Top Hacker Shows Us How It’s Done by Pablos Holman (Full Transcript)

And the point of that is that when that happens you inherit all the security properties and problems of PCs. And we have a lot of them. So keep that in mind, we can talk more about that later. Anybody use a lock like this on your front door? Okay, good. I do too.

This is a Schlage lock. It’s on half of the front doors in America. I brought one to show you. So this is my Schlage lock. This is a key that fits the lock, but isn’t cut right, so it won’t turn it. Anybody here ever tried to pick locks with tools like this? All right, got a few, few nefarious lock pickers. Well, it’s for kids with OCD. You’ve got to put them in there, and finick with them, spend hours getting the finesse down to manipulate the pins. You know, for the ADD kids in the house there’s an easier way. I put my little magic key in here, and put a little pressure on there to turn it, smack it a few times with this special mallet and I just picked the lock. We’re in. It’s easy.

And in fact, I don’t really know much more about this than you do. It’s really, really easy. I have a keychain I made of the same kind of key for every other lock in America. And if you’re interested, I bought a key machine so that I can cut these keys and I made some for all of you guys. So my gift to you, come afterwards and I will show you how to pick a lock and give you one of these keys you can take home and try it on your door.

Anybody used these USB thumb drives? Yeah, print my Word document, yeah! They’re very popular. Mine works kind of like yours. You can print my Word document for me. But while you’re doing that, invisibly and magically in the background it’s just making a handy backup of your My Documents folder, and your browser history and cookies and your registry and password database, and all the things that you might need someday if you have a problem. So we just like to make these things and litter them around at conferences.

Anybody here use credit cards? Oh, good! Yeah, so they’re popular and wildly secure. Well, there’s new credit cards that you might have gotten in the mail with a letter explaining how it’s your new “Secure credit card”. Anybody get one of these? You know it’s secure because it has a chip in it, an RFID tag, and you can use these in Taxicabs and at Starbucks, I brought one to show you, by just touching the reader. Has anybody seen these before? Okay, who’s got one? Bring it on up here. There’s a prize in it for you. I just want to show you some things we learned about them. I got this credit card in the mail. I really do need some volunteers, in fact, I need one, two, three, four, five volunteers because the winners are going to get these awesome stainless steel wallets that protect you against the problem that you guessed, I’m about to demonstrate.

Bring your credit card up here and I’ll show you. I want to try it on one of these awesome new credit cards. Okay.

Do we have a conference organizer, somebody who can coerce people into cooperating? It’s by your own volition because — This is where the demo gets really awesome, I know you guys have never seen —

[Question Inaudible]

What’s that? They’re really cool wallets made of stainless steel.

Anybody else seen code on screen at TED before? Yeah, this is pretty awesome. OK, great I got volunteers.

So who has one of these exciting credit cards? OK, here we go. I’m about to share your credit card number only to 350 close friends. Hear the beep? That means someone’s hacking your credit card. OK, what did we get? Valued customer and the credit card number and expiration date. It turns out your secure new credit card is not totally secure.

Anybody else want to try yours while you’re here?

Male Audience: Can you install overdraft protection?

Pablos Holman: Beep, let’s see what we got. So we bitched about this and AMEX changed it, so it doesn’t show the name anymore. Which is progress. You can see mine, if it shows it. Yeah, it shows my name on it, that’s what my Mom calls me anyway. Yours doesn’t have it.

Anyway, so next time you get something in the mail that says it’s secure, send it to me.

Oh wait, one of these is empty, hold on. I think this is the one, yep, here you go. You get the one that’s disassembled. All right, cool.

I still have a few minutes yet left, so I’m going to make a couple of points. Oh, shit. That’s my subliminal messaging campaign. It was supposed to be much faster.

Here’s the most exciting slide ever shown at TED. This is the protocol diagram for SSL, which is the encryption system in your web browser that protects your credit card when you’re sending it to Amazon and so on. Very exciting, I know, but the point is hackers will attack every point in this protocol, right? I’m going to send two responses when the server’s expecting one. I’m going to send a zero when it’s expecting a one. I’m going to send twice as much data as it’s expecting. I’m going to take twice as long answering as it’s expecting. Just try a bunch of stuff. See where it breaks. See what falls in my lap.

When I find a hole like that then I can start looking for an exploit. This is a little more what SSL looks like to hackers, that’s really boring. This guy kills a million Africans a year. It’s the Anopheles stephensi mosquito carrying malaria. Is this the wrong talk? This is a protocol diagram for malaria. So what we’re doing in our lab is attacking this protocol at every point we can find. It has a very complex life cycle that I won’t go into now, but it spends some time in humans, some time in mosquitoes, and what I need are hackers. Because hackers have a mind that’s optimized for discovery. They have a mind that’s optimized for figuring out what’s possible. You know, I often illustrate this by saying, if you get some random new gadget and show it to your Mom, she might say, “Well, what does this do?” And you’d say, “Mom, it’s a phone.” And instantly, she’d know exactly what it’s for.
