Archive for August 1st, 2010

DEFCON 18 notes: Day 2.

Sunday, August 1st, 2010

Saturday was kind of a rough day at DEFCON 18. But then, Saturday is always a rough day at DEFCON.

I don’t feel it’d be fair to review or summarize the “Extreme-range RFID Tracking” panel; I came in about 20 minutes late. (We lingered a bit over a very good breakfast at Blueberry Hill.) What I was able to gather is that Padget’s set a new record for long distance RFID reading, and that upping the radio power works for increasing RFID reading range up to a point. (Edited to add 8/10/2010: added link to Black Hat 2010 version of paper. Here’s a link to Paget’s blog entry about the session.)

I was not able to get into “Jackpotting Automated Teller Machines Redux” due to extreme overcrowding. (Edited to add 8/9/2010: The Black Hat website has what purports to be MP4 video of Jack’s version of the presentation at Black Hat 2010. I have not sat down and watched it yet.)

I did attend the “This is not the droid you’re looking for…” panel, mostly because I was camping out for the next talk. This panel turned out to be more interesting than I expected; the presenters demonstrated a proof-of-concept rootkit for Android phones that allows you to do all sorts of fun stuff; grab contact information, grab SMS messages, grab location information (all three of these are stored in SQLite databases on the Android), and even make phone calls from the phone. The presenters haven’t weaponized the attack yet, but claim it should be easy to do so.

Practical Cellphone Spying“: Another nifty panel. Padget discussed the concepts behind IMSI catching, and gave a live demo of cellphone interception on the AT&T network. The key takeaway here for me was that the same technology used by law enforcement to intercept calls is now coming down to the point where it will be wrapped in a turnkey package and sold to people with more questionable motivations. (Edited to add 8/10/2010: added link to Paget’s blog entry which includes slides.)

How to Hack Millions of Routers“: I went to this because Lawrence put in a special request. The short version is that a large number of commercially available routers (such as those used by Verizon FIOS) are vulnerable to a clever attack using DNS rebinding and load balancing. Heffner has also released a tool that automates this attack. (This is another Black Hat talk that got a lot of attention in the press; the link above includes a copy of Heffner’s white paper which details the attack vector.)

(Edited to add 8/9/2010: I’ve added a link to Heffner’s Black Hat version of this talk, which as far as I can tell, is pretty similar to the DEFCON 18 version.)

I didn’t attend either “Hacking with Hardware: Introducing the Universal RF Usb Keboard Emulation Device – URFUKED” or “Programmable HID USB Keystroke Dongle: Using the Teensy as a Pen Testing Device“. (Edited to add 8/10/2010: added a link to the Teensy project from the Irongeek website. The bottom of that page has a link to the DEFCON presentation. I’ve also added a link to HackerWarrior.com for the USB Keyboard Emulation Device; that directory appears to contain a copy of the presentation, plus code.)

Instead, I left a little early, had a very nice sake fueled dinner at Shabu-Shabu Paradise in Henderson (a restaurant I enthusiastically endorse), sidecars at the iBar in the Rio (sadly, we did not get to play with the Microsoft Surface), and Penn & Teller.

The three of us saw Penn and Teller back in 2006, and we wondered how much the show had changed since then. Mike the Musicologist estimated that about 50% of the show was new; I think the percentage is a little higher than that, but my memory may be faulty. I was not unhappy that they ended the show with the .357 magnums; the bullet-catching illusion fascinates me, and I’m still trying to figure out how Penn and Teller do it. (Jim Steinmeyer’s The Glorious Deception: The Double Life of William Robinson, aka Chung Ling Soo is a very good history of the bullet-catching illusion, and yet another book I strongly recommend to anyone with even a casual interest in the history of magic.)

The other thing we all noticed is that Penn and Teller’s show has become a bit more explicitly political; in addition to the .357 magnum closer, which has always included 2nd Amendment references (and big kudos to P&T for reciting the Four Rules), the show also included references to flag burning, the Chinese Bill of Rights (“What Chinese Bill of Rights?” Exactly.) and the stupidity of the TSA. Penn and Teller even sell the Security Edition of the Bill of Rights in their gift shop for a lousy $5. (Quote: “We want McCarran Airport to be flooded with these.”) Not that any of us were bothered by the politics; I think all three of us lay claim to at least some form of Libertarianism. And if you’re the kind of person who would take offense at Penn and Teller’s politics, I won’t tell you “don’t go”; I’ll tell you “go, and have your world view challenged”.

(I’d also like to give Penn and Teller kudos for keeping gift shop prices low. Both Andrew and I picked up DVDs of the Teller-directed “Macbeth” for only $10. Teller, if you’re reading this, thanks for signing my copy. And for everything else you do, too.)

Computers. You know, for kids.

Sunday, August 1st, 2010

We would also like to draw your attention to the Statesman‘s profile of Ken Starks and the HeliOS project.

The HeliOS people take in donated computers, refurbish them, put LINUX on them, and then get them into the hands of poor kids whose families can’t afford to buy computers.

Frequently, these families also can’t afford Internet access, which is the next big problem that the HeliOS people are trying to solve; so far, they haven’t had much luck with that.

Art, damn it, art! watch (#13 in a series).

Sunday, August 1st, 2010

We take a brief break from DEFCON 18 coverage to bring you the following link, by way of Popehat.

Brandon Bird, the man responsible for “Law and Order: Artistic Intent” (previously mentioned in this space), put together another “Law and Order” themed exhibit in Los Angeles: “These Are Their Stories“. Each of the various pieces in this exhibition, as Bird describes it, “is an artist’s interpretation of a one-line episode summary from the DirecTV program guide”.

We have not had time to go through the entire series of works, but we are particularly taken with “Goren Takes on a Chess Master“, and are tempted to order a print. “Detectives Look for a Racist” also makes us grin.

DEFCON 18 notes: Day 1.

Sunday, August 1st, 2010

I’m running a little behind, between running around with Andrew and Mike the Musicologist, and some technical issues (DEFCON 18 has a secure wireless network, but it hasn’t been stable), but I’ll post updates when I can. I’ll also add links to the presentations as they go live, or as I find them. If you have questions, I’m willing to try to answer them, but I’d suggest you email the presenter first. If you are a presenter who wants to respond to my comments, I welcome that.

“Build a Lie Detector/Beat a Lie Detector”: This was the first presentation I attended; it was a pretty awful one. The presenters started 15 minutes late and opened with a crappy rap performance (differing tastes in music, fine, but when you’re running 15 minutes behind schedule, the rap should be the first thing to go). Once they actually got going, they spent too much time on a general history of justice systems and of the polygraph. When they did finally get to the technical aspects of their presentation, it amounted to “Oh, yeah, we built this lie detector based on this paper these other guys posted” (with, to be fair, some minor modifications). I walked out of this presentation before the end, which is something I rarely do at DEFCON.

Build your own UAV 2.0 – Wireless Mayhem from the Heavens!“: On the other hand, Renderman and his partner did an excellent job with this one And not just because they played “Thunderstruck” before the presentation started (playing music is okay, even if I don’t like your choice of music (and I like “Thunderstruck”), as long as you start on time), or because they started on time, or because they actually had video of their UAV launching rockets. (Edited to add 8/10/2010: added link to DEFCON 18 slides and video on Gremlin’s website.)

Key takeaways for me from this one:

  • You have two choices for stabilization systems. Thermopile based systems work in the infrared range and are very cheap, but have problems in certain weather conditions. Inertial based systems are more expensive, but offer all-weather capability, and are rapidly coming down in price.
  • Arduino based control systems dominate at the moment, but there’s some interest in developing systems based on the Beagle Board.
  • There’s off the shelf Zigbee based hardware that can easily be used for telemetry, and offers a 10-12 mile range.
  • You can get cheap and decent video out of board cameras, but transmitting video is a harder problem; for good range, you need to work on frequencies that require an amateur license.
  • GPS systems with a 10 Hz refresh rate are down to $80 or so. Most of the GPS systems I’ve dealt with have a 1 Hz refresh rate, which isn’t good enough for UAV use; it was news to me that faster systems are that cheap now.
  • Foam airframes are cheap and easy to repair.
  • Practical UAV applications, other than launching rockets; warflying with kismet, communications relay (imagine a UAV that could hover on station and serve as a repeater in areas of poor radio coverage), search and rescue (imagine a UAV that could survey a wide area looking for signs of a lost hiker, or recon an area where a search and rescue beacon was picked up), and post-disaster recon. I hadn’t thought much about that last one, but now that Renderman’s brought it up, I find that exciting. The theory here is: you send your UAV into areas that your disaster relief staff haven’t physically visited, and it returns good quality imaging of exactly what the damage is and how accessible the area is (have the roads collapsed? Are they under water?). From that, you can develop priorities (damage in this area doesn’t look too bad, we can hold off for a day; these people look like they need immediate help) and plans to get needed resources into the area.

“Exploiting Digital Cameras”: Another solid presentation. Basically, Isacson and Ortega did some clever banging on the firmware of the Canon Powershot series of cameras, found that these cameras have an embedded interpreter, documented that interpreter, and developed some simple exploits using it. The exploits are somewhat limited; you can’t launch malware on an attached computer, for example, but you can do things like turn on the microphone, display arbitrary images on the camera, and modify EXIF data.

“DCFluX in: Moon-bouncer”: A decent presentation on the theory and practice of radio communication using moon-bouncing, satellites, and other methods. I’m going to gloss over the details of his talk and refer you to the presentation when it goes up, as there was a great deal of technical information in it related to historical and amateur radio usage; I’m not sure the majority of my readers are that interested in ham radio, and those who are would be better served getting their information from the source.

Black Ops Of Fundamental Defense: Web Edition“: So here’s a high-level summary of Kaminsky’s talk. Now that the DNS root certificates are digitally signed, we have the ability to use DNSSEC and the Domain Keys Infrastructure (DKI) to do all kinds of cool stuff, including end-to-end email authentication (so you can be sure that the email you got from Bank of America is actually from Bank of America, and not from some random Nigerian), and to do these things in a scalable way.

Kaminsky’s new company, Recursion Ventures, is building (and plans to release shortly) a set of tools that will allow for the easy deployment of DNSSEC. Kaminsky also gave a brief overview of how DNSSEC works, and touched on a few interesting points related to his research. (For example, not only is it possible to run DNS over HTTP, but Kamisky’s figures show performance over HTTP is actually better than normal DNS.)

(Edited to add 2: The link above goes to a page on Recursion Ventures web site where you can view the slides from Kamisky’s version of this talk at Black Hat 2010. I did not see the Black Hat version of this talk; I do not believe the DEFCON 18 version was significantly different. It may have been shorter, and there is some Black Hat specific material in those slides. Also, I’m aware the actual title (“Black Ops of Fundamental Defense: Introducing the Domain Key Infrastructure”) differs from the title in the DEFCON 18 schedule; I chose to stick with the DEFCON title to make cross-referencing easier.)

Edited to add: I’m sorry if anyone is disappointed, but I did not go to the “Weaponizing Lady GaGa, Psychosonic Attacks” panel.