August « 2013 « Whipped Cream Difficulties

Archive for August, 2013

More DEFCON 21: August 7, 2013.

Wednesday, August 7th, 2013

Haven’t found anything yet from the Tom Ritter/Doug DePerry femtocell talk, but Tom Ritter does have slides and speaker notes up for another of his DEFCON 21 talks, “De-Anonymizing Alt.Anonymous.Messages”.
Ryan Holeman has his slides and code from “The Bluetooth Device Database” up here. He also has a blog post that might add a bit more context to the slides.
Slides from Karl Koscher and Eric Butler’s talk, “The Secret Life of SIM Cards” are available here, and there’s a bunch more resources in that repository.
Slides from the Eric Robi/Michael Perklin talk, “Forensic Fails”, are here.

Posted in DEFCON 21, Geek | Comments Closed

Bookity bookity bookity.

Tuesday, August 6th, 2013

Two more things that I wanted to bookmark:

Peteris Krumins’ “A Unix Utility You Should Know About: Netcat“. Actually, I want to bookmark his entire site, as there’s a lot of good stuff there, including “Low Level Bit Hacks You Absolutely Must Know“.

Also: Michael Ossmann’s HackRF Kickstarter, which is fully funded and has 29 days to go. This is a project I’m really excited about and will probably end up backing. Short version: HackRF is a project to build a software defined radio that is about the size of a USB hard drive, runs off of USB bus power…and if you back the project (and if it ships, this being Kickstarter and all), the cost is around $300, which puts it into “Shut up and take my money” territory.

Posted in Bookmarks, linux, Radio | Comments Closed

Random notes: August 6, 2013.

Tuesday, August 6th, 2013

Thinking about the WP sale some more:

I don’t think I was clear in my implication yesterday. Yes, the reports are that Bezos is going to run it as an independent company, instead of an arm of Amazon. I question how long that’s going to last: does Bezos want to be Charles Foster Kane? (Not that there’s anything wrong with that.) Or is he playing a long game here?
Interesting point from the NYT: the sale does not include Slate (or The Root and Foreign Policy). I wonder how much longer Slate has.

We must do something about the deadly killer trees! (See also.)

To celebrate his birthday, the Andy Warhol Museum in Pittsburgh is presenting live-streaming around-the-clock video of two key venues: the church where Warhol was baptized and the grave where he is buried, both in Pennsylvania.

(Insert joke about “Empire” here.)

Posted in Art, Clippings, Media | Comments Closed

DEFCON 21 update: August 5, 2013.

Monday, August 5th, 2013

Yeah, I know, I’ve been quiet. Much of Friday’s blogging time was eaten by Bluehost instability, and Saturday and Sunday were busy.

But I do have some updates and links.

Slides for Benjamin Caudill’s “Offensive Forensics – CSI for Bad Guys” are here. See also his post on the Rhino Security Labs blog.
Amber Baldet has a post up with links to the slides from her “Suicide Risk Assessment & Intervention Tactics” talk, and some additional resources. I’m not on Twitter, so I can’t add to the support she’s been getting there. But I will say, again: thank you, Amber, for doing this.
Amir Etemadieh and the other Google TV hackers have a page up at the GTVHacker site with slides and resources from their DEFCON 21 presentation, “Google TV or: How I Learned to Stop Worrying and Exploit Secure Boot”. There is also a blog entry that (I think) gives a little more context to the slides.
Dan Crowley, David Bryan, and Jennifer Savage have slides, a white paper, and sample code from their presentation at Black Hat, “Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices” up at the Black Hat site. From the descriptions, I assume tha the DEFCON 21 version is very similar to the Black Hat one.
Chris Valasek and Charlie Miller have a blog entry up at IOActive with links to the content and their white paper on “Adventures in Automotive Networks and Control Units”.
The LMG Security blog has a post up with links to the white paper and source code from the Sherri Davidoff/Randi Price/David Harrison/Scott Frethem talk, “Do-It-Yourself Cellular IDS”.
Ryan W. Smith has a post up at the Lookout blog about the talk he did with Tim Strazzere, “DragonLady: An Investigation of SMS Fraud Operations in Russia”. That post, in turn, links to the white paper summarizing their presentation.
I haven’t found the DEFCON slides for Joseph Paul Cohen’s “Blucat: Netcat For Bluetooth” presentation yet. But here’s the Blucat SourceForge page, which includes slides from a couple of other conferences, and the source code, and Mac OS X binaries for 10.6 and 10.8. Wow. I got more than what I asked for. (Edited to add 8/6: Mr. Cohen has added the DEFCON 21 slides. Praise be unto him, and may flights of angels sing him to sleep.)
The slides for Aaron Bayles’ “Oil and Gas Infosec 101” talk are here.

I’m going to cut things off here for right now. I’m still trying to find links to some of the other presentations I mentioned (in particular, I’d love a link of some sort to Anch’s “Pentesters Toolkit” if anyone has one) and will post updates as they come in. Depending on what I dig up, there may be a second post tomorrow. In the meantime, this should keep you busy.

Posted in Android, Bluetooth, Cars, DEFCON 21, Geek, Law, Radio | Comments Closed

Holy crap!

Monday, August 5th, 2013

Breaking news: the Washington Post has been sold.

To Jeff Bezos. Yeah, that Jeff Bezos.

For $250 million in cash. First reaction: the WP was only worth that much?

Second reaction: is this part of some grand Amazon content strategy? Well…

Seattle-based Amazon will have no role in the purchase; Bezos himself will buy the news organization and become its sole owner when the sale is completed, probably within 60 days. The Post Co. will change to a new, still-undecided name and continue as a publicly traded company without The Post thereafter.

Or, to put it another way: reply hazy, ask again later.

Posted in Clippings, Media | Comments Closed

More DEFCON 21 stuff.

Friday, August 2nd, 2013

I’ve added the Twitter feeds for everyone who has one published in the schedule, and who was mentioned in my previous post.

I’m going to try to keep an eye on these so I know when folks post their presentations. If there’s someone or something on the schedule who isn’t on my list that you’re interested in, drop me a line and I’ll add them.

Posted in DEFCON 21 | Comments Closed

DEFCON 21, BlackHat, and related stuff: August 2, 2013.

Friday, August 2nd, 2013

The questions ask themselves:

Trustwave SpiderLabs Security Advisory TWSL2013-020:
Hard-Coded Bluetooth PIN Vulnerability in LIXIL Satis Toilet

Did that say “toilet”?

The Satis is a “smart” toilet. It is controlled using LIXIL’s “My Satis” Android application, which communicates with the toilet using Bluetooth.

Yes. Yes, it did. A toilet with an Android application. And a hardcoded Bluetooth PIN of “0000”.

An attacker could simply download the “My Satis” application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner.
Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.

I have no joke here, I just like saying “discomfort or distress to user”.

On a more serious note, Borepatch has a post up about one of the Black Hat presentations. The math is a little over my head, but the short version is that there’s been a lot of progress made recently in the mathematics that underpin some of the fundamental cryptography used to secure the Internet. According to the presenters:

There is a small but real chance that both RSA and non ECC DH will soon become unusable.

The link above will take you to a PDF of the presentation from Black Hat. Worth noting: Thomas Ptacek is one of the people behind this.

I’m trying to find copies of the presentations I’m interested in; as I dig stuff up and have time, I’ll post links, but I’m not having a lot of luck right now.

Posted in Clippings, DEFCON 21, Geek | Comments Closed

More bookmarks.

Thursday, August 1st, 2013

Thanks to Joe D. for the SQL injection by automobile photo in the earlier post.

Something else I happened to stumble across, while reading a Stack Overflow thread (“We have an employee whose last name is Null. He kills our employee lookup application when his last name is used as the search term (which happens to be quite often now).”). There’s a website devoted to preventing SQL injection.

Is that unusual? No. But the URL sent me into giggling fits. My hat is off to the folks behind this site.

Something else I’ve been meaning to link, and which Tom Ritter’s Twitter feed reminded me about: “Applied Cryptography Engineering“.

Applied Cryptography is a deservedly famous book that lies somewhere between survey, pop-sci advocacy, and almanac. It taught two generations of software developers everything they know about crypto. It’s literate, readable, and ambitious. What’s not to love?
Just this: as an instruction manual, Applied Cryptography is dreadful.

Applied Cryptography was an important book for me, and I don’t have the chops that would allow me to intelligently criticize Schneier or Thomas Ptacek. But even I have to admit that AC is almost twenty years old; that’s two or three lifetimes in cryptography. (Also, that makes me…f’ing old.)

Posted in Bookmarks, Geek | 1 Comment »

Random notes: August 1, 2013.

Thursday, August 1st, 2013

Look, I don’t like drunk drivers. I don’t like drunk drivers who kill people while driving drunk. If I had my way, they’d be charged with murder.

That said, there’s something wrong with this WP editorial arguing that a bar should bear responsibility for the death of a ten-year-old girl “who liked dogs, horses and dancing”. (Would it have been less tragic if she hated horses?)

They also knew something was wrong when Michael D. Eaton downed 17 bottles of the Mexican brew, plus a shot of vodka, in about five hours. It was too much.

So that’s 18 drinks in five hours, or 3.6 drinks an hour on average. The WP doesn’t tell us how much Mr. Eaton weighed, or whether his drinks were evenly distributed over the five hours (as opposed to him being there for 4:30, and then slamming down 17 Coronas and a shot in the last half hour). But assuming he weighed 200 pounds, and the drinks were evenly distributed…according to this chart, he’d be right on the borderline between 0.06 and 0.08. I’m not convinced that’s the sort of visibly drunk that would make the bar responsible for letting him leave.

(It is interesting that none of the articles on this case specify Mr. Eaton’s BAC, but perhaps that has something to do with the fact that he fled the scene and turned himself in 12 hours later. It is also interesting that the WP editorial blaming the bar doesn’t mention Mr. Eaton’s “previous convictions for drunk driving, reckless driving, selling marijuana and speeding “.)

In other news, the Austin PD fired another officer. The twist here is that the fired officer was already on probation and had been suspended for “temporarily ignoring a dispatch and disengaging the tracking system in his patrol car for just over twenty minutes”: even after being placed on probation and suspended, he still turned off the tracking system (and apparently the cameras) in his patrol car another 60 times.

Obit watch: Noted Texas writer John Graves. At some point, I need to read Goodbye to a River.

Speaking of Las Vegas, people are coming back. But they aren’t gambling as much, or spending as much money on other things.

And speaking of DEFCON/Black Hat: WP coverage of the NSA director’s speech.

I’m hoping for some good coverage of Black Hat/DEFCON from Brian Krebs, who, by the way, has an interesting tale to tell:

Earlier this month, the administrator of an exclusive cybercrime forum hatched and executed a plan to purchase heroin, have it mailed to my home, and then spoof a phone call from one of my neighbors alerting the local police.

(Also, credit card and PIN skimmers just keep getting better and better.)

Posted in Books, Clippings, Cops, DEFCON 21, Law | Comments Closed

M	T	W	T	F	S	S
« Jul				Sep »
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Whipped Cream Difficulties

Archive for August, 2013

More DEFCON 21: August 7, 2013.

Bookity bookity bookity.

Random notes: August 6, 2013.

DEFCON 21 update: August 5, 2013.

Holy crap!

More DEFCON 21 stuff.

DEFCON 21, BlackHat, and related stuff: August 2, 2013.

More bookmarks.

Random notes: August 1, 2013.

Pages

Happy Amazon Fun Time!

Archives

Categories

Blogroll

BugMeNot

Firearms Reference

People who deserve your support.

Poetry

Reference

RIP

Twitter

Twitter Catholico

Webcomics I Like (without reservation)

Meta