GitHub Actions. What it does is it pulls down the CVE v5 list, processes all the CVEs published in the last five years, sorry, last six months, lists them, and then tells you which of those four objects they're missing, right? Do they have the CWE? Do they have the patch info? Do they have the CVSS score, etc.? You can go in and you can tell by CNA which ones are filling in which information. And I only have two minutes left, so I am going to jump right to there.

So here is the overall as of today, right? I wanted to be nice, so we have 100% for completeness, right? This is the minimum stuff you have to have to publish a CVE, right? So everybody who has published is great, right? Root cause awareness, it was better than I thought: 87.4% of all CVEs published have a CWE. Only 2% of all CVEs published in the last six months have a CPE. If you need that data to figure out which vulnerabilities are on your network, that number should scare you. 88% have CVSS. Super great. That one's pretty wide, so it's from 3.0, 3.1, and 4. I break it down on the site a little more in depth if you want to look at who's doing what. And the last one is only about 5% of CVEs have an easy way to tell where the patch is for the vulnerability. That should be easy table stakes for people: to say, here's exactly where I go to get this patch. Here's what a little breakdown looks like. Okta, who is leading today: you can tell they do all the foundation awareness, all the root quality, all the CPEs, sorry, they don't do any CPEs, but they get all the other four. So they get a 90% overall score. So that's great. So you can go to the website right now, type in which CNA you want to look up, and it'll tell you here's how they're performing.

And, well, this is interesting. You guys are all consumers in here, mostly, and you buy stuff from these companies. If I typed in somebody's name here and they weren't in the top 10%, and they were asking me for, you know, a renewal of $150,000 or whatever, along with my request for "I need this feature," I should also have this request, like, hey, I need this, right? Like, I would love to have better CVE records. That's part of the product you guys pay for when you buy software: the vulnerability records. It's all part of the life cycle. And I need more people to help me hold CNAs, not accountable, because that's the wrong word, but to let them know that we're looking at the data they're providing, and that while in the past the CVE program has been optional and you didn't need to publish stuff, and it was just people doing it in their spare time, in 2025 we're beyond that, and this data is serious. It helps protect our companies. It helps protect our infrastructure, and it helps protect our nation.

Outside of that, that is about it. I would love for you guys to look at the CNA Scorecard and take a look and check it out and let me know what you guys think. It's open source, and it's open source on purpose. I would love issues. If you think that I'm wrong, put it in the issues and we can have a community discussion about it. If you find a bug, let me know. I'll try to fix it, right? Like, I'm trying to build this stuff in the open, publicly, so people can see the data and see where it's coming from and help improve it. I don't want smoke and mirrors. I just want to fix this problem for everyone. And with that, I think we have time for maybe one question.

>> Earlier you talked also about the EU Cyber Resilience Act and how that would impact the number of CVEs being released, in terms of quality of the data as well, because there's now a mandate for that. How many new vendors will come into this new area and just put out information with the minimum requirements and let the rest sort itself out? >> Yeah, that's a very important question and something that we have to figure out, right, with the EU's new regulations on publishing. If the publishing bar is so low that basically, you know, a simple sentence and a link will get you published, that's all that they have to provide. Both teams are going to have to work together, right? The EU legislature is going to have to say, "Hey, you're going to need more information," and the CVE program needs to raise the bar about where publication is, right? Especially when you get to that point where you have 80-plus percent of CNAs providing a field, that should be an easy field to switch to mandated, right? Like, you've already made critical mass there and you just flip it over. So I think that there's going to be a lot of maturing in the vulnerability database space in the next five years. I'm giving another talk at EPSC Village at DEF CON on Friday afternoon at 1 that really dives into that. If you're interested, I would love to see you guys there. So with that, thank you guys very much for your time and I'll let the next person have the room.
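The four-field count the talk describes, written out as an added example that is not the CNA Scorecard project's own code: it walks a CVE JSON 5.x record, reports whether the CNA container carries a CWE, a CPE, a CVSS score and a patch-tagged reference, and rolls the rate up per CNA. The JSON paths follow the CVE 5.x schema as I read it; the two sample records and their IDs are constructed placeholders, not real vulnerabilities.

```python
"""Count the four fields the talk calls out (CWE, CPE, CVSS, patch reference)
in CVE JSON 5.x records and roll the results up per CNA.

Added example, not the CNA Scorecard project's own code. The records at the
bottom are constructed for illustration and do not describe real CVEs.
"""
from collections import defaultdict

FIELDS = ("cwe", "cpe", "cvss", "patch")

# CVSS metric keys the 5.x schema allows inside containers.cna.metrics[]
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


def score_record(record: dict) -> dict:
    """Return {field: bool} for one CVE 5.x record, looking only at the CNA container."""
    cna = record.get("containers", {}).get("cna", {})

    # Weakness: problemTypes[].descriptions[].cweId (e.g. "CWE-79")
    has_cwe = any(
        str(d.get("cweId", "")).startswith("CWE-")
        for pt in cna.get("problemTypes", [])
        for d in pt.get("descriptions", [])
    )

    # Product: affected[].cpes[] is the only machine-readable product field
    has_cpe = any(
        cpe.startswith("cpe:2.3:")
        for aff in cna.get("affected", [])
        for cpe in aff.get("cpes", [])
    )

    # Severity: any CVSS version carrying a numeric baseScore
    has_cvss = any(
        isinstance(m.get(k, {}).get("baseScore"), (int, float))
        for m in cna.get("metrics", [])
        for k in CVSS_KEYS
    )

    # Patch: a reference tagged "patch", not merely a URL buried in the list
    has_patch = any(
        "patch" in ref.get("tags", [])
        for ref in cna.get("references", [])
    )

    return {"cwe": has_cwe, "cpe": has_cpe, "cvss": has_cvss, "patch": has_patch}


def scorecard(records: list) -> dict:
    """Per-CNA percentage of records carrying each field, keyed by assignerShortName."""
    counts = defaultdict(lambda: {"total": 0, **{f: 0 for f in FIELDS}})
    for rec in records:
        cna_name = rec.get("cveMetadata", {}).get("assignerShortName", "unknown")
        present = score_record(rec)
        counts[cna_name]["total"] += 1
        for f in FIELDS:
            counts[cna_name][f] += int(present[f])
    return {
        cna: {f: round(100.0 * c[f] / c["total"], 1) for f in FIELDS}
        for cna, c in counts.items()
    }


# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE_RECORDS = [
    {
        # Fully populated record: all four fields are machine-readable
        "cveMetadata": {"cveId": "CVE-0000-00001", "assignerShortName": "exampleCNA"},
        "containers": {"cna": {
            "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79",
                                                "description": "XSS", "type": "CWE"}]}],
            "affected": [{"vendor": "Example", "product": "Widget",
                          "cpes": ["cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*"]}],
            "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1,
                                       "vectorString": "CVSS:3.1/placeholder"}}],
            "references": [{"url": "https://example.invalid/advisory",
                            "tags": ["vendor-advisory"]},
                           {"url": "https://example.invalid/fix", "tags": ["patch"]}],
        }},
    },
    {
        # Description-only record: the CNA put everything in free text
        "cveMetadata": {"cveId": "CVE-0000-00002", "assignerShortName": "exampleCNA"},
        "containers": {"cna": {
            "descriptions": [{"lang": "en",
                              "value": "Widget 1.0 has an XSS bug; fixed in 1.1."}],
            "affected": [{"vendor": "Example", "product": "Widget"}],
            "references": [{"url": "https://example.invalid/fix"}],
        }},
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["cveMetadata"]["cveId"], score_record(rec))
    print(scorecard(SAMPLE_RECORDS))
```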
All right, welcome back everyone. Good afternoon and welcome back to BSides Las Vegas in the Common Ground. This is You Want to Build Your Own Hacking Device, by Alex. And before we begin, I'd like to give a few announcements. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Iikido, and our gold sponsors, Drop Zone AI and Profit. It's their support, along with our other sponsors, donors, and volunteers, that makes this event possible. These talks are being streamed live to YouTube. And as a courtesy to our speakers and the audience, we ask that you check to make sure that your cell phones are set to silent. If there is time at the end of the talk, there will be time for audience questions, and I will pass the mic around to anybody who wants to ask. And as part of the cell phone policy, there is no photography allowed. But with that, I think we'll pass it off to Alex. Let's give him a warm welcome.
Uh, hi. Awesome. Can you hear me? My name's Alex. As you just mentioned, uh, this talk is going to be on how to create your own hacking device. So, just a brief rundown of how the talk is going to go. I'll introduce myself. Why are we why am I giving this talk? There's a little bit of background information for it. And then first part is essentially the components of how you actually select what you want. And then after you get the components, you have a general idea of the different things that you might want to do. We have some project workflows. So that way you can see kind of what the price points is for
some of these things along with some applications and some of the devices I've actually built using the more or less methodology that we show. So to start it off with uh again name's Alex Lines. I work with Precient Security where I'm a senior penetration tester. Uh in short, if it's on port 443, I usually test it and it's been a lot of fun. I've worked as both a defensive and offensive consultant. I have way too many certifications. Uh please don't do that yourselves unless you decide you want to waste a lot of money. Uh but I have 23 right now. uh and probably going to be more by the end of the year. I love programming. That's part of the
reason why I started giving this talk. Uh my languages that I really prefer are Python, Golang, and JavaScript. And then because of video game hacking and other things that I've been doing, I've been getting better at C++, C, and Java. I have a fixation every month slashquarter. So, this quarter was more hardware stuff. And also I do a lot of uh video game playing which actually really helps with different talk ideas. So why in my opinion I think y'all might be here. Well making your own stuff is a lot of fun. Uh does anyone here know what a flipper zero is? Lot of people. All right so that flipper zero is really awesome but it's $200
more or less. And I like to put stuff on drones. As much fun as it is to put a $200 device on a drone, I don't want to fly that device into a building and then break not only my drone, which is like $200, but also that flipper zero. I have no problem launching a drone 100 miles hour into a building and breaking a $5 piece of equipment. That's perfectly fine. I'm not crying over that. And also another reason for this talk, IoT devices are life. There's IoT devices around us everywhere. And the more you get an understanding of how they're made and how you can make your own, your life gets a lot cooler in my opinion. You can
go and make different devices. Like for example, if you want to be off-grid, you can use Meshtastic. If you want to have a homemade present sensor that isn't sending stuff to the cloud, awesome. You can use different pres sensing devices. So, there's a lot of different things you can do if you learn how to make it yourself. Lastly, uh last year there was actually a talk that I gave at Sky Talks and different other talks where I made a drone that could act as a mobile hacking platform where we would actually fly the drone in somewhere, land it, drop off a device, and it would act more or less like an evil twin where it would go and
try to get people to type in their credentials to a portal that looked the exact same as the Wi-Fi except they added underscore Wi-Fi extender or something of that means get them to type in their password and now all of a sudden you can connect to their network. Couple caveats with ex uh 802.x if I'm not 802.1.x but for the general purposes that's a way to get Wi-Fi passwords that are a lot more secure and it's a little bit easier than trying to crack it with like hashcat or aircrackeng. So, just a general overview for those who don't know what a um flipper zero is. It is this device right here. It is a pretty much a Swiss Army knife of
different attacks that you can do, whether it be radio frequency, uh if you put an extender board on it, you can do Wi-Fi attacks. There's RFID. There's almost no limit to what you can do with this thing because it has GPIO pins up there. It's also supported by a pretty decently sized community. So because of that, you can have a lot more functionality added to these devices because other people are working on them. But again, $160 USD other places in the world, that is way more money than anyone will probably want to spend on a device like this. Another tool that I really liked that actually inspired a lot of stuff is the Wi-Fi or USB nugget.
Uh, so this device, it looks like a tomagotchi in a way and it's like a little cat and it's super cute. Uh, and it does Wi-Fi attacks and there's different ways because it uses an ESP32 or an ESP 8266. They have different pros and cons with them, but in short, it's this device that, you know, you can get through TSA and they're not going to be like, why do you have a hacking device on you? They're just going to see some pink or purple toy and they're like, I really couldn't care less about this. and go on through. But actually a good note thing to note about this does not have GPIO pens exposed as far as I'm aware of. Later
models might, but they are not as robust as the Flippers. So you can't expand it nearly as much, but at the same time it is a lot cheaper. So let's get a little bit more into actually making these devices. So, one of the first things you need to decide when you're trying to make your own little hacking device is what board are you going to use? For example, for me, I love using ESP32s and ESP8266s. They have a lot of pros with them. One of which is, relatively speaking, they're kind of cheap on Amazon. $16, you can get three of them. It changes, but essentially, you can just go and get them for a rather decent price. Uh, I
have a Micro Center in Dallas, so they're a little bit more expensive there, but at the end of the day, it's not groundbreaking at the price. Their power needed is 5 volts, which is very important to know if you're using a different power bank to actually provide power. Sometimes they don't provide 5 volts, sometimes they're 3.3 volts, or the throughput of the power is not enough. So knowing the power requirements can be super important, not only here but later when you're actually using different devices with it. Um, my favorite part about them is ESPs usually have Wi-Fi and Bluetooth capability by default. That means for most of your functionality that you're doing you have
the tools. I like to use the Wi-Fi a lot more than I do Bluetooth, admittedly, but you still have that Bluetooth option. Raspberry Picos are really cool too. They're cheaper usually. However, you have to then worry about wireless functionality. And that's mostly just Wi-Fi. You don't even really get Bluetooth unless you add another device onto it. So, if you want to be cheaper, a little bit leaner, yeah, you can use the Pico. It is definitely not terrible. The power requirements are also lower. They only need 3.3 volts. That may not sound like it's a huge difference, but when you're plugging in components and powering stuff and you don't have a solar battery or a way to recharge it,
it definitely comes in handy for the longevity of the device. I like to buy them from Micro Center. They're cheaper than they are on Amazon when I looked it up. The last one that I don't have that much experience with, to be completely transparent, because I'm not a fan of them, is the Arduino Nanos. They're 5 volts, so they have the same power requirements that the ESPs do. However, they don't have wireless functionality. You have to add everything to it. That is cool. That is nice, but sometimes I like to be lazy and just have all the functionality ready for me. And the Nanos are not exactly the best thing for that. But it is an option if you don't want to use
the other ones for whatever reason. So again, what project or which board should you get? In my opinion, there's a really easy way of looking at this. If you want to make something simple, let's say I want a device that I can put by the door, it shoots a laser and then once something breaks that laser, it sends a message to my server saying, "Hey, someone is here." Awesome. You can just use a pico. That's very simple. It's not complex. You can just get a wire or a wireless one. Very simple requirements. You just have to make sure that the sensor can be powered with 3.3 volts. If you want something a little bit more complex, uh
like for example a talk I gave yesterday where you want your device to be using a mmWave sensor to then grab the data, take the data, parse it, then send that data to an LED ring and then to a web server to do something similar to wall hacks. Uh, you might want an ESP for that because that's a lot of different components I just listed off and it needs a little bit more memory. It needs a little bit more power to do all of those features. Uh, again, the Nano, I have not seen many people use them. They seem cool, but again, you have to go and buy extra peripherals,
which means you have to worry about more energy consumption, compatibility, and more things to debug, and when I'm making stuff, I don't think more debugging is ever really the answer. So, I have listed off three devices here, and I'm sure many of you all know that there are a lot more than those three devices. There's Raspberry Pis, there's Pi Zero, Zima boards, Uno boards. Why have I not mentioned those? So the reason for that is mainly because those boards are in many ways in and of themselves their own little computers. They're ARM devices. So you can load like Kali Linux on them, Ubuntu, I believe Arch as well. So you can load them and they're their own operating
systems. They're not very small in size for that. So, I didn't necessarily want to use any of those boards in my talks just because at the time I was putting this on a drone, and the drone had a weight capacity of around 100 g. To power the Raspberry Pi itself is a little bit heavy, believe it or not. But the real issue becomes in powering it with a power bank. Power banks are heavy, and if you only have 100 grams to spare to have decent performance on a drone, you're not going to want to use that. Versus a LiPo cell battery, super easy. They're super light and you can get one depending on what
your use cases are for it. Um, that being said though, Pi Zeros, Zima boards, and all that, those do serve a purpose. I think you should definitely look into those, especially if you need what I've used them as, which is more like a processing server. For example, the ESP, you're not going to use AI on that. You're not going to use computer vision on that. You're not going to load up a UDP web server and an HTTP web server. You're not doing that. But on those, you can very easily. They actually have great performance for that. And then also soldering, you don't have to do that on a Raspberry Pi. On these other devices, sometimes you do.
So, another thing that you need to decide once you figure out what board is best for you is the language that you're going to use. I love Python just mainly because I like to have an easy life. Uh, Python also comes in another variant. There's CircuitPython and MicroPython. You can use those languages. If you already know Python, congratulations. You know 99% of MicroPython. The only difference is getting the libraries on the board is different and they don't have all the same libraries just because it's a smaller board. So, they have to be a lot more lean about it, and also the pip, uh, is different. It's very different and you have to figure that
one out, but it's not that bad and honestly is a great starting point. Then if you want to get a little bit more advanced, there's Arduino, which is essentially like C that is way stronger, and it has a lot more features and a lot more capabilities than MicroPython does usually. Um, that is definitely something to consider, but there are a lot of pros and cons with it. Uh, the big ones for me at least is, for MicroPython I can just tell it, hey, go into your own codebase, go into your file system and rewrite this main.py so that that way your functionality can change. That is super nice, easy to do, and it does not require any advanced
infrastructure. It's quite literally just making your Python program rewrite itself. Not the same. You actually have to do, uh, some flashing over the air, and that is a little bit more complex, and if I don't want my things to break while I'm rewriting them because they're, let's say, 500 meters away, I don't want to have something that's a little bit less reliable for me. Versus Python, I can just make three different use cases of like, hey, if you fail, go back to this, go back to this, so that way I always have it constantly running something, versus a compiled language, I have to hope for the... So another important thing to consider is the boards themselves. So easiest way
of looking at this, you have three different boards. They have very different use cases that we'll go over in a second, but a good thing to know is what they actually do. I'm sure most of you all are familiar with breadboards. They're super cheap. They come in a lot of really cute colors, and you don't have to solder with them. Usually you have female-to-female or female-to-male wires and you can just plug everything in, and you don't have to worry about the fact that, oh, I have to solder, and if I solder and I make a mistake then I have to go and desolder everything and it makes a huge mess, or
bridging connections, which can be very difficult if you're new. So I like breadboards for very rapid, uh, proof of concept devices. Another thing with it, they are, again, cheap as [ __ ]. I love that. Uh, but the really big issues with it is, first off, you're just plugging it into the little holes. They are not secure. If you smack it or if you move the devices too much, they will just get unplugged and then you have to go through and rewire everything. Not fun. Another thing is they're bulky. Uh, my desk is filled with them and you can't even see the desk anymore because it's just covered by breadboard, wires, and components. So, a way to go a little bit more
advanced once you're out of the very rapid, um, portion is you can use the perf board. Perf boards are a little bit nicer. You do have to solder. So, there is that skill, uh, part that you have to work on, but it is soldered. It is probably not going anywhere unless you break the component or the wire, which is really nice because at this point you can put it on something. You can make it more mobile. It doesn't need an enclosure like a case. So, you can put it on a drone, fly the drone 100 miles an hour, and you're not worrying about that, which is really awesome because again, I don't want to break $200
devices. They're still cheaper. They have different colors. Some of them have it so that they are quite literally independent where you have to bridge connections. One that I'll show in the next slide, you actually can have it so that they're bridged for you already. Kind of like the breadboard configuration, which is really, really nice. I actually recommend those more. Last is the fabricated board. This requires the most planning. It is the nicest looking board by far, but you can't get it like today. You have to wait a little bit and depending on which service you use, you know, it can take a couple times. If you really want to figure out which uh fabric or which
company to use, honestly, go on to YouTube, type in board and IoT devices. You're going to get 15 people pop up and they're all going to be sponsored by the board makers, the PCB makers, and it's awesome. You can pick your favorite one and go with it. They can do different colors, different designs, and some actually put the boards together. So, it is a very nice option. They are a bit more expensive than just the breadboards and the perforated boards, but if you're trying to actually make this device and sell it, that is definitely the way you want to go. This is actually the board for the USB and Wi-Fi Nugget. So, as you can see, this board looks way better
than these two and these two, uh, just off the rip. So, lastly, the board that I was talking about, uh, I would recommend these for everything that you're actually doing where you want it to move. The main reason for that is because these connections are bridged and you don't have to do that manual bridging yourself, because it is unbelievably annoying and it is a great way to destroy your components if you don't keep track of where the 5-volt power is and the receiver. Ask me how I found out about that. Or if you don't want to see smoke. If you do want to see smoke, like a little poof, and it smells like toast, uh, then bridge your own connections and
just have fun figuring out which one it is; just know if you smell the smoke of doom, that component is now fried. But it doesn't smell that bad, honestly. So again, why would you pick one of these boards over the other? Breadboard: early stage of development, you want quick proof of concepts to prove that what you're saying isn't completely unbelievable, and it's temporary. Like you're not going to be using components, you're not going to be heating up the components, and it's really nice, uh, if you're doing something really fast. When you have a little bit more of an idea of what you're doing and now you're just refining it or you want to make it
mobile: perforated boards, they're great. They're more secure. You're going to, you know, you can still do it rapidly. It's just you have to solder it, make sure the connections are good. And that is going to be super helpful again when you want to, like, show your boss, hey, I made this device. It's going to help us on our red team so we can track the person in the security guard of room. It's really helpful. I touched it. Awesome. Uh, the last one is the actual developed board. So that one's really nice because again everything is secure. It's going to look the best. And sometimes again you can get these with the pieces already
assembled, depending on the pieces. Very polished, and if you want to actually sell these devices, this is probably the route that you want to go. So going through this now, we now have an understanding of what board we want to get, uh, what we want to put it on, and what language you want to program in. Now what? Now you get to ask yourself the really fun questions. What do I want to do with this device? For example, do I want a trip sensor that will be watching a door? So that way if someone goes through it, I get alerted on it. Awesome. I now get to make the choice: sonar or LiDAR. And then after that, do I
want it to report somewhere else, like to a web server? Awesome. I need something that can do Wi-Fi capability, Bluetooth capability, Meshtastic, really just some kind of outbound communications. So that's a simple idea. Another one is if you want it to do something like, you know, it trips a wire then it makes an alarm. Awesome. Now you need a component that can make the sound. So really at this point it is up to your imagination how you want it to work, whether it's you want it to be local, remote, something that you interact with. You have to just figure out what you want and you can then just start doing stuff, which is something I recommend, just buying
components, uh, and just experimenting. You never know, uh, what you don't know, and then once you start finding out you don't know this stuff, then you can start googling it. You can start doing research on how to actually make these different things work together, or you can cheat, and I don't recommend this that much, but you can use ChatGPT to help you out, 50/50. Sometimes it gives good advice, sometimes it hallucinates and you are now doing some random project and you're going to fry all your components. Very unfortunate for those. So for getting the components, there's two options that you can really do. The first one is if you know specifically what you want, you can go to Amazon,
SparkFun, Adafruit and get the individual components. It is cheaper that way because you're getting specifically what you want. But if you're a beginner and you're just trying it out, I actually wouldn't recommend that. I would recommend buying a STEM or project starter kit. Uh, ELEGOO is someone that's on Amazon a lot. They have a bunch of different components, bunch of different price points. So for that, you can actually go buy a kit and figure out what you want. And the best part is they actually include documentation usually, which is something that's very important for parts, and it actually assists you in the programming process just because if you have a sensor and you don't understand,
um, how it works and you need to get example code, if you only have example code in C, you're going to have a really hard time programming that in MicroPython because the two languages are not the same and they're going to use different libraries. But ELEGOO, they tend to have every single instruction, and in multiple languages. So that way you don't really have to pick. Another option again, Micro Center. Love them so much. Uh, they have something called Inland where they do very similar things, and if you have one by you, you can just go and pick it up. So again, things to consider when you're actually selecting the parts, whether it be buying the parts individually or
going to get the kit. What documentation exists? If there's documentation again in C but not MicroPython, congratulations. If you want to program in MicroPython, you probably cannot use that component, or you have to reverse engineer how it works and recreate it in Python. Not impossible, but it is kind of annoying. Is the product end of life? I actually had this issue with a gyroscope. I was using a model from four years ago and the documentation was not all that great. I tried to buy it. I got it. It wasn't working very well. Then I did a little bit more research that I should have done. Found out, oh no, there's a newer model. The flaws with the
gyroscope stopped working or were fixed and the documentation's better. Price of time versus arrival. This is a big one for me. I am fairly impatient when it comes to buying stuff. I kind of want it yesterday. So if you go to Micro Center, if you have one near you, you can get it today, or you have to wait for Amazon or some other third-party service to go get it and then ship it. Sometimes it takes forever, or you can get it from AliExpress. Again, cheaper on AliExpress, just you have to wait a very long time. Amazon, less time. Micro Center is probably the least amount. And then the last part that's really important is powering the
components. So for a Raspberry, or sorry, the Pico device, that was 3.7 volts. If you have a device that needs more than 3.7 volts, unfortunately, you're going to have to do something to either step up the voltage or use a separate power source for that device. And it kind of sucks. Uh, if you're using a 5-volt and it needs 5 volts, awesome. The ESP32 is just going to run it. You just have to make sure that you have enough power supplied to the system to actually make the device work. So this has been super fun and I'm sure all of you enjoy the lovely little slide presentation of all theoretical stuff. So let's actually make something because
that's a little bit more fun. So for example, I was playing World of Warcraft and for whatever reason my internet decided to drop every 5 seconds. I didn't know why it was happening, but it would drop for 5 seconds and then come back. If any of you all played World of Warcraft, you know it can do 5 seconds and it's a little bit sketchy. But when it goes up to 20, 30 seconds, you lose connection, and it is not fun during a raid where a DPS all of a sudden has no connection and gets kicked. So I thought I was going insane. So I made a little device that would check my internet connection and then if I did lose
internet, I got a little blue light saying, "Hey, you are not going insane. You legitimately do not have internet." And then it turned off the light when I regained internet so that way I could actually, you know, track it. And then eventually I added more stuff. Like for example, I wanted it portable. So that way if a network technician came over, we'd be able to do something about it. Easy way to spot it, because again, a very bright blue light is a lot easier than a little screen saying, "Hey, you have internet. You don't have internet." Logs. Uh, because I was a blue team analyst, I love logs more than anything. And logs need timestamps.
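The connectivity monitor the talk describes (connect to Wi-Fi, ping periodically, poll faster while the link is down, light an LED only when there is no internet, timestamp the log from NTP and degrade gracefully when NTP is unreachable), as an added example that is not the speaker's code. It assumes an ESP32 running MicroPython with the onboard LED on GPIO 2 and a third-party uping-style `ping()` helper; the probe, LED and log are injected so the state logic also runs on a workstation.

```python
import time

# Board-only modules: present under MicroPython on the ESP32, absent on a workstation.
# Importing them guardedly lets the monitoring logic run (and be tested) on CPython.
try:
    import network  # type: ignore
    import ntptime  # type: ignore
    from machine import Pin  # type: ignore
    ON_BOARD = True
except ImportError:
    ON_BOARD = False

UP_INTERVAL = 10        # seconds between probes while the link is fine
DOWN_INTERVAL = 2       # probe faster while it is down, as the talk suggests
FAILS_BEFORE_DOWN = 2   # one lost packet is noise; two in a row is an outage
BOOT = time.time()      # for uptime-based stamps when NTP never answered


def sync_time(settime=None):
    """Set the RTC from NTP, reporting failure instead of crashing the board."""
    if settime is None:
        settime = ntptime.settime if ON_BOARD else None
    if settime is None:
        return False
    try:
        settime()
        return True
    except Exception:           # DNS down, too far from the AP, NTP unreachable
        return False


def timestamp(ntp_synced):
    """Log stamp: wall-clock time if NTP worked, otherwise seconds since boot."""
    if ntp_synced:
        return "%04d-%02d-%02d %02d:%02d:%02d" % tuple(time.localtime())[:6]
    return "uptime+%ds" % int(time.time() - BOOT)


class LinkMonitor:
    """Probe -> decide link state -> log transitions -> drive the 'no internet' LED."""

    def __init__(self, probe, led, log, ntp_synced=False):
        self.probe = probe            # callable returning True when a ping got a reply
        self.led = led                # callable(bool): True lights the LED (link DOWN)
        self.log = log                # callable(str), e.g. print to the serial port
        self.ntp_synced = ntp_synced
        self.online = None            # unknown until the first probe
        self.fails = 0
        self.transitions = []         # (stamp, "UP"/"DOWN") kept for later review

    def step(self):
        """Run one probe; returns the link state (None while still undecided)."""
        try:
            ok = bool(self.probe())
        except Exception as exc:      # socket/WLAN errors count as a lost packet
            self.log("probe error: %s" % exc)
            ok = False
        if ok:
            self.fails = 0
            state = True
        else:
            self.fails += 1
            state = False if self.fails >= FAILS_BEFORE_DOWN else self.online
        if state is not None and state != self.online:
            stamp = timestamp(self.ntp_synced)
            word = "UP" if state else "DOWN"
            self.transitions.append((stamp, word))
            self.log("%s internet %s" % (stamp, word))
            self.led(not state)       # bright blue light means NO internet
        self.online = state
        return state

    def interval(self):
        """Seconds to sleep before the next probe (poll faster while down)."""
        return UP_INTERVAL if self.online else DOWN_INTERVAL


def run_on_board(ssid, password, host="8.8.8.8"):
    """ESP32 main loop. Assumes a uping-style module is on the board whose
    ping() returns (sent, received) counts; that module is not part of this example."""
    from uping import ping  # type: ignore  # assumption: installed alongside this file
    wlan = network.WLAN(network.STA_IF)
    wlan.active(True)
    wlan.connect(ssid, password)
    while not wlan.isconnected():
        time.sleep(1)
    print("connected:", wlan.ifconfig())   # IP, netmask, gateway, DNS, as on the slide
    led = Pin(2, Pin.OUT)                  # GPIO 2 drives the onboard LED on most dev boards
    mon = LinkMonitor(
        probe=lambda: ping(host, count=1, quiet=True)[1] > 0,
        led=lambda on: led.value(1 if on else 0),
        log=print,
        ntp_synced=sync_time(),
    )
    while True:
        mon.step()
        time.sleep(mon.interval())


if __name__ == "__main__" and ON_BOARD:
    run_on_board("YOUR_SSID", "YOUR_PASSWORD")   # placeholders, not real credentials
```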
So what do you need? So for me, I like the ESP32. It has network capability so I can connect to my internet, then ping Google. MicroPython, again, super easy. A breadboard, SSD1306 screen, and, uh, some wires. Essentially, this device did not need to really go anywhere special, so I could just use the temporary stuff. Big thing to note, the device cost me per unit about $18; in total for all the components, $78. So, it is relatively cheap per unit. And then I have components to make other projects as well. So, uh, for programming, what I love to do is break down every individual component to its little piece. So, that way it's not some giant project. It's
something small that's easy to look at. So, my wants translated into actionable items are: I need something that can connect wirelessly, check if I have a connection, see the status, and then go through two and three, just looping to check. Do I have connection? Yes. Cool. Let's wait. I don't have connection. Cool, check a little bit faster. The likes: make it easy to transport, external batteries or power source, and a screen so that that way I can see remotely and I don't have to be connected to a terminal on my computer. LEDs, again, a bright blue light flashing saying, hey, I'm on, is really helpful. Getting the current time, it's just connecting to, you know, an NTP
server and then updating its internal server so it knows what time it is, and then print the information to a serial port. That was super helpful, but when it was moving, not as much, because now I lost the terminal connection to see it printing out, but I had other stuff so that way it compensated. So, here's what it looks like, or proving that it's possible. Connecting to Wi-Fi. Hey, I'm connected to Wi-Fi. Here's my IP address. Subnet mask. Uh, what was it? That one is default gateway. And then that is a DNS server, if I'm not mistaken. Checking. Awesome. I have connectivity. It was 1:38 in the morning. One of my packets made it. I live. Uh, one of the things I
do want to shout out is this person, uh, Sean. They made ping functionality for, uh, Python, which is amazing because apparently Python, you can't ping something by default, which I didn't know. And then painting the screen. So, this will update if I have internet or not. And then error handling. There's a [ __ ] ton of error handling that is helpful. For example, you can't get your NTP server for whatever reason, your Wi-Fi isn't as fast or you're too far. It's helpful to make little steps to go step by step on how to actually make sure everything works correctly. Then here's what the prototypes actually look like. No bright blue light, so it could
connect. Bright blue light, it can't connect. Uh, in short, uh, there's where the software is located, because, uh, in case any of y'all have issues and you would like to see an example, there it is. So upgrades, how could we make that better? For example, I could use a better board. Uh, for example, I used an ESP32. I used the breadboard. I could use a perf board and I can make it a lot more presentable. I could have 3D printed a case so that way it didn't look quite as ugly as that, but I didn't really need to. But I could use actual LEDs instead of the onboard. Send it to syslog on UDP 514. Make it
configurable remotely. There's a bunch of little things that you can do that I highly encourage when you're making a device. It's awesome that you made it work. How can you make it better? If you try to constantly improve your stuff, that's how you get better. Just make it do something stupid that no one else really cares about, but you get to learn a new technology in the process, and that's how you can grow and grow and make more advanced projects. So, I'm going to show y'all the next device. This was the device that was used for the hacking drone. I would highly recommend, first off, you're going to get context for where I, uh, came
up with this idea. Please don't copy that. Uh, the FAA will not be happy with you, and you're usually in a metal tube with, uh, flight attendants there. So don't copy that. So let's say I wanted to make a device that would clone Wi-Fi, and then after I clone the Wi-Fi, set up an access point to try and get credentials, so that that way I can connect to a password-protected Wi-Fi without actually knowing the credentials and having to do more advanced attacks. Well, simple ways of doing it. What do I want? Clone Wi-Fi. I need to get someone to submit a password to me. That makes sense. And I want to
grab those credentials remotely. If I am, let's say, here, and I have a device planted in a literal plant, I don't want to go over there to grab my device to check if I have information, and I don't want it remotely visible because safety ops is going to be a little bit concerned, like, hey, why is he obsessed with that plant? What's in that plant? Why is that plant all of a sudden glowing blue? It should not be glowing blue. So something remote is a little bit more helpful. Then again, I'd like it to automatically check passwords. I don't want it to just grab all of them. That being said, I do want to know if it
submitted it correctly. And then I want to know all the passwords submitted in case we had a user that's like, hey, I'm going to type in my Active Directory credentials. Okay, that didn't work. I'm going to type in my Jira credentials, because they're not tied together. And they could go down through a bunch of their credentials. And now congratulations, you have compromised a little bit of their network just because they couldn't connect to a Wi-Fi. So the prices, notice that it is the exact same. So it is helpful when you're making stuff, think about how you can use it for other use cases. It is definitely going to make that $77 go a lot further. So, breaking down the idea, let's make
it something a little bit more tangible because it doesn't sound super tangible at first. Well, I need to set up a wireless access point. I need a web page. I need to get a captive portal. That isn't necessarily the easiest thing in the world unless you find the right libraries. So, it's something that you have to research. And then adding an obscure endpoint to read the information. Um, that's going to be super helpful, especially... I doubt anyone will do it, but if someone's running DirBuster or Gobuster against your web server to see if they can find endpoints, you want to make sure it's not going to show up there, just for security's sake and opsec safe, because if
all of a sudden, on this access point, you go to a really random URL or URI and then you see a bunch of passwords, your IT department or their IT department is going to get upset. They're like, "All right, what are these? Are these valid? We have a threat actor around us who is now doing physical attacks against our infrastructure." Then lastly, uh, again, I wanted to check the passwords. So I need to go from an access point to a client. I need to have LEDs. Sometimes you like LEDs, sometimes you don't. And then I also need to save all this data to a form so that way I can recover it later and see if I need
to make a password list from it. So proving it's possible. Uh y'all, if any of y'all play League of Legends, you're going to notice some interesting comments from here. So, for the once, all right, how do I set up a Wi-Fi access point? Setting it up, loading HTML, routing DNS traffic. So, uh in case you don't know, when an Apple device or an Android device connects to a network, they tend to go to two different web pages. So, you have to capture both. And then the other issue is if you are connecting and it has the wrong host name, you have to have a DNS server that will actually reroute it to the correct host name or the correct IP address. So
you can do a catch-all and that will make sure that they're all redirected to the same place. Then setting it up so that you can see it. Uh, for example, "run it down midlane." That is not going to be in a password list. That's going to be in someone else's list. But most people don't think "run it down mid lane," and then it reads the file and it presents it. If it doesn't work, it just throws a 500 error, so that way you can be more aware of that. Prototypes: I didn't have a banana, but I did have a muffin and an orange. So again, the device, very small. You can plant that somewhere and you
can barely see it, but on the other side of there, it actually has the battery included. So that way you can plug it in, drop it somewhere, whether it be manually or with a drone, and it works. Screen optional at this point because again you want to look at it remotely. You don't want to look at it in your hand. Software breakdown is what we're going to do next, going over the individual components of it. So lot of text, lot of text. Uh, this is going to be honestly all on my GitHub anyways. So y'all don't need to copy or, like, try to memorize all this code. It's publicly available. So iOS goes for hotspot detected. Wrong
host is just if I'm running on 192.16825 and you're going to localhost for whatever reason, it's going to say, "Hey, wrong IP address. Go here instead." Uh, re plus, uh, that just says, "Hey, I need to restart the server because something happened and I need a factory reset." Super helpful to have those because you never know if something breaks, and you definitely want that catch-all making sure that it's going to the right host. Apparently, in this case, it's 4.1. And then just a bunch of different redirects to help you make sure that you're actually connecting to the right place. All right, the fun part is the index. When you land on the page, it
just depends on where you're landing. Uh, for this instance, I don't think I actually have the access point that I was using just because it was American Airlines in-flight entertainment Wi-Fi and I presented this to some college students, so I didn't want to give them ideas there. But the general idea is it serves a page that is checking to see, hey, have I been pwned, or have they been pwned? No. Cool. Show them the captive portal that makes it look like, you know, whatever the company's login page might look like, and then change the verbiage so that way it says, "Hey, give me your Wi-Fi credentials and I'll connect you straight to the Wi-Fi because you're really far out and you
have shitty signal." Then if it does work and they are in fact giving me credentials, it will send a page that pretty much says, uh, congratulations, you got got, because it's a little bit funny to let someone know that they've actually been hacked. Uh, in reality, it shows it too fast and it just redirects it, but you can make it so they can't see it. Checking credentials. This is a fun part. So for credential checking and wireless access points, you can usually either only be in an access point mode or in a client mode. So a way to get around that is this function right here. It will actually time out for 15 seconds in
JavaScript. 15 seconds is usually in my testing long enough to throw down the access point, access the client, go type in credentials, wait for them to give you an error message, and come back with the results, which is definitely something that's helpful for this because you don't want to have them waiting forever. And this is what's shown so that that way they're not getting frustrated. And that is a thread trying to actually do it back into the code. So this is how it's actually transitioning and doing it. So as you can see here, hey, turn off my access point, turn off the client mode or turn on the client mode. Connect. Awesome. It's able to connect. I got an
IP address and we can return that this was successful. Lastly, grabbing the credentials: it is saved here. Run it down mid. If you go to that URL instead of login, you will get to see a text file of everything that was tried. So, as before, how can we make this better? Again, the standard ones for me: you can make a better case. The board can be nicer looking. Uh, this one was a straight-through connection from the LiPo cell battery to the power. You can give it a recharging capability. Uh, the device, you can have it upgrade itself. So, for now, it just says, "Hey, I have Wi-Fi access. That's awesome." And stops.
But you can have it then go to, let's say, GitHub, go to a repository that only it really knows and say, hey, download this Python code, and now we can do more advanced attacks. We can run nmap or we can try to do some light Responder work. After that you can have it beacon itself. I actually want to use that for an engagement, for a test soon, so that way I know I can just go and grab it. One of the things that it can do, which was actually why we used MicroPython, is that you can set the BSSID and the SSID manually. So that way if you have the BSSID,
the SSID, the security level and then finally the password, you can actually pull off the evil twin attack and it will make the devices connect to it instead of the actual access point if it discovers it first. There are a few more annoying caveats with it, but I was able to get my work computer with that. And then lastly, you can upgrade the hardware. I like to use ESP32, but if you want more advanced tool sets, Zero W or Pi 4 and a Pi 5. So, with those two projects, those were very use case specific for me. What about y'all? Some just random ideas. A Wi-Fi access point scanner so that way you can see all access points around you
and get a better understanding of how they're working. You can actually use a finder. So, um, it's really fun when you look at a Wi-Fi, there's usually a signal strength. You can play hot and cold with that signal strength in your device and it will more or less lead you. It's like, "Hey, signal's getting stronger. Cool. You're getting hotter, hotter, hotter. Move the wrong way. Colder, you're moving further away." Enterprise LinkSprinters. Those things cost $400 to connect to a Wi-Fi or an Ethernet cable and then see if you can get an IP address, DNS, and DHCP. You can make one of those and it's not $400. I promise you that. Uh, you can do
a wireless version where you just connect it to the Wi-Fi, get information helpful for network technicians. a Discord or Slack notifier so that that way again someone walks through the door I get a Discord message saying hey someone walked into room F can be super helpful for monitoring hardware password managers uh it's not secure would not recommend this necessarily but if you're lazy you can have it load all of your passwords then change it to say hey I'm a keyboard when you plug it into a device click uh accept and it'll type in your password for you Not secure in the slightest, but if you're lazy enough, it is a method. And then I like a mini
picture frame to like show pictures. You can make your own and you don't have to spend a lot of money on that. Again, where you can get some of the boards are some of the parts. ESP32 dev board, starter kit, ultimate kit, relatively ship fasting if you do it on Amazon. Uh again summary why I think it matters. You know some of these projects not super helpful for everyone and you want to do more advanced topics. Well to get there you have to start somewhere and for me when I was trying to make devices I was just overwhelmed with the options. So I wanted a way to have it so that way I would have very short like ideas of what
I needed to do. And since I had short ideas or a shorter list of options, I could actually spend more time making it versus not making it and just freaking out. Uh, inspections again: Flipper Zero, take that through TSA nowadays. You might get someone who knows what it is and they treat it as a weapon and they seize it. A $160 to $200 device getting seized by TSA is not fun. Size and purpose requirements. Putting it on a drone, you need something smaller. And then lastly, there's other things you can do with this. Out-of-band communications: again, Meshtastic is a great option for that. You can make your own LoRa devices. War droning, war driving, war RC-carring, driving a little RC car
around. You can get information and it's a lot easier. And then spoofing. You can spoof different uh Wi-Fi addresses and just have fun pretending to be anyone you want. So, got through the last part very quickly. Uh does anyone have any questions? I think I'm >> handic
to fire figure out a way to handle the device or or just to configure it >> in a way that uh to make it do something different or something like that. So for most of the the solutions I found that adding a screen and maybe some buttons it's it's a great way to go and some for other project I found out that Bluetooth for example Bluetooth energy and building an app it's a right solution. So where would you draw the line where it's better to just go with Bluetooth and when it's better to go with just a screen and buttons? So for me personally, I I have a laziness factor of which one is going if I'm trying to
interact with the device, how much effort do I want to put in to like select A, select B, C when I'm doing the buttons and screens, unless it's like something preconfigured and there's like few options. I'll do that. That's what I've used before. for Bluetooth. If I need something more complicated like typing in a full string or a full password, Bluetooth all the way because I can connect it to my computer, my uh my phone, and I can just quickly type it in and I don't have to go A C D FY, >> huh? >> Energy. So, it is going to be a little bit more with the Bluetooth, but then at that point, you just get a bigger
battery in my opinion versus the screen. It still takes up energy and it's something to consider. But at that point, you can just get a bigger battery, recharge it, or don't use it as long. >> No problem. Uh, okay. Oh, just one more question. >> If y'all want to connect or have additional questions I can't get to, please feel free to connect. >> Is there a specific IDE that you use? Does it depend on the board? >> So, for MicroPython, um, I hate it. Uh, there's something called Thonny and Thonny allows you to very quickly edit the code, upload the code, and download the code and it handles a lot of the package management, which is super
important and very annoying to deal with, but Thonny definitely helps for MicroPython. >> No problem. >> All right, let's hear it for Alex.
>> All right, good afternoon everybody. Welcome back to BSides on the ground floor. All right. So, for our talks now, we have Dungeons and Dragons, the security power tool you didn't know you needed by, I'm so sorry, Klouse and Glenn. Yeah. >> Right. And a few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Iikido, and our gold sponsors, Profit and Run Zero. It's their support along with other sponsors, donors, and volunteers that make this event possible. Now, these talks are being streamed live to YouTube and as a courtesy to our speakers and the audience, we ask that you check to make sure that your cell phones are silent.
If there's still time after the talk is finished, there will be time for audience questions where I will pass the mic around for anybody who would like to ask. And as part of the cell phone policy for BSides Las Vegas, there is no photography allowed. And with that, I think we'll pass it off to our speakers. Give them a round of applause. [Applause] Well, thanks and welcome. Um, the first thing I want to say is that there's no reason to take photos of any slides because the last slide will be a QR code to download the slides and I promise it's yet. So, no, don't worry. I'm not going, you're not going to
going to get hacked >> this time. >> This time. Yeah. All right. who we well anybody who has black pads knows this problem because first of all can't really take photos of so so you can see how damn cute they are and if you do to have happen to take a photo nobody can see how damn cute they are >> because yeah little voids they they are there it's not like I have a misshap misshaped head head or anything >> but I live um with these two rascals and and also my wife in Copenhagen Denmark uh I've been in security for 20 years I'm um I've been an adviser internal external consultant. Then I two years
ago I became a freelancer. I wanted to do more fun stuff. I've always been into games and and thought that you know games and having fun and learning sort of had sort of got went together. So when the opportunity came to do something around this along with Glendon, I jumped at it and uh of course then we are here to convince you to do the same. All right. And uh uh so this is me uh or AI me kind of. I don't actually have a beard like that. I do have cats like that though. Uh we have four cats. Uh my my wife and two children and I have four cats which sometimes seems like 47 cats.
Uh but they're good sports. Um I've been in the IT and security space on about 20 years depending on how much misspent youth you count in that too. Um, I've held a number of roles in my career. Uh, so seen a little bit of everything. Um, gotten gotten okay at a lot of things, maybe, you know, master of none or few. Uh, in my childhood, however, I spent a lot of time playing Dungeons and Dragons style games. And little did I know, um, I would later have the chance to make that blend with my career a little bit. So, um, so that's kind of why I'm here. >> Yeah. Well, um, we'll be talking about what we
see as a problem with traditional training and how and and then we'll talk a little talk a little bit about how the human brain is wired for games and and social learning. Uh, then we'll talk about, you know, how role playing itself creates an immersive engaging experience. and then we'll talk about hackback um hackback security train that doesn't suck. So yeah, all right but but first of all um you might have heard about gamification. You may not have heard about game based learning. They are two different things. Game based learning is when the game itself is the way to learning. And gamification is turning something that's not a learning experience into some kind of I don't know competition.
For instance, >> gameish. >> Yeah. For instance, which team does the magnificently boring security training first gets cake? I'm from Denmark, so everything is done in cake, right? And that's not what we're going to talk about today. All right. We'll be talking about game based learning. So yeah, what's the problem with training? Well, there is a bunch of different approaches to training. That's like class-based training, computer-based training, but they are very theoretical. It's a very intellectual way to learn and that's not what we need in incident response. We need >> people standing up like this talking to you. >> Yeah, exactly. We need muscle memory,
right? So, we have tabletops in incident response and that should be it, right? But, you know, that's not really how it is because they're often really, really dull. It's basically people sitting around the table talking about procedures and what have you and that's just not any fun. So oftentimes this is what people are forced to do. They do it because they have to. They can't wait to get out of there. They fight the scenario. They try to do everything they can to sabotage everything so it goes haywire. You know, all that stuff. We don't need that. We need people to be honest. We need them to be happy. We need them to
learn and have fun and all that stuff. So, um yeah. >> All right. Um tabletops. So, this is the idea that we're uh we're we're sitting down and we're talking through a scenario and things that might happen. Um this is typically a uh a compliance checkbox. um it's it's done for a reason, but sometimes the the value in that can be lost. What we want to do with them is build muscle memory um on incident handling or uh or anything else you're doing a tabletop about. We just tend to gravitate towards incident response as the the main application for it. Um >> yeah yeah yeah it obvious it's better when everybody know knows their role and
it's a cost effective way to train teams rather than putting it rather than setting everything on fire and then go >> and letting your lizard brain having to work with your lizard brain taken over. So >> yeah. >> Yeah. So yeah. Yeah. So we we do tabletop exercises and the goal is preparedness coordination. So but you know what what's the problem with with how we do them? um traditional tabletop exercises and why they can sometimes suck. >> Um but but anyway, this that's our experience. We're not we're not saying that whatever tabletop you do will suck. We just say based on our experience, it probably does. >> And and and I I'm a tabletop exercise
geek. I I I love them, including the traditional ones. Um, but I've I've I've heard so many stories about people saying, uh, this is this wasn't great. It was it was a checkbox. It was a a scripted thing that didn't necessarily represent reality. It didn't uh it didn't get to what we were trying to get to. It was um sterile and people were bored. So, >> yeah. So, so we see what what we see generally is people protecting their own turf. They're not being honest. They don't open up. We have egos clashing politics. >> Yeah. It's even worse when there are more than one ego. >> You have people that uh they're they're afraid to speak up in front of their
boss that might be in the room or they're afraid to, you know, to look bad or look like they don't know something uh amongst their peers. Um it's the some of the posturing and you know some of the stuff that humans do. >> Yeah. And obviously there are people fighting this scenario. There is always that person >> that's impossible. That could never happen. Our EDR would have handled that. >> Yeah. And and it's always a guy >> anyway. >> I mean the kind of nature of an incident is your EDR didn't handle this, right? That it didn't just solve the problem it. So >> yeah, but when I say the most important thing, the most the biggest problem we
see with it is that there is no focus on engaging participants. Um, I was at a seminar a couple of years ago where I talked to the people that arranged the NATO exercise Locked Shields and I asked them, well, what do you do to engage people? And they literally looked at me as if I had just fallen down from the moon. So it's just not in their mindset at all. >> Engagement, like what is that thing? >> And obviously the most cardinal sin here is that there tends to be this misunderstanding that if something is fun it's not serious. But that's in reality not how it works
because training like this need to be fun. If it's not fun people don't engage and if they don't gauge >> there's this >> why even do it in the first place. the this perception in in business among some circles that like you can't have fun and learn at the same time when the opposite is true. >> Yeah. >> So so obviously the result of this is dull, no engagement, no learning, no freaking point. So >> you're not getting the value out of it. >> So is there another way? Well, funny you should ask because obviously there is. So let's talk about that for now and and how that works. Yeah, it turns out and when we that when
we talk about game based learning and I talk to potential clients about this, um, it's not really that good an argument saying that it's fun, that's why they should do it. So I look to science for authority. So I found that luckily science backs up what we have known all the time. So I found a few studies and a few quotes. "Most studies in the sample reported analog game-based learning as an effective pedagogical tool with an impact on the learning, cognitive and psychological levels." So that's an article from Frontiers in Psychology. So well, that's good, right? In general
game-based learning works. So but what is it and how exactly does it work? Um, this is my favorite quote. You'll see why. Uh, this is about why collaborative learning is a thing. So basically the quote is that "I think we're all impressed by how stupid humans are. It reaches almost every proportion. We're stupid in dozens and dozens of ways. But human minds are plug-and-play devices. They're not meant to be used alone." So, um, they're meant to be used in networks. Games allow us to do that. So they allow us to use collective intelligence. So collectively we're not so stupid, at least in theory. Um, that's an arming
summing up a panel debate at Stanford and, um, obviously there are many ways to implement game-based learning. We chose the role playing kind and, uh, luckily there are people researching into that as well, which I think is enormously cool. Um, so yeah, again, "when Dungeons and Dragons and its cousins are played in an inviting, encouraging, compassionate and intellectually engaged environment, play opens the door to truly amazing possibilities for learning." Um, but so the scientific backing does exist, but to be honest, we're geeks and we don't really care about the science, right? So, we'll say any excuse to do Dungeons and Dragons in our grown up jobs and >> have a good time.
>> We're guessing you will. You probably also will. So, thank you very much. >> Um, so yeah. Um, role playing is immersive um, often in uh, some unexpected ways and it gives you a chance to play something outside of yourself. Meaning what you do in your day job doesn't necessarily have to be what you do in this game. Uh, you can play something that is outside of your normal role. you can learn things that you can approach things from a different perspective without having to be thrown into the you know marketing manager's role um because nobody else can do that in the midst of an incident when your lizard brain is taken over and you are totally
unprepared for doing anything like that. So, um, communication is, uh, is one of those pieces that, uh, that I like to, uh, point out to people, especially tech teams, uh, tech focused individuals. There's a lot of there's a lot of things that need to happen uh, on the communication front during an incident. uh you don't communicate with your tech teams the way that you're going to communicate with your end users, with your customers, um with various categories of people that you might have to interact with and talk to about the incident. So, >> yeah. So, so, so basically what what we've seen when we when when we're playing this is that compared to to to a
I guess an ordinary tabletop, people are acting a lot different because they laugh. They laugh a lot, right? And that's good because when people are immersed and when when they're having when they're having fun, they immerse. And when they immerse, they forget their egos. They forget >> some of those negative. Yeah. >> In the traditional tabletop exercise go away. >> Yeah. Just just like just by magic, right? So, and and there are more in general, but the but the unexpected bonus of doing this are like things like empathy, meaning that it's a role- playinging game, but nobody says that the role you're playing is a is is the exact same role that you should or are would be
playing in in an incident. That means if you are switching roles around, people get an a feeling of how would it be to be another role. And my favorite example is that when you're a very technical person, you tend to think that that's the only thing that matters. But what if you take a person like that and put them into the role of a communication responsible like head of communication? So all of a sudden they get this epiphany that oh this stakeholder management is a freaking [ __ ] show, right? And it and and also and and and you know but but that's also very very important important part. So building empathy meaning that you understand the
other people in the team. So it will automatically become a better team. >> And the the flip side of that too is if you put a you know chief marketing officer in the role of the IT manager, they gain an empathy for the pressures that are part of that role that they never thought about before. Uh so how do you how do you then be that person in the midst of you know crisis or chaos or you know whatever this thing is? >> Yeah. and and also you get a more lifelike situation because when you're sitting around the table talking about these uh these procedures it's very easy to not see that one person is actually
doing the doing everything and obviously as we all know in in an incident one person can't do everything. This is how it is. So >> because this is because this is a game it allows us to put a structure on it that uh that that otherwise doesn't necessarily exist in the same way. um it it balances some of that imbalance in participation that happens kind of kind of naturally. You get the people that uh that are doing all the things in the in the exercise and you uh the other side of that is you have folks that are afraid to speak up uh or don't want to speak up for you know insert reason here
and that levels that that field a little bit. >> Yeah. So um yeah and and that that that is one thing and also we we introduce the 20sided dice and the reason we we do that is to introduce um randomness because in real life and that's not only true in incidents in real life you can do all the right things but the it just doesn't work. And how many times have folks who've been in incidents found that maybe you weren't logging exactly the events you thought you were logging? Maybe your backups aren't as robust as you thought they were or aren't covering the things that that you thought. >> So this gives u uh the dice roll gives
this randomness gives us a more realistic experience. It doesn't just play out how we thought it would. So yeah, well, this is enough chatter. Hackback is tabletop exercises, the fun kind. There's a website, there's a QR code that's also totally legit, and there's also a LinkedIn thing. I promise you can feel free to follow. So, um, let's talk about what it actually is. >> Yeah, um, Hackback is a framework. Um, it is a structure that you can put around a lot of things, more than just incident response, for example. That just was the first place that we kind of
gravitated to with it. Uh, it seemed the first natural application. Um, but we can do a lot of other things with it too. Um, think about, uh, you know, offensive security or, you know, use your imagination. Uh, you can do basically anything you can imagine with it. >> Yeah. So, we have Hackback is open source soonish, meaning that we want to open it up, but we also want it to be in a state where people can use it and we really, really hate writing documentation. So, >> takes a little bit of time, >> but there is a GitHub and it's private and you can be invited if you
join our join our >> you can message us and we can >> yes our discord which we will show you soon. Uh but yeah but uh let's talk let's talk more about what it can be used for. Uh so this is why you will see that it this is actually or this is truly the security universal security power tool that um you didn't know you needed because these are just examples and it's all about getting the right idea and I know and one and one thing I do know is the security folks are really good at getting more or less good ideas but at least ideas so I'm sure that you can find you you can find even more good
things that we have good applications that we have the first thing is abstractify which is adly a madeup word but uh it's the point is that you you can use it to to to explain concepts that is a bit that otherwise is a bit hard to explain for zero trust what hell is zero trust anyway anyways I mean I mean it's not like somebody at black hat thinks that is products but you can play a game where you are where you are going through a scenario and and not calling it zero trust but actually >> concept steps are built in. >> Yeah. And then and then afterwards you can say, "Whoa, that was zero trust."
And people are like, "Oh, that was zero trust." >> So you've kind of backed your way into an understanding of what zero trust is and what it means. >> Yeah. Or or something as I am, user management. It's very very important, but it's also super super boring, right? So So companies that don't have to do, they don't understand why is my ad not good enough? Well, let's play a scenario, right? And then you'll get [ __ ] over because you only had a freaking freaking AD, right? So, and then you learn, right? Or um you can use it to to teach non nontechnical people about security because sales and marketing traditionally they don't know [ __ ] which is how it is. But obviously
you you can also teach them teach them via game. They can know the they can know how it is how is it to be in an incident or how does a hacker think if you just put through the right scenario. They don't need to know all the all the technical stuff because that's the beauty of role playing game. We're just making it up, right? We're just talking about it. So, we can talk it talk about at a more at a higher level higher level of of abstraction. So, it doesn't have to be all technical jar jargon. You can really have a conversation about conversation about how you would handle this thing. >> Or you can introduce a non-player
character who is actually the technical the technical genius whereas the one who who don't know can then you know spar with this nonplay character and then go through the incident like that or whatever you come up with. And kind of the other side of that too is you can go deeply technical with a a technical team uh using the same focus. It's it's very flexible in that way. >> Yeah. >> Uh you can also use it to to teach teamworks. For instance, a scenario of f where five people are tasked to break into a building. All the five people have they're good at various skills. They can they can each carry two things that are different. So obviously it's a
game about hacking and entering but it's also a game about teamwork because if you can't work together then you can't pass the game. >> No one person can do everything. So >> yeah exactly or or marketing events you you can you if you can use it to as a sort of a lightweight puck I guess you can call you you can write scenarios about what which services your company does or which products you >> this is where our product might have helped. Yeah. Um or you can use it for a seam events. I've played the thing with Dungeons and Dragons is that it doesn't really scale very well. You can't have 25 characters in a game then it would
take 14 days >> many many many hours more than you have more than you more than you have attention at the very least. But but if you divide people into groups so that instead of a person a group is a is is a character or you can put people into groups and then they can discuss what's what should which character do next. Then you can try to scale it. I've done that I said with with up to 25 people you can probably scale more. Who knows? I haven't tried that yet. And you can use it to talk about real events. You can talk about you can use it to communicate how did our team handle this
and that event, because one thing is writing a report about that breach or whatever, but that doesn't make people feel how it was really. So you can also use that as an extension of reports. >> And I've done a number of games and scenarios over the years based on real things that have happened. Uh, let's live through that. You could also do famous events. Um, how about like Stuxnet, for example? How did that play out? You can use this to, you know, to play that. >> So yeah, the possibilities are literally endless. You just need the right idea. So, um, beyond
the incident response, you know, that's one thing, but, um, uh, you know, that is like classic defense: response to ongoing attacks. Offensive security, like real red team operations, penetration testing scenarios. Um, or defensive security, you can, um, do proactive threat hunting, security architecture design, attack and defense. You can have like two teams playing against each other in the same scenario, in a ransomware scenario where one is the attacker, one is the defender, one is the group, one is the company, and both have to do stakeholder management, for instance, and part of the game is negotiating ransom. >> Or purple team and cooperative. >> Yeah, yeah, or you can put on top
of a private team meize if you also want to train the whole crisis management part of something going bad in your infrastructure. Uh, and our newest idea or newest project. Yeah, sorry, I forgot one thing. We can also do hybrid scenarios. We can also do risk assessments. Um >> again, you get back into some of those more abstract concepts that, uh, if you don't work in them or haven't worked in them, you may not understand. >> Yeah. And, you know, everybody, or at least all of the technical people I know, they really, really hate risk management. And I get it because it can be extreme. It's
usually really, really boring. But if you take a risk management scenario, say we are in the Star Wars universe, we have risk set in the Death Star one beat that waiter, who in here wouldn't play that game, right? But in reality we're [ __ ] with you, so we're trying to teach risk management without you even realizing. >> Right, so that's one thing, and our newest project is called Malware and Monsters. That's a collaboration with, uh, with Mel. They, um, they made, um, for all malwares, they, so sorry, I'm from Europe so I said malware, so if you don't understand
then just think malware >> malware >> malware all right anyways they uh for all for all malwares they they've created like a like a a Pokemon character they're called Mmons Moware monsters and uh I was I was approached by them earlier this year and they asked me if I could do like a game with them, a game with those moments. So, I've created like a Dungeons and Dragons or we've created a Dungeons and Dragons h Pokemon hybrid kind of games where all p where players collect Pokemon sorry mmons in their mold decks. Um the Mmans evolve if you don't contain them and um all sorts of other probably recognizable things, mechanics. So, not only do you collect the moments, you you
also learn about malware malware history, about strains, about containing them because that's what the game is about. And it's a m it's a it's at malware and monsters.com available now. I'm doing a workshop on sorry we are doing a workshop on Saturday about it where we are teaching experienced dragon players and security professionals to play the freaking game. where >> in a in a malware in a malware village but unfortunately the uh is oversigned but uh anyway come come to us if if you want to learn more uh we can probably arrange something at some point we are we also trying to build a community around that so um yep but uh let's let's talk about
more let's talk more specifically about the instant response edition of hackback >> yeah um so we We find it the the most natural place to gravitate to to begin with being incident response. You hit the um >> so it's run by an incident master or dungeon master. Uh at least that's the theory. Uh but this person has the same role as a dungeon master. It is about facilitating the incident. It's about moving it uh moving it along, being the the referee and telling the story. >> Um >> Yeah. Yeah. Know and and also adjusting the difficulty because the whole objective of the game is for people to go through it and learn. They don't learn anything if they just roll one all
the time and they're stuck, >> right? >> If they just fail or just successful, >> they also learn they also don't learn anything if they just rule 20 all the time and everything works. So the instant master is you're automatically trying to, you know, make it just the right amount of hard. >> So there's there's a fair bit of thinking on your feet and adapting and anybody who's been a dungeon master for uh a role playing game or similar understands that. So >> yeah, >> um this is this trains a team with broad skills. Um, it can also be used for depth, but we find the the better application for it is in the breadth of
skills. Um, having a character who's a CFO, what what role do they play in an incident? Well, I mean, they they have to sign off on, you know, things that are purchased. Um, maybe this whole happen this whole thing happened because of something they didn't sign off on before. Uh, so there's a role of the CFO, there's, you know, communications manager. How do you manage the communications in an incident? Who are you communicating with? Who's who is important to communicate with? The messaging isn't going to be the same. And I think uh that's often uh overlooked sometimes, all of the the the effort and nuance that goes into that. Um we have uh your your typical
technical incident responders. They have a role in this too. Um, and really you can build a scenario uh for your audience that covers any any need or any any objective. When you when you want somebody to expand skills in a certain direction, you just put a character in there. They don't have to play themselves, they play a character. Um the one of the things to keep in mind about a character too is you have to help help your players get into character a little bit. Um and we have some interesting ways to do that and I think we'll talk about that more later, but uh whenever there's an action, you roll in a d20. Is it a an easy, medium,
or hard thing? We can adjust the role based on that. Um that's our randomness again that we were talking about earlier. Um there's not everything is going to go according to plan as happens in an incident. >> Yeah. >> Um we we like open-ended scenarios. We like things that are maybe start extremely vague or abstract or there's a lot of uncertainty at the beginning because think about the the alerts that you might get that start an incident. Well, we know something happened. What was it? Now we've got to go figure it out. And you can play through and uh and let this unfold in story form. >> Yeah. Just like real life. >> Just like real life. A real
investigation. >> Yeah. >> All right. So we have characters. These are just examples. Again, the sky's the limit: CISOs, IT admins, CFOs, marketing managers, middle managers, GRC analysts. They all have modifiers. Some roles may be good at hardware or software or security. Some might be particularly bad at that and might not have any experience at all with it. Some might be extremely likable and get a plus two to likability. >> Or the opposite. >> Or the opposite. Talking about which, we also have stereotypical, relatable characters, because obviously we need >> we need people who haven't seen this before, haven't seen the game before, to get the characters right away, and a good way to do that is by using stereotypical characters. My favorite is this Microsoft system architect who is a huge Microsoft shill, who really loves everything Microsoft and truly believes that the only reason the Lumia phone failed was because it was ahead of its time. He also really, really loves Linux. They also have minus two in likability. Or the CFO who only thinks about money, right? Because we have all met those people, right? We like to play up a few of these stereotypes and some of these attributes or traits, because that is really what lets a player latch on to a character and get into character. You can play up some of these things and immediately start having a good time, and that's what it's all about. That's really why we're here. >> Yeah. >> Alignment. >> Alignment. Yes. You know, your lawful evil CFO. >> Yeah. So getting into character can be a little bit hard, especially if you don't have Dungeons and Dragons experience. But one way to do it, and one way that also effectively breaks the ice, is at the beginning of the game where we ask people to introduce themselves as the character, and the smallest thing can make people crack up. I played a game at some point where there was this guy who had the character of a woman, and you know, nothing wrong with that or anything, but he made a high pitched voice and it was really stupid but was freaking hilarious. >> Everybody immediately started laughing and that set the tone for everything else that came after, >> because that is where the magic happens. This is where the ice breaks. This is where people engage. >> That laughter switch. >> Yeah. So, yep. This is the magic. This is magic time.

All right, let's play for a couple of minutes a very simple scenario, but as one big team, just to show you how it works. So obviously this is our company. Their entire IT infrastructure is in Azure. It's Friday 4:15. 4:50, because >> because that's when incidents start. >> Exactly. And we get an alarm from Microsoft DART or whatever they're called these days. There's an administrator for marketing who logged in, and they're on vacation also. They log in from Romania. So, what do you do, right? >> Any suggestions? >> Open that up a little bit. >> It's cool. They're doing work remotely, >> dedicated, >> but obviously you could look at this from different points. You can either take a technical look at the logs, what they're doing, block things off. You can call them up. Don't make the Microsoft guy call them. Maybe you should have somebody that's likable call them up and they may have a better chance of answering while they're on vacation. >> One of my modifiers. >> Well, if you've got plus two likability, you might be the one doing the calling. >> Yeah. >> So that's the point. That's also what Glenn meant when he said that in the beginning we don't know anything. We just know somebody has a vacation date like that. >> What happened here? Yeah. >> Maybe it's legitimate. Yeah. >> Maybe it's not. Well, it would be really... if it's legitimate >> it's probably not legitimate >> it would be a really boring scenario, >> but in theory we could also play scenarios where nothing's wrong here, nothing to see, yada yada. >> You just have to figure that out. >> That's also kind of training. But yeah, there are also other things that you can do with Hackback, which I more or less already mentioned, so no worries, we'll do that real fast.

All right, cool. So right now everything is in our private GitHub repo. We'll open source it when it's more usable. It's mostly Quarto markdown, which is basically just markdown orchestration. We have a Discord you can join if you want to help out. Sharing is caring, and that's a QR code, or you can also just go to discord.gg/hackback. >> Totes legit. >> It's totally legit because there's a Discord logo, right? >> So it can't be anything else. So yeah, the state of things: we had plans, right? But there are pre-made characters, a couple of scenarios, there is some incident master guidance, handouts, rules, and the incident master handbook is in the works. And yeah, what we >> just need is a little bit of help. >> Yeah, obviously we could use some improvement, or people trying it out, or just building the thing and, you know, whatever. That's kind of where the community comes in. If you guys are interested and want to do some of this yourself, >> you will have ideas we haven't had, you will do amazing things that we haven't thought of yet. >> So yeah, but we definitely have the Discord. It's kind of dead because >> our time has been limited sometimes. >> Yeah. But obviously the plan is to build a community of people helping each other out and spreading the word of this stuff. Also, I'm from Europe, so we're doing this too. Or you could just insert any compliance framework. No matter what compliance it is, you're probably doing tabletop exercises because you have to. >> Your requirement to test your IR plans has to happen somehow. >> Yeah. So basically you have two options. Either do it the sucky way and make your colleagues hate you, or do it the fun way and make them love you. So the red pill or the blue pill, right? So yeah. And woohoo. And high five. >> All right. >> So, >> if you put the QR code back. >> So what, >> the QR code? Of >> course. >> I think we can probably make that happen. >> We can probably >> God damn it. >> We can at least imagine it. >> Yeah. All right. >> Thank you. >> All right. Jesus Christ. Should we move on? We're moving on now. All right. Here we are. And obviously this is the coolest animation you can do with Google Slides. So yeah, but obviously if you want to do this stuff and you want our help, I'm a freelancer by the way, then feel free to be in touch. And obviously if this has inspired you to do this work, that's cool. If you also have some decision power, it's even better. But anyway, get in touch. We can also help you convince your boss. We know things, right? But anyway, thanks. And as I said at the beginning, the QR code for downloading the slides. We are on LinkedIn. We have emails, if you have any questions.
>> Thanks. That's awesome. Hello. Testing. >> Yep. Works. >> Well, kind of works. >> It works. >> Oh, I just have to eat it. That's the problem. Okay. Thank you, people. Thank you. That's awesome. I guess one question I have is when you're switching people into different roles, could you talk a little bit more about how you handle that, where you put like the marketing manager in charge of a technical role that they don't know anything about? And then the other question I have is why not LARP? Like you could have gone LARPing instead of D&D. Well, >> you're good. You're good. >> The way I like to think about putting people in roles is you still have to know your audience and understand what a person might be comfortable with. Some players are not going to be comfortable shifting from their dedicated IR role, or whatever it may be, technical role, into communications director or CEO even. So the personalities have to be okay with that. So you're kind of gauging that a little bit. But even then, if you take somebody who's normally a technical incident responder and make them the manager of that team, that still shifts the role a little bit and makes them think about things from a little bit different angle, and I mean you can use that as stepping stones to get further out of that and really broaden the understanding of the roles that exist in an incident response. So that's my two cents on it. >> Yeah. So I guess the next question is, Glenn, why haven't you done any LARPing? >> Well, I've not historically been a LARPer. A little cosplay now and again. Wear a hat, cosplay as John Strand. >> Yeah, well, that'll be the next edition, I think. >> All right. Over here. Microphone coming around. >> Yeah. >> Sorry. Thanks. >> Very general question, but do you think it is a career added value to learn how to play Dungeons and Dragons? I have never done it in my life. I don't know what the learning curve is. I don't know if it's worth it. I don't know if I'm going to throw the game board at the wall in 30 seconds. Like, will it help? >> Never too late. >> Never too late. But is it worth the time investment? Is it a value add to your life one way or another? >> No, but >> career-wise, career-wise. >> But seriously, this is very simple Dungeons and Dragons. >> I haven't been a Dungeons and Dragons player myself. >> So it's not needed, really. Also because of the whole role playing part of it, >> you don't have to be completely role playing about it. You can also say, well then I want to do this and that, right? Instead of going into the character. So >> this is really supposed to be low barrier to entry. >> But that also means that every once in a while you bump into people who have never done Dungeons and Dragons and they jump into it, right? And they are all in, and it's really amazing. So you see the other thing around people that are just naturals. >> Well, thank you. >> Oh, yeah. One, yeah, there was one. >> Yeah, right here. >> Yeah. I would say a really big reason as to why it's D&D and not LARPing is because with D&D you have these awesome math rocks. >> With LARPing, where are the math rocks? >> Why can't I roll a d20? >> Yeah, I like the math rocks. >> Yeah, there's rock paper scissors, but it's just not the same as rolling a d20, or >> rolling a one and having your plan spectacularly fail. Yes, >> good point. Thanks. >> The randomness. >> Yeah. If there's one small thing we could do to help you guys out, what would that be? Like a little action we could take? >> Well, talk about it. Talk to your boss. Talk to your colleagues. Talk to your friends. >> Yeah. >> Join Discord. >> Yeah. Join Discord. >> Yeah.

>> So I guess half joking question. Whenever you're trying to do this, like I was kind of looking at your site a little bit. Are you seeing this as more of kind of like a one-off thing? Are you trying to set up campaigns, or is this adventure rules? >> Yes. >> No. But it all depends on the company. Obviously, if you do incident response, which you more or less have to, right? Then why not just do this instead, right? It all depends on what you're trying to achieve with it. All right, more questions. >> We'll be around tomorrow and also on the emails and LinkedIn and all that. Oh, there's one more. >> Are you actually having these teams take their runbooks and put those into play during this as well? >> We can. It's not necessarily a requirement, but it's absolutely something on the table if they want to use their own plans for their own company or a company very close to theirs. Absolutely. >> Yeah. But yeah, obviously every now and then when we play with people and they actually remember they have an incident response plan and they say, "Hey, I want to do my incident response plan," they get plus points. Right. >> Right. I mean, I think that would be helpful, and I was curious also, if you have done that, how much time it actually took in advance. Like, are you helping them establish the gameplay or is that more on the company to do that? >> We typically operate as the incident master and run the game, but we are more than happy to teach people how to do it too. >> Awesome. >> Yeah. So there's an art to it and we've learned this art by bumbling around until we got it. So we can save you the bumbling around. >> Yeah. But that also means that you could read the incident master handbook 20,000 times, but if you haven't tried it, it's not the same as doing it. >> If you don't know about... as incident master you need to know about security. You need to understand the technical aspects of it, because if you don't know it, don't understand it, then you can't sort of, when people... >> keep it plausible. >> Yeah, they can't keep it plausible, they can't drive a story in the right direction, and you also need to think on your feet. So >> actually training is one thing that you can't get just by reading the book. So it's a learned skill, >> and also for many companies it's just easier to get someone else to do it instead of allocating a lot of time themselves. >> Yeah, absolutely. >> All right, let's give it up for Claus and Glenn. Thank you. Thank you a lot. And also I'm really impressed about the turnout. Really, I'm highly impressed. This is my first, sorry, this is my second BSides Vegas talk. The first one was maybe three years ago at the same time more or less, and I think five people showed up. All right, >> that was great.
All right, good afternoon everybody and welcome back to BSides Las Vegas and Common Ground. The talk we have now is Keeping Our History Alive: Hacker's Guide to Sticker Preservation, hosted by Brian. So, a few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Formal and Dropzone AI. It's their support along with our other sponsors, donors, and volunteers that makes this event possible. These talks are being streamed live to YouTube. And as a courtesy to our speakers and audience, we ask that you kindly check to make sure your cell phones are silent before we start the show. And if there's still time left after the talk, there will be time for audience questions, and I'll pass around the mic to whoever wants to ask a question. And as part of the cell phone policy for BSides Las Vegas, there is no photography allowed. But with that, I think I'm gonna hand it over to Brian if he's ready. Yeah. >> All right. Let's give him a warm welcome. >> So, thank you all for coming at six o'clock in the afternoon. So, a fun talk actually. >> Could I hand out stickers? >> Yes. If you want to hand out stickers, please. >> So yeah, pass around. There's a book of stickers going around. I will have more up here at the very end as well for people just to grab. >> Yes, let's do it. Let's share. It's all about sticker swap community. So this is going to be a fun, graphical, very fast-paced talk. So look at the screen, don't look at me. All right, 60 slides in 20 minutes. The idea here is just to give you a little bit about my own background and where I fit into this and how this brings out the talk. I am first a real ginger. This is not coloring. This is my actual hair. 15 or so years as a defense contractor at what's called the DoD Cyber Crime Center, a lot of it working for the forensics and computer intrusions lab there as a reverse engineer, malware person. Went to Carbon Black, started up their threat analysis unit, ran that for about eight years, and I'm now at Sublime Security running their threat research work there. Also many years back in the warez courier scene, a lot of different scenes I won't really call out, but they are applicable to what I'm going to present here later on.

So what is the ultimate crux of this issue? One: stickers, right? So very prevalent, not just in our community but just overall, as a means of communication, rallying together, sharing a common message and also sharing dissent. These are our ways of communicating with each other anonymously as we go through the world, and they apply to just about everything, right? So every industry, every community, every culture, every person with a Cricut machine at home. This is where this comes out to. I don't want to focus on that. I want to focus on this. This is part of the DEF CON sticker wall from a few years ago. This is our community's set of stickers. This is what we use to display who we are and express our culture and express our wants, our needs, who we are as a person, and where we can find other people with like beliefs and like skill sets. So we also have a tendency to throw stickers up on everything: walls, pay phones, Matt Damon. That goes around to where we want to actually use these to show off our sets. And I guess the ultimate crux of this: finding your tribe in this community. And how can we use stickers to do just that? When you come to BSides Vegas, 3,000 plus people. DEF CON, 30,000 plus people. RSA, who cares? Black Hat, really, who cares? But lots of thousands of people, right? So how do you, in a group that size, actually find someone that you know ahead of time that you can actually communicate with and have a shared interest, just by looking at their laptop screen? This is what I really want to focus on for this talk.

And beyond just the infosec industry, right, so the abilities of people doing this for just crafts, right? This is obviously someone who's doing this but in a very different realm than we care about. There are ones on just the edge of what we do, very technical based. We see the stickers that say okay, these are technical companies. I'm familiar with these. Half of these I really don't care about, but okay, there's some shared interests there, but not really our scene. Get a little closer. We see the encryption. We see the call outs to this technology. However, very likely this is a crypto bro. So do not approach. Don't care about these people. All right. Instead, when you get down to something like this, right, this is the crux of this. There are hidden symbols in here of old specific CTFs, old specific challenges, old versions of DEF CON and the branding that was associated with each of those. So very strong messaging here of not only is this person within my scene, but they're also within a skill set that might align to what I do. Therefore, I already have a conversation in place. I can actually discuss with this person and know that we're of a like mind.

Now, where these start off is at a very basic level. You have these very generic ones: technical-minded people, hackers, hardware hackers, just little ones that we kind of throw out there to say like, okay, I'm within this realm of computer hacking, some sort of hacking, or at least doing weird and bad stuff. Also my favorite, you know, safety third, which I think is important to all of us here. Safety should not be first because that's where fun comes in, right? But safety should be in there somewhere. So this also plays in again: Sticker Planet, sticker all, you know, hands out the safety third to the community during this week. RTFM, okay, yes. Maybe it also calls into the IT side, the Bastard Operator From Hell side. Okay, maybe, maybe not, really don't care, but these are kind of leading into the culture that we're building. Now you might have some that come in who just know of it from the outside. They know of it through popular culture, they know of it through media, they know it because they saw Mr. Robot. Is this someone you can actually relate to and talk about actual attacks and vulnerabilities right now? Likely not. However, they do have a shared interest, and say like, oh, they're probably willing to at least discuss with you and hear what you're talking about. Or you have someone that just saw a lot of Baby Shark and just wanted something of that theme on their laptop, right? Still lines of work we do, but also a cultural influence. Or just the movie Hackers, right? So people who fall in love with a scene, a movie, a trend, they want something to showcase that. Doesn't mean they're not part of our group, but it could be a sign that they're, you know, just really interested in the work we do.

Now, beyond those, let's actually call out the sites, the tools, the protocols we use, things that we are actually highly interested in. Pirate Bay and a lot of sort of sites like that, where this is not your common person who is going to these sites and downloading stuff, cracks. It's not your common person who's on Tor. However, that is becoming much more common now. A lot of people are using Tor and Tor Browser. So it's maybe a small resemblance there, maybe a small relationship. I would love to call out Kali Linux. However, it's so generic and everyone knows it and everyone's got this stamp, you know, I'm sorry if I'm offending anyone, but nobody cares anymore. Like everyone just has that. So it really doesn't mean a thing anymore. But you also have newer technology like Veilid. Who's here? Like if you see something like this, all right, this is someone who's actually into this newer version of encryption technology. Maybe they run a node, maybe they have a setup here. Like this is new and cutting edge tech. I probably have a relationship with this person because I'm also interested in what that means. Without even saying the word of what some of these stickers are, just looking at the symbol alone carries a lot of meaning with it. And I just love to say like, okay, Kali, I love it, but where's the BackTrack? Like, we can go back to get some of the really nice ones out there. Show your history there, right? Don't show the new stuff.

Now, EFF is out here. This also falls in the realm of your personal beliefs, your motivations, your political realm of things, right? So EFF is really well known and regarded, right? So people who tend to have EFF around have a personal mission of encryption, of security, of privacy, and what we can do in the community from that side, as well as the idea of, you know, obviously encryption, anti-crime, to the political side of: do birds actually exist, right? I'm still not convinced. And if you remember way back in the day, Title 42 section 20A was this whole idea that I'm a journalist, I have unpublished research on this laptop, therefore you cannot search and seize this machine. It doesn't work. But everyone loved to put that sticker on all their stuff, maybe in hopes that anyone even cared about them enough to search and seize the equipment. They never did.

Beyond the technology, right, let's find other ways we can connect with people. The events that we go to, our shared experiences, right? So BSides Vegas here, 3,000 other people, to say that I was here along with you this year at this event, or 24, 23 at DEF CON. Obviously there's a very generic one. DEF CON's going back almost 35 years now. I would love to say like DEF CON with the actual hotel it was hosted at, to really date yourself. But still it gives a glimmer that hey, we have a shared interest here, into some of the other generic regional BSides and so forth. BSides Charm, that's mine, Baltimore. And some of the more obscure, very specific conferences also exist out there, reverse labs con and so forth. To the groups that we know and love. They're very well regarded. This is typically not us showing that we are a member of the group, more that we hold that person in esteem, that we like this group and we appreciate the work they do. So from L0pht Heavy Industries to cDc, woo woo, and to Hackers Town, like these are groups that we can say I'm a member of this group, or I love the work this group does and I appreciate them and I respect them. And knowing that a lot of people in this scene didn't come directly into hacking. They came from a similar scene and crossed over. So old school telephone phreaking, old school means of coming into here. There was no direct line that I'm a hacker. You came from something else. You came from the old warez community. Everyone knows Razor 1911. When you start bringing out like Fairlight, some of these other obscure groups, Mask, where if you see that you're like, okay, that's very niche warez. That's all OS/2 warez, by the way. If you see that, that's a very weird connection that you have now made with someone. Seeing groups that you actually like and enjoy, or that you love to see them being taken down, like LulzSec, you know, tango down, love it. To the fact that we went as newbies in this field to seasoned curmudgeons who just say okay, I've had enough of this, this is BS, it's the same thing year after year, just leave us be, I am sick of this, like I've been in this field for so long I want to start an emu farm and get out of it, but I'm stuck. To our own personal progression in our careers, right? So student, hacker. To our personal preferences, our personal identities, who we are. We're in the scene but we also have this other shared trait that makes us a person. I am this person, I am SheHacks, I am this person and I'm in this field and I would love to discuss that with other people like me. We have the shared jokes, we have the shared events. If you survived CrowdStrike in 2024, that's a smaller group of people. Yes, it was a well-known global event, but the people who actually know the core of it was a very much smaller set. People who remember the pew pew maps from RSA and the company who I won't name, who's now gone out of business, who really relied on those, right? So this idea that this was protection, that was a really big thing for a while. The real Kali Linux users, this is their logo, right? This is what they used to actually show off that they actually use Kali and know what they're doing, right? Not the other one. And we cannot do anything without hailing out to Threatbutt, whom we highly revere in this industry. So again, these are things that pop out to us. All right, this is now someone who I really know who's actually in a scene like me, who comes to these events and knows what Threatbutt is. That's a big sign that we have a lot in common, as well as the individual skill sets, right? So you want a NOP sled out of something, you're like, "Nope, nope, nope, nope." This means nothing to 99% of the world. They have no idea what you're talking about. And that's why we care. We want that 1% who actually does understand it. The 1% who knows what an ATT&CK tactic ID is and has lists of their favorites, and they can use it as like a dating across the room to see who has the best ATT&CK tactic that they love. Or the actual industry that they're actually part of: being the malware side, being the attack side, being the vulnerability research side, there's typically a joke trend that goes along with that for each side. Rosie the Riveter, everyone's familiar with her and the work we do, I'm sorry, the work she does and what she represents from World War II. We can do lots of spins on that, of St. IDA: not only can we do it, but we can RE it, reverse engineer, more specifically Ghidra the Reversator. We can RE it on the Ghidra side. So not only the idea of reverse engineering, but the actual skill sets and tools used by these people who you can immediately relate with, as well as, you know, from the IDA Pro side, right? So everyone who's a reverse engineer, either vulnerability research, exploit development, malware analysis, knows IDA Pro and St. IDA, not Ada Lovelace by the way. So St. IDA in a very cool form, as well as back in the day, can you name very certain events that happened in a specific software. No undo, no surrender. Dates back to 2019 when every competitor to IDA had an undo feature they were coming out with. IDA did not. You made a mistake, you're stuck with that. You're screwed. Hopefully you had a backup. Which was great. People rallied around it. This was their, you know, rally call. We're sticking with IDA. And then they added undo. So they had to change the sticker up the next year.

So we're going really fast on time, so I'm going to move a little fast here. Done with the culture side. I really want to talk about the technical side now. And I apologize, I'm going to rush through some of this, make sure we're not too far over on time. The idea: we have these stickers now. We want to preserve these. We have these 20-year-old stickers. We want to make sure that we retain them, take them off old equipment, reuse them as much as possible. To do that, let's think about a hamburger. This is our sticker, right? From the very top down. Your meat is your actual vinyl material. Your cheese is the printing on top of that vinyl. Your laminate on the top. And what we're really focusing on is that secret sauce: adhesive. That's going to be the structure to everything we have here. Now, it might seem simple. You take a
sticker, you take a razor underneath it, or what's called a spudger, and you just pry it up, right? No. Because nine times out of 10, there's actually different layers on that sticker, and you're very much likely to catch the laminate layer and pull that off than you are actually catching the adhesive layer and pulling that off. Lots of testing I've done on this. If that happens, you know, laminate actually just makes things shiny. That's actually the point for it. Half of this on the left is actually the laminate removed. Half on the right on is actually laminate. And actually, not much of a difference. So, worst case, as you're doing this work and you pull the
laminate off, oh well, you lost some protection. Well, let's assume using plastic razors, not metal, that scour your laptop lid, you are able to get under the pry, lift the edge, pull it off. You get something like this where as you ran the razor underneath, you still separated out between adhesive. You left adhesive behind and adhesive with the sticker. The sheer force of pulling the sticker off pulled the adhesive with it, but wherever you actually cut in left adhesive behind. So, you're stuck with this massive mess that you have to clean up. Not only that, this is adhesive that did not carry over to the sticker. So when you try to reapply it, you now have
massive gaps that you now have to somehow fill and reglue to make sure that they actually still work in the future. We'll cover that in a second. Beyond the physical side, let's talk about chemicals, uh the actual methodology of what we can use to also pull these stickers off and clean up the adhesive. And this is where science comes into play.