So one of the things to consider is some of these tight channel attacks, they don't need to be perfect. Like I said, with your power analysis, you're trying to do eight bits at a time, and sometimes you don't get all eight bits correct. You might only get four. But if I get four enough times, instead of a 128-bit key, I've got a 64-bit key. That's pretty hard to brute force, but it's doable. If I'm getting six bits out of the eight, it becomes very easy to brute force that. So sometimes, you're doing a combination. I don't have to have 100% guarantee that I've got the key. I can brute force a little bit of it. >> I told the class about when cryptography research came in, with the ASL algorithm running on the iPhone and we waved the antenna over, I can't remember if you were at that meeting. >> Yeah. >> Were you, it was me and you? >> Yeah. >> I couldn't remember who it was, and yeah, so I told them the story and they had almost every hexadecimal digit, just a few of them were off, in what? Ten minutes' worth of, less than ten minutes' worth of computation. I remember we sat there and chit chatted for a few minutes while they- >> Yeah. >> While their PC was cranking on it, and then they put up the known key and then the guest key. And it was surprisingly close. >> The purpose behind that meeting was to convince my manager that we had to address it. And it didn't convince him, okay? because it's like, well, we've got a hard drive. There's a lot of noise going on back there. The people coming up with these algorithms are the people that can determine that there's a planet around a star in another galaxy. The way they're doing that is the way that the star wiggles based on the gravitational field of the planet, how many trillions of miles away. If you look at it long enough, you can remove the noise. Lot of counter measures originally, well, we'll just use more power. Yes, makes it a smaller signal. How do I boost a signal? Sample it, and sample it, and sample it. So if I have to do a million samples and hey, we like to design our cryptographic engines to go as fast as possible. So to do 100 million runs is nothing. I capture the power on all that, I just set it up, tell it to go. Once it's set up, and it will run the analysis and everything. So, other attack methods, cache attacks. I can't go into a lot of details, but Spectre and Meltdown, okay, those hit pretty much everybody. Some worse than others based on which particular attack. All right, people didn't think about that, all right. There's other things that happen out there that impact how we do things. So a lot of the original attacks on, I don't remember whether it was IPSec or SSL, okay? You pad out the message at the end, they used to give two different errors, one that said that there was a padding error, and one that said there was an encryption error. I could use that information to try to break the amount of padding I needed. And I could actually work on the decryption one byte at a time by just continuing to send packets, okay? And that allowed me to essentially be able to read, especially like your email or things like that. Even though it all came to you encrypted, right? That's why you notice a lot of these protocols, error. What went wrong, and it's a pain in the butt to program, right? What went wrong? I don't know, something went wrong, error. Lots of times, we kill the connection and start from scratch. We don't want to take any chances if someone's trying to hack us, makes life a pain when you're trying to develop a product. Once again, this is why you use open source software. 99% of it's already there for you, okay? So some of these leads into threat model, all right? What are you trying to protect? Who are you trying to protect it from? So I worked for a defense contractor and they do all sorts of logic to try to prevent some of these E-Beam attacks, some of these very invasive type attacks. All right, why? Because the people trying to break in to this country or any country's military systems are governments that are more than willing to throw billions of dollars at it, okay? Playstation, anyone who throws a $1 billion into breaking that's not thinking. Usually what happens with Playstation is you have kids, no money, plenty of time. And they'll just try things, and try things, and try things. Sometimes you get people that are bored, you're all familiar with these, used to be big boxes for toll roads. I was at a conference, it was years ago, I think it was 2007. There was a guy who broke open the box, took the chip, which was not a cutting edge technology. He had a belt sander. He sanded the thing down layer by layer so he could determine all the metal wires for all the layers. Figured out which company manufactured the chip to get their library. Basically reverse engineered the whole chip to discover their cryptographic algorithm, which was a proprietary one, that he then broke. A lot more patience than I have. But these are some of the people out there, by the way, this is the DEFCON conference. DEFCON's cheap to go to if you want to go. It's a lot of fun. Lot of weird things happen at it every year. You can go, so I went last year. They had a car hacking contest, so you could hack into the security systems on automobiles. They have a lock picking course with a whole bunch of locks that you can pick. They have a whole bunch of little embedded systems. And this year they had problems, couldn't get them but usually they have an electronic badge, and it's designed for you to break into it somehow, there is a vulnerability. And there's a vulnerability that they know of. How many that are unknown, you don't know. It's an interesting place. It's like 25 bucks to go to. It's in Vegas so you're going to pay a ton to stay there, but it's interesting if you're interested. That's like in August. >> What's the reward for breaking the security on the entry badge? Just get your name on a list or something? >> I think you get your name on a list. >> Bragging rights or something? >> Yeah, bragging. Well, so the first year I went, that 2007 Most boards are green, why pay for another color? It's fiberglass, right? They actually have boards of all different colors. And the coveted one was the blackboard. I forget what you had to do to get that, but like, presenters had like a yellow board or something like that. The blackboard, you had to do something. And it might have been having to break into some of these things. Okay, like I said it's fun to go to, very different cast of characters. You know, it's held right after black hat which is more your professionals. And a lot of those guys will also go to the DEF CON conference. So, threat model, what am I protecting? Am I protecting money? Who holds it? So, a cash value card that's in my hand. The US is highly connected, so every time you use your credit card, it goes back and authenticates, okay? Europe and a lot of other countries just don't have the same telephone network. And they'll communicate with the smart card. It'll store the transactions and maybe once an hour it will dial in and say these are the transactions, okay. So the authentication, my smart card knows how much money I have, if I can hack it, I can say I have more money. I can print money, this is not counterfeiting because I don't actually have to print anything it's just on a card, it's electronic. Okay, I have a huge incentive to hack that don't I? And banks have a huge incentive to make sure it's not an expensive card. Every time you lose one, they don't want to send you another ten dollar card. >> [Cough] >> They want it cheap, but secure. Alright, is it information? A lot of information's becoming less valuable, because we give so much of it away on Facebook, and Instagram, and Twitter, and everything else. A friend of mine who works here part time. He's going to grad school right here also. 90% of the time, on about 10 tweets, they can tell your social economic status. 90% of accuracy, 10 tweets. Doesn't matter your background, you could have been poor, came up with a great idea, became rich, they're going to know you're rich. It's not your language ability, it's a lot of this studying of linguistics, all right? We give out everything, because it's all available to all out there. So, what am I protecting? What's the value and to who, all right? Personally, I really don't care much about my credit card. You get my number, I call them, I didn't buy that. They refund it, it costs me nothing, okay? The biggest time I care is when I'm traveling. Not in the US, outside of the US. I lose my credit card number there it's not like they can get me another one. That's when I care, all right? Very low value to me, value to them. But they didn't create any pain for me, so why do I care? Now, I don't just flash it around to everyone. But I think you all understand what I'm saying. What are people after, all right? Amazon, who here shops at Amazon? Stored your credit card number with them? By breaking to Amazon's Bank and get credit card information, how many credit card numbers do you think I can get? >> Millions. >> Billions, okay? The local little mom and pop restaurant, if I break in to their system, how many credit card numbers can I get? >> Hundreds or thousands. >> Hundreds or thousands, all right? Amazon spends a lot of money on their security, because they need to, they need to. >> Has anyone in the class had a credit card compromised? Yeah, I did. So I had a credit card that I used for mileage, my airline where I can accumulate my miles. And I was repeatedly using it to order pizza and have chicken wings delivered to my house while I watch football games. [LAUGH] And, okay, everything's fine. And, it was a Broncos game, so Sunday afternoon, I had pizza and wings delivered. And Tuesday I get this text from my credit company that said, did you authorize this account and get those texts? And, it was first on online gaming multi-massive player game. And I called them up and said, no that wasn't me, and bang I had to shut the card down. And, the cost is not having the card for the week, or whatever it takes for them to mail you a new card, right? So, it's an inconvenient, I didn't lose money right, they credited, or they avoided out those charges. And it didn't cost me anything, but it costed me time, because I wanted to during that week when I was waiting for the card to come back I didn't have it available to me. So if I was in a store, or grocery shopping, and wanted to use it elsewhere in that period to accumulate additional miles, I wasn't able to. That was an inconvenience cost to me only. >> See I've got a fault tolerant design with that, I've got three credit cards. One of them with my bank ATM card, so, you get one credit card I use the other. [LAUGH] >> Three with your same bank? No. >> No. >> Okay. >> Discovered Chase, my bank- >> I have other ones too, but I just have one that has all my- >> Yeah, you have all the points, yeah. >> I have one with all the points, but I- >> Don't do any big purchases, because you aren't going to get the points, yeah. >> You're right. >> Yeah, so any questions? Any other ideas along these lines? Other things that, you know, need to be protected and some of the differences based on how big the database is. >> Purchase habits, maybe? >> Yeah, well that's why everyone does rewards cards. Because especially you sign up with email and they can, They will ship you customized sales, for you, based on what you want. So, you guys all familiar like with 7-Eleven convenience stores? All right, all the things that used to be known has been really expensive? It's convenient, all right? Except if you want soda, because they're just trying to get you to come in there. Most of the time you can buy milk cheaper at a 7-Eleven than you can at a grocery store. Because where a grocery store is more than willing to make only a couple of pennies on something that they're trying to convince you to buy. Everyone who walks in there buys milk. So, why would they discount it, all right? Reward programs allows them to do a lot of this analysis, and I'll guarantee you that Amazon does it too. I'll guarantee you that your price and my price could very well be different on the Amazon, based on what you're purchasing habits are and what mine are. You might get a good price but it might not be the lowest price, it can change all the time. Attack avenues, who possesses it? Stored value card, it's in your possession, okay. You give your credit card number to Amazon and tell them to save it. It's in their possession, and yours. Usually they get it from used someone who needs to skim it. You go to a little place where they look at it and someone's got a good memory, things like that. Not a huge attack space, all right? Access, fixed location, is it mobile? Is it connected through Wi-Fi, bluetooth? All of this and this class, IoT right? [LAUGH] You never plug it in. Right, it's available to everyone and how strong it is whether there it's WiFi or bluetooth, it's available to everyone around here and it's capturing information on you also. Nest, all right, nest is an automatic thermostat, it's. Do active learning to figure out your habits when you get home so on and so forth. It's like who cares if they steal that information. Except if I can talk to your nest device I can tell if you're home, based on the temperature setting. Or I can tell that you leave at 7 o'clock in the morning and you return home at 5 o'clock at night. That gives me a lot of time to rifle through your stuff, I know you're college students, you don't have a lot I don't need that much time. My house has a little bit more junk in it and a few more piles you got to dig through. But this is all information that I can get from a device. We hand out, the Nest actually has some pretty good security. They only attack, I heard on and I don't even know the details, but it required physical access, okay? But who owns the Nest now? Is that Amazon or Google? >> Yes, Google. The Google, okay? Google knows all that. They're more than willing to sell that information. because the amount of time that you're out tells whether you're gainfully employed. because most people that are out for nine to ten hours have a regular job. So on and so forth. That's all information that tells a lot about you. If you're out nine hours at a time but it moves all over the place chances are you're working hourly. Nothing wrong with working hourly, except the pay is usually at a different range. That's good information to know. We can sell that to people. So, once again my friend works here, right? The last election, one of the things that Trump did better than the other candidate Hillary, was he used Facebook with targeted ads. They would target down to a thousand people. And sometimes the difference in the ad was the background color, that's it. Certain people, certain colors are going to be more favorable to them, and they can find that out through your online habits. Security, right, it's not all just about algorithms. You can have the best algorithm implemented poorly or some other things now. Let's go back to attacks, you still have this in your slides, right, okay yeah, what can go wrong with this? Any ideas? Besides the, I can potentially hack the bluetooth. Something physical about this can go wrong. Any ideas? >> In that physical access. >> You can get physical access. >> Buttons kind of gives away what key presses you make usually. >> Yep, people don't consider it when they buy this, your home, everyone's going to use the same code.