Socialized Data: Using Social Media as a Cyber Mule

Socialized Data: Using Social Media as a Cyber Mule

I don't wear hats. But if I did, even though I'm in an underground bunker in the dark, it would be kind of "off-whitish-grey." Like many, many of us in this industry I don't do anything "bad" even though I can. That's because I choose not to. I think "Freedom" is doing what you want to do - as a corollary, I think "Liberty" is the degree of choice one has in exercising their Freedom. This is the basis of my "grey" affinity. Though my actions are "white" by choice, I get very, very concerned when I see governmental/legislative/enforcement effort encroach upon my liberties even though it doesn't affect me personally. For instance, I'm totally fine with DRM and copyright laws. If you don't like the way the vendor produces their product, don't buy it. However, when legislation like SOPA comes along, it provides a mechanism for the government to dictate what private, non-affiliated companies must do in order to protect property belonging to another private company on their behalf. Thought I buy my music and software (really) I'm vehemently opposed to such legislation, particularly when all we have to do is edit a hosts file to bypass it. As such, I assert than any legislator who supported/supports SOPA or similar laws is an ignorant fucking slag.

I feel the same way about communications as it relates to monitoring, intercepting, collection and storage outside of my control. That's why I wrote TGP - so people could use cloud-based resources to encrypt their communications in a way that no-one can decrypt (presumably). But I always look for ways around encryption, and more importantly around detection of any method by which I choose to communicate in a manner to ensure it isn't intercepted, detected, or otherwise divulged to anyone.

And this finally leads us to what this talk is about. When thinking like a "bad guy" with the goal of distributing any number of covert communications to any number of recipients, there are a number of critical attributes which should be present. The message should:

  • Be portable and "self-sustaining.
  • Be able to be propagated without the originator actually having to own the message or carry it on him.
  • Have the ability to control which recipients receive/can read the message.
  • Have the messages backed up and managed by a 3rd party in perpetuity.
  • Be free
  • Be able to be received without any privileged access to equipment or require specialized equipment to receive.
  • Be detection resistant, or even detection PROOF.

This session will be about how to go about just that. ALL of these attributes will be satisfied, and I will illustrate how you can literally have a "detection-proof" covert communication. I don't think I've ever said that before, and just writing the words "detection-proof" makes me cringe just a bit. But I've racked my brain on a way to detect what I'll show you and I can't find a way to do it.

That will be the other cool part of this talk - we'll all brainstorm at the end on a way to detect this. I bet you can't. :) To me, this is the epitome of what DEF CON is about, and I hope you'll join me at this talk. Besides, my super-hot wife will be there. Get hammered at Hammer of God!!!

Presented by