So instead, I’ll link to this:
and this:
and let my readers fill in the blank.
Archive for the ‘Geek’ Category
Obvious headline is obvious.
Friday, August 17th, 2012Toys, toys, toys.
Monday, August 13th, 2012Did you know that the promo code SUCKITGROUPON will get you 45% off your Buckyballs order from getbuckyballs.com?
I didn’t, either, until I saw it on Overlawyered. I already got my first set of Buckyballs, but I just ordered some more: this time, I got some BuckyBigs, so I can pretend to be Captain Queeg while I’m sitting at my desk.
(Note that I have no financial relationship with the BuckyBalls people; I just want the CPSC to die in a fire.)
In other news, the Germans have shipped my USB TV receiver.
Obit watch: August 13, 2012, part 2.
Monday, August 13th, 2012August 8th updates.
Wednesday, August 8th, 2012Longer Marvin Hamlisch: NYT, LAT.
Speaking of obits, noted astronomer and pioneer of radio telescopy, Sir Bernard Lovell, passed away on Monday.
There was an update to the Sheri Sangji story while I was on vacation that I wasn’t able to blog. Luckily, Derek Lowe was on the case. For those of you who don’t remember the story, Ms. Sangji was working with t-butyl lithium in a UCLA lab; the substance, which catches fire when exposed to air, spilled, Ms. Sangji was severely burned, and died 18 days later. The university and the primary researcher, Dr. Patrick Harran, faced felony charges.
While I was gone, the charges against the university were dropped. Apparently, UCLA made a deal with the prosecution. The charges against Dr. Harran still stand.
But then it gets weird. Dr. Harran’s defense team is trying to discredit the OSHA report on the accident, based on the accusation that the author of the report participated in a murder when he was 16 years old and failed to disclose this to his employers. I’m not sure at this point if it was actually established that the author of the report and the murderer were the same person, but the author resigned his position anyway.
This is intended to be a short update. The Derek Lowe blog entry linked above has a longer summary, including links to various other sources; I commend it to your attention.
Lessons learned.
Monday, August 6th, 2012So…somebody I know was having problems with their netbook running Ubuntu.
The somebody in question decided (for good and sufficient reasons) that part of the problem might be due to them having done several upgrade installs of recent Ubuntu versions which left cruft on the system. This somebody thought the best thing to do was to make a backup of /home, reformat the box, and reinstall Ubuntu 12.04 from scratch, blowing away all the existing data and partitions.
Which they did.
The somebody in question had a MySQL database on the box that had somewhere around ~2,500 records in it. It was a fairly simple database, probably overkill for MySQL: one table, a few columns.
It turns out that MySQL doesn’t store databases in /home. MySQL stores databases in /var/lib/mysql by default, and the somebody in question never changed the default. (This vaguely makes sense if you think about it; after all, MySQL is intended to be a multi-user database, so why would you store databases under an individual user’s home directory by default?)
The somebody in question found this out after blowing everything away. And, of course, the somebody in question only backed up /home.
Fortunately, the database isn’t that important, and much of the data on it can be recovered from older .CSV files that were used to import the data into MySQL.
But next time, the somebody in question is going to backup every damn thing, not just /home.
The somebody in question is also going to try to get out of the habit of making assumptions about where things are stored.
Hmmmmmmmm.
Friday, August 3rd, 2012In the DEFCON 20 day 2 notes discussing the ADS-B presentation by Renderman, I alluded to some work on using USB TV tuners to pick up ADS-B broadcasts.
I did a little more research on this earlier today, just to satisfy my own curiosity.
Holy cow! I’ve been wanting to mess with software defined radio, but the $1,500 cost for hardware is a bit discouraging. This looks like an excellent way to get started for about $20 instead. The necessary software is linked from the rtl-sdr page, and you can even get a script that will build gnuradio with the proper components.
Yow!
Edited to add 8/4: We are not amused. In the past two days, we have been to Fry’s. The shelves at Fry’s were almost completely stripped bare of USB TV adapters. We have also been to three different branches of Discount Electronics; none of them had any of the listed adapters. We have checked Google, and all of the adapters listed with the E4000 tuner do not appear to be available from vendors in the United States. The only adapter on rtl-sdr’s list that we were able to find was the Ezcap EZTV645 DVB-T Digital TV USB 2.0 Dongle with FM/DAB/Remote Controller which DealExtreme sells. However:
- There are conflicting reports as to whether this is the one rtl-sdr is talking about, and whether this one has the E4000 tuner.
- There are a lot of reports that DealExtreme is slow in shipping; as in, a month or longer.
I’ve ordered the Newsky TV28T that’s listed on the sysmocom site (linked from the rtl-sdr page). With shipping, it came out to 23.30 euros, or about $28.86 in dollars. That’s still well within my price range for tinkering with SDR. I’ll update when the device gets here.
In the meantime, if anyone has any GNURadio or general SDR tips, advice, or suggestions, please feel free to leave them in comments or shoot me an email. Contact addresses are in the usual place.
(And thanks, Borepatch.)
DEFCON 20 updates (round 2).
Thursday, August 2nd, 2012- Here’s a link to the slides from Terrence Gareau’s “HF Skiddies Suck, Don’t Be One. Learn Some Basic Python” presentation. I’m not complaining, but be advised that this is a large download (620 MB ZIP file) with video and code examples. Also be advised that, based on a very brief preliminary skim of the file, there may be some NSFW material in the presentation. (Also not a complaint, but an observation.) I’d like to thank Mr. Gareau for making this available: his presentation is the only one in the “DEFCON 101” track that I’ve found so far.
- Added a link to Renderman‘s presentation on ADS-B hacking, “Hacker + Airplanes = No Good Can Come Of This” to the day 2 notes.
- Josh Brashars (who is a heck of a nice guy) and I have exchanged emails, and he’s graciously allowed me to temporarily host the version of his “Exploit Archaeology: Raiders of the Lost Payphones” presentation from the DEFCON 20 DVD. Of course, iDisk no longer exists (NOT that I’m BITTER or anything) and WCD’s hosting provider/WordPress implementation has a 10 MB file size limit, so I’m using Dropbox to host this file. Let me know if it doesn’t work.
I am disgusted.
Thursday, August 2nd, 2012It is 3:00 PM local time on Ice Cream Sandwich Day, and nobody has brought me my Android 4.0 tablet yet.
DEFCON 20 updates.
Wednesday, August 1st, 2012- Added a link to FX and Greg’s “Hacking [Redacted] Routers” to the day 3, part 2 post. (By the way, the messages on those fortune cookies? Real Huawei router messages.)
- Added a link to a blog post by Moxie Marlinspike summarizing the presentation he gave with David Hulton (Pico Computing) on “Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2“. Moxie’s post includes the sexy, sexy diagrams of MS-CHAPv2 handshaking and does a better job than I did of explaining how the problem reduces to attacking 256 DES keys.
- Added a link to Philip Polstra’s blog entry on his “Bypassing Endpoint Security for $20 or Less” which includes links to the slides and his code.
- Here’s a link to the “Hacking the Google TV” presentation, which I missed. There’s also a GTV Hacker blog, and a GTV Hacker wiki.
- Here’s a link to Anarch and Omega’s “The Darknet of Things, Building Sensor Networks That Do Your Bidding” presentation. I was curious about this one, but it was opposite “Busting the BARR”. I note, however: “NO ARDUINO!”
- Link to Ryan Reynolds and Jonathan Claudius’ presentation, “Stamp Out Hash Corruption! Crack All The Things!“, another one I missed due to a schedule conflict.
Quote of the day.
Wednesday, August 1st, 2012Noted for the record.
Wednesday, August 1st, 2012The two NSA pamphlets I mentioned previously, “Solving the Enigma – History of the Cryptanalytic Bombe” and “The Cryptographic Mathematics of Enigma” are available from the NSA website as free downloads, along with quite a few other publications related to WWII cryptography. There are also publications available on cryptography in other eras: Korea, Vietnam, Cold War, etc.
I personally like having the printed versions to have and to hold (and you can request them by email), but this is a gold mine for the impatient person who really wants to know the “History of the Cryptographic Branch of the People’s Army of Vietnam 1945-1975“.
DEFCON 20 notes: day 3, part 2.
Monday, July 30th, 2012Where were we? Oh, yes: The Day of the Router.
(That’d be a good title for a movie. Maybe one about penetration testers. Hmmmm…a pen tester accidentally finds a vulnerability in the wrong system, and the bad guys want to shut him up?)
But I digress.
First in our router trilogy is Michael Coppola‘s “Owning the Network: Adventures in Router Rootkits“. (First link goes to his blog, second link goes to the presentation.)
Coppola has been working on altered versions of firmware for popular routers: “altered” in the sense that the firmware contains useful exploits. (‘But how do you get the firmware on the router?” Well, there are well known cross-site scripting attacks on router configuration pages: as I recall, that was the subject of a DEFCON presentation, but I don’t have time to dig out which one right now. When I get back, I’ll add a link. In addition, how many people leave their router login/password set to defaults? Too many.)
Coppola specifically attacked these routers:
- Netgear WNR1000v3.
- Netgear WGR614v9.
- Belkin FD57230
- Trendnet TEW652BRP 3.2r
And there’s a simple five-step process:
- Profile the firmware image (basically, that means breaking it apart and figuring out what goes where) using a tool such as binwalk from devttys0.
- Extracting out the individual parts (like the router file system: Coppola has a good story about getting unsquash.fs out of Netgear)
- Deploy your exploit payload.
- Repack everything.
- Update the firmware metadata.
How much would you pay for all this? But wait, there’s more! The end result of Coppola’s work is rpef, a framework that automates much of this process. You point it at a firmware image, tell it what exploit you want to use and where to save the modified image…and it generates a new firmware binary for you, ready to upload to your favorite router. Isn’t that a clever cleaver?
(At the moment, rpef only supports a limited number of routers. I suspect if this takes off, the number of supported routers in rpef will expand dramatically.)
Second up on the router hit parade was FX with “Hacking [redacted] Routers“. The [redacted] in this case is Huawei, a large Chinese manufacturer of routers, and the short version of this talk is that their routers are crap. They have no known product security group, they do not issue security advisories, the quality of their code is poor, important ports (SSH, FTP, HTTP) are open by default (and you can access the flash file system by FTP), their OpenSSH implementation is a rewrite from scratch and is broken…
…and it is possible with a simple script to hijack a remote session to the router, there are built-in functions that allow execution of commands from the command line interface with no privilege checks…
….and there’s a heap overflow bug (which the presenters spent a great deal of time explaining) that allows you root on the router. Whew. I think that just about covers it. Luckily, in my opinion, Huawei routers are mostly used in other countries, and I can’t get very upset about those countries having their routers hacked. (What’s the worst case scenario? Less Chinese spam?)
(I can’t find FX’s presentation, and it isn’t on the DEFCON DVD. I’ll link to it when I can find it. Link added 8/1/2012.)
(Interestingly, these first two router panels were so popular, they had to move FX’s panel to a larger room to accommodate the people who wanted to see it. And I think there were still people who didn’t get in.)
Finally, we have “SQL Injection to MIPS Overflows: Rooting SOHO Routers” by Zachary Cutlip. (Link goes to a version of this talk he gave at Black Hat.)
The short summary here is that Cutlip attacked a specific router, the Netgear WNDR3700
As it turns out:
- As part of the DLNA setup, the router runs SQLite. (Apparently, it keeps a database of album art for DLNA device display purposes.)
- You probably already guessed this, but the implementation on the router is vulnerable to SQL injection attacks.
- You can leverage SQL injection and grab the router’s password file, or other arbitrary files from the running router.
- You can also leverage this to force a buffer overflow and run arbitrary code on the device.
Cutlip’s paper contains example Python code for implementing these attacks.
I totally spaced on the “Hacking the GoogleTV” panel and spent the last few hours trolling the dealer’s room for bargains. I did pick up a few things which I may discuss in more detail later. Or maybe not. It depends.
I don’t have a lot to say about the closing ceremonies, with one exception. DEFCON admission this year was $200: during the ceremonies, Dark Tangent stated that they had intended to raise the cost for this year only, to cover all the awesome stuff they wanted to do for DEFCON 20. Their plan was to roll the price back next year, but Dark Tangent found people were asking them how they were going to top this year…
…and he polled the audience to find out if they thought the $200 was a good value for the money. Overwhelming audience sentiment seemed to be that the $200 price tag was not too high, considering what folks got out of DEFCON. And Dark Tangent seems to be serious about getting Kraftwerk to do a concert next year.
I’m going to wrap things here. In the next day or two, I will probably be doing an after-action report, covering Vegas in general and some additional DEFCON odds and ends. I also will be posting updates as I find people’s presentations online, and as folks put them up.
As always, I welcome comments from presenters. I want to say that this year, I did not see a single panel that disappointed me; I liked every single panel I was able to get into.
Also, I want to make note of a thought from dinner tonight with some friends of mine. This may very well be a research idea for next year’s DEFCON.
So we all know how flash memory works, and that if you do repeated write/erase cycles, you’ll wear out your flash. We also know that manufacturers have implemented wear leveling to get around this.
Questions.
- Is it possible to bypass wear leveling on flash devices? Can you write software that does write/erase operations to specific flash memory locations?
- Can you write software that will do repeated write/erase cycles on flash memory devices and make those devices forensically useless? Similar to the old “three pass overwrite” for hard drives?
I don’t know the answers (as I said, this came up at dinner literally two hours after my plane got in) but it seems like a possible area for exploration. I need to go back through my DEFCON archives, as I have a vague memory of someone doing a presentation on flash memory forensics.
(Also, I’m sorry it took so long to get this post up. I finished about 2/3rds of it in the Las Vegas airport, had a very tight connection in Phoenix (literally running to the plane and arriving just seconds before boarding started), got in, wrote most of the last third, and am now going to have a cold beverage and (I hope) about eight hours of sleep.)