[MUSIC] [MUSIC] With that, I would like to introduce our next speaker, Kirill. He will be speaking about social engineering. So please give a round of applause for Kirill. >> [APPLAUSE] >> Thank you, thank you. Wow, didn't expect this size of crowd. Cool t-shirt, by the way. So my name is Kirill and I think my first KS event was back in 2010. So it was a pleasure to be to all of them. I run a security company, but I do love social engineering and talking to people and getting things achieved. So this presentation is a very beginner kind of presentation, very hands on. When I was making the slides, I could not avoid to include some theory at the beginning. But what I hope all of you will leave with is some hands on things that you can try right now at the camp and that you can try later in the airport or in the train when going back home. So yeah, these are things we're gonna talk about. You see them in the agenda, imagine. Let's go through them. So what is social engineering? Social engineering is actually a subfield of offensive cyber security. And social engineering itself is a field that includes many different subfields of ways to get your way. And one thing I wanna focus on real quick, and these are the theory slides. So I'm gonna go through them real quick. You're gonna have the slides available today on keros.org if you wish. But one important thing, really one of the cornerstones to keep in mind is that when you social engineer an organization instead of a single individual, it's always a cycle. So you never start with preparation, then build some trust and exploit, and then you're done. It's never linear. It's always a cycle, and it's always a cycle because you cannot and should not ask everything from a single employee, from a single contact, everything at once. You should never do that. So the cycle is you do your research, you do your homework without ever talking to anyone, without ever contacting anyone. Then you target someone, some individual, then you build trust, and then you exploit that trust relationship for your benefit. So this is basically the social engineering attack cycle. Now once again, real quick, I'm gonna go through this real quick. I could talk about this slide for 20 minutes, I think. So the attack types that you have in person, right? You have impersonation, which is what most social engineering encounters are actually based on. You pretend to be someone else entirely, or you pretend to be maybe a bit higher or a bit otherwise privileged than you actually are. You can pretend to be VIP, like a CEO of a company, if it's a large company, a user calling tech support or tech support calling user. Or you can appeal to authority saying, yeah, but the big boss said, even though it's against rules, he'll take full responsibility for that. So it sometimes works. Reverse social engineering is also a cool thing, right? You can try to make sure that the person that you are, social engineering, we call them the mark, that they contact you. Because actually one of the hardest things for a professional social engineer to overcome is battle for your time. You're there watching a movie, working with a work document, and someone calls you, someone emails you, someone approaches you. The hardest thing is actually to make sure that the person gives enough attention to you, and the easiest way to work with that is reverse social engineering. Breaks their computer, they call you. Identity theft, of course, and just stealing someone's photo and name and making fake social profile, fake driver application on the map and so on. Now for access, we have tailgating and piggybacking. The first one is without the person's knowledge, right? You try to enter a restricted area. Piggybacking is with the person's knowledge, right? So you have a fake badge, they look at you, they open the door for you. Key duplication, maybe it's not a very human attack, but it does have a human factor, so we can talk about that in a bit as well. Acquisition finally. So to acquire some data passively, you can eavesdrop. You can talk about that, you can shoulder surf, and you can dumpster dive, of course, my favorite. It's getting harder and harder with all the green stuff going on and trash being divided and segregated, hate segregation. But you can actually pay people to do that for you. You can teach them how hard drive looks, how flash looks, how a document looks, and what you want. Now for remote attack types, we have, of course, many, many, like phishing, spear phishing, targeting someone usually over email. Vishing, so voice solicitation over the phone usually. App impersonation, so creating a fake app as well. It also includes an aspect of social nearing and a bunch of others. You can look up the methodology online. So delivery vehicles, and it's really important to understand both for offensive perspective and defensive perspective. It can be emails, it can be phone calls, it can be USB drops. Sometimes when we have a customer that is really well trained, we print their logo on the USB before we drop it. So then, you know, someone lost it. We'll plug it into the computer and they try to find out which colleague lost the USB. Instant messages, of course, SMS, social networks, traffic injection. I'm not sure if it got fixed, so I think Google, together with some other browsers, browser manufacturers worked on a standard or something, but like ten years ago, basically, if you have a hotspot in the airport, and you need to click I agree to the rules, that page gets injected and you have HTTPS and there's an exception, so you can kind of start injecting malware or some prompts, enter your PNR, so passenger name record locator, enter your surname, and bam, you can cancel someone's flight in the airport. Stuff happens. Yeah, and of course, malware and adware can also be used for attacks, nothing new. Some years ago, if you were Googling for an anti-malware solution, the top sponsored links were malware, so you can actually inject it that way as well. Okay, that's the theory. Now let's go to the slow slides. So in my opinion, there are just three components to being a social engineer. You have to be confident, you have to be quick-witted, and you have to be determined. So if we take a look at the confidence trick or a con man, right, it's actually shorthand for confidence man, since it's an old term. So those are the people that try to trick you into doing stuff. Like I was walking along Seine in Paris 15, 18 years ago, I was first approached by a con man. And basically, there are various tricks they do, right? They drop the ring and say, you lost the ring, now it's not yours, okay, but you keep it, and then it's good luck, it's real gold, and then you leave. And two seconds later, they turn around, I need some money, can you help me? So those kind of comments, right? So it comes from there, and basically all they play on is confidence, and it's the same feature, the same thing that we need as a social engineer. So you have to project confidence when you are social engineering someone, it's super important. The first step to being able to project confidence is convincing yourself first. If you're not sure that you're confident enough to do that attack, then you cannot, you can, you can do it, but you should not do it. It will likely not work. And don't worry, I'll have some other things, some other tips and tricks, some other practical things you can do before actually performing actual attacks so you can build that up. For the quick-witted part, you need to be ready to be challenged, because someone is gonna challenge you, right? It happens all the time. Basically, you can either be really, really on your toes and be ready to answer anything, right? I'll have some examples later on in the practical section. Or you can try to substitute it with a lot of preparation, and I really mean a lot. So you have to build a mind map of all the possible questions you're gonna get asked, and then you don't need that. But it's not practical, but that's something you can do. And finally, you have to set a goal and work towards it. It's easy to get lost on your way to trying to achieve your goal as a social engineer for a specific target, but you shouldn't. You always keep your goal in mind. Actually, there's a song, I'm from Latvia, by the way, there's a song by Brainstorm. It's called There Is Something To It. And I love the song because it reminds me of one of the parts, one of the internal parts of my social engineering and how I do it. It's in Latvian here, but I'll translate it for you. It goes like this. I reached out and got it all. According to my list, I was amazed. Man, that's something magical. Simply focus on what's important, put in a little effort, and look, you've got it. So yeah, now a bit about Austin. How do you prep for social engineering? Open source intelligence is a separate topic all in all itself. You can find lots of videos on it. And it basically means we try to collect existing intelligence from openly available sources. So without accessing any databases that would require you to hack your government or something like that. So what are the sources then? We can, of course, use the web and the dark sense sometimes, even though as many of you know it's overrated, but you can take a look in there as well. Social networks, really important. Metadata. 2023, many companies still do not purge metadata. So unless you're a provider, like unless you use Facebook or some kind of Amazon service or something to publish your stuff, if your provider doesn't prune that for you, most likely you are, well, the target's employees are publishing stuff with their name on it. And sometimes publishing pictures with GPS locations. And all the large social networks, like Meta, for example, they prune the GPS coordinates because the users never learn to do that, which is understandable, I guess. Now, network and service scans as well. It depends on your local legislation, if it's how legal it is and how deep you can scan. Fingerprinting services, of course. And finally, I can highly recommend the OSINT framework at osintframework.com. It's a small sample of it. So basically you click on a category. It's a mind map. And on the leaves of the tree, you have different resources that you can use for assisting your social media attempts. Now for web, you can, of course, use Google Dorks like that, like that, or like that, or like that. These are just some examples that I use. But I think in ExploitDB, they are the subcategory for Google Dorks. I don't like that. I mean, I suggest you learn the actual qualifiers for Google or other search engines you use, and that's quite cool. Of course, you can also get cached web pages. Some other URLs. Pastebin. Sometimes at hacker conferences or during leaks, people paste stuff on Pastebin, online comments and news sites, different maps. It's really important to have different map sources. So if you want to scout a location without actually driving to it, different map sources will have what? They will have different dates for their live photos or for their aerial photos. So you get different perspectives. Webcams. There are a bunch of it. People usually leave the password to the password so you can connect and take a look. Preemptively, Web Archive work for real archiving purposes. TNI, like reverse image search, it's the first one that's dedicated to reverse image search. It's okay. Once again, it provides different results than, for example, Google or Microsoft Search. Blockchain info if you're doing stuff with blockchain. Shodan I/O or sensors I/O, you can use that as well. And different leaks. I collect leaks because they're sometimes useful. You have a database, you can take a look in there. Now, to close down the web section of OSSAN. There are different people search engines. SyncMe was really, really cool until 2019 because GDPR came in 2018 and it's screwed with us being able to easily access it. So SyncMe basically worked in a way that their selling point was there's this app, you install the app on your phone, and if an unknown number calls you, it shows you the name of the person calling you. Now, in the license agreement, in the user agreement for the app, it said we're going to transfer your phone book to our servers. So what you could also do is you could put any random number in there and you could get the name and surname of the person. Even the president of my country, Latvia, was there back in the day when I tested it first. You can also use Google Dork for searching people, of course. Different public registries, so-called deep web, which is not indexed, but every country has their public registries. Many of them in Europe at least are publicly available because of transparency. Online news and so on. And also we have these additional resources for web that are quite useful. For social networks, there are different social networks. Any one that you can imagine, these are the ones that I found most useful in my escapades. And account recovery process sometimes gives nice info. Now, even if your goal is not to take over an account, you can still get some digits from phone number or a domain from an email address of a person of anonymous account. Very valuable, awesome tools on the site, especially for social networks, different readymade tools. Nothing super hacky or super fancy, but it's all in there so you don't have to waste time searching approaches for separate social networks. Right on. So the next or the first step is pretext. We talked about it just a bit, now we can talk about it more. So it's part of the preparation. Preparation has basically two parts. You research your mark, the person you're going to be attacking, and you prepare yourself. And in preparing yourself, pretext is really important. So what's your role? Meaning who do you want to play today? Are you going to be the CEO? Or are you going to be the employee that has lost their password? Or are you going to be the mother of an employee in distress? And your mother sometimes can be really convincing on the phone. But my kid is, "No, no, no, problem, problem." "Okay, I don't want to deal with that, here's your password." So that's really important. But don't make it too crazy. Don't go, "Hello, this is Napoleon Bonaparte and I'm calling you because your password has expired." Doesn't work, I think. So it has to be something realistic. And by the way, before we go to that, one more thing, be ready for challenges. When choosing your persona, for example, where I come from, a big part of the celebrations that we have is name days, right? Every person, every name, every first name that the person has is in the calendar on a specific day. So if you're John or Peter or Anna, you best know when your date is in the calendar because people sometimes ask in my experience. So you have to think about the questions that we'll ask. But we're going to get back to that in just a sec. So next thing is why are you doing this? And it ties to choosing your persona. So during pretext, you have to choose a role that facilitates what you're trying to do here, right? Maybe choosing CEO of a company if you forgot your password may be good in some cases, but probably not the most optimal one. Probably choosing a really annoying and critical employee would be best for that. So make sure that your role that you've chosen matches your goal that you're trying to achieve. And once again, you really have to convince yourself first that you're really that person that you're pretending to be, that you're playing. I'm going to give you once again some tips in the end, some practical tips, and improv is what really, really helped me. Because I do actually get the feeling that I'm that person for that second, for that minute, for that half an hour, how long that interaction is going to go. And you have to challenge yourself. If it doesn't work for you, you can ask help from friend. But if it doesn't, simply try. Okay, so I mean, we have some hackers here, I imagine. You like to find bugs, right? You try to find vulnerabilities, holes. So you have to try to find some holes in your story. See what happens if they ask me this? Am I really that person? Well, maybe what if they ask me for a D card, right? It may happen. You have to, I mean, it doesn't mean you have to always make a fake ID card, which is a technique, a valid technique. But you have to be ready with a response. And by response, I don't mean necessarily verbal response. I mean, if you decide that you're going to run, you can decide that you're going to run. But you have to decide beforehand. It shouldn't be decision made there and then. So a bit about human behavior and decision making. So the things that we're going to work with as social engineers, one of the things is everyone loves to help. Most people love to help, right? Also, people generally try to avoid conflict. Most people don't thrive on conflict. They don't like it. So if they are faced with a reasonable choice of having an argument or not having an argument, many of them will choose to not have an argument. Now then, there are some people that in life have built up a skill enough that they make consistently good decisions. Most people make good decisions on the best effort basis. And a rare person can make a good decision when rushed. So that's another aspect that we can use. We can try and ask the person to hurry up. Which is why the scammers that try to give you a million dollars actually say you have 20 minutes to do this, otherwise money is gone. Because that's just human nature. Now, there is an exception or some exceptions to the first part where everyone loves to help. There are some hard targets. Some roles that are, you know, when you've mastered basic social engineering, you go and try to socialise those guys. Like guards or people that are trained to work with external customers that try to lie to them. I'll give you an example. Let's say you wanted to get a free ticket to something, right? And you've got the ticket place and you say, okay, so my name is this and this and I have a ticket reserved. If the person is trained to work with customers, they will ask you for proof of ID or QR code or something, right? But if you manage to somehow go to someone that is not trained to work with customers, to a middle manager or go just outside the working hours where the customer person is gone, they may not know what to do. So that's the easy target. I have a story about guards that I'd like to share for the first time publicly. So I was active in the student politics movement many years ago and every year in September there are big celebrations all over the country, of course, new students coming in. And I was in student politics so I had some drinks lined up with the rector of university. And the drinks were happening in the same place where the big event was happening, right? And to get to the rector's place, I had to go through the VIP. And the organizer at the time didn't want to give me the VIP. So I went, took a look at the VIP bracelets. They were black paper bracelets with text VIP on it. We have bracelets in the office, so I opened up the cabinet, I grabbed the black bracelet, didn't print VIP on it, didn't even try to write it by hand, so just a black bracelet. So I got into VIP. I was chilling with the rector. And the tradition is at midnight, the rector and some student leaders and invited guests go to the stage to sing a song. And I was dragged along with. So we are backstage waiting for the singing song. So now the student organizers know that I don't have the VIP. So they talk to a guard and say, "Hey, check that guy out. He shouldn't be here." And I hear that. So that's one of the things of social engineering. You have to be receptive to different things happening around you. So I hear that. And now I have, I don't know how many seconds at the time, but in reality I had 15 seconds to think because you can't prepare everything. I had 15 seconds to decide what I'm going to do when the guard comes. And I decided to move the bracelet. Well, it was an event with suits, right? So I had a suit. I decided to move the bracelet on my hand. So I was going to play, I don't have a bracelet. It worked. So he came to me and asked me if I could show the bracelets. And I told him I'm his rector. He went away. That's it. If I were to show him the black bracelet without VIP on it, we might have had a different discussion. So you have to be on your toes. Right. Let's move forward. So how to leverage social normativity in persistent situations. I'm just going to give you some examples here. The first one isn't actually mine. It's from a colleague, a fellow social engineer from the US. And they sometimes post these stories on how they do social engineering engagement. I really love this part. So in their company where they work, they have a fake pregnancy belly that you can put on. So they have a female employee. And at this specific engagement, she puts on the belly. She goes to Starbucks, asks for many, many coffees, as many as you can. Not coffees, cups. She fills the cups with water, so it's cheaper. And then tries to get in. Right? Who the hell would not open the door? Right? And that's people. That's it. People like to be nice. Right? And are you going to close the door in her face? Probably not. And you don't even -- mostly you don't even need all that. You just tailgate someone, and if it's a large enough company, if it's rush hour, when do we have rush hour? Well, during lunch. Right? So people return from lunch in throws. Then when you can do it, that's the best time. And people are unlikely to close the door in your face. Which is, you know, I mean, we do defensive work as well, and it's really hard to advise my customers what to do. It's human nature. You can't really fix this. Unless you do some physical things like man traps where you can't physically walk in. But it's a different story. Then you can, of course, just ask for a favor. And if you have enough time, you just wait for a good hair day. Right? When the person is happy. When the person is shining, then you go and ask, can I get free upgrade to business class, please? Sometimes works. Yeah. I mean, one important thing about corporate world is that usually, mostly, like 99% of the time, you're not talking to the people who own the company's money. Right? The employee doesn't care if the company loses a couple hundred euros. It's not, I mean, not their problem. Then one more thing is you can hint at creating conflict and provide an easy way to avoid it. And it's really important that there is an easy way to avoid it. Myself, I'm struggling with this one here personally. I sometimes entice a bit too much of a conflict and then the person logs down because they see, okay, there's no way out of this. I'm going to buckle down. So it has to be light. And it can't be above the pay grade of whom you're targeting. So if you're talking to an employee, service level, first level support, and they don't have the possibility to waive the fees that you want to get waived, then it's not going to work either. You have to escalate it first in some way. All right. So the next part is on building rapport and trust. I decided to not talk about it because of time constraints. But I do have a presentation from 2017 at OpenFest. It's on lobbying. And half of it is about building rapport and trust. So it basically talks about how to get people to talk to you or how to get people to like you. So you can take a look at it if you want to work with that part. But what's important for social engineering is that this part of building rapport and trust can be short, can be really short, and can be very long. So I'll give you two contrasting examples. For the short one, imagine a scammer somewhere. And I don't like it, but they are also social engineers. So a scammer somewhere sending you emails saying, I'm an Napoleon Bonaparte and I owe you $1 million. You can just pay me $100 and I'm going to transfer to you real quick. And in emails like that, they try to build trust right there in the same email. So it takes a couple seconds, 10 seconds, 20 seconds. It's not really effective for most people, but it's a method. And for some cases, it works. Now it can also be very long. For example, if you want to do whaling, which means social engineering an important person, then what you can do is you can try to approach them on a social network. Now whales will usually not approve random social network requests. So what you do is you befriend their employees or colleagues or whomever with a fake profile. That looks legit. And when you have a lot of them, like 20, 30, 40, then you can try to send a friend request as whale. And then they say, oh, okay, it looks like one of one of my guys. And then they accept. So it can be really long and really short. Now for exploiting trust, it's kind of the easy part, right? When you're in, then you just ask, but not really. If you ask the wrong question, then you're immediately out without getting what you need. First of all, always keep the goal of that specific interaction in mind. So let's say I wanted to get the username and password for the web page server of CCC, right? On my first interaction, I cannot ask the person I'm calling, hey, what's the password? It will not work. I have to set the goal for the interaction. That goal might be, well, I want to know what kind of operating system it runs, right? Well, I could do it via also in line network scans, for example, right? But I could also ask, right? Or I could do the username thing, right? What's the username? Step by step. So always keep that in mind. And don't ask too much at the same time. I'll give you an example from corporate world. So if it's a lockdown system and you can't really find anything from online, even though you could use job advertisements, for example, right? If they're searching for Windows 98 engineers, then you know they're running Windows 98, right? Those are not many of them left. Right. But in all seriousness, some companies like banks or airline industry uses some old stuff, which is really fun. But first you have to get in. And getting in is what we're going to talk about here today, right? So on the first call, I might try to find out what operating systems are actually running. And you don't always have to ask direct questions. For example, if I choose that my role is a user calling tech support, it would be kind of dumb of me to ask, hey, what operating system are we running? It could work because tech support expects users to be like that. But I could also be a bit smarter. For example, I could not ask that directly. I could do a different thing, right? I could say my computer isn't working. And they would say, okay, so what do you see? And I would mumble something like, well, it's not working. But what's on the screen? And they say, well, the usual thing. And then at some point, they get pissed off and they just get really angry. And they say, okay, do you see that logo with this color, that color, and that color in the lower left corner? Uh-huh. And I say, well, I don't know. Is it round? And then I get the Windows version as well. So you can see, and they think they are requesting information, right? But actually, they are the ones transferring bits of information to you. Right. So yeah, and then when I have that, then I can actually call someone else. Important, don't call the same person. Call someone else and try to find out how the usernames are made. Is it first name, last name? Is there a dot in between? Is it some letters, right? Many corporations still, at least the middle ones and the small ones, still use really dumb default passwords. And some of them, in my experience, do not allow employees to change them. So if you find the template of the password, then you can more easily brute force hashes. Right? Or you can even, you know... The goal here, in any case, is to build trust with the next person, the next person as well, to pretend that you're one of them. And if you have the in-house knowledge, it's easier to do that. It's easier to pretend. Okay. Now, let's go to the practical part, which is the last part of the presentation. I'm going to start with some non... Oh. LibreOffice. I'm going to start with some non-social engineering exercises. Actually, it's good that we have that. So you can try to do it with your friends first, right? It doesn't have to be like someone... Some adversary, right? Someone you trust, someone you can play along with, right? Okay. Was that out of the way? So, first of all, talking to people. It's the first step, right? So I'm sorry if there are people here that don't like to talk to people, and if your intent on keeping it that way, then social engineering is not for you, maybe. Or you can try emails or stuff like that, or writing some fake apps. Yeah. So talking to people is the first thing, and just try it. Like these guys here. You can just try talking to each other. Improv. Believe it or not, but until 16 years old, I didn't even talk to anyone. I didn't talk to my own classmates. I didn't want to talk to anyone. Improv is a cool thing. It still happens somewhere. I'm sure all over Germany, all over the world, if you can sign up for Improv, it also helps you to be on your toes when you're challenged, and then you can think of something real quick. Alternative personas. In your daily life, you can just try to pretend to be someone else. Once again, not trying to target anyone. Just walking around. You can walk around the camp. You can pretend to be... Well, don't pretend to be anything critical, please. But you can pretend to be anyone you like, and just make up a story. Not for malicious purposes here, or anything in this presentation is not for malicious purposes, by the way. Seriously, guys. It's a... Yeah. But just make up a fake persona, right? I remember when I was actually doing... Back when I was doing Improv, and I was hitchhiking all over Europe during summers, I liked to... When I got to a city, I liked to randomly walk up to people and get them to tell me their life story. And my goal there was to have more material that I would digest, and not directly present, of course, that I would digest and include bits and pieces of that in my Improv later on. And in order to get them to open up better, I would take on an alternative persona. So that's something you can do. And then, of course, you can pretend to be someone else online. Catfishing is not what I'm talking about here. Someone else with a story, right? So there's a thing called the post secret. Some of you know it. And recently, there was a postcard from someone that wrote that I go to teens' forums, and I talk to people who are contemplating doing suicide. And I tell them I'm a 43-year-old guy that coaches a metal band, and I'm actually a 16-year-old girl, and I've prevented five suicides so far. So pretending someone else online can be really beneficial as well, and beneficial for you as well to train your social engineering skills. Now then, when we've trained that, you can start with passive acquisition methods. They don't require you to actually talk to people. And you can dig for some trash. You can eavesdrop on nearby employees. Once again, my ears, my eyes are always open when I'm even communicating with people. Let's say I'm at an agency of some kind, like a travel agency. I'm talking to one person here while I'm doing that. And it's a skill you can build. You can try to train. It's easy when you're not talking. It's harder when you're trying to listen to what the person is telling you when you try to listen at the next table as well. And it's really hard when you try to talk and listen to what those people are telling, saying. But you can do that. So you can try to eavesdrop on other people's stuff, and just to build a skill. You can also shoulder surf. The cool thing about shoulder surfing these days is it doesn't matter if it's a laptop or a phone. If you're sitting here with your phone out, someone behind you can see what's on your screen. They can also see your keyboard even easier on a laptop. If a person types fast, then they also can read what you're typing fast, even if it's a password. So that's another skill you can hone. Now bump into people, like physically. Well, not here. It's against God of Conduct here. It's serious stuff. Don't do that, please. But you know, on train somewhere. What's the goal here? Well, the goal is to try and copy an RFID tag that they have. Bumping into people is the way to go. And there are two criteria that you should meet. So you can make it a game, a single-player game. One is bump in the most appropriate way that is most conducive to tag copying. And the second way is bump in a way that is the most natural. So you have these two criteria. You can try one, you can try the other. When you win, try to do both at the same time. And then you have your skill. Now then you build some pretext. And we talked about building pretext already. So you try to think what you're going to do, who you're going to be, and how are you going to be challenged. Now be uncooperative where you can. This is how I still try to improve my social engineering skill on a daily basis. For example, you can hide your wristband and see if someone challenges you. And that's a really important part here. Without the presentation, you should stay legal. You should have the right to do whatever you're doing. You can hide your wristband and if someone challenges you, see if you can talk your way out of it. Yeah, I'm with the org, or I'm emergency, or I'm going to scan my QR code in one hour. The angels here are really cool. I'm one of them as well. Don't be terrible to angels. Be nice to them. Be nice to everybody. But if you have the wristband and you don't waste too much of their time, and they're standing there being bored, you can play around, I think. You can smile, be friendly and agreeable. As a rule, it also opens people up. It's easier to talk to them that way. And you can be vague in your responses if you're challenged. I actually use this one and the next one to get out of E-gates on borders. I don't think I've ever scanned my document on an E-gate when entering or leaving the European Union. In many countries, I think in all countries, it's not mandatory. Stuff sometimes doesn't work. Sometimes it doesn't work, so you go to an agent. And I'm doing this to train myself. For example, I was returning to my own country with documents in order and everything, but I just thought, okay, I'm going to play. So when I was approaching the border in the airport, I saw a lady that was going to direct me to the E-gate. And she asked if I have my passport. And I said I have my documentation with me. And she asked if I'm from Latvia. I said, "Hmm?" And a couple of questions later, she sent me to a person to actually get checked into the country. Then you can also be dumb. Again, I used this one to get out of E-gates in a different country abroad. So you know why I hate E-gates and backscatter scanners? Because I know programmers. I hate technology. I mean, there are bugs in there, for sure. And I don't want to get caught up in some holding cell because of a bug. So I always try to get to a person right in there. So basically, I was walking straight through, so the setup was no barriers, nothing like that, five machines here, five machines there, and you could walk straight through. So I was doing that, and someone stopped me and asked, and appointed the machine. And I gave them my passport, like, do what you want. And they gave it back to me and appointed the machine. So I looked at the machine. It said language. I pressed English. It said, "Please scan your passport." I put my passport in the machine. And it showed a photo of my face in real time with no text on it. So I was standing like that for 30 seconds, and then it had some timer on there on screen and then said, "Thank you." So I took my passport and I went through. I mean, it didn't do anything illegal. I mean, I wasn't given an instruction to scan my face or anything. Right. So then you can continue with simple everyday things. For example, airport fast track, right? Some of you fly a lot, if you have miles or other qualifications, you get airport fast track so you can try to not present your qualifications there and just try to convince them. Say your flight is late or... One time I did by accident this year. I didn't know that my qualifications only apply to specific airline. I thought it was airport. But I said, "Yeah, okay. You're here already. We'll go through. We're going to put you through as an exception." Right. And oh, another thing. I was doing a technical inspection, like technical qualification of my motorbike recently, and I was going to get failed because of one thing not working on it. Well, it's a passenger thing, not really important. So the guy comes to me and says, "This thing doesn't work." And I immediately, without hesitation, and forcefully say, "Yeah, it does." And I show him it's partially working. He goes, "Oh, okay. Looks like it works." Finally, what not to do? Do not try to leave with stuff without paying. That's theft. At least offline. Do not provide a fake identity to government agencies. That can probably land you in a lot of pain. Do not damage your property. Also can land you in trouble. And my personal policy for the fourth point here is, if you do social engineering, that could result in you getting any financial benefit, make sure that you've paid for it as well. I'll give you two examples. For example, business launches, when I try to get in, I make sure that I have paid for it before I try to convince them to let me in for free. Or we were hacking, 10 years ago, I think we were hacking Latvian, well, Latvian capital's Riga transportation system, public transportation tickets. And we hacked them successfully, and when we were filming the video, we actually paid for the whole day for us to write for money, so that we could write with a fake thing as well and make a video. So it's a good ethical thing to do, I think. Well, thank you so much. If we do have some time for questions, we can do questions. Slides will be on kudos.org, and you can follow me on Chaos Social. My username is K. Thank you so much. Thank you so much, Kirill. I think we have time for one question, the one question to rule them all. Oh my God. Before you start with everything, what kind of precautions do you take on your own identity? How do I protect myself? Yes. Well, you know, I've done, I think, seven presentations on privacy so far. They are on kudos.org, and privacy is really important to me. But I like to say that I try to stay private for others' sake. It's too late for me. I mean, I have hundreds of videos on YouTube with my face and voice. You call with your own number? Oh, yeah, yeah, yeah. Do I call with my own personal number? Oh, no, I use a PO box. I call without a number because I don't have an incoming number. I use anonymous identities online. Basic stuff, yeah. But the presentation is called Nothing to Hide. It's on kudos.org, and you can see it live in Italy in November and in Canada, Quebec in October if you want to see the new version of that one. Thanks. And if the people here at Camp want to find you now after this talk, where can they find you? Oh, yeah, I have said anonymous numbers. So you can call me at 5511 or 5522, or if you really want to, then you can do 5533. It's a GSM, Dext, and VoIP. I'm not a hoarder. I promise. Thanks. Big round of applause to Kirill. Thanks, man. [MUSIC]