
First rule of presenting: never anger the video people; they will draw a giant dick on your forehead in virtual reality. Cool, okay. So, hi there, I'm Brendan O'Connor. Hopefully you're here to see this talk as opposed to all the other cool talks going on. I'm doing "Reticle: Dropping an Intelligent F-BOMB," which is kind of a follow-up to some work I did at ShmooCon, but with a lot more really interesting stuff, and it has, you know, military and dancing cats in it, so what do you want? So I'm Brendan O'Connor. I run my own security consultancy, like about half of you, give or take. Weirdly, I'm also a rising second-year law student at the University of Wisconsin Law School, because it turns out that doing law school doesn't take very much time, which is kind of cool, so you can actually do real work on the side even though you're a full-time law student, and it's way more fun that way, because you can scare the hell out of all the other law students: "Like, you hack things?" "Yes, yes I do." "Isn't that illegal?" "Yeah, you should probably go back and take criminal procedure again." So it's always good times. Also, in terms of real work, I've done work for DARPA, I've taught military network warfare classes, which is great fun, and I'm always looking for work, so go ahead and ping me; as a young entrepreneur there really are no levels to which I will not sink, so always good to know.

By the way, of course, I don't speak for anybody, least of all this research's sponsor, who we'll get to on the next slide, but I certainly don't speak for the University of Wisconsin either, just in case you thought I did for some reason. As a side note, I'll take questions at any time during the talk, so just wave your hands if I don't notice you somehow, unless I actually point at you and say I'm ignoring you.

So just first a note of thanks to this research's sponsor, which is DARPA Cyber Fast Track. Those of you who haven't heard of this, you should go check out Mudge's talks, either at Black Hat from last year or at ShmooCon from early this year, both of which were great talks; the one at ShmooCon has some statistics. Basically it's a way you can apply to DARPA and get DARPA money without having to do 300, not even joking, pages of bureaucracy and having to apply for special codes; it's all a big pain in the butt. Cyber Fast Track: you send in a maximum of 16 pages, they get back to you in one week, it's unbelievably fast, and the final contract from the feds is one page long, which, those of you who've worked for any major corporation, you know that that's completely insane, right? So this is a really good program, and major thanks to DARPA for allowing me to work on law school, pay for law school, and still do work that's actually meaningful instead of just being yet another bartender in Madison, Wisconsin, where I live.

So this is the general roadmap of where we're going. We're going to talk about the problem we're actually trying to solve, talk about the hardware, talk about the software, and then talk about all the crazy stuff we get to do with this, because basically we're going to work with disposable computing here.

So this is the generalized problem, right? We have three different scenarios, all of which I think F-BOMB has some hope for. Anybody recognize this photo? Not really? Okay. So this is one of the photos that they took using balloon mapping when BP imposed a no-fly zone over the BP oil spill so that you couldn't see how bad the oil was. All this kind of brownish stuff is actually oil floating off the beach, and this was an awesome thing. The thing is that they're using a couple thousand dollars of hardware on every balloon, and if somebody shoots it, like, you know, the BP guards with guns who were using guns to keep people from doing exactly this trick, you've lost thousands of dollars of hardware, which is bad, right? And of course environmental activists like Greenpeace don't usually have thousands of dollars to just throw around.

Scenario two is just bad men with guns. Okay, so maybe this is just me, but I'm looking around the room and I'm doubting it: whenever you come up to a big fence with three strands of concertina wire on the top, don't you really want to throw stuff over it just to see what they'll do? Everybody? Good. Don't you really want to throw stuff into their little walled garden, as it were, pretty literally, and see what's on the other side, right? Crack into their networks, do all these other things. You know, if you have to be within 50 yards to play with their Wi-Fi networks and you can't get within 50 yards because of bad men with guns and large fences, then it's kind of a problem. And if you throw a computer in there, you're never ever going to get it back, right? You just have to accept this. If you have to throw a netbook in there for three or five hundred dollars, or throw a MacBook Pro in for four thousand dollars, first of all, MacBook Pros are really hard to get a good loft with, but the second problem is that's really expensive, right? And it makes it very hard to do this as kind of a democracy-in-action type project. You want something that you can throw away and never have to do the incredibly embarrassing FBI thing from earlier this year, when they had to go to judges and beg them to let them turn back on their five-to-ten-thousand-dollar-apiece GPS devices that they'd illegally stuck to a bunch of Muslim-Americans' cars, and get them back. Right, that's a completely insane place to have to be, and yet that's where the government is, and we're way better than the government, right? So we're going to do something better.

And the third scenario is something like Occupy, right, where you have a problem where you need network infrastructure and you need it to be cheap enough that when the cops come in, beat everyone up, and break all your stuff, you can just say "okay" and throw in a whole new layer of stuff, right? So the F-BOMB hardware and the entire disposable computing project that I've spent the last year on address all three of these scenarios in kind of different and, I think, relatively interesting ways, because these guys are doing hard IT work in essentially a battlefield.

So what we want, as I mentioned, is we want cheap, disposable computers. And how cheap? I want them to be less than 75 bucks, because I'm a grad student, and I'm a grad student in the wrong department, and if you go to the law school and say, "Hey there, I'm doing security research, I would like you to give me some funding just like my last university did when I was studying computer science," they kind of step backwards and say, "You scare us," which might be the t-shirt I had on, but nonetheless it's not a helpful response. So I want something I can actually fund as a grad student myself. The other reason we want it to be cheap is because we want to essentially democratize surveillance, right? We want to be able to democratize this area of technology, and I'll talk a little bit more about why that is later. We want these to be deployable by untrained personnel. If I have to, you know, if I want to throw something into a walled garden but it has to be me, because I have to sit there with a keyboard for half an hour typing commands in a very unholy way, right, in order to get the sucker to work, that's not going to be good. So we need something that you can just throw, you know, like a grenade, basically, over a fence into places where bad people who hate you live, and then play with them and mess with their minds. It needs to be reconfigurable post-deployment. So if I'm just going to have it, you know, just pick it up and throw it, it's probably not going to be ideally targeted to the specific mission when I throw it, so there needs to be some kind of way I can have communication with it, which is made more complicated by the fact that we want these things to be
dirt cheap and light and able to accept a pretty large impact if we're going to ballistically launch these suckers. So there needs to be some way to handle all those things, and we also need sufficient processing power. Yeah, I mean, we've got RFID chips now that are, you know, half the size of a grain of sand and they've got two transistors on board, right? Yay. You'll be able to do a lot of WEP cracking with that, or, you know, more subtle things. We need an actual computer for all of this. So I want it to be the all-singing, all-dancing, right? I want it cheap, I want it brilliantly fast, and I want it right now, because, you know, that's our generation's thing.

I'd like to point out that these are not an original design, or new design goals, for this project, right? The original UC Berkeley smart dust concept, right, that we'd have sensors everywhere and we'd live this entire connected life, said, well, we should just make them dirt cheap so we can put them everywhere, and then their original smart dust sensors were about this big and they cost three thousand dollars apiece. Even modern academic sensor networks cost between two and five hundred dollars per node, right? I worked at a great sensor network lab at Johns Hopkins for a couple years, and the nodes are this big and they cost several hundred dollars, and several hundred dollars more to make them waterproof, because it turns out that's actually more expensive than the node itself, and then you still have to write in this completely ass-backwards dialect of C in order to actually communicate with them. This is clearly a bad thing.

And also, just by the way, I really do mean I want to throw these suckers, right? Because Dan Kaminsky, if you were at Black Hat, said yesterday on stage that deploying hardware isn't fun, right, and it's never fun. That's wrong. This is a great deployment method (I hope you wanted a t-shirt) for hardware, and it gives me great pleasure every time I launch a computer into the sky. Cool, okay, I will avoid that, yes. I've got lots of objects that I will just be throwing randomly, so learn to duck. My students, when I was teaching network warfare, who are all military, you could tell the ones who'd been in combat from the ones who hadn't, because if they dove behind a computer and got scared of that, man, I should probably stop doing this. The upgrade, however, was that I then got a marshmallow gun and started shooting them if they got questions right, except that I realized that it was actually the ones who were sleeping that I needed to attack, so instead I just bounced them off their foreheads, which worked really well. So, marshmallow guns: and you can bring a marshmallow gun into a military base, because they don't think it's a real gun, which is cool, because it's not, but that was a little concerning.

So we're going to talk about the hardware, and the hardware is called F-BOMB because of two things: one, it's hilarious, and two, I used to work for DARPA, right, I've recently worked for DARPA, and DARPA loves tortured acronyms, so we're gonna have a plan; we'll explain what it means in a second. So it's the Falling or Ballistically launched Object that Makes Backdoors, right, because you could always use a good acronym. And so our design goals are, as I said, cheap: less than 75 bucks, and if we can, less than 50, right, ideally less than 10 if you could do it, but I haven't found a way to, and that means not just the base hardware but an entire mission's worth of hardware, right, all the extra stuff we need to glue on to it, the batteries, everything, should be less than 50 bucks if we can pull it off. And it should be reconfigurable hardware, for different types of sensors, for different types of missions. That means, if one thing you're throwing it onto is something mobile like a truck, you probably want GPS; if you're throwing it onto somebody's roof, you already know whose roof you're throwing it on, so you don't need GPS. And of course, in the land of Arduino, we know there's lots of different sensors, right? You can reconfigure an Arduino or any microcontroller into anything, but you can't do it cheaply. A wireless sensor, or a Wi-Fi module, for an Arduino costs $85; a wireless USB dongle, a really good one that you can do master mode on, on Amazon, is the size of my pinky fingernail and costs eight dollars. So ultimately, even though I love Arduino, we have to abandon it; we have to use USB, because otherwise we just can't keep the cost down, not effectively. And the other thing is, of course, we want it to be light enough to be flown on a UAV, which is one of my primary methods, and then dropped, kind of bombing-style, right, or thrown very, very hard. And it needs to be durable enough to land on things it wasn't intended to land on; we'll talk about that in a couple minutes, about how durable we're talking here. And we want it to be ubiquitous enough to be deniable. This means that we need to preempt supply-line tracing. That is, if I made a custom circuit board, right, whether I made my own, ordered it myself, or sent it to DorkbotPDX and had them run it with a bunch of other boards, eventually there's going to be a maker's mark somewhere in that printed circuit board that tells you which of the ten factories that make custom circuit boards did it, and then they're going to go to them and they're going to get a name, and if the name's yours, or it's Dorkbot's, it's in general going to be somebody who doesn't want them to have their name, right, because you just threw a computer into their highly classified environment. So that's a bad thing. So we want completely deniable hardware; we want only hardware you can buy in every country in the earth, preferably sold on Amazon and on eBay at the same time, so that you can completely deny that Brendan pwned you, or, if you're the government, that the NSA pwned you, right? We want it, well, it could be anyone who knows what a transistor is pwned us; that's a much better scenario to be in.

So there's a few other good concepts in this space right now; this is becoming cooler. So the question I get a lot: why not use the Pwn Plug? Well, how many of you have actually bought a Pwn Plug? Few of you, right? And they cost 500 bucks, right, 200 bucks minimum for the used ones, as much as twelve hundred dollars, for essentially what is one of these, and this is a SheevaPlug dev kit. It costs 99 bucks online, and they'll charge you an extra eleven hundred dollars to stick it inside a power strip, which is really cool, but it's way outside my budget, especially if we're going to be deploying tens or hundreds of these suckers and you're a poor grad student or you're Greenpeace or Occupy Wall Street, right? It doesn't work. The pros, of course: it has a nice SD slot on board, and it's running on the Marvell Sheeva chip, which is a great chip; it's a great design and it uses pretty low power, which is pretty cool. The cons are it's incredibly expensive, and the cons for using even just a native Sheeva dev kit: it's also pretty expensive, it's a hundred bucks, which is still outside our price range, and this power supply, right behind that little thing, is a pain to take apart, so if you want to run this on batteries, it's easier to do almost anything else, right? It's easier just to use an inverter than to try and subvert this thing's power supply. The printed circuit board is pretty integrated with the power supply, for, I'm sure, very good reasons if you're Marvell. But I'd like this chip, but we can't use the Pwn Plug.

What? Right, okay, yeah, that is the older version, but it's still the version they sell as Pwn Plug, the older Pwn Plug, I should say. Okay, well, that's cool, I mean, yeah, but still, it's a hundred bucks, right, plus shipping, by the way; exactly, 120 dollars, but you get it, and that's way outside a range of 75 including everything, because remember the Pwn Plug doesn't have Wi-Fi; it has SD card slots but no onboard storage, right, so you still need to put a lot of stuff into it before you get anything out of it.

There's also this, the Mini Pwner, which is a great thing, right, because first of all it's about one and a half inches square, which is pretty cool, and it has Wi-Fi built in, and it's really awesome. And the problem is that it has 32 megs of RAM and a processor so slow you can only run OpenWrt, which is a really great distribution in terms of mastering the technical achievement of getting it to run on something that slow; it doesn't give you a lot of power. Most of the software you want to work doesn't work on OpenWrt, right, and especially with only this little tiny amount of RAM, half of which has to be dedicated to keeping the Wi-Fi up, you can't do advanced things like Reaver or other kinds of brute-force attacks efficiently at all on this. So even though I love this form factor and I love just the whole project, I mean, these things, the base hardware, is 25 bucks, which is right in our price range, we can't actually use this particular module.

There's also the third alternative, the WASP, the Wireless Aerial Surveillance Project, which you may have seen at two different DEF CONs or one Black Hat; it's been around, right? This is awesome, right, because it's a flying thing. It has a base station for cell phones in its belly, it can sniff all your Wi-Fi, can crack everything, and phones home on 3G networks. The problem is that this costs eight thousand dollars, and there's only one of them, and it's in an abandoned Army target drone. And okay, so I'm originally from Montana, right; I live in Wisconsin now, but originally from Montana. If I see something circling overhead, I shoot it, because that's what people from Montana do, right, well, if it doesn't look like an eagle, or anyway, the game ranger's a long ways away. Right, it's not good, and that is unfortunately what you have to do with the WASP, right: your time on target, because it's fixed-wing and can't land without, basically, a runway, a short runway, you have to just circle overhead of whoever your opponent is. Ultimately you have a real problem, right: humans have evolved for thousands of years to look for circling buzzards, as it means that the birds think you're going to die, right, and so we have this built-in thing of disliking stuff circling overhead. So as much as I love the WASP project, we actually can't use it for this.

So this is what we ultimately came up with. This is the F-BOMB version 1, and it's based on the PogoPlug; just a second. So it's based on the PogoPlug, which is the Sheeva core, but the difference is the PogoPlug, even
though they originally sold for 150 bucks, have failed massively in the market, and so you can get them on Amazon for 25 bucks, consistently, pretty much as many as you want. I bought ten at once, had no problem getting all for 25 bucks including shipping, half of them on Prime, right, which is awesome. So the main board is a Marvell Sheeva core at 1.2 GHz. It's got Ethernet on board, which we don't care about; it has four USB ports, which we very much do care about. You can get the whole thing, fill it with Wi-Fi modules, add some flash storage, you can even screw around with eSATA if you want to, and do the whole thing for less than 50 bucks, which is pretty awesome. This board is about the size of a piece of bread, about three and a half inches by four inches by half an inch, which is pretty cool. And, as I mentioned, the power supply: this is the connectors over here, this just takes a regulated 5 volts, which apparently the new ones do as well, even from the actual Sheeva dev kit, but as I mentioned before, the original Sheeva didn't; you needed it basically to run on AC. So, regulated 5 volts: you can get a 25-cent 7805 chip and run regulated 5 volts off of a couple batteries, and that's awesome for us.

How many of you know the capacity of a D battery? Anybody know? How many of you guys have used a D battery for anything in the last couple of years? Like 10 of you, right, and half of you probably have small children who needed it for those ride-in things, right? D batteries have gone out of style, because we're all green now, right; we're all, we're not supposed to use disposable batteries, because we just throw them away and that pollutes the environment. We're throwing away the whole computer; we totally don't care. And a D battery has 18 watt-hours as standard capacity off a standard alkaline D battery. That's a huge amount of power, and therefore, if we run a few of these things, you can run this for 24 or 48 hours off of just a few D batteries, which is pretty awesome. The other thing, for those of you who care about this, D batteries are still made in the United States, my fellow Americans, right? Lithium-ion batteries are not made in the United States; it's illegal to make them in the United States. But Rayovac D batteries are made in northern Wisconsin, and double-As are actually made in Madison, where I live, which is kind of cool.

And the two Wi-Fi dongles: why do we have two? We really only need one to do pen testing. Well, it's because, remember, we're going to use the minimum viable hardware, and you notice that there's not a 3G connection on this. The F-BOMB design concept, what we exploited for Reticle, is: go crack your way into somebody else's network and use that for a backhaul. Okay, so we're just basically going to send you out there and tell you to find somebody who lets you borrow their phone forever, and preferably don't tell them, right? And that's how we're actually going to use... when we build Reticle, the software concept of this, that is going to be the first major challenge: how do we get that part to work?

You had a question? Okay. Unfortunately, they come in a bright pink case, so unless you're invading the Hello Kitty store, not so subtle, but, right, but the new version, where they've changed colors, actually has a less powerful board and costs more money on Amazon, whereas this version is the version that you can get for 25 bucks, and it's really powerful. So you want the big pink version, but luckily it's like two screws and you can turn it into whatever you want. For instance, this, right, in that cute little 3D-printed case: this, with everything on it, including the power connector with which I can suck power from a Parrot drone, the three-hundred-dollar Amazon toy drone, weighs 107 grams, so it's very light; it doesn't take anything else, you just add a couple batteries to it. And it's also small, so you can fit it inside almost anything else. So this is actually a big carbon dioxide detector I got on eBay for five bucks, ripped out all of its guts, including the radioactive bits, stuck it inside, you know, added back in an AC power supply, but a smaller one, and hid it inside someplace that I won't tell you, because I think they'll be pissed at me, for several weeks without anyone ever noticing. How many of you guys have ever checked your carbon monoxide detectors to make sure that they're still carbon monoxide detectors? Yeah, that's what I thought, right? No one looks at this. You want something that people will ignore. I've hidden these things in Triscuit boxes at the back that are stale and marked expired three years ago; also a great place. Anything kind of moldy, great place. Keep it out of the refrigerator, because it turns out those are a Faraday cage, but otherwise places people ignore work great in offices, right? And it turns out, after the talk I did on this at ShmooCon, the International Spy Museum, who are cool guys and do mostly a lot of Soviet-era spy technology, thought this is great, can we have it? So now they have it. Which is the other thing: if you make up stupid acronyms, random people will call you and ask you to give them things, which is better than it sounds.

So, yeah, I've been mentioning the, you know, very durable, impact, right, and I showed you the 3D-printed case. That actually works pretty well; I threw it off my balcony on the fourth story several times and it survived just fine, continuing to record data, no problems, because there's no moving parts. But what if we want to really injure something? So this is the soundboard system at Sector 67, the hackerspace in Madison where I do a lot of my work, and, it's not there anymore, but back here there were a couple of PogoPlugs. They used to live on top of that very large amplifier for our big sound system, right, and it's a cool place and it works really well, until one day I was messing with something and this happened. So that is what it looks like when you drop 300 pounds of hardware on your foot, and in this case on top of one of the PogoPlugs, which still worked, which is awesome. So it can survive a 150-pound amplifier plus a bunch of other crap dumping on top of it and still continue to record data and continue to work, which is pretty awesomely durable, right? That's in the original pink case; we can make better cases for it, right, you can put it in a small Pelican case or whatever you'd like. So we get the durability we're looking for out of all of this. Unfortunately, Sector has a good-idea bell that you ding when somebody's had a really great idea; after this particular thing they installed a fail horn, which is one of those horrible little clown horns, a granary, which they proceeded to honk every time I walked in for a month as punishment, even after I'd fixed the thing. So support your local hackerspace, but, yeah, it happens.

So now we're going to talk about Reticle, the actual software we're going to use, which is what DARPA actually funded. So Reticle: a reticle is a bomb sight, in essence, right, and so if we're going to drop F-BOMBs we need some way to target them; we need a command and control system so we can do actual brains, right? Brains: they're not just for munching anymore. And so this is the project that DARPA funded. They said, basically, yeah, we think it's a cool idea to figure out some way to build, in essence, an open-source botnet in order to control these things, right; let's see how much of a botnet we can build pretty quickly, writing as little code as possible, which is the Reticle project.

So again, for Reticle, we want the minimum viable hardware, and again we're not going to bother to bring any Wi-Fi with us. The Reticle software needs to be able to break into somebody's Wi-Fi and work from there. Now, in most urban areas you don't actually have to use anything other than open Wi-Fi; if you don't believe me, go look at the WiGLE project, which documents the thousands and thousands of access points even just in Madison, kind of a small town comparatively. So we get away without having to break in. If you don't mind breaking some laws, then of course just bust into somebody else's network and go from there; it works reasonably efficiently if you've met the Reaver project, for instance.

The next thing we want is we want deniable deployment. So again, we want hardware you can't trace, but we also want to say that if somebody comes along, this, right, the, you know, traditional underling security guard who comes along with his M16 and says, "Ah, what is this pink thing?", we want you not to be able to figure out who's attacking you. So it means a couple things. One, all the data, all the logs, everything has to be encrypted on disk, and as any cryptologist will tell you, this means that we have to not have the keys on board; if we have the keys on board then it's not really encrypted, it's basically obfuscated. So that's a problem for something that has no screen, and remember, we have to have the guys in the field not know how to type keys in, right; if Ug can throw t-shirt at person, right, then they need to be able to deploy this, and it turns out Ug is not a cryptologist most of the time. So,
again this is the deployment method it also means that we need have encrypted communications and more than just encrypted communications as a cell style we need to be resistant to traffic analysis if I go boom every 30 seconds you send a ping back nest egg of must be the NSA who dislikes me right that's a bad sign right we want that not to be able to happen so we need to be able to obfuscate our communication such that the people in the local network can't see who are talking to and hopefully it'll be inconsistent who are talking to and it also needs to have no central command and control server because otherwise this will suffer the same fate as all
those virus foreign botnets right verisign revokes the domain gives it to the FBI and then they own your botnet and then they make fun of you for a year using their special website for their dns servers or they just find you have a central IP addressing a wam and then your whole botnet is over right this is bad we shouldn't like this and luckily there's a couple examples of better botanists like aileron and storm that don't have a Central Command server so we know this is possible it's just that it's not easy you can't go and github and download a botnet yet but in about a day you will be able to and we need also
be resistant to node compromise so if somebody actually does find this gets around the encryption is able to take it apart without killing the power or cold boots that are whatnot there needs to be some way that we can say I don't like that node anymore and take it offline which sounds easy it is easy we've had the technology for decades and how many of your browsers actually use a certificate revocation list which is the same method none of your browser's because no browser does this so we're going to do things the right way because why not its our own system so things that are not designed goals we're not going to build a match network this
looks like mesh network hardware we're not going to because even though mention networks are wonderful it's hard it's hard to do right it's hard to be reconfigurable and more importantly again we're not going to lay these things down in a cute little pattern that makes them able to all talk to each other we don't want to have to spend a lot of time making sure they're all in range to be build a consistent mash right so we're going to use the internet as our mash Network instead is we're not going to build a normal batch network even though they're wonderful and then we also don't care to have synchronous command and control this means if I say
go to 50 of these nodes, they're not all going to go at the same time. It's not going to work like marching orders, and the reason it's not is because, as you know if you did the whole cloud computing talk that was here just before me, it's really hard to get it all to work. If you relax those constraints a little bit, you say 30 seconds or a minute is fine, we can get a lot more power for a lot less cost and time if we just say, you know, it doesn't need to be synchronous command and control. The thing that this kills: it means you cannot SSH into these nodes, not if you really want to have anything to do for the rest of the afternoon, so it takes forever. So you try; you win some, you lose some.

So these are the problems of software install. A whole bunch of problems eventually fill up this slide. The first problem is we need to get enough hardware to test performance on these embedded systems, because if we're going to use crappy little hardware, it turns out it has different performance than my eight-core Mac Pro, which could simulate 50 of these things on one processor. Luckily we have a great solution for that: we're going to build a clone army, and we're going to do it because DARPA's funding this, which is wonderful. Again, seriously, go do Cyber Fast Track, it makes your life so much easier. So I built a whole little clone army, I put little Malice Afterthought stickers on them, I give them all cute names, and now they all have blinking lights. Problem solved. So the solution to this problem is simple: it's DARPA.

So, first real problem: how do we have encrypted storage without storing the key on disk? The solution for this for full disk encryption on laptops is of course type the password in at boot. We don't want to do that. Imagine you're getting, you know, imagine if it's a smoke grenade, right, and you've got some grunt in the field: "Okay boss, I'm ready to throw this. Wait, I have to unpack my monitor and my keyboard, sit down and type in the very long encryption password, and then eventually, okay boss, now we can throw it," and throw it. Right? Not good, not useful, hard to remember how to do correctly. If you don't have a monitor you're never going to get it entered correctly; you'll never know whether it actually worked. There has to be some better way to do this. So how are we going to do it? We need essentially grenade-style key management. There needs to be "pull the pin, go," right, or, you know, "stick the pin in, pull the pin, go," something very simple, right? Count to three, don't count to two unless you're counting to three. Yes, that's the Holy Hand Grenade of Antioch, etc.

The original solution I had for this was really cool, really technical, used lots of hot new buzzwords. I was going to use the Teensy microcontroller, which is half the size of a USB stick and it can emulate an HID device just like the new Arduino Leonardo can, and then type in. Doesn't work. It totally should work; there's no technical reason it shouldn't work in terms of the Teensy. The reason it doesn't work in reality is one of those "you go to war with the hardware you were able to buy on Amazon for really cheap instead of the hardware you want"
problems. In this case the F-BOMB doesn't expose a terminal to the normal USB inputs, so even if you plug a USB monitor and a USB keyboard into it, you're not actually typing on a normal terminal, because its terminals are all over serial, and due to weirdness between Pogoplug and Arch Linux I wasn't able to get a terminal to actually be exposed. So even though the Teensy is really, really cool, can't actually use it for this. So we went with Plan B, called cheating, which is we fill a USB key with randomized data and use it as a key file instead. So you still get the same scenario. So when we do this, what we actually do: you turn on a Pogoplug, you plug in a USB key, when the light starts blinking you pull the USB key out, when the light stops blinking, which is about one second, then you throw it. That's it, right? We've used the blinky lights on it. Everybody understands the general blinking lights concept of operation. Very simple. So it's pretty much the same; it's not quite as good as "pull the pin, throw," but pretty much on the same plane. So we've solved the second problem with a USB drive.

Third problem, we mentioned before: we have to be resistant to traffic analysis, because if basically a nerd with a PhD can say, "Ah, well, Shannon's information theory says that the NSA pwned you," that's bad, right? That's a complete disaster at that point for diplomatic reasons, or if you're Greenpeace, knowing that you're being stopped by Greenpeace before they decide to unfurl their banner on the side of your ship is always bad news for Greenpeace, right? The solution to this is, you probably guessed, Tor. Tor is wonderful and I don't need to talk about Tor, except that we're not just going to use it for traffic obfuscation, we're also going to use hidden services, because this allows all of the F-BOMB nodes to export services that aren't reachable by a normal IP address. This means that we can publish their names without fear of backlash, because if I published an IP address and said, "Oh yeah, there's a hidden node at, you know, 74.23.NSA.gov," right, or at IBM or wherever, sorry, then everybody goes, "Ah, shoot that pink thing that suddenly landed on the roof a couple days ago," right? It narrows the focus. Whereas if I'm exposing only a hidden service, then even if you're sitting right next to it you have no idea that you're talking to yourself; you have to go through six Tor intermediate nodes in order to talk to it. So this solves a bunch of problems very easily, in a very well understood way.

The downside of course is, oh my god, the lag is horrible when you're working with Tor, especially if you have eight of these suckers all exposing hidden services in your closet like I showed you before. So don't do SSH. Those of you who've done SSH over Tor know not to do SSH; remember that it's twice as bad as a normal Tor connection because you're going through six nodes instead of three. So again, we're going to throw out synchronous control. Debugging was really hard, but you don't care in the field, because you're never going to SSH into these nodes in the field; you're going to give them a mission, in a way we'll talk about later.

Next problem: we need easy local storage, right? We need some way to be able to store tasks, we
need to be able to store other nodes in your botnet, right, we need to be able to store all the data we've just pulled out, right, all the goodies you actually wanted from that bad man with guns. And we're going to use CouchDB, because it's wonderful. Setting aside the whole SQL versus NoSQL thing, this is generally a bunch of unstructured data, right, so generally SQL doesn't work very well, and Couch has some other cool things. It has MapReduce that I can write in JavaScript, because I really wanted to add yet another language to my Cyber Fast Track. I got about six during the course of this project, and the government reviewers were going, "Why are you writing in so many languages? You make our heads hurt." Because it's hilarious. So JavaScript MapReduce, which is awesome. It also is very RESTful, obviously, so it does all those nice web things, and it has a built-in HTTP server, which is cool. So that means you can actually expose all the data sets you're collecting over HTTP and then expose that over Tor, right, over the hidden services. So we're going to store tasks in CouchDB, we're going to store our exfiltrated data, and we're going to store a list of friendly nodes that we know about for replication in CouchDB.

The next problem is indeed, well, how are we going to send data from one peer node to another? Where's the peer-to-peer part coming in? Without peer-to-peer we have a central command structure somewhere and then we are screwed, as noted above. CouchDB also solves this problem, right? CouchDB is wonderful; it's the all-singing, all-dancing database. CouchDB will actually do replication from database to database over HTTP in a pretty simple, incredibly fault-tolerant way, and since it is just HTTP you can torture the HTTP protocol all the same ways you do with normal web traffic: you can throw it through proxies, you can run it through Tor, you can do all sorts of evil things to it. It's a great solution. The other thing that CouchDB gives us at this point, excuse me, is it also has hooks for every commit, so you get a nice, very easily exposed way from Couch instead of having to poll it saying, "Is there new stuff yet? Is there new stuff yet? Is there new stuff yet?" Couch just says, "Bing! Look, I got a new task, do what you want with it." So at this point we can write a pretty simple script that just acts as Mommy: whenever a task comes in it runs it, and it actually verifies all the encryption keys on the tasks, makes sure the task was sent by somebody authorized, verifies group identity. All of this can be run in a pretty dirt-simple JavaScript thing we embed in CouchDB. Makes everything much easier to work with.

Then we need encrypted, revocable communications, right? So as you probably guessed, we pretty much want SSL. We want SSL done the right way, not with a certificate authority. We want SSL because it has encrypted and revocable communications, and the solution should be CouchDB. If you look at the box, right, this should be able to solve this problem as well, because it says, "Hey, we support client and server SSL certificates." Funny story about that. CouchDB has supported client SSL certificates, that is, you know, when you send it to the person you're trying to talk to, excuse me, for almost a year now; they added the support in October of 2011.
So I booted it right up, and yep, they can serve an SSL certificate, they can send a client SSL certificate for replication, and if you tell them to verify a client SSL certificate, it crashes and dumps core. Yeah, it's horrifying. And it did this repeatedly, and it did this on several different operating systems, and so I finally did what you should really do, and the docs always say you should do: go on IRC and go to #couchdb on Freenode to ask them, "Hey guys, what's going on?" And they said, "Ah, no one's ever used that before." What do you mean no one's ever used that? So apparently this one dev got a wild hair and decided to implement client SSL support, and literally, according to the CouchDB devs, as of March 2012 no one had ever used client certificate support, so they didn't know it didn't work. So I filed a bug. The bug is still there; this is a screenshot from yesterday. It's marked as low priority. They don't care, which is too bad. They don't care because nobody uses it, because no one uses client certificates, right? And all of you guys in the security community know why no one else uses client certificates: they're really hard to manage, right? We don't care, because we're going to manage them with that nice USB key, but they care, because they're like, "There's just nobody calling for it." So there's been one other person who's posted, "Hey, I want that too," and that's it. So they'll fix this when they fix this.

Now several of you might be asking, "Hey, this is open source, why don't you fix it?" How many of you have coded in Erlang? How many of you guys have seen an Erlang error message even? Okay, they're horrified. They make C, they make Objective-C, they make Ada look very friendly. They make GDB error reports look readable by comparison. It's a great language, I'm told, by people who are language nerds. I love speaking different languages; I've had a few bad experiences with functional languages. I can't speak Erlang. Tried very hard. So ultimately we need somebody else to fix this for me. Hopefully one of you guys will have the Erlang bug and you'll go and you'll fix this and life will be wonderful.

In the meantime we're still stuck with this problem, right? We still need encrypted, revocable communications. Tor does not provide this security. If you go on Tor's web page they will say, "We don't provide the security you're looking for, Brendan." But there's a solution: it's nginx, and it doesn't have to be nginx, it can be any web server that can proxy you through for HTTP and impose SSL over it. But nginx is really cool; it's really fast, it's very tiny, doesn't use a lot of RAM, it works really well, and as soon as CouchDB fixes this problem we can pull it out immediately. The benefit that using nginx as opposed to using Couch natively for SSL gives us is that it means that local scripts running on the F-BOMB node itself don't need to use SSL. They don't need to worry about it, and then the firewall simply protects, basically, only people coming in. Is this a completely impervious solution? Could somebody break iptables and then come in? Yeah, sure. I'm not going to try and pretend that we've eliminated all attack vectors, but I feel like breaking well-understood software used for decades
is a better attack vector than just me screwing around with it, right? So nginx is wonderful software if you need this kind of thing, and yes, Reticle nodes do check the certificate revocation lists. We don't just assume that it's going to be all fine, and we propagate certificate revocation lists through CouchDB, through the same peer-to-peer replication. So it works pretty well.

So the last problem we've had: if you build a botnet you need to have some way to do introductions, okay, just like any peer-to-peer operation, and this is a problem, right, and every peer-to-peer system has come up with some different kind of solution. BitTorrent originally had trackers, right; the tracker says, "Hey, I'm a centralized server that allows you to find your friends, and then you can go do decentralized things," right? The distributed hash table, the answer to the centralized server, still uses centralized servers for this. Basically there's a set of long-running, long-uptime nodes that still, you know, will respond, because there needs to be somebody to tell you who your first friend is, right? Those of you who've thought about clearances in the abstract know you still need to have somebody to tell you who the other people with the secret code are, right? This problem came up in Cryptonomicon, if you like Neal Stephenson.

So let's think about the threat model we have. Because I'm using Tor hidden services, I don't care if bad guys know the name of my system, right? I would care if I was using IP addresses, because that gives them a place they can go to. I don't care for Tor, because of the way Tor works. So I don't mind publishing it in some place that everybody can see it. I do mind if I publish it and every last copy of it gets taken down. So it's more important to spray and pray, to borrow from the FPS genre, than to try and be discreet about this. So what we want, in essence, is a gossip protocol. We want something where, essentially, once the data has been pushed, every server in the world will take it immediately, and then, you know, essentially the horse is gone, so closing the barn door doesn't work. That's a Montana-ism. And just note, I couldn't use Twitter, right, because people have asked me, "Why not just use Twitter? That goes to everybody." Well, it really doesn't. It's still a centralized service, right, and so, sure, you're right, the FBI won't nuke Twitter; they'll just have Twitter, "Hey, would you close that account? It's being used for criminal activity," and then they'll just close it, and then I don't get my introductions anymore. So we have to use a gossip protocol; it's non-optional.

So I came up with two ideas. One: how many of you guys have used Usenet in the last two years? A few of you. How many of you guys didn't use Usenet for porn in the last two years? There's one hand, two hands that I can see that used it for non-porn purposes. Erotica is porn. Porn. The internet is for porn. Usenet, lord knows, is for porn, yeah. And the cool thing is that since, you know, there's lots of illegal stuff, I've heard that there might be stolen software on the Usenet, right, and if our adversaries can't be bothered to hunt down all the illegal crap that happens in alt.binaries.whatever-whatever, then they are not going to track us down, right? Which is awesome. We can just throw our stuff into Usenet and it gets distributed to every Usenet server in
the world, and then we don't have to worry about it getting deleted by anybody, because they never seem to delete anything on Usenet. We've got at least a month before even the shortest servers start throwing away our data. And yes, there are Usenet servers that not only don't require a login but don't track anything except an IP address. So if you come from an IP address, some Usenet servers will let you post, and if you manage to connect to a website without coming from any IP address, then you're awesome and I want to talk to you. So this works really well for us.

So the text is a little bit small here, but what I actually did: I need to generate something so that servers like this won't just say, "Hey, this looks like spam." So I did what spammers do. I downloaded five or six old historical religious texts from Project Gutenberg, I select twenty lines at random out of them, and I stick an introduction note in the middle, and all I have is just the word "reticle," so I can find it (you don't need to have that), and then the onion name and an HMAC-256, so it's actually signed, so that I can say, "Ah, someone is trying to screw with me," right, preventing the NSA from just going on there and flooding all my connections. And then we've got the onion address; we can connect to that locally, okay? We don't need to publish anything else, because again, it's our botnet. We know the ports, right, we know how to use the hidden services, we know which certificates to use, because it's our thing.

The other cool gossip protocol that has all the hot and sexiness right now is Bitcoin, and Dan Kaminsky proved last year during his Black Ops talk how you can make Bitcoin store anything using the incredibly awesome Sassaman memorial hack. He not only made Bitcoin have, for all time, forevermore, a dependency on Len Sassaman, he made it have a dependency for all time on the last head of the Fed, whose name now escapes me. Greenberg? Green? What? No, not him. Anyway, the last head of the Fed, right. Alan Greenspan, thank you. There's actually an ASCII art picture; it would be on the next slide if I'd continued to two columns. And Bitcoin forevermore has to calculate Alan Greenspan as part of the Bitcoin mining process. This is great. It's been very well proved. I didn't implement it, because basically doing this as a dev thing is kind of rude to the Bitcoin devs, but for real-world production, for, you know, a real high-stakes thing, yeah, just go ahead and use Dan Kaminsky's code for the Bitcoin hack.

So now we've solved all these problems we wanted to solve, right? We have in essence a big, large botnet, or all the pieces of it, and so when we put it together it looks a lot like this. So everybody has a nice big iptables firewall running on these little pink things. Then you've got the Tor client, which handles all connections to the external world. We have CouchDB shimmed through nginx. We have the Mommy script, and that's all the harder it has to be, right? The cool thing is we've now built all of the methods and madness of a top-level, first-order modern botnet like Alureon or Storm, and we wrote about 60 lines of code, most of
it in the Mommy hook script, and about three hundred lines of configuration. But hey, right, you can't really whine too much about it. This is cool. Instead of having to pay Russian mobsters for three years to develop our botnets, we got to get away with all other people's code, and we can do that partially because we're not trying to infect Windows PCs with this. We don't have to hide from an existing supervisor or hypervisor; we take over the whole system, because we own all the hardware. So we get to use all the benefits of the open source community, like the fact that, you know, severe network nerds have worked for five years on the CouchDB replication model. We can just use it for free, because it's awesome.

So now we have to test, and for testing I've turned to my friends in Sector67, naturally, in order to do a lot of the missions we'll talk about next. So a mission, as I refer to it, is just a task. It's a task complete with who's supposed to do it, because Reticle has a grouping system to say only these nodes do it. It's complete with all the signatures, and there's a bunch of public/private key signing that you'd expect. I tried to do it all the right way, more or less. And it's also the data you have to send in order for it to process. It's the whole big package, right? Why didn't I just call it a task? Well, because I worked for the military for too long, so it's a mission, right? It sounds very cool, right, like sending shots downrange and stuff.

So to send the mission to Couch, all you have to do is find any node and execute a CouchDB PUT, which you could do from curl if you really, really want to. It's kind of a pain to do it all, because there are timestamps and there's a bunch of signatures. You can do it manually. There's also, in the source code, a cute little script that just calculates everything and shoves it in for you. But that's all you have to do: put it in a CouchDB. If you're local on a node you can do it without even SSL. If you're not local, you just have to have the client certificate and tell curl to use it. Pretty easy to send it in. And the neat part is that then, in order to get your data back, right, if you've infiltrated and then you want to exfiltrate all the packet captures you've been doing, every mission can just send its data back into the CouchDB, and on the next replication (we run replications on the Reticle test network about every 30 seconds, to everybody) it takes a couple minutes and you'll pretty much have all the data back pretty quickly, and all you have to do is sit there. So if you've got one node, you don't need to know where all the rest of the nodes are; they'll just all handle it pretty much automatically for you. So we get infiltration and exfiltration all for free.

So, missions we've built so far: a cute little blinking lights thing. Stalker, which is a fun project at Sector, basically saying, "Hey, so-and-so walked in," right, listening for broadcasts of their MAC address off their phones. Okay. Creepy, which was kind of fun: so another member of Sector noticed, "Hey, most people in this hackerspace use online dating websites," right, unnamed online dating websites, but I won't tell you which one, because it's so hard to figure it out. And so they said, "Hey, you know
what, if you look at the packets they include a completely plenipotent cookie in every single packet to and from the unnamed dating website that includes all of your login information, and I bet if I sniff that it will download all of your private messages for me." And then it worked. And so he wrote a cute little plugin for this. It's just, you know, it's just another mission, right? It sniffs, it listens to the unnamed dating website packets, and it downloaded a bunch of stuff. Good times were had by all, right? Don't worry, this is not actually running. Lord knows that source code isn't going anywhere, because it's creepy, hence the name. But it is a simple proof of concept that this was really good at, because basically it doesn't even have to send you back the cookie; it can just send you back the resulting thing. Again, the power of having some actual processing power on the far end.

There's also private web browsing, which is more kind of in the Occupy thing. It's a proof of concept right now, but it works pretty well. Throw down one of these things, it finds local Wi-Fi, and then it uses the other USB thing in master mode to expose a connection, gives everybody Wi-Fi access and routes everything through Tor. So you've got private, anonymous, deniable web browsing, and the cool thing is that since it just automatically scans for any Wi-Fi it can find, this will link together to itself. So if you throw down one way over at the back of the room, and it's got wireless, like actual internet, and then I throw one here, it can't see the wireless but it can see the first node, it'll just link together in sequence. And you can do some configuration and some scripting to make it, you know, not just keep routing multiple times through Tor, but that's all a pretty simple configuration thing; it works pretty easily. So right now you can take this and go rewire your entire Occupy protest.

A couple other missions I haven't written yet, some of which I've just decided in the last couple weeks to write: if you happen to be at HOPE, or know about the "Why Special Agent Johnny (Still) Can't Encrypt" talk, you know that supposedly encrypted TLA conversations over their nice radios are actually unencrypted almost all the time. And so I'm not telling you that you can throw out four or five Reticle nodes over a metro area and listen to all of what the FBI and NSA are talking about, mmm, but go read this paper. It's pretty awesome, actually. And since software-defined receivers now cost 25 bucks, because they found a cool TV dongle, this totally still fits within our budget, right? 25 bucks is the same as the Pogoplug, so it's expensive, but you can throw one on all these and still keep it under 75 bucks. That's a pretty awesome result, okay? And again, the data just gets shipped back, processed on board, and the resultant data gets transcribed and shipped back over CouchDB. You can ship back the audio files too; CouchDB doesn't have a file size limit, it'll just take longer. The one thing to note is that missions aren't guaranteed to be exclusive. That is, this was not easy to write, because this is your botnet and it's not a public computing resource, so Reticle doesn't try and do any operation saying, "Hey, well, he's already using the Wi-Fi for sniffing right now, so you can't have it." So play nicely with
yourself, as it were. I think that means something else. However, it's a road map: what are we going to do next, and how you could help. The next step for Reticle, simple one: opportunistic replication. That is, right now it scans one time and assumes it's going to be in a static place. I want to be able to strap these things to cars and have them listen for Wi-Fi continuously and push their data when they get a chance to. And they did this a few years ago on a cool project called CarTel, for car telecommunications, but it means, it's funny, right, but they won't release the source code. Boo. And I've asked several times, and I'm like, "I'm an academic," and they still won't do it. They had to rewrite half the Linux kernel, however, for how fast they wanted it. Yeah, we can talk about why they had to do that later. It wasn't a bad idea at the time, but ultimately maybe it's not that helpful. They had to rewrite half the kernel, right, because we already have a pretty specialized kernel. We'd have to do that. Second problem is we have to do visualization for hordes of data, and third, of course, is, well, hey, Raspberry Pis are out and it really costs twenty-five dollars. Port it to that. I've started porting some of the code to Raspberry Pi. It works as you'd expect, right, it's all ARM anyway.

Now, when I will write all of this, early this fall, and here's why. This is a bike path, doing wireless sniffing with one F-BOMB node, okay, through the city of Madison. This is Madison's two lakes. But I'm not looking for access points. This would be pretty dense for access points; there's 6,500 on this chart. I'm looking for wireless clients, because as you know, every couple seconds your iPhone or whatever beacons out its MAC address. Well, it occurred to me, well, hey, if I had a few different nodes, you know, one here and one here and one here and a couple moving, I wonder if I could play hide and seek, except without the people who are hiding knowing that they're hiding. And so this is going to be Spotlight, and Spotlight's going to be very simple. We're going to play hide-and-seek. We're not going to have any trained seekers; we're going to strap these things to a bunch of bicycle couriers, which are still used in Madison because it's a big bike town, and then we're just going to sniff all of the broadcast data all the time, and we're going to use a couple simple bits of geometry, which works really easily because Madison only has two dimensions, essentially. There's no hills in Wisconsin, despite what your ski resorts will tell you. I'm from Montana, I know hills; these are not hills. So it works really well; simple geometry works pretty effectively. We're going to pay bicycle couriers and bored students, we can give a five-dollar Amazon gift certificate, to wear this thing on their belt for a day. We're going to bring them back, we're going to play hide and seek. Our estimate right now is that twenty nodes, given 12 hours, can find at least ten moving targets. Ten is the first exemplar, you know; it's five mobile and five static, and we're going to use the moving ones, they're going to be tracked. Two people are just going to call you up to be like, "Down periscope," right, you have to confirm the firing solution, because we're not going to just shoot you. But you get the idea. It's going to be pretty fun, and
we're going to play over a two kilometer area to start, because why start with something easy? We're going to expand this on the second test to a ten square kilometer area. And here's the deal: this is what I'm doing this fall. DARPA funding has expired; they're incredibly wonderful to me. I don't have funding to do this. I'm going to do this, and Sector67 has already agreed to partner with us, getting all the, you know, attachments to the bicycle mounts. But if you are a funding agency and think this is a security project, which it totally is, then contact me. If you are a company and would like your stickers on everything I can see, contact me. And if you're a coder, more importantly, and you want to help with these projects, so we're solving cool new engineering problems based basically on "Hey, that sounds fun, let's do that," then by all means contact me.

All of this code will go up tomorrow on maliceafterthought.com, which domain, as it turns out, they will let you register anything as a corporation name these days. And it's all going to be posted on GitHub, and so it's going to be a big open source project. I did it in secret for three months; that got boring. I want to be able to point people to a website now. So it's going to be open source; you can run your own botnets. I'm happy to help port it to any other weird system you're doing it on. The software is pretty simple, because most of the components work on pretty much everything, and so it's a lot of configuration and a lot of just kind of lessons learned, and I'm happy to share with anybody who wants. I welcome, by the way, anyone who can show me how to reduce my attack surface or increase reliability or anything; by all means tell me. I don't try and pretend that all these are the right solutions; they're the solutions I figured out how to do, and I'm not an expert in every category that Reticle works in. So that's pretty much it for Reticle and F-BOMB. Thank you all, and I'll take questions, and if you ask questions I have more things to throw at you. Yeah?
They will probably, eventually, yes. And Raspberry Pi lifted its order restrictions last week, so we are at that point right now. I've got two of them already, and yeah, I think I could just place an order for 20 and get it in about a month. I did look at using I2P, exactly. It's a pain in the ass. It's not as performant, there are fewer nodes, and the security guarantees aren't as good, but that's why I didn't do it. [inaudible] $49? $49, yeah. Honestly, on plain Amazon with free shipping, that's the thick of it, seriously, and no stalking Craigslist, no stalking eBay to get special deals, just normal stuff. These are everyday prices. What a thing, I know that is, yeah.
So I am NOT a lawyer yet, but even if I were a lawyer I would not be your lawyer. None of this stuff is illegal if you get permission to place the nodes or use the Wi-Fi, right? If you don't get that, then your local laws are going to vary. In some states it's illegal to use open Wi-Fi, like Florida, where it's a felony, weirdly. I don't understand how that can possibly be constitutional, but it's not my job yet; it will be eventually, yeah. I'm not going to tell you what's legal, what's not. We got permission from every place we dropped these on the roof of, mostly because F-BOMB is not subtle. Now, federal buildings are built with bricks on their roof and therefore they don't hear it, but if I'm just your normal business, they get weirded out if they see stuff coming from their roof. Do you have a question? Now, any other questions? Yeah, I'm using a 3D printed case. I can show you if I can pull my bag, but there's another cool case that I just saw on their website called Pibow, which looks better built than my 3D printed case. Yeah.
So this is pretty, so this right here is pretty low profile. You couldn't fit it in a 37 millimeter case, but you could still fit it in something you can launch with a big water balloon slingshot, which I've launched it like that, yeah. The case doesn't fit together quite right, but that's a V problem. What? Sorry? Well, right, but water balloon launcher. You've used the water balloon launcher. [inaudible] In terms of why I throw it, yeah, he wanted to see it, yeah. It's funnier if it hits you in the face. I tried to throw nice soft things. I threw you a book at Geo, I suppose. [inaudible] I threw a jet life, but yeah. Any other questions? Okay. I'm wearing bright purple, so if you want to come talk to me I should be pretty easy to find. So thank you all very much.
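The Usenet introduction note the talk describes (twenty random lines of old public-domain text with a signed "reticle <onion> <hmac>" line hidden in the middle), worked through as an added example that is not Reticle's own code. It assumes a shared group key, a constructed corpus standing in for the Project Gutenberg texts, and an exact note layout that is my guess at what the talk sketches; the point it shows is that the HMAC lets a node discard planted or altered introductions instead of connecting to them.

```python
"""Reticle-style signed introduction notes (added example, not the project's code).

Assumptions (mine, not from the talk): a shared group key known to all nodes,
a constructed corpus standing in for the Project Gutenberg texts, and the note
layout "reticle <onion-name> <hmac-sha256-hex>".
"""
import hashlib
import hmac
import random
from typing import Optional

MARKER = "reticle"      # the word the talk says is used to find the note
NOTE_FIELDS = 3         # marker, onion name, tag

# Constructed stand-in for the historical/religious texts the talk downloads.
# Any corpus of ordinary English lines serves the same purpose: making the post
# look like normal text rather than spam to the Usenet server's filters.
CORPUS = [
    "And in those days the people gathered at the gate of the city.",
    "He spoke unto them of the harvest and of the rains that did not come.",
    "The elders sat in counsel from the morning until the evening.",
    "Let every man return to his own house and to his own field.",
    "There was no king in the land and each did as seemed right to him.",
    "The scribe wrote the words in a book and sealed it with wax.",
    "They journeyed three days through the wilderness toward the river.",
    "And the messenger came saying, the city is taken and the walls are down.",
    "Blessed is the stranger who is given bread at the door.",
    "The watchman cried from the tower, but no one heard him in the night.",
    "She kept the lamp burning until the travellers had passed.",
    "Of the silver there was no account, for it had been spent on the road.",
]


def sign_onion(onion: str, group_key: bytes) -> str:
    """HMAC-SHA256 over the onion name, keyed with the shared group key."""
    return hmac.new(group_key, onion.encode("ascii"), hashlib.sha256).hexdigest()


def make_introduction(onion: str, group_key: bytes, corpus=CORPUS,
                      n_lines: int = 20, seed: Optional[int] = None) -> str:
    """Build a post: n_lines random corpus lines with the signed note inside.

    `seed` is only for reproducible tests; a real node would leave it None
    and get the OS random source.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    lines = rng.choices(corpus, k=n_lines)          # sample with replacement
    note = f"{MARKER} {onion} {sign_onion(onion, group_key)}"
    lines.insert(rng.randrange(1, n_lines), note)   # never the first or last line
    return "\n".join(lines)


def find_introduction(post: str, group_key: bytes) -> Optional[str]:
    """Return the onion name from a validly signed note, or None.

    Lines that carry the marker but fail the HMAC are ignored, so a flood of
    planted notes cannot steer a node toward an address the group never signed.
    """
    for line in post.splitlines():
        parts = line.split()
        if len(parts) != NOTE_FIELDS or parts[0] != MARKER:
            continue
        onion, tag = parts[1], parts[2]
        if not onion.endswith(".onion"):
            continue
        # Constant-time comparison so a forger learns nothing from timing.
        if hmac.compare_digest(sign_onion(onion, group_key), tag):
            return onion
    return None


if __name__ == "__main__":
    key = b"constructed-shared-group-key"     # constructed, not a real key
    post = make_introduction("abcdefghijklmnop.onion", key, seed=7)
    print(post)
    print("recovered:", find_introduction(post, key))
```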