I get board sometimes.

A room like this has not a lot to offer for entertainment.

But for a hacker, it gets a little interesting because that television

is not like the television in your home,

it's a node on a network. Right?

That means I can mess with it.

If I plug a little device like this into my computer,

it's an infrared transceiver, I can send the codes that

the TV remote might send and some other codes.

So what? Well, I can watch movies for free.

(Laughter)

That doesn't matter to me so much, but I can play video games too.

Hey, but what's this?

I can not only do this for my TV in my hotel room,

I can control your TV in your hotel room.

(Laughter)

So I can watch you if you're checking out with one of these,

you know, TV based registration things,

if you're surfing the web on your hotel TV,

I can watch you do it.

Sometimes it's interesting stuff.

Funds transfer.

Really big funds transfers.

You never know what people might want to do

while they're surfing the web from their hotel room.

(Laughter)

The point is I get to decide if you're watching Disney or porn tonight.

Anybody else staying at the Affinia hotel?

(Laughter)

This is a project I worked on when we were trying to figure out

the security properties of wireless networks; it's called the "Hackerbot".

This is a robot we've built that can drive around and find Wi-Fi users,

drive up to them and show them their passwords on the screen.

(Laughter)

We just wanted to build a robot,

but we didn't know what to make it do, so --

We made the pistol version of the same thing.

This is called the "Sniper Yagi".

It's for your long-range password sniffing action,

about a mile away I can watch your wireless network.

This is a project I worked on with Ben Laurie to show passive surveillance.

So what it is, is a map of the conference called

"Computers, Freedom and Privacy".

And this conference was in a hotel, and what we did is we,

you know, put a computer in each room of the conference

that logged all the Bluetooth traffic.

So as everybody came and went with their phones and laptops

we were able to just log that, correlate it,

and then I can print out a map like this for everybody at the conference.

This is Kim Cameron, the Chief Privacy Architect at Microsoft.

(Laughter)

Unbeknownst to him,

I got to see everywhere he went.

And I can correlate this and show who he hangs out with

(phone dialing) when he got board,

(phone dialing) hangs out in the lobby with somebody.

Anybody here use cellphones?

(Laughter)

(Phone ringing)

So my phone is calling--

(Ringing)

calling --

Voice mail: You have 100 messages.

Palbos Holman: Uh oh!

VM: First unheard message --

PH: Where do I press --

VM: Message skipped. First skipped message.

PH: Uh oh!

VM: Main menu. To listen to your-- You have pressed an incorrect key --

You have two skipped messages. Three saved messages.

Goodbye.

PH: Uh oh! So we're in Brad's voice mail.

(Laughter)

And I was going to record him a new message,

but I seem to have pressed an invalid key,

so we're going to move on.

And I'll explain how that works some other day because we're short on time.

Anybody here used MySpace?

MySpace users? Oh!

Used to be popular. It's kind of like Facebook.

This guy, a buddy of ours Samy, was trying to meet chicks on MySpace

which I think is what it used to be good for.

And what he did is he had a page on MySpace about him.

It lists all your friends, and that's how you know

somebody's cool is that they have a lot of friends on MySpace.

Well, Samy didn't have any friends.

He wrote a little bit of Javascript code that he put in his page,

so that whenever you look at his page

it would just automagically add you as his friend.

And it would skip the whole acknowledgement response protocol

saying "Is Samy really your friend?"

But then it would copy that code onto your page,

so that whenever anybody looked at your page

it would automatically add them as Samy's friend too.

(Laughter)

And it would change your page to say that "Samy is your hero."

(Laughter)

So in under 24 hours, Samy had over a million friends on MySpace.

(Laughter)

Hey, he just finished serving 3-years probation for that.

(Laughter)

Even better, Christopher Abad, this guy, another hacker,

also trying to meet chicks on MySpace but having spotty results.

Some of these dates didn't work out so well,

so what Abad did is he wrote a little bit of code

to connect MySpace to Spam Assassin, which is an open source spam filter.

It works just like the spam filter in your email.

You train it by giving it some spam

train it by giving it a little bit of legitimate email,

and it tries to use artificial intelligence

to work out the difference. Right?

Well, he just trained it on profiles from girls he dated and liked

as legitimate email.

Profiles from girls he dated and not liked, as spam,

and then ran it against every profile on MySpace.

(Laughter)

Out spits girls you might like to date.

What I say about Abad is, I think, there's like three startups here.

I don't know why we need Match.com,

when we can have Spam dating? You know this is innovation.

He's got a problem, he found a solution.

Does anybody use these -- bleep -- keys for opening your car remotely?

They're popular in, well, maybe not Chicago, OK.

So kids these days will drive through a Wal-Mart parking lot

clicking open, open, open, bloop.

Eventually you find another Jetta or whatever just like yours,

maybe a different color, that uses the same key code.

Kids will just loot it, lock it up and go.

Your insurance company will roll over on you

because there's not evidence of a break-in.

For one manufacturer we figured out how to manipulate that key

so that it will open every car from that manufacturer.

(Laughter)

There is a point to be made about this which I barely have time for,

but it's that your car is now a PC, your phone is also a PC,

your toaster, if it is not a PC, soon will be. Right?

And I'm not joking about that.

And the point of that is that when that happens

you inherit all the security properties and problems of PC's.

And we have a lot of them.

So keep that in mind, we can talk more about that later.

Anybody use a lock like this on your front door?

OK, good.

I do too.

This is a Schlage lock. It's on half of the front doors in America.

I brought one to show you.

So this is my Schlage lock.

This is a key that fits the lock, but isn't cut right, so it won't turn it.

Anybody here ever tried to pick locks with tools like this?

All right, got a few, few nefarious lock pickers.

Well, it's for kids with OCD.

You've got to put them in there, and finick with them,

spend hours getting the finesse down to manipulate the pins.

You know, for the ADD kids in the house there's an easier way.

I put my little magic key in here,

I put a little pressure on there to turn it, (Tapping)

smack it a few times with this special mallet

and I just picked the lock. We're in.

It's easy.

And in fact, I don't really know much more about this than you do.

It's really, really easy.

I have a keychain I made of the same kind of key

for every other lock in America.

And if you're interested, I bought a key machine

so that I can cut these keys and I made some for all of you guys.

(Laughter)

(Applause)

So my gift to you, come afterwards and I will show you

how to pick a lock and give you one of these keys

you can take home and try it on your door.

Anybody used these USB thumb drives?

Yeah, print my Word document, yeah!

They're very popular.

Mine works kind of like yours. You can print my Word document for me.

But while you're doing that, invisibly and magically in the background

it's just making a handy backup of your My Documents folder,

and your browser history and cookies and your registry and password database,

and all the things that you might need someday if you have a problem.

So we just like to make these things and litter them around at conferences.

(Laughter)

Anybody here use credit cards?

(Laughter)

Oh, good!

Yeah, so they're popular and wildly secure.

(Laughter)

Well, there's new credit cards that you might have gotten in the mail

with a letter explaining how it's your new "Secure credit card".

Anybody get one of these?

You know it's secure because it has a chip in it, an RFID tag,

and you can use these in Taxicabs and at Starbucks,

I brought one to show you, by just touching the reader.

Has anybody seen these before?

Okay, who's got one?

Bring it on up here.

(Laughter)

There's a prize in it for you.

I just want to show you some things we learned about them.

I got this credit card in the mail.

I really do need some volunteers, in fact, I need

one, two, three, four, five volunteers because the winners

are going to get these awesome stainless steel wallets

that protect you against the problem that you guessed, I'm about to demonstrate.

Bring your credit card up here and I'll show you.

I want to try it on one of these awesome new credit cards.

OK.

Do we have a conference organizer,

somebody who can coerce people into cooperating?

(Laughing)

It's by your own volition because --

This is where the demo gets really awesome

I know you guys have never seen --

(Inaudible question)

What's that?

They're really cool wallets made of stainless steel.

Anybody else seen code on screen at TED before?

Yeah, this is pretty awesome.

(Laughter)

OK, great I got volunteers.

So who has one of these exciting credit cards?

OK, here we go.

I'm about to share your credit card number

only to 350 close friends.

Hear the beep?

That means someone's hacking your credit card.

OK, what did we get?

Valued customer and the credit card number and expiration date.

It turns out your secure new credit card is not totally secure.

Anybody else want to try yours while you're here?

Man: Can you install overdraft protection?

PH: Beep, let's see what we got?

So we bitched about this and AMEX changed it,

so it doesn't show the name anymore.

Which is progress. You can see mine, if it shows it.

Yeah, it shows my name on it, that's what my Mom calls me anyway.

Yours doesn't have it.

Anyway, so next time you get something in the mail

that says it's secure, send it to me.

(Laughter)

Oh wait, one of these is empty, hold on.

I think this is the one, yep, here you go.

You get the one that's disassembled.

All right, cool.

(Applause)

I still have a few minutes yet left, so I'm going to make a couple of points.

(Laughter)

Oh, shit.

That's my subliminal messaging campaign. It was supposed to be much faster.