
All right folks, thanks for waiting while people, uh, trickled in. Uh, we've got Ian Latter here to talk to us. Ian's a 20-year veteran of the IT industry who spent the last 15 years working in security in a number of positions including penetration tester, security architect and most recently is in a security governance role at a blue chip corporation. Uh, Ian teaches the Practical Threat Intelligence course at, uh, Black Hat and has spoken at key international hacking and security conferences including COSAC, Ruxcon and Kiwicon. If he had the spare time Ian would be pursuing a number of private software and robotics projects including the Barbie car that he promised his daughter. Uh, wiser friends have
advised that he finish this project before she's old enough to ask for a real Corvette instead. Please put your hands together for Ian Latter.

Thank you, uh, and thanks to BSides. Uh, and today we're going to talk about Through Glass Transfer, um, as a remote access, uh, exploitation tool. The key messages for this session, the messages I want you to take away from this session, um, is that this is a current security architecture flaw, so if your current security architecture is flawed today. Um, I published everything that you need to know about this already, it's all up on the website, um, from first principles to demonstration of full code release, proof of concepts all included
in the white paper, so this is for the first version of TGX, TKX and TCXf, which you'll see in this, uh, deck. Uh, the impact will probably be significant, um, today it will be much more significant. Uh, there are no constraints to data theft for remote workers or offshore partners, uh, and there are no easy answers, though the paper has some suggestions.

Uh, my career, I've been on both, as you heard, the, uh, the red team and the blue team. Um, I'm currently on the blue team. Um, in my, I have a number of hobbies. Uh, my daughter's Barbie car unfortunately is one of the many projects that have suffered because of my lack of time, uh, and hopefully we'll
get on that at the, uh, at the end of this year.

I want to give credit to a number of researchers that have worked in this field. Uh, it seems that, um, quite a few of the technologies involved have actually been invented uniquely multiple times, and I did the same thing again. You'll find some technologies in here that have been presented before. Um, I did know that at the time when I wrote it, I've even written to some of these people and, um, made sure that I've got their blessing. Um, there's a lot more references on the website for people who've worked in similar disciplines and future useful disciplines for this, um, and I learned
about one more yesterday that was presented in October in Budapest, I believe, that I've got to look at.

So let's look at the problem space. Now it's my assertion that any user-controlled bit is a communications channel. So my validation for this is that the screen transmits huge, huge volumes of data. So I want you to imagine the screen as a bundle of fiber optics that have been cut clean through, so those fiber optics are pumping bits at you from your screen. So then, can the screen be transformed into an uncontrolled binary transfer interface?

So my technology solution, my proof of concept. Um, my brain went back to terminal printing, VT220. Um, at that stage terminal printing
sends, all we did was redirect the virtual terminal to a file, to a printer or to a file, so data didn't actually leave the screen, uh, same as what we did with X, Y and Zed modem protocols. There was a VHS tape backup product that I got to see when I was working in an electronics store as a kid. Um, Grace guard blocks were actually stored, they played out of an AV port and recorded on a VHS tape. When you play back that tape, plug it into the video and on this board it could actually restore data, so you could see data in blocks on video. Didn't technically come out of the screen but it was
close. The first one that I'm aware of was the Timex Datalink watch from 1994. It was a Microsoft project, um, with Timex. Uh, it programmed the EEPROM through the face of the watch, the, uh, the little, um, window to the EEPROM was exposed to the screen, uh, and I've got a demo of that for you. Uh, it was dependent on a CRT, there's a couple of projects that have been out since that do it with a TTL, uh, LED. Um, took about 20 seconds to transfer 70 phone numbers. And this is the ad, this was from the first computer watch revolution 20 years ago. As you can see, configure your diary, you remember this
interface, and then, uh, to transfer it we hold the watch up to the screen and those, those lines actually emit patterns that the watch uses to store the data directly in the EEPROM. So that's data emitted from the screen under some very specific circumstances.

Now I'm not going to go, given the audience, into the complete history of QR codes. Needless to say that, um, I wanted highly distinguished, highly machine readable, uh, recognizable on 360° scanning, the native features of QR code. Um, once it was standardized we also got inherent error correction, um, and support for deformed, uh, images, for deformed codes. Um, it's got large capacities but I don't use that in this, uh, in this demonstration. So the Zen
moment here is I want you to consider a QR code on the screen as a layer three packet, a datagram packet, um, and it's captured within the ether of that display device. So then at this point we need to get from one QR code to another to create a packet flow. We simply replace one QR code with another on the transmit side. On the receive side, um, all we have to do is use video instead of a photo and not exit. But this creates a number of problems at layer four. So it's a unidirectional interface, I've got no signaling back into the screen, I can only receive. Um, this means no synchronization and no
flow control as well. It means I've got to oversample the screen to make sure I've captured the packet. Uh, when I oversample the screen I get duplicates, when I try and de-duplicate it I've got problems because that was possibly intended in the application layer, so I need some sort of transport protocol. If I use the smallest QR code, version one, it's 14 bytes in size with 15% error correction. Um, got to take the first byte and turn that into a packet header, so now I can choose different flavors of packet. I've created a control and a data frame. In the control frame I've got, sorry, in the data frame the first bit
chooses, the first bit toggles the packet type, uh, and then I've got a counter, uh, and reserve data, and then the rest of it payload, it's just source data modded to the packet size. Originally designed just to transfer data as a file transfer, one file at a time, out of the screen. The control frame, very similar: control bit set to control and a couple of message types, a major type and a minor type, and then the payload is the contents for that control message. So you can see the messages here: file name, file size, um, QR code version, um, frame rate. Most of these messages are actually irrelevant to the transfer protocol because the receiver can do nothing but
work with what's been sent to it. Um, really all of this is for user interaction, user interface, to show the user details about the progression of their transfer. At this point I can do a one-way transfer between one or more receivers, don't forget I can have multiple people seeing the same screen. Um, I've got features at layer, between layers 4 and 7, for high latency interrupted transfers because I can only mod packet the distance into the file, kind of like BitTorrent, you're putting a bit at a time, a chunk at a time. Um, it includes error detection both natively and end-to-end because I put a CRC in the stop message. It requires of layers,
layer three, these are arbitrary, I've set these up in the protocol just for the proof of concept, um, 1, 2, 5, 8 or 10 frames per second. I'm assuming a commodity camera on the other side so I probably can't go, like, I'm looking for a third of the camera speed, so 30 frames per second, I want to max out at about 10 frames. QR code versions 1, 2, 8 or 15, just to give a spectrum, um, and then binary encoding with 15% error correction. Now the problem with the error correction that's in the QR code is if you get to, depending on the type of data, if you get close to the suggested capacity it may spill over, and then in this
protocol that means suddenly you get a different size QR code in the middle of your stream, which can break recognition. I've arbitrarily selected a smaller reliable capacity which won't cause that spill over in 15% error correction, so the smallest packet size I'm working to is 15 bytes per frame and the largest is 408.

In this example, to give a quick hello world file transfer, um, that's control start file name, hello world, it's got to fit in the, uh, in the pack, in the packet, smallest packet. So size, start control file size, I'm sending you a 13 byte file. Start control, 148 bytes per frame that I can send. Uh, start c, start control FPS, I'm
sending five frames per second, so you can now display a, um, status bar and a time estimate. Um, data with a counter of zero, there's my hello world text, and then I send a control stop complete with a CRC32 so you can validate the complete file transfer. This is an example of what that looks like. Um, this is a file encoded in a TGX transfer graphically, so that's what you'll see on the screen.

If we update those layer three configurations with, um, frame rates, frames per second, the scale that we get with the smallest frame at 1 frame per second is 80 bits per second through to about 32k. It's arbitrarily set by me in the
configuration of this protocol. Um, also note that this is only limited by the receiver, so if I had a high-speed camera I could get closer to the frame rate of the screen.

Here's an example of a letter that I sent off to the Office of the Australian Information Commissioner after February last year, when he changed the rules to say that use of a system was different from disclosure of data in that system. When offshore workers use the, use data in my system, that data is considered to be onshore. When the data leaves that system, that data is considered to be offshore. This protocol makes that possible. You can see here if you look very, very
closely that it's, uh, in flight mode, and there's a yellow status bar off the bottom there that's showing, oh sorry, wrong spot, off there, that's showing the status of the file being transferred. This is an app that you can pull down now, and that was a real-time transfer of that PDF to the phone, so that's Google being used as Dropbox.

Now the reason why I kept the version one QR code and wrote the protocol around that is because natively it's 21x21 pixels. 21x21 pixels happens to be able to be rendered in an 80 by 25 text window. This is an ANSI version of the same sequence, generated using simply space characters with white on black and
black on white, um, ANSI codes, so that sequence will come out from a terminal window. So if the TGX transmit software was on this laptop right now I could exfiltrate data file by file through the screen, and the binaries for that were made public a year ago.

But then how do I get TGX onto the laptop in the first place? Well, if any control, if any user-controlled bit is a communications channel and I have a keyboard, then I need a programmable keyboard. The Arduino Leonardo, um, has native USB HID support, uh, it shows up as a mouse, keyboard and joystick I believe. The Digispark on the top has 6K flash, it was a community project. The LeoStick that
I can buy at my local electronic store for about 20 bucks is below, 32k of flash. If we put data on there we can upload it, but what do we upload? Well, we could upload source code because it's text, so we can type in text, um, but that kind of sucks 'cause secured systems won't have a compiler. So what we really want to do is upload a gzip version of the binary. Um, we gzip it, we hex dump it, so it's compressed, it's dumped out to a bunch of hexadecimal characters, so we're from 0 to 9, A to F, so we can type it in. Um, and then I simply wrap around
that maybe some printfs for bash or print for Perl so that whatever gets put in, I can run and it'll give me the binary back out. This is the file uploader.

Here's an example of an HP thin client that my wife bought off eBay for me. Um, I don't know the administrative password for this device. When I plug in my file uploader, actually before I plug in my file uploader, I'm using PuTTY to SSH to another machine and open a text editor. When I plug in that Leonardo device a whole heap of questions are going to come up asking to add drivers for the Arduino side of the device. I'll cancel those because I don't have the
permission to do anything with it, but the USB HID keyboard will be accepted by this device out of the box. You can pre-program the HID on these devices so this could look like a Chone HP keyboard for example. So I've plugged it in, there it goes, typing in the data as a
script. It'll get to the end, it'll flash to tell me that it's finished, it gave me a beep. I can quit, change the permissions on the file, run the file, outputting it to the gzip file, because remember it's the gzip binary that's encoded in there. I can gunzip it, change the permissions of the payload so I can run it, and then run the payload. So now I've got my binary on the target system.

But wait, if there's now no barrier to getting something onto the target system then technically I've got full duplex, I've got data coming out and data going in, so I could actually replace file transfers with full-blown through the screen networking. To do this we need to make a
few tweaks. First of all the USB HID keyboard interface is a polled interface, from the hardware it's polled once every millisecond. Um, the typical implementation sends a key packet followed by a null packet. Uh, that's not necessary but I kept it that way because it was easier. Um, it contains up to six keyboard keys by code. Uh, there's no native binary mode in here. Um, it's automatically de-duped, which is something I was not expecting, so I had to, we'll get to that in a sec, but data is removed irretrievably with de-dupe. Um, we have the same problems we had with TGX, data going into the system, um, needs some sort of transport protocol, um,
although it's unidirectional, although the status LEDs could be used to extract data, and when I wrote this I didn't know that someone had done that. There was a project that I'd read about, but I can't find code for, that shows 10 kilobit per second data exfiltration through caps, num and scroll lock keys. Um, data is a b, we wanted to create a binary payload by encoding it in hexadecimal, which halves the throughput, and retaining the key clear means we're getting about three bytes per packet per 2 milliseconds peak performance. There are a few things limiting that in the Arduino as well, which I think I removed most of, uh, including, so I needed to
correct for de-duplication and that takes about half the keyboard, I think, if I remember correctly. Um, at this stage there's not enough space in that packet to take a whole byte out for a header, so what I've done is I've book into the sequence of keys and said this is a control and this is a d, uh, and then I've taken out anything file based, I really just want to stream.

If I take that, um, Leonardo device which is my keyboard emulator and I add a USB serial device, the attacker now has a USB serial port where he can send binary data and that's encoded as keystrokes, um, to create this keyboard
stuffer. So now I can send binary data and have it typed in encoded for me. Um, and I made a few extra changes to the Arduino native code to make that run faster, that's the TKX side. On the TGX side, um, I strip out anything that made it file based, I really just want streams, so I've got streams in and streams out.

This is what happens when we combine into a single architecture. On the left, at the personal computer end, the attacker end, I've got a listening TCP socket on my attacker device. What I send out of my serial port goes into the end user compute device, the enterprise device, as a USB keyboard, so
now typing in, so all you see is a keyboard. Um, what that goes into, the code at the other end, that sends it out of the TCP socket. Coming in from the TCP socket on the enterprise side, data is encoded as packets on the screen, that's decoded in this case via a camera, and what's been decoded is sent out of the socket. So now I've got a TCP socket on my device and I've got a TCP socket on the enterprise device and technically they're air gapped, the only connection here is a keyboard. The reference implementation has 12 kilobits per second up maximum, I don't think I achieved that. Um, in theory that could go up to 32k, I've made some
suggestions for doing that, I'm not going to pursue it. Um, the reference implementation for TGX at this point has 32k max down. At this stage we've got bidirectional binary clear serial communications, it's a native network socket interface so anything will run over this, uh, and it's insanely portable and massively vulnerable. An example of this is that you can run pppd over netcat over that interface and actually get a native IP interface as well, and I'll show you a demo of that in a moment.

In terms of architecture, what have we done to the enterprise? Well, firstly what is TGX, TKX and TCXf? Um, these are storage based covert channel attacks, although some have
suggested they're overt channel attacks. Um, secondly where is the enterprise in all this? I've been talking about this device but where is the rest of the organization? Uh, well in the enterprise we abstract the screen and keyboard, uh, on the organization side. So when I'm offshore as an offshore worker this is what enterprise looks like at layer 7. I'm out here, I'm way back out here, or from your perspective out in the audience, offshore, as I connect into the organization and I go through my Citrix jump host, my VDI, maybe my SSH jump box, to the most sensitive box in the organization where I've got to work. The pixels rendered on the
screen in that SSH session from the most sensitive part of my organization are passed clear through to my screen offshore uninterrupted. So it doesn't matter how many gates we pass through, the screen is clearly passed out and the keyboard's clearly passed in. In terms of the model on the bottom, you'll see who owns what: the attacker's on the left and the enterprise owns everything to the right. I don't need to compromise the end user device that's been given to me offshore. There's no AV that's going to tell me that this has been compromised 'cause all you've seen is a keyboard plugged in and a screen in front of it, and I can make that keyboard HID look like the keyboard
that I unplugged. The client that's running on my end on the attacker device is outside of your visibility. The client that's been deployed internally hasn't been deployed on this device, it's been deployed deep in your data center where that asset is, where I have access to, right back next to that little beer in the corner, where you don't have AV, where you don't have DLP, where you don't have malware detection.

What's it look like? On the left I've got an attacker device marked with red tags, then I've got the EU device, the HP thin client, and an application server marked with the yellowy green tags. You can see I've got the camera sitting in front of
the screen and I've got a keyboard stuffer plugged in. I'm running it up with the two PuTTY sessions from the EU box, from the thin client, through to the application server, and so I'm running this session from the application server. That attacker box is not connected to a network. I've run up pppd, um, on the application server and on the laptop, and now I'm SSHing from the laptop, which has no network connection, to the application server which is on the same IP network as the laptop. You can see it's slowly ticking away, and I'm sorry about my bad elbow acting because it got in the way of the autofocus, it does clear up at the right
spot. Um, I'm accepting the SSH key on the left. We're going to wait as it ticks over, now I got to type in the
password and now I've got a shell. So now I'm sitting on that application server. The only thing you're seeing is the QR codes on the screen, at best that's a running PuTTY window, and the encoded key codes that are typed hex effectively. I'm now doing an ls and you can see that slowly ticking over. So that's TCP, that's SSH on IP, PPP over TCP over screen and keyboard, with one part of that over SSH.

Technology solution two. People get really hung up on the QR codes. Yes, I can go pay my DLP provider to go and filter QR codes. Yes, I know that in the original paper I said that was the obvious next
step. It won't work. Um, at Christmas I did a version that ran on pure ASCII, so the datagram at layer 3 can be anything, it can be pixels, it could be Fortune 500 logos, I'd love to see people for, um, filter off Fortune 500 logos. Um, it could be letters, words or phrases. Um, I've chosen, um, some ASCII zeros and ones. Um, in this case the letters enable, using text letters means I can also make it clientless, so I don't need to drop a binary, I can now do it in bash. Um, and it's still minimal server-side indicators of compromise because I've just got this 300 byte bash script, and it demos the futility of tracking QR
codes. That's the bash code. I've put it in a specific font and color because I'm using OCR in my proof of concept, it could have been done better but it was done quickly. I'm now getting rid of the camera, I'm going to use an AVerMedia game capture device. This plugs into the HDMI port. These devices are designed to allow you to upload your game videos from your Xbox and PlayStation to YouTube. In this case I'm capturing it down to that little orange USB key as an MP4 file. Um, this is a 1 kilobit per second upload that we're going to capture, uh, and then retrieve from a box by looking at the MP4
video.

Now last year at one of the bars I was asked about, uh, the red room. In this scenario the red room is that special room in your organization where, uh, the secret sauce is kept. Now in our offshore case, um, typically we regard the offshore environment, from tier one organization perspective, to be a locked-down room where things aren't allowed to go in and out. I'm yet to see one of those rooms pass a physical security audit but let's roll with it, if we, anyway. Um, the red room argument was put to me, the rules are a device can enter the red room but it's got to be blanked except for the firmware. It shouldn't have a
problem, so we can get the device into the room, um, but the device when it leaves also has to be blanked except for the firmware, so how do I get my video file back up? Uh, the argument I put back was: Captain says be creative. Um, if you don't know the movie reference you'll have to look it up.

This is the bash program running with a capture. I've redirected /etc/passwd to file descriptor 3, which is what I'm going to read in in code. You'll see we still have the same format, the data packets have a counter on the left and one byte per packet on the right, it's a really tiny TGX. In the next video I take that
capture and I play it back. So I've taken this MP4 file back to the attacker's computer. This code is now reading it frame by frame and displaying it on the right. You'll see little, if you're close enough you'll see little boxes flashing around the text, that's the OCR going nuts and showing where we've actually found characters. As it runs you'll see it decode on the screen on the left, so line by line you'll see /etc/passwd come out, which is what that is over there. So there's no limitation simply because I've got a text window and you've taken QR codes off me. Um, when that, if you've got more time you can have a look on YouTube, that video ends
with the correct M, uh, I don't know if I did an MD5 on that one but the others all end with the correct MD5.

Um, solution three. This year I'm making good on the pixel threat. People say yeah, but QR codes and text, it's all very slow, I don't really care, you can't steal enough. Fine. TGX has been updated. I now do a CRC32 per frame because I'm doing massive frame sizes. Um, the datagram protocol is, uh, HTML, we're using HTML5 canvas and JavaScript, so at this stage, um, what I'm uploading is a whole bunch of, um, HTML code, about 30K's worth, even though I said 20K there, it got a bit bigger. Um,
it's still technically clientless in that sense, it feels a bit clienty to me but people still seem to think that it's clientless. Again the indicator of compromise is quite lightweight here, you're really just looking at that script and an HDMI plug, a script in the data center, HDMI plug. This one is graphical, which means you'll be doing it from your XenApp, um, browser or from your video desktop for example, so you're still in the environment exporting offshore. Um, again demos the futility of targeting a specific implementation 'cause if there's one message you take away from this is that I can change this infinitely. Um, same box, the AVerMedia gives me 1.3 megabits per second at two
frames, um, per second with one bit per pixel, so black or white, it's either on or it's off. I'm doing 1280 x 720 x 60 frames per second capture. This box doesn't run anywhere near that fast and you'll see that in a sec. 100 kilobytes per frame now, um, is being captured, and again we take this offline to do the MP4 read. I can store this on my 25k uer, plug it in, there goes my code, I'm typing it in, so all I had to do was open a text editor on the desktop at the other end. This is a web browser window, uh, F11, this is Firefox but it also runs in Chrome, so it's in full screen
mode. Um, what you'll see, I've selected the 5.5 megabyte white paper that I originally wrote on this. Um, the big red frame was a syncing frame, uh, and then each of these is obviously the data encoded bit by bit, one bit per pixel, black or white, being captured by a screen, the HDMI capture tool. When it completes you'll see up in the top corner, up over there, the speed, yeah, and there you go, 1.3 megabits per second.

So we take that MP4 and we decode it. I've got debug turned on, every single frame line in the text window is another frame of video that's going past. What you'll see in this video, because the AVerMedia, um, struggles to keep
up, about 50% of the way through the file transfer you'll see this sort of pixelation as the screen tries to res up. It's almost like it ran fast for a while and then slowed down, because it's designed to ultimately upload videos to YouTube, so don't need to be high quality. When it does that, about halfway through the video, you'll note a whole heap of errors pile up between recognized frames. So it's getting control codes at the moment, they're tiny up here, you'll eventually see a burst of data here, so that's all those control headers. Then this is a little burst of failure, so didn't quite get the right data before we finally got a valid CRC on a packet
and stored one packet. You can see the gap of the number of frames that are all duplicates and perfectly readable, so we dumped them all because we don't need them. What'll happen is those one-off little errors will suddenly stack up when we get halfway through the video. So there's still just a couple of errors, still just a couple of errors. Somewhere here you'll see that the video does some weird res-ing thing where a whole lot of data slowly gets populated and it takes many, many frames before I get a perfectly clean frame. We're starting to get more errors, starting to get loads of errors, we almost run out into the next frame before I get my perfect
frame, that's because of this device. Um, in the bottom corner over here you can see the PDF that's slowly being drawn out of this video, and when we get to this, get to the end of the transfer, which is coming up, you'll see that the end, the, uh, CRC validates for the file. Um, so we're almost there, couple more frames, loads of errors there but we still get enough, we still get a couple of good frames so we've got enough, and that's it, the CRC validates. I now have a PDF, when I double click on it you see I've got that entire file back, and that was a 1.3 megabit per second upload.

So it's not good enough for a
conference. For another 30 bucks you can have a professional card. This is a Blackmagic Design DeckLink Mini Recorder. I didn't read the description properly, it's a YUV card not an RGB card. I have no idea what the AVerMedia was, I never went back to the manual. Um, the problem here is get raw RGB data, if I had raw RGB data there's no reason that I couldn't take every single frame perfectly every time, uh, so we'd be talking full-size picture, 60 frames per second, depending on what's possible offshore, give or take the bandwidth and the setup of your environment, right. Um, same resolution, um, same number of, um, bytes per frame, but I'm now doing eight
frames per second at one bit per pixel, which gets me up to 4.7 megabits per second. For the low, low price of 10 times as much, I'm now at $15,000, that Blackmagic Design DeckLink, uh, 4K Extreme 12G card is designed to capture 4K video at full frame rate. The only reason why I'm not showing you a gigabit download today is because I couldn't parse the bloody video file in Linux. What I got, uh, FFmpeg came the closest and it allowed me to get three bits per pixel, um, which is giving me 12.1 megabits per second, but that's the only thing stopping me from making this faster. I didn't have a Windows box to try it on. So 12.1
megabits per second, I'm doing 10 frames per second at 3 bits per pixel. Um, we're now talking 300K per packet, big packet sizes, I shouldn't be using CRC32, um, but it works. This is what it looks like, there's the sync frame and that's the 5.5 meg file being uploaded. This is what it looks like to decode, it's so quick I can't even size the screen fast enough, it's already got the control packets. You notice it's almost perfectly clean, there's only two CRC errors in the entire transfer and it's not enough to upset it because it gets the right frame. That's a CRC validated transfer.

Back to the enterprise architecture. If we take PPP back out of
the example, because that's cheating, that was the only place where we required super user access, to create an interface requires permission. If I take that out, everything I've shown you can, it only, it has no privilege escalation, those protocols can only do what the user can do, what I could do. So with the permissions I had it can only type and read what I could type and read. The distinct properties of what's changed here seem to revolve around volume, accuracy, structure and utility, and the paper goes into some thoughts about what you could do around that.

The legal problem. The reason why I started all this is back in February 2014 the rules changed so that they
relied on use versus disclosure. In Australia they made the organization that's doing the offshoring, the Australian entity that brought in the offshore agency, legally responsible and liable for what happens when that data gets disclosed. So I'm allowed to bring people in to use it in my systems where it's controlled and within Australia, but when that data is disclosed and it goes offshore, if it's used for a purpose other than it was collected then it becomes the Australian entity's liability. Um, and there's some similar rulings in HIPAA and FISMA. Um, there's some interesting rules in there too, they all rely on the difference between use and disclosure. This also includes, in this particular, uh, set of rules,
unauthorized access where the user discloses it themselves, so the offshore user actually hacks it, like what we're doing here, if you didn't take reasonable steps. Of all the reasonable steps listed the only one that makes any sense to me is monitoring, so the question is what is reasonable monitoring?

Butler Lampson in 1973, this is the world's oldest zero day, was looking to, um, restrain data being transferred between, um, people of different, um, classifications. His conclusion was probably cheaper to accept the risk, um, and try and bound the capacity than trying to bound the capacity of all covert channels. His material became part of TCSEC, so the DoD specification, um, so B2 and B3 trusted
systems um said that a high covert channel bandwidth was probably 100 bits per second because 100 bits per second was considered a useful terminal so if a terminal is leaking at the rate of a useful terminal it's probably not a secure terminal from this presentation today I have not shown you a demo that ran under 100 bits per second including the text demos HDMI as I've already mentioned at 1920 x 1080 by 24 bits per pixel by 24 frames per second which is low for for that spec we'll run it faster than gigabit per second so far as acceptability in the DoD spec um they've captured it uh one bit per second for a for a uh for a covert
channel um but you have to be able to audit any channel that can exceed a rate of 1 bit in 10 seconds is your organization today able to audit every keystroke every pixel every change in caps lock light that can happen at one one tenth um 10 time one in 10 seconds across the entire organization cuz that's what these people are suggesting is is reasonable I'll give you a commercial example and we're about to wrap up the talk um I put this risk calculator on the website um a month ago so you can play with it in your own environment um in at the in April the FCC uh went after AT&T from what I
remember reading um for losing 280,000 records through their offshore centers in I think it was Mexico Colombia and the Philippines that was a $25 million settlement for 280,000 records that works out to about $89 a record that's quite low compared to the Ponemon figures of $188 $189 per record but this is just the fine this is just that suit if my offshore workers were limited today to just what this chart goes this calculator goes as low as memory so I might be able to remember a word a day for example there's nothing stopping someone from remembering a word and taking it home but I'll start with something a little bit more meaty let's say an A4 page uh a thousand words is about
5 kilobytes um I've set a records 2 kilobytes we're going to treat it as you know complete complete binary object you can probably go harder um we got one attacker so one attacker 4 days time taking an A4 page home per day of record data we're talking at the at the rates from the from the example we've looked at 10 records in in four business days um or a thousand bucks let's say they do 10 times that let's say they take 10 pages home we're still less than 10 grand and we're still only talking you know maybe 100 people as long as the FCC doesn't give bulk discounts what I've shown you today would be capable of changing that figure
uh to somewhere in the order of uh 87 million records in four business days that's 8 hour days that's $8 billion worth of cost um but I don't have to work in 8 hour days anymore I can set this up at 9:00 a.m. today and I can pick it up at 5:00 p.m. tomorrow so that can happen in 32 hours um in a 24-hour day I can take 65 million records worth about $6 billion at that using that case study um every 24 hours so I can take all of the United States every man woman and child um in one week or everyone in Australia in 8 hours 'cause we're a little country so the message to take away here
the new equilibrium uh use versus disclosure they're functionally identical there is no difference if I can see it I can have it you've uploaded it to the room um offshoring right sourcing best shoring whatever term you currently want to use to describe um remote access for untrusted or semi-trusted users to sensitive data that's onshore um if you really want your data to be yours and yours alone it is not currently and it's unlikely to ever be safe the real question we need to ask is how many bits per second data loss are we prepared to accept thank
you I have a mic in the center of the room if anybody has any questions if we don't have questions I have to put that down in his report and they will revoke his visa again we don't talk about that all right