Archive for the ‘CompScI’ Category

DEFCON notes: Day 2

Monday, August 3rd, 2009

Saturday was a little calmer than Friday from my perspective. Part of the reason for that may have been Adam Savage‘s talk (and the meet and greet afterwards) took a lot of folks out of circulation for two or three hours. (I didn’t go.)

More quick takes:

“Hacker vs. Disasters Large & Small”: Michael Schearer, who did the first part of the presentation, also did the Hacker In Iraq presentation. As a Naval officer, he went through SERE school, so he’s got some hands-on survival experience which makes him worth paying attention to. Schearer’s part of the presentation basically covered short-term wilderness survival (as in, “I’m cold and there are wolves after me.“) and was more practical. Renderman’s half of the presentation was a more long-term, “How do we survive and rebuild society after the Big One?”, philosophical presentation. (Edited to add: links to the final versions of the slides; Part 1, Part 2.)
Key takeaways:

  • “Hacker skills are largely compatible with the skills necessary to survive in the wilderness or during a natural disaster.”
  • “Don’t be squeamish about breaking or destroying something to help you stay alive.”
  • “You are not Jack Bauer, MacGuyver, or Survivorman; you need practice to survive.”

“Personal Survival Preparedness”: Nice guy, okay talk, mostly dealing with survival in an urban environment after some devastating event (Katrina or worse).

“Picking Electronic Locks Using TCP Sequence Prediction”: Excellent presentation, short, and scary. Brief summary: many electronic lock systems are IP based and the traffic on the network is not encrypted. This makes the locks vulnerable to a man-in-the-middle attack (to capture an unlock command) and a replay attack with a spoofed TCP sequence number (to replay the command). These attacks bypass the existing control software, so the spoofed unlock command leaves no audit trail. The author is a network admin at Texas State University; woo hoo! Greater Austin/San Marcos Metropolitan Area represent!

Sniff Keystrokes With Lasers/Voltmeters”: Two pretty amusing guys with another excellent presentation. In the first half, they presented an attack on PS/2 keyboards with very simple hardware; all you need is a slightly hacked power cord connected to a common circuit with the computer in question on one end, and an ADC plus a micro-controller (for data acquisition, filtering, and storage) on the other and viola! In the second half, they outlined a acoustic-based attack that builds on previous research, combined with microphone hardware using freaking laser beams. As the authors said, “How cool is that?”
Key takeaway: “girls will melt when you show this…”

“Bluetooth, Smells Like Chicken”: Pretty much what I expected from the summary. Using software-defined radio gear (about $1000) you can monitor the Bluetooth frequencies. Bluetooth does frequency hopping over about 79 MHz, and the software-defined radio gear can only monitor about 25 MHz (max) at one time. But you can monitor one channel and use information from that packet to actually predict the frequency hopping cycle. The authors also presented a technique that allows aliasing of the entire Bluetooth spectrum to the 25 MHz available in the radio gear they were using without compromising the ability to extract packets. Finally, they discussed Bluetooth attacks using off-the-shelf sub-$10 hardware to sample and inject data.

Key takeaway: there is no longer any such thing as a non-discoverable Bluetooth device.

DEFCON notes: Day 1

Sunday, August 2nd, 2009

I’ve been running a little behind on these, but I’m trying to catch up. I’m also going to try to insert links to the actual presentations as they go up.

Quick takes:

“Is your IPhone Pwned?”: This was turned into a more general talk about the whole class of smartphones, including Windows mobile devices. They demonstrated one exploit that involves settings on Windows devices from some vendors. (Basically, the exploit involves misconfigured security settings that allow a remote computer to send malicious WAP push messages that the phone will accept.) Patching mobile vulnerabilities is difficult; there’s a lot of QA issues that have to be dealt with by each vendor for each platform, plus the FCC gets involved if you touch the radio code. Beyond that, the presenters spent a lot of time discussing the design of their Fuzzit tool for finding phone vulnerabilities. Key takeaway: the state of mobile security today is roughly equivalent to the state of network security as of 1999.

“Hacking With the iPod Touch”: Key takeaways:

  • There’s a lot of tools available for penetration testing on the iPod Touch if you’re willing to jailbreak the device. (Wilhelm’s presentation includes a long list of available tools. Did you know that you can run Perl, Python, and Ruby on the iPod Touch? Neither did I.)
  • Nobody gets suspicious if they see you fiddling with your iPod Touch. A full-sized laptop, or even a netbook, might be a different matter.

“That Awesome Time I Was Sued For Two Billion Dollars”: Jason Scott is a pretty good speaker, but this was sort of a “meh” talk. “Yeah, I got sued for two billion dollars by someone who is apparently mentally unbalanced (in the speaker’s opinion -DB) and the case got thrown out of court.” Key take away: Don’t let yourself be intimidated by legal (or legal-looking) documents.

“Three Point Oh”: Couldn’t get in to see Long’s talk.

“Something About Network Security”: Kaminsky’s talk this year concentrated on vulnerabilities in the PKI infrastructure, and specifically certificate attacks. I still think Kaminsky is the cat’s pajamas, but his talk this year seemed a bit off, compared to some of his previous talks (for example, the tunneling data over DNS hack).

I heartily endorse this event or product.

Saturday, August 1st, 2009

Pico, makers of fine FPGA development boards.

I haven’t actually worked with any of their products (though learning more about FPGAs is on my list of things I’d like to do) but the people they sent to DEFCON 17 were very nice. I even got two of their “business” cards.

IMG_0318

Someone’s getting one of these as a slightly late birthday present.

0-Day DEFCON Notes

Thursday, July 30th, 2009

I like DEFCON. I like Dark Tangent personally. I like Joe Grand, the guy who has designed the DEFCON badges for the past few years.

But, guys, it looks really bad when, for the second year in a row, you run out of badges early on Thursday and have to issue temporary badges until more real ones get to the con Friday morning. You don’t even have the Olympics to blame this year. This is especially frustrating now that badge hacking is an official event/contest.

DEFCON talks I will not be attending:

“Hacking UFOlogy 102: The Implications of UFOs for Life, the Universe, and Everything.”

“Two years ago at Def Con 15, Richard [Thieme] presented Hacking UFOlogy. He supported his contention that (1) UFOs are real and (2) the data to support that statement is voluminous with numerous references and links…”

Hippie, please.

DEFCON talks I plan to attend:

“Is your iPhone Pwned”, Mahaffrey, Hering, and Lineberry. (This may be tough to get into, but it is scheduled against Dark Tangent’s intro and Joe Grand’s discussion of the badge, so we’ll see.)
“Hacking with the iPod Touch”, Willhelm
“That Awesome Time I Was Sued For Two Billion Dollars”, Scott
“Three Point Oh”, Long. (For the speaker’s reputation; I’ve heard Johnny Long speak before, and he’s someone I’d like to know better.)
“Something About Network Security”, Kaminsky. (Again, for the speaker’s reputation; Kaminsky is to TCP/IP what Musashi was to the sword.)
“Hacker vs. Disasters Large & Small”, RenderMan and Schearer
“Personal Survival Preparedness”, Dunker and Dunker
“Picking Electronic Locks Using TCP Sequence Prediction”, Lawshae
“Sniff Keystrokes With Lasers/Voltmeters”, Barisani and Bianco
“Bluetooth, Smells Like Chicken”, Spill, Ossmann, and Steward. (It looks like they’re going to talk about using software-defined radio to sniff Bluetooth, techniques for breaking the pseudo-random hopping sequence, and apparently some stuff that can be done with sub-$10 off-the-shelf hardware.)
“RAID Recovery: Recover Your PORN By Sight and Sound”, Moulton
“USB Attacks”, Vega
“Cracking 400,000 Passwords, Or How To Explain to Your Roomate why the Power Bill Is a Little High”, Weir and Aggarwal

I missed the panels on “Hacking With GNURadio” and “Hacking the Apple TV and Where your Forensic Data Lives”. Perhaps next year I need to arrive on Wednesday. If there is a next year.

Going Transmetropolitan FYI

Thursday, July 30th, 2009

I’m in Las Vegas for DEFCON, so posting may or may not be light.

I may try to do some live (or semi-live) blogging from the convention, depending on how things go. I may end up just compiling notes and posting when I get back to the room at night. (For those who are not familiar with DEFCON, one of the things it is most famous for is having the most hostile network in existence.)

Efficient closest point calculation; how to?

Tuesday, July 28th, 2009

Randall Lawrence Waterhouse

Current meatspace coordinates, hot from the GPS receiver card in my laptp:

27 degrees, 14.95 minutes N lattitude 143 degrees, 17.44 minutes E longitude

Nearest geographical feature: the Bonin Islands

—Neal Stephenson, Cryptonomicon

One of the projects that I’ve had cooking in the back of my mind is to implement something like Waterhouse’s signature block in Cryptonomicon. After all, I’ve reached a point in my life where I actually have GPS equipment and a computer that are small enough to use on an airplane. (Unlike Waterhouse, I tend to fly coach.)

There’s a couple of different parts to this project as I see it.

  • You need an interface to the GPS reciever to get the current position data. That should be easy; both Perl and Python have GPSD interfaces.
  • You need a database of geographic points. It looks like that shouldn’t be a hard problem to solve; there’s some online databases that I think can be made to work, or converted, for this purpose.
  • You need an interface between your programming language and the database to look up points. Again, that should be easy; I’m assuming the database of geographic points is stored in some sort of standard SQL databse, and both Perl and Python have SQL database interfaces. (One possible problem is that I want to be able to run this on a Nokia N800, and the SQL database choices for that machine are kind of limited.)
  • You need to be able to calculate distance between two points. That’s easy: see http://www.movable-type.co.uk/scripts/latlong.html  for an example.
  • But here’s the problem. Let’s say you have a database of two million geographic points. How do you efficiently find the closest point to your current geographic location?

I’m stumped by the last part. Doing two million Haversine calculations seems like a time consuming operation; I suspect on a N800, the closest point would have changed substantially by the time the calculations finish.

Anyone have any good ideas? If I ever do write the script, I promise public acknowledgment (and public posting of the code).