
BSides LV 2022 - Wednesday - Proving Ground

BSides Las Vegas · 2022 · 4:28:41 · 359 views · Published 2022-08
About this talk
Proving Ground runs a two-day intensive workshop teaching professional public speaking to first-time speakers in the security field. Participants work with mentors to develop and deliver a 10-minute presentation on one of three scenarios: reporting penetration test results to clients, presenting technical findings to peers, or pitching internal projects—then present to an audience in a forensics-style competition format.
Original YouTube description:

PG 101: The other kind of forensics for hackers. This year, Proving Ground is trying something different. Instead of our normal 4-month program, we're going to run a two-day workshop to focus specifically on public speaking in the professional sphere. Accepted applicants will come to BSLV and spend day 1 working with a small team of mentors to build a 10-minute presentation based on one of these scenarios:

- Presenting the results of a penetration test or security audit to a customer;
- Assembling a technical presentation for consumption by an audience of one's peers;
- An internal engineering "pitch" (requesting funding or resources for an internal project).

On day two, they'll present their prepared talks to an audience, in a style similar to high school forensics. Just like the normal Proving Ground experience, we're limiting applications to those who haven't spoken at a major international hacker conference.
Transcript [en]


All right, good morning everybody, and welcome to the Las Vegas BSides Proving Ground track. A few announcements before we get started. I'd like to take an opportunity first to thank our sponsors: first of all our diamond sponsors, LastPass and Palo Alto, as well as our gold sponsors, Intel, Invisium and BlueCat. Without their support and the support of all the volunteers and sponsors and other donors we wouldn't be able to have these amazing talks, come see all these amazing people, get together like this and have this awesome conference, so a huge thank you to all those people. A reminder right now: if you have a cell phone, please take it out from wherever it is and put it on silent. This is out of respect for the speaker, and also we will be recording this, so we don't want to get any of those cell phone sounds on the recording. In addition to recording, this will be live streamed. A quick reminder of our photography policy: you should not be taking any photographs unless you have the consent of everybody in the room. That includes slides, unless the speaker specifically says that's okay. Questions: if you don't mind, hold your questions until the end. I will come around with the microphone so that you can speak into the microphone; that way we can get your question on the stream and on the recording. And then lastly, we are requiring masks. If you need to take it off to have a sip of a drink or eat something real quick, that's fine, but otherwise please keep your masks on at all times. And so without further ado, I'd like to introduce Mike Lisi and his presentation on how to succeed as a freelance pen tester. [Applause]

Good morning, how's everybody doing? Thanks for coming. It's a really good turnout; I'm pleasantly surprised. I'm here to talk today about freelance pen testing. A quick note about me: Mike Lisi, @mikehacksthings on Twitter. I do penetration testing. I have a couple of certifications: OSCP, GWAPT,

CEH. I am the founder of Maltek Solutions, which is the company that I established for my freelance pen testing. I also work as the CTF design lead for the NCAE Cyber Games, which is a collegiate cybersecurity competition, and I am the co-organizer of a security meetup group called IthacaSec, in upstate New York. A quick note before we begin: I'm going to be covering a lot of different aspects of creating the business and talking about freelance pen testing, but it's important to know I'm not a lawyer. This isn't legal advice, this isn't financial advice. You're responsible to do your own due diligence and understand what works for you in your individual circumstances, so just take that into mind as we move forward.

So if you're interested in pursuing freelance work, there's a few important questions that you need to answer, and these are to make sure that you're ready to jump into freelancing. First off, why do you want to do it? Why do you want to become a freelance pen tester? Your answer is going to be unique to yourself. For me, I had the opportunity to work on the NCAE Cyber Games, but I was a full-time consultant at the same time, and there wasn't enough time for me to do the full-time job, the part-time job for the education, and then still have time for family, friends, hobbies, things like that. So freelancing was an opportunity for me to pursue all those things while making it under my terms. But for you, I mean, there's obvious benefits if you're interested in freelancing. Some of those benefits are you get to decide when you work, how much you work, who you're working for, what you're doing. Big benefits, but there's downsides to consider too. You're going to have to make sure that you can get through the times when there's not enough work available. How are you going to handle those situations? You may be working with clients that you don't necessarily like or get along with, but they provide a lot of work, things like that. You have to be ready for those things. And you have to find the work. It's not going to be provided to you. Unlike with a regular job, where you have tasking that gets presented to you to have you do, that's not the case with freelancing. You've got to do a lot of work to get that work.

So if you've decided, okay, that's all fine, I still want to do it, let's talk about preparation. If you have experience as a pen tester, you probably have an idea of what your strengths are, what kind of tests you can do, what kind of work you can do.

So identify those. Make sure that you've established what you're able to offer. Are you an app tester? Do you work in cloud environments? Do you like breaking medical devices? This helps you establish your client base, who you're going to go after to get some of that work. For me, I mainly do web app pen testing and external pen testing; there's a lot of work available in those areas. So depending on where your expertise is, you have to identify how much work there is to pursue. Outside of the specific technical strengths, there's a lot of soft-skill type things that you need to be aware of too. Are you able to talk to clients? Can you establish relationships? Can you define how to approach testing, how to get all the documentation in place? Do you know what your clients need? Can you identify those by having discussions with the client: what are their goals, what are their concerns? Are they worried about user data breaches? Are they worried about PII, health information, credit cards? All these are very specific to the customer, and you need to have an understanding of what those are when you approach them to get work.

On the non-technical side, are you ready? Are you financially prepared? How long can you go until the invoices start rolling in? You may not have work day one when you start on this path; you have to be prepared for that. Work isn't consistent. Especially in the pen testing world, there's going to be ebbs and flows, when there's a lot of work and when there's not a lot. How are you going to approach things like benefits, retirement, time off? All these things that are established and coordinated with a typical job, when you're freelancing, it's all falling back on you. There's legal aspects to consider too: a lot of contracts, a lot of legal documentation, agreements, things like that with the clients. You have to be ready to approach those situations and to be able to handle them. Initially I didn't know what I needed to do in this regard. I went to my employer and I basically said, hey, I have this other opportunity, I kind of want to pursue it, I can't do both, can I be a contractor? And my manager at the time said, oh sure, what's your rate, what are your terms, how long are we establishing this relationship for, what are we doing? And I was a complete blank. No idea, no idea what I had to do. But thankfully they were able to help me identify these things and get everything established. I learned a lot in that process, so it's one of these things that you need to make sure that you can do when you're setting up these relationships.

So the last thing you've got to consider is how are you going to find the work, right? The work doesn't just come to you; you have to go after it. As a pen tester, there's times when there's not consistent work. This is a graph of my workload throughout the year: Q1, Q4, tons of work available; Q2 gets a little bare, and I've got to make some changes in order to keep going; then things start ramping up again. So you've got to take that into account with your budgeting: how are you going to get through that Q2

slump to make it successful? And the other thing to keep in mind is that when you're a freelancer you're taking on all these other roles and responsibilities that are typically handled by other people in an organization. You have HR, you have legal, sales, marketing; when freelancing, that all becomes you. So outside the technical knowledge that you need to know, you need to start getting acquainted with these other concepts. But okay, you want to do this, none of that stuff scares you, that's fine, you're ready to learn all that, or you know it already, great, you're ready for the change. So what do you do next? You've got to get set. I'm going to go over a few things here that are basically required. They take time, they take effort, they take money, but they're all required to get started. You've heard the saying, there's no such thing as a free lunch. That's how it is in business: all these things cost money, but they're really necessary, and you'll understand why.

So first up, you want to create a company. Not a DBA, "doing business as"; that's just basically saying, hey, I can do this work. You want to have a legal entity, something like an LLC or an S corp. Why? CYA. You know what that is: cover your ass, right? Having a company protects you as an individual. It gives the company the legal responsibility for the work that you're doing. So if during a penetration test something catastrophic happens, you take down a whole data center, the client's pissed, they're going to sue you. If you don't have a legal company in place, then you are personally liable for that stuff. So if you have a house, if you have other assets, all those are on the line. You don't want to take that risk if you want to go into the freelance world, so creating a company helps protect you in that regard. A company does some other things too. It legitimizes what you're doing, right? If you're just saying, hey, I'm a pen tester, okay, that's great. But now you say, hey, I'm a pen tester, I have a company set up, all this other stuff; the companies, the clients that you go after, they're going to be like, okay, yeah, I get it, you've gone through the legwork of establishing a company and everything, so I'm more willing to work with you. Doing so really varies by where you establish the company. Different states have different requirements. There's paperwork involved, there's renewal fees. The research that I've done has ranges between like 120 bucks and a thousand dollars to establish the company and maintain it year to year. So depending on where you're looking to establish it, there's going to be a cost associated with it.

Next, you want to get business insurance. Some companies won't even work with you if you're not insured. They want to make sure that they're covered too. If your company isn't worth anything and you screw up and they sue you, having insurance means that they have some comfort in knowing that if something goes wrong, they'll be compensated in some way. So it's on you to make sure that you have the insurance established. The other thing that does is

it has extra protections in place where contracts don't cover. So you're going to have legal contracts that absolve you of different things and dictate the terms, but in areas where there isn't coverage on that, insurance really helps. So it's basically layered protection. We talk about defense in depth in infosec; this is like protection in depth. You have the company, that's one way of covering yourself; business insurance is another way. The types of policies to look into: you're looking at commercial general liability. It's protecting you against bodily injury, property damage, libel, advertising mistakes, things like that. Policies on that, you're looking into like one to two million dollars' worth of coverage. It's relatively cheap though; it's about 350 bucks a year. The next one, probably one of the most important ones, is errors and omissions. Again, you're looking at one to two million dollars' worth of coverage, maybe more depending on the clients, about 750 a year. What that one does is if a client claims that you were negligent in some way or your work was inadequate, then this insurance policy helps cover that. So in the pen testing world, you missed a zero-day, something got released after you did a test, the client got breached, now they come after you because you didn't find it, right? The insurance policy helps cover in those situations. Finally you have professional liability. Again, a million dollars, two million dollars. That covers against misrepresentations, inaccurate advice, things like that. There's a lot of things that are covered on the insurance side. So one way to approach this is looking into insurance agents. I use Hiscox; that's a really big player in that. They know the type of insurance that is ideal for these types of things. Other agencies may be beneficial to look into too.

You need a lawyer. Specifically, you want a lawyer that understands business and contract law, somebody that understands penetration testing and all the legal aspects and requirements associated with that. You want a lawyer that works for you, right? They're going to watch out for your best interests. So why? We're CYA, right? There's kind of a theme going here. They're going to be able to review all the legal documents that you're getting established when you're setting up a relationship with a business. Everything's done over these legal contracts: MSAs, scopes of work, NDAs, all these things, all this legal verbiage in there. Your lawyer will review that to make sure that you're being represented correctly and in your best interests, and it helps to make sure that both sides are in agreement as to how to move forward. So I've had agreements in place that were provided to me from clients, and they had provisions of things like, hey, any tools, any scripts, anything that you create while you're doing any work for us belongs to us, we get a royalty-free license forever. And I was like, no. You can have ownership over the reports, anything like that, that makes sense, but anything that I create is mine. So my lawyer caught that in the contract review, they amended it, and the company was totally fine with it too. They said, yeah, that's not really what we were going for, but their lawyer put it in. So having a lawyer on your side is really beneficial. But the cost on the lawyer can vary. I mentioned before creating the company; there's lawyers that will set that up for you. I had my lawyer create my company and everything for me. They handled all the paperwork, all the documentation for it. So there's fees associated with that, maybe a few thousand dollars, and then you have an ongoing retainer with your lawyer. Basically you give them a pot of money, and any time you need their services they withdraw from that pool to work for you, and then, whatever the agreement that you have with them, you refresh that as needed. So

a lawyer's a big help. It saves you a lot of time and a lot of money on understanding all the legal implications that you're agreeing to when you're looking to do freelance testing.

You also want an accountant. Not a tax guy, not somebody that'll just file your taxes for you; somebody that really understands all the tax laws, because they're insanely complicated. So when you're working for a company and you're a full-time employee, there's things like payroll taxes: you pay half of them as the employee, the employer pays half. When you go into freelancing, you're responsible for that total amount, so there's extra taxes that you end up having to account for. A CPA really helps you with that. You're going to have payments that you have to make. You're getting paid directly from the client, there's no withholdings, so every quarter you're going to have to make payments based on the income, and your CPA will help you define what that needs to be. There's benefits to take advantage of too when you're self-employed. There's a lot of write-offs: things like the equipment that you use, the software you use, if you have cloud hosting, mileage for meeting with clients. All those things can be taken into consideration, and the CPA helps you identify those things and make sure they're accounted for, so that you know what you can claim, what you can't claim, making sure you're playing by the rules, because at the end of the day the government wants their cut; they don't care. Having somebody that actually understands it is the best way to go, and they're relatively cheap. Mine is about 500 a year for all the services they provide, for my personal and my business taxes and my wife's taxes. It's really not a huge expense, and it's a huge burden to be absolved of. So summarizing that, there's a couple of things here: we have the business creation, a hundred to a thousand bucks; legal side, one to five thousand dollars; accounting; insurance. All your startup fees, essentially, for the freelancing could be in the area of five to ten thousand, depending on your unique situation.

Okay, so we talked about why you want to do it, and got some things established on how to get ready for it. The last thing before you take the leap is work, right? How do you get the work? Where do you get the customers? As a pen tester, one of the best ways to go about it is subcontracting. A lot of consultancies have ebbs and flows in the work that they have available or that they need to get done, similar to the chart that I showed before.

That Q4 craziness in work, a lot of companies face that, so they typically don't always have enough work to hire a full-time person, so they'll subcontract it out. The nice part about this is you don't have to go find clients to do the work. The companies already have it ready; they just need somebody to do it, so that's where you can come in. You still basically have to interview with these companies. They want to make sure that you're a good fit, that you're technically capable, that you're able to do the job, that you can follow their guidelines and their procedures as they relate to things like reporting, client communications, things like that. But there's also some additional things to take into consideration when you're looking into subcontracting. You want to talk about rates, you want to talk about terms, scope, statement of work, reporting and communication, your availability, right? Because it's on your terms now as far as when you're going to be available, but you need to communicate these with anybody that you're looking to subcontract with, because they want to know: are you going to be there when I actually need you for the work? So you need to discuss all those things. It's definitely a great way to get started. It relieves some of the pressure of finding the work. It's not quite as profitable as some of the other methods of getting work, but if you're looking to get into it, this is definitely a great approach.

But I mentioned rates here, so that's one thing I really wanted to take a moment to discuss. When you're freelancing, you have to understand that you're not working 100% of the time all year, so you need to figure out what your rate's going to be according to all those specific factors. So calculating your rate, one way to approach it is take a target salary for a position like a pen tester. You divide it by 48 and divide it again by 40 to get an hourly rate, and that hourly rate you want to double. So, for example, let's say the target is $150,000 a year. Weekly, that's about $3,100, which gets you an hourly rate of $75. So a good rate to go about as a pen tester is starting at $150 an hour. That helps you cover the times when you're not working, and takes into account all the administrative work that is part of getting the work established, things like having the discussions with clients, setting up work, discussing everything. All those things you want to calculate in, so having a rate that makes sense is going to help you be successful.

But not all companies that are willing to subcontract are going to meet your rate. They're not going to be agreeable to it, just because they don't have the budget for that. So you have to make a decision there: do you accept a lower rate if they're giving you more consistent work? Does that make sense, or is it just not going to be a good relationship? Things to take into consideration if you're going the subcontract route. Direct work is the other method to pursue. It's harder to get, because you're essentially reaching out to those end clients that need to have the work done. There's a lot of overhead, a lot of

administrative work, because this is where you become the salesperson, right? You're trying to sell your services, what you're able to do and how it's going to help them. You need to understand and discuss their needs, where you can help, and then you also have to handle all that documentation that I mentioned before. They may want a proposal, they may want a scope of work, they want pricing. You're going to need to know how to do all that for the direct work. But on the plus side, it's more profitable. You're going to make more money on that, just because there's no middleman in between you and the end client; there's no company taking a cut for themselves.

The other way to go about it is networking. This has been one of the best ways that I've found work: Twitter, LinkedIn, the netsec subreddit. When you see a lot of job postings and there's companies that are looking to hire pen testers, that means typically that they have a lot more work to do than they can handle. So one tip there is to reach out to some of those companies and ask them if they're open to subcontracting. It's kind of a win-win: they can execute on the work, you get some money, and they don't have an employee on their payroll. But this is where a lot of marketing comes into play. How do you approach some of this stuff? Some of the important things to consider when you have your company: having a website, having business cards, having attire. Take into consideration how you're presenting yourself in person and online, because clients that you're looking to work with are going to use all that to make a decision on whether they want to work with you. So these are important things to think about. Even at BSides Las Vegas yesterday, just sitting around talking with a few folks, talking about what I do, they said, hey, we have a need for that, let's exchange numbers, let's talk about maybe how you can help me. So conference networking is a huge way to get some work. But the main thing here is just your reflection on the company that you create, who you are, what you're doing, and all that stuff is much more magnified when you're a freelancer. You don't have a company to hide behind, or the reputation of a company. Other things that you want to do: when you do work with any clients, try and get some testimonials, get some feedback, so that you can use that to sell yourself to other companies that are looking for work. Be like, hey, if you're looking to do this, I've worked with somebody else, here's some references, they're happy to talk about it. This helps establish that you're the right person to do the work with.

So I'm running out of time here. I really wanted to thank everybody for coming. I hope you found some of this useful. I wanted to thank Mouse and Grant from the Proving Ground; they helped me a lot with this presentation. Anybody that's looking to do a presentation, I would really recommend going through the Proving Ground. It's a great experience. I'll be around today, the rest of the day. I'll be at DEF CON too, so feel free to reach out, say hi. I'm on Twitter, I'm on LinkedIn. If you want to talk about any of these things, happy to help, happy to put you in contact with any resources that I can. But thank you for stopping by. [Applause] [Music]

We've got time for like a question or two, if anybody has one.

First of all, thank you very much for the presentation. Can everyone hear me? So the question I had for you is, in your opinion or in your experience, how much of the workload is subcontracting, and how much of it are companies now starting to bring this discipline in-house?

So from a company perspective, that's going to vary depending on the company. I know some that are very heavy on the subcontract side; they prefer to subcontract out a majority of their work. Others are very much just as needed. Me personally, I would say about 75% of my work is subcontract and 25% of my work is more direct. I'm hoping to invert that a little bit, but I went with the approach of the subcontract work to get more business going and to make sure that I could be successful and make sure that I gave it a good shot. Any other questions? Yeah, just feel free to reach me in the hall or whatever. If there's online questions, there's probably a way for me to check those out too. I don't know.

I don't know about online questions, but yeah, he'll be out in the hall. That's it, we ran out of time for questions. So another big round of applause for Mike. [Applause] And our next presentation will start in about five minutes.


about persistency, our research of persistence technologies or techniques used in OAuth apps, and keeping inside an organization even though the OAuth app itself is disabled. We will release a piece of code on GitHub that is the attack walkthrough that we're doing, and this code shows a new technique we developed, a watchdog technique, to keep an app enabled even after an administrator disables it, and we'll show the walkthrough. So first of all, I'd like to introduce my senior researcher and teammate Zeno, or Alon. I'm really happy to be here with him in his first talk at a security conference. Nieves Steinberger is our CTO; for unfortunate reasons he couldn't be here himself, but he definitely pointed us in the right direction for this research, and to put on a new finding that even post-infection you can stay persistent using OAuth apps. I'm Gaddy. It's my 42nd birthday today, so I'm really looking this morning for the questions of life, the universe and everything; I can share it later. I'm really excited to be here, and I hope this session will gift you with some new probing points into a less-mined field, which is always a good place to look for new vulnerabilities as researchers. And with that I'll give Zeno the stage to introduce the research.

Hey everyone, my name is Alon, but you can call me Zeno; most of my friends do when you see me around here. Okay, so I'm going to talk to you a little bit about OAuth2: why we're using it, what are the challenges that we can face when we use it, and then afterwards we're going to give the stage to Gaddy, and he'll explain more details about the actual work that we did and some of the bypasses that we found on OAuth. Right, so why do we even use OAuth2? So as we all know, all the cool kids are moving to the cloud, right? All the data, everything is going over there, so it makes sense that we need to go and find a standard that helps us work with the resources online. Well, OAuth provides us exactly that. It provides us a way for applications to work with resources on behalf of users. All right, so why are we actually using it? The actual reason: it's already there. Most of the providers, such application providers, already use that and give that for customers, so that's why most of us use it.

So let's talk a little bit about how the basic flow of OAuth works, and I'm sure that once we go over it you'll see that it's something that you're all familiar with. The first stage that we have here is the actual request for consent. The application wants to connect to the environment and asks for consent from the user. You might have seen this pop-up before; it happens to the user, it just asks you for consent. Easy enough, you just press OK and you give the consent. What happens after that is that the user gives the consent, the app takes that consent, that authorization grant, to the authorization server and receives a token back. This is the holy grail. The token basically gives you the permission to access those resources as the user repeatedly, without asking for any more consent, without any other prompts for the user; you just keep on using it. All right, so once you get the token, I can just go and access everything.

So once we've talked a little bit about why we use OAuth and how it works, let's talk a little bit about the challenges it presents. We'll start with a quote that we have from Eran Hammer that he made a decade ago, right when it started working. As he says, you can read there, but basically what it means is it started as a good idea, but even Eran Hammer, who was the chief editor of that standard, decided to withdraw his name from it because he felt it became a bit too complex and it doesn't deliver exactly what we need from it. All right, so it is widely adopted by most SaaS platforms. A lot of people use it. It allows us to use all kinds of really sensitive materials, sensitive resources, but even the creator felt they kind of missed something there, right? So this is the main challenge that we have working with it.

So once you have those challenges, let's talk about why we decided to actually pick on OAuth2, why we wanted to see if there's something weird there. The first part is all the data is there, the data up in the cloud; most of the places allow you to use OAuth2 to access this data, right. And the second part, which is kind of interesting to me, is the whole idea behind it is you get consent once and then you stop bothering the user again, right? So this is the main feature of OAuth, but it's also kind of the main vulnerability it has, because if I got the token once, I get one consent, I can keep on working with it. There's no way the user can see it; it doesn't bother him, as we say. So this is the worst part for a defender and the best part for an attacker. So now what we're going to do is I'm going to give Gaddy back the stage. He's going to talk a little bit about some mitigations that we saw on platforms that they did already, because they

wanted to fix a little bit and then he'll talk to you about what we managed to research further and find some bypasses around those mitigations right so gaddy thank you zeno it was excellent introduction always glad to work with you um so about os as xeno said it's a kind of a young uh well it's used for a lot of security-wise it's kind of young and immature and uh in 2018 there was actually a warm using google apps script called google docs warm so even google sometimes mess it mess with the oauth you can see here in the slide that uh the apps script was sending phishing emails from an infected user asking him to that his friend wants to

share a file uh with him using google docs the logo is google docs the naming is google docs so it's in in a way impersonate the apps and it goes over it gets permission to go over all your contact lists and read your emails and send emails on your uh on behalf of you to all of your contact lists with the same phishing message this is a file i want to share with you and and it got over in a couple of hours got over a million users of in fact infected and until google stopped it um so uh about the after this case in similar cases with uh microsoft uh azure and google implemented the different

mitigations uh one of them uh is that the publisher needs to be verified so instead of just giving every developer to put his name and his publisher credential there is a process to be verified by the by the platform by azure by uh microsoft and then to to have better permissions or allow uh higher permissions to be installed or even actually be installed and as you can see here in a new new application registered after 2000 are not allowed to be installed without an admin consent and and you can ask that mean for the relevant uh for for consenting to you to install the app in addition the name the name is missing and the logo is missing so there won't

be any way to copycat or or mimic the application and look alike like the application make a user fall for the phishing additionally uh post-infections mitigations were in place for example you can't send forward emails outside of the organization with uh in email box rules automatically and now actually there's a process for with uh microsoft they're saying they try to raise the awareness that mfa has to be uh enabled in all organizations they fail to do it and now they're trying to do some sort of default security rules then and make sure that at least administrator has to have a multi-factor authentication and there and definitely if if you look back on uh exploit mitigation techniques on on the

pc i think it's a similar process we're seeing now new attacks cause uh the platform to develop new mitigations um is this our relevant mitigations we'll touch in our research how how first of all still though the publisher verification process is in place most uh applications even ones that have email read permissions and email write permissions don't have this published publisher verification play in place we see 60 of uh of applications that are actually having this uh being verified for applications with read permissions and and for sending permissions there is actually only seven percent of application um so it's it's a it's a good start but it still needs to be advocated and awareness should be reasoned to this uh

vulnerability we'll touch now on different attack vectors okay and a very common one is the device code flow this is used for devices with lacking input devices and no keyboard so a user can use his own cell phone to authenticate to the identity access management system by azure for example or any any yam or google slack whatever and then the application i think chronically gets they can can request the token from the server this is how it actually looks like first of all a user or in this case we put it as an attacker that's actually because it's a device or for example a monitor and it's its code is available publicly because anyone can reverse engineer the code so

there's no client secret inside this process so there's no verification that the client that's asking the code or getting the token is actually the client so the attacker or the client asks for device code he then presents this code he gets the code from the yam and this allows the amp to connect the user authenticating and the application so he sends the code to the user and in our case might be a phishing email you send please login to microsoft.com device code the user entered this the the code there and authenticates through the server with this multi-factor authentication in in place so there's no need to but to uh to uh to hack the cell phone etc only only the the user

need to be fixed and the multi-factor authentication doesn't stop the attack sorry um then the attacker gets the access token from the yam and send the token to the resource server and gets the users owned documents or data or can do any functions in the name of the user this attack which starts as instead with this device code the user needs to go to a legitimate login page and just recently william overwhelm also noted that in addition to impersonating the app there's there's no consent needed so in cases the user the first thing the user will see this is this uh login page on microsoft it will enter the code and then in case that the

attacker is impersonating microsoft office which allows this flow for certain reasons and then all the permissions that microsoft office has which is a first party app by microsoft so it's defaultly your user has consented to those permissions there will be no uh permission or consent screen as as is the usual uh flow that there's there's in oauth so the user doesn't suspect he gets the same permissions that he granted the microsoft office so it's called the phishing without consent and we'll use it in our code the the attack methods that we want to discuss here um is first is is persistence okay so if again we're moving from pc world to cloud sas same techniques okay so we want uh you

got the user to be infected or install your os app now you want to be persistent meaning you can you want to have the access to the data without needing to uh re-authenticate the user or get any permissions delegated permissions by the user having him to do a multi-factor authentication again so first of all uh you can you can create a user or create an application you can update the user password uh password recovery email so you can actually have the user password and change the multi-factor authentication number or device and then you can have access in any time you wish and there's also now was a reported a known attack with that they'll allow the

legacy protocol so legacy protocols like imap do not support multi-factor authentication you can enlist the user for such an application and then if you have these credentials you can use it without the need to multi-factor authentication also our passwords is a legacy uh method to allow apps that do not support oauth to to have to use the app passwords and then allow this flow and have the user connected with a username and password and you can add the username password to this app uh what we're adding uh to this post exploit techniques is a watchdog a watchdog essentially means that there's a process that looks over other processes and make sure they are enabled even if an administrator tries to

disable them again for the same term immunology terminology of incident responders there's a lateral movement or pivoting from one user to another so one way is to to get the read access and and put mailbox rules to delete certain messages by that you can read reset emails and for example to monday.com or or other sas platforms after you you reset the emails you get access and move laterally to the other cloud services you can also infect files with macros and and apps scripts and then make sure a user or other user in the same organization are are infected again and there's a very dangerous supply chain attack or if you if you are able to infect a user who is a

developer and he creates applications and actually sells them and exports them to his customers if you'll add a certificate to this application which means the uh many times applications have application level permissions meaning that they don't need the user to authenticate they can just log in with a certificate if you add a certificate to such an application you can by that move uh to all the users of the applications that this developer created this was also used by nation state and and now but of course it becomes more common so about the code that we have um and if there will be interest we'll have another session this afternoon and and we'll we'll show a live demo uh but

i'll for now i'll i'll do an attack uh walkthrough with that code so first what we're looking for in order to allow our watchdog is if we're looking for a application read write all permissions um which allows us to create applications uh we so what we're trying to do is imitate or impersonate a security software in this case because security software for the cloud which lists applications needs to has this permissions in order to view um applications installed on in the organization so you usually need to uh to to find high privileged users that have them you'll be surprised that actually security software do enable some of them enable a device code flow and and as i

said this is very good pointers for researchers and pest pen testers to taste inside the organization um what the user can do or what the administrator will get either he can consent on behalf of himself and and or or behalf of all the users in his organization once he once he allows the permissions to all users in the organization then you can fish actually any any user in the organization and get the application read write accesses that he this user had which actually means you can create applications on on his behalf and also control all the applications that the user controls add certificates etc as i noted um so in our case i'm i'm attacking with the

device code flow um the attacker from you need to create a phishing email that will uh make him install this application security or impersonate a good application security platform and then as we said with that flow uh uh that we create we started this flow so we'll we'll be we'll have the device code we'll send the administrator and then we'll get the token um now using this token what we will do is uh create an internal app and we'll give it our own redirect urls if you remember in the normal flow if after user authenticates he is redirected to the actual app and and then the flow continues if we created the application we can create the redirect url and then

move it get any token to us we also create the secret and and and if you'll notice uh the app here is internal and if you remember what we touched before is that internal apps uh has different uh different bypass the mitigation techniques put by microsoft there's no vetting process or a verifying process for internal apps by microsoft so there's no uh no stating that this app might be risky and that sorry and that uh the name is given and any user in the organization can install the app by itself it doesn't need an admin consent even though it's a newly registered app and this is just the the sample from our code once you get uh we we have infected

that mean uh we got a token for that mean and then infected the user what we'll do is is to keep that uh um that uh phishing application that the user was infected with live okay so this this code shows how we're using the python interface for the microsoft graph api to basically just keep an account enabled even if it was disabled for that mean this is the admin portal for azure he if an edwin admin wants to stop an app what he should do is not delete an app which will might even uh delete all users using this app and might cause errors if it's a false positive but it also if a deleted app can be

reinstalled so the best practice would be to disable an app which means that no user can log into it and no user can uh install it so that's that's the uh why this method is good and then we can restore using our the code we can restore the app to be enabled and um other other than uh so the app was disabled the token was not uh um the document was not revoked and we every infected user we had we can still get get access into it we can also then disable the app and keep it persistent and keep it uh quiet and make the using the refresh token every interval we can keep alive

and keep the our app inside organization even though um i'll touch quickly on solutions though if you have any questions i'll touch or not i'll touch on solutions and i'd thank like to thank you very much for uh for being with us and paying attention [Applause] fortunately we don't have any time for questions but i think you'll be around outside if anybody has any questions so right out back yep feel free to walk up
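The device code phishing the speakers describe, shown as an offline simulation of the OAuth 2.0 device authorization grant (RFC 8628). This is an added example and not the speakers' released code; the identity provider, client and user are all in-process stand-ins, and the client ID, user name, scopes and URL are constructed placeholders (the client ID is not Microsoft Office's real one). It shows the three steps of the flow, why a public client needs no secret, why the victim completing MFA on the genuine login page does not stop the attacker, and what the attacker polls until the victim has typed the code:

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628)
in the phishing scenario from the talk. Constructed example: all names,
IDs and URLs are placeholders; nothing here talks to a real IdP."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceGrant:
    device_code: str          # secret handle the client polls with
    user_code: str            # short code the human types into the IdP page
    client_id: str
    scope: str
    expires_at: float
    authorized_as: Optional[str] = None   # set once a user completes step 2


class IdentityProvider:
    """Stand-in authorization server (the IAM the talk refers to)."""

    def __init__(self, public_clients, mfa_users):
        # Public clients are identified by client_id only: a device with no
        # keyboard cannot keep a secret, so the IdP never checks one.
        self.public_clients = set(public_clients)
        self.mfa_users = set(mfa_users)       # users with MFA registered
        self.grants = {}                      # device_code -> DeviceGrant
        self.by_user_code = {}                # user_code   -> DeviceGrant

    def device_authorization(self, client_id, scope):
        """Step 1: client sends client_id + scope, gets a device/user code pair."""
        if client_id not in self.public_clients:
            return {"error": "invalid_client"}
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id,
            scope=scope,
            expires_at=time.time() + 900,     # RFC 8628 expires_in
        )
        self.grants[grant.device_code] = grant
        self.by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://login.idp.example/device",
                "expires_in": 900, "interval": 5}

    def user_login(self, username, password_ok, mfa_ok, user_code):
        """Step 2: the human visits verification_uri on the genuine login
        page, authenticates (MFA included) and types the user code."""
        if not password_ok or (username in self.mfa_users and not mfa_ok):
            return "login_failed"
        grant = self.by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return "bad_or_expired_code"
        # The IdP binds the grant to whoever typed the code. Nothing proves
        # that this person also started the flow; that gap is the phish.
        grant.authorized_as = username
        return "device_authorized"

    def token(self, client_id, device_code):
        """Step 3: the client polls the token endpoint with the device code."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if grant.authorized_as is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer",
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "scope": grant.scope,
                "sub": grant.authorized_as}   # whose data the token now reaches


def run_phishing_scenario():
    """Attacker runs the client side; the victim does the MFA login."""
    idp = IdentityProvider(public_clients={"first-party-office-client"},
                           mfa_users={"victim@corp.example"})
    # 1. Attacker starts the flow with a known first-party client_id, no secret.
    start = idp.device_authorization("first-party-office-client",
                                     "Mail.Read Files.Read offline_access")
    # Polling before the victim acts yields authorization_pending, not a token.
    pending = idp.token("first-party-office-client", start["device_code"])
    # 2. Attacker mails the user_code; victim logs in with password + MFA on
    #    the genuine IdP page and types the code.
    outcome = idp.user_login("victim@corp.example", password_ok=True,
                             mfa_ok=True, user_code=start["user_code"])
    # 3. Attacker polls again and receives tokens bound to the victim.
    tokens = idp.token("first-party-office-client", start["device_code"])
    return pending, outcome, tokens


if __name__ == "__main__":
    pending, outcome, tokens = run_phishing_scenario()
    print(pending, outcome, tokens["sub"], tokens["scope"])
```

Note what the IdP could and could not check here: the client ID is public and therefore not proof of anything, the victim's password and MFA are genuinely correct, and the only binding is between the typed code and the session that typed it. A refresh token in the response is what lets the token holder keep going after the one interaction.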

[Music]


go all right let's go so let me uh get uh the original video source back on and uh get going good afternoon sorry about everything that's gone on but welcome to the b-sides las vegas proving ground or were you originally ground truth uh ground floor ground floor track a continuation from the other room glad you are all able to find it make it here but i do have a couple announcements before we get going so first off i'd like to say a huge thank you to all of our sponsors especially our diamond sponsors last pass in palo alto and our gold sponsors plex track intel and blue cat without them and all of the volunteers

and donors we wouldn't be able to put this together we wouldn't be able to see this cool equipment wouldn't be able to do any of the cool things we're doing this week so a huge thank you to all those people next up if you have a cell phone please pull it out now and make sure it is put on silent we are recording this and just as to be nice to our speaker and to the recording we don't want any cell phones or you know watches or pagers going off you know if you happen to still have a pager we are recording this um so i'd like to remind you about our photography policy uh we do not allow photographs unless

you get the consent of everybody that's going to be in the picture as well we also do not allow photographs of the screen unless you get consent from the presenter so he'll let you know if that's okay and uh if he wants that to be a thing uh we'll hold questions until the end yes i'll go around with the microphone since this is being recorded uh you'll use the microphone that way we can get you on the recording and everybody else can actually hear your question and last up we do have a masking policy here so please keep your mask on for the duration if you need to take it off to have a drink get something to eat that's

fine as soon as you're done please put your mask back on and i think that's it so without any further delay see you across you all right hi uh good to see you i'm glad you could all make it so we're doing a presentation here on reverse engineering real ms-dos game from 1994 for fun because we can't feel free to take pictures of anything that's on the screen nothing here is uh privileged or an issue so my actual name is andrew luten i do go by a cpros urc pro for most of it my early childhood consisted of taking things apart making all my battery powered things act up uh you know learning how to put things back

together after uh i had taken them apart um and i got to the point where i wasn't leaving any extra screws or extra screw holes that is important uh so i got bit by the computer bug and uh in preschool by an apple ii plus uh computer using a 6502 processor and yeah so the basic deal with that was i'm not kidding i got on that computer and i either put it into a test mode or i made something in apple basic that caused a bunch of junk to scroll across the screen computer teacher thought that i'd broken the computer which if you've ever used an apple ii you can't break it um and so they sat me in the corner

you know put my name on the chalkboard didn't get my snack for the day i was hooked had to do computers how to have my own so they were prohibitively expensive in the 90s like and it was really hard for me to justify it or get one but i was going to do it so what i ended up doing uh quite a few years later was i was at a computer swap meet and they had a pile of original ibm pcs and i bought one for 42 dollars and for my 42 dollars best 42 dollars i've ever spent i got myself an ibm 5150 the original pc a clicky clacky keyboard um two five uh and a quarter drives 256k

of ram a monochrome green screen and i my parents and me trucked this stuff home and uh the first thing i did was take it apart put it back together take it apart put it back together learn exactly what it was and i started upgrading it i put a 42 meg hard drive in it 640k of ram cga graphics learned everything the hard way about dip switches and jumpers um so after that i built my first computer at nine i got my plus at age 13. um kind of funny story about that my mom brought me to uh icon uh business solutions who did a plus testing um and uh the front desk secretary said uh

ma'am uh you're gonna have to you know leave your son somewhere else we're not a daycare facility my mom said oh no he's taking the test so so yeah so that was fun so uh back then they offered a good deal half off if you take the brand new test and the old test and whichever one you pass you get to have a great plus certification i passed both and i did better on the adaptive test which i was supposed to do worse on because he's supposed to ask you more questions about stuff you get wrong anyway i have to thank my parents for being amazingly encouraging and supportive thank you um so now for something completely

different in 94.95 my parents bought our first nice computer that is a gateway 2000 75 megahertz it had the f div bug it was a socket five uh cpu eight megs of ram 79 meg five meg hard drive uh 2x cd-rom a 14-4 fax modem vibro 16 sound guard which is a cut down version of the sound blaster 16. it came bundled with some software and some games um and one of them was this game called the lawnmower man so i'm going to uh change video sources here so i can kind of show you uh what what this game was and why it was kind of bonkers to me so we're gonna wait for that to come up

so keep in mind this is a 1994 [Music] and i need to adjust some things [Music] unfortunately when you're doing things like this uh you have to just make things up as you go along [Music] so the graphics in this game are pretty pretty good because it's actually video hang on my three cal break here so this is actually gameplay right here [Music] so it goes right into this whole sequence here you'll see the catwalk and this is have you anyone here played dragon's lair the arcade game so this is quick time events before quick time events uh with coin as a term so this expects you to press buttons at a specific time one more man is not chasing you

get ready so you have to spam the key because the input is kind of junky on them [Music]

[Music] jump

okay so i missed that one but this is good because you see games were brutal back in the game killing you you ready for this

[Music] [Applause] [Music] uh

[Music] drawn more man's in your head

needless to say this made quite an impression on eight-year-old me or whatever it was so uh kind of cool thing this is your only pause screen in the entire game there are no menu if you hit this button you have five seconds and then it restarts the entire game no matter where you are if you accidentally press the escape key up it's gone so uh let me go back to the other computer right now so i hope that kind of gives you an idea of what we're dealing with here which is complete insanity so this game made an impact but clearly as you can see for the wrong reasons so one does not simply run an ms-dos game

so getting this game to load is a challenge if you're if you remember back in the day you had to edit your config sys your autoexec.bat your emm 386 your highm.sys you had to configure everything properly in order for your game to run usually it broke other games and windows so there are terms that are very close to each other but they're not quite right so there's xms and ems memory i'm in dos and uh they are completely different things so if you have one and not the other then you're in trouble especially trying to run a game like this this game happens to use like xms memory but if you did everything right and you

configure it you remembered what you changed so you could change it back later so you could still boot windows then you were fine so as you saw you pressing escape at any time exits you and dumps you to das there's no menu system there's no save system there's no pause button puzzles are timed and they would fail you if you took too long the pamphlet was vague about how to play this game it was not intuitive you're supposed to figure out how to play this game by trial and error um you got three failures and that was game over and that's over the entire game over all the different levels if you failed it three times

you just restarted the game um and of course the continue button had a five second time delay and if you didn't hit it well tough uh so yeah the the game used quicktime events which is not to be confused with apple quicktime and remember apple quicktime um before the term was turned and uh it's like dragon's lair so yeah so these video segments are bridged by logic puzzles and captured video which i can show a bit later if i get the time so neat things this thing was way ahead of its time for 94. like it was mind-blowing that it was even possible to do this on a computer you got full motion animation video and

audio you got some pretty cool music i think um the story picked up from where the last movie left off so it's almost like another movie in fact i kind of wish one more man 2 had had this plot from this video game it would have been a lot better um and it gave you hours of serial gameplay so how the hell did they do this in dos that's the question i had um so 28 years later uh how to drop down a rabbit hole so how did we get here well it was just i was thinking about it i was like i want to get i want to dump the music from this video game

because i think it's awesome and that's why as well so why all of a sudden now i don't know but uh you know it's a good time retro computing's big now and uh you know it's time to bring up some of the interesting skeletons in the closet so i came here for an argument not abuse so if we look if we look at our if you look at our files on our cd we got all kinds of stuff going on here this is not your standard binary executable um game this has some really big files some really small files everything in between the um 8sx files which are at the top there uh like act granted act denied well that

sure sounds like it could be sound effects right so you know in my brain before i even start opening things up in hex editor i want to kind of see what the developers did oh cool laser pointer don't know how to use it but uh oh it's green cool thanks so uh but yeah these ones right here they sure sound like uh you know audio files to me so a m um let's see let's see is there any of them yeah there's a m so maybe a m is an animation file uh brs uh well the brs file that we've got let's see where is that thing is uh right here it's screen save so maybe

it's a screen saver i don't know so uh we got another one called lbm and uh let's see where is that very bottom okay so lbm file and we also have one called logo here so logo logo is probably an image file right so we got map files um maybe it's a keyboard map maybe it's mapped to files i don't know maybe it's an in-game map um and excel and i really think this is our video maybe our video and our audio and sht let's not try to think about that one too hard um but uh what we do know about them is they're tiny like 658 bytes tiny so what could they possibly be well

let's let's try and figure that out so let's look at an hsx file first bang it's a sound effect file and we can figure out that it's recorded with whatever studio 16 from sunrise is so you jump down that rabbit hole and you find out yes it's a product for the amiga you know it's a whole entire digital workstation digital audio workstation cool so now we know that that file came out of an amiga and since the card was for omega 2000 it probably came from an omega 2000 so maybe we can uh you know work on that and think about what there is uh as far as that's concerned i need to grab audio here so bear with me just a moment

one part i didn't test all right so we've got an audio file it looks like it didn't play but that's fine with me it's just basically it says access granted so we uh then need to look at the other files and uh what we what we found out is uh that the lbm files are actually deluxe paint files which is another popular program for the amiga so we're starting to get a picture that this game might have been actually made on an amiga this pc game this pc dos game was made on amiga so we uh then take the animation files and we take them and we take them apart using this program that's made to work with the amiga and

we find out indeed we have the precursor to jif here which is deluxe paint animation how cool is that we were able to actually open this up on a pc so now that's not the entire game but we need to start putting the pieces together so the map file contains all these different files and where they are so this is how the game actually knows where they're installed and that's important because you have the ability to install all the animation files on the hard disk not the video files though you can install i think up to like 50 megs of uh of these animation files onto your hard disk so it wouldn't have to load it from

the cd but the game had to know where to where to point them so it has when you install it on the drive it hard codes it to where the path was so if you make the unfortunate uh the unfortunate mistake of renaming that path or that directory the game will break because it's all hard-coded so what about this executable file that we've got here dtv play well thanks to some people who actually took apart the program we were able to find the hidden switches and it's kind of funny because we have a dos program that uses case sensitive switches so s lower case we'll skip frames s capital will actually override which sht file we use sht files it turns

out we'll get to later so uh yeah it's crazy this program runs in 16-bit real mode and basically takes complete control of the computer and uses all of its resources to play these video files so just really really neat stuff um so i really want to find out the real origins of this game so um i found all kinds of weird weird things here like cdtv.device cdtv cd tv error so i thought it was for commodore cd tv because you know it would make sense it was one of in commodore's interesting failed projects um they made a lot of mistakes like this so i'm curious uh has anyone ever seen a commodore cd tv before

So yeah, back in the day in 1991 it was a thousand-dollar console, so the people whining and complaining about the PS3 being 6.99 got nothing on this thing. It was basically, for all purposes, an Amiga 500 that was shoved into a fancy-looking case that kind of looked like, you know, a CD player, and they really compacted it. I don't know if you can see that motherboard there, but it's crammed. So they released it in '91, the movie came out in March of '92, the Commodore CDTV was actually discontinued in 1993 during the development of this video game, and then they finally released it in '94 for the PC.

So punch a little spoken gun probably. So, looking for information on Lawnmower Man and its potential connection to the CDTV, I found a guy named Peter who detailed the CDTV games that didn't make it in "The Definitive CDTV Retrospective, Part Two," which he wrote for Amiga World. He said: "The Lawnmower Man (Sales Curve) wound up as an IBM game but started out as a CDTV project. It is a series of linked arcade, flying and puzzle games based around the rather silly movie," which I can definitely say is a rather silly movie. The game was well along, he says; he saw the show in '93, but they dropped the project for something else. So, interesting. If we look, I was able to actually find out that there were two different conferences in '93 in Germany, so if anyone's got footage of that I'd love to see if there's a CDTV running The Lawnmower Man in any of that buried footage. I haven't found any yet, though.

So my theory is that I think it's possible to take the files that are on the CD and actually make it run on an original platform. We've yet to decode the video files as of yet, but we're working on it. I'm hoping that between BSides and DEF CON I can have a whole bunch of people who are smarter than me take a look at it and see what they need to see, and actually take the video and dump it directly. I think that's going to be an interesting, fun challenge, and kind of what I'm hoping to do here. So my theory is that they might have used a Video Toaster in order to dump the files out, and they probably used magneto-optical drives in order to actually take the footage from the Video Toaster to the PC or whatever dev platform they were using then, and then burn it into the final. So I think these might be raw Video Toaster files; that's my theory on it, and they would include audio, so it'd be kind of like a precursor to AVI. It would still be, you know, interlaced video and audio, just in a format that you can't open with VLC player or anything recent. So I do have an Amiga 2000; I do not have a Video Toaster; I do not have the appropriate licenses or equipment to open up the files, but maybe someday I will, and then I'll be mistaken if they did something else. But again, that's why I'm here. So I hope that kind of gives you an interesting background on some of the technology that went behind this game.

So I actually contacted one of the programmers who worked on this game, and he got back to me as soon as this talk was actually accepted, so I found out some pretty cool things. So here are his words on it, but I'll paraphrase some of this. So this just happened to be the best seller they had, and they had another dude who ported it to the PC, and this was actually meant for the Amiga, not for the CDTV. This was meant as a full-fledged Amiga game, which makes a lot of sense: the limitations in color palette, everything that you see, the way that they went about it, the fact that they used an Amiga as a development system, it all makes perfect sense. So he told me that I was right that the .sht files were actually shot files; they actually set up the order that the video files run in, which is fascinating to me because it means that each one's a sequence. And what he said was the way they made it work was they run two videos at the same time, and depending on what input you put in, it either gives you the fail or the one that doesn't fail. It's actually running the two at the same time, even though it's a single-speed CD drive, and they did some pretty interesting hackery to actually make that happen.

As a result, the input for the PC is actually quite janky; it's not polling very quickly, so you can be pressing the button and it'll miss the poll, so you almost have to spam the button for it to pick it up, you know, sort of like when you're frantically trying to press Delete or F2 or F12 for your BIOS settings on a PC. So yeah, the fun part about the actual PC version was that he said they had an interrupt request blocking function in the program, and it corresponded to when it was actually reading data from the disk, so input from the keyboard wouldn't actually modify the data that was being run in through the DMA and such. So as a result you had no control during a discrete function, and you really had no control at all, because you're just watching a video of what happened after you hopefully put in the correct input. So the fact that they actually made it work is amazing to me, because they had just so many crazy things that they had to overcome in order to make this thing happen. So right now I want to take some questions before I actually have someone try to play the game, because I really want you to see how crazy this is.

How you doing? Thank you very much for your time. I was wondering, when I think Amiga sound I think MODs, those MOD files, like they were sequenced. Yeah, I used to play with those a lot when I was a kid. Do you know, like, a big issue was they're porting all this from an Amiga to a PC; what about all the licensing, all the libraries and stuff they have to port? I mean, that just seems to make the game prohibitively expensive to develop.

I think they just hacked it. They were just a game studio of like a couple of people. I think they just hacked it and made it work. They didn't even export it to WAV or anything; they just made it work. I think most of the audio is actually inside the video file, the raw video file. The only thing that's different is the things that are like the MOD files, which are these .asx files here that I showed earlier, and these happen to have samples and such, and they must have written their own home-built player for them instead of dealing with any of the licenses. Yes, DeliPlayer can play it; in fact, I got it right there in DeliPlayer, so you can play the sound samples, but it's usually just drum loops or maybe "access granted" or "access denied," you know. It's nothing; it's nothing really. None of the music is in there.

Let me see if I've got anything else on that. I don't think so, but yeah, so that's pretty much it on that: they just made it up as they went along and hacked it until it worked. Any other questions? Go ahead. Wait, wait, wait, you've got to get the microphone first. Sorry about that, that's my bad.

So the engine was made for multiple games, not just Lawnmower Man. Have you explored any of those other games and tried to get them to run as well?

I found that although the game engine was used for some other games, they are so wildly different it's ridiculous, and one of the other engines isn't even the same; it's just named the same. Pretty interesting.

So, question for you. I know you're reverse engineering this, it makes sense, and I probably have this disc somewhere, I can't find it, but is it posted anywhere we can get to it? Has it gone into the common domain?

Yes, you can grab it on archive.org. You just type in "The Lawnmower Man" and you can grab the ISO of it, and it's there for messing around with, and it's handy. And if you want a physical CD I can give you one of those too, because I got a couple of extras.

Do you want somebody to play? Yeah, so let me get this game set up. Actually, while I'm doing that, let's see here, oh, I got one more thing I want to do first, because I think this is going to be funny. Remember I told you that there were logic puzzles in this game? Well, I'm going to pull one of those up right now. So who here is good at logic puzzles? Let me get the audio in here. All right, it goes in the one that's underneath the volume knob. So this is one of the stumbling blocks I ran into as a kid: this game has these logic puzzles in it. Anyone want to give it a shot? Because you have to come up here and act pretty quickly. I'll try and give you an idea of what's going on, but it's more fun to watch people struggle. So anybody, anybody at all? Okay, you, come up here, give him a hand. [Music] No, don't worry. So, puzzle: each column is a separate puzzle, so don't look at the ones to the right, just look at the one to the left, and it is a "one of these things doesn't belong." You can ask the audience for help. Okay, up and down moves it up and down, so just wait for it to come up first and you'll see a little red cursor that selects it. [Music] And you have to get four of these puzzles right to pass.

Thank you. So, which one of these doesn't belong? All right, so go down to the six and press Enter. Wait for it. [Music] All right, which one of these doesn't belong? All right, press Enter. [Music] Any idea on this one? [Music] So you can see that this would have been a stumbling block for eight-year-old me, right? Hey, you did it! [Music] Thank you. So yeah, that was just an example of some of the crazy things that are actually in this video game, so I thought you'd definitely enjoy that. So there are plenty of other interesting things, like the fact that in the second level they reverse the controls on you.

So yeah, it's a completely batch system. I learned how to make batch menu systems a long time ago, and basically all it is is I'm just running a command that brings up the dtv play and selects the level manually. [Music] So they switch the controls because you're in an airplane now: down is up and up is down, but they don't tell you that anywhere; you have to find out through trial and error. But look at this, 1994!

These were some of my favorite levels, right? So the way they did this was each one of these segments is a video file, and then they string them together in order to form whatever track they want. Oh yeah, you have to shoot. So this game captivated me for hours, because, well, it was interesting and very difficult, and also it crashed a lot too, I remember, which, you know, if you spent eight hours getting through a game and then it crashes, you know, you're upset, or if someone comes in and presses the Escape key or the power flickers. It was like, no! Didn't look... [Music] So hope you guys enjoyed this. That's all I've got. [Applause] [Music]

All right, huge thank you to cpros u, that was super cool. Next talk in here is at 6 p.m. with the Proving Grounds. I think it's lunchtime, so go enjoy. [Laughter] I know. [Music]

I need to get lunch too.

Correct. [Music] It does some crazy thing; it uses interrupt request blocking and then it basically shuts down disk reading for just a split second so it can poll the keyboard. I don't know, believe me, I don't; I haven't gotten that far, and I have not really disassembled the main executable to figure it out. And if you want to, I love it, because, you know, this game is kind of an enigma, because it's like, how did they do this? Yeah, now I'm curious about how they're selecting the stream, because there must be some sort of... You can run it in DOSBox; it does run horribly, though. There must be some sort of separator or offsets or... Well, that's why I went here, because I knew that people might be able to figure it out. I think it's just way cool that people came up with this back in the day. It's a total hack. Yeah, this sounds like that was a real pain to actually put together. But yeah, I'm just super, super thrilled I was able to share it, and, you know, it's funny, because some people actually came to me who had played this game back in the day. I've heard of the movie, though I've never seen it. It's a terrible movie. Terrible movie, terrible game. Oh, absolutely. Sorry. You're fine. [Music]

I try to have smart ideas; it's something that I tend to do. So yeah, or not. Oh no, not yet; I'm gonna take care of it, I'm just going to be slow about it, actually.

And it's just fun to be able to take one out and show it off. Oh yeah, actually, all the things worked, like a lot of demos didn't bite me. How was that possible? It looks like they all work. Yeah, it all worked great. I'm just...

This machine, I'm pretty proud of it, because I built this one years after the fact and really went through the testing of it to make sure that it was stable, because I was just sick of dealing with... back in the day, even if it was unstable parts, I was gonna do my best to make sure that it was stable, and so it is, and I've just had a lot of fun with it and gotten to show a lot of people it, and it's done its job for sure. I remember, yeah, the first few computers I built to actually bring to DEF CON were specifically to run operating systems that were a pain in the butt to run, UNIX System V/386 being one of them, because there's an AT&T version of UNIX floating around on the interwebs, and it's like 32 floppies, and I got it running on a VM. I put it up on my YouTube, and I was like, well, you know what, there's nothing stopping me from running it on real hardware, and so I just started throwing hardware at it until it started booting and doing things. And it was very picky about, you know, say, the video card, how much RAM you had; if you had this SCSI card in it, it would just lock up and fail and say "you are not licensed to have SCSI." Ha ha ha. This is not... and of course AT&T would like that; you'd have to realize they charge licenses. Not nearly as bad, though. That was like, yeah, because UNIX was originally free and then they decided it wasn't. Very Oracle of them. Yeah.
