DEFCON 19 notes: day 1.

“Welcome and the Making of the DEF CON 19 Badge”: didn’t bother going. I don’t care much about the making of this year’s badge.

“WTF Happened to the Constitution?”: perfectly fine talk. Except for some of the case law theprez98 referenced, pretty much everything he covered was already familiar to me from “The Agitator” and “Hit and Run”. That’s not his fault, though, and I’m sure a lot of what he covered was new to the rest of the audience. I was also previously unaware of The Assault on Privacy, and will have to add that to my blogroll.

“From Printer To Pwnd”: This was a fun little talk, covering multi-function printers and the vulnerabilities they introduce into networks. Basically, people get sloppy with these devices and fail to do things like change default passwords; also, many of these devices have bugs in the embedded firmware. The presenter, Deral Heiland, demonstrated some interesting attack vectors: “malformed” URLs which allow you to bypass authentication on certain devices, “information leakage” attacks which allow you to get useful information (like passwords) out of the web admin pages, “forced browsing” attacks which allow you to grab device address books (which may also contain passwords), and “passback attacks” which trick the device into communicating with an attacker (for example, using LDAP configuration script testing). All of this culminated in the release of Praeda, an automated toolkit for attacking multi-function devices. The latest version can be found here: I don’t have a link to the slides, but will add one when I do.

“Black Ops of TCP/IP 2011”: You know how people talk about wanting the old funny Woody Allen back? This was the old funny Dan Kaminsky back; the guy who does deep arcane magic with TCP/IP packets and DNS.

His talk broke down roughly into three parts:

  1. Bitcoin. Short summary: Bitcoin is remarkably secure (“there are entire classes of bugs that are missing”) but it isn’t anonymous, and doesn’t scale well. Kaminsky found a way to basically build a file system on top of Bitcoin (BitCoinFS) and also outlined ways of breaking Bitcoin anonymity. In the process, Kaminsky also outlined a serious flaw with the Universal Plug and Play (UPNP) protocol used by many wireless routers.
  2. IP spoofing. Kaminsky was running a little behind (it took a while to fill the Penn and Teller theater) and was speeding through this portion of his talk. Rather than attempting to give detailed summaries of how all this stuff works at the low TCP/IP level, I’ll suggest you check out the slides.
  3. Net neutrality. Kaminsky’s developed two tools: N00ter and Roto-N00ter, designed to detect ISPs playing silly buggers with packets (for example, giving preference to packets destined for Bing over packets destined for Google).

“And That’s How I Lost My Eye”: the funniest panel I went to today. Deviant Ollam, Bruce Potter, and Shane Lawson wanted to see if it was possible to destroy a hard drive in less than 60 seconds such that the data was unrecoverable, without setting off alarms or damaging any nearby humans, and without spending a lot of money on something like the SEMShred.

Ollam took the explosives/incendiary part of the equation. His results can be summarized as: it might be possible to use explosives, especially the popular “boomerite” type explosives used in exploding targets, to destroy a hard drive. But playing around with explosives, especially when you’re activating them electronically, is a good way to attract the attention of unpleasant people with badges. Apparently, those same people have no problems with explosives triggered by a rifle bullet, so if you want to affix an M1A above your server with a ton of “boomerite” below, go ahead…

Chemical methods didn’t work out very well either. Cobalt isn’t highly reactive, and the type of acids that can quickly dissolve a hard drive platter aren’t easily available at Home Depot and don’t play well with people and other living things. There were a lot of slides of vats of acid doing nothing to hard drive platters.

It’s also hard to destroy a drive physically. Hole saws, spade bits, and grinders did nothing.

The presenters did discover that a combination of a salt solution and electricity could strip the plating off of ceramic platter drives. But that didn’t work on aluminum platter drives.

What finally did work was fire. Propane and MAPP gas (which you can’t get in the US any more) will melt aluminum, but it’s hard to apply those to a spinning drive and have it melt; the spinning drive tends to dissipate heat. The presenters were working on an automated solution involving a glow plug, propane, and an Arduino, but ran out of time before they could finish that project.

However, you don’t have to melt a drive to render it unreadable; you only have to heat it to the Curie point. That’s not quite as spectacular as a spinning drive throwing off chunks of molten aluminum, but it will work. (However, if I understand Wikipedia right, the Curie point of cobalt is 1100 degrees C, and the melting point of aluminum is 660 degrees C. So I’m not sure what that buys you.) I wonder:

  • Could you come up with some sort of inductive heating method for hard drives?
  • I also wonder, thinking about Deviant Ollam’s approach, what would happen if you fired a nail gun loaded with the right kind of nails into a spinning hard drive at close range? I wonder if Snoop ever tried that. (I also wonder if a nail gun at close range would trigger “boomerite”.)

“Key Impressioning”: I can’t give this panel a fair evaluation. In brief, impressioning consists of sticking a blank key into a lock, moving the blank up and down, removing it, noting where the lock pins hit the key, filing down the contact points, and repeating the process until all the pins reach the proper depth and you have a working key. The presenter gave a live demo of this process, and was impressively quick at it.

The problems I had with this panel were:

  • the camera that was set up for the demo did a poor job of showing the actual process.
  • the sound was off for over half the panel. Combined with the presenter’s accent, that left me able to make out about one out of every four words he said. I’m sure he’s an okay guy; I just couldn’t see what he was doing, or hear much of what he said.

6 Responses to “DEFCON 19 notes: day 1.”

  1. Shane says:

    Thanks for attending our talk! To shine a little light on your comments:

    The Curie point of cobalt doesn’t matter, that is only the coating over the ferrous plating on the aluminum substrate. On the second question, we discussed using the nail gun powered by .22 rounds, but did not push too much further down the path.

  2. stainles says:

    Shane:

    Thanks for the comments and clarifications. In case I didn’t make it sufficiently clear, I enjoyed the crap out of that panel. Thanks for doing it.

    Are your slides available anywhere online? I’ve searched but haven’t been able to find them, and I’d like to add a link.

  3. jos weyers says:

    The accent you are referring to is called English.
    A working PA should have made a difference in this situation.

    Sorry you seem to have disliked my talk. Too bad you choose not to opt for a seat within hearing distance.

  4. stainles says:

    Mr. Weyers:

    I neither liked nor disliked your talk; I simply wasn’t able to hear or see enough of it to have an informed opinion one way or the other. I apologize if that offends you.

    As far as my choosing not to take a seat where I could hear: as I’m sure you were aware of, the room was full for your talk, and by the time I arrived, I had to take the best seat I could find.

  5. […] Whipped Cream Difficulties blog This was a fun little talk, covering multi-function printers and the vulnerabilities they […]

  6. jos weyers says:

    I was not offended, just p*ssed about the sound situation.
    Apparently the mics worked fine, only the theater speakers seemed to be hacked.
    When the recordings get released it should be possible to actually hear me yelling 🙂

    For a more detailed view of the process there is a video at:
    http://www.youtube.com/watch?v=H-EFymCNlEU
    (which for some reason also happens to have some audio problems, just not as dramatic as at DefCon)

    Hope this helps.