
Good morning. I was told to start. I am here for the first time, to be more precise. My name is Darek Jakubowski from Security. I don't have much to do, it's basically a hobby. So I didn't want to do anything serious, nothing technical, because I'm sure everyone here has more knowledge than me. I came up with the idea to do a slightly more relaxed presentation. From smiling, drawing some conclusions from it, because you can seriously talk about anything. The presentation was supposed to be called "Find the system" but it didn't work out. I forgot what my presentation was called, we'll check it out in a moment. Okay, if I have to say something, I was
really destroyed yesterday, I have a huge hangover, so I'm not sure if I'm going to do it right. That's it, except that the security came out a bit... because I see that the security is mainly computer-based, right? Basically some Internet stuff, and I wanted to do something a bit different. And there was some misunderstanding. Safety is the safety of heavy agricultural machines. Heavy agricultural machines are dangerous and especially dangerous is the oral tractor. I thought it was stronger, sorry. But okay, now seriously. I wanted to talk about culture. Basically about culture. Each of us has always been taught that hacking, that any security is divided into the black hat and white hat. You know what, give me a moment,
because I have a technical problem. No, no, no, that's not what it's about. Give me a second, because I don't have my notes. Is Angelika on? She's out. No, no, I want to turn off cloning. Oh, here it is. No, it's not there. And the navigator. There are presenter notes. Jesus, I forgot that I don't have notes. So we have this typical division. Black Hat, White Hat, Black Characters, whatever you want to call it. But the fact is that American scientists have recently proven that I have invented the third division. Troll Hat. That's how I called it. Because there is... There is a category which is impossible to qualify in one or another way. And
it's also impossible to say that it's derived from one or the other. I even think, and I'd like to show it, that Troll Hat is a kind of a base for any kind of hacking. The first such breaks were always made for fun. Let's show it further. Some kind of visualization of a Troll Hat hacker. And I think this topic is quite important. I don't mean such trolls in the style of children on the highway, because we called them trolls, but I mean the American school of trolling, not Amanda98. Such satirical miracles. I mean... Sorry. We know that even anonymous people, even those who took it seriously, they also get out of these jokes. It seems to me that this
is the driving force behind the first hackers, even the majority of them. At the beginning, I don't know if anyone remembers Max Headroom, hands up, does anyone remember this incident? Quite a few. I think it's my favourite term. The group of teenagers probably took over radio and television signal in 1981, a big American station, and they let out basically nothing from the garage. There was no message, as we have now, of anonymous recordings. No message, no purpose. Just to laugh, to show that they are on TV, to show their bare asses. They did it authentically. We have no idea how it has been going for 30 years. It is worth noting that the damage was basically gone, because the attack lasted about 4 minutes. They didn't do anything wrong,
they had no purpose, they didn't do anything wrong to anyone, they just made a certain institution laugh, in this case television. They were only guided by that. And it is impossible to qualify it, neither White Hat nor Black Hat, because they didn't want to gain any benefit, they didn't want to do anything good, they just wanted to show a naked ass to millions of people. They succeeded. Bill Gates, here in a very handsome edition. Everyone probably knows this anecdote. Bill Gates, being at school, at the very beginning of school, as a volunteer, wrote an algorithm, basically a mini-program to divide students into groups. He wrote it in such a way that he was always in
a group and sat next to a pretty girl. It is not a hacking phenomenon, but it is an action that was supposed to not cause harm, but to make the institution laugh. And I think that such a desire to drown cannot be seen as white or black hat. That's it. Ok. So, these were the beginnings, so you know what I'm going to do and how it looks like in my head. And now, I'm using, you can even say professionally, a lot of political parties, organisations that rent their trolls, who walk around the forums and do such things. And contrary to appearances, it is also related to our security. I will talk about it at the end.
I don't think that I have already said it, because I haven't said it yet, I will do it later. Yes? Is someone talking to me? OK, sorry. So, what is this trolling used for? It is usually about political views. You can see it especially after the excavations, about Korwin-Mikke, about several other such typical politicians. Usually, these are supposed to be funny actions, i.e. as I said, not to do any harm. First of all, you can be exposed to a lot of discomfort. In the sense of the court, such things, if the damage is done, the police always takes it. So it should be a funny action to avoid moderate damage and be relatively safe
after that, using mechanisms created by victims. This is the best. This trolling always tastes best cold and if it was done legally, according to the rules that the attacker provides us, so let's assume some rules of the competition. The rules of competitions, regulations, agreements, they are looking for tricks and they use these tricks to say: "You asked for it yourself". Such a provocation. The less complicated the technique, the better, because it influences the virality. So if we make some complicated attack, it usually stays in the technical branch and is funny for a while, but the best for people are simple attacks. Such that use these mechanisms in a very banal way. I'll show it in a moment. And such attacks
are usually made on people who don't like each other, on institutions that don't like each other, i.e. ZUS, some clowns, caritas, no one has ever attacked in this way, because there is simply no pleasure from it. I wanted to tell you about the situation of Lavabit. You don't read anything, it was supposed to be like that. You remember Lavabit, the email service that Snowden used for some time. This was a typical trolling for the sake of a demonstration, to mock the NSA. In mid-2013, we remember that Lavabit was closed. But not everyone remembers and learned how it happened. When the NSA learned that Snowden was using services in Lavabit, at first, it asked for the availability of private keys of the SSL. So that
they could listen to the whole NoD transmission. Of course, Lavabit did not agree to this. But NSA received a court order. That is, a court order that Lavabit must provide these keys. And what can Lavabit do at this moment? They printed the public keys in the 4th letter, on 11 pages of A4. And you can rewrite it. It was even unreadable, because the printout looked like this. There is no chance at all. But, I'm listening. Sorry, I keep hearing something. Public printouts. I mean, yes, private. Private keys were made available to NSA in this form. 11 pages of printout in the 4th letter. Unfortunately, it ended up in such a way that NSA was given another order to make these keys available in a readable form. So they
had to specify it. Lavabit at that moment had nothing to do with it, so they filled in a sudoku and closed the service. I had somewhere else... Okay. So I think this is my favorite action with this trolling and I think if you could measure this trolling in some mechanical tools, they would be in trouble. I would also like to mention the church of Kopimi. You probably know the Pirate Bay, which was very often used for dissemination of these files. They have authentically registered their church. The virtual church of Kopimi is called, which is basically free to disseminate, to simply pirate. And in many countries where they are present, it is respected. Every member of the Kopimi church cannot be accused of piracy.
OK. To sum up the first attack, because you can't call it an attack, there are no damages, so there is no attack, the situation sounds a bit sad, I call it an attack. Lavabit has greatly improved their image, although at the beginning they did not expect that they would have to close this service, but it has greatly improved their image in this situation when Snowden was not popular, no one really liked NSA, they got a lot of customers. In the end, Snowden's data was protected, because they didn't give us the keys, they didn't steal any of the data, they just deleted everything and there's no service. Once again, NSA managed to make us laugh, and this...
It seems that Gbitch was the first to ban the use of source code in programming technology and people from abroad scanned it. Using the freedom of speech. I haven't heard about it. Some time ago on SysOps, there was a Facebook group, I'll give you some examples, because it's very hard to find any source on this topic. We were on NSA. The damages were not actually incurred, maybe except that Lavabit closed the service, but they were attacking, so there were no damages on the side of the attacker, so NSA. And because this attack was so simple, as I said, the simpler the attack, the better, because it is very memorable. You can smile at it and admire them, not because they had a lot of skills. They had creativity, which
is appreciated the most. This is a nice story. I learned about it when I was looking for materials. It is not in any sense a computer-informatics attack, but it is. There was a situation in London, an advertising agency called Mother Advertising, very creative, famous for this, through a strange coincidence employed a sister of a rich Nigerian priest, who was supposed to show his skills in a qualification conversation. Basically, the only thing that such a priest could do was to write an email. A surprise, a consternation, what's the deal with this email? But they came up with a good idea and sent this email to hundreds of their potential clients, even thousands. Typical scam, typical Nigerian scam, the space was visible in blood. But interestingly,
it was not a spam at all. Really, the person who sent their data received $10,000. So advertising goals, you can also use it. No notes. OK. To sum up. They made a big viral. It was very popular in both industry newspapers and non-industry. To this day it is one of the most popular advertising campaigns. It cost much less than buying banners and even marketing messages. It was nothing more than 10 coins. They made a lot of money. And the person who received the prize gave it to the charity. It was a win-win. It is worth considering, because I know that you all deal with security, but many of you run your own security companies. Planning
your next marketing movements, it is worth thinking about doing it in an unconventional way. History proves that it works, that it is very cool. Another one is "Attack" from our yard. I don't know if anyone remembers it, it was very loud. Someone went around the page-ranking mechanisms, positioning a lot of politicians. Wojciech W., I don't remember who it was, but I told you. Giertych was a moron. Kazimierz M. an idiot. Just a lot of it. Andrzej Leper-Wieśniak. They did great. Our own backyard. I managed to find it while searching for it. I don't know how they did it, because it's new. The previous mechanism was secured. I have no idea how they did it. But
I admire that they did it. And to sum up this situation. There are also no damages. You have to see that there are no damages. Apart from this mockery. But politics doesn't hurt. It was one of the first incidents like this in Poland, in our backyard. So we had a good time, right? Polish people can be proud of themselves. Next. Polish people found potentially dangerous tax in Google. It's funny, right? Giertych is a moron, but the fact is that it was potentially dangerous, because it could have been used in a much worse way. It was possible to change the bank's website and so on. So it's good that it was found and fixed, while making
fun of someone. And yes, it was very popular, mainly in Poland, but it helped in a way that it made the image more visible. Hackers were not so bad anymore, wearing glasses, wearing coats and shooting at each other. They were quite cool guys who mixed politics a bit. And now, we saw these attacks, and I said right away that it is not completely computerized, not completely digital. Do we have to worry about it? Does it concern us? Is it important to us? And it definitely is. It is because everyone has a vision. If someone can't get into a company, can't do anything to harm us, they may want to make fun of us. If someone didn't do it, it
doesn't mean that it may not happen in the future. And we should protect ourselves from it. The thing is that you can't protect yourself from such an attack. As IT experts, as security, we can somehow mitigate the consequences of such an attack, but if our accounts on Twitter are already taken over to make fun of something, as you can see here. A certain hacker, it was also not intended, took over the ISIS account. This is a quite new situation. He took over, he was following terrorist accounts and decorated them nicely, because they were always black and white, sad. And here he decorated it nicely. And now, yes, there were a lot of such accounts. Basically, all that were somehow given were taken over, all so
important. Funny, easy, no one cares. Now imagine yourselves in their skin. We also have beards, they like goats, we have butts, sometimes we smell weird, so these things are common, you can imagine us in their skin. What could we do at this point? As security, we are not able to protect ourselves from it. How? Marketing in our company is always exposed, which we theoretically have to help somehow, because there is no chance to get such an account from marketing. These attacks do not have warning signs. They just come from nowhere and the effects are already there. We are not able to reverse this. How to defend ourselves? Basically, don't provoke. If they want to make
us laugh, they will. One thing we can do, as I said, Caritas, charity foundations, are not attacked, because nobody feels any need for it. We have to lead our companies, our interests, even write in forums in such a way as not to provoke anyone to such an attack, because we will be laughed at. And in fact, the damage is long-term, because customers don't want to talk to us, because they remember us from some strange situation. And that's all from my presentation. I've found a few more examples. Now you can ask any questions, or ask anything. As I said, I have nothing to say. You know more about me. I just wanted to provoke a discussion.
Is it important? Is it worth it? Maybe you have some ideas how to defend yourself against it. So feel free to see what photo you want to add. I really liked this situation. I'm sure everyone remembers this. I don't know if you can see this picture from the bottom. I positioned it wrong. I love it. I found these pictures somewhere. They do the registration in such a way that a policeman who wants to write us off, I wish him good luck. You were talking about XKCD. Yes, about the student, Bobby Tables, exactly. I haven't seen that. I don't watch XKCD, it's too loud, it makes some noise. Yes, you shouldn't put it on the screen. Yes, I think I've seen that. Great thing about the hacker
group, it's a typical hacker group. They are really terrible trolls. I don't know if you know WEV. Very well known online troll. Not even a hacker, he has a good idea but he is into trolling. He tried to register his group as an official organization in the country. He would have some profits from it. And in many countries he succeeded. So they made a black homosexuals association. You could actually look for OGN yourselves, because they have a lot of really cool stuff. I would make a completely separate presentation, but not for now, and I think they won't let me in after this. I couldn't find a screenshot of the situation in which... I understand that there are
no questions, right? Nobody wants to answer anything? The guy thought it over nicely. When I introduced Factor Authentication here, he also managed to use this mechanism when Facebook, Twitter, all these serious portals introduced Factor Authentication here, i.e. tokens via SMS. Skuban has registered a premium number. Premium number, so we send SMS and it's paid. He shared it on those websites and I managed to earn a few hundred dollars on it. So he just clicked, "remember the password", or "send token" and it was sent to him via SMS and Facebook paid him for it. Ok. This is bad, I was thinking about a completely different situation, funny, when a certain player on Xbox Live set as
his nickname "Xbox Shutdown". It was about... In One, when you say "Xbox", you get commands. It has Siri, an assistant. So when the player trolled people in games, they would hit him and turn on the Xbox. So many people managed to get into it. And this is a new ford, in the style of iPhones, waterproof iPhones, etc. So to turn on the backward compatibility. Also in some sense trolling, also in some sense IT. I thought it would work. OK, go ahead, go ahead. Exactly, Apple Wave. Great action, there was a lot of it, because there was water resistance, there was iBend, so those new 6's, which were in some way exposed, in some building points they were exposed to bending. So 4chan made such a cool graphic -
iPhone Bend, so they are elastic and we can try to bend them. Yes, yes, yes, a drill. You know what, about this training, 4chan fans really don't like Apple fans. I have somewhere... I'm going to drink, because I can actually snore. Give me a second. So, about trolling Apple. Because it's not shown on Android. iPhone users like it very much and it could be a great presentation, but I also see that it's not very much in the convention of this meeting. I don't know if anyone remembers the live debate of Macierewicz. A live debate by Skype. For a moment, his nickname was just thrown at Skype and people started to call him. Putin even called him, so that they didn't finally get along. OK.
It's like "Mom, let go of these faggots". Yes, but nobody was trolled, so I didn't even remember it. I wanted to make a cool screen, but I failed, because as I said, NetMeat disappeared at some point. Someone made a page on English Wikipedia about Ryszard Kalisz. And he did it in such a way that, well, basically no one knew him, the moderators didn't know who wrote it, and Kalisz was a famous Polish pedophile, he was sitting there for some harassment, so they really put a lot of pressure on him, and this page was hanging on Wikipedia for quite a long time before anyone even realized that there was something there. And I have more... I think I should show you the trash can. No, okay, this is...
Yes, and my slide, I put some unnecessary slides in there. This is the end of my presentation. I wasted half an hour of your time. And I'm a little happy about it. So, if anyone has any questions, I think we can finish, because I really don't have anything to add, we can discuss whether you have any reflections on this topic, whether it is worth dealing with this topic, whether there are any ways to protect yourself, besides not to provoke, because it is a weak protection, I think, but I didn't get into anything better. Any questions? Are you angry that I wasted half an hour? I think you have only good reactions, I have to repeat,
because people don't hear, that's the rule. A colleague said: that I cannot necessarily include it in prevention and that I have to make a guide, some kind of a plan of action. The problem is that if these rules of action will exist, then this is what this training is all about, so then it will be missed. So it won't work. It's like running into a cat and mouse. These adjustments also come out after the time when the victims are already there. There, my friend. One of the methods of protection is to accept the answer from the Convention. But you see what type of institution was attacked. ISIS can do something. Well, okay, ISIS could do something. Ok. But going further, Macierewicz
could also try. Indeed, Oduwet is an idea and it could even make it work. Yes, I thought that cooperation in trolling could even be beneficial. When someone trolls us and we troll him, we always get his effort for our advantage. So it can definitely play a very nice marketing role. Anything else? I have a question. How many passes could you get? How many databases have I managed to find? I once made a situation, a Polish Bobby Tables, my company is called x/droptableusers/select1, and I received information that two crawling databases have been found, but I managed to break the CDG for a few hours. They had some sanitization. If I had the Internet, I would show it to you. I could
do it like a screenshot. I was at a conference... Yes. From what I've noticed, the best protection against hackers is to simply write and they won't even bother you. But you know what? I often say that protecting against hackers is giving them access, because... I'll write the password. The truth is that in most cases, when we break in, we try to prove that we can break in. When we have access there, we don't want to. Why? Access is already there. I think so. I've never approached it that way, but... The password didn't work. It's "p" "m" and "k" from the bigger one. I'm one-dimensional. I don't know if it worked. Tell me it worked. No, no, it's okay. But really, is it worth
showing it? It was on the dangerous device. - What? - Good, good, okay. - Do you have a Mac? - But you don't have Mac. - Jesus, through Ukraine? Aha, because VPN still. Okay. There is no, somewhere he has. Am I doing it right? I am unique, really. This is authentic and I actually run this activity all the time. We are currently recruiting such things. The name has been simplified a bit, because writing out invoices at the station is a tragedy. I failed to break the CDG, which I didn't want to do, but because of the article on Niebezpiecznik, which I had no idea about, people started to get into the CDG and it turned out that there is a narrow throat
when you search for it and the IMBA fell down for a few hours because of such a DDoS. Basically such a small DDoS killed them at that moment. I could write a book that the funny name of the company is the only thing I managed to achieve in my life, but... Well, yes, at least it was funny for a while. It's the same as with that dream, right? In general, Delos was mainly interrupted just because it was not proven yet, right? Yes, it was, but you know what, I'm not... I was hit by a mouse on the dangerous place, it was somewhere, but I stopped reading it. Longer story. I can't say anything about it.
Okay, moving on with this path, do you have any more questions? Do you have anything funny to say? Nothing? Why not the feminist, but I'm not the one who can do it. I wanted to make a few of these slides, few, so to speak, politically correct, but I didn't know who I would have to deal with, so I won't risk it. Maybe someday, if they let me in here, we'll think about it. I definitely know what topic to talk about, so I won't waste your time for the second time. Okay, no one for sure? One more interesting example of this type of news was once a fake page of the National Regiment on Facebook. I
remember that the trolling was cool, when my credit card was stolen, where I entered my card number on the website and it showed that it was stolen. And recently all the PIN numbers for credit cards were leaked. With the credit card only the PIN numbers were leaked. So he generated 10-9 numbers. And there was a fuss. But it was so much that it appeared in more serious newspapers. The newspapers were so mad that all the PIN numbers for credit cards were leaked. OK, nothing? Or more? Because we really have a few minutes left. Literally. No, not yet. OK, we're done? Andrzej? Thank you for giving me this pleasure of wasting your day.