Defcon 16's badges

Last year had some strange badges at Defcon, but they were fun. This year, they're even more full of technology (mini sd card reader, infrared stuff, and what looks like a usb mount point) and much less fun.

Although it is foolish for me to think another conference badge could be as awesome as the Shmoocon 2007 badge, I think it's safe to conclude that Defcon's badges have jumped the shark, because this year's badges are kind of stupid.

Defcon 16, this weekend.

Another year, another Defcon.

I'm heading up a day early for my bachelor party (woo!) and then it'll be the Con all weekend. If you're going, email me and let me know where you are.

I'm eager to watch Kaminsky talk about how awesome he is for [insert reason]. He's deliciously full of himself (not that he doesn't release interesting things). Lots of other talks look interesting, so it should be a good weekend full of booze and geeking.

Defcon 15 in review

This year's Defcon was similar to last year's. It was at the Riviera again, the Black and White Ball was split across two nights, a few amazingly lame talks were given, along with some cool ones, and as always Dan Kaminsky's talk was entertaining.

I'm no Vegas expert, but the Riviera casino/hotel is the *worst* casino in town. I had many conversations with fellow attendees reminiscing about how much we missed the Alexis Park. Finding parties at the Alexis was cake - walk outside, follow the people and noise. Parties were everywhere. There were also 3 outdoor pool areas which collected people, booze, and music each night. The only downside to the Alexis Park was that its conference areas were too small and too few. This downside was mitigated by three closed-circuit TV channels broadcasting the talks live, viewable on any hotel room's TV. Watch the talks from your room? Awesome. For parties and community, the Alexis Park ruled. For more plentiful conference space, the Riviera is better. It's a shame we (Defcon) outgrew the Alexis Park.

The Riviera is a giant, old, dirty resort casino. The rooms are not great, the casino smells bad, and the food is horrible. Basically, I can't say much nice about the place other than it does have large quantities of conference space. The casino staff were generally nice folks, but I don't gamble so I didn't interact with them much. Their concierge desk is horrible. Every time I asked where I might find a particular place (pizza, sushi, flare bar, etc) that was not inside the Riviera, they had no answers.

I went to my usual (read: small) number of talks this year. I missed a few that were titled in such a way as to disinterest me that I later found out covered some cool material. Bruce Potter's talk was overflowing with people, so some of us had to leave - sad. If you have his talk on video, please send me a url :)

There were thousands of scene whores at defcon this year. We were drowning in them. So much so, perhaps, that some 0x90 folks made these shirts which showed up during the I/O Active party (which was awesome, btw).

I also found that there were so many super paranoid people at Defcon. Mostly scene whores who really have no idea what a computer is or what security is about. Too many eavesdropped conversations where people said "I'm not turning on wireless! I have too much important stuff on my laptop that I can't allow to get out!" Are they that worried about being exploited? Probably. Do they really have shit worth protecting on their laptops? Probably not. One of these people was a student at UCSD and he talked shit about his friends' computer knowledge constantly while his friends were supposedly writing tetris for the defcon badges.

If you have a clue and have something on your laptop worth protecting so much so you physically turn off wifi, then you don't bring it to defcon. Clearly these people haven't got a clue and are just whoring up the scene. [*]

[*] One exception is reporters and other press types, who I won't require to have security or computer clue. Of the people I overheard freaking out about wireless, all of them were normal attendees, not press.

I flew into SFO on Monday morning. Wendy was due to land in a few hours, so I sat at the airport so we could go home together. After signing on for wireless, I remembered a project I've been meaning to do for a while - masquerade as a known-valid MAC and IP combination to bypass captive portals. It's easy to do, but I wanted it automated. Now I have a script. I'll post more on this later, but the typical configuration of "captive-portal authentication == your mac+ip is allowed through the firewall" is not a good way to run your pay-for wireless network.

One final notable event is that we took a limo ride to In-n-Out again this year.

I went to more than the talks listed below, but they weren't worth commenting on or I don't remember them.

    Mike Schrenk - "The Executable Image Exploit"
    Before going, I thought this talk was going to be on a new twist to recent image library exploits. It wasn't. His <sarcasm>amazing</sarcasm> content covered something known for years, that hot-linked images (wikipedia calls them deep links), could be used to track users or reveal information by tracking the referrer url or *gasp* setting a cookie!

    Mike also talked about using php to serve images and that you can set cookies using php, but myspace filters images ending with '.php' apparently. His workaround was to tell apache to process .jpg files as php, and he presented this as if he was breaking some kind of new ground and that this was the coolest thing ever: "You can fool apache into running php code on jpegs!" Clearly by "fool" we really mean "configure the same way you do with .php except you put .jpg". Who's fooling who? ;)

    Around this time I was realizing that by "executable image" he really meant that he was executing php code on his own server whenever someone requested an image, again, from his server. This would have been a good presentation for 1998, perhaps, not 2007.

    Zac Franken - Biometrics and Token access control systems
    This talk was great. My knowledge of rfid, biometrics, and other physical access token systems is limited and this talk gave me lots of good information. Furthermore, Zac gave a live demo that worked well. The tool he made, which he called "Gecko", was really neat. Practical and cheap.

    A short summary is that he was performing MITM on physical access systems. As it turned out, most centralized security systems (biometrics, rfid locks, etc) all talk the same protocol to the central authorization server. Gecko simply man-in-the-middles these transactions. MITM is not new, but this application was pretty neat and the small size of his prototype made this kind of physical hacking practical.

    He gave a live demo, which went smoothly, using a few RFID badges. Being minimalist, the interface to his Gecko tool once it was installed was via standard badges. He had made special "control" badges that the Gecko tool understood to be commands such as a replay command, which would replay a previously-intercepted, known-valid, badge read to the server.

    He also talked about future versions of Gecko which might include bluetooth or GSM, which would let you access the reader device from far away. Very neat.

    Dan Kaminsky - Design Reviewing the Web
    Oh Dan. I love you. I went to Dan's talk last year and saw the same attributes this year. His talk covered some interesting things, but he's so full of himself. Watching him talk makes it seem like he is the security industry. One person only, not the thousands of security professionals and underground hackers around the world. Just Dan.

    He did demo his hack of SLIRP over the web browser (flash+http) which was pretty neat, though. Tunneling traffic through the browser into your network. He also ported his dotplot thing from last year to winamp for fun and profit, which wasn't very impressive but made for a good screensaver.

    Jesse D'Aguanno - Arp Reloaded
    Jesse's description of this talk was that it would "build on the previous research in this field and introduce new, more reliable attacks against the ARP protocol which are much less identifiable and able to protect against."

    He lied.

    He covered exactly what is already known, and nothing more. Like Mike's talk above, this talk would belong in 1995, or earlier, not 2007. Who's reviewing these talk submissions?

    It is almost like Jesse lives in a black box. Not only did he cover decades-old exploits, he reinvented the wheel. There are many many tools that will let you easily craft packets and dump them on the network. Netwox, nemesis, and scapy are just 3 I can name off the top of my head. Ignoring the years of developing packet crafting tools, he wrote his own crappy tool to dump crafted arp packets onto the network which he calls "arpcraft" which does exactly the same thing as netwox, nemesis, and scapy, in more or less the same amount of typing. Weak sauce. I call shenanigans.

    This lame presentation is from the same person who made headlines about his blackberry hackery last year. Was this blackberry research really his own work, or is he just a front for someone else's work?

    He also demoed a remote shell tool using arp. Seems useless to me since arp only goes over layer 2 and won't leave the local layer 2 network. Wxs joked that you would be better off beating the owner of your exploit target machine with a bat to wrest the password out of him than using a remote shell via arp, since layer 2 means your target is almost guaranteed to be physically close.

    David Gustin - Hardware Hacking for Software Geeks
    The title of this talk grabbed me immediately. The content was great!

    Unfortunately, early in the talk, the speakers mentioned that was a great howto site. I spent the rest of the talk reading tutorials on that website. Oops.

Overriding shared library functions

Long story short...

File: 'connect.over' contains

#include <netinet/in.h>

override(`connect', `
    // code to inject before the connect() call is actually made
Output is '' which overrides libc's connect function.
% LD_PRELOAD=./ nc 80
stream connect: fd=3 host=
% LD_PRELOAD=./ nc -u 53 
dgram connect: fd=3 host=
% LD_PRELOAD=./ ssh scorn           
stream connect: fd=3 host=
stream connect: fd=4 host=
scorn(~) %
The output by nc was due to my function above outputting this.

The strange ssh connection on fd=4 above is seemingly due to ssh calling connect() on a tty? fstat says:

jls      ssh         3221    4 /dev        122 crw--w----   ttypd rw
inode 122 on /dev is /dev/ttypd.
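For comparison, here is an added example (my own plain C, not the post's override tool or its connect.over file) of an LD_PRELOAD shim that produces the same kind of "stream connect: fd=3 host=" lines by interposing connect() with dlsym(RTLD_NEXT); the exact line format, the getsockopt(SO_TYPE) check and the handling of non-IP address families are choices made here, not taken from the post.

```c
/* Added example (not the post's own override tool): an LD_PRELOAD shim that
 * logs every connect().  Build: gcc -shared -fPIC -o connect_log.so connect_log.c -ldl */
#define _GNU_SOURCE            /* for RTLD_NEXT: "the connect() after this one" */
#include <arpa/inet.h>
#include <dlfcn.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
typedef int (*connect_fn)(int, const struct sockaddr *, socklen_t);

/* Render the log line ("stream connect: fd=3 host=192.0.2.10:80").  Kept free
 * of I/O and networking so it can be unit-tested with a constructed sockaddr. */
int format_connect_line(int fd, int socktype, const struct sockaddr *addr,
                        char *out, size_t outlen)
{
    const char *kind = socktype == SOCK_STREAM ? "stream"
                     : socktype == SOCK_DGRAM  ? "dgram" : "other";
    char host[INET6_ADDRSTRLEN];
    switch (addr->sa_family) {
    case AF_INET: {
        const struct sockaddr_in *in = (const struct sockaddr_in *)addr;
        inet_ntop(AF_INET, &in->sin_addr, host, sizeof host);
        return snprintf(out, outlen, "%s connect: fd=%d host=%s:%u",
                        kind, fd, host, (unsigned)ntohs(in->sin_port));
    }
    case AF_INET6: {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)addr;
        inet_ntop(AF_INET6, &in6->sin6_addr, host, sizeof host);
        return snprintf(out, outlen, "%s connect: fd=%d host=[%s]:%u",
                        kind, fd, host, (unsigned)ntohs(in6->sin6_port));
    }
    default:  /* not an IP peer: name the family rather than print an empty host= */
        return snprintf(out, outlen, "%s connect: fd=%d family=%d (not an IP socket)",
                        kind, fd, addr->sa_family);
    }
}

/* The interposed connect(): log the call, then forward to libc's real connect().
 * If fd is not a socket, getsockopt() fails and the kind is reported as "other". */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    static connect_fn real_connect;
    int type = -1; socklen_t tlen = sizeof type;
    char line[256];
    if (!real_connect)
        real_connect = (connect_fn)dlsym(RTLD_NEXT, "connect");
    getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &tlen);
    format_connect_line(fd, type, addr, line, sizeof line);
    fprintf(stderr, "%s\n", line);
    return real_connect(fd, addr, len);
}
```

The line is written before the real connect() runs, so failed and refused connections are logged too; check the return value if only successful ones matter. Statically linked binaries and programs that call the connect syscall directly bypass LD_PRELOAD entirely.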

CiscoGate and DefCon

The 'CiscoGate' talk just wrapped up.

I was at Defcon 13 when the Cisco/ISS fiasco was going on, but all I had heard was rumors and gossip about what was going on. The talk had some really good content and filled in lots of gaps in information for me. Interesting to see how insane the problem (dealing with Cisco/ISS/FBI/etc) was and that it took 5 months after the event until the problem was fully resolved (the data was finally cleaned up to Cisco's satisfaction).

I tried to attend Bruce Potter's talk but it seems his popularity is too much as a speaker, and we got booted out because there were too many people. Guess I'll have to wait for the video.

I've also been working on some new shared library overriding code that I'll get around to describing later.

Defcon 15, this weekend.

I'll be making my yearly trek to Vegas for Defcon 15. If you're going, and want to meet up, let me know :)