Archive for the ‘DEFCON 17’ Category

I heartily endorse this event or product. (#3 in a series)

Sunday, November 22nd, 2009

Dereu and Sons Manufacturing Company (aka

Back many thousands of years ago, my elementary school library was full of books like F. B. I. The “G-Men’s” Weapons and Tactics for Combatting Crime and other non-fiction children’s books about the heroic exploits of the Federal Bureau of Investigation. (Remember, these were elementary school libraries, and this was before Hoover’s death; they didn’t have books like The FBI Nobody Knows. And I wasn’t reading Rex Stout at that time, so I didn’t know enough to be able to seek it out elsewhere.)

Anyway, one of my favorite stories was the one about Rudolph Abel and the newsboy. Not because I had any real investment in catching Russian spies, but because I thought a hollow nickel was incredibly cool, and I wanted one badly.

Flash-forward mumble mumble years to DEFCON 17. What do I find at one of the vendor tables? Yes! Hollow nickels!

Since I was older and more mature, though, a few thoughts came to me. One was that I didn’t have a whole lot of cash on me at the time, and using an ATM at DEFCON…might as well go ahead and pull on the Bad Idea Jeans. Another thought was that a hollow nickel might be cool, but what are the chances I wouldn’t end up spending it by accident?

So I took some notes, surfed the web, waited until I got home and someone had a birthday, and then placed an order…


DEFCON notes: Day 3, or “Killing Priest won’t bring back your G–d–n honey!”

Monday, August 3rd, 2009

Apparently, one of the pools at the Riviera was overrun by killer bees. The fake ATM has been well covered elsewhere.

Final set of quick takes:

“RAID Recovery: Recover Your PORN By Sight and Sound”: Technically, a pretty decent presentation on recovering RAID, building on Moulton’s previous presentations on the inner workings of hard drives and their recovery/rebuilding. (Those presentations are linked here: I’m actually pretty interested in the one on SSD drives.)
Key takeaways:

  • Many people don’t understand RAID levels; they think that RAID 0 actually offers some protection against data loss, or there’s no hurry to replace that one drive in the RAID 5 that failed. (The presenter seemed to believe that photographers are particularly bad about these things, perhaps based on bitter personal experience.)
  • If you have a RAID full of pictures, some sub-$100 tools, along with intelligent analysis of reconstructed images, can help you rebuild the array. Even if you don’t know what order the drives were in originally.

“Cracking 400,000 Passwords, Or How To Explain to Your Roommate why the Power Bill Is a Little High” (preview): Or, how to use John the Ripper, and how to optimize your JtR runs.
Key takeaway: Lists of previously cracked passwords are good fodder for JtR. Would you believe people use the same password on more than one site? Even better, you can use lists of previously cracked passwords to build JtR word mangling rules.
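As an added example (not from the talk, and not JtR's own code) of the kind of analysis that takeaway describes, here is a small audit script that takes a list of already-cracked or known-weak passwords and reports which structures and mangling patterns dominate; for a defender, that is what tells you which password-policy rules actually bite. The sample passwords are constructed, and the mask notation (L/D/S runs with their lengths) is an assumption loosely modelled on Weir's structure notation.

```python
"""Audit which structures and mangling patterns dominate a password list.
Constructed sample data; illustrative only, not the talk's or JtR's code."""
from collections import Counter
import re

# Constructed sample of already-cracked passwords (hypothetical values).
SAMPLE_PASSWORDS = [
    "password1", "Password1", "summer2009", "Summer09!", "letmein",
    "qwerty123", "Dragon!!", "baseball", "trustno1", "Monkey2009",
]

def structure_mask(pw: str) -> str:
    """Collapse a password into a structure string: L = letter run,
    D = digit run, S = symbol run, each followed by the run length."""
    parts = []
    for m in re.finditer(r"[A-Za-z]+|\d+|[^A-Za-z\d]+", pw):
        run = m.group()
        kind = "L" if run.isalpha() else "D" if run.isdigit() else "S"
        parts.append(f"{kind}{len(run)}")
    return "".join(parts)

def mangling_tags(pw: str) -> set:
    """Name the simple transformations a word-mangling rule set would cover."""
    tags = set()
    letters = re.sub(r"[^A-Za-z]", "", pw)
    if letters and letters[0].isupper() and letters[1:].islower():
        tags.add("capitalize-first")
    if re.search(r"\d$", pw):
        tags.add("digit-suffix")
    if re.search(r"(19|20)\d\d[^A-Za-z\d]*$", pw):
        tags.add("year-suffix")
    if re.search(r"[^A-Za-z\d]$", pw):
        tags.add("symbol-suffix")
    if not tags and pw.isalpha() and pw.islower():
        tags.add("plain-lowercase-word")
    return tags

def audit(passwords):
    """Return (mask frequencies, mangling-tag frequencies) for the list."""
    masks = Counter(structure_mask(p) for p in passwords)
    tags = Counter(t for p in passwords for t in mangling_tags(p))
    return masks, tags

if __name__ == "__main__":
    masks, tags = audit(SAMPLE_PASSWORDS)
    print("top structures:", masks.most_common(3))
    print("mangling patterns:", tags.most_common())
```

On the constructed sample, six of ten passwords are a word plus a trailing digit and four are capitalized-first, which is exactly the kind of concentration a mangling rule set exploits and a policy check should reject.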

DEFCON notes: Day 2

Monday, August 3rd, 2009

Saturday was a little calmer than Friday from my perspective. Part of the reason for that may have been Adam Savage’s talk (and the meet and greet afterwards) took a lot of folks out of circulation for two or three hours. (I didn’t go.)

More quick takes:

“Hacker vs. Disasters Large & Small”: Michael Schearer, who did the first part of the presentation, also did the Hacker In Iraq presentation. As a Naval officer, he went through SERE school, so he’s got some hands-on survival experience which makes him worth paying attention to. Schearer’s part of the presentation basically covered short-term wilderness survival (as in, “I’m cold and there are wolves after me.”) and was more practical. Renderman’s half of the presentation was a more long-term, “How do we survive and rebuild society after the Big One?”, philosophical presentation. (Edited to add: links to the final versions of the slides; Part 1, Part 2.)
Key takeaways:

  • “Hacker skills are largely compatible with the skills necessary to survive in the wilderness or during a natural disaster.”
  • “Don’t be squeamish about breaking or destroying something to help you stay alive.”
  • “You are not Jack Bauer, MacGyver, or Survivorman; you need practice to survive.”

“Personal Survival Preparedness”: Nice guy, okay talk, mostly dealing with survival in an urban environment after some devastating event (Katrina or worse).

“Picking Electronic Locks Using TCP Sequence Prediction”: Excellent presentation, short, and scary. Brief summary: many electronic lock systems are IP based and the traffic on the network is not encrypted. This makes the locks vulnerable to a man-in-the-middle attack (to capture an unlock command) and a replay attack with a spoofed TCP sequence number (to replay the command). These attacks bypass the existing control software, so the spoofed unlock command leaves no audit trail. The author is a network admin at Texas State University; woo hoo! Greater Austin/San Marcos Metropolitan Area represent!

“Sniff Keystrokes With Lasers/Voltmeters”: Two pretty amusing guys with another excellent presentation. In the first half, they presented an attack on PS/2 keyboards with very simple hardware; all you need is a slightly hacked power cord connected to a common circuit with the computer in question on one end, and an ADC plus a micro-controller (for data acquisition, filtering, and storage) on the other and voilà! In the second half, they outlined an acoustic-based attack that builds on previous research, combined with microphone hardware using freaking laser beams. As the authors said, “How cool is that?”
Key takeaway: “girls will melt when you show this…”

“Bluetooth, Smells Like Chicken”: Pretty much what I expected from the summary. Using software-defined radio gear (about $1000) you can monitor the Bluetooth frequencies. Bluetooth does frequency hopping over about 79 MHz, and the software-defined radio gear can only monitor about 25 MHz (max) at one time. But you can monitor one channel and use information from that packet to actually predict the frequency hopping cycle. The authors also presented a technique that allows aliasing of the entire Bluetooth spectrum to the 25 MHz available in the radio gear they were using without compromising the ability to extract packets. Finally, they discussed Bluetooth attacks using off-the-shelf sub-$10 hardware to sample and inject data.

Key takeaway: there is no longer any such thing as a non-discoverable Bluetooth device.

DEFCON notes: Day 1

Sunday, August 2nd, 2009

I’ve been running a little behind on these, but I’m trying to catch up. I’m also going to try to insert links to the actual presentations as they go up.

Quick takes:

“Is your iPhone Pwned?”: This was turned into a more general talk about the whole class of smartphones, including Windows mobile devices. They demonstrated one exploit that involves settings on Windows devices from some vendors. (Basically, the exploit involves misconfigured security settings that allow a remote computer to send malicious WAP push messages that the phone will accept.) Patching mobile vulnerabilities is difficult; there’s a lot of QA issues that have to be dealt with by each vendor for each platform, plus the FCC gets involved if you touch the radio code. Beyond that, the presenters spent a lot of time discussing the design of their Fuzzit tool for finding phone vulnerabilities. Key takeaway: the state of mobile security today is roughly equivalent to the state of network security as of 1999.

“Hacking With the iPod Touch”: Key takeaways:

  • There’s a lot of tools available for penetration testing on the iPod Touch if you’re willing to jailbreak the device. (Wilhelm’s presentation includes a long list of available tools. Did you know that you can run Perl, Python, and Ruby on the iPod Touch? Neither did I.)
  • Nobody gets suspicious if they see you fiddling with your iPod Touch. A full-sized laptop, or even a netbook, might be a different matter.

“That Awesome Time I Was Sued For Two Billion Dollars”: Jason Scott is a pretty good speaker, but this was sort of a “meh” talk. “Yeah, I got sued for two billion dollars by someone who is apparently mentally unbalanced (in the speaker’s opinion -DB) and the case got thrown out of court.” Key takeaway: Don’t let yourself be intimidated by legal (or legal-looking) documents.

“Three Point Oh”: Couldn’t get in to see Long’s talk.

“Something About Network Security”: Kaminsky’s talk this year concentrated on vulnerabilities in the PKI infrastructure, and specifically certificate attacks. I still think Kaminsky is the cat’s pajamas, but his talk this year seemed a bit off, compared to some of his previous talks (for example, the tunneling data over DNS hack).

I heartily endorse this event or product.

Saturday, August 1st, 2009

Pico, makers of fine FPGA development boards.

I haven’t actually worked with any of their products (though learning more about FPGAs is on my list of things I’d like to do) but the people they sent to DEFCON 17 were very nice. I even got two of their “business” cards.


Someone’s getting one of these as a slightly late birthday present.

Hola, senior. We are the Federales; you know, the Mounted Police.

Friday, July 31st, 2009


I only had to stand in line for about 20 minutes to get one. The latest batch was gone by noon; there were signs up at registration that they were not getting any more, and rumors later in the day that a fresh batch had come in.

Also, posting this gives me an excuse to link to one of my favorite sites, for those who haven’t seen it before.

0-Day DEFCON Notes

Thursday, July 30th, 2009

I like DEFCON. I like Dark Tangent personally. I like Joe Grand, the guy who has designed the DEFCON badges for the past few years.

But, guys, it looks really bad when, for the second year in a row, you run out of badges early on Thursday and have to issue temporary badges until more real ones get to the con Friday morning. You don’t even have the Olympics to blame this year. This is especially frustrating now that badge hacking is an official event/contest.

DEFCON talks I will not be attending:

“Hacking UFOlogy 102: The Implications of UFOs for Life, the Universe, and Everything.”

“Two years ago at Def Con 15, Richard [Thieme] presented Hacking UFOlogy. He supported his contention that (1) UFOs are real and (2) the data to support that statement is voluminous with numerous references and links…”

Hippie, please.

DEFCON talks I plan to attend:

“Is your iPhone Pwned”, Mahaffey, Hering, and Lineberry. (This may be tough to get into, but it is scheduled against Dark Tangent’s intro and Joe Grand’s discussion of the badge, so we’ll see.)
“Hacking with the iPod Touch”, Wilhelm
“That Awesome Time I Was Sued For Two Billion Dollars”, Scott
“Three Point Oh”, Long. (For the speaker’s reputation; I’ve heard Johnny Long speak before, and he’s someone I’d like to know better.)
“Something About Network Security”, Kaminsky. (Again, for the speaker’s reputation; Kaminsky is to TCP/IP what Musashi was to the sword.)
“Hacker vs. Disasters Large & Small”, RenderMan and Schearer
“Personal Survival Preparedness”, Dunker and Dunker
“Picking Electronic Locks Using TCP Sequence Prediction”, Lawshae
“Sniff Keystrokes With Lasers/Voltmeters”, Barisani and Bianco
“Bluetooth, Smells Like Chicken”, Spill, Ossmann, and Steward. (It looks like they’re going to talk about using software-defined radio to sniff Bluetooth, techniques for breaking the pseudo-random hopping sequence, and apparently some stuff that can be done with sub-$10 off-the-shelf hardware.)
“RAID Recovery: Recover Your PORN By Sight and Sound”, Moulton
“USB Attacks”, Vega
“Cracking 400,000 Passwords, Or How To Explain to Your Roommate why the Power Bill Is a Little High”, Weir and Aggarwal

I missed the panels on “Hacking With GNURadio” and “Hacking the Apple TV and Where your Forensic Data Lives”. Perhaps next year I need to arrive on Wednesday. If there is a next year.