This is Charlie Vera and Mike Larson and Paul Strip, Polluting Tor Metadata. Awesome. Thank you! Alright, we know that this is going to get a lot of press attention; we want you all to use our logo in anything you write about this, please. Alright, we are going to move quick because we appreciate that you are busy, so the TL;DR is that intrusion detection systems can and do sniff out Tor users. And we think that's bullshit. So we brought false positives for everybody. The Tor overview: there are directory authorities, you get a consensus doc that your client caches, and it's so similar to HTTP and HTTPS that we can make your web browser generate false positives in an IDS. We understand there are always opportunity costs; we've made some attempts to reduce them. Other talks going on at the conference that you're missing: there's some car hacking going on. We decided to cover the physical portion of the hack-backers' way to car hacking.
>>>: They covered the digital part, so that's full coverage for car attacks. Alright. I'm the graphic designer. I created that awesome logo that you saw; I dabble in security 'cause privacy is of the utmost importance. Yes, so just like you, we're interested in security and privacy but also interested in arts and crafts; here's one of our projects. >>>: Ah yeah. The fake badge contest. If you go to June and show them your fake badge you win a black badge. So do that.
>>>: OK. So if you download Tor, warning number 6 of 6 on the download page is that the fact that you're using Tor, like, it provides anonymity in the sense that people monitoring the wire can't see where you're going, but it doesn't hide the fact that you are using Tor. So the wording on this is a little vague on the webpage, but essentially it means an IDS can detect that you are using Tor and log it. And sometimes this can have real consequences, like in the case of the Harvard bomb threat kid. So if you're unfamiliar: kid wanted to get out of finals. He sent an email via Guerrilla Mail connecting over Tor. Turns out he was one of the handful of Tor users on the Harvard campus at the time. So the same day they were able to track him down through the logs and interview him and get a confession. Although he hasn't been formally indicted yet.
>>>: Is Tor safe? That depends on what safe means. Understanding Tor: they are pretty up front with what it's designed to do and what it's not. There have been quite a few talks about that.
>>>: And so Runa Sandvik from the Tor project presented a very good talk last year that you all should watch if you're curious.
>>>: Endpoint security is still important. You've got vulnerabilities in the software that you're using that could be exploited for RCE. For example Onion Browser and the Firefox exploit that you may be familiar with. To help with that there is PORTAL, which is from a person named the grugq. So you have a device that you can put upstream, and if your endpoint were compromised, it'll end up not leaking any data.
>>>: Alright, so we brought a PORTAL of Pi to give away. It's supposed to be for certified Unix network technicians only, ah, but we're just going to give it away to somebody in the audience. We think it's fine 'cause a lot of you all look like cunts.
So the bridging issue: defaults matter. As it's set up, if you were to use it by default, Tor creates a bunch of signatures that will show how they're getting caught, but if you use these pluggable transports that use various forms of steganography, they can be used to obfuscate the fact that you are connecting to Tor. But that is not one of the direct goals of Tor itself, to be clear.
OK, so we're gonna show some signatures here in a few minutes, and when you initially look at them it's a little confusing because they're matching different pieces in different places, and essentially they fall into these three categories: either clients connecting to the Tor network, or connections coming from the Tor network, or leaking information, stuff that should have been routed over a Tor tunnel but was not. IDS is sort of a boring, routine thing and a lot of you all may not bother to keep up to date with the latest IDS news. So we're going to start: if you're not familiar with the 1998 "Insertion, Evasion, and Denial of Service" paper, it's worth reading even now. And then nothing happened for a couple of years. A bit of history here. Finally, like in 2004, still nothing happens. Nothing happened for a while. And then last year Cisco bought Sourcefire for 2.7 billion. Came with an explosion, for sure. So you're up to date on what's been happening with IDS.
>>>: So here are some example rules that will trigger in Snort; the highlighted red portion is all that it takes to trigger an alert, which would be supportive of someone using Tor at that time. You can see the examples there, and the JavaScript at the bottom is what we have assembled to induce those, quote, false positives.
>>>: And it's important to note that these VRT rules actually aren't going to work in a default client configuration. To give you an example, the first one is just matching that straight HTTP content from the directory specification, but that traffic now by default goes over, like, a one-hop Tor circuit. In the second case, this has been the signature, and while it's still in the official VRT rules, it would only match like a Tor 0.1 client when there was still client certificate validation. You can read about that at the link there.
>>>: Similar rules matching binary content: the hex 05 "onion" is matching the .onion that you see in DNS. Same thing for "exit". That's what you see in red.
>>>: And if you're not familiar with reading Snort rules, the piece between the pipes is just a raw match on a hex representation of bytes.
>>>: So the ten bytes are just straight from the DNS flags.
>>>: I revoke what I said about the dot. There's no dot. Yeah, there's no dot. The number ahead of the TLD is just the length of the TLD. And that's straight from the RFC.
>>>: So for this one, ET Open also has a bunch of rules that detect traffic from Tor nodes. As we mentioned very quickly in the discussion at the beginning, the Tor relays and the Tor exits are all published information. So in this case, this is just an example of hundreds and hundreds of straight IP matches for traffic sourced from Tor nodes. So in the case of the first one, we need to make a TCP connection from a Tor node to your host to generate the false positive, so what we did is there's our Tor relay that we stood up, called imposter, and on there is running a web server.
>>>: This is just the source code. It just joins... it's going to connect back to you when you connect to it. So this will generate a hit on that ET Open signature, showing a connection from the Tor network to you. In the second case, it's a little more difficult to generate UDP traffic from JavaScript in your browser. So what we did to get a UDP packet is we looked at some of the relays; some of the relays also happen to be DNS servers. So we set up some lame delegations under the domain lame delegation dash lame delegation dot net... and added some host names that point to these Tor nodes that are also DNS servers, so when you look up those domains, your DNS server is going to get an NXDOMAIN response from those boxes, generating a Tor alert sourced from the Tor network destined for your recursive DNS server. Oh, and I guess I should actually show that that's in place. So this is the Tor node, this is the IP address, this is the Emerging Threats list, and it's in the list of hundreds and hundreds of Tor nodes that come with that rule set.
>>>: Another one: this is the code that matches.
>>>: Okay, it's just matching the subject and issuer from the TLS handshake, because Tor does not use valid host names; it uses just sort of a random string of characters, so it looks for those weird-looking certs, and if there are enough of them, Bro will send an alert. But because it's just a TLS handshake that it's matching on, you can just point your browser at any Tor node, make that TLS handshake, and trigger that alert.
>>>: There are a lot of pros and cons to using JavaScript. The publishing part's probably the most relevant: this can be induced through cross-site scripting, for example if you want to frame someone if they're, you know, on the Tor network. A lot of people use time correlation; ad networks, that's another source that you can use to get this JavaScript code running that would induce these IDS alerts. And there are some examples; you just essentially plug that into your code on your site, intranet, wherever you want to have these alerts triggered. And you'll start generating the alerts on the NIDS.
>>>: So all of the users of your website can become fake Tor users, providing coverage for everybody that uses Tor from those networks.
>>>: And I would totally trust us to host that JavaScript. I wouldn't recommend pulling it down or auditing it yourself.
>>>: So there are a few limitations we had to work around here. Here are most of them.
>>>: So like with XHR, you can't write arbitrary headers, so there are things like the User-Agent that the spec doesn't allow you to overwrite. So that has to come from the browser. The browser can't make just arbitrary connections to TCP ports; there's a handful that are prohibited. There's a blacklist of ports. There used to be cross-protocol scripting attacks that allowed you to, like, send email from a browser by pointing it at an IP address on port 25, POSTing, and hoping that the mail server would ignore all of the HTTP header information and just match the ASCII text of the POST body. So a list of those ports you can find in The Tangled Web. From a browser JavaScript perspective, you don't have a lot of ability to generate UDP traffic. But of course Tor doesn't tunnel UDP, so all the matches are probably going to be DNS, and of course you can generate DNS traffic. And there's also a challenge in getting, like for the first batch of signatures we saw, where we're just matching simple bytes at the Tor server: it's hard from an HTTPS site to generate cleartext traffic, because the mixed content warnings are pretty robust; they follow all sorts of weird use cases like following redirects, calling other protocols, calling WebSockets; like, you can't call a non-encrypted WebSocket from an encrypted site. So if you have suggestions on getting around mixed content warnings, we'd like to hear them.
>>>: There are various other detection techniques. Here are a few. There's time synchronization, one published. There's the TBB user agent. And 512-byte cells. Want to cover those in any detail? There are URLs if you need that.
>>>: So I think the most interesting one is user agent: so the Tor Browser has a fixed user agent; that's like a trade-off to prevent fingerprinting, like if you're familiar with the Panopticlick project, there's a lot to identify you in a normal browser user agent. >>>: Yeah, so this is all generic. Like, essentially all you need is a device with a TCP/IP stack that would take data from a protocol and end up connecting to an arbitrary host with some data. So this would apply to any of those protocols; we just abused browsers because they're really popular. But that introduces this question: is it possible to write any rules that cannot be spoofed? Yes, there is, if people change the protocol, but it does a lot.
>>>: Okay, so what we would like you to do is go to the website and post your IO, and let us know if it triggers IDS alerts. If you're responsible for security infrastructure and it doesn't work, take a look yourself and let us know what you think the traffic should be. And there's contact information on the website. We'd be happy to help you figure out how to generate matches against your closed-source tools. If you want to help, again, visit the website and support the Tor project. One key part about supporting anonymity online is, here it's a very popular opinion, but when you get back to the real world, it's not a popular opinion; a lot of people are more worried about terrorists and pedophiles than supporting freedom online. Alright, there's a quick summary. If you have questions, meet us in the chill-out room after this talk, and thank you very much. And we have some important research to introduce from our colleague, Joe.
>>>: Okay guys, this is about to be some heavy shit here. When we were doing this Tor stuff, we ran into these packets, and we were going through these leaked documents that Snowden let us view... turns out that there are these walking bipedal nuclear tanks. And there's a code name, "Metal Gear". And we were going through these packets and they seemed to be using all the game protocols as stego to hide their real process. And as we were going through this we started seeing these repeated bytes. Now, little did we know it had something to do with bitwise operators and exclusive stuff, so we outsourced it to Snowden and he actually figured it out for us, and it's this thing called XOR. So we were now able to read their traffic with these nuclear tanks, and supposedly they want us to think that somebody reverse engineered these video games and the network protocol, and if you hack your PS2 and PS3 you're going to start playing this game again. But that's not the truth. So we're going to go ahead and describe this protocol for you so you can start checking it out and actually find out the truth. So there are these command identifiers right here, and they tell the client what it's actually going to do. And the payload will be at the end, and there's an MD5 checksum that does verification across them. All you have to do is MD5 the payload with the command header and you're good to go. So you can go ahead and hop on this and actually find out what they're actually doing with "Metal Gear". Supposedly there's an amphibious one that's going to be coming out soon, so just go ahead and start exploring from there. ... Fucking chemtrails, man!