Defcon Summary

Well Defcon has concluded and I’m back in good old Minnesota. It saddens me to know that the convention is over but I don’t know how many more days of partying I could handle. I met some great people and look forward to meeting them again next year at Defcon 20.

So how about the convention? The convention itself was great. This was the first year in our new location, the Rio Hotel and Casino, and I must say it was a far better venue than the Riviera was. The Riviera was becoming too small for the thousands of attendees which was easily seen with the cramped hallways and speaker rooms overflowing with people. The Rio is huge and traffic flow was much better than last year which is good when you have somewhere between 11,000 and 12,000 people attending.

There were some good talks including one by Deviant about breaking into handgun safes. Needless to say most of the handgun safes you can purchase in stores such as Cabela’s and Gander Mountain are pathetically easy to get into without the key or thumbprint (yes he covered safes with biometrics as well). When the talk is posted I’ll link to it here.

Although I already knew that using Internet kiosks was a bad idea and therefore I avoided it, I never knew just how easy they were to hack. If you ever sit down to an Internet kiosk and feel the need to hack it just visit this website. The site itself includes tons of ways to bypass the “security” found in most Internet kiosks. Likewise you shouldn’t use those kiosks as you have no idea what somebody has done to them.

The creators of the Wireless Aerial Surveillance Platform (WASP) gave a presentation on their drone. Although no live demonstration was given the capabilities they mentioned were impressive. The WASP is able to intercept and crack a lot of Wi-Fi traffic (it even includes a word list for attempting to break Wi-Fi Protected Access (WPA) secured networks) as well as intercept Global System for Mobile Communications (GSM) phone calls and text messages. The entire unit weighs a mere 14 pounds.

Another presentation I found very interesting was the one on cellular security. The speaker examined the traffic sent over a standard Android phone. He covered several popular applications and it’s rather surprising the type of information some of those applications send back home. This, again, is nothing that most people didn’t already know but few have actually released the exact information that was being returned.

Dan Kaminsky did his talk which is always a pleasure to watch. I’ll have to wait for Defcon to publicly post his talk so you guys can watch it but there was one part that really made the Austrian economist in me laugh. He was able to insert ASCII art of Ben Bernanke into the Bitcoin network which will remain there for all eternity (eternity being measured as the lifespan of the Bitcoin network).

Outside of the talks the usual assortment of parties and boozing were had by most. On Saturday night the Freakshow party was thrown in the pool area of the Rio which included some impressive entertainment including a guy break dancing and moon walking on stilts. There were also a couple of scantily clad ladies rolling around the pool in a giant ball. This being Defcon nerdiness was present and a few of my friends and I attempted to calculate the girls’ weight by using the radius of the ball and the depth at which it sank into the water. What else can you expect from engineers?

Of course no post about my adventures involving flying would be complete without a little comment regarding the Transportation Security Administration (TSA). This year I decided to have a little fun and wore this shirt when I flew out of Minneapolis and this shirt when I went through in Las Vegas. I forgot most TSA agents are illiterate and therefore would not notice my witty shirts. OK, I’m assuming illiteracy is the reason I didn’t receive extra special attention but either way the TSA basically left me alone for once. Still I would like to close this post by saying fuck the TSA.

The Coolest Flying Drone Out There

What if I told you there was an unmanned drone that was developed to fly around, sniff Wi-Fi networks, and eavesdrop on GSM phone conversations? You’d probably get angry at yet another device developed by Motherland Homeland Security to spy on the citizens of the United States. In this case your rage would be misdirected because this drone was developed by a private individual trying to raise awareness of the poor security found on many Wi-Fi and all GSM networks:

At the Black Hat and Defcon security conferences in Las Vegas next week, Mike Tassey and Richard Perkins plan to show the crowd of hackers a year’s worth of progress on their Wireless Aerial Surveillance Platform, or WASP, the second year Tassey and Perkins have displayed the 14-pound, six-foot long, six-foot wingspan unmanned aerial vehicle. The WASP, built from a retired Army target drone converted from a gasoline engine to electric batteries, is equipped with an HD camera, a cigarette-pack sized on-board Linux computer packed with network-hacking tools including the BackTrack testing toolset and a custom-built 340 million word dictionary for brute-force guessing of passwords, and eleven antennae.

“This is like Black Hat’s greatest hits,” Tassey says. “And it flies.”

On top of cracking wifi networks, the upgraded WASP now also performs a new trick: impersonating the GSM cell phone towers used by AT&T and T-Mobile to trick phones into connecting to the plane’s antenna rather than their carrier, allowing the drone to record conversations and text messages on 32 gigabytes of storage

How fucking cool (and scary) is that? Truth be told the security on many devices that we commonly use today is completely nonexistent. Last year there was a demonstration at Defcon showing that it’s very possible for an average person to get the equipment necessary to spy on people using GSM phones (CDMA, as far as I know, is still safe from non-government snoopers).

My Top Android Gripes

Although I’ve switched over to an iPhone as my primary mobile communication device every so often (usually when a new version of Android drops) I grab my Android handset and test it to see if any of my problems have been resolved. With the release of 2.3.5 for my Nexus S I decided to give Android another run through and I’ve found the following glaring problems:

Virtual Private Networking (VPN) still doesn’t work: How long has Android been out? Something approaching three years now I believe, and it still lacks functioning VPN capabilities. VPN isn’t exactly rocket science as Windows, Linux (which Android is bloody based off of), Mac OS, iOS, Palm OS, and WebOS all have functioning VPN capabilities. Why can’t Google get it working properly in their mobile OS?

No support for CalDAV or CardDAV: CalDAV and CardDAV are open standard protocols for remote calendaring and contact management. Once again I find that almost every other operating system on the planet, including iOS, has support for these two protocols. It seems trivial to me that a company the size of Google couldn’t just download an already completed CalDAV and CardDAV Linux client library and use it to add built-in support for both in Android.

No support for public-key identity certificates: I use self-signed certificates for my mail, calendar, address book, VPN, and HTTPS needs. Although Android has full support for IMAP (although using a separate e-mail client from their star GMail app) Android doesn’t have any way of importing identity certificates (which was a bitch I might add). Although I’ve been able to import my identity certificate Android seems unable to use it to identify TLS connections. When I connect to my IMAP server Android informs me that it can’t establish a chain of trust for the server’s TLS certificate. Well the public key that establishes that chain of trust is right in the fucking certificate store, why not check there?

No method of encrypting data stored on the device: You know what’s nice about iOS? All of your data can be stored in an encrypted format meaning somebody can’t just grab the phone and download everything without knowing your password (it also makes wiping data from the phone quick as you can just erase the encryption keys). You know what’s not so nice about Android? There is no way to fully encrypt everything stored on the phone. Once again full disk encryption isn’t exactly rocket science as Windows, OS X, and iOS all have that capability built-in.

I really want to like Android but Google makes it so damned difficult. If you’re willing to simply use Google’s service Android is decent (although you’re still fucked on the VPN side of things). But when you want to move off of Google’s services and use your own then Android becomes completely unusable. Why should Google care since they want people using their services? Simple, many businesses also need the very things I’ve mentioned. Without these capabilities Google is lacking the ability to make headway into many market sectors that Apple is currently moving into. In addition to that all the problems I’ve listed are gripes that people have posted in the Android support and development forums meaning I’m not the only one wanting these features.

On top of that I’m of the firm belief that a feature advertised in the operating system should work. Android has a preference pane to enter VPN settings and it has a preference pane to import certificates but neither feature works. It looks damn sloppy when your operating system advertises a feature that isn’t functional. Hell, it’s not just that these features aren’t functional, it’s that Android has been out for roughly three years and the features still aren’t functional.

Once again I’ve given Android a chance and found it lacking. I’ll patiently wait for the next Android release where I’ll start this cycle all over again and hope that some of these features are actually working then.

A Rather Pointless Endeavor

Sometimes I look at a newly announced product and simply ask, “Why?” This is rare for me because I recognize that there are many different people with many different needs but sometimes even that fact doesn’t explain the reason a product managed to see the light of day. Canon just announced a new device that is an amalgamation of a Bluetooth laser mouse and a 10-digit calculator.

You know what program all computers have on them? A calculator. It’s true, even your damned cell phone has a bloody calculator built in. Since our computers already have calculator programs included why do we want a mouse that also has a built-in calculator? I could think of a great many other, more useful, gadgets to include in a mouse.

I’ve Been Saying This About Bitcoin For a While

As I hang out with a large circle of liberty minded people the topic of Bitcoin comes up frequently. Generally there are two schools of thought when it comes to Bitcoin; the school that believes Bitcoin is our salvation from government controlled money and the school that thinks Bitcoin is a fad that will die out soon enough.

Although I find many things to like about Bitcoin anonymity isn’t one of them. People often tout Bitcoin as being anonymous and state that as a huge plus. The problem comes from the fact that every Bitcoin transaction ever made is forever stored in the Bitcoin network. This means if somebody is able to tie a Bitcoin wallet ID to a person they could begin the process of tying other wallet IDs to people. This can be done pretty easily through data mining (or, if the first wallet ID was discovered through computer access, potentially looking through the user’s Bitcoin address book).

Well somebody finally did some experimentation and demonstrated what I’ve been saying:

Anonymity is not a prominent design goal of Bitcoin. However, Bitcoin is often referred to as being anonymous. We have performed a passive analysis of anonymity in the Bitcoin system using publicly available data and tools from network analysis. The results show that the actions of many users are far from anonymous. We note that several centralized services, e.g. exchanges, mixers and wallet services, have access to even more information should they wish to piece together users’ activity. We also point out that an active analysis, using say marked Bitcoins and collaborating users, could reveal even more details. The technical details are contained in a preprint on arXiv. We welcome any feedback or corrections regarding the paper.

Arguments about the merits of Bitcoin as a competing currency to currently government controlled monies are still relevant but please stop claiming the advantage of anonymity. If you want the most anonymity in your transactions use physical commodities. Any electronic currency system needs to ensure transactions are valid in order to prevent counterfeiting, and thus devaluation. The only way to do this is to know the entire history of each monetary unit which necessarily involves keeping records of every transaction. As transactions occur between individuals some method can always be used to tie a specific monetary unit to a particular person.

Physical commodities aren’t reproducible without physical effort which negates the need to have some kind of record of every transaction that commodity has been through.
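The linking step described above, as an added example that is not from the original post or the cited paper: it applies the common-input-ownership heuristic (addresses spent together as inputs of one transaction are assumed to share an owner), a widely used analysis technique the post does not name, to a constructed ledger. All addresses, transaction IDs and function names are hypothetical.

```python
# Constructed sample ledger (not real transactions). Each entry lists the
# addresses that funded a transaction and the addresses that were paid.
LEDGER = [
    {"txid": "tx1", "inputs": ["addr_A", "addr_B"], "outputs": ["addr_shop"]},
    {"txid": "tx2", "inputs": ["addr_B", "addr_C"], "outputs": ["addr_X"]},
    {"txid": "tx3", "inputs": ["addr_D"], "outputs": ["addr_A", "addr_E"]},
    {"txid": "tx4", "inputs": ["addr_E", "addr_F"], "outputs": ["addr_shop"]},
    {"txid": "tx5", "inputs": ["addr_C", "addr_G"], "outputs": ["addr_Y"]},
    {"txid": "tx6", "inputs": [], "outputs": ["addr_D"]},  # newly minted coins
]


class UnionFind:
    """Disjoint-set structure used to merge addresses into owner clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, item):
        self.parent.setdefault(item, item)
        while self.parent[item] != item:
            # Path halving keeps lookups fast on long chains.
            self.parent[item] = self.parent[self.parent[item]]
            item = self.parent[item]
        return item

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def build_clusters(ledger):
    """Merge all input addresses of each transaction into one cluster."""
    uf = UnionFind()
    for tx in ledger:
        for addr in tx["inputs"] + tx["outputs"]:
            uf.find(addr)  # register every address, even if never merged
        if not tx["inputs"]:
            continue  # no inputs (newly minted coins): nothing to link
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            uf.union(first, other)
    return uf


def linked_addresses(ledger, known_address):
    """Addresses the heuristic attributes to the owner of known_address."""
    uf = build_clusters(ledger)
    root = uf.find(known_address)
    return sorted(a for a in list(uf.parent) if uf.find(a) == root)


def exposed_transactions(ledger, known_address):
    """Transactions that pay into or spend from the owner's cluster."""
    cluster = set(linked_addresses(ledger, known_address))
    return [tx["txid"] for tx in ledger
            if cluster & set(tx["inputs"] + tx["outputs"])]


if __name__ == "__main__":
    # Suppose addr_A has been tied to a person (e.g. it was posted publicly).
    print(linked_addresses(LEDGER, "addr_A"))
    print(exposed_transactions(LEDGER, "addr_A"))
```

Identifying one address exposes four addresses and four of the six transactions here, using nothing but the public record.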

OS X Lion Server Admin Tools

When I upgraded my machines to OS X Lion I noticed something of importance was missing, Server Admin Tools. For those who don’t know Server Admin Tools is a package of applications that works as a front-end for maintaining OS X Server installations. These tools aren’t necessary as you can manage everything from the command line if you desire but, being a naturally lazy person who isn’t too fond of manually editing a 500 line text file to change one little thing, I prefer using a quick graphical interface. The administration panel that is included with OS X Lion Server is a toy that doesn’t allow any real manual configuration so that’s out as far as I’m concerned.

Thankfully Apple has posted Server Admin Tools 10.7 on their website. Why the OS X Lion installer didn’t automatically include this or download it from the website when it was upgrading my system I’ll never understand. It wouldn’t be that difficult for the installer to see that I have Server Admin Tools installed and thus it should either upgrade those applications or leave them the Hell alone. Simply removing them wasn’t my idea of funny nor entertaining.

Either way if you’ve upgraded your system to OS X Lion and rely on Server Admin Tools you’re relegated to manually navigating to the website and downloading the installer package.

NoScript Awarded the $10,000 Dragon Research Group Security Innovation Grant

It’s likely you’ve heard me praise the awesome Firefox plugin that is NoScript. NoScript is the primary reason why I’m still running Firefox instead of Chrome. That’s why I’m glad that the plugin was awarded the Dragon Research Group Security Innovation grant which includes $10,000.

NoScript is kind of a Swiss Army knife in regards to Firefox plugins. The main purpose of the plugin is to block scripting on all domains that you haven’t specifically white listed. This not only improves security by preventing malicious scripts from running but it also makes the web a much nicer place to visit since it blocks those annoying pop-over ads that block the site until you dismiss them. I’m honestly at the point where I can’t even stand visiting many websites unless I block scripting on those domains.

My Initial Thoughts on OS X Lion

I have successfully installed OS X Lion on both my Mac Pro and my MacBook Pro. I’m not ballsy enough to attempt the server upgrade until this weekend though so my initial thoughts are all going to be related to client software at this point.

The very first thing I want to point out is the fact having reversed scrolling enabled by default is the dumbest fucking thing I’ve ever encountered. Seriously! When I scroll up on a trackpad or mouse I expect the screen to move up, when I scroll down I expect my screen to move down. This is a pretty basic concept that’s been with us for a while now. An operating system isn’t a fucking flight simulator, we don’t need to reverse the controls for moving up or down. Thankfully this can easily be disabled in the preferences but it seems like such an idiotic thing to have enabled by default.

That was by far my biggest annoyance which is to say I haven’t run into anything that annoying so far. OS X Lion seems pretty stable outside of the box which is a nice change as most initial releases of new OS X versions have been rather buggy, sometimes bordering on unusable. For Lion the installation went off without a hitch and everything seems to be running properly so far.

The whole full-screen mode for applications is a rather pointless gimmick in my book. I have no idea why Apple saw fit to include such a feature in a desktop operating system but it’s optional and thus easily ignored.

I’m not at all happy with the new way virtual desktops are laid out. Previously you could have a grid of virtual desktops which meant accessing one desktop from another could be done quickly. I usually run with six virtual desktops and in Snow Leopard I had them arranged in a grid consisting of two rows and three columns. In Lion virtual desktops are all laid out linearly meaning you only have one row. This makes traversing from desktop one to desktop six a pain in the ass if you’re using keyboard shortcuts. I’ve not found a way to revert the desktop arrangement to a grid yet, nor am I even sure you can. Either way I find this extremely annoying as it really fucks up my workflow.

I have no real opinion on the disappearing scroll bars. I seldom look at or use the scroll bars anymore so the fact that they vanish when you’re not actively scrolling is irrelevant to me.

The new Mail application is light years ahead of Snow Leopard’s version. The layout feels much better and everything seems to move smoother. I also like that the System Preferences has a central panel to add e-mail, calendar, and address book accounts. It was a bit annoying having to open each separate application to add the appropriate account.

The new “natural feel” iCal and Address Book applications are just fine by me. They look a bit out of place but I don’t think they’re as ugly as many have made them out to be. Honestly I rarely interact with either application on my desktop or laptop so this is another thing that doesn’t really affect me.

Launchpad is pretty worthless in my opinion. I’ve been running with an Application folder stack on my dock forever now to launch applications. It’s actually easier for me to click on the stack icon, scroll to the application I want, and launch it than it is for me to launch an application via Launchpad.

Some of the new trackpad and mouse gestures are pretty sweet. I really like the fact that I can now use my trackpad and mouse to scroll, flip between virtual desktops, show my running applications, and many other things. Apple has done a great job realizing the utility of a trackpad with multi-touch capabilities and I hope other computer manufacturers follow in step.

The new interface elements in Lion are pretty as well. It’s a pretty meaningless change but I like the new look.

I’ll keep you guys apprised of my findings but so far I’m liking Lion even though I find most of the new features to be rather pointless gimmicks. It seems solid from the start which is certainly better than previous OS X releases.

A Valuable Lesson For Those Upgrading Servers and Clients to OS X Lion

One purpose of this blog is so readers can learn from my mistakes. If you’re planning on upgrading both client and servers to OS X Lion you should be aware of something.

First you should know that OS X Lion is a separate download from OS X Lion Server. Instead of having two versions of their operating system available for download Apple has made the server utilities available as a separate installable package. I like this option honestly but I did make a mistake that ended up costing me $29.99.

Because I didn’t want to tie up my server with a major download I initially purchased and downloaded OS X Lion from the App Store on a client computer. I tried to also purchase OS X Lion Server at the same time but the App Store wouldn’t allow me to do so from a system not already running Lion. Later I decided to download OS X Lion on my server so it would be available for install when I was ready (as OS X Lion is a 3.47GB download, I thought getting on the system early was a smart move). When I went to download OS X Lion on my server the App Store reported that I needed to also purchase OS X Lion Server. The App Store did warn me that both would be purchased and that I would be charged $79.98 but being I was in a hurry I made an assumption. My assumption was that OS X Lion was already in my purchase history and thus only OS X Lion Server would be purchased at this point. That assumption, like most, was incorrect and I am now the owner of two OS X Lion purchases.

There are three options available to those wanting to upgrade both server and client computers to OS X Lion. The first, and probably easiest option, is to purchase OS X Lion on a computer currently running OS X Snow Leopard Server. Doing this will require you purchase both OS X Lion and OS X Lion Server at the same time but they will appear as separate purchases in the App Store which will allow you to download just OS X Lion on client computers.

Option number two is to purchase OS X Lion on a client, format the server, install OS X Lion, purchase OS X Lion Server, and then restore your server specific settings. This is probably the most painful method of upgrading both server and client computers to Apple’s new operating system.

The third option is to install OS X Lion on a client, upgrade that client, and purchase OS X Lion Server after the upgrade is finished. This will put both OS X Lion and OS X Lion Server in your purchase history and you should be able to upgrade your server without having to purchase any additional downloads.

So the lesson I have for everybody reading this is don’t make assumptions, they can be expensive.

EDIT: 2011-07-20 16:30: I contacted Apple through their App Store support page and they got back to me within a few hours and issued a refund. That’s pretty good support considering the mistake was ultimately mine for making the assumption that I wouldn’t get charged twice.

Lulz Security Calls it Quits

I’ve mentioned my interest in Lulz Security and Anonymous stemmed strongly from their ability to keep themselves anonymous for quite a length of time considering the high value targets they went after. Well Lulz Security has called it quits claiming that they only intended to perform their attacks for 50 days.

This story doesn’t really hold water though as personal information of many members of the group has been published, which makes their sudden “planned” disbanding rather convenient. What I would like to know though is where they failed in keeping themselves anonymous. The ability to keep one’s self anonymous online is a valuable thing and learning from the mistakes made by others is the only way we can ensure those needing or simply wanting to hide online have the ability to do so.

Of course it’s also possible that Lulz Security’s announcement of the organization disbanding is just them trolling everybody. I wouldn’t be surprised to see them announce that their previous announcement was just made to fuck with people and that they’re restarting their attacks.