
But at the level of IPs, you can't see anything. At the domain level, something more, which also did something like that. It was authentic IPs. Therefore, we must accept that we have less and less control and less visibility on certain layers. We lose these layers. This is how programming is developed. But notice that these magical boxes we were talking about also lose their effectiveness because they cannot clearly state something.
Going further, I got a little tired of this topic. One of the IPs had a fairly low reputation, I mean, I don't know if it's very low, but I don't have a great reputation in my favorite defensive safety tool to check artifacts. So I talked to Microsoft support a bit, a quite decent person, of course, after the escalation of the ticket, less with this. However, I found out that this data, Microsoft's communication can be confirmed by a given communication if the servers do not belong to Microsoft. So, a chain of delivery. A big vendor like Microsoft also has a chain of delivery. A small digression. In the best effort mode, Microsoft can tell me if
it was communication with Microsoft servers or if it was actually content for Microsoft updates. It froze me a bit. To be honest, I had a little more trust in such a big vendor that we all have in organizations and a lot of our programming in organizations is the product of this producer. But what do we have to accept? Well, using CDNs is cheaper and faster, right? Business is happy because the money is right. Security guards are complaining a bit, it's hard. They will lose another layer of monitoring. Maybe they won't lose it, but it will be less sure. How Microsoft decided to solve this problem, be sure, record a pickup on the stage. They did
something like that too, right? I'm listening. Well, yes, but in the sense ... I don't know if I made myself clear. We lose the clarity of what we used to understand as a simple fact that a given communication is actually accurate. And now, in the era of CDNs, there is a server somewhere, someone keeps their products there. Five minutes later, there may be some fake content. Sorry, a bit... That's life. Therefore, perhaps we have to replace old acronyms with new definitions of acronyms. Because we are losing some layers, we have to accept that monitoring network traffic will be less and less important, so we will be moving from one of the layers to monitoring hosts. We want or not. A little anecdote, I had the
pleasure of being In Stockholm there is a nice museum, they show the vessels, they show how a ship that was sailing to war with Poland, after 300 meters or something from the port, he turned around, he was poorly designed, he was too tall, the wind blew him out. But what I wanted, I recommend this museum on my way, if you were in Stockholm, it's really worth it, I mean, such a city break, I recommend this museum. But what I wanted to say, these were the times of the Swedish flood, And in the creation of this ship, there were so many people involved, including the king, who set the requirements for this product. It was supposed
to be high, it was supposed to have many wings, this ship was supposed to be much higher than usual. It was the first such ship in Sweden. No head would fly, right? So many people and the king himself involved. If Vendor made the same fall, no heads would fly the same way. So we do not give this responsibility to the vendor, we distribute it. Since Microsoft already has its supply chain, let's think about whether small companies in Poland are able to secure themselves so well that they do not use Microsoft products, Microsoft Cloud, because of how many of those different creations you saw on previous slides, Microsoft offered to secure its infrastructure. I think I don't know. It depends. It depends on how
we think about our infrastructure, what attack areas we will open. The second thing is the cash. These Microsoft products seem to be quite cheap so far. Of course, it all depends on what license we have, whether we are public or not. However, they are probably not expensive yet. However, there is a tendency that after some time, when we take up a lot of market, we will raise their prices. What else? In the case of such mega trust for the producer, we must also trust that the services will not be turned off. Because we have, for example, too much carbon footprint. Because, for example, the service we used was experimental. And too few people used it,
too little money, so why keep it, right? In Sentinel, there are a lot of rules, as long as it is still the case, it is still experimental, right? Microsoft can turn them off at any time. Why not? You knew it was experimental. And the fact that half of it is experimental? Okay, so we have to trust the producer not only that his code is well made, but we have to trust his supply chain. We have to trust all the choices that are made by security, including how he hires people. Remember that such a large vendor is large. It is impossible in such an organization not to have any problems, mistakes. We have to trust that the vendor is not wrong. Should we have full
trust in a given vendor, in a given product class? Ok, hands up if you have this slide in your folder with memes. I thought most of them. I just remind you what the cloud is, that it is someone's computer, I don't know where. And I come to the next topic, i.e. the problem of cloud services, the console that I showed on the slide with segmentation, which is somewhere, I don't know where. How is it that ... In this way, we get rid of many mitigants that we could use in case of an incident, in case of problems, in case of critical dependency on our security product. This is not a responsibility, it is a delivery
of responsibility. Remember, as AI sees security in layers, by the way, this is AI, the GPT time, which largely belongs to Microsoft. It has one rectangle, I don't know how to interpret it, it's probably one blurry layer. Security. Sorry, I have a question, should I quickly tell you what Defense in Depth is? Okay, I'm glad. I'm listening. Maybe it's worth it. It's on the next slide, look. Defense in Depth, that is, we have layers, we defend something in layers. If one, i.e. a layer, for example, can be EDR, and firewall. If one layer fails, then we have another one, theoretically, which can defend us from something. Not all layers do the same, so it's worth having a lot
of them. On the example of Microsoft, how do I see their layers? Microsoft has layers, it has many of these products, but are they layers or are they half layers? Do they not penetrate a little if we are in the ecosystem of one vendor? Do we understand these dependencies and is it actually divided into layers? Is it isolated? I see layers like this, this is my drawing. Moving on, another problem with trust, with this loss of layers. See what the risk bonus is when we reach a big vendor. And what is the risk bonus when we reach a small company being an attacker. Okay, small company, we'll launch ransomware, there's some cash. we will reach a big vendor, we enter this company,
we can have cash from his business processes, from some ransomware, it probably doesn't pay off, it doesn't matter. In any case, in addition, we can still download the producer's code and then sell zero days. And if you manage to scale up nicely, organize yourself nicely, quietly, then we can still get our small companies from the back, which buy their place from this vendor for their services, for their infrastructure. This is cash flow. It means that it pays to get to such a large vendor, even though it is much more difficult. Should we actually put such a lot of trust in it? Shouldn't we have a concept in our heads that we can reach a vendor? SolarWinds showed that we should protect ourselves and trust others. Yes, and it worked.
And there was good communication. What happened there? In many cases there is no communication. Now, I will be Microsoft. How much did Microsoft's fall? Zawluk had a big fall. Now they also have a fall. I don't know what kind of communication. Probably a week ago. We shouldn't trust one vendor. But how to deal with these clouds, these threats, these identities? What will happen if someone compromises our identity, some dedication, some token? Do we wonder, if we have a lot of these consoles in the yard, do we wonder how these accounts that are compromised in one way or another, what of these consoles, how can we escalate further to the company? Whether it is in this architecture
still in the cloud, which is a cloud, or also in the whole organization. Are we in the context of the fact that there are so many of these identities, so many of these services now exposed to the cloud? Are we as security guards still able to imagine this ecosystem, the risks we are exposed to using it? Do we have mitigants if it is to move to the cloud in a smaller or larger extent? And do we know where to use them? Do big companies make mistakes? They fill in. Do they fill in more than a small company administrator can fill in in a small company? Probably less. SORRY is a big company, SORRY is better
procedurized, they have better processes, they are better scripted, so they will definitely fill in less of these errors. But it is not that a large vendor does not fill in errors by definition. Once again, should we trust him? Shouldn't we leave any mitigants? Maybe some small on-premise with backup? Maybe some on-premises, a server with several core business processes for our organization. So that at least these two, three weeks can last, if the lack of availability of services in the cloud is extended. Can such a vendor disconnect us? Why not? Examples from the Polish yard show that yes. If it is our main communication channel, such as Facebook or Instagram. I think it was explained here after two weeks, but for two weeks the services were blocked. It was the
main communication channel of a given company with customers. So it's a big deal. One more time, shouldn't we have some alternatives? Maybe something on-premise, maybe in another cloud. They won't block us, right? They blocked a little bigger ones. Here, the politicians don't correct, it's just quite a strong person, right? President of the United States. Blocked account on Twitter. Okay, another problem with our trust. What risk can there be that is worth keeping in mind? SLA. Look, SLA, which is the time that the manufacturer guarantees if we buy a given product or service. Usually in marketing materials there are only nines, so this service will be available practically non-stop. But look how it is, do we have control over it? How
is it that when we go out to a meeting, we are meeting with friends, we finish work, 3:55 p.m. update on Windows, right? Can we go out to work to this meeting that will start in 5 minutes and if we turn off this computer, will it wake up in the morning, right? Will Windows explode for us? We don't know that, we don't have control over it, right? More from our backyard, an anecdote, I had the pleasure of working for a while on XD, maybe Maybe I just came across a period when there was a lot of updates, but these updates were often in this period, but they lasted several dozen seconds, less than a dozen
seconds. Nice programming, apparently some container was rolling under the floor and throwing it fast. Super, right? To make this update. And in fact, SLA had to be filled. But look, it was an XDR console. Imagine you are a stockist on the front line. You have already served 50 identical alerts today. All false positives, clicked, politely. The 51st appeared, it looks like someone has reached us the organization. Finally something interesting, I will learn something interesting. Something is happening. A reminder here. Waiting. A reminder here. And in the meantime, a colleague from the desk next to me assigns this alert to himself. waiting ends, the dopamine is here. It's funny, how does it affect our organization and security? In this case, I think not at all, but it's
annoying. This is an example when we don't have control over SLA, when we actually have this availability. Will the SLA of the systems we would have on-premise be better? No, it will be worse. Our administrators don't make updates so quickly. They don't have it so well automated. But we will have it under control. It will be a window that we know when it is. Okay, now the hand up. Who is replacing these old concepts with new ones? I've already told you more or less what I mean. So now you can raise your hands with full awareness. Who would replace them? So you're going into magic, right? It depends. Okay, it depends. So I didn't convince you. But I didn't want to convince
you either. I wanted you to have these concepts in the back of your head, right? I don't know. Nobody fucked up. I understand. Sorry that I'm stopping you because we have time, but I understand that, because I agree that it has its own application. And these problems of distribution of responsibility are consciously dispersed. How does it work? Should it be like that? No. Do we live in a perfect world? No. But it also depends on everything. The class of products we protect is different, the business problem is different. Yes, that's why I'm asking you questions, that's why I said it depends. I also talked about the golden middle. But I'm glad that so few hands were up. I'm not saying it's bad that you raised your
hands, because I absolutely understand that we don't live in a perfect world and we won't live. But I'll give you a quick recap of what I said. I know there were a lot of words and I spoke quickly, but I have a few more minutes left for a question. So I'm glad you're interacting with me. Anyway, what I said is that we lose layers. These levels on which we could cut off individual threats. We lose the possibility of eliminating Vendor's mistakes or our mistakes. We had layers, we could mitigate them at individual stages. Plan B is a mitigant. So maybe let's have something in the cloud. Maybe let's think about what risks are associated with
what, and not another architecture we have at the moment. in the organization, both the products we protect and the products we protect. We don't understand our products, we don't understand the products we defend, we don't understand the products we defend. They are getting more and more complicated, they are getting worse and worse. Look how programming is being created now. Not that we have a goal we are striving for, this goal is changing, we are putting new modules, we have everything in vain. This also makes it difficult. Transfer of support, as I said, abroad, also makes it difficult. Too much and chaotic. How can we deal with it? A person in the organization who has this
knowledge, a senior who understands safety, who understands a given product class during implementation. Perhaps apart from the implementation company, it would be useful to have a consultant implementing a certain product and a life cycle. It would also be useful, perhaps, in the life cycle of a given product. We assume that safety products solve our problems that we do not understand. If we do not understand them, the data will not be solved yet, because we don't even know that we should ask the implementation company to configure a couple of rules that will ensure a given risk. Okay, and if they had agreed, they would have at least analyzed the metadata, right? Whatever, right? Money spent, checks everywhere. So
critical thinking, let's think about our magic, what it actually does. And the next thing, do we implement these solutions to have a bird in the oedipus, be compliant with some ISO or other creation? Do we actually want to cover not 5% of the organization and have this check, do we actually want to work with the implementation company, think about what box we buy, will it cover the risks that we have noticed, which we want to cover with them, or will it cover some magical 5% of the organization, some fragment, a cut? Are we doing it for compliance or for security? Mitigants? To set requirements for the day when we buy a box, to know our needs, to talk internally about what we need and
only then look for the box. And then ask and execute from the supplier. And the server manager? Somewhere, one central, best with agents on all our ends, on all servers. Agents, of course, are the duties of the route, because they are to do, manage, so what else? What can we do with it? Well, I don't think we can escape from such solutions. It's probably impossible, isn't it? We can wonder if we are able to set some mitigants here. We can wonder if, for example, we are able to cut such a console in the cloud in some way if we know that it is compromised. First of all, monitor such consoles. First of all, remember how many of us have such consoles somewhere in the
cloud. because there are more and more of them. The question is whether we know what she put under the bottom of my tip. In my opinion, we cannot bury these paradigms yet. For those who raised their hands, remember that I did not want to tell you that I was right. I also wanted to tell you a few thoughts that are worth having in the back of my head, even if So that we can consciously go to the cloud, if we come to the cloud, I mean, sorry, it's not going to the cloud, I was talking mainly about consoles here, which are in the cloud, which can be a threat, to consciously implement some solutions, to
consciously implement what we can currently buy on the market from the manufacturers of security solutions. Let's not do it without reflection, without reflection, let's not buy boxes. To finish, I would like to thank you very much that you came here at 9 a.m. to listen to what I had to tell you. If you have any more questions, anecdotes, I encourage you to do so. We still have some time. We started a little later, but we ended a little earlier. I have a question. It's a very nice topic, but a little scary that this presentation was created at all. I understand that you suggest that at least if you bring my bath and the connoisseurs, that
these people from the security, they know it all. But you suggest that these people are not the ones who are doing it. because you are not in the security, right? It is so that the security people know it, but often they do not realize it. Now, these SORY consoles are often supposed to help us, this magic, solve some problems, solve the fact that we have too few people, but there are too few administrators, too few security people. We have to hire people who are not, perhaps, who, for example, came straight out of the studios, right? And they don't have such a practical encounter with reality, no one gave them a face. I made this presentation because one of the quotes that was already being read was authentic and it
was one of the reasons I lost my hands when I heard it. So it seems to me that these are topics that everyone knows about, but they are not talked about, they just do not sound. That's why I wanted them to sound today. - Can you tell me if it is necessary to study more technical aspects, to care about people, marketing, what to do, and what to convey above? Because what you say is the problem with people who are um In the end. Absolutely agree. The question is whether it will cost less, because it is difficult to evaluate this safety. You have to be a nice seller. But maybe, I hope that after this presentation you will also get some arguments that you can
use, talking to your safety directors, who, in turn, have a nice talk. They can pass it on to the board, they can influence the board. The idea is to make it as simple as possible. It's always like that, but it's a golden middle. A lot of things we do are like passwords that sound nice. It's used against the effects. Minimum viable product. We'll see what the market will take. I think it's very cool. You can't protect it. And look, this is at the stage of the product we are going to defend and the products that defend. Or this fancy idea. This is a kind of bad word that in my opinion is used, it's nice to see in Microsoft.
It is used to justify that every layer of security we do, we know it's small, but we implement it. I agree with the concept that we will not cover these layers with one layer, but as long as we realize what this layer covers and try to optimize this surface, enlarge it, this is the real concept of "defense in depth". I agree again, what is it? There was one opposite opinion. Anyone else? If not, thank you very much, because I don't know if they won't kick me out here in a moment. So, thank you very much again for listening. I'm listening. I would go out with it. That's why. The best thing is a hybrid, I think.
I'll plug it in there.
I'm starting already. I have a shorter presentation than these 45 minutes, so we'll do it easily. Yesterday I did some tests and I can do it in 15 minutes, 30 or 45 minutes. It also depends on how you answer and if I will shut up, please? Yes. I think you need to go to the toilet. If something, the men's toilet is on the other side, and the ladies' is on the left. If you would look for it later, because we also looked for it a moment ago. So, as you can guess, my name is Adam, at least that's what the agenda says. I'm here because I reported myself. I'm here completely voluntarily and no one told me. At least that's what I think. And
today we will talk to each other, we will do such a summary of the last 100 pen tests that we have carried out in Logical Trust, in LT. And now I wonder if it will be 100 or maybe 200 pen tests, because usually it is 100, 1000 and so on, and 200 is such a non-standard number. Besides, I have been in LT for over a year and let's say that these 200 pen tests that we will discuss here went through my hands. We had about 150 orders, so it's not as much as some larger companies; you can say, I don't know, recently Securitum boasted that they did 900 pen tests. But it is only a matter of scale. And now from such technical things that I wanted to
tell you, I saw that in the agenda some of the highlights are green, those that everyone understands, this one should be green or light green. Here we will not delve into such technical aspects. We will focus on the process before the penetration tests, i.e. the range of the test, and other things that may go wrong. And yet, such things happen. I will move a little, so you don't see my head. Am I in the frame? Is there anything wrong? As it is streamed, I would like to greet my daughter Emilka, because she will probably be watching until this moment. So hey, we can actually go on. A few words about me. I have already introduced myself, my
name. Cool mistakes when it comes to registration often result from it. As you can see, I am associated with Logical Trust and 1753C. I also like these two logos, that's why I associate them with me. I could also give the logo of my physiotherapist, but there is no correlation here. Besides, I like to eat pizza, sometimes we play CTF and I happen to read something. As for the subject matter, it is different. And yes, as part of this introduction,
and let's say such announcements, I don't know if I can do it here, but it's 1753C. This is a local community that we established 5 years ago, among others Adrian Kapczyński, who has a pre-lecture after me, is associated with it, or Kuba Pluszczok, who will also be present, but on the second track today. As for ELT, we have Mateusz here, who will also have a presentation tomorrow. We meet regularly every month in Katowice, here is our Discord and that's it for good. As for Logical Trust, maybe you will be interested, we are currently looking for a pentesting person, i.e. a pentester or pentester. We are looking for people even from junior positions, so if you are interested and you know what Pentest is and you have
some basics, you can apply. The boys are handling it there. I don't think it's boys anymore, but our friend came in there too. It's like this. Does it work? It doesn't work. It will work like this. It's not this. It's this. We're back. Good. I didn't tell you what I do at Logical Trust. I forgot and I won't read my notes. I didn't do these pen tests, to make it clear. I work on contact with the orderer of penetration tests, so I'm just a seller. We were wondering what to call it so that it wasn't "account manager". So it's called Cybersecurity Sales Ninja. We came up with this name with Borys Włonski. And now I would like to
say that it is a sales presentation, but it is not. And we had to take this data from somewhere. So I don't have anything to sell you. I didn't take the gunk, and the bed from the camel was not. It was apparently just checking, but it was very expensive. So that was a kind of a "guide" I also wanted to say that all the opinions you will hear today are mine and I take responsibility for them, preferably illegal. Racist jokes can also happen, but I'm not going to offend anyone, I was raised in times when they were still going off like this, so I haven't adapted to it yet. I don't have them here in
the notes, so they shouldn't be like that, but still. And yes, let's start with the basics, because this Pentest and audit. And now it might seem that it is obvious, at least for anyone who has read a book or article, that pentest is not equal to audit. And for us it is, let's say, quite clear. We are in this environment, so we see the audit, we know what it is about. As for pentest, we know that it can be a component of the audit, but it is also a separate action for people who are looking for pentests. or they want to check their safety, it is not obvious. And now, does it matter? It doesn't
matter to the client. Our role is to somehow limit it. It is also a space for education. We are able to show that we know what we are doing. And it may seem funny, but many companies that are looking for pentests are wondering if the other side can do it. Who of you does pentests on a daily basis? I thought there would be more. You can leave, because you will get bored. Not really, because you don't need to do pen tests. You won't want to do tests of your infra. You will have a chance to see the process of the process that can be done in the test. Of course. So what is a penetration test? Very briefly, we have security verification
of the application or infrastructure. It revolves around reporting, because the result of the pentest is a report. We report all mistakes made. Here in the set that is not equal, you can also give red teaming, which has become more and more popular in recent times, and the difference is that reporting errors, among other things, does not happen in the same way, because we do not report all the errors, only the critical ones. The tasks in Red Team are to scale as quickly as possible, to get more legalization and this is the key to all this. In pentests, we don't do it all the time, so even if there is a place to scale, we consult with the customer if we can go further, because a
lot of things can go wrong. One of the examples we had During the last year, we had a client whose industry is not important, but they had a lot of glass cars and it looked like this, that the supply management system was very expanded. And we came to a point where with one click we could put the entire production, i.e. managing these glass cars. It's a good moment to see that we can do something like this. It's a phone call to the client or writing an email, stopping the test. Listen, do you want us to click it or not? Because the tests, due to how it looks, took place in production. We'll come to that
later, because it's not so obvious that we're testing only in the production environment. As for the safety audit itself, we can say that It's a matter of documentation and meeting certain standards that the client depends on. I had notes, I don't have them anymore. It's a matter of meeting the standards, making a certificate, so it's a matter of reviewing the documentation, it's also a conversation with employees, and it's to check whether the procedures that have been implemented in the company are observed. This is also a problem and it does not only apply to the cybersecurity industry, it applies to all industries, i.e. production management, logistics and all the ISOs that have these cool numbers also lead to the fact that you have to talk to these people who work
with it every day. And then, when it comes to testers and such a standard division, which is totally mixed, that it is divided into three, which are standard, i.e. Black Box, here I allowed myself very extensive descriptions, so to speak. Black Box, i.e. I don't know anything about the application, I have an address. Grey Box I know a little more because I got it from the client's account and White Box I know everything. And now it's nice to come to the point that usually customers come and say, "Listen, I would like a black box." And the first question is, "What do you want?" Because we heard that it is worth being safe. Another question comes up, at least I shoot at the client, "Have you ever done
a grey box?" And he says: "No, why? We are interested in how we look from the outside." And this is a good approach, we can analyze it with the client, of course, further. The only thing is that cybersecurity is a process and you have to assume that We in BlackBox, after all, will not find a liability at this moment or for various reasons. Normally, it will not happen to us. We estimate it for too little time. There may be many reasons. We can be just fucked up, sorry. I don't know if YouTube will cut it out, but it wasn't such a curse yet. We can just not reach the topic and it happens. It is
worth saying that everyone is perfect and everyone makes mistakes. And what next? For good. That's why I recommend to make this gray box the first time and then check how much the environment is developing and how dynamic it is and think about what to do next. We will come to those tests later. And at the very end is this white box. Why did I leave it here? Why is it not so popular? Because it is very expensive. Usually, gray box tests are small applications that take up to 5 man-days and this test is enough. Here we have a code review and it usually doubles. We have to look at this code very carefully. And now the moment when the client falls out and says: "You know what? I
wouldn't like to do such tests. We will do them some other time." Usually we never do them. However, there are very well-known companies that do this review, or they buy a very large organization in which it is required because the infrastructure on which it is set has already been 15 or 20 years, the administrators are just before retirement and they do not want to share knowledge with anyone, so this white box must be done in order to usually prescribe it, because this is how it usually ends, but not always, because it all depends on the good deed. So here we have this standard division, which, book-wise, is known by everyone, and you could practically break it, you
know what? Because everyone calls it their own. Recently I had a nice conversation with a client who, I forgot to tell you, if I were to say the name of a client here, it would be untrue. This is not our client, right? I had a conversation with a client and usually it looks like someone is writing there that we would like to do an audit, it is still a penetration test, but it does not matter. I propose a meeting, and this is precisely to not sell various things and tell miracles, but to find out if I actually need this test and if I need a test like he imagines and whether these imaginations have any
impact on reality. So I meet a very nice guest. I remember this client, but I won't say his name. He said he wanted blackbox tests. I said, "Okay, let's go with this application." We enter the topic, because he says that the tests were already done. They also do manual tests every now and then. Apparently in Greybox. I say, "Fine, if you want a blackbox, what is the address?" He says, "It's not available online." because this is an application that we use internally and our clients too. I say: "Okay, why do you want this pen test?" Because clients demand it from us, so we'll go there later. Even if it comes out in time, it's fine.
So it turned out that we would get our own environment for testing. This is cool, but they will set up an account for us anyway. We are going to do tests that are not really penetration tests, we just have to click through the app, not even check too many requests. All integrations are out of scope. There are 26 accounts, and we are only supposed to test 3. Well, why should we click more? And is that a black box? Theoretically yes, but practically no, because nobody has access to it. So it's better to call it a grey box, because when presenting a report to their clients and shaping that narrative, we tell them that we are setting up a scenario in which someone has broken into your environment and is trying to get data out of this application, because you had, for example, problems with authentication, with authorization, and let's say access was very open or there was no access control at all. Because I don't know. Let's say user accounts were very open and those permissions could also be granted very easily. From what I can recall, this application was something like a CRM in which you could build processes within the company's document flow. So there we have all the personal data, we have financial data, so let's say things that, if they leak out, can look bad from the company's point of view, and there are legal issues. So once in a while it is worth testing it a little more carefully.

And now three options. I recently bought a book from Securitum, the latest one, a nice piece. I don't remember the author now, I didn't try too hard to remember him, but you can check it out. He describes this process more or less the way I'm telling it to you here, and throws in some more examples there. So it's worth reading that chapter. I saw that their division looks like this: there are automated and manual tests. And that's okay, because most companies and people associate them this way. And now what is a hybrid? And here we have the biggest problem with hybrids. Maybe you will come up with some idea, you can let me know. Because this name suggests that it is, yes, a combination of those two, but in some better version. And this is the intermediate version. So yes, in automated tests the main work is scanning the application. The tools that we use, whether it's Burp or Nessus, spit out a great report full of findings. And we check the false positives, they are checked by hand, of course, to put into the report the specifics that need to be corrected. And that's essentially it. And now, is it worth doing such tests? Generally, yes. It depends on the company's organization and how often they do them. This is what I said earlier about the dynamics of application development, or of the technology used, etc.
Basically, AI is very much going after this kind of test, and from what I have been seeing lately, these are already very nice, well-developed tools that let you click, pull a report, and then you have it: mess with it, check it out for yourself. And it often ends like this, when I talk to the people ordering or the people who look at the tests: they have a problem later with actually reproducing it and drawing some conclusions from it, because it all takes time, and it usually looks like security departments in companies are underrated when it comes to hours and working time, so they always have something to do, so this is just one of those less interesting things that could be handed off, and a junior won't always check it either. Sometimes there is no time to train that junior.

And now, what are hybrid and manual? Manual, i.e. the standard: we have full tests, and 10% of the time goes to automated tests to scan the infrastructure and, importantly, compare it with what the client told us, because it often happens that, "Of course, we forgot." And with infrastructure scans it very often happens that we have the info, the address pool, the tests are estimated at 25 man-days, two pentesters, we go full steam, the guys do the scans, they go deep inside, and it turns out that there are 10 more man-days we could add. And the question is: listen, are we doing it or not? Well, it would be nice to do it, but there's no cash, so what do we do? And it depends. We can do it by delivering the part we agreed on, but we can also jump to the hybrid. And the hybrid is that we make, let's say, a very theoretical split there, it still has no real basis, it is 40 to 60: 40% automated, 60% manual tests. And now the pentesters, based not even on the methodologies, because we assume pentesters know these methodologies and can move within them, but also based on their own experience, look at the application and infrastructure and test the most key elements, i.e. authentication, authorization, file sharing. So we focus on the most key elements of the application and test them. And we give feedback on what else there is to check.

The problem is that many companies do not define their needs and approach it only as a budget version. And recently we had a client with whom there was a huge fuck up when it came to scoping the conversation, and that's why we meet here, to talk about these fuck ups. They work on very sensitive data, including medical data, but also personal data, and there was financial data there too, after all, and they wanted to be a little clever, at least that's what the conversation was about, and they took the hybrid. And after the test everything was fine, they got a report, it turned out that they had a broken authorization issue and we spent most of the time needed for testing on it. There was a need to check those elements and we didn't have time to check other key aspects. And the client comes to us and says: "Listen, you did a great job on this test, everything was fine, and we would like to post on our website that the tests were carried out by Logical Trust, that we are safe and our clients can trust us." And what did we answer? There is no such option, because you are not fully tested, and we did not test you fully. And the client says: "But how? Why didn't you tell us that you would not cover this application fully? How much more do we need for tests?" We looked at this report and we see: gentlemen, it is so messed up that we need so much more. There is a problem. There is no budget. The project did not start with it. Only because it really resulted from the fact that the client wanted to cut a little on the cash. But it shouldn't be the client's fault. It's also my fault, among others. Because, after all, it was a situation in which I didn't press, I didn't ask. The client, of course, relies on the information they get from someone, whether me or the pentesters later at the kick-off meetings. We failed to get it out of them, and unfortunately the project ended with the client getting angry and offended. We were supposed to keep it going; I assume it went to the competition, and now someone has a problem with the fact that LT sometimes doesn't get something. And it's nice when we do good tests and these opinions are fine; we are also recommended by other companies. I will tell you later what the market split between Poland and the UK looks like and what results from it. And sometimes we screw up, and here the blame is 50/50, but since we sell, and someone buys, whose fault is it? When the sandwich ends up in the poppy seed, it's the fault of those who made it, not mine. I didn't say that it was supposed to be great, not quickly thrown together.

So this is the division we use. And I don't know if it is the same with others, because I didn't check. Clients, when I talk to them, nod their heads. So, come on. I wonder if there was a division? You had to listen to the client, he was trying to get in touch with you, he saw you working, he said you were going to... We'll go on. It's a cool question, but we'll go on. I have it further on in the presentation, so let me move on. And if I forget or don't refer to something, throw something at me. If you hit me, 10 points and I'll answer.

There is a bit of a difference in the name of the product: there is an automated one, there is a penetration one. Well, in the case of the one from SUS, it is not a penetration test, it is a different thing. Yes, but it's a matter of the value that goes with it, after all. We can. But I, you know, talking to someone who is looking for such tests, I do not call it some super test or something, you know, some great value they will get out of it. I focus only on the fact that we sift out these errors, check them manually, and let's say they have something concrete they can rely on, but it is not quantum physics, which is actually not that difficult, and I don't say that it is great and worth doing. You can do it yourself, but not everyone has the resources for it, and it is also very important that, despite everything, there can be so much infrastructure that they don't have a person to handle it. Whether it is difficult or not, you know, my recommendations are usually as follows: possibly that, if we analyze it carefully. And if there is a requirement that there must be automated scans, because a standard or certification requires it, and the auditor doesn't dig in, because sometimes it is like this: our auditor actually only needs paper. So what does the company do? It does an automated one. "Not much has changed, Mr. Adam, please don't worry. Worse if something comes out, then we will take care of it." "Why didn't you tell us?" But it's always... Exactly, this is what a penetration test looks like.

We start with scans, and it is often the case that even if we have a problem with the schedule, it stretches for various reasons, we let the client see the testing at the beginning: automatically they see that something is happening, and then we have time to stretch these tests a bit and move on to the manual part, because from those parts, the manual ones, for example in two days, not the next day, because we set this time aside. It's not great, and you can really do it with tools, or buy a solution, which is also very expensive. Recently I talked to a client who said they pay 80,000 a year, but they had a lot to scan, 500 computers and servers. And the plus was that an employee came, clicked scan, and they could scan four times a month. Super, essentially. Very consciously, they don't have to pay anyone, no cybersecurity company to do tests for them, they just do it themselves. There is no such thing. You have to scan some dependencies, very high-level ones. I don't encourage it, but sometimes there is no way out. We talked about it. Yes, but it is a matter of what we want to do and what we need. Because it is often the case that the client needs paper from an external vendor and that's it. The test is to be performed, they have no money, let's do a scan. And you have to do this work anyway, because for some reason they can't do it themselves, and they don't have enough to set up a subsidiary or a company that can do it, and so on. I also meet such people, not too often, because it is still a very small percentage of these tests. Unfortunately, I don't have such a breakdown, I'll prepare it for next time. What does the split between automated, hybrid and manual look like? This is a bit of my "fuck up", because that data would look pretty cool.

Motivation. And this is what I was talking about earlier; it somehow happened that the reason why we want these tests is also important. And a nice internal and external motivation is: a friend has a company and they got hit. The management fell for phishing, they were down for a week, two weeks, a month, they had a huge problem, and "we would like to test ourselves." From my experience, these orders are very difficult to get through. Customers can't agree among themselves too well. From my perspective, the more involved management is in analyzing the order, and the bigger the management is, the harder it is to reach agreement. These people in the offices have different visions of what such tests should look like, how much they should cost and whether they make any sense at all, because nothing is broken, everything works, so why should we test ourselves? We have 18 points, we sell, everything looks fine. I'm at a meeting with 7 people from the board, of course it's a family company, the external director comes and says: "I worked in large corporations and I think we should do tests here," and I say: "Mr. Piotr, bravo, that's how it should be." But we hit a wall, and that's life too. It's also a good opportunity, essentially, not to say that it's bad, that this is our time to present to this board what it looks like, what it is for, and what they have to be prepared for. In addition, this is also the place where, if we don't say something, we won't agree on the scope. And then we have some kind of fuck up related to the fact that, "Unfortunately, we agreed on something different, Mr. Adam, and the guys did something different."

And the external one is very popular this year, let's say since January. You can say that most of the motivation for new customers who come to us is external. For example, they sell a solution and suddenly their customer comes and says: "Do you have a pentest report?" "What? And what is that?" And I literally mean that a customer comes to us, even from a recommendation, and says: "Listen, Adam, it's been like this for years, we write a solution for a client from the UK and they suddenly want penetration tests. What are we going to do with them?" And this is the moment when we separate the fact that automated is a scan, then hybrid and manual. I say: listen, first of all, find out what will be OK for your client so that there is no fuck up.
They say: but how? I say: well, write it down, you have some contact, and let them tell you what their requirements are, so that it doesn't happen that we do these tests for you, we do an automated scan or a hybrid, and they say: "But gentlemen, this is not a full test, our auditor will not accept it, do it again." Well, there is a problem, so I usually stop such a conversation and get feedback, because here, essentially, we can do the calculations or offers for these three options if they are available, because sometimes it is the case that these scans do not make sense at all, so we do not recommend them, and we say: if you want, you have to go somewhere else, because it will not make sense from our perspective, or the solution is so individual that there is no automated option at all. Do other companies do this? I'll tell you what: I don't know. I can tell you a few names and we'll see if they answer later. In general, nothing is an obstacle if you have someone to show a penetration test report to. "I ordered it, I did a penetration test, here it is, my dear client." And that's it. We don't have an influence on it either. Someone can order automated scans from us. We also have such a client from the UK. The industry seems able to check it quite accurately. They do it automatically and get certifications on it. But I will not get into their shoes anymore. I explained to them what the differences are and what actually results from it. And what they call it later, who they show it to, is difficult to verify. Only possibly, maybe it will come back to us through other channels, but it... I won't say too much about this client later. "We're doing scans and you say it's manual." Unfortunately.

And we have this external one; we still have these clients, and this is mainly the reason. Here we have ERP systems, CRM systems, more or less extended. Sometimes this motivation also comes from the client, but from a different perspective: our customer. Because recently I talked to one and he says: we have such a problem because we have been on the market for some time. We didn't do penetration tests before, meaning we didn't do them. Or they had an employee who reads the RAC regularly and said it was safe. Or he was at a few meetings and I lost the thread. And they say that their customers did the tests because they were forced to test the tools they use, and they have liability. So how are we supposed to test them? Unfortunately, everything comes down to cash very often. So what do we do? Hybrid. This is also true when it comes to external motivation. And the internal one: this internal one is also the maturity of companies, among other things. So they have their own process, they have procedures, because as you well know, cybersecurity is a process. You can't do one scan and forget about it, "we are safe." So they have it in the process, they test regularly. More or less; it depends on how much budget there is, or how many changes occur. This also results from the development cycle of the application itself or its creation. We get more and more conscious questions from customers about whether we would be able to join the project in the initial phase. Advice, for example: to put a pentester in for a few hours of consultation to check the solutions they want to use, etc.

What do we have here? Four basic questions; I think I've answered some of them, right? So the answer is always what matters, here at the bottom, of course. And what do we have here? Automated security tests or manual. We could change it here, as you said, to automated security scans or manual tests, and it would be better. And it depends on what I said before, and it makes no sense to repeat it, because everyone will fall asleep here, and there is no air conditioning, so it is quite stuffy. You have to analyze it. What do we need? How much money do we have? And what do we really want to achieve? So this is the most important thing. This is usually my role. It's worse when the guys find out about it during the tests. Then I have to take the embarrassment or go on sick leave (L4). I mean, I haven't been on L4 yet. When and how often to perform penetration tests? I also said before: it depends on our security policy, it depends on the cash. Generally, once a year is accepted. Only if nothing has changed in the application, because we put the project on hold, it does not develop, then is it worth scanning it every year if there are no external requirements for it? You can move this money, for example, to security awareness and train employees. You can do tests of other solutions, so there is nothing to force. This is also an important point, and it might seem that from my perspective it is about pushing the sale, push, push, but I always repeat that I have no commission, so I have no problem, the business just has to keep turning.

And now the third question. It comes up very often, and sometimes it comes up just so that it did, because clients still do not have a test environment. And now, how often do we test on production? I think I can say it is 50/50. I don't know, Mateusz, you can nod your head or do nothing. It's more or less that. I will tell you about it in a moment, I have a slide with the process, and the point is that we put a lot of communication into the tests. It is not that we go into the tests on July 15, there's an info, we started, we'll see each other in 6 man-days, where 6 man-days are not working days. It can be 2 working weeks, it can be 3. We contact the client, and now with these cards, for example, as I said, well, not because I studied IT or worked in IT to talk to people, but our pentesters are exposed to direct contact with the client. There is no project manager there. I have been on vacation from that for a long time at this stage, essentially. I don't have a commission, but I'm glad it turned out that way. And the guys get in touch: "Listen, this is the place where, if we click, it will break. What do we do? Do we leave it, test it, are we supposed to do it at night? Do you have backups at all? You were supposed to have them, but do you have them?" Sometimes someone forgets, sometimes not. There was a situation recently when we took the whole database down with one click. And what then? We contact the admin, who is 60 years old, 15 years in a comfortable seat, nothing ever happened. And he was very angry, not to say another word here. And what did we do? We went through it all and we were so sure that we couldn't just click it out. But that was just information, not a division. But still, there should be some verification: click this or that. So restoring from backups took him three days, apparently, because it was very complicated. Nothing big happened in the company, fortunately. It was also a complicated deal, because it was an intercompany purchase and the company that wanted to buy the other company did penetration tests to check how secure the environment was, so there was a lot of fuss. Fortunately, it went well, because we also have a good relationship with the client and they know that we usually do these tests very well, not to say always, because it is, but I will not talk about it.

Have we ever found someone inside? I don't know. We have clients, for example from government, who were hit twice by ransomware, but we haven't met anyone, at least since I've been involved with the tests, where someone has already been there and "listen, you have someone in there." But recently we found a zero-day. So that's still a big addition. I didn't say before that penetration tests lead to checking vulnerabilities that are known, and sometimes a zero-day. What if the client has a testing environment? Why test it? These are essentially two applications. My recommendation is that we test them. It can't be a requirement. If you get a test environment, or you have to test production, then think about whether we can do it. Because the risk is always there. And however we try to limit it, something can happen anyway. We also had a pentest in which we started a Burp scan, it goes through the proxy, and the client claims we did a DDoS on them, that there were 100,000 requests per minute, because he said it in minutes, and he cut off GoFi, because it was going through the national cloud and there was a real mess. We say we couldn't have done that there, so probably something was just going wrong on their side and they were chasing this API the whole time. Whose fault is it? Ours. We did penetration tests; they had to fix it. There was a problem, because it was GOV, it was difficult to lift the block, because there are procedures, they have to check whether it wasn't the Russians, and the services check it for you, etc. This is in those formal and scope issues. We will get to that in a moment.

I'm talking a lot, I think it will go faster. This is the whole penetration testing process. I will speed up a bit so that there is also a break. These are the four points that we focus on. I haven't mentioned communication before, that is, that at least from our perspective we expose the pentesters. This is good and bad, because they have to talk to people, and some clients appreciate it. Can there be problems with that? Yes, because a pentester may not like people and normally doesn't communicate with anyone. And he may be mad that it's a client. I approach clients a little differently, or the ordering parties, to make it sound nice. They want to do a pentest; unfortunately, there's a report to write. Fortunately, we produce these reports pretty quickly, within 48 hours, because we have such a cool tool called Tereska. In general, we have cool names for tools, because we have Tereska for reports, Zosia for tasks, and the Slack integration for these tasks is Edeltraud. We probably had another one recently, but I don't remember now. So there is this communication, there is transparency, i.e. in the contract and in the scope, the IP addresses. We have to deliver them so that the client knows who is knocking, and this is also cover for us later, so that if something goes wrong, it is not our fault: check the logs, and if you don't have logs, then we have a problem. But we were supposed to discuss it in the contract, so it's important.

The schedule, do we deliver it? Not always, because it is usually a percentage split, and the tests themselves look like this: despite everything, these environments are different and we draw conclusions on an ongoing basis to carry out further steps. So I usually give it in percent. But I emphasize that these are the numbers, put them into the project, but they have no value except the 10% of automated scans. And the rest you will find out in the process; we estimated it at a specific number of man-days based on the information that you provided us, which is in the contract we agreed on, so we will deliver it. If there are any changes, we will contact you. So we have an agreed scope, and it is my big role not to step outside it, because this is really the biggest problem. I made one deal with a client on a sale, and I messed up a lot when it came to that deal last year. Nice lesson, but it could have been a huge mess, so here it is very important to reach agreement despite everything. Formal agreements, i.e. responsibility. We do not perform tests as white label, so that it is clear that if we have broken something, we did it, but if we did a great job, we did that too. So these are issues of getting along with our suppliers. I have nothing against jumping into a meeting with a client where our integrator is present. It also depends on the maturity of these companies, whether they are open enough to reveal this contractor. I will not poach this client, because it is not in my interest either. We are in touch, they are informed later, so that they know in the long run what this communication looks like. So this is the address, as I said, the contact person, or two people, because pentests are performed by two pentesters, or one and a half. The second one jumps in like a sniper for a consultation; it is also no wonder that it is always two people, but the number of man-days always matches.

Penetration test, i.e. what we meet for and what we are here for. I say "the guys" all the time, because we don't have a female pentester. If there were one, I would say the team, or pentesters. The test result is a report, which you can see on our website, on the first slide, at Logical Trust. From what I saw, I read a post by Andrzej Dyjak today, where he discussed with his group what such a report should look like. Of the points he mentioned, ours meets all of them, not to be some kind of authority, it just happened that way. I don't want to offend Andrzej here, that's not the point. It just happened and that's it. We have a report, a description of the vulnerability, sometimes these descriptions are irrelevant, we have a 4-level scale of findings, i.e. low, medium, high, critical, plus info. Recently we also had a nice case: you know, critical is very red, high is red, we have yellow and green here. The client asked if it had to be so red, because they show it to their clients and it looks so stupid that there is so much red. There are such questions. I don't know what to answer then, but generally we don't change reports. There are also situations where the client wants to touch up the report: "We saw this error, could you not put it in?" Unfortunately, we do not agree to this. There is no such possibility. Does this happen often? Attempts happen quite often. But it usually fails at the first stage. Clients are very stubborn. Usually, the bigger the client, the more they think they can do and will force something on us. And then we, mainly the guys who delivered this report, because it doesn't get to me. I believe I will never have contact with this client again. So we have the errors indicated in the report. This invoice is here. Unfortunately, because of the 12 months for remediation. It depends on the company's cycle. Sometimes it is a week, sometimes 12 months. We don't press on it, I mean, we don't nag the client later: "Listen, do a retest, do a retest." I emphasize at the beginning that this is very important, because cybersecurity is a process.

So we have found vulnerabilities, shown errors, and the report is later marked with which of these errors have been corrected or not. This is a matter of risk analysis. In the report we have the CVSS score, so on its basis you can estimate the risk and decide: we are fixing it, or we don't care. Recently we had a client where we found a SQL injection, and it's quite easy. Very big client. They know about it, they can't do anything about it. Okay, fine. That's how they have it. In the contract we have a clause that the client warrants that the information they provided is reliable. In this situation, if we see that it is not so, we cannot run these tests. We also often get questions like: Adam, do I need Microsoft's approval for running tests? Or AWS? Usually in AWS you don't need it; with Microsoft it's worth thinking about sometimes, check it, because they have different rules there. Usually they don't grant such things. So we have a retest, the topic is closed. I told you about the report. If you look at our report, there are 10 pentesters listed there. This is the example we are sharing. I told you that two pentesters take part in a pentest. So what's the point? Is it going to blow up? Not really, because the report itself is discussed with the team, we do modeling before the project or with difficult projects, so we think this is a place to emphasize the work of the entire team, the one that is currently at Logical Trust. As for the retest, the same person does not have to do it.

I told you earlier about the split of tests, what it looks like in Poland. It is 80% to 20%, and it is exactly this transition. And despite everything, we mainly have clients from abroad, from recommendations. So either Polish developers work there, or members of the security team, and they say: "They make a nice report and tests, so let's do it with them." The fact that we do something good, or another company does something good, so that it doesn't look like I'm bragging, because others also do pentests and deliver them, also comes down to price. And this is maybe funny, and it is often the case that in conversations with the client we ask what is important to them and we talk about values, about the process, about everything, and I get feedback that, "listen, but it was too expensive." It's just like that. Life after 30 becomes a meme. When I look through memes, most of them are about my life. Sometimes I wonder if I'm the one making them at night. So that's how it is.

And so that there is no division and technical summary, I promise that I will make the next presentation mainly about discussing vulnerabilities. You were my guinea pigs, essentially. These are the five most common vulnerabilities. Interestingly, the third was an informational note, but I removed it because it was not a vulnerability. So this is the breakdown across 200 pentests. 29 times we have the vulnerability of unauthorized users having access to files. Let's say these are very standard errors, because here we have the same errors in security mechanisms, in some firewalls, outdated cryptographic algorithms, and out-of-date libraries that everyone knows are full of holes and the team still uses them. And it is also a matter of the fact that developers are not always knowledgeable about cybersecurity and simply use the tools that are most convenient for them. And XSS. And so, essentially, this was probably the last slide, right?
Oh no, I have a report, I will not show it to you. Go to the website if you want to check it. There is a link to download and you can check our report. I said it, they write on the Internet that it meets all requirements. I confirm it, I signed up under Adam Bożymowski. Standard CVSS score, error description. Of course, there are screens described how we get to this tax. I would like to say that we could have spread this CVSS because there are such cool letters here and how to get the easiest way to check and check and put in front of GPT and he will spread it all nicely I used it among others so I will not bore you, I talked for a long time
so I thank you very much for holding out and only two people have come out so far I hope that for a break not because they got bored what time is it and that's it thanks if you had any questions of course I leave here e-mail addresses and if you write to the first one, I will not try to sell you anything. You can have a question and I will answer it. So here for calm. Thank you very much. Any questions? Maybe I didn't answer any of them. Do we do it on stage too? Or on staging? Yes, on staging too. Yes, as much as possible. This is an alternative and we do it as much as
possible. Yes, it can be divided into two parts. Speaking of the environment in which we test, I may have done it so on purpose, but speaking of the test, I also put staging there. So it's 50/50. The last quarter indicates that it is leaning towards the test, i.e. Teraq. staging and testing narrative. So there is, and this awareness is also growing, and it's very cool because these DORs and other norms that come in and make our lives worse are terribly annoying, but you can see on the market, after all, that he is educating himself, there is a slightly different approach to projects, so these are changes that come in pain, but which change does not come in
pain. We will survive this process, thanks to this we also have a lot of work. This cake that was once associated with cybersecurity was big, but the floors have been added, so we have room for automatic scans and ficoes done in manual tests. So just take it, the market is open, it's hard to get into it, but it's also because you have to know a lot, sometimes not much, but also have a little luck. I think it will come off, just don't move it. It won't come off, you would catch me if I didn't move from there. Here it is magnetic, it pulls you. Super. Just under the T-shirt. And just under the T-shirt, does it matter
which setting? Here is the microphone. Here is the microphone, right? Yes. Already? Aha, maybe let's do a test right? So it will be live because I don't know if you tell jokes. I will tell you. Yes? I will tell you.
I'm already afraid. Okay, give me three minutes. Thank you for being on time. Yes, the first one from Katowice I had at 5:58, and I finished at 9:15, so there was no chance otherwise. I mean, you could have come earlier, but ... You know what? I'll tell you about this mystery in a moment. Exactly. One more minute. I'm thinking if I have everything, but I think so. Now, will someone be controlling the camera? Yes? You will control it, so you will show what I show at home, right? No, I'm just asking if you can grab what I will show here at this desk. I can. Well, great. I'm very happy too. I understand that I can do this.
I assume it's working. Two, three, four. We'll go here. The microphone is working. Super. So what? Do I understand well that I can start? Okay, well, listen, I'm very happy. Just so that's why he's this timer. So that I don't make a mistake and don't go to lunch. When will you be? My wife is writing. I came here for three days and She is a lawyer and she said that I can stay here. I don't know about you, but when I saw Tom Czajka on this poster, I am from the generation that won the education from these professors. I didn't do as Tom did, but let's not get back to it. It happens. Okay, now a very important thing. If I'm here, it's gonna be okay.
Okay, we're live. All negative comments, you know, you have to moderate, that's obvious. Just kidding. And now to the point. It's very nice to be here with you. Thank you for being here. I know it's the beginning of a long weekend, a three-day weekend. My colleague from 1753C, Adam Bożymowski, is speaking before me. And I think that his reflections, based on the experience gained during the pen tests, will be continued. Only today I asked for a few words about biometrics. I would like to mark this lecture as a 100 level, i.e. it will be about basics. At the same time, I would like to point out that I have been working
at the university for 25 years and I usually see people like Tomek Czajka on this poster. You are also valuable, I am convinced. A 19-year-old with several years of experience as a Google Coding Champion enters. I asked Greenvile if there really is such a competition. Yes. And he asks me if it is a grand prize winner. Who is he? "It's an honor for you to be his lecturer." I say: "I understand the language." So I go to him and say: "Listen, we'll work together." He says: "Maybe. Tell me a few words about yourself." You know what has changed phenomenally? That people are developing much earlier and earlier. I learned about biometrics a while ago, in 1998. There were two research
centers in Kraków and Warsaw, not far from here, at the Warsaw University of Technology. And two people who later became friends stood behind this area of biometrics. Adam Czajka, also Czajka, is today in the United States. It is an honor to mention the beginnings that were here. I have been in the doctorate for 20 years this year, so I realize how much has changed. And among them, this lecture, in which I would like to say a few words about current affairs. Well, let's go. There will be generally, according to our assumption, there will be four parts. Short intro, let me tell you a few words at the beginning. Then such a part that I have mentioned in the description.
These are specific points. I will not go into the subject of behavioral biometrics, although in 2007 I wrote a grant for habilitation from this area, because Michał Kłaput will have a lecture on this topic. Michał, do you agree? I agree. So I can say that I do not remember what I wrote about 17 years ago, it's completely natural, people forget. Almost everyone knows everything about biometrics, so I will be able to go on cleverly. More points are detailed here, I do not hide that I would like to... no, not that I would like to spend the most time on the part I have marked as "walk". This "know" and "walk" refers to the famous quote from the cult film "Matrix": "There is a difference between knowing the path
and walking the path" And I know perfectly well that the lecture has a giving character but also take note that the most interesting is this practical part So, my dear, if you are interested in this material, I am quite easily searchable by name and surname in social media. LinkedIn is a great platform, but I am also available to others. I am on Tinder, but only for research purposes. But you can write, no problem. I will answer. A moment ago I was in the toilet on the left side. For the first time in my life. And I will say that and I'm open. My dears, but don't say that, it just happens when they need it. I need to come to this
room prepared and calm, not wearing clothes. Okay, so what? We have the last point, the outro, a summary, a few words from me. I think it's enough about the agenda. Now it will be about biometrics. It will be about the characteristics of anatomy and behavior of a person, which are individually characterized. They are such a personal identifier. I know perfectly well that what you see now may be the subject of a longer discussion, but I will reduce it greatly. This is Mrs. Aleksandra Leo, this is a witness, and this is a piece of paper, and this paper has certain annotations. And please notice how much data can be drawn from something that is static. So I am not surprised that this area related to biometrics
and the emphasis on behavioral biometrics is so intensively exploited today. To make it more clear, I admit that I am watching the reports from the committee meetings. If I can recommend, I will do it in a later time. I am a security guard of love and profession. and the Pegasus Commission is so valuable that there are specific references to specific tools, to specific challenges. Among them was Jurek Kosiński, whom you probably do not need to introduce in this section. Informatics, research and biometrics are very closely related. Today I will not say more about this, except that if we were to focus only on this card, what characteristic would we catch? One. I form thoughts in a specific way, just like I
gesticulate now. Two. Please note that I have a static representation. This is not a handwritten signature, it is handwriting. And today, having such high-quality equipment available, when I go, and I have been here in Warsaw for quite some time, on television, I look at 4K, 8K cameras as standard. Excuse me, the gentleman who is in the last row, what is your name? Maciek's position, I was trained in Microsoft regarding interaction with a human, points to a great interest. I wanted to thank you very much for that. This is just the beginning. But
please note that biometrics, if you focus on the characteristics of anatomy, on the characteristics of behavior, gives us powerful tools to unambiguously answer the question: who are you dealing with? I know that it has already been called upon to me that I say too often that I have a twin brother, but I have a twin brother and I want to say that we are very different. Yes, I give lectures for free, my brother makes a lot of money because he doesn't do anything for free, but we shared that he makes money and I borrow. Oh, Piotr, it's nice that you are here, because I just wanted to refer to something specific that concerns our lives.
I'm sorry, it's very warm here, the windows are tilted, the air conditioning. As a left-hander, I can imagine that we are in a great air-conditioned room. But let's assume that we are not. Yesterday I was, I throw off 6 kilograms, it's also about the anatomy department. We have a Silesian fitness club, after training I go to the sauna. I met a professor from Stanford there, you see it's worth going there recently. And look, this is my pad, a pad with a reading of the papillary lines. What do you think, I will leave such a sauna and there is 118 degrees average. I have to interact with this reader as the process will go on.
I draw your attention at the very beginning to the fact that biometrics is truly fundamental, it is omnipresent and raises the question of authenticity. This attribute has always been fundamentally important. Who is in the picture? Attention, the task I am directing to you is the task of identity identification. Recognition. But it will not be a classic task for the biometric system, because you are humans. There is no such keyword there. So, in the picture there is probably Albert Einstein and... What was his name? Oppenheimer. Okay, I like it very much, but equally good, and it would not be so far from realization, some changes could be made here, right? It wouldn't be an original message. Sometimes it
touches us every day. Look at social media. Angelika Bielińska writes to me. Just that she doesn't know that I have a Facebook account. Not exactly that she knows, but that Angelika writes to me, she doesn't know. How and now attention, it will not be about recognition, but about classification. How did I throw this message in as a message that is from an unreliable source. Biometrics is very simple. If there is a demand for biometric verification, some modality is reflected, the image of my papillary lines, further processing of this image, then look, please, at the end the system must make a decision. Imperial, up or down. There is also this middle one, inconclusive. But for the moment, let's assume that it is green or red.
We classify. What indicated, which feature, or rather the representation of the feature indicated that it is most likely not Angelika. Maybe I'll add that Angelika is ... she will write this. I allowed myself, exactly so. We can go further, notice the current implementation of this type of issues. Rafał Brzoska, I had the opportunity to meet Rafał Brzoska years ago, to the minimum, informing that today, based on the principle of authority, Rafał Brzoska is an object of various incitements to false investments. I was in Warsaw the day before yesterday, I went to Warsaw, Instagram, Motivation Pulse and I was there. And I am making the system on the other side believable. That's exactly how I answered the question whether it is original or not. Most likely not. If I push this window, it will land on the original article on money.pl. And the vice-chairman of this portal is the author of a certain publication on loans. How is it technically done? Very simple. I will just note that
this type of issues occur and are, in my opinion, very current. Soon lunch. A few years ago, 14 years ago, when I was in London at the only European conference on biometrics, with my friend, already mentioned Adam Czajka, look, I was there thanks to the kindness of NASK. There is no mystery if not the laboratory, if not cooperation with NASK. I would never have done it in such a short time. I didn't have the resources I have now. I didn't have laboratories, I didn't have people, I didn't have money, but I had a friend who worked for the academic research network. And that's where we were doing the first biometric research projects in Poland. Look at this phenomenon. It was essentially the realization of such a function,
which I will tell you about in a moment, of feeding to give out meals for a person who is a participant in the conference. With one warning: I was not a full delegate. I was a student delegate. I admit, even openly to the camera, saying: I went there writing that I am from the country, that I am from Poland and in general I can't afford anything. And these people said: it was probably quite painful. Okay, we understand that you are from Poland, that's why we cover these costs, but I have one condition: You will be a chairman during the session. Something that seems to be done on a daily basis today. I visited one blog,
I asked if there were any questions. Nobody had any questions, so I didn't even give them a microphone. I ate as much as I could in this London. At McDonald's, because there were prices that I could accept then. Okay, let's leave the topic aside. Biometrics has its weaknesses. Even if there is a strong solution, we will do an unboxing in a moment. I'm sorry, I decided not to cover it here, it's not a product listing from my lab. Unboxing of the Anno Domini 2024 solution. Yes, we have such a multi-solution with a reader. I invite you to interact, let's do this unboxing, let something interesting happen, it's part of the project. It is within the
practical part. Well, this system, if it generates red or green at the end, it is part of a larger whole. If this continuation ends up being a problem, a flaw, the best biometric system will be simply to be thrown away. Do we know this? This is the famous failsafe. This is my biometric pad that can be opened alternatively. But everyone probably knows it perfectly, so I'm moving on to the part "know". Okay, so what? So short? Please allow me to discuss these points quickly. I will signal individual passwords. I look how much time I have, I don't have much time. Of course, it can be expanded. Maybe it's one by one. Behavioral biometrics tie us to personal identification
and behavioural characteristics. For example: What about? Good. The writing dynamics are worth finishing. On the keyboard? For example, too. Great. Exactly. Mouse Biometrics. I was once awarded a mouse biometrics award in 2003. No one has implemented such a brilliant idea. But it's nothing. I noticed that when you start with the input device, it can be characteristic, personal. But believe me, 20 years ago, plus, this type of ideas were opening the door. Great. Biometrics. Multimodal. Modal. If today, excuse me, we will talk about, well, specifically, the first modality is biometrics, that is, the papillary lines, the characteristics of the papillary lines. And what can be the second modality? I look at these hands. Super. The cup arrangement is not even about it. I didn't even think we'd
talk about it in the open. Exactly. So hand geometry. He read my hands. We have solutions implemented in Poland. We have been implementing them for 15 years with the team in Poland. It worked, but they are invisible to you, because usually where we enter, there are usually no average y or y. So the civilian world is a minor world when it comes to my implementation team. But in the military world it worked quite well. Great. Multimodality. Let me go further. We have non-touch biometrics, for example, which does not require interaction. For example, facial biometrics, 2D, 3D, I understand, I will not go into too much detail, because you will mention it, but during COVID-19 we had a narrowing. My diploma students constructed
a non-touch banknote. One of these cool projects that never went outside the laboratory. I think we can give a lot of interesting examples today. The test tube is a doctor. I immediately note that this eye model is my private one, but the truth is that when I am at the test tube, I take these books and shelves and read about a man, because biometrics concerns a man and his characteristics very much. Returning to the main thing, please see, we have a man and we have a doctor who is prepared to enter the operating room. How would you propose to make him biometrically credible? This is the key character. That's right. Everything that comes to us from this camera, today computer vision is at such a level that we
can easily afford it. I had the honor of meeting Prof. Maciejewski. He is one of those doctors who I am glad is in Poland and that he was such an engine for change when it comes to the interaction of the doctor with the environment. Because notice, please, I am talking about persuasion, the next stage that will interest me is further interaction. If I wanted to turn on the air conditioning in this room now, what key word could I say? Well, some defined one, maybe "air conditioning on"? Imagine, okay? The imagination will lead you everywhere. So do you feel this pleasant cold? If not, maybe you have to drink something. I recommend it. You can drink Fiji water, but there is also a food truck nearby, so there
is no doubt here. Ethical and legal. Ladies and gentlemen, this is a very delicate topic. Let me reduce it to the absolute minimum. But we can, and it happens so, draw conclusions that may be in disagreement with the regulations and the rules related to ethics and law. Let us be aware of the first interventions. The Poles stood behind it. Electronic voting systems that are supported by biometrics. The reaction takes place in even more demanding weather conditions than in this room. It takes place in South Africa and you have to deal with mobile biometrics at high temperatures, with the availability of power sources of such and not others. Law. Law that may now re-gain in us and allow me to return to biometrics
as it was in 2002-2003. We will talk about it in a few words. We have the role of artificial intelligence. Let me refer to these, because I brought these exhibits to use them. Let's assume that there is a biometric system and you are to design it. And now I'll choose something that's accessible. OK, this face will probably be fine. And now let's assume that your system was to prepare a set of rules that govern the device classifying the features of the anatomy of this face. And look, please, the task seems to be simple, but it is not at all. However, if you assume that on the other side there is an automatic machine that builds a set of rules itself,
Let's simplify it. An artificial neural network that will notice certain characteristics, will learn from specific examples, it is possible that the process of building such a system will be very, very short. We have implemented a biometric system in Lublin once. In a factory, I'm looking around what you drink, but I see that almost everyone is a foodie, I understand it perfectly. So in some factory, I was surprised that there is a shop for workers in the area of these factories. I am from the ITZ generation, but I don't remember anyone who decided that it was already after 13 o'clock, so we can drink something stronger, but somehow this production was going. What was the problem? Well, when there was physical control and the worker was supposed to
go to work, tired, he had to use this finger, now I'm reaching for this one, to this little window. One of the biggest challenges we had was for the user to manage to attach a finger to the reader. It can be done. We simply implemented organizational solutions, i.e. three people come out and two help the one who is currently being trusted to do what he should. And by the way, seriously, let me bring a very important problem to the light of day. Julian Ashbourn, 2003. I graduated from a PhD and did my first research in Poland on the relationship of users to biometric systems. The User Psychology Index. Are you for this? He did a simple survey. Yes, no. And now in practice, are you for
this? When we implemented in a Wrocław hospital, let's say I forgot which one, but a big one, 200 doctors sitting in the room had a fire in their eyes and one question: why? Why should we implement such a strong system of work time registration, strong in terms of verification, since we are here from the bottom? The problem is that it doesn't work like that. One of the most pleasant implementations, probably the most pleasant, hence the 6 kilograms of extra weight: we were at the brothers' place and the father administrator said: "Not everyone comes in on time, not everyone comes out on time." So we implemented the most modern biometric system we had in the offer in Poland and implemented it. And in the
end we were in the refectory. For the first time I found out that something like this was there. When they were feeding there, it was something amazing, and then the father administrator says: "Come to my office, I have a fountain of chocolate there." Well, a dream job, but I had to go back to Katowice, it's clear. I look at AI and I see that such a system can be adapted to something very unique. If my user psychology index is such that I will intentionally apply my finger, reducing the area of the fingerprint, i.e. these details of the dial will not be able to be taken, then I can handle it anyway. And in
the age of biometric gates, okay, I understand that you don't want to, but we are agreed in this work, that the mentioned gate biometrics can be taken into account, we can take into account completely different attributes. I know, I know, I know. Privacy. But it is already known anyway, based on other sources of information. In 1998, Waldek Sielski, GM Microsoft Poland, checked the presence based on whether we were logged in to MSN Messenger. It was a good method, but Waldek realized that we could race, connect remotely and set that I am present. Then there were 33 people in Microsoft Poland, and Waldek personally checked who works honestly and who does not. These were really cool times and also times when we noticed the potential of the area related
to the use of artificial intelligence. This is very strongly related to point 4. My dear, I think we will improve the current state that we have. In a moment you will see practical systems in action. As for their capabilities, you can go further and further. In 2003, when I was in Amsterdam, at an ISV training for developers, still with Microsoft, I saw Remote Biometrics at Schiphol airport. However, positioning the iris took quite a long time, from 4 to 6 seconds. It's long. Of course, you can assume that it is only 4 to 6 seconds, it's enough. But in my opinion, it's long. Today, we have significantly reduced these challenges. It's not doing well in extreme conditions. Do you
remember the sauna we just visited at the University of Silesia, where we cooperate through cyber science? We are on the other side of the fence. Literally. It's very, very cold and you have to believe a man. How? I'm dressed from top to bottom. What to do? Maybe it will be something characteristic. I hope the camera won't take it. I won't show this part of the video, but look, especially for today, The socks from Biedronka, right? How come that the fan of Lidl put on socks from Biedronka? I thought I would find something unique. Does anyone of you have such beautiful yellow socks? I thought so, you see a good choice, but seriously, it will be about something we have. Recently, during the recording of the podcast episode, I asked
what I have on me. I was talking about smartwatches. I talked about the tablet, I talked about the intelligent ring, I said I have something else and no one answered this question. Clothes, exactly. Intelligent clothes that have already come under the roof. And I think that biometrics, let's call it, adaptation will be such a very interesting direction. It's so in the book. And now let me introduce you to the practical part and I'll do it very, very quickly. Three worlds. I focus on this world that is in the upper right corner. but it's not just anatomy. If we were to lean on the dynamics of hand writing, we have the main five-scope, vertical-horizontal pressure force, azimuth elevation, then we could really do a lot of interesting
projects. And we did. There are such niche projects. I admit that I tried to persuade my students and I succeeded, but it was in the direction of summer semesters of computer science. They all smell of technology, I do too. And this prototype system was created and basically came to the shelf. We made such a clone. But there are also projects that are still alive. We have such a cool area related to the analysis of eye movement. Something that you will find in your Microsoft Windows today. I'm thinking about Microsoft Windows 11. In the accessibility area you will find control using eye movement. The need for an interface is a topic for a separate, maybe cool lecture, maybe even very cool and very application-oriented. Because
we ask ourselves the question of how to build a message to get attention. I won't say a word about these studies, but I will say a few more words about these studies. What's ahead of us? What kind of set is this? I know it's a little less visible, but yes, plus today UltraLeap, which when it was a startup, it was called Maybe it's the first time for you when you have the opportunity to hear, I'm sorry, I'll just signal it, to show that I don't have it with me today, I'm sorry. I put my hand on such a reader and now we have an acquisition of this signal and let's think about what to use
it for. I think the best thing I've ever done was using Google Earth when navigating. This use in medicine, I will tell you what was going to happen here. This is a static image. This hand was supposed to wander from right to left. We were supposed to see the structure of the body of this animal. These solutions gain new possibilities. This is an interesting question regarding the study of the characteristics of anatomy and behavior using this type of equipment. I have a current research project in this area. I will draw your attention to the fact that some people look at it from this perspective, which I have just referred to in the series "Black Mirror". This is not this perspective, it is the perspective of interaction between human and machine,
a certain symbiosis. Professor Przegalińska says that this is a collaborative artificial intelligence, because it really is. I think that topics related to the study of human activity can be included in two groups, in such popular and common ones as the ones I'm talking about and in such a smaller group. Look, please, I'll even expand it, because it will be hard to believe it. This is armchair authentication. If you use Apple TV, there is a possibility of navigating using a remote control. This remote control can be your smartphone and the way you navigate can be a personal identifier. A diploma student is calling, I will write it down right after the lecture. No, for me it is a key thing to be up to date. And my great unfinished
project - biometric pistols. The president of large arms plants, you probably know which ones, came to the Silesian University of Technology. I have the honor of representing the dean of the Faculty of Mathematics and he gave this one among the projects. We will shoot, but not with real bullets, but on a real range. I have a small possibility if my boss, dean, then rector, claims that we are not ready. And maybe, in fact, 10 years ago we were not ready to bring something like this to life. The idea is very simple. A specific weapon in someone else's hand is to be inactive. No sci-fi to use today. I really liked this project. nothing came out of it in my lab. But let's be quick, because we don't
have much time. But let's note that it is possible to use biometrics and the potential of various areas, for example, when it comes to sentiment analysis, I think it is a very interesting and popular topic. Don't be fooled; I encourage you to join the group of people who build their knowledge based on this type of message. I mean, let it be your source of knowledge, but not the only one. When I worked for the Polish Bank Association, there was a forum on banking technologies, and the head of our team for biometrics, unfortunately no longer alive, prof. Remigiusz Kaszubski, a fantastic lawyer, indicated that biometrics should be immersed from the practical side and see what the feedback is. In fact, there was no
team meeting at which someone would not ask about the problem of a cut finger and a Mercedes. Such a story. But I think it's a pretty good idea to look and say what is available to us today. Looking at The Fifth Element, HAL from 2001: A Space Odyssey and Minority Report, all that you see today is within our reach. Perhaps this visual feedback, i.e. this personalized advertising, when it comes to the display, maybe there is still some potential for development here, but when it comes to biometrics, we are absolutely capable of performing certain activities. If you want to stay in the sci-fi world, there are over 250 films in my list. I've built a cloud of words
with titles here. And let me end by saying that there are many, similarly to fake investments, many ideas that can change people's minds and build a completely untrue image in the field of biometrics. For example, regarding the detection of whether we are telling the truth or not. In general, the polygraph can be built, we have built it, but not based on what input I get from the papillary lines reader. I don't know, because there are ladies in the hall, right? And we even have such identifiers. I have blue. I'm looking here if someone has pink. Oh, maybe we'll talk about it over coffee or after. But imagine that people believe in it, that it really is. And such applications were
sold, maybe they are no longer sold. Similarly, some myths. Do you know what this meme looks like in its entirety? It looks like this. And something that may wake up your smile, because we look at a mobile device that already has mature mechanisms, can be a deadly problem for low-cost solutions. I know you're guessing what I'm trying to say. Enterprise class requires a lot of money if the biometrics are to be at the right level. Liveness detection is a must-have and this mechanism works very well. In 2002, when we built the first system operating in Poland, which was based on the eye sensor, Warsaw University of Technology, under professor Andrzej Pacut's wing. I feel young again.
It was some time ago, but look, please: it was really fundamental for us to take care not only of a good enrollment process but also of liveness detection. Key issues were also those of data trust. Today, after many years, I can say that it was not so rosy back then. Today it is much better. We guaranteed, sorry, not me, the vendors guaranteed, that nothing travels there, nothing stays there. It was different. The implementations were more or less successful. I don't know what you think about such a biometrically controlled fridge. Well, the idea did not catch on. I will describe it briefly. How do you get to it at night, right? A person is tired and hungry. I'm listening, Krzysiek, I know, but well, for me it's okay. But what about such a wallet? And now what do the studies show? People reach for other, simpler solutions, because they do not have confidence in, let me ask you, the reading of papillary lines with capacitive readers. Once again, which, under these atmospheric conditions, will simply be ineffective. Maybe there are people in the room who, excuse me, remember the times, I have a suitcase, I will not take it out, of capacitive readers which required an n-fold placement; Precise Biometrics itself, when it published its first manual in 2001, indicated that yes, no, and that a threefold placement is recommended. The finger is the goal of one realization of the characteristics of the anatomy of the papillary lines. So, my dear, not necessarily for such an area of application. Such an anecdote: the Biometrics Conference 2001. I wanted to show, I'm a biometrics fan, that's what the doctorate is about, that maybe I will unlock my computer using the fingerprint reader. And so I rub it with this finger, and Professor Mita says: "So what? And what does this biometrics remind you of?" The chairman of the committee of the conference entitled "Biometrics". It was held at the Institute of Mathematics in Trzewice, Warsaw. I remember it was fantastic. I miss these meetings very much, and I don't mean the lunch. I want to point out now, my dear, maybe something interesting about biometrics as a conference. In 2003 I met Professor Michał Choraś, then a professor of the university, and today a titular professor. I am talking about this because if someone wanted to write promotional works, Michał is a fantastic promoter. My dear, Michał wrote about ear geometry. The promoter was Prof. Ryszard Tadeusiewicz. A very good topic, I'm looking at you here, there will be no problem. I look at the ladies' side, well, sometimes, but it's always possible to take something. There was already information about blood vessels today. That's it. Hands, wrist. On the left, Fujitsu. I will confess that when the vote at the Bank Technology Forum was to give more data at the entrance, when we were building the first biometric ATM and there was supposed to be vein biometrics, I was the only one who voted for the wrist; the rest of the team chose the blood vessels of the finger. Who was right? I think it was me. But why? Because you already have your ATM, enriched with the biometrics of your fingertips. And if you are not PPS customers? Okay, who of you has used such an ATM? He hasn't seen one, but he has used one. That's it. This is it. And what is this here? A question to the ladies. Hey! You know what? I have a question. What is this here? Who knows? It concerns a person. Close. This is under the umbrella. A difficult question. Listen, I don't have any rewards. But you know what? Here is the vending machine, I'll buy you something cold later. But I didn't think it would work. Fingers and knuckles. Knock knock. Who is it? Please don't finish this joke, but here we have two biometrics. Because I knock on the surface of the reader and I see this picture, and when I knock, the characteristic of the knocking is personally identifying. Everyone does it differently, right? I'll talk about it in the corridors. But when it comes to biometrics, we really have such possibilities. And I have to ask you something, because you are fantastic. Biometrics of the eye lens. Even experts mistake the fundus of the eye for the front of the eye. Well, not you, because you know it, but please go back home and say this: the biometrics of the eye lens is fantastic, but very rarely found when it comes to practical implementation. Have you ever had the fundus
of the eye examined? Or the iris? Look, in Kraków, the Kazimierz Gallery, a sample. I would like to use it too, but my wife has the money and I have to pay for it. What do you think about this biometrics? I was at the dentist recently, 2,500 PLN for a short visit. It was a mistake. My father said that computer science is a good choice. It was a mistake. Dad, I should have gone to be a dentist, for sure. 2,500 PLN for the pleasure of interacting with my tooth? It doesn't fit in your head. I paid like this, I paid like this. With my card, not my wife's. You know right away. And that's why I don't have that money anymore. Partly my wife, partly in the suitcase. My dear, I can see that you are smiling. Stone Brothers University is a really great project. It works. Why? Anatomy and, additionally, how you smile. And if you add to that... you know, I mean, how you laugh? We have something amazing when it comes to personal identification. How does a Pole laugh? Differently, right? And I think that biometrics in people in different countries may look different in relation to this modality. And those that do not leave the laboratory: you heard about knee biometrics, before entering, an X-ray, half an hour later, right? You haven't heard of it before, but it's already in hand geometry. And look, I have two pictures where it is de facto about near infrared, generally about imaging, to notice that there are such laboratory ones and those that you will find in almost every military unit. What does the colon look like? What does it look like? Well, you could go deeper, I know, Paweł, exactly. What will you say about lip movement? In the laboratory it is very promising. What kind of modality is it? I don't have a second prize, I don't even have the first one, but I'll fund it. I can afford it. I'll pay with my watch. What is it about? These are pictures of legs. No. Listen, we even saw that there is Coca-Cola there, so I'll buy a more expensive drink. If someone says it correctly, but let's settle it. Here? Piotr, I don't believe it. Exactly. You know what it's about. Okay, but I don't think about it. We talked about it. I had a professor at the department who, when he came out of the room, always checked if the door was closed. Three times the handle. He got out of the car, the car locks, the handle. And how we pull the handle is identifiably individual. The force of pressure. How do we hold our smartphone? How do we interact? See, it's easy to translate. A prototype that my team didn't build. I really regret it, but it can be done. Nymi. Have you heard about the fact that there is a certain measurement that we can do with the use of a wearable device? Years ago, this was the first one that was implemented, 2.11. A solution that examines the ECG and sends feedback to the devices around it. This is how our iPhone works today. My Apple Watch opens up the possibility of using this mobile device. I wanted to point out that wearable biometrics is always current and important, and that the challenges concerning attacks are still current, which is what I refer to in this lecture. This visualization, Black Hat 2019. In general, I have a package of materials ready from this period, such sources to read. A large package. If anyone is interested, I am available. Maybe I'll make some middle ones, because maybe I'll have to cut the material. We are at the University of Warsaw. There are fantastic people here, I have to start with that. My first meetings with BCI were with Professor Piotr Durka. I got along with Professor Dragan when I was a teenager. This is all the University of Warsaw, Professor Madej, a long, long list. I feel simply overwhelmed being a university employee, and today I have the honor to represent the Silesian University of Technology. Adrian Małpka, Polesel.pl, I will send you a link to the zip, where you will find the PDF files. Well, my dear, we are already approaching the practical part, it will be quick. At the last CyberSec Forum Expo conference I met Michał; here we are focusing on biometrics, so how do you recognize an experienced person in the field of biometrics? He holds the stick this
way, not that way. So bravo, Michał. I was sure, because it was in Kraków, that it was Piotr Konieczny. I don't know if you can see it, it's... when I asked him: "Piotr, is it you?" He says: "You know what? I don't think so." But similar or not, please tell me. And there was one booth where I really liked it, where you could verify biometric systems based on face anatomy, and they printed it themselves. Let's zoom in. They printed their faces themselves. Only one thing is very important, but you probably see it. Here is another modeler who works on it a lot. So you have a print from a simple printer, from a solution that is to open almost every wallet. However, this makeup artist does a great job. And in fact, their goal is to answer a very important question that others, unfortunately, did not answer. Before you, the system, I forgot the name, although it is visible on the slide, which allows you to take care of the study of liveness. How? You have to blink. If someone comes up with the idea of recording someone while they blink... in today's age, you can make someone blink. KeyLemon welcomed you with joy, but as you can see, operating systems were then completely different from what they are today. From historical but current challenges, look, please, the Luscher test, iris biometrics, a subject for a nice meeting, I'll just say it briefly, although it's probably visible, right? We have an enrollment phase, the green band means success. I manage to do it because I put in a photo of the iris, remember that colors do not matter here, the key is what comes in as an acquisition in near infrared, and I cut a hole here with scissors. The research conducted in 2002 has not lost its relevance, because we will still find such systems. I have to add something, looking at this iris of an eye, that it had never been through the so-called Slavic test. I admit that we introduced this system in one of the banks in Poland. I signed off on it, I said it will definitely work. And a week later, after the launch of this system, there was a party at this bank and they were spitting at this system and they couldn't get out. And indeed, this Slavic test was the weakness of these readers, because they should detect these micro-saccades in such a way that even if someone is barely holding on, they should still be able to leave the workplace. I think that responsible solutions should be used. Okay, well, what is implemented in the practice of biometric systems, for example in ATMs, please see in the picture, and the challenges related to liveness detection. I will end this walk through this theory, which is really interesting, I hope, at least partially. We are entering into security. I will gladly tell you about these attacks. I have all the scenarios prepared in the laboratory. The adversarial attack, that is a never-ending topic. We are working on it now, on these possibilities too. I didn't say anything about generative artificial intelligence, but I'm telling you that today we have a completely new episode in this subject. You hear about deepfakes from every side, from everyone, so let me go straight to the walk part. It's quick, I managed to link it to a few things. My dears, I'm opening the book. I bought a special copy for BSides' needs. Chapter 49, entitled, let me ask you, How to get fingerprints? And what is phenomenal, this book is relatively new. It's a set of tools you need. Laser printer, an unremarkable one, acetate foil, graphite powder, liquid latex. And what is described in this book still works in many specific solutions. Why? Low cost. Where this liveness detection simply does not work. Because we talked a lot about these aspects of theory today, let me, please, here with Michał we are talking about the iris, about the construction of such an eye. Look, please, how much of it I can show. It will be about this element. And now let's imagine that we have to design such a system. This is the practical part. This is an acquisition device. This is a camera. We will illuminate this iris. And now let's notice what I don't have in my hands
now, and what we all have as people. We will have everything that is in the way of acquiring such an image. How do we deal with all this that is covered by the skin, by the eyelashes? What does it look like when tears are gathering in my eyes? What does it look like in a particular situation when we have anisocoria, when there is any modification, such a classic one. What does it look like if people have such beautiful blue eyes? Sorry, like yours, right? Well, such bright eyes. So beautiful that you have to rebuild this biometric system completely anew. Please remember, the enrollment phase is key. I don't know if you can pause the recording, but if not, it will be cut out in post-production. So yes. This is Adrianna. And now if someone says it's great, it's the end of the friendship. So let's face it, this enrollment phase is now going on, so that I'm entering after some modification. So what am I doing? I put on this wig. I won't wear it, but believe me, it's a cheap solution, but very effective, and very ineffective in terms of the solutions that are in such devices as this. If you use Face ID, and I don't have time to tell you about it in detail, I can only tell you that the modifications are recognized immediately. Okay, so what? It was supposed to be practical. Do you remember what you need? Finding characteristic features. Give me three characteristic features. Height of the ears, straight eyes, position of the nose. This is the face of my student. In every lecture, right? Can we go out now? No, I'm exaggerating, they've been sitting from the beginning to the end, they're fantastic. I would give this can as a reward, but I already drank it on the train, a little bit, so I won't do it. I will enter the practical part. I got such cubes from ISSA Poland for Confidence. I like them so much that they allow me to create a certain scenario. And what is fantastic about this type of systems is the question of what the assumptions are, what works and what does not work. This is the terminal. If now communication with the terminal does not work properly, if my finger is indisposed, let's imagine that it is wrapped in a plaster, then I can bring it closer. Nothing happened. I can bring this card closer and badge in. Do I agree? I agree. I don't have time to show you the possibilities of dealing with liveness detection, but please believe me that this is something that requires proper commitment. And so, remembering that we have time until 12:00, we will have time for two minutes. I need to do an unboxing. Unboxing, unboxing. Maybe we'll just do it like this. Will it be fine? Will you help me? Adrian. Arek, listen, I won't pay you because my wife has the money, but you have my gratitude. What else do
you need? A power supply. Well, a power supply. This will really be the moment, but it will be key to see practical biometrics. Biometrics Anno Domini 2024. Oh, cheers! I'll look into my bag, sorry. I have everything in this bag. No exaggeration. But I will have to locate one thing. Let me, please. And even two. Cheers, because someone just whistled. We know what it is and it belongs to this device. You can connect to one of these wires. Yes, we will plug it in. This is a temperature sensor. Do you remember the narrowing? It is prepared for this scenario. Good. And now I have a strip here, but first let's connect it well. On this side. Three, two, one. Tell me if it starts. Great. We will not do this experiment because you wear glasses, but maybe someone would like to try. What is it? These are goggles that allow you to feel like you are after a drink. Alcohol goggles, mine are alcoholic. It's not that I can't drink, that's why I wear goggles. Don't get it wrong. But if you were to come up now, if I could ask you, here, to this reader, put your finger. I don't know how you did it, but you should have had a problem, right? I congratulate you, I'm sorry. When I did it at a conference abroad, they couldn't handle it. But good. Congratulations. We are good. And now let's work as an admin. It is still loading. Let's try to replace it. Number one is the reader that allows us to read the smart card. You can hear that the smart card is not being read. We have an eye reading. We have the ability to enter a password. This is probably the most important thing. Papillary lines. And now, attention. Let's see. Well, I didn't drink. It was evident that it was a mail. You see, but nothing happens. Why? Because we have... Alternatively, I guess what the reason is. Exactly. I'll be here for three days, so you'll see how it cools down in the evening. It will be the right time. Okay, here's a user. Let's add one. You'll be number two. I'm sorry, well, don't take it personally. And now it's about seeing this interaction related to the enrollment of the iris. But note what the recommendation is. And you will enroll with glasses. That's what it's about. And now what I expect, maybe you will enroll yourself, what I ask of you is enrollment with this color. What do I expect? That such a system will cope with something completely natural that is happening today, I'm sorry, to almost each of us. Colored lenses? I probably don't have to answer such questions because you know what it is. Success or failure? Well, here you go. Listen, it's past 12 o'clock. I have two sentences as part of the outro. One is that Mikko Hyppönen once said the following words: "Everything that is smart is vulnerable." And I think that the topic of the security of biometric systems is a natural follow-up. As part of the 1753C, we will be doing workshops. I will prepare a topic on the security of biometrics. Thank you very much for listening to the lecture. And today at 6 p.m., I know that it fits into the BSides agenda, but every Friday we meet at "Hakuj Dobroczynnie". I would like to invite you. Part 1 is recorded, part 2 is not. So what? That's it from my side. Thank you very much. Enjoy your dinner. You did it. Thank you very much. Now I have a moment to clean up, because now it's lunch time. Right? Right? Great.