- Slides from the Jay Beale and Larry Pesce talk “Phishing without Failure and Frustration” are up here at the InGuardians website.
- At the same site, a talk Jay Beale gave in the Packet Capture Village, “Adding Ramparts to Your Bastille: An Introduction to SELinux Hardening”.
- Slides for Max Bazaliy’s “A Journey Through Exploit Mitigation Techniques in iOS” are here.
- Haven’t found slides yet, but the tools from Salvador Mendoza’s “Samsung Pay: Tokenized Numbers, Flaws and Issues” are here.
- Patrick Wardle’s “I’ve got 99 Problems, but Little Snitch ain’t one” slides are here.
Archive for the ‘Apple’ Category
Earlier, I wrote “It runs! It works! Mostly. Kind of.”
I’ve been banging on Blue Hydra in my spare time since Thursday, and I stand by that statement. Here’s what I’ve run into so far.
The README is pretty clear, and I didn’t have any problems installing the required packages. (I don’t have an Ubertooth, so I skipped that one. We’ll come back to the Ubertooth later.)
First problem, which was actually very tiny: I know next to nothing about Ruby, other than that cartoon foxes are somehow involved, so the phrase “With ruby installed add the bundler gem” was more like “I don’t speak your crazy moon language”. Google cleared that up pretty quickly: the magic words are `gem install bundler`.
Next problem: running `bundle install` resulted in an error stating that it couldn’t find the Ruby header files. It turns out that, while my Ubuntu installation had Ruby 2.1 installed, it didn’t have the ruby-dev package installed. `sudo apt-get install ruby-dev` fixed that issue.
Next problem: the SQLite Ruby gem failed to install when I ran `bundle install`. It turns out that I also needed the sqlite3-dev package as well. And with that installed, the bundle built, and I could do
Which gave an error stating that it didn’t have permissions to open a handle for write. Okay, let’s try `sudo ./bin/blue_hydra` (because I always run code from strangers as root on my machine; everyone knows strangers have the best candy). And that actually worked: Blue Hydra launched and ran just fine. In fairness, this may be a configuration issue on my machine, and not an issue with the software itself.
In playing with it, I’ve found that it does what it claims to do. Sort of. It’s been able to detect devices in my small lab environment with Bluetooth discovery turned off, which is impressive. I also like the fact that it stores data into an SQLite database; other Bluetooth scanning tools I’ve played with didn’t do that.
However, it seems to take a while to detect my iPhone; in some instances, it doesn’t detect it at all until I go into Settings->Bluetooth. Once I’m in the Bluetooth settings, even if I don’t make a change, Blue Hydra seems to pick up the iPhone. Blue Hydra also has totally failed to detect another smart phone in my small lab environment (and I have verified that Bluetooth was both on and set to discoverable.)
Now, to be fair, there may be some other things going on:
- I’ve also observed previously that Bluetooth under Ubuntu 15.10 didn’t work very well. At all. So at one point on Saturday, just for giggles, I upgraded Project e to Ubuntu 16.01.1 LTS. And shockingly (at least for me) Bluetooth works much much better. As in, I can actually pair my phone with Ubuntu and do other Bluetooth related stuff that didn’t work with 15.10. That seems to have mitigated the discovery issues I was seeing with Blue Hydra a little, but not as much as I would have liked. (Edited to add 8/8: Forgot to mention: after I upgraded, I did have to rerun `bundle install` to get Blue Hydra working again. But the second time, it ran without incident or error, and Blue Hydra worked immediately afterwards (though it still required root).)
- I was using the Asus built-in Bluetooth adapter in my testing. Also just for giggles, I switched Blue Hydra to use an external USB adapter as well. That didn’t seem to make a difference.
- In fairness, Blue Hydra may be designed to work best with an Ubertooth One. The temptation is great to pick one of those up. It is also tempting to pick up a BCM20702A0 based external adapter (like this one) partly to see if that works better, partly because I don’t have a Bluetooth LE compatible adapter (and this one is cheap) and partly because the Bluetooth lock stuff is based on that adapter. (Edited to add 8/8: I’m also tempted by this Sena UD100 adapter. It is a little more expensive, but also high power and has a SMA antenna connector. That could be useful.)
- It may also be that I have an unreasonable expectation. Project e is seven years old at this point, and, while it still runs Ubuntu reasonably well, I do feel some slowness. Also, I think the battery life is slipping, and I’m not sure if replacements are available. I’ve been thinking off and on about replacing it with something gently used from Discount Electronics: something like a Core i5 or Core i7 machine with USB3 and a GPU that will work with hashcat. Maybe. We’ll see. Point is, some of my issues may just be “limits of old hardware” rather than bugs.
- And who knows? There may very well be some bugs that get fixed after DEFCON.
tl, dr: Blue Hydra is nice, but I’m not yet convinced it is the second coming of Christ that I’ve been waiting for.
Another year observing DEFCON remotely. Maybe next year, if I get lucky, or the year after that.
The schedule is here. If I were going, what would I go to? What gets me excited? What do I think you should look for if you are lucky enough to go?
(As a side note, one of my cow-orkers was lucky enough to get a company paid trip to Black Hat this year. I’m hoping he’ll let me make archival copies of the handouts.)
Is there a use case for a shot timer app for an Apple Watch?
I’m aware of existing ones for the iPhone; I’m just wondering if having the same information, or a subset, available on your wrist – probably linked to your phone – is something that people would find useful?
Sensors included on the iPad Air 2 and iPad Pro:
- Touch ID
- Three-axis gyro
- Ambient light sensor
Not included: GPS, unless you purchase one of the cellular models. It looks like “assisted GPS and GLONASS” are built into the cellular chipset or something?
I keep thinking about getting an iPad or some other sort of tablet to supplement my first generation Kindle Fire. But it always comes back to this: I want GPS, and can’t get it. Okay, I could if I bought a cellular model, but:
- The cellular iPad 2 is $130 more than the Wi-Fi equivalents in every memory configuration. Same with the iPad Pro. Except the Pro only has one cellular/Wi-fi memory config, and that’s over $1,000.
- I don’t want cellular data. I don’t have the $60 to $85 a month it would take to add a device to my plan. $60 to $85 a month is at least one good Smith and Wesson a year. I’d be perfectly happy with a device that just does Wi-fi, as long as it has GPS. If I desperately needed data in non-Wi-fi areas, I’d enable the hotspot feature on my phone – at least that’s only $30 a month, I think.
It isn’t just Apple, though. I’ve looked at Android tablets too. I’ve heard that Android gives you lower-level access to GPS data than iOS, but I haven’t been all that impressed by the Android tablets I’ve seen. The price/memory ratio just seems out of whack to me.
Best Buy, for example, is selling a Nexus 9 with 32GB of memory (which to me is a hard minimum; I’d prefer 64GB) for $432. I can get a Mini 2 for $319 from Apple, or a Mini 4 with 64GB for $499. Decisions, decisions. Do I want an Apple device that doesn’t have GPS, but that I can trust to be updated regularly and work for a while? (I’m still using a MacBook I bought in 2007 as my main computer.) Or do I want to buy another shoddy piece of crap Android thing that’s going to stop getting updates in 18 months, but does have GPS?
Or does it? The specs on Google’s site show the Nexus 9 does, but they also show it has a cellular chipset. Does the Wi-Fi only version do GPS? Can I buy a cellular tablet and use GPS on it without a carrier? Who knows? I can’t find that on Google’s site, the specs on Best Buy’s site don’t mention GPS, and asking a Best Buy employee seems like a good way to invoke the customer appreciation bat.
Am I making this too hard? Am I asking too much? All I want is a reasonably priced tablet that does GPS and doesn’t require a cellular data plan. Why is this so hard?
DEFCON 23 starts Thursday. Black Hat USA 2015 starts tomorrow.
Once again, it doesn’t look like I’m going to make it out to Vegas. Once again, I’m going to try to cover things from 1,500 miles away. It isn’t completely clear to me that anyone other than me is getting any benefit from this, but I’ve been doing this for long enough that I have a hard time stopping now.
Here’s the schedule. There are several presentations that are already getting media attention:
- “When IoT attacks: hacking a Linux-powered rifle” got a write-up in Wired, and notice from Tam. I’ll admit that I’m interested in this research, as it represents the intersection of two of my interests. But given the current state of TrackingPoint, is this more like “knowing how to hot-wire a Tucker Torpedo” than a Ferrari Enzo?
- “Hacking Smart Safes: On the ‘Brink’ of a Robbery” also got a Wired writeup, and I’m pretty sure I’ve seen coverage elsewhere; I just can’t find it right now.
- And Charlie Miller and Chris Valasek got a lot of press coverage off of their “Remote Exploitation of an Unaltered Passenger Vehicle” paper. Another Wired article (I know, I know, but this one is first-hand.) NYT article on the recall triggered by Valasek and Miller’s research. I have to admit, I’m impressed; usually, only people named “Nader” manage to get 1.4 million cars recalled.
So what would I go see if I was there? What sounds interesting to me?
Lawrence Phillips, former NFL running back who is serving out a 31-year prison sentence, may have killed his cellmate.
Nigalidze is suspected of stashing an iPhone in a men’s room stall and using it to cheat during games.
(Well, okay. My favorite John Moltz post as John Moltz at “Very Nice Web Site”. I’m not quite sure it displaces the one at Crazy Apple Rumors where he actually used a question of mine in the “Crazy Apple Help Desk”.)
And so is TMQ. And so is TMQ Watch. The first column of the NFL season is always kind of strange; there’s a lot of short items, basketball coverage, and other things that throw us for a loop. We’re probably not going to hit every one of TMQ’s throwaway quips. And yes, we’re aware that TMQ did a couple of draft columns; we looked at those and frankly didn’t find anything noteworthy in them. One was his usual silly mock draft, the other was his draft analysis, and both contained the recommended US daily allowance of TMQ tropes.
Anyway, back to this week’s TMQ, after the jump…
We have a noodle truck at the office on Thursdays.
And it is pretty damn good.
And they take credit/debit cards. You’ve seen it before, haven’t you? iPad with a credit card swiper, pick your tip, sign, have your receipt emailed to you?
This observation isn’t original to me, and I’m not sure it is terribly profound, but: services like Square have revolutionized credit card processing. I remember the old days, when setting up a merchant account was hard to do, and you needed a phone line, and you needed bulky equipment, and the credit card processors charged enormous fees. Now? I’m kind of far from retail, so I’m not sure if Square has resulted in downward pressure on fees (though I suspect it has).
Someone I know who is in retail and takes credit cards reviewed an early draft of this post and provided this information: they pay 2.61% for credit card processing, but each month’s statement also contains a laundry list of “cryptic inexplicable fees” that they have to pay as well. Square claims to charge a flat 2.75% for swiped transactions (Visa, MC, AmEx, Discover) with no additional fees. (I say “claims” because I have not used Square and can’t verify that for myself.)
Square also claims to deliver your money in one to two business days, no matter what type of card it is. The retail person I know says that AmEx fees depend on how long you let AmEx keep your money: they let AmEx hold their money for 15 days, and pay between 2% and 3%.
But fees aside, anyone who has a bank account can take credit cards these days, and all you need is an iPhone or iPad (or a supported Android device, though frankly that looks a little painful). Little to no bulk, no landline, and the money goes into your linked bank account.
The big thing, as I see it, isn’t the merchant charges: it is the portability. Your credit card machine is your phone or tablet, and it fits in a trailer. Or in a pocket. And you don’t need anything else – you don’t even need a printer, you can just email receipts to your customers. (Okay, you might want a charging cable, depending on how good battery life is on your device. But other than that, nothing.)
You know that comment we made yesterday, about “Start writing or stop talking about it” being pretty good writing advice?