During the DEF CON 26 DC101 Panel, someone (probably highwiz) asked one of the n00bs they brought on-stage, "What makes you a hacker?" In the past, it has been used by bad actors as an aggressive question. Thoughtful types and artists have used it as a prompt. But here it was dripping with curiosity. "Why do you go to DEF CON?"
I'm more than a year out from a move that took me far from my hometown of Las Vegas to an adventure into the Pacific Northwest. Budgets, family and time being what they are, I too had to ask myself, "What makes you a hacker? Why should you go to DEF CON, again?" Obviously, moving two states makes it harder to go. Plane tickets are cheap enough in cattle-class, and I'm lucky to have family and friends in town on whom I can rely for lodging. But family illness and obligation are also considerations, and this feeling in the pit of my stomach topped it all off: the idea that I no longer belonged.
Ironically, this security-focused community is affected by deep insecurities. Concerns of legitimacy, competence, and belonging haunt us collectively, as do public examples of snake oil, burnout, and depression. Discussions of Impostor Syndrome are almost cliche in their frequency. As is the mouth-agape disbelief following one of our rock stars admitting they second-guess themselves. This loose band of social misfits and punks emerged from our cocoon of BBSes and IRC to be famously dysfunctional. We have had to exorcise #MeToo demons, and our unhealthy relationship with alcohol keeps many away for fear of their own safety. As a late-comer to DEF CON, I have not been personally affected by loss of friends in the community, but there's a reason Amber Baldet gave a talk on Suicide Interventions at DC21. Hackers in my cohort are maturing as well. Some of us are on our third career since the demoscene, and it has veered wildly away from any Information Security role. There has to be something that keeps us coming back to the desert in August. It sure ain't the unmistakable fragrance of Sunday morning talks.
It is a bit of a balancing act to maintain a conference that keeps drawing more and more people. As of this writing, DC28 is scheduled to use almost 400,000 sq. ft. of conference space in a brand new facility. Almost 30 villages with both broad and niche topics have formed, and each is a mini-con in and of itself. Along with this widening scope, there were public and repeated attempts by The Dark Tangent to reestablish DEF CON as a Hacker event and set it apart from the Information Security industry where so many of its attendees find employment. In the past, DT has publicly disinvited the Feds, and the run-up to DC27 saw another public clarification that while individual villages arrange their own sponsorship, DEF CON maintains no corporate sponsors. You can see the push and pull of "What makes you a hacker?" at the highest levels.
And so we approach a new year and a new DEF CON. Since DC19, I've grown with the conference. I started managing Toxic BBQ with the help of friends and this will be our fifth consecutive kick-off barbecue. People just show up to create an inviting space from scratch for anyone that can find it. I won a Black Badge with my son at DC26 by solving crypto puzzles and have tried to contribute in equal measure since then. And yet there's this nagging feeling...
Ultimately, I've decided the gate-keeping question is not an important one to answer. What I give to and get from DEF CON keeps me going. It comes down to a desire to think things I have never thought before. I may not be able to show off like some, but I can gawk with the best of them at the Hacker Carnival. DC28's theme, Discovery!, is right out of my high school years when the internet promised the sum-total of human knowledge at our fingertips and all that we could do once those barriers dropped. Maybe we can celebrate by shedding our insecurities. Just for the weekend.
Plenty has gone on in the past year. Here's a quick rundown:
- Learned how to quilt. 104 patches from my tour-guiding days on a lap quilt.
- Learned how to Black Badge at DEF CON 26. Shout out to my fellow Murder Hobos, PunkAB, and the entire Dungeons@DEFCON team for this kick-ass experience.
- Learned how to move across country through forest fires and with cats
- Learned how to survive a leg infection possibly from a cat scratch (not pictured; it was pretty gnarly)
- Learned how to not buy board games. I finished a 10x10 (play ten games ten times or more) without buying any new games in between. Moving thinned the collection, but it still takes up an entire linen closet.
A friend returned from San Diego Comic Con 2018 with an RFID bracelet used to track users in the Amazon Fire TV experience (on Twitter, #FireTVSDCC). This is a teardown of the bracelet after the event. At this time, I was unable to read from the bracelet.
The bracelet is fairly simple with a cloth band and plastic/paper tab threaded through. The closure is plastic and one-way. It bites into and mangles the cloth band if you attempt to remove it, but you could probably shim it with tools and practice. Might be a fun thing for the Tamper Evident Village if it turned out events were trying to use this for access control like plastic self-destructing wristbands.
The back contains a serial number. I would like to see if this serial number would match the data read off the tag.
Separating the badge by prying the halves apart, I spot the prize: an adhesive RFID tag placed between the glossy plastic covers. It appears to have a model number of "CXJ-040" in the center of the tag. It uses a circular antenna. CXJ is the initials of Shenzhen manufacturer Chuangxinjia. Their product pages show many similar wristbands in a few different frequencies.
The tag didn't respond to my Android phone, so it is not a Mifare or similar. Hopefully I can find a reader at the local Hackerspace or DEF CON 26.
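A caveat worth keeping in mind while hunting for a reader: a phone's NFC stack only polls the 13.56 MHz tag types (ISO 14443-A/B, FeliCa, ISO 15693), so a wristband built on a 125 kHz chip, which this manufacturer also sells, is simply invisible to it rather than "not MIFARE". Once a 13.56 MHz reader such as a PN532 or Proxmark does get an answer, the two bytes that tell you which chip family you are holding are the ATQA and SAK from the anticollision exchange. The decoder below is an added example written for this post, not code from the original article or from the manufacturer; the ATQA/SAK bit meanings follow ISO/IEC 14443-3 and NXP's AN10833, and the sample values in main() are constructed, typical replies, not data read from this bracelet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded reply to a 13.56 MHz ISO/IEC 14443-A poll (REQA -> ATQA, SELECT -> SAK).
 * Bit positions follow ISO/IEC 14443-3 and NXP AN10833; the family name is a
 * best-effort guess, which is all SAK can give you before reading the tag. */
typedef struct {
    int uid_len;        /* 4, 7 or 10 bytes, from ATQA bits b8:b7 (0 = reserved) */
    int iso14443_4;     /* SAK bit 6 (0x20): tag speaks ISO/IEC 14443-4 (T=CL) */
    int uid_incomplete; /* SAK bit 3 (0x04): another anticollision cascade needed */
    const char *family; /* chip family guess */
} tag_info;

/* ATQA is taken as the 16-bit value a reader prints, e.g. 0x0044; bits b8:b7 of
 * the low byte encode the UID size. */
static int uid_len_from_atqa(uint16_t atqa) {
    switch ((atqa >> 6) & 0x03) {
    case 0:  return 4;   /* single size UID */
    case 1:  return 7;   /* double size UID */
    case 2:  return 10;  /* triple size UID */
    default: return 0;   /* reserved */
    }
}

tag_info classify_14443a(uint16_t atqa, uint8_t sak) {
    tag_info t;
    t.uid_len = uid_len_from_atqa(atqa);
    t.iso14443_4 = (sak & 0x20) != 0;
    t.uid_incomplete = (sak & 0x04) != 0;

    if (t.uid_incomplete) {
        /* Not a final SAK: select the next cascade level before classifying. */
        t.family = "incomplete UID, continue anticollision";
        return t;
    }
    switch (sak) {
    case 0x00: t.family = "MIFARE Ultralight / NTAG (ISO 14443-3 only)"; break;
    case 0x08: t.family = "MIFARE Classic 1K (or Plus in security level 1)"; break;
    case 0x09: t.family = "MIFARE Mini"; break;
    case 0x18: t.family = "MIFARE Classic 4K (or Plus in security level 1)"; break;
    case 0x20: t.family = "ISO 14443-4 card (DESFire, Plus SL3, JavaCard, ...)"; break;
    case 0x28: t.family = "ISO 14443-4 card emulating MIFARE Classic 1K"; break;
    case 0x38: t.family = "ISO 14443-4 card emulating MIFARE Classic 4K"; break;
    default:   t.family = t.iso14443_4 ? "unknown ISO 14443-4 card"
                                       : "unknown ISO 14443-3 tag"; break;
    }
    return t;
}

int main(void) {
    /* Constructed sample replies, not values read from the bracelet. */
    struct { uint16_t atqa; uint8_t sak; const char *label; } samples[] = {
        { 0x0044, 0x00, "typical Ultralight" },
        { 0x0004, 0x08, "typical Classic 1K" },
        { 0x0344, 0x20, "typical DESFire" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        tag_info t = classify_14443a(samples[i].atqa, samples[i].sak);
        printf("%-18s ATQA %04x SAK %02x -> %d-byte UID, T=CL %d, %s\n",
               samples[i].label, samples[i].atqa, samples[i].sak,
               t.uid_len, t.iso14443_4, t.family);
    }
    return 0;
}
```

The UID length cross-check matters more than it looks: a tag that reports a 7-byte UID in ATQA but an SAK of 0x08 is not the plain Classic 1K the SAK table suggests, and the serial printed on the back of the tab can then be compared against whatever UID the reader returns.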
Above is Dan Kaminsky's keynote at the inaugural DEF CON China. It was nominally about Spectre and Meltdown, and I thought it was immediately applicable to testing at all levels. Here are some moments that jumped out at me:
On Context:
"There's a problem where we talk about hacking in terms of only software...What does hacking look like when it has nothing to do with software." 1:55
"But let's keep digging." Throughout, but especially 5:40
"Actual physics encourages 60 frames per second. I did not expect to find anything close to this when I started digging into the number 60...This might be correct, this might not be. And that is a part of hacking too." 6:10
"Stay intellectually honest as go through these deep dives. Understand really you are operating from ignorance. That's actually your strong point. You don't know why the thing is doing what it is doing...Have some humility as you explore, but also explore." 7:40
"We really really do not like having microprocessor flaws...and so we make sure where the right bits come in, the right bits come out. Time has not been part of the equation...Security [re: Specter/Meltdown] has been made to depend on an undefined element. Context matters." 15:00
"Are two computers doing the same thing?...There is not a right answer to that. There is no one context. A huge amount of what we do in hacking...is we play contexts of one another." 17:50
[Re: Spectre and Meltdown] "These attackers changed time which in this context is not defined to exist...Fast and slow...means nothing to the chip but it means everything to the users, to the administrators, to the security models..." 21:00
"Look for things people think don't matter. Look for the flawed assumptions...between how people think the system works and how it actually does." 35:00
"People think bug finding is purely a technical task. It is not because you are playing with people's assumptions...Understand the source and you'll find the destination." 37:05
"Our hardest problems in Security require alignment between how we build systems, and how we verify them. And our best solutions in technology require understanding the past, how we got here." 59:50
On Faulty Assumptions:
"[Example of clocks running slow because power was not 60Hz] You could get cheap, and just use whatever is coming out of the wall, and assume it will never change. Just because you can doesn't mean you should...We'll just get it from the upstream." 4:15
"[Re: Spectre and Meltdown] We turned a stability boundary into a security boundary and hoped it would work. Spoiler alert: it did not work." 18:40
"We hope the design of our interesting architectures mean when we switch from one context to another, nothing is left over...[but] if you want two security domains, get two computers. You can do that. Computers are small now. [Extensive geeking out about tiny computers]" 23:10
"[RIM] made a really compelling argument that the iPhone was totally impossible, and their argument was incredibly compelling until the moment that Steve Jobs dropped an iPhone on the table..." 25:50
"If you don't care if your work affects the [other people working on the system], you're going to crash." 37:30
"What happens when you define your constraints incorrectly?... Vulnerabilities. ...At best, you get the wrong answer. Most commonly, you get undefined behavior which in the presence of hacking becomes redefinable behavior." 41:35
"It's important to realize that we are loosening the assumption that the developer knows what the system is supposed to do...Everyone who touches the computer is a little bit ignorant." 45:20
On Heuristics
"When you say the same thing, but you say it in a different time, sometimes you're not saying the same thing." 9:10
"Hackers are actually pretty well-behaved. When hackers crash code...it does really controlled things...changing smaller things from the computer's perspective that are bigger things from a human's perspective." 20:25
"Bugs aren't random because their sources aren't random." 35:25
"Hackers aren't modeling code...hackers are modeling the developers and thinking, 'What did [they] screw up?' [I would ask a team to] tell me how you think your system works...I would listen to what they didn't talk about. That was always where my first bugs came from." 35:45
On Bug Advocacy
"In twenty years...I have never seen stupid moralization fix anything...We're engineers. Sometimes things are going to fail." 10:30
"We have patched everything in case there's a security boundary. That doesn't actually mean there's a security boundary." 28:10
"Build your boundaries to what the actual security model is...Security that doesn't care about the rest of IT, is security that grows increasingly irrelevant." 33:20
"We're not, as hackers, able to break things. We're able to redefine them so they can't be broken in the first place." 59:25
On Automation
"The theorem provers didn't fail when they showed no leakage of information between contexts because the right bits went to the right places They just weren't being asked to prove these particular elements." 18:25
"All of our tools are incomplete. All of our tools are blind" 46:20
"Having kind of a fakey root environment seems weird, but it's kind of what we're doing with VMs, it's what we're doing with containers." 53:20
On Testing in the SDLC
"We do have cultural elements that block the integration of forward and reverse [engineering], and the primary thing we seem to do wrong is that we have aggressively separated development and testing, and it's biting us." 38:20
"[Re Penetration Testing]: Testing is the important part of that phrase. We are a specific branch of testers that gets on cooler stages...Testing shouldn't be split off, but it kinda has been." 38:50
Ctd. "Testing shouldn't be split off, but it kinda has to have been because people, when they write code, tend to see that code for what it's supposed to be. And as a tester, you're trying to see it for what it really is. These are two different things." 39:05
"[D]evelopers, who already have a problem psychologically of only seeing what their code is supposed do, are also isolated from all the software that would tell them [otherwise]. Anything that's too testy goes to the test people." 39:30
"[Re: PyAnnotate by @Dropbox] 'This is the thing you don't do. Only the developer is allowed to touch the code.' That is an unnecessary constraint." 43:25
"If I'm using an open source platform, why can't I see the source every time something crashes? ...show me the source code that's crashing...It's lovely." 47:20
"We should not be separating Development and Testing... Computers are capable of magic, and we're just trying to make them our magic..." 59:35
Misc
"Branch Prediction: because we didn't have the words Machine Learning yet. Prediction and learning, of course they're linked. Kind of obvious in retrospect." 27:55
"Usually when you give people who are just learning computing root access, the first thing they do is totally destroy their computer." 53:40 #DontHaveKids
"You can have a talent bar for users (N.B.: sliding scale of computer capability) or you can make it really easy to fix stuff." 55:10 #HelpDesk
"[Re: Ransomware] Why is it possible to have all our data deleted all at once? Who is this a feature for?!... We have too many people able to break stuff." 58:25
Update: Plume added, rebuilt using thread and pipe cleaners to keep it upright and separate strands, removed plasticard sticks and zip ties. Also pulled the EL Wire which is being repurposed in my son's EL Hoodie.
We were only able to print a few OFBC 2.0 cases before DEFCON 26. The leftover parts would have sat in my toolbox for quite a while if not for a serendipitous mistake: I ordered the wrong color LEDs from Sparkfun. This plus a little construction advice from a seamstress helped me cobble together the glowing headgear that is The Glowhawk.
My courage and thinning hair prevent me from getting a mohawk while at DEFCON, but I've always wanted one. Instead I started to create one with a networking theme. Pipe cleaners in the color of Cat6 twisted pair served as a thick mane anyone could be proud of. This was wired onto a hat as a test. It looked OK, but it was kind of stubby to wear all on its own.
The LED driver for the OFBC is overdone. A single charge can last 10 hours on the original model. I wondered how much it could handle in terms of output, and a little breadboarding showed me I could wire several of the LED modules together as long as they were in parallel. Now how to use them?
The LEDs are these 3W green modules with attached heat sink. Direct eye contact is not recommended (hence the pains we took to use momentary buttons on the OFBC). On the beer light, we diffused the over-bright light so it could be sculpted by the drink it passed through. I was inspired by a fiber optic dress I saw elsewhere and found fiber optic table centrepieces for dirt cheap on Amazon. Some hot glue joined the disassembled fiber optics to the bright LED. The mane of glowing green was born!
With this fresh take in hand, DEFCON was upon us. I packed my things and thought I might take a crack at it in the evening. The Richard Cheese show was the perfect venue to solder everything together. The_bozo and I found a better place to work where the hot glue gun could run safely. I transferred the existing Cat6 mohawk to a bright green John Cena hat from Goodwill. Inside the channel that ran between upturned pipe cleaners, I hot glued the modules and fiber optics. Zip ties kept the fiber bundles from flopping around too much.
I consider the Glowhawk a great success, if a tad impractical. It lasted about 2 hours on a charge, and I was able to walk around wearing it with the mobile party crew for that long before it got uncomfortable. A photo of me wearing it hit the DEFCON Closing Ceremonies, and my son keeps trying to steal my remaining fiber optics for a lamp in his room.
Future improvements include better internal support, googly eyes to cover the logos, and a fifth plume to fill out the front. See you next year!
For Toxic BBQ 13 (DEFCON 25), we returned to the OFBC to see if we could improve the design and add some needed table decorations.
The first step was to simplify the PCB creation. I created a new layout in Fritzing that reduced whitespace. It also moved off-board components like batteries and the LED modules to use JST connectors for easy installation and swapping. OSH Park did a great job with the PCBs. I was able to directly convert the Fritzing designs to printable format. Each board was less than 2 bucks by the time we finished. Never again will I make my own PCBs by hand.
Sparkfun supplied most of the same components for about 15 bucks per light. Here is an updated BoM for this case:
Next, we redesigned the case. Instead of a three piece design requiring glue to assemble, the two pieces would be a base and a lid with a logo. Everything could be screwed into designed posts and covered with the lid. It was a snap. Production was easier with Shapeways. However, this led to longer lead times that prevented us from delivering to the barbecue. The prototyping went well and matched the designs, but the mass printings were so delayed that they didn't arrive in time for the barbecue even with expedited shipping. The resin product looked much better than the filament-printed 1.0 model. The cost at 20 bucks or so each was not prohibitive, but it certainly wasn't mass-market ready.
Amazon had a selection of sturdy bottle openers by Starr X, and a particularly helpful blog post by K & J Magnetics helped me pick out the featured magnet. I'm relying on the interesting grain of the Indian Rosewood to give the piece character as I didn't have the tools to do a fancy profile, and my router bits are incredibly lacking, so I just went with dog-eared corners and a chamfered edge. The burning visible on the below pre-finishing shot (accompanied by my favorite Wasatch brew) was due to the bit I used.
The magnet was epoxied in place after I cleared out a spot for it. In order to prevent the opener from sliding on slick surfaces, I added slightly inset tiny rubber feet. This also set the opener off from the fridge by just enough that you can get your fingers behind it to pry it off with ease. Lots of sanding from 100 to 600 grit made a great smooth base for some stain and spar urethane. After three days of curing time, I plopped it on the post at the Toxic BBQ and had a pile of at least 50 caps by the time the night was through. A great first run!
I took Ethan to the event run in parallel with DEF CON, R00tz Asylum. I think he had a blast as they covered a lot of traditional hacker topics at multiple levels of complexity. The highlights are below.
Structure
The event was held in the Crown Theater at the Rio. It was about a 10 minute walk from DEF CON proper. The separation was nice as it made for a more quiet and contained experience. The stage was occupied by a speaker almost all the time. Spread around the perimeter (mezzanine?) were tables with activities that changed every day. Kids could choose to listen, play or work on challenges. Most activities stayed the entire day, though some were more transient.
This setup was advantageous for my son. He has little ability to focus on any one thing for an extended period of time, so the variety of activities was nice. Much like its parent conference, R00tz Asylum did well when it focused on hands-on learning. Toool, Google and Wickr held contests and learning opportunities that pushed attendees and their parents to participate together. In particular, Ethan loved the puzzles, and I finally got him to solder something. He did a bang-up job.
Speakers
The speaker experience was less than optimal with a few notable exceptions. The stand-outs were Gene Bransfield's hilarious "Weaponizing your Pets" and Meredith Patterson's engaging activity "The Telephone Game" about Man-in-the-Middle attacks. Special mention goes to @muffenboy and Esau Kang for being kid attendees and speakers. For the rest, it would be good to learn that speaking to children is not the same as speaking to hackers, and most talks were too technical, lacked a hands-on component, and thus ended up being torture for the little ones. From speaking with the organizers, I can tell this is something they are trying to focus on next year.
The Gift
R00tz Asylum is the opposite of DEF CON in one respect: it relies on sponsors to add pizzazz and to make ends meet. One of those traditions that may or may not hold in coming years is the gift of a hackable piece of technology to attendees. This year brought ASUS Chromebooks care of Google. My son was enthralled, and I spent most of the conference convincing him to get off the Chromebook and out to the activities. By the end of the conference, we had Linux in addition to Chrome, and we were running Wireshark thanks to perseverance by Joe and Chris, a father/son team. This effort won Chris a trophy, even. My son begged me to put Minecraft on there, but then quickly forgot how to get back to it and reformatted his Chromebook undoing all our hard work. Hats off to Google, and congrats to Chris on the win.
Hardware Hacking
By far, my favorite part of the conference was the Hardware Hacking table. Not only did the goodie bag include a HakTeam Throwing Star LAN Tap, but a table full of old equipment was available that attendees could rip apart to salvage components. The LAN Taps were used in an activity that taught wireshark and packet sniffing. The hardware component salvage table was exploited for speakers, LEDs, gears and motors for all sorts of toys. I am definitely bringing projects for Ethan next year. I already recommended the salvage table to the official DEF CON Hardware Hacking Village. Las Vegas thrift shops may see a run on their printers, VCRs and routers before next year's conference.
Lock picking
The one talk and table I was surprised that Ethan was interested in was from Toool. Their interactive 101 talk caught his attention, and we worked on a lock at their companion activity table. Though he ended up losing interest before successfully opening a lock, it gave me a clue of the type of activity he could do on his own between conferences.
Going Forward
I would definitely recommend any hacker parent to bring their child to R00tz Asylum. It's expanding and evolving to be a great summer camp weekend that dovetails with the DEF CON experience. As the organizers get more experienced, I expect the content to grow and change to fit the kids and their interests. We all started somewhere, and I hope R00tz is that start for the next generation. I started a subreddit for R00tz, though it hasn't taken off.
As for Ethan and me, we are preparing a talk on how to hack Skylanders figures. We hope it will be a fun combination of encryption, hardware hacking and games that will draw the attention of attendees and inspire them to really dig in and explore the technology that is used around them every day.
I viewed StarWest's Virtual Conference offering again. This and the affiliated Better Software conference are run by Techwell. A few observations.
I loved the talk on Healthcare.gov given by Ben Simo (@QualityFrog). He communicates how easy it would have been to predict, find and fix the problems that would plague that site for more than a year. It was a good choice putting him on keynote.
To attend one of these conferences will run you or your company into the thousands of dollars. Attending the tutorials is even more. This in spite of being sponsored by some of the biggest software providers in the industry. We are bombarded by ads for the latest ALM or bug tracking tool and they are called talks. What is such sponsorship getting the attendees? Who is benefiting from this other than the organizers? If the conference organizers were a not-for-profit, would they charge the same amount?
The online offering tries to simulate the networking opportunities for those who could not attend. It tries to simulate the marketing side too by giving attendees contact info to vendors. What about the testing opportunities? With more than half the talks about web app testing, why aren't tutorial sites and learning apps available and promoted to virtual attendees?
Maybe DEF CON has spoiled me. $200 for the most frenetic hands-on conference over twice the number of days? A lot of that is a labor of love and volunteers, but then again most of it is also not sponsored by corporations too. Maybe I need to bring DEF CON to testers, or testers to DEF CON. See what shakes out.
This post is part of a series about building electro-mechanical PIN-cracking robots, R2B2 and C3BO.
This is a proof of concept for @JustinEngler's C3BO (https://github.com/justinengler/C3BO) using transistor controlled relays. It was prototyped by modifying Blink from the Arduino sample project.
In the video, you'll notice I've replaced the touchpad for your finger with a wire to the headphone jack's ground as the circuit ground. The two pieces of copper tape were no longer sticky enough to stay by themselves, so I am holding them down. They press 2 and 5 with about 8 key presses per second.
Note: This is part of the Project Write-up for OFBC: One Fluorescent Beer Coaster After months of effort, we had a circuit, PCB and shell design to accomplish our goal. Putting it all together meant solving some unique challenges in the home stretch. By far the most communal part of the project was finishing the circuit. Parts were bought by three different people. It took hours of trial runs and four different nights in my shop to finally get the circuit assembled and ready. In all, the project taught us to keep moving in spite of obstacles.
Internals
The main obstacle was PCB manufacture. As detailed in that post, uncooperative copper and etchant led to abominations not fit for solder. Drill bits broke in PCBs, holes were misaligned, and traces were torn up as we worked and reworked the boards. The major blunder was the reversed PCBs, but it was tempered by the lack of polar components. Only the transistor and MOSFET needed to be adjusted when we realized our mistakes. The quality checks and encouragement as we worked were a definite plus. There were several times I wanted to just give up and abandon the project. Truly, I get by with a little help from my friends.
After the PCBs were in our hands, the task of soldering all the components was a team effort. One person ran continuity tests on newly etched boards. Another bridged scratches and pasted down traces. Buttons (functional and fake) were inserted and crimped at one station while a fourth person began to solder on components.
That moment of truth when the LED lit up was breathtaking all nine times it happened. When it, more often than not, didn't work on the first try, the scramble to troubleshoot was a team effort as well. A loose connection, bad trace or through hole in need of a reflow was rooted out in minutes. I can't describe the feelings from closing the box with nine functional copies of the idea sketched out on a picnic table the year before.
The Ziploc idea produced 4 "just in case" models. We stabilized them with glass beads and hot glue. The containers became the shell and mount for the PCB. The beverage lid was provided by another ziploc container hot-glued onto the buttons. Hot glue for grip and stabilization of the platform finished the job. See the result in the pic below next to the finished shells.
Luckily, the 3D Printer roadblock was cleared just two days before the BBQ. Poor quality filament led to clogged extruders. After a good cleaning, we were back in business. 5 shells total were produced with various upgrades. We got a top that nested well with the shell, and the mouse-hole in the shell was added to allow the USB to be passed out of the body. We did not get impressions in the top to get the lid closer to the lens of the LED. We also did not get any part of the body held together by magnets.
Final assembly took place at Toxic BBQ itself. The lights stayed on this year, but we started conversations and passed out some business cards with links here. We placed a few on the tables farther out that didn't have light, and we presented two to the organizer in a Utilikilt. Furthermore, it went on display in r00tz and the HHV for most of the convention.
Final Word
I left DEF CON for two years running with a profound sense of my own shortcomings. I saw people around me doing amazing things, but I couldn't point to similar achievements for myself. Though not terribly complex (most ideas came from Instructables, after all), the process and coordination required to pull off this simple idea has been eye opening. It all started by pivoting from planning to doing. It finished with an 80's-montage-worthy string of late nights and high fives.
Already, these efforts are fertile ground from which numerous other ideas have sprung. Facing another DEF CON, I'm looking for the next big project instead of lamenting my noob credentials. Only time will tell how many of these work their way to reality.