Diffstat (limited to 'en_US.ISO8859-1')
-rw-r--r--  en_US.ISO8859-1/captions/2007/meetbsd/brueffer-torprvacy.sbv       2391
-rw-r--r--  en_US.ISO8859-1/captions/2007/nycbsdcon/dixon-bsdisdying.sbv        943
-rw-r--r--  en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv 4426
3 files changed, 7760 insertions, 0 deletions
diff --git a/en_US.ISO8859-1/captions/2007/meetbsd/brueffer-torprvacy.sbv b/en_US.ISO8859-1/captions/2007/meetbsd/brueffer-torprvacy.sbv
new file mode 100644
index 0000000000..1bba30ffdc
--- /dev/null
+++ b/en_US.ISO8859-1/captions/2007/meetbsd/brueffer-torprvacy.sbv
@@ -0,0 +1,2391 @@
+0:00:09.649,0:00:15.249
+Fortunately my slide will be centered, because
+I'll have to change resolutions, I think this works out..
+
+0:00:15.249,0:00:19.310
+And, it's about protecting your privacy with FreeBSD and Tor
+
+0:00:19.310,0:00:20.859
+and, uh...
+
+0:00:20.859,0:00:21.480
+Privacy
+
+0:00:21.480,0:00:25.859
+what I mean here is mostly anonymity
+
+0:00:25.859,0:00:28.889
+but there are some other aspects that
+
+0:00:28.889,0:00:34.390
+I'll talk about later
+
+0:00:34.390,0:00:36.290
+uh, so...
+
+0:00:36.290,0:00:39.500
+I want to first talk about who needs anonimity anyway
+
+0:00:39.500,0:00:42.880
+is it just for criminals or some other bad guys, right?
+
+0:00:42.880,0:00:44.209
+after this
+
+0:00:44.209,0:00:50.940
+anonymization concepts, then Tor. Tor's a, well, a tool
+
+0:00:50.940,0:00:52.870
+to, uh...
+
+0:00:52.870,0:00:59.320
+anonymize you on the Web. Then I'll talk about what
+FreeBSD can do with it
+
+0:00:59.320,0:01:00.430
+and what else
+
+0:01:00.430,0:01:01.980
+you have to take care of
+
+0:01:01.980,0:01:06.070
+when you want to be anonymous on the Web or the Internet
+
+0:01:06.070,0:01:06.650
+and uh,
+
+0:01:06.650,0:01:12.280
+if time permits I'd like to do a little demonstration
+
+0:01:12.280,0:01:16.970
+Ok, so who needs anonymity anyway?
+
+0:01:16.970,0:01:20.510
+Anonymity is a pretty vast
+
+0:01:20.510,0:01:22.030
+interest to most people
+
+0:01:22.030,0:01:24.740
+but it's really important for
+
+0:01:24.740,0:01:26.400
+journalists... There was a case in, uh,
+
+0:01:26.400,0:01:28.619
+Thailand last year
+
+0:01:28.619,0:01:32.510
+when the military coup was going on
+
+0:01:32.510,0:01:38.150
+and the journalists in Thailand couldn't really uh,
+
+0:01:38.150,0:01:39.830
+journalists couldn't really, uh
+
+0:01:39.830,0:01:43.050
+get the information they needed to do their work
+
+0:01:43.050,0:01:45.750
+also, uh, informants
+
+0:01:45.750,0:01:49.100
+whistleblowers... people who want to tell you about
+
+0:01:49.100,0:01:52.490
+corruption going on in governments and companies
+
+0:01:52.490,0:01:56.460
+and don't want to lose their job for it... Dissidents
+
+0:01:56.460,0:01:58.250
+uh, best case
+
+0:01:58.250,0:02:01.610
+when in Myanmar
+
+0:02:01.610,0:02:03.750
+last few weeks ago
+
+0:02:03.750,0:02:05.290
+when the
+
+0:02:05.290,0:02:07.649
+all the Buddhists monks were going to the streets and uh,
+
+0:02:07.649,0:02:09.879
+the Internet was totally censored
+
+0:02:09.879,0:02:14.899
+it was really dangerous to do anything on the Internet
+
+0:02:14.899,0:02:17.719
+so, so umm
+
+0:02:17.719,0:02:20.489
+socialy sensitive information, like when you want to uh,
+
+0:02:20.489,0:02:23.719
+when you were abused
+
+0:02:23.719,0:02:25.769
+and want to talk to other people about it
+
+0:02:25.769,0:02:30.039
+you don't... naturally you don't want other people to
+know who you are
+
+0:02:30.039,0:02:31.840
+as it will be very embarrassing
+
+0:02:31.840,0:02:33.779
+also Law Enforcement, ah
+
+0:02:33.779,0:02:38.579
+for example, uh, when you want to set up a
+
+0:02:38.579,0:02:41.669
+an anonymous tipline for crime reporting
+
+0:02:41.669,0:02:45.810
+and uh, also companies that want to, uh
+
+0:02:45.810,0:02:48.079
+research competition, as one case that, uh
+
+0:02:48.079,0:02:51.029
+that a company went to check the, uh
+
+0:02:51.029,0:02:54.339
+website competition and they noticed when they used Tor
+
+0:02:54.339,0:02:58.209
+that, uh, they were actually getting a different website
+when they
+
+0:02:58.209,0:03:00.829
+uh, were coming from the corporate LAN
+
+0:03:00.829,0:03:04.609
+than anyone else was getting, so ah,
+
+0:03:04.609,0:03:07.509
+it's a good way to, uh,
+
+0:03:07.509,0:03:11.859
+check out... competition like this
+
+0:03:11.859,0:03:13.349
+Also military
+
+0:03:13.349,0:03:15.679
+actually military was one of the, uh
+
+0:03:15.679,0:03:17.479
+original
+
+0:03:17.479,0:03:20.510
+driving forces behind the
+
+0:03:20.510,0:03:24.319
+anonymization research.
+
+0:03:24.319,0:03:26.169
+and maybe you
+
+0:03:26.169,0:03:28.799
+may have heard of the European Union
+
+0:03:28.799,0:03:30.349
+Data Retention Directive?
+
+0:03:30.349,0:03:33.039
+where, umm
+
+0:03:33.039,0:03:35.739
+collection data gets stored
+
+0:03:35.739,0:03:41.259
+six to twenty-four months? Depends on the limitation
+on the different nations
+
+0:03:41.259,0:03:45.069
+Two weeks back this was, uh,
+
+0:03:45.069,0:03:47.729
+the law was passed in Germany
+
+0:03:47.729,0:03:48.900
+so, uh
+
+0:03:48.900,0:03:50.450
+from first January on,
+
+0:03:50.450,0:03:52.159
+every connection, phone connection,
+
+0:03:52.159,0:03:55.389
+SMS, IP connections,
+
+0:03:55.389,0:03:58.480
+email, or the dial-in data needs to be stored
+
+0:03:58.480,0:04:00.449
+by providers for six months
+
+0:04:00.449,0:04:02.510
+and, uh,
+
+0:04:02.510,0:04:05.379
+sooner or later it's going to be in Poland as well
+
+0:04:05.379,0:04:07.689
+[talking]
+
+0:04:07.689,0:04:14.689
+well, you're part of the Euro Union now, so ah, welcome!
+
+0:04:16.989,0:04:18.529
+okay, uh
+
+0:04:18.529,0:04:21.220
+that's a
+
+0:04:21.220,0:04:27.110
+maybe you want to hide what interests you have and uh,
+who you talk to, I mean uh,
+
+0:04:27.110,0:04:30.889
+like all of you know the Internet isn't very
+
+0:04:30.889,0:04:34.199
+secure in the first place so your ISP can see who you're
+talking to
+
+0:04:34.199,0:04:37.780
+if they bother to find out
+
+0:04:37.780,0:04:40.709
+yeah, and also
+
+0:04:40.709,0:04:46.279
+criminals, but um, they already do illegal stuff and they
+don't care about
+
+0:04:46.279,0:04:51.629
+doing more illegal stuff to stay anonymous, right? They can
+uh, steal people's identities, they can rent botnets or
+create them in the first place
+
+0:04:51.629,0:04:53.829
+and uh,
+
+0:04:53.829,0:04:54.689
+or just
+
+0:04:54.689,0:04:59.689
+crack one of the thousands of Windows computers online,
+no big deal
+
+0:04:59.689,0:05:02.029
+so, uh
+
+0:05:02.029,0:05:05.199
+Criminals already do this and uh,
+
+0:05:05.199,0:05:06.360
+the normal
+
+0:05:06.360,0:05:13.360
+citizens can't do this so...
+
+0:05:14.680,0:05:16.460
+So all the groups that need anonymization are very different,
+
+0:05:16.460,0:05:18.330
+but they all have the same goal, and uh
+
+0:05:18.330,0:05:20.619
+that's also one of the
+
+0:05:20.619,0:05:22.229
+key concepts of
+
+0:05:22.229,0:05:22.919
+anonymization
+
+0:05:22.919,0:05:24.090
+you can't really
+
+0:05:24.090,0:05:25.930
+stay anonymous on your own
+
+0:05:25.930,0:05:28.999
+you needs the help of more people
+
+0:05:28.999,0:05:30.559
+and uh,
+
+0:05:30.559,0:05:32.680
+the more diverse the group that needs
+
+0:05:32.680,0:05:38.539
+anonymity, the better
+
+0:05:38.539,0:05:40.979
+Ok, so on to talking about two
+
+0:05:40.979,0:05:42.949
+anonymization concepts
+
+0:05:42.949,0:05:44.539
+uh huh
+
+0:05:44.539,0:05:51.539
+Proxy? Everyone here probably knows how a proxy works,
+uh yeah
+
+0:05:52.559,0:05:53.169
+LANs connect to the proxy and request
+
+0:05:53.169,0:05:57.290
+a website or whatever and the proxy
+
+0:05:57.290,0:06:00.359
+just passes it on and pass through
+
+0:06:00.359,0:06:03.789
+right
+
+0:06:03.789,0:06:04.680
+um
+
+0:06:04.680,0:06:09.329
+Proxys are fast and simple but it's a single point of
+failure, like uh,
+
+0:06:09.329,0:06:13.139
+when law enforcement or anyone else wants to
+uh, know
+
+0:06:13.139,0:06:15.289
+who you're talking to they just
+
+0:06:15.289,0:06:19.759
+get a subpoena or
+
+0:06:19.759,0:06:22.440
+break into the computer room or whatever
+
+0:06:22.440,0:06:26.400
+it's pretty easy
+
+0:06:26.400,0:06:30.050
+Second anonymization concept is mixed,
+
+0:06:30.050,0:06:32.549
+it's really old from nineteen eighty one
+
+0:06:32.549,0:06:35.099
+so you can see, uh,
+
+0:06:35.099,0:06:41.150
+how long the research in this area is going on
+
+0:06:41.150,0:06:43.150
+the mix is kind of similar to a proxy
+
+0:06:43.150,0:06:47.090
+like, trying to connect to it to send the messages
+
+0:06:47.090,0:06:50.779
+and the mix collects them
+
+0:06:50.779,0:06:54.550
+and no less than um
+
+0:06:54.550,0:06:56.699
+it puts them all
+
+0:06:56.699,0:06:58.319
+in through different coincides and uhm,
+
+0:06:58.319,0:07:00.169
+you see here it
+
+0:07:00.169,0:07:03.849
+shuffles them and waits
+
+0:07:03.849,0:07:08.930
+til there's enough data in it and just
+
+0:07:08.930,0:07:11.039
+shoves them and sends them back out so
+
+0:07:11.039,0:07:18.039
+um, this is to protect against correlation effects.
+
+0:07:20.219,0:07:22.439
+But second in...
+
+0:07:22.439,0:07:23.379
+Oh yeah, and
+
+0:07:23.379,0:07:27.879
+when you actually put several mixes uh
+
+0:07:27.879,0:07:31.259
+behind them; it's a mixed escape and uh,
+
+0:07:31.259,0:07:32.149
+between mixes is also
+
+0:07:32.149,0:07:35.330
+a friction going on, uh, the first
+
+0:07:35.330,0:07:38.349
+or the client which is
+
+0:07:38.349,0:07:44.069
+you could see here if this lights would be centered, uh,
+
+0:07:44.069,0:07:46.029
+what else gets the
+
+0:07:46.029,0:07:48.879
+public keys of all the mixes
+
+0:07:48.879,0:07:51.160
+and encrypts the message first for each of them
+
+0:07:51.160,0:07:54.879
+and each mix removes one encryption layer and
+
+0:07:54.879,0:07:59.280
+uh, the last one actually passes on the message unencrypted
+
+0:07:59.280,0:08:04.369
+and uhm, loop back backwards the same
+
+0:08:04.369,0:08:06.379
+So, as you can probably imagine,
+
+0:08:06.379,0:08:11.389
+if you wait until you have enough messages, ah, and all
+public key encryption
+
+0:08:11.389,0:08:12.280
+is going pretty slow
+
+0:08:14.069,0:08:17.939
+and uh,
+
+0:08:17.939,0:08:20.360
+this concept is mostly used for
+
+0:08:20.360,0:08:22.419
+remailers like
+
+0:08:22.419,0:08:26.359
+MixMinion, for example uh
+
+0:08:26.359,0:08:28.800
+where it's not really a possib... um
+
+0:08:28.800,0:08:32.610
+it's not really important
+
+0:08:32.610,0:08:33.979
+if the message is a couple of seconds
+
+0:08:33.979,0:08:36.540
+late or something, but it's not really
+
+0:08:36.540,0:08:39.870
+great for uh, for
+
+0:08:39.870,0:08:41.830
+low latency connections,
+
+0:08:41.830,0:08:44.730
+like web routing for example
+
+0:08:44.730,0:08:47.060
+but what's good about it it's uh
+
+0:08:47.060,0:08:50.500
+distrinuted trust uh,
+
+0:08:50.500,0:08:54.940
+just one these mixes has to be secure to actually
+
+0:08:54.940,0:08:56.840
+anonymize the whole connection
+
+0:08:56.840,0:08:58.460
+so it's slow but it's
+
+0:08:58.460,0:09:05.460
+distributed trust, which is good.
+
+0:09:06.230,0:09:09.930
+So, I want to introduce Tor
+
+0:09:09.930,0:09:12.320
+Tor stands for The Onion Router.
+
+0:09:12.320,0:09:16.340
+It's a concept that is actually built on
+
+0:09:16.340,0:09:17.720
+both these concepts
+
+0:09:17.720,0:09:21.340
+mixes and proxies.
+
+0:09:21.340,0:09:22.770
+It's a TCP-Overlay network,
+
+0:09:22.770,0:09:24.900
+means you can, uh
+
+0:09:24.900,0:09:25.560
+channel any
+
+0:09:25.560,0:09:27.320
+TCP connection through it
+
+0:09:27.320,0:09:28.480
+theoretically
+
+0:09:28.480,0:09:31.310
+uh, theoretically I will explain
+
+0:09:31.310,0:09:33.790
+a couple of slides later
+
+0:09:33.790,0:09:37.040
+it provides a SOCKS interface so you don't need any uh,
+
+0:09:37.040,0:09:42.060
+special application proxies like any application that uses
+SOCKS interface can just,
+
+0:09:42.060,0:09:43.370
+talk to talk
+
+0:09:43.370,0:09:48.070
+and it's available on, um, all major platforms
+
+0:09:48.070,0:09:53.940
+what is uh, especially important is available in Windows
+
+0:09:53.940,0:09:55.850
+'cause, uhm, like I said earlier once
+
+0:09:55.850,0:09:57.740
+you want a really diverse,
+
+0:09:57.740,0:09:59.560
+really diverse group of users
+
+0:09:59.560,0:10:05.250
+so you actually need uh,
+
+0:10:05.250,0:10:06.860
+the normal user
+
+0:10:06.860,0:10:13.150
+not just geeks.
+
+0:10:13.150,0:10:15.160
+Um, well it aims to uhm
+
+0:10:15.160,0:10:15.939
+combine the positive attributes of
+
+0:10:15.939,0:10:17.480
+proxies and mixes
+
+0:10:17.480,0:10:18.749
+Like, proxies are fast, but
+
+0:10:18.749,0:10:20.620
+seem prone to failure
+
+0:10:20.620,0:10:21.770
+and mixes
+
+0:10:21.770,0:10:24.590
+distributed trust, you want to combine them
+
+0:10:24.590,0:10:29.930
+so uh
+
+0:10:29.930,0:10:31.310
+Fast, uh, Tor use not only public key
+
+0:10:31.310,0:10:33.220
+encryption but also session keys
+
+0:10:33.220,0:10:35.170
+symmetrically encrypted.
+
+0:10:35.170,0:10:37.260
+so uh
+
+0:10:37.260,0:10:41.710
+All the connection set up is this public key so you just, uh
+
+0:10:41.710,0:10:44.840
+authentication and stuff?
+
+0:10:44.840,0:10:50.860
+And uh, the actual communication that's going on later
+is always symmetrically encrypted
+
+0:10:50.860,0:10:54.170
+And uh, so it's also TCP multiplexing
+
+0:10:54.170,0:10:55.850
+so you can run
+
+0:10:55.850,0:10:58.520
+several TCP connections through one
+
+0:10:58.520,0:11:02.220
+virtual Tor connection.
+
+0:11:02.220,0:11:05.610
+And the design goals are
+
+0:11:05.610,0:11:06.790
+yeah
+
+0:11:06.790,0:11:07.880
+deployability
+
+0:11:07.880,0:11:09.770
+like dums want the user to actually have
+
+0:11:09.770,0:11:12.680
+to patch his PC off the Operating System or something
+
+0:11:12.680,0:11:16.070
+just be in a... workable state really fast
+
+0:11:16.070,0:11:19.340
+um, usability,
+
+0:11:19.340,0:11:20.600
+so you get the uh,
+
+0:11:20.600,0:11:22.400
+normal users
+
+0:11:22.400,0:11:26.850
+not just the geeks. Flexibility, uhm
+
+0:11:26.850,0:11:28.310
+it's aimed to
+
+0:11:28.310,0:11:29.910
+enable more research
+
+0:11:29.910,0:11:32.010
+in this whole area.
+
+0:11:32.010,0:11:33.059
+so, uh
+
+0:11:33.059,0:11:34.679
+the protocol to all users
+
+0:11:34.679,0:11:37.890
+should be really flexible
+
+0:11:37.890,0:11:42.110
+And uh, for simplicity it's a security application and
+
+0:11:42.110,0:11:45.900
+well complexity doesn't play well with uh,
+
+0:11:45.900,0:11:52.070
+security
+
+0:11:52.070,0:11:53.190
+So, this uh,
+
+0:11:53.190,0:11:55.300
+it's how Tor works, more or less
+
+0:11:55.300,0:11:58.800
+Dave is uh, a directory server,
+
+0:11:58.800,0:12:03.160
+it uh, caches information about the network state
+
+0:12:03.160,0:12:08.130
+and uh, which Tor servers are available in the network
+
+0:12:08.130,0:12:09.490
+and uh
+
+0:12:09.490,0:12:10.930
+Alice downloads
+
+0:12:10.930,0:12:14.740
+this whole list from Dave
+
+0:12:14.740,0:12:18.940
+you see the Tor nodes with the plus here?
+
+0:12:18.940,0:12:21.020
+Through this random
+
+0:12:21.020,0:12:22.790
+tree of service
+
+0:12:22.790,0:12:23.910
+when she wants to talk to Jane
+
+0:12:23.910,0:12:30.380
+for example
+
+0:12:30.380,0:12:34.280
+The first one is the entry node, middle LAN nodes, and the
+uh exit nodes, I will leave thes for later
+
+0:12:34.280,0:12:41.000
+uh, so this
+
+0:12:41.000,0:12:43.990
+Alice talks to the entry node
+
+0:12:43.990,0:12:47.550
+there's a connection that is going on and is public key
+encrypted
+
+0:12:47.550,0:12:51.330
+and they establish a session key and same
+
+0:12:51.330,0:12:53.090
+thing goes on
+
+0:12:53.090,0:12:58.520
+in these two and these two so they can communicate later on
+
+0:12:58.520,0:12:59.780
+What's really important here
+
+0:12:59.780,0:13:00.629
+is the last connection here
+
+0:13:00.629,0:13:03.090
+is actually unencrypted.
+
+0:13:03.090,0:13:05.240
+I will talk about it later
+
+0:13:05.240,0:13:06.610
+So it has to be unencrypted
+
+0:13:06.610,0:13:13.610
+so you can get your request through
+
+0:13:20.690,0:13:22.700
+this is a virtual circuit
+
+0:13:22.700,0:13:24.490
+that gets established and uh
+
+0:13:24.490,0:13:29.190
+every, every
+
+0:13:29.190,0:13:31.340
+ten minutes
+
+0:13:31.340,0:13:32.450
+a new circuit is built
+
+0:13:32.450,0:13:37.250
+when a new website, when a new request come through, so uh
+
+0:13:37.250,0:13:40.080
+this one stays, all these connections above stays
+
+0:13:40.080,0:13:41.940
+in this circuit
+
+0:13:41.940,0:13:43.630
+and after ten
+
+0:13:43.630,0:13:45.410
+when after ten minutes, ah
+
+0:13:45.410,0:13:52.410
+Alice wants to talk to Jane, a new circuit is built
+
+0:13:53.610,0:13:55.410
+and uh, this is important
+
+0:13:55.410,0:13:56.920
+to get strong
+
+0:13:56.920,0:13:57.710
+anonymity
+
+0:13:57.710,0:14:00.220
+in case one connection is compromised, for example.
+
+0:14:00.220,0:14:01.600
+An these ten minutes
+
+0:14:01.600,0:14:04.490
+are really an arbitrary value
+
+0:14:04.490,0:14:08.560
+,you can choose anything
+
+0:14:08.560,0:14:10.660
+you have to do the research
+
+0:14:10.660,0:14:11.970
+which value is best and so
+
+0:14:11.970,0:14:18.970
+ten minutes is compromised.
+
+0:14:19.840,0:14:22.240
+With all you get exit policies,
+
+0:14:22.240,0:14:24.640
+this is important for the exit node
+
+0:14:24.640,0:14:27.880
+the one which actually send the uh,
+
+0:14:27.880,0:14:30.410
+original request to the destination server
+
+0:14:30.410,0:14:31.670
+and huh
+
+0:14:31.670,0:14:32.839
+you can control which
+
+0:14:32.839,0:14:34.220
+TCP connections you want
+
+0:14:34.220,0:14:39.180
+to allow from your node if you want
+
+0:14:39.180,0:14:41.000
+that's default policy which uh
+
+0:14:41.000,0:14:43.610
+blocks SMTP and NNTP to prevent uh
+
+0:14:43.610,0:14:48.080
+spamming and all stuff
+
+0:14:48.080,0:14:49.060
+but you can actually allow
+
+0:14:49.060,0:14:51.970
+SMTP if you want
+
+0:14:51.970,0:14:54.070
+and there's some other ports blocked
+
+0:14:54.070,0:14:56.170
+but the rest of it works so
+
+0:14:56.170,0:14:57.900
+HTTP SSH
+
+0:14:57.900,0:15:01.630
+all the important stuff
+
+0:15:01.630,0:15:05.250
+that you would want to minimize just works
+
+0:15:05.250,0:15:10.290
+and uh, if you uh
+
+0:15:10.290,0:15:13.050
+this is important for uh, if you
+
+0:15:13.050,0:15:18.540
+want to run you node, uh
+
+0:15:18.540,0:15:19.220
+waht kind of node you actually want to run
+
+0:15:19.220,0:15:24.120
+if you look at the picture, uh earlier
+
+0:15:24.120,0:15:31.120
+there's these three different nodes: entry node,
+middleman note, and exit node
+
+0:15:32.400,0:15:34.180
+and uh, which node you want to run
+
+0:15:34.180,0:15:36.780
+depends on how many problems you want afterwards
+
+0:15:36.780,0:15:39.590
+I will talk about it later uh
+
+0:15:39.590,0:15:40.970
+this one,
+
+0:15:40.970,0:15:46.950
+the exit node actually forwards the uh, requested date, uh
+
+0:15:46.950,0:15:47.700
+depends upon what
+
+0:15:47.700,0:15:51.570
+what the user actually uh wants, that's
+
+0:15:51.570,0:15:52.830
+if the user uh
+
+0:15:52.830,0:15:58.020
+Alice in this case uh
+
+0:15:58.020,0:16:02.080
+insults someone out on a web forum, then uh the uh
+
+0:16:02.080,0:16:03.470
+administrator of the forum will see the IP address
+
+0:16:03.470,0:16:05.340
+of the
+
+0:16:05.340,0:16:11.230
+exit node in his forum and not the one
+
+0:16:11.230,0:16:15.330
+of Alice so uh he's going to have the problems later on
+
+0:16:15.330,0:16:18.250
+so I will talk about it later
+
+0:16:18.250,0:16:21.600
+but you have to keep this in mind
+
+0:16:21.600,0:16:28.600
+and uh, keep up everything and uh we can play the role of
+entry nodes and middle man nodes
+
+0:16:30.170,0:16:37.170
+which is also important
+
+0:16:39.130,0:16:42.930
+Special feature of Tor are hidden services
+
+0:16:42.930,0:16:45.850
+these are services which can be
+
+0:16:45.850,0:16:46.990
+accessed
+
+0:16:46.990,0:16:49.420
+without having an IP address
+
+0:16:49.420,0:16:50.960
+so uh
+
+0:16:50.960,0:16:56.300
+you can't really find them physically
+
+0:16:56.300,0:16:57.880
+so if you want to run a
+
+0:16:57.880,0:16:59.720
+hidden service you can do it from anywhere
+
+0:16:59.720,0:17:01.850
+do it from inside this private network here
+
+0:17:01.850,0:17:05.950
+instead of a service and everyone in the outside world can
+actually access it
+
+0:17:05.950,0:17:07.770
+even if you don't have the rights to do
+
+0:17:07.770,0:17:11.330
+port forwarding or something
+
+0:17:11.330,0:17:13.580
+uh, this is really important to, uh
+
+0:17:13.580,0:17:15.690
+resist Denial of Service, for example
+
+0:17:15.690,0:17:20.160
+'cause every uh,
+
+0:17:20.160,0:17:20.519
+every client that wants to
+
+0:17:20.519,0:17:22.829
+access the service uh, gets
+
+0:17:22.829,0:17:25.700
+gets a different route in the network
+
+0:17:25.700,0:17:26.529
+and uh, it's hard
+
+0:17:26.529,0:17:28.460
+to actually uh
+
+0:17:28.460,0:17:31.970
+DOS it. And it's also important to
+
+0:17:31.970,0:17:33.610
+resist censorship
+
+0:17:33.610,0:17:38.510
+And the addresses look like this:
+
+0:17:38.510,0:17:43.280
+it's really a hash of a private key
+
+0:17:43.280,0:17:47.340
+and each hidden service is actually, well, identified
+
+0:17:47.340,0:17:53.300
+by a public key
+
+0:17:53.300,0:17:59.000
+this how it works, uhm, yet Alice the client
+
+0:17:59.000,0:18:02.170
+and the hidden server, Bob.
+
+0:18:02.170,0:18:04.120
+And if Bob wants to, uh,
+
+0:18:04.120,0:18:07.640
+wants to set up a service,
+
+0:18:07.640,0:18:08.159
+he chooses three introduction points
+
+0:18:08.159,0:18:09.899
+out of the whole mass
+
+0:18:09.899,0:18:11.920
+of Tor servers.
+
+0:18:11.920,0:18:18.920
+And Bob has the public key to identify the service,
+and uh he sends
+
+0:18:22.530,0:18:26.860
+this public key into each of these three introduction
+points to the directory server.
+
+0:18:26.860,0:18:28.740
+Now Alice wants to uh,
+
+0:18:28.740,0:18:31.610
+connect to Bob, but first the first thing she does
+
+0:18:31.610,0:18:34.480
+is download this
+
+0:18:34.480,0:18:38.910
+this list with the introduction points and the uh
+
+0:18:38.910,0:18:45.910
+public key from the directory server. After that, uh
+
+0:18:50.120,0:18:54.299
+she choose one of the uh introduction points
+
+0:18:54.299,0:18:55.930
+and uh,
+
+0:18:55.930,0:19:02.920
+posts a circle rendesvouz cookie there. A piece of
+data so uh, she can, uh
+
+0:19:02.920,0:19:05.480
+identify herself
+
+0:19:05.480,0:19:06.900
+and uh, she also
+
+0:19:06.900,0:19:07.860
+gives the introduction point
+
+0:19:07.860,0:19:14.500
+the address of her random rendesvouz point that
+Alice has chosen
+
+0:19:14.500,0:19:18.550
+so what happens then is uh, Bob notices that uh,
+
+0:19:18.550,0:19:23.760
+some data has been stored in the introduction point
+
+0:19:23.760,0:19:28.160
+and Alice and Bob uh,
+
+0:19:28.160,0:19:31.230
+make a rendesvouz point, and
+
+0:19:31.230,0:19:34.940
+Bob uses this, this uh
+
+0:19:34.940,0:19:36.700
+rendesvouz cookie to
+
+0:19:36.700,0:19:38.180
+actually identify himself on the rendesvouz point
+
+0:19:38.180,0:19:39.990
+and after that
+
+0:19:39.990,0:19:46.990
+all the connection of data runs through this rendesvouz point.
+
+0:19:50.870,0:19:53.180
+uh, if time permits I'll actually uh,
+
+0:19:53.180,0:19:54.710
+set up a rendesvouz
+
+0:19:54.710,0:19:55.960
+a hidden service here
+
+0:19:55.960,0:19:59.120
+so you can actually see how it works
+
+0:19:59.120,0:20:06.120
+I'll also demonstrate Tor, like I said
+
+0:20:08.800,0:20:09.770
+uh, there's some legal issues to be uhm
+
+0:20:09.770,0:20:12.450
+recognized, uh. As you can imagine, Tor may be
+forbidden in some
+
+0:20:12.450,0:20:14.880
+countries; especially totalitarian countries
+
+0:20:14.880,0:20:17.530
+which censor the Internet anyway
+
+0:20:17.530,0:20:18.719
+and uh,
+
+0:20:18.719,0:20:21.030
+you may get into trouble for using Tor
+
+0:20:21.030,0:20:25.580
+practically, anyone knows this
+
+0:20:25.580,0:20:27.580
+there can be crytpo restrictions
+
+0:20:27.580,0:20:29.070
+for example Great Britain, the uh
+
+0:20:29.070,0:20:33.200
+RIPA act, I'm not even sure what it stands for
+
+0:20:33.200,0:20:36.140
+but basically says that uh,
+
+0:20:36.140,0:20:37.510
+if the government wants,
+
+0:20:37.510,0:20:40.410
+then you have to give up your crypto keys
+
+0:20:40.410,0:20:42.910
+so they can decrypt it later
+
+0:20:42.910,0:20:47.860
+and uh, yeah, it's not...
+
+0:20:47.860,0:20:50.010
+and it's actually last week was the first case
+
+0:20:50.010,0:20:52.890
+when this was actually used in
+
+0:20:52.890,0:20:56.600
+Great Britain
+
+0:20:56.600,0:21:00.720
+uh, there can be special laws like in Germany
+
+0:21:00.720,0:21:03.480
+sort of like a hacker paragraph
+
+0:21:03.480,0:21:06.990
+just a nickname, it has some cryptic legal name
+
+0:21:06.990,0:21:07.940
+uh, in reality
+
+0:21:07.940,0:21:11.090
+and it says that uh
+
+0:21:11.090,0:21:14.570
+you're liable if you, uh,
+
+0:21:14.570,0:21:17.360
+if you give people access to tools
+
+0:21:17.360,0:21:20.020
+that they can use to uh,
+
+0:21:20.020,0:21:22.270
+well, to do illegal stuff.
+
+0:21:22.270,0:21:23.630
+More or less.
+
+0:21:23.630,0:21:27.080
+It's really uh,
+
+0:21:27.080,0:21:29.080
+not concrete and no one really...
+
+0:21:29.080,0:21:30.440
+it could uh,
+
+0:21:30.440,0:21:31.929
+it could
+
+0:21:31.929,0:21:36.669
+restrict anything. From a map to a
+
+0:21:36.669,0:21:39.210
+to God know what? Network tools.
+
+0:21:39.210,0:21:40.880
+and uh
+
+0:21:40.880,0:21:43.559
+But it was actually, it was actually passed so no one
+really knows
+
+0:21:43.559,0:21:45.510
+what's the, uhm
+
+0:21:45.510,0:21:46.490
+what's really
+
+0:21:46.490,0:21:50.260
+restrict by it. So Tor could be restricted
+
+0:21:50.260,0:21:55.590
+by it, because it could really enable people to do
+illegal stuff,
+
+0:21:55.590,0:21:58.640
+but no one really knows
+
+0:21:58.640,0:22:00.990
+and uh, the biggest Tor
+
+0:22:00.990,0:22:02.250
+problems
+
+0:22:02.250,0:22:07.480
+that, uh
+
+0:22:07.480,0:22:10.180
+when uh, when it actually gets sent to a Tor network
+
+0:22:10.180,0:22:13.210
+the uh, the
+
+0:22:13.210,0:22:14.669
+IP address that
+
+0:22:14.669,0:22:16.210
+gets sent
+
+0:22:16.210,0:22:17.220
+well that's what the destination server
+
+0:22:17.220,0:22:19.090
+actually sees
+
+0:22:19.090,0:22:21.200
+is one of the exit nodes.
+
+0:22:21.200,0:22:22.380
+So when, uh
+
+0:22:22.380,0:22:23.740
+when a client
+
+0:22:23.740,0:22:26.090
+actually causes trouble,
+
+0:22:26.090,0:22:26.950
+then the one
+
+0:22:26.950,0:22:29.790
+that gets into trouble
+
+0:22:29.790,0:22:32.460
+is the exit nodes provider. And uh,
+
+0:22:32.460,0:22:33.560
+so stuff that gets done
+
+0:22:33.560,0:22:38.620
+for torment purpose like sending ransom mails or uh,
+
+0:22:38.620,0:22:40.480
+distributing illegal stuff
+
+0:22:40.480,0:22:42.040
+and it, this all happened
+
+0:22:42.040,0:22:43.500
+and, if you are
+
+0:22:43.500,0:22:46.460
+unlucky as an exit node operator
+
+0:22:46.460,0:22:47.109
+your server gets seized or something
+
+0:22:47.109,0:22:52.059
+and uh,
+
+0:22:52.059,0:22:55.530
+that's random stuff that can happen
+
+0:22:55.530,0:22:56.540
+though, uh,
+
+0:22:56.540,0:22:59.559
+as an exit nodes provider you can get
+
+0:22:59.559,0:23:03.690
+letters from Law Enforcement entities, and uh
+
+0:23:03.690,0:23:05.649
+What are you doing there?
+
+0:23:05.649,0:23:06.830
+Maybe some illegal stuff?
+
+0:23:06.830,0:23:10.040
+And you have to explain to them that you are
+
+0:23:10.040,0:23:12.260
+providing Tor server
+
+0:23:12.260,0:23:13.980
+it wasn't you
+
+0:23:13.980,0:23:15.120
+and stuff.
+
+0:23:15.120,0:23:18.020
+For example the FBI
+
+0:23:18.020,0:23:19.960
+in America
+
+0:23:19.960,0:23:23.580
+actually knows what you're talking about when you tell them
+
+0:23:23.580,0:23:24.580
+that you're using Tor...
+
+0:23:24.580,0:23:26.019
+so, uh
+
+0:23:26.019,0:23:26.600
+they won't bother.
+
+0:23:26.600,0:23:28.810
+But in Germany the uh,
+
+0:23:28.810,0:23:34.830
+Law Enforcement agencies, actually are, so so
+
+0:23:34.830,0:23:41.440
+depends on what kind of guy you're actually talking to
+
+0:23:41.440,0:23:47.120
+So what's... what kind of role plays FreeBSD here?
+
+0:23:47.120,0:23:51.880
+uh, FreeBSD is really well suited as a Tor node, uh
+
+0:23:51.880,0:23:55.490
+when you're operating the client you just want to use the
+network, uh
+
+0:23:55.490,0:23:57.830
+it doesn't matter what kind of system you use
+
+0:23:57.830,0:23:59.150
+and it shouldn't matter
+
+0:23:59.150,0:24:00.830
+There's one of the, uh
+
+0:24:00.830,0:24:03.130
+like I said earlier one of the design
+
+0:24:03.130,0:24:05.500
+criteria of Tor
+
+0:24:05.500,0:24:08.610
+so it doesn't matter if you're using Windows or FreeBSD.
+
+0:24:08.610,0:24:09.929
+But if you're using the Tor
+
+0:24:09.929,0:24:14.290
+as actually uh,
+
+0:24:14.290,0:24:17.320
+the security of other depends on your node
+
+0:24:17.320,0:24:20.690
+and uh,
+
+0:24:20.690,0:24:22.950
+when you're operating a node is important to
+
+0:24:22.950,0:24:25.310
+have Operational Security
+
+0:24:25.310,0:24:25.980
+and Jails
+
+0:24:25.980,0:24:27.550
+are really great for this,
+
+0:24:27.550,0:24:29.980
+so you can run a Tor server in Jail.
+
+0:24:29.980,0:24:32.950
+It's also Disk and Swap encryption
+
+0:24:32.950,0:24:38.010
+which is important, especialy the swap encryption. And uh,
+
+0:24:38.010,0:24:39.390
+there's also audit
+
+0:24:39.390,0:24:40.740
+and the mac framework
+
+0:24:40.740,0:24:43.780
+when you want to run your installation
+
+0:24:43.780,0:24:46.220
+What's also nice,
+
+0:24:46.220,0:24:46.659
+Tor servers do a lot of public key encryption
+
+0:24:46.659,0:24:48.440
+and it's pretty slow
+
+0:24:48.440,0:24:49.480
+so it's great to have
+
+0:24:49.480,0:24:54.750
+hardware acceleration for this.
+
+0:24:54.750,0:24:56.160
+And uh, probably the biggest feature:
+
+0:24:56.160,0:25:03.160
+Well maintained Tor-related ports.
+
+0:25:04.060,0:25:07.390
+There is the main port, security Tor
+
+0:25:07.390,0:25:11.370
+Which is a client and server if you want to run
+
+0:25:11.370,0:25:13.610
+a network node, or just a client.
+
+0:25:13.610,0:25:15.210
+There's Tor level
+
+0:25:15.210,0:25:16.450
+and these are really up to date, uhm
+
+0:25:16.450,0:25:22.830
+Tor development happens really fast
+
+0:25:22.830,0:25:23.710
+and ports get updated
+
+0:25:23.710,0:25:30.710
+pretty soon after a release is made.
+
+0:25:32.050,0:25:39.050
+There's Privoxy, which is an uhm web proxy and uhm,
+we'll use it later when we do the demonstration
+
+0:25:41.320,0:25:44.310
+And there's net management Vidalia which is a
+graphical content
+
+0:25:44.310,0:25:47.200
+also for Windows
+
+0:25:47.200,0:25:48.260
+and, uhm
+
+0:25:48.260,0:25:53.929
+there's trans-proxy Tor
+
+0:25:53.929,0:25:58.650
+which enables you to actually
+
+0:25:58.650,0:25:59.560
+uhm, well there's some
+
+0:25:59.560,0:26:02.080
+badly written applications out there
+
+0:26:02.080,0:26:05.280
+that do stuff that's
+
+0:26:05.280,0:26:07.510
+that makes it hard for Tor to
+
+0:26:07.510,0:26:08.860
+run with them
+
+0:26:08.860,0:26:10.810
+and you can use trans-proxy Tor
+
+0:26:10.810,0:26:15.510
+to tunnel such connections through the Tor network.
+
+0:26:15.510,0:26:20.580
+We'll actually talk about them in the next slide.
+
+0:26:20.580,0:26:24.960
+Yeah. What else do you need to take care of
+besides running Tor?
+
+0:26:24.960,0:26:27.130
+Uh, there's name resolution, uh...
+
+0:26:27.130,0:26:28.760
+Some applications just
+
+0:26:28.760,0:26:30.500
+bypass the configured proxy
+
+0:26:30.500,0:26:34.500
+for example FireFox versions below version 1.5,
+
+0:26:34.500,0:26:35.700
+which send every data,
+
+0:26:35.700,0:26:38.320
+all data through the proxy
+
+0:26:38.320,0:26:38.909
+but not
+
+0:26:38.909,0:26:40.880
+DNS requests
+
+0:26:40.880,0:26:44.380
+so they actually result in mistrust
+
+0:26:44.380,0:26:46.450
+and uh, so yeah
+
+0:26:46.450,0:26:49.280
+the connection is actually anonymized
+
+0:26:49.280,0:26:51.080
+but the DNS server
+
+0:26:51.080,0:26:52.250
+really knows
+
+0:26:52.250,0:26:53.870
+uh, who you were talking to
+
+0:26:53.870,0:27:00.870
+and this is really the intention of Tor, but uh,
+newer versions actually takes.
+
+0:27:03.130,0:27:04.240
+Uh, there's the usual
+
+0:27:04.240,0:27:09.990
+cookies, web-bugs, referrer and stuff, uhm
+
+0:27:09.990,0:27:11.800
+which uh,
+
+0:27:11.800,0:27:13.530
+sites can use to check which
+
+0:27:13.530,0:27:20.530
+websites you're visiting, and it's just the
+usual disabling stuff
+
+0:27:20.549,0:27:23.250
+Privoxy is a great tool to
+
+0:27:23.250,0:27:28.160
+normalize HTTP traffic.
+
+0:27:28.160,0:27:30.010
+And it's also great to uhm, well filter off advertising
+
+0:27:30.010,0:27:36.370
+and stuff.
+
+0:27:36.370,0:27:38.660
+This should be really obvious
+
+0:27:38.660,0:27:41.110
+but apparently is not. Uhm,
+
+0:27:41.110,0:27:43.770
+There's so many people who don't realize
+
+0:27:43.770,0:27:44.700
+that the last connection
+
+0:27:44.700,0:27:46.380
+chain is actually unencrypted
+
+0:27:46.380,0:27:50.900
+if you're using, uh
+
+0:27:50.900,0:27:53.250
+if you're not using a secure protocol.
+
+0:27:53.250,0:27:54.100
+So,
+
+0:27:54.100,0:27:56.440
+people actually uhm,
+
+0:27:56.440,0:27:59.430
+get their mail through POP3 or something
+
+0:27:59.430,0:28:04.870
+and the exit nodes can just run desniff and sniff
+out all the passwords.
+
+0:28:04.870,0:28:11.870
+And it's really surprising how many people uh, do this.
+
+0:28:13.450,0:28:16.700
+So, lesson learned: use secure protocol.
+
+0:28:16.700,0:28:18.220
+There are also other services that require
+
+0:28:18.220,0:28:20.630
+registration, for example,
+
+0:28:20.630,0:28:22.040
+with your e-mail address or
+
+0:28:22.040,0:28:23.640
+personal
+
+0:28:23.640,0:28:25.360
+data
+
+0:28:25.360,0:28:27.590
+and uh, well
+
+0:28:27.590,0:28:28.620
+if you're using Tor and you
+
+0:28:28.620,0:28:35.620
+actually log on to one of those services, Tor can help you
+
+0:28:40.850,0:28:42.440
+So, once I actually demonstrate how
+
+0:28:42.440,0:28:49.440
+this all works.
+
+0:29:13.550,0:29:15.520
+Uh, I've installed Tor and
+
+0:29:15.520,0:29:22.520
+Privoxy on this system
+
+0:29:24.810,0:29:27.180
+the config files are on the usual places.
+
+0:29:27.180,0:29:34.180
+And if you read this, this little.. small.. Is this alright?
+
+0:29:46.950,0:29:50.600
+So there is this Tor I see sample file
+
+0:29:50.600,0:29:57.600
+which we can use
+
+0:30:07.020,0:30:08.370
+so this
+
+0:30:08.370,0:30:10.340
+there's the usual commands and stuff
+
+0:30:10.340,0:30:11.030
+and this,
+
+0:30:11.030,0:30:15.720
+much stuff that we don't need for the moment
+
+0:30:15.720,0:30:19.840
+there's this uh,
+
+0:30:19.840,0:30:24.220
+SOCKS port and SOCKS listen address information
+
+0:30:24.220,0:30:31.220
+that's the
+
+0:30:32.770,0:30:34.659
+tells you where to connect your uh,
+
+0:30:34.659,0:30:36.679
+your proxy to
+
+0:30:36.679,0:30:38.200
+so this is the information that we use in Privoxy to
+
+0:30:38.200,0:30:41.450
+access Tor.
+
+0:30:41.450,0:30:42.190
+Uhm,
+
+0:30:42.190,0:30:45.320
+all we have to do to actually use Tor is
+
+0:30:45.320,0:30:48.970
+copy over the config file.
+
+0:30:48.970,0:30:55.970
+Start the service
+
+0:31:04.110,0:31:10.570
+so, it tells us it's running... Now we have to
+
+0:31:10.570,0:31:12.350
+take a look at Privoxy
+
+0:31:20.880,0:31:25.120
+There's also lots of stuff that we don't need
+right now
+
+0:31:25.120,0:31:30.360
+What we need is the uh,
+
+0:31:30.360,0:31:31.740
+we need to tell
+
+0:31:31.740,0:31:33.809
+Privoxy uh,
+
+0:31:33.809,0:31:40.809
+where to send connections requests.
+
+0:31:51.740,0:31:53.659
+Ok, I've actually entered this earlier
+
+0:31:53.659,0:31:54.860
+uhm,
+
+0:31:54.860,0:31:58.700
+all it says is uh,
+
+0:31:58.700,0:32:03.490
+forward all requests to
+
+0:32:03.490,0:32:10.490
+the uh, SOCKS client
+
+0:32:13.020,0:32:20.020
+So we just start
+
+0:32:34.120,0:32:38.870
+Ok, so we all set
+
+0:32:38.870,0:32:40.480
+Now we can just do
+
+0:32:40.480,0:32:47.480
+everything with our brother
+
+0:32:50.790,0:32:52.029
+we all started times
+
+0:32:52.029,0:32:59.029
+a bit slow on my external drive
+
+0:33:06.860,0:33:08.070
+okay, uh
+
+0:33:08.070,0:33:11.470
+proxy settings
+
+0:33:11.470,0:33:16.140
+we just put in our Privoxy server
+
+0:33:16.140,0:33:23.140
+which listens on port 3128, hopefully, or does it?
+Oh, 8108, that's it.
+
+0:33:47.360,0:33:49.060
+Ok, so every
+
+0:33:49.060,0:33:56.060
+connection we want to make should actually be routed
+through the Tor network
+
+0:33:56.820,0:33:58.880
+uhm, this is going to take a little bit,
+
+0:33:58.880,0:34:01.950
+'cause all the route selection needs to be done
+
+0:34:01.950,0:34:08.950
+all the public crypto, there's also network latency
+
+0:34:13.059,0:34:14.539
+Once the connections are actually setup
+
+0:34:14.539,0:34:17.789
+it's pretty fast, not like this
+
+0:34:17.789,0:34:21.159
+and it's uh, really dependent upon uh,
+
+0:34:21.159,0:34:21.419
+which
+
+0:34:21.419,0:34:23.059
+kind of nodes you get
+
+0:34:23.059,0:34:26.669
+if you have a node that is running a modem then,
+
+0:34:26.669,0:34:33.669
+you'll have problem, it's really slow
+
+0:34:36.099,0:34:42.989
+ok, while waiting
+
+0:34:42.989,0:34:45.319
+we can actually take a look
+
+0:34:45.319,0:34:52.319
+at how our hidden service is configured
+
+0:34:59.699,0:35:03.369
+there's some lines for the Tor config file
+
+0:35:03.369,0:35:07.439
+the routing services
+
+0:35:07.439,0:35:14.219
+Ok, so you can see here hidden services here and
+hidden service port
+
+0:35:14.219,0:35:19.369
+as I said, the hidden service is identified by a
+public key, and uh, if you
+
+0:35:19.369,0:35:22.159
+uncommand this sutff,
+
+0:35:22.159,0:35:24.999
+and uh,
+
+0:35:24.999,0:35:26.619
+we start Tor
+
+0:35:26.619,0:35:28.249
+quickly
+
+0:35:28.249,0:35:31.690
+generate a public key and put it into the start tree
+
+0:35:31.690,0:35:38.690
+and it will, uh, well it actually says to uh,
+
+0:35:40.659,0:35:47.659
+where this omni address earlier,
+
+0:35:48.549,0:35:49.539
+we'll just
+
+0:35:49.539,0:35:56.539
+route every connection through this address to this
+local nodes line
+
+0:36:02.119,0:36:07.199
+This could be the case that uh,
+
+0:36:07.199,0:36:08.640
+that an exit node
+
+0:36:08.640,0:36:11.599
+doesn't uh,
+
+0:36:11.599,0:36:18.599
+allow
+
+0:36:19.779,0:36:22.900
+Ok, this is typical that when you want to show stuff
+it doesn't work
+
+0:36:22.900,0:36:25.369
+it worked earlier, so uh, it's not the network's fault
+
+0:36:25.369,0:36:27.619
+let's uh,
+
+0:36:27.619,0:36:31.609
+back to the hidden services
+
+0:36:31.609,0:36:38.609
+So we actually need to
+
+0:36:39.230,0:36:46.230
+change this
+
+0:36:51.170,0:36:55.099
+The default directory in FreeBSD is bar/db/Tor
+
+0:36:55.099,0:36:57.909
+and uh,
+
+0:36:57.909,0:37:03.249
+and when we start Tor it will actually, uh
+
+0:37:03.249,0:37:07.499
+create the service directory
+
+0:37:07.499,0:37:11.789
+by itself. It's also a web server listening on port 80
+on localhost
+
+0:37:11.789,0:37:13.889
+so we can
+
+0:37:13.889,0:37:20.889
+and hopefully will be able to see it later on
+
+0:37:45.849,0:37:48.529
+okay, so let's see if
+
+0:37:48.529,0:37:49.679
+this stuff is already
+
+0:37:49.679,0:37:56.679
+actually created.
+
+0:38:02.829,0:38:03.790
+Ok, so you have
+
+0:38:03.790,0:38:05.069
+two parts in this directory
+
+0:38:05.069,0:38:11.650
+hostname and private key. Private key is uh,
+
+0:38:11.650,0:38:14.739
+and the hostname is actually what you give to people
+if you want to
+
+0:38:14.739,0:38:21.739
+to publish your service
+
+0:38:33.319,0:38:36.039
+this is actually less likely to work right now
+
+0:38:36.039,0:38:40.059
+because it takes some time for Tor to choose these
+
+0:38:40.059,0:38:41.639
+introduction points,
+
+0:38:41.639,0:38:44.880
+send all this stuff to directory services
+
+0:38:44.880,0:38:47.369
+it takes time for directory services to sync up
+
+0:38:47.369,0:38:54.329
+and actually distribute information to the clients
+
+0:38:54.329,0:39:00.789
+and when we want to exit the service, we actually put
+this address into the uh,
+
+0:39:00.789,0:39:03.889
+the address line, and uh,
+
+0:39:03.889,0:39:05.069
+Tor knows how to
+
+0:39:05.069,0:39:12.069
+deal with this uh, the Onion pop up domain, so uh
+
+0:39:15.410,0:39:22.410
+this usually actually works. Let's see what's going on here...
+
+0:39:33.499,0:39:35.049
+Well, like I said
+
+0:39:35.049,0:39:37.529
+this one will take a while and
+
+0:39:37.529,0:39:40.450
+what's going on with the other one? I can actually see
+
+0:39:40.450,0:39:45.039
+But uh,
+
+0:39:45.039,0:39:47.850
+usually you can just go to one of these server websites
+
+0:39:47.850,0:39:50.209
+that tell you your IP address, and
+
+0:39:50.209,0:39:52.899
+Google is a fair example
+
+0:39:52.899,0:39:56.709
+you can go to Google and Google will get you a
+
+0:39:56.709,0:40:00.589
+localized web page.
+
+0:40:00.589,0:40:02.879
+For example, when you are from Germany, and you go to
+
+0:40:02.879,0:40:04.099
+Google.com, you get a German webpage
+
+0:40:04.099,0:40:07.379
+and if you're using Tor and you go to Google,
+
+0:40:07.379,0:40:09.679
+it depends
+
+0:40:09.679,0:40:10.319
+upon where your exit point is located
+
+0:40:10.319,0:40:11.859
+for example,
+
+0:40:11.859,0:40:14.029
+if it is in the Netherlands,
+
+0:40:14.029,0:40:21.029
+you get a Dutch Google, which is uh, pretty cool.
+
+0:40:23.329,0:40:25.549
+so uh,
+
+0:40:25.549,0:40:27.419
+I'll have to take a look later
+
+0:40:27.419,0:40:28.829
+while I'm working
+
+0:40:28.829,0:40:35.829
+so let's just, continue for a moment
+
+0:40:38.569,0:40:41.009
+ok, to summarize, uh
+
+0:40:41.009,0:40:44.799
+Tor is actually useful if
+
+0:40:44.799,0:40:51.799
+you want to be hidden on the net. If it actually works.
+Not in this case, uh
+
+0:40:55.519,0:40:59.339
+Tor is usually pretty cool to offer services from anywhere
+
+0:40:59.339,0:41:00.410
+so theoretically
+
+0:41:00.410,0:41:02.509
+it should work
+
+0:41:02.509,0:41:03.549
+I should
+
+0:41:03.549,0:41:06.049
+publish my hidden services from around here
+
+0:41:06.049,0:41:10.429
+and anyone in the world that's connected to the Tor network
+can actually exit it, access it
+
+0:41:10.429,0:41:12.169
+and uh
+
+0:41:12.169,0:41:14.799
+Privoxy is a pretty cool platform for Tor
+
+0:41:14.799,0:41:18.819
+'cause it's for one, it has very nice
+
+0:41:18.819,0:41:21.779
+security features like jail
+
+0:41:21.779,0:41:23.949
+and if you want to run a Tor node
+
+0:41:23.949,0:41:25.899
+and uh,
+
+0:41:25.899,0:41:27.949
+tools like Tor are really needed
+
+0:41:27.949,0:41:28.860
+in our time
+
+0:41:28.860,0:41:35.860
+this isn't going
+
+0:41:36.599,0:41:43.599
+to get better any time soon; so uh, we better
+create the tools now
+
+0:41:45.779,0:41:52.779
+to circumvent this
+
+0:41:52.899,0:41:59.039
+Take a quick look at the uh browser again
+
+0:41:59.039,0:42:00.089
+currently the uh,
+
+0:42:00.089,0:42:02.660
+connection set up failed
+
+0:42:02.660,0:42:04.070
+which I can't do anything about right now.
+
+0:42:04.070,0:42:11.070
+uh, which one?
+
+0:42:23.089,0:42:25.629
+Oh, that's all me
+
+0:42:25.629,0:42:27.539
+uhm
+
+0:42:27.539,0:42:30.249
+it depends upon
+
+0:42:30.249,0:42:33.140
+you can use any port you like
+
+0:42:33.140,0:42:34.539
+depend on uh,
+
+0:42:34.539,0:42:39.279
+what port the nodes use. Nodes can use any port
+
+0:42:39.279,0:42:42.259
+for example, when I don't want to run nodes
+
+0:42:42.259,0:42:44.109
+I can put it on pause
+
+0:42:44.109,0:42:45.679
+port 80 if you want
+
+0:42:45.679,0:42:47.470
+so anyone who uh
+
+0:42:47.470,0:42:49.219
+who has uh
+
+0:42:49.219,0:42:50.979
+HTTP access can actually access my node
+
+0:42:53.009,0:42:56.529
+so uh
+
+0:42:56.529,0:43:01.299
+yet in theory uh
+
+0:43:01.299,0:43:05.959
+you can use any port you like.
+
+0:43:05.959,0:43:12.009
+So, this isn't going to work.
+
+0:43:12.009,0:43:13.519
+Maybe I'll just uh,
+
+0:43:13.519,0:43:20.519
+if anyone is interested, I'll just try again later
+
+0:43:33.089,0:43:34.680
+That's port 80
+
+0:43:34.680,0:43:39.369
+it's a you know, HTTP connection so,
+
+0:43:39.369,0:43:42.359
+So, are there any questions?
+
+0:43:42.359,0:43:49.359
+Yes?
+
+0:44:06.140,0:44:08.689
+Well, usually I use Opera, so
+
+0:44:08.689,0:44:13.679
+a
+
+0:44:13.679,0:44:15.659
+I didn't know
+
+0:44:26.839,0:44:28.970
+Yes, there are about 300 uh,
+
+0:44:32.879,0:44:35.040
+I think about
+
+0:44:35.040,0:44:39.759
+300 Tor servers around the world
+
+0:44:39.759,0:44:43.349
+No, it's uh correct
+
+0:44:43.349,0:44:47.119
+at the moment there are three directory servers
+
+0:44:47.119,0:44:49.579
+worldwide
+
+0:44:49.579,0:44:51.630
+you can recognize them by their public key
+
+0:44:51.630,0:44:52.909
+and their public keys are
+
+0:44:52.909,0:44:56.119
+hard coded into the source code at the moment
+
+0:44:56.119,0:44:58.799
+so, the uh
+
+0:44:58.799,0:45:01.499
+Tor developers actually run those directory servers
+
+0:45:01.499,0:45:08.499
+but this is really crypto infrastucture
+
+0:45:11.729,0:45:12.719
+uhm
+
+0:45:12.719,0:45:14.729
+Well it's it's hard to say
+
+0:45:14.729,0:45:16.219
+'cause the question was uh
+
+0:45:16.219,0:45:21.799
+Were there any estimates on uh,
+
+0:45:21.799,0:45:26.489
+net usage and other stuff
+
+0:45:26.489,0:45:31.730
+it's really hard to say because it's an anonymization
+network so uh,
+
+0:45:31.730,0:45:32.999
+you can't say for sure, but there are estimates of
+one hundred thousand users around the world
+
+0:45:32.999,0:45:36.949
+and uh, I'm not sure of the traffic.
+
+0:45:36.949,0:45:39.219
+I used to run a middleman node,
+
+0:45:39.219,0:45:40.369
+and in one monthm
+
+0:45:40.369,0:45:42.699
+it would make
+
+0:45:42.699,0:45:43.849
+it was on a one hundred megabits
+
+0:45:43.849,0:45:45.359
+or dedicated line,
+
+0:45:45.359,0:45:47.249
+and it made about one terabyte of traffic
+
+0:45:47.249,0:45:49.459
+so it's a lot of traffic
+
+0:45:49.459,0:45:52.449
+going on
+
+0:45:52.449,0:45:56.259
+and unfortunately also a lot of filesharing systems
+
+0:45:56.259,0:45:59.739
+which it doesn't relly make sense 'cause they're slow
+
+0:45:59.739,0:46:00.570
+so uhm,
+
+0:46:00.570,0:46:01.609
+Tor is really cool
+
+0:46:01.609,0:46:03.359
+for web browsing and stuff
+
+0:46:03.359,0:46:10.359
+but if you really want to move a lot of data it's
+not a good tool
+
+0:46:10.759,0:46:11.479
+ah, any other questions? Doesn't seem to be the case. Ok!
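Review bot: a few cues in this caption file invert the speaker's security point and should be re-checked against the audio before this is committed. "and this is really the intention of Tor, but uh, newer versions actually takes." at 0:26:53 follows cues describing a DNS leak that defeats Tor, so it almost certainly reads "not the intention", and the sentence is cut off; "actually log on to one of those services, Tor can help you" at 0:28:28 closes an argument that registering with personal data defeats anonymity, i.e. Tor can't help; and "so they actually result in mistrust" at 0:26:40 is unclear where the context is DNS requests bypassing the proxy. A second pass on misheard technical names would also help anyone following the demo: "Tor I see sample file" (the torrc.sample file), "bar/db/Tor" (/var/db/tor), "desniff" (dsniff), "uncommand this sutff" (uncomment), "omni address" (onion address), "everything with our brother" (browser), "Tor level" (likely the tor-devel port), and "Oh, 8108, that's it." (Privoxy's default listen port is 8118). In the summary, "Privoxy is a pretty cool platform for Tor" followed by "security features like jail" refers to FreeBSD, not Privoxy, since jail is the FreeBSD feature named earlier in the talk. Minor spelling: "especialy", "monthm", "relly", "infrastucture". The target path "brueffer-torprvacy.sbv" also looks like it drops the "i" in "privacy"; worth confirming that is intended, since the other caption paths in this commit use full words.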
diff --git a/en_US.ISO8859-1/captions/2007/nycbsdcon/dixon-bsdisdying.sbv b/en_US.ISO8859-1/captions/2007/nycbsdcon/dixon-bsdisdying.sbv
new file mode 100644
index 0000000000..e3ff5ee343
--- /dev/null
+++ b/en_US.ISO8859-1/captions/2007/nycbsdcon/dixon-bsdisdying.sbv
@@ -0,0 +1,943 @@
+0:00:07.329,0:00:13.679
+You're here, Bob, of course. Bob is hot. Bob is very hot.
+
+0:00:13.679,0:00:14.679
+Welcome to BSD is Dying.
+
+0:00:14.679,0:00:15.779
+No, it's not dead yet,
+
+0:00:15.779,0:00:16.529
+we're getting there.
+
+0:00:16.529,0:00:18.949
+Anybody out here last year?
+
+0:00:18.949,0:00:24.939
+Okay. I gave a really bad talk on pf, so and I
+appreciate Bob coming out and correcting me this year.
+
+0:00:24.939,0:00:28.550
+Anyways, we should go and get started.
+
+0:00:28.550,0:00:33.560
+BSD is Dying.
+
+0:00:33.560,0:00:35.820
+What is BSD?
+
+0:00:35.820,0:00:40.150
+I think most of us know, BSD is a derivative of UNIX.
+
+0:00:40.150,0:00:41.630
+Okay, what is UNIX?
+
+0:00:41.630,0:00:44.300
+UNIX is an
+
+0:00:44.300,0:00:45.260
+operating system.
+
+0:00:45.260,0:00:48.000
+What is an operating system?
+
+0:00:48.000,0:00:53.930
+It runs computers.
+
+0:00:53.930,0:00:56.610
+But, what is a computer?
+
+0:00:56.610,0:01:03.610
+It helps users accomplish tasks. What is a user?
+A user is somebody biped like
+
+0:01:07.409,0:01:10.600
+biped that stands up right sort of like me.
+
+0:01:10.600,0:01:14.280
+Who am I? My name is Jason Dixon.
+
+0:01:14.280,0:01:18.000
+First and foremost, a SysAdmin. I like to work on networks,
+
+0:01:18.000,0:01:18.590
+firewalls. I like to tweak.
+
+0:01:18.590,0:01:21.350
+No. Yes.
+
+0:01:21.350,0:01:27.630
+I'm a programmer, sort of. I enjoy
+
+0:01:27.630,0:01:28.960
+Perl, Postgres,
+
+0:01:28.960,0:01:30.820
+on Apache
+
+0:01:30.820,0:01:34.150
+servers. I'm a consultant here. I'm an employee
+
+0:01:34.150,0:01:38.920
+here, and a lover of
+
+0:01:38.920,0:01:40.150
+BSD.
+
+0:01:40.150,0:01:42.050
+Why am I here?
+
+0:01:42.050,0:01:46.970
+That’s the question I've been asking myself all along.
+
+0:01:46.970,0:01:48.630
+To talk about why BSD is dying.
+
+0:01:48.630,0:01:52.380
+Sex, and greed.
+
+0:01:52.380,0:01:59.380
+Someone kick these guys out.
+
+0:02:00.410,0:02:05.470
+Okay. So again, what is BSD? What is UNIX?
+What is an operating system? What is a computer?
+
+0:02:05.470,0:02:12.470
+Computer is a device that computes, especially a
+programmable electronic machine that performs high-speed
+mathematical or logical operations or that assembles,
+stores, correlates, or
+
+0:02:13.900,0:02:14.390
+otherwise processes
+
+0:02:14.390,0:02:15.529
+information.
+
+0:02:15.529,0:02:19.090
+This is a computer. This is also known as a
+
+0:02:19.090,0:02:22.459
+computer. This is a really big computer.
+
+0:02:22.459,0:02:28.309
+This is a fake computer, and sometimes, just can, well, compute
+
+0:02:28.309,0:02:31.339
+But what does a computer really do?
+
+0:02:31.339,0:02:33.729
+All right, it helps us write documents,
+
+0:02:33.729,0:02:40.729
+shopping lists. Sometimes, it can even delete documents.
+It helps us work with emails,
+
+0:02:42.050,0:02:46.749
+surf the Web, movies,
+
+0:02:46.749,0:02:48.769
+and listen to music.
+
+0:02:48.769,0:02:50.409
+Oh, and yes, games.
+
+0:02:50.409,0:02:53.959
+How? How does the computer let us do these
+
+0:02:53.959,0:02:56.569
+things? Well, it takes the work
+
+0:02:56.569,0:03:00.179
+and using the computer component, we can translate it
+into machine language
+
+0:03:00.179,0:03:01.489
+that is the foundation
+
+0:03:01.489,0:03:07.999
+for kernel, libraries, userland applications,
+otherwise known as operating system.
+
+0:03:07.999,0:03:10.659
+like BSD.
+
+0:03:10.659,0:03:12.619
+What is a kernel?
+
+0:03:12.619,0:03:16.439
+It's a wonderful thing, it allows
+
+0:03:16.439,0:03:23.439
+The management and processes of memory, peripheral devices,
+and by extension, allows us to do networking, security,
+
+0:03:23.540,0:03:26.639
+work with disks and file systems, user interfaces,
+userland applications,
+
+0:03:26.639,0:03:33.619
+people can write documents, check email, surf the Web,
+watch movies, listen to music, and play games.
+
+0:03:33.619,0:03:38.209
+and much, much more.
+
+0:03:38.209,0:03:41.009
+So, in summary, BSD
+
+0:03:41.009,0:03:44.150
+is a UNIX-derived operating system
+
+0:03:44.150,0:03:51.150
+enables users to harness the power of a computer to process
+information. It uses the kernel to manage processes memory,
+and peripheral devices. And by extension, we can perform
+
+0:03:51.730,0:03:58.149
+networking, enforce security, read from and write to storage
+devices, and interface visually to applications like text
+editors, mail clients, Web browsers, multimedia players, and
+
+0:03:58.149,0:04:05.149
+games.
+
+0:04:05.509,0:04:09.199
+In the beginning, I'm going to try and breeze through this,
+people
+
+0:04:09.199,0:04:10.970
+The Holy
+
+0:04:10.970,0:04:15.369
+Trinity – MIT, Bell Labs, and GE created
+a systems called Multics.
+
+0:04:15.369,0:04:18.750
+This is a nice flash from the past.
+
+0:04:18.750,0:04:20.650
+Life was good.
+
+0:04:20.650,0:04:21.639
+No. No.
+
+0:04:21.639,0:04:22.849
+Actually, it
+
+0:04:22.849,0:04:24.970
+wasn’t. The Multics was a commercial
+
+0:04:24.970,0:04:29.690
+failure. So, a couple of gentlemen like Ken Thompson and
+Dennis Ritchie
+
+0:04:29.690,0:04:34.539
+[xx] support, like to play games. They worked at Bell Labs
+and they had this game called
+
+0:04:34.539,0:04:36.470
+Space Travel, which performed really
+
+0:04:36.470,0:04:40.500
+really badly. So, what's…actually, I'm sorry
+
+0:04:40.500,0:04:43.639
+it ran on a PDP-7.
+
+0:04:43.639,0:04:48.989
+What is an assembly programmer to do when a game
+doesn’t work properly on the star board? He moves
+
+0:04:48.989,0:04:53.240
+it. So, in 1969, Ken Thompson
+
+0:04:53.240,0:04:53.969
+and
+
+0:04:53.969,0:04:58.620
+Sorry, came out with the Uniplexed Information
+
+0:04:58.620,0:05:01.270
+and Computing System. It was capable of supporting
+
+0:05:01.270,0:05:02.499
+a number of users
+
+0:05:02.499,0:05:04.189
+up to two.
+
+0:05:05.239,0:05:07.100
+And by
+
+0:05:07.100,0:05:11.949
+1970, UNIX was officially known as U-N-I-X
+
+0:05:11.949,0:05:14.759
+It ran on a PDP1145
+
+0:05:14.759,0:05:17.929
+and was capable of text processing
+
+0:05:17.929,0:05:21.019
+and had utilities like roff and a text editor.
+
+0:05:21.019,0:05:22.409
+for the purpose of
+
+0:05:22.409,0:05:24.210
+patents. By
+
+0:05:24.210,0:05:28.929
+1973, they rewrote UNIX and a programming language called
+
+0:05:28.929,0:05:33.340
+C which allowed AT&T to make the source code available
+to let other
+
+0:05:33.340,0:05:35.650
+people run it on their systems.
+
+0:05:35.650,0:05:40.110
+By 1974, a gentleman by the name of Bob Fabry,
+who was at the University
+
+0:05:40.110,0:05:42.079
+of Cal Berkeley in their Computer Science Department
+
+0:05:42.079,0:05:44.940
+bought a copy of UNIX for $99.
+
+0:05:44.940,0:05:47.710
+to run their PDP-11.
+
+0:05:47.710,0:05:52.850
+By 1977, a gentleman named Bill Joy, a graduate
+
+0:05:52.850,0:05:55.569
+student, distributed the Berkeley Software
+
+0:05:55.569,0:05:56.979
+Distribution as
+
+0:05:56.979,0:06:02.590
+1BSD. It was on a tape media that contained the PASCAL
+
+0:06:02.590,0:06:04.270
+compiler, the ex editor, and
+
+0:06:04.270,0:06:09.289
+by 1978, it was known as 2BSD with
+
+0:06:09.289,0:06:10.179
+vi, csh, and the list
+
+0:06:10.179,0:06:11.549
+goes on.
+
+0:06:11.549,0:06:17.030
+By 4BSD, we had job control, delivermail,
+
+0:06:17.030,0:06:21.339
+precursor to sendmail, curses, libraries. 1981,
+
+0:06:21.339,0:06:24.750
+4.1BSD, this one, we are recorded through VAX
+
+0:06:24.750,0:06:30.539
+4.1BSD addressed memory performance issues with UNIX on VAX
+
+0:06:30.539,0:06:34.159
+1983, 4.2BSD uses TCP/IP from BBN,
+
+0:06:34.159,0:06:36.990
+and also the Berkeley Fast File System from the
+
+0:06:36.990,0:06:39.219
+gentleman, Kirk McKusick,
+
+0:06:39.219,0:06:44.100
+who also brought us the original BSD mascot.
+
+0:06:44.100,0:06:49.280
+In 1986, 4.3BSD introduced performance improvements
+over 4.2BSD
+
+0:06:49.280,0:06:53.299
+By 1988, we had a list called 4.3BSD-Tahoe
+
+0:06:53.299,0:06:57.180
+originally intended to run on the Power 6/32
+“Tahoe” platform.
+
+0:06:57.180,0:07:00.160
+That platform actually never came to fruition
+
+0:07:00.160,0:07:04.280
+but it did allow us to extract some of the
+machine-independent
+
+0:07:04.280,0:07:07.240
+code which allowed it to become portable much later on.
+
+0:07:07.240,0:07:09.050
+By 1989, there was
+
+0:07:09.050,0:07:10.810
+Net/1, which separated the networking code
+
+0:07:10.810,0:07:14.349
+from the AT&T UNIX code
+
+0:07:14.349,0:07:17.399
+allowing for a permissive BSD license
+
+0:07:17.399,0:07:20.479
+By 1990, 4.3BSD-Reno
+
+0:07:20.479,0:07:24.770
+introduced the MACH virtual files, MACH virtual
+
+0:07:24.770,0:07:27.189
+memory system, Sun-compatible NFS
+
+0:07:27.189,0:07:30.939
+However, it was known as a real
+
+0:07:30.939,0:07:34.119
+gamble, hence the Reno moniker.
+
+0:07:34.119,0:07:36.690
+By 1991, we had
+
+0:07:36.690,0:07:40.280
+Net/2 where all AT&T code and utilities were
+replaced or removed
+
+0:07:40.280,0:07:44.439
+and ran on the Intel 386
+
+0:07:44.439,0:07:47.360
+and it became the basis for the 386BSD
+
+0:07:47.360,0:07:50.840
+and BSD/386 releases.
+
+0:07:50.840,0:07:52.870
+A gentleman by the name of Bill Jolitz
+
+0:07:52.870,0:07:54.880
+behind 386
+
+0:07:54.880,0:07:58.169
+BSD release, which eventually became the foundation for
+
+0:07:58.169,0:07:59.849
+FreeBSD and NetBSD.
+
+0:07:59.849,0:08:02.250
+And the
+
+0:08:02.250,0:08:09.250
+BSD3, I'm sorry, the 386BSD, which later on became
+BSD/OS by BSDI
+
+0:08:09.659,0:08:14.599
+Exodus. Back in 1992, a wholly own subsidiary of
+
+0:08:14.599,0:08:18.699
+AT&T called Unix System Laboratories
+
+0:08:18.699,0:08:20.389
+decided to go after
+
+0:08:20.389,0:08:22.539
+BSDI for
+
+0:08:22.539,0:08:25.249
+I'm sorry,
+
+0:08:25.249,0:08:26.860
+in New
+
+0:08:26.860,0:08:33.139
+Jersey, as for an injunction against him due to various
+what they consider proprietary
+
+0:08:33.139,0:08:34.650
+code in the
+
+0:08:34.650,0:08:35.960
+BSD.
+
+0:08:35.960,0:08:40.200
+This was one of their advertising and again, they used
+this as the basis for the
+
+0:08:40.200,0:08:42.150
+lawsuit. I have
+
+0:08:42.150,0:08:44.640
+no idea what that’s for.
+
+0:08:44.640,0:08:47.660
+
+
+0:08:47.660,0:08:52.440
+Net/2 was basically, I'm sorry
+
+0:08:52.440,0:08:55.809
+the three BSDIs version of BSD OS is basically Net/2
+
+0:08:55.809,0:08:58.239
++ 6 files that they had version from
+
+0:08:58.239,0:09:00.540
+Bill Jolitz’s 386
+
+0:09:00.540,0:09:05.030
+BSD. The lawsuit was, I'm sorry, the court settlement was
+
+0:09:05.030,0:09:09.020
+ruled over by a judge who denied the injunction
+
+0:09:09.020,0:09:11.469
+and asked them to narrow their
+
+0:09:11.469,0:09:15.650
+complaint to recent California copyrights
+and the possibility of the loss of
+
+0:09:15.650,0:09:19.299
+trade secrets. He also did a really great thing
+for BSD is that he hinted,
+
+0:09:19.299,0:09:21.829
+that…actually by this
+
+0:09:21.829,0:09:25.770
+point, the lawsuit with California Berkeley had been
+also added into the
+
+0:09:25.770,0:09:29.030
+lawsuit. Well, he gave a hint to bring the case to the state
+
+0:09:29.030,0:09:30.160
+court. So,
+
+0:09:30.160,0:09:36.110
+BSD laywers were pretty smart over at Cal and they decided
+to make a run over to the state court by the next
+
+0:09:36.110,0:09:38.690
+Monday to file a countersuit
+
+0:09:38.690,0:09:39.390
+against USL,
+
+0:09:39.390,0:09:43.250
+in the state of California.
+
+0:09:43.250,0:09:46.280
+Soon after USL went up for
+
+0:09:46.280,0:09:49.070
+sale, and it was bought by Novell
+
+0:09:49.070,0:09:53.860
+A gentleman, Ray Noorda, the CEO
+
+0:09:53.860,0:09:58.730
+at Novell, agreed to a settlement at this point because
+they understood that there was
+
+0:09:58.730,0:10:01.060
+no copyright infringement in the
+
+0:10:01.060,0:10:03.510
+code. So, basically,
+
+0:10:03.510,0:10:05.850
+the lawsuit was settled out of court
+
+0:10:05.850,0:10:07.150
+in secret for ten years.
+
+0:10:07.150,0:10:08.870
+In 2004,
+
+0:10:11.490,0:10:14.990
+done with the actual settlement
+
+0:10:14.990,0:10:16.120
+was and really sit.
+
+0:10:16.120,0:10:17.910
+And,
+
+0:10:17.910,0:10:19.560
+USL, AT&T and
+
+0:10:19.560,0:10:20.550
+Novell sort of
+
+0:10:20.550,0:10:22.190
+was embarrassed,
+
+0:10:22.190,0:10:27.060
+which ended up resulting in two distinct releases
+
+0:10:27.060,0:10:32.990
+4.4BSD, there is an encumbered version and had USL license
+
+0:10:32.990,0:10:37.490
+and AT&T code, and 4.4BSD-Lite, which was completely
+unencumbered
+
+0:10:37.490,0:10:39.460
+and became the
+
+0:10:39.460,0:10:40.600
+foundation for
+
+0:10:40.600,0:10:43.470
+a FreeBSD.
+
+0:10:43.470,0:10:47.500
+NetBSD, I'm sorry, FreeBSD
+
+0:10:49.150,0:10:55.670
+FreeBSD, people with background, only different BSDs
+that came out of 386BSD
+
+0:10:55.670,0:11:00.900
+It runs on Intel x86, Itanium, AMD64, Alpha, Sun Ultra
+
+0:11:00.900,0:11:05.149
+SPARC and it gives us the neat features of jail, which
+most of us are familiar with,
+
+0:11:05.149,0:11:07.420
+mandatory access control as MACH
+
+0:11:07.420,0:11:10.830
+and historically, had a very strong TCP/
+
+0:11:10.830,0:11:11.750
+IP and SMP performance.
+
+0:11:11.750,0:11:16.150
+The original NetBSD, which also came from 386BSD
+
+0:11:18.680,0:11:22.200
+Over 50 hardware platforms from a single
+source tree
+
+0:11:22.200,0:11:25.520
+and that’s pretty much what it's known for. To be honest
+
+0:11:25.520,0:11:31.790
+I mean, I got to admit I'm an Open BSD guy, I was looking for
+a really cool and innovative features in NetBSD and I really
+
+0:11:31.790,0:11:32.329
+couldn’t find any.
+
+0:11:32.329,0:11:34.940
+Why am I hanging on this.
+
+0:11:34.940,0:11:37.160
+Sorry,
+
+0:11:37.160,0:11:39.650
+I know people are going to…
+
+0:11:39.650,0:11:46.650
+I know the NetBSD is going to get me…I can
+handle two of you. Okay? And this is
+
+0:11:48.680,0:11:51.490
+a list of the platforms that probably
+
+0:11:51.490,0:11:53.820
+including a toaster.
+
+0:11:53.820,0:11:55.000
+
+
+0:11:55.000,0:11:56.410
+OpenBSD,
+
+0:11:56.410,0:11:59.179
+this is one of the old logos, this is the new
+
+0:11:59.179,0:12:03.510
+logo. It was forked from NetBSD 1.0, we won't go
+into the history, I know
+
+0:12:03.510,0:12:08.929
+most people know it, and it's supported by about
+16 official platforms
+
+0:12:08.929,0:12:12.530
+platforms. This is about half of the most popular ones.
+
+0:12:12.530,0:12:17.570
+And it comes out with a new release every six months,
+generally, in May and November
+
+0:12:17.570,0:12:20.810
+1st, so if you haven’t already, pick a copy, it just came
+
+0:12:20.810,0:12:24.880
+out of the foil. It's unofficial model is secure by default
+
+0:12:24.880,0:12:31.880
+only what's needed is running on the default
+
+0:12:32.750,0:12:35.690
+And, some of their goals
+
+0:12:35.690,0:12:38.300
+and features - full disclosure, audits,
+
+0:12:38.300,0:12:43.950
+privsep, privilege separation & revocation, chroot jails,
+like FreeBSD,
+
+0:12:43.950,0:12:48.910
+random values wherever possible. This is probably
+
+0:12:48.910,0:12:52.180
+the most obvious example. ProPolice
+
+0:12:52.180,0:12:58.070
+Some other features that they’d given us through
+the years – PF, authpf, CARP, fsyncd,
+
+0:12:58.070,0:13:01.380
+which I think some of these are probably in the
+
+0:13:01.380,0:13:08.380
+FreeBSD by now. DragonFlyBSD was a continuation of
+FreeBSD 4.8. Again,
+
+0:13:08.760,0:13:11.160
+DragonFlyBSD was
+
+0:13:11.160,0:13:15.640
+FreeBSD 4.8 and was intended to basically
+
+0:13:15.640,0:13:21.580
+overhaul the SMP features in FreeBSD 6
+and 7,5,6, and 7.
+
+0:13:21.580,0:13:25.690
+DragonFly is another example. If you look at their goals,
+it had some really neat technological stuff.
+
+0:13:25.690,0:13:28.500
+I can't find any features that really, you
+
+0:13:28.500,0:13:31.830
+know, mean anything.
+
+0:13:31.830,0:13:33.130
+Of course,
+
+0:13:33.130,0:13:36.890
+Tiger is an old I'm sorry, OSX
+
+0:13:36.890,0:13:43.890
+It started from the Jolitz project, but it's sort of a inbred
+
+0:13:48.870,0:13:53.800
+
+
+0:13:53.800,0:13:58.350
+
+
+0:13:58.350,0:14:04.130
+That is all about, I wanted to cover kind of the present of
+where we are right now, some of the myths and truths.
+
+0:14:04.130,0:14:08.260
+Why is BSD dying? Really, that’s what the title
+
+0:14:08.260,0:14:11.750
+of the project and topic is.
+
+0:14:11.750,0:14:16.270
+Well, first, because IDC said so.
+
+0:14:16.270,0:14:21.480
+Market share for BSD is, right now, all time low, under 1%
+
+0:14:21.480,0:14:28.480
+And, of course, Netcraft confirms these findings.
+Last place in the SysAdmin networking test, so we all
+
+0:14:29.660,0:14:30.930
+know that word, we're just big losers.
+
+0:14:30.930,0:14:37.610
+Because open-source projects are giving away free software.
+I mean, we can't possibly make
+
+0:14:37.610,0:14:39.310
+money, so that, obviously, means that
+
+0:14:39.310,0:14:46.310
+we're dying. And free software is…
+
+0:14:46.390,0:14:53.390
+We know how to say this, when we came out.
+Free software equals terrorism.
+
+0:14:55.120,0:14:57.910
+
+
+0:14:57.910,0:15:04.910
+Our inability to adapt. As you can see by this graph
+
+0:15:09.630,0:15:15.980
+Let's be serious here, people.
+
+0:15:15.980,0:15:20.520
+We see Windows, I mean, the way people. Come on,
+they’ve been doing this for a number of what? 15,
+
+0:15:20.520,0:15:22.180
+20 years. Linux is second.
+
+0:15:22.180,0:15:24.349
+They actually are showing some.
+
+0:15:24.349,0:15:29.259
+We presume that someone is doing office by doing
+
+0:15:29.259,0:15:35.450
+The BSD is only for register, so we've got to work
+on that, of course
+
+0:15:35.450,0:15:37.030
+Loss of talent. Free
+
+0:15:37.030,0:15:41.410
+BSD has lost 93% of their core developers.
+
+0:15:41.410,0:15:45.300
+Okay, come on, guys, let's go.
+
+0:15:45.300,0:15:48.030
+But not all is lost.
+
+0:15:48.030,0:15:53.600
+Fortunately, a few very small companies still
+use BSD in this age.
+
+0:15:53.600,0:15:56.450
+
+
+0:15:56.450,0:16:02.590
+I know you probably have heard most of these.
+
+0:16:02.590,0:16:05.780
+Believe it or not, this is our premier
+
+0:16:05.780,0:16:12.780
+sponsor, and some other company that didn’t sponsor us
+
+0:16:16.070,0:16:17.560
+
+
+0:16:17.560,0:16:20.070
+I should just end right there.
+
+0:16:20.070,0:16:21.870
+
+
+0:16:21.870,0:16:28.130
+Seriously, though, the technological challenge that we
+have ahead of us. Virtualization, that’s a big deal
+
+0:16:28.130,0:16:29.529
+as far as the market.
+
+0:16:29.529,0:16:33.230
+Of course, developers are in the market, so,
+if that happens, that
+
+0:16:33.230,0:16:35.370
+happens. The end is really, really cool.
+
+0:16:35.370,0:16:40.150
+DRM, is obviously evil, yes, I know, I don’t care about
+
+0:16:40.150,0:16:41.690
+DRM. Ran out.
+
+0:16:41.690,0:16:43.980
+Right?
+
+0:16:43.980,0:16:45.310
+Political challenges
+
+0:16:45.310,0:16:48.710
+No, this has been hard to admit, but I can't beat
+
+0:16:48.710,0:16:50.530
+people, blobs,
+
+0:16:50.530,0:16:52.140
+binary is bad,
+
+0:16:52.140,0:16:53.140
+don’t do it
+
+0:16:53.140,0:16:56.180
+just smoke in the same crack
+
+0:16:56.180,0:16:57.540
+
+
+0:16:57.540,0:16:59.590
+NDAs
+
+0:16:59.590,0:17:01.900
+and closed documentation.
+
+0:17:01.900,0:17:06.460
+How many of us here are actual core developers for
+one of the BSDs?
+
+0:17:06.460,0:17:08.159
+Okay, the rest of us, let's help them
+
+0:17:08.159,0:17:09.420
+out
+
+0:17:09.420,0:17:10.120
+okay
+
+0:17:10.120,0:17:12.000
+get your files with your supplier,
+
+0:17:12.000,0:17:16.740
+let's get some documentation to these guys.
+
+0:17:16.740,0:17:18.159
+Because without the
+
+0:17:18.159,0:17:20.100
+diversity, we'll have
+
+0:17:20.100,0:17:22.220
+unity
+
+0:17:22.220,0:17:24.630
+and a common goal.
+
+0:17:27.420,0:17:30.090
+Thank you.
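Review bot: seven cues in this file carry no text at all (0:13:48–0:13:53, 0:13:53–0:13:58, 0:14:55–0:14:57, 0:15:53–0:15:56, 0:16:16–0:16:17, 0:16:20–0:16:21 and 0:16:56–0:16:57); drop them or fold their time ranges into a neighbouring cue so players do not flash blank captions. A few cues are visibly garbled and deserve a pass against the audio: the word is doubled across the 0:12:03 and 0:12:08 cues (`16 official platforms` / `platforms. This is about half`), `and 7,5,6, and 7.` at 0:13:15 does not parse, and `Tiger is an old I'm sorry, OSX` at 0:13:33 has lost whatever the speaker corrected. Separately, this file sits under en_US.ISO8859-1/ but uses typographic apostrophes and an en dash (`haven’t`, `they’d`, `– PF, authpf`), which are not representable in ISO 8859-1; either convert them to ASCII `'` and `-` or confirm that the tree is actually meant to hold UTF-8.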
diff --git a/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv b/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv
new file mode 100644
index 0000000000..caa7460c7a
--- /dev/null
+++ b/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv
@@ -0,0 +1,4426 @@
+0:00:05.950,0:00:10.409
+So I’d like to thank Jason for inviting me.
+I have to say I feel
+
+0:00:10.409,0:00:11.909
+woefully unprepared
+
+0:00:11.909,0:00:15.719
+all the stuff I’ve been listening to, you pretty
+much have to be a kernel developer here
+
+0:00:15.719,0:00:18.549
+it's not even enough to be like a normal committer I imagine
+
+0:00:18.549,0:00:21.519
+um you have to have invented something really cool
+
+0:00:21.519,0:00:23.069
+I'm here as a user
+
+0:00:23.069,0:00:27.199
+to try to take the loser off of it
+
+0:00:27.199,0:00:31.260
+I didn’t even boot into the BSD side of my laptop so
+
+0:00:31.260,0:00:34.290
+no rocks thrown up here
+
+0:00:34.290,0:00:36.120
+I wanted to talk about actually
+
+0:00:36.120,0:00:39.820
+how many people here had some kind of security responsibility
+
+0:00:39.820,0:00:41.660
+okay so wow that’s interesting
+
+0:00:41.660,0:00:43.530
+okay so there are a lot of security people here
+
+0:00:43.530,0:00:46.500
+I usually speak to security audiences
+
+0:00:46.500,0:00:47.430
+when I speak in
+
+0:00:47.430,0:00:49.019
+or when I spoke before at
+
+0:00:49.019,0:00:52.340
+BSD conferences it was usually on something
+
+0:00:52.340,0:00:54.490
+something I was doing with BSD
+
+0:00:54.490,0:00:56.409
+for security purposes so I kind of
+
+0:00:56.409,0:00:59.610
+had that same theme for today
+
+0:00:59.610,0:01:01.350
+so what we’ll talk about
+
+0:01:01.350,0:01:03.610
+just so you know I am I worked in a variety
+of
+
+0:01:03.610,0:01:06.560
+I was in the military where I learned all this stuff
+
+0:01:06.560,0:01:10.050
+I work in commercial industry defense contractors
+
+0:01:10.050,0:01:12.490
+I worked for a small start up
+
+0:01:12.490,0:01:14.550
+out of Connecticut
+
+0:01:14.550,0:01:17.240
+you might have heard of us
+
+0:01:17.240,0:01:22.110
+we’ve lost like three hundred billion in market cap over
+the last year it’s been an exciting ride
+
+0:01:22.110,0:01:25.230
+the ads general electric we get three hundred thousand users
+
+0:01:25.230,0:01:28.360
+um just a few security issues as you might
+imagine
+
+0:01:28.360,0:01:30.590
+company that size
+
+0:01:30.590,0:01:31.689
+but what I’m going to talk about
+
+0:01:31.689,0:01:34.040
+uh first of all I’ll just do sort of a
+
+0:01:34.040,0:01:36.149
+intro of how I think about security
+
+0:01:36.149,0:01:40.470
+and why it drived me down the road of having
+devices that I’ll talk about
+
+0:01:40.470,0:01:42.280
+and I’ll
+
+0:01:42.280,0:01:45.970
+I’m open to any questions it’s funny I was actually sitting
+in front of a couple of guys who were asking me
+
+0:01:45.970,0:01:47.330
+we were talking about
+
+0:01:47.330,0:01:50.200
+that some of the software I’ll talk about he didn’t even
+realize it was me
+
+0:01:50.200,0:01:51.120
+sitting at front
+
+0:01:51.120,0:01:53.039
+so if any point you have questions about
+
+0:01:53.039,0:01:54.940
+how we do things why we do things
+
+0:01:54.940,0:01:56.320
+please let me know
+
+0:01:56.320,0:01:59.179
+what I’m going to describe isn’t exactly what I do
+with general electric
+
+0:01:59.179,0:02:02.390
+or at least it's not officially what I do at general
+electric
+
+0:02:02.390,0:02:06.950
+but you can imagine that I just don’t come up with
+this stuff in a vacuum and then present it obviously
+
+0:02:06.950,0:02:07.559
+it's
+
+0:02:07.559,0:02:12.199
+based on what I think works in various environments
+
+0:02:12.199,0:02:15.979
+so my job title is director of incident response
+
+0:02:15.979,0:02:19.930
+and what I tell people that they usually think of
+oil spills or
+
+0:02:19.930,0:02:24.479
+you know Hazmat or something like that
+its information security incidents
+
+0:02:24.479,0:02:28.349
+and I like to say that I’m as close to the problem
+as you possibly could be
+
+0:02:28.349,0:02:30.639
+right and we have project managers who are
+
+0:02:30.639,0:02:32.890
+trying to create risk equations
+
+0:02:32.890,0:02:37.230
+they're trying to figure out if I tweak this
+knob it’ll result in more risk or less risk
+
+0:02:37.230,0:02:38.889
+I think that’s a whole bunch of
+
+0:02:38.889,0:02:40.069
+crap for the most part
+
+0:02:40.069,0:02:41.209
+%um
+
+0:02:41.209,0:02:46.189
+I deal with all the failures so I
+deal with failure all around
+
+0:02:46.189,0:02:47.689
+I like to say that this
+
+0:02:47.689,0:02:51.709
+theory out there but the reality is when
+okay you've got
+
+0:02:51.709,0:02:57.999
+dozens or hundreds or thousands of systems
+that are compromised what do you do about that
+
+0:02:57.999,0:03:02.560
+so in some ways you might say that's actually
+the worst possible place to do security is after it’s
+
+0:03:02.560,0:03:03.380
+failed but
+
+0:03:03.380,0:03:09.889
+in other ways maybe it's the best place because
+you can see what's wrong and you can try to fix it
+
+0:03:09.889,0:03:14.539
+well you have to say what is security and I went
+to the doctor one day and the doctor asked me questions
+
+0:03:14.539,0:03:15.469
+like well how do you feel
+
+0:03:15.469,0:03:17.629
+do you feel healthy
+
+0:03:17.629,0:03:19.190
+that's kind of like do you feel secure
+
+0:03:19.190,0:03:23.699
+so what is that even mean right I mean
+if you think about health well you might say
+
+0:03:23.699,0:03:25.719
+how’s your blood pressure
+
+0:03:25.719,0:03:27.940
+well it’s under one hundred and twenty over eighty
+
+0:03:27.940,0:03:29.659
+that's sort of one data point
+
+0:03:29.659,0:03:33.119
+what about your cholesterol body mass index and so forth
+
+0:03:33.119,0:03:34.999
+the idea is that you have to measure something
+
+0:03:34.999,0:03:37.039
+and you have to get your data from somewhere
+
+0:03:37.039,0:03:40.040
+and what I find is that a lot of people who make
+security decisions
+
+0:03:40.040,0:03:42.089
+are not getting data from anywhere
+
+0:03:42.089,0:03:43.559
+In fact
+
+0:03:43.559,0:03:45.450
+a lot of very high level security people
+
+0:03:45.450,0:03:48.560
+are getting data on the golf course when they're
+talking to their fellow
+
+0:03:48.560,0:03:49.819
+CSIO’s about
+
+0:03:49.819,0:03:52.669
+hey what product are you buying from Cisco or this and that
+
+0:03:52.669,0:03:54.969
+and it’s completely disconnected from reality
+
+0:03:54.969,0:03:59.029
+and as a result nobody can tell whether they’re spending
+any money on security that makes a difference
+
+0:03:59.029,0:04:00.339
+%um or how to get
+
+0:04:00.339,0:04:05.029
+how to get better
+
+0:04:05.029,0:04:08.849
+so like how many people here are sort of like involved in
+federal security with like FISMA and stuff
+
+0:04:08.849,0:04:11.559
+like that that right
+
+0:04:11.559,0:04:12.510
+so I find all that to be the most frustrating thing possible
+
+0:04:12.510,0:04:15.409
+I don't deal with that because I’m in private industry
+
+0:04:15.409,0:04:18.889
+but I've commented on it quite a bit because I
+have a blog
+
+0:04:18.889,0:04:22.469
+and I like to complain
+
+0:04:22.469,0:04:24.839
+so my feeling is that the FISMA folks
+
+0:04:24.839,0:04:27.910
+not be implement but the people who wrote the legislation
+they tended
+
+0:04:27.910,0:04:29.889
+to focus on things like imput metrics
+
+0:04:29.889,0:04:30.930
+like do you have AV
+
+0:04:30.930,0:04:32.039
+do you have your patches
+
+0:04:32.039,0:04:34.499
+is the box configured properly
+
+0:04:34.499,0:04:35.889
+all those things of that nature
+
+0:04:35.889,0:04:39.610
+I call all those input metrics they really make no difference
+as far as I'm concerned if you're truly trying to figure
+
+0:04:39.610,0:04:41.039
+out what the problem is
+
+0:04:41.039,0:04:42.510
+it's kind of like looking at a
+
+0:04:42.510,0:04:45.759
+sports teams let’s say an American football team
+
+0:04:45.759,0:04:47.240
+and you say well
+
+0:04:47.240,0:04:50.069
+input metrics would be like how tall are all the players
+
+0:04:50.069,0:04:51.939
+how fast do they run the forty
+
+0:04:51.939,0:04:53.330
+where did they go to school
+
+0:04:53.330,0:04:54.650
+you could look at all those things
+
+0:04:54.650,0:04:56.100
+but does that tell you what their
+
+0:04:56.100,0:04:58.549
+what their record was over the season
+
+0:04:58.549,0:05:01.250
+did they win the Super Bowl did they win their elite
+championship
+
+0:05:01.250,0:05:03.669
+no those are those are all inputs right
+
+0:05:03.669,0:05:05.689
+I care about ouputs like
+
+0:05:05.689,0:05:08.810
+is this box is this box part of a bot net
+
+0:05:08.810,0:05:10.219
+no it’s not really Windows
+
+0:05:10.219,0:05:12.560
+%um
+
+0:05:12.560,0:05:13.900
+I could boot it into Windows but
+
+0:05:13.900,0:05:16.559
+I prefer to stay out of the bot net
+
+0:05:16.559,0:05:18.259
+did you
+
+0:05:18.259,0:05:22.669
+have an earnings report appear on the network share or
+on a peer-to-peer network somewhere
+
+0:05:22.669,0:05:25.949
+that's that's an ouput that means you had a failure somewhere
+
+0:05:25.949,0:05:28.069
+do you have a system or network that’s unavailable
+
+0:05:28.069,0:05:29.720
+due to a Ddos attack
+
+0:05:29.720,0:05:31.060
+these are all outputs so
+
+0:05:31.060,0:05:32.710
+I try to focus on these
+
+0:05:32.710,0:05:36.459
+I really don't care so much about that I think
+these can influence these
+
+0:05:36.459,0:05:40.539
+these are the things that I I care about
+
+0:05:40.539,0:05:44.129
+and just to step a
+little bit out and change the way you might think
+
+0:05:44.129,0:05:48.619
+about this there was a good article in The Economist last
+year where they talked about people who are
+
+0:05:48.619,0:05:49.410
+trying to make
+
+0:05:49.410,0:05:50.949
+policy decisions
+
+0:05:50.949,0:05:53.150
+about health policy in Africa
+
+0:05:53.150,0:05:55.500
+and it's a safe thing with security
+
+0:05:55.500,0:05:58.349
+right actually kind of what I like about seeing the
+developers here is that in the last talk there was
+
+0:05:58.349,0:06:01.030
+lots of discussions about
+
+0:06:01.030,0:06:05.289
+you made this change and you get a five percent difference
+or you made this change and you get a ten percent difference
+
+0:06:05.289,0:06:07.019
+none of that happens in security
+
+0:06:07.019,0:06:09.249
+it's all well we’ll deploy this and see what happens
+
+0:06:09.249,0:06:12.129
+actually it’s not even that we’ll deploy this
+
+0:06:12.129,0:06:13.900
+not even let's see what happens
+
+0:06:13.900,0:06:16.000
+there’s not even a test to see if it made any difference
+
+0:06:16.000,0:06:17.230
+so what I try to
+
+0:06:17.230,0:06:18.640
+focus on in my job
+
+0:06:18.640,0:06:20.739
+at GE is
+
+0:06:20.739,0:06:22.489
+let's do some tests like
+
+0:06:22.489,0:06:24.120
+the company is big enough
+
+0:06:24.120,0:06:26.680
+why don't we have part of the company
+
+0:06:26.680,0:06:27.699
+run
+
+0:06:27.699,0:06:29.539
+with no local admin on the desktop
+
+0:06:29.539,0:06:31.309
+and another part
+
+0:06:31.309,0:06:34.060
+continuing to run its local admin I didn’t say that
+out loud sorry
+
+0:06:34.060,0:06:36.139
+and then compare and see what the infection rates are
+
+0:06:36.139,0:06:39.449
+and guess what I bet the ones with local admin
+are going to be a hell of a lot worse
+
+0:06:39.449,0:06:42.199
+and there’s been some recent studies that have
+shown that that's the case
+
+0:06:42.199,0:06:44.780
+so you can run these sort of policy-based trials
+
+0:06:44.780,0:06:46.100
+and figure out what you should do
+
+0:06:46.100,0:06:47.880
+then I can go talk to my boss and be like look
+
+0:06:47.880,0:06:51.900
+this part of the company that runs with local admin
+they’re ten times worse than everybody else
+
+0:06:51.900,0:06:54.849
+and even better I can say it's costing us ten
+times more
+
+0:06:54.849,0:06:56.529
+then we can make a change
+
+0:06:56.529,0:06:57.770
+but in order to do that you have to have
+
+0:06:57.770,0:06:58.740
+some kind of measurements
+
+0:06:58.740,0:07:01.349
+you’re going to have data come from somewhere
+
+0:07:01.349,0:07:04.810
+and I like to say that I call this management
+by fact not by belief
+
+0:07:04.810,0:07:06.479
+the there's a lot like
+
+0:07:06.479,0:07:08.860
+security people are very religious
+
+0:07:08.860,0:07:09.589
+we have this
+
+0:07:09.589,0:07:11.819
+idea of what should be and what shouldn’t be
+
+0:07:11.819,0:07:18.049
+and it's all because we don't think usually
+measure what works which is unfortunate
+
+0:07:18.049,0:07:21.770
+so I’m all about visibility I want to find out what's
+going on
+
+0:07:21.770,0:07:24.939
+and the reason I think about it this way is
+I think in the air force
+
+0:07:24.939,0:07:26.990
+we have this thing called OODA loop
+
+0:07:26.990,0:07:31.849
+and if you’ve ever seen my hands doing this it’s because
+I'm reliving my air force days flying around in my F-16
+
+0:07:31.849,0:07:35.000
+not really I only flew once in the F-16 and
+once in the F-15
+
+0:07:35.000,0:07:35.770
+but
+
+0:07:35.770,0:07:39.219
+when I would talk to the fighter pilots they would talk
+about having this thing the OODA loop
+
+0:07:39.219,0:07:41.400
+and it came out
+
+0:07:41.400,0:07:43.539
+like I’m thinking before the first gulf war
+
+0:07:43.539,0:07:45.270
+and the idea was you’re in your
+
+0:07:45.270,0:07:46.599
+F-16
+
+0:07:46.599,0:07:48.110
+and you want to win the fight so
+
+0:07:48.110,0:07:50.159
+the first thing you do is look out the window
+
+0:07:50.159,0:07:51.389
+you see what's going on
+
+0:07:51.389,0:07:52.999
+that's your observation
+
+0:07:52.999,0:07:57.409
+and then you orient and you figure out well where am
+I in relation to where the bad guys are
+
+0:07:57.409,0:08:02.359
+then you make a decision like okay is there’s a bad guy
+I better roll over and shoot it down
+
+0:08:02.359,0:08:04.269
+and then you take the action
+
+0:08:04.269,0:08:06.009
+the problem we have with security
+
+0:08:06.009,0:08:06.849
+is that
+
+0:08:06.849,0:08:07.930
+there's none of this
+
+0:08:07.930,0:08:09.269
+there’s no observe and orient
+
+0:08:09.269,0:08:11.749
+there’s only decide and act
+
+0:08:11.749,0:08:13.549
+so we have no idea what's happening
+
+0:08:13.549,0:08:16.030
+but we're told that to do things so we buy stuff
+
+0:08:16.030,0:08:16.930
+we deploy it
+
+0:08:16.930,0:08:18.699
+and we just keep doing that over and over again
+
+0:08:18.699,0:08:22.679
+and we never figure out if it makes any difference
+
+0:08:22.679,0:08:24.219
+the unfortunate thing is if you do
+
+0:08:24.219,0:08:27.599
+stumble upon something that works it's
+usually luck
+
+0:08:27.599,0:08:29.809
+%uh as opposed to
+
+0:08:31.029,0:08:37.780
+figuring it out by observation and orientation
+what you should be doing
+
+0:08:37.780,0:08:41.870
+so this is probably my favorite description
+
+0:08:41.870,0:08:45.120
+of security period
+
+0:08:45.120,0:08:49.830
+my aplogies to my European friends this
+is the football poll security
+
+0:08:49.830,0:08:54.710
+but this is what I believe that I've seen
+this just for years and years and years
+
+0:08:54.710,0:08:56.919
+the idea is you’re told
+
+0:08:56.919,0:08:58.750
+or you read in a magazine
+
+0:08:58.750,0:09:00.660
+or you talk to your buddy
+
+0:09:00.660,0:09:02.180
+about something bad
+
+0:09:02.180,0:09:06.090
+and you assume that that bad thing that's
+happening it must be happening at your location
+
+0:09:06.090,0:09:06.540
+too
+
+0:09:06.540,0:09:09.190
+and sometimes it is but sometimes it isn’t
+
+0:09:09.190,0:09:12.330
+and so you run around and you spend all this time
+on one area
+
+0:09:12.330,0:09:15.680
+while meanwhile you could be completely all about
+something different
+
+0:09:15.680,0:09:19.650
+and I first started thinking about this in 2000 2001
+
+0:09:19.650,0:09:21.800
+where there were some guys in Finland
+
+0:09:21.800,0:09:27.060
+who did this huge innumeration they were doing some of the
+first fuzzing work against SMTP
+
+0:09:27.060,0:09:27.849
+it was called the
+
+0:09:27.849,0:09:29.000
+protos toolkit
+
+0:09:29.000,0:09:32.140
+and they did all this work in and they found that
+basically everybody's SMTP
+
+0:09:32.140,0:09:33.970
+implementation was really bad
+
+0:09:33.970,0:09:35.640
+and they were all vulnerable
+
+0:09:35.640,0:09:37.430
+and the whole world was going to end because
+
+0:09:37.430,0:09:40.610
+SMTP vulnerabilities existed everywhere
+
+0:09:40.610,0:09:43.769
+well I don’t know if everybody was around back then
+so they're looking at these things
+
+0:09:43.769,0:09:45.470
+but did the world end in 2001
+
+0:09:45.470,0:09:47.690
+with SMTP
+
+0:09:47.690,0:09:48.940
+absolutely not
+
+0:09:48.940,0:09:51.259
+so while a lot of effort was spent on
+
+0:09:51.259,0:09:54.350
+spending all this time fixing SMTP implementations
+
+0:09:54.350,0:09:55.750
+when the bad guys really weren’t
+
+0:09:55.750,0:09:57.240
+taking advantage of it
+
+0:09:57.240,0:10:00.740
+so this is what I feel like is happening with
+security now we're told about
+
+0:10:00.740,0:10:03.340
+this is the one that really kills me is
+
+0:10:03.340,0:10:04.769
+insider threats
+
+0:10:04.769,0:10:05.819
+oh they’re insider threats they're so bad
+
+0:10:05.819,0:10:08.890
+this in that and so you spend all your time over
+here and you’re like
+
+0:10:08.890,0:10:13.750
+paying attention to your own employees you’re violating
+their rights and their privacy
+
+0:10:13.750,0:10:15.100
+and meanwhie you got like
+
+0:10:15.100,0:10:16.899
+Romanians and Russians and Chinese and
+
+0:10:16.899,0:10:17.829
+every other
+
+0:10:17.829,0:10:20.380
+hacker in the world inside your company
+
+0:10:20.380,0:10:21.980
+that you can't do anything about
+
+0:10:21.980,0:10:25.590
+unless you know unless you actually do something
+
+0:10:25.590,0:10:28.030
+so my goal is to
+
+0:10:28.030,0:10:30.819
+get it so this guy he's looking at the right
+spot
+
+0:10:30.819,0:10:33.040
+so at least he has a chance
+
+0:10:33.040,0:10:36.010
+right he doesn’t even have a chance if he’s looking
+over there at least if you can sort of
+
+0:10:36.010,0:10:38.279
+orient and say okay well here’s this threat
+
+0:10:38.279,0:10:40.210
+here's what I need to do about it
+
+0:10:40.210,0:10:42.430
+you have a chance you still might get scored on right
+
+0:10:42.430,0:10:43.830
+but at least you can say
+
+0:10:43.830,0:10:47.330
+I had a fighting chance many organizations
+when I was a consultant
+
+0:10:47.330,0:10:48.619
+I would drop into
+
+0:10:48.619,0:10:51.690
+and they didn't even have a fighting chance
+there was just no
+
+0:10:51.690,0:10:56.310
+I would call them you know indefensible networks
+
+0:10:56.310,0:11:01.160
+to use a Cisco term I would call them self-defeating networks
+
+0:11:01.160,0:11:06.490
+self-defending anyway
+
+0:11:06.490,0:11:12.610
+yeah
+
+0:11:12.610,0:11:16.890
+the network part of ours sure
+
+0:11:16.890,0:11:19.110
+so yeah isn’t it interesting the self-defending network what
+does that imply zero head count
+
+0:11:19.110,0:11:21.089
+that is the truth behind Cisco's vision
+
+0:11:21.089,0:11:23.370
+and think about it they sell it to every CIO
+
+0:11:23.370,0:11:25.080
+the CIO is like yeah
+
+0:11:25.080,0:11:27.970
+the network takes care of itself
+
+0:11:27.970,0:11:31.990
+oh yeah that means you you you you bye bye
+
+0:11:31.990,0:11:33.890
+and that's sort of the model that
+
+0:11:33.890,0:11:34.980
+I mean think about it
+
+0:11:34.980,0:11:37.140
+what business owner with would
+
+0:11:37.140,0:11:39.720
+not want to operate zero staff
+
+0:11:39.720,0:11:41.290
+if you could still make money
+
+0:11:41.290,0:11:43.050
+and no people
+
+0:11:43.050,0:11:43.930
+oh that's great
+
+0:11:43.930,0:11:49.920
+maybe you just have robots or something right don't they
+don’t complain
+
+0:11:49.920,0:11:50.850
+So anwyay wow
+
+0:11:50.850,0:11:51.909
+that came out of nowhere
+
+0:11:51.909,0:11:53.300
+but %uh
+
+0:11:53.300,0:11:56.449
+that's what I see with a lot of things is a %uh
+
+0:11:56.449,0:11:58.980
+presumption that you just buy products right you
+don't actually
+
+0:11:58.980,0:12:00.960
+invest in people so
+
+0:12:00.960,0:12:03.049
+back to this whole idea of visibility the question is
+
+0:12:03.049,0:12:04.089
+well where should you try to get visibility
+
+0:12:05.259,0:12:07.750
+and I’ll talk about what kind of visibility
+
+0:12:07.750,0:12:11.680
+well the model that I use is to establish trust
+boundaries first and what’s interesting about
+
+0:12:11.680,0:12:13.160
+using a trust boundary approach is
+
+0:12:13.160,0:12:14.420
+it can apply anywhere
+
+0:12:14.420,0:12:16.910
+I use a network example here because
+
+0:12:16.910,0:12:19.170
+it's a low-cost way to do it
+
+0:12:19.170,0:12:21.220
+but you can apply trust boundaries
+
+0:12:21.220,0:12:22.790
+on a system
+
+0:12:22.790,0:12:24.010
+within an application
+
+0:12:24.010,0:12:26.400
+I mean there’s lots of different places that you can apply
+trust boundaries
+
+0:12:26.400,0:12:28.849
+the idea is though once you establish trust boundaries
+
+0:12:28.849,0:12:29.829
+start watching
+
+0:12:29.829,0:12:31.150
+something there
+
+0:12:31.150,0:12:33.010
+so I’m going to use a network example but you could
+
+0:12:33.010,0:12:35.540
+you know apply it someplace else
+
+0:12:35.540,0:12:37.050
+so what I do is I
+
+0:12:37.050,0:12:39.600
+the general process is I identify my trust boundaries
+
+0:12:39.600,0:12:41.280
+I apply some instrumentation
+
+0:12:41.280,0:12:43.620
+and then I collect analyse and escalate
+
+0:12:43.620,0:12:46.000
+%uh collect meaning I get the information
+
+0:12:46.000,0:12:48.420
+analyse I look at it figure out what it means
+
+0:12:48.420,0:12:48.889
+escalate
+
+0:12:48.889,0:12:53.920
+is take it to somebody who cares
+
+0:12:53.920,0:12:57.420
+surprisingly difficult to find those people
+in many
+
+0:12:57.420,0:12:57.980
+enterprises
+
+0:12:57.980,0:13:00.020
+I came from the DOD where
+
+0:13:00.020,0:13:02.649
+if we found a single machine that was compromised
+
+0:13:02.649,0:13:03.730
+that was an incident
+
+0:13:03.730,0:13:05.889
+and it could be reported all the way up to some
+general
+
+0:13:05.889,0:13:07.339
+who would be on the phone
+
+0:13:07.339,0:13:10.580
+like barking orders that you need to fix this
+within
+
+0:13:10.580,0:13:12.440
+hours or days or whatever it was
+
+0:13:12.440,0:13:14.250
+to private industry
+
+0:13:14.250,0:13:15.100
+where
+
+0:13:15.100,0:13:17.660
+you finding a compromise computer
+
+0:13:17.660,0:13:22.200
+and the response could be
+
+0:13:22.200,0:13:23.370
+eh what can they do
+
+0:13:23.370,0:13:26.790
+well they can access any machine that’s in this domain
+
+0:13:26.790,0:13:28.220
+well have they
+
+0:13:28.220,0:13:33.670
+%uh because I just got here I can't tell yet
+
+0:13:33.670,0:13:35.949
+I really don't know if we have to care about
+this right
+
+0:13:35.949,0:13:39.520
+the only thing that’s changed that recently has been the
+disclosure laws
+
+0:13:39.520,0:13:44.180
+because there are some disclosure laws that say if
+it's possible that they could have stolen the data
+
+0:13:44.180,0:13:45.300
+you need to report
+
+0:13:45.300,0:13:47.570
+so that's changed the equation
+
+0:13:47.570,0:13:48.140
+dramatically
+
+0:13:48.140,0:13:52.940
+right it used to be in fact I worked some big
+cases years ago where it was like
+
+0:13:52.940,0:13:56.940
+well you guys signed an NDA with us right yeah we
+did
+
+0:13:56.940,0:13:58.120
+right well just bye bye
+
+0:13:58.120,0:13:59.860
+see you later
+
+0:13:59.860,0:14:02.270
+okay great alright well I’m glad I’m not a customer
+
+0:14:02.270,0:14:08.190
+at this place
+
+0:14:08.190,0:14:12.019
+I didn’t responded there I bank with Bank of America and the
+reason I bank with Bank of America
+
+0:14:12.019,0:14:13.980
+is I know the guy who runs security there
+
+0:14:13.980,0:14:16.100
+and he does this
+
+0:14:16.100,0:14:17.340
+so of course
+
+0:14:17.340,0:14:18.640
+I still think he has a job
+
+0:14:18.640,0:14:19.739
+now that I think about it
+
+0:14:19.739,0:14:21.390
+has he been replaced by a robot
+
+0:14:22.410,0:14:24.490
+no he hasn’t been replaced by a robot
+
+0:14:24.490,0:14:26.810
+maybe his minions have been replaced by
+
+0:14:26.810,0:14:28.590
+Perl strips but
+
+0:14:28.590,0:14:32.010
+he’s still there
+
+0:14:32.010,0:14:34.010
+so this is my general process
+
+0:14:35.130,0:14:38.570
+and it’s funny people have probably heard about building security in
+
+0:14:38.570,0:14:42.620
+that's like trying to make things more secure
+have been trying to do that for like twenty years
+
+0:14:42.620,0:14:44.240
+it just doesn't work
+
+0:14:44.240,0:14:48.910
+so I would say let’s monitor first because at least when you monitor you can tell that something bad is happening
+
+0:14:48.910,0:14:52.000
+if you just say build security in and walk away
+
+0:14:52.000,0:14:52.730
+then you’re in trouble
+
+0:14:52.730,0:14:56.250
+what I find is that in any product you have
+this cycle
+
+0:14:56.250,0:14:59.020
+where you start out with a feature
+
+0:14:59.020,0:15:03.140
+and then the features proliferate and you need to manage them
+
+0:15:03.140,0:15:06.689
+and then somebody’s like oh yeah we need to apply
+some security to that
+
+0:15:06.689,0:15:10.150
+and then finally check to see if it works when really
+it should be the other way
+
+0:15:10.150,0:15:11.500
+figure out what’s out there
+
+0:15:11.500,0:15:13.230
+build a security policy for it
+
+0:15:13.230,0:15:14.080
+manage it
+
+0:15:14.080,0:15:19.330
+and then introduce the feature but that's
+not how it’s done
+
+0:15:19.330,0:15:23.340
+I wanted to mention here some I just want
+to put this on the table before I go into my
+
+0:15:23.340,0:15:24.970
+next part because these are they
+
+0:15:24.970,0:15:26.800
+%uh criticisms I usually hear
+
+0:15:26.800,0:15:31.220
+so let's just mention them now so if I’m taking some kind of
+a network-centric approach to
+
+0:15:31.220,0:15:32.460
+security
+
+0:15:32.460,0:15:35.090
+the first thing we’re always told is well what about the
+cloud
+
+0:15:35.090,0:15:39.440
+and this is very interesting %uh I work really
+closely with the guy does the cloudsecurity.org
+
+0:15:39.440,0:15:40.870
+blog
+
+0:15:40.870,0:15:44.800
+and %uh he's he's a fellow employee with
+me is that we always considering this because
+
+0:15:44.800,0:15:45.380
+we’re
+
+0:15:45.380,0:15:48.260
+putting more and more of our stuff in the cloud
+
+0:15:48.260,0:15:49.140
+and if your
+
+0:15:49.140,0:15:50.630
+window to the cloud
+
+0:15:50.630,0:15:53.530
+is an SSL encrypted pipe
+
+0:15:53.530,0:15:58.430
+%um it doesn't help me too much to inpsect it at the
+network level right
+
+0:15:58.430,0:16:00.129
+so we're going to have to push our cloud vendors
+
+0:16:00.129,0:16:02.769
+to provide the visibility for us
+
+0:16:02.769,0:16:04.650
+oh boy that’s really happening
+
+0:16:04.650,0:16:10.110
+try getting good logs out of any of the cloud buyers
+it is absolutely horrible they they don't
+
+0:16:10.110,0:16:14.150
+they don't want to store them they don't want
+to provide you the data in any format that’s useful
+
+0:16:14.150,0:16:17.710
+if they provide you with anything it's generally
+performance metrics like
+
+0:16:17.710,0:16:20.580
+we cleaned ten billion of your emails today
+
+0:16:20.580,0:16:23.159
+oh that’s wonderful that’s great you know I don’t care
+
+0:16:23.159,0:16:24.660
+I don’t care how many emails you cleaned
+
+0:16:24.660,0:16:26.660
+I want to know about
+
+0:16:26.660,0:16:28.660
+which ones came from this
+
+0:16:28.660,0:16:30.650
+%uh a person who
+
+0:16:30.650,0:16:32.519
+was phishing us
+
+0:16:32.519,0:16:36.600
+and you know got control of some of our systems and
+so forth
+
+0:16:36.600,0:16:38.400
+virtualisation is obviously an issue
+
+0:16:38.400,0:16:40.100
+%um if you think about
+
+0:16:40.100,0:16:42.290
+in a one-machine
+
+0:16:42.290,0:16:43.230
+one
+
+0:16:43.230,0:16:44.460
+platform world
+
+0:16:44.460,0:16:47.260
+any time two machines talk you can potentially see the
+traffic
+
+0:16:47.260,0:16:50.370
+what happens when you have a hundred machines all on one
+platform
+
+0:16:50.370,0:16:54.350
+unless you instrument the virtual machine
+itself
+
+0:16:54.350,0:16:57.539
+you know one hundred machines could all be infected an
+talking to each other and stuff but
+
+0:16:57.539,0:16:59.219
+the way I deal with that is
+
+0:16:59.219,0:17:01.649
+unless the bad guy is also inside the VM
+
+0:17:01.649,0:17:03.370
+like he lives in it
+
+0:17:03.370,0:17:07.810
+you can see him because generally the people
+you care about are on another continent
+
+0:17:07.810,0:17:08.590
+so
+
+0:17:08.590,0:17:09.490
+I mean it could be
+
+0:17:09.490,0:17:11.390
+somewhere else in the united states obviously but for
+
+0:17:11.390,0:17:14.449
+the most part like if someone were to compromise
+my machine
+
+0:17:14.449,0:17:16.439
+unless they physically walk up to it and touch it
+
+0:17:16.439,0:17:19.040
+there will be some network traffic that reaches out
+
+0:17:19.040,0:17:19.959
+and generally that’s enough
+
+0:17:19.959,0:17:22.339
+to tell that there’s a problem
+
+0:17:22.339,0:17:28.080
+so maybe the fastest way to tell if there’s a
+kernel rootkit on a system
+
+0:17:28.080,0:17:29.720
+it’s for the system to look normal
+
+0:17:29.720,0:17:32.380
+but to have it to be beaconing out to
+
+0:17:32.380,0:17:34.160
+you know take your pick of rogue country
+
+0:17:34.160,0:17:37.560
+so that that's a very effective way to
+use to find stuff
+
+0:17:37.560,0:17:41.020
+And of course you’ve got your non-traditional
+platforms
+
+0:17:41.020,0:17:43.580
+you know I’ve got my Blackberry here I absolutely love it
+
+0:17:43.580,0:17:46.910
+but I would love to be able sniff the traffic
+going to and from it
+
+0:17:46.910,0:17:47.270
+because
+
+0:17:47.270,0:17:50.690
+who knows who’s sitting on my Blackberry right now
+
+0:17:50.690,0:17:51.650
+I really don't know
+
+0:17:51.650,0:17:52.550
+and that kills me
+
+0:17:52.550,0:17:53.889
+it kills me kills me kills me
+
+0:17:53.889,0:17:55.090
+that I cannot
+
+0:17:55.090,0:17:57.809
+find an interface sniff traffic on it and see
+what's happening
+
+0:17:57.809,0:18:00.080
+or somehow get between the wireless
+
+0:18:00.080,0:18:03.670
+watch the traffic and see what's happening
+
+0:18:03.670,0:18:06.110
+so that to me it's a big issue
+
+0:18:06.110,0:18:08.399
+and we’ve got all these crazy European privacy laws
+
+0:18:08.399,0:18:11.690
+I can’t collect anything in that whole continent
+
+0:18:11.690,0:18:13.690
+not true it kills me though it's kind of difficult
+
+0:18:13.690,0:18:15.830
+%um you’ve got this tension between
+
+0:18:15.830,0:18:20.570
+%uh it's interesting Europeans tend to have very
+strong collection laws like you have to keep logs for a
+
+0:18:20.570,0:18:22.380
+certain period of time
+
+0:18:22.380,0:18:24.830
+but at the same time they have very strong privacy laws
+
+0:18:24.830,0:18:27.760
+so this is a tension there
+
+0:18:27.760,0:18:29.870
+skilled resources I don't know about you but
+it
+
+0:18:29.870,0:18:33.410
+even with the downturn it's tough to find
+good security people I think
+
+0:18:33.410,0:18:36.540
+there's a lot of people who come out with
+their Cisco certified
+
+0:18:36.540,0:18:37.410
+whatever
+
+0:18:37.410,0:18:39.330
+and they don't know the first thing about
+
+0:18:39.330,0:18:42.420
+how to actually secure anything which is tough
+
+0:18:42.420,0:18:46.270
+and then finally we see this quite often in software
+
+0:18:46.270,0:18:47.149
+security space
+
+0:18:47.149,0:18:49.820
+a lot of the tools that are out there were
+built for
+
+0:18:49.820,0:18:50.370
+developers
+
+0:18:50.370,0:18:52.850
+and for performance and not for security
+
+0:18:52.850,0:18:54.470
+So you see people using tools
+
+0:18:54.470,0:19:00.280
+to disassemble malware that were built
+for reverse engineering for software purposes
+
+0:19:00.280,0:19:04.150
+and not for security purposes
+
+0:19:04.150,0:19:05.960
+anyway so what I’m going to talk about briefly
+
+0:19:05.960,0:19:06.980
+is not new
+
+0:19:06.980,0:19:08.840
+I was actually cleaning out
+
+0:19:08.840,0:19:11.240
+an old drive and I found this presentation
+
+0:19:11.240,0:19:13.120
+from 2000
+
+0:19:13.120,0:19:16.150
+I used to give this briefing when I was in
+
+0:19:16.150,0:19:18.250
+the air force cert
+
+0:19:18.250,0:19:20.510
+and we would talk about the history of our
+unit
+
+0:19:20.510,0:19:22.520
+and back in 1993
+
+0:19:22.520,0:19:25.910
+we were deploying what we call network security
+monitoring systems
+
+0:19:25.910,0:19:26.720
+and
+
+0:19:26.720,0:19:28.810
+the NSN term
+
+0:19:28.810,0:19:29.309
+comes from
+
+0:19:29.309,0:19:33.490
+the first network based IDS that taught
+
+0:19:33.490,0:19:35.400
+he wrote it in UC Davis in ‘89
+
+0:19:35.400,0:19:39.520
+so this is wow that’s twenty years I feel
+freaking old right now
+
+0:19:39.520,0:19:39.979
+it’s amazing
+
+0:19:39.979,0:19:40.820
+so
+
+0:19:40.820,0:19:44.170
+so this is not a new thing and I wrote a book about this
+in 2004 so
+
+0:19:44.170,0:19:45.230
+that's five years
+
+0:19:45.230,0:19:46.540
+ago now so
+
+0:19:46.540,0:19:50.470
+this is not new the funny thing is vendors
+is finally start to catch up with it
+
+0:19:50.470,0:19:56.750
+and they call them network forensic appliances
+and they charge you fifty thousand dollars
+
+0:19:56.750,0:20:02.110
+for the enterprise that’s right
+
+0:20:02.110,0:20:04.870
+yeah enterprise means expensive
+
+0:20:04.870,0:20:06.260
+I like that
+
+0:20:06.260,0:20:07.480
+that’s good
+
+0:20:07.480,0:20:09.100
+and GUI that's right
+
+0:20:09.100,0:20:13.610
+and somebody you can complain to who can’t really answer
+your problems
+
+0:20:13.610,0:20:17.320
+alright so I present this because I don’t want to take credit
+for this approach
+
+0:20:18.649,0:20:19.789
+because
+
+0:20:19.789,0:20:22.590
+people we were doing this I came in around here
+
+0:20:22.590,0:20:24.210
+but we were doing this earlier
+
+0:20:24.210,0:20:27.480
+so I learned from people who invented this stuff
+
+0:20:27.480,0:20:30.779
+you know wow that's like fifteen years ago
+
+0:20:30.779,0:20:35.279
+alright so why network censors
+
+0:20:35.279,0:20:40.080
+I have to say some of the artwork I saw in these
+presentations were so awesome I feel that mine’s
+
+0:20:40.080,0:20:40.800
+terrible I mean it was
+
+0:20:40.800,0:20:45.840
+the lego stuff that was great I need to do like a
+little lego pyramid
+
+0:20:45.840,0:20:48.000
+I really like that but this is different
+
+0:20:50.210,0:20:55.030
+I wondered where you got your bricks from I have to like
+raid my kids lego
+
+0:21:05.990,0:21:07.820
+that is funny that is good though I’m a visual
+
+0:21:07.820,0:21:13.250
+I was right in there with the bricks
+
+0:21:13.250,0:21:14.179
+so
+
+0:21:14.179,0:21:19.730
+I call this my top security enterprise trust pyramid
+
+0:21:19.730,0:21:24.180
+I ripped this out of something I used to do when
+I was a consultant
+
+0:21:24.180,0:21:26.990
+and basically it’s a justification for why it’s good to have
+network censors and the idea is this
+
+0:21:26.990,0:21:28.980
+this is the least trusted part and this is the most trusted
+
+0:21:31.419,0:21:34.279
+that's low user interaction and this is high user interaction
+
+0:21:34.279,0:21:36.769
+and this also in terms of the numbers of devices
+
+0:21:36.769,0:21:39.059
+so in an enterprise you tend to have the most
+
+0:21:39.059,0:21:40.630
+user platforms
+
+0:21:40.630,0:21:43.840
+desktops laptops phones all that kind of stuff
+
+0:21:43.840,0:21:45.980
+above that you have servers
+
+0:21:45.980,0:21:47.550
+above that you have infrastructure
+
+0:21:47.550,0:21:53.920
+%um routers firewalls things like that and above
+that you have censors
+
+0:21:53.920,0:21:55.550
+so I trust these the least
+
+0:21:55.550,0:21:56.350
+because
+
+0:21:56.350,0:21:57.920
+well because there are these
+
+0:21:57.920,0:21:59.390
+users
+
+0:21:59.390,0:22:01.800
+right and users are doing things like
+
+0:22:01.800,0:22:03.440
+interacting with the system
+
+0:22:03.440,0:22:06.229
+if they didn’t interact with the system I would
+probably trust it more
+
+0:22:06.229,0:22:08.090
+but because they’re on the system
+
+0:22:08.090,0:22:09.950
+they could be running as an admin
+
+0:22:09.950,0:22:11.850
+they're going to all these
+
+0:22:11.850,0:22:13.620
+you know malicious web sites
+
+0:22:13.620,0:22:15.770
+even normal web sites
+
+0:22:15.770,0:22:18.940
+that have been owned or are injecting malicious job descripts
+or whatever
+
+0:22:18.940,0:22:21.430
+so the more user interaction there is
+
+0:22:21.430,0:22:24.889
+the less likely I’m going to trust what
+the system tells me
+
+0:22:24.889,0:22:26.600
+so why get on a system and I say
+
+0:22:26.600,0:22:29.680
+tell me how you're feeling you know what your
+state
+
+0:22:29.680,0:22:34.190
+I'm not going to trust that system eighty
+is generally worthless
+
+0:22:34.190,0:22:36.960
+you have to get outside of the this is
+the key point
+
+0:22:36.960,0:22:41.070
+you have to get away from these things you
+have to get outside the system to get of you
+
+0:22:41.070,0:22:41.970
+whether or not
+
+0:22:41.970,0:22:43.520
+you should trust it
+
+0:22:43.520,0:22:44.750
+but that's not the case right
+
+0:22:44.750,0:22:49.260
+we're moving more and more to pushing all the security
+down to the end point
+
+0:22:49.260,0:22:50.560
+so like my laptop defends itself
+
+0:22:50.560,0:22:52.380
+my phone defends itself
+
+0:22:52.380,0:22:53.869
+guess what if they fail
+
+0:22:53.869,0:22:56.950
+the whole model fails as well
+
+0:22:56.950,0:23:00.110
+so above this we have servers I
+trust servers a little bit more
+
+0:23:00.110,0:23:01.710
+because if you're a good admin
+
+0:23:01.710,0:23:03.019
+you're not surfing
+
+0:23:03.019,0:23:06.370
+MySpace on your Windows server
+
+0:23:06.370,0:23:08.070
+right well you’re not on a Windows server
+
+0:23:08.070,0:23:13.590
+but well you can admin on a Windows server
+but you know what I mean
+
+0:23:13.590,0:23:16.710
+well because I think that's right that's true
+
+0:23:16.710,0:23:18.960
+above that you have infrastructure
+
+0:23:18.960,0:23:20.140
+no one should be
+
+0:23:20.140,0:23:21.530
+in general
+
+0:23:21.530,0:23:24.050
+like no user is directly
+
+0:23:24.050,0:23:25.450
+dealing with a firewall
+
+0:23:25.450,0:23:27.309
+if a user is logging into a firewall
+
+0:23:27.309,0:23:28.980
+there’s a problem right
+
+0:23:28.980,0:23:32.080
+a user doesn't necessarily log into a server but he uses
+services on the server right
+
+0:23:32.080,0:23:34.840
+so I tend to trust this even more
+
+0:23:34.840,0:23:38.330
+because you just can't touch them
+
+0:23:38.330,0:23:43.230
+the number of people who deal with the infrastructure in
+general is smaller than the number of people who deal
+with servers
+
+0:23:43.230,0:23:46.150
+and in many cases the infrastructure is completely
+
+0:23:46.150,0:23:48.630
+you know invisible
+
+0:23:48.630,0:23:52.890
+alright how many people like interact with a router when
+you're sending traffic through
+
+0:23:52.890,0:23:54.970
+no you know it passes traffic
+
+0:23:54.970,0:23:57.520
+same with the firewall blocks it allows it whatever
+
+0:23:57.520,0:23:58.649
+so I tend to trust
+
+0:23:58.649,0:24:01.600
+what this will tell me even more because there's
+less user action
+
+0:24:01.600,0:24:03.690
+the final stage here is my sensor
+
+0:24:03.690,0:24:06.390
+the sensors completely pass it
+
+0:24:06.390,0:24:09.210
+most of the people in the company might not even know it
+exists
+
+0:24:09.210,0:24:11.139
+which is which is good in most cases
+
+0:24:11.139,0:24:14.760
+unless you want a deterrent effect
+
+0:24:14.760,0:24:16.390
+so I can get data from the sensor
+
+0:24:16.390,0:24:18.390
+typically like in my team
+
+0:24:18.390,0:24:21.960
+there's only two people that even know the route
+password
+
+0:24:21.960,0:24:24.270
+we could heavily defend these things
+
+0:24:24.270,0:24:26.159
+we can have them defend
+
+0:24:26.159,0:24:27.549
+each other
+
+0:24:27.549,0:24:28.620
+like watch each other
+
+0:24:28.620,0:24:31.529
+so I tend to have a very very high confidence to
+what the sensor is telling me
+
+0:24:31.529,0:24:33.530
+as opposed to
+
+0:24:33.530,0:24:35.180
+what a user platform is telling me
+
+0:24:35.180,0:24:35.980
+so if I’m
+
+0:24:35.980,0:24:37.799
+if I’m on a user platform
+
+0:24:37.799,0:24:41.290
+and I'm looking around for evidence of a rootkit
+and I see nothing
+
+0:24:41.290,0:24:44.140
+but up here in my sensor showing traffic going by
+
+0:24:44.140,0:24:47.220
+out to some site in Brazil
+
+0:24:47.220,0:24:48.490
+then I can say
+
+0:24:48.490,0:24:50.070
+alright we have a problem here
+
+0:24:50.070,0:24:51.120
+so this is why I like
+
+0:24:51.120,0:24:54.020
+to itroduce these sorts of devices
+
+0:24:54.020,0:24:55.070
+let me talk a little bit
+
+0:24:55.070,0:24:55.959
+to about
+
+0:24:55.959,0:24:57.560
+least trusted and most trusted
+
+0:24:57.560,0:24:59.840
+if you had to rank operating systems here
+
+0:24:59.840,0:25:01.830
+would you put Windows up here
+
+0:25:01.830,0:25:02.899
+and BSD here
+
+0:25:02.899,0:25:06.150
+or the other way around right
+
+0:25:06.150,0:25:11.010
+so I like to use BSD especially for my sensors
+
+0:25:11.010,0:25:13.510
+because I introduce what we call a technology gap
+
+0:25:13.510,0:25:16.789
+my company we use a lot of Windows as you
+might imagine
+
+0:25:16.789,0:25:19.230
+and we use a lot of Linux
+
+0:25:19.230,0:25:22.820
+we don't use a lot of BSD in fact I’m
+probably the only BSD
+
+0:25:22.820,0:25:24.770
+shop in the company that I know of
+
+0:25:24.770,0:25:25.729
+but that's good
+
+0:25:25.729,0:25:28.090
+because if you’re a bad guy and you get inside the company
+
+0:25:28.090,0:25:31.850
+and you root our Windows infrastructure and you root our
+Linux infrastructure
+
+0:25:31.850,0:25:34.420
+and then you find some BSD boxes
+
+0:25:34.420,0:25:36.530
+and we administer them ourselves
+
+0:25:36.530,0:25:39.020
+it's going to take a lot more work to get
+into this
+
+0:25:39.020,0:25:41.930
+and we’re probably did notice when you're trying
+to get into our systems
+
+0:25:41.930,0:25:44.220
+so it does not make sense and I’ve seen
+
+0:25:44.220,0:25:47.450
+we get a lot of pressure on this internally
+and I’ve seen it in other companies
+
+0:25:47.450,0:25:49.740
+to have our sensing
+
+0:25:49.740,0:25:50.180
+infrastructure
+
+0:25:50.180,0:25:53.679
+be integrated with the rest of the company
+infrastructure
+
+0:25:53.679,0:25:54.930
+right oh just have you know
+
+0:25:54.930,0:25:58.190
+have our hosted Linux service
+
+0:25:58.190,0:26:00.059
+where you know you can have
+
+0:26:00.059,0:26:01.870
+potentially all these admins you don't know
+
+0:26:01.870,0:26:04.960
+on another continent logging into your devices
+
+0:26:04.960,0:26:07.280
+no way you know I want a gap I want
+
+0:26:07.280,0:26:09.580
+the stuff that we have to protect
+
+0:26:09.580,0:26:10.730
+not be
+
+0:26:10.730,0:26:12.470
+the same as what’s using
+
+0:26:12.470,0:26:13.170
+or not be
+
+0:26:13.170,0:26:15.740
+the same systems that we’re using to watch this
+
+0:26:15.740,0:26:16.729
+so I introduced BSD as
+
+0:26:16.729,0:26:18.540
+as a new operating system to
+
+0:26:18.540,0:26:23.110
+watch this yes
+
+0:26:23.110,0:26:27.950
+so the question was do I stay on the Intel platform
+
+0:26:27.950,0:26:30.750
+I actually bring up that point in my forensics talks
+
+0:26:30.750,0:26:32.780
+I am on an Intel platform
+
+0:26:32.780,0:26:34.370
+for my sensors
+
+0:26:34.370,0:26:37.250
+however
+
+0:26:37.250,0:26:40.130
+depending on how you want to do forensics for
+example
+
+0:26:40.130,0:26:43.710
+I have done cases where I had one tax stack
+where I’ve got
+
+0:26:43.710,0:26:46.730
+you know Intel Windows
+
+0:26:46.730,0:26:48.180
+Toolex
+
+0:26:48.180,0:26:48.780
+whatever
+
+0:26:48.780,0:26:51.119
+and in another platform where I’ve got
+
+0:26:51.119,0:26:52.559
+Power PC
+
+0:26:52.559,0:26:53.420
+Debian
+
+0:26:53.420,0:26:55.560
+blah blah blah blah blah and something completely different
+
+0:26:55.560,0:26:58.740
+and I will say by the way
+
+0:26:58.740,0:27:04.310
+I don't run the one sytem I expose in my home lab
+is not an Intel system
+
+0:27:04.310,0:27:06.940
+it's a Mac mini
+
+0:27:06.940,0:27:08.550
+and it’s running Debian on top
+
+0:27:08.550,0:27:11.789
+I tried to put on BSD I had a problem
+I don’t know what that was
+
+0:27:11.789,0:27:13.109
+probably user error but
+
+0:27:13.109,0:27:15.310
+so Debian is running on that and what’s
+
+0:27:15.310,0:27:18.529
+nice about that is do you remember when the Debian
+the SSL stuff when was that
+
+0:27:22.789,0:27:24.340
+that happened recently
+
+0:27:24.340,0:27:27.360
+all of the pre-compiled exploits for that
+
+0:27:27.360,0:27:30.570
+%uh and all of the pre-compiled keys
+
+0:27:30.570,0:27:34.230
+they shell code was all wrong because I was running
+Power PC
+
+0:27:34.230,0:27:36.240
+and like when I did my
+
+0:27:36.240,0:27:38.050
+update or whatever I was like oh
+
+0:27:38.050,0:27:39.110
+I wonder if I’m affected by that
+
+0:27:39.110,0:27:42.160
+and it kept saying I wasn't even though I knew
+I was because the
+
+0:27:42.160,0:27:44.270
+you know I had the vulnerable library version
+
+0:27:44.270,0:27:46.809
+I was like that's right this isn’t an Intel box
+
+0:27:46.809,0:27:48.170
+it's a Power PC box
+
+0:27:48.170,0:27:52.120
+so I do use that diversity argument in very very
+limited situations
+
+0:27:52.120,0:27:55.180
+but it would be really expensive for me to say buy
+
+0:27:55.180,0:27:57.639
+you know eighty
+
+0:27:57.639,0:28:01.710
+I don't know I’m not even sure what I would use these days
+it would be tough to find that I could get
+
+0:28:01.710,0:28:03.070
+a good price and everything
+
+0:28:03.070,0:28:06.460
+so I have to make some compromises there
+
+0:28:06.460,0:28:10.419
+but that’s not a bad idea if you have to have some kind of
+like central server that was going to like watch everything maybe
+
+0:28:10.419,0:28:12.559
+you need to go that extra step to make it
+
+0:28:12.559,0:28:15.580
+even more diverse
+
+0:28:15.580,0:28:18.380
+alright so I’d like to talk just for a minute
+about what I do
+
+0:28:18.380,0:28:21.320
+like to deploy
+
+0:28:21.320,0:28:23.190
+um what’s my time here
+
+0:28:23.190,0:28:29.300
+so I'm involved with this open source project called SGUIL
+S-G-U-I-L
+
+0:28:29.300,0:28:32.780
+SGUIL doesn't stand for anything officially
+
+0:28:32.780,0:28:38.180
+but it originally when we first wrote it in like by the way
+Bam Busher is the lead developer he’s probably actually the
+only developer
+
+0:28:38.180,0:28:42.360
+the rest of us are just lamers
+
+0:28:42.360,0:28:43.820
+that's what the L means
+
+0:28:43.820,0:28:46.660
+originally it was snort GUI for lamers
+
+0:28:46.660,0:28:48.900
+%uh but then a couple people who got it
+
+0:28:48.900,0:28:52.490
+well we didn't get the joke they got a software
+like I’m not a lamer I’m not going to use your software
+
+0:28:52.490,0:28:54.220
+well I don’t care if you use it or not
+
+0:28:59.890,0:29:01.540
+yeah right
+
+0:29:01.540,0:29:04.060
+But we felt okay that’s kind of
+
+0:29:04.060,0:29:09.860
+we’ll just call it SGUIL it doesn’t mean anything
+
+0:29:09.860,0:29:13.670
+So I’m going to talk to you about SGUIL but the thing about
+SGUIL to remember is
+
+0:29:13.670,0:29:15.310
+it's open source it runs on
+
+0:29:15.310,0:29:16.460
+you know Picker
+
+0:29:16.460,0:29:18.080
+Distrobe Choice
+
+0:29:18.080,0:29:19.970
+or Flavor whatever you want
+
+0:29:19.970,0:29:22.080
+it's more about the data and less about the tool
+
+0:29:22.080,0:29:24.690
+so you could potentially implement this with your own tools
+
+0:29:24.690,0:29:26.850
+%uh even commercial if you wanted to
+
+0:29:26.850,0:29:29.350
+%um it’s really
+
+0:29:29.350,0:29:32.419
+about way of getting data and thinking about it and less
+about the actual
+
+0:29:32.419,0:29:37.020
+the actual tool
+
+0:29:37.020,0:29:38.400
+you know this guy it’s Elvis
+
+0:29:38.400,0:29:44.900
+you know what martial art he studied
+
+0:29:49.720,0:29:51.000
+so here’s Elvis
+
+0:29:51.000,0:29:53.750
+and Elvis is the patron saint of this system
+
+0:29:53.750,0:29:56.380
+I don't know why it's been a long time
+
+0:29:56.380,0:29:57.230
+but %uh
+
+0:29:57.230,0:30:00.609
+I love Elvis because he’s in his Kenpo karate stance
+
+0:30:00.609,0:30:02.480
+and his stance is like this
+
+0:30:02.480,0:30:08.860
+which it would take him like a week to get out
+of his fight stance to do anything
+
+0:30:08.860,0:30:12.610
+I actually won some concert tickets by stumping
+an Elvis expert on a radio station here
+
+0:30:12.610,0:30:13.399
+in DC-
+
+0:30:13.399,0:30:16.120
+I called and said what style of martial arts did he
+
+0:30:16.120,0:30:18.590
+he’s like oh karate I’m like what style
+
+0:30:18.590,0:30:20.080
+oh I don't know
+
+0:30:20.080,0:30:21.070
+Kenpo karate well
+
+0:30:21.070,0:30:22.559
+who was his masters’ name
+
+0:30:22.559,0:30:23.670
+uh Ed Parker
+
+0:30:23.670,0:30:29.540
+and they were like oh you just won those tickets you stumped
+the Elvis expert
+
+0:30:29.540,0:30:34.540
+so here you have Elvis I’m going to contrast these two methods
+of doing investigations right
+
+0:30:34.540,0:30:35.870
+so you’ve got Elvis
+
+0:30:35.870,0:30:38.640
+he’s your analyst you don’t want to piss him off
+
+0:30:38.640,0:30:40.289
+he’s Elvis
+
+0:30:40.289,0:30:43.799
+he’ll hit you with his magic karate shot
+
+0:30:43.799,0:30:47.580
+he gets an alert via some system right well not these days he’s looking trim man
+
+0:30:47.580,0:30:50.900
+by the way if you’ve ever watched him in concert
+
+0:30:50.900,0:30:53.970
+he’s doing Kenpo like throughout the concert all the moves
+
+0:30:53.970,0:30:55.910
+he’s doing
+
+0:30:55.910,0:30:56.269
+he’s doing Kenpo
+
+0:30:56.269,0:30:59.089
+you zoom in he’s got a Kenpo patch on whatever
+he's wearing
+
+0:30:59.089,0:31:01.279
+you look at his guitar it’s got the Kenpo patch on it
+
+0:31:01.279,0:31:05.300
+like once you’re exposed to the fact that he did this style it's
+everywhere
+
+0:31:05.300,0:31:06.470
+in fact there was one
+
+0:31:06.470,0:31:11.210
+he did a concert once actually he didn't
+do a concert he attended somebody else’s concert
+
+0:31:11.210,0:31:15.190
+and I don't know who it was like Johnny Cash or something
+but he saw him in the audience
+
+0:31:15.190,0:31:16.370
+he’s like Elvis do you want to come up here
+
+0:31:16.370,0:31:17.910
+you know do a song with me
+
+0:31:17.910,0:31:19.800
+and he’s like oh sorry you know
+
+0:31:19.800,0:31:22.880
+I'm under contract I can only perform at
+this
+
+0:31:22.880,0:31:23.570
+one casino
+
+0:31:23.570,0:31:27.360
+but I’ll tell you what I’ll come on stage and do karate
+
+0:31:30.100,0:31:32.190
+so this guy is doing his performance and Elvis is just jumping on doing karate
+
+0:31:32.190,0:31:34.530
+I’ve got to find a video of that that would be great
+
+0:31:34.530,0:31:36.720
+so anyway Elvis is here
+
+0:31:36.720,0:31:39.440
+and his job is to find intruders
+
+0:31:39.440,0:31:41.150
+so he gets his console and he gets and alert
+
+0:31:41.150,0:31:41.990
+and he looks at it and he’s like
+
+0:31:41.990,0:31:43.520
+alright well
+
+0:31:43.520,0:31:45.230
+I’ve got to figure out if this matters
+
+0:31:45.230,0:31:48.470
+so what do I have to work with
+
+0:31:48.470,0:31:50.960
+well I have other alerts like a picture in front of some Cisco device
+
+0:31:50.960,0:31:53.870
+like in that range or whatever they are these days
+
+0:31:53.870,0:31:56.940
+so he creates the database and he gets more alerts
+
+0:31:56.940,0:31:59.800
+and he says well this is nice but I can’t tell if any of this matters
+
+0:31:59.800,0:32:02.770
+so that's the end of the line
+
+0:32:02.770,0:32:05.940
+right at this point he’s got two options he can either ignore it
+
+0:32:05.940,0:32:10.240
+or he can satisfy his fifteen minute SOA that his customer
+pays three thousand dollars a month
+
+0:32:10.240,0:32:10.860
+for
+
+0:32:10.860,0:32:11.940
+call the customer and say
+
+0:32:11.940,0:32:13.059
+I saw this
+
+0:32:13.059,0:32:14.650
+I don't know what it means
+
+0:32:14.650,0:32:17.110
+ball is in your court goodbye
+
+0:32:17.110,0:32:21.360
+so I don't how many of you have you had that experience with an
+MSSP but that’s very very common
+
+0:32:21.360,0:32:22.869
+so to me this is
+
+0:32:22.869,0:32:27.620
+that's completely worthless so this is the
+alternative I propose
+
+0:32:27.620,0:32:30.550
+so see already you can see there’s more lines so that
+must be good right
+
+0:32:30.550,0:32:32.030
+so you got Elvis
+
+0:32:32.030,0:32:35.319
+he queries his data he get’s an alert he queries the
+database he gets the same alert
+
+0:32:35.319,0:32:39.050
+but now the difference is he has some data to look
+at
+
+0:32:39.050,0:32:42.499
+so in other words it’s no just an IDS or whatever
+generate alerts
+
+0:32:42.499,0:32:44.470
+there’s some evidence to review
+
+0:32:44.470,0:32:46.880
+and the key idea behind NSM is
+
+0:32:46.880,0:32:47.869
+the evidence
+
+0:32:47.869,0:32:51.700
+is collected whether or not it has security
+value
+
+0:32:51.700,0:32:55.110
+that's not quite right what I mean is you’re
+always collecting data
+
+0:32:55.110,0:32:57.350
+because you don't know what is useful
+
+0:32:57.350,0:32:58.430
+in other words
+
+0:32:58.430,0:33:00.360
+if you knew what was bad
+
+0:33:00.360,0:33:03.159
+why don't you just stop it
+
+0:33:03.159,0:33:05.709
+that is the whole fallacy of security right
+like
+
+0:33:05.709,0:33:07.359
+the whole thing IDS was
+
+0:33:07.359,0:33:11.350
+if you could detect it why can’t you prevent it oh yeah
+
+0:33:11.350,0:33:14.860
+right so you invent this whole IPS category
+which is a silver bullet which
+
+0:33:14.860,0:33:17.270
+did really nothing
+
+0:33:17.270,0:33:21.780
+but the idea is yeah you can detect it’s bad why don’t you just
+stop it well of course that makes a lot of
+
+0:33:21.780,0:33:22.219
+sense
+
+0:33:22.219,0:33:24.840
+so you have a lot of stopping bad stuff
+
+0:33:24.840,0:33:28.250
+but then there’s other bad stuff that’s happening because
+you don't know it is bad right now
+
+0:33:28.250,0:33:29.899
+I mean
+
+0:33:29.899,0:33:34.140
+I learned these techniques dealing with
+
+0:33:34.140,0:33:35.820
+intruders
+
+0:33:35.820,0:33:38.399
+I’ll date myself but in 1998
+
+0:33:38.399,0:33:39.509
+intruders in China
+
+0:33:39.509,0:33:41.049
+who had writtten their own
+
+0:33:41.049,0:33:44.010
+virtualisation platform on top of Solaris
+
+0:33:44.010,0:33:46.159
+who were doing stuff we were like holy cow
+
+0:33:46.159,0:33:48.540
+because we had no idea that they could do
+that sort of thing
+
+0:33:48.540,0:33:51.879
+so there was no system that was going to detect
+because we didn't even know it existed
+
+0:33:51.879,0:33:54.530
+but guess what we were keeping track of everything
+that was happening
+
+0:33:54.530,0:33:56.330
+and once we knew what to look for
+
+0:33:56.330,0:34:00.380
+we checked our data like holy crap they’ve been in
+here since two years ago
+
+0:34:00.380,0:34:03.230
+right this slide that I showed you here
+
+0:34:03.230,0:34:07.240
+when we started putting out these sensors there was
+huge resistance
+
+0:34:07.240,0:34:08.459
+this was like
+
+0:34:08.459,0:34:13.399
+oh man we’re the air force we just defeated Iraq the
+fourth biggest army in the world we kick ass
+
+0:34:13.399,0:34:15.739
+there can’t be anybody inside of our network and we’re like
+
+0:34:15.739,0:34:19.460
+please please can we put a few sensors out there and they’re
+like all right but you guys are wasting your
+
+0:34:19.460,0:34:20.029
+time
+
+0:34:20.029,0:34:23.690
+so we put our sensors out and what do you think
+what did we find
+
+0:34:23.690,0:34:24.720
+we were owned
+
+0:34:25.650,0:34:26.230
+everywhere
+
+0:34:26.230,0:34:27.569
+up down left right
+
+0:34:27.569,0:34:29.499
+it was terrible right we were completely owned
+
+0:34:29.499,0:34:31.329
+because nobody was watching
+
+0:34:31.329,0:34:33.129
+and then after that
+
+0:34:33.129,0:34:37.159
+boom that’s when everything took off
+
+0:34:37.159,0:34:40.859
+so the key here is that you get your alert but then you
+have data to look at and the two
+
+0:34:40.859,0:34:43.939
+%uh well I should say three main forms of data you collect
+
+0:34:43.939,0:34:45.370
+we collected alerts but
+
+0:34:45.370,0:34:46.269
+we’re also
+
+0:34:46.269,0:34:47.780
+just logging all the flows we see
+
+0:34:47.780,0:34:50.779
+we call it session data but it’s just flows
+
+0:34:50.779,0:34:52.999
+and we deploy our own software to log the flows
+
+0:34:52.999,0:34:56.460
+but the key is we don't log the flows that are associated
+with the alert we log
+
+0:34:56.460,0:34:57.789
+all flows
+
+0:34:57.789,0:34:59.689
+so you don’t have to know what support beforehand
+
+0:34:59.689,0:35:01.619
+you just keep track of everything
+
+0:35:01.619,0:35:02.840
+and once you know what to look for
+
+0:35:02.840,0:35:04.259
+you go look for it
+
+0:35:04.259,0:35:08.739
+I kind of liken it to the Splunk model like I
+how many people have used Splunk
+
+0:35:08.739,0:35:10.609
+right Splunk is really awesome right
+
+0:35:10.609,0:35:13.719
+Splunk is the place you go when you know
+what to look for
+
+0:35:13.719,0:35:15.740
+you generally don't have Splunk tell you stuff
+
+0:35:15.740,0:35:16.679
+I mean you can
+
+0:35:16.679,0:35:18.150
+but for the most part
+
+0:35:18.150,0:35:21.910
+you want to be there when you need to ask the question
+and have some response
+
+0:35:21.910,0:35:24.470
+it's the same thing with this once I know what to look for
+
+0:35:24.470,0:35:25.309
+I need a place to go look
+
+0:35:25.309,0:35:28.169
+so I query my sessions and I’m like oh well look
+
+0:35:28.169,0:35:29.040
+this guy
+
+0:35:29.040,0:35:32.709
+just reached out via FTP and grabbed his tools
+
+0:35:32.709,0:35:35.109
+guess what most hackers these days still do this
+
+0:35:35.109,0:35:36.189
+right they aren’t like
+
+0:35:36.189,0:35:38.319
+STP-ing out or whatever
+
+0:35:38.319,0:35:40.489
+yeah go grab their tools over FTP
+
+0:35:40.489,0:35:41.439
+excuse me well
+
+0:35:41.439,0:35:43.280
+they grab their tools over FTP
+
+0:35:43.280,0:35:45.939
+while they’re doing that I’m logging all the packet data
+
+0:35:45.939,0:35:51.379
+and a lot of people used to say oh Bejtlich you’re
+crazy who can log packet data on all their gateways
+
+0:35:51.379,0:35:52.829
+the NSA does
+
+0:35:52.829,0:35:55.639
+so guess what we can too right it’s not that tough
+
+0:35:55.639,0:35:58.500
+%uh most network connections are
+
+0:35:58.500,0:36:00.079
+DS3s or less
+
+0:36:00.079,0:36:03.509
+at least the outbound ones to the internet
+
+0:36:03.509,0:36:05.579
+so you could log a lot of packet data
+
+0:36:05.579,0:36:07.809
+I mean hard drives are cheap
+
+0:36:07.809,0:36:12.589
+they're cheap so you can grab a lot of data
+
+0:36:12.589,0:36:18.589
+yeah question what do you use to dump all the data I’ll walk
+you through all of it yup yes my question is so I’m located
+my servers are in Maryland
+
+0:36:20.819,0:36:23.099
+yes I’m an ISP what happens when I get stuff from
+Massachussetts or California and they’re going you can’t do that
+
+0:36:27.329,0:36:28.269
+yes okay so there’s two things
+
+0:36:28.269,0:36:32.709
+the first thing I thought you were going to go down was
+I’m an ISP do I do this for my
+
+0:36:32.709,0:36:33.949
+customers the answer would be no
+
+0:36:33.949,0:36:37.429
+%uh I would do this for my infrastructure
+
+0:36:37.429,0:36:40.489
+as far as the privacy stuff goes
+
+0:36:40.489,0:36:44.589
+we're we’re wrestling with ourselves and what
+I end up doing is typically
+
+0:36:44.589,0:36:46.899
+scaling back to what the law will allow
+
+0:36:46.899,0:36:50.660
+and then showing that it's either adequate
+or not adequate
+
+0:36:50.660,0:36:56.319
+and then I take it to the lawyers and say we have to
+somehow push back against this
+
+0:36:56.319,0:36:57.630
+%uh but okay
+
+0:36:57.630,0:37:00.229
+so imagine that you do the full content though
+
+0:37:00.229,0:37:06.089
+and by the way this isn’t theoretical we do this all the time
+I have a reverse engineer on my staff who
+
+0:37:06.089,0:37:10.589
+when we see machines mission going down pulling their binaries
+when the machines are owned
+
+0:37:10.589,0:37:12.399
+I pass in the traffic
+
+0:37:12.399,0:37:14.219
+he pulls out the
+
+0:37:14.219,0:37:15.260
+exe
+
+0:37:15.260,0:37:19.160
+he reverses it figures out what it does
+and now we go into the next stage of insert-response
+
+0:37:19.160,0:37:21.249
+so it can be done
+
+0:37:21.249,0:37:24.869
+so then we say oh shoot it uses this back door we
+go back and look in the sessions and we say
+
+0:37:24.869,0:37:27.879
+oh I see this back door let's go and look at the
+traffic
+
+0:37:27.879,0:37:29.350
+and it just keeps going so
+
+0:37:29.350,0:37:36.350
+the idea is that this isn’t the end of the investigation
+it’s the beginning the investigation
+
+0:37:36.579,0:37:37.369
+sure
+
+0:37:37.369,0:37:39.059
+can it be done
+
+0:37:39.059,0:37:41.209
+it’s easy to do and can be done completely free
+
+0:37:41.209,0:37:42.249
+yes
+
+0:37:42.249,0:37:44.220
+yes and that is very true
+
+0:37:44.220,0:37:45.249
+everything that I’ve shown here
+
+0:37:45.249,0:37:48.249
+you could literally walk out of here
+
+0:37:48.249,0:37:50.619
+go into the freeBSD ports tree find a SGUIL ports
+
+0:37:52.119,0:37:54.840
+do your make I mean the ports are a little ugh
+
+0:37:54.840,0:37:58.029
+I'm not
+
+0:37:58.029,0:37:59.730
+you don’t want to slam a guy who
+
+0:37:59.730,0:38:01.190
+volunteers and makes ports right
+
+0:38:01.190,0:38:05.700
+but there’s still a decent amount of work that you have
+to do once the ports are installed it’s good for basically
+
+0:38:05.700,0:38:09.880
+satisfying dependencies and so forth
+
+0:38:09.880,0:38:12.879
+so this is the implementation we use as far as software stack
+
+0:38:12.879,0:38:14.699
+for %uh alert data
+
+0:38:14.699,0:38:17.459
+we use Snort
+
+0:38:17.459,0:38:22.799
+I’m starting to I’ve used Bro a little bit
+I’m starting to integrate Bro though
+
+0:38:22.799,0:38:26.949
+full content data I tend to use Demon Logger
+
+0:38:26.949,0:38:29.029
+it’s Marty Rush’s implementation of Packet Logger
+
+0:38:29.029,0:38:30.069
+for session data
+
+0:38:30.069,0:38:34.539
+I use SANCP which is sort a friend of Myrobe which you can
+sort of see some other options there
+
+0:38:34.539,0:38:36.469
+and then statistical data
+
+0:38:36.469,0:38:38.939
+you know think MRTGA type of thing
+that
+
+0:38:38.939,0:38:40.949
+shows you traffic over time or whatever
+
+0:38:40.949,0:38:45.979
+%um and the nice thing is SGUIL is the interface to a lot
+of this and you know
+
+0:38:45.979,0:38:47.619
+I’m going to show you what that looks like
+
+0:38:47.619,0:38:50.709
+by the way so this is it in a picture
+
+0:38:50.709,0:38:52.289
+so what is SGUIL well
+
+0:38:52.289,0:38:54.949
+okay yes this is a Windows screenshot
+
+0:38:54.949,0:39:00.159
+it shows that you can run your BSD back
+end on the servers and then have your boss uses Windows
+
+0:39:00.159,0:39:00.769
+GUI
+
+0:39:00.769,0:39:02.189
+and log into it
+
+0:39:02.189,0:39:03.159
+and %uh
+
+0:39:03.159,0:39:07.559
+again this isn’t about the tool as much as
+the data and the way you investigate it but
+
+0:39:07.559,0:39:08.989
+here’s the screenshot so
+
+0:39:08.989,0:39:11.890
+you can see we have a console here
+
+0:39:11.890,0:39:16.509
+and these are our store alerts coming in and by the way it can
+be other things we've got it
+
+0:39:16.509,0:39:20.469
+this isn't a sim incidentally we were talking
+just a few minutes ago like
+
+0:39:20.469,0:39:22.380
+the way we describe it is
+
+0:39:22.380,0:39:23.259
+with a sim
+
+0:39:23.259,0:39:26.170
+you could put ABCD all the way through W
+
+0:39:26.170,0:39:27.200
+into a sim
+
+0:39:27.200,0:39:28.819
+and it’d still be garbage
+
+0:39:28.819,0:39:31.449
+but with this we pick the X Y and Z that we
+
+0:39:31.449,0:39:34.109
+think give you the best value
+
+0:39:34.109,0:39:37.619
+so for us those are alert sessions and and full content
+
+0:39:37.619,0:39:39.650
+so you’ve got your interface here
+
+0:39:39.650,0:39:43.670
+and we try to present as much information
+on one screen without having to do a bunch of window
+
+0:39:43.670,0:39:44.889
+management
+
+0:39:44.889,0:39:46.839
+yes it is TCL/TK
+
+0:39:46.839,0:39:50.599
+we started this back in 2001
+
+0:39:50.599,0:39:54.009
+but it works it you know it’s fine it’s platform
+
+0:39:54.009,0:39:56.349
+so here’s the packet that caused the alert
+
+0:39:56.349,0:39:58.349
+here is the of
+
+0:39:58.349,0:40:00.100
+the rule that caused the alert
+
+0:40:00.100,0:40:02.160
+and in most systems this is what you would
+get
+
+0:40:02.160,0:40:05.079
+right you're left deciding if it's okay
+
+0:40:05.079,0:40:09.039
+in an HTTP transaction
+
+0:40:09.039,0:40:12.460
+for someone to have put through what looks like the
+output of an ID command on Unix
+
+0:40:12.460,0:40:14.779
+where the result was
+
+0:40:14.779,0:40:16.179
+UID zero
+
+0:40:16.179,0:40:19.529
+is that good or is that bad I mean you’d probably say that sounds bad
+
+0:40:19.529,0:40:24.219
+but once you do the analysis you’ll find out it's
+not the question is you have to make that decision
+
+0:40:24.219,0:40:25.760
+and every vendor that I’ve met
+
+0:40:25.760,0:40:26.839
+they leave you here
+
+0:40:26.839,0:40:28.399
+and they abandon you
+
+0:40:28.399,0:40:29.479
+they say
+
+0:40:29.479,0:40:31.439
+good luck I’ve given you the packet
+
+0:40:31.439,0:40:33.329
+like you’ll talk to the source buyer guys they’re like
+
+0:40:33.329,0:40:36.199
+I gave you the packet what more do you need
+
+0:40:36.199,0:40:37.639
+I need to know if it matters
+
+0:40:37.639,0:40:41.569
+and you’re like well
+
+0:40:41.569,0:40:42.889
+I
+
+0:40:42.889,0:40:46.549
+can give you the packet look
+
+0:40:46.549,0:40:48.680
+yeah packet so what it’s a packet
+
+0:40:48.680,0:40:52.439
+I can tell there’s a packet here yes there’s a packet and yes
+it’s nice that you gave me a nice open rule so I can tell how it
+
+0:40:52.439,0:40:55.140
+came to its decision unlike you know a closed system
+
+0:40:55.140,0:40:56.150
+you can't tell
+
+0:40:56.150,0:40:58.240
+but I have to tell if this matters for me
+
+0:40:58.240,0:40:59.859
+what do you do next
+
+0:40:59.859,0:41:03.769
+we could do a couple things one thing you
+can do is build transcript
+
+0:41:03.769,0:41:05.550
+the transcript is
+
+0:41:05.550,0:41:06.510
+all of the
+
+0:41:06.510,0:41:08.380
+session in this case
+
+0:41:08.380,0:41:12.719
+rendered through in this case we use TCP flow so we say
+
+0:41:12.719,0:41:13.789
+literally right-click
+
+0:41:13.789,0:41:15.379
+give me your transcript
+
+0:41:15.379,0:41:16.740
+system goes out to the sensor
+
+0:41:16.740,0:41:18.369
+pulls back the P cap data
+
+0:41:18.369,0:41:20.319
+renders it in TCP flow
+
+0:41:20.319,0:41:21.259
+colors the blue
+
+0:41:21.259,0:41:24.249
+%uh the source the red is the destination
+
+0:41:24.249,0:41:26.079
+so you can see that my system
+
+0:41:26.079,0:41:31.009
+visited the www.testmyids.com site
+
+0:41:31.009,0:41:32.320
+and it replied
+
+0:41:32.320,0:41:34.009
+with the content
+
+0:41:34.009,0:41:36.159
+so
+
+0:41:36.159,0:41:37.679
+there is no like
+
+0:41:37.679,0:41:39.289
+back door on port 80 here
+
+0:41:39.289,0:41:40.689
+this is a
+
+0:41:40.689,0:41:47.119
+by the way the other thing that’s nice is that I came
+through this proxy and whatever
+
+0:41:47.119,0:41:50.779
+if I’m dealing with a binary protocol like let’s say
+SNB or RPC or something that doesn’t
+
+0:41:50.779,0:41:52.249
+render well as text
+
+0:41:52.249,0:41:56.849
+that's same right-click you can instead choose to
+dump it into Wireshark
+
+0:41:56.849,0:41:58.099
+so here’s the Wireshark data
+
+0:41:58.099,0:42:00.829
+and you can use anything you want to do for Wireshark
+at this point
+
+0:42:00.829,0:42:01.900
+this is fast right
+
+0:42:01.900,0:42:05.699
+I don’t know how many of you have had to do this by
+hand
+
+0:42:05.699,0:42:08.570
+you know you SSH out to the sensor find a pcat file
+
+0:42:08.570,0:42:10.709
+come up with a BPF in your head
+
+0:42:10.709,0:42:12.119
+you know run it
+
+0:42:12.119,0:42:13.890
+copy it someplace no this is
+
+0:42:13.890,0:42:15.359
+right-click right-click right-click I’ve got all my data
+
+0:42:17.130,0:42:20.909
+if you want to see well have I ever gone to this IP address
+before
+
+0:42:20.909,0:42:23.219
+I query for my sessions and I say
+
+0:42:23.219,0:42:27.459
+you know in this case it’s a sequel query on that desk IP
+
+0:42:27.459,0:42:30.770
+and by the way you can right-click and do a default query
+or else if you know what the schema looks like you can just
+modify it by hand
+
+0:42:37.369,0:42:40.139
+and I think that’s it
+
+0:42:40.139,0:42:41.820
+so if you want to try any of that
+
+0:42:41.820,0:42:44.889
+like I said %uh the ports exist
+
+0:42:44.889,0:42:49.399
+I maintain some really really really
+really lame scripts that automate this
+
+0:42:49.399,0:42:52.190
+but I need to install it on my home gateway or something
+like that
+
+0:42:52.190,0:42:56.319
+They’re more of just a reference
+
+0:42:56.319,0:42:57.140
+but that’s what I do on BSD as far as network security
+monitoring goes
+
+0:42:57.140,0:43:03.609
+I’d be happy to answer any questions
+
+0:43:03.609,0:43:09.139
+yes
+
+0:43:09.139,0:43:14.049
+what additional features are you looking for in the future I
+would say for SGUIL for new features the first thing is resolve
+
+0:43:14.049,0:43:15.700
+intellectual property
+
+0:43:15.700,0:43:16.140
+because
+
+0:43:16.140,0:43:19.469
+I hired Bam as my lead incident handler at GE
+
+0:43:19.469,0:43:20.439
+so
+
+0:43:20.439,0:43:21.780
+we need to figure out
+
+0:43:21.780,0:43:24.940
+if he works on it at work
+
+0:43:24.940,0:43:27.640
+can we release it well first of all can he even work
+on it at work
+
+0:43:27.640,0:43:29.130
+and secondly if he does
+
+0:43:29.130,0:43:33.189
+can we release so we're trying to work
+out those I think it'll be resolved postively
+
+0:43:33.189,0:43:35.119
+because we're GE’s actually fairly pro-open-source
+
+0:43:36.849,0:43:41.189
+I told the CEO of the company that this thing
+used my sequel as a back end and
+
+0:43:41.189,0:43:42.229
+he’s like I love my sequel
+
+0:43:42.229,0:43:43.680
+okay
+
+0:43:43.680,0:43:45.470
+he’s like you’ve got your money I’m like oh
+
+0:43:45.470,0:43:47.089
+okay that’s all I had to say great
+
+0:43:47.089,0:43:50.969
+%uh he hates Microsoft he hates the company
+
+0:43:53.819,0:43:58.789
+so we wanted once we get that result we want
+to probably introduce other data sources
+
+0:43:58.789,0:43:59.549
+so introduce like Bro plugin
+
+0:44:01.090,0:44:02.240
+some other agents
+
+0:44:02.240,0:44:03.799
+they could accept other data
+
+0:44:03.799,0:44:05.470
+%uh we need to have
+
+0:44:05.470,0:44:07.789
+some kind of reporting mechanism
+
+0:44:07.789,0:44:08.610
+because people don't know
+
+0:44:08.610,0:44:11.589
+what comes out once you put it in
+
+0:44:11.589,0:44:16.329
+there's been some talk about making this turn
+into a Splunk base application
+
+0:44:16.329,0:44:18.119
+so all the data goes into Splunk
+
+0:44:18.119,0:44:25.119
+I mean you could you'd do like use Splunk as the interface
+so that's a possibility
+
+0:44:28.909,0:44:33.859
+yeah Splunk is remarkably cheap for an enterprise
+app though we’ve bought like giant licenses
+
+0:44:33.859,0:44:34.669
+that have not
+
+0:44:34.669,0:44:38.399
+I mean they've been like five-figure purchases which is
+really good considering how many gigabytes of data
+
+0:44:38.399,0:44:39.489
+we’re indexing
+
+0:44:39.489,0:44:41.789
+%uh but you know for the
+
+0:44:41.789,0:44:46.170
+situation here it would be an option because the free Splunk
+is 500mb a day
+
+0:44:46.170,0:44:49.229
+so it's not that
+
+0:44:49.229,0:44:56.229
+any other questions
+
+0:45:02.480,0:45:04.219
+yeah I think Bro if you’ve never heard of Bro bro-ids.org
+
+0:45:04.219,0:45:08.279
+in fact I’m going to Bro training next week
+in Berkeley which is just going to rock I’m so excited
+
+0:45:08.279,0:45:10.629
+about that
+
+0:45:10.629,0:45:12.469
+Bro I think is a perfect
+
+0:45:12.469,0:45:14.809
+a perfect compliment to Snort
+
+0:45:14.809,0:45:17.750
+Snort not exclusively but Snort is quite a bit about signatures
+
+0:45:17.750,0:45:21.140
+there are some few processors that look for
+protocol anomalies and so forth
+
+0:45:21.140,0:45:26.189
+but Bro on it’s own is completely the opposite it’s all about
+protocol anomalies
+
+0:45:26.189,0:45:27.939
+Snort has kind of like real
+
+0:45:27.939,0:45:30.999
+hackish type state keeping using flow bits
+
+0:45:30.999,0:45:32.739
+Bro is all about state
+
+0:45:32.739,0:45:35.160
+so you put the two of them together you might say
+
+0:45:35.160,0:45:37.499
+shoot I really need to know when such and such
+happens
+
+0:45:37.499,0:45:41.270
+but to do that Snort I’d have to do all this
+flow bits and stuff
+
+0:45:41.270,0:45:43.030
+whereas with Bro you’re like oh
+
+0:45:43.030,0:45:43.810
+just track the connections and then do this
+
+0:45:43.810,0:45:50.810
+so the two of them together I think work really
+well
+
+0:45:51.619,0:45:54.980
+the questions was does Bro have Snort rule input functionality
+
+0:45:54.980,0:45:57.769
+it does to the extent that every
+
+0:45:57.769,0:46:02.059
+like hardware vendor accelerator vendor Snort competitor
+says that they do
+
+0:46:02.059,0:46:05.079
+%uh Snort is the engine is always being
+updated
+
+0:46:05.079,0:46:07.880
+so generally what when somebody says that
+they can
+
+0:46:07.880,0:46:09.880
+%uh run Snort rules faster
+
+0:46:09.880,0:46:12.420
+they’re usually only talking about content matches
+
+0:46:12.420,0:46:14.519
+so they take whatever the the
+
+0:46:14.519,0:46:15.500
+content match is
+
+0:46:15.500,0:46:18.829
+and implement it quickly in hardware
+
+0:46:18.829,0:46:23.099
+so over time the degree to which you can map
+real Snort rules fades
+
+0:46:23.099,0:46:24.309
+so whereas
+
+0:46:24.309,0:46:26.510
+five years ago it might have been like ninety percent
+
+0:46:26.510,0:46:28.619
+these days it's like twenty five percent
+
+0:46:28.619,0:46:35.619
+so they probably can pull in a certain percentage
+but not a lot
+
+0:46:46.159,0:46:50.020
+right right exactly so the question was about retention
+of the full content data
+
+0:46:50.020,0:46:53.439
+I should mention that for alerts we try to keep for
+about a year
+
+0:46:53.439,0:46:56.809
+for flows we try to keep about six months
+
+0:46:56.809,0:46:59.529
+and alerts and flows are both centralized although
+
+0:46:59.529,0:47:03.059
+given the flow volume we’re seeing we might
+have to start pushing that back onto the
+
+0:47:03.059,0:47:04.909
+sensor
+
+0:47:04.909,0:47:07.549
+pcat data it is
+
+0:47:07.549,0:47:10.509
+just what we can afford as far as hard drive spaces go
+
+0:47:10.509,0:47:11.769
+my last budget
+
+0:47:11.769,0:47:15.319
+I could only spend about twenty five hundred
+to three grand per sensor
+
+0:47:15.319,0:47:18.949
+which limited me to about one to
+
+0:47:18.949,0:47:22.139
+yeah about one terabyte of disk space with raid
+
+0:47:22.139,0:47:23.809
+so %uh
+
+0:47:23.809,0:47:26.279
+depending on where the sensor goes that could be
+
+0:47:26.279,0:47:28.809
+three months or three weeks
+
+0:47:28.809,0:47:34.189
+or or a day or three days or three hours
+right
+
+0:47:34.189,0:47:36.259
+what I do is I end up
+
+0:47:36.259,0:47:38.450
+I buy up chassis that can
+
+0:47:38.450,0:47:40.960
+potentially grow to have a lot more storage once
+I have budget
+
+0:47:40.960,0:47:42.509
+I put the system out there
+
+0:47:42.509,0:47:43.319
+and I say
+
+0:47:43.319,0:47:46.439
+look this is look what I found at this location
+boss
+
+0:47:46.439,0:47:50.709
+if you give me a little more more money I can put in
+you know four terabytes of disk space as opposed
+
+0:47:50.709,0:47:51.609
+to one
+
+0:47:51.609,0:47:53.209
+and then they give me that
+
+0:47:53.209,0:47:55.520
+but the pcap data only stays on a sensor
+
+0:47:55.520,0:47:58.049
+so what I try to do is I have an analysis
+window
+
+0:47:58.049,0:47:59.179
+and a pcap window
+
+0:47:59.179,0:48:03.799
+and I try to have that pcap window longer than
+the analysis window
+
+0:48:03.799,0:48:08.239
+so the questions yes
+
+0:48:08.239,0:48:12.269
+yeah so any type of encryption on host
+
+0:48:12.269,0:48:14.139
+but the funny thing is
+
+0:48:14.139,0:48:17.909
+most of the time when I did get type of
+
+0:48:17.909,0:48:19.160
+like third-party tips
+
+0:48:19.160,0:48:22.669
+it's usually have you seen anybody visiting this IP address
+
+0:48:22.669,0:48:25.919
+and if I see the visit to that IP address
+even if it’s encrypted
+
+0:48:25.919,0:48:27.669
+I know it
+
+0:48:27.669,0:48:29.429
+this isn't the whole game right
+
+0:48:29.429,0:48:32.750
+usually what I do is I use all of this identify
+boxes that problems
+
+0:48:32.750,0:48:34.439
+and then I roll in to do
+
+0:48:34.439,0:48:35.809
+host-based forensics
+
+0:48:35.809,0:48:42.809
+so that some of the other coin other side
+
+0:48:45.349,0:48:49.310
+yeah that is really dependent on the way that
+
+0:48:49.310,0:48:50.729
+encryption algorithm is implemented
+
+0:48:50.729,0:48:55.159
+some of them are are very friendly to that
+others are not
+
+0:48:55.159,0:48:57.339
+and others
+
+0:48:57.339,0:48:59.070
+that you know in some cases
+
+0:48:59.070,0:49:02.300
+it might be better to use another approach
+like there's certain proxies that are out
+
+0:49:02.300,0:49:03.829
+there like that
+
+0:49:03.829,0:49:05.419
+Palo Alto firewall
+
+0:49:05.419,0:49:07.969
+you can specify encryption policies so
+
+0:49:07.969,0:49:12.210
+and if you go to banks if you go to certain
+sites they don’t mess with the SSL
+
+0:49:12.210,0:49:14.150
+everywhere else they man it in the middle
+
+0:49:14.150,0:49:16.349
+and so you can get access to the logs that
+way
+
+0:49:16.349,0:49:18.619
+so I try not to do that with the sensors so much
+
+0:49:18.619,0:49:19.659
+I try to keep it I try to make
+
+0:49:19.659,0:49:21.799
+the sensor so nobody even knows they’re there
+
+0:49:21.799,0:49:23.529
+if at all possible
+
+0:49:23.529,0:49:28.169
+yes
+
+0:49:39.739,0:49:43.599
+his comment was even if there is four
+four three traffic that’s encrypted
+
+0:49:43.599,0:49:45.349
+general to be something else that isn’t
+
+0:49:45.349,0:49:48.969
+and that's really what all this is about it's
+generally about getting a hint that something
+
+0:49:48.969,0:49:49.890
+is wrong
+
+0:49:49.890,0:49:53.460
+and you don't necessarily know what the hint is until
+you’ve been burnt pretty badly
+
+0:49:53.460,0:49:56.609
+and then you go back and you figure out the scope
+of the incident is
+
+0:49:56.609,0:50:00.119
+in no forensic case have I ever worked where I
+had a complete picture
+
+0:50:00.119,0:50:01.929
+you know I had the guys hard drive I had
+
+0:50:01.929,0:50:04.280
+his logs his network traffic it's generally
+
+0:50:04.280,0:50:05.490
+you get some piece
+
+0:50:05.490,0:50:08.160
+and then you start investigating
+
+0:50:08.160,0:50:10.190
+and the reason I do this approach is because it’s cheap
+
+0:50:10.190,0:50:14.099
+you know twenty five hundred dollar commodity hardware
+open source software
+
+0:50:14.099,0:50:15.820
+little bit of experience
+
+0:50:15.820,0:50:17.280
+and suddenly I’ve got some
+
+0:50:17.280,0:50:18.220
+you know some viable data
+
+0:50:18.220,0:50:22.129
+you’d think working at GE I’d have some huge
+budget
+
+0:50:22.129,0:50:23.000
+no way not at all
+
+0:50:23.000,0:50:24.819
+any other questions
+
+0:50:24.819,0:50:31.819
+yes
+
+0:50:35.649,0:50:38.709
+well to tell you the truth I started using
+
+0:50:38.709,0:50:39.750
+FreeBSD specifically
+
+0:50:39.750,0:50:44.710
+%uh in 2000 and the reason was our
+developers who who were building the ASM sensors
+
+0:50:44.710,0:50:46.659
+in the
+
+0:50:47.569,0:50:48.279
+they said
+
+0:50:48.279,0:50:52.579
+if we’re going to have a good network stack we should
+use a BSD base stack as opposed to Linux
+
+0:50:52.579,0:50:53.959
+so that's how it started
+
+0:50:53.959,0:50:59.519
+%um since then there have been many changes in both
+sides Linux within the BSDs and so forth
+
+0:50:59.519,0:51:02.419
+so I'm really not in a position to say which
+
+0:51:02.419,0:51:03.319
+is better
+
+0:51:03.319,0:51:04.410
+I I would say
+
+0:51:04.410,0:51:06.679
+I've never had a BSD let me down
+
+0:51:06.679,0:51:08.599
+put it that way
+
+0:51:08.599,0:51:10.930
+as far as FreeBSD goes specifically
+
+0:51:10.930,0:51:14.229
+there’s som like minor things that make my
+life better
+
+0:51:14.229,0:51:18.349
+one is I know a lot of the network developers
+so when there's an issue I can talk to them
+
+0:51:18.349,0:51:19.859
+directly
+
+0:51:19.859,0:51:20.919
+and they can say
+
+0:51:20.919,0:51:22.420
+like some of the
+
+0:51:22.420,0:51:23.660
+I don’t know who’s from the free
+
+0:51:23.660,0:51:26.099
+but some of the zero copy stuff that's being
+worked on
+
+0:51:26.099,0:51:29.159
+like that helps me a lot
+
+0:51:29.159,0:51:32.999
+some it's the most stupid things like the
+ability that any
+
+0:51:32.999,0:51:33.869
+any
+
+0:51:33.869,0:51:35.469
+app which
+
+0:51:35.469,0:51:37.719
+is opening up a BPF
+
+0:51:37.719,0:51:40.109
+you can track performance with the what was it
+
+0:51:40.109,0:51:41.609
+net stat dash B
+
+0:51:41.609,0:51:42.400
+capital B
+
+0:51:42.400,0:51:45.859
+little things like that are helpful too
+
+0:51:45.859,0:51:52.859
+there's another question
+
+0:52:03.309,0:52:05.019
+yes
+
+0:52:05.019,0:52:09.189
+yeah so I don’t know if what you've seen in the news about
+like Chinese hackers and all
+
+0:52:09.189,0:52:12.499
+this has been going on for a long time it's
+just that
+
+0:52:12.499,0:52:14.590
+nowadays they're mostly on Windows but
+
+0:52:14.590,0:52:16.269
+ten years ago what was popular
+
+0:52:16.269,0:52:20.489
+like commercial in the military it was Solaris
+
+0:52:20.489,0:52:25.289
+so we were seeing all sorts weird traffic in
+our Solaris boxes that we couldn’t account for
+
+0:52:25.289,0:52:27.439
+so these guys had written once we
+
+0:52:27.439,0:52:28.929
+started doing some
+
+0:52:28.929,0:52:31.199
+forensics and it wasn't the forensics of
+
+0:52:31.199,0:52:33.929
+pull the power cord which is what was popular
+back then right
+
+0:52:33.929,0:52:35.319
+it was you know
+
+0:52:35.319,0:52:37.960
+let's take us the actually I think back then we were
+doing
+
+0:52:37.960,0:52:40.019
+we generated a crash dump
+
+0:52:40.019,0:52:41.139
+and then analyzed it
+
+0:52:41.139,0:52:43.899
+so these guys were writing
+
+0:52:43.899,0:52:45.089
+memory resident
+
+0:52:45.089,0:52:46.289
+did not touch
+
+0:52:46.289,0:52:48.129
+did not touch the hard drive
+
+0:52:48.129,0:52:50.240
+%uh implementations where
+
+0:52:50.240,0:52:52.029
+they built their own
+
+0:52:52.029,0:52:53.639
+like hyper visor and had their own little operating
+
+0:52:53.639,0:52:59.469
+system on top of our Solaris
+boxes that we couldn't see
+
+0:52:59.469,0:53:01.519
+yeah so
+
+0:53:01.519,0:53:04.179
+that was back then
+
+0:53:04.179,0:53:06.059
+right %uh
+
+0:53:06.059,0:53:08.489
+it’s I’ve worked on that side the defensive side
+
+0:53:08.489,0:53:10.929
+I’ve also worked on a not defensive side
+
+0:53:10.929,0:53:12.849
+I won’t say what that is but
+
+0:53:12.849,0:53:15.159
+%uh the stuff I saw here
+
+0:53:15.159,0:53:16.709
+that we were doing as contractors
+
+0:53:16.709,0:53:20.369
+I was I was like wow this can be done this
+is really amazing so
+
+0:53:20.369,0:53:25.279
+most of the time if you have an imagination you
+can sort of imagine what's happening
+
+0:53:25.279,0:53:27.579
+and if you think about it you might think well
+
+0:53:27.579,0:53:30.910
+we're not the only ones in the world who can do that
+so there’s probably guys on the other
+
+0:53:30.910,0:53:31.649
+side
+
+0:53:31.649,0:53:34.789
+who can do it so then you have to start
+looking for it
+
+0:53:34.789,0:53:36.729
+what you see is a progression of
+
+0:53:36.729,0:53:39.009
+things that happened at the very high end
+
+0:53:39.009,0:53:41.189
+eventually it filters down you know
+
+0:53:41.189,0:53:44.339
+really good rootkits used to be the province
+of people who wrote them
+
+0:53:44.339,0:53:46.039
+but now you can buy them
+
+0:53:46.039,0:53:53.039
+find them share them whatever
+
+0:53:59.749,0:54:03.279
+sure yeah so the question is do we do any pattern analysis
+
+0:54:03.279,0:54:06.219
+there's nothing bad about Latvia
+
+0:54:06.219,0:54:07.679
+you asked a good question
+
+0:54:07.679,0:54:11.549
+but
+
+0:54:11.549,0:54:14.059
+let me put it this way
+
+0:54:14.059,0:54:17.089
+I'm creating that the first GE cert
+
+0:54:17.089,0:54:20.400
+it's 2099 but yes we just did
+up our first cert
+
+0:54:20.400,0:54:25.559
+so we are we're not even like crawling yet
+we’re like the baby on its back
+
+0:54:25.559,0:54:26.799
+oh look I can lift my head up
+
+0:54:26.799,0:54:31.879
+so we're still getting our hands around what does it
+even mean to operate the cert data we have and
+
+0:54:31.879,0:54:32.549
+so forth
+
+0:54:32.549,0:54:36.649
+I would expect within the next two years we're going
+been doing the kinds of things I would have
+
+0:54:36.649,0:54:37.579
+expected
+
+0:54:37.579,0:54:38.769
+you know a real
+
+0:54:38.769,0:54:39.649
+cert to do
+
+0:54:39.649,0:54:41.320
+it now includes things like
+
+0:54:41.320,0:54:47.279
+we know our environment so well that when we see
+that box doing that that's outside the scope
+
+0:54:47.279,0:54:50.689
+it's one of those things where we have ideas
+that are probably
+
+0:54:50.689,0:54:52.429
+like two years ahead of where we can implement
+
+0:54:52.429,0:54:53.729
+but once we do that
+
+0:54:53.729,0:55:00.199
+we’ll find stuff like that
+
+0:55:00.199,0:55:04.569
+have we gotten people to do their own what
+
+0:55:04.569,0:55:08.579
+so the question was I think you probably heard the question
+
+0:55:08.579,0:55:12.139
+we are actually collaborating with
+
+0:55:12.139,0:55:16.670
+%uh ICIR at Berkeley like Verne Paxon and his guys the Bro guys
+
+0:55:16.670,0:55:18.880
+and %uh at New York University so
+
+0:55:18.880,0:55:21.940
+there’s two research programs at each and
+we're going to be
+
+0:55:21.940,0:55:23.269
+probably
+
+0:55:23.269,0:55:25.950
+I would guess we’re probably going to ship them data
+
+0:55:25.950,0:55:30.809
+because that’s what’s great about our method right we just
+collect data so we can sign an NDA ship them data
+
+0:55:30.809,0:55:32.919
+and they can apply all their different
+
+0:55:32.919,0:55:34.259
+research
+
+0:55:34.259,0:55:36.260
+theories against it and find stuff for us
+
+0:55:36.260,0:55:38.299
+so yeah I’d expect some of that
+
+0:55:38.299,0:55:45.299
+from those guys
+
+0:55:49.229,0:55:54.039
+yes
+
+0:55:54.039,0:55:56.439
+yeah so the way I deploy is I use taps where possible
+because you can’t screw it up
+
+0:55:56.439,0:55:59.439
+I mean you can there are certain fiber types you can
+physically connect backwards
+
+0:55:59.439,0:56:02.349
+so just enough light will get through so the
+traffic follows
+
+0:56:02.349,0:56:04.649
+but no light is reflected out to your sensor
+
+0:56:04.649,0:56:06.760
+but for the most part if you’re talking copper
+
+0:56:06.760,0:56:07.430
+done tap
+
+0:56:07.430,0:56:09.649
+it gives you your traffic
+
+0:56:09.649,0:56:13.350
+I even prefer that model for like IPS’s
+if you have to use an IPS
+
+0:56:13.350,0:56:15.599
+use a bypass switch as opposed to putting it in line
+
+0:56:15.599,0:56:18.539
+I don't put anything in line because as soon as
+you’re in line
+
+0:56:18.539,0:56:20.599
+what happens
+
+0:56:20.599,0:56:24.029
+you get blamed so I stay I’m like look I have a dum tap
+
+0:56:24.029,0:56:27.329
+pull the power cords it’s not going to affect the network
+in the least right
+
+0:56:27.329,0:56:32.129
+I have my sensor my sensor could blow up in a ball of fire
+and you wouldn’t even notice it
+
+0:56:32.129,0:56:36.609
+and all the business owners are like yes
+
+0:56:36.609,0:56:39.239
+but if I told them I’m putting this box in line
+
+0:56:39.239,0:56:40.979
+anything that happens you’re like
+
+0:56:42.449,0:56:44.469
+your box took down my ten million dollar an hour system
+I’m going to kill you
+
+0:56:44.469,0:56:45.160
+so
+
+0:56:45.160,0:56:50.029
+I don't bother with that
+
+0:56:50.029,0:56:54.879
+I’ve got a good track record that’s why I’m still employed
+
+0:56:54.879,0:56:55.469
+so far
+
+0:56:55.469,0:56:57.629
+the only time I ever took something down
+
+0:56:57.629,0:56:59.429
+I was fully authorized to do
+
+0:56:59.429,0:57:00.529
+%uh we had
+
+0:57:00.529,0:57:01.729
+some script kitty
+
+0:57:01.729,0:57:03.220
+who was
+
+0:57:03.220,0:57:03.969
+defacing
+
+0:57:03.969,0:57:05.569
+web site after web site
+
+0:57:05.569,0:57:06.869
+we had some you know
+
+0:57:06.869,0:57:09.380
+Microsoft IS 4 0 websites back in the
+air force
+
+0:57:09.380,0:57:10.839
+and he was dialing in getting
+
+0:57:10.839,0:57:13.789
+a new IP defacing the website
+
+0:57:13.789,0:57:16.260
+disconnecting dialing in so he had a new IP
+
+0:57:16.260,0:57:19.590
+so we had all our admins trying to block these IPs
+
+0:57:19.590,0:57:20.339
+and we’re like this isn’t working
+
+0:57:23.069,0:57:24.959
+stupid stupid defensive policies
+
+0:57:24.959,0:57:29.620
+this is all like at two o'clock in the morning
+eastern time actually no central wherever I was
+
+0:57:29.620,0:57:30.759
+in Texas
+
+0:57:30.759,0:57:35.449
+and so finally I said this guy is all over the space he’s in
+California he's using the UUnet
+
+0:57:35.449,0:57:38.170
+the Uunet blocker however they’re signing they’re signing
+the IPs
+
+0:57:38.170,0:57:41.390
+it's just all over the place we're blocking Uunet
+
+0:57:41.390,0:57:43.799
+all of Uunet to the air force
+
+0:57:43.799,0:57:44.790
+so
+
+0:57:44.790,0:57:45.369
+I was like
+
+0:57:45.369,0:57:49.939
+execute that blocking order
+
+0:57:49.939,0:57:51.089
+yeah
+
+0:57:51.089,0:57:55.309
+I knew there was going to be hell to pay the next morning
+so I the next thing I did I was I started writing
+
+0:57:55.309,0:58:00.729
+this is why I blocked this whatever and I had
+tons of generals why did you I couldn’t check my email
+
+0:58:00.729,0:58:05.439
+and I got up in front of the generals and I said sir this is
+why I did it I did it to protect air force assets
+
+0:58:05.439,0:58:09.259
+and all that so I was alright
+
+0:58:09.259,0:58:15.639
+yeah question
+
+0:58:15.639,0:58:16.719
+%um
+
+0:58:16.719,0:58:18.550
+yes the sensors are
+
+0:58:18.550,0:58:19.969
+scanned all the time
+
+0:58:19.969,0:58:21.669
+%uh I use them
+
+0:58:21.669,0:58:26.459
+the model I use with the sensors is you don't firewall
+all things off like you might with a Windows
+
+0:58:26.459,0:58:26.959
+platform
+
+0:58:26.959,0:58:29.139
+you disabled things
+
+0:58:29.139,0:58:30.250
+I mean you traditionally you don’t turn it on
+
+0:58:31.819,0:58:35.139
+so I typically only expose SSH
+
+0:58:35.139,0:58:38.219
+the systems reach out they don’t
+
+0:58:38.219,0:58:40.660
+all the things you would think is what
+I do
+
+0:58:40.660,0:58:42.140
+and of course they’re scanned
+
+0:58:42.140,0:58:43.909
+people try to brute force them of course
+
+0:58:43.909,0:58:46.179
+if I see somebody brute forcing in my sensor
+
+0:58:46.179,0:58:47.119
+who are you
+
+0:58:47.119,0:58:49.170
+because these are all internally managed
+
+0:58:49.170,0:58:50.450
+well who are you
+
+0:58:50.450,0:58:52.649
+why do you even know that this box is here
+
+0:58:52.649,0:58:56.229
+we're going to come and get you
+
+0:58:56.229,0:58:57.379
+the
+
+0:58:57.379,0:59:00.919
+sounds better than it is
+
+0:59:04.479,0:59:08.799
+we selling our fleet of black helicopters actually
+
+0:59:10.030,0:59:13.449
+we don't have a fleet of corporate jets
+like a lot of other companies
+
+0:59:13.449,0:59:16.189
+we have net jets accounts
+
+0:59:16.189,0:59:23.189
+well I don’t but the CEO does we do have a helicopter I’ve seen it once
+
+0:59:23.869,0:59:26.289
+yeah the question was would
+
+0:59:26.289,0:59:27.469
+honey pot be of any value
+
+0:59:27.469,0:59:28.969
+honey pots are things that are good to run if
+
+0:59:28.969,0:59:32.119
+one you’re researcher or two you have a lot of time on your hands
+
+0:59:32.119,0:59:36.039
+because I have like a network of three hundred thousand
+honey pots
+
+0:59:36.039,0:59:38.479
+so
+
+0:59:38.479,0:59:40.230
+actually it’s more like half a million now that I think about it
+
+0:59:40.230,0:59:43.139
+so yeah at some point
+
+0:59:43.139,0:59:46.959
+there’s actually two things one is yeah at some point
+you could deploy some honey pots if you see them
+
+0:59:46.959,0:59:47.589
+scanned
+
+0:59:47.589,0:59:50.209
+but I have enough systems that are
+
+0:59:50.209,0:59:51.839
+alive or getting scanned or attacked or exploited
+
+0:59:51.839,0:59:54.169
+the second thing we have is
+
+0:59:54.169,0:59:55.510
+if you're inside our network
+
+0:59:55.510,0:59:59.869
+and if you try to do anything to any any network
+that is not explicitly routed by us
+
+0:59:59.869,1:00:01.239
+you end up in a sink hole
+
+1:00:01.239,1:00:02.509
+so the sink hole
+
+1:00:02.509,1:00:04.589
+is an awesome awesome place to find
+
+1:00:04.589,1:00:07.389
+misconfigured systems malicious systems and
+so forth
+
+1:00:07.389,1:00:09.040
+so I have a sink hole router
+
+1:00:09.040,1:00:11.210
+and before that I had a sensor that watches that traffic
+
+1:00:11.210,1:00:13.709
+so the sink hole routers are a great
+
+1:00:13.709,1:00:14.999
+indicator
+
+1:00:14.999,1:00:17.509
+source of indicators
+
+1:00:17.509,1:00:20.849
+it also keeps a lot of load off of our firewalls
+
+1:00:20.849,1:00:27.289
+so you can’t scan Google from inside GE as
+for example it goes straight into the sinkhole
+
+1:00:27.289,1:00:29.740
+I know Capitol One does that as well
+
+1:00:29.740,1:00:32.109
+that's it’s a good trick
+
+1:00:32.109,1:00:34.199
+any other questions
+
+1:00:34.199,1:00:34.739
+okay thank you very much.
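Review bot: the transcription markers "%um" (caption starting 0:58:15.639) and "%uh" (caption starting 0:58:19.969) in this hunk look like disfluency tokens left by the speech-to-text pass and will be displayed literally to viewers; either drop those tokens or spell them as plain "um" / "uh" as the other caption files in this commit do. While touching those lines, the same hunk also has a few proper nouns that caption readers will search on and that should be normalized: "Microsoft IS 4 0" should read "Microsoft IIS 4.0", "UUnet" / "Uunet" should be spelled consistently (UUNET), and "Capitol One" should be "Capital One"; "sink hole" and "sinkhole" are also used interchangeably within a few captions of each other.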