Hard Drives. The theory is it is hard to build a device to read platters removed from a hard drive. This is what your hard drives look like. Good luck finding them; they're sold to Cloud guys only about anymore. But, that's what it looks like. It's just a platter. We've had to fly, they don't even really know how far off anymore. All right. Angstroms. Yes. It's very close. They're doing hundreds of thousands of tracks per inch. It's very hard to build something to read that off. So, we think it's pretty much impossible, therefore, we're going to put this critical security data stored on the platters someplace that you can't access. Basically, we're going to put it in a range that you can't address. Hey, we're secure, right? Well, there are data recovery companies that'll charge you thousands of dollars to get the information off of there. Well, I can send it there, but what's better yet we don't need that. The hard drive company has created the nice device for us to read anything on there. Like I said, it's stored someplace you can't address unless you're on the controller. If I hacked the controller software, I can read anything I want on there, can I? So, now, who is "We" in the theory that states only "We" can access it? This is actually one of the biggest things you'll hear in the corporate world when it comes to designing security stuff. Only "We" know this value. You're going to hear a lot in this country, you're going to hear if you watch the news. However, you're following news that we need back doors on a lot of this electronic communication, and only the police will know it. Sure, the police will know it, let's see. If you're living in the US, buying devices for sale in the US, the Chinese will know it, the Russians will know it, the Israelis know everybody's everything. The French, they like to look into a lot of things. Hey, yeah, you know there's this other country that's pretty up and coming and doing pretty well called India.
Yeah, you think they might know it? I don't know why it's Doom. At DEF CON this past year, I think there was a Verifone credit card reader, point of sale terminal. The guy went to hack it and I guess one of the biggest things in the hacking world is you hack stuff, so you can put Doom on it. He was able to hack it to put Doom on it. Now, if you reset it, if you power cycled it, you'd have to re-hack it. So, to get in a mode where instead of coming up with a nice little graphic and you can operate, read your credit card, so on so forth. To update firmware or things like that, there's a certain key combination. So, to find out, he Googled it. Now, if you think your security for software downloads is good enough, who cares, right? Someone can make it unavailable to the cashier because they don't know how to reset it. But, okay that's an inconvenience. When someone finds out, it goes on the Internet or minimally the back Web will sell it to somebody. But, you break a PlayStation, you break an Xbox, that stuff goes on the free Web, man. Those are kids, they're smart enough to sell it. So, the "We" is whoever controls the hard drive processor, that controller chip. So, if I can hack into that, the theory because they won't tell you, the theory of how the NSA got past the security on Seagate hard drives is you allow ROM patches or microcode patches or things like that, and through that they found a weakness, so that they could point to different storage locations on the drive for getting the keys and stuff. So, they would boot it up like normal, write what they wanted in those locations, then they would hack the ROM update code to point to those and they'd know the key, or what our government and I'll guarantee all the other ones do this, our government will come to you with a brilliant design for a random number generator that they suggest you use. You probably won't detect the weaknesses, but they're in there.
So, find bugs in the firmware, write your own firmware, make requests through a debug port. Wi-Fi allows me to do this without physically being there, I just need to be close. Okay. Go back. Go back. I got one. So, during the security segment about developing a security mindset and some quotes from Bruce Schneier, so anytime in near future when you're out in the working world and you hear this statement, ''Only we can do something. Only we are capable of it.'' You should flash back to this moment, this course, and I'll encourage you to back up and do some orthogonal thinking and say, ''Wait a minute, why do we believe this?'' Where is the data that supports that only we can do this? What makes us so confident to make that statement? Always challenge that assertion that only "We" are able to break something, only we are able to have this capability. Any other examples without testifying against yourself? So, does anyone here have any friends that have broken into anything? Anyone? Anyone break in any of these offices around here? Anyone know a way to break in any of the labs? Last year, one of the students after the class said, ''Yeah, there's this lab down here that everyone knows how to get into.'' Come on, you guys got to know something. None of us are saints here, come on. How many ways can you get by things? All the time, all the time. All right. So, one of the things and you quote me on this in your presentation, security through obscurity is not security. In other words, we've got a proprietary algorithm, "run," and just run. If you want to get into security and someone says we're developing our own algorithm, go get a different job. Obscurity can help you when it comes to some of these attacks, power analysis attacks.
If I do other things that obscure the signal that make it pretty much impossible for you to get this signal because of all the noise, if I'm going to read a value like the root key, whether that's through eBeam, whether that's through some light admittance, whatever it happens to be, those technologies aren't fast. It's going to take me a certain amount of time. If I keep rolling those bits, whether that's inverting them, whether that's rotating them, so on and so forth, if I do it fast enough, you can't read the information out of it. That's obscurity. I'm obscuring what's there. So, obscurity can help. Lots of times, what you're doing is just putting up extra hurdles. It's not going to stop the determined attacker. Look at the last year, we had Equifax breaches, we've had some Amazon, we've had a whole bunch of medical companies breaches. If someone wants into your network, I will guarantee the same for defense contractors, and they put a ton of money towards that, for the. So, I worked remote when I worked at the defense contractor. I did a VPN into the computer network. From there, I would VPN into another very limited network, and the only way to access it was through VPN. So, even if I was on site, I had to VPN into it. For the critical stuff, they'll do air-gapped networks where there is no outside connection. We have a network. All these computers are connected together because we don't do development without a central storage, but it is air-gapped. There is no communication outside. So, how can I eavesdrop on conversations? It's easy nowadays with all these wireless devices, that assumes I can get into the building. I can point a laser at a window and pick up the vibrations of that window. What causes that window to vibrate? Every single sound inside and outside that building. If you have an office next to that window when you talk loud, it can be on the other side of it.
Some government stuff based on the glow from your monitor and the power emissions from your monitor, they can detect what's on there. Very little signal, take a lot of money to boost that signal, government attacks. Google's not going to use this against Microsoft. The US might use it against China or China might use it against the US. So, the interesting thing when you get into defense, which some of you may get into your country's Defense Departments or whatever companies that supply them, when they do a classified facility, you better get someone who knows what they're doing to build that. Because usually, what happens when the government wants a classified facility, you need to have one available, then they're going to test it, and it's a pass fail test. They won't help you by saying "you failed this test," because telling you what tests you failed allows you to determine their capabilities. They don't want to give that out. Lots of times when you have these testing facilities where like FIPS, you talked a little bit about FIPS, FIPS is wide open. They'll tell you everything. When it comes to defense, it's like, "Nope, you failed." Well, what did we do wrong? Well, this area needs something. You need to grow this area. We had a random pool of data, about 4,000 bits in one of our designs. They said we need you to have two separate memories. So, one engineer took that to mean one thing, I took it to mean another. One engineer took it to mean we did not have enough random bits. We needed more random bits. What I took from it is the fact that we read two pieces of data from that same memory was the problem and they wanted each read to be from a different memory. What's the real story? I'd like to think I'm right, but hey, I don't know, because they won't tell you. Now, good random source is what we used in seguing, ring oscillators. What side channel information do you think I can get from a ring oscillator? That'll probably tell me where it is.
What might tell me what the frequency is? No. Same as side-channel attacks, electromagnetic, radiated energy, so high that you can put a bunch of them together. How many do you need before someone can't read all of them? Because if I can do EM on one, what prevents me from doing EM on eight? Or 10? Or 20? How many do I need in a cluster, before it becomes greater than the technology to be able to differentiate them? I don't know. Once again, what's your threat model? Is it billions of dollars, country? Is it millions of dollars, company? Or is it your neighbor's kid? He may need any money, he might get access to his dad's lab equipment in the basement, if his dad has it. What's your threat model?
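Added example, not part of the lecture: a software model of the "keep rolling those bits" idea mentioned earlier (inverting and rotating a stored root key faster than a slow readout can capture it), generalized here to a per-bit inversion mask. All names (`rolled_key`, `rk_roll`, `slow_probe`) are hypothetical, the key is constructed, and the xorshift generator is only a stand-in for a hardware random source.

```c
#include <stdint.h>
#define KEY_WORDS 4                 /* constructed example: 128-bit key as four words */
typedef struct {
    uint32_t cell[KEY_WORDS];       /* encoded bits actually held in storage */
    uint32_t inv[KEY_WORDS];        /* which bits are currently inverted */
    unsigned rot;                   /* current left rotation, 0..31 */
    uint32_t prng;                  /* xorshift32 state, stand-in for a hardware RNG */
} rolled_key;
static uint32_t rotl32(uint32_t x, unsigned r) { r &= 31; return r ? (x << r) | (x >> (32 - r)) : x; }
static uint32_t rotr32(uint32_t x, unsigned r) { return rotl32(x, 32 - (r & 31)); }
static uint32_t next_rand(rolled_key *k) {
    uint32_t x = k->prng; x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return k->prng = x;
}

/* Store the key as cell = rotl(key, rot) ^ inv. The seed must be non-zero. */
void rk_load(rolled_key *k, const uint32_t key[KEY_WORDS], uint32_t seed) {
    k->prng = seed; k->rot = next_rand(k) & 31;
    for (int i = 0; i < KEY_WORDS; i++) {
        k->inv[i] = next_rand(k);
        k->cell[i] = rotl32(key[i], k->rot) ^ k->inv[i];
    }
}

/* One roll: new rotation and inversion in place. rotl(cell,d) ^ rotl(inv,d) ^ inv_new
 * equals rotl(key, rot+d) ^ inv_new, so the plain key is never reassembled. */
void rk_roll(rolled_key *k) {
    unsigned d = next_rand(k) & 31;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t inv_new = next_rand(k);
        k->cell[i] = rotl32(k->cell[i], d) ^ rotl32(k->inv[i], d) ^ inv_new;
        k->inv[i] = inv_new;
    }
    k->rot = (k->rot + d) & 31;
}

/* Legitimate read: undo the current inversion, then the current rotation. */
void rk_read(const rolled_key *k, uint32_t out[KEY_WORDS]) {
    for (int i = 0; i < KEY_WORDS; i++)
        out[i] = rotr32(k->cell[i] ^ k->inv[i], k->rot);
}

/* Model of a slow probe: one word captured per roll interval, then decoded. */
void slow_probe(rolled_key *k, uint32_t out[KEY_WORDS]) {
    uint32_t c[KEY_WORDS], m[KEY_WORDS];
    for (int i = 0; i < KEY_WORDS; i++) { c[i] = k->cell[i]; rk_roll(k); }
    for (int i = 0; i < KEY_WORDS; i++) { m[i] = k->inv[i]; rk_roll(k); }
    for (int i = 0; i < KEY_WORDS; i++) out[i] = rotr32(c[i] ^ m[i], k->rot);
}
```

The model only captures the timing argument: pieces read at different moments belong to different encodings. A readout faster than the roll interval, or one that taps the decoded value while it is in use, is outside what it shows.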