0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/149 Thanks! 1 00:00:09,560 --> 00:00:10,999 Good evening, everybody. 2 00:00:11,000 --> 00:00:13,009 Our next speaker is known, 3 00:00:14,730 --> 00:00:17,059 yeah. Our next speaker is known to 4 00:00:17,060 --> 00:00:18,469 cause a little bit of fear 5 00:00:19,490 --> 00:00:22,099 in recent years with 6 00:00:22,100 --> 00:00:23,269 the guys from Cisco. 7 00:00:25,820 --> 00:00:28,189 He's also had his focus on the core 8 00:00:28,190 --> 00:00:30,469 infrastructure of the internet. 9 00:00:30,470 --> 00:00:32,989 And in this talk, as you all know, 10 00:00:32,990 --> 00:00:35,419 we do have lawful interception 11 00:00:35,420 --> 00:00:37,849 interfaces in all the core infrastructure 12 00:00:37,850 --> 00:00:39,919 running our internet. 13 00:00:39,920 --> 00:00:42,049 But there's a big question: could 14 00:00:42,050 --> 00:00:44,629 this lawful interception interface 15 00:00:44,630 --> 00:00:46,759 pose an additional risk to 16 00:00:46,760 --> 00:00:47,749 attack? 17 00:00:47,750 --> 00:00:49,579 Please give a warm round of applause to 18 00:00:49,580 --> 00:00:50,580 FX. 19 00:00:58,310 --> 00:00:59,259 All right. 20 00:00:59,260 --> 00:01:00,760 Oh, well, Snowden 21 00:01:02,260 --> 00:01:04,389 said, basically, this is the 22 00:01:04,390 --> 00:01:06,519 technical side of 23 00:01:06,520 --> 00:01:08,589 the lawful interception 24 00:01:08,590 --> 00:01:10,779 point. Unfortunately, we 25 00:01:10,780 --> 00:01:13,239 can't believe we submitted another 26 00:01:13,240 --> 00:01:15,639 talk on the political side 27 00:01:15,640 --> 00:01:17,710 together with the gentleman over there. 28 00:01:18,820 --> 00:01:20,979 Mr. 
Robert Lee 29 00:01:20,980 --> 00:01:23,319 Unfortunately, it was turned 30 00:01:23,320 --> 00:01:25,059 on because he's with the United States 31 00:01:25,060 --> 00:01:26,060 Air Force. 32 00:01:26,840 --> 00:01:27,879 So, you know, 33 00:01:29,080 --> 00:01:30,430 this is not censorship. 34 00:01:32,140 --> 00:01:34,329 But yeah, 35 00:01:34,330 --> 00:01:36,819 if you if you want to be a censor and 36 00:01:36,820 --> 00:01:38,949 your intelligence should be good 37 00:01:38,950 --> 00:01:40,779 and your child means that the guy who's 38 00:01:40,780 --> 00:01:43,059 allowed to talk is with the NEDA 39 00:01:43,060 --> 00:01:45,219 as a co-director anyway. 40 00:01:45,220 --> 00:01:47,219 So what are we talking about? 41 00:01:48,220 --> 00:01:49,959 What we're talking about is like 42 00:01:51,670 --> 00:01:53,469 the game of lawful interception. 43 00:01:53,470 --> 00:01:55,119 What actually turns out to be a pretty 44 00:01:55,120 --> 00:01:58,449 much a game? So what's the justification? 45 00:01:58,450 --> 00:02:00,069 Who are they looking for? 46 00:02:00,070 --> 00:02:02,049 Why are they watching you watching porn? 47 00:02:03,160 --> 00:02:05,079 The inherent problems with lawful 48 00:02:05,080 --> 00:02:07,419 interception in, 49 00:02:07,420 --> 00:02:09,189 you know, the game mapped and we play one 50 00:02:09,190 --> 00:02:11,319 side, we play the other side and we 51 00:02:11,320 --> 00:02:13,120 have conclusions and then we get drunk. 52 00:02:14,370 --> 00:02:15,370 It's 53 00:02:19,670 --> 00:02:20,670 awful. 54 00:02:21,910 --> 00:02:22,910 So 55 00:02:24,370 --> 00:02:26,169 this talk is IP centric. 56 00:02:26,170 --> 00:02:28,479 Keep in mind that every communication 57 00:02:28,480 --> 00:02:31,239 you do since 58 00:02:31,240 --> 00:02:33,759 a couple of hundred years can be lawfully 59 00:02:33,760 --> 00:02:35,189 intercepted, right? 
60 00:02:36,220 --> 00:02:38,979 So this one is IP centric, 61 00:02:38,980 --> 00:02:41,229 but there's other things email, 62 00:02:41,230 --> 00:02:43,839 snail mail, wired 63 00:02:43,840 --> 00:02:46,119 phone lines, which we actually don't have 64 00:02:46,120 --> 00:02:48,399 any more mobile phone networks 65 00:02:48,400 --> 00:02:49,479 and stuff like that. 66 00:02:49,480 --> 00:02:51,679 Also, keep in mind, know 67 00:02:51,680 --> 00:02:54,579 I don't know shit about 68 00:02:54,580 --> 00:02:56,679 this, except for 69 00:02:56,680 --> 00:02:58,719 I look at it right, sir. 70 00:02:58,720 --> 00:03:00,849 So this is about reading standards, 71 00:03:00,850 --> 00:03:03,219 reading code, reading 72 00:03:03,220 --> 00:03:05,949 books, making fun of people. 73 00:03:05,950 --> 00:03:07,809 Hey, Dov, we have an empty seat on a 74 00:03:07,810 --> 00:03:08,810 stage. Come on. 75 00:03:10,480 --> 00:03:12,199 So what's the justification? 76 00:03:12,200 --> 00:03:14,349 So basically, lawful 77 00:03:14,350 --> 00:03:16,659 interception means there's a law 78 00:03:16,660 --> 00:03:19,299 enforcement agency layer, 79 00:03:19,300 --> 00:03:21,579 which in contrast to Star Wars, 80 00:03:21,580 --> 00:03:22,810 you know, is on the bad side 81 00:03:25,080 --> 00:03:27,690 in in the idea is deadly 82 00:03:28,960 --> 00:03:31,419 deed. They need to listen into 83 00:03:31,420 --> 00:03:34,359 communication from bad people 84 00:03:34,360 --> 00:03:36,579 and it's legally 85 00:03:36,580 --> 00:03:38,439 and that's really interesting, legally 86 00:03:38,440 --> 00:03:41,499 rooted into the idea of, 87 00:03:41,500 --> 00:03:42,569 you know, looking at. 88 00:03:44,780 --> 00:03:46,919 His name out. So it's 89 00:03:46,920 --> 00:03:48,359 a different thing. 
90 00:03:48,360 --> 00:03:50,579 If the police looks at 91 00:03:50,580 --> 00:03:52,110 the envelope of your letter, 92 00:03:53,580 --> 00:03:55,829 which you know, the NSA 93 00:03:55,830 --> 00:03:58,439 calls meta data, or 94 00:03:58,440 --> 00:04:00,269 they opened it later and look at the 95 00:04:00,270 --> 00:04:02,339 letter. So that's where the 96 00:04:02,340 --> 00:04:04,499 legislation comes from. 97 00:04:04,500 --> 00:04:07,049 In actually lawful interception is not 98 00:04:07,050 --> 00:04:09,629 in principle, a bad thing because 99 00:04:09,630 --> 00:04:12,359 it's like basically if your child is 100 00:04:12,360 --> 00:04:14,399 kidnaped and then the ransom note comes 101 00:04:14,400 --> 00:04:16,619 by email, you're going to ask for 102 00:04:16,620 --> 00:04:18,749 it. You're going to ask the police like, 103 00:04:18,750 --> 00:04:20,849 can't you tell me where this fucking 104 00:04:20,850 --> 00:04:21,850 man came from 105 00:04:23,010 --> 00:04:24,149 in in Europe? 106 00:04:26,670 --> 00:04:28,589 Whose phone is that because it's ringing? 107 00:04:36,020 --> 00:04:37,969 Now, I did that a couple of congresses 108 00:04:37,970 --> 00:04:40,159 ago anyway, so 109 00:04:40,160 --> 00:04:42,229 in the European Union 110 00:04:42,230 --> 00:04:45,649 did. The legal basis of the ad is 111 00:04:45,650 --> 00:04:47,879 the council resolution from the 112 00:04:47,880 --> 00:04:50,899 17 January of 1995. 113 00:04:50,900 --> 00:04:53,179 So it's quite some time ago, 114 00:04:53,180 --> 00:04:55,339 which again is legally 115 00:04:55,340 --> 00:04:57,559 rooted into the 116 00:04:57,560 --> 00:04:59,479 Maastricht Treaty and basically 117 00:04:59,480 --> 00:05:01,699 demonstrative says that we have police 118 00:05:01,700 --> 00:05:03,949 cooperation for the purpose 119 00:05:03,950 --> 00:05:06,649 of preventing combating terrorism. 120 00:05:06,650 --> 00:05:07,650 That's all of you. 
121 00:05:09,320 --> 00:05:12,439 Unlawful drug trafficking, which 122 00:05:12,440 --> 00:05:15,079 immediately caused me to ask, like, 123 00:05:15,080 --> 00:05:17,389 OK, who's lawfully 124 00:05:17,390 --> 00:05:18,390 drug trafficking? 125 00:05:25,150 --> 00:05:27,309 I mean, you know, you need to 126 00:05:27,310 --> 00:05:28,310 know. 127 00:05:29,700 --> 00:05:31,959 Supply chains and other 128 00:05:31,960 --> 00:05:34,599 serious forms of international 129 00:05:34,600 --> 00:05:37,119 crime and the national 130 00:05:37,120 --> 00:05:39,699 legislation that then implements that 131 00:05:39,700 --> 00:05:41,919 differs slightly 132 00:05:41,920 --> 00:05:43,779 between different European countries. 133 00:05:45,160 --> 00:05:47,649 One of the primary things 134 00:05:47,650 --> 00:05:50,469 is how much are network operators 135 00:05:50,470 --> 00:05:52,089 allowed to say? 136 00:05:52,090 --> 00:05:54,189 So let's 137 00:05:54,190 --> 00:05:56,259 look at the game map, you know, 138 00:05:56,260 --> 00:05:58,419 before you play a first person shooter, 139 00:05:58,420 --> 00:06:00,039 you better learn the map, right? 140 00:06:01,570 --> 00:06:02,570 Basically, 141 00:06:04,810 --> 00:06:06,969 there's two side stories: two people 142 00:06:06,970 --> 00:06:09,489 that built the internet, 143 00:06:09,490 --> 00:06:11,709 not the ones that asked for 144 00:06:11,710 --> 00:06:13,629 it and how to build and pay for it, 145 00:06:13,630 --> 00:06:14,799 because that's the U.S. 146 00:06:14,800 --> 00:06:16,959 military. And well, if 147 00:06:16,960 --> 00:06:18,609 you're surprised that they want it back, 148 00:06:18,610 --> 00:06:19,610 that's your fault. 
149 00:06:21,310 --> 00:06:22,310 The IETF, 150 00:06:23,530 --> 00:06:25,989 funnily enough, has an RFC 151 00:06:25,990 --> 00:06:29,469 that is absolutely no 1984 152 00:06:29,470 --> 00:06:31,689 and that RFC 153 00:06:31,690 --> 00:06:34,089 basically says, you know, everyone 154 00:06:34,090 --> 00:06:36,729 should encrypt everything to everything 155 00:06:36,730 --> 00:06:39,699 from a point to point. 156 00:06:39,700 --> 00:06:42,429 And, you know, circumventing 157 00:06:42,430 --> 00:06:44,769 this encryption has no 158 00:06:44,770 --> 00:06:45,910 proven benefit. 159 00:06:47,290 --> 00:06:49,540 The NSA might beg to differ. 160 00:06:51,310 --> 00:06:53,469 Years later, the IETF 161 00:06:53,470 --> 00:06:56,679 came on where the policy on wiretapping, 162 00:06:56,680 --> 00:06:58,749 where they had a 163 00:06:58,750 --> 00:07:00,759 couple of interesting points. 164 00:07:00,760 --> 00:07:02,889 One series is that tools 165 00:07:02,890 --> 00:07:05,289 which are effective for a purpose 166 00:07:05,290 --> 00:07:07,029 tend to be used for that purpose. 167 00:07:08,800 --> 00:07:10,359 Oh, surprise. 168 00:07:10,360 --> 00:07:12,009 However, what they're not saying is 169 00:07:12,010 --> 00:07:14,169 everyone can do that. 170 00:07:14,170 --> 00:07:15,879 That doesn't mean it's the people that 171 00:07:15,880 --> 00:07:16,880 you build it for. 172 00:07:17,770 --> 00:07:19,869 The second point being, tools designed for 173 00:07:19,870 --> 00:07:21,849 one purpose that are effective for 174 00:07:21,850 --> 00:07:23,439 another purpose, tend to be used for 175 00:07:23,440 --> 00:07:25,629 other purposes as well. 176 00:07:25,630 --> 00:07:27,910 This is commonly known as HTTP. 177 00:07:30,100 --> 00:07:32,349 And if a vulnerability 178 00:07:32,350 --> 00:07:34,929 exists in a security system, it's likely 179 00:07:34,930 --> 00:07:36,999 that some will take advantage of it 180 00:07:37,000 --> 00:07:38,499 sooner or later. 
181 00:07:38,500 --> 00:07:40,089 And that's what this talk is about. 182 00:07:41,770 --> 00:07:43,929 And so in the same 183 00:07:43,930 --> 00:07:46,029 RFC, they basically sum up the 184 00:07:46,030 --> 00:07:47,529 security considerations 185 00:07:49,000 --> 00:07:51,099 with three points, and this 186 00:07:51,100 --> 00:07:52,869 is really important for this discussion. 187 00:07:52,870 --> 00:07:55,539 The system is less secure 188 00:07:55,540 --> 00:07:57,909 than it would be had this function 189 00:07:57,910 --> 00:08:00,009 not been present, because you're 190 00:08:00,010 --> 00:08:02,049 extending the attack surface, right? 191 00:08:02,050 --> 00:08:04,309 The system is more complex 192 00:08:04,310 --> 00:08:06,429 than it would be 193 00:08:06,430 --> 00:08:09,009 had the function not been present. 194 00:08:09,010 --> 00:08:11,709 Same argument. Being more complex, 195 00:08:11,710 --> 00:08:13,809 the risk of unintended security flaws 196 00:08:13,810 --> 00:08:16,119 in a system is larger, 197 00:08:16,120 --> 00:08:17,170 known as PRISM. 198 00:08:18,850 --> 00:08:20,979 So basically wiretapping, even if 199 00:08:20,980 --> 00:08:23,199 it's not used, therefore lowers 200 00:08:23,200 --> 00:08:25,569 the security of the system in today's 201 00:08:25,570 --> 00:08:27,909 world. You will see wiretapping, 202 00:08:27,910 --> 00:08:30,189 if it hadn't been implemented, 203 00:08:30,190 --> 00:08:31,929 wouldn't allow PRISM to exist. 204 00:08:34,450 --> 00:08:36,939 Why is wiretapping so difficult? 205 00:08:36,940 --> 00:08:39,069 So, first of all, lawful 206 00:08:39,070 --> 00:08:41,319 intercept, as many government 207 00:08:41,320 --> 00:08:43,449 regulated functions in 208 00:08:43,450 --> 00:08:46,119 an ISP, is a cost center. 209 00:08:46,120 --> 00:08:48,249 So Google doesn't make 210 00:08:48,250 --> 00:08:51,009 any money by watching you? 211 00:08:51,010 --> 00:08:52,659 Well, scratch that. 
212 00:08:52,660 --> 00:08:53,559 They make all the money 213 00:08:53,560 --> 00:08:54,560 by watching you. 214 00:09:02,180 --> 00:09:04,249 Your ISP, at least in 215 00:09:04,250 --> 00:09:06,409 Europe, wouldn't make any 216 00:09:06,410 --> 00:09:08,149 money watching you. 217 00:09:08,150 --> 00:09:10,259 However, I mean, here's 218 00:09:10,260 --> 00:09:12,319 a basic calculation from one 219 00:09:12,320 --> 00:09:14,269 of the books on the subject. 220 00:09:14,270 --> 00:09:16,339 So the one time cost of seven or 221 00:09:16,340 --> 00:09:18,649 almost eight million, the 222 00:09:18,650 --> 00:09:20,959 annual cost is like thirty 223 00:09:20,960 --> 00:09:21,889 eight million. 224 00:09:21,890 --> 00:09:23,959 And then if you're lucky, you get 225 00:09:23,960 --> 00:09:25,459 twenty five million back from the 226 00:09:25,460 --> 00:09:27,589 government, which by itself 227 00:09:27,590 --> 00:09:28,590 is questionable. 228 00:09:29,400 --> 00:09:31,070 But if you're 229 00:09:32,800 --> 00:09:34,959 not less bad in math than 230 00:09:34,960 --> 00:09:37,269 I am, you will notice this 231 00:09:37,270 --> 00:09:39,070 is not a positive sum game. 232 00:09:40,540 --> 00:09:42,669 The next thing is performance 233 00:09:42,670 --> 00:09:44,679 in an operation, so 234 00:09:46,170 --> 00:09:47,740 the operation of the target is 235 00:09:48,910 --> 00:09:51,069 like the service must appear 236 00:09:51,070 --> 00:09:53,559 to be unchanged. 237 00:09:53,560 --> 00:09:55,629 Do you know any gamers in here? 238 00:09:58,430 --> 00:10:00,379 What do you think you will do when your 239 00:10:00,380 --> 00:10:02,659 ping times go down like 200 240 00:10:02,660 --> 00:10:03,660 milliseconds? 241 00:10:07,040 --> 00:10:08,040 Sorry. 242 00:10:08,510 --> 00:10:11,179 Which was actually triggering the 243 00:10:11,180 --> 00:10:13,279 naming of the talk. 244 00:10:13,280 --> 00:10:15,499 So that is one part. 
245 00:10:15,500 --> 00:10:17,869 The next one is during interception. 246 00:10:17,870 --> 00:10:20,869 A lawful intercept agencies may require 247 00:10:20,870 --> 00:10:23,149 information and assistance, blah 248 00:10:23,150 --> 00:10:24,499 blah blah, a.k.a. 249 00:10:24,500 --> 00:10:26,719 they have no fucking clue, and they call 250 00:10:26,720 --> 00:10:28,279 your network administrators. 251 00:10:30,440 --> 00:10:32,779 The third part being by 252 00:10:32,780 --> 00:10:34,879 the telecommunication to and from the 253 00:10:34,880 --> 00:10:36,529 target service, be provided to the 254 00:10:36,530 --> 00:10:39,199 exclusion of any telecommunications 255 00:10:39,200 --> 00:10:41,479 that do not fall within the scope, which 256 00:10:41,480 --> 00:10:43,130 means they tell you 257 00:10:44,840 --> 00:10:46,999 who you're supposed to monitor and you 258 00:10:47,000 --> 00:10:49,369 are fucking responsible to make sure 259 00:10:49,370 --> 00:10:50,749 that you're not monitoring the wrong 260 00:10:50,750 --> 00:10:51,750 people. 261 00:10:52,460 --> 00:10:53,460 Wait a minute. 262 00:10:55,250 --> 00:10:57,769 But then there's the basic 263 00:10:57,770 --> 00:10:59,569 I.T. and networking guy. 264 00:10:59,570 --> 00:11:01,969 There's basic bandwidth issues. 265 00:11:01,970 --> 00:11:04,519 Transmissions forwarded to the monitoring 266 00:11:04,520 --> 00:11:06,589 facility to comply with the performance 267 00:11:06,590 --> 00:11:09,829 standards of the network operators. 268 00:11:09,830 --> 00:11:11,809 A bullshit statement to begin with. 269 00:11:11,810 --> 00:11:14,119 But let me explain why 270 00:11:14,120 --> 00:11:16,399 this is really interesting. 271 00:11:16,400 --> 00:11:18,469 So this is 272 00:11:18,470 --> 00:11:20,839 how we actually envisioned 273 00:11:20,840 --> 00:11:23,539 the internet to be right. 274 00:11:23,540 --> 00:11:25,699 So, you know, you have an access 275 00:11:25,700 --> 00:11:26,700 point. 
276 00:11:27,950 --> 00:11:28,950 What hell, 277 00:11:30,110 --> 00:11:31,639 let's drink gigabytes so that one is 278 00:11:31,640 --> 00:11:32,640 already over. 279 00:11:39,490 --> 00:11:41,439 I've never been applauded into getting 280 00:11:41,440 --> 00:11:42,669 drunk. That's awesome. 281 00:11:44,960 --> 00:11:45,960 Basically, 282 00:11:47,170 --> 00:11:49,030 this is how we envision the internet 283 00:11:50,620 --> 00:11:52,869 where basically this is what I ask for 284 00:11:52,870 --> 00:11:55,149 is if you bomb one site with 285 00:11:55,150 --> 00:11:58,539 a nuke, things still work. 286 00:11:58,540 --> 00:12:01,449 So on the right side, you have the webcam 287 00:12:01,450 --> 00:12:03,549 that you paid for 288 00:12:03,550 --> 00:12:04,509 to use. 289 00:12:04,510 --> 00:12:06,909 And on the left side, you have 290 00:12:06,910 --> 00:12:08,729 the average nerd. 291 00:12:10,900 --> 00:12:13,149 Me included, certainly, that 292 00:12:13,150 --> 00:12:14,559 has an ideas outline. 293 00:12:14,560 --> 00:12:16,659 This is what the two arrows mean. 294 00:12:16,660 --> 00:12:17,660 Right? 295 00:12:18,910 --> 00:12:19,910 So. 296 00:12:25,270 --> 00:12:27,339 Which this tries 297 00:12:27,340 --> 00:12:29,799 to sum up that, you know, the military 298 00:12:29,800 --> 00:12:31,209 built the internet, porn made it 299 00:12:31,210 --> 00:12:32,210 big. 300 00:12:33,280 --> 00:12:35,439 Basically, this is what 301 00:12:35,440 --> 00:12:37,539 the military and 302 00:12:37,540 --> 00:12:39,609 famous universities worked on. 303 00:12:39,610 --> 00:12:41,769 Now, a couple of years ago, 304 00:12:41,770 --> 00:12:44,709 I was at a conference in China, 305 00:12:44,710 --> 00:12:47,229 and after two hours 306 00:12:47,230 --> 00:12:48,969 of the introduction speeches from 307 00:12:48,970 --> 00:12:51,279 professors, I thought, I'm at the wrong 308 00:12:51,280 --> 00:12:53,709 conference. 
But all the other speakers 309 00:12:53,710 --> 00:12:56,439 that I knew were still there. 310 00:12:56,440 --> 00:12:57,699 And I thought, I'm on the wrong 311 00:12:57,700 --> 00:12:59,259 conference because they kept talking 312 00:12:59,260 --> 00:13:00,700 about the censor network 313 00:13:02,470 --> 00:13:04,629 as in censoring, 314 00:13:04,630 --> 00:13:07,059 because the network topology changes 315 00:13:07,060 --> 00:13:09,009 drastically if you're monitoring 316 00:13:09,010 --> 00:13:10,010 everyone. 317 00:13:10,690 --> 00:13:12,369 This is what the Chinese network looks 318 00:13:12,370 --> 00:13:13,419 like. 319 00:13:13,420 --> 00:13:15,609 And basically 320 00:13:15,610 --> 00:13:17,979 on every single point, you need the sum 321 00:13:17,980 --> 00:13:20,139 of all bandwidth that goes into 322 00:13:20,140 --> 00:13:22,329 deploying and out of the plane to be 323 00:13:22,330 --> 00:13:25,119 collected into your monitoring station. 324 00:13:25,120 --> 00:13:27,049 And this is why the Chinese actually call 325 00:13:27,050 --> 00:13:28,029 the local network. 326 00:13:28,030 --> 00:13:30,249 They're censoring network because it 327 00:13:30,250 --> 00:13:32,259 basically isn't censoring, not with the 328 00:13:32,260 --> 00:13:34,329 C, but with a censor 329 00:13:34,330 --> 00:13:35,440 like it says on its lights, 330 00:13:36,970 --> 00:13:39,159 because that's the topology, and that 331 00:13:39,160 --> 00:13:40,719 means completely different routing 332 00:13:40,720 --> 00:13:43,239 patterns and all that things 333 00:13:43,240 --> 00:13:45,249 get. OK, we understood the basic 334 00:13:45,250 --> 00:13:46,539 problems. 335 00:13:46,540 --> 00:13:48,309 Now what's the game plan? 336 00:13:48,310 --> 00:13:50,529 So I just this is slightly 337 00:13:50,530 --> 00:13:53,049 adapted explanation 338 00:13:53,050 --> 00:13:55,179 from Wikipedia about 339 00:13:55,180 --> 00:13:56,499 counterstrike. 
340 00:13:56,500 --> 00:13:58,569 Uh, it's we're talking about 341 00:13:58,570 --> 00:14:00,189 a first person game in which the players 342 00:14:00,190 --> 00:14:02,319 join either the terrorist 343 00:14:02,320 --> 00:14:04,419 team or the counterterrorist team. 344 00:14:05,830 --> 00:14:07,569 In contrast to Counter-Strike, 345 00:14:07,570 --> 00:14:09,639 not all become 346 00:14:09,640 --> 00:14:11,799 spectators. 347 00:14:11,800 --> 00:14:14,169 They do it to become spectators. 348 00:14:16,830 --> 00:14:19,049 What points do we actually have, like 349 00:14:19,050 --> 00:14:21,299 where could you take the data 350 00:14:21,300 --> 00:14:23,489 off the network and, you know, watch 351 00:14:23,490 --> 00:14:24,490 me, what's important? 352 00:14:25,510 --> 00:14:27,419 There's the acquisition at the source. 353 00:14:28,890 --> 00:14:30,899 In Germany, we call that given to you. 354 00:14:32,850 --> 00:14:35,489 There's the next hop, which is the 355 00:14:35,490 --> 00:14:37,559 plastic router that you get from your 356 00:14:37,560 --> 00:14:39,659 ISP or your market or 357 00:14:39,660 --> 00:14:40,660 whatever. 358 00:14:41,290 --> 00:14:43,349 There's the most common way 359 00:14:43,350 --> 00:14:45,450 of doing it in the network access layer, 360 00:14:46,770 --> 00:14:48,839 which we're going to cover in 361 00:14:48,840 --> 00:14:51,269 more detail. Then there's the SS7 362 00:14:51,270 --> 00:14:53,009 probes, which is really interesting 363 00:14:53,010 --> 00:14:55,499 because it allows you to monitor 364 00:14:55,500 --> 00:14:57,659 phone calls and SMS and stuff like 365 00:14:57,660 --> 00:15:00,299 that from across the planet. 366 00:15:00,300 --> 00:15:02,249 You don't have to be in the network 367 00:15:02,250 --> 00:15:04,349 stream. You can actually, you know, 368 00:15:04,350 --> 00:15:06,839 tell the SS7 network, 369 00:15:06,840 --> 00:15:08,130 Give me that SMS. 
370 00:15:09,270 --> 00:15:11,399 There's data retention, 371 00:15:11,400 --> 00:15:13,559 which basically means someone 372 00:15:13,560 --> 00:15:15,959 else is monitoring the stuff for you 373 00:15:15,960 --> 00:15:18,149 and runs an Oracle database 374 00:15:18,150 --> 00:15:20,159 that nobody cares to share about it 375 00:15:20,160 --> 00:15:21,899 because it's a cost center. 376 00:15:21,900 --> 00:15:24,119 And while there's 377 00:15:24,120 --> 00:15:25,769 all your communications for the last half 378 00:15:25,770 --> 00:15:28,139 year ender, which 379 00:15:28,140 --> 00:15:30,209 I'm sure no Foreign Secret 380 00:15:30,210 --> 00:15:31,709 Service will find interesting, 381 00:15:32,730 --> 00:15:35,369 there is DNS triggered 382 00:15:35,370 --> 00:15:36,299 interception. 383 00:15:36,300 --> 00:15:37,500 This is what. 384 00:15:40,230 --> 00:15:42,389 I would like to see less free countries, 385 00:15:42,390 --> 00:15:44,579 but by now, I'm not really sure about 386 00:15:44,580 --> 00:15:45,580 that. 387 00:15:46,270 --> 00:15:47,270 U.S. 388 00:15:52,280 --> 00:15:54,499 And then there's the threat actor of 389 00:15:54,500 --> 00:15:56,659 the type global observer, which 390 00:15:56,660 --> 00:15:58,759 as far as I know, is a term the D.A. 391 00:15:58,760 --> 00:16:01,549 actually coined for designing 392 00:16:01,550 --> 00:16:03,019 cryptography groups. 393 00:16:03,020 --> 00:16:05,149 So we're playing on a good site now 394 00:16:05,150 --> 00:16:06,230 where the counterterrorist, 395 00:16:07,340 --> 00:16:09,529 which means let's 396 00:16:09,530 --> 00:16:10,549 all them up and get up. 397 00:16:14,770 --> 00:16:16,959 So, of course, we played a kind of 398 00:16:16,960 --> 00:16:19,809 because we're all the good guards, guys, 399 00:16:19,810 --> 00:16:21,909 whatever in between and an android. 400 00:16:25,190 --> 00:16:27,229 This is how it looks like, so the U.S. 
401 00:16:27,230 --> 00:16:29,599 has a slightly different model 402 00:16:29,600 --> 00:16:30,600 called CALEA. 403 00:16:31,790 --> 00:16:34,039 In Europe, we use the ETSI 404 00:16:35,900 --> 00:16:36,900 model. 405 00:16:38,330 --> 00:16:40,639 So basically that has three interfaces. 406 00:16:40,640 --> 00:16:42,979 The first interface, it looks like 407 00:16:42,980 --> 00:16:45,499 a computer interface, but it's actually 408 00:16:45,500 --> 00:16:47,599 an interface between 409 00:16:47,600 --> 00:16:48,529 people. 410 00:16:48,530 --> 00:16:50,390 So yes, there are people involved. 411 00:16:51,680 --> 00:16:53,959 So the other 412 00:16:53,960 --> 00:16:56,329 one will, 413 00:16:56,330 --> 00:16:58,939 you know, talk to the network 414 00:16:58,940 --> 00:17:01,369 operator's legal people and say, 415 00:17:01,370 --> 00:17:03,619 you know, we have this 416 00:17:03,620 --> 00:17:04,759 warrant or 417 00:17:06,140 --> 00:17:08,209 whatever, we're the French Secret 418 00:17:08,210 --> 00:17:09,348 Service or blah blah blah. 419 00:17:10,490 --> 00:17:12,858 Can we please have that interception? 420 00:17:12,859 --> 00:17:15,078 The second interface 421 00:17:15,079 --> 00:17:17,209 is what we 422 00:17:17,210 --> 00:17:20,088 all know as metadata. 423 00:17:20,089 --> 00:17:22,229 So if you have an IRI 424 00:17:22,230 --> 00:17:24,828 feed, that is in an email 425 00:17:24,829 --> 00:17:26,959 to, from, subject, basically the 426 00:17:26,960 --> 00:17:29,659 entire header, or on IP communication, 427 00:17:29,660 --> 00:17:31,879 it would be the IP header 428 00:17:31,880 --> 00:17:34,069 plus TCP or UDP if 429 00:17:34,070 --> 00:17:35,210 they can recognize it. 430 00:17:36,260 --> 00:17:39,019 The content of communication 431 00:17:39,020 --> 00:17:41,449 means tcpdump, 432 00:17:41,450 --> 00:17:43,879 save everything, right? 
433 00:17:43,880 --> 00:17:46,009 So this is three different ways 434 00:17:46,010 --> 00:17:48,019 of dealing with that. 435 00:17:48,020 --> 00:17:51,379 And as you see, with the big bubble, 436 00:17:51,380 --> 00:17:53,480 it's all the fucking ISP's fault. 437 00:17:55,640 --> 00:17:58,339 Yeah. The police just 438 00:17:58,340 --> 00:18:01,579 wanted New Years. 439 00:18:01,580 --> 00:18:04,069 This is far from complete, 440 00:18:04,070 --> 00:18:06,230 but I liked it because 441 00:18:07,610 --> 00:18:09,859 there's a couple of vendors, 442 00:18:09,860 --> 00:18:11,959 as I say it is, as far as 443 00:18:11,960 --> 00:18:14,719 I know, from Israel, Darren. 444 00:18:14,720 --> 00:18:16,819 And they are interesting because most of 445 00:18:16,820 --> 00:18:19,039 the configuration templates 446 00:18:19,040 --> 00:18:21,259 that you find on a nightly, 447 00:18:21,260 --> 00:18:23,389 OK, I'm running an ISP, I'm new 448 00:18:23,390 --> 00:18:25,519 in my job. How do I configure 449 00:18:25,520 --> 00:18:27,979 LI for blah blah? 450 00:18:27,980 --> 00:18:29,569 This is what they get sent. 451 00:18:29,570 --> 00:18:32,179 Now imagine you have absolutely 452 00:18:32,180 --> 00:18:34,279 no clue on what you're doing, 453 00:18:34,280 --> 00:18:36,649 and someone sends you a line 454 00:18:36,650 --> 00:18:38,479 of configuration for your Cisco. 455 00:18:40,880 --> 00:18:42,500 What do you think happens? 456 00:18:44,720 --> 00:18:47,809 Control C, Control V, 457 00:18:47,810 --> 00:18:48,810 Enter? 458 00:18:50,150 --> 00:18:52,509 So not surprisingly, as this shows, 459 00:18:52,510 --> 00:18:54,679 passwd is a 460 00:18:54,680 --> 00:18:56,749 very common password 461 00:18:56,750 --> 00:18:57,750 and 462 00:18:58,940 --> 00:19:01,789 there's other vendors. 463 00:19:01,790 --> 00:19:03,679 Interestingly enough, because like I 464 00:19:03,680 --> 00:19:05,599 pointed out, that lawful interception is 465 00:19:05,600 --> 00:19:06,859 a cost center. 
466 00:19:06,860 --> 00:19:09,859 Most of the LI vendors 467 00:19:09,860 --> 00:19:12,019 actually market their stuff with 468 00:19:12,020 --> 00:19:13,969 billing systems. 469 00:19:13,970 --> 00:19:16,399 There's books on return of 470 00:19:16,400 --> 00:19:17,959 investment 471 00:19:17,960 --> 00:19:19,489 on lawful interception. 472 00:19:21,410 --> 00:19:23,629 And this is the second 473 00:19:23,630 --> 00:19:24,529 case. 474 00:19:24,530 --> 00:19:26,749 I would like to point out that the 475 00:19:26,750 --> 00:19:29,839 numbers three to five are, 476 00:19:29,840 --> 00:19:32,239 you know, followed by a German 477 00:19:32,240 --> 00:19:33,240 company. 478 00:19:33,960 --> 00:19:36,229 And guess who's the biggest 479 00:19:36,230 --> 00:19:37,230 vendor in the world? 480 00:19:39,050 --> 00:19:41,299 I mean, there's these interesting 481 00:19:41,300 --> 00:19:42,979 features by some. 482 00:19:42,980 --> 00:19:45,199 Some companies have that feature of 483 00:19:45,200 --> 00:19:47,749 so either information 484 00:19:48,770 --> 00:19:50,299 is sent to you by fax. 485 00:19:53,320 --> 00:19:54,320 Excuse me. 486 00:19:55,990 --> 00:19:58,119 Like the next one, they have an add 487 00:19:58,120 --> 00:20:00,549 on that converts voice over IP 488 00:20:00,550 --> 00:20:03,819 calls into ISDN calls. 489 00:20:03,820 --> 00:20:05,139 Now let me think. 490 00:20:06,190 --> 00:20:09,729 I can produce about 200000 491 00:20:09,730 --> 00:20:11,889 voice over IP calls 492 00:20:11,890 --> 00:20:14,349 per minute. 493 00:20:16,890 --> 00:20:17,890 At home, 494 00:20:19,170 --> 00:20:20,999 how many ISDN lines do you have? 495 00:20:24,150 --> 00:20:25,679 And there's all kinds of 496 00:20:25,680 --> 00:20:26,930 interesting stuff, so. 
497 00:20:28,710 --> 00:20:30,899 And here's 498 00:20:30,900 --> 00:20:32,999 just the takeout from from one of 499 00:20:33,000 --> 00:20:35,189 the vendors and did not 500 00:20:35,190 --> 00:20:37,229 necessarily one of the mentioned. 501 00:20:37,230 --> 00:20:39,869 That is things like it includes 502 00:20:39,870 --> 00:20:42,389 optimal granularity to preserve 503 00:20:42,390 --> 00:20:43,390 privacy. 504 00:20:45,690 --> 00:20:47,789 OK, so you rebuilt 505 00:20:47,790 --> 00:20:49,709 myself out of Lagos. 506 00:20:49,710 --> 00:20:50,710 That's fine. 507 00:20:51,280 --> 00:20:53,429 So it captures only the 508 00:20:53,430 --> 00:20:55,649 traffic to and from the Entity List 509 00:20:55,650 --> 00:20:57,059 and on the way around. 510 00:20:58,290 --> 00:21:00,689 Yes, because that's the only traffic you 511 00:21:00,690 --> 00:21:03,299 can get by legislation 512 00:21:03,300 --> 00:21:04,300 poseur. 513 00:21:05,340 --> 00:21:07,409 It operates at high speeds, 514 00:21:07,410 --> 00:21:08,429 to be precise. 515 00:21:08,430 --> 00:21:10,859 The high operation speed is measured 516 00:21:10,860 --> 00:21:13,469 in jeeps. 517 00:21:13,470 --> 00:21:15,329 Yes. 518 00:21:15,330 --> 00:21:17,440 It ensures the blah blah blah. 519 00:21:19,500 --> 00:21:21,809 The traffic interception happens 520 00:21:21,810 --> 00:21:24,419 in the core network, minimizing 521 00:21:24,420 --> 00:21:26,010 the number of devices 522 00:21:27,120 --> 00:21:29,169 that need to be. 523 00:21:29,170 --> 00:21:30,750 Let me replace that on't. 524 00:21:32,400 --> 00:21:34,469 So this is what what we're looking 525 00:21:34,470 --> 00:21:36,359 at right now. 526 00:21:39,010 --> 00:21:40,179 What blew me away? 527 00:21:42,280 --> 00:21:44,619 If if you know me for a while, 528 00:21:44,620 --> 00:21:47,409 Cisco actually published. 529 00:21:47,410 --> 00:21:49,359 They're lawful intercept. 
530 00:21:50,640 --> 00:21:51,640 Interface 531 00:21:52,800 --> 00:21:54,929 with the, you know, with 532 00:21:54,930 --> 00:21:56,579 the IDF. 533 00:21:56,580 --> 00:21:58,289 They made an RC out of that. 534 00:21:58,290 --> 00:22:00,269 The IDF went full FIFA mode. 535 00:22:00,270 --> 00:22:02,519 Like, I'm not talking to you. 536 00:22:02,520 --> 00:22:03,839 This is all your problem. 537 00:22:05,430 --> 00:22:06,869 Have for good reason. 538 00:22:06,870 --> 00:22:08,099 But what the fuck? 539 00:22:08,100 --> 00:22:10,109 I mean, Cisco is the only fucking vendor 540 00:22:10,110 --> 00:22:12,449 that does the right thing in 541 00:22:12,450 --> 00:22:15,119 to lie interface, 542 00:22:15,120 --> 00:22:16,589 peer reviewed. 543 00:22:16,590 --> 00:22:19,089 And there are parts of my worldview 544 00:22:19,090 --> 00:22:20,880 start to crumble on the left side. 545 00:22:22,500 --> 00:22:24,719 But then, you know, I looked at it and 546 00:22:24,720 --> 00:22:26,639 I'm like, Happy because. 547 00:22:26,640 --> 00:22:29,549 OK, cool. It's it's still Cisco. 548 00:22:29,550 --> 00:22:31,679 The authentication design is a complete 549 00:22:31,680 --> 00:22:33,989 failure simply because 550 00:22:33,990 --> 00:22:35,819 the law enforcement, authentication and 551 00:22:35,820 --> 00:22:37,889 authorization taps happen at 552 00:22:37,890 --> 00:22:38,970 the mediation device. 553 00:22:40,050 --> 00:22:42,599 Now the interception 554 00:22:42,600 --> 00:22:44,959 and the question Where do you intercept? 555 00:22:44,960 --> 00:22:46,979 Where do you send the traffic that you 556 00:22:46,980 --> 00:22:49,379 intercept that happens 557 00:22:49,380 --> 00:22:50,999 on the router? 558 00:22:51,000 --> 00:22:52,000 Hmm. 559 00:22:53,810 --> 00:22:54,829 Let's see. 560 00:22:54,830 --> 00:22:56,839 So this is this is from the I.R.S. 561 00:22:57,950 --> 00:23:00,079 and so basically he one 562 00:23:01,580 --> 00:23:04,729 is the nontechnical interface. 
563 00:23:04,730 --> 00:23:07,129 I assume that by now, the L.A. 564 00:23:07,130 --> 00:23:08,959 administration function is a web 565 00:23:08,960 --> 00:23:11,659 interface that both company lawyers 566 00:23:11,660 --> 00:23:14,209 and police 567 00:23:15,290 --> 00:23:16,290 address. 568 00:23:17,270 --> 00:23:18,270 I wonder how 569 00:23:19,610 --> 00:23:21,919 in this configures in the center, 570 00:23:21,920 --> 00:23:24,349 there's the mediation device, 571 00:23:24,350 --> 00:23:27,129 so the mediation device talks to 572 00:23:27,130 --> 00:23:29,209 irate meta data collection. 573 00:23:29,210 --> 00:23:30,950 As far as I know, Cisco doesn't have any. 574 00:23:32,220 --> 00:23:33,390 You've got to be fucking kidding me. 575 00:23:34,950 --> 00:23:37,229 OK, I apparently need to hurry 576 00:23:37,230 --> 00:23:39,479 up in 577 00:23:39,480 --> 00:23:41,999 so the rest happens there 578 00:23:42,000 --> 00:23:43,000 to. 579 00:23:43,570 --> 00:23:45,699 Let pictures speak faster than I 580 00:23:45,700 --> 00:23:46,899 do. 581 00:23:46,900 --> 00:23:48,489 This is basically how it looks like. 582 00:23:49,750 --> 00:23:51,939 And oh 583 00:23:51,940 --> 00:23:54,039 my God, I'm 584 00:23:54,040 --> 00:23:56,469 a slight 20 or 44 and 585 00:23:56,470 --> 00:23:57,759 50 minutes left. 586 00:23:57,760 --> 00:23:58,869 Good. 587 00:23:58,870 --> 00:24:01,509 So this reference model basically 588 00:24:01,510 --> 00:24:03,969 says Sears as an v three. 589 00:24:04,990 --> 00:24:07,539 That's common well-controlled. 590 00:24:07,540 --> 00:24:09,880 Everyone knows exactly what they do. 591 00:24:10,990 --> 00:24:13,479 You need authentication. 592 00:24:13,480 --> 00:24:15,399 But the thing is, everything you do is a 593 00:24:15,400 --> 00:24:17,139 single UDP packet. 
594 00:24:17,140 --> 00:24:19,209 The mediation device does all 595 00:24:19,210 --> 00:24:21,759 the bullshit and it manages 596 00:24:21,760 --> 00:24:23,979 whatever, and the router only does what 597 00:24:23,980 --> 00:24:25,150 it's supposed to do. 598 00:24:26,200 --> 00:24:28,539 Well, Ally 599 00:24:28,540 --> 00:24:31,329 basically violates the basic, 600 00:24:31,330 --> 00:24:33,609 absolutely pure basic 601 00:24:33,610 --> 00:24:35,919 design principle of the router 602 00:24:35,920 --> 00:24:38,379 because ally matching happens 603 00:24:38,380 --> 00:24:40,359 in what's called the critical path. 604 00:24:40,360 --> 00:24:42,949 Why do you buy a router? 605 00:24:42,950 --> 00:24:44,169 Take packet from here. 606 00:24:44,170 --> 00:24:46,459 Move it here as fast as you 607 00:24:46,460 --> 00:24:48,669 can. Alternatively, look 608 00:24:48,670 --> 00:24:49,670 at it. 609 00:24:53,400 --> 00:24:55,909 That means your porn feels 610 00:24:55,910 --> 00:24:57,559 like in the 80s. 611 00:24:59,850 --> 00:25:00,850 So. 612 00:25:01,550 --> 00:25:04,099 And that's illegal, as I told you. 613 00:25:04,100 --> 00:25:06,199 So voters are not meant to do 614 00:25:06,200 --> 00:25:08,569 that. So the way Cisco implemented 615 00:25:08,570 --> 00:25:10,789 that and that's actually not stupid 616 00:25:10,790 --> 00:25:12,889 is the closest they've found was 617 00:25:12,890 --> 00:25:14,179 access control lists. 618 00:25:14,180 --> 00:25:16,249 The problem is every time they invent a 619 00:25:16,250 --> 00:25:17,599 new performing technique. 620 00:25:19,050 --> 00:25:21,209 A year later, there's a Cisco 621 00:25:21,210 --> 00:25:23,069 advisory saying, oops. 622 00:25:23,070 --> 00:25:25,079 Access control lists are not matched on 623 00:25:25,080 --> 00:25:26,080 this 624 00:25:27,450 --> 00:25:29,909 yet. So for deception purposes, 625 00:25:29,910 --> 00:25:32,069 they actually built them on the fly. 626 00:25:32,070 --> 00:25:33,839 Hmm. Let's see. 
627 00:25:33,840 --> 00:25:35,849 So this is how a mediation device looks 628 00:25:35,850 --> 00:25:38,549 like this is a tech version. 629 00:25:38,550 --> 00:25:40,229 So you basically say who, what? 630 00:25:40,230 --> 00:25:41,339 When porn? 631 00:25:43,470 --> 00:25:46,019 How do you protect that interface? 632 00:25:46,020 --> 00:25:48,119 Authentication was actually required, so 633 00:25:48,120 --> 00:25:50,369 you can't, no matter how stupid 634 00:25:50,370 --> 00:25:52,709 you are. You can't configure 635 00:25:52,710 --> 00:25:54,809 S&P V three you 636 00:25:54,810 --> 00:25:56,549 for L.A. 637 00:25:56,550 --> 00:25:57,960 without authentication. 638 00:25:59,400 --> 00:26:01,679 And there's a couple of other values 639 00:26:01,680 --> 00:26:03,689 that you need, basically. 640 00:26:03,690 --> 00:26:06,119 There's also access control lists for 641 00:26:06,120 --> 00:26:08,219 so-called infrastructure accords in 642 00:26:08,220 --> 00:26:10,349 place, so not everyone in the world can 643 00:26:10,350 --> 00:26:11,350 talk to you. 644 00:26:12,150 --> 00:26:14,459 S&P Hopefully 645 00:26:15,870 --> 00:26:18,089 you can bind 646 00:26:18,090 --> 00:26:19,079 us to user groups. 647 00:26:19,080 --> 00:26:19,979 Nobody cares. 648 00:26:19,980 --> 00:26:22,619 You can encrypt is nobody cares because 649 00:26:22,620 --> 00:26:25,019 it's a lie and nobody fucking cares. 650 00:26:25,020 --> 00:26:26,430 We want to run a network. 651 00:26:27,780 --> 00:26:31,249 Then came IPv6. 652 00:26:31,250 --> 00:26:32,729 A different story 653 00:26:34,350 --> 00:26:36,629 and there's notification, so 654 00:26:36,630 --> 00:26:38,819 it tells you when there's lawful 655 00:26:38,820 --> 00:26:39,779 interception going on. 656 00:26:39,780 --> 00:26:41,519 But this is not meant for network 657 00:26:41,520 --> 00:26:42,479 operators. 658 00:26:42,480 --> 00:26:44,429 This is meant to be sent to the mediation 659 00:26:44,430 --> 00:26:45,539 device. 
660 00:26:45,540 --> 00:26:48,389 You know, it holds its as 661 00:26:48,390 --> 00:26:50,059 it's had out of its ass. 662 00:26:51,120 --> 00:26:53,189 So Contreras 663 00:26:53,190 --> 00:26:54,119 went right. 664 00:26:54,120 --> 00:26:55,349 That was the point. 665 00:26:55,350 --> 00:26:56,940 This is why we put this all in place 666 00:26:58,140 --> 00:27:00,359 now just 667 00:27:00,360 --> 00:27:02,489 for educational purposes 668 00:27:02,490 --> 00:27:04,259 as a thought experiment. 669 00:27:04,260 --> 00:27:05,599 We're going to play the other side. 670 00:27:07,950 --> 00:27:10,949 The options that we have is 671 00:27:10,950 --> 00:27:12,149 point one. 672 00:27:12,150 --> 00:27:14,489 Do whatever terrorist known on the world 673 00:27:14,490 --> 00:27:16,589 does not using 674 00:27:16,590 --> 00:27:17,590 the internet. 675 00:27:20,020 --> 00:27:21,020 For. 676 00:27:28,660 --> 00:27:31,179 It took me a couple of years to realize 677 00:27:31,180 --> 00:27:33,459 that those meals are not actually 678 00:27:34,660 --> 00:27:36,160 transporting IP traffic. 679 00:27:37,210 --> 00:27:40,419 So it turns out tively, 680 00:27:40,420 --> 00:27:42,489 what we can do is use traffic 681 00:27:42,490 --> 00:27:45,009 that is not intercepted detecting 682 00:27:45,010 --> 00:27:47,079 deception or take over 683 00:27:47,080 --> 00:27:48,080 things. 684 00:27:50,110 --> 00:27:52,389 In traffic, not intercepted 685 00:27:52,390 --> 00:27:54,459 is not something we 686 00:27:54,460 --> 00:27:57,819 really have to do much for, because 687 00:27:57,820 --> 00:28:00,609 so here's a couple of 688 00:28:00,610 --> 00:28:02,559 bags that showed up. 689 00:28:02,560 --> 00:28:05,619 So in extreme, 690 00:28:05,620 --> 00:28:07,899 the lawful intercept feature 691 00:28:07,900 --> 00:28:10,209 needs a license they 692 00:28:10,210 --> 00:28:11,470 turn to expire. 
693 00:28:19,660 --> 00:28:21,399 And keep in mind, this is something 694 00:28:21,400 --> 00:28:22,839 nobody fucking cares about it. 695 00:28:23,950 --> 00:28:26,049 The Europe based interception 696 00:28:26,050 --> 00:28:28,149 VR as a virtual writing frame 697 00:28:28,150 --> 00:28:30,399 works basically, 698 00:28:30,400 --> 00:28:32,799 if your company is like, we don't need 699 00:28:32,800 --> 00:28:35,109 encryption because we have an MPL 700 00:28:35,110 --> 00:28:37,359 where service provider virtual 701 00:28:37,360 --> 00:28:39,369 private network over the internet. 702 00:28:40,660 --> 00:28:42,159 Those are not encrypted. 703 00:28:42,160 --> 00:28:44,319 And even if they are they're 704 00:28:44,320 --> 00:28:46,989 encrypted between point and point. 705 00:28:46,990 --> 00:28:49,689 So if the 706 00:28:49,690 --> 00:28:51,939 lawful interception agency 707 00:28:51,940 --> 00:28:54,639 wants to listen to your traffic, 708 00:28:54,640 --> 00:28:55,900 here they go, right? 709 00:28:56,980 --> 00:28:59,079 The thing is, keep in mind 710 00:28:59,080 --> 00:29:01,329 the usual notice that this 711 00:29:01,330 --> 00:29:02,649 happens. 712 00:29:02,650 --> 00:29:04,119 Things break like 713 00:29:05,200 --> 00:29:08,289 minor things like policy based writing, 714 00:29:08,290 --> 00:29:10,659 and nobody uses that 715 00:29:10,660 --> 00:29:12,309 server load balancing. 716 00:29:12,310 --> 00:29:14,409 Whoever has a web farm has never heard of 717 00:29:14,410 --> 00:29:15,410 it. 718 00:29:16,360 --> 00:29:18,489 You know, basic facts 719 00:29:18,490 --> 00:29:21,369 then ally in general, is 720 00:29:21,370 --> 00:29:23,169 prioritized over other features. 721 00:29:23,170 --> 00:29:25,479 So other features that break 722 00:29:25,480 --> 00:29:27,669 optimized ACL logging. 
723 00:29:27,670 --> 00:29:29,740 I imagine this guy at Cisco going like 724 00:29:30,850 --> 00:29:32,529 as if we have to optimize to see how 725 00:29:32,530 --> 00:29:34,629 logging and they see 726 00:29:34,630 --> 00:29:36,639 the interceptions going on because we 727 00:29:36,640 --> 00:29:38,980 built a scouts to 728 00:29:41,020 --> 00:29:43,269 there's other ACL matching. 729 00:29:43,270 --> 00:29:45,369 Whatever really like is the 730 00:29:45,370 --> 00:29:47,499 bug report makes a very 731 00:29:47,500 --> 00:29:50,049 honest statement intrusion detection 732 00:29:50,050 --> 00:29:52,329 systems, ideas not functioning 733 00:29:52,330 --> 00:29:53,330 properly, 734 00:29:54,490 --> 00:29:56,319 which is a general statement I'm fine 735 00:29:56,320 --> 00:29:58,719 with. But the funny thing is 736 00:29:58,720 --> 00:30:00,579 you're running a provider network. 737 00:30:00,580 --> 00:30:02,679 Someone gets monitoring your i.d.s 738 00:30:02,680 --> 00:30:05,169 only sees the monitored guy anymore. 739 00:30:06,280 --> 00:30:08,649 That's the only guy they see. 740 00:30:08,650 --> 00:30:11,019 So basically, all you need to do 741 00:30:11,020 --> 00:30:13,389 is call someone else far 742 00:30:13,390 --> 00:30:15,519 enough so they get intercepted and then 743 00:30:15,520 --> 00:30:17,739 you can do whatever you want. 744 00:30:17,740 --> 00:30:18,880 What the fuck? 745 00:30:21,010 --> 00:30:23,179 That there is there's other things, 746 00:30:23,180 --> 00:30:25,309 right? So here's the 747 00:30:25,310 --> 00:30:26,599 Cisco back. 748 00:30:26,600 --> 00:30:28,999 And if you actually buy additional 749 00:30:29,000 --> 00:30:31,189 hardware and put it, you look so 750 00:30:31,190 --> 00:30:32,190 cute with 751 00:30:33,260 --> 00:30:35,839 you and you put an additional line card 752 00:30:35,840 --> 00:30:38,209 in your access router 753 00:30:38,210 --> 00:30:39,679 just for zips. 
754 00:30:39,680 --> 00:30:41,569 The police can listen better to VoIP 755 00:30:41,570 --> 00:30:42,570 calls. 756 00:30:43,640 --> 00:30:46,669 And you know, the result is 757 00:30:46,670 --> 00:30:47,689 don't work anymore. 758 00:30:48,800 --> 00:30:51,199 And there's also, you know, 759 00:30:51,200 --> 00:30:53,569 this other back that a rally 760 00:30:53,570 --> 00:30:55,729 to basically the S&P 761 00:30:55,730 --> 00:30:57,499 communication doesn't work anymore. 762 00:30:58,790 --> 00:31:01,129 And the workaround I love 763 00:31:01,130 --> 00:31:02,569 you may be able to restart. 764 00:31:02,570 --> 00:31:04,519 Yes, S&P he managed to force the timer 765 00:31:04,520 --> 00:31:06,739 for S&P and be synchronized. 766 00:31:06,740 --> 00:31:08,899 Note, however, that doing so costs 767 00:31:08,900 --> 00:31:11,359 us a 100 percent 768 00:31:11,360 --> 00:31:14,059 outage for all wiretaps that are served 769 00:31:14,060 --> 00:31:15,319 to the S&P manager. 770 00:31:15,320 --> 00:31:17,689 If you cannot restart the S&P manager 771 00:31:17,690 --> 00:31:18,920 there, there's no workaround. 772 00:31:22,430 --> 00:31:23,630 This is verbatim quote. 773 00:31:25,670 --> 00:31:28,309 And now, if you have so much failed 774 00:31:28,310 --> 00:31:30,079 and you know, there's the tendency to 775 00:31:30,080 --> 00:31:32,769 look for, can I make more fail? 776 00:31:32,770 --> 00:31:35,069 So stateful switch over 777 00:31:35,070 --> 00:31:37,459 and nonstop forwarding our major 778 00:31:37,460 --> 00:31:40,249 selling points for a writer 779 00:31:40,250 --> 00:31:42,379 in this case, the naming of Cisco. 780 00:31:42,380 --> 00:31:45,259 But for Radovan in general, 781 00:31:45,260 --> 00:31:47,599 if you have a site that is somewhat 782 00:31:47,600 --> 00:31:49,489 interesting, you actually have more than 783 00:31:49,490 --> 00:31:51,689 one router and you have, you know, I'd 784 00:31:51,690 --> 00:31:53,239 stand by it. 
785 00:31:53,240 --> 00:31:55,399 The thing is, this 786 00:31:55,400 --> 00:31:57,709 doesn't support light. 787 00:31:57,710 --> 00:31:59,989 So if you have a switch over, 788 00:31:59,990 --> 00:32:01,579 all the taps are lost. 789 00:32:03,170 --> 00:32:05,479 Interestingly enough, if you 790 00:32:05,480 --> 00:32:07,639 also switch over, every 791 00:32:07,640 --> 00:32:09,799 router vendor in the world will tell you 792 00:32:09,800 --> 00:32:11,869 it's not a security issue as long 793 00:32:11,870 --> 00:32:13,430 as the other side took over. 794 00:32:15,760 --> 00:32:17,859 It's not a security issue, it's an ally 795 00:32:17,860 --> 00:32:19,599 issue, but that's not your problem. 796 00:32:21,550 --> 00:32:23,229 And the other thing that I've found is 797 00:32:23,230 --> 00:32:25,629 that the domain name for both the router 798 00:32:25,630 --> 00:32:28,269 and the mediation device. 799 00:32:28,270 --> 00:32:30,459 I hope nobody gets 800 00:32:30,460 --> 00:32:32,079 phone transfers from ISPs 801 00:32:33,520 --> 00:32:35,980 are actually registered with a DNS, 802 00:32:37,110 --> 00:32:39,189 and I defer to Dan Kaminsky to 803 00:32:39,190 --> 00:32:40,570 tell you what's wrong with that. 804 00:32:42,700 --> 00:32:44,829 Now, size doesn't 805 00:32:44,830 --> 00:32:45,830 matter 806 00:32:46,930 --> 00:32:48,819 if she told you otherwise. 807 00:32:48,820 --> 00:32:50,259 She lied. 808 00:32:50,260 --> 00:32:52,749 So Leah 809 00:32:52,750 --> 00:32:54,909 has the problem of like 810 00:32:54,910 --> 00:32:56,439 bi requirement. 811 00:32:57,460 --> 00:32:59,709 They want to have the same 812 00:32:59,710 --> 00:33:01,420 bandwidth as you have. 813 00:33:03,000 --> 00:33:05,429 And not everyone does interesting 814 00:33:05,430 --> 00:33:06,749 things from home. 
815 00:33:06,750 --> 00:33:08,939 You know, there's people that have big 816 00:33:08,940 --> 00:33:10,799 pipes at work right 817 00:33:12,420 --> 00:33:14,429 in and there's there's interesting 818 00:33:14,430 --> 00:33:16,589 stories about especially the 819 00:33:16,590 --> 00:33:19,349 German police intercepting 820 00:33:19,350 --> 00:33:21,559 where they're not saying like, give me 821 00:33:21,560 --> 00:33:23,669 there's traffic, but you say, 822 00:33:23,670 --> 00:33:25,769 we don't know what this guy does, give me 823 00:33:25,770 --> 00:33:26,879 everything. 824 00:33:26,880 --> 00:33:28,949 And then they call 10 minutes later and 825 00:33:28,950 --> 00:33:31,089 say, What if we only 826 00:33:31,090 --> 00:33:33,300 have a pension? One, turn this shit off. 827 00:33:43,800 --> 00:33:45,539 That's what I was trying to point out, 828 00:33:45,540 --> 00:33:48,059 what the center and I were, so 829 00:33:48,060 --> 00:33:49,060 also. 830 00:33:49,590 --> 00:33:52,169 Somehow the vendors 831 00:33:52,170 --> 00:33:53,170 managed to 832 00:33:54,720 --> 00:33:56,369 negotiate. 833 00:33:56,370 --> 00:33:59,099 That's what you have lobbyists for a 834 00:33:59,100 --> 00:34:01,529 top level load on the IRS 835 00:34:01,530 --> 00:34:03,419 because nobody wants to pay for the 836 00:34:03,420 --> 00:34:05,759 police watching you watching porn, right? 837 00:34:05,760 --> 00:34:08,519 So basically, 838 00:34:08,520 --> 00:34:10,888 here's some examples the 839 00:34:10,889 --> 00:34:13,019 you can only intercept two 840 00:34:13,020 --> 00:34:15,299 percent of the cards, given the fact 841 00:34:15,300 --> 00:34:18,209 that running a VoIP gateway 842 00:34:18,210 --> 00:34:20,519 is a relatively cheap thing 843 00:34:20,520 --> 00:34:23,039 to find some other eight 844 00:34:23,040 --> 00:34:25,138 people that generate interesting 845 00:34:25,139 --> 00:34:26,139 stuff. 
846 00:34:27,239 --> 00:34:30,178 And there's also bandwidth 847 00:34:30,179 --> 00:34:32,339 problems, so they really 848 00:34:32,340 --> 00:34:34,349 fucking hate you to mirror 849 00:34:35,639 --> 00:34:37,799 the world and then, you know, go 850 00:34:37,800 --> 00:34:38,800 partying 851 00:34:40,889 --> 00:34:43,379 and numbers do matter. 852 00:34:43,380 --> 00:34:45,479 There's other interception mechanisms 853 00:34:45,480 --> 00:34:47,549 that are not Cisco that 854 00:34:47,550 --> 00:34:48,599 use flow tracking. 855 00:34:48,600 --> 00:34:51,509 Now, flow tracking is random sampling. 856 00:34:51,510 --> 00:34:53,819 If you download another 857 00:34:53,820 --> 00:34:54,820 documentation 858 00:34:55,949 --> 00:34:57,809 records of the talks here, 859 00:34:58,830 --> 00:35:01,439 this one little email is 860 00:35:01,440 --> 00:35:04,019 very unlikely to be caught. 861 00:35:04,020 --> 00:35:05,999 And then there's the compromised observer 862 00:35:06,000 --> 00:35:08,069 problem, because basically now you 863 00:35:08,070 --> 00:35:10,319 have two IP stacks that need 864 00:35:10,320 --> 00:35:12,719 to understand what you are talking. 865 00:35:12,720 --> 00:35:14,669 And that's why it doesn't work. 866 00:35:14,670 --> 00:35:17,459 This is why IP doesn't work 867 00:35:17,460 --> 00:35:19,379 derriere, because now you have a 868 00:35:19,380 --> 00:35:21,629 combination of two 869 00:35:21,630 --> 00:35:23,699 recipients, so there's many different 870 00:35:23,700 --> 00:35:25,559 ways to fuck this up. 871 00:35:25,560 --> 00:35:27,509 Basically, it's like with an antivirus 872 00:35:27,510 --> 00:35:29,849 solution. The antivirus solution can't 873 00:35:29,850 --> 00:35:32,849 unpack the zip file your 874 00:35:32,850 --> 00:35:35,159 windows zip tool can wear 875 00:35:35,160 --> 00:35:36,719 unzip on Linux can. 
876 00:35:37,920 --> 00:35:40,199 So the antivirus solution has no fucking 877 00:35:40,200 --> 00:35:42,249 idea what you're looking at and you get 878 00:35:42,250 --> 00:35:43,250 infected. 879 00:35:43,950 --> 00:35:45,869 This is all lang sick. 880 00:35:45,870 --> 00:35:48,569 If you haven't understood that, 881 00:35:48,570 --> 00:35:49,570 keep getting out, 882 00:35:52,670 --> 00:35:55,010 but it's the wrong direction. 883 00:35:56,340 --> 00:35:57,340 Fat fingers. 884 00:35:58,350 --> 00:36:00,149 So what I said about the code in the 885 00:36:00,150 --> 00:36:01,499 critical path. 886 00:36:01,500 --> 00:36:03,599 Basically, what it means is 887 00:36:03,600 --> 00:36:05,759 the the people at the router vendors 888 00:36:05,760 --> 00:36:08,099 tried to get out of the code 889 00:36:08,100 --> 00:36:10,289 for Ally as fast as possible because 890 00:36:10,290 --> 00:36:11,459 they are not liable. 891 00:36:11,460 --> 00:36:14,129 Neither the ISP nor the router vendor 892 00:36:14,130 --> 00:36:16,289 is liable for not 893 00:36:16,290 --> 00:36:18,359 intercepted packets when they're 894 00:36:18,360 --> 00:36:19,769 not well defined. 895 00:36:19,770 --> 00:36:22,229 So this, for example, looks for 896 00:36:22,230 --> 00:36:24,539 how IPv4 cool mean IPV six 897 00:36:24,540 --> 00:36:25,799 go. Let's go 898 00:36:26,880 --> 00:36:29,339 now. IPV five is what I call 899 00:36:29,340 --> 00:36:30,570 a laser packet 900 00:36:32,520 --> 00:36:33,630 because lasers 901 00:36:36,900 --> 00:36:39,959 lasers don't pass through prisms. 902 00:36:39,960 --> 00:36:41,429 Take a prison. Take a laser. 903 00:36:41,430 --> 00:36:42,430 Try it. 904 00:36:53,050 --> 00:36:54,639 I'm boring for comedy, I'm sorry. 
905 00:36:55,900 --> 00:36:58,119 So basically what I try, 906 00:36:58,120 --> 00:37:00,549 it was take a regular IPv4 packet 907 00:37:00,550 --> 00:37:02,649 or packet stream and just 908 00:37:02,650 --> 00:37:04,779 like replace diversion to 909 00:37:04,780 --> 00:37:05,739 number five. 910 00:37:05,740 --> 00:37:07,719 What's funny is there is a number of 911 00:37:07,720 --> 00:37:09,879 routers that are to forward that, and 912 00:37:09,880 --> 00:37:11,919 there is a number of recipients that 913 00:37:11,920 --> 00:37:13,749 actually enter. 914 00:37:13,750 --> 00:37:15,879 That doesn't make sense unless you 915 00:37:15,880 --> 00:37:18,069 look at the entire ozone 916 00:37:18,070 --> 00:37:20,439 layer stack because 917 00:37:20,440 --> 00:37:23,379 on on the data link layer on layer two, 918 00:37:23,380 --> 00:37:25,659 there's a number of protocols 919 00:37:25,660 --> 00:37:28,809 that hint on what is the transported 920 00:37:28,810 --> 00:37:30,039 protocol, right? 921 00:37:30,040 --> 00:37:32,320 So the example for Ethernet 922 00:37:33,400 --> 00:37:36,219 IPv4, we all know 923 00:37:36,220 --> 00:37:37,149 IPv6. 924 00:37:37,150 --> 00:37:39,819 I actually learned from a professor that 925 00:37:39,820 --> 00:37:42,069 why is IPv6 better at transporting 926 00:37:42,070 --> 00:37:44,139 porn? Because it's 86 927 00:37:44,140 --> 00:37:45,140 double-D? 928 00:37:49,660 --> 00:37:50,830 That's not my thing. 929 00:37:54,330 --> 00:37:56,579 His response was, how else do you make 930 00:37:56,580 --> 00:37:58,320 the students remember? 931 00:38:00,810 --> 00:38:03,149 So basically, they take 932 00:38:03,150 --> 00:38:05,189 the hint from the layer two protocol and 933 00:38:05,190 --> 00:38:07,889 ignore half of the IP header 934 00:38:07,890 --> 00:38:09,689 just to get rid of the packet faster 935 00:38:09,690 --> 00:38:12,269 because they're built to 936 00:38:12,270 --> 00:38:13,679 get out, get rid of the up. 
937 00:38:15,570 --> 00:38:18,179 How do you get around interception? 938 00:38:18,180 --> 00:38:20,849 Now one of the things is 939 00:38:20,850 --> 00:38:23,009 what you just saw here, but I'm 940 00:38:23,010 --> 00:38:25,319 skipping this for time 941 00:38:25,320 --> 00:38:27,090 reasons. People had us killed to me 942 00:38:29,010 --> 00:38:30,449 to punt a packet. 943 00:38:30,450 --> 00:38:32,819 This is what this thing here shows 944 00:38:32,820 --> 00:38:35,129 like we can't figure out, and 945 00:38:35,130 --> 00:38:37,529 we punt to punt a packet 946 00:38:37,530 --> 00:38:39,869 means you're handing like we're talking 947 00:38:39,870 --> 00:38:42,269 about rather just size and you're handing 948 00:38:42,270 --> 00:38:44,010 the packet all the way up 949 00:38:46,170 --> 00:38:47,399 to the main CPU. 950 00:38:47,400 --> 00:38:49,589 Now, the main CPU is 951 00:38:49,590 --> 00:38:51,689 actually not dared to forward 952 00:38:51,690 --> 00:38:52,690 packets. 953 00:38:53,880 --> 00:38:55,739 It's basically like when you have a 954 00:38:55,740 --> 00:38:56,969 company with a couple of hundred 955 00:38:56,970 --> 00:38:59,189 employees and everyone escalates every 956 00:38:59,190 --> 00:39:01,349 problem to the CEO at some 957 00:39:01,350 --> 00:39:03,929 point a CEO, reboots 958 00:39:03,930 --> 00:39:04,930 or. 959 00:39:07,340 --> 00:39:10,009 Where, you know, gets gets 960 00:39:10,010 --> 00:39:12,170 handed off to medical people. 961 00:39:13,610 --> 00:39:16,159 This happens with Ciscos as well. 962 00:39:16,160 --> 00:39:18,079 So it did. 963 00:39:18,080 --> 00:39:20,299 The interception targeted can basically 964 00:39:20,300 --> 00:39:22,369 just produce perfectly legal 965 00:39:22,370 --> 00:39:24,649 packets and sent 966 00:39:24,650 --> 00:39:27,319 to whoever it was. 967 00:39:27,320 --> 00:39:29,239 I'm not a lawyer, but this should 968 00:39:29,240 --> 00:39:30,829 actually even be legal in Germany. 
969 00:39:32,030 --> 00:39:34,609 This pushes the CPU to 100 percent load 970 00:39:34,610 --> 00:39:35,869 like Java. 971 00:39:35,870 --> 00:39:36,870 And 972 00:39:38,000 --> 00:39:40,249 there's in contrast to your PC 973 00:39:40,250 --> 00:39:41,179 or Mac. 974 00:39:41,180 --> 00:39:43,279 Does watchdog process on Cisco that 975 00:39:43,280 --> 00:39:45,349 killed the machine and reboots 976 00:39:45,350 --> 00:39:47,489 it when the CPU is hanging on 100 percent 977 00:39:47,490 --> 00:39:48,529 a? 978 00:39:48,530 --> 00:39:50,239 Now consider the following 979 00:39:51,710 --> 00:39:53,269 You have a communication partner. 980 00:39:53,270 --> 00:39:54,270 Let's say 981 00:39:55,790 --> 00:39:58,579 he's he's an embassy 982 00:39:58,580 --> 00:40:00,769 in London and 983 00:40:00,770 --> 00:40:02,899 you want to have a secure communication 984 00:40:02,900 --> 00:40:05,029 with him, so you trace route to 985 00:40:05,030 --> 00:40:06,030 his IP address. 986 00:40:07,250 --> 00:40:09,379 Then you send like 10000 987 00:40:09,380 --> 00:40:10,939 packets, which is not a lot, 988 00:40:12,170 --> 00:40:14,779 and then you trace route again. 989 00:40:14,780 --> 00:40:17,809 If the trace rule changes 990 00:40:17,810 --> 00:40:19,879 usually to first 991 00:40:19,880 --> 00:40:22,099 to third or fourth hop, there's 992 00:40:22,100 --> 00:40:24,469 an access router on ISP 993 00:40:24,470 --> 00:40:26,179 just rebooting. 994 00:40:26,180 --> 00:40:28,039 The thing is, you don't have to be fast 995 00:40:28,040 --> 00:40:29,959 because they actually take about 20 996 00:40:29,960 --> 00:40:30,960 minutes to reboot. 997 00:40:41,100 --> 00:40:43,469 Now, if you if you 998 00:40:43,470 --> 00:40:45,359 come up with the idea, well, let's take 999 00:40:45,360 --> 00:40:48,479 over the lawful intercept device. 1000 00:40:48,480 --> 00:40:50,489 That's a really bad idea. 
1001 00:40:50,490 --> 00:40:52,709 Also like Windows 2000, where 1002 00:40:52,710 --> 00:40:55,799 Santa Larry's is a prop. 1003 00:40:55,800 --> 00:40:58,299 Here's all the holiday itself for that. 1004 00:40:58,300 --> 00:41:00,419 That's not a good idea 1005 00:41:00,420 --> 00:41:02,579 to know because there's people 1006 00:41:02,580 --> 00:41:05,219 that are called compliance people 1007 00:41:05,220 --> 00:41:06,659 in almost it. 1008 00:41:08,530 --> 00:41:10,859 And you know, they hate you because 1009 00:41:10,860 --> 00:41:13,109 their job is to watch the compliance 1010 00:41:13,110 --> 00:41:14,999 of this device and root shells on that 1011 00:41:15,000 --> 00:41:17,909 device are not good if you plan 1012 00:41:17,910 --> 00:41:20,369 to attack the basically 1013 00:41:20,370 --> 00:41:21,370 police. 1014 00:41:22,350 --> 00:41:24,510 I could just like forget 1015 00:41:25,740 --> 00:41:28,169 taking over the 1016 00:41:28,170 --> 00:41:30,989 interception point 1017 00:41:30,990 --> 00:41:32,699 being the router. 1018 00:41:32,700 --> 00:41:35,129 Well, there's this back from 2008, 1019 00:41:35,130 --> 00:41:38,339 and writers are not commonly updated, 1020 00:41:38,340 --> 00:41:40,559 which you know, takes as an MPV 1021 00:41:40,560 --> 00:41:42,749 three years to make coming in. 1022 00:41:44,160 --> 00:41:45,160 I love you, thank you. 1023 00:41:46,290 --> 00:41:47,609 Here's to Matt coming in. 1024 00:41:47,610 --> 00:41:50,379 Here's the make that we have stored. 1025 00:41:50,380 --> 00:41:52,259 We're allowed by our seed to compare 1026 00:41:52,260 --> 00:41:53,849 subset. 1027 00:41:53,850 --> 00:41:54,850 Nice. 1028 00:41:56,130 --> 00:41:58,199 If the packet says the length 1029 00:41:58,200 --> 00:42:00,419 is one, then the attacker only 1030 00:42:00,420 --> 00:42:02,909 sends 256 packets 1031 00:42:02,910 --> 00:42:05,459 and is certainly authenticated. 
1032 00:42:05,460 --> 00:42:08,159 And interestingly enough, 1033 00:42:08,160 --> 00:42:10,229 Tom Cross found out that of all 1034 00:42:10,230 --> 00:42:12,299 Cisco Images, everything 1035 00:42:12,300 --> 00:42:14,489 was vulnerable, except for 1036 00:42:14,490 --> 00:42:16,529 most of the ones that had ally 1037 00:42:16,530 --> 00:42:18,809 functionality, which is interesting 1038 00:42:18,810 --> 00:42:19,810 by itself, 1039 00:42:20,940 --> 00:42:23,219 but also as an MPV suite gives very 1040 00:42:23,220 --> 00:42:25,709 detailed feedback on the authentication 1041 00:42:25,710 --> 00:42:27,959 failure. So how you use the name, not 1042 00:42:27,960 --> 00:42:30,839 known password, not known, 1043 00:42:30,840 --> 00:42:33,179 you're coming from the wrong address. 1044 00:42:33,180 --> 00:42:34,180 Blah blah blah. 1045 00:42:35,970 --> 00:42:37,769 When we talk about the NCAA, let's 1046 00:42:37,770 --> 00:42:40,109 remember that we are talking about UDP, 1047 00:42:40,110 --> 00:42:42,419 so the best practice, 1048 00:42:42,420 --> 00:42:44,069 best common practice document for 1049 00:42:44,070 --> 00:42:46,409 providers say prevent spoofing 1050 00:42:46,410 --> 00:42:49,559 from everywhere outside your network, 1051 00:42:49,560 --> 00:42:51,749 your entire network, your 1052 00:42:51,750 --> 00:42:52,750 their customer. 1053 00:42:53,820 --> 00:42:56,039 And apparently people have 1054 00:42:56,040 --> 00:42:58,199 covered attacking Cisco as before. 1055 00:42:58,200 --> 00:42:59,279 I don't know. 1056 00:42:59,280 --> 00:43:00,280 Anyway, so 1057 00:43:01,680 --> 00:43:02,699 what does that mean? 1058 00:43:02,700 --> 00:43:04,559 Terrorists win? 1059 00:43:04,560 --> 00:43:06,570 So the German term is 1060 00:43:07,980 --> 00:43:09,349 allegedly going to excitable. 
1061 00:43:12,960 --> 00:43:15,449 So you're basically just waiting 1062 00:43:17,280 --> 00:43:19,349 for everyone else to put more 1063 00:43:19,350 --> 00:43:21,029 interception code in. 1064 00:43:21,030 --> 00:43:23,159 But in fact, wait, I don't 1065 00:43:23,160 --> 00:43:25,199 think anyone in this room is a terrorist, 1066 00:43:25,200 --> 00:43:27,329 unless they're paid 1067 00:43:27,330 --> 00:43:28,330 for it. 1068 00:43:29,280 --> 00:43:31,769 So this is what we're actually looking 1069 00:43:31,770 --> 00:43:32,770 at. 1070 00:43:34,860 --> 00:43:37,079 Nobody would, like, 1071 00:43:37,080 --> 00:43:39,149 no terrorist organization would 1072 00:43:39,150 --> 00:43:40,199 hire a hacker. 1073 00:43:40,200 --> 00:43:42,659 First of all, you know, they smell funny. 1074 00:43:42,660 --> 00:43:44,459 And second of all, they actually think 1075 00:43:44,460 --> 00:43:46,439 about the mission they're sent on. 1076 00:43:47,940 --> 00:43:50,969 But you can make them do things, and 1077 00:43:50,970 --> 00:43:52,439 that's the big risk in this. 1078 00:43:54,480 --> 00:43:56,429 So, conclusions. 1079 00:43:56,430 --> 00:43:58,649 First of all, routers 1080 00:43:58,650 --> 00:44:00,929 shall not parse packet 1081 00:44:00,930 --> 00:44:01,930 payloads. 1082 00:44:03,810 --> 00:44:06,749 Please do me a favor, like, anyone 1083 00:44:06,750 --> 00:44:08,609 read the fucking manual this time. 1084 00:44:08,610 --> 00:44:10,679 Start with the ISO 1085 00:44:10,680 --> 00:44:11,680 model. 1086 00:44:12,240 --> 00:44:14,429 You're not allowed to parse anything 1087 00:44:14,430 --> 00:44:16,679 except for 1088 00:44:16,680 --> 00:44:18,479 the IPv4 destination address. 1089 00:44:19,560 --> 00:44:21,149 Once you're done with that, 1090 00:44:21,150 --> 00:44:22,139 call me back. 1091 00:44:22,140 --> 00:44:23,760 I'll tell you what to do with IPv6.
1092 00:44:26,010 --> 00:44:28,079 Evading lawful interception 1093 00:44:28,080 --> 00:44:30,419 seems to be about as challenging as 1094 00:44:30,420 --> 00:44:31,620 evading antivirus. 1095 00:44:32,760 --> 00:44:35,759 In 2008, we had the Race to Zero. 1096 00:44:35,760 --> 00:44:37,919 How long does it take 1097 00:44:37,920 --> 00:44:40,649 for a well-known virus to evade 1098 00:44:40,650 --> 00:44:41,819 antivirus engines? 1099 00:44:41,820 --> 00:44:43,949 Every single known one? 1100 00:44:45,180 --> 00:44:47,489 That was a question of minutes. 1101 00:44:47,490 --> 00:44:49,629 I'm, like, tempted to do that for a 1102 00:44:49,630 --> 00:44:51,749 DEF CON, but 1103 00:44:51,750 --> 00:44:54,299 the real point here being: weakening our 1104 00:44:54,300 --> 00:44:56,130 critical infrastructure for everyone, 1105 00:44:57,480 --> 00:44:59,609 just because some lobbyist 1106 00:44:59,610 --> 00:45:02,099 told some company this is a good idea. 1107 00:45:02,100 --> 00:45:04,379 And yet you will see when 1108 00:45:04,380 --> 00:45:05,789 this guy downloads the app. 1109 00:45:05,790 --> 00:45:08,609 Three A 1110 00:45:08,610 --> 00:45:10,769 disproportionate measure. 1111 00:45:10,770 --> 00:45:12,719 We don't do that for any other 1112 00:45:14,100 --> 00:45:16,249 criminal case, even 1113 00:45:16,250 --> 00:45:17,159 the bigger ones. 1114 00:45:17,160 --> 00:45:19,020 Why would the internet be different? 1115 00:45:20,550 --> 00:45:22,799 So basically, to sum up, like, 1116 00:45:22,800 --> 00:45:24,960 how this is built? 1117 00:45:37,620 --> 00:45:39,989 And if you want 1118 00:45:39,990 --> 00:45:42,269 to thank the person that, like, 1119 00:45:42,270 --> 00:45:44,369 gave this as a sticker to me, go 1120 00:45:44,370 --> 00:45:46,380 to the info desk when Momo is there. 1121 00:45:48,510 --> 00:45:50,939 Yeah. I couldn't describe it better. 1122 00:45:50,940 --> 00:45:53,280 My recommendation, actually.
1123 00:45:56,070 --> 00:45:58,499 How about we just fucking stop 1124 00:45:58,500 --> 00:46:00,390 and start fucking 1125 00:46:03,410 --> 00:46:04,589 and without? 1126 00:46:04,590 --> 00:46:06,269 Thanks for giving me the extra time.