From 957bf65275290ef41774f7b3f7a88aff9c000bd6 Mon Sep 17 00:00:00 2001
From: Murray Stokely
Date: Sun, 31 Jan 2010 22:36:14 +0000
Subject: Add transcripts for three additional conference talks from YouTube Machine Translation and 1 pass of human editing hired through Amazon Mechanical Turk.

Sponsored by: FreeBSD Foundation
---
 .../captions/2007/meetbsd/brueffer-torprvacy.sbv    | 2391 +++++++++++
 .../captions/2007/nycbsdcon/dixon-bsdisdying.sbv    |  943 +++++
 .../2009/dcbsdcon/bejtlich-networksecurity.sbv      | 4426 ++++++++++++++++++++
 3 files changed, 7760 insertions(+)
 create mode 100644 en_US.ISO8859-1/captions/2007/meetbsd/brueffer-torprvacy.sbv
 create mode 100644 en_US.ISO8859-1/captions/2007/nycbsdcon/dixon-bsdisdying.sbv
 create mode 100644 en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv

diff --git a/en_US.ISO8859-1/captions/2007/meetbsd/brueffer-torprvacy.sbv b/en_US.ISO8859-1/captions/2007/meetbsd/brueffer-torprvacy.sbv
new file mode 100644
index 0000000000..1bba30ffdc
--- /dev/null
+++ b/en_US.ISO8859-1/captions/2007/meetbsd/brueffer-torprvacy.sbv
@@ -0,0 +1,2391 @@ +0:00:09.649,0:00:15.249 +Fortunately my slide will be centered, because +I'll have to change resolutions, I think this works out.. + +0:00:15.249,0:00:19.310 +And, it's about protecting your privacy with FreeBSD and Tor + +0:00:19.310,0:00:20.859 +and, uh... + +0:00:20.859,0:00:21.480 +Privacy + +0:00:21.480,0:00:25.859 +what I mean here is mostly anonymity + +0:00:25.859,0:00:28.889 +but there are some other aspects that + +0:00:28.889,0:00:34.390 +I'll talk about later + +0:00:34.390,0:00:36.290 +uh, so... + +0:00:36.290,0:00:39.500 +I want to first talk about who needs anonimity anyway + +0:00:39.500,0:00:42.880 +is it just for criminals or some other bad guys, right? + +0:00:42.880,0:00:44.209 +after this + +0:00:44.209,0:00:50.940 +anonymization concepts, then Tor. Tor's a, well, a tool + +0:00:50.940,0:00:52.870 +to, uh... + +0:00:52.870,0:00:59.320 +anonymize you on the Web. Then I'll talk about what +FreeBSD can do with it + +0:00:59.320,0:01:00.430 +and what else + +0:01:00.430,0:01:01.980 +you have to take care of + +0:01:01.980,0:01:06.070 +when you want to be anonymous on the Web or the Internet + +0:01:06.070,0:01:06.650 +and uh, + +0:01:06.650,0:01:12.280 +if time permits I'd like to do a little demonstration + +0:01:12.280,0:01:16.970 +Ok, so who needs anonymity anyway? + +0:01:16.970,0:01:20.510 +Anonymity is a pretty vast + +0:01:20.510,0:01:22.030 +interest to most people + +0:01:22.030,0:01:24.740 +but it's really important for + +0:01:24.740,0:01:26.400 +journalists... There was a case in, uh, + +0:01:26.400,0:01:28.619 +Thailand last year + +0:01:28.619,0:01:32.510 +when the military coup was going on + +0:01:32.510,0:01:38.150 +and the journalists in Thailand couldn't really uh, + +0:01:38.150,0:01:39.830 +journalists couldn't really, uh + +0:01:39.830,0:01:43.050 +get the information they needed to do their work + +0:01:43.050,0:01:45.750 +also, uh, informants + +0:01:45.750,0:01:49.100 +whistleblowers... 
people who want to tell you about + +0:01:49.100,0:01:52.490 +corruption going on in governments and companies + +0:01:52.490,0:01:56.460 +and don't want to lose their job for it... Dissidents + +0:01:56.460,0:01:58.250 +uh, best case + +0:01:58.250,0:02:01.610 +when in Myanmar + +0:02:01.610,0:02:03.750 +last few weeks ago + +0:02:03.750,0:02:05.290 +when the + +0:02:05.290,0:02:07.649 +all the Buddhists monks were going to the streets and uh, + +0:02:07.649,0:02:09.879 +the Internet was totally censored + +0:02:09.879,0:02:14.899 +it was really dangerous to do anything on the Internet + +0:02:14.899,0:02:17.719 +so, so umm + +0:02:17.719,0:02:20.489 +socialy sensitive information, like when you want to uh, + +0:02:20.489,0:02:23.719 +when you were abused + +0:02:23.719,0:02:25.769 +and want to talk to other people about it + +0:02:25.769,0:02:30.039 +you don't... naturally you don't want other people to +know who you are + +0:02:30.039,0:02:31.840 +as it will be very embarrassing + +0:02:31.840,0:02:33.779 +also Law Enforcement, ah + +0:02:33.779,0:02:38.579 +for example, uh, when you want to set up a + +0:02:38.579,0:02:41.669 +an anonymous tipline for crime reporting + +0:02:41.669,0:02:45.810 +and uh, also companies that want to, uh + +0:02:45.810,0:02:48.079 +research competition, as one case that, uh + +0:02:48.079,0:02:51.029 +that a company went to check the, uh + +0:02:51.029,0:02:54.339 +website competition and they noticed when they used Tor + +0:02:54.339,0:02:58.209 +that, uh, they were actually getting a different website +when they + +0:02:58.209,0:03:00.829 +uh, were coming from the corporate LAN + +0:03:00.829,0:03:04.609 +than anyone else was getting, so ah, + +0:03:04.609,0:03:07.509 +it's a good way to, uh, + +0:03:07.509,0:03:11.859 +check out... 
competition like this + +0:03:11.859,0:03:13.349 +Also military + +0:03:13.349,0:03:15.679 +actually military was one of the, uh + +0:03:15.679,0:03:17.479 +original + +0:03:17.479,0:03:20.510 +driving forces behind the + +0:03:20.510,0:03:24.319 +anonymization research. + +0:03:24.319,0:03:26.169 +and maybe you + +0:03:26.169,0:03:28.799 +may have heard of the European Union + +0:03:28.799,0:03:30.349 +Data Retention Directive? + +0:03:30.349,0:03:33.039 +where, umm + +0:03:33.039,0:03:35.739 +collection data gets stored + +0:03:35.739,0:03:41.259 +six to twenty-four months? Depends on the limitation +on the different nations + +0:03:41.259,0:03:45.069 +Two weeks back this was, uh, + +0:03:45.069,0:03:47.729 +the law was passed in Germany + +0:03:47.729,0:03:48.900 +so, uh + +0:03:48.900,0:03:50.450 +from first January on, + +0:03:50.450,0:03:52.159 +every connection, phone connection, + +0:03:52.159,0:03:55.389 +SMS, IP connections, + +0:03:55.389,0:03:58.480 +email, or the dial-in data needs to be stored + +0:03:58.480,0:04:00.449 +by providers for six months + +0:04:00.449,0:04:02.510 +and, uh, + +0:04:02.510,0:04:05.379 +sooner or later it's going to be in Poland as well + +0:04:05.379,0:04:07.689 +[talking] + +0:04:07.689,0:04:14.689 +well, you're part of the Euro Union now, so ah, welcome! + +0:04:16.989,0:04:18.529 +okay, uh + +0:04:18.529,0:04:21.220 +that's a + +0:04:21.220,0:04:27.110 +maybe you want to hide what interests you have and uh, +who you talk to, I mean uh, + +0:04:27.110,0:04:30.889 +like all of you know the Internet isn't very + +0:04:30.889,0:04:34.199 +secure in the first place so your ISP can see who you're +talking to + +0:04:34.199,0:04:37.780 +if they bother to find out + +0:04:37.780,0:04:40.709 +yeah, and also + +0:04:40.709,0:04:46.279 +criminals, but um, they already do illegal stuff and they +don't care about + +0:04:46.279,0:04:51.629 +doing more illegal stuff to stay anonymous, right? 
They can +uh, steal people's identities, they can rent botnets or +create them in the first place + +0:04:51.629,0:04:53.829 +and uh, + +0:04:53.829,0:04:54.689 +or just + +0:04:54.689,0:04:59.689 +crack one of the thousands of Windows computers online, +no big deal + +0:04:59.689,0:05:02.029 +so, uh + +0:05:02.029,0:05:05.199 +Criminals already do this and uh, + +0:05:05.199,0:05:06.360 +the normal + +0:05:06.360,0:05:13.360 +citizens can't do this so... + +0:05:14.680,0:05:16.460 +So all the groups that need anonymization are very different, + +0:05:16.460,0:05:18.330 +but they all have the same goal, and uh + +0:05:18.330,0:05:20.619 +that's also one of the + +0:05:20.619,0:05:22.229 +key concepts of + +0:05:22.229,0:05:22.919 +anonymization + +0:05:22.919,0:05:24.090 +you can't really + +0:05:24.090,0:05:25.930 +stay anonymous on your own + +0:05:25.930,0:05:28.999 +you needs the help of more people + +0:05:28.999,0:05:30.559 +and uh, + +0:05:30.559,0:05:32.680 +the more diverse the group that needs + +0:05:32.680,0:05:38.539 +anonymity, the better + +0:05:38.539,0:05:40.979 +Ok, so on to talking about two + +0:05:40.979,0:05:42.949 +anonymization concepts + +0:05:42.949,0:05:44.539 +uh huh + +0:05:44.539,0:05:51.539 +Proxy? 
Everyone here probably knows how a proxy works, +uh yeah + +0:05:52.559,0:05:53.169 +LANs connect to the proxy and request + +0:05:53.169,0:05:57.290 +a website or whatever and the proxy + +0:05:57.290,0:06:00.359 +just passes it on and pass through + +0:06:00.359,0:06:03.789 +right + +0:06:03.789,0:06:04.680 +um + +0:06:04.680,0:06:09.329 +Proxys are fast and simple but it's a single point of +failure, like uh, + +0:06:09.329,0:06:13.139 +when law enforcement or anyone else wants to +uh, know + +0:06:13.139,0:06:15.289 +who you're talking to they just + +0:06:15.289,0:06:19.759 +get a subpoena or + +0:06:19.759,0:06:22.440 +break into the computer room or whatever + +0:06:22.440,0:06:26.400 +it's pretty easy + +0:06:26.400,0:06:30.050 +Second anonymization concept is mixed, + +0:06:30.050,0:06:32.549 +it's really old from nineteen eighty one + +0:06:32.549,0:06:35.099 +so you can see, uh, + +0:06:35.099,0:06:41.150 +how long the research in this area is going on + +0:06:41.150,0:06:43.150 +the mix is kind of similar to a proxy + +0:06:43.150,0:06:47.090 +like, trying to connect to it to send the messages + +0:06:47.090,0:06:50.779 +and the mix collects them + +0:06:50.779,0:06:54.550 +and no less than um + +0:06:54.550,0:06:56.699 +it puts them all + +0:06:56.699,0:06:58.319 +in through different coincides and uhm, + +0:06:58.319,0:07:00.169 +you see here it + +0:07:00.169,0:07:03.849 +shuffles them and waits + +0:07:03.849,0:07:08.930 +til there's enough data in it and just + +0:07:08.930,0:07:11.039 +shoves them and sends them back out so + +0:07:11.039,0:07:18.039 +um, this is to protect against correlation effects. + +0:07:20.219,0:07:22.439 +But second in... 
+ +0:07:22.439,0:07:23.379 +Oh yeah, and + +0:07:23.379,0:07:27.879 +when you actually put several mixes uh + +0:07:27.879,0:07:31.259 +behind them; it's a mixed escape and uh, + +0:07:31.259,0:07:32.149 +between mixes is also + +0:07:32.149,0:07:35.330 +a friction going on, uh, the first + +0:07:35.330,0:07:38.349 +or the client which is + +0:07:38.349,0:07:44.069 +you could see here if this lights would be centered, uh, + +0:07:44.069,0:07:46.029 +what else gets the + +0:07:46.029,0:07:48.879 +public keys of all the mixes + +0:07:48.879,0:07:51.160 +and encrypts the message first for each of them + +0:07:51.160,0:07:54.879 +and each mix removes one encryption layer and + +0:07:54.879,0:07:59.280 +uh, the last one actually passes on the message unencrypted + +0:07:59.280,0:08:04.369 +and uhm, loop back backwards the same + +0:08:04.369,0:08:06.379 +So, as you can probably imagine, + +0:08:06.379,0:08:11.389 +if you wait until you have enough messages, ah, and all +public key encryption + +0:08:11.389,0:08:12.280 +is going pretty slow + +0:08:14.069,0:08:17.939 +and uh, + +0:08:17.939,0:08:20.360 +this concept is mostly used for + +0:08:20.360,0:08:22.419 +remailers like + +0:08:22.419,0:08:26.359 +MixMinion, for example uh + +0:08:26.359,0:08:28.800 +where it's not really a possib... 
um + +0:08:28.800,0:08:32.610 +it's not really important + +0:08:32.610,0:08:33.979 +if the message is a couple of seconds + +0:08:33.979,0:08:36.540 +late or something, but it's not really + +0:08:36.540,0:08:39.870 +great for uh, for + +0:08:39.870,0:08:41.830 +low latency connections, + +0:08:41.830,0:08:44.730 +like web routing for example + +0:08:44.730,0:08:47.060 +but what's good about it it's uh + +0:08:47.060,0:08:50.500 +distrinuted trust uh, + +0:08:50.500,0:08:54.940 +just one these mixes has to be secure to actually + +0:08:54.940,0:08:56.840 +anonymize the whole connection + +0:08:56.840,0:08:58.460 +so it's slow but it's + +0:08:58.460,0:09:05.460 +distributed trust, which is good. + +0:09:06.230,0:09:09.930 +So, I want to introduce Tor + +0:09:09.930,0:09:12.320 +Tor stands for The Onion Router. + +0:09:12.320,0:09:16.340 +It's a concept that is actually built on + +0:09:16.340,0:09:17.720 +both these concepts + +0:09:17.720,0:09:21.340 +mixes and proxies. + +0:09:21.340,0:09:22.770 +It's a TCP-Overlay network, + +0:09:22.770,0:09:24.900 +means you can, uh + +0:09:24.900,0:09:25.560 +channel any + +0:09:25.560,0:09:27.320 +TCP connection through it + +0:09:27.320,0:09:28.480 +theoretically + +0:09:28.480,0:09:31.310 +uh, theoretically I will explain + +0:09:31.310,0:09:33.790 +a couple of slides later + +0:09:33.790,0:09:37.040 +it provides a SOCKS interface so you don't need any uh, + +0:09:37.040,0:09:42.060 +special application proxies like any application that uses +SOCKS interface can just, + +0:09:42.060,0:09:43.370 +talk to talk + +0:09:43.370,0:09:48.070 +and it's available on, um, all major platforms + +0:09:48.070,0:09:53.940 +what is uh, especially important is available in Windows + +0:09:53.940,0:09:55.850 +'cause, uhm, like I said earlier once + +0:09:55.850,0:09:57.740 +you want a really diverse, + +0:09:57.740,0:09:59.560 +really diverse group of users + +0:09:59.560,0:10:05.250 +so you actually need uh, + +0:10:05.250,0:10:06.860 
+the normal user + +0:10:06.860,0:10:13.150 +not just geeks. + +0:10:13.150,0:10:15.160 +Um, well it aims to uhm + +0:10:15.160,0:10:15.939 +combine the positive attributes of + +0:10:15.939,0:10:17.480 +proxies and mixes + +0:10:17.480,0:10:18.749 +Like, proxies are fast, but + +0:10:18.749,0:10:20.620 +seem prone to failure + +0:10:20.620,0:10:21.770 +and mixes + +0:10:21.770,0:10:24.590 +distributed trust, you want to combine them + +0:10:24.590,0:10:29.930 +so uh + +0:10:29.930,0:10:31.310 +Fast, uh, Tor use not only public key + +0:10:31.310,0:10:33.220 +encryption but also session keys + +0:10:33.220,0:10:35.170 +symmetrically encrypted. + +0:10:35.170,0:10:37.260 +so uh + +0:10:37.260,0:10:41.710 +All the connection set up is this public key so you just, uh + +0:10:41.710,0:10:44.840 +authentication and stuff? + +0:10:44.840,0:10:50.860 +And uh, the actual communication that's going on later +is always symmetrically encrypted + +0:10:50.860,0:10:54.170 +And uh, so it's also TCP multiplexing + +0:10:54.170,0:10:55.850 +so you can run + +0:10:55.850,0:10:58.520 +several TCP connections through one + +0:10:58.520,0:11:02.220 +virtual Tor connection. + +0:11:02.220,0:11:05.610 +And the design goals are + +0:11:05.610,0:11:06.790 +yeah + +0:11:06.790,0:11:07.880 +deployability + +0:11:07.880,0:11:09.770 +like dums want the user to actually have + +0:11:09.770,0:11:12.680 +to patch his PC off the Operating System or something + +0:11:12.680,0:11:16.070 +just be in a... workable state really fast + +0:11:16.070,0:11:19.340 +um, usability, + +0:11:19.340,0:11:20.600 +so you get the uh, + +0:11:20.600,0:11:22.400 +normal users + +0:11:22.400,0:11:26.850 +not just the geeks. Flexibility, uhm + +0:11:26.850,0:11:28.310 +it's aimed to + +0:11:28.310,0:11:29.910 +enable more research + +0:11:29.910,0:11:32.010 +in this whole area. 
+ +0:11:32.010,0:11:33.059 +so, uh + +0:11:33.059,0:11:34.679 +the protocol to all users + +0:11:34.679,0:11:37.890 +should be really flexible + +0:11:37.890,0:11:42.110 +And uh, for simplicity it's a security application and + +0:11:42.110,0:11:45.900 +well complexity doesn't play well with uh, + +0:11:45.900,0:11:52.070 +security + +0:11:52.070,0:11:53.190 +So, this uh, + +0:11:53.190,0:11:55.300 +it's how Tor works, more or less + +0:11:55.300,0:11:58.800 +Dave is uh, a directory server, + +0:11:58.800,0:12:03.160 +it uh, caches information about the network state + +0:12:03.160,0:12:08.130 +and uh, which Tor servers are available in the network + +0:12:08.130,0:12:09.490 +and uh + +0:12:09.490,0:12:10.930 +Alice downloads + +0:12:10.930,0:12:14.740 +this whole list from Dave + +0:12:14.740,0:12:18.940 +you see the Tor nodes with the plus here? + +0:12:18.940,0:12:21.020 +Through this random + +0:12:21.020,0:12:22.790 +tree of service + +0:12:22.790,0:12:23.910 +when she wants to talk to Jane + +0:12:23.910,0:12:30.380 +for example + +0:12:30.380,0:12:34.280 +The first one is the entry node, middle LAN nodes, and the +uh exit nodes, I will leave thes for later + +0:12:34.280,0:12:41.000 +uh, so this + +0:12:41.000,0:12:43.990 +Alice talks to the entry node + +0:12:43.990,0:12:47.550 +there's a connection that is going on and is public key +encrypted + +0:12:47.550,0:12:51.330 +and they establish a session key and same + +0:12:51.330,0:12:53.090 +thing goes on + +0:12:53.090,0:12:58.520 +in these two and these two so they can communicate later on + +0:12:58.520,0:12:59.780 +What's really important here + +0:12:59.780,0:13:00.629 +is the last connection here + +0:13:00.629,0:13:03.090 +is actually unencrypted. 
+ +0:13:03.090,0:13:05.240 +I will talk about it later + +0:13:05.240,0:13:06.610 +So it has to be unencrypted + +0:13:06.610,0:13:13.610 +so you can get your request through + +0:13:20.690,0:13:22.700 +this is a virtual circuit + +0:13:22.700,0:13:24.490 +that gets established and uh + +0:13:24.490,0:13:29.190 +every, every + +0:13:29.190,0:13:31.340 +ten minutes + +0:13:31.340,0:13:32.450 +a new circuit is built + +0:13:32.450,0:13:37.250 +when a new website, when a new request come through, so uh + +0:13:37.250,0:13:40.080 +this one stays, all these connections above stays + +0:13:40.080,0:13:41.940 +in this circuit + +0:13:41.940,0:13:43.630 +and after ten + +0:13:43.630,0:13:45.410 +when after ten minutes, ah + +0:13:45.410,0:13:52.410 +Alice wants to talk to Jane, a new circuit is built + +0:13:53.610,0:13:55.410 +and uh, this is important + +0:13:55.410,0:13:56.920 +to get strong + +0:13:56.920,0:13:57.710 +anonymity + +0:13:57.710,0:14:00.220 +in case one connection is compromised, for example. + +0:14:00.220,0:14:01.600 +An these ten minutes + +0:14:01.600,0:14:04.490 +are really an arbitrary value + +0:14:04.490,0:14:08.560 +,you can choose anything + +0:14:08.560,0:14:10.660 +you have to do the research + +0:14:10.660,0:14:11.970 +which value is best and so + +0:14:11.970,0:14:18.970 +ten minutes is compromised. 
+ +0:14:19.840,0:14:22.240 +With all you get exit policies, + +0:14:22.240,0:14:24.640 +this is important for the exit node + +0:14:24.640,0:14:27.880 +the one which actually send the uh, + +0:14:27.880,0:14:30.410 +original request to the destination server + +0:14:30.410,0:14:31.670 +and huh + +0:14:31.670,0:14:32.839 +you can control which + +0:14:32.839,0:14:34.220 +TCP connections you want + +0:14:34.220,0:14:39.180 +to allow from your node if you want + +0:14:39.180,0:14:41.000 +that's default policy which uh + +0:14:41.000,0:14:43.610 +blocks SMTP and NNTP to prevent uh + +0:14:43.610,0:14:48.080 +spamming and all stuff + +0:14:48.080,0:14:49.060 +but you can actually allow + +0:14:49.060,0:14:51.970 +SMTP if you want + +0:14:51.970,0:14:54.070 +and there's some other ports blocked + +0:14:54.070,0:14:56.170 +but the rest of it works so + +0:14:56.170,0:14:57.900 +HTTP SSH + +0:14:57.900,0:15:01.630 +all the important stuff + +0:15:01.630,0:15:05.250 +that you would want to minimize just works + +0:15:05.250,0:15:10.290 +and uh, if you uh + +0:15:10.290,0:15:13.050 +this is important for uh, if you + +0:15:13.050,0:15:18.540 +want to run you node, uh + +0:15:18.540,0:15:19.220 +waht kind of node you actually want to run + +0:15:19.220,0:15:24.120 +if you look at the picture, uh earlier + +0:15:24.120,0:15:31.120 +there's these three different nodes: entry node, +middleman note, and exit node + +0:15:32.400,0:15:34.180 +and uh, which node you want to run + +0:15:34.180,0:15:36.780 +depends on how many problems you want afterwards + +0:15:36.780,0:15:39.590 +I will talk about it later uh + +0:15:39.590,0:15:40.970 +this one, + +0:15:40.970,0:15:46.950 +the exit node actually forwards the uh, requested date, uh + +0:15:46.950,0:15:47.700 +depends upon what + +0:15:47.700,0:15:51.570 +what the user actually uh wants, that's + +0:15:51.570,0:15:52.830 +if the user uh + +0:15:52.830,0:15:58.020 +Alice in this case uh + +0:15:58.020,0:16:02.080 +insults someone out 
on a web forum, then uh the uh + +0:16:02.080,0:16:03.470 +administrator of the forum will see the IP address + +0:16:03.470,0:16:05.340 +of the + +0:16:05.340,0:16:11.230 +exit node in his forum and not the one + +0:16:11.230,0:16:15.330 +of Alice so uh he's going to have the problems later on + +0:16:15.330,0:16:18.250 +so I will talk about it later + +0:16:18.250,0:16:21.600 +but you have to keep this in mind + +0:16:21.600,0:16:28.600 +and uh, keep up everything and uh we can play the role of +entry nodes and middle man nodes + +0:16:30.170,0:16:37.170 +which is also important + +0:16:39.130,0:16:42.930 +Special feature of Tor are hidden services + +0:16:42.930,0:16:45.850 +these are services which can be + +0:16:45.850,0:16:46.990 +accessed + +0:16:46.990,0:16:49.420 +without having an IP address + +0:16:49.420,0:16:50.960 +so uh + +0:16:50.960,0:16:56.300 +you can't really find them physically + +0:16:56.300,0:16:57.880 +so if you want to run a + +0:16:57.880,0:16:59.720 +hidden service you can do it from anywhere + +0:16:59.720,0:17:01.850 +do it from inside this private network here + +0:17:01.850,0:17:05.950 +instead of a service and everyone in the outside world can +actually access it + +0:17:05.950,0:17:07.770 +even if you don't have the rights to do + +0:17:07.770,0:17:11.330 +port forwarding or something + +0:17:11.330,0:17:13.580 +uh, this is really important to, uh + +0:17:13.580,0:17:15.690 +resist Denial of Service, for example + +0:17:15.690,0:17:20.160 +'cause every uh, + +0:17:20.160,0:17:20.519 +every client that wants to + +0:17:20.519,0:17:22.829 +access the service uh, gets + +0:17:22.829,0:17:25.700 +gets a different route in the network + +0:17:25.700,0:17:26.529 +and uh, it's hard + +0:17:26.529,0:17:28.460 +to actually uh + +0:17:28.460,0:17:31.970 +DOS it. 
And it's also important to + +0:17:31.970,0:17:33.610 +resist censorship + +0:17:33.610,0:17:38.510 +And the addresses look like this: + +0:17:38.510,0:17:43.280 +it's really a hash of a private key + +0:17:43.280,0:17:47.340 +and each hidden service is actually, well, identified + +0:17:47.340,0:17:53.300 +by a public key + +0:17:53.300,0:17:59.000 +this how it works, uhm, yet Alice the client + +0:17:59.000,0:18:02.170 +and the hidden server, Bob. + +0:18:02.170,0:18:04.120 +And if Bob wants to, uh, + +0:18:04.120,0:18:07.640 +wants to set up a service, + +0:18:07.640,0:18:08.159 +he chooses three introduction points + +0:18:08.159,0:18:09.899 +out of the whole mass + +0:18:09.899,0:18:11.920 +of Tor servers. + +0:18:11.920,0:18:18.920 +And Bob has the public key to identify the service, +and uh he sends + +0:18:22.530,0:18:26.860 +this public key into each of these three introduction +points to the directory server. + +0:18:26.860,0:18:28.740 +Now Alice wants to uh, + +0:18:28.740,0:18:31.610 +connect to Bob, but first the first thing she does + +0:18:31.610,0:18:34.480 +is download this + +0:18:34.480,0:18:38.910 +this list with the introduction points and the uh + +0:18:38.910,0:18:45.910 +public key from the directory server. After that, uh + +0:18:50.120,0:18:54.299 +she choose one of the uh introduction points + +0:18:54.299,0:18:55.930 +and uh, + +0:18:55.930,0:19:02.920 +posts a circle rendesvouz cookie there. 
A piece of +data so uh, she can, uh + +0:19:02.920,0:19:05.480 +identify herself + +0:19:05.480,0:19:06.900 +and uh, she also + +0:19:06.900,0:19:07.860 +gives the introduction point + +0:19:07.860,0:19:14.500 +the address of her random rendesvouz point that +Alice has chosen + +0:19:14.500,0:19:18.550 +so what happens then is uh, Bob notices that uh, + +0:19:18.550,0:19:23.760 +some data has been stored in the introduction point + +0:19:23.760,0:19:28.160 +and Alice and Bob uh, + +0:19:28.160,0:19:31.230 +make a rendesvouz point, and + +0:19:31.230,0:19:34.940 +Bob uses this, this uh + +0:19:34.940,0:19:36.700 +rendesvouz cookie to + +0:19:36.700,0:19:38.180 +actually identify himself on the rendesvouz point + +0:19:38.180,0:19:39.990 +and after that + +0:19:39.990,0:19:46.990 +all the connection of data runs through this rendesvouz point. + +0:19:50.870,0:19:53.180 +uh, if time permits I'll actually uh, + +0:19:53.180,0:19:54.710 +set up a rendesvouz + +0:19:54.710,0:19:55.960 +a hidden service here + +0:19:55.960,0:19:59.120 +so you can actually see how it works + +0:19:59.120,0:20:06.120 +I'll also demonstrate Tor, like I said + +0:20:08.800,0:20:09.770 +uh, there's some legal issues to be uhm + +0:20:09.770,0:20:12.450 +recognized, uh. 
As you can imagine, Tor may be +forbidden in some + +0:20:12.450,0:20:14.880 +countries; especially totalitarian countries + +0:20:14.880,0:20:17.530 +which censor the Internet anyway + +0:20:17.530,0:20:18.719 +and uh, + +0:20:18.719,0:20:21.030 +you may get into trouble for using Tor + +0:20:21.030,0:20:25.580 +practically, anyone knows this + +0:20:25.580,0:20:27.580 +there can be crytpo restrictions + +0:20:27.580,0:20:29.070 +for example Great Britain, the uh + +0:20:29.070,0:20:33.200 +RIPA act, I'm not even sure what it stands for + +0:20:33.200,0:20:36.140 +but basically says that uh, + +0:20:36.140,0:20:37.510 +if the government wants, + +0:20:37.510,0:20:40.410 +then you have to give up your crypto keys + +0:20:40.410,0:20:42.910 +so they can decrypt it later + +0:20:42.910,0:20:47.860 +and uh, yeah, it's not... + +0:20:47.860,0:20:50.010 +and it's actually last week was the first case + +0:20:50.010,0:20:52.890 +when this was actually used in + +0:20:52.890,0:20:56.600 +Great Britain + +0:20:56.600,0:21:00.720 +uh, there can be special laws like in Germany + +0:21:00.720,0:21:03.480 +sort of like a hacker paragraph + +0:21:03.480,0:21:06.990 +just a nickname, it has some cryptic legal name + +0:21:06.990,0:21:07.940 +uh, in reality + +0:21:07.940,0:21:11.090 +and it says that uh + +0:21:11.090,0:21:14.570 +you're liable if you, uh, + +0:21:14.570,0:21:17.360 +if you give people access to tools + +0:21:17.360,0:21:20.020 +that they can use to uh, + +0:21:20.020,0:21:22.270 +well, to do illegal stuff. + +0:21:22.270,0:21:23.630 +More or less. + +0:21:23.630,0:21:27.080 +It's really uh, + +0:21:27.080,0:21:29.080 +not concrete and no one really... + +0:21:29.080,0:21:30.440 +it could uh, + +0:21:30.440,0:21:31.929 +it could + +0:21:31.929,0:21:36.669 +restrict anything. From a map to a + +0:21:36.669,0:21:39.210 +to God know what? Network tools. 
+ +0:21:39.210,0:21:40.880 +and uh + +0:21:40.880,0:21:43.559 +But it was actually, it was actually passed so no one +really knows + +0:21:43.559,0:21:45.510 +what's the, uhm + +0:21:45.510,0:21:46.490 +what's really + +0:21:46.490,0:21:50.260 +restrict by it. So Tor could be restricted + +0:21:50.260,0:21:55.590 +by it, because it could really enable people to do +illegal stuff, + +0:21:55.590,0:21:58.640 +but no one really knows + +0:21:58.640,0:22:00.990 +and uh, the biggest Tor + +0:22:00.990,0:22:02.250 +problems + +0:22:02.250,0:22:07.480 +that, uh + +0:22:07.480,0:22:10.180 +when uh, when it actually gets sent to a Tor network + +0:22:10.180,0:22:13.210 +the uh, the + +0:22:13.210,0:22:14.669 +IP address that + +0:22:14.669,0:22:16.210 +gets sent + +0:22:16.210,0:22:17.220 +well that's what the destination server + +0:22:17.220,0:22:19.090 +actually sees + +0:22:19.090,0:22:21.200 +is one of the exit nodes. + +0:22:21.200,0:22:22.380 +So when, uh + +0:22:22.380,0:22:23.740 +when a client + +0:22:23.740,0:22:26.090 +actually causes trouble, + +0:22:26.090,0:22:26.950 +then the one + +0:22:26.950,0:22:29.790 +that gets into trouble + +0:22:29.790,0:22:32.460 +is the exit nodes provider. And uh, + +0:22:32.460,0:22:33.560 +so stuff that gets done + +0:22:33.560,0:22:38.620 +for torment purpose like sending ransom mails or uh, + +0:22:38.620,0:22:40.480 +distributing illegal stuff + +0:22:40.480,0:22:42.040 +and it, this all happened + +0:22:42.040,0:22:43.500 +and, if you are + +0:22:43.500,0:22:46.460 +unlucky as an exit node operator + +0:22:46.460,0:22:47.109 +your server gets seized or something + +0:22:47.109,0:22:52.059 +and uh, + +0:22:52.059,0:22:55.530 +that's random stuff that can happen + +0:22:55.530,0:22:56.540 +though, uh, + +0:22:56.540,0:22:59.559 +as an exit nodes provider you can get + +0:22:59.559,0:23:03.690 +letters from Law Enforcement entities, and uh + +0:23:03.690,0:23:05.649 +What are you doing there? 
+ +0:23:05.649,0:23:06.830 +Maybe some illegal stuff? + +0:23:06.830,0:23:10.040 +And you have to explain to them that you are + +0:23:10.040,0:23:12.260 +providing Tor server + +0:23:12.260,0:23:13.980 +it wasn't you + +0:23:13.980,0:23:15.120 +and stuff. + +0:23:15.120,0:23:18.020 +For example the FBI + +0:23:18.020,0:23:19.960 +in America + +0:23:19.960,0:23:23.580 +actually knows what you're talking about when you tell them + +0:23:23.580,0:23:24.580 +that you're using Tor... + +0:23:24.580,0:23:26.019 +so, uh + +0:23:26.019,0:23:26.600 +they won't bother. + +0:23:26.600,0:23:28.810 +But in Germany the uh, + +0:23:28.810,0:23:34.830 +Law Enforcement agencies, actually are, so so + +0:23:34.830,0:23:41.440 +depends on what kind of guy you're actually talking to + +0:23:41.440,0:23:47.120 +So what's... what kind of role plays FreeBSD here? + +0:23:47.120,0:23:51.880 +uh, FreeBSD is really well suited as a Tor node, uh + +0:23:51.880,0:23:55.490 +when you're operating the client you just want to use the +network, uh + +0:23:55.490,0:23:57.830 +it doesn't matter what kind of system you use + +0:23:57.830,0:23:59.150 +and it shouldn't matter + +0:23:59.150,0:24:00.830 +There's one of the, uh + +0:24:00.830,0:24:03.130 +like I said earlier one of the design + +0:24:03.130,0:24:05.500 +criteria of Tor + +0:24:05.500,0:24:08.610 +so it doesn't matter if you're using Windows or FreeBSD. + +0:24:08.610,0:24:09.929 +But if you're using the Tor + +0:24:09.929,0:24:14.290 +as actually uh, + +0:24:14.290,0:24:17.320 +the security of other depends on your node + +0:24:17.320,0:24:20.690 +and uh, + +0:24:20.690,0:24:22.950 +when you're operating a node is important to + +0:24:22.950,0:24:25.310 +have Operational Security + +0:24:25.310,0:24:25.980 +and Jails + +0:24:25.980,0:24:27.550 +are really great for this, + +0:24:27.550,0:24:29.980 +so you can run a Tor server in Jail. 
+ +0:24:29.980,0:24:32.950 +It's also Disk and Swap encryption + +0:24:32.950,0:24:38.010 +which is important, especialy the swap encryption. And uh, + +0:24:38.010,0:24:39.390 +there's also audit + +0:24:39.390,0:24:40.740 +and the mac framework + +0:24:40.740,0:24:43.780 +when you want to run your installation + +0:24:43.780,0:24:46.220 +What's also nice, + +0:24:46.220,0:24:46.659 +Tor servers do a lot of public key encryption + +0:24:46.659,0:24:48.440 +and it's pretty slow + +0:24:48.440,0:24:49.480 +so it's great to have + +0:24:49.480,0:24:54.750 +hardware acceleration for this. + +0:24:54.750,0:24:56.160 +And uh, probably the biggest feature: + +0:24:56.160,0:25:03.160 +Well maintained Tor-related ports. + +0:25:04.060,0:25:07.390 +There is the main port, security Tor + +0:25:07.390,0:25:11.370 +Which is a client and server if you want to run + +0:25:11.370,0:25:13.610 +a network node, or just a client. + +0:25:13.610,0:25:15.210 +There's Tor level + +0:25:15.210,0:25:16.450 +and these are really up to date, uhm + +0:25:16.450,0:25:22.830 +Tor development happens really fast + +0:25:22.830,0:25:23.710 +and ports get updated + +0:25:23.710,0:25:30.710 +pretty soon after a release is made. 
+ +0:25:32.050,0:25:39.050 +There's Privoxy, which is an uhm web proxy and uhm, +we'll use it later when we do the demonstration + +0:25:41.320,0:25:44.310 +And there's net management Vidalia which is a +graphical content + +0:25:44.310,0:25:47.200 +also for Windows + +0:25:47.200,0:25:48.260 +and, uhm + +0:25:48.260,0:25:53.929 +there's trans-proxy Tor + +0:25:53.929,0:25:58.650 +which enables you to actually + +0:25:58.650,0:25:59.560 +uhm, well there's some + +0:25:59.560,0:26:02.080 +badly written applications out there + +0:26:02.080,0:26:05.280 +that do stuff that's + +0:26:05.280,0:26:07.510 +that makes it hard for Tor to + +0:26:07.510,0:26:08.860 +run with them + +0:26:08.860,0:26:10.810 +and you can use trans-proxy Tor + +0:26:10.810,0:26:15.510 +to tunnel such connections through the Tor network. + +0:26:15.510,0:26:20.580 +We'll actually talk about them in the next slide. + +0:26:20.580,0:26:24.960 +Yeah. What else do you need to take care of +besides running Tor? + +0:26:24.960,0:26:27.130 +Uh, there's name resolution, uh... + +0:26:27.130,0:26:28.760 +Some applications just + +0:26:28.760,0:26:30.500 +bypass the configured proxy + +0:26:30.500,0:26:34.500 +for example FireFox versions below version 1.5, + +0:26:34.500,0:26:35.700 +which send every data, + +0:26:35.700,0:26:38.320 +all data through the proxy + +0:26:38.320,0:26:38.909 +but not + +0:26:38.909,0:26:40.880 +DNS requests + +0:26:40.880,0:26:44.380 +so they actually result in mistrust + +0:26:44.380,0:26:46.450 +and uh, so yeah + +0:26:46.450,0:26:49.280 +the connection is actually anonymized + +0:26:49.280,0:26:51.080 +but the DNS server + +0:26:51.080,0:26:52.250 +really knows + +0:26:52.250,0:26:53.870 +uh, who you were talking to + +0:26:53.870,0:27:00.870 +and this is really the intention of Tor, but uh, +newer versions actually takes. 
+ +0:27:03.130,0:27:04.240 +Uh, there's the usual + +0:27:04.240,0:27:09.990 +cookies, web-bugs, referrer and stuff, uhm + +0:27:09.990,0:27:11.800 +which uh, + +0:27:11.800,0:27:13.530 +sites can use to check which + +0:27:13.530,0:27:20.530 +websites you're visiting, and it's just the +usual disabling stuff + +0:27:20.549,0:27:23.250 +Privoxy is a great tool to + +0:27:23.250,0:27:28.160 +normalize HTTP traffic. + +0:27:28.160,0:27:30.010 +And it's also great to uhm, well filter off advertising + +0:27:30.010,0:27:36.370 +and stuff. + +0:27:36.370,0:27:38.660 +This should be really obvious + +0:27:38.660,0:27:41.110 +but apparently is not. Uhm, + +0:27:41.110,0:27:43.770 +There's so many people who don't realize + +0:27:43.770,0:27:44.700 +that the last connection + +0:27:44.700,0:27:46.380 +chain is actually unencrypted + +0:27:46.380,0:27:50.900 +if you're using, uh + +0:27:50.900,0:27:53.250 +if you're not using a secure protocol. + +0:27:53.250,0:27:54.100 +So, + +0:27:54.100,0:27:56.440 +people actually uhm, + +0:27:56.440,0:27:59.430 +get their mail through POP3 or something + +0:27:59.430,0:28:04.870 +and the exit nodes can just run desniff and sniff +out all the passwords. + +0:28:04.870,0:28:11.870 +And it's really surprising how many people uh, do this. + +0:28:13.450,0:28:16.700 +So, lesson learned: use secure protocol. + +0:28:16.700,0:28:18.220 +There are also other services that require + +0:28:18.220,0:28:20.630 +registration, for example, + +0:28:20.630,0:28:22.040 +with your e-mail address or + +0:28:22.040,0:28:23.640 +personal + +0:28:23.640,0:28:25.360 +data + +0:28:25.360,0:28:27.590 +and uh, well + +0:28:27.590,0:28:28.620 +if you're using Tor and you + +0:28:28.620,0:28:35.620 +actually log on to one of those services, Tor can help you + +0:28:40.850,0:28:42.440 +So, once I actually demonstrate how + +0:28:42.440,0:28:49.440 +this all works. 
+ +0:29:13.550,0:29:15.520 +Uh, I've installed Tor and + +0:29:15.520,0:29:22.520 +Privoxy on this system + +0:29:24.810,0:29:27.180 +the config files are on the usual places. + +0:29:27.180,0:29:34.180 +And if you read this, this little.. small.. Is this alright? + +0:29:46.950,0:29:50.600 +So there is this Tor I see sample file + +0:29:50.600,0:29:57.600 +which we can use + +0:30:07.020,0:30:08.370 +so this + +0:30:08.370,0:30:10.340 +there's the usual commands and stuff + +0:30:10.340,0:30:11.030 +and this, + +0:30:11.030,0:30:15.720 +much stuff that we don't need for the moment + +0:30:15.720,0:30:19.840 +there's this uh, + +0:30:19.840,0:30:24.220 +SOCKS port and SOCKS listen address information + +0:30:24.220,0:30:31.220 +that's the + +0:30:32.770,0:30:34.659 +tells you where to connect your uh, + +0:30:34.659,0:30:36.679 +your proxy to + +0:30:36.679,0:30:38.200 +so this is the information that we use in Privoxy to + +0:30:38.200,0:30:41.450 +access Tor. + +0:30:41.450,0:30:42.190 +Uhm, + +0:30:42.190,0:30:45.320 +all we have to do to actually use Tor is + +0:30:45.320,0:30:48.970 +copy over the config file. + +0:30:48.970,0:30:55.970 +Start the service + +0:31:04.110,0:31:10.570 +so, it tells us it's running... Now we have to + +0:31:10.570,0:31:12.350 +take a look at Privoxy + +0:31:20.880,0:31:25.120 +There's also lots of stuff that we don't need +right now + +0:31:25.120,0:31:30.360 +What we need is the uh, + +0:31:30.360,0:31:31.740 +we need to tell + +0:31:31.740,0:31:33.809 +Privoxy uh, + +0:31:33.809,0:31:40.809 +where to send connections requests. 
+ +0:31:51.740,0:31:53.659 +Ok, I've actually entered this earlier + +0:31:53.659,0:31:54.860 +uhm, + +0:31:54.860,0:31:58.700 +all it says is uh, + +0:31:58.700,0:32:03.490 +forward all requests to + +0:32:03.490,0:32:10.490 +the uh, SOCKS client + +0:32:13.020,0:32:20.020 +So we just start + +0:32:34.120,0:32:38.870 +Ok, so we all set + +0:32:38.870,0:32:40.480 +Now we can just do + +0:32:40.480,0:32:47.480 +everything with our brother + +0:32:50.790,0:32:52.029 +we all started times + +0:32:52.029,0:32:59.029 +a bit slow on my external drive + +0:33:06.860,0:33:08.070 +okay, uh + +0:33:08.070,0:33:11.470 +proxy settings + +0:33:11.470,0:33:16.140 +we just put in our Privoxy server + +0:33:16.140,0:33:23.140 +which listens on port 3128, hopefully, or does it? +Oh, 8108, that's it. + +0:33:47.360,0:33:49.060 +Ok, so every + +0:33:49.060,0:33:56.060 +connection we want to make should actually be routed +through the Tor network + +0:33:56.820,0:33:58.880 +uhm, this is going to take a little bit, + +0:33:58.880,0:34:01.950 +'cause all the route selection needs to be done + +0:34:01.950,0:34:08.950 +all the public crypto, there's also network latency + +0:34:13.059,0:34:14.539 +Once the connections are actually setup + +0:34:14.539,0:34:17.789 +it's pretty fast, not like this + +0:34:17.789,0:34:21.159 +and it's uh, really dependent upon uh, + +0:34:21.159,0:34:21.419 +which + +0:34:21.419,0:34:23.059 +kind of nodes you get + +0:34:23.059,0:34:26.669 +if you have a node that is running a modem then, + +0:34:26.669,0:34:33.669 +you'll have problem, it's really slow + +0:34:36.099,0:34:42.989 +ok, while waiting + +0:34:42.989,0:34:45.319 +we can actually take a look + +0:34:45.319,0:34:52.319 +at how our hidden service is configured + +0:34:59.699,0:35:03.369 +there's some lines for the Tor config file + +0:35:03.369,0:35:07.439 +the routing services + +0:35:07.439,0:35:14.219 +Ok, so you can see here hidden services here and +hidden service port + 
+0:35:14.219,0:35:19.369 +as I said, the hidden service is identified by a +public key, and uh, if you + +0:35:19.369,0:35:22.159 +uncommand this sutff, + +0:35:22.159,0:35:24.999 +and uh, + +0:35:24.999,0:35:26.619 +we start Tor + +0:35:26.619,0:35:28.249 +quickly + +0:35:28.249,0:35:31.690 +generate a public key and put it into the start tree + +0:35:31.690,0:35:38.690 +and it will, uh, well it actually says to uh, + +0:35:40.659,0:35:47.659 +where this omni address earlier, + +0:35:48.549,0:35:49.539 +we'll just + +0:35:49.539,0:35:56.539 +route every connection through this address to this +local nodes line + +0:36:02.119,0:36:07.199 +This could be the case that uh, + +0:36:07.199,0:36:08.640 +that an exit node + +0:36:08.640,0:36:11.599 +doesn't uh, + +0:36:11.599,0:36:18.599 +allow + +0:36:19.779,0:36:22.900 +Ok, this is typical that when you want to show stuff +it doesn't work + +0:36:22.900,0:36:25.369 +it worked earlier, so uh, it's not the network's fault + +0:36:25.369,0:36:27.619 +let's uh, + +0:36:27.619,0:36:31.609 +back to the hidden services + +0:36:31.609,0:36:38.609 +So we actually need to + +0:36:39.230,0:36:46.230 +change this + +0:36:51.170,0:36:55.099 +The default directory in FreeBSD is bar/db/Tor + +0:36:55.099,0:36:57.909 +and uh, + +0:36:57.909,0:37:03.249 +and when we start Tor it will actually, uh + +0:37:03.249,0:37:07.499 +create the service directory + +0:37:07.499,0:37:11.789 +by itself. It's also a web server listening on port 80 +on localhost + +0:37:11.789,0:37:13.889 +so we can + +0:37:13.889,0:37:20.889 +and hopefully will be able to see it later on + +0:37:45.849,0:37:48.529 +okay, so let's see if + +0:37:48.529,0:37:49.679 +this stuff is already + +0:37:49.679,0:37:56.679 +actually created. + +0:38:02.829,0:38:03.790 +Ok, so you have + +0:38:03.790,0:38:05.069 +two parts in this directory + +0:38:05.069,0:38:11.650 +hostname and private key. 
Private key is uh, + +0:38:11.650,0:38:14.739 +and the hostname is actually what you give to people +if you want to + +0:38:14.739,0:38:21.739 +to publish your service + +0:38:33.319,0:38:36.039 +this is actually less likely to work right now + +0:38:36.039,0:38:40.059 +because it takes some time for Tor to choose these + +0:38:40.059,0:38:41.639 +introduction points, + +0:38:41.639,0:38:44.880 +send all this stuff to directory services + +0:38:44.880,0:38:47.369 +it takes time for directory services to sync up + +0:38:47.369,0:38:54.329 +and actually distribute information to the clients + +0:38:54.329,0:39:00.789 +and when we want to exit the service, we actually put +this address into the uh, + +0:39:00.789,0:39:03.889 +the address line, and uh, + +0:39:03.889,0:39:05.069 +Tor knows how to + +0:39:05.069,0:39:12.069 +deal with this uh, the Onion pop up domain, so uh + +0:39:15.410,0:39:22.410 +this usually actually works. Let's see what's going on here... + +0:39:33.499,0:39:35.049 +Well, like I said + +0:39:35.049,0:39:37.529 +this one will take a while and + +0:39:37.529,0:39:40.450 +what's going on with the other one? I can actually see + +0:39:40.450,0:39:45.039 +But uh, + +0:39:45.039,0:39:47.850 +usually you can just go to one of these server websites + +0:39:47.850,0:39:50.209 +that tell you your IP address, and + +0:39:50.209,0:39:52.899 +Google is a fair example + +0:39:52.899,0:39:56.709 +you can go to Google and Google will get you a + +0:39:56.709,0:40:00.589 +localized web page. 
+ +0:40:00.589,0:40:02.879 +For example, when you are from Germany, and you go to + +0:40:02.879,0:40:04.099 +Google.com, you get a German webpage + +0:40:04.099,0:40:07.379 +and if you're using Tor and you go to Google, + +0:40:07.379,0:40:09.679 +it depends + +0:40:09.679,0:40:10.319 +upon where your exit point is located + +0:40:10.319,0:40:11.859 +for example, + +0:40:11.859,0:40:14.029 +if it is in the Netherlands, + +0:40:14.029,0:40:21.029 +you get a Dutch Google, which is uh, pretty cool. + +0:40:23.329,0:40:25.549 +so uh, + +0:40:25.549,0:40:27.419 +I'll have to take a look later + +0:40:27.419,0:40:28.829 +while I'm working + +0:40:28.829,0:40:35.829 +so let's just, continue for a moment + +0:40:38.569,0:40:41.009 +ok, to summarize, uh + +0:40:41.009,0:40:44.799 +Tor is actually useful if + +0:40:44.799,0:40:51.799 +you want to be hidden on the net. If it actually works. +Not in this case, uh + +0:40:55.519,0:40:59.339 +Tor is usually pretty cool to offer services from anywhere + +0:40:59.339,0:41:00.410 +so theoretically + +0:41:00.410,0:41:02.509 +it should work + +0:41:02.509,0:41:03.549 +I should + +0:41:03.549,0:41:06.049 +publish my hidden services from around here + +0:41:06.049,0:41:10.429 +and anyone in the world that's connected to the Tor network +can actually exit it, access it + +0:41:10.429,0:41:12.169 +and uh + +0:41:12.169,0:41:14.799 +Privoxy is a pretty cool platform for Tor + +0:41:14.799,0:41:18.819 +'cause it's for one, it has very nice + +0:41:18.819,0:41:21.779 +security features like jail + +0:41:21.779,0:41:23.949 +and if you want to run a Tor node + +0:41:23.949,0:41:25.899 +and uh, + +0:41:25.899,0:41:27.949 +tools like Tor are really needed + +0:41:27.949,0:41:28.860 +in our time + +0:41:28.860,0:41:35.860 +this isn't going + +0:41:36.599,0:41:43.599 +to get better any time soon; so uh, we better +create the tools now + +0:41:45.779,0:41:52.779 +to circumvent this + +0:41:52.899,0:41:59.039 +Take a quick look at the uh browser 
again + +0:41:59.039,0:42:00.089 +currently the uh, + +0:42:00.089,0:42:02.660 +connection set up failed + +0:42:02.660,0:42:04.070 +which I can't do anything about right now. + +0:42:04.070,0:42:11.070 +uh, which one? + +0:42:23.089,0:42:25.629 +Oh, that's all me + +0:42:25.629,0:42:27.539 +uhm + +0:42:27.539,0:42:30.249 +it depends upon + +0:42:30.249,0:42:33.140 +you can use any port you like + +0:42:33.140,0:42:34.539 +depend on uh, + +0:42:34.539,0:42:39.279 +what port the nodes use. Nodes can use any port + +0:42:39.279,0:42:42.259 +for example, when I don't want to run nodes + +0:42:42.259,0:42:44.109 +I can put it on pause + +0:42:44.109,0:42:45.679 +port 80 if you want + +0:42:45.679,0:42:47.470 +so anyone who uh + +0:42:47.470,0:42:49.219 +who has uh + +0:42:49.219,0:42:50.979 +HTTP access can actually access my node + +0:42:53.009,0:42:56.529 +so uh + +0:42:56.529,0:43:01.299 +yet in theory uh + +0:43:01.299,0:43:05.959 +you can use any port you like. + +0:43:05.959,0:43:12.009 +So, this isn't going to work. + +0:43:12.009,0:43:13.519 +Maybe I'll just uh, + +0:43:13.519,0:43:20.519 +if anyone is interested, I'll just try again later + +0:43:33.089,0:43:34.680 +That's port 80 + +0:43:34.680,0:43:39.369 +it's a you know, HTTP connection so, + +0:43:39.369,0:43:42.359 +So, are there any questions? + +0:43:42.359,0:43:49.359 +Yes? 
+ +0:44:06.140,0:44:08.689 +Well, usually I use Opera, so + +0:44:08.689,0:44:13.679 +a + +0:44:13.679,0:44:15.659 +I didn't know + +0:44:26.839,0:44:28.970 +Yes, there are about 300 uh, + +0:44:32.879,0:44:35.040 +I think about + +0:44:35.040,0:44:39.759 +300 Tor servers around the world + +0:44:39.759,0:44:43.349 +No, it's uh correct + +0:44:43.349,0:44:47.119 +at the moment there are three directory servers + +0:44:47.119,0:44:49.579 +worldwide + +0:44:49.579,0:44:51.630 +you can recognize them by their public key + +0:44:51.630,0:44:52.909 +and their public keys are + +0:44:52.909,0:44:56.119 +hard coded into the source code at the moment + +0:44:56.119,0:44:58.799 +so, the uh + +0:44:58.799,0:45:01.499 +Tor developers actually run those directory servers + +0:45:01.499,0:45:08.499 +but this is really crypto infrastucture + +0:45:11.729,0:45:12.719 +uhm + +0:45:12.719,0:45:14.729 +Well it's it's hard to say + +0:45:14.729,0:45:16.219 +'cause the question was uh + +0:45:16.219,0:45:21.799 +Were there any estimates on uh, + +0:45:21.799,0:45:26.489 +net usage and other stuff + +0:45:26.489,0:45:31.730 +it's really hard to say because it's an anonymization +network so uh, + +0:45:31.730,0:45:32.999 +you can't say for sure, but there are estimates of +one hundred thousand users around the world + +0:45:32.999,0:45:36.949 +and uh, I'm not sure of the traffic. 
+ +0:45:36.949,0:45:39.219 +I used to run a middleman node, + +0:45:39.219,0:45:40.369 +and in one monthm + +0:45:40.369,0:45:42.699 +it would make + +0:45:42.699,0:45:43.849 +it was on a one hundred megabits + +0:45:43.849,0:45:45.359 +or dedicated line, + +0:45:45.359,0:45:47.249 +and it made about one terabyte of traffic + +0:45:47.249,0:45:49.459 +so it's a lot of traffic + +0:45:49.459,0:45:52.449 +going on + +0:45:52.449,0:45:56.259 +and unfortunately also a lot of filesharing systems + +0:45:56.259,0:45:59.739 +which it doesn't relly make sense 'cause they're slow + +0:45:59.739,0:46:00.570 +so uhm, + +0:46:00.570,0:46:01.609 +Tor is really cool + +0:46:01.609,0:46:03.359 +for web browsing and stuff + +0:46:03.359,0:46:10.359 +but if you really want to move a lot of data it's +not a good tool + +0:46:10.759,0:46:11.479 +ah, any other questions? Doesn't seem to be the case. Ok! diff --git a/en_US.ISO8859-1/captions/2007/nycbsdcon/dixon-bsdisdying.sbv b/en_US.ISO8859-1/captions/2007/nycbsdcon/dixon-bsdisdying.sbv new file mode 100644 index 0000000000..e3ff5ee343 --- /dev/null +++ b/en_US.ISO8859-1/captions/2007/nycbsdcon/dixon-bsdisdying.sbv 
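Review bot: several technical terms in this transcript are speech-recognition errors that the human editing pass should have corrected, and they matter because these captions become searchable FreeBSD documentation: "there is this Tor I see sample file" in the demo is the torrc.sample file, "The default directory in FreeBSD is bar/db/Tor" should read /var/db/tor, and "the exit nodes can just run desniff" refers to the dsniff tool. The Privoxy listener port in the cue "which listens on port 3128, hopefully, or does it? Oh, 8108, that's it." should be checked against the audio, since the later step that forwards all requests to the SOCKS client only makes sense if the reader can recover the right port. Plain typos to fix in the same pass: "especialy", "uncommand this sutff", "infrastucture", "one monthm" and "doesn't relly make sense".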
@@ -0,0 +1,943 @@ +0:00:07.329,0:00:13.679 +You're here, Bob, of course. Bob is hot. Bob is very hot. + +0:00:13.679,0:00:14.679 +Welcome to BSD is Dying. + +0:00:14.679,0:00:15.779 +No, it's not dead yet, + +0:00:15.779,0:00:16.529 +we're getting there. + +0:00:16.529,0:00:18.949 +Anybody out here last year? + +0:00:18.949,0:00:24.939 +Okay. I gave a really bad talk on pf, so and I +appreciate Bob coming out and correcting me this year. + +0:00:24.939,0:00:28.550 +Anyways, we should go and get started. + +0:00:28.550,0:00:33.560 +BSD is Dying. + +0:00:33.560,0:00:35.820 +What is BSD? + +0:00:35.820,0:00:40.150 +I think most of us know, BSD is a derivative of UNIX. + +0:00:40.150,0:00:41.630 +Okay, what is UNIX? + +0:00:41.630,0:00:44.300 +UNIX is an + +0:00:44.300,0:00:45.260 +operating system. + +0:00:45.260,0:00:48.000 +What is an operating system? + +0:00:48.000,0:00:53.930 +It runs computers. + +0:00:53.930,0:00:56.610 +But, what is a computer? + +0:00:56.610,0:01:03.610 +It helps users accomplish tasks. What is a user? +A user is somebody biped like + +0:01:07.409,0:01:10.600 +biped that stands up right sort of like me. + +0:01:10.600,0:01:14.280 +Who am I? My name is Jason Dixon. + +0:01:14.280,0:01:18.000 +First and foremost, a SysAdmin. I like to work on networks, + +0:01:18.000,0:01:18.590 +firewalls. I like to tweak. + +0:01:18.590,0:01:21.350 +No. Yes. + +0:01:21.350,0:01:27.630 +I'm a programmer, sort of. I enjoy + +0:01:27.630,0:01:28.960 +Perl, Postgres, + +0:01:28.960,0:01:30.820 +on Apache + +0:01:30.820,0:01:34.150 +servers. I'm a consultant here. I'm an employee + +0:01:34.150,0:01:38.920 +here, and a lover of + +0:01:38.920,0:01:40.150 +BSD. + +0:01:40.150,0:01:42.050 +Why am I here? + +0:01:42.050,0:01:46.970 +That’s the question I've been asking myself all along. + +0:01:46.970,0:01:48.630 +To talk about why BSD is dying. + +0:01:48.630,0:01:52.380 +Sex, and greed. + +0:01:52.380,0:01:59.380 +Someone kick these guys out. 
+ +0:02:00.410,0:02:05.470 +Okay. So again, what is BSD? What is UNIX? +What is an operating system? What is a computer? + +0:02:05.470,0:02:12.470 +Computer is a device that computes, especially a +programmable electronic machine that performs high-speed +mathematical or logical operations or that assembles, +stores, correlates, or + +0:02:13.900,0:02:14.390 +otherwise processes + +0:02:14.390,0:02:15.529 +information. + +0:02:15.529,0:02:19.090 +This is a computer. This is also known as a + +0:02:19.090,0:02:22.459 +computer. This is a really big computer. + +0:02:22.459,0:02:28.309 +This is a fake computer, and sometimes, just can, well, compute + +0:02:28.309,0:02:31.339 +But what does a computer really do? + +0:02:31.339,0:02:33.729 +All right, it helps us write documents, + +0:02:33.729,0:02:40.729 +shopping lists. Sometimes, it can even delete documents. +It helps us work with emails, + +0:02:42.050,0:02:46.749 +surf the Web, movies, + +0:02:46.749,0:02:48.769 +and listen to music. + +0:02:48.769,0:02:50.409 +Oh, and yes, games. + +0:02:50.409,0:02:53.959 +How? How does the computer let us do these + +0:02:53.959,0:02:56.569 +things? Well, it takes the work + +0:02:56.569,0:03:00.179 +and using the computer component, we can translate it +into machine language + +0:03:00.179,0:03:01.489 +that is the foundation + +0:03:01.489,0:03:07.999 +for kernel, libraries, userland applications, +otherwise known as operating system. + +0:03:07.999,0:03:10.659 +like BSD. + +0:03:10.659,0:03:12.619 +What is a kernel? + +0:03:12.619,0:03:16.439 +It's a wonderful thing, it allows + +0:03:16.439,0:03:23.439 +The management and processes of memory, peripheral devices, +and by extension, allows us to do networking, security, + +0:03:23.540,0:03:26.639 +work with disks and file systems, user interfaces, +userland applications, + +0:03:26.639,0:03:33.619 +people can write documents, check email, surf the Web, +watch movies, listen to music, and play games. 
+ +0:03:33.619,0:03:38.209 +and much, much more. + +0:03:38.209,0:03:41.009 +So, in summary, BSD + +0:03:41.009,0:03:44.150 +is a UNIX-derived operating system + +0:03:44.150,0:03:51.150 +enables users to harness the power of a computer to process +information. It uses the kernel to manage processes memory, +and peripheral devices. And by extension, we can perform + +0:03:51.730,0:03:58.149 +networking, enforce security, read from and write to storage +devices, and interface visually to applications like text +editors, mail clients, Web browsers, multimedia players, and + +0:03:58.149,0:04:05.149 +games. + +0:04:05.509,0:04:09.199 +In the beginning, I'm going to try and breeze through this, +people + +0:04:09.199,0:04:10.970 +The Holy + +0:04:10.970,0:04:15.369 +Trinity – MIT, Bell Labs, and GE created +a systems called Multics. + +0:04:15.369,0:04:18.750 +This is a nice flash from the past. + +0:04:18.750,0:04:20.650 +Life was good. + +0:04:20.650,0:04:21.639 +No. No. + +0:04:21.639,0:04:22.849 +Actually, it + +0:04:22.849,0:04:24.970 +wasn’t. The Multics was a commercial + +0:04:24.970,0:04:29.690 +failure. So, a couple of gentlemen like Ken Thompson and +Dennis Ritchie + +0:04:29.690,0:04:34.539 +[xx] support, like to play games. They worked at Bell Labs +and they had this game called + +0:04:34.539,0:04:36.470 +Space Travel, which performed really + +0:04:36.470,0:04:40.500 +really badly. So, what's…actually, I'm sorry + +0:04:40.500,0:04:43.639 +it ran on a PDP-7. + +0:04:43.639,0:04:48.989 +What is an assembly programmer to do when a game +doesn’t work properly on the star board? He moves + +0:04:48.989,0:04:53.240 +it. So, in 1969, Ken Thompson + +0:04:53.240,0:04:53.969 +and + +0:04:53.969,0:04:58.620 +Sorry, came out with the Uniplexed Information + +0:04:58.620,0:05:01.270 +and Computing System. It was capable of supporting + +0:05:01.270,0:05:02.499 +a number of users + +0:05:02.499,0:05:04.189 +up to two. 
+ +0:05:05.239,0:05:07.100 +And by + +0:05:07.100,0:05:11.949 +1970, UNIX was officially known as U-N-I-X + +0:05:11.949,0:05:14.759 +It ran on a PDP1145 + +0:05:14.759,0:05:17.929 +and was capable of text processing + +0:05:17.929,0:05:21.019 +and had utilities like roff and a text editor. + +0:05:21.019,0:05:22.409 +for the purpose of + +0:05:22.409,0:05:24.210 +patents. By + +0:05:24.210,0:05:28.929 +1973, they rewrote UNIX and a programming language called + +0:05:28.929,0:05:33.340 +C which allowed AT&T to make the source code available +to let other + +0:05:33.340,0:05:35.650 +people run it on their systems. + +0:05:35.650,0:05:40.110 +By 1974, a gentleman by the name of Bob Fabry, +who was at the University + +0:05:40.110,0:05:42.079 +of Cal Berkeley in their Computer Science Department + +0:05:42.079,0:05:44.940 +bought a copy of UNIX for $99. + +0:05:44.940,0:05:47.710 +to run their PDP-11. + +0:05:47.710,0:05:52.850 +By 1977, a gentleman named Bill Joy, a graduate + +0:05:52.850,0:05:55.569 +student, distributed the Berkeley Software + +0:05:55.569,0:05:56.979 +Distribution as + +0:05:56.979,0:06:02.590 +1BSD. It was on a tape media that contained the PASCAL + +0:06:02.590,0:06:04.270 +compiler, the ex editor, and + +0:06:04.270,0:06:09.289 +by 1978, it was known as 2BSD with + +0:06:09.289,0:06:10.179 +vi, csh, and the list + +0:06:10.179,0:06:11.549 +goes on. + +0:06:11.549,0:06:17.030 +By 4BSD, we had job control, delivermail, + +0:06:17.030,0:06:21.339 +precursor to sendmail, curses, libraries. 1981, + +0:06:21.339,0:06:24.750 +4.1BSD, this one, we are recorded through VAX + +0:06:24.750,0:06:30.539 +4.1BSD addressed memory performance issues with UNIX on VAX + +0:06:30.539,0:06:34.159 +1983, 4.2BSD uses TCP/IP from BBN, + +0:06:34.159,0:06:36.990 +and also the Berkeley Fast File System from the + +0:06:36.990,0:06:39.219 +gentleman, Kirk McKusick, + +0:06:39.219,0:06:44.100 +who also brought us the original BSD mascot. 
+ +0:06:44.100,0:06:49.280 +In 1986, 4.3BSD introduced performance improvements +over 4.2BSD + +0:06:49.280,0:06:53.299 +By 1988, we had a list called 4.3BSD-Tahoe + +0:06:53.299,0:06:57.180 +originally intended to run on the Power 6/32 +“Tahoe” platform. + +0:06:57.180,0:07:00.160 +That platform actually never came to fruition + +0:07:00.160,0:07:04.280 +but it did allow us to extract some of the +machine-independent + +0:07:04.280,0:07:07.240 +code which allowed it to become portable much later on. + +0:07:07.240,0:07:09.050 +By 1989, there was + +0:07:09.050,0:07:10.810 +Net/1, which separated the networking code + +0:07:10.810,0:07:14.349 +from the AT&T UNIX code + +0:07:14.349,0:07:17.399 +allowing for a permissive BSD license + +0:07:17.399,0:07:20.479 +By 1990, 4.3BSD-Reno + +0:07:20.479,0:07:24.770 +introduced the MACH virtual files, MACH virtual + +0:07:24.770,0:07:27.189 +memory system, Sun-compatible NFS + +0:07:27.189,0:07:30.939 +However, it was known as a real + +0:07:30.939,0:07:34.119 +gamble, hence the Reno moniker. + +0:07:34.119,0:07:36.690 +By 1991, we had + +0:07:36.690,0:07:40.280 +Net/2 where all AT&T code and utilities were +replaced or removed + +0:07:40.280,0:07:44.439 +and ran on the Intel 386 + +0:07:44.439,0:07:47.360 +and it became the basis for the 386BSD + +0:07:47.360,0:07:50.840 +and BSD/386 releases. + +0:07:50.840,0:07:52.870 +A gentleman by the name of Bill Jolitz + +0:07:52.870,0:07:54.880 +behind 386 + +0:07:54.880,0:07:58.169 +BSD release, which eventually became the foundation for + +0:07:58.169,0:07:59.849 +FreeBSD and NetBSD. + +0:07:59.849,0:08:02.250 +And the + +0:08:02.250,0:08:09.250 +BSD3, I'm sorry, the 386BSD, which later on became +BSD/OS by BSDI + +0:08:09.659,0:08:14.599 +Exodus. 
Back in 1992, a wholly own subsidiary of + +0:08:14.599,0:08:18.699 +AT&T called Unix System Laboratories + +0:08:18.699,0:08:20.389 +decided to go after + +0:08:20.389,0:08:22.539 +BSDI for + +0:08:22.539,0:08:25.249 +I'm sorry, + +0:08:25.249,0:08:26.860 +in New + +0:08:26.860,0:08:33.139 +Jersey, as for an injunction against him due to various +what they consider proprietary + +0:08:33.139,0:08:34.650 +code in the + +0:08:34.650,0:08:35.960 +BSD. + +0:08:35.960,0:08:40.200 +This was one of their advertising and again, they used +this as the basis for the + +0:08:40.200,0:08:42.150 +lawsuit. I have + +0:08:42.150,0:08:44.640 +no idea what that’s for. + +0:08:44.640,0:08:47.660 + + +0:08:47.660,0:08:52.440 +Net/2 was basically, I'm sorry + +0:08:52.440,0:08:55.809 +the three BSDIs version of BSD OS is basically Net/2 + +0:08:55.809,0:08:58.239 ++ 6 files that they had version from + +0:08:58.239,0:09:00.540 +Bill Jolitz’s 386 + +0:09:00.540,0:09:05.030 +BSD. The lawsuit was, I'm sorry, the court settlement was + +0:09:05.030,0:09:09.020 +ruled over by a judge who denied the injunction + +0:09:09.020,0:09:11.469 +and asked them to narrow their + +0:09:11.469,0:09:15.650 +complaint to recent California copyrights +and the possibility of the loss of + +0:09:15.650,0:09:19.299 +trade secrets. He also did a really great thing +for BSD is that he hinted, + +0:09:19.299,0:09:21.829 +that…actually by this + +0:09:21.829,0:09:25.770 +point, the lawsuit with California Berkeley had been +also added into the + +0:09:25.770,0:09:29.030 +lawsuit. Well, he gave a hint to bring the case to the state + +0:09:29.030,0:09:30.160 +court. So, + +0:09:30.160,0:09:36.110 +BSD laywers were pretty smart over at Cal and they decided +to make a run over to the state court by the next + +0:09:36.110,0:09:38.690 +Monday to file a countersuit + +0:09:38.690,0:09:39.390 +against USL, + +0:09:39.390,0:09:43.250 +in the state of California. 
+ +0:09:43.250,0:09:46.280 +Soon after USL went up for + +0:09:46.280,0:09:49.070 +sale, and it was bought by Novell + +0:09:49.070,0:09:53.860 +A gentleman, Ray Noorda, the CEO + +0:09:53.860,0:09:58.730 +at Novell, agreed to a settlement at this point because +they understood that there was + +0:09:58.730,0:10:01.060 +no copyright infringement in the + +0:10:01.060,0:10:03.510 +code. So, basically, + +0:10:03.510,0:10:05.850 +the lawsuit was settled out of court + +0:10:05.850,0:10:07.150 +in secret for ten years. + +0:10:07.150,0:10:08.870 +In 2004, + +0:10:11.490,0:10:14.990 +done with the actual settlement + +0:10:14.990,0:10:16.120 +was and really sit. + +0:10:16.120,0:10:17.910 +And, + +0:10:17.910,0:10:19.560 +USL, AT&T and + +0:10:19.560,0:10:20.550 +Novell sort of + +0:10:20.550,0:10:22.190 +was embarrassed, + +0:10:22.190,0:10:27.060 +which ended up resulting in two distinct releases + +0:10:27.060,0:10:32.990 +4.4BSD, there is an encumbered version and had USL license + +0:10:32.990,0:10:37.490 +and AT&T code, and 4.4BSD-Lite, which was completely +unencumbered + +0:10:37.490,0:10:39.460 +and became the + +0:10:39.460,0:10:40.600 +foundation for + +0:10:40.600,0:10:43.470 +a FreeBSD. + +0:10:43.470,0:10:47.500 +NetBSD, I'm sorry, FreeBSD + +0:10:49.150,0:10:55.670 +FreeBSD, people with background, only different BSDs +that came out of 386BSD + +0:10:55.670,0:11:00.900 +It runs on Intel x86, Itanium, AMD64, Alpha, Sun Ultra + +0:11:00.900,0:11:05.149 +SPARC and it gives us the neat features of jail, which +most of us are familiar with, + +0:11:05.149,0:11:07.420 +mandatory access control as MACH + +0:11:07.420,0:11:10.830 +and historically, had a very strong TCP/ + +0:11:10.830,0:11:11.750 +IP and SMP performance. + +0:11:11.750,0:11:16.150 +The original NetBSD, which also came from 386BSD + +0:11:18.680,0:11:22.200 +Over 50 hardware platforms from a single +source tree + +0:11:22.200,0:11:25.520 +and that’s pretty much what it's known for. 
To be honest + +0:11:25.520,0:11:31.790 +I mean, I got to admit I'm an Open BSD guy, I was looking for +a really cool and innovative features in NetBSD and I really + +0:11:31.790,0:11:32.329 +couldn’t find any. + +0:11:32.329,0:11:34.940 +Why am I hanging on this. + +0:11:34.940,0:11:37.160 +Sorry, + +0:11:37.160,0:11:39.650 +I know people are going to… + +0:11:39.650,0:11:46.650 +I know the NetBSD is going to get me…I can +handle two of you. Okay? And this is + +0:11:48.680,0:11:51.490 +a list of the platforms that probably + +0:11:51.490,0:11:53.820 +including a toaster. + +0:11:53.820,0:11:55.000 + + +0:11:55.000,0:11:56.410 +OpenBSD, + +0:11:56.410,0:11:59.179 +this is one of the old logos, this is the new + +0:11:59.179,0:12:03.510 +logo. It was forked from NetBSD 1.0, we won't go +into the history, I know + +0:12:03.510,0:12:08.929 +most people know it, and it's supported by about +16 official platforms + +0:12:08.929,0:12:12.530 +platforms. This is about half of the most popular ones. + +0:12:12.530,0:12:17.570 +And it comes out with a new release every six months, +generally, in May and November + +0:12:17.570,0:12:20.810 +1st, so if you haven’t already, pick a copy, it just came + +0:12:20.810,0:12:24.880 +out of the foil. It's unofficial model is secure by default + +0:12:24.880,0:12:31.880 +only what's needed is running on the default + +0:12:32.750,0:12:35.690 +And, some of their goals + +0:12:35.690,0:12:38.300 +and features - full disclosure, audits, + +0:12:38.300,0:12:43.950 +privsep, privilege separation & revocation, chroot jails, +like FreeBSD, + +0:12:43.950,0:12:48.910 +random values wherever possible. This is probably + +0:12:48.910,0:12:52.180 +the most obvious example. ProPolice + +0:12:52.180,0:12:58.070 +Some other features that they’d given us through +the years – PF, authpf, CARP, fsyncd, + +0:12:58.070,0:13:01.380 +which I think some of these are probably in the + +0:13:01.380,0:13:08.380 +FreeBSD by now. 
DragonFlyBSD was a continuation of +FreeBSD 4.8. Again, + +0:13:08.760,0:13:11.160 +DragonFlyBSD was + +0:13:11.160,0:13:15.640 +FreeBSD 4.8 and was intended to basically + +0:13:15.640,0:13:21.580 +overhaul the SMP features in FreeBSD 6 +and 7,5,6, and 7. + +0:13:21.580,0:13:25.690 +DragonFly is another example. If you look at their goals, +it had some really neat technological stuff. + +0:13:25.690,0:13:28.500 +I can't find any features that really, you + +0:13:28.500,0:13:31.830 +know, mean anything. + +0:13:31.830,0:13:33.130 +Of course, + +0:13:33.130,0:13:36.890 +Tiger is an old I'm sorry, OSX + +0:13:36.890,0:13:43.890 +It started from the Jolitz project, but it's sort of a inbred + +0:13:48.870,0:13:53.800 + + +0:13:53.800,0:13:58.350 + + +0:13:58.350,0:14:04.130 +That is all about, I wanted to cover kind of the present of +where we are right now, some of the myths and truths. + +0:14:04.130,0:14:08.260 +Why is BSD dying? Really, that’s what the title + +0:14:08.260,0:14:11.750 +of the project and topic is. + +0:14:11.750,0:14:16.270 +Well, first, because IDC said so. + +0:14:16.270,0:14:21.480 +Market share for BSD is, right now, all time low, under 1% + +0:14:21.480,0:14:28.480 +And, of course, Netcraft confirms these findings. +Last place in the SysAdmin networking test, so we all + +0:14:29.660,0:14:30.930 +know that word, we're just big losers. + +0:14:30.930,0:14:37.610 +Because open-source projects are giving away free software. +I mean, we can't possibly make + +0:14:37.610,0:14:39.310 +money, so that, obviously, means that + +0:14:39.310,0:14:46.310 +we're dying. And free software is… + +0:14:46.390,0:14:53.390 +We know how to say this, when we came out. +Free software equals terrorism. + +0:14:55.120,0:14:57.910 + + +0:14:57.910,0:15:04.910 +Our inability to adapt. As you can see by this graph + +0:15:09.630,0:15:15.980 +Let's be serious here, people. + +0:15:15.980,0:15:20.520 +We see Windows, I mean, the way people. 
Come on, +they’ve been doing this for a number of what? 15, + +0:15:20.520,0:15:22.180 +20 years. Linux is second. + +0:15:22.180,0:15:24.349 +They actually are showing some. + +0:15:24.349,0:15:29.259 +We presume that someone is doing office by doing + +0:15:29.259,0:15:35.450 +The BSD is only for register, so we've got to work +on that, of course + +0:15:35.450,0:15:37.030 +Loss of talent. Free + +0:15:37.030,0:15:41.410 +BSD has lost 93% of their core developers. + +0:15:41.410,0:15:45.300 +Okay, come on, guys, let's go. + +0:15:45.300,0:15:48.030 +But not all is lost. + +0:15:48.030,0:15:53.600 +Fortunately, a few very small companies still +use BSD in this age. + +0:15:53.600,0:15:56.450 + + +0:15:56.450,0:16:02.590 +I know you probably have heard most of these. + +0:16:02.590,0:16:05.780 +Believe it or not, this is our premier + +0:16:05.780,0:16:12.780 +sponsor, and some other company that didn’t sponsor us + +0:16:16.070,0:16:17.560 + + +0:16:17.560,0:16:20.070 +I should just end right there. + +0:16:20.070,0:16:21.870 + + +0:16:21.870,0:16:28.130 +Seriously, though, the technological challenge that we +have ahead of us. Virtualization, that’s a big deal + +0:16:28.130,0:16:29.529 +as far as the market. + +0:16:29.529,0:16:33.230 +Of course, developers are in the market, so, +if that happens, that + +0:16:33.230,0:16:35.370 +happens. The end is really, really cool. + +0:16:35.370,0:16:40.150 +DRM, is obviously evil, yes, I know, I don’t care about + +0:16:40.150,0:16:41.690 +DRM. Ran out. + +0:16:41.690,0:16:43.980 +Right? + +0:16:43.980,0:16:45.310 +Political challenges + +0:16:45.310,0:16:48.710 +No, this has been hard to admit, but I can't beat + +0:16:48.710,0:16:50.530 +people, blobs, + +0:16:50.530,0:16:52.140 +binary is bad, + +0:16:52.140,0:16:53.140 +don’t do it + +0:16:53.140,0:16:56.180 +just smoke in the same crack + +0:16:56.180,0:16:57.540 + + +0:16:57.540,0:16:59.590 +NDAs + +0:16:59.590,0:17:01.900 +and closed documentation. 
+ +0:17:01.900,0:17:06.460 +How many of us here are actual core developers for +one of the BSDs? + +0:17:06.460,0:17:08.159 +Okay, the rest of us, let's help them + +0:17:08.159,0:17:09.420 +out + +0:17:09.420,0:17:10.120 +okay + +0:17:10.120,0:17:12.000 +get your files with your supplier, + +0:17:12.000,0:17:16.740 +let's get some documentation to these guys. + +0:17:16.740,0:17:18.159 +Because without the + +0:17:18.159,0:17:20.100 +diversity, we'll have + +0:17:20.100,0:17:22.220 +unity + +0:17:22.220,0:17:24.630 +and a common goal. + +0:17:27.420,0:17:30.090 +Thank you. diff --git a/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv b/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv new file mode 100644 index 0000000000..caa7460c7a --- /dev/null +++ b/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv 
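Review bot: several cues in this file carry a timestamp but no caption text (0:11:53.820,0:11:55.000; 0:13:48.870,0:13:53.800; 0:13:53.800,0:13:58.350; and the cues starting at 0:14:55.120, 0:15:53.600, 0:16:16.070, 0:16:20.070 and 0:16:56.180), so the "1 pass of human editing" has left untranscribed audio that a later editor cannot distinguish from genuine silence. Either fill them from the recording or put an explicit placeholder such as "[inaudible]" or "[laughter]" in the cue text so the gap is visible. A few cues also read as recognizer output rather than speech and deserve a second listen before they land, e.g. "+just smoke in the same crack", "+get your files with your supplier,", "+Tiger is an old I'm sorry, OSX"; and the word "platforms" is duplicated across the cue boundary at 0:12:08.929 ("16 official platforms" / "platforms. This is about half").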
@@ -0,0 +1,4426 @@ +0:00:05.950,0:00:10.409 +So I’d like to thank Jason for inviting me. +I have to say I feel + +0:00:10.409,0:00:11.909 +woefully unprepared + +0:00:11.909,0:00:15.719 +all the stuff I’ve been listening to, you pretty +much have to be a kernel developer here + +0:00:15.719,0:00:18.549 +it's not even enough to be like a normal committer I imagine + +0:00:18.549,0:00:21.519 +um you have to have invented something really cool + +0:00:21.519,0:00:23.069 +I'm here as a user + +0:00:23.069,0:00:27.199 +to try to take the loser off of it + +0:00:27.199,0:00:31.260 +I didn’t even boot into the BSD side of my laptop so + +0:00:31.260,0:00:34.290 +no rocks thrown up here + +0:00:34.290,0:00:36.120 +I wanted to talk about actually + +0:00:36.120,0:00:39.820 +how many people here had some kind of security responsibility + +0:00:39.820,0:00:41.660 +okay so wow that’s interesting + +0:00:41.660,0:00:43.530 +okay so there are a lot of security people here + +0:00:43.530,0:00:46.500 +I usually speak to security audiences + +0:00:46.500,0:00:47.430 +when I speak in + +0:00:47.430,0:00:49.019 +or when I spoke before at + +0:00:49.019,0:00:52.340 +BSD conferences it was usually on something + +0:00:52.340,0:00:54.490 +something I was doing with BSD + +0:00:54.490,0:00:56.409 +for security purposes so I kind of + +0:00:56.409,0:00:59.610 +had that same theme for today + +0:00:59.610,0:01:01.350 +so what we’ll talk about + +0:01:01.350,0:01:03.610 +just so you know I am I worked in a variety +of + +0:01:03.610,0:01:06.560 +I was in the military where I learned all this stuff + +0:01:06.560,0:01:10.050 +I work in commercial industry defense contractors + +0:01:10.050,0:01:12.490 +I worked for a small start up + +0:01:12.490,0:01:14.550 +out of Connecticut + +0:01:14.550,0:01:17.240 +you might have heard of us + +0:01:17.240,0:01:22.110 +we’ve lost like three hundred billion in market cap over +the last year it’s been an exciting ride + +0:01:22.110,0:01:25.230 +the ads 
general electric we get three hundred thousand users + +0:01:25.230,0:01:28.360 +um just a few security issues as you might +imagine + +0:01:28.360,0:01:30.590 +company that size + +0:01:30.590,0:01:31.689 +but what I’m going to talk about + +0:01:31.689,0:01:34.040 +uh first of all I’ll just do sort of a + +0:01:34.040,0:01:36.149 +intro of how I think about security + +0:01:36.149,0:01:40.470 +and why it drived me down the road of having +devices that I’ll talk about + +0:01:40.470,0:01:42.280 +and I’ll + +0:01:42.280,0:01:45.970 +I’m open to any questions it’s funny I was actually sitting +in front of a couple of guys who were asking me + +0:01:45.970,0:01:47.330 +we were talking about + +0:01:47.330,0:01:50.200 +that some of the software I’ll talk about he didn’t even +realize it was me + +0:01:50.200,0:01:51.120 +sitting at front + +0:01:51.120,0:01:53.039 +so if any point you have questions about + +0:01:53.039,0:01:54.940 +how we do things why we do things + +0:01:54.940,0:01:56.320 +please let me know + +0:01:56.320,0:01:59.179 +what I’m going to describe isn’t exactly what I do +with general electric + +0:01:59.179,0:02:02.390 +or at least it's not officially what I do at general +electric + +0:02:02.390,0:02:06.950 +but you can imagine that I just don’t come up with +this stuff in a vacuum and then present it obviously + +0:02:06.950,0:02:07.559 +it's + +0:02:07.559,0:02:12.199 +based on what I think works in various environments + +0:02:12.199,0:02:15.979 +so my job title is director of incident response + +0:02:15.979,0:02:19.930 +and what I tell people that they usually think of +oil spills or + +0:02:19.930,0:02:24.479 +you know Hazmat or something like that +its information security incidents + +0:02:24.479,0:02:28.349 +and I like to say that I’m as close to the problem +as you possibly could be + +0:02:28.349,0:02:30.639 +right and we have project managers who are + +0:02:30.639,0:02:32.890 +trying to create risk equations + +0:02:32.890,0:02:37.230 
+they're trying to figure out if I tweak this +knob it’ll result in more risk or less risk + +0:02:37.230,0:02:38.889 +I think that’s a whole bunch of + +0:02:38.889,0:02:40.069 +crap for the most part + +0:02:40.069,0:02:41.209 +%um + +0:02:41.209,0:02:46.189 +I deal with all the failures so I +deal with failure all around + +0:02:46.189,0:02:47.689 +I like to say that this + +0:02:47.689,0:02:51.709 +theory out there but the reality is when +okay you've got + +0:02:51.709,0:02:57.999 +dozens or hundreds or thousands of systems +that are compromised what do you do about that + +0:02:57.999,0:03:02.560 +so in some ways you might say that's actually +the worst possible place to do security is after it’s + +0:03:02.560,0:03:03.380 +failed but + +0:03:03.380,0:03:09.889 +in other ways maybe it's the best place because +you can see what's wrong and you can try to fix it + +0:03:09.889,0:03:14.539 +well you have to say what is security and I went +to the doctor one day and the doctor asked me questions + +0:03:14.539,0:03:15.469 +like well how do you feel + +0:03:15.469,0:03:17.629 +do you feel healthy + +0:03:17.629,0:03:19.190 +that's kind of like do you feel secure + +0:03:19.190,0:03:23.699 +so what is that even mean right I mean +if you think about health well you might say + +0:03:23.699,0:03:25.719 +how’s your blood pressure + +0:03:25.719,0:03:27.940 +well it’s under one hundred and twenty over eighty + +0:03:27.940,0:03:29.659 +that's sort of one data point + +0:03:29.659,0:03:33.119 +what about your cholesterol body mass index and so forth + +0:03:33.119,0:03:34.999 +the idea is that you have to measure something + +0:03:34.999,0:03:37.039 +and you have to get your data from somewhere + +0:03:37.039,0:03:40.040 +and what I find is that a lot of people who make +security decisions + +0:03:40.040,0:03:42.089 +are not getting data from anywhere + +0:03:42.089,0:03:43.559 +In fact + +0:03:43.559,0:03:45.450 +a lot of very high level security people + 
+0:03:45.450,0:03:48.560 +are getting data on the golf course when they're +talking to their fellow + +0:03:48.560,0:03:49.819 +CSIO’s about + +0:03:49.819,0:03:52.669 +hey what product are you buying from Cisco or this and that + +0:03:52.669,0:03:54.969 +and it’s completely disconnected from reality + +0:03:54.969,0:03:59.029 +and as a result nobody can tell whether they’re spending +any money on security that makes a difference + +0:03:59.029,0:04:00.339 +%um or how to get + +0:04:00.339,0:04:05.029 +how to get better + +0:04:05.029,0:04:08.849 +so like how many people here are sort of like involved in +federal security with like FISMA and stuff + +0:04:08.849,0:04:11.559 +like that that right + +0:04:11.559,0:04:12.510 +so I find all that to be the most frustrating thing possible + +0:04:12.510,0:04:15.409 +I don't deal with that because I’m in private industry + +0:04:15.409,0:04:18.889 +but I've commented on it quite a bit because I +have a blog + +0:04:18.889,0:04:22.469 +and I like to complain + +0:04:22.469,0:04:24.839 +so my feeling is that the FISMA folks + +0:04:24.839,0:04:27.910 +not be implement but the people who wrote the legislation +they tended + +0:04:27.910,0:04:29.889 +to focus on things like imput metrics + +0:04:29.889,0:04:30.930 +like do you have AV + +0:04:30.930,0:04:32.039 +do you have your patches + +0:04:32.039,0:04:34.499 +is the box configured properly + +0:04:34.499,0:04:35.889 +all those things of that nature + +0:04:35.889,0:04:39.610 +I call all those input metrics they really make no difference +as far as I'm concerned if you're truly trying to figure + +0:04:39.610,0:04:41.039 +out what the problem is + +0:04:41.039,0:04:42.510 +it's kind of like looking at a + +0:04:42.510,0:04:45.759 +sports teams let’s say an American football team + +0:04:45.759,0:04:47.240 +and you say well + +0:04:47.240,0:04:50.069 +input metrics would be like how tall are all the players + +0:04:50.069,0:04:51.939 +how fast do they run the forty + 
+0:04:51.939,0:04:53.330 +where did they go to school + +0:04:53.330,0:04:54.650 +you could look at all those things + +0:04:54.650,0:04:56.100 +but does that tell you what their + +0:04:56.100,0:04:58.549 +what their record was over the season + +0:04:58.549,0:05:01.250 +did they win the Super Bowl did they win their elite +championship + +0:05:01.250,0:05:03.669 +no those are those are all inputs right + +0:05:03.669,0:05:05.689 +I care about ouputs like + +0:05:05.689,0:05:08.810 +is this box is this box part of a bot net + +0:05:08.810,0:05:10.219 +no it’s not really Windows + +0:05:10.219,0:05:12.560 +%um + +0:05:12.560,0:05:13.900 +I could boot it into Windows but + +0:05:13.900,0:05:16.559 +I prefer to stay out of the bot net + +0:05:16.559,0:05:18.259 +did you + +0:05:18.259,0:05:22.669 +have an earnings report appear on the network share or +on a peer-to-peer network somewhere + +0:05:22.669,0:05:25.949 +that's that's an ouput that means you had a failure somewhere + +0:05:25.949,0:05:28.069 +do you have a system or network that’s unavailable + +0:05:28.069,0:05:29.720 +due to a Ddos attack + +0:05:29.720,0:05:31.060 +these are all outputs so + +0:05:31.060,0:05:32.710 +I try to focus on these + +0:05:32.710,0:05:36.459 +I really don't care so much about that I think +these can influence these + +0:05:36.459,0:05:40.539 +these are the things that I I care about + +0:05:40.539,0:05:44.129 +and just to step a +little bit out and change the way you might think + +0:05:44.129,0:05:48.619 +about this there was a good article in The Economist last +year where they talked about people who are + +0:05:48.619,0:05:49.410 +trying to make + +0:05:49.410,0:05:50.949 +policy decisions + +0:05:50.949,0:05:53.150 +about health policy in Africa + +0:05:53.150,0:05:55.500 +and it's a safe thing with security + +0:05:55.500,0:05:58.349 +right actually kind of what I like about seeing the +developers here is that in the last talk there was + +0:05:58.349,0:06:01.030 +lots of 
discussions about + +0:06:01.030,0:06:05.289 +you made this change and you get a five percent difference +or you made this change and you get a ten percent difference + +0:06:05.289,0:06:07.019 +none of that happens in security + +0:06:07.019,0:06:09.249 +it's all well we’ll deploy this and see what happens + +0:06:09.249,0:06:12.129 +actually it’s not even that we’ll deploy this + +0:06:12.129,0:06:13.900 +not even let's see what happens + +0:06:13.900,0:06:16.000 +there’s not even a test to see if it made any difference + +0:06:16.000,0:06:17.230 +so what I try to + +0:06:17.230,0:06:18.640 +focus on in my job + +0:06:18.640,0:06:20.739 +at GE is + +0:06:20.739,0:06:22.489 +let's do some tests like + +0:06:22.489,0:06:24.120 +the company is big enough + +0:06:24.120,0:06:26.680 +why don't we have part of the company + +0:06:26.680,0:06:27.699 +run + +0:06:27.699,0:06:29.539 +with no local admin on the desktop + +0:06:29.539,0:06:31.309 +and another part + +0:06:31.309,0:06:34.060 +continuing to run its local admin I didn’t say that +out loud sorry + +0:06:34.060,0:06:36.139 +and then compare and see what the infection rates are + +0:06:36.139,0:06:39.449 +and guess what I bet the ones with local admin +are going to be a hell of a lot worse + +0:06:39.449,0:06:42.199 +and there’s been some recent studies that have +shown that that's the case + +0:06:42.199,0:06:44.780 +so you can run these sort of policy-based trials + +0:06:44.780,0:06:46.100 +and figure out what you should do + +0:06:46.100,0:06:47.880 +then I can go talk to my boss and be like look + +0:06:47.880,0:06:51.900 +this part of the company that runs with local admin +they’re ten times worse than everybody else + +0:06:51.900,0:06:54.849 +and even better I can say it's costing us ten +times more + +0:06:54.849,0:06:56.529 +then we can make a change + +0:06:56.529,0:06:57.770 +but in order to do that you have to have + +0:06:57.770,0:06:58.740 +some kind of measurements + +0:06:58.740,0:07:01.349 
+you’re going to have data come from somewhere + +0:07:01.349,0:07:04.810 +and I like to say that I call this management +by fact not by belief + +0:07:04.810,0:07:06.479 +the there's a lot like + +0:07:06.479,0:07:08.860 +security people are very religious + +0:07:08.860,0:07:09.589 +we have this + +0:07:09.589,0:07:11.819 +idea of what should be and what shouldn’t be + +0:07:11.819,0:07:18.049 +and it's all because we don't think usually +measure what works which is unfortunate + +0:07:18.049,0:07:21.770 +so I’m all about visibility I want to find out what's +going on + +0:07:21.770,0:07:24.939 +and the reason I think about it this way is +I think in the air force + +0:07:24.939,0:07:26.990 +we have this thing called OODA loop + +0:07:26.990,0:07:31.849 +and if you’ve ever seen my hands doing this it’s because +I'm reliving my air force days flying around in my F-16 + +0:07:31.849,0:07:35.000 +not really I only flew once in the F-16 and +once in the F-15 + +0:07:35.000,0:07:35.770 +but + +0:07:35.770,0:07:39.219 +when I would talk to the fighter pilots they would talk +about having this thing the OODA loop + +0:07:39.219,0:07:41.400 +and it came out + +0:07:41.400,0:07:43.539 +like I’m thinking before the first gulf war + +0:07:43.539,0:07:45.270 +and the idea was you’re in your + +0:07:45.270,0:07:46.599 +F-16 + +0:07:46.599,0:07:48.110 +and you want to win the fight so + +0:07:48.110,0:07:50.159 +the first thing you do is look out the window + +0:07:50.159,0:07:51.389 +you see what's going on + +0:07:51.389,0:07:52.999 +that's your observation + +0:07:52.999,0:07:57.409 +and then you orient and you figure out well where am +I in relation to where the bad guys are + +0:07:57.409,0:08:02.359 +then you make a decision like okay is there’s a bad guy +I better roll over and shoot it down + +0:08:02.359,0:08:04.269 +and then you take the action + +0:08:04.269,0:08:06.009 +the problem we have with security + +0:08:06.009,0:08:06.849 +is that + +0:08:06.849,0:08:07.930 
+there's none of this + +0:08:07.930,0:08:09.269 +there’s no observe and orient + +0:08:09.269,0:08:11.749 +there’s only decide and act + +0:08:11.749,0:08:13.549 +so we have no idea what's happening + +0:08:13.549,0:08:16.030 +but we're told that to do things so we buy stuff + +0:08:16.030,0:08:16.930 +we deploy it + +0:08:16.930,0:08:18.699 +and we just keep doing that over and over again + +0:08:18.699,0:08:22.679 +and we never figure out if it makes any difference + +0:08:22.679,0:08:24.219 +the unfortunate thing is if you do + +0:08:24.219,0:08:27.599 +stumble upon something that works it's +usually luck + +0:08:27.599,0:08:29.809 +%uh as opposed to + +0:08:31.029,0:08:37.780 +figuring it out by observation and orientation +what you should be doing + +0:08:37.780,0:08:41.870 +so this is probably my favorite description + +0:08:41.870,0:08:45.120 +of security period + +0:08:45.120,0:08:49.830 +my aplogies to my European friends this +is the football poll security + +0:08:49.830,0:08:54.710 +but this is what I believe that I've seen +this just for years and years and years + +0:08:54.710,0:08:56.919 +the idea is you’re told + +0:08:56.919,0:08:58.750 +or you read in a magazine + +0:08:58.750,0:09:00.660 +or you talk to your buddy + +0:09:00.660,0:09:02.180 +about something bad + +0:09:02.180,0:09:06.090 +and you assume that that bad thing that's +happening it must be happening at your location + +0:09:06.090,0:09:06.540 +too + +0:09:06.540,0:09:09.190 +and sometimes it is but sometimes it isn’t + +0:09:09.190,0:09:12.330 +and so you run around and you spend all this time +on one area + +0:09:12.330,0:09:15.680 +while meanwhile you could be completely all about +something different + +0:09:15.680,0:09:19.650 +and I first started thinking about this in 2000 2001 + +0:09:19.650,0:09:21.800 +where there were some guys in Finland + +0:09:21.800,0:09:27.060 +who did this huge innumeration they were doing some of the +first fuzzing work against SMTP + 
+0:09:27.060,0:09:27.849 +it was called the + +0:09:27.849,0:09:29.000 +protos toolkit + +0:09:29.000,0:09:32.140 +and they did all this work in and they found that +basically everybody's SMTP + +0:09:32.140,0:09:33.970 +implementation was really bad + +0:09:33.970,0:09:35.640 +and they were all vulnerable + +0:09:35.640,0:09:37.430 +and the whole world was going to end because + +0:09:37.430,0:09:40.610 +SMTP vulnerabilities existed everywhere + +0:09:40.610,0:09:43.769 +well I don’t know if everybody was around back then +so they're looking at these things + +0:09:43.769,0:09:45.470 +but did the world end in 2001 + +0:09:45.470,0:09:47.690 +with SMTP + +0:09:47.690,0:09:48.940 +absolutely not + +0:09:48.940,0:09:51.259 +so while a lot of effort was spent on + +0:09:51.259,0:09:54.350 +spending all this time fixing SMTP implementations + +0:09:54.350,0:09:55.750 +when the bad guys really weren’t + +0:09:55.750,0:09:57.240 +taking advantage of it + +0:09:57.240,0:10:00.740 +so this is what I feel like is happening with +security now we're told about + +0:10:00.740,0:10:03.340 +this is the one that really kills me is + +0:10:03.340,0:10:04.769 +insider threats + +0:10:04.769,0:10:05.819 +oh they’re insider threats they're so bad + +0:10:05.819,0:10:08.890 +this in that and so you spend all your time over +here and you’re like + +0:10:08.890,0:10:13.750 +paying attention to your own employees you’re violating +their rights and their privacy + +0:10:13.750,0:10:15.100 +and meanwhie you got like + +0:10:15.100,0:10:16.899 +Romanians and Russians and Chinese and + +0:10:16.899,0:10:17.829 +every other + +0:10:17.829,0:10:20.380 +hacker in the world inside your company + +0:10:20.380,0:10:21.980 +that you can't do anything about + +0:10:21.980,0:10:25.590 +unless you know unless you actually do something + +0:10:25.590,0:10:28.030 +so my goal is to + +0:10:28.030,0:10:30.819 +get it so this guy he's looking at the right +spot + +0:10:30.819,0:10:33.040 +so at least he 
has a chance + +0:10:33.040,0:10:36.010 +right he doesn’t even have a chance if he’s looking +over there at least if you can sort of + +0:10:36.010,0:10:38.279 +orient and say okay well here’s this threat + +0:10:38.279,0:10:40.210 +here's what I need to do about it + +0:10:40.210,0:10:42.430 +you have a chance you still might get scored on right + +0:10:42.430,0:10:43.830 +but at least you can say + +0:10:43.830,0:10:47.330 +I had a fighting chance many organizations +when I was a consultant + +0:10:47.330,0:10:48.619 +I would drop into + +0:10:48.619,0:10:51.690 +and they didn't even have a fighting chance +there was just no + +0:10:51.690,0:10:56.310 +I would call them you know indefensible networks + +0:10:56.310,0:11:01.160 +to use a Cisco term I would call them self-defeating networks + +0:11:01.160,0:11:06.490 +self-defending anyway + +0:11:06.490,0:11:12.610 +yeah + +0:11:12.610,0:11:16.890 +the network part of ours sure + +0:11:16.890,0:11:19.110 +so yeah isn’t it interesting the self-defending network what +does that imply zero head count + +0:11:19.110,0:11:21.089 +that is the truth behind Cisco's vision + +0:11:21.089,0:11:23.370 +and think about it they sell it to every CIO + +0:11:23.370,0:11:25.080 +the CIO is like yeah + +0:11:25.080,0:11:27.970 +the network takes care of itself + +0:11:27.970,0:11:31.990 +oh yeah that means you you you you bye bye + +0:11:31.990,0:11:33.890 +and that's sort of the model that + +0:11:33.890,0:11:34.980 +I mean think about it + +0:11:34.980,0:11:37.140 +what business owner with would + +0:11:37.140,0:11:39.720 +not want to operate zero staff + +0:11:39.720,0:11:41.290 +if you could still make money + +0:11:41.290,0:11:43.050 +and no people + +0:11:43.050,0:11:43.930 +oh that's great + +0:11:43.930,0:11:49.920 +maybe you just have robots or something right don't they +don’t complain + +0:11:49.920,0:11:50.850 +So anwyay wow + +0:11:50.850,0:11:51.909 +that came out of nowhere + +0:11:51.909,0:11:53.300 +but %uh + 
+0:11:53.300,0:11:56.449 +that's what I see with a lot of things is a %uh + +0:11:56.449,0:11:58.980 +presumption that you just buy products right you +don't actually + +0:11:58.980,0:12:00.960 +invest in people so + +0:12:00.960,0:12:03.049 +back to this whole idea of visibility the question is + +0:12:03.049,0:12:04.089 +well where should you try to get visibility + +0:12:05.259,0:12:07.750 +and I’ll talk about what kind of visibility + +0:12:07.750,0:12:11.680 +well the model that I use is to establish trust +boundaries first and what’s interesting about + +0:12:11.680,0:12:13.160 +using a trust boundary approach is + +0:12:13.160,0:12:14.420 +it can apply anywhere + +0:12:14.420,0:12:16.910 +I use a network example here because + +0:12:16.910,0:12:19.170 +it's a low-cost way to do it + +0:12:19.170,0:12:21.220 +but you can apply trust boundaries + +0:12:21.220,0:12:22.790 +on a system + +0:12:22.790,0:12:24.010 +within an application + +0:12:24.010,0:12:26.400 +I mean there’s lots of different places that you can apply +trust boundaries + +0:12:26.400,0:12:28.849 +the idea is though once you establish trust boundaries + +0:12:28.849,0:12:29.829 +start watching + +0:12:29.829,0:12:31.150 +something there + +0:12:31.150,0:12:33.010 +so I’m going to use a network example but you could + +0:12:33.010,0:12:35.540 +you know apply it someplace else + +0:12:35.540,0:12:37.050 +so what I do is I + +0:12:37.050,0:12:39.600 +the general process is I identify my trust boundaries + +0:12:39.600,0:12:41.280 +I apply some instrumentation + +0:12:41.280,0:12:43.620 +and then I collect analyse and escalate + +0:12:43.620,0:12:46.000 +%uh collect meaning I get the information + +0:12:46.000,0:12:48.420 +analyse I look at it figure out what it means + +0:12:48.420,0:12:48.889 +escalate + +0:12:48.889,0:12:53.920 +is take it to somebody who cares + +0:12:53.920,0:12:57.420 +surprisingly difficult to find those people +in many + +0:12:57.420,0:12:57.980 +enterprises + 
+0:12:57.980,0:13:00.020 +I came from the DOD where + +0:13:00.020,0:13:02.649 +if we found a single machine that was compromised + +0:13:02.649,0:13:03.730 +that was an incident + +0:13:03.730,0:13:05.889 +and it could be reported all the way up to some +general + +0:13:05.889,0:13:07.339 +who would be on the phone + +0:13:07.339,0:13:10.580 +like barking orders that you need to fix this +within + +0:13:10.580,0:13:12.440 +hours or days or whatever it was + +0:13:12.440,0:13:14.250 +to private industry + +0:13:14.250,0:13:15.100 +where + +0:13:15.100,0:13:17.660 +you finding a compromise computer + +0:13:17.660,0:13:22.200 +and the response could be + +0:13:22.200,0:13:23.370 +eh what can they do + +0:13:23.370,0:13:26.790 +well they can access any machine that’s in this domain + +0:13:26.790,0:13:28.220 +well have they + +0:13:28.220,0:13:33.670 +%uh because I just got here I can't tell yet + +0:13:33.670,0:13:35.949 +I really don't know if we have to care about +this right + +0:13:35.949,0:13:39.520 +the only thing that’s changed that recently has been the +disclosure laws + +0:13:39.520,0:13:44.180 +because there are some disclosure laws that say if +it's possible that they could have stolen the data + +0:13:44.180,0:13:45.300 +you need to report + +0:13:45.300,0:13:47.570 +so that's changed the equation + +0:13:47.570,0:13:48.140 +dramatically + +0:13:48.140,0:13:52.940 +right it used to be in fact I worked some big +cases years ago where it was like + +0:13:52.940,0:13:56.940 +well you guys signed an NDA with us right yeah we +did + +0:13:56.940,0:13:58.120 +right well just bye bye + +0:13:58.120,0:13:59.860 +see you later + +0:13:59.860,0:14:02.270 +okay great alright well I’m glad I’m not a customer + +0:14:02.270,0:14:08.190 +at this place + +0:14:08.190,0:14:12.019 +I didn’t responded there I bank with Bank of America and the +reason I bank with Bank of America + +0:14:12.019,0:14:13.980 +is I know the guy who runs security there + 
+0:14:13.980,0:14:16.100 +and he does this + +0:14:16.100,0:14:17.340 +so of course + +0:14:17.340,0:14:18.640 +I still think he has a job + +0:14:18.640,0:14:19.739 +now that I think about it + +0:14:19.739,0:14:21.390 +has he been replaced by a robot + +0:14:22.410,0:14:24.490 +no he hasn’t been replaced by a robot + +0:14:24.490,0:14:26.810 +maybe his minions have been replaced by + +0:14:26.810,0:14:28.590 +Perl strips but + +0:14:28.590,0:14:32.010 +he’s still there + +0:14:32.010,0:14:34.010 +so this is my general process + +0:14:35.130,0:14:38.570 +and it’s funny people have probably heard about building security in + +0:14:38.570,0:14:42.620 +that's like trying to make things more secure +have been trying to do that for like twenty years + +0:14:42.620,0:14:44.240 +it just doesn't work + +0:14:44.240,0:14:48.910 +so I would say let’s monitor first because at least when you monitor you can tell that something bad is happening + +0:14:48.910,0:14:52.000 +if you just say build security in and walk away + +0:14:52.000,0:14:52.730 +then you’re in trouble + +0:14:52.730,0:14:56.250 +what I find is that in any product you have +this cycle + +0:14:56.250,0:14:59.020 +where you start out with a feature + +0:14:59.020,0:15:03.140 +and then the features proliferate and you need to manage them + +0:15:03.140,0:15:06.689 +and then somebody’s like oh yeah we need to apply +some security to that + +0:15:06.689,0:15:10.150 +and then finally check to see if it works when really +it should be the other way + +0:15:10.150,0:15:11.500 +figure out what’s out there + +0:15:11.500,0:15:13.230 +build a security policy for it + +0:15:13.230,0:15:14.080 +manage it + +0:15:14.080,0:15:19.330 +and then introduce the feature but that's +not how it’s done + +0:15:19.330,0:15:23.340 +I wanted to mention here some I just want +to put this on the table before I go into my + +0:15:23.340,0:15:24.970 +next part because these are they + +0:15:24.970,0:15:26.800 +%uh criticisms I usually hear 
+ +0:15:26.800,0:15:31.220 +so let's just mention them now so if I’m taking some kind of +a network-centric approach to + +0:15:31.220,0:15:32.460 +security + +0:15:32.460,0:15:35.090 +the first thing we’re always told is well what about the +cloud + +0:15:35.090,0:15:39.440 +and this is very interesting %uh I work really +closely with the guy does the cloudsecurity.org + +0:15:39.440,0:15:40.870 +blog + +0:15:40.870,0:15:44.800 +and %uh he's he's a fellow employee with +me is that we always considering this because + +0:15:44.800,0:15:45.380 +we’re + +0:15:45.380,0:15:48.260 +putting more and more of our stuff in the cloud + +0:15:48.260,0:15:49.140 +and if your + +0:15:49.140,0:15:50.630 +window to the cloud + +0:15:50.630,0:15:53.530 +is an SSL encrypted pipe + +0:15:53.530,0:15:58.430 +%um it doesn't help me too much to inpsect it at the +network level right + +0:15:58.430,0:16:00.129 +so we're going to have to push our cloud vendors + +0:16:00.129,0:16:02.769 +to provide the visibility for us + +0:16:02.769,0:16:04.650 +oh boy that’s really happening + +0:16:04.650,0:16:10.110 +try getting good logs out of any of the cloud buyers +it is absolutely horrible they they don't + +0:16:10.110,0:16:14.150 +they don't want to store them they don't want +to provide you the data in any format that’s useful + +0:16:14.150,0:16:17.710 +if they provide you with anything it's generally +performance metrics like + +0:16:17.710,0:16:20.580 +we cleaned ten billion of your emails today + +0:16:20.580,0:16:23.159 +oh that’s wonderful that’s great you know I don’t care + +0:16:23.159,0:16:24.660 +I don’t care how many emails you cleaned + +0:16:24.660,0:16:26.660 +I want to know about + +0:16:26.660,0:16:28.660 +which ones came from this + +0:16:28.660,0:16:30.650 +%uh a person who + +0:16:30.650,0:16:32.519 +was phishing us + +0:16:32.519,0:16:36.600 +and you know got control of some of our systems and +so forth + +0:16:36.600,0:16:38.400 +virtualisation is obviously an issue + 
+0:16:38.400,0:16:40.100 +%um if you think about + +0:16:40.100,0:16:42.290 +in a one-machine + +0:16:42.290,0:16:43.230 +one + +0:16:43.230,0:16:44.460 +platform world + +0:16:44.460,0:16:47.260 +any time two machines talk you can potentially see the +traffic + +0:16:47.260,0:16:50.370 +what happens when you have a hundred machines all on one +platform + +0:16:50.370,0:16:54.350 +unless you instrument the virtual machine +itself + +0:16:54.350,0:16:57.539 +you know one hundred machines could all be infected an +talking to each other and stuff but + +0:16:57.539,0:16:59.219 +the way I deal with that is + +0:16:59.219,0:17:01.649 +unless the bad guy is also inside the VM + +0:17:01.649,0:17:03.370 +like he lives in it + +0:17:03.370,0:17:07.810 +you can see him because generally the people +you care about are on another continent + +0:17:07.810,0:17:08.590 +so + +0:17:08.590,0:17:09.490 +I mean it could be + +0:17:09.490,0:17:11.390 +somewhere else in the united states obviously but for + +0:17:11.390,0:17:14.449 +the most part like if someone were to compromise +my machine + +0:17:14.449,0:17:16.439 +unless they physically walk up to it and touch it + +0:17:16.439,0:17:19.040 +there will be some network traffic that reaches out + +0:17:19.040,0:17:19.959 +and generally that’s enough + +0:17:19.959,0:17:22.339 +to tell that there’s a problem + +0:17:22.339,0:17:28.080 +so maybe the fastest way to tell if there’s a +kernel rootkit on a system + +0:17:28.080,0:17:29.720 +it’s for the system to look normal + +0:17:29.720,0:17:32.380 +but to have it to be beaconing out to + +0:17:32.380,0:17:34.160 +you know take your pick of rogue country + +0:17:34.160,0:17:37.560 +so that that's a very effective way to +use to find stuff + +0:17:37.560,0:17:41.020 +And of course you’ve got your non-traditional +platforms + +0:17:41.020,0:17:43.580 +you know I’ve got my Blackberry here I absolutely love it + +0:17:43.580,0:17:46.910 +but I would love to be able sniff the traffic 
+going to and from it + +0:17:46.910,0:17:47.270 +because + +0:17:47.270,0:17:50.690 +who knows who’s sitting on my Blackberry right now + +0:17:50.690,0:17:51.650 +I really don't know + +0:17:51.650,0:17:52.550 +and that kills me + +0:17:52.550,0:17:53.889 +it kills me kills me kills me + +0:17:53.889,0:17:55.090 +that I cannot + +0:17:55.090,0:17:57.809 +find an interface sniff traffic on it and see +what's happening + +0:17:57.809,0:18:00.080 +or somehow get between the wireless + +0:18:00.080,0:18:03.670 +watch the traffic and see what's happening + +0:18:03.670,0:18:06.110 +so that to me it's a big issue + +0:18:06.110,0:18:08.399 +and we’ve got all these crazy European privacy laws + +0:18:08.399,0:18:11.690 +I can’t collect anything in that whole continent + +0:18:11.690,0:18:13.690 +not true it kills me though it's kind of difficult + +0:18:13.690,0:18:15.830 +%um you’ve got this tension between + +0:18:15.830,0:18:20.570 +%uh it's interesting Europeans tend to have very +strong collection laws like you have to keep logs for a + +0:18:20.570,0:18:22.380 +certain period of time + +0:18:22.380,0:18:24.830 +but at the same time they have very strong privacy laws + +0:18:24.830,0:18:27.760 +so this is a tension there + +0:18:27.760,0:18:29.870 +skilled resources I don't know about you but +it + +0:18:29.870,0:18:33.410 +even with the downturn it's tough to find +good security people I think + +0:18:33.410,0:18:36.540 +there's a lot of people who come out with +their Cisco certified + +0:18:36.540,0:18:37.410 +whatever + +0:18:37.410,0:18:39.330 +and they don't know the first thing about + +0:18:39.330,0:18:42.420 +how to actually secure anything which is tough + +0:18:42.420,0:18:46.270 +and then finally we see this quite often in software + +0:18:46.270,0:18:47.149 +security space + +0:18:47.149,0:18:49.820 +a lot of the tools that are out there were +built for + +0:18:49.820,0:18:50.370 +developers + +0:18:50.370,0:18:52.850 +and for performance and not for 
security + +0:18:52.850,0:18:54.470 +So you see people using tools + +0:18:54.470,0:19:00.280 +to disassemble malware that were built +for reverse engineering for software purposes + +0:19:00.280,0:19:04.150 +and not for security purposes + +0:19:04.150,0:19:05.960 +anyway so what I’m going to talk about briefly + +0:19:05.960,0:19:06.980 +is not new + +0:19:06.980,0:19:08.840 +I was actually cleaning out + +0:19:08.840,0:19:11.240 +an old drive and I found this presentation + +0:19:11.240,0:19:13.120 +from 2000 + +0:19:13.120,0:19:16.150 +I used to give this briefing when I was in + +0:19:16.150,0:19:18.250 +the air force cert + +0:19:18.250,0:19:20.510 +and we would talk about the history of our +unit + +0:19:20.510,0:19:22.520 +and back in 1993 + +0:19:22.520,0:19:25.910 +we were deploying what we call network security +monitoring systems + +0:19:25.910,0:19:26.720 +and + +0:19:26.720,0:19:28.810 +the NSN term + +0:19:28.810,0:19:29.309 +comes from + +0:19:29.309,0:19:33.490 +the first network based IDS that taught + +0:19:33.490,0:19:35.400 +he wrote it in UC Davis in ‘89 + +0:19:35.400,0:19:39.520 +so this is wow that’s twenty years I feel +freaking old right now + +0:19:39.520,0:19:39.979 +it’s amazing + +0:19:39.979,0:19:40.820 +so + +0:19:40.820,0:19:44.170 +so this is not a new thing and I wrote a book about this +in 2004 so + +0:19:44.170,0:19:45.230 +that's five years + +0:19:45.230,0:19:46.540 +ago now so + +0:19:46.540,0:19:50.470 +this is not new the funny thing is vendors +is finally start to catch up with it + +0:19:50.470,0:19:56.750 +and they call them network forensic appliances +and they charge you fifty thousand dollars + +0:19:56.750,0:20:02.110 +for the enterprise that’s right + +0:20:02.110,0:20:04.870 +yeah enterprise means expensive + +0:20:04.870,0:20:06.260 +I like that + +0:20:06.260,0:20:07.480 +that’s good + +0:20:07.480,0:20:09.100 +and GUI that's right + +0:20:09.100,0:20:13.610 +and somebody you can complain to who can’t really 
answer +your problems + +0:20:13.610,0:20:17.320 +alright so I present this because I don’t want to take credit +for this approach + +0:20:18.649,0:20:19.789 +because + +0:20:19.789,0:20:22.590 +people we were doing this I came in around here + +0:20:22.590,0:20:24.210 +but we were doing this earlier + +0:20:24.210,0:20:27.480 +so I learned from people who invented this stuff + +0:20:27.480,0:20:30.779 +you know wow that's like fifteen years ago + +0:20:30.779,0:20:35.279 +alright so why network censors + +0:20:35.279,0:20:40.080 +I have to say some of the artwork I saw in these +presentations were so awesome I feel that mine’s + +0:20:40.080,0:20:40.800 +terrible I mean it was + +0:20:40.800,0:20:45.840 +the lego stuff that was great I need to do like a +little lego pyramid + +0:20:45.840,0:20:48.000 +I really like that but this is different + +0:20:50.210,0:20:55.030 +I wondered where you got your bricks from I have to like +raid my kids lego + +0:21:05.990,0:21:07.820 +that is funny that is good though I’m a visual + +0:21:07.820,0:21:13.250 +I was right in there with the bricks + +0:21:13.250,0:21:14.179 +so + +0:21:14.179,0:21:19.730 +I call this my top security enterprise trust pyramid + +0:21:19.730,0:21:24.180 +I ripped this out of something I used to do when +I was a consultant + +0:21:24.180,0:21:26.990 +and basically it’s a justification for why it’s good to have +network censors and the idea is this + +0:21:26.990,0:21:28.980 +this is the least trusted part and this is the most trusted + +0:21:31.419,0:21:34.279 +that's low user interaction and this is high user interaction + +0:21:34.279,0:21:36.769 +and this also in terms of the numbers of devices + +0:21:36.769,0:21:39.059 +so in an enterprise you tend to have the most + +0:21:39.059,0:21:40.630 +user platforms + +0:21:40.630,0:21:43.840 +desktops laptops phones all that kind of stuff + +0:21:43.840,0:21:45.980 +above that you have servers + +0:21:45.980,0:21:47.550 +above that you have 
infrastructure + +0:21:47.550,0:21:53.920 +%um routers firewalls things like that and above +that you have censors + +0:21:53.920,0:21:55.550 +so I trust these the least + +0:21:55.550,0:21:56.350 +because + +0:21:56.350,0:21:57.920 +well because there are these + +0:21:57.920,0:21:59.390 +users + +0:21:59.390,0:22:01.800 +right and users are doing things like + +0:22:01.800,0:22:03.440 +interacting with the system + +0:22:03.440,0:22:06.229 +if they didn’t interact with the system I would +probably trust it more + +0:22:06.229,0:22:08.090 +but because they’re on the system + +0:22:08.090,0:22:09.950 +they could be running as an admin + +0:22:09.950,0:22:11.850 +they're going to all these + +0:22:11.850,0:22:13.620 +you know malicious web sites + +0:22:13.620,0:22:15.770 +even normal web sites + +0:22:15.770,0:22:18.940 +that have been owned or are injecting malicious job descripts +or whatever + +0:22:18.940,0:22:21.430 +so the more user interaction there is + +0:22:21.430,0:22:24.889 +the less likely I’m going to trust what +the system tells me + +0:22:24.889,0:22:26.600 +so why get on a system and I say + +0:22:26.600,0:22:29.680 +tell me how you're feeling you know what your +state + +0:22:29.680,0:22:34.190 +I'm not going to trust that system eighty +is generally worthless + +0:22:34.190,0:22:36.960 +you have to get outside of the this is +the key point + +0:22:36.960,0:22:41.070 +you have to get away from these things you +have to get outside the system to get of you + +0:22:41.070,0:22:41.970 +whether or not + +0:22:41.970,0:22:43.520 +you should trust it + +0:22:43.520,0:22:44.750 +but that's not the case right + +0:22:44.750,0:22:49.260 +we're moving more and more to pushing all the security +down to the end point + +0:22:49.260,0:22:50.560 +so like my laptop defends itself + +0:22:50.560,0:22:52.380 +my phone defends itself + +0:22:52.380,0:22:53.869 +guess what if they fail + +0:22:53.869,0:22:56.950 +the whole model fails as well + 
+0:22:56.950,0:23:00.110 +so above this we have servers I +trust servers a little bit more + +0:23:00.110,0:23:01.710 +because if you're a good admin + +0:23:01.710,0:23:03.019 +you're not surfing + +0:23:03.019,0:23:06.370 +MySpace on your Windows server + +0:23:06.370,0:23:08.070 +right well you’re not on a Windows server + +0:23:08.070,0:23:13.590 +but well you can admin on a Windows server +but you know what I mean + +0:23:13.590,0:23:16.710 +well because I think that's right that's true + +0:23:16.710,0:23:18.960 +above that you have infrastructure + +0:23:18.960,0:23:20.140 +no one should be + +0:23:20.140,0:23:21.530 +in general + +0:23:21.530,0:23:24.050 +like no user is directly + +0:23:24.050,0:23:25.450 +dealing with a firewall + +0:23:25.450,0:23:27.309 +if a user is logging into a firewall + +0:23:27.309,0:23:28.980 +there’s a problem right + +0:23:28.980,0:23:32.080 +a user doesn't necessarily log into a server but he uses +services on the server right + +0:23:32.080,0:23:34.840 +so I tend to trust this even more + +0:23:34.840,0:23:38.330 +because you just can't touch them + +0:23:38.330,0:23:43.230 +the number of people who deal with the infrastructure in +general is smaller than the number of people who deal +with servers + +0:23:43.230,0:23:46.150 +and in many cases the infrastructure is completely + +0:23:46.150,0:23:48.630 +you know invisible + +0:23:48.630,0:23:52.890 +alright how many people like interact with a router when +you're sending traffic through + +0:23:52.890,0:23:54.970 +no you know it passes traffic + +0:23:54.970,0:23:57.520 +same with the firewall blocks it allows it whatever + +0:23:57.520,0:23:58.649 +so I tend to trust + +0:23:58.649,0:24:01.600 +what this will tell me even more because there's +less user action + +0:24:01.600,0:24:03.690 +the final stage here is my sensor + +0:24:03.690,0:24:06.390 +the sensors completely pass it + +0:24:06.390,0:24:09.210 +most of the people in the company might not even know it +exists + 
+0:24:09.210,0:24:11.139 +which is which is good in most cases + +0:24:11.139,0:24:14.760 +unless you want a deterrent effect + +0:24:14.760,0:24:16.390 +so I can get data from the sensor + +0:24:16.390,0:24:18.390 +typically like in my team + +0:24:18.390,0:24:21.960 +there's only two people that even know the route +password + +0:24:21.960,0:24:24.270 +we could heavily defend these things + +0:24:24.270,0:24:26.159 +we can have them defend + +0:24:26.159,0:24:27.549 +each other + +0:24:27.549,0:24:28.620 +like watch each other + +0:24:28.620,0:24:31.529 +so I tend to have a very very high confidence to +what the sensor is telling me + +0:24:31.529,0:24:33.530 +as opposed to + +0:24:33.530,0:24:35.180 +what a user platform is telling me + +0:24:35.180,0:24:35.980 +so if I’m + +0:24:35.980,0:24:37.799 +if I’m on a user platform + +0:24:37.799,0:24:41.290 +and I'm looking around for evidence of a rootkit +and I see nothing + +0:24:41.290,0:24:44.140 +but up here in my sensor showing traffic going by + +0:24:44.140,0:24:47.220 +out to some site in Brazil + +0:24:47.220,0:24:48.490 +then I can say + +0:24:48.490,0:24:50.070 +alright we have a problem here + +0:24:50.070,0:24:51.120 +so this is why I like + +0:24:51.120,0:24:54.020 +to itroduce these sorts of devices + +0:24:54.020,0:24:55.070 +let me talk a little bit + +0:24:55.070,0:24:55.959 +to about + +0:24:55.959,0:24:57.560 +least trusted and most trusted + +0:24:57.560,0:24:59.840 +if you had to rank operating systems here + +0:24:59.840,0:25:01.830 +would you put Windows up here + +0:25:01.830,0:25:02.899 +and BSD here + +0:25:02.899,0:25:06.150 +or the other way around right + +0:25:06.150,0:25:11.010 +so I like to use BSD especially for my sensors + +0:25:11.010,0:25:13.510 +because I introduce what we call a technology gap + +0:25:13.510,0:25:16.789 +my company we use a lot of Windows as you +might imagine + +0:25:16.789,0:25:19.230 +and we use a lot of Linux + +0:25:19.230,0:25:22.820 +we don't use a lot 
of BSD in fact I’m +probably the only BSD + +0:25:22.820,0:25:24.770 +shop in the company that I know of + +0:25:24.770,0:25:25.729 +but that's good + +0:25:25.729,0:25:28.090 +because if you’re a bad guy and you get inside the company + +0:25:28.090,0:25:31.850 +and you root our Windows infrastructure and you root our +Linux infrastructure + +0:25:31.850,0:25:34.420 +and then you find some BSD boxes + +0:25:34.420,0:25:36.530 +and we administer them ourselves + +0:25:36.530,0:25:39.020 +it's going to take a lot more work to get +into this + +0:25:39.020,0:25:41.930 +and we’re probably did notice when you're trying +to get into our systems + +0:25:41.930,0:25:44.220 +so it does not make sense and I’ve seen + +0:25:44.220,0:25:47.450 +we get a lot of pressure on this internally +and I’ve seen it in other companies + +0:25:47.450,0:25:49.740 +to have our sensing + +0:25:49.740,0:25:50.180 +infrastructure + +0:25:50.180,0:25:53.679 +be integrated with the rest of the company +infrastructure + +0:25:53.679,0:25:54.930 +right oh just have you know + +0:25:54.930,0:25:58.190 +have our hosted Linux service + +0:25:58.190,0:26:00.059 +where you know you can have + +0:26:00.059,0:26:01.870 +potentially all these admins you don't know + +0:26:01.870,0:26:04.960 +on another continent logging into your devices + +0:26:04.960,0:26:07.280 +no way you know I want a gap I want + +0:26:07.280,0:26:09.580 +the stuff that we have to protect + +0:26:09.580,0:26:10.730 +not be + +0:26:10.730,0:26:12.470 +the same as what’s using + +0:26:12.470,0:26:13.170 +or not be + +0:26:13.170,0:26:15.740 +the same systems that we’re using to watch this + +0:26:15.740,0:26:16.729 +so I introduced BSD as + +0:26:16.729,0:26:18.540 +as a new operating system to + +0:26:18.540,0:26:23.110 +watch this yes + +0:26:23.110,0:26:27.950 +so the question was do I stay on the Intel platform + +0:26:27.950,0:26:30.750 +I actually bring up that point in my forensics talks + +0:26:30.750,0:26:32.780 +I am on an 
Intel platform + +0:26:32.780,0:26:34.370 +for my sensors + +0:26:34.370,0:26:37.250 +however + +0:26:37.250,0:26:40.130 +depending on how you want to do forensics for +example + +0:26:40.130,0:26:43.710 +I have done cases where I had one tax stack +where I’ve got + +0:26:43.710,0:26:46.730 +you know Intel Windows + +0:26:46.730,0:26:48.180 +Toolex + +0:26:48.180,0:26:48.780 +whatever + +0:26:48.780,0:26:51.119 +and in another platform where I’ve got + +0:26:51.119,0:26:52.559 +Power PC + +0:26:52.559,0:26:53.420 +Debian + +0:26:53.420,0:26:55.560 +blah blah blah blah blah and something completely different + +0:26:55.560,0:26:58.740 +and I will say by the way + +0:26:58.740,0:27:04.310 +I don't run the one sytem I expose in my home lab +is not an Intel system + +0:27:04.310,0:27:06.940 +it's a Mac mini + +0:27:06.940,0:27:08.550 +and it’s running Debian on top + +0:27:08.550,0:27:11.789 +I tried to put on BSD I had a problem +I don’t know what that was + +0:27:11.789,0:27:13.109 +probably user error but + +0:27:13.109,0:27:15.310 +so Debian is running on that and what’s + +0:27:15.310,0:27:18.529 +nice about that is do you remember when the Debian +the SSL stuff when was that + +0:27:22.789,0:27:24.340 +that happened recently + +0:27:24.340,0:27:27.360 +all of the pre-compiled exploits for that + +0:27:27.360,0:27:30.570 +%uh and all of the pre-compiled keys + +0:27:30.570,0:27:34.230 +they shell code was all wrong because I was running +Power PC + +0:27:34.230,0:27:36.240 +and like when I did my + +0:27:36.240,0:27:38.050 +update or whatever I was like oh + +0:27:38.050,0:27:39.110 +I wonder if I’m affected by that + +0:27:39.110,0:27:42.160 +and it kept saying I wasn't even though I knew +I was because the + +0:27:42.160,0:27:44.270 +you know I had the vulnerable library version + +0:27:44.270,0:27:46.809 +I was like that's right this isn’t an Intel box + +0:27:46.809,0:27:48.170 +it's a Power PC box + +0:27:48.170,0:27:52.120 +so I do use that diversity 
argument in very very +limited situations + +0:27:52.120,0:27:55.180 +but it would be really expensive for me to say buy + +0:27:55.180,0:27:57.639 +you know eighty + +0:27:57.639,0:28:01.710 +I don't know I’m not even sure what I would use these days +it would be tough to find that I could get + +0:28:01.710,0:28:03.070 +a good price and everything + +0:28:03.070,0:28:06.460 +so I have to make some compromises there + +0:28:06.460,0:28:10.419 +but that’s not a bad idea if you have to have some kind of +like central server that was going to like watch everything maybe + +0:28:10.419,0:28:12.559 +you need to go that extra step to make it + +0:28:12.559,0:28:15.580 +even more diverse + +0:28:15.580,0:28:18.380 +alright so I’d like to talk just for a minute +about what I do + +0:28:18.380,0:28:21.320 +like to deploy + +0:28:21.320,0:28:23.190 +um what’s my time here + +0:28:23.190,0:28:29.300 +so I'm involved with this open source project called SGUIL +S-G-U-I-L + +0:28:29.300,0:28:32.780 +SGUIL doesn't stand for anything officially + +0:28:32.780,0:28:38.180 +but it originally when we first wrote it in like by the way +Bam Busher is the lead developer he’s probably actually the +only developer + +0:28:38.180,0:28:42.360 +the rest of us are just lamers + +0:28:42.360,0:28:43.820 +that's what the L means + +0:28:43.820,0:28:46.660 +originally it was snort GUI for lamers + +0:28:46.660,0:28:48.900 +%uh but then a couple people who got it + +0:28:48.900,0:28:52.490 +well we didn't get the joke they got a software +like I’m not a lamer I’m not going to use your software + +0:28:52.490,0:28:54.220 +well I don’t care if you use it or not + +0:28:59.890,0:29:01.540 +yeah right + +0:29:01.540,0:29:04.060 +But we felt okay that’s kind of + +0:29:04.060,0:29:09.860 +we’ll just call it SGUIL it doesn’t mean anything + +0:29:09.860,0:29:13.670 +So I’m going to talk to you about SGUIL but the thing about +SGUIL to remember is + +0:29:13.670,0:29:15.310 +it's open source it runs on 
+ +0:29:15.310,0:29:16.460 +you know Picker + +0:29:16.460,0:29:18.080 +Distrobe Choice + +0:29:18.080,0:29:19.970 +or Flavor whatever you want + +0:29:19.970,0:29:22.080 +it's more about the data and less about the tool + +0:29:22.080,0:29:24.690 +so you could potentially implement this with your own tools + +0:29:24.690,0:29:26.850 +%uh even commercial if you wanted to + +0:29:26.850,0:29:29.350 +%um it’s really + +0:29:29.350,0:29:32.419 +about way of getting data and thinking about it and less +about the actual + +0:29:32.419,0:29:37.020 +the actual tool + +0:29:37.020,0:29:38.400 +you know this guy it’s Elvis + +0:29:38.400,0:29:44.900 +you know what martial art he studied + +0:29:49.720,0:29:51.000 +so here’s Elvis + +0:29:51.000,0:29:53.750 +and Elvis is the patron saint of this system + +0:29:53.750,0:29:56.380 +I don't know why it's been a long time + +0:29:56.380,0:29:57.230 +but %uh + +0:29:57.230,0:30:00.609 +I love Elvis because he’s in his Kenpo karate stance + +0:30:00.609,0:30:02.480 +and his stance is like this + +0:30:02.480,0:30:08.860 +which it would take him like a week to get out +of his fight stance to do anything + +0:30:08.860,0:30:12.610 +I actually won some concert tickets by stumping +an Elvis expert on a radio station here + +0:30:12.610,0:30:13.399 +in DC- + +0:30:13.399,0:30:16.120 +I called and said what style of martial arts did he + +0:30:16.120,0:30:18.590 +he’s like oh karate I’m like what style + +0:30:18.590,0:30:20.080 +oh I don't know + +0:30:20.080,0:30:21.070 +Kenpo karate well + +0:30:21.070,0:30:22.559 +who was his masters’ name + +0:30:22.559,0:30:23.670 +uh Ed Parker + +0:30:23.670,0:30:29.540 +and they were like oh you just won those tickets you stumped +the Elvis expert + +0:30:29.540,0:30:34.540 +so here you have Elvis I’m going to contrast these two methods +of doing investigations right + +0:30:34.540,0:30:35.870 +so you’ve got Elvis + +0:30:35.870,0:30:38.640 +he’s your analyst you don’t want to piss him off + 
+0:30:38.640,0:30:40.289 +he’s Elvis + +0:30:40.289,0:30:43.799 +he’ll hit you with his magic karate shot + +0:30:43.799,0:30:47.580 +he gets an alert via some system right well not these days he’s looking trim man + +0:30:47.580,0:30:50.900 +by the way if you’ve ever watched him in concert + +0:30:50.900,0:30:53.970 +he’s doing Kenpo like throughout the concert all the moves + +0:30:53.970,0:30:55.910 +he’s doing + +0:30:55.910,0:30:56.269 +he’s doing Kenpo + +0:30:56.269,0:30:59.089 +you zoom in he’s got a Kenpo patch on whatever +he's wearing + +0:30:59.089,0:31:01.279 +you look at his guitar it’s got the Kenpo patch on it + +0:31:01.279,0:31:05.300 +like once you’re exposed to the fact that he did this style it's +everywhere + +0:31:05.300,0:31:06.470 +in fact there was one + +0:31:06.470,0:31:11.210 +he did a concert once actually he didn't +do a concert he attended somebody else’s concert + +0:31:11.210,0:31:15.190 +and I don't know who it was like Johnny Cash or something +but he saw him in the audience + +0:31:15.190,0:31:16.370 +he’s like Elvis do you want to come up here + +0:31:16.370,0:31:17.910 +you know do a song with me + +0:31:17.910,0:31:19.800 +and he’s like oh sorry you know + +0:31:19.800,0:31:22.880 +I'm under contract I can only perform at +this + +0:31:22.880,0:31:23.570 +one casino + +0:31:23.570,0:31:27.360 +but I’ll tell you what I’ll come on stage and do karate + +0:31:30.100,0:31:32.190 +so this guy is doing his performance and Elvis is just jumping on doing karate + +0:31:32.190,0:31:34.530 +I’ve got to find a video of that that would be great + +0:31:34.530,0:31:36.720 +so anyway Elvis is here + +0:31:36.720,0:31:39.440 +and his job is to find intruders + +0:31:39.440,0:31:41.150 +so he gets his console and he gets and alert + +0:31:41.150,0:31:41.990 +and he looks at it and he’s like + +0:31:41.990,0:31:43.520 +alright well + +0:31:43.520,0:31:45.230 +I’ve got to figure out if this matters + +0:31:45.230,0:31:48.470 +so what do I have 
to work with + +0:31:48.470,0:31:50.960 +well I have other alerts like a picture in front of some Cisco device + +0:31:50.960,0:31:53.870 +like in that range or whatever they are these days + +0:31:53.870,0:31:56.940 +so he creates the database and he gets more alerts + +0:31:56.940,0:31:59.800 +and he says well this is nice but I can’t tell if any of this matters + +0:31:59.800,0:32:02.770 +so that's the end of the line + +0:32:02.770,0:32:05.940 +right at this point he’s got two options he can either ignore it + +0:32:05.940,0:32:10.240 +or he can satisfy his fifteen minute SOA that his customer +pays three thousand dollars a month + +0:32:10.240,0:32:10.860 +for + +0:32:10.860,0:32:11.940 +call the customer and say + +0:32:11.940,0:32:13.059 +I saw this + +0:32:13.059,0:32:14.650 +I don't know what it means + +0:32:14.650,0:32:17.110 +ball is in your court goodbye + +0:32:17.110,0:32:21.360 +so I don't how many of you have you had that experience with an +MSSP but that’s very very common + +0:32:21.360,0:32:22.869 +so to me this is + +0:32:22.869,0:32:27.620 +that's completely worthless so this is the +alternative I propose + +0:32:27.620,0:32:30.550 +so see already you can see there’s more lines so that +must be good right + +0:32:30.550,0:32:32.030 +so you got Elvis + +0:32:32.030,0:32:35.319 +he queries his data he get’s an alert he queries the +database he gets the same alert + +0:32:35.319,0:32:39.050 +but now the difference is he has some data to look +at + +0:32:39.050,0:32:42.499 +so in other words it’s no just an IDS or whatever +generate alerts + +0:32:42.499,0:32:44.470 +there’s some evidence to review + +0:32:44.470,0:32:46.880 +and the key idea behind NSM is + +0:32:46.880,0:32:47.869 +the evidence + +0:32:47.869,0:32:51.700 +is collected whether or not it has security +value + +0:32:51.700,0:32:55.110 +that's not quite right what I mean is you’re +always collecting data + +0:32:55.110,0:32:57.350 +because you don't know what is useful + 
+0:32:57.350,0:32:58.430 +in other words + +0:32:58.430,0:33:00.360 +if you knew what was bad + +0:33:00.360,0:33:03.159 +why don't you just stop it + +0:33:03.159,0:33:05.709 +that is the whole fallacy of security right +like + +0:33:05.709,0:33:07.359 +the whole thing IDS was + +0:33:07.359,0:33:11.350 +if you could detect it why can’t you prevent it oh yeah + +0:33:11.350,0:33:14.860 +right so you invent this whole IPS category +which is a silver bullet which + +0:33:14.860,0:33:17.270 +did really nothing + +0:33:17.270,0:33:21.780 +but the idea is yeah you can detect it’s bad why don’t you just +stop it well of course that makes a lot of + +0:33:21.780,0:33:22.219 +sense + +0:33:22.219,0:33:24.840 +so you have a lot of stopping bad stuff + +0:33:24.840,0:33:28.250 +but then there’s other bad stuff that’s happening because +you don't know it is bad right now + +0:33:28.250,0:33:29.899 +I mean + +0:33:29.899,0:33:34.140 +I learned these techniques dealing with + +0:33:34.140,0:33:35.820 +intruders + +0:33:35.820,0:33:38.399 +I’ll date myself but in 1998 + +0:33:38.399,0:33:39.509 +intruders in China + +0:33:39.509,0:33:41.049 +who had writtten their own + +0:33:41.049,0:33:44.010 +virtualisation platform on top of Solaris + +0:33:44.010,0:33:46.159 +who were doing stuff we were like holy cow + +0:33:46.159,0:33:48.540 +because we had no idea that they could do +that sort of thing + +0:33:48.540,0:33:51.879 +so there was no system that was going to detect +because we didn't even know it existed + +0:33:51.879,0:33:54.530 +but guess what we were keeping track of everything +that was happening + +0:33:54.530,0:33:56.330 +and once we knew what to look for + +0:33:56.330,0:34:00.380 +we checked our data like holy crap they’ve been in +here since two years ago + +0:34:00.380,0:34:03.230 +right this slide that I showed you here + +0:34:03.230,0:34:07.240 +when we started putting out these sensors there was +huge resistance + +0:34:07.240,0:34:08.459 +this was like + 
+0:34:08.459,0:34:13.399 +oh man we’re the air force we just defeated Iraq the +fourth biggest army in the world we kick ass + +0:34:13.399,0:34:15.739 +there can’t be anybody inside of our network and we’re like + +0:34:15.739,0:34:19.460 +please please can we put a few sensors out there and they’re +like all right but you guys are wasting your + +0:34:19.460,0:34:20.029 +time + +0:34:20.029,0:34:23.690 +so we put our sensors out and what do you think +what did we find + +0:34:23.690,0:34:24.720 +we were owned + +0:34:25.650,0:34:26.230 +everywhere + +0:34:26.230,0:34:27.569 +up down left right + +0:34:27.569,0:34:29.499 +it was terrible right we were completely owned + +0:34:29.499,0:34:31.329 +because nobody was watching + +0:34:31.329,0:34:33.129 +and then after that + +0:34:33.129,0:34:37.159 +boom that’s when everything took off + +0:34:37.159,0:34:40.859 +so the key here is that you get your alert but then you +have data to look at and the two + +0:34:40.859,0:34:43.939 +%uh well I should say three main forms of data you collect + +0:34:43.939,0:34:45.370 +we collected alerts but + +0:34:45.370,0:34:46.269 +we’re also + +0:34:46.269,0:34:47.780 +just logging all the flows we see + +0:34:47.780,0:34:50.779 +we call it session data but it’s just flows + +0:34:50.779,0:34:52.999 +and we deploy our own software to log the flows + +0:34:52.999,0:34:56.460 +but the key is we don't log the flows that are associated +with the alert we log + +0:34:56.460,0:34:57.789 +all flows + +0:34:57.789,0:34:59.689 +so you don’t have to know what support beforehand + +0:34:59.689,0:35:01.619 +you just keep track of everything + +0:35:01.619,0:35:02.840 +and once you know what to look for + +0:35:02.840,0:35:04.259 +you go look for it + +0:35:04.259,0:35:08.739 +I kind of liken it to the Splunk model like I +how many people have used Splunk + +0:35:08.739,0:35:10.609 +right Splunk is really awesome right + +0:35:10.609,0:35:13.719 +Splunk is the place you go when you know +what 
to look for + +0:35:13.719,0:35:15.740 +you generally don't have Splunk tell you stuff + +0:35:15.740,0:35:16.679 +I mean you can + +0:35:16.679,0:35:18.150 +but for the most part + +0:35:18.150,0:35:21.910 +you want to be there when you need to ask the question +and have some response + +0:35:21.910,0:35:24.470 +it's the same thing with this once I know what to look for + +0:35:24.470,0:35:25.309 +I need a place to go look + +0:35:25.309,0:35:28.169 +so I query my sessions and I’m like oh well look + +0:35:28.169,0:35:29.040 +this guy + +0:35:29.040,0:35:32.709 +just reached out via FTP and grabbed his tools + +0:35:32.709,0:35:35.109 +guess what most hackers these days still do this + +0:35:35.109,0:35:36.189 +right they aren’t like + +0:35:36.189,0:35:38.319 +STP-ing out or whatever + +0:35:38.319,0:35:40.489 +yeah go grab their tools over FTP + +0:35:40.489,0:35:41.439 +excuse me well + +0:35:41.439,0:35:43.280 +they grab their tools over FTP + +0:35:43.280,0:35:45.939 +while they’re doing that I’m logging all the packet data + +0:35:45.939,0:35:51.379 +and a lot of people used to say oh Bejtlich you’re +crazy who can log packet data on all their gateways + +0:35:51.379,0:35:52.829 +the NSA does + +0:35:52.829,0:35:55.639 +so guess what we can too right it’s not that tough + +0:35:55.639,0:35:58.500 +%uh most network connections are + +0:35:58.500,0:36:00.079 +DS3s or less + +0:36:00.079,0:36:03.509 +at least the outbound ones to the internet + +0:36:03.509,0:36:05.579 +so you could log a lot of packet data + +0:36:05.579,0:36:07.809 +I mean hard drives are cheap + +0:36:07.809,0:36:12.589 +they're cheap so you can grab a lot of data + +0:36:12.589,0:36:18.589 +yeah question what do you use to dump all the data I’ll walk +you through all of it yup yes my question is so I’m located +my servers are in Maryland + +0:36:20.819,0:36:23.099 +yes I’m an ISP what happens when I get stuff from +Massachussetts or California and they’re going you can’t do that + 
+0:36:27.329,0:36:28.269 +yes okay so there’s two things + +0:36:28.269,0:36:32.709 +the first thing I thought you were going to go down was +I’m an ISP do I do this for my + +0:36:32.709,0:36:33.949 +customers the answer would be no + +0:36:33.949,0:36:37.429 +%uh I would do this for my infrastructure + +0:36:37.429,0:36:40.489 +as far as the privacy stuff goes + +0:36:40.489,0:36:44.589 +we're we’re wrestling with ourselves and what +I end up doing is typically + +0:36:44.589,0:36:46.899 +scaling back to what the law will allow + +0:36:46.899,0:36:50.660 +and then showing that it's either adequate +or not adequate + +0:36:50.660,0:36:56.319 +and then I take it to the lawyers and say we have to +somehow push back against this + +0:36:56.319,0:36:57.630 +%uh but okay + +0:36:57.630,0:37:00.229 +so imagine that you do the full content though + +0:37:00.229,0:37:06.089 +and by the way this isn’t theoretical we do this all the time +I have a reverse engineer on my staff who + +0:37:06.089,0:37:10.589 +when we see machines mission going down pulling their binaries +when the machines are owned + +0:37:10.589,0:37:12.399 +I pass in the traffic + +0:37:12.399,0:37:14.219 +he pulls out the + +0:37:14.219,0:37:15.260 +exe + +0:37:15.260,0:37:19.160 +he reverses it figures out what it does +and now we go into the next stage of insert-response + +0:37:19.160,0:37:21.249 +so it can be done + +0:37:21.249,0:37:24.869 +so then we say oh shoot it uses this back door we +go back and look in the sessions and we say + +0:37:24.869,0:37:27.879 +oh I see this back door let's go and look at the +traffic + +0:37:27.879,0:37:29.350 +and it just keeps going so + +0:37:29.350,0:37:36.350 +the idea is that this isn’t the end of the investigation +it’s the beginning the investigation + +0:37:36.579,0:37:37.369 +sure + +0:37:37.369,0:37:39.059 +can it be done + +0:37:39.059,0:37:41.209 +it’s easy to do and can be done completely free + +0:37:41.209,0:37:42.249 +yes + +0:37:42.249,0:37:44.220 
+yes and that is very true + +0:37:44.220,0:37:45.249 +everything that I’ve shown here + +0:37:45.249,0:37:48.249 +you could literally walk out of here + +0:37:48.249,0:37:50.619 +go into the freeBSD ports tree find a SGUIL ports + +0:37:52.119,0:37:54.840 +do your make I mean the ports are a little ugh + +0:37:54.840,0:37:58.029 +I'm not + +0:37:58.029,0:37:59.730 +you don’t want to slam a guy who + +0:37:59.730,0:38:01.190 +volunteers and makes ports right + +0:38:01.190,0:38:05.700 +but there’s still a decent amount of work that you have +to do once the ports are installed it’s good for basically + +0:38:05.700,0:38:09.880 +satisfying dependencies and so forth + +0:38:09.880,0:38:12.879 +so this is the implementation we use as far as software stack + +0:38:12.879,0:38:14.699 +for %uh alert data + +0:38:14.699,0:38:17.459 +we use Snort + +0:38:17.459,0:38:22.799 +I’m starting to I’ve used Bro a little bit +I’m starting to integrate Bro though + +0:38:22.799,0:38:26.949 +full content data I tend to use Demon Logger + +0:38:26.949,0:38:29.029 +it’s Marty Rush’s implementation of Packet Logger + +0:38:29.029,0:38:30.069 +for session data + +0:38:30.069,0:38:34.539 +I use SANCP which is sort a friend of Myrobe which you can +sort of see some other options there + +0:38:34.539,0:38:36.469 +and then statistical data + +0:38:36.469,0:38:38.939 +you know think MRTGA type of thing +that + +0:38:38.939,0:38:40.949 +shows you traffic over time or whatever + +0:38:40.949,0:38:45.979 +%um and the nice thing is SGUIL is the interface to a lot +of this and you know + +0:38:45.979,0:38:47.619 +I’m going to show you what that looks like + +0:38:47.619,0:38:50.709 +by the way so this is it in a picture + +0:38:50.709,0:38:52.289 +so what is SGUIL well + +0:38:52.289,0:38:54.949 +okay yes this is a Windows screenshot + +0:38:54.949,0:39:00.159 +it shows that you can run your BSD back +end on the servers and then have your boss uses Windows + +0:39:00.159,0:39:00.769 +GUI + 
+0:39:00.769,0:39:02.189 +and log into it + +0:39:02.189,0:39:03.159 +and %uh + +0:39:03.159,0:39:07.559 +again this isn’t about the tool as much as +the data and the way you investigate it but + +0:39:07.559,0:39:08.989 +here’s the screenshot so + +0:39:08.989,0:39:11.890 +you can see we have a console here + +0:39:11.890,0:39:16.509 +and these are our store alerts coming in and by the way it can +be other things we've got it + +0:39:16.509,0:39:20.469 +this isn't a sim incidentally we were talking +just a few minutes ago like + +0:39:20.469,0:39:22.380 +the way we describe it is + +0:39:22.380,0:39:23.259 +with a sim + +0:39:23.259,0:39:26.170 +you could put ABCD all the way through W + +0:39:26.170,0:39:27.200 +into a sim + +0:39:27.200,0:39:28.819 +and it’d still be garbage + +0:39:28.819,0:39:31.449 +but with this we pick the X Y and Z that we + +0:39:31.449,0:39:34.109 +think give you the best value + +0:39:34.109,0:39:37.619 +so for us those are alert sessions and and full content + +0:39:37.619,0:39:39.650 +so you’ve got your interface here + +0:39:39.650,0:39:43.670 +and we try to present as much information +on one screen without having to do a bunch of window + +0:39:43.670,0:39:44.889 +management + +0:39:44.889,0:39:46.839 +yes it is TCL/TK + +0:39:46.839,0:39:50.599 +we started this back in 2001 + +0:39:50.599,0:39:54.009 +but it works it you know it’s fine it’s platform + +0:39:54.009,0:39:56.349 +so here’s the packet that caused the alert + +0:39:56.349,0:39:58.349 +here is the of + +0:39:58.349,0:40:00.100 +the rule that caused the alert + +0:40:00.100,0:40:02.160 +and in most systems this is what you would +get + +0:40:02.160,0:40:05.079 +right you're left deciding if it's okay + +0:40:05.079,0:40:09.039 +in an HTTP transaction + +0:40:09.039,0:40:12.460 +for someone to have put through what looks like the +output of an ID command on Unix + +0:40:12.460,0:40:14.779 +where the result was + +0:40:14.779,0:40:16.179 +UID zero + 
+0:40:16.179,0:40:19.529 +is that good or is that bad I mean you’d probably say that sounds bad + +0:40:19.529,0:40:24.219 +but once you do the analysis you’ll find out it's +not the question is you have to make that decision + +0:40:24.219,0:40:25.760 +and every vendor that I’ve met + +0:40:25.760,0:40:26.839 +they leave you here + +0:40:26.839,0:40:28.399 +and they abandon you + +0:40:28.399,0:40:29.479 +they say + +0:40:29.479,0:40:31.439 +good luck I’ve given you the packet + +0:40:31.439,0:40:33.329 +like you’ll talk to the source buyer guys they’re like + +0:40:33.329,0:40:36.199 +I gave you the packet what more do you need + +0:40:36.199,0:40:37.639 +I need to know if it matters + +0:40:37.639,0:40:41.569 +and you’re like well + +0:40:41.569,0:40:42.889 +I + +0:40:42.889,0:40:46.549 +can give you the packet look + +0:40:46.549,0:40:48.680 +yeah packet so what it’s a packet + +0:40:48.680,0:40:52.439 +I can tell there’s a packet here yes there’s a packet and yes +it’s nice that you gave me a nice open rule so I can tell how it + +0:40:52.439,0:40:55.140 +came to its decision unlike you know a closed system + +0:40:55.140,0:40:56.150 +you can't tell + +0:40:56.150,0:40:58.240 +but I have to tell if this matters for me + +0:40:58.240,0:40:59.859 +what do you do next + +0:40:59.859,0:41:03.769 +we could do a couple things one thing you +can do is build transcript + +0:41:03.769,0:41:05.550 +the transcript is + +0:41:05.550,0:41:06.510 +all of the + +0:41:06.510,0:41:08.380 +session in this case + +0:41:08.380,0:41:12.719 +rendered through in this case we use TCP flow so we say + +0:41:12.719,0:41:13.789 +literally right-click + +0:41:13.789,0:41:15.379 +give me your transcript + +0:41:15.379,0:41:16.740 +system goes out to the sensor + +0:41:16.740,0:41:18.369 +pulls back the P cap data + +0:41:18.369,0:41:20.319 +renders it in TCP flow + +0:41:20.319,0:41:21.259 +colors the blue + +0:41:21.259,0:41:24.249 +%uh the source the red is the destination + 
+0:41:24.249,0:41:26.079 +so you can see that my system + +0:41:26.079,0:41:31.009 +visited the www.testmyids.com site + +0:41:31.009,0:41:32.320 +and it replied + +0:41:32.320,0:41:34.009 +with the content + +0:41:34.009,0:41:36.159 +so + +0:41:36.159,0:41:37.679 +there is no like + +0:41:37.679,0:41:39.289 +back door on port 80 here + +0:41:39.289,0:41:40.689 +this is a + +0:41:40.689,0:41:47.119 +by the way the other thing that’s nice is that I came +through this proxy and whatever + +0:41:47.119,0:41:50.779 +if I’m dealing with a binary protocol like let’s say +SNB or RPC or something that doesn’t + +0:41:50.779,0:41:52.249 +render well as text + +0:41:52.249,0:41:56.849 +that's same right-click you can instead choose to +dump it into Wireshark + +0:41:56.849,0:41:58.099 +so here’s the Wireshark data + +0:41:58.099,0:42:00.829 +and you can use anything you want to do for Wireshark +at this point + +0:42:00.829,0:42:01.900 +this is fast right + +0:42:01.900,0:42:05.699 +I don’t know how many of you have had to do this by +hand + +0:42:05.699,0:42:08.570 +you know you SSH out to the sensor find a pcat file + +0:42:08.570,0:42:10.709 +come up with a BPF in your head + +0:42:10.709,0:42:12.119 +you know run it + +0:42:12.119,0:42:13.890 +copy it someplace no this is + +0:42:13.890,0:42:15.359 +right-click right-click right-click I’ve got all my data + +0:42:17.130,0:42:20.909 +if you want to see well have I ever gone to this IP address +before + +0:42:20.909,0:42:23.219 +I query for my sessions and I say + +0:42:23.219,0:42:27.459 +you know in this case it’s a sequel query on that desk IP + +0:42:27.459,0:42:30.770 +and by the way you can right-click and do a default query +or else if you know what the schema looks like you can just +modify it by hand + +0:42:37.369,0:42:40.139 +and I think that’s it + +0:42:40.139,0:42:41.820 +so if you want to try any of that + +0:42:41.820,0:42:44.889 +like I said %uh the ports exist + +0:42:44.889,0:42:49.399 +I maintain some 
really really really +really lame scripts that automate this + +0:42:49.399,0:42:52.190 +but I need to install it on my home gateway or something +like that + +0:42:52.190,0:42:56.319 +They’re more of just a reference + +0:42:56.319,0:42:57.140 +but that’s what I do on BSD as far as network security +monitoring goes + +0:42:57.140,0:43:03.609 +I’d be happy to answer any questions + +0:43:03.609,0:43:09.139 +yes + +0:43:09.139,0:43:14.049 +what additional features are you looking for in the future I +would say for SGUIL for new features the first thing is resolve + +0:43:14.049,0:43:15.700 +intellectual property + +0:43:15.700,0:43:16.140 +because + +0:43:16.140,0:43:19.469 +I hired Bam as my lead incident handler at GE + +0:43:19.469,0:43:20.439 +so + +0:43:20.439,0:43:21.780 +we need to figure out + +0:43:21.780,0:43:24.940 +if he works on it at work + +0:43:24.940,0:43:27.640 +can we release it well first of all can he even work +on it at work + +0:43:27.640,0:43:29.130 +and secondly if he does + +0:43:29.130,0:43:33.189 +can we release so we're trying to work +out those I think it'll be resolved postively + +0:43:33.189,0:43:35.119 +because we're GE’s actually fairly pro-open-source + +0:43:36.849,0:43:41.189 +I told the CEO of the company that this thing +used my sequel as a back end and + +0:43:41.189,0:43:42.229 +he’s like I love my sequel + +0:43:42.229,0:43:43.680 +okay + +0:43:43.680,0:43:45.470 +he’s like you’ve got your money I’m like oh + +0:43:45.470,0:43:47.089 +okay that’s all I had to say great + +0:43:47.089,0:43:50.969 +%uh he hates Microsoft he hates the company + +0:43:53.819,0:43:58.789 +so we wanted once we get that result we want +to probably introduce other data sources + +0:43:58.789,0:43:59.549 +so introduce like Bro plugin + +0:44:01.090,0:44:02.240 +some other agents + +0:44:02.240,0:44:03.799 +they could accept other data + +0:44:03.799,0:44:05.470 +%uh we need to have + +0:44:05.470,0:44:07.789 +some kind of reporting mechanism + 
+0:44:07.789,0:44:08.610 +because people don't know + +0:44:08.610,0:44:11.589 +what comes out once you put it in + +0:44:11.589,0:44:16.329 +there's been some talk about making this turn +into a Splunk base application + +0:44:16.329,0:44:18.119 +so all the data goes into Splunk + +0:44:18.119,0:44:25.119 +I mean you could you'd do like use Splunk as the interface +so that's a possibility + +0:44:28.909,0:44:33.859 +yeah Splunk is remarkably cheap for an enterprise +app though we’ve bought like giant licenses + +0:44:33.859,0:44:34.669 +that have not + +0:44:34.669,0:44:38.399 +I mean they've been like five-figure purchases which is +really good considering how many gigabytes of data + +0:44:38.399,0:44:39.489 +we’re indexing + +0:44:39.489,0:44:41.789 +%uh but you know for the + +0:44:41.789,0:44:46.170 +situation here it would be an option because the free Splunk +is 500mb a day + +0:44:46.170,0:44:49.229 +so it's not that + +0:44:49.229,0:44:56.229 +any other questions + +0:45:02.480,0:45:04.219 +yeah I think Bro if you’ve never heard of Bro bro-ids.org + +0:45:04.219,0:45:08.279 +in fact I’m going to Bro training next week +in Berkeley which is just going to rock I’m so excited + +0:45:08.279,0:45:10.629 +about that + +0:45:10.629,0:45:12.469 +Bro I think is a perfect + +0:45:12.469,0:45:14.809 +a perfect compliment to Snort + +0:45:14.809,0:45:17.750 +Snort not exclusively but Snort is quite a bit about signatures + +0:45:17.750,0:45:21.140 +there are some few processors that look for +protocol anomalies and so forth + +0:45:21.140,0:45:26.189 +but Bro on it’s own is completely the opposite it’s all about +protocol anomalies + +0:45:26.189,0:45:27.939 +Snort has kind of like real + +0:45:27.939,0:45:30.999 +hackish type state keeping using flow bits + +0:45:30.999,0:45:32.739 +Bro is all about state + +0:45:32.739,0:45:35.160 +so you put the two of them together you might say + +0:45:35.160,0:45:37.499 +shoot I really need to know when such and such +happens 
+ +0:45:37.499,0:45:41.270 +but to do that Snort I’d have to do all this +flow bits and stuff + +0:45:41.270,0:45:43.030 +whereas with Bro you’re like oh + +0:45:43.030,0:45:43.810 +just track the connections and then do this + +0:45:43.810,0:45:50.810 +so the two of them together I think work really +well + +0:45:51.619,0:45:54.980 +the questions was does Bro have Snort rule input functionality + +0:45:54.980,0:45:57.769 +it does to the extent that every + +0:45:57.769,0:46:02.059 +like hardware vendor accelerator vendor Snort competitor +says that they do + +0:46:02.059,0:46:05.079 +%uh Snort is the engine is always being +updated + +0:46:05.079,0:46:07.880 +so generally what when somebody says that +they can + +0:46:07.880,0:46:09.880 +%uh run Snort rules faster + +0:46:09.880,0:46:12.420 +they’re usually only talking about content matches + +0:46:12.420,0:46:14.519 +so they take whatever the the + +0:46:14.519,0:46:15.500 +content match is + +0:46:15.500,0:46:18.829 +and implement it quickly in hardware + +0:46:18.829,0:46:23.099 +so over time the degree to which you can map +real Snort rules fades + +0:46:23.099,0:46:24.309 +so whereas + +0:46:24.309,0:46:26.510 +five years ago it might have been like ninety percent + +0:46:26.510,0:46:28.619 +these days it's like twenty five percent + +0:46:28.619,0:46:35.619 +so they probably can pull in a certain percentage +but not a lot + +0:46:46.159,0:46:50.020 +right right exactly so the question was about retention +of the full content data + +0:46:50.020,0:46:53.439 +I should mention that for alerts we try to keep for +about a year + +0:46:53.439,0:46:56.809 +for flows we try to keep about six months + +0:46:56.809,0:46:59.529 +and alerts and flows are both centralized although + +0:46:59.529,0:47:03.059 +given the flow volume we’re seeing we might +have to start pushing that back onto the + +0:47:03.059,0:47:04.909 +sensor + +0:47:04.909,0:47:07.549 +pcat data it is + +0:47:07.549,0:47:10.509 +just what we can 
afford as far as hard drive spaces go + +0:47:10.509,0:47:11.769 +my last budget + +0:47:11.769,0:47:15.319 +I could only spend about twenty five hundred +to three grand per sensor + +0:47:15.319,0:47:18.949 +which limited me to about one to + +0:47:18.949,0:47:22.139 +yeah about one terabyte of disk space with raid + +0:47:22.139,0:47:23.809 +so %uh + +0:47:23.809,0:47:26.279 +depending on where the sensor goes that could be + +0:47:26.279,0:47:28.809 +three months or three weeks + +0:47:28.809,0:47:34.189 +or or a day or three days or three hours +right + +0:47:34.189,0:47:36.259 +what I do is I end up + +0:47:36.259,0:47:38.450 +I buy up chassis that can + +0:47:38.450,0:47:40.960 +potentially grow to have a lot more storage once +I have budget + +0:47:40.960,0:47:42.509 +I put the system out there + +0:47:42.509,0:47:43.319 +and I say + +0:47:43.319,0:47:46.439 +look this is look what I found at this location +boss + +0:47:46.439,0:47:50.709 +if you give me a little more more money I can put in +you know four terabytes of disk space as opposed + +0:47:50.709,0:47:51.609 +to one + +0:47:51.609,0:47:53.209 +and then they give me that + +0:47:53.209,0:47:55.520 +but the pcap data only stays on a sensor + +0:47:55.520,0:47:58.049 +so what I try to do is I have an analysis +window + +0:47:58.049,0:47:59.179 +and a pcap window + +0:47:59.179,0:48:03.799 +and I try to have that pcap window longer than +the analysis window + +0:48:03.799,0:48:08.239 +so the questions yes + +0:48:08.239,0:48:12.269 +yeah so any type of encryption on host + +0:48:12.269,0:48:14.139 +but the funny thing is + +0:48:14.139,0:48:17.909 +most of the time when I did get type of + +0:48:17.909,0:48:19.160 +like third-party tips + +0:48:19.160,0:48:22.669 +it's usually have you seen anybody visiting this IP address + +0:48:22.669,0:48:25.919 +and if I see the visit to that IP address +even if it’s encrypted + +0:48:25.919,0:48:27.669 +I know it + +0:48:27.669,0:48:29.429 +this isn't the whole 
game right + +0:48:29.429,0:48:32.750 +usually what I do is I use all of this identify +boxes that problems + +0:48:32.750,0:48:34.439 +and then I roll in to do + +0:48:34.439,0:48:35.809 +host-based forensics + +0:48:35.809,0:48:42.809 +so that some of the other coin other side + +0:48:45.349,0:48:49.310 +yeah that is really dependent on the way that + +0:48:49.310,0:48:50.729 +encryption algorithm is implemented + +0:48:50.729,0:48:55.159 +some of them are are very friendly to that +others are not + +0:48:55.159,0:48:57.339 +and others + +0:48:57.339,0:48:59.070 +that you know in some cases + +0:48:59.070,0:49:02.300 +it might be better to use another approach +like there's certain proxies that are out + +0:49:02.300,0:49:03.829 +there like that + +0:49:03.829,0:49:05.419 +Palo Alto firewall + +0:49:05.419,0:49:07.969 +you can specify encryption policies so + +0:49:07.969,0:49:12.210 +and if you go to banks if you go to certain +sites they don’t mess with the SSL + +0:49:12.210,0:49:14.150 +everywhere else they man it in the middle + +0:49:14.150,0:49:16.349 +and so you can get access to the logs that +way + +0:49:16.349,0:49:18.619 +so I try not to do that with the sensors so much + +0:49:18.619,0:49:19.659 +I try to keep it I try to make + +0:49:19.659,0:49:21.799 +the sensor so nobody even knows they’re there + +0:49:21.799,0:49:23.529 +if at all possible + +0:49:23.529,0:49:28.169 +yes + +0:49:39.739,0:49:43.599 +his comment was even if there is four +four three traffic that’s encrypted + +0:49:43.599,0:49:45.349 +general to be something else that isn’t + +0:49:45.349,0:49:48.969 +and that's really what all this is about it's +generally about getting a hint that something + +0:49:48.969,0:49:49.890 +is wrong + +0:49:49.890,0:49:53.460 +and you don't necessarily know what the hint is until +you’ve been burnt pretty badly + +0:49:53.460,0:49:56.609 +and then you go back and you figure out the scope +of the incident is + +0:49:56.609,0:50:00.119 +in no forensic 
case have I ever worked where I +had a complete picture + +0:50:00.119,0:50:01.929 +you know I had the guys hard drive I had + +0:50:01.929,0:50:04.280 +his logs his network traffic it's generally + +0:50:04.280,0:50:05.490 +you get some piece + +0:50:05.490,0:50:08.160 +and then you start investigating + +0:50:08.160,0:50:10.190 +and the reason I do this approach is because it’s cheap + +0:50:10.190,0:50:14.099 +you know twenty five hundred dollar commodity hardware +open source software + +0:50:14.099,0:50:15.820 +little bit of experience + +0:50:15.820,0:50:17.280 +and suddenly I’ve got some + +0:50:17.280,0:50:18.220 +you know some viable data + +0:50:18.220,0:50:22.129 +you’d think working at GE I’d have some huge +budget + +0:50:22.129,0:50:23.000 +no way not at all + +0:50:23.000,0:50:24.819 +any other questions + +0:50:24.819,0:50:31.819 +yes + +0:50:35.649,0:50:38.709 +well to tell you the truth I started using + +0:50:38.709,0:50:39.750 +FreeBSD specifically + +0:50:39.750,0:50:44.710 +%uh in 2000 and the reason was our +developers who who were building the ASM sensors + +0:50:44.710,0:50:46.659 +in the + +0:50:47.569,0:50:48.279 +they said + +0:50:48.279,0:50:52.579 +if we’re going to have a good network stack we should +use a BSD base stack as opposed to Linux + +0:50:52.579,0:50:53.959 +so that's how it started + +0:50:53.959,0:50:59.519 +%um since then there have been many changes in both +sides Linux within the BSDs and so forth + +0:50:59.519,0:51:02.419 +so I'm really not in a position to say which + +0:51:02.419,0:51:03.319 +is better + +0:51:03.319,0:51:04.410 +I I would say + +0:51:04.410,0:51:06.679 +I've never had a BSD let me down + +0:51:06.679,0:51:08.599 +put it that way + +0:51:08.599,0:51:10.930 +as far as FreeBSD goes specifically + +0:51:10.930,0:51:14.229 +there’s som like minor things that make my +life better + +0:51:14.229,0:51:18.349 +one is I know a lot of the network developers +so when there's an issue I can talk to them + 
+0:51:18.349,0:51:19.859 +directly + +0:51:19.859,0:51:20.919 +and they can say + +0:51:20.919,0:51:22.420 +like some of the + +0:51:22.420,0:51:23.660 +I don’t know who’s from the free + +0:51:23.660,0:51:26.099 +but some of the zero copy stuff that's being +worked on + +0:51:26.099,0:51:29.159 +like that helps me a lot + +0:51:29.159,0:51:32.999 +some it's the most stupid things like the +ability that any + +0:51:32.999,0:51:33.869 +any + +0:51:33.869,0:51:35.469 +app which + +0:51:35.469,0:51:37.719 +is opening up a BPF + +0:51:37.719,0:51:40.109 +you can track performance with the what was it + +0:51:40.109,0:51:41.609 +net stat dash B + +0:51:41.609,0:51:42.400 +capital B + +0:51:42.400,0:51:45.859 +little things like that are helpful too + +0:51:45.859,0:51:52.859 +there's another question + +0:52:03.309,0:52:05.019 +yes + +0:52:05.019,0:52:09.189 +yeah so I don’t know if what you've seen in the news about +like Chinese hackers and all + +0:52:09.189,0:52:12.499 +this has been going on for a long time it's +just that + +0:52:12.499,0:52:14.590 +nowadays they're mostly on Windows but + +0:52:14.590,0:52:16.269 +ten years ago what was popular + +0:52:16.269,0:52:20.489 +like commercial in the military it was Solaris + +0:52:20.489,0:52:25.289 +so we were seeing all sorts weird traffic in +our Solaris boxes that we couldn’t account for + +0:52:25.289,0:52:27.439 +so these guys had written once we + +0:52:27.439,0:52:28.929 +started doing some + +0:52:28.929,0:52:31.199 +forensics and it wasn't the forensics of + +0:52:31.199,0:52:33.929 +pull the power cord which is what was popular +back then right + +0:52:33.929,0:52:35.319 +it was you know + +0:52:35.319,0:52:37.960 +let's take us the actually I think back then we were +doing + +0:52:37.960,0:52:40.019 +we generated a crash dump + +0:52:40.019,0:52:41.139 +and then analyzed it + +0:52:41.139,0:52:43.899 +so these guys were writing + +0:52:43.899,0:52:45.089 +memory resident + +0:52:45.089,0:52:46.289 +did not 
touch + +0:52:46.289,0:52:48.129 +did not touch the hard drive + +0:52:48.129,0:52:50.240 +%uh implementations where + +0:52:50.240,0:52:52.029 +they built their own + +0:52:52.029,0:52:53.639 +like hyper visor and had their own little operating + +0:52:53.639,0:52:59.469 +system on top of our Solaris +boxes that we couldn't see + +0:52:59.469,0:53:01.519 +yeah so + +0:53:01.519,0:53:04.179 +that was back then + +0:53:04.179,0:53:06.059 +right %uh + +0:53:06.059,0:53:08.489 +it’s I’ve worked on that side the defensive side + +0:53:08.489,0:53:10.929 +I’ve also worked on a not defensive side + +0:53:10.929,0:53:12.849 +I won’t say what that is but + +0:53:12.849,0:53:15.159 +%uh the stuff I saw here + +0:53:15.159,0:53:16.709 +that we were doing as contractors + +0:53:16.709,0:53:20.369 +I was I was like wow this can be done this +is really amazing so + +0:53:20.369,0:53:25.279 +most of the time if you have an imagination you +can sort of imagine what's happening + +0:53:25.279,0:53:27.579 +and if you think about it you might think well + +0:53:27.579,0:53:30.910 +we're not the only ones in the world who can do that +so there’s probably guys on the other + +0:53:30.910,0:53:31.649 +side + +0:53:31.649,0:53:34.789 +who can do it so then you have to start +looking for it + +0:53:34.789,0:53:36.729 +what you see is a progression of + +0:53:36.729,0:53:39.009 +things that happened at the very high end + +0:53:39.009,0:53:41.189 +eventually it filters down you know + +0:53:41.189,0:53:44.339 +really good rootkits used to be the province +of people who wrote them + +0:53:44.339,0:53:46.039 +but now you can buy them + +0:53:46.039,0:53:53.039 +find them share them whatever + +0:53:59.749,0:54:03.279 +sure yeah so the question is do we do any pattern analysis + +0:54:03.279,0:54:06.219 +there's nothing bad about Latvia + +0:54:06.219,0:54:07.679 +you asked a good question + +0:54:07.679,0:54:11.549 +but + +0:54:11.549,0:54:14.059 +let me put it this way + 
+0:54:14.059,0:54:17.089 +I'm creating that the first GE cert + +0:54:17.089,0:54:20.400 +it's 2099 but yes we just did +up our first cert + +0:54:20.400,0:54:25.559 +so we are we're not even like crawling yet +we’re like the baby on its back + +0:54:25.559,0:54:26.799 +oh look I can lift my head up + +0:54:26.799,0:54:31.879 +so we're still getting our hands around what does it +even mean to operate the cert data we have and + +0:54:31.879,0:54:32.549 +so forth + +0:54:32.549,0:54:36.649 +I would expect within the next two years we're going +been doing the kinds of things I would have + +0:54:36.649,0:54:37.579 +expected + +0:54:37.579,0:54:38.769 +you know a real + +0:54:38.769,0:54:39.649 +cert to do + +0:54:39.649,0:54:41.320 +it now includes things like + +0:54:41.320,0:54:47.279 +we know our environment so well that when we see +that box doing that that's outside the scope + +0:54:47.279,0:54:50.689 +it's one of those things where we have ideas +that are probably + +0:54:50.689,0:54:52.429 +like two years ahead of where we can implement + +0:54:52.429,0:54:53.729 +but once we do that + +0:54:53.729,0:55:00.199 +we’ll find stuff like that + +0:55:00.199,0:55:04.569 +have we gotten people to do their own what + +0:55:04.569,0:55:08.579 +so the question was I think you probably heard the question + +0:55:08.579,0:55:12.139 +we are actually collaborating with + +0:55:12.139,0:55:16.670 +%uh ICIR at Berkeley like Verne Paxon and his guys the Bro guys + +0:55:16.670,0:55:18.880 +and %uh at New York University so + +0:55:18.880,0:55:21.940 +there’s two research programs at each and +we're going to be + +0:55:21.940,0:55:23.269 +probably + +0:55:23.269,0:55:25.950 +I would guess we’re probably going to ship them data + +0:55:25.950,0:55:30.809 +because that’s what’s great about our method right we just +collect data so we can sign an NDA ship them data + +0:55:30.809,0:55:32.919 +and they can apply all their different + +0:55:32.919,0:55:34.259 +research + 
+0:55:34.259,0:55:36.260 +theories against it and find stuff for us + +0:55:36.260,0:55:38.299 +so yeah I’d expect some of that + +0:55:38.299,0:55:45.299 +from those guys + +0:55:49.229,0:55:54.039 +yes + +0:55:54.039,0:55:56.439 +yeah so the way I deploy is I use taps where possible +because you can’t screw it up + +0:55:56.439,0:55:59.439 +I mean you can there are certain fiber types you can +physically connect backwards + +0:55:59.439,0:56:02.349 +so just enough light will get through so the +traffic follows + +0:56:02.349,0:56:04.649 +but no light is reflected out to your sensor + +0:56:04.649,0:56:06.760 +but for the most part if you’re talking copper + +0:56:06.760,0:56:07.430 +done tap + +0:56:07.430,0:56:09.649 +it gives you your traffic + +0:56:09.649,0:56:13.350 +I even prefer that model for like IPS’s +if you have to use an IPS + +0:56:13.350,0:56:15.599 +use a bypass switch as opposed to putting it in line + +0:56:15.599,0:56:18.539 +I don't put anything in line because as soon as +you’re in line + +0:56:18.539,0:56:20.599 +what happens + +0:56:20.599,0:56:24.029 +you get blamed so I stay I’m like look I have a dum tap + +0:56:24.029,0:56:27.329 +pull the power cords it’s not going to affect the network +in the least right + +0:56:27.329,0:56:32.129 +I have my sensor my sensor could blow up in a ball of fire +and you wouldn’t even notice it + +0:56:32.129,0:56:36.609 +and all the business owners are like yes + +0:56:36.609,0:56:39.239 +but if I told them I’m putting this box in line + +0:56:39.239,0:56:40.979 +anything that happens you’re like + +0:56:42.449,0:56:44.469 +your box took down my ten million dollar an hour system +I’m going to kill you + +0:56:44.469,0:56:45.160 +so + +0:56:45.160,0:56:50.029 +I don't bother with that + +0:56:50.029,0:56:54.879 +I’ve got a good track record that’s why I’m still employed + +0:56:54.879,0:56:55.469 +so far + +0:56:55.469,0:56:57.629 +the only time I ever took something down + +0:56:57.629,0:56:59.429 +I was 
fully authorized to do + +0:56:59.429,0:57:00.529 +%uh we had + +0:57:00.529,0:57:01.729 +some script kitty + +0:57:01.729,0:57:03.220 +who was + +0:57:03.220,0:57:03.969 +defacing + +0:57:03.969,0:57:05.569 +web site after web site + +0:57:05.569,0:57:06.869 +we had some you know + +0:57:06.869,0:57:09.380 +Microsoft IS 4 0 websites back in the +air force + +0:57:09.380,0:57:10.839 +and he was dialing in getting + +0:57:10.839,0:57:13.789 +a new IP defacing the website + +0:57:13.789,0:57:16.260 +disconnecting dialing in so he had a new IP + +0:57:16.260,0:57:19.590 +so we had all our admins trying to block these IPs + +0:57:19.590,0:57:20.339 +and we’re like this isn’t working + +0:57:23.069,0:57:24.959 +stupid stupid defensive policies + +0:57:24.959,0:57:29.620 +this is all like at two o'clock in the morning +eastern time actually no central wherever I was + +0:57:29.620,0:57:30.759 +in Texas + +0:57:30.759,0:57:35.449 +and so finally I said this guy is all over the space he’s in +California he's using the UUnet + +0:57:35.449,0:57:38.170 +the Uunet blocker however they’re signing they’re signing +the IPs + +0:57:38.170,0:57:41.390 +it's just all over the place we're blocking Uunet + +0:57:41.390,0:57:43.799 +all of Uunet to the air force + +0:57:43.799,0:57:44.790 +so + +0:57:44.790,0:57:45.369 +I was like + +0:57:45.369,0:57:49.939 +execute that blocking order + +0:57:49.939,0:57:51.089 +yeah + +0:57:51.089,0:57:55.309 +I knew there was going to be hell to pay the next morning +so I the next thing I did I was I started writing + +0:57:55.309,0:58:00.729 +this is why I blocked this whatever and I had +tons of generals why did you I couldn’t check my email + +0:58:00.729,0:58:05.439 +and I got up in front of the generals and I said sir this is +why I did it I did it to protect air force assets + +0:58:05.439,0:58:09.259 +and all that so I was alright + +0:58:09.259,0:58:15.639 +yeah question + +0:58:15.639,0:58:16.719 +%um + +0:58:16.719,0:58:18.550 +yes the 
sensors are + +0:58:18.550,0:58:19.969 +scanned all the time + +0:58:19.969,0:58:21.669 +%uh I use them + +0:58:21.669,0:58:26.459 +the model I use with the sensors is you don't firewall +all things off like you might with a Windows + +0:58:26.459,0:58:26.959 +platform + +0:58:26.959,0:58:29.139 +you disabled things + +0:58:29.139,0:58:30.250 +I mean you traditionally you don’t turn it on + +0:58:31.819,0:58:35.139 +so I typically only expose SSH + +0:58:35.139,0:58:38.219 +the systems reach out they don’t + +0:58:38.219,0:58:40.660 +all the things you would think is what +I do + +0:58:40.660,0:58:42.140 +and of course they’re scanned + +0:58:42.140,0:58:43.909 +people try to brute force them of course + +0:58:43.909,0:58:46.179 +if I see somebody brute forcing in my sensor + +0:58:46.179,0:58:47.119 +who are you + +0:58:47.119,0:58:49.170 +because these are all internally managed + +0:58:49.170,0:58:50.450 +well who are you + +0:58:50.450,0:58:52.649 +why do you even know that this box is here + +0:58:52.649,0:58:56.229 +we're going to come and get you + +0:58:56.229,0:58:57.379 +the + +0:58:57.379,0:59:00.919 +sounds better than it is + +0:59:04.479,0:59:08.799 +we selling our fleet of black helicopters actually + +0:59:10.030,0:59:13.449 +we don't have a fleet of corporate jets +like a lot of other companies + +0:59:13.449,0:59:16.189 +we have net jets accounts + +0:59:16.189,0:59:23.189 +well I don’t but the CEO does we do have a helicopter I’ve seen it once + +0:59:23.869,0:59:26.289 +yeah the question was would + +0:59:26.289,0:59:27.469 +honey pot be of any value + +0:59:27.469,0:59:28.969 +honey pots are things that are good to run if + +0:59:28.969,0:59:32.119 +one you’re researcher or two you have a lot of time on your hands + +0:59:32.119,0:59:36.039 +because I have like a network of three hundred thousand +honey pots + +0:59:36.039,0:59:38.479 +so + +0:59:38.479,0:59:40.230 +actually it’s more like half a million now that I think about it + 
+0:59:40.230,0:59:43.139 +so yeah at some point + +0:59:43.139,0:59:46.959 +there’s actually two things one is yeah at some point +you could deploy some honey pots if you see them + +0:59:46.959,0:59:47.589 +scanned + +0:59:47.589,0:59:50.209 +but I have enough systems that are + +0:59:50.209,0:59:51.839 +alive or getting scanned or attacked or exploited + +0:59:51.839,0:59:54.169 +the second thing we have is + +0:59:54.169,0:59:55.510 +if you're inside our network + +0:59:55.510,0:59:59.869 +and if you try to do anything to any any network +that is not explicitly routed by us + +0:59:59.869,1:00:01.239 +you end up in a sink hole + +1:00:01.239,1:00:02.509 +so the sink hole + +1:00:02.509,1:00:04.589 +is an awesome awesome place to find + +1:00:04.589,1:00:07.389 +misconfigured systems malicious systems and +so forth + +1:00:07.389,1:00:09.040 +so I have a sink hole router + +1:00:09.040,1:00:11.210 +and before that I had a sensor that watches that traffic + +1:00:11.210,1:00:13.709 +so the sink hole routers are a great + +1:00:13.709,1:00:14.999 +indicator + +1:00:14.999,1:00:17.509 +source of indicators + +1:00:17.509,1:00:20.849 +it also keeps a lot of load off of our firewalls + +1:00:20.849,1:00:27.289 +so you can’t scan Google from inside GE as +for example it goes straight into the sinkhole + +1:00:27.289,1:00:29.740 +I know Capitol One does that as well + +1:00:29.740,1:00:32.109 +that's it’s a good trick + +1:00:32.109,1:00:34.199 +any other questions + +1:00:34.199,1:00:34.739 +okay thank you very much.
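Review bot: the tool and product names in this bejtlich-networksecurity.sbv hunk still carry machine-transcription errors that the single human pass did not catch, and since people will search the captions for exactly these terms they should be corrected before the file lands. The clear-cut ones, by caption timestamp: "pcat file" (0:42:05) and "pcat data" (0:47:04) and "P cap data" (0:41:16) should read "pcap"; "TCP flow" (0:41:08, 0:41:18) is the tool "tcpflow"; "Demon Logger" and "Marty Rush's implementation of Packet Logger" (0:38:22 to 0:38:29) is "daemonlogger", Marty Roesch's packet logger; "SNB" (0:41:47) is "SMB"; "my sequel" (0:43:36, 0:43:41) is "MySQL" and "sequel query" (0:42:23) is "SQL query"; "source buyer guys" (0:40:31) is "Sourcefire guys"; "insert-response" (0:37:15) is "incident response"; "ID command" (0:40:09) is the Unix "id" command; "MRTGA" (0:38:36) is "MRTG"; "net stat dash B" (0:41:40) is "netstat -B"; "Bam" (0:43:16) is "Bamm" (Bamm Visscher, Sguil's author) and "SGUIL" throughout is spelled "Sguil"; "Verne Paxon" (0:55:12) is "Vern Paxson"; "Microsoft IS 4 0" (0:57:06) is "Microsoft IIS 4.0"; "script kitty" (0:57:00) is "script kiddie"; "dum tap" (0:56:20) is "dumb tap"; "four four three traffic" (0:49:39) is "port 443 traffic"; "Capitol One" (1:00:27) is "Capital One"; and "it's 2099" (0:54:17) should be "2009", matching the 2009/dcbsdcon path this file is committed under. "ASM sensors" (0:50:39) is likely "ASIM sensors", the Air Force sensor program the speaker worked on, but that one is worth confirming against the audio rather than changing blind. Suggest a targeted find-and-replace for the unambiguous cases, e.g. changing
+0:42:05.699,0:42:08.570 +you know you SSH out to the sensor find a pcat file
to "find a pcap file", then a spot check of the remaining lines around each timestamp above.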