DEFCON 20 notes: Day 1.

If you asked people to explain DEFCON, what would they say? Some might say: for those who understand, no explanation is necessary, for those who don’t, no explanation is possible.

Others might say that DEFCON is a mystery, wrapped in a riddle, inside… Enigma machine

(Not only did the National Cryptologic Museum bring that, they also were handing out (while supplies lasted) two really cool booklets: “The Cryptographic Mathematics of Enigma” and “Solving the Enigma: History of the Cryptanalytic Bombe”. The inside covers of both books claim they are available for free by sending a request: email me for the address, or try crypto_museum [at]

(I also got a kick out of the “NSA careers” cards they were handing out, mostly because it was the first buisness card I’ve ever seen with an embedded microfiber screen cleaner.)

Today’s schedule:

“Making Sense of Static – New Tools for Hacking GPS”: Pretty much what I expected from the description, but still a very good panel. The presenters have been doing a lot of work with systems that use GPS tracking, and they’ve run up against the limits of affordable off-the-shelf GPS hardware. There are all kinds of things you can’t do with retail GPS:

  • Experimenting with spoofing and jamming attacks is hard because you don’t have low-level hardware access to see what’s going on.
  • Implementing methods for dealing with poor signal environments, such as “urban canyons”, is also difficult.
  • You also don’t have access to the newer systems, such as GLONASS, Galileo, or Compass.
  • And it is hard to experiment with advanced positioning techniques.

Much of the presentation was devoted to a detailed account of exactly how GPS calculates positions on Earth, and what some of the limitations of those calculations are. If I were to attempt to summarize this, I’d be doing from memory and likely get much of it wrong, so instead I’ll point to the Wikipedia entry which covers the same material (including the use of Gold codes to distinguish each GPS satellite).

All of this led up to two products:

  • libswiftnav, which is a lightweight, fast, and portable set of tools for building a GPS receiver. The nice thing about libswiftnav, according to the authors, is that it will run on microcontrollers and other relatively wimpy hardware.
  • Piksi, a hardware implementation that uses libswiftnav and overcomes a lot of the limitations outlined previously: it can do highly accurate positioning, very fast updating, and supports other positioning systems.

The presenters have stated that their presentation should be available at the Swift-Nav site as soon as they have a chance to upload it.

I missed the “Not So Super Notes, How Well Does US Dollar Note Security Prevent Counterfeiting?” session simply because the clock got away from me. If I can find the presentation online, I will link to it.

I wasn’t able to get into the “How to Hack VMware vCenter Server in 60 Seconds” session for reasons of it being held in a room way too small for everyone who wanted to get in. This seems to be a version of the presentation from another conference. I’ve only given it a quick skim, but it looks very interesting indeed.

Bypassing Endpoint Security for $20 or Less” wasn’t quite what I had expected, but it paid off. The basic idea behind this panel was that there’s an increasing emphasis on keeping people from walking out of the office with sensitive data on USB mass storage devices; some companies use software that allows only known and approved devices to connect over USB.

So how do you know if a device is known and approved? Much of the presentation dealt with specifics of how USB, and especially USB mass storage, works. The short answer is that everything depends on “endpoints” (which are sort of “virtual wires” for USB connections) and “descriptors” (which provide information about the device). USB devices identify themselves through a combination VID/PID as part of the protocol, so if you can spoof the VID/PID, you can pretend to be an already authorized device.

Which is what the presenter’s hardware does, for less than $20. I haven’t found the presentation online, but the presenter swears the hardware schematics etc. will be available on github under “usb-impersonator” as soon as he gets around to updating the repository (which he promises will be real soon now).

Edited to add 7/28: Two points in this presentation that I wanted to mention but forgot to last night.

  1. Windows doesn’t see anything but the first LUN on USB mass storage devices. So if you want to hide something on a flash drive from a Windows user, partitioning the drive is a good way of doing that.
  2. If you run modprobe usbmon (this may require running as root) and then fire up Wireshark, wonder of wonders, you get a whole bunch of USB bus devices available as Wireshark interfaces. This is something I want to play with more when I have time: I’ll probably post some Wireshark capture files showing what happens when a device is inserted.

Edited to add: Added link to Phil Polestra’s blog entry, which contains links to the slides and the code, 8/1/2012.

The last presentation I went to was “Safes and Containers – Insecurity Design Excellence”. This is one that’s already gotten a fair amount of attention: a friend of mine emailed me a link to this Forbes article by one of the presenters that neatly recaps the whole thing (including their videos).

Basically, many popular gun safes, especially ones made by the Stack-On corporation, are insecure and can be opened with paper clips, drinking straws, pieces of brass purchased at a hardware store,..or by just simply lifting up the safe and dropping it a few inches.

Why is this? The presenters argue that the people who make these safes don’t come from a culture that says to itself “Okay, I’ve built this safe. Now how can I bypass the mechanism and get in?” Quoting: “Engineers know how to make things work, but not how to break them.” Many of these safes are imported from China and are made as cheaply as possible, which complicates things even more.

There’s also an attitude of “my product meets the standards, so up yours”. The California Department of Justice has standards for gun safes, and these products all meet those standards. However, the CDOJ standards do not involve any kind of realistic tests of the product, such as turning it over to a five-year-old and telling him there’s candy inside.

My one issue with this presentation is that the authors seem to view gun safes as the most important part of protecting your kids from guns; thus they believe safes need to be stronger. I can agree with this, but as I see it, safes should be a last resort, not the primary means of protection. I grew up in a house with guns, and I was never tempted to mess with any of them because my parents raised me properly (and because I knew I’d be beaten bloody if I did mess with them). Age-appropriate training (such as the NRA’s “Eddie the Eagle” program) combined with appropriate physical security (what was that gun safe doing where a three-year old had physical access to it, anyway?), combined with safes that actually do what they’re supposed to do, constitutes a layered defense, and one that works better than just relying on cheaply made Chinese junk.

And so to bed. I’m tired, and stuff hasn’t been working right all night. Project e just shut itself down in the middle of this post, the Kindle’s battery was deeply discharged and I had to wait for it, and dinner was not that great. (More about that later on.)

3 Responses to “DEFCON 20 notes: Day 1.”

  1. Brian Dunbar says:

    or by just simply lifting up the safe and dropping it a few inches.

    Hey .. _I’ve_ got a Stack-On.

    I’m okay with this. Especially if the model I’ve got will fail the drop test.

    Like this: Murphy’s Law implies that when I really need to get in it, I’m going to need to get in there real bad. And the key is not going to be where I have explicitly tucked it away.

    Dropping that sucker on the floor, extracting a pistol from the ruins of the safe … that’s not a bad backup to have.

  2. […] Whipped Cream Difficulties "Something has gone seriously awry with this Court’s interpretation of the Constitution." « DEFCON 20 notes: Day 1. […]

  3. […] two NSA pamphlets I mentioned previously, “Solving the Enigma – History of the Cryptanalytic Bombe” and “The […]