Archive for July, 2012

After action report: Las Vegas, NV 2012.

Tuesday, July 31st, 2012

I don’t have much new to report as far as equipment, but I do have a couple of notes on existing stuff. DEFCON for the past few years has run a “secure” network using MSCHAPv2 authentication.

  1. This worked fine on the Kindle Fire. I was able to log in and browse whenever the network was working. However, there seems to be some sort of bug in the Kindle Fire: after a certain amount of time, the wifi setting on the Fire would either stop responding completely (on/off switch wouldn’t do anything) or would immediately crash (with an error message) as soon as I tried to open the setting.
  2. The default Network Manager on Ubuntu 12.04 would not connect to the “secure” network at all, but just constantly brought up the authentication prompt. Google turned up more than a few reports of Ubuntu issues with Network Manager and MS-CHAPv2 authenticated networks, so it seems this is a known issue. I worked around this by downloading and installing wicd, which was able to connect. However, wicd does not appear to save network settings, so every time I wanted to connect to the network, I had to re-enter the configuration.

(In general, I’m seeing more and more problems with project e and Ubuntu 12.04. I suspect some of these may be issues caused by doing several upgrade installs in succession, so I may try doing a backup of /home, reformatting project e, and doing a scratch install and restore of 12.04.)

Food: I had excellent meals at Lotus of Siam (the sea bass drunken noodles) and at Piero’s Italian Cuisine, which is a very old-school Italian restaurant near the convention center.

That was some swell osso bucco. And I don’t think I paid much more for it than I paid for osso bucco at Ciola’s when they were still open.

I also broke with one of my rules and went back to Shabu Shabu Paradise again. In my defense:

  1. I really like these people and want them to be enormously successful.
  2. I haven’t been there since my last trip with Andrew and Mike the Musicologist.
  3. I kind of have a tiny little crush on the waitress. Who, by the way, recognized me from my previous visits, even though I was clean-shaven last time. (I think she’s married to the chef, so nothing’s going to come of that.)

I also had a good meal at Mint Indian Bistro, and very good breakfasts at Blueberry Hill on Flamingo and The Egg and I on Sahara. (The rule doesn’t apply to breakfast, as it is very very hard to find good breakfast places that aren’t casino buffets, Denny’s, or IHOPs in Vegas. If anybody does have a recommendation for a good breakfast place in Las Vegas, please feel free to drop it into the comments.)

I’ve been driving past Hofbräuhaus Las Vegas for years now, considering giving them a try and then not going after all. This time, thanks to Tam inspiring a German food craving in me, I thought I’d give it a shot. The verdict: meh. It wasn’t a horrible meal. The service was pleasant and efficient. But it seemed like I paid a fair amount of money for pretty average food. Walburg is better and cheaper and really not that bad a drive if I go there from work. (You’d be hard-pressed to spend $50+ at Walburg without either being too full to move or too drunk to drive.)

I drove past Flavor Flav’s House of Flavor several times (it is very close to my preferred ATM in Las Vegas, which, in turn, is far enough away from DEFCON that I’m not any more paranoid than usual about using that ATM), and I regret not getting a photo.

I did get some photos (but they didn’t come out well) of “Lynyrd Skynyrd BBQ & Beer”. BBQ and beer? I can haz both?

(By the way, I was never offered a full can of soda on any of my Southwest flights. But I did get a full can of drinking water between PHX and AUS.)

Thanks to: Everyone at DEFCON 20 (staff, goons, presenters, and attendees), the folks at Shabu Shabu Paradise, Lotus of Siam, the Egg and I, Blueberry Hill, and Mint Indian Bistro, the Mob Museum, Amber Unicorn Books, Greyhound’s Books, Borepatch for linky-love, and anyone else I missed.

Banana republicans watch: July 31, 2012.

Tuesday, July 31st, 2012

I apologize: things were so hectic while I was away that I kind of let the banana republicans slip. I don’t think there was much that went on while I was in Las Vegas, anyway. But now that I’m back…

…this LAT story is kind of confusingly written, but it looks like Angel Perales of Cudahy, the “former head of code enforcement”, has pled guilty. Osvaldo “Bimbo and the Badge” Conde and former mayor David Silva are pleading Thursday.

Perales could receive a maximum sentence of 30 years in prison and a $500,000 fine.

And Louis Byrd and Fernando Pedroza, former council members in the city of Lynwood…

…were found guilty of misappropriating public funds following a month-long trial in which prosecutors used a novel legal argument that the officials broke the law by accepting tens of thousands of dollars in stipends for sitting on city commissions that appeared to do little, if any, work.

According to the LAT, this was the first test of this argument, but the LA County DA’s office is expected to use this same approach against the city officials in Bell. Also:

In addition to taking aim at the salaries, prosecutors argued that the former council members also abused their position by charging inappropriate bills to the city. Among the most salacious charges: a $1,500 night out at a Guadalajara strip club, where dancers allegedly performed sexual favors for Pedroza and the then-city manager.

Strippers. Always with the strippers.

Quote of the day.

Tuesday, July 31st, 2012

“I am a martini man, myself. Over six weeks we used up forty-six bottles of gin and a little less than half a bottle of vermouth. I like martinis dry.”
—Robert Ruark, Horn of the Hunter

(In case you were wondering, 46 bottles over six weeks works out to seven and 2/3rds bottles a week, or a little over a bottle of gin a day. That’s split three ways, though: Ruark, his wife, and their guide. Figuring 750 ml bottles, that’s close to 9.2 ounces of gin a day each. Ruark mentions at one point that they kill the bottle with three drinks each, so that’s something like three ounces of gin per drink. Plus unknown amounts of beer and brandy.)

(I enjoy reading Ruark. I wish more of his work were still in print; I found Horn at one of those used bookstores in Vegas, and spent downtime during the trip reading it.

But I get a funny feeling whenever Ruark talks about drinking, like in the last two chapters of The Old Man and the Boy, or as he does a few paragraphs later in Horn: “I can drink two bottles of wine at lunch in Rome or Paris or Madrid, top it off with three brandies, and feel marvelous all day. A glass of wine at lunch, two glasses at dinner, in New York, would keep me in bed with the miseries for half a week.”)

(This is, of course, a man who would die at 49 of “complications of cirrhosis of the liver”.)

Hold me closer, tiny dancer. Count the headlights on the highway…

Tuesday, July 31st, 2012

Police say an officer had to swerve to avoid a woman who was dancing in the middle of the road overnight.

Obit watch: July 31, 2012.

Tuesday, July 31st, 2012

Chris Marker, filmmaker perhaps best known for his short “La Jetée”.

DEFCON 20 notes: day 3, part 2.

Monday, July 30th, 2012

Where were we? Oh, yes: The Day of the Router.

(That’d be a good title for a movie. Maybe one about penetration testers. Hmmmm…a pen tester accidentally finds a vulnerability in the wrong system, and the bad guys want to shut him up?)

But I digress.

First in our router trilogy is Michael Coppola’s “Owning the Network: Adventures in Router Rootkits”. (First link goes to his blog, second link goes to the presentation.)

Coppola has been working on altered versions of firmware for popular routers: “altered” in the sense that the firmware contains useful exploits. (“But how do you get the firmware on the router?” Well, there are well-known cross-site scripting attacks on router configuration pages: as I recall, that was the subject of a DEFCON presentation, but I don’t have time to dig out which one right now. When I get back, I’ll add a link. In addition, how many people leave their router login/password set to defaults? Too many.)

Coppola specifically attacked these routers:

  • Netgear WNR1000v3.
  • Netgear WGR614v9.
  • Belkin FD57230
  • Trendnet TEW652BRP 3.2r

And there’s a simple five-step process:

How much would you pay for all this? But wait, there’s more! The end result of Coppola’s work is rpef, a framework that automates much of this process. You point it at a firmware image, tell it what exploit you want to use and where to save the modified image…and it generates a new firmware binary for you, ready to upload to your favorite router. Isn’t that a clever cleaver?

(At the moment, rpef only supports a limited number of routers. I suspect if this takes off, the number of supported routers in rpef will expand dramatically.)

Second up on the router hit parade was FX with “Hacking [redacted] Routers”. The [redacted] in this case is Huawei, a large Chinese manufacturer of routers, and the short version of this talk is that their routers are crap. They have no known product security group, they do not issue security advisories, the quality of their code is poor, important ports (SSH, FTP, HTTP) are open by default (and you can access the flash file system by FTP), their OpenSSH implementation is a rewrite from scratch and is broken…

…and it is possible with a simple script to hijack a remote session to the router, there are built-in functions that allow execution of commands from the command line interface with no privilege checks…

…and there’s a heap overflow bug (which the presenters spent a great deal of time explaining) that allows you root on the router. Whew. I think that just about covers it. Luckily, in my opinion, Huawei routers are mostly used in other countries, and I can’t get very upset about those countries having their routers hacked. (What’s the worst case scenario? Less Chinese spam?)

(I can’t find FX’s presentation, and it isn’t on the DEFCON DVD. I’ll link to it when I can find it. Link added 8/1/2012.)

(Interestingly, these first two router panels were so popular, they had to move FX’s panel to a larger room to accommodate the people who wanted to see it. And I think there were still people who didn’t get in.)

Finally, we have “SQL Injection to MIPS Overflows: Rooting SOHO Routers” by Zachary Cutlip. (Link goes to a version of this talk he gave at Black Hat.)

The short summary here is that Cutlip attacked a specific router, the Netgear WNDR3700 v3. This is a highly popular router: as a matter of fact, WCD uses the v2 version of this router (reflashed with DD-WRT firmware) in our home office. One of the interesting aspects of this router is that it has DLNA support, so you can use it to serve things like music and movies. (It has an external USB port for connecting drives.)

As it turns out:

  1. As part of the DLNA setup, the router runs SQLite. (Apparently, it keeps a database of album art for DLNA device display purposes.)
  2. You probably already guessed this, but the implementation on the router is vulnerable to SQL injection attacks.
  3. You can leverage SQL injection and grab the router’s password file, or other arbitrary files from the running router.
  4. You can also leverage this to force a buffer overflow and run arbitrary code on the device.

Cutlip’s paper contains example Python code for implementing these attacks.
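The pattern in items 2 and 3, with the fix beside it, as an added example (not Cutlip's code and not the router's firmware): a lookup that builds its SQLite query by string formatting lets the request choose the file path that comes back, while a validated, parameterized lookup does not. The table layout, function names, directory and hostile input are all constructed for illustration.

```python
import os
import sqlite3

ART_DIR = "/media/art"  # hypothetical directory the server is meant to serve from

# Constructed hostile request value: it appends a second SELECT to the query.
HOSTILE_ID = "0 UNION SELECT '/constructed/outside/secret.txt'"


def make_db():
    """Constructed stand-in for an album-art database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE album_art (id INTEGER PRIMARY KEY, path TEXT)")
    db.execute("INSERT INTO album_art VALUES (1, '/media/art/cover1.jpg')")
    return db


def lookup_vulnerable(db, art_id):
    """BEFORE: the request text is pasted straight into the SQL statement,
    so whatever the query returns is treated as a file path to serve."""
    query = "SELECT path FROM album_art WHERE id = %s" % art_id
    row = db.execute(query).fetchone()
    return row[0] if row else None


def lookup_hardened(db, art_id):
    """AFTER: validate the id, bind it as a parameter, confine the result."""
    # 1. The id must be a short run of ASCII digits and nothing else.
    if not (art_id.isascii() and art_id.isdigit() and len(art_id) <= 9):
        return None
    # 2. Bound parameter: the value can never change the statement's shape.
    row = db.execute(
        "SELECT path FROM album_art WHERE id = ?", (int(art_id),)
    ).fetchone()
    if row is None:
        return None
    # 3. Defence in depth: only serve files that live under ART_DIR.
    path = os.path.normpath(row[0])
    if not os.path.isabs(path) or os.path.commonpath([path, ART_DIR]) != ART_DIR:
        return None
    return path


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, "normal :", fn(db, "1"))
        print(name, "hostile:", fn(db, HOSTILE_ID))
```

The path check in step 3 matters even with the parameterized query in place, because it still holds if a row in the database itself has been tampered with.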

I totally spaced on the “Hacking the GoogleTV” panel and spent the last few hours trolling the dealer’s room for bargains. I did pick up a few things which I may discuss in more detail later. Or maybe not. It depends.

I don’t have a lot to say about the closing ceremonies, with one exception. DEFCON admission this year was $200: during the ceremonies, Dark Tangent stated that they had intended to raise the cost for this year only, to cover all the awesome stuff they wanted to do for DEFCON 20. Their plan was to roll the price back next year, but Dark Tangent found people were asking them how they were going to top this year…

…and he polled the audience to find out if they thought the $200 was a good value for the money. Overwhelming audience sentiment seemed to be that the $200 price tag was not too high, considering what folks got out of DEFCON. And Dark Tangent seems to be serious about getting Kraftwerk to do a concert next year.

I’m going to wrap things here. In the next day or two, I will probably be doing an after-action report, covering Vegas in general and some additional DEFCON odds and ends. I also will be posting updates as I find people’s presentations online, and as folks put them up.

As always, I welcome comments from presenters. I want to say that this year, I did not see a single panel that disappointed me; I liked every single panel I was able to get into.

Also, I want to make note of a thought from dinner tonight with some friends of mine. This may very well be a research idea for next year’s DEFCON.

So we all know how flash memory works, and that if you do repeated write/erase cycles, you’ll wear out your flash. We also know that manufacturers have implemented wear leveling to get around this.

Questions.

  1. Is it possible to bypass wear leveling on flash devices? Can you write software that does write/erase operations to specific flash memory locations?
  2. Can you write software that will do repeated write/erase cycles on flash memory devices and make those devices forensically useless? Similar to the old “three pass overwrite” for hard drives?

I don’t know the answers (as I said, this came up at dinner literally two hours after my plane got in) but it seems like a possible area for exploration. I need to go back through my DEFCON archives, as I have a vague memory of someone doing a presentation on flash memory forensics.

(Also, I’m sorry it took so long to get this post up. I finished about 2/3rds of it in the Las Vegas airport, had a very tight connection in Phoenix (literally running to the plane and arriving just seconds before boarding started), got in, wrote most of the last third, and am now going to have a cold beverage and (I hope) about eight hours of sleep.)

DEFCON 20 notes: day 3, part 1.

Monday, July 30th, 2012

The secret word for the day, boys and girls, is “routers”.

But first, a couple of pictures for my great and good friend Borepatch:

The Matt Blaze Security Bingo Card. (I hope folks can read it: I took that with a cell phone camera from the front row, so I didn’t have a great angle on it.)

And:

A gentleman in the hallway was kind enough to let me take a photo of his DEFCON Shoot shirt.

Speaking of Matt Blaze…

“SIGINT and Traffic Analysis for the Rest of Us” presented by Matt Blaze and Sandy Clark, and crediting a host of other folks.

For the past few years, Blaze and company have been working on APCO Project 25, or P25 for short. P25 is planned to be the next generation of public safety radio, and is intended to be a “drop-in” replacement for analog FM systems. Cryptographic security is built into P25: it uses symmetric algorithms and supports standard cryptographic protocols. All of this sounds great.

But there are a whole bunch of problems with this.

Encryption in P25 doesn’t work very well a significant portion of the time. There are user interface issues; on some radios, the “crypto” switch is in an obscure location, and the display doesn’t make it clear if encryption is on or off. Keys can’t be changed in the field; changing keys requires loading the radio in advance using a special device, or sending keys over the air (“Over The Air Rekeying”, or “OTAR”, which sometimes doesn’t work).

One important point is that the “sender” makes all the decisions: whether the traffic is encrypted, what encryption mode is used, what key is used, etc. The “receiver” doesn’t get to decide anything. If the “sender” sends in cleartext, either deliberately or by mistake, the “receiver” decodes it, automatically and transparently to the user. If the “sender” sends an encrypted message, the “receiver” first checks to make sure it has the proper key, then either decrypts the message or ignores it (if the “receiver” doesn’t have the key).

I feel like I am cheating a little here, but even Matt Blaze at this point in his talk recommended going and reading the group’s paper from last year, “Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System” for additional background.

But wait, there’s more! We have encryption, but do we have authentication? Do we know that the radios on our network are actually valid radios? Heck no! The radios transmit a “Unit ID” which is not authenticated, and which is never encrypted, even if the radio has encryption turned on. Just knowing the unit IDs lets you do some interesting stuff: you could, for example, set up two radios, do some direction finding on the received signals with the user IDs, and build a map of where the users are.

Even better: if you send a malformed OTAR request, the radios treat it like a UNIX “ping” and respond back with their Unit ID, even if they’re idle, and without the user ever knowing.

More: P25 uses aggressive error correction. But there’s a hole in the scheme; you can jam what’s called the “NID”, which is part of the P25 transmission, and render the transmissions unreadable. The Blaze group actually built a working jammer by flashing custom firmware onto the “GirlTech IM-Me”. (That was the cheapest way to get the TI radio chip they wanted to use.) You could use this to jam the NID in encrypted P25 traffic only, thus forcing cleartext on the users…

And even more: the basic problem with P25 and cryptographic security is usability. Every time an agency rekeys, someone is without keys for a period of time. Blaze mentioned the classic paper, “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0”, and pointed out that many of the mistakes mentioned in that paper were repeated in designing P25.

How bad is the keying problem? Bad enough that agencies frequently transmit in cleartext, due to key management issues. (“NSA Rule Number 1: Look for cleartext.”) How frequently? Blaze and his group, for the past several years, have been running a monitoring network in several (unnamed) cities, recording cleartext P25 traffic and measuring how often this happens. About 20-30 minutes per day, by their estimate, of radio traffic is transmitted in unintended cleartext. And that traffic can contain sensitive information, like the names of informants.

Even if most of the traffic is encrypted, remember that the Unit IDs aren’t. So you’re getting some clear metadata traffic, which at the very least is useful for making inferences about what might be going on. (Zendian Problem, anyone?)

(If you’re monitoring P25 traffic, according to Blaze, the phrase you want to look for is “Okay, everyone, here’s the plan.”)

And what is the P25 community response to this? According to Blaze, the Feds have been very responsive and appreciate him pointing out the problem. The P25 standards people, on the other hand, claim Blaze is totally wrong, and that the problem is with the stupid users who can’t work crypto properly.

(This entry on Matt Blaze’s blog covers, as best I can tell, almost everything that was in his presentation. I haven’t found a copy of the actual presentation yet, but this should do to ride the river with.)

So it is getting late here, and I have to catch a plane early-ish in the morning. I think what I’m going to do is stop here for now, and try to get summaries of the three router panels up tomorrow while I’m waiting for my flight.

DEFCON 20 notes: day 2.

Sunday, July 29th, 2012

Note: I’ve updated the day 1 notes with a couple of things I forgot to include last night.

“Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2”: MS-CHAPv2 is a wildly popular authentication protocol. For example, DEFCON’s “secure” network uses MS-CHAPv2. People have been attacking CHAP for a while now, but most of the attacks are dictionary attacks, where you use asleap and throw a word list at it, hoping the user picked a weak password.

So is MS-CHAPv2 security password dependent? That’s a reasonable assumption, but not true.

If you look at the details of the MS-CHAPv2 handshake (Moxie had a good visualization, which I can’t find online or I’d link to it here) there’s only one unknown: the MD4 hash of the user’s password. Everything else is sent in the clear, or can be derived from known information.

MS-CHAP does a series of three DES encryptions on the user password. But it isn’t 3DES: it is just three DES encryptions with three keys. One of those keys is padded so it is really only two bytes, which makes it easy to crack. The other two encryptions use the same plaintext; the end result is that the complexity of cracking MS-CHAP DES reduces to about the same as normal 56-bit DES, 2 to the 56th power.

Enter the folks at Pico Computing, about whom I have written before. Pico built a machine with 48 FPGA chips, each with 40 cores running at 450 MHz, to attack DES. This machine can search the whole keyspace in about 23 hours. And Pico has come up with some clever optimizations for the FPGAs: preconfiguring memory, reducing the bus down to “key found/key not found” (since searching the keyspace is linear, if you know when the bus went to “key found”, you can figure out what the key is), and possibly just using JTAG instead of a bus.
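The key structure described above, as an added example (not code from the talk, from chapcrack, or from the original post). It follows the ChallengeResponse layout in RFC 2759 but swaps DES for a stand-in keyed function (truncated HMAC-SHA256) so it runs on the standard library alone; the sample hash and challenge are constructed, and the timing figure assumes each FPGA core tests one key per clock cycle.

```python
import hashlib
import hmac

# Constructed sample values (not from a real capture).
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # stands in for MD4(password)
CHALLENGE_HASH = bytes.fromhex("0102030405060708")           # 8-byte plaintext shared by all three blocks


def split_keys(nt_hash):
    """Zero-pad the 16-byte hash to 21 bytes and cut it into three
    7-byte (56-bit) keys, as RFC 2759 ChallengeResponse does."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return [padded[0:7], padded[7:14], padded[14:21]]


def block_encrypt(key7, block8):
    """STAND-IN for single DES (assumption for this demo): truncated HMAC-SHA256.
    Only the key/plaintext layout matters here, not the cipher itself."""
    return hmac.new(key7, block8, hashlib.sha256).digest()[:8]


def challenge_response(nt_hash, challenge_hash):
    """24-byte response: the same 8-byte plaintext under three independent keys."""
    return b"".join(block_encrypt(k, challenge_hash) for k in split_keys(nt_hash))


def recover_third_key_bytes(challenge_hash, response):
    """The third key is 2 unknown bytes followed by 5 known zero bytes,
    so only 65,536 candidates exist regardless of the password."""
    target = response[16:24]
    for guess in range(1 << 16):
        key = guess.to_bytes(2, "big") + b"\x00" * 5
        if hmac.compare_digest(block_encrypt(key, challenge_hash), target):
            return key[:2]
    return None


def search_space():
    """Work factors implied by the layout above."""
    return {
        "third_key": 2 ** 16,
        # Keys 1 and 2 encrypt the same plaintext, so one trial encryption per
        # candidate key can be compared against both ciphertext blocks at once.
        "first_two_keys_single_pass": 2 ** 56,
        "if_hash_were_one_128_bit_secret": 2 ** 128,
    }


def exhaustive_search_hours(chips=48, cores=40, clock_hz=450_000_000):
    """Worst-case time to walk the 2**56 keyspace on the machine described
    in the post (assumption: one key tested per core per clock cycle)."""
    keys_per_second = chips * cores * clock_hz
    return 2 ** 56 / keys_per_second / 3600


if __name__ == "__main__":
    resp = challenge_response(NT_HASH, CHALLENGE_HASH)
    print("third key bytes:", recover_third_key_bytes(CHALLENGE_HASH, resp).hex())
    print("search space   :", search_space())
    print("hours for 2^56 : %.1f" % exhaustive_search_hours())
```

Because the search is over keys rather than passwords, a long or random passphrase does not raise any of these figures.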

“So what,” you say. “I don’t have a single FPGA, let alone 48 of them.”

Enter chapcrack. Do a packet capture, point chapcrack at it, and chapcrack will pull out the MS-CHAP handshake, in a handy form which you can submit to…

CloudCracker.com, which now supports MS-CHAPv2 attacks. Estimated turn-around time is one day. Woo hoo woo hoo hoo.

(Edited to add: Added a link to a blog post by Moxie Marlinspike summarizing his and David Hulton’s (of Pico Computing) presentation 8/1/2012.)

“Exploit Archaeology: Raiders of the Lost Payphones”: More of a fun panel than a practical one, covering all the stuff the presenter went through to find documentation and tools for an old Elcotel payphone he was given. Among other things:

  • The upper housing lock (which covers the internal phone mechanism, including the reset to defaults button) is a relatively easy to pick 3-pin lock (with “anti-impressioning divots”).
  • The lower housing (where the money is stored) is a much harder to pick 4-pin lock. But the presenter got lucky…
  • You also need a special tool, called a T-wrench, to do certain things. The presenter was able to improvise one…

So once you’ve got a payphone, what can you do with it? You can hook it to an ATA and connect to an Asterisk system, and have some fun that way. (The presenter pointed out that by law, 911 calls are required to be free. So he had some fun connecting the payphone to his Asterisk system, and configuring it so dialing 911 on the payphone got an outside line through Asterisk.)

Anyway, it turns out that there are three ways to program/reprogram these phones: there was specialized software available (Elcotel has been out of business for years, but the presenter managed to get a copy of the software, crack it, and get it running), local telemetry (where you open up the upper housing, reset the phone, and let it guide you through voice prompts for reprogramming), or remote telemetry (the phone has a modem). VOIP, by the way, is not well suited to modems.

Some notes:

  • these phones have a default ID of 9999
  • a default password of 99999999
  • a secondary password of 88888888
  • The phone ID is generally set to the last four digits of the phone number.
  • And the passwords are frequently left at the default.

There’s some other fun stuff you can do with an old payphone. For example, the presenter managed to rig up his phone, a Pwn Plug, and some custom scripting into a system that allows you to run Nmap port scans over the phone. But I’ll leave details of that for his presentation when he puts it up.

“Into the Droid: Gaining Access to Android User Data”: Excellent presentation covering some of the ways you can get user data out of an Android device, even if it is locked or encrypted. For example:

  • you can use the abootimg tool to create a custom boot image, intercept the phone’s bootloader, and force it to use your image.
  • Special USB debug cables work on some devices.
  • The salt for the lockscreen and system passwords can be pulled out of specific locations on the device and cracked with something like oclhashcat-lite. (See the presentation for specific details on where the salt and key are located.)
  • Applications with no permissions can still create a root shell and send information back to an end user (by hiding data in URL parameters, for example).
  • There’s a specific distribution, Santoku Linux, designed for mobile device forensics (both iOS and Android). This is a work in progress, per the presenter…

(While I’m at it, let me say that I’m really impressed with viaForensics, especially their presentation page. Not only did they have the DEFCON presentation up, but it looks like there’s a lot of other good stuff there as well. I’m particularly interested in “iPhone Forensics with free and/or open source tools” and the “Android Forensics Training Presentation”.)

“Off Grid Communications with Android – Meshing the Mobile World”: Solid presentation discussing the Android networking stack, hacking the stack and flipping chipsets into ad-hoc mode, and network routing algorithms. End result: the SPAN project on github, which provides open-source tools for Android mesh networks. (There’s also a paper in that repository that covers the same ground as the presentation, including sexy diagrams of the Android network stack.)

“The Safety Dance – Wardriving the Public Safety Band”: Basically: public safety providers are moving into the 4.9 GHz band. And it is possible to monitor their traffic using equipment bought for cheap off eBay, or equipment that, with the right drivers, can be tuned down to 4.9 GHz. One of the presenters has a blog entry here that covers some of what was in the presentation, and the github repository of their patched drivers, etc. can be found here.

I missed Kaminsky’s “Black Ops” presentation for reasons of the Penn and Teller theater being full, and I can’t find it online (yet). So I wandered over to Renderman’s “Hacker + Airplanes = No Good Can Come Of This” and got there a little late; late enough, as it turned out, that I missed Renderman observing that he was constantly being scheduled on panels opposite Kaminsky, and darn it, he’d really like to see a Kaminsky panel.

But I digress.

So have you ever wondered how things like PlaneFinder work? As part of the government’s efforts to bring air traffic control into the 20th Century, they’ve implemented something called ADS-B. Planes equipped with ADS-B transmitters send out data (such as their aircraft ID, altitude, GPS coordinates, bearing, and speed), which is picked up by ground stations and fed into the systems that feed PlaneFinder and other such sites. There’s two types: ADS-B Out, which is sent automatically as a broadcast, and ADS-B In, which allows planes to listen to each other’s ADS-B Out broadcasts, so that (in theory) they’re aware of each other without needing air traffic control.

(According to the presentation that followed Renderman, ADS-B is at about 70% penetration for commercial aircraft, and much lower for general aviation. The government’s goal is to have the majority of traffic on the system by 2020.)

When does this get interesting? Right about now. First of all, anyone can build a ground station and receive ADS-B broadcasts. Renderman has. (I understand there’s been quite a bit of work on using cheap-ass USB digital TV tuners as ADS-B receivers.) That gets you access to the flight data going over your head.

But wait, there’s more! ADS-B has no authentication and no encryption built in. That means anyone with the proper equipment (a radio that transmits at 1090 MHz) can spoof ADS-B broadcasts.

Remember the part above about how planes could use ADS-B to keep track of each other’s positions, bypassing ATC? Have you booked your Amtrak ticket yet?

As ADS-B usage grows, attacks are likely to become more disruptive. What happens if someone starts jamming ADS-B signals? Or inserting fake flight data? Or has the same fake plane in two places at once? The official response, according to Renderman, boils down to “trust us”. “Us” being the same folks who brought you Operation Fast and Furious. Pull the other one, guys; it has bells on.

Edited to add: Link to Renderman’s slides for this presentation added 8/1/2012.

“Busting the BARR: Tracking ‘Untrackable’ Private Aircraft for Fun & Profit”: A semi-related panel to Renderman’s. So how does PlaneFinder get the data that comes from ADS-B broadcasts? The FAA has a feed (called ASDI: Aircraft Situation Display to Industry); they’ll send you the data in XML format, and you can parse it and display it and hug it and squeeze it and call it George, if you want.

However, the FAA also has something called the “Block Aircraft Registration Request”. If you’re someone who doesn’t want their flight information made public, you can put your aircraft on the BARR list. This doesn’t strip your data out of the ASDI feed; that’s still there, but sites that use ASDI (like FlightAware) can’t display information for flights on the BARR. (If you want to subscribe to the ASDI feed, write an XML parser, and be notified every time Jay Z’s plane takes off and lands, more power to you. You just can’t share that information with others.)

So how did the presenters work around that? Their project basically comes down to:

  1. Monitoring LiveATC.net and downloading ATC communications.
  2. Using speech recognition to pull out flight information (such as tail numbers of planes).
  3. Profit. Or in this case, OpenBARR.net, which is still in testing.

That was enough excitement for one day. I seriously thought about entering the DEFCON Beard Competition, but I couldn’t tell if there was a cash prize and I don’t want the IOC revoking my status as an amateur.

DEFCON 20 notes: Day 1.

Saturday, July 28th, 2012

If you asked people to explain DEFCON, what would they say? Some might say: for those who understand, no explanation is necessary, for those who don’t, no explanation is possible.

Others might say that DEFCON is a mystery, wrapped in a riddle, inside…

...an Enigma machine

(Not only did the National Cryptologic Museum bring that, they also were handing out (while supplies lasted) two really cool booklets: “The Cryptographic Mathematics of Enigma” and “Solving the Enigma: History of the Cryptanalytic Bombe”. The inside covers of both books claim they are available for free by sending a request: email me for the address, or try crypto_museum [at] nsa.gov.)

(I also got a kick out of the “NSA careers” cards they were handing out, mostly because it was the first business card I’ve ever seen with an embedded microfiber screen cleaner.)

Today’s schedule:

“Making Sense of Static – New Tools for Hacking GPS”: Pretty much what I expected from the description, but still a very good panel. The presenters have been doing a lot of work with systems that use GPS tracking, and they’ve run up against the limits of affordable off-the-shelf GPS hardware. There are all kinds of things you can’t do with retail GPS:

  • Experimenting with spoofing and jamming attacks is hard because you don’t have low-level hardware access to see what’s going on.
  • Implementing methods for dealing with poor signal environments, such as “urban canyons”, is also difficult.
  • You also don’t have access to the newer systems, such as GLONASS, Galileo, or Compass.
  • And it is hard to experiment with advanced positioning techniques.

Much of the presentation was devoted to a detailed account of exactly how GPS calculates positions on Earth, and what some of the limitations of those calculations are. If I were to attempt to summarize this, I’d be doing it from memory and would likely get much of it wrong, so instead I’ll point to the Wikipedia entry which covers the same material (including the use of Gold codes to distinguish each GPS satellite).

All of this led up to two products:

  • libswiftnav, which is a lightweight, fast, and portable set of tools for building a GPS receiver. The nice thing about libswiftnav, according to the authors, is that it will run on microcontrollers and other relatively wimpy hardware.
  • Piksi, a hardware implementation that uses libswiftnav and overcomes a lot of the limitations outlined previously: it can do highly accurate positioning, very fast updating, and supports other positioning systems.

The presenters have stated that their presentation should be available at the Swift-Nav site as soon as they have a chance to upload it.

I missed the “Not So Super Notes, How Well Does US Dollar Note Security Prevent Counterfeiting?” session simply because the clock got away from me. If I can find the presentation online, I will link to it.

I wasn’t able to get into the “How to Hack VMware vCenter Server in 60 Seconds” session for reasons of it being held in a room way too small for everyone who wanted to get in. This seems to be a version of the presentation from another conference. I’ve only given it a quick skim, but it looks very interesting indeed.

“Bypassing Endpoint Security for $20 or Less” wasn’t quite what I had expected, but it paid off. The basic idea behind this panel was that there’s an increasing emphasis on keeping people from walking out of the office with sensitive data on USB mass storage devices; some companies use software that allows only known and approved devices to connect over USB.

So how do you know if a device is known and approved? Much of the presentation dealt with specifics of how USB, and especially USB mass storage, works. The short answer is that everything depends on “endpoints” (which are sort of “virtual wires” for USB connections) and “descriptors” (which provide information about the device). USB devices identify themselves through a combined VID/PID (vendor ID and product ID) as part of the protocol, so if you can spoof the VID/PID, you can pretend to be an already authorized device.

Which is what the presenter’s hardware does, for less than $20. I haven’t found the presentation online, but the presenter swears the hardware schematics etc. will be available on github under “usb-impersonator” as soon as he gets around to updating the repository (which he promises will be real soon now).
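Added example, not from the presentation or from the usb-impersonator code: a parser for the standard 18-byte USB device descriptor, showing that an allowlist keyed only on VID/PID trusts two device-supplied fields, and that comparing the whole descriptor against the one recorded at enrollment can flag a mismatch. The descriptor bytes, `ALLOWLIST`, `vidpid_allowed` and `drift` are constructed for illustration; every descriptor field comes from the device, so the drift check is a detection aid and not authentication.

```python
import struct
from typing import NamedTuple

# Standard USB device descriptor: 18 bytes, little-endian.
_DESC = struct.Struct("<BBHBBBBHHHBBBB")


class DeviceDescriptor(NamedTuple):
    bLength: int
    bDescriptorType: int
    bcdUSB: int
    bDeviceClass: int
    bDeviceSubClass: int
    bDeviceProtocol: int
    bMaxPacketSize0: int
    idVendor: int            # the "VID"
    idProduct: int           # the "PID"
    bcdDevice: int
    iManufacturer: int       # string descriptor indexes (0 = none)
    iProduct: int
    iSerialNumber: int
    bNumConfigurations: int


def parse_device_descriptor(raw):
    """Decode the raw descriptor bytes a device returns during enumeration."""
    if len(raw) < _DESC.size:
        raise ValueError("short descriptor: %d bytes" % len(raw))
    d = DeviceDescriptor(*_DESC.unpack_from(raw))
    if d.bLength != 18 or d.bDescriptorType != 0x01:
        raise ValueError("not a device descriptor")
    return d


def vidpid_allowed(d, allowlist):
    """The weak policy: accept anything that reports an approved VID/PID."""
    return (d.idVendor, d.idProduct) in allowlist


def drift(enrolled, seen):
    """Names of descriptor fields that differ from the enrolled device."""
    return [f for f in DeviceDescriptor._fields
            if getattr(enrolled, f) != getattr(seen, f)]


# Constructed sample data (not captured from real hardware).
# Enrolled device: USB 2.0, VID 0x1234, PID 0x5678, with string descriptors.
ENROLLED = parse_device_descriptor(bytes.fromhex(
    "12 01 00 02 00 00 00 40 34 12 78 56 00 01 01 02 03 01"))
# A different device reporting the same VID/PID: USB 1.1, smaller
# control packet size, no manufacturer/product/serial strings.
LOOKALIKE = parse_device_descriptor(bytes.fromhex(
    "12 01 10 01 00 00 00 08 34 12 78 56 01 00 00 00 00 01"))

ALLOWLIST = {(0x1234, 0x5678)}   # hypothetical policy

if __name__ == "__main__":
    for name, dev in (("enrolled", ENROLLED), ("lookalike", LOOKALIKE)):
        print("%-9s VID:PID %04x:%04x allowed=%s drift=%s" % (
            name, dev.idVendor, dev.idProduct,
            vidpid_allowed(dev, ALLOWLIST), drift(ENROLLED, dev)))
```

Both devices pass the VID/PID check; only the full-descriptor comparison tells them apart.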

Edited to add 7/28: Two points in this presentation that I wanted to mention but forgot to last night.

  1. Windows doesn’t see anything but the first LUN on USB mass storage devices. So if you want to hide something on a flash drive from a Windows user, partitioning the drive is a good way of doing that.
  2. If you run modprobe usbmon (this may require running as root) and then fire up Wireshark, wonder of wonders, you get a whole bunch of USB bus devices available as Wireshark interfaces. This is something I want to play with more when I have time: I’ll probably post some Wireshark capture files showing what happens when a device is inserted.

Edited to add: Added link to Phil Polstra’s blog entry, which contains links to the slides and the code, 8/1/2012.

The last presentation I went to was “Safes and Containers – Insecurity Design Excellence”. This is one that’s already gotten a fair amount of attention: a friend of mine emailed me a link to this Forbes article by one of the presenters that neatly recaps the whole thing (including their videos).

Basically, many popular gun safes, especially ones made by the Stack-On corporation, are insecure and can be opened with paper clips, drinking straws, pieces of brass purchased at a hardware store…or by simply lifting up the safe and dropping it a few inches.

Why is this? The presenters argue that the people who make these safes don’t come from a culture that says to itself “Okay, I’ve built this safe. Now how can I bypass the mechanism and get in?” Quoting: “Engineers know how to make things work, but not how to break them.” Many of these safes are imported from China and are made as cheaply as possible, which complicates things even more.

There’s also an attitude of “my product meets the standards, so up yours”. The California Department of Justice has standards for gun safes, and these products all meet those standards. However, the CDOJ standards do not involve any kind of realistic tests of the product, such as turning it over to a five-year-old and telling him there’s candy inside.

My one issue with this presentation is that the authors seem to view gun safes as the most important part of protecting your kids from guns; thus they believe safes need to be stronger. I can agree with this, but as I see it, safes should be a last resort, not the primary means of protection. I grew up in a house with guns, and I was never tempted to mess with any of them because my parents raised me properly (and because I knew I’d be beaten bloody if I did mess with them). Age-appropriate training (such as the NRA’s “Eddie the Eagle” program) combined with appropriate physical security (what was that gun safe doing where a three-year-old had physical access to it, anyway?), combined with safes that actually do what they’re supposed to do, constitutes a layered defense, and one that works better than just relying on cheaply made Chinese junk.

And so to bed. I’m tired, and stuff hasn’t been working right all night. Project e just shut itself down in the middle of this post, the Kindle’s battery was deeply discharged and I had to wait for it, and dinner was not that great. (More about that later on.)

What. The. Frack?

Friday, July 27th, 2012

The Consumer Product Safety Commission is trying to ban Buckyballs? Because a bunch of stupid kids swallowed Buckyballs, a product that isn’t even marketed for children?

Screw those losers at the CPSC. I’m ordering a set for myself now, while I still can.

And what will Woot do, without Buckyballs to sell?

(As relevant now as it was twelve years ago.)

0-day DEFCON 20 notes.

Friday, July 27th, 2012

I got in line for my badge around 7:30 AM. Registration opened at 8 AM, according to the schedule.

I got my badge at 9:30 AM. I have no idea how many people were in line, but it was packed. We were told that folks started camping out for badges at 10:30 PM Wednesday night.

But, hey! I got mine!

After what was (in my opinion) last year’s badge fail, they went back to an electronic badge this year, still tied in to a “crypto-mystery” game, but at least the badge does something useful.

Or perhaps can do something useful, would be a better way of putting it. The designer calls it a “development platform”: there’s holes for I/O pins at the top, and we were issued VGA (1) and PS/2 connectors (2) with the badge to attach ourselves. And remember my inquiry a while back about microcontrollers? The badge CPU is a Parallax Propeller.

(I haven’t been able to get the badge and Project E talking yet. I suspect a bad or wrong USB cable.)

I hit two panels today. Worth noting is that today’s theme was “DEFCON 101”: there was only one programming track, and the theme of those items was more “introduction to” rather than “deep dive.”

DaKahuna’s “Wireless Security: Breaking Wireless Encryption Keys” wasn’t quite what I expected, in that he didn’t do a live demo. (Though he did suggest that there would be systems available for practice in the Wireless Village.) Rather, this was something of a “view from 10,000 feet” presentation, giving a basic introduction to hardware requirements and tools for attacking wireless keys, along with explanations of how WEP and WPA keys work, and where the vulnerabilities are. A lot of this stuff I already knew from my academic studies, but then again, I wasn’t the target audience here, and I did pick up a few tips.

The presenters for “Intro to Digital Forensics: Tools and Tactics” sold me in the first five minutes by pointing out that:

  • Not everyone knows everything.
  • It would behoove the community to stop acting like dicks when people ask reasonable questions, like “What switches should I use for NMap?”.

The presenters then proceeded to give example usages for what they considered to be the top five tools for testing and exploration:

  • The Metasploit framework, which they sadly ran out of time while discussing.
  • Ntop, the network traffic analyzer.
  • Nmap, for doing port scans and OS fingerprinting. For example:
    #nmap -v -sT -F -A -oG - 10.x.x.x/24
    What does this mean?
    -v turns on verbose mode
    -sT forces NMap to do a full TCP connection to each host
    -F enables fast scan mode
    -A tells NMap to do OS fingerprinting
    -oG tells NMap to output in a format grep can work with; it takes a file name, and “-” sends that output to standard output
    10.x.x.x/24 tells NMap the range of hosts to scan.
  • tcpdump, which captures packets on a given network interface.
    tcpdump -i eth1 -n -x
    -i specifies the interface
    -n turns off /etc/services translation, so instead of displaying the service name (ftp, telnet, etc.) it just shows the port number.
    -x dumps hex output to the screen
  • Netcat, which creates TCP sockets that can be used for communications between systems. But that’s a little misleading. Let’s say we have two systems, our localhost and a machine at 192.168.1.128. On the .128 machine, we run:
    nc -l -p 2800 -e cmd.exe
    -l tells netcat to listen for a connection
    -p tells netcat to listen for that connection on port 2800
    -e tells netcat to run a command when a connection is made on that port: in this case, netcat will run cmd.exe.
    On the local system:
    nc 192.168.1.128 2800
    which establishes a connection between our system and the remote system. The remote system will run cmd.exe, which (on a Windows system) should give us a command shell on the remote system that we can use from our localhost.

I took the rest of the day off to visit a couple of bookstores (both are still there, pretty much unchanged) and the Mob Museum.

My first thought was that $18 seems a bit stiff. Then again, the Atomic Testing Museum is $14, and the Mob Museum seems to have more people on staff, and may possibly be a little larger than the ATM. (I can’t tell for sure, but the Mob Museum basically has that entire building: all three floors.) ($5 for parking cheesed me off a bit, though.)

Anyway, while the Atomic Testing Museum is still my favorite Vegas museum, the Mob Museum is well worth visiting, especially if you have an interest in organized crime in the United States. (Not just in Vegas, though that is a key focus; the museum also talks about organized crime in other areas, including NYC and Cleveland.) There is a lot of emphasis on Estes Kefauver, perhaps just a little more than I thought was warranted. (I admit, I chuckled at the “Oscar Goodman” display.)

Two things that surprised me:

  1. The number of families with small children at the Mob Museum. Parents, would you take your kids to a museum devoted to organized crime? (There’s some pretty graphic stuff, but the Museum confines it all to one section, warns you before you enter the section, and gives you an option to skip past it.) (And I feel kind of hypocritical saying this: if my parents had taken me to the Mob Museum when I was, say, 10, wild horses couldn’t have dragged me out of there.)
  2. The popularity among small children of the firearms simulator. Kids were having a lot of fun pretending to be cops, running through various scenarios (like a domestic dispute) and busting caps in bad guys. (I didn’t tell any of the kids that, had they actually been out on the street, they’d be dead before they got their first shot off. Do I look like an asshole?)

Tomorrow is when things start for real. Look for an update, but probably late in the evening.

(Oh, I did want to mention Chad Everett’s death yesterday, but I was using the Kindle to blog, which was a pain, and things got kind of sideways leaving LAX and arriving in Vegas, so consider this your obit watch.)

Obit watch: July 25, 2012

Wednesday, July 25th, 2012

Sherman Hemsley.

This is for Lawrence and Andrew:

 

Hemsley, a former jazz keyboardist, was also a huge fan of prog-rock bands like Yes, Gong, and Nektar…and he even cut his own record with Yes frontman Jon Anderson in 1999 that, sadly, never saw release.

 

I have no joke here, I just like saying…

Tuesday, July 24th, 2012

…“smothering ocean of high-pressure meat”.

-1 day DEFCON 20 notes

Tuesday, July 24th, 2012

Lawrence observed yesterday:

Save a mention for the serial number hacking panel, I’m sort of surprised there seem to be no Apple products on any of the panels this year.

So this is interesting:

…Dallas De Atley, manager of Apple’s platform security team, is scheduled to give a presentation on key security technologies within iOS, the operating system for iPhones and iPads.

N.B.: This is at Black Hat, not DEFCON. For those who might be confused, I like Borepatch’s description of Black Hat as “more corporate and buttoned down”: basically, they are different conferences, but with considerable overlap. Looking further into the Black Hat schedule, though, it looks like De Atley’s presentation isn’t the only one on iOS security issues.

My understanding is that the organizers try to keep a certain level of separation between Black Hat and DEFCON: why pay $1,500 for Black Hat if all the panels are duplicated at DEFCON for less? Not that there aren’t panels common to both, but it seems that your presentation has to be pretty high quality, sensational, or both in order to get accepted to Black Hat and DEFCON.

Which in turn makes me wonder: given the popularity of iOS devices, did the organizers segregate all the Apple panels at Black Hat, in an attempt to give folks more of an incentive to attend?

I don’t know: this is all purely speculative, and there’s nothing wrong with it anyway. I’m just wondering…

Random notes: July 24, 2012.

Tuesday, July 24th, 2012

Obit watch: Sally Ride.

Previously noted, but bears repeating: The Lustgarten Foundation for pancreatic cancer research.

Noted without comment. (See also.) (See also.) (See also.)

Faced with a crippling combination of low revenues, high labor costs and decreasing funding from the state, El Monte is moving to declare a fiscal emergency and seek a tax on sugary beverages sold within the city.

More:

El Monte officials said they are not at the edge of bankruptcy but need the sugary drinks tax revenue as a protection against insolvency down the road.

I’m fascinated by the events in Anaheim, but I don’t know what to make of them right now. (More here.)

Art, damn it, art! watch (#31 in a series)

Tuesday, July 24th, 2012

This story has gotten a fair amount of attention elsewhere, but I want to highlight one aspect of it.

Ileana Sonnabend was a noted NYC art dealer who passed away in 2007. Her children inherited her art collection, which was valued at $1 billion. So far, her heirs have paid $471 million in estate taxes on the collection, selling off a large part of it to do so.

One of the pieces in the collection is a Robert Rauschenberg piece called “Canyon”.

Because the work, a sculptural combine, includes a stuffed bald eagle, a bird under federal protection, the heirs would be committing a felony if they ever tried to sell it. So their appraisers have valued the work at zero.

The IRS values “Canyon” at $65 million, and wants the family to pay $29.2 million in tax.

“The ruling about the eagle is not something the Art Advisory Panel considered,” [Stephanie] Barron [senior curator of 20th-century art at the Los Angeles County Museum of Art] said, adding that the work’s value is defined by its artistic worth. “It’s a stunning work of art and we all just cringed at the idea of saying that this had zero value. It just didn’t make any sense.”

But doesn’t the fact that the work can’t be sold make it of zero value anyway? Sort of by definition? And is Ms. Barron confusing aesthetic value with market value?

[Ralph E.] Lerner [lawyer for the heirs] said that since the children assert the Rauschenberg has no dollar value for estate purposes, they could not claim a charitable deduction by donating “Canyon” to a museum. If the I.R.S. were to prevail in its $65 million valuation, he said the heirs would still have to pay the $40.9 million in taxes and penalties regardless of a donation.

-2 Day DEFCON 20 notes.

Monday, July 23rd, 2012

The schedule for DEFCON 20 is up.

Lawrence reminded me on Saturday that I also had not solicited panel requests, so this is your pre-DEFCON 20 post.

I’m flying out Wednesday morning and getting to Las Vegas around 1 PM. I’m hoping to visit the Mob Museum (just because it is new since my last visit, and I haven’t seen it) and to make a return trip to the two bookstores I visited last year. Lotus of Siam is also required.

There is some stuff going on at DEFCON on Thursday:

Here’s what I’m interested in on Friday:

Saturday, we have a possible tie for this year’s “Hippie, PLEASE” panel:

I shan’t be attending either. The Saturday panels I am interested in:

Sunday! Sunday! Sunday! Live at DEFCON 20! Nitro-burning FUNNY CARS!

So that’s that. If anyone has any specific panel requests after looking over the posted schedule, let me know (by email or in the comments), and I’ll try to hit those events. Also, if anyone has any recommendations for new, cool, or interesting places to eat in Vegas, feel free to leave those in comments.

(Edited to add: It’s a Borepatch-o-lanche! Thank you, brother man!)

We can’t make doughnut jokes any more.

Thursday, July 19th, 2012

But we can make burrito jokes. TJIC, call your office, please.

One of the surest places to find a police officer in downtown Brooklyn, other than the 84th Precinct station house, is the Chipotle Mexican Grill restaurant on Montague Street.

The popularity of this Chipotle among the NYPD might – just might – have something to do with the 50% discount they give to uniformed officers. Of course, accepting this discount violates NYPD policy, or so the department says. However, offering the discount does not violate Chipotle’s policy, according to a spokesman for the chain.

Quote of the day.

Thursday, July 19th, 2012

From the comments thread on this article:

I’d MUCH rather have a brony watching my six than someone who was self-absorbed and thinking of little more than his image. Someone saying openly “I like this show” has conquered a fear of rejection and has faced down a few inner demons. Someone criticizing that person lacks courage, is pretty much guaranteed to have medical-grade skeletons in his closet, and is therefore a prime candidate for desertion under fire or is blackmail fodder.

(Hattip: Erin Palette at Lurking Rhythmically.)

I want my two dollars!

Thursday, July 19th, 2012

Back in 2008, Austin Energy (the city’s electric utility) made a deal with Nacogdoches Power LLC to purchase the entire output of a proposed new power plant. The key here was that the new power plant would produce electricity from burning “wood waste”, a renewable resource, and thus would avoid potential federal taxes on carbon-based fuels.

This was not a popular decision at the time. Even the local environmental activists were opposed to the plant. Many people felt the city wasn’t releasing all the relevant information and was rushing into the deal.

The plant went live yesterday.

The privately owned plant will sell $2 billion worth of electricity to Austin Energy for the next 20 years at a price well above the going rate for competing power sources. It will add $1.94 to the average home’s monthly bill of about $100, according to Austin Energy estimates.

More:

But when the deal was unveiled publicly, open-government activists said the city was not releasing relevant details, such as the cost. It was later revealed to be a little more than 9 cents per kilowatt-hour to start, then gradually increasing to around 16 cents per kilowatt-hour. The average is about 15 cents per kilowatt-hour over the life of the contract.
That is well above the current cost of natural gas and wind, and probably above what the utility would have paid for a proposed nuclear plant expansion that city leaders repeatedly turned down.

Austin Energy is currently paying “a little more than” 4 cents a kilowatt hour for “coastal wind” power. If I’m reading the article correctly, natural gas is running at about 2 cents per kilowatt hour.

Sometimes, the questions are hard.

Thursday, July 19th, 2012

And sometimes there’s not an easy answer.

What is justice?

What is redemption? How do we decide when a person is redeemed? Are there crimes that are beyond redemption?

What is the purpose of prison? What should our goals be when we lock people up? Protection of society? Punishment? Reform?

How should we treat young people who commit horrible crimes? Do we lock them away for life? Do we give them a chance to reform? What if we’re wrong, and reform doesn’t take?

Greg Ousley is serving a 60 year sentence in the Indiana prison system. He’s been there since 1994. In that time, he’s earned a degree in liberal arts from Indiana State (summa cum laude, no less). The corrections staff at his prison apparently thinks the world of Mr. Ousley.

His former work supervisor, Cindy Estes, was more explicit. “This kid has jumped through every hoop the state has put in front of him,” she told me. “He deserves to come out. There’s absolutely nothing to be gained by keeping him in there for another 10 years.”

He’ll be eligible for parole in March of 2019, unless a judge agrees to modify his sentence.

What did Mr. Ousley do? At the age of 14, he shotgunned his parents to death.

I don’t know what to do with Mr. Ousley. I don’t claim to know whether he’s reformed enough that he deserves to be let out. I don’t have answers to those questions. The only thing I have is the knowledge that I’m glad I don’t work in the justice system, because I don’t have those answers.

What the frack is wrong with you people?

Wednesday, July 18th, 2012

Not “you people” as in my regular readers. I’m sure you’re all tall, strong, above average in IQ, and every one of your bodily functions smells like a vanilla Glade plug-in.

No, I’m talking about the rest of the Internet who doesn’t read my blog and seems to be overrun with a massive sense of entitlement.

Item 1: The existence of the GR Bullies site. “GR Bullies” is apparently a website devoted to combating “bullying” on the GoodReads website (for values of “bullying” that seem to include posting negative reviews) by…acting like misogynistic bullies themselves. Good plan, guys; I’m sure Big Fred Nietzsche would approve. Or maybe not. I commend to your attention the take of John Scalzi, an actual professional writer who gets bad reviews from time to time, on this subject. (I also recommend reading the other three writers Scalzi links.)

Item 2: The existence of ChickLitGirls, a site that takes money for reviews, only posts positive reviews, and, when it is politely suggested that their pay-for-review policy may not be 100% clear, issues bumptious lawsuit threats.

(“bumptious”. Such a great word. I need to work that into my vocabulary, along with “gargantuan”.)

Item 3: “How dare you think Dark Knight Rises isn’t the greatest thing since the invention of fire?”

Item 4: “…those like my son who have disabilities have the right to live life with access to everything people who aren’t handicapped do.” So, therefore, Netflix is obligated to closed-caption streaming video. And, no, providing closed-captioned DVDs isn’t good enough. I am so sick and tired of hearing people like Ellen Seidman talk about “rights” without making a distinction between liberty rights and claim rights.

There are some things that should require accommodation; for example, access to governmental services. And it may be good business for Netflix to make this kind of accommodation. Right now, Netflix feels that it isn’t. (As other people have pointed out, Netflix gets the material it uses for streaming from studios, that material probably does not have closed captions, and the studios would be rightfully upset if Netflix started altering their property.) If you want to prove to Netflix that they’re wrong, don’t use the service, or start your own competing service with closed captions. If Netflix loses enough business, they’ll change their mind. But you don’t have a right to closed captioned streaming video, or, for that matter, to “access to everything people who aren’t handicapped do”. Down this path lies madness: should we build a wheelchair ramp to the top of Half Dome?

[Edited to add: Hattip on item 4 to Walter Olson at Overlawyered.]

Banana republicans watch: July 18, 2012.

Wednesday, July 18th, 2012

Joe Wolfe has either resigned or been fired from the Fullerton, CA police department. Former Officer Wolfe was involved in the (warning!) Kelly Thomas beating death (as always, graphic image warning at that link), but has not yet been charged with a crime.

Add Compton to the bankruptcy watch. With a $42 million deficit, I doubt even a tax on rap groups with platinum records will help.

…the city has consistently fallen behind on payments to vendors, including its sheriff’s contract.

Remember when Compton was talking about reopening the Compton PD and spent $1 million on “equipment” before giving up? Good times, good times.

More recently, the city’s independent audit firm refused to sign off on the annual financial statements and quit, after Mayor Eric Perrodin wrote a letter to the state controller’s office alleging fraud might have contributed to the city’s financial issues and asking for an audit.

I’ve avoided blogging this next story because I felt like there was a limit to what my readers (many thanks to both of you) would put up with. Surprisingly to me, though, these banana republican updates have been among the most popular recent posts on my blog. You put up something thoughtful and original, and it gets ignored, but people seem to love California political corruption.

Anyway, there’s an ongoing case involving the Los Angeles Memorial Coliseum and accusations of bribes and kickbacks. The Coliseum is nearly broke, and USC is in talks to take it over.

A bunch of people have been indicted in the case. Former “general manager” Patrick Lynch has already pled to conflict of interest charges and agreed to repay $385,000 he got from a man named Tony Estrada.

Estrada is a former contractor with the Coliseum, and has been charged with “embezzlement and conspiracy”. Estrada is also a fugitive from justice.

Today’s LAT has an interview with the fugitive Mr. Estrada.

Tony Estrada, rocking the ski mask.

No joke. Mr. Estrada claims to be “somewhere in South America”; the interviews that make up the story were conducted by telephone and over Skype. (It is unclear to me how the LAT verified that the man in the mask was actually Estrada.)

And:

Estrada regards himself as a whistle-blower — and some Coliseum officials described him that way in the past — because he came forward to tell a government lawyer and an outside investigator about alleged kickbacks he paid to former stadium General Manager Patrick Lynch and about other purported misconduct by stadium employees. Those payments are the basis of the charges against Estrada, who said Lynch pressured him for money as a condition of keeping his janitorial contract.

This just in: our old friend Cudahy City Councilman Osvaldo Conde (of the bimbo and the badge) has agreed to plead guilty to extortion and bribery. Actually, make that former city councilman: Conde resigned yesterday.

Conde is the last of the three indicted city officials (the others being former Mayor David Silva and former code enforcement head Angel Perales) to take a plea in the case.

Guns, guns, guns!

Wednesday, July 18th, 2012

(This is also partially an Olympic watch.)

We’re the only ones professional enough…to shoot ourselves while cleaning our weapons.

The HouChron has a nice profile of Sergeant Glenn Eller, of the Army Marksmanship Unit. Sgt. Eller is competing in the shotgun double trap competition in the London Olympics. This is his fourth time at the rodeo; he won a gold medal in double trap in 2008. And he’s had an interesting time of it:

  • In 2000, he got food poisoning from “an Australian ham salad sandwich” and finished 12th.
  • In 2004, he finished 17th “after being informed before the competition of what proved to be a false positive drug test”.
  • He won the gold medal in 2008, but the shotgun he used was stolen in 2011 while he was on his way to another competition. It took him a while to get used to the replacement gun, and he “…lost the automatic U.S. slot in double trap to his Army teammate, Staff Sgt. Josh Richmond, but won a place on the team when a second berth for the London Games opened up this spring.”

Worth noting:

Richmond, in turn, has picked up a few things that should contribute to a steady hand in London. After clinching the Olympic berth last year, he served three months in Afghanistan, instructing Afghan soldiers.
Eller said he requested to serve as well but was told it would interfere with his competition and training schedule; like the other members of the marksmanship unit, he spends about 200 nights each year on the road for exhibitions and instructional events.
“I would have loved to go over there and help train people how to defend themselves in their own country,” Eller said. “It gives you pride to be able to do that. Sgt. Richmond is going in the same year from a combat zone to an Olympic Games.”

You know, I like these AMU guys. It’d be fun to meet some of them and hang out. I wonder if the AMU will have a presence at next year’s NRA meeting?

(Joy! Also speaking of the AMU, Amazon says my copy of US Military Match and Marksmanship Automatic Pistols has been delivered!)

Banana republicans watch: July 17, 2012.

Tuesday, July 17th, 2012

Today’s tale is brought to you by the town of San Fernando, where voters are trying to recall three of the city council members.

Fiscal irresponsibility? Criminal acts? Election fraud? No. The oldest motivation in the world.

Councilman Mario Hernandez, who has already resigned (but is still up for recall), was carrying on an affair with Councilwoman Maribel de la Torre. For some reason, he decided back in November to announce this. At a council meeting. In public. With his wife sitting in the front row.

Since then, the relationship has deteriorated, to the point where police were called on June 28th; both parties have restraining orders against each other. Hernandez has asked the DA to drop the domestic violence charges against de la Torre: as you might know from watching “COPS”, or living in California, this decision isn’t up to the alleged victim, and the DA’s office states they will pursue charges if the evidence warrants.

More:

If prosecutors refuse to dismiss the case, Hernandez has agreed to testify that police officers persuaded him to pursue the report and get a restraining order.

Former councilman Hernandez may want to be very careful about that. I believe California still has laws against perjury.

Anyway, that’s two down. Number three on the recall parade is the Mayor, Brenda Esqueda, who is accused of having an affair with a sergeant on the police force.

In a memo last year, a police commander claimed he was prevented from placing the sergeant on leave by Esqueda and Hernandez. She told reporters this week, “We might be elected officials, but we still are human beings.”

I’ll have to try the “still are human beings” excuse sometime and see how it works out.