1
00:00:00,160 --> 00:00:03,919
Okay. So, you are checking for SSIDs,
2
00:00:03,919 --> 00:00:05,200
you're checking for MAC addresses. Is
3
00:00:05,200 --> 00:00:05,759
that right?
4
00:00:05,759 --> 00:00:06,400
>> Correct.
5
00:00:06,400 --> 00:00:07,680
>> Did you say doing something with
6
00:00:07,680 --> 00:00:08,480
Bluetooth as well?
7
00:00:08,480 --> 00:00:09,920
>> Yeah, Bluetooth. Exactly. We're checking
8
00:00:09,920 --> 00:00:11,120
for Bluetooth the same way as we're
9
00:00:11,120 --> 00:00:13,040
checking for Wi-Fi because once again
10
00:00:13,040 --> 00:00:15,519
comes back to the even a nation-state
11
00:00:15,519 --> 00:00:18,400
group, even a group of trained operators
12
00:00:18,400 --> 00:00:20,160
are likely going to have cell phones.
13
00:00:20,160 --> 00:00:22,080
>> Is this free? Is it open source or do I
14
00:00:22,080 --> 00:00:23,439
have to pay a bunch of money to get hold
15
00:00:23,439 --> 00:00:23,840
of this?
16
00:00:23,840 --> 00:00:26,720
>> It is 100% free. It is open source. And
17
00:00:26,720 --> 00:00:28,240
this is not a government thing. Private
18
00:00:28,240 --> 00:00:30,480
sector does it too. We have a horrible
19
00:00:30,480 --> 00:00:33,840
habit of naming our you Wi-Fi the names
20
00:00:33,840 --> 00:00:35,120
of our specialty units.
21
00:00:35,120 --> 00:00:36,480
>> Everyone, David Bombal coming to you
22
00:00:36,480 --> 00:00:37,680
from Black Hat with a very special
23
00:00:37,680 --> 00:00:39,040
guest. Matt, great to have you on the
24
00:00:39,040 --> 00:00:39,360
show.
25
00:00:39,360 --> 00:00:40,800
>> Dave, thanks for having me. It's Lana.
26
00:00:40,800 --> 00:00:43,280
>> So, I remember you showing this demo and
27
00:00:43,280 --> 00:00:45,520
I'm really excited to see the update for
28
00:00:45,520 --> 00:00:47,120
it. Tell me, well, take us on the
29
00:00:47,120 --> 00:00:48,320
journey, right? If I understand
30
00:00:48,320 --> 00:00:50,879
correctly, using a Raspberry Pi to make
31
00:00:50,879 --> 00:00:52,719
sure that people aren't following you or
32
00:00:52,719 --> 00:00:53,760
something like that.
33
00:00:53,760 --> 00:00:56,399
>> Yes, correct. So, it's funny. I give
34
00:00:56,399 --> 00:00:58,079
a lot of conference talks and I never
35
00:00:58,079 --> 00:00:59,359
really spend time at the beginning
36
00:00:59,359 --> 00:01:00,719
talking about the motivation for the
37
00:01:00,719 --> 00:01:02,559
talk or the story behind it. This one
38
00:01:02,559 --> 00:01:03,840
was different because I think it's
39
00:01:03,840 --> 00:01:05,840
really a key piece of the story. And
40
00:01:05,840 --> 00:01:08,240
what it is is no one likes to be how
41
00:01:08,240 --> 00:01:10,240
this all started is many many years ago,
42
00:01:10,240 --> 00:01:11,920
no one likes to be surprised by their
43
00:01:11,920 --> 00:01:14,240
boss showing up unannounced. And so they
44
00:01:14,240 --> 00:01:16,080
moved me to a warehouse in the back
45
00:01:16,080 --> 00:01:18,080
corner of a military base. And so what I
46
00:01:18,080 --> 00:01:20,000
did, I built a small wireless device
47
00:01:20,000 --> 00:01:21,840
that let me know anytime my boss was
48
00:01:21,840 --> 00:01:23,439
going to be in the area.
49
00:01:23,439 --> 00:01:24,799
my boss enter the building, it would
50
00:01:24,799 --> 00:01:26,159
give me the heads up. Not that I was
51
00:01:26,159 --> 00:01:27,680
doing anything wrong, just no one likes
52
00:01:27,680 --> 00:01:28,240
surprises.
53
00:01:28,240 --> 00:01:30,720
>> So you looking for SSID or something?
54
00:01:30,720 --> 00:01:32,799
>> Exactly. MAC address is coming off, SSID
55
00:01:32,799 --> 00:01:34,560
is coming off. Exactly. Because some
56
00:01:34,560 --> 00:01:36,000
things randomize, but you can't account
57
00:01:36,000 --> 00:01:37,119
for that. So you kind of got to look
58
00:01:37,119 --> 00:01:40,400
both ways. And so I had given a talk for
59
00:01:40,400 --> 00:01:42,320
the government and I theorized on using
60
00:01:42,320 --> 00:01:44,159
that to tell if you were being followed
61
00:01:44,159 --> 00:01:45,439
because if you think about it, even a
62
00:01:45,439 --> 00:01:48,079
nation state, very well-trained group,
63
00:01:48,079 --> 00:01:49,280
they're going to have cell phones in
64
00:01:49,280 --> 00:01:50,640
their pockets, right? They're going to
65
00:01:50,640 --> 00:01:52,560
have TPMS sensors in the tires. They're
66
00:01:52,560 --> 00:01:54,479
going to have Bluetooth headsets. And so
67
00:01:54,479 --> 00:01:55,840
I basically said, "Hey, I'm just going
68
00:01:55,840 --> 00:01:57,759
to go to three different locations and
69
00:01:57,759 --> 00:01:59,439
then see what devices were at all
70
00:01:59,439 --> 00:02:02,640
three." Fast forward many years later, an
71
00:02:02,640 --> 00:02:04,000
acquaintance of mine who worked for a
72
00:02:04,000 --> 00:02:05,920
separate government agency came to me.
73
00:02:05,920 --> 00:02:08,080
They had a confidential informant with
74
00:02:08,080 --> 00:02:10,080
ties to a very legitimate terrorist
75
00:02:10,080 --> 00:02:11,760
organization that we are all aware of.
76
00:02:11,760 --> 00:02:13,360
Yeah. And this person, they weren't
77
00:02:13,360 --> 00:02:14,959
worried about their own safety. They
78
00:02:14,959 --> 00:02:16,080
were worried about the safety of their
79
00:02:16,080 --> 00:02:17,520
informant. They were afraid that if they
80
00:02:17,520 --> 00:02:18,879
were followed, it would get their
81
00:02:18,879 --> 00:02:20,720
informant killed. He said he asked his
82
00:02:20,720 --> 00:02:22,319
agency's tech people. They had nothing
83
00:02:22,319 --> 00:02:23,920
like that. He looked for it, couldn't
84
00:02:23,920 --> 00:02:25,520
find anything. So, he was like, "Hey, do
85
00:02:25,520 --> 00:02:27,040
you know of anything?" And I thought and
86
00:02:27,040 --> 00:02:29,120
I looked and I said, "No." I said, "If
87
00:02:29,120 --> 00:02:30,400
you give me a couple weeks, I think I
88
00:02:30,400 --> 00:02:32,319
can actually build it for you." And so,
89
00:02:32,319 --> 00:02:35,040
that's kind of uh where it led. And I I
90
00:02:35,040 --> 00:02:37,040
got to tell you, it blew up way bigger
91
00:02:37,040 --> 00:02:38,400
than I thought. Speaking here at Black
92
00:02:38,400 --> 00:02:40,879
Hat, Wired did an article on me. And the
93
00:02:40,879 --> 00:02:44,160
emails that I got for still to this day,
94
00:02:44,160 --> 00:02:46,000
people um using it for search and
95
00:02:46,000 --> 00:02:47,599
rescue. I think one of the biggest
96
00:02:47,599 --> 00:02:49,599
tearjerkers was a gentleman who reached
97
00:02:49,599 --> 00:02:52,800
out and said his wife was uh worked in
98
00:02:52,800 --> 00:02:54,640
an emergency room in a hospital. Okay.
99
00:02:54,640 --> 00:02:56,560
And pretty much every week doctors and
100
00:02:56,560 --> 00:02:58,000
nurses there were getting death threats
101
00:02:58,000 --> 00:03:00,080
from people and they were using this to
102
00:03:00,080 --> 00:03:01,360
help give him a little peace of mind.
103
00:03:01,360 --> 00:03:03,040
And he's like your device is helping
104
00:03:03,040 --> 00:03:05,680
people safe like feel safe. And I was
105
00:03:05,680 --> 00:03:07,120
just like helping people sleep. It's
106
00:03:07,120 --> 00:03:08,720
like it's getting dusty in here. You
107
00:03:08,720 --> 00:03:10,080
know, I'm trying I'm sitting there at my
108
00:03:10,080 --> 00:03:11,440
desk in my office like trying to fight
109
00:03:11,440 --> 00:03:13,200
back a little tear reading this email.
110
00:03:13,200 --> 00:03:16,000
So it's been amazing. It has been and to
111
00:03:16,000 --> 00:03:17,440
say like the improved and updated
112
00:03:17,440 --> 00:03:19,599
version. I wrote this before AI. It was
113
00:03:19,599 --> 00:03:21,120
me writing the code and I am a lot of
114
00:03:21,120 --> 00:03:23,599
things. A programmer is not one of them.
115
00:03:23,599 --> 00:03:25,519
And so now that we have AI to help me
116
00:03:25,519 --> 00:03:27,200
write the code, an update was long
117
00:03:27,200 --> 00:03:28,800
overdue. I really want to thank Danny
118
00:03:28,800 --> 00:03:30,000
and the team at ThreatLocker for
119
00:03:30,000 --> 00:03:32,159
sponsoring my trip to Black Hat and
120
00:03:32,159 --> 00:03:34,000
allowing me to enjoy this amazing
121
00:03:34,000 --> 00:03:36,799
conference. Deny by default is the way
122
00:03:36,799 --> 00:03:38,640
that we need to implement security these
123
00:03:38,640 --> 00:03:41,519
days. You cannot permit everything and
124
00:03:41,519 --> 00:03:43,519
then try and find the bad traffic in
125
00:03:43,519 --> 00:03:46,480
2025. Deny by default. So I'm sure
126
00:03:46,480 --> 00:03:47,840
everyone's interested. Tell us what's in
127
00:03:47,840 --> 00:03:49,200
the box and you know explain what's
128
00:03:49,200 --> 00:03:49,599
going on.
129
00:03:49,599 --> 00:03:50,959
>> Yeah, the original version if you go
130
00:03:50,959 --> 00:03:52,640
back and look at the talk was much much
131
00:03:52,640 --> 00:03:54,239
smaller than this. I'm presenting it
132
00:03:54,239 --> 00:03:56,480
here at Black Hat Arsenal and so I
133
00:03:56,480 --> 00:03:57,920
wanted a little bit bigger form factor
134
00:03:57,920 --> 00:03:59,680
so people could actually see it and
135
00:03:59,680 --> 00:04:01,120
sitting there. So yeah. So we have a
136
00:04:01,120 --> 00:04:03,439
small Raspberry Pi 5 right there hooked
137
00:04:03,439 --> 00:04:05,040
up to a little Alfa wireless card.
138
00:04:05,040 --> 00:04:06,799
There's four USBs if you wanted to plug
139
00:04:06,799 --> 00:04:08,640
more in. This is actually a Bluetooth
140
00:04:08,640 --> 00:04:09,519
GPS.
141
00:04:09,519 --> 00:04:11,360
>> So the original version that you that I
142
00:04:11,360 --> 00:04:13,200
saw was only doing Wi-Fi, but you're
143
00:04:13,200 --> 00:04:13,920
doing more than that now.
144
00:04:13,920 --> 00:04:15,439
>> It was doing Wi-Fi and Bluetooth. This
145
00:04:15,439 --> 00:04:17,519
is doing both. So the purpose of the GPS
146
00:04:17,519 --> 00:04:19,519
is this. One of the things that I really
147
00:04:19,519 --> 00:04:21,280
wanted to one of the natural evolutions
148
00:04:21,280 --> 00:04:24,000
in my mind was listen, if someone is
149
00:04:24,000 --> 00:04:26,479
following you, can we flip it around?
150
00:04:26,479 --> 00:04:28,160
Can we tell where they hang out? Can we
151
00:04:28,160 --> 00:04:29,759
tell where they spend their time? Maybe
152
00:04:29,759 --> 00:04:31,520
where they work. And the answer is many
153
00:04:31,520 --> 00:04:34,160
times absolutely. And so with this, with
154
00:04:34,160 --> 00:04:36,400
having the GPS enabled, you can go back.
155
00:04:36,400 --> 00:04:37,919
This can generate reports of where you
156
00:04:37,919 --> 00:04:39,520
were followed, what the devices were,
157
00:04:39,520 --> 00:04:41,199
and then if you give it a WiGLE API
158
00:04:41,199 --> 00:04:43,600
key. It actually goes out to WiGLE and
159
00:04:43,600 --> 00:04:45,360
it queries the networks that the devices
160
00:04:45,360 --> 00:04:46,960
were following you, the where are they
161
00:04:46,960 --> 00:04:49,199
located, and you can flip it around. So,
162
00:04:49,199 --> 00:04:50,960
I had a buddy of mine test it. He is
163
00:04:50,960 --> 00:04:52,479
still federal law enforcement, I would
164
00:04:52,479 --> 00:04:54,479
say, what agency, but I had him kind of
165
00:04:54,479 --> 00:04:56,479
follow me around and do this. And then I
166
00:04:56,479 --> 00:04:58,320
went and looked and it's like, "Okay,
167
00:04:58,320 --> 00:05:00,240
yep. It saw the device following me. Saw
168
00:05:00,240 --> 00:05:02,080
this name of this unique Wi-Fi that it
169
00:05:02,080 --> 00:05:04,240
was looking for, do the probe requests,
170
00:05:04,240 --> 00:05:05,919
put it in there, and it's a building
171
00:05:05,919 --> 00:05:08,080
where at the front it's no ties to the
172
00:05:08,080 --> 00:05:09,440
government. If you Google it, it will
173
00:05:09,440 --> 00:05:11,440
say what government agency it is." And
174
00:05:11,440 --> 00:05:12,800
so I didn't want to blow up anyone's
175
00:05:12,800 --> 00:05:14,880
spot, but absolutely like cuz his phone
176
00:05:14,880 --> 00:05:16,320
had been there because he works there
177
00:05:16,320 --> 00:05:17,360
sometimes. So
178
00:05:17,360 --> 00:05:17,759
>> wow.
179
00:05:17,759 --> 00:05:18,960
>> Yeah, that was kind of cool.
180
00:05:18,960 --> 00:05:20,639
>> So just a Raspberry Pi, right?
181
00:05:20,639 --> 00:05:22,639
>> It is. And honestly, it's anything that
182
00:05:22,639 --> 00:05:24,400
could run Kismet. So even a Raspberry
183
00:05:24,400 --> 00:05:26,639
Pi 50, anything else similar to a
184
00:05:26,639 --> 00:05:28,560
Raspberry 5, anything that can run
185
00:05:28,560 --> 00:05:31,120
Kismet, which is fairly low-powered, this
186
00:05:31,120 --> 00:05:31,840
can work with.
187
00:05:31,840 --> 00:05:33,440
>> And you got a screen that's just
188
00:05:33,440 --> 00:05:35,520
connected to the to the Raspberry Pi.
189
00:05:35,520 --> 00:05:37,600
Um, I don't want to put words in your
190
00:05:37,600 --> 00:05:38,880
mouth, so just take us on a journey,
191
00:05:38,880 --> 00:05:40,800
right? So So explain why you need the
192
00:05:40,800 --> 00:05:42,560
screen and why the interface looks like
193
00:05:42,560 --> 00:05:43,360
the way it does.
194
00:05:43,360 --> 00:05:44,639
>> Why the interface looks like it's a
195
00:05:44,639 --> 00:05:46,479
Fisher-Price toy, Dave. You can say it.
196
00:05:46,479 --> 00:05:47,280
You can say it.
197
00:05:47,280 --> 00:05:48,000
>> No, not at all.
198
00:05:48,000 --> 00:05:49,759
>> I mentioned that in my original talk.
199
00:05:49,759 --> 00:05:51,360
It's funny is originally when I thought
200
00:05:51,360 --> 00:05:53,520
this up, I was going off location like
201
00:05:53,520 --> 00:05:55,919
location one, location two, location 3.
202
00:05:55,919 --> 00:05:57,440
Very quickly I realized that does not
203
00:05:57,440 --> 00:05:59,440
work in the desert when you're driving
204
00:05:59,440 --> 00:06:01,039
for maybe an hour, hour and a half
205
00:06:01,039 --> 00:06:02,800
straight. And so what I had to do is I
206
00:06:02,800 --> 00:06:04,240
have to shift from locations. Do I have
207
00:06:04,240 --> 00:06:06,319
to shift to temporal? Am I seeing any
208
00:06:06,319 --> 00:06:08,560
devices now that I also saw 5 to 10
209
00:06:08,560 --> 00:06:11,199
minutes ago, 15 to 10 minutes ago, etc.
210
00:06:11,199 --> 00:06:12,639
And once again, if you think about it,
211
00:06:12,639 --> 00:06:14,720
this is designed for an individual maybe
212
00:06:14,720 --> 00:06:17,039
by themselves driving at a high rate of
213
00:06:17,039 --> 00:06:19,199
speed. I I can't have them on a small
214
00:06:19,199 --> 00:06:21,120
screen going through menus looking a lot
215
00:06:21,120 --> 00:06:23,360
of options. And so I have big massive
216
00:06:23,360 --> 00:06:26,080
buttons that even me with my big paw can
217
00:06:26,080 --> 00:06:27,759
tap on correct and hit the correct
218
00:06:27,759 --> 00:06:29,759
button. So that's why the interface
219
00:06:29,759 --> 00:06:31,440
kind of looks the way it does. And so
220
00:06:31,440 --> 00:06:33,039
there's also a little bit of logic in
221
00:06:33,039 --> 00:06:34,960
here. For instance, you see things like
222
00:06:34,960 --> 00:06:37,360
delete lists and ignore lists. And so
223
00:06:37,360 --> 00:06:39,039
Dave, if you and I if we were going to
224
00:06:39,039 --> 00:06:40,880
go do surveillance, if we were going to
225
00:06:40,880 --> 00:06:42,639
follow someone or we were maybe wanted
226
00:06:42,639 --> 00:06:44,400
this to see if we were being followed,
227
00:06:44,400 --> 00:06:45,919
what we would do is we would go into the
228
00:06:45,919 --> 00:06:48,000
car, right? get set up, have all of our
229
00:06:48,000 --> 00:06:49,759
equipment there, everything turned on,
230
00:06:49,759 --> 00:06:51,680
leave this running for a couple minutes,
231
00:06:51,680 --> 00:06:53,360
>> and then we would create the ignore
232
00:06:53,360 --> 00:06:55,039
list. And so basically what we've done
233
00:06:55,039 --> 00:06:56,319
then is everything you've seen up to
234
00:06:56,319 --> 00:06:58,000
this point since I started you up,
235
00:06:58,000 --> 00:06:59,520
ignore it, never alert on it.
236
00:06:59,520 --> 00:07:01,599
>> You didn't see anything,
237
00:07:01,599 --> 00:07:03,199
>> right? Otherwise, we're alerting on
238
00:07:03,199 --> 00:07:03,680
ourselves.
239
00:07:03,680 --> 00:07:04,400
>> Yeah, exactly.
240
00:07:04,400 --> 00:07:06,560
>> So yeah, we have the create the ignore
241
00:07:06,560 --> 00:07:08,720
list, delete the ignore list, a check
242
00:07:08,720 --> 00:07:11,440
system status, start chasing your tail,
243
00:07:11,440 --> 00:07:12,720
which we can push that right now and
244
00:07:12,720 --> 00:07:14,639
start it up. That was all in the
245
00:07:14,639 --> 00:07:16,960
original. Now the difference is one of
246
00:07:16,960 --> 00:07:18,400
the things that I wanted to do with this
247
00:07:18,400 --> 00:07:20,639
code is to really add the post analysis
248
00:07:20,639 --> 00:07:22,880
to be able to add in the GPS data as I
249
00:07:22,880 --> 00:07:24,639
said to be able to create maps of what
250
00:07:24,639 --> 00:07:26,400
your route of travel was. Yeah. Where
251
00:07:26,400 --> 00:07:28,160
you were being followed what devices you
252
00:07:28,160 --> 00:07:30,319
saw and then basically flipping it
253
00:07:30,319 --> 00:07:32,319
around on the purple little following
254
00:07:32,319 --> 00:07:34,479
you. Okay. Where are they going to where
255
00:07:34,479 --> 00:07:35,039
they Yeah,
256
00:07:35,039 --> 00:07:35,840
>> that is really good.
257
00:07:35,840 --> 00:07:36,319
>> It is.
258
00:07:36,319 --> 00:07:37,759
>> Matt, before we go any further, I got to
259
00:07:37,759 --> 00:07:40,080
ask you, is this free? Is it open source
260
00:07:40,080 --> 00:07:41,599
or do I have to pay a bunch of money to
261
00:07:41,599 --> 00:07:42,240
get hold of this?
262
00:07:42,240 --> 00:07:44,880
>> It is 100% free. It is open source.
263
00:07:44,880 --> 00:07:46,720
Before you had to deal with my horrible,
264
00:07:46,720 --> 00:07:48,240
horrible Python code.
265
00:07:48,240 --> 00:07:50,800
>> It's horrible. Horrible.
266
00:07:50,800 --> 00:07:51,759
Just horrible.
267
00:07:51,759 --> 00:07:53,360
>> As you can see, the uh sticker right
268
00:07:53,360 --> 00:07:55,599
there. Now, AI has helped me improve the
269
00:07:55,599 --> 00:07:57,199
code quite a bit. So, it is free open
270
00:07:57,199 --> 00:07:59,440
source. I think it's um I I got to tell
271
00:07:59,440 --> 00:08:01,360
you, if you're in this space, David, be
272
00:08:01,360 --> 00:08:02,560
perfectly honest with you. Now, I'm
273
00:08:02,560 --> 00:08:03,440
going to flip it around. I'm going to
274
00:08:03,440 --> 00:08:05,360
ask you a question. How many Raspberry
275
00:08:05,360 --> 00:08:06,560
Pis do you have laying around your
276
00:08:06,560 --> 00:08:08,240
house doing absolutely nothing right?
277
00:08:08,240 --> 00:08:09,919
>> I don't want to even say cuz I, as a
278
00:08:09,919 --> 00:08:11,759
content creator, I have way too many. I
279
00:08:11,759 --> 00:08:13,360
must have at least 10 of them. Exactly.
280
00:08:13,360 --> 00:08:14,800
I think I have five. That's why it's
281
00:08:14,800 --> 00:08:15,919
funny. The person I gave this to is
282
00:08:15,919 --> 00:08:16,960
like, "How much do I owe you?" Like,
283
00:08:16,960 --> 00:08:18,240
"You don't owe me anything." And I'm
284
00:08:18,240 --> 00:08:19,680
like, "I have like five of these laying
285
00:08:19,680 --> 00:08:21,680
around my house." I think we pretty much
286
00:08:21,680 --> 00:08:23,840
all have a Raspberry Pi. Get that up and
287
00:08:23,840 --> 00:08:25,840
running. Get Kismet on it. Hook it up to
288
00:08:25,840 --> 00:08:27,440
a small screen, which depending on the
289
00:08:27,440 --> 00:08:30,160
form factor, the size, $20, $30 on
290
00:08:30,160 --> 00:08:31,840
Amazon. A lot of us probably have some
291
00:08:31,840 --> 00:08:34,240
Alfa or Panda wireless cards capable of
292
00:08:34,240 --> 00:08:35,919
being put in monitor mode as well too.
293
00:08:35,919 --> 00:08:37,360
We got to hook up to it. And then you're
294
00:08:37,360 --> 00:08:41,279
good. If you want a GPS, those USB are
295
00:08:41,279 --> 00:08:44,399
usually $10 or so on eBay. If you want
296
00:08:44,399 --> 00:08:46,000
to get a Bluetooth, which is obviously
297
00:08:46,000 --> 00:08:47,440
nice in a vehicle, depending on how
298
00:08:47,440 --> 00:08:48,800
you're going to use it, I was able to
299
00:08:48,800 --> 00:08:51,440
get the Bluetooth GPS on this for about
300
00:08:51,440 --> 00:08:52,880
$50 on eBay. So,
301
00:08:52,880 --> 00:08:54,000
>> Yeah, cuz I saw you got an Alfa
302
00:08:54,000 --> 00:08:55,839
adapter. I think you the story was you
303
00:08:55,839 --> 00:08:57,200
went and asked the community, right,
304
00:08:57,200 --> 00:08:58,160
which adapter?
305
00:08:58,160 --> 00:08:59,760
>> Exactly. Yeah. I mean, there's these
306
00:08:59,760 --> 00:09:01,040
people that do this and they just swim
307
00:09:01,040 --> 00:09:02,720
in these waters deeply every day and
308
00:09:02,720 --> 00:09:04,160
they're far deeper in the tech than I
309
00:09:04,160 --> 00:09:05,600
am. So if we don't reach out and
310
00:09:05,600 --> 00:09:06,640
leverage and ask them what they're
311
00:09:06,640 --> 00:09:07,920
using, what they're having great success
312
00:09:07,920 --> 00:09:10,320
with, I'm being a And so yeah,
313
00:09:10,320 --> 00:09:12,000
the Alfa, the Panda, those are usually
314
00:09:12,000 --> 00:09:13,279
the two best recommendations.
315
00:09:13,279 --> 00:09:14,480
>> As long as they support monitoring and
316
00:09:14,480 --> 00:09:14,880
injection.
317
00:09:14,880 --> 00:09:15,920
>> Exactly. You just got to be able to put
318
00:09:15,920 --> 00:09:17,120
it. We don't even need injection for
319
00:09:17,120 --> 00:09:18,480
this. Yeah, we just got to be able to
320
00:09:18,480 --> 00:09:20,080
put it in monitor mode. So
321
00:09:20,080 --> 00:09:21,680
>> So Matt, let's get a bit technical.
322
00:09:21,680 --> 00:09:23,279
Right. So it's Kismet is what you're
323
00:09:23,279 --> 00:09:24,399
using on the back end,
324
00:09:24,399 --> 00:09:24,880
>> correct?
325
00:09:24,880 --> 00:09:26,800
>> Is it a Python script? Because the last
326
00:09:26,800 --> 00:09:28,720
time I saw this, you you wrote a Python
327
00:09:28,720 --> 00:09:29,760
script. Is that what you're still doing
328
00:09:29,760 --> 00:09:31,440
or has it been changed, updated?
329
00:09:31,440 --> 00:09:32,320
>> Correct. Yeah. And if you're not
330
00:09:32,320 --> 00:09:33,920
familiar with Kismet, Kismet is an
331
00:09:33,920 --> 00:09:37,040
amazing free open-source tool that
332
00:09:37,040 --> 00:09:38,480
works with wireless, it works with
333
00:09:38,480 --> 00:09:40,560
Bluetooth, it works with some software
334
00:09:40,560 --> 00:09:42,480
defined radios, and it brings everything
335
00:09:42,480 --> 00:09:44,480
in. It gives you a nice menu. And what
336
00:09:44,480 --> 00:09:46,240
it does is it saves everything into
337
00:09:46,240 --> 00:09:48,080
something that's a Kismet file. Now,
338
00:09:48,080 --> 00:09:50,000
it's a Kismet file, but really all it is
339
00:09:50,000 --> 00:09:53,040
is a SQLite database. And so, real time,
340
00:09:53,040 --> 00:09:54,560
I don't have to worry about processing
341
00:09:54,560 --> 00:09:56,560
Wi-Fi, Bluetooth, being able to bring in
342
00:09:56,560 --> 00:09:58,320
software-defined radios for other radio
343
00:09:58,320 --> 00:10:00,640
types. I can just use Kismet and then
344
00:10:00,640 --> 00:10:03,279
parse that database real time. And so
345
00:10:03,279 --> 00:10:05,519
then the code itself is actually a
346
00:10:05,519 --> 00:10:07,519
Python script. It used to be one single
347
00:10:07,519 --> 00:10:08,720
script. Now it's a collection of
348
00:10:08,720 --> 00:10:10,480
scripts. With the help of AI, I was able
349
00:10:10,480 --> 00:10:12,320
to make it much more modular. It'll be
350
00:10:12,320 --> 00:10:13,519
much easier for other people to
351
00:10:13,519 --> 00:10:15,279
contribute to the project to be able to
352
00:10:15,279 --> 00:10:17,279
add into additional functionality. But
353
00:10:17,279 --> 00:10:19,040
yeah, it's just a collection of Python
354
00:10:19,040 --> 00:10:21,440
scripts that grabs the data from the DB,
355
00:10:21,440 --> 00:10:23,600
performs some analysis on it, starts
356
00:10:23,600 --> 00:10:25,440
looking for devices, and then generates
357
00:10:25,440 --> 00:10:27,200
obviously, like I said, the post reports
358
00:10:27,200 --> 00:10:28,640
for the maps and the things like that.
359
00:10:28,640 --> 00:10:29,600
But it's all Python.
360
00:10:29,600 --> 00:10:31,040
>> Sorry, the code is on GitHub. Is that
361
00:10:31,040 --> 00:10:31,200
right?
362
00:10:31,200 --> 00:10:33,519
>> It is. It's posted on GitHub. So, yeah.
363
00:10:33,519 --> 00:10:34,480
>> Okay, great. So, people can just
364
00:10:34,480 --> 00:10:34,959
download it.
365
00:10:34,959 --> 00:10:36,240
>> Absolutely. Chasing your tail.
366
00:10:36,240 --> 00:10:37,760
>> Just need a Raspberry Pi. Yes. So,
367
00:10:37,760 --> 00:10:38,480
Chasing Your Tail.
368
00:10:38,480 --> 00:10:40,399
>> Yeah, it's under my Argelius Labs, my
369
00:10:40,399 --> 00:10:42,000
small consulting company. It's on our
370
00:10:42,000 --> 00:10:43,200
GitHub. If you check that out, it's
371
00:10:43,200 --> 00:10:43,839
right there. So,
372
00:10:43,839 --> 00:10:46,640
>> I'll put links below. Yep. Um, so just
373
00:10:46,640 --> 00:10:48,399
any does it have to be a really modern
374
00:10:48,399 --> 00:10:49,600
Raspberry Pi or is it
375
00:10:49,600 --> 00:10:51,440
>> It does not. The original one was either
376
00:10:51,440 --> 00:10:53,519
on a two or a three, I forget. This is a
377
00:10:53,519 --> 00:10:55,519
five. I haven't tried it yet, but it
378
00:10:55,519 --> 00:10:57,279
should run fine on a zero. I think
379
00:10:57,279 --> 00:10:58,959
Kismet right now when it's humming uses
380
00:10:58,959 --> 00:11:01,760
up about 25% of the CPU on this, so it's
381
00:11:01,760 --> 00:11:03,760
not nothing, but anything Kismet will
382
00:11:03,760 --> 00:11:04,959
run on, this will run on because the
383
00:11:04,959 --> 00:11:06,320
code itself is actually very, very
384
00:11:06,320 --> 00:11:06,800
lightweight.
385
00:11:06,800 --> 00:11:08,399
>> So when you set this up, I mean, you
386
00:11:08,399 --> 00:11:09,680
obviously had an adapter, you had the
387
00:11:09,680 --> 00:11:11,040
Raspberry Pi, so there was only the
388
00:11:11,040 --> 00:11:12,399
monitor that cost you about $20 or
389
00:11:12,399 --> 00:11:12,959
something, right?
390
00:11:12,959 --> 00:11:14,800
>> Exactly. Exactly. And obviously this is
391
00:11:14,800 --> 00:11:16,320
a much bigger smaller form or a much
392
00:11:16,320 --> 00:11:18,240
larger form factor because it's going to
393
00:11:18,240 --> 00:11:19,440
be sitting in a booth where people
394
00:11:19,440 --> 00:11:20,800
standing around so they can see the
395
00:11:20,800 --> 00:11:22,560
screen, but the original one is much
396
00:11:22,560 --> 00:11:24,000
much tighter than this. Much much
397
00:11:24,000 --> 00:11:25,200
smaller and tighter. So
398
00:11:25,200 --> 00:11:27,839
>> So this is YouTube and sometimes the
399
00:11:27,839 --> 00:11:29,360
comments on YouTube aren't don't meet
400
00:11:29,360 --> 00:11:30,880
reality. So I'm going to I'm going to
401
00:11:30,880 --> 00:11:32,240
hit you with some of the comments that
402
00:11:32,240 --> 00:11:33,120
I'm sure we're going to get.
403
00:11:33,120 --> 00:11:33,760
>> Let it rip.
404
00:11:33,760 --> 00:11:36,079
>> Matt, no one's going to use a unique ID,
405
00:11:36,079 --> 00:11:37,040
especially if they work for the
406
00:11:37,040 --> 00:11:38,160
military. So you're not going to be able
407
00:11:38,160 --> 00:11:40,240
to find them. I have to tell you, I have
408
00:11:40,240 --> 00:11:42,720
been in rooms where I was the only one
409
00:11:42,720 --> 00:11:45,680
there who was not an SF operator. And
410
00:11:45,680 --> 00:11:47,200
this is not a government thing. Private
411
00:11:47,200 --> 00:11:49,440
sector does it too. We have a horrible
412
00:11:49,440 --> 00:11:52,880
habit of naming our you Wi-Fi the names
413
00:11:52,880 --> 00:11:54,560
of our specialty units. So, I've sat
414
00:11:54,560 --> 00:11:56,079
there in rooms where literally I was the
415
00:11:56,079 --> 00:11:57,600
only one that was not a special forces
416
00:11:57,600 --> 00:11:59,279
operator. And I love these guys. They're
417
00:11:59,279 --> 00:12:00,959
all my friends. I talked to them all.
418
00:12:00,959 --> 00:12:02,560
And it's like, okay, which one of you
419
00:12:02,560 --> 00:12:04,320
guys is stationed in 10th Mountain?
420
00:12:04,320 --> 00:12:06,000
Which one of you guys is a firstteamer?
421
00:12:06,000 --> 00:12:07,279
Which one of you guys? We had a
422
00:12:07,279 --> 00:12:09,120
lieutenant colonel walk in. His name was
423
00:12:09,120 --> 00:12:10,480
Chris and he was hanging out in the
424
00:12:10,480 --> 00:12:12,399
room. Very nice guy. After a couple
425
00:12:12,399 --> 00:12:14,000
minutes, I pull up on Google Maps a
426
00:12:14,000 --> 00:12:15,120
house. I'm like, "Sir, is this your
427
00:12:15,120 --> 00:12:15,760
house?" He's like,
428
00:12:15,760 --> 00:12:16,959
>> "Oh, wow."
429
00:12:16,959 --> 00:12:19,920
>> Yeah. Yeah, it is. So,
430
00:12:19,920 --> 00:12:21,360
>> And that's WiGLE that you found. You
431
00:12:21,360 --> 00:12:22,079
found the address, right?
432
00:12:22,079 --> 00:12:23,440
>> Exactly. Yeah, it's WiGLE. So,
433
00:12:23,440 --> 00:12:24,959
obviously, if you have a MAC address, if
434
00:12:24,959 --> 00:12:26,880
you're performing forensics, then it's
435
00:12:26,880 --> 00:12:29,279
no ambiguity. If you're going off Wi-Fi
436
00:12:29,279 --> 00:12:30,959
names, which is all you have for a probe
437
00:12:30,959 --> 00:12:32,720
request, then it's obviously depending
438
00:12:32,720 --> 00:12:34,560
on the if it's just Starbucks, if it's
439
00:12:34,560 --> 00:12:36,880
Linksys, you're not. But once again, we
440
00:12:36,880 --> 00:12:39,040
have a horrible, horrible habit of
441
00:12:39,040 --> 00:12:41,360
naming our Wi-Fi names that are funny
442
00:12:41,360 --> 00:12:43,360
and clever and unique, trying to impress
443
00:12:43,360 --> 00:12:44,959
our neighbors and friends. Funny and
444
00:12:44,959 --> 00:12:46,800
clever is great. Unique is not.
445
00:12:46,800 --> 00:12:48,160
>> Okay, but what about MAC addresses?
446
00:12:48,160 --> 00:12:51,200
Right? Because phones randomize the MAC
447
00:12:51,200 --> 00:12:52,480
addresses, and I'm assuming you're
448
00:12:52,480 --> 00:12:53,760
looking for someone carrying a phone in
449
00:12:53,760 --> 00:12:55,120
their pocket or something like that. So,
450
00:12:55,120 --> 00:12:57,519
how do you how do you manage that? cuz
451
00:12:57,519 --> 00:12:58,639
the MAC address could be changing all
452
00:12:58,639 --> 00:12:59,200
the time.
453
00:12:59,200 --> 00:13:01,120
>> Exactly. So, one nice thing about living
454
00:13:01,120 --> 00:13:02,959
in the desert like I do, Dave, is it's
455
00:13:02,959 --> 00:13:04,480
very easy for me to get away from
456
00:13:04,480 --> 00:13:06,160
everyone and everything and just start
457
00:13:06,160 --> 00:13:07,680
turning on devices and seeing what
458
00:13:07,680 --> 00:13:09,839
happens. And the iPhone in my pocket
459
00:13:09,839 --> 00:13:12,240
right now for probe requests, it was
460
00:13:12,240 --> 00:13:16,079
literally randomizing the MAC per every
461
00:13:16,079 --> 00:13:17,920
request. Every once in a while, I double
462
00:13:17,920 --> 00:13:19,680
dip and use it twice, but otherwise,
463
00:13:19,680 --> 00:13:21,279
every single request as I'm going
464
00:13:21,279 --> 00:13:22,560
through the pcaps and look at what's
465
00:13:22,560 --> 00:13:24,560
going on. And so a lot of people think
466
00:13:24,560 --> 00:13:27,680
that well that solves this problem.
467
00:13:27,680 --> 00:13:29,519
Randomized MAC solves the problem. But
468
00:13:29,519 --> 00:13:31,040
what they don't think about is it's the
469
00:13:31,040 --> 00:13:32,959
name of the networks you're looking for.
470
00:13:32,959 --> 00:13:33,360
>> Okay?
471
00:13:33,360 --> 00:13:35,279
>> So even if nothing sits there and shouts
472
00:13:35,279 --> 00:13:36,720
out Matt's house,
473
00:13:36,720 --> 00:13:39,120
>> right? Starbucks where Dave hangs out.
474
00:13:39,120 --> 00:13:40,720
It's the signature of like I don't care
475
00:13:40,720 --> 00:13:42,880
what MAC addresses you're using. When I
476
00:13:42,880 --> 00:13:44,639
see a device come in looking for these
477
00:13:44,639 --> 00:13:46,320
five things and I know it's yours, I
478
00:13:46,320 --> 00:13:48,000
know that's your device there. And that
479
00:13:48,000 --> 00:13:49,839
itself becomes a signature. I was doing
480
00:13:49,839 --> 00:13:51,839
a site assessment several years ago for
481
00:13:51,839 --> 00:13:53,760
a um government building here in the
482
00:13:53,760 --> 00:13:56,480
United States. And as I walked around
483
00:13:56,480 --> 00:13:58,240
the building, I was wearing some baggy
484
00:13:58,240 --> 00:13:59,519
jeans. I had everything running on a
485
00:13:59,519 --> 00:14:00,720
tablet. So, I just put it in my back
486
00:14:00,720 --> 00:14:02,800
pocket. And afterwards, you could see
487
00:14:02,800 --> 00:14:04,240
obviously where a lot of people worked
488
00:14:04,240 --> 00:14:05,600
to where a lot of people vacationed,
489
00:14:05,600 --> 00:14:07,680
hung out, etc. And I noticed that a lot
490
00:14:07,680 --> 00:14:09,440
of devices were looking for a network
491
00:14:09,440 --> 00:14:11,839
name that was very, very unique, but I
492
00:14:11,839 --> 00:14:13,279
had no idea what it was. It didn't give
493
00:14:13,279 --> 00:14:14,959
away the name of something. But when I
494
00:14:14,959 --> 00:14:16,560
put that into WiGLE, it was actually
495
00:14:16,560 --> 00:14:18,240
the federal courthouse up in Tempe in
496
00:14:18,240 --> 00:14:20,399
Phoenix, Arizona. And so just the fact
497
00:14:20,399 --> 00:14:21,839
of even if you don't know their names,
498
00:14:21,839 --> 00:14:23,199
if you if you didn't know what agency
499
00:14:23,199 --> 00:14:24,880
they work for, they're at the federal
500
00:14:24,880 --> 00:14:27,440
courthouse in Phoenix often enough that
501
00:14:27,440 --> 00:14:29,360
they've got that saved on there. And so
502
00:14:29,360 --> 00:14:30,800
that was one of the things that I would
503
00:14:30,800 --> 00:14:32,079
the reason I was doing that is they
504
00:14:32,079 --> 00:14:34,240
wanted me to present it from a force
505
00:14:34,240 --> 00:14:36,160
protection, from an awareness. It's
506
00:14:36,160 --> 00:14:37,600
like, you know, normally when I'm
507
00:14:37,600 --> 00:14:38,560
walking through the mall, when I'm
508
00:14:38,560 --> 00:14:40,720
walking through Costco, if my phone is
509
00:14:40,720 --> 00:14:42,480
broadcasting out where I look for, I I
510
00:14:42,480 --> 00:14:44,160
don't really care. But obviously when
511
00:14:44,160 --> 00:14:45,600
you come to places like hacker
512
00:14:45,600 --> 00:14:47,519
conventions or you go into countries
513
00:14:47,519 --> 00:14:49,440
where maybe we're not the most favored
514
00:14:49,440 --> 00:14:50,560
then you know you want to think about
515
00:14:50,560 --> 00:14:51,279
shutting that off.
516
00:14:51,279 --> 00:14:52,880
>> So explain the five I think it's 5
517
00:14:52,880 --> 00:14:54,800
minute 10 minute 15 minute or something.
518
00:14:54,800 --> 00:14:56,000
Explain what that's about because I'm
519
00:14:56,000 --> 00:14:57,279
assuming that's how you know if
520
00:14:57,279 --> 00:14:58,560
someone's tracking you or following you
521
00:14:58,560 --> 00:14:58,880
right
522
00:14:58,880 --> 00:15:01,120
>> exactly as I said earlier the um my
523
00:15:01,120 --> 00:15:02,720
original thought was location. I'm going
524
00:15:02,720 --> 00:15:04,160
to go to location one. Going to go to
525
00:15:04,160 --> 00:15:06,079
location two. Going to location three.
526
00:15:06,079 --> 00:15:08,399
In a big city that works great. But with
527
00:15:08,399 --> 00:15:10,000
the environment that this was in when it
528
00:15:10,000 --> 00:15:11,839
was a desert and you'd be me driving for
529
00:15:11,839 --> 00:15:14,720
60, 90, 120 minutes, there are no
530
00:15:14,720 --> 00:15:16,399
locations. And so then, like I said, I
531
00:15:16,399 --> 00:15:18,240
had to quickly shift to temporal.
532
00:15:18,240 --> 00:15:20,639
>> I had to say, do I see a device right
533
00:15:20,639 --> 00:15:22,480
now within the past minute
534
00:15:22,480 --> 00:15:25,440
>> that I also saw 5 to 10 minutes ago that
535
00:15:25,440 --> 00:15:27,839
I also saw 15 to, you know, 10 to 15
536
00:15:27,839 --> 00:15:30,480
minutes ago, 15 to 20 minutes ago. Cuz
537
00:15:30,480 --> 00:15:31,600
if so,
538
00:15:31,600 --> 00:15:33,040
>> that's, you know, something worth
539
00:15:33,040 --> 00:15:34,639
noting. Exactly. Something worth noting.
540
00:15:34,639 --> 00:15:36,240
There's something going on. So,
541
00:15:36,240 --> 00:15:38,320
>> Matt, I got to ask you stories. Have you
542
00:15:38,320 --> 00:15:39,920
got any examples where people have used
543
00:15:39,920 --> 00:15:42,160
this and told you like, "Okay, I found
544
00:15:42,160 --> 00:15:43,519
out some interesting things."
545
00:15:43,519 --> 00:15:45,680
>> Uh, have I had any stories where I found
546
00:15:45,680 --> 00:15:48,880
out interesting things. The best results
547
00:15:48,880 --> 00:15:50,320
I've had is people using it for search
548
00:15:50,320 --> 00:15:51,759
and rescue. They've all been
549
00:15:51,759 --> 00:15:53,279
heartwarming. They've been good stories
550
00:15:53,279 --> 00:15:54,639
using it for search and rescue, which I
551
00:15:54,639 --> 00:15:59,040
found. I was in Washington DC a uh this
552
00:15:59,040 --> 00:16:00,800
is just about a month ago and at this
553
00:16:00,800 --> 00:16:02,480
point my Black Hat talk was three years
554
00:16:02,480 --> 00:16:04,720
ago this event and I had someone I don't
555
00:16:04,720 --> 00:16:06,320
want to say what agency it was but I had
556
00:16:06,320 --> 00:16:07,920
someone coming up to me and they said
557
00:16:07,920 --> 00:16:10,000
hey you're the guy from Chasing Your
558
00:16:10,000 --> 00:16:12,560
Tail and I said yeah I am he's like and
559
00:16:12,560 --> 00:16:14,079
the agency he worked for one of their
560
00:16:14,079 --> 00:16:15,920
huge mandates is force protection
561
00:16:15,920 --> 00:16:17,360
protecting executives protecting
562
00:16:17,360 --> 00:16:19,120
facilities he's like oh no that was like
563
00:16:19,120 --> 00:16:21,360
a seminal talk for us and we actually
564
00:16:21,360 --> 00:16:23,199
like oh yeah no we basing a lot of stuff
565
00:16:23,199 --> 00:16:24,800
off that and everything I'm like I'm
566
00:16:24,800 --> 00:16:26,240
actually presenting an updated version
567
00:16:26,240 --> 00:16:27,759
this year. So, good news for you if
568
00:16:27,759 --> 00:16:28,720
you've tried to get up and running.
569
00:16:28,720 --> 00:16:30,160
There's some great improvements. So,
570
00:16:30,160 --> 00:16:31,920
yeah, it's been some of that. I haven't
571
00:16:31,920 --> 00:16:34,240
ever had the um thankfully in a lot of
572
00:16:34,240 --> 00:16:36,079
ways I haven't ever had the oh, I found
573
00:16:36,079 --> 00:16:38,320
a stalker because of you. It was just
574
00:16:38,320 --> 00:16:40,240
more of like I said, helping people have
575
00:16:40,240 --> 00:16:42,800
a little bit of a peace of mind from the
576
00:16:42,800 --> 00:16:44,959
ER search and rescue or protecting
577
00:16:44,959 --> 00:16:46,720
locations. Those have been the uh I
578
00:16:46,720 --> 00:16:47,839
think my favorite stories that I've
579
00:16:47,839 --> 00:16:48,959
gotten back so far.
580
00:16:48,959 --> 00:16:52,639
>> Okay. So, you are checking for SSIDs,
581
00:16:52,639 --> 00:16:53,920
you're checking for MAC addresses, is
582
00:16:53,920 --> 00:16:55,120
that right? Correct.
583
00:16:55,120 --> 00:16:56,399
>> Did you say doing something with
584
00:16:56,399 --> 00:16:57,199
Bluetooth as well?
585
00:16:57,199 --> 00:16:58,480
>> Yeah, Bluetooth. Exactly. You were
586
00:16:58,480 --> 00:16:59,759
checking for Bluetooth the same way as
587
00:16:59,759 --> 00:17:01,519
we're checking for Wi-Fi because once
588
00:17:01,519 --> 00:17:03,279
again comes back to the even a
589
00:17:03,279 --> 00:17:05,760
nation-state group, even a group of
590
00:17:05,760 --> 00:17:08,000
trained operators are likely going to
591
00:17:08,000 --> 00:17:09,600
have cell phones. A lot of us have
592
00:17:09,600 --> 00:17:11,839
Bluetooth headsets now, AirPods or
593
00:17:11,839 --> 00:17:13,760
those, etc. And so that's one of those
594
00:17:13,760 --> 00:17:15,120
things that we can start to track for
595
00:17:15,120 --> 00:17:17,039
too. And anything that Kismet can
596
00:17:17,039 --> 00:17:19,199
detect, we can start to look for. So we
597
00:17:19,199 --> 00:17:20,959
can easily modify this to just start
598
00:17:20,959 --> 00:17:22,160
looking for AirTags too
599
00:17:22,160 --> 00:17:23,439
>> because you were mentioning about tires.
600
00:17:23,439 --> 00:17:24,799
Sorry to interrupt you. So, Oh, no, no,
601
00:17:24,799 --> 00:17:26,160
yeah, the tires, that's another thing.
602
00:17:26,160 --> 00:17:28,960
It's um fairly short distance, but the
603
00:17:28,960 --> 00:17:30,559
uh the low pressure sensors and tires,
604
00:17:30,559 --> 00:17:32,799
the TPMS, that is actually if you want
605
00:17:32,799 --> 00:17:34,559
to go software-defined radio route
606
00:17:34,559 --> 00:17:36,080
capability in this, that can be
607
00:17:36,080 --> 00:17:37,520
something you could look for, too.
608
00:17:37,520 --> 00:17:38,880
Obviously, it's got a little bit shorter
609
00:17:38,880 --> 00:17:40,160
distance. It's a little longer than
610
00:17:40,160 --> 00:17:42,240
people think. Like, you can still detect
611
00:17:42,240 --> 00:17:43,840
it from your house of cars going by your
612
00:17:43,840 --> 00:17:45,360
road if your house is fairly closer to
613
00:17:45,360 --> 00:17:47,120
your road. So, it's a little bit longer
614
00:17:47,120 --> 00:17:50,160
than just like 6 ft away, but it's Wi-Fi
615
00:17:50,160 --> 00:17:51,280
and Bluetooth. You're going to get
616
00:17:51,280 --> 00:17:51,919
better range.
617
00:17:51,919 --> 00:17:55,039
>> Okay. So, cell phones, um, any Bluetooth
618
00:17:55,039 --> 00:17:57,280
device like headsets, stuff like that,
619
00:17:57,280 --> 00:17:59,919
tires on cars, anything that's basically
620
00:17:59,919 --> 00:18:02,000
giving a signal, Bluetooth or Wi-Fi.
621
00:18:02,000 --> 00:18:03,200
>> Exactly. A lot of people don't realize
622
00:18:03,200 --> 00:18:04,640
now too. This is the way a lot of
623
00:18:04,640 --> 00:18:06,400
detecting, one of the things that I
624
00:18:06,400 --> 00:18:08,400
teach is detecting modern drones and
625
00:18:08,400 --> 00:18:10,000
modern drones now are giving out that
626
00:18:10,000 --> 00:18:12,320
beacon on a lot of usually now it's long
627
00:18:12,320 --> 00:18:14,000
range Bluetooth. People think of
628
00:18:14,000 --> 00:18:15,200
Bluetooth, right? We think about it as
629
00:18:15,200 --> 00:18:16,400
something for our keyboards or think
630
00:18:16,400 --> 00:18:18,080
about something as our AirPods. No,
631
00:18:18,080 --> 00:18:20,000
we're detecting drones a kilometer out
632
00:18:20,000 --> 00:18:22,559
on a device that costs less than $100 to
633
00:18:22,559 --> 00:18:23,039
build.
634
00:18:23,039 --> 00:18:24,400
>> Do you want people to reach out to you
635
00:18:24,400 --> 00:18:25,760
or you you don't want
636
00:18:25,760 --> 00:18:28,880
>> that? They're welcome to. Yeah, I got so
637
00:18:28,880 --> 00:18:30,320
many people reaching out to me last
638
00:18:30,320 --> 00:18:31,760
time. And it was funny. I've since
639
00:18:31,760 --> 00:18:33,360
retired from the government, but at that
640
00:18:33,360 --> 00:18:34,799
point, I was a federal agent. I was a
641
00:18:34,799 --> 00:18:36,880
federal agent for 22 years. And I had so
642
00:18:36,880 --> 00:18:38,320
many people, it's comical, reaching out
643
00:18:38,320 --> 00:18:39,520
to me. It's like, well, how do I know
644
00:18:39,520 --> 00:18:40,799
you're really the one from Black Hat and
645
00:18:40,799 --> 00:18:42,400
Wired? How do I know? How do I know
646
00:18:42,400 --> 00:18:44,080
you're not a Fed? And I'm like, I am
647
00:18:44,080 --> 00:18:45,760
literally a Fed.
648
00:18:45,760 --> 00:18:47,600
>> I said that in my talk. So,
649
00:18:47,600 --> 00:18:49,600
>> so I mean assuming that no one's wanted
650
00:18:49,600 --> 00:18:52,000
by the FBI, can they reach out to you on
651
00:18:52,000 --> 00:18:53,280
like LinkedIn or somewhere?
652
00:18:53,280 --> 00:18:54,880
>> Absolutely. I am the world's easiest
653
00:18:54,880 --> 00:18:56,559
person to get a hold of on LinkedIn on
654
00:18:56,559 --> 00:18:59,440
Twitter. My account name is Matt0177
655
00:18:59,440 --> 00:19:01,600
everywhere. So, if you uh if you can't
656
00:19:01,600 --> 00:19:03,200
get a hold of me, you're not trying.
657
00:19:03,200 --> 00:19:05,200
>> Matt, you were demoing this at Sorry,
658
00:19:05,200 --> 00:19:06,880
you are demoing this at the Arsenal
659
00:19:06,880 --> 00:19:08,320
section in Black Hat. What is What is
660
00:19:08,320 --> 00:19:09,440
the Arsenal section about?
661
00:19:09,440 --> 00:19:11,679
>> Arsenal is fantastic. So, you can
662
00:19:11,679 --> 00:19:13,120
present to Black Hat on a variety of
663
00:19:13,120 --> 00:19:14,960
topics. Arsenal is down here in the
664
00:19:14,960 --> 00:19:16,400
business hall. So pretty much anyone
665
00:19:16,400 --> 00:19:18,080
with any form of Black Hat Pass can get
666
00:19:18,080 --> 00:19:19,919
to it. And it's basically it's a new
667
00:19:19,919 --> 00:19:21,840
tool or an updated tool that you have
668
00:19:21,840 --> 00:19:23,200
that you want to share with the
669
00:19:23,200 --> 00:19:24,640
community. So it's got to be open
670
00:19:24,640 --> 00:19:26,640
source. It's the focus has to be on the
671
00:19:26,640 --> 00:19:28,240
tool, not a company. Right. It can't be
672
00:19:28,240 --> 00:19:30,559
a thinly veiled way to just Exactly.
673
00:19:30,559 --> 00:19:31,840
trying to sell a product or anything. It
674
00:19:31,840 --> 00:19:33,280
has to be open source. The focus has to
675
00:19:33,280 --> 00:19:35,120
be on a tool. And it's constantly
676
00:19:35,120 --> 00:19:37,280
rotating. So you'll go there, you'll see
677
00:19:37,280 --> 00:19:38,480
everything they have, and there's be
678
00:19:38,480 --> 00:19:39,919
like 10 different booths. Then you'll
679
00:19:39,919 --> 00:19:41,039
come back an hour and a half later and
680
00:19:41,039 --> 00:19:43,200
it's 10 new tools. So I always every
681
00:19:43,200 --> 00:19:44,799
time I come to Black Hat always pop my
682
00:19:44,799 --> 00:19:46,240
head into Arsenal and walk around and
683
00:19:46,240 --> 00:19:47,840
always find out like oh that's kind of
684
00:19:47,840 --> 00:19:49,280
cool. So yeah I've never actually
685
00:19:49,280 --> 00:19:50,960
presented at Arsenal before. This will
686
00:19:50,960 --> 00:19:52,480
be my first time. So I'm excited.
687
00:19:52,480 --> 00:19:55,039
>> De thanks so much for sharing
688
00:19:55,039 --> 00:19:58,240
it. Thank you. Appreciate him.