A MarketPlace of Ideas

WikiLeaks has released damaging new information that ACA a project called cherry blossom has been hacking into home Wi-Fi routers since 2007 that's not all the CIA reportedly used that hack as a listening device and for more on this developing story were joined by cyber security expert and CEO of MGT Capital John McAfee welcome John thank you very much and so first I want to go back to Alexa's report I mean we just heard about a massive information being put out there roughly 25 terabytes worth of information being accessed without a password I mean just to be clear this information was not stolen by hackers it was actually there and without a password and I mean with so many of us having passwords on our phone how is this even possible well the hacking happens all the time the thing that concerns me is not so much the fact that the information was available all of this information you can buy from Google what concerns me is how did they get this information my phone number my address my age my marital status my preferences whether or not I believe in Obama care what do I feel about immigration what do I feel about our national policy every single political attitude is in that database for virtually every adult in America now should we be asking the question how did this data company even acquire that information that's what concerns me because once you get the information into a database it will be hacked it will be let loose this is just a fact of life these days and something we should be concerned about but far more concerning to me is how did it happen it happened because companies like Google and Facebook acquired data on every one of us what blogs we are visiting even our messages that we pass on Facebook or instant messages on Twitter are accessible and these things are collected so that we have no privacy what concerns me about this is if you look at the data in this 25 terabytes it's almost every political attitude a person could have and my phone number and the jobs that I've had and my health records please a lot of people's room I'm sorry go ahead yeah a lot of people don't want that information public especially their political stances I mean it causes so much friction nowadays I mean maybe your clothes daily members can know how you feel but you know publicly out there again a lot of people just don't want people to know but moving on now to WikiLeaks you know they just release those secret documents revealing that home routers from 10 different manufacturers can be turned into listening posts that the CIA can monitor I mean this sounds similar to you know those other devices like some televisions that are being used and listening devices so were you personally shocked at these findings well no I mean myself and every other security professional have known about this and I have been warning about this it's not just the CIA all of these routers and that's virtually every router that's in use in the American home I are accessible to hackers to the CIA that they can take over the control of the router they can monitor all of the traffic and worse they can download malware into any device that is connected to that router so I personally never connect to any Wi-Fi system I use the LTE on my phone I know that sounds crazy but that's the only way that I can be secure because every router in America has been compromised we have all known this and we've been worrying about it for years nobody pays attention until something like WikiLeaks comes up and says look this is what's happening then or goes oh but we've been saying it for years and and it is devastating in terms of the impact on American privacy our individual privacy because once the router is compromised and it infects the cell phones that are attached your your laptop your desktop computer your tablet then they become compromised and not only can you watch the data you can start listening to conversations you can start watching to the cameras on these devices so you're saying even when we go to something like say Starbucks and get on the free Wi-Fi that our information can be compromised Wow incredible in fact if you actually go to Starbucks and get on free Wi-Fi you're being very foolish because not only is the router compromised at Starbucks but there are people in Starbucks that have devices pretending to be Wi-Fi and you're connecting to them sometimes and they're monitoring all of your traffic reading your emails listen and your text messages here comes so this is the problem the fundamental issues we are completely blind as to our circumstances in regards to security I mean that's one and then you kind of laid it out for us but can you kind of recap what are your thoughts ethically with the CA using technology this way and do you think they have the right without the American people's consent of course not of course not there's nothing in the American Constitution which gives the government the right to invade the privacy of my home or any place that I am where I am I have the presumption of privacy of course it's not ethical if it's unconscionable and we have very few means of combating this my own company mg T is a product coming out soon called Sentinel which will prevent this from happening in corporations but nothing for the home yet and we're working on that but it will be six months to year before that comes out so we're totally helpless we are we are in a situation with our government where they know everything about us and we know nothing about what the government is doing Wow they have the right to privacy and secrecy but the individual does not anymore well good to know and it will certainly be careful on where we go online nowadays thank you so much John McAfee CEO of MGT thank you

what's up internet on here from Don does 30.com bringing you a hacking tutorial today on hacking WordPress websites using an updated method from prior examples that I gave and this is going to be a really good tutorial using a new tool by I guess new P called WP force it's a wordpress attack suite that not only helps you crack a password using a kind of dictionary attack group for scenario type thing but it also allows you to upload get this shells PHP shells are shells that you could use to kind of really get into the website and mess things up or you know because we're responsible hackers let the site owner know so the two previous wordpress tutorials thought i gave we have brute-forcing wordpress passwords and in an ever increasing security world people are using a lot of plugins so this new tool according to the author uses the API instead of the login form so it allows you to bypass a lot of the methods protection methods that these websites might have and also finding vulnerabilities to hack WordPress sites so these are the two previous ones that we showed you but this is the new tool that we're going to be using it's exciting so first we have to download the tool I haven't downloaded it yet this way it just kind of doing a fresh start for you guys or all on the same page and generally what I like to do I'm going to make a directory first called newbie and go into that directory oops of course if I could spell newbie all right and to get the to download it we're going to download it from github so get clone HTTPS and see github com and new P is actually spelled n 00 py so those aren't capital o's that's those are zeros and WP Force dot get and this will download all the files that we need now I set up a wordpress site on my test server so that way we could test this against that and it looks like it's downloading already or finished downloading already I should say so let's check it out so created a directory called WP force will go into that and it's just a couple of files not very many at all so the wp force is what we're going to be using to crack the password I guess this is your ttle Yertle is going to allow us to upload a shell using the hacked credentials so that way we get a shell back to our computer or watch we use an interactive shell for this example and 3d file read media files are always good to look at so you have an understanding of what's going on so this is what it's going to look like and let's see where the steps were the steps here we go I'll actually let's take a look at some of the features right so brute force via API which is what when I mentioned earlier so it can bypass some form protection login form protection automatically upload an interactive shell which is really cool can be used to spawn a full-featured reverse shell which is even better because this particular thing this tool will go ahead and utilize metasploit as kind of a extra extra options for you it's going to dump the wordpress password hashes if you tell it to backdoor authentication function for plaintext password collection which is pretty cool it's a keylogger inject beef hooks into all the pages which is really fun if you noticed on one of my other tutorials that there's an introduction to beef and how the beef hooks will go ahead and allow you to use the beef the browser exploitation commands and functions to do some cool stuff as well and then again pivot to an interpreter session if needed so we already went and installed everything and this is our usage for the wp force so as you can see it's a Python script it does require a user name list and a password list so if you have a word list of mine for your passwords that's awesome if you use maybe one of the other methods such as brute forcing the word for WordPress passwords or finding vulnerabilities if you go back to those tutorials you may be able to go ahead and enumerate some of the user names that you could use and then just the website the website name so let's get hacking but first of all like I said we're going to have to create some word lists and all that junk so some kind of ones or WordPress this is the admin so do administrate or WP admin admin super user I don't know web master site admin so these are usually some very common user names for an administrator sometimes they don't use their names they use just the general account so I'm just going to use these as an example I'm going to head we'll save that yes I do want to save it user dot txt and we'll do the same thing with passwords will do some common passwords will say password let's not use that one I'll show you why in a minute so we'll do a pass 123 let me in wordpress password password password 123 no no that's probably good right I mean you could do as many passwords as you want and the more passwords you have in your password list probably the higher or you know your chances are going to be higher I'm cracking it so I'm just going to leave it to that will just use just a for this example because I already know what the username is password are so let's do it let's do Python and WP force not pie and see I already forgot this is why these files or readme files are so helpful so I and W and you so I user text IW past texts i wonder what the reason behind these naming conventions work alright so don test server com WP big easy because it's going to be a big easy hack alright so we just run the script will let it run it looks like I've got about a pretty decent combination of username and passwords again you could have millions of passwords millions of usernames it's going to go through and try each one so again because I knew the credentials I purposely put them into the username and password file it found valid credentials and the account is admin so this is perfect because this is a very shitty username and password easily crackable obviously but this is great for our example so we're going to use these credentials right here to upload that interactive shell so now we have to go back to that help file we'll take a look at your toll just like saying that you for username p for password t4 I guess target and this will use that ready ready ready ready alright so Python ear it'll would we say user name was admin password was password target use the target again Don test server calm and WordPress Big Easy i almost put big easy hack all right now there's to let me do this so there's two options you can either do a reverse shell which i'm not going to get into because i'll get a million questions about for forwarding and shit like that i just don't have the time for those questions right now so we'll just do a interactive shell which is really cool because there's really not anything else to set up so well type all that credential stuff in again we'll do interactive to take a second and hopefully we get a positive response from Yertle and we have a shell set up fingers crossed all right perfect so the back door was uploaded yeah I guess here's a temporary upload directory to where it uploads and we have our shell so first thing I like to do is either type in help or ? to find out what we could do so in this case its technical ? and enter and here the command so ? is our help menu the beef command injects a beef hook into the website exit exit the session hash dump dumps all the word wordpress password hashes help was again the help menu the keylogger again now this will log any type of plaintext credentials that might come through so if you see a wordpress site that doesn't have encryption which there are many out there to where the username and login form screen doesn't have encryption it gives you basically the option of logging those passwords and that goes for site users as well and then you check the key log you could tap an interpreter session to connect back to metasploit quit again terminates the session you can set up a shell the that'll send a tcp reverse shell to a net cat listener and i'm not getting into reverse shells right now for obvious reasons but let's just for shits and gigs will set up a keylogger this modifies the core sure let's modify the core whatever alright so the sign-in function is patched do not run this more than once apparently and use key log to check the log file so as people are logging in with their plaintext passwords we'll go ahead and lock that so we have other users just besides the admin that we could come back and get into as well so anyway cool tool by new p thumbs up for me awesome way to get around some of the login protections that WordPress is now implementing and yeah test it out try it download it from github try a couple things if there's anything that you like specifically about it put it down in the comments anything that you hate about it put it down the comments and I'll talk to you guys later

. Kix that your book hunting career with book crowd book crowd is the largest security research community in the world and it helps companies such as Tesla simple Western Union Spotify and many more with cybersecurity paying anywhere from a simple thank you to 15,000 begin your book hunting career at bugcrowd comm slash track tutorials hey guys welcome back to a new video tutorial today we're going to be taking a look at the tool built into color linux 2.0 called eunice can now eunice can is a web vulnerability scanner some of you may have heard of it some of it some of you may not have but that's okay because either way you're going to learn something today now like said um comes built into color i'm using color next 2016 point one it has one of a terminal version and a GUI version so you can use whichever one you're more comfortable with and yeah it's a very powerful tool is very simple to use which makes it so good you know it's easy to use and is also very rewarding so let's just open up a terminal here and if you type in uni scam you can see that we get the help file now the help file contains all the different parameters you can use all the options we are running version 6.3 and you can download you scan if you don't have it from sourceforge.net and it is written in perl so we are going to be looking at some of these options today so i'll just go through quickly what you can do with eunice cancer you can enable Derrick's checks you can enable file tricks you can enable robots dot txt and sitemap.xml checks you can enable dynamic checks and static checks and stress tests you also have the ability to do Bing and Google searches for dogs however the Google one doesn't seem to be working very well because Google blocks a lot of automated search queries however being does not we also have web fingerprint and server fingerprinting and down here you've got a couple of examples on how you can use uni scan so I'm going to be basically doing these today showing you what and you can do so I'll also show you what the GUI looks like you just do unit scan – GUI for that and you'll get this very simplistic and GUI but if you want to use that you can do is you know perfectly as personal preference I will use both and just because well I'll use both just for one specific check just so you guys can see what it looks like so let's just go ahead and do unit scan again and so what we need to do is we need to first of all whenever you're going to prepare a unit scan a scan you need to do – you and then you just want to put in the URL of the website so let's just do check tutorials comm I'm pretty sure there's nothing too bad that's going to come up here so you can see that we just did a quick scan of it and you get the server so you can see we're running CloudFlare you also get the IP address so now you can add a bunch of parameters to this and you can actually you know you might want to run a direct check and a file check you can just easily do that you can see here under usage – you can string together parameters into one parameter themselves so if I'm just going to copy this out pure laziness but basically this is going to run it's going to enable units going to go back into the background so we will just leave that blank and for now so we're just going to be using QW EDS so we are going to be doing a direct Rick a file check the robots dot txt and sitemap.xml check that looks we're also going to do in a dynamic check and a static check so let's just go ahead and run that so what we'll do is do units can ever jet tutorials and we'll paste in this and still is basic see what's going on and hit enter and you can see that it's going to run through it also has some built-in plugins such as upload form detection email detection PHP info disclosure and many more like that so I'm going to leave that running for a little bit just because it might take a while to return and some of the information so I'll be back in just a second so you can see the report has been saved in this location here now it doesn't actually take long to complete it all you can see we've got some stuff here most of stuff has come up as you know no because and I guess jet tutorials is pretty secure so call me another if you do find a bug feel free to report it to me so if it may come your way anyway let's go ahead and look at that report file so it seems a report files in HTML files it's a very nice a very professional looking reports oh you can use this file I don't know real-life pen tested if you were to do such a thing so just go ahead and click on other locations and then go to computer and then just type in user and then go to share and inside of share there should be a folder called Eunice camp and in here there will be a folder called report and you will have let's just delete these because you don't need them and I don't need that one either and also delete this one these are all the old ones and we will do need to delete this one Mabel it down and mmm yeah we can do that one as well okay so just open up the go the jet tutorials comm HTML report and this is what you're going to get you shows everything in its own section so you've got scan time the target crawling so that includes your things like emails and stuff like that that it finds dynamic tests static tests and scan time so that gives you a basic understanding on how in you know scan looks at websites now I've mentioned that you can do multiple parameters at once so that's always good like said using this at the end of it is multiple parameters so you can add as many as you want onto there alternatively you can just do do the ego I mean you can do that but it's just easier to tie them all up into one single parameter so let's just do that same scan again but we'll use the units can GUI so I'll show you what that looks like let's do you scan GUI and we will paste in well we will try and paste in HTTP do it up check tutorials calm and we can just check what we want to do so let's just check everything and press stat scam so you can see that you just get terminal here and I'm just going to leave that running as well so that's going to take a little bit too long then what I wanted it to take so you get the idea it will save the same report in this HTML file it'll look exactly the same apart from using GUI mode with a nice little turnbull in it so just imagine this this is what it is in a fashion anyway let's move on so let's talk about being in Google dogs so this is two units getting it now I can said and the Google one doesn't work because it can detect automatic queries so for example if I do you lease camp – oh and then do I'll explain what this is in the military right in URL index dot PHP ID equals it's going to return to your websites and if it doesn't then I get surprise for me see what it returns it should be zero if not then there's a reason for that and I can explain it as well so yeah will be an idea if actually like put in quotes and so you can see that it returns zero sites and the reason why is because Google can filter automated search requests now if I change this to Bing is going to work fine so let's just talk about what dog is and so doc is a specific search term so if we just go actually we'll just do this in color why do I always need to go to my Windows machine let's stay in color so I just got iceweasel here and I'll head over to Google so you just work and go but basically this is a search term so I can put in in URLs so that means to look inside of the URL for index dot PHP ID equals HC that's returned to a bunch of websites but these websites and return because of their content you know the title or the header text or all like that is returned specifically based on their URL now we've obviously I've done a SQL injection video and you can see that this link here these are the kind of things you are looking for if you're going to be doing a post based or a get based SQL injection these are commonly the get missing SQL injection so I can obviously go on this website and I can go ahead and I don't know I've just come onto here but I can just do this and we can see if the website is SQL vulnerable or not which hopefully is not so yeah you can see that it seems to be okay so that is what the docs are now you can you know these returns pages and pages of results or you can just use unit scan which will generate generate them fires so let's just do Eunice camp and we are going to have to use Bing because Google doesn't work so – I and we'll just put open speech right here piston that thing that we did before hit enter X it's going to do a Bing search for in URL index dot PHP ID equals now there is a little bit of a downside to this and I'll show you all those in a minute and you can see that we've returned 477 sites and let's save insights dot txt which is inside that bar folder so let's just go head up one folder to the eunice gun folder and it's going to be insights dot txt so you can see we've got 477 sites here now the issue is that it doesn't return it you know with the index dot PHP ID equals it doesn't return that it just returns the actual URL but that's fine there's nothing to really worry about but then and that's kind of ironic hacking skills anyway then you can actually load this file into into units can and you can roam ability scan all these different websites so I can go ahead into units can dash F size dot txt and then put a bunch of parameters on the end of it so let's just do a simple directory check on all of these websites dash Q hit enter and is going to work its way through all of them sites that were in size dot txt so this is going to take a while to do you can see this actually found an admin folder on this first web site and so yeah that's going to take a while to do so we'll just leave that for now ctrl C so you can see that's basically it will have to work its way through 477 website starting from the very top so that was book server and then it's going to go to this one this one this one and that'll save it in their individual reports inside of the reports folder so the final thing I want to show you today ladies and gentlemen I'll probably Millie gentlemen but if you are related that that is awesome and we're going to do you can basically search IP addresses this is using the same google doc method but you can search for IP addresses and they return a list of websites that are also associated with that IP address so for example I'm going to choose one on one you care because it's one-on-one calm because we know that that is a web hosting company so there is a good chance they will have different IP addresses a different websites associated with that same IP address so let's just search one on one and what we want to do is just get the IP address of this which is nice and easy because I can just go ahead in two units can do – you piss in that and I can get the IP address so what we can do them is copy the IP address and we can do units cam – I for blog not blog be easy I I believe it's I Stella look – oh no – I yes – i you can do units can – I I P : and then pierced in the IP address and that's going to return the number of sites that are associated with that site next to it because I returned one website and let's just go ahead and rerun that again so actually doesn't append it it just changes it you can see that the only website associated at HTTP which is interesting I did not expect that result let's just make sure I've got the string right let's go up here and yeah it looks like it's right to me so yeah that's a bad example that's just it's a bad example let's get all the web sites associated with a different IP address so decide to use the IP address that jet tutorials came up once let's have a look at what we've got in there and see we've got lots of different web sites here and then I was like we can go ahead and do Eunice can on that so that is a basic guide on how to use units can hopefully you'll have some fun with it you can do all kinds of stuff in it and you basically can generate some nice reports and also it can be used for finding potential memorable websites so remember to report your findings if you do find anything to the respected every respect – that's not the right word alright good bye we put your findings to the person the webmaster basically so they can fix it so that is the end of this video tutorial please like comment and subscribe if you enjoyed it if you have not already and feel free to follow me on Twitter days at Jack 157 also follow me on Twitch days at check one three three seven as well and also like me on Facebook those track tutorials and don't forget to tune in for next video and I said that this video was going through the veil evasion one but veil evasion and Callanetics above plane up and they're not working properly but hopefully the Creator will have that fixed soon for me to do that video but for now I haven't got really much else to say so Figaro much for watching like I said before and I'll see you again in the next one

 I explore no I explore no no no no I need you to tape the letter right I need but I need you to type the letter I okay okay you got it okay I need to put a space and then w-w-w dot remote tongue somebody's at three two one dot-com um yes one second wait wait sir sir no no I need you I need your nine digit code yes yes and you're doing fine yes I need your code I cannot give you my code I need your code United States we are located in Washington DC oh now D do you have do you have code okay hello yes can you hear me sorry what am I using Skype no I will I need you do you know I need you to use TeamViewer am i no no I I I'm using TeamViewer I am using TeamViewer No so so do you have nine digit code now oh no I'm I'm I have said I am using TeamViewer so let's just just give me the nine digit code and I can help you ah ha ha ha ha ha ha ha ah ha ha ha so do you already have change your installed on your computer so it would appear that you already have um so I need you to do one thing yeah yes do one thing for me now I did ah-ha-ha-ha I'm listening to you you said you need to tell me one thing go ahead oh yes yes but let me tell you one thing ah going ahead and I need you to open up do you still have that Internet window open okay um it is Kim you're open okay so I it would appear you um is this a company laptop or desktop a desktop so what is your name it is what your name is ty okay okay ty I need you to do one thing do you see down in the corner do you see the windows button and the letter R okay I need to I need you to push and hold those now do you get a little box okay now I need you to type do you do you see the words that are in there oh um okay go ahead and hit enter aha now I need you to go ahead and click but yes yes do that do that aha now do you do on wait you you click encryption enabled Oh click on update okay okay yes aha okay and then I put that yeah let me put that in the other box again hold on what was it again oh okay click OK here okay click on okay and tell me what it says account database startup key was check click on ok ok ok can you tell me the password is just that no one can you please back me the password um I I do not remember could you tell me again ok it's 1 2 3 4 5 6 7 8 9 ok go ahead and click on start and then click on restart would would this connect me to you I know it should connect you because that's my ID I just gave you oh ok ok oh this is odd I I am still new here so I'm actually using my supervisors using what you did today using what I'm using my supervisors computer today so this is different than mine though I am not sure you sound like you know a little bit ok I'm actually quality control at malwarebytes um did you restart the computer here's the three whoops hold on um oh I need your password ok the password is 1 2 3 4 5 6 7 8 9 2 3 pull them oh so I don't believe that correct okay so don't work your computer is infected with the spyware virus so what we need to go ahead and do is take your computer into the local technician and it needs to be repair for the registry corruptions and all your banking and financial details are at risk ok sir oh no oh no bad joke oh not good not good no no but good no this is not good not for it Lockwood first day on the job this is not my computer this this is my supervisor computer it's not called our code awkward no no not good girl sir Sir sir Sir sir what have you done so you need to take control whatever you think so what have you done take your computer to Best Buy codes are in the United States sir all right what have you done all I do exactly what your company does to other people do what well are you Microsoft technical support yeah then you can fix it yourself yes we are like the top technical support you can fix it yourself what you can sick no I have not no you can fix it yourself make yourself oh do me one thing what is your password password okay do you want it yeah okay are you ready for it yeah okay five three two okay eight six nine uh-huh five three uh-huh do that did did you get that yeah hold on Oh oh no oh no it is restarting if you tell me which one on screen um hold on I'm having issue here my computer is restarting okay tell me what you see on did you see manufacturer logo what brand is it um yes this is a Dell okay Dell so I'm go ahead and hold down the power button for five seconds and turn it off okay so if there's not good this is my clothes go so I feel so I compute okay um turn on the computer and on your keyboard on key pressing f12 do you see the f12 key gonna keep doing that okay okay oh okay III have a menu okay what does it say with uh gives me options okay what are your boots ah Network hard drives okay do you see something called file setup oh yeah yeah okay click on fire set up ok ok now tell me what you see well it is main security advanced exit okay you need to go to on boot sequence you see boot sequence oh no I see main security advance and exit ok hold on do you see boots um let me go to advanced yes yes I see boot ok DC authentication um hydride password or by a password um both should work okay on we need to give the hard drive password okay okay hold on let me go there okay pop okay and what is it what is the passed away so I can give you the password only once okay or twice uh-huh okay uh-huh and press enter and just ring um it died confirm okay type in same number okay aha and press enter okay and tell me what you see it says completed click Okay on was that the old hard drive password right that was the hard drive yeah okay so the hard drive has been unlocked now we need to unlock the BIOS so click on administrative supervisor password yeah yeah and the R is asking you for a password yeah yeah okay all you need to type in okay okay okay okay press enter AHA and confirm it do you remember it no okay I'll give it you again all right okay okay okay and press Enter and tell me what you see procedure it it successfully added it successfully what but it it did successfully added it it changed it okay can you look on the very top center of the screen and tell me juicy this is a BIOS setup utility or inside h20 setup utility ah no it it did not okay Dee is it is it um the is there a top light blue bar yeah it's light blue yet the whole screen is blue okay hold on and that black matters all right um do you see a column on the left side system onboard devices video security do you do you see that okay can you find the model number of your computer yes hold on okay pretty much sputtered with you need model the model yes why do you need model so I can generate a password for you oh ok ok 1 1 1 1 1 all right yes yeah it it it is it is ok it is a Dell Precision G as in Tom five eight one zero okay do you have the serial number or express service code um I do not feed ok might be called service tag and yet either the service tag or the Express service code uh I do not I do not know that okay hold on okay it should be on the top of the computer there should be a sticker black sticker on top of the desktop on the top of the death deck stuff I do not see if you can look at what it is not like I cannot I cannot access it it's locked yeah okay um so right now do you see on yours look on your screen look on the upper left corner aha and do you see something I'll do see it it's say the model number oh I do not see it that I just know how asses on front of it okay so on can you reach me what it said on the left side there should be a list on the left side the Dell Precision no only one I heard it on your screen you Dell okay what else does say on the screen wait sir sir sir wait wait wait wait no III am helping you I I am supposed to be helping you no this is Dell technical support department we are Beijing and Washington DC today it is well it's based in Washington DC okay press f10 press f10 on your keyboard Hong and tell me what it says uh-huh take the detector okay click on yes okay and press Enter this is restarting okay ah not good look good no good no good no no no this no no this no good it's not good sir sir yes does that do want to do one it's a dub BIOS is locked okay so I need you to provide me a nine digit code or a six digit code for a session key but I died okay so right now your computer is locked local ipsilon to me listen to me let me tell you one to your computers right now is locked by all the hackers and they're stealing your financial details and you need to pay know importantly not good 100 99 rupees is it nope it's 100 99 rupees oh no no no only 199 yes that does not better in manual open so you can send it to your PayPal you want 199 rupees yep that's what it says here after collected donation but do you know how much that is yes rupees on you you are you are in u.s. well correct we are based in Washington DC you want you want hold on I have charge here hold on let me look at chart I have chart on wall three US dollar yes two three US dollar yes all night do your thoughts okay that's that didn't but 199 movie is not done much money I can I can afford that I have I have I have lots of money I'm very rich man how much do you have whoopee yep how many rupees yep hey Vivian how much 1 billion over ok the price has gone up what the price is going up why because you're rich okay hey hey sir hold on let me look at it will cost 19 thousand 999 rupee how many 19 thousand 999 rupee 20 thousand so so so like a 300 u.s. dollar right so that's for the two years of work plan with getting premium tech support from a fake Microsoft Tech Support so so what have you done to my computer ok so right now this is what right now ladies not my computer ok not my committee open ends my 25 you were net stud you can use a fucking kill me he will fucking kill me ok that chase can you pass it on to your manager so he is in the other room he will fucking kill me okay so it is a scam what is this a scam it's what the damn is this skin you are scamming me no I'm not scaring you yes you are you're scaring me ok but you were working from safe tech support Microsoft we are from Microsoft we are Microsoft with we're not fucking Microsoft whatever fuck you fuck you you fucking fucker you're not mad at us what the heart no we're not fucking Microsoft what the fuck have you fucking done you fucking idiot let it should know this is not good not good not good at all ok so immature are you mocking me hmm do you have any idea who you are fucking with oh yeah take tech support I will fucking destroy your fucking computer okay do it fix I support you without a computer oh no oh no oh no I think oh this not oh ok so what you listen to me what you have to do okay listen ok this was server this was server this not computed this was server is it listen if it was a circle you would done if it would be server done listen to me if it was a server you wouldn't be using it to give tech supports people no no do you know he'll run okay with it no no no no now no computers work okay look remove three two one oh no it's still online I gotta take that offline first now no computers work no no computers work are you on a domain no no no what well are you on a domain good I think so okay so what you need to do reinstall windows on all the computers okay okay what's the company work for do the comp is that I just want to feed my family I want to provide for my family I do not want them be armed and to anyone I just want to provide for my family okay so we're working for Microsoft no but we all say that okay here supervisor rahid rakish you know low heat okay can I talk to him

hello everyone so um is that my audio is that yours alright so I'm my name is Krista goin I'm a PhD candidate at Indiana University and I'm gonna be talking about government surveillance today my day job I guess is two things so first I'm a researcher and activists that work on privacy and security issues I also work half time at the Federal Trade Commission where I assist the team of lawyers and going after companies that violate your privacy unfortunately in the United States there's actually no federal agency that's tasked with protecting your privacy from the government the FTC has no official position on the department of justice or NSA's abuse of your civil liberties and so for those reasons I'm not speaking on behalf of the FTC here this is this is definitely my student research so my dissertation relates or is focused on the the relationship between ISPs in the government and so this is this is basically a collection of some of the research I've put together over the last year or two so you might remember me a few years ago I made a website that made fake boarding passes that led to the FBI writing my house at two in the morning shortly after that they finally got around to fixing the ease with which you could manipulate boarding passes now there are cryptographic hashes on the boarding passes whether you could consider that a good thing or not you know that's that's up to you alright so this talk is going to be focused on on a few things so first how often the companies provide our our costs the people's data to law enforcement intelligence agencies what data that can they be forced the club disclose how much money do they make by selling your data to the government and which engineering and legal practices can actually impact the degree to which your information is disclosed Sokka some companies actually fight both through legal means and through engineering means and I'm going to be shedding some light on those because it's for the most part they're just not really known right so part one how often does the government get our data alright so you might remember from the movies you know the old days of wiretapping was someone climbing up a telephone pole and and and listening in on headphones that's not how wiretaps work anymore right this is how wiretaps work someone sitting in an air-conditioned data center typing away at a keyboard pulling down a trunk full of data right when you store your data in the cloud Google doesn't get a visit at 2am by from armed police they don't seize Google's hard drives right Google just sends them a DVD with your data you know there's a reason that this shift from hosting data on our personal computers to hosting it in the cloud is important and impacts that the way the way the government gets information so there are bottlenecks with regard to government resources they only have so many agents and so many officials and so many lawyers right and so consider the marginal increase in work five more searches of homes that means five more teams that have to go out and raid the house and take all your data versus asking Google for five more accounts you're just adding a few names to an existing subpoena or existing search warrant and so it's really really easy for the government to benefit from sort of other network effect with ISPs they can ask for 20 more users information at very little cost all right so well what do we know about the extent of surveillance today so there are surveillance statistics that are published according to to some federal statutes for certain kinds of surveillance but a lot of the information that I have and I'm presenting here I've gone through the Freedom of Information Act through friends that I've made in Washington DC and a really effective strategy is getting company's lawyers drunk they they like to talk and when you promise them that you want name you won't name them they're actually willing to give up the goods it's important to note that the stats that I have by and large don't cover intelligence and the reason for that is that intelligence requests are shrouded in secrecy we have some stats regarding the number of pfizer orders which is a foreign intelligence surveillance court but they list the number of requests or the number of court orders not the number of individuals and so one court order can get 10,000 people's information right so we know nothing about the intelligence industry but we do know plenty about law enforcement so the first sort of a method of surveillance a bit talking about his wiretaps this is real-time interception of communications content includes voice communications text instant messaging and network traffic dumps like think TCP dump to get one you need what's called a super warrant this is a really really high legal standard it's a pain in the ass to get and then it takes a little bit of time and the police have to show probable cause they have to show there's probable cause to believe that you've broken the law they also have to show that they've gone through the all these other steps to try and get data and it failed all right so let's look into the wiretap stats and see what we can figure out so the first thing is this the use of surveillance intercepts grows every year so this is a 1987 through 2009 you can see a clear increase the blue is total intercepts and the red is federal intercepts so take home lesson here is that the federal usage isn't really going up that much but States is skyrocketing also important to note that look at between 1999 and 2001 2003 you would assume that after nine eleven there would be a massive increase in the number of wiretaps it's not there and the reason is because the the massive buildup of surveillance that happened after nine eleven wasn't law enforcement it was intelligence all right next take home lesson drugs are bad if you value your privacy all right so these are the major offences specifies an inner specified in intercept orders narcotics versus other crimes you can see that your chance of getting wire topped if you're engaged in drugs is pretty high and if you're engaged into anything else it's pretty low take-home lesson here is if you're going to break the law and don't want any wires out to stick with something safer like murder bribery or extortion you can see this from the numbers here right so we have two thousand intercepts a year for narcotics and nine for robbery these numbers speak for themselves right so the police are focused on drugs this is this is the this is the impact of the war on drugs in this country and most of the requests are coming from New York and California which have specialized Drug Task Forces these are agents who are trained in the process of getting these these pan the asks court orders um you're not seeing a police officer in podunk Minnesota who is going to go through all the efforts to do a wire that these are special units in LA and New York San Francisco all right next trend foreign surveillance interest increases each year while other forms decline and this isn't due to increases from the feds but this is due to the states so I don't know if you can see this graph but the take-home lesson here the blue thing is total phone intercepts with those have skyrocketed again due to use of the states the little things on that start on the left and the orange and a few other colors those are electronic surveillance so basically electronic surveillance is zero at this point so in in 2009 so actually one of the two thousand nine ninety-five percent of intercept borders were for portable devices so this is your cell phone being surveilled if you are using a phone in your house the chance of them are tapping is also very very slim so again you can see here from from the stats portal devices which are green are the lion's share just massive massive numbers here electronic intercept orders so that that's computers and other things used to be significant in number right so if we look through 1997a you know in 1999 there are nearly 700 electronic intercepts a year and if you go to 2 2009 you can see that you can't even see it on the graph and they've punched to less than five a year all right so we used to have hundreds of electronic intercepts and now we have five or 10 a year combined for federal and state so what happens this is electronic intercept so that category used to include pagers faxes and computers and when people stopped using pagers the number of electronic intercepts went down so why are there no network wiretaps the reason is because they're expensive law enforcement has to maintain a leased line back to their back from the ISPs data center back to theirs it's expensive it requires all this fancy gear they don't have the training to do it so law enforcement agencies just really are not doing network level wiretaps the instead they're going after the fact to your ISP and getting your store data that's your store to email your search queries and this other stuff like why tap your ISP in real time when you can go out for the fat and get it at much much cheaper prices so another interesting data point we used to hear for years that encryption was going to be the scourge of law enforcement how can they keep us safe when criminals are going to be using PGP and so a few years ago the Senate initiated a bill that got reporting of encryption added to the stats so every year law enforcement have to reveal how many cases of encryption they found when they were doing wiretaps so the take-home lesson here first is it they're not encountering it and when they are encountering it doesn't stop them from getting what they're after now again I have to clarify that this is not intelligence collection of data right so NSA is seeing encryption because they're monitoring skype but again you're podunk police officer in the south is not playing with encryption and they're not seeing it because the criminals that they're going after they don't know how to use encryption all right another category of data pen registers so this is the real time capture of non-content communications data we're thinking IP headers to and from information on emails the phone numbers dialed the URLs viewed in some cases and also geolocation data when combined with another kind of order the standard for getting these is ridiculously low it's called relevance to an ongoing investigation this is so so easy to get and as you'll see from the numbers you know they're a lot more of them all right so we have in 2008 14,000 pen registers a year at the federal level this doesn't include States um these reports are not public I had to FOIA these and then get some other stuff leaked to me but we're seeing massive massive numbers like five or six times the number of wiretaps and the reason is one it's really really easy to get there's no there's no evidentiary threshold that they really have to surpass and to the data is not as difficult to parse right they get a list of the phone numbers that are dialed in real time as opposed to having to deal with gigabytes of network transfers all right this is where the mother lode is stored communications and other data oops I move that all right well I'll get to that into them all right so before that location location requests have become a massive massive problem or massive massive tool if you take the perspective of law enforcement it is routine now if there is a murder and the police don't know who did it they call up the phone companies and they say tell us everyone that was within 200 feet of the corner of first and main street at seven p.m. on friday night they can get hundreds of people's information with this the legal threshold to get this historic and historical information super super low the historical information is usually usually cell tower data that is not super accurate but real-time data is based on gps pings or tower triangulation data which is really accurate in some parts of the country it requires a warrant but in often in other areas it can be gotten with a far lower legal process in fact the the standard varies by magistrate in a district so two judges down down the hall from each other can can have different standards this is a big problem because there's no federal guidance as to what the standard should be so it's caught this this is a quote from a house judiciary hearing a few weeks or a few months ago this is a lawyer representing tmobile and a few other companies it's common in hybrid location orders for the government to seek the location of the community of interest that is the location of persons with whom the target communicates so that means if you're under investigation not only is the government getting your location information but they're also getting a location information of everyone that you've called and that everyone who's called you with one order this is really really scary the extent to which they're getting this data and then putting it in a database and keeping it forever so this is a slide that I acquired that was presented at an intelligence conference a few years ago this is a British software solutions company that created a plugin for google earth this shows real-time geographic information geographic sell information on 60 million indonesian cellphone users in google earth so an analyst can sit at a desk top and in real time zoom from the city level down to the street level and see a little dot for every phone this is really really scary and if these companies are so these are Western companies that are selling it around the world you can bet that they're selling it to governments that are slightly closer to our hearts all right so this is something I'm particularly proud of last fall there was a conference in washington DC called ISS world it's some it's nicknamed the wire toppers ball to closed-door conference where surveillance software vendors get together and show off their products to intelligence and law enforcement officials from around the world and a nice lock in it's fun as first time i shaved in six years put on a suit anyway so so i went there and collected some information I rather than explaining it myself I'll let my friend Steven do it for me it was recently revealed that sprint gives the government their customers GPS coordinates sprints electronic surveillance manager Paul Taylor describes the program's success their GPS well we turn it on for law enforcement about one year ago last month and we just had a million requests that conversation was recorded without mr. Taylor's consent which is a terrible violation of sprint's violation of your privacy all right i mean it's funny right but what the fuck are these guys doing eight million pings in one year so what sprint did is they set up a special website where law enforcement can log in and view real-time coordinates for any individual under surveillance now sprint used to charge per paying two hundred and fifty dollars per ping back in the old days when they had an analyst sit down and type the command themselves they removed that that step and now law enforcement is logs in on respect their own special web interface sprint also has created a system they called El site which is an API that law enforcement agencies can can program to and then access the information they want with their own systems so the DEA the Drug Enforcement Administration is the first test pilot user of the system and every DA office has a terminal in it where an agent can sit down and type up there the subpoena or the order or whatever it gets sent electronically cryptographically signed to sprint systems it gets put in a bug tracker spin Sprint's people like monitor it get put the data back in and then I get sent back to the analyst it's cut the response time from days two hours so a sprint employee or the DEA folks put it in the evening before the next morning the date is waiting for them I mean it's cutting through red tape but I would argue that the red tape is actually a feature not a bug but this this stuff is really scary Sprint is not the only company that is providing this GPS information but they are at least right now as far as I know the only one that has provided it in such an easy and friendly to use manner all right so stored Communications I'm to my slides before alright so this includes your email inbox your google documents your spreadsheets your search queries your password protected private blogs your instant messaging communications if saved by a service writer and archived cellular text messages so this is all the data we store with Google and Yahoo and Microsoft and Flickr and all these other companies and the legal standard to get this information is ridiculously low and so obscure and weird right so if your emails are 180 days old it requires one threshold but once it 181 days it's a much lower threshold the minute you've opened up through emails it's easier for the government to get they can get your sent mail and your drafts with a single sip with a simple subpoena that the standards are just really really weird but the take-home messages it's very easy for them to get your information so most most isp's don't talk about the number of requests they get google is actually the first and they release this really handy tool in april this year and they show on a country-by-country basis how many requests they get take-home lesson here message really is that they're not getting that many requests so 3500 requests a year in the US but again that doesn't say how many individuals communications were disclosed just how many requests and one request can be for 10,000 individuals it also notes that this doesn't include intelligence orders because it's illegal for Google to disclose the existence of those but no other isp has created anything like this and google has pledged that every six months they'll be updating this so this actually pretty cool even if it isn't actually particular useful all right a few other data points in May of 2009 an unknown facebook employee gave an interview with Newsweek saying that they were getting between 10 and 20 requests per day that was when they had like 200 million users now they have a 500 million so maybe it's twice as much as that in 2006 AOL was getting a thousand requests a month but that was when a wall had customers so I don't know how many they're kidding now Time Warner revealed just recently that they got about 560 requests a month this is because they don't want to provide people's IP addresses to copyright lawsuits that they reveal dust at this data point they said that nearly all of those requests they get right now come from law enforcement verizon gets a shitload of requests they get the thousand requests a year and approximately 35,000 hours from federal officials and fifty-four thousand from state and local officials we don't have any numbers for AT&T or sprint or t-mobile but it's reasonable to assume the vast majority the requests are going to phone companies right now this is because they have the longest relationship with the government like all the police know how to submit a request to to AT&T or as they don't know how to submit a request the Twitter alright so this awesome document landed in my lap a few weeks back so this is you'll see that the details in a minute this is there's a really nice DOJ agency that can't disclose the identity of them yet that keeps a database of every request they submit to every ISP and they list the recipient of the request and the reason for it so this is information from 2006 you can see that Yahoo and Microsoft hotmail sure that the big winners here the recipient the major recipients 2010 oh look myspace now the number one recipient but by a huge margin myspace is just receiving massive amounts of requests well a few years ago a researcher Berkman named Anna voyage hypothesize that the basically poor people use myspace and rich people use facebook there's been a white flight from from myspace and that the only people who are left behind or those not likely to go to college well you know what unsurprisingly if there are people if there are people who are more poor and more minorities on myspace then they're going to get more requests because they're unfortunately on the receiving end of most government investigations in the real world so why not in cyberspace to what these users don't know is that myspace actually goes out of their way to help the government myspace is by far the best friend forever of the government and I'll get into that later but myspace is chief security officer told me at a conference that he takes it's a matter of pride that the company doesn't charge for the tens of thousands of requests they get per year they they see it as a service to their customers their customers being of course the government alright so those are the stats that we have now let's look into something a little bit more interesting so in which ways in which technical ways can companies actually differ on privacy and protect their customers all right first email headers this is a lovely technical audience I can speak about these things we all know that there is infant interesting information and email headers what you may not know is that webmail providers voluntarily put in some special headers so Microsoft and Yahoo put in their customers current IP address in the headers of the outgoing emails what that means is that if you're sitting in an internet cafe at your house and using Microsoft hotmail or yahoo your computer's IP address is going in the outbound email header not Microsoft or Yahoo's servers IP address um this is not required by technical standard this is something that they've chosen to do to help the government or to cut down on them of requests they receive from the government but Google doesn't do this in several other webmail providers are not doing this so it's important to note that these two companies are voluntarily providing their customers information and actually not telling their customers that they're doing this they're not the only one though so between 2006 and 2009 Facebook was adding users IP addresses to every automated message that was sent so if you commented on someone's wall or you poke them or did something stupid like that your IP address would get sent in the in the notice that was was sent to them I think it's slightly interesting but suck male the email server and named after Zuckerberg was leaking your personal information so in 2009 they changed they they started including the information in an encoded form this is base64 so it doesn't take rocket science to reverse it once people figured out what was going on the company quickly removed it but you know the impact of including this information is that when this information is in a header these companies are not in the loop when they get a request from law enforcement so if i send a threatening email to someone with a yahoo account they can look in the header and know exactly which dial-up or broadband is p i use okay well you know I yahoo or Microsoft we're going to have to give that information up anyway but what if the request comes from the government of Burma or Pakistan or Zimbabwe where those ISPs actually will tell the government's to get lost in those instances you know people in those countries would have had more privacy have been information not been provided all right so another really interesting data point mobile phone and broadband IP addresses so at that same conference I went to Oregon where I was lucky enough to record the executive from sprint talking and he revealed that sprint statically assigns all of their broadband customers IP addresses and they keep the logs of who has which IP address for 24 months they also have the URL history of every web page you view using their web gateway and they keep those for two years but they note that they don't store it for law enforcement purposes they start because when they originally launched their service in 2001 they thought they were going to build by the megabyte but then they decide not to do that but the reason they keep it is because marketing wants to rifle through the data how nice of sprint so if you're using sprint they know which IP address you use which means if you leave a nasty comment and someone's blog and then that person tries to unmask you Sprint is in a position to reveal who you are and which websites you were going to at that time contrast this to cricket which is a prepaid service aimed at the the poor in inner cities they use level 3 communications which is a upstream provider they use that they have no idea which users are using which connections everyone in the same city comes from a single IP address and so in this so this is the this is cricket surveillance manager at the same conference and they're apologizing they're saying look we're really sorry we're not able to help you law enforcement well you know we'd like to but our infrastructures doesn't provide us with that data so if you're a cricket user and you leave a nasty comment on someone's blog that person isn't gonna be able to unmask you you know that's a cool feature but cricket is apologetic they are not advertising this as a privacy feature also at the same conference t-mobile's person said yep we're in the same boat as cricket we don't have the ability to determine IP addresses everyone comes from the same address in the city so if you were a tmobile user you can have far more confidence in your ability to leave the framing comments or download bit torrent files over their network then if you're using sprint I'm not advising that you do that but I would definitely consider that issue when you're deciding who to renew your mobile contract with all right this is an issue that's near and dear to my heart https for webmail so many of you have seen the wall of sheep in previous years i think it's running this year as well all right so when we use wireless networks and we're not using encryption our usernames and passwords go over the network in the clear which means that anyone running a packet sniffer can hijack your information get it break into your account steal your data the solution for this is not rocket science right like it's HTTPS it's used been used by banks for the last 15 years in 2008 google said HTTPS can make your mail slower your computer has to do extra work to decrypt all that data encrypted data doesn't travel across the internet as efficiently as an unencrypted data that's why we leave the choice up to you now in all fairness Google at least offered its customers a choice every other web mail provider at the time didn't even offer HTTPS so Google was at least ahead of the pack and offering it but the choice that they were offering was an option in their inner settings the last of 13 options after Unicode keyboard shortcuts and vacation responders so it wasn't exactly a high priority setting in their eyes well in 2010 Google said you know over the last few months we've been researching the security and latency trade-offs who decided that turning HTTPS on for everyone is the right thing to do and then just this week in testimony before Congress Alma Witten Google's lead privacy engineers said you know we hope other companies will join us soon follow our lead were the first and only provider to do this blah blah blah well why did Google do this what caused him to change your tune well last May or last June I wrote an open letter to Eric Schmidt and it was signed by 38 other experts including some some folks who speak at this conference and some folks in the community and they said we said look this is the responsible thing turn the shit on encrypt your users data it's totally irresponsible to let this stuff go out and make it over the wire Google turn around said yeah we're going to we're going to look into this and then six months later they did it all right so who's still doesn't offer HTTPS by default Twitter Facebook Google's other services so Google Docs Google Calendar Google search they just started offering encrypted search a month or two ago but it's not on by default all right who doesn't use HTTPS at all even as a configurable option to Yahoo Hotmail Bing search myspace these providers don't offer any encryption at all after your username and password goes out over the wire all right well maybe it's expensive right like buying all those crypto accelerators it's really really expensive it's about this gear put in data centers configure these servers how many thousands of servers does it require to support ssl none at this point it's free so this is Google's SSL engineer Adam Langley on a blog post just last month revealing that they had 0 new machines deploy that ssl accounts for less than 1% of the cpu load less than 10k per memory per connection and less than 2% network overhead so encryption is free for these companies this means there is no longer any reason not to protect your customer data with ssl right ssl is awesome it protects your people your users from passive network monitoring it protects them from from many hijack attacks and it protects them from passive Network surveillance by you know folks at NSA who have convinced AT&T to give them access to their backbone this is a good thing and many isps should be doing it all right bet it network encryption isn't enough we also need storage encryption so when you upload your data into the cloud the file should be encrypted so that you know no one can get the information a few companies have been leading the way here so I don't know how many of you using the Firefox web browser they have an add-on that's I think and we come part of the browser at some point called Firefox Sync is synchronized as your cookies and bookmarks and stuff across multiple computers across your wireless or your your hands handheld and the data stored on Mozilla servers but it's encrypted with a key that Mozilla doesn't have Mozilla cannot be compelled to reveal your bookmarks this is a really awesome thing and probably the reason that they've designed it this way is because they're not profiting from it right whereas your webmail provider pays for their costs by scanning your email and showing you ads it's unlikely that they're ever going to be able to offer you encrypted storage of your data right they need to be able to access the plain text of your communications to pay their their hosting costs to other awesome services SpiderOak is a secure backup service and tar Snap is a similar service that has no graphical user interface both offer encrypted backups really really cool really fun and subpoena proof what about data retention so through through collecting some information I've been able to get the data retention periods for a bunch of service providers some of this stuff has been leaked I've gotten other information other ways take-home lesson is that your IP address connection information is retained across the board at companies Microsoft keeps it for 60 days AOL keeps it for 90 days myspace for a year Time Warner for six months companies all have these policies they all have established policies for how long they keep data and when they delete it but they don't tell their customers about these policies the one area where they do tell their customers is in the search engine in space so over the last couple years european regulators have been beating up the search engines and pushing them to start deleting IP address data in response all have moved right so Microsoft now deletes the entire IP address from their logs after six months Yahoo anonymize is some of their logs after three months they keep a second set for security purposes that only a few engineers have access to but it can still be subpoenaed up until six months and then Google does a really shitty job of anonymizing their data they delete the last octet of the IP address and nine months so like one in 255 Google is not doing a good job in the space but but they're all anonymizing their logs after a certain number of months well does this matter no so Google's head privacy lawyers spoke to Wired in 2007 and basically said that when law enforcement comes for data they come a couple days after the searchers we're done right so deleting the data six months at nine months at one month it doesn't really matter because when law enforcement is coming the companies have the full data in there what about Microsoft well they were asked by the New York Times a couple years ago why they wouldn't adopt zero data retention and microsoft said too much privacy is actually dangerous anonymize search can become a haven for child predators and we want to make sure that users have control and choices but at the same time we want to provide a security balance well you know I don't really want my service provider to be striking that balance I wanted to be deleting the data on day one or two not keep it in the first place but you should think about this when companies say we protect your privacy we care about your privacy we put your privacy first then they're making these statements and cutting these deals behind closed doors right so when companies talk about putting your privacy first what they're talking about is putting your commercial privacy first we want to share your data with third parties we want to sell your data none of them consider their relationship with the government to be part of that aspect of privacy so one interesting thing is that when companies have these data retention policies and they don't talk about the data retention policies when they change the number of months after which they keep the data no one knows alright so this is these are screenshots from myspaces law enforcement handbook which they published and compile and pretend give to any law enforcement official in the country you can see it in 2006 they kept 90 days worth of logs and in 2007 they kept to one year of logs so they massively multiply the length in which they keep data and they never told their customers the reason is their privacy policy doesn't include this stuff the privacy policy says we will provide your data you know in certain circumstances we protect your privacy we value privacy blah blah blah but they don't actually include the important details the place those details are listed are in the law enforcement handbooks they don't share with their customers all right so there are also these non technical methods by which companies can protect your privacy and companies do differ in these ways right so not every company is the same and in the way that they respond to requests emergency requests all right so we have requests that come with court orders we have requests that come with subpoenas that has come with some legal process and we have these emergency requests what this means is the law says if a provider in good faith believes that an emergency involving danger of death or serious physical injury to any person requires disclosure or delay of communications relating to the emergency so what this means is that the feds or local police can go to an ISP and say someone's going to die we need this person's data it sounds reasonable right you don't want to stop the investigation its tracks well when you have two paths one with high work and one with low work everything shifts to the low work track and so suddenly there are lots and lots of emergencies so how many are there a huge fucking amount so of the approximately ninety thousand requests that Verizon received from government agencies each year twenty five thousand or emergency requests these are requests that have no court order no subpoena no search warrant no oversight at all this is a police officer calling them up or writing a fax saying someone's going to die and the ISPs don't even have to learn about the circumstances they can take the police on their word so the important thing is here that the feds are not actually submitting loads of emergency requests to verizon they're all from state and local law enforcement so like missing person in the woods or you know a murder or something I don't know what what you know what the cases are because unfortunately because there's no court order there's also no paper trail to follow up so we have no idea what these emergencies are it's important to note that a voluntary disclosure means a voluntary disclosure right so according to the internet service providers Association which represents all the big ISPs there is never an emergency obligation on a nice we disclose the ISP has the right to tell the government to get lost and to come back with a warrant they can and in some cases the ISPs do there is a process by which you know the police can wake up at two in the morning and get him to sign a court order I know because they did one and use it to break into my house they can call a pope magistrate over the phone and and he'll issue the order by fax it can take half an hour so this isn't a serious issue but very few ISPs actually say no alright so a company's policy on emergency requests is one of the most important indicators regarding its overall commitment to privacy because this is an area where they can actually say no when they get a court order or they get a search warrant there's nothing they can really do the warrant is if it's valid they have to disclose the data but when it's a voluntary request isp can put their foot down but we don't know how many say no because they don't talk about it this is like an area of uber uber secrecy because the ISPs think that if customers find out that they're doing this that they will not entrust them with their data may be for a good reason all right well what about the cost rights nothing is free in this world companies are legally permitted to pass along the cost of surveillance to the government this includes labor capital costs including associated with hardware and software the development of the of the wiretapping systems as an example sprint has a hundred employees doing nothing but wiretapping their customers and providing their customers call records and location and other stuff that isn't free right those those folks all have salaries what what's interesting is that you know these companies charge you know on a regular basis and actually right now several I big ISPs are under investigation by the Department of Justice for overcharging the government again because we don't know how much they're charging all right so this is some information that came out of report a couple years ago this details the prices for different ISPs it's tough to read but yet basically you can see that the average cost of intercept is between one and a half and two and a half thousand dollars they're charging big bucks for these intercepts not everyone charges them so myspace Facebook and Microsoft don't charge at all they've decided that they would like to help the government in any way they can so they just give the information for free well you know is it good or bad that these companies are charging well so they're actually some benefits the public when is P is charged this is again a telecommunications lawyer godari speaking when records are free law enforcement over consumes with abandon but when service providers charge for extracting data law enforcement requests are more tailored also when they when you charge there's an invoice there's a there's a paper trail and so over the last couple of years I've been filing FOIA requests to get the invoices so you can see here the google charges $25 for your email account it's pretty interesting to know also yahoo charges twenty dollars and thirty-nine cents or twenty dollars and 41 cents what's the difference between those two numbers the increase in the cost of a stamp Yahoo is passing on the cost of a stamp to the government for every time they hand over your data I think this is pretty cool actually alright so as I said before all of these ISPs have surveillance manuals in which they detail their policies that costs everything else they provide sample subpoenas so that the police don't have to spend as much time writing up the requests many of these these surveillance manuals have leaked onto the internet recently I've got copies and they're really interesting you can see them all at crypto morgue that's where they're all hosted this is my favorite this is sprint surveillance manual you can check out the awesome clip art thankfully folks other companies are pitching in like Yahoo who is currently facing a Freedom of Information suit that seeks to learn how much money they made selling their customers private information to the feds they are fighting this suit because according to their lawyer the information if disclosed would be used to shame yahoo and other companies and to shock their customers I for one am shocked does yahoo still have customers so you know there's always this talk about bloggers ripping off the mainstream media and I don't know if Stephen Colbert accounts as the mainstream media but both that sprint recording and this foil request that he's citing are mine and he didn't mention my name on the air so I think it's totally appropriate that I then make it use a clip of his without paying for it all right so we know the ISPs differ on privacy we know that some fight more requests and others we know that the some go out of their way to help the government I think it's interesting to note that so Yahoo's surveillance manual showed up on a crypt home which is a website yahoo sent a cease-and-desist then a few weeks later in Microsoft surveillance manual setup in crypto and Microsoft's like really went hardcore after crypto man had the site shut down like their upstream ISP pulled the connection for a little while these companies don't want their surveillance manuals getting out because it makes them look bad right like there's they're spilling all the goods and describing all the ways in which the government can get your data and the prices they charge like this is damning stuff but i really recommend that you look through these because it's really interesting all right so from this information though maybe we can take it do a little bit of analysis and say well which is peas sucked the least which is P is not going to totally violate your privacy all right so let's start with sprint sprint retains the IP address logs and the URLs viewed for two years and they provided eight million GPS pings to law enforcement in one year another thing these guys are really good so I wouldn't recommend using sprint verizon when sued by eff for assisting in the warrantless wiretapping program actually went to court and an argue that they had a First Amendment right to disclose their customers communications to the government they believe they have a free speech right to have to share your information so so screw verizon what about AT&T one word alright so sort of by process of a process of elimination t-mobile is the largest reasonable communications carrier they use nap they have no IP logs to keep they don't retain the URLs that you view and at least I haven't found any public materials that indicate they went along with the NSA warrantless wiretapping program they very well may have but they didn't get caught doing it which is more than I can say for the author too big service writers also it's important to know that prepaid phones or your friends there's a bill in Congress right now to try and ban the use of prepaid SIM cards hasn't gone through yet so I recommend that you buy several SIM cards and share them with your friends um so you know it is important to know the companies do differ on privacy and they don't want to talk about why they differ in many cases they're apologetic for the ways they differ but you know you can significantly impact and protect your own privacy by intelligently picking your service provider your email provider by using an encrypted cloud service rather than one that data minds your information and serves you ads I would like that when you that you get to walk into best buy and in addition to comparing who has the sexiest new phone or who has the cheapest prices that you could actually compare you know who fights law enforcement requests the most or who keeps the least amount of data we don't have that yet but hopefully we will in the near future thank you

uh so my name is Craig Hafner um yay um and obviously I'm going to be talking about hacking routers today specifically what I'm going to be discussing is how an external attacker can gain access to the internal administrative web interface of your common residential gateway router before I start though oh this is the wrong slide set damn it oh well before I start though my my my work did asked me to make a couple statements first of all I'm not doing this on behalf of them I didn't do any research on behalf of them I'm not here as part of my works if you know who I work for stop calling them and emailing them but I decided to focus on router security because there's very little security in home routers I couldn't fit very many screenshots into this slide I had about 17 more and all of these all these vulnerabilities typically are only exploitable from the land because most of them you know end up being in the web interface which typically most people don't have remote administration enabled so the question for an attacker is not how do I attack these devices and hack them the question is how do I get access to the device if I'm not on the land so the answer to that is typically either cross-site request forgery or DNS rebinding and request forgery is really popular because it's very very easy to do but it has a lot of limitations especially when you're going after routers so first of all you can't rely on there being a trust relationship between the internal clients browser and the router because no one ever logs into their routers so you can't exploit that you can't Forge basic authentication logins anymore with cross-site request forgery used to be able to do you know user : password app and then the URL it doesn't work anymore ie doesn't even recognize that as a valid URL and Firefox will actually throw a warning to the user so you can't rely on that either there's also some anti cross-site request forgery mechanisms in some routers this action tech router is one actually that I'll be demoing later and ultimately cross-site request forgery is limited by the same-origin policy in the browser and it always has been so if you're not familiar with the same-origin policy basically what it says is okay if I browse out to attacker comm I load up some JavaScript from attacker comm that JavaScript can interact with any page on attacker comm but it can't interact with Google calm or 192.168.1.1 and that's good because you don't want some random person's JavaScript talking to your router so that's where DNS rebinding comes in the premise behind DNS rebinding is basically okay well if the browser is going to implement security based on the domain name that's fine just tell it that attacker com has switched IP addresses to one ninety two dot one sixty eight dot one dot one so now when the attack is JavaScript connects back to attacker com the request actually goes to your router but DNS rebinding has been around for a long long time you know it's like 1996 cold and wants this exploit back it's been around forever and so people have put in Prevention's to stop it or try to stop it anyway and so browsers have put in patches and you know third-party plugins and put in patches and you also have services and tools like Open DNS no script DNS wall DNS mask also has some anti rebinding stuff in it and these these all attempt to stop people from using DNS rebinding to attack your internal network and the way they do that is they say well no external domain should resolve to an internal RFC 1918 non-routable IP address because if it does you're probably not gonna be able to connect to it anyway and if they're doing something malicious then we want to block it so that's basically how these tools work so I'm going to focus on using the multiple a record attack which is one variation of DNS rebinding and if you're not familiar with it really all it is is DNS load balancing that's it you return multiple IP addresses for a DNS lookup and so pretty much any major site does this you know you do a DNS lookup on Google you get five or six IPS back so what happens is the browser's this okay you have three IP addresses fine and it just rides and connect to each IP address in order and if one of those IP addresses goes down that's fine I've got more IP addresses it switches over to the next IP address in the list this attack is limited though and that you cannot target internal IP addresses with us you can target any public IP you want but you can't go after internal IPs so let's take a look at it using this attack to go after a public server so you've got your attacker out there with an IP address of one four one four and he wants to send some malicious content to the web server on two three five eight now he doesn't want his IP address showing up in the logs for whatever reason so he's going to proxy his requests through this client who's you know feeling very safe sitting behind his router so the attackers registered the domain name of attacker comm and he convinces this client to browse out to attacker comm so the first thing the browser does is a DNS lookup says what's the IP address for attacker comm see attackers DNS server then says oh I actually have two IP addresses 1 4 1 4 and 2 3 5 8 now 2 3 5 8 is obviously not the attackers IP address but the browser has no way of verifying that so this is oK you've got two IP addresses I trust you so it's going to try the first IP address first which is 1 4 1 4 does it's get request to the attacker server and the attacker sends back some JavaScript code now that JavaScript code then initiates a request back to attacker comm and the browser says well you came from attacker com you're going back to attacker comm fine that's allowed but when the browser makes this connection to initiate the request the attacker server sends back a TCP reset packet so now the browser says well crap that server is down I better switch over to the second IP address and so now the attackers JavaScript is interacting with the 2 3 5 8 server you can send get requests and get the response back parse the data and even send it back to the attacker if you wants so this is this works this has always worked there's never been anything to stop this from happening and there's certainly you know security issues that arise from this but the real threat has always been attacking the internal lamp so I don't want to go after some public web server I want to go after are the clients router I want to get access to the routers internal interface so this is the same scenario but instead of attacking a public IP the attacker is going to try and rebind to one ninety two dot one sixty eight dot one dot one so again client does a DNS lookup and again the attacker server sends back to IP addresses now the browser says oh we've got two IP addresses oh but one of them is an internal non-routable IP address and the browser will always try internal non-routable IP addresses first regardless of the order in the DNS packet so he's just going to go and send the request to the router and load up the routers web interface in the clients browser this does the attacker no good because the client never got went out to the attackers web server to get his JavaScript so attacker has no presence in the browser he's accomplished nothing um so the problem here is that everyone's focused on protecting internal IP addresses okay routers are kind of unique they have both an internal and an external IP address and so we can actually attack the external IP address using this method and gain access to the internal interface and the reason that works is actually kind of interesting so if you take a look at a netstat on a router and this is actually from an open wrt router take a look at how its binding services these services are bound to every interface on the router so port 80 yeah that's found on your way an interface it's listening on the LAN now what prevents just anyone from on the internet from connecting into the router or your firewall rules now anyone who's looked at open wrt firewall rules notice this is extremely simplified but basically says okay each zero is my way in interface I don't want people connecting in from the web so anything that comes in on each zero drop it everything else will except because that's our internal interfaces that's fine and there's nothing really inherently wrong with this but like the same origin policy this attempts to enforce security based on a name computers don't work on names they work on IP addresses and where this comes back to bite is when you look at how the underlying operating system handles IP packets RFC 1122 defines two different models for implementing an IP stack once called the strong end system model and once called the weak end system model now if you know nothing about these two models other than the names which one do you think is better right but interestingly enough the weak model is actually the more prevalent model of the two it's implemented by Linux BSD I believe Solaris and even previous Windows so let's take a look at how this works this is verbatim from the RFC you can read it if you want RCS are very boring but all this says is okay if if I have if I'm a router or any computer and I receive a packet I'm going to look at the destination IP of that packet and if the destination IP matches any of my IP addresses on any of my interfaces I look set that packet and process it now it could come in on technically the wrong interface so it could come in on a zero and it matches the IP address on the eve one doesn't matter I'll accept it and process it because obviously this is one of my IP addresses and this packets intended for me so let's take a look at how this works in the context of the router okay again we have an internal client a router and the Internet so the router has two interfaces each zero is its public way and interface and eath one is the internal interface now each zero has an IP address of two three five eight that's the routers public IP so what happens when an internal client tries to browse to two three five eight I'm just going to send it TCP syn packet and the routers going to look at this and say ah well the destination IP is two three five eight that's one of my IP addresses awesome and it goes okay the destination port is port 80 well hey guess what I have a service bound to port 80 because remember those services bind to every interface so he says yeah I have a service listening on two three five eight port 80 and two three five eight is my IP address so I'll accept this complete the three-way handshake and so now the client can actually access the routers internal web interface via the public IP so oh wait a minute what happened to that firewall rule where we had a firewall rule that says block everything on each zero right well if you take a look at the traffic the top window is e0 and the bottom window is each one no traffic ever went over each zero the week and system model logic happens pre routing so everything gets accepted and processed on the internal interface so that firewall rule that we have that says block everything on a zero does nothing because there's no traffic on the zero so ultimately an internal client can punch in the public IP and get the web interface now again this by itself is really not a problem it's not a vulnerability per se but as an external attacker can rebind any internal client to any public IP I want including the routers public IP so now if I can do that I can completely bypass all of these protections that are trying to stop me from rebinding to internal IP addresses because I'm not rebinding to an internal IP so let's take another look at our rebinding attack again same scenario as before but this time it's every binding to 192 168 dot one dot one attack is going to rebind to two three five eight so internal client does the DNS lookup and again the attackers DNS sends back to IP addresses the browser looks that says hey you've got two IPS both public IP s that's fine I'll try them in order goes out to one four one four gets the attackers JavaScript JavaScript initiates connection back to attacker comm so the browser goes back to one four one four because that's what worked before but this time he gets a TCP reset packet back and so now he immediately switches over to two three five eight and now the attackers JavaScript has full interactive access to the routers internal web interface so this is a really really nice attack for DNS rebinding because unlike some other DNS rebinding attacks there's there's no delay or waiting period before you can rebind it's pretty much instant we also don't need to know the routers internal IP address that's always kind of a problem because you know routers can have different internal Eyed Peas and people can change the IPS and we don't care because we're rebinding to the public IP another nice thing is this works in all major browsers because this is just how browsers work it's how they handle DNS redundancy the downsides are we have some very specific requirements on the router okay we basically have three specific requirements okay the router has to bind its services to the win interface the firewall rules on the router have to block based on interface name and not destination IP or some similar configuration and the router also has to implement the week end system model so obviously not all routers are going to be vulnerable to this so the question is which routers are so I tested 30 different routers and out of those 17 rivana below includes routers from Asus Belkin Dell which I didn't even know they made routers but apparently they did Thompson these are actually pretty popular over in the UK pre popular DSL routers and one thing I wanted a test I didn't get a chance is the BT home hub which is really popular in the UK and it's basically a rebranded Thompson so those may be vulnerable as well lots of Linksys lots and lots of Linksys devices and I really like this line because the bottom two routers they're the 54 GL and the 160 are on Amazon's top five most popular selling routers list so awesome of course a lot of people put third-party firmware on there Linksys routers and it works against them too now hopefully you have some other security stuff put in place which we'll talk about later if you're running these but not everyone does my favorite though are the action tech router x' and a lot of people might not have heard of action tech because it's not really a big router name but these are the routers at Verizon FiOS and Verizon DSL customers get so these are everywhere let's see the action tech 701 704 and then two versions of the mi 424 WR all of those I tested and it worked against all of them now what's really interesting about these the one on the far right there that and and on the bottom they're both the same router just different hardware versions what's really interesting is the firmware running on these isn't manufactured by action Tech action tech actually uses a commercial third-party firmware called open RG which is made by a company called jungle and jungle claims that this same firmware is deployed in over 23 million households worldwide so awesome I like that so this attack definitely works but we need to make it practical okay you can't just say oh my JavaScript can see your router's internal interface people go yeah okay whatever I don't care um so we have to make it really a practical drive-by attack really to demonstrate what can be done with this okay so we have to get the targets public IP address automatically because we don't want to have to know that before beforehand we want to be able to get that automatically and it seems kind of simple at first but we have to know this before they ever do a DNS lookup on us so we basically have to know their IP before they come to us and that it actually is a simple fix for that the more difficult part is we have to coordinate all our services so the DNS server the web server and the firewall all have to be coordinated they all have to know what state each client is in they often know when to block a client when to allow a client what IP is returned to each client so that requires custom code and so that's a little bit more difficult and finally like I said we have to make it do something useful so that end I wrote the cleverly named tool rebind so it basically does everything for you except registered domain name it's pretty much slash run and you're done it implements a DNS server web server it interfaces with the IP tables firewall it's got an HTTP proxy for the attacker to use a series of JavaScript code which basically acts as a client-side proxy to proxy requests from the attacker to the router and back I tried to make the the JavaScript as quiet as possible so it supports across domain XML HTTP requests for exfiltrating data if that's supported in the browser um ie8 and firefox 3 5 and later support those and i've tested in all major browsers and it works it's quite nice so here's how rebind works I love the robot devil he's the best so you've got an attacker here and he's sitting behind the 1 4 1 4 server and he's running rebind on that server and he wants to target this clients router again appliance routers public IPS 2 3 5 8 and the attackers domain is attacker com so the attacker gets the client to browse to attack or calm slash in it I NIT so again before he does this he has to have the name server setup and rebind has to basically handle all of your DNS queries because rebonds handling the DNS portion of the attack so the attacker before he gets the client to browse he has to go into his registrar wherever he registered his domain name and register a name server just name it NS wanna tacker calm and put in the attackers IP address and then once that's registered as a name server guys to go into his domains configuration and say hey and that's one down attacker comm is the primary name server for my domain that's all the configuration you have to do so once once the client browse is out to attacker comm of course it has to do a DNS lookup rebind is only going to send back one IP address because again remember at this point we don't know the clients public IP we have no idea what it is so he's just gonna say yeah I'm at 1 4 1 4 so the browser grows out to 1 4 1 4 and request /a met now we have the clients public IP because he's made a direct TCP connection to the web server running on rebind so rebind says ah ok I've got your public IP of 2 3 5 8 he then sends back a randomly generated sub domain redirection so randomly generates whack me the attacker comm slash exec and he redirects the client to that now he logs this so the DNS server knows as well and so now the browser says ok this is a 302 HTTP redirect that's fine but this is a new domain so I have to do a new DNS lookup so it's okay whereas wacky attacker.com and so now the DNS server says aha the web server just redirected an IP address of two three five eight to whack my attacker com so if you're requesting whack mean attacker com you must be two three five eight so at this point it sends back the two IP addresses one four one four and two three five eight so again the browser is going to try 1 4 1 4 first request the slash exact page gets the JavaScript and now once rebind does this is going to tell I P tables hey reject any connection on port 80 from 2 3 5 8 with a TCP reset packet so when that JavaScript attempts to connect back to attacker comm he gets a TCP reset from IP tables so now he switches over to 2 3 5 8 and we've rebound attacker com2 the routers public IP successfully now once this happens the JavaScript start going is going to start sending it to request pull requests back to attacker comm on port 81 because remember he's blocked on port 80 so it gets sent to port 81 and basically this pull request is the JavaScript saying what do you want me to do well at this point rebind doesn't have anything for him to do so it sends back nothing but once these pull requests start coming in the attackers web interface has that clients IP address in there yes I know that's not the same IP address but that's ok so all the attacker has to do is click on that IP address and when he does he has his browser configured to use the rebind HTTP proxy so his request actually goes off to the rebind server and repine says ok you want me to do a get request on the index page of 2 3 5 8 no problem so he holds that connection open to the attackers browser and the next time this pull request comes in from the JavaScript he says yeah I got something for you to do do a get request on the index page so the JavaScript that's all right no problem since the get request to whack my attacker comm which is the subdomain that we rebound gets the response sends the response back to rebind and then rebind forwards that back to the attackers browser and so now the attacker is browsing around in side the routers web interface as if he's on the land and you can click on links and submit forums and do everyone's so this is much more fun when you do it as a demo than sitting down and explaining everything so see if I can get a demo going here I will smack you will Shh all right so rebind running and yeah that's it you just run it there's there's no configuration beyond that it does support a bunch of command line options if you want them so my breath this is my browser as the attacker and I've already configured it to use rebind as my proxy so if I type in rebind I should get the web interface for repine and let me fullscreen this so it fits a little better there we go so now I got an attacker over here who's connected to the internal land of this router so I'm going to have him browse to attacker comm slash in it and he should pop up here there we go so now as an attacker I just click and I'm in so this is the login page for Verizon FiOS routers default login is admin password one and no one ever changes it oh that's not good I knew my damn it would fail yeah apparently my client stopped calling back or something terrible happened I swear this works yeah so he caught stopped calling back and I have no idea what let's try it again wouldn't doubt try again right all right so he's back yay okay so we logged in so what I'm going to do now is I'm going to go ahead and just enable remote administration oh yes I do want to proceed thank you let's go down here to remote administration yes I want to proceed Kenton's user interface is so annoying okay so I'm going to enable remote telnet okay okay we're done we've been able to tell that on this guy now you will notice here that the images don't get displayed that's because rebind blocks image requests because I don't give a crap about images and they eat up a lot of bandwidth so now we should be able to if my terminal comes up here telnet to three five eight log in same as before admin password one and you get this weird wireless broadband router thing just type in shell and you get a root shell so yeah so a lot of people say well I get into your router I'll change your DNS settings yet that I hate that that's stupid I don't want to do that I want to own your router so yeah I've got a root shell now I can do you know ARP like oh there's an internal client now I know his IP the downside to these these thing is of course they're running Linux um but it's really stripped-down you don't have netcat you don't have double you get you don't have all these fun things but you do have TFTP so i've cross-compiled a scanning tool to run on the I XP 425 processor this inside this router so I should be able to TFTP it down here and to start attacking the internal land ok so there I got it let me trim on it real quick ok so again this is kind of a real quick thing I threw together a poor-man's netcat that runs on the ARM processor because I had trouble cross compiling netcat for some reason but let's just go ahead and scan that internal IP address we got from the ARP 192 168 1.3 yeah if I type in the right IP it would probably help wouldn't it and let's scan ports 21 22 23 80 and 443 oh that was quick for date is open so we can now do a quick get request to port 80 on this internal server and yeah we get the secret web server page fun so one time into your router I can now go ahead and put whatever tools I want on this thing and run them against your internal network I mean I'm on your internal network at this point which is the great thing about routers they're connected to the Internet and your land fun so really I can turn this into an attack platform to go after your entire internal network at this point and of course routers don't have any kind of and I virus or anything on there so I'm pretty much do whatever the hell I want but we're not we're not limited to attacking the main web interface of the router so again you notice okay I had to login and yeah most people are going to leave the default login so that's a big problem but I can also go after soap services what about you PNP UPnP lets me open up ports on your router to any internal client without any authentication at all I can interface with you PNP using JavaScript it's awesome there's also H snap which I'm not going to go into but HF is the home network administration protocol which some routers implement it does require authentication but I found some issues with certain implementations that allow me to get around that we can also rebind to any public IP we're not restricted to the routers public IP so the repined tool allows you to say hey I don't want to rebind to this guy's router I don't really care about his router I just want to use him as an on-demand botnet to attack this other server over here so here's a list of IP addresses I want you to rebind clients to and then the attacker just has a script that goes through and attacks that service through someone else's web browser so how do we stop this forcefields would be awesome unfortunately I don't have those working yet the luckily is it's fairly easy to stop and to identify so you know first of all if you can punch in the public IP of your router as an internal client and you get the web interface yeah this will work there we go the next line now once you identify that this works the best way to stop it is to break any one of those three requirements we have on the router okay so you can stop the way stuff binds to interfaces you can change firewall rules containes routing rules of course just disabling the HTTP interface is probably the best thing to do anyway we can also do that and then we can also reduce the impact of the attack which is basic security precautions so if you want to block the attack of the router you can potentially tell the router services to bind to specific interfaces not all routers let you do this and most people will not have the technical skill or the access to the router in order to do this so is probably not the best option but if you can do it that's really the best way to do it you can also reconfigure the firewall rules and these are again iptables rules basically says okay my internal interface is 'if one if someone on eath one tries to go to my public IP drop it now the downside just new notice I put in actually slash 16 here the downside of putting in your specific public IP is that as soon as it changes this rule breaks and you have to update it so instead what you should do is do a whois lookup on your public IP for your ISP see what the range is but they're handing out for DHCP and just block that entire range because unless internal clients are trying to like hack your neighbors which hopefully they shouldn't be doing then this won't really affect any kind of internet connectivity that you have you're just blocking all everything in the DCP range that comes from your ISP and then you don't have to update the rule yet don't use HTTP use HTTP at least because if I try and rebind to http you're going to get at least a cert error and that's going to break the attack now if you're administrating a router it's best to use SSH even telnet is better than the web interface most people can't do that though so best suggestion is just disable HTTP and enable HTTPS also disable UPnP while you're at it yeah I noted I know you need for your Xbox you need it for your Skype and all that other crap it's bad don't use it however there are some problems don't just enable HTTPS and leave HTTP enabled because then I can still get to http some routers actually don't let you disable HTTP I've seen routers where there's a checkbox to enable HTTPS and you can't disable HTTP at all so that's a problem some routers have HTTP services listing on alternate ports this router for example listens on both port 80 and port 8080 so if you're if you're disabling this make sure that all of those ports get disabled again I'm bringing up a chap it's a home network administration protocol it uses HTTP not HTTP and in some routers you cannot change that and you cannot disable it so I can still go after that if you have a weak password blocking attacks on the host let's say you don't have access to your router to do this you just don't have sufficient access to make these changes or you don't want to make the changes for whatever reason you can go around to all of your internal hosts and basically put in the same rule say don't allow this host to browse out to the routers public IP because again I need an internal client in order to do this attack so if the internal client can access the router then it breaks the attack the downside of this is you have to do this on every single device that connects to your network and will ever connect to your network that includes your iPad's and your iTouches so that that can certainly be a management nightmare if you have you know more than two or three computers you can also configure dummy routes as well to say hey route everything is going to my public IP me to boot back and of course the connection will never succeed um basic security precautions for God's sakes change your routers default password no one does this hopefully everyone in this room does this but many people don't keep your firmware up-to-date there are a lot of vulnerabilities in this routers if you go online and you have routing like oh there's no vulnerabilities in it that means someone hasn't looked at it close enough yet I'm serious these things are full of security holes so make sure you keep your firmware up-to-date because there's probably a vulnerability out there and if something gets published you want to make sure you have a patch for it assuming your offender actually patches it and don't trust untrusted content and yes everything on the internet is untrusted you cannot trust stuff on the internet especially something called attacker comm yet I would suggest disabling JavaScript or using no script but to be honest that's completely impractical for the average user I can't even I get so annoyed browsing around the internet without JavaScript it's like god damn and I just enable it anyway because it's so annoying everything uses JavaScript and stuff will just break epically if you don't have JavaScript enabled so if you want to do that knock yourself out but again it's not really a good suggestion for the average user because they're not going to do it so vendor and industry solutions so fix the same origin policy in the browser's please this attack has been around for almost 15 years so I know you notice that I don't have fixed DNS up here I know a lot of people say oh we need to fix the NS you know fix ENS this is not a DNS problem I think it's completely unfair to put the burden on the DNS hey DNS was around long before the same-origin policy was DNS was never intended to be used for security but whoever decided in their infinite wisdom to create the same-origin policy set up riku's a DNS which is a completely unauthentic ated unverifiable unsecure protocol and based a security model on it so the problem is with the same origin policy in the browser and that's what needs to be fixed it for if you're if you're a router vendor implement the strong end system model in your router and users will not know or care it will not break anything for them and it will keep them secure from this particular attack you can also build DNS rebinding mitigations into routers the only router that I know of that does this is PF sense because when they saw this post it up on the blackhat site when the talk got accepted and they contacted me I said yeah just check your HTTP host setters make sure the HTTP host header has your host name in it or IP address and not someone else's and so their their actual their beta release for the 2.0 release of pfSense has that check in it so kudos to them but no one else does this to my knowledge and that's a very very simple way to stop any DNS rebinding attack in its tracks so how am i doing on time by the way how many 20 Wow no hope you guys have a lot of questions I went through that a lot faster than I expected so DNS rebinding still poses a threat to the land even with all the security protections out there and things that people have put in because ultimately what they put in doesn't work there is it's like going to the doctor and saying hey I've diarrhea and he gives you a cork it's not a real fix we have tools available to exploit DNS rebinding okay they work well they work the second time at least and really you are ultimately responsible for the security of your network you need to be aware of this stuff I know a lot of people just I talked are talking about DNS rebinding like what the hell are you talking about seriously well I'm gonna smack you yet so make sure that you have this you know about this stuff and you take the proper precautions because I mean you really can't rely on vendors to fix patches in their routers I mean if you have a router this like you know they drop support for it a month ago they're like oh well you just had to buy a new router darn so make sure you're aware the stuff there is stuff that you can do to stop this make sure you do it so with that said the rebind code is going to be posted up on rebind code comm um it's I don't have the code checked in yet but it'll be up there sometime today if you want to contact again do not contact my work contact me and do we have questions yeah yes my question was the JavaScript that you said you had on the client that she put on the client that feeds the routers web interface to your attacker machine yeah it proxies request from the attacker to the router and back so it does that pull request back to rebind and the rebind tells it what to get it gets from the router and then sends it back okay one question yeah no more oh there we go so files is the problem with file says they use mocha for their for their cable connection so you have to have a mocha enabled router and those are not very prevalent so most people just use the action tech supposedly you can get them into bridging mode where they just pass through but everyone I've talked to has tried that it's like it's a big pain in the ass and it never worked so pretty much everyone on FiOS is using these routers with very few exceptions okay yeah so if you if you have let's say you have the action tech okay the action tech router is your border gateway and you put another router behind that doesn't matter I'm still attacking the public IP of the action tech so I can still access the action tech router yeah it'll protect your it'll help protect your internal IP once I get on the router but it won't stop me from getting to the router right yeah what are the manufacturers you list was links us we knew who the parent company of that is I'm kind of surprised that they haven't contacted you um my work told me that they contacted them about something and then I never heard anything back from it so I don't know if they just gave up or what happened with that again simply because my work was listed on on the on the presentation everyone contacted them instead of me but yeah I haven't heard anything from them specifically and again but again this isn't really a prop I guess it's kind of a problem with the routers but there's no real vulnerability in the routers it really needs to be fixed in the browser ultimately if the attacker knows the internal IP address of your router can they mount the same attack despite the strong in system model or filters that based on IP address they can't do it with this because remember when you try and do the pub the private IP it'll fail with it with this particular attack if they know the internal IP address you can try and do anti DNS rebinding the downside to that is you have to wait like an exorbitant amount of time at least in Firefox it's like two minutes or three minutes before you can do the rebind so so so the realm of practicality starts decreasing there but yeah you can also do cross-site request forgery attacks too but like I said they're limited good I can't hear what you're saying can't you mount this attack without relying on back same origin policy in the browser course you can still do cross sight post so you can still do one post request to log in another post request should we figure the yeah but not if they're using okay so first of all that will work on this because it has anti cross-site request forgery there's a JavaScript token in there that you have to get so you can't do that type of attack here you also can't like I mentioned you can't do that against stuff that uses basic authentication that won't work anymore so yes you can you can use cross-site request forgery certainly on a lot of routers to do that the other nice thing about this is because I can see the responses this also open up opens up multiple other vulnerability types that are not exploitable cross-site request forgery like information disclosure so for example dd-wrt by default when you go to dd-wrt routers paid you know splash page it doesn't require you to log in but it gives me a nice list of all your internal IP addresses and your MAC addresses and the exact build version of DD WT you're running and so I can't exploit that with cross-site request forgery but I can with this so I don't even have to log in in order to get a decent amount of information about your network and granted that doesn't give me necessarily a definite exploit but it's certainly not information you want to be sharing with everyone on the internet known as a domain name so yeah you I'm not trying to disparage cross-site request forgery and there's certainly a lot of really awesome things you can do with it and it's definitely an easier attack but this has several advantages over it which is kind of the point of doing DNS rebinding no more questions go back to what yeah what's that oh you just wanted to see the show okay and now we got one question back there getting a microphone do we have it a quick one while he's doing that all right hi I'm curious about you with the same origin policy you mentioned this bill it's built on DNS which is an untrusted platform with the changes motion toward getting DNS SEC more widely a probe feasible have you would would that same statement be true or could you still do certain attacks be in it because I legitimately own attacker.com I've registered it I own it so I can set up a legitimate DNS SEC enabled DNS server for it yeah it DNS SEC does nothing to stop this I can't see anything good hands yeah and back there so you said that you tried it on hold on hold on two routers and I think you said about 17 of them worked and the rest didn't did you have time to investigate the ones that didn't work and figure out why they didn't work and what they're doing there that time we prevented it on most of them I suspect they're not using the week-end system model some of them actually were fairly smart about how they rebound services so they weren't listening on the LAN port I didn't get a chance to look at all of them but it from what I've tested if you're running a Linux or BSD based system you're at a much higher risk for attack because they implement the week-end system model in the OS now that doesn't necessarily mean it will work because there are some Linux based routers this didn't work against again because of the way they bind interfaces and set up their firewall rules but but I mean if you're running Linux you already a third of the way there and the other two configuration options are actually fairly prevalent so if you're not if you're running some kind of custom OS on the underlying router it's probably less like because interestingly the week-end system model is more difficult to implement and strong because you have to go through and look at all your IP addresses and see if they match rather than just checking the 1 1 IP said it so yes there is the question is if you didn't hear it is there anything an ISP can do to help stop this attack say notice I'm returning to IP addresses I have seen one really weird ISP that actually would filter out the the extra IP addresses so if I did a DNS lookup on Google it would only give me one IP address back and that will break this attack but it also breaks redundancy for Google as well so it's a pro and a con that it I have no idea why they chose that I really don't and I suspect it's one of those things they chose before you know javascript is real big and you had cross you know you had XML HTTP requests and that kind of thing but yeah I mean ultimately you're trying to enforce security based on domain name but the domain name can point anywhere so it is really just a fundamentally flawed policy but I have no idea why they chose to do that other than it's probably pretty difficult to do it based on IP especially if you want to allow DNS redundancy because then you have to have to allow to switch IPs no I haven't got anything for action tech interestingly though two days ago buddy of my mind forwarded me an email he got from Verizon saying we're very secured about our customer security and here's a link to a website that says you had to change your default password and all this other stuff but yeah I haven't been contact the only router company this contacted me as pfsense they're not really a company there's the open source project anything else all right awesome thanks very much

so it's time for our second short format talk before we get started you might be wondering where as nobody's asked why is there this gigantic supercomputer sitting next to me they tell me it's for a talk that's going to go on tomorrow which sounds awesome because they're going to talk about what's actually in this cabinet either that or they're planning on replacing me next year with this computer and it's learning as it goes I'm not sure I hope I'm back next year right yes computer yes all right so when I was going through the schedule trying to trying to see which speakers we were going to be watching I saw this description as I'm guessing a lot of you did and said oh yeah I got to come check this out and no it is it is this is not a stunt double this is still Chris Rock and he's going to talk to us a little bit about messing with identity let's give him a big hand hi guys that better go okay guys my name is Chris Rock I'm not the black comedian but it will explain the big audience that we have today I'm going to talk to you about the death industry a morbid subject I know but I'll make it a little bit lighter and we'll talk about the birth industry and then we'll make it a little bit more gloomy again and I'll talk to you about how you can combine both of those both death and the birth to look at the vulnerabilities to actually it make some money out of virtual people okay this is a global problem that we have this is not an American problem this is not an Australian problem I originally did my research on the estranged system obviously adapted this presentation for American audience but it also works in other countries I refer to this is an end-of-life vulnerability it's not so much a vulnerability it's just a fuck up and it's a global fucker okay anyone with this knowledge can kill another person multiple people or even yourself I have not contacted any vendor for fixes this is a this is a definition of irresponsible disclosure so why do I research the death industry I was watching the news one night and I noticed that a hospital in melbourne victoria australia where I'm from announced the death of 200 patients they send out 200 death notices instead of 200 discharge notices I thought how could that possibly happen they've obviously moved into the internet world where you can kill 200 off very quickly with a particular button on a mouse so then started looking into the death industry and of Australia here is a global view of the death process where we step one someone dies the doctor fills out in America course certificate of death they have 24 hours to fill out this certificate this certificate contains details such as the cause of death name of the victim and next of kin that document then passes down to the funeral director the funeral director then has seven days of the suppose of the body this is the same document in a very craft in Australia is to separate documents once those documents have been completed that passes on to the registrar or verse deaths and marriages Department then they will issue the death certificate to the next of kin so we're looking at there in terms of a security process we can see that we need to really need to compromise step 2 and step through first step we're going to do is have a look at the dr's component here is a traditional certificate of debt this is what you guys use in the state's the top part of the form is filled out by the funeral director includes where the person is actually buried and the details of the victim and the bit that we're looking at at the moment is the document which is the medical practitioner the medical practitioner will fill out the details such as cause of death in Australia we've moved to an online system here's a snapshot of an internet accessible portal that doctors can use you can see the doctor needs to put their name first name last name license number and where they're from and submit once they submit that form and then all the details that form will be available to the doctor in America you're using a system called EDRs electronic death registration system it was rolled out in 2005 and it's nearly rolled out to all states so you're now moved online as well when a doctor logs on now to fill the certificate of death not paper-based anymore they'll get a portal like this here's an example of the californian EDRs you can see there's some security protections there where there's a username and password required for the doctor here's an example of what a DRS looks like once the doctors logged on and you can see the sort of drop down boxes which are pretty easy to fill out such as autopsy details place of death next of kin details this is a snapshot of the californian a system one thing to note there you'll see was an autopsy performed it's important to note that because when we talk about killing people later on down the track and if you've selected life insurance policy are you a smoker probably another go to do and the life insurance policies put I'm a smoker and then die all like a lung cancer stuff you're not going to get your pay up they'll actually refuse to pay it out okay edrs is actually used for I'll just use the acronym eat RS is used for mass mortality surveillance so here's an example of Hurricane sandy in 2011 and you can see actually where the deaths occurred obviously from drowning etrs is the LA government la vida RS because it has the ability to get accurate desperate records quickly so instead of waiting for a doctor to fill out that paper based system with the signature they can get death records very quickly it also shows what the person died on so this is important for when the government's planning resources whether it be anti-cancer whether it's kids wearing by comets is to do search lookups to make it easier to to fix how does the doctor get access to edrs or how does a hacker get access to a DRS here's a form that the doctor will fill out with the obvious details such as first laying first name last name email address you'll also see things like license numbers this is a paper-based warm obviously this just gets sent into the department now they've also moved on to a DIY registration this states using DIY registration again first name last name license number issuing state at all these personal details this is what the doctor would use to first time register now I'm not all doctors use ers when somebody dies in a hospital that job is done by the medical examiner when someone dies in for example a prison or in a hospital the medical examiner takes that or if it's not a natural death than the medical examiner will look after that but a doctor such as a doctor looks after old age patients we're dying is this normal then they will use the eye DRS system you can see here there are some of the questions are another state space system where it's asking you for those details again you can see the doctor can choose their own username and password they can also choose the phone number and address details now when you use this system it will do a look up against the license details as long as every detail matters except for the email address and phone number you can then reduce yourself as a doctor that's not good so how do you get these details well lucky enough there's a system in place to find out whether your doctor is real or fake so if you want to go find a doctor use google dr. database and you'll find one for every country and that will give you all the license details and office details I've just put some examples up there as I said I'm not cheating on the US I'm here to I'm happy to shit on Canada when I go to Canada as well okay now these are quite difficult to fill out for a hacker or someone malicious obviously doctors have had six years of study and we may have not maybe in different areas so you can see here from the the cause of death certificate here we've actually got from A to D the actual cause of death so in this account example the actual a is what the person actually end up dying off so pulmonary embolism now down the bottom is the doctor speak for liver cancer and then acute havoc attic failure so I could even say it is liver failure and then thrombosis and left thigh is just a blood clot and then the last one is blood clot in the lung as I said the important detail to look for is down the bottom here on 33 was an autopsy performed and we'll talk about that a minute if you guys don't know what that means if the doctor thinks its an unnatural death it has to get referred to a coroner or medical examiner there's guides online I'm have a full day's documents out with 44 use case examples on how to actually see somebody off it's produced by the CDC so you can learn dr. speak really quick okay the role of the medical examiner or coroner a medical examiner for people who don't know is a doctor with a maybe a few more qualifications such as forensics or pathology a coroner is a word for representative the crown they may necessarily not have any medical skills at all they actually elected into the role it's very important that we look at this chart here when you're actually filling out a cause of death because you don't want that case in the coroner so for example as I talked about before using this flow chart you can see which cases go to the coroner or medical examiner so dying in a hospital dying in a prison and also another natural death so if somebody died on the street from like a gunshot wound another important thing to look out for is what we call a reviewable death it is orange box over here if more than one child dies from a single parent then you will go to the coroner in other words if you're going to kill your kids off when we talk about that later on I don't mean real kids I mean virtual kids don't be greedy and corrupt more than one okay so that's the doctor bit of the adrs facility that's how to get access and that's how to fill out the form the next phase is the funeral director so once that the doctors filled out their components of bdrs the funeral director takes over so this would be like the next of kin for example for choosing a funeral director the funeral director will log onto EDRs and complete that fall again here is an example of the death certificate and I've also for the Australians I've actually included a separate document called DRS or death registration system Australian juice two separate documents not a single one so what we're looking at now is that top section of the document the funeral director component how does the funeral get it and director get access it's just very same so same as the doctor so they'll fill out all their details license number again first name last name desired username and of course they have DIY registration as well and there's an example of registering a new user as a more tissue a practitioner now we are you going to get the details of a licensed funeral director again they're online as well just do a Google search on funeral directors in each state and we'll give you details such as license numbers office address which is what you need to get a DRS registration access once the funeral director gets access on to a DRS they can do things like obviously check the doctors details that they submitted they can work with the next I also apply for burial permits and if you have difficulty filling these out there's a video sky for funeral directors as well ok that is instead of doing the fraudulent case of a funeral director I actually thought would be fun to find out to be a cover come a funeral director myself I was had this interest in the death industry so I set up a website the name of my company and just funerals at the end of it stuck up some caskets and some flowers I then I applied online to become a funeral director three days later I've got an automated response that I was a funeral director no phone calls nothing ok so now i can register des so in this case for example a little bit cheeky and I thought of or kill hugh jackman off you can see at the top of the box there the dc's particular his parents and sibling relationship the top now if you like mainly a little bit lazy you can kill multiple people off this has an advantage when you want to kill a lot of people off really quickly ok that's the Australian based system as I point me talking about a strong basis into American audience so here's some research on becoming a funeral director in the US California for example you need an ask degree in Colorado you need nothing in Nevada it's 375 bucks then you sit an exam you might think why would I go through all this process or headache when I could just use edrs for debts registration the reason is if you want to commit insurance fraud it's easier if there's a tombstone sticking out of the ground so you get that def insurance policy if there's an audit in the UK there's no licensing requirements either so it's just as easy to kill somebody off in the UK so that completes the to our parts of fraud to get the death certificate once those documents are complete or the online license is to complete the register then just issues the death certificate they'll then then said said that's this certificate to the next of kin and you might ask how am I going to get that certificate if I'll kill somebody off you're filling out the form you can put on anyone you want as next to Kim now analysis I know it's not in good spirit to kill the house but there's a death certificate of jeff moss he doesn't know he's dead he's walking around but on paper he's dead now there's going to be a problem for him when he travels and it's just a general pain in the ass okay Jeff's dead that was fun but I know jest a lot of money so I want some of it what do I need to do now I have a death certificate I fill out a will online now to be ready to be recognized as an executor of a will you need to do something called a probate petition so that's saying to the court I have a death certificate I have a will I want to access the jeffs accounts it's just a document you sent into the courts to say that I have the rights to shut this person down you then use accompanying letters like what I've just put up there it's just a stretch standard template free website where I'm writing to the bank to say it's shutting down the bank then we'll give me the process the money now normal a normal executor real world will do what they're supposed to do they'll shut the victim down so they will pay out their debts give the money to the next of kin or lots of stuff but if you if you wanted to do it maliciously you disable the money and run of course that system is now moving online as well you can now petition to a petition for probate online the video that is is completely removed you don't have to go to court okay why would you want to kill somebody financial killing yourself so I want to enjoy your life insurance money while you're alive the other one is kill your parents parents are not dying as quick as they used to and they're handing out money very slowly better off killing them taking their funds and do a runner okay revenge revenge on your ex wife girlfriend partner the booty is there dead and they don't even know it so there's one of those silent things we just can't it is don't shut their bank accounts done just when they get there go get the new passport of a new license whoops kill your boss these an asshole okay hinder if you're under investigation dead people find it difficult to travel if you're also committing this sort of a crime against somebody they're more interested in protecting their own lives in terms of getting their financial history but in track than chasing you kill your opposing lawyer or the judge okay this is a bit of a problem for the law because the law is not really really ready for this stuff here there's a case in 2013 where a legally meant a legally dead man must say dead even though he's alive Donald Miller was declared dead in 1994 deadbeat dad skipped out on his family he was declared dead after missing for five years obviously his wife wanted to move on he's not coming home now the 61 year old has come back he wants to be reinstated the judge said too late over three window to bring you back to life the judge said even though you're sitting in my courtroom in front of me I can see you're alive there's nothing i can do you're dead so you heard of someone being stateless this one is bodyless okay I don't I hopefully that plays all right I put a video together of my first kill if it wasn't a clean kill it's a bit like Dexter Morgan and Harry I didn't have Harry in the back of my head saying you got to kill this certain way this is an australian-based kill I'm a bit worried it's going to play off to the side so let's just have a look at is too oh here we go a major Melbourne Hospital has mistakenly announced the deaths of more than 300 patients you thank you okay I've been given the wrap-up so going to go through this quickly sorry guys so now that we've killed somebody what about birthing it's not the exactly the same process it's actually easier we don't need a funeral director so we only need to commit fraud on one side so step one baby is born step to the doctrine Midwife fill out a form and step three there's where the parents fill out their details again it goes to the registry and a birth certificate is issued here's the traditional paper-based certificate half pulled out by the doctor are filled out by the parents that's moving online to refer to as EBR electronic birth registration I've got an example of a Canadian one and an Australian one as well there's a us one at the bottom there link okay again for online birth registration the u.s. is the same as death you just need to register yourself as a doctor or Midwife using those online databases again it's the same database once you log on as a midwife or doctor it's just a matter of putting in the baby's details of whether our born this is not identity therefore actually creating a new ID so why the government make birth certificate stronger that's actually better in our case we're actually using a real birth certificate this is not identity theft so then I got the idea of now that I can kill someone now that I can actually born somebody or burst somebody can i combine the two together to make some money I assume you guys know what a show company is for those who don't an entity that actually doesn't do any business but actually is a legal or accounting term use to protect assets or identities of an owner a sort of episode of the blacklist where the concept of something called a shelf company came up which took that short company a little bit further where the show company actually pays taxes files annual return and builds up a credit rating why would you want to do this is to get route to get around heuristics use for money laundering or terrorist financing so I thought why cuz what can I do the same with my baby so i'll create a baby good for clean SSN a social security number tax benefits or take it a little bit further i call it the virtual the virtual we have to have Home Loans pay taxes multiple life insurances social media pages and also do stock trading why would you want to do all this you can borrow millions of dollars for money and then got paid back the most important want to do over identification so if you really fuck up get a new ID not a fake ID a real ID again life insurance policies do an online life insurance policy when you've had enough of that baby just kill it off and take the money the one that I've really done some research in is by Lee leverage derivatives so for those who've done currency trading before you brought lots of money you bet the US dollars going to go up or the euro is going to go up if it goes up you're rich if it goes down your pool so use to virtuals one's going to be a winner one's going to be a loser the Louisiana up can put back on the shelf who cares also obtaining firearms or getting drugs don't do it with your ID that's stupid do with a virtual it's just an extra layer of anonymity so we all know how we protect ourselves for IP payments and company one step further protect yourself and use a virtual ID okay why is it so vulnerable obviously the doctor Midwife you saw the DIY portal that's just shit at least you guys have a portal we don't even have one of those birth registration is exactly the same they're a little bit behind on the EBR but they're getting the same same way as at a DRS also having the physicians medical license numbers online they need it because if you're a doctor you're getting a job at another hospital you need that information to check whether you're actually a registered doctor or not but not using those as it identifies the funeral director as you see there's no licensing or basic funeral licensing around the world and again they're using DIY service portals okay why is it Swiss cheese the government want accurate centralized birth and death records believe it or not as birth rate and death records have actually been lost in smaller registries through fire or flood edrs fixes all this as centralized and you don't have to put up with doctors handwriting everything is accurate ok so the governor's drawing they have believe it or not babies being registered we're at my home town about two and a half percent of all babies are not registered for whatever reason whether they be remote people or disadvantaged people on drugs they get this estimate of the two point five percent based on when the kids start school at age five and a diversity to get so they do a retrospective birth certificate and you might think who cares it's important to note that you can take five years off your shelf baby by registering a bit later in a lot in life the government historically based the fact that you needed to parties in collusion the doctor and the funeral director to bury somebody to get rid of the body but you can see here from the poor you can become both those persons I'd advise you if you're going to do any of this stuff and I'd I advise you don't but if you did use a virtual don't use your own ID and moving from the paper-based system to an online system is obviously fraught with danger now I've written a book on this topic for more information I've done it years where the research and instant thought I'd put into a book on how to raise your virtual how to use the stock market to your advantage how to kill your baby off bankrupt your baby and if you want to get that and you can buy that on amazon thanks for your time guys that's it thank you thanks Mike run off oh goody much