Friday, August 29, 2014

Labor Day Weekend - Launch Video

Nacho Libre movie humor to help you build some mood for a proper send-off to your Labor Day holiday weekend festivities.  No, you're not being JackBlackRolled.

--Milton

Thursday, August 28, 2014

Google Dorkers Under Fed Magnifying Glass

An Ars Technica article, "Feds warn first responders of dangerous hacking tool: Google Search" (sent via @wh1t3Rabbit), describes individuals who use advanced Google search operators, a practice known as Google Hacking or Dorking, as acting like "malicious cyber actor[s]".

Considering all Google dorkers malicious is very disturbing, since advanced search operators have many legitimate uses, which is the reason Google makes them available to the public.  In fact, the article I wrote about Johnny Long's (Twitter, @ihackstuff) Google Hacking, "Google Hacking -- Blast from the Past", is a popular post, and I'm guessing that's because it helps people find legitimate information they need on the Internet.  Sorry readers, in my blast from the past post I showed you how to use Google's filetype: operator.  You are now acting like malicious cyber actors and are likely monitored by governments for your subversive activities.

Profiling individuals who use Google advanced search operators in the same class as malicious cyber actors is disturbing.  I think we should treat data like money.  There are a number of uncanny similarities: data provides those who manage it a living wage, it has value, it's traded, it's electronic, it's easy to duplicate, etc.  At least it seems like a place to start.
Consider a bank that leaves its money on its doorstep and complains when thieves steal it.  We call that bank foolish.  Yet when our most sensitive data is posted on public web sites, we hold the site owners blameless.
The concern with profiling those who use powerful tools is that it's a distraction from the real problem: unsecured sensitive data on the public Internet.  Many tools can be used for both beneficial and malicious purposes, knives, guns, etc.  Even if Google removed its advanced search operators, that would amount to burying our heads in the sand and ignoring the real problem.  Attackers would simply craft new tools to evade detection.

--Milton

Tracking Aircraft on Raspberry PI

Photo: Raspberry Pi RTL-SDR receiver
What can you do with an RTL-SDR receiver, the dump1090 software, and a Raspberry Pi?  Easy: you can capture flight numbers, altitude, speed, and position from ADS-B equipped aircraft in your area.

Ever since I was a kid I always enjoyed listening to my Grandfather's shortwave radio.  Every twist of the tuner knob would produce a new discovery: aircraft, the beeps and bleeps of Morse code, far away news broadcasts.  Now I'm much older and technology has matured, but so have my skills.  Now I have a Raspberry Pi, an RTL-SDR, and know how to program (which means I'm dangerous).

A while back I built a Raspberry Pi project with a 2.8" display from Adafruit.  I also purchased a low cost RTL-SDR receiver at DEFCON 22.  Shortly after I built my Pi project I could not make up my mind what I wanted to do with it, so it sat on my shelf collecting dust.  Same goes for the SDR receiver after I returned from DEFCON.  That is, until yesterday evening when I had the bright idea to put the Pi and SDR receiver together and make them do something useful.  Around the time I was searching the Internet for more information on getting SDR going on Raspbian, I discovered some information about ADS-B.  ADS-B equipped aircraft transmit telemetry on 1090 MHz, within my SDR receiver's tuning range.  You can learn more about ADS-B on RTL-SDR.com.  I'm still learning myself, so I don't have a good idea where ADS-B fits into air traffic management just yet, but ADS-B is definitely interesting technology.
Photo: FlightRadar24.com

As you can see in the photo of my Raspberry Pi screen (first photo), information about aircraft flying near my home is presented.  I had no idea if this information was accurate, so to verify I opened FlightRadar24 in my web browser (2nd photo on right).  The results were accurate, although I only receive a fraction of the planes arriving at or departing from San Francisco, Oakland, San Jose, and Sacramento.  I'm still not sure what the negative longitude is just yet.  In any case, I noticed that I receive telemetry from some aircraft almost 100 miles away with a 4" antenna - wow!  Other aircraft passing over the mountains near my home would drop off my display, which is to be expected since mountains interfere with radio signals.  I was very impressed with the unit I purchased at DEFCON from Hacker Warehouse, and at $20 US there's no reason not to experiment.  I noticed at the conference that Hacker Warehouse also sold larger antennas as well as directional antennas, which would be interesting to experiment with.

The software package on the Raspberry Pi that makes detecting ADS-B transmissions possible is dump1090.  Dump1090 tunes your RTL-SDR radio to 1090 MHz and decodes the ADS-B (Mode S) messages it receives.  If you want to get dump1090 running on your Pi, I recommend reading Ferran Casanovas' blog.  Following are the command line options for dump1090 so you can get some idea of what it does.


pi@raspberrypi ~/dump1090 $ ./dump1090 --help
-----------------------------------------------------------------------------
|                        dump1090 ModeS Receiver         Ver : 1.09.0608.14 |
-----------------------------------------------------------------------------
--device-index <index>   Select RTL device (default: 0)
--gain <db>              Set gain (default: max gain. Use -10 for auto-gain)
--enable-agc             Enable the Automatic Gain Control (default: off)
--freq <hz>              Set frequency (default: 1090 Mhz)
--ifile <filename>       Read data from file (use '-' for stdin)
--interactive            Interactive mode refreshing data on screen
--interactive-rows <num> Max number of rows in interactive mode (default: 15)
--interactive-ttl <sec>  Remove from list if idle for <sec> (default: 60)
--interactive-rtl1090    Display flight table in RTL1090 format
--raw                    Show only messages hex values
--net                    Enable networking
--modeac                 Enable decoding of SSR Modes 3/A & 3/C
--net-beast              TCP raw output in Beast binary format
--net-only               Enable just networking, no RTL device or file used
--net-http-port <port>   HTTP server port (default: 8080)
--net-ri-port <port>     TCP raw input listen port  (default: 30001)
--net-ro-port <port>     TCP raw output listen port (default: 30002)
--net-sbs-port <port>    TCP BaseStation output listen port (default: 30003)
--net-bi-port <port>     TCP Beast input listen port  (default: 30004)
--net-bo-port <port>     TCP Beast output listen port (default: 30005)
--net-ro-size <size>     TCP raw output minimum size (default: 0)
--net-ro-rate <rate>     TCP raw output memory flush rate (default: 0)
--net-heartbeat <rate>   TCP heartbeat rate in seconds (default: 60 sec; 0 to disable)
--net-buffer <n>         TCP buffer size 64Kb * (2^n) (default: n=0, 64Kb)
--lat <latitude>         Reference/receiver latitude for surface posn (opt)
--lon <longitude>        Reference/receiver longitude for surface posn (opt)
--fix                    Enable single-bits error correction using CRC
--no-fix                 Disable single-bits error correction using CRC
--no-crc-check           Disable messages with broken CRC (discouraged)
--phase-enhance          Enable phase enhancement
--aggressive             More CPU for more messages (two bits fixes, ...)
--mlat                   display raw messages in Beast ascii mode
--stats                  With --ifile print stats at exit. No other output
--onlyaddr               Show only ICAO addresses (testing purposes)
--metric                 Use metric units (meters, km/h, ...)
--snip <level>           Strip IQ file removing samples < level
--debug <flags>          Debug mode (verbose), see README for details
--quiet                  Disable output to stdout. Use for daemon applications
--ppm <error>            Set receiver error in parts per million (default 0)
--help                   Show this help

Debug mode flags: d = Log frames decoded with errors
                  D = Log frames decoded with zero errors
                  c = Log frames with bad CRC
                  C = Log frames with good CRC
                  p = Log frames with bad preamble
                  n = Log network debugging info

                  j = Log frames to frames.js, loadable by debug.html

My experience with dump1090 was excellent.  The output is more or less what is shown in my Pi photo (first photo).  I say more or less, since I made some changes to the program for the smaller display on my Pi.  The problem I had on my 2.8" screen was that the lines would wrap around past the edge of the screen and onto the next line.  All the information was on the screen but it was hard to read in --interactive mode.  To get the Pi display cleaned up I was thinking I could find a command line option and then grep something together for a cleaner display.  Unfortunately, I didn't notice any easy way to do this.  As a workaround, I made some changes to the program to shorten the output to only the fields of interest within interactive.c.  The code is customized for the 2.8" PiTFT Mini Kit from Adafruit.  After applying the changes, I recompiled dump1090 and the output was shortened to fit my display as I expected.  Next, I made some changes to force the Pi to log in automatically and start the dump1090 program.  I know, not very secure, but I don't have any data on this device.  For now, I just used the default account on the Pi, but it would be more secure if I created a new account with less privilege.  Anyway, I was lazy and wanted to get this thing finished before I went to bed, so I improvised.
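Patching interactive.c is one route to a narrow display; the other is to leave dump1090 alone and read its network output instead.  With --net, port 30003 (--net-sbs-port) carries BaseStation ("SBS") CSV lines, one per decoded message, with the ICAO hex address, a message type, and whichever of callsign, altitude, ground speed and position that message carried.  The Python below is an added example written for this post, not code from dump1090 or from the modified interactive.c described above: it parses those lines, keeps a per-aircraft table, drops aircraft not heard for a while (the same idea as --interactive-ttl), and renders rows cut to a fixed width so nothing wraps.  The lines in SAMPLE_SBS are constructed for the example, not captured traffic; the 40-column width and the 127.0.0.1:30003 endpoint are assumptions.

```python
"""Compact flight table fed by dump1090's BaseStation (SBS) output on TCP port 30003."""
import socket
import time
from dataclasses import dataclass
from typing import Optional

# BaseStation CSV fields (22), which dump1090 emulates: MSG,type,session,aircraft,hexident,
# flight,dategen,timegen,datelog,timelog,callsign,altitude,groundspeed,track,lat,lon,
# vrate,squawk,alert,emerg,spi,ground
IDX_TYPE, IDX_HEX, IDX_CALLSIGN, IDX_ALT, IDX_GS, IDX_LAT, IDX_LON, FIELD_COUNT = 1, 4, 10, 11, 12, 14, 15, 22


@dataclass
class Aircraft:
    icao: str
    callsign: str = ""
    alt: Optional[int] = None
    gs: Optional[int] = None
    lat: Optional[float] = None
    lon: Optional[float] = None
    last_seen: float = 0.0


def parse_sbs_line(line: str):
    """Return (icao, {field: value}) for a MSG line, or None for anything else."""
    f = line.rstrip("\r\n").split(",")
    if f[0] != "MSG" or len(f) <= IDX_CALLSIGN:
        return None
    f += [""] * (FIELD_COUNT - len(f))  # tolerate a truncated line
    icao = f[IDX_HEX].strip().upper()
    if len(icao) != 6:
        return None
    mtype, upd = f[IDX_TYPE], {}
    if mtype == "1" and f[IDX_CALLSIGN].strip():  # identification
        upd["callsign"] = f[IDX_CALLSIGN].strip()
    if mtype in ("2", "3", "5", "7") and f[IDX_ALT].strip():  # altitude carriers
        upd["alt"] = int(f[IDX_ALT])
    if mtype in ("2", "3") and f[IDX_LAT].strip() and f[IDX_LON].strip():  # position
        upd["lat"], upd["lon"] = float(f[IDX_LAT]), float(f[IDX_LON])
    if mtype in ("2", "4") and f[IDX_GS].strip():  # velocity
        upd["gs"] = int(float(f[IDX_GS]))
    return icao, upd


class FlightTable:
    """Per-aircraft state with idle expiry, the same idea as --interactive-ttl."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl, self.aircraft = ttl_seconds, {}

    def feed(self, line: str, now: float) -> bool:
        parsed = parse_sbs_line(line)
        if parsed is None:
            return False
        icao, upd = parsed
        ac = self.aircraft.setdefault(icao, Aircraft(icao))
        for key, value in upd.items():
            setattr(ac, key, value)
        ac.last_seen = now
        return True

    def expire(self, now: float) -> int:
        stale = [k for k, a in self.aircraft.items() if now - a.last_seen > self.ttl]
        for k in stale:
            del self.aircraft[k]
        return len(stale)

    def render(self, width: int = 40):
        """Rows cut to `width` columns so nothing wraps on a narrow screen."""
        def fmt(value, spec):
            return "" if value is None else format(value, spec)
        rows = ["ICAO   FLIGHT     ALT  GS    LAT     LON"]
        for a in sorted(self.aircraft.values(), key=lambda a: a.icao):
            rows.append(f"{a.icao:6} {a.callsign:8} {fmt(a.alt, ''):>5} {fmt(a.gs, ''):>3} "
                        f"{fmt(a.lat, '.2f'):>6} {fmt(a.lon, '.2f'):>7}")
        return [r[:width] for r in rows]


def stream_from_dump1090(host="127.0.0.1", port=30003, width=40, ttl=60.0):
    """Connect to `dump1090 --net` (assumed local) and redraw the table on every message."""
    table = FlightTable(ttl)
    with socket.create_connection((host, port)) as sock, sock.makefile("r") as lines:
        for line in lines:
            now = time.time()
            if table.feed(line, now):
                table.expire(now)
                print("\x1b[2J\x1b[H" + "\n".join(table.render(width)))


# Constructed SBS lines for this example (not captured traffic): two aircraft plus a non-MSG line.
SAMPLE_SBS = [
    "MSG,1,111,11111,A1B2C3,111111,2014/08/27,21:04:11.000,2014/08/27,21:04:11.000,UAL1234 ,,,,,,,,,,,",
    "MSG,3,111,11111,A1B2C3,111111,2014/08/27,21:04:12.000,2014/08/27,21:04:12.000,,35000,,,37.7749,-122.4194,,,0,0,0,0",
    "MSG,4,111,11111,A1B2C3,111111,2014/08/27,21:04:13.000,2014/08/27,21:04:13.000,,,452,271,,,-64,,,,,",
    "MSG,1,111,11111,C0FFEE,111111,2014/08/27,21:04:15.000,2014/08/27,21:04:15.000,SWA42   ,,,,,,,,,,,",
    "MSG,3,111,11111,C0FFEE,111111,2014/08/27,21:04:16.000,2014/08/27,21:04:16.000,,2500,,,37.6100,-122.3800,,,0,0,0,0",
    "STA,,111,11111,C0FFEE,111111,2014/08/27,21:04:17.000,2014/08/27,21:04:17.000",
]


def demo(width: int = 40):
    """Feed the sample lines on a fake clock, then expire idle aircraft."""
    table = FlightTable(ttl_seconds=60)
    for line, now in zip(SAMPLE_SBS, [1000.0, 1001.0, 1002.0, 1050.0, 1051.0, 1052.0]):
        table.feed(line, now)
    before = table.render(width)
    dropped = table.expire(now=1100.0)  # A1B2C3 last heard at 1002 s: idle longer than 60 s
    return before, dropped, table.render(width)


if __name__ == "__main__":
    stream_from_dump1090()  # needs `dump1090 --net` running on this host
```

Run dump1090 --net --quiet on the Pi and then this script; demo() exercises the same code offline on the constructed lines.  Message types follow the BaseStation convention dump1090 emits: type 1 carries the callsign, 3 the airborne position and altitude, 4 the velocity.  Nothing here trusts the message beyond its CSV shape, which is the right posture for data that arrives unauthenticated over the air.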

One final thought I have rolling around inside my head, since my profession is application security, is that ADS-B does not seem very secure.  ADS-B telemetry is sent from aircraft in real time en route, completely unencrypted so far as I know.  I wonder what would happen if an ADS-B transmitter was built and launched in a balloon or drone by an adversary?  It seems possible for adversaries to fake flight numbers, altitude, air speed, and position at a minimum.  Transmitting on the ADS-B band is more than likely highly illegal, but then again adversaries give little regard to laws.  I hope critical air traffic management systems don't use these signals for routing traffic, but I really have no idea.  If anyone is an ADS-B expert and would like to post a comment to educate readers, please do.  I'm a noob in this area.
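Whether a frame can be faked comes down to what the receiver checks.  A Mode S frame ends in a 24-bit CRC (generator polynomial 0xFFF409) and nothing else: there is no key and no signature, so anyone who can compute the CRC can build a frame every receiver accepts, which is what the --fix, --no-fix and --no-crc-check options above are about.  The Python below is an added example written for this post, not code from dump1090 or from any of the presentations mentioned: it checks DF17 parity the way dump1090 does, repairs a single flipped bit the way --fix does, and assembles a DF17 identification frame for an arbitrary ICAO address and callsign with a valid parity field.  KNOWN_FRAME is a commonly used reference frame (callsign KLM1023); the ICAO address 0xABCDEF and callsign SPOOF01 in the forgery are invented.  Building the bytes transmits nothing.

```python
"""Mode S parity: check it, repair one bit like dump1090 --fix, and forge a frame that passes."""

# Mode S frames end in a 24-bit CRC with generator polynomial 0xFFF409 (ICAO Annex 10).
# In DF17 ADS-B extended squitters the parity field is the plain CRC, so the CRC over
# all 14 bytes of an intact frame is zero.
MODES_POLY = 0x1FFF409
# 6-bit character set used in identification messages (TC 1..4); '#' marks unused codes.
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "#" * 5 + "_" + "#" * 15 + "0123456789" + "#" * 6
# Reference DF17 identification frame (callsign KLM1023) in the form dump1090 --raw prints.
KNOWN_FRAME = bytes.fromhex("8D4840D6202CC371C32CE0576098")


def modes_crc24(frame: bytes) -> int:
    """CRC-24 over the whole frame; zero means the parity field matches."""
    crc = 0
    for byte in frame:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= MODES_POLY
    return crc & 0xFFFFFF


def df17_parity_ok(frame: bytes) -> bool:
    return len(frame) == 14 and frame[0] >> 3 == 17 and modes_crc24(frame) == 0


def fix_single_bit(frame: bytes):
    """The idea behind --fix: find the one bit whose flip makes the parity pass."""
    if modes_crc24(frame) == 0:
        return bytes(frame)
    for bit in range(len(frame) * 8):
        candidate = bytearray(frame)
        candidate[bit // 8] ^= 0x80 >> (bit % 8)
        if modes_crc24(candidate) == 0:
            return bytes(candidate)
    return None


def decode_callsign(frame: bytes) -> str:
    """Eight 6-bit characters following TC and category in the 56-bit ME field."""
    me = int.from_bytes(frame[4:11], "big")
    chars = (CALLSIGN_CHARS[(me >> (42 - 6 * i)) & 0x3F] for i in range(8))
    return "".join(chars).replace("_", "").strip("#")


def forge_df17_ident(icao: int, callsign: str, capability: int = 5, category: int = 0) -> bytes:
    """DF17 TC=4 identification frame for any ICAO address and callsign, parity included.

    Nothing secret is needed: the CRC computed here is the only integrity check a receiver has.
    """
    if not 0 <= icao <= 0xFFFFFF or not 1 <= len(callsign) <= 8:
        raise ValueError("icao must fit in 24 bits and callsign in 1..8 characters")
    field = 0
    for ch in callsign.upper().ljust(8, "_"):
        if ch == "#" or ch not in CALLSIGN_CHARS:
            raise ValueError(f"{ch!r} is not in the ADS-B callsign alphabet")
        field = (field << 6) | CALLSIGN_CHARS.index(ch)
    me = (((4 << 3) | category) << 48) | field  # TC=4, emitter category, 48 bits of callsign
    body = bytes([(17 << 3) | capability]) + icao.to_bytes(3, "big") + me.to_bytes(7, "big")
    return body + modes_crc24(body).to_bytes(3, "big")


if __name__ == "__main__":
    print("reference parity ok:", df17_parity_ok(KNOWN_FRAME), decode_callsign(KNOWN_FRAME))
    damaged = bytearray(KNOWN_FRAME)
    damaged[7] ^= 0x10  # one bit flipped, as a weak signal might do
    print("damaged ok:", df17_parity_ok(bytes(damaged)), "repaired:", fix_single_bit(bytes(damaged)) == KNOWN_FRAME)
    fake = forge_df17_ident(0xABCDEF, "SPOOF01")  # invented address and callsign
    print("forged:", fake.hex().upper(), "accepted:", df17_parity_ok(fake), decode_callsign(fake))
```

Each line of dump1090 --raw output is a frame in this hex form, so bytes.fromhex on it gives the input these functions expect.  The point is in forge_df17_ident: the CRC catches bit errors on the air (it is what --fix relies on) but it is not a signature, so anything that trusts the link layer will accept the forged frame.  Cross-checks that do not depend on the frame's own contents, such as multilateration from several receivers or range and timing plausibility against the receiver's position, are what remains.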

--Milton

Update March 4, 2015: I have since learned other security researchers consider insecure ADS-B a safety as well as a security problem, Air Traffic Control Systems Vulnerabilities Could Make for Unfriendly Skies [Black Hat].  Apparently the Government Accountability Office (GAO) is recommending improvements, FAA Must Address Cyber-Security of Air Traffic Control Systems: GAO.

Update April 22, 2015: I discovered a presentation on ADS-B at a security conference from a few years ago, "DEFCON 20: Hacker + Airplanes = No Good Can Come Of This".  The presentation is by Brad Haines, Render Man (@ihackedwhat).  Render Man goes a step further to demonstrate ADS-B spoofing and does a simulated pass by an airport tower.  The radio transmissions were terminated into a dummy load so there was no danger of harming any real aircraft.  According to Render Man, FAA representatives were attending his conference session.

Update May 1, 2015: the FAA's answer to aging air traffic infrastructure is NextGen.  Apparently, NextGen is falling short of expectations.  A little digging on NextGen reveals it's not the deep overhaul expected but more of a tune-up.  In fact, NextGen still includes technologies shown to be insecure, like ADS-B.  Unfortunately, the FAA's efforts seem to focus on efficiency and safety as opposed to security, which is a distinctly different challenge.  The FAA continues to press forward with NextGen even after debate on public research and the GAO report noting security concerns.  The price tag for NextGen is around $40 billion, but a complete overhaul would likely cost far more.  New infrastructure or sharing military infrastructure may be required to develop a secure solution, since foundational technologies like the civilian GPS signal were shown to be spoofable long ago.

Tuesday, August 26, 2014

Kill Switch Ordered for California Smartphones

The Hill reports, "Kill switch" ordered for California smartphones that,
"Gov. Jerry Brown (D) on Monday signed into law a bill requiring every smartphone sold in the state to include the anti-theft feature, which makes phones inoperable, by July..."
--Milton

Birds and the Bees of USB

Evidently what's good in your personal life is also good in your mobile life - USB Condom.  USB Condom is a new security product that sits between your phone and an untrusted USB port, passing the power pins but not the data pins, so you can charge from a public port without the port talking to your device.  If I were the product marketer I could have so much fun with this, but instead I refer you to the previous link for a full product description.

I'm not so sure the public understands the birds and bees of USB devices or perceives any USB security threat.  Until the public is better educated on USB security or more incidents surface, this product is a solution looking for a problem.  Make no mistake, USB security is a real problem, but it's going to take more education for the public to understand the threats before they see any value in a product solution.

It would be great if the product had a plastic case like a thumb drive instead of a bare board.  Still, I will gladly pay $10 if it works as expected.

--Milton

Monday, August 25, 2014

Lantern

Lantern is a new crowdsourced project by the developers of LimeWire to thwart Internet censorship around the world.  The company describes how the technology works: "...running Lantern, every user with uncensored access can become an access point for those without, providing gateways to censored sites like Twitter, Facebook, and YouTube".  Keep in mind, Lantern is not designed to preserve your anonymity or privacy.  Lantern helps you reach sites that are blocked in areas where there is censorship.

The site provides additional information and a video you can watch.  There are also various ways to contribute to the crowdsourced project for those interested.

--Milton

Friday, August 22, 2014

Iron-Clad Java Marching to September 12, 2014 Launch

The team sent along a photo of the first copy of Iron-Clad Java in print.  We have been floating chapters back and forth electronically for seven months, so it's satisfying to see the book come together in print.  Incidentally, we have to wait for printed copies as well (or at least I do).

For those wondering, this book is about securing server side web applications (e.g., servlets).  Someone asked about applets this morning so I thought I would clarify the point.  Amazon provides a great write-up for those interested, table of contents, etc.

Following is a link to the original tweet from the team.

--Milton

Wednesday, August 20, 2014

Security Research on Traffic Lights

Red lights got you down?  No problem: a laptop, a radio card, some experimenting, and you can change red lights to green before you arrive at an intersection.

"attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage"

Research by the University of Michigan presented at the 8th USENIX Workshop on Offensive Technologies, Green Lights Forever: Analyzing the Security of Traffic Infrastructure.

--Milton

Recent Stanford Security Research

A couple of interesting research papers from Stanford University.  I may decide to cover these in more detail in the future but for now I provide the links.

Mobile Device Identification via Sensor Fingerprinting
This research is significant since your mobile device can be fingerprinted uniquely, much like the HTML5 canvas fingerprinting attack.  It is similar to the canvas attack in that it bypasses any cookie policies or device permission policies that restrict reading the mobile IMEI number, etc.  Users can be tracked without their knowledge or consent.

Gyrophone: Recognizing Speech From Gyroscope Signals
This research describes using the gyroscope on mobile devices as a microphone to pick up sounds or conversations in the vicinity of the phone.  This is interesting since the permissions required to access the microphone do not apply to the gyroscope.

With canvas fingerprinting, and the new weaknesses discovered by Stanford, there is a trend where device sensors are used in ways outside their design parameters.  If you're a hardware manufacturer, threat modeling your hardware devices with your engineering teams is probably a great exercise.

A few ideas to stimulate some thought: it may be possible to determine if a mobile device is being held from the effect of the human body's capacitance on the phone's transmitter power.  Exfiltrating data from mobile devices by modulating GSM, Wi-Fi, or Bluetooth to transmit over other harmonics.  Listening to conversations by picking up background IR modulated on reflective glass in the room through mobile IR sensors.  Using capacitive touch-sensitive keypads in new and creative ways?  We have already seen ad hoc audio computer mesh networks transmitting ultrasonics over PC mics and speakers.  It's likely this can be done using mobile devices as well.  Imagine bots running on your mobile devices transmitting data to other bots over ad hoc audio mesh networks - creepy.  Even more creepy, many of these device hacks are not detectable by carrier network security controls.  The value of this research is not so much in the research itself but in the new approaches it stimulates.  Guaranteed we will see more research using device sensors in new and creative ways we previously didn't imagine possible.

--Milton

Monday, August 18, 2014

More Lorem Ipsum

A follow-up to my previous post, "Internet Ouija, Google Translator".  The badge challenge winners, in "DEFCON 22 Badge Contest", summarized their process for breaking the security conference badges.  One step of the process was deciphering the lorem ip poem (the article provides the translation).  During the DEFCON 22 conference, the lorem ip poem could be translated by Google Translator, but now it cannot be.

lorem ip

Lorem ipsum dolor si
Lorem ipsum do
Lorem ipsum dolor s
lorem ipsum ama
Lorem ipsum dolor sit amet
Lorem ipsum dolor sit ame

Lorem ipsum dolor sit
lorem ipsum ips
lorem ipsum lor
lorem ipsum lo
lorem ipsum lorem
lorem ipsum amat
Lorem ipsum

It's interesting to note the translator behavior was known to at least a couple of different groups prior to DEFCON.  At a minimum, it was known to the researchers described by Krebs and to the DEFCON 22 badge challenge creators prior to the challenge.  During the challenge, the translator behavior was known to contestants who made it far enough through the challenges to encounter the poem.  It's always possible Krebs' sources were the DEFCON 22 badge challenge creators, meaning fewer people knew about the translator behavior since the two groups are one and the same.  Does anyone know if Krebs' contacts are the DEFCON 22 badge challenge designers?  Last, we don't know what Google knew prior to the event, but we know the translator's behavior was modified after DEFCON 22.  Again, no conspiracy theories suggested; it could be a bug fix.

Incidentally, I like the DEFCON 22 badges, so I encountered the lorem ip poem purely by chance while reading Elegin's post.

Internet Ouija, Google Translator

Brian Krebs, of Krebs on Security, had an intriguing post on Google Translator, "Lorem Ipsum: Of Good & Evil, Google & China".  Apparently, the translator transforms placeholder text used as web page filler like "lorem ipsum" into a mix of geopolitical and contemporary phrases.

Krebs notes that shortly after their research started the strange behavior ceased.  Curious, I tried translating standard Latin template text to see what would happen.  I didn't notice anything about China or politically sensitive content but the results are strange.

Latin (input):
Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Aenean commodo ligula eget dolor. Aenean massa. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Donec quam felis, ultricies nec, pellentesque eu, pretium quis, sem. Nulla consequat massa quis enim. Donec pede justo, fringilla vel, aliquet nec, vulputate eget, arcu. In enim justo, rhoncus ut, imperdiet a, venenatis vitae, justo. Nullam dictum felis eu pede mollis pretium. Integer tincidunt. Cras dapibus. Vivamus elementum semper nisi. Aenean vulputate eleifend tellus. Aenean leo ligula, porttitor eu, consequat vitae, eleifend ac, enim. Aliquam lorem ante, dapibus in, viverra quis, feugiat a, tellus. Phasellus viverra nulla ut metus varius laoreet. Quisque rutrum. Aenean imperdiet. Etiam ultricies nisi vel augue. Curabitur ullamcorper ultricies nisi. Nam eget dui. Etiam rhoncus. Maecenas tempus, tellus eget condimentum rhoncus, sem quam semper libero, sit amet adipiscing sem neque sed ipsum. Nam quam nunc, blandit vel, luctus pulvinar, hendrerit id, lorem. Maecenas nec odio et ante tincidunt tempus. Donec vitae sapien ut libero venenatis faucibus. Nullam quis ante. Etiam sit amet orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc.

English (Google Translator output):
Lorem ipsum dolor sit amet, please contact us. I really need to focus on consumer impact. I really miss. With my comrades and the home of his and the great gods into labor over the mountains, ridiculous mouse will be born. Of course, than the cats, it's just nothing, kids football, the price of a person who, in the s. No problem for the mass. Unfortunately, the foot of the just, and even customers, travel arrangements, nor that, you need to fill out, inexpensive. In fact, the just, a wide range in order that, from the financing, the magic of life, the just. Actually, it has been said the price of a soft foot PHP tags.
Police shot. Tomorrow protein. Maybe the only element always. Health insurance deductible in the region. Just remember a lion around the world, of loans, living environment, and Japan, for example. Mental Health lorem before, in the protein, bio-, from the newspaper, relax. Professionalism of highly as illegal trade bills. Each button. Welcome to the machine. Even if it's just fireball. I'd worry if it's just. For example, Pakistan. The internet. Developers period of time, to improve the development of a wide range of patients, which they have always a lot of freedom, but not a lot of storage, it is important to very important. In fact, more than now, scientists or, mourning for tens of thousands of, Bureau that, lorem. Before the developers nor the hatred and the time of cooking. In addition, the tourism sector in order to free the blockage. Environmental front. It is also important to the development of the United States the United States the jaws of the week. It's timing. Rather, it's funny a lot of options. Members great arrows. But the problem was the timing of the development team members, the organization wants to market now.

It's a mystery to me how the translator selects modern phrases like "PHP tags" from "felis eu", and the results are consistent between queries.  For example, if I hit refresh in my web browser, I receive the same English translation for the same Latin text over multiple queries.  It's most likely there is a bug in the translator or perhaps a poor translation.  In any case, all this is reminiscent of Ouija boards or playing vinyl records backwards.  If only Google Translator would tell me this week's winning lottery numbers.

--Milton

Friday, August 15, 2014

Black Hat 2014 Conference Videos Available

Jeremiah Grossman (Twitter @jeremiahg) sent these along, thanks!  Security conference videos for everyone to enjoy.

Black Hat 2014 Conference Videos

Tuesday, August 12, 2014

Black Hat and DEFCON 2014 - Boots on the Ground

The Black Hat 2014 conference was held at the Mandalay Bay hotel venue in Las Vegas, Nevada, USA.  Dan Geer, CISO for In-Q-Tel, provided this year's keynote (video | text) presentation.  The presentation was sobering, but I don't think his ideas surprised too many in the room.  Still, Geer communicated what many in the room feel but perhaps lack the skills to articulate.  Geer covered ten different security concerns relevant to society in 2014 and provided his commentary.  Solutions to many of the concerns described by Geer require action from lawmakers as well as the technology industry, not small tasks by any measure.

A couple of larger themes emerged this year across the security conferences.  First, the NSA Playbook, the NSA technology catalog of tools for targeted surveillance and exploitation of information systems.  Not to be confused with bulk surveillance of Americans, a completely separate concern in the media.  I'm surprised to see any focus on the NSA playbook, frankly.  None of the tools and techniques presented are shocking or surprising to me.  All these tools were covered by Greenwald and the Washington Post long before the conference.  Regardless, the sessions were well attended, and the public is both terrified and fascinated by these tools.  Next, Software Defined Radio (SDR) piqued interest at this year's conference.  For those unfamiliar, SDR is a radio front end that connects to your computer.  The benefit of SDR is that the computer is used to tune the radio as well as handle modulation and demodulation, which provides flexibility over dedicated hardware solutions.  A limitation of SDR over dedicated hardware is that SDR is not useful for scanning or frequency hopping gear (or at least not with lower cost gear like I have).  At DEFCON, I picked up a low cost SDR rig ($20 USB stick) and created a short video clip of SDR so you can get an idea (video) how it works.  In my case, I'm tuning into a radio station, but you can tune into other frequency bands like aircraft or ham radio.  There are also some examples on the net of SDR rigs downloading satellite images.  One of my favorite radio hackers is Oona Räisänen (Twitter: @windyoona).  In one article she describes step-by-step reverse engineering a helicopter's flight path from RF signal to a set of waypoints superimposed on a Google Map - bad ass!  Anyway, I don't know Oona personally and I'm not sure if she attended the conference, but I can't help thinking of Oona when I'm thinking of SDR.


I highly encourage checking out SDR.  More expensive SDR rigs allow transmitting as well as receiving, but transmitting may require an FCC Amateur Radio License.  The security significance of SDR is that it's useful for receiving RFID signals to duplicate access badges, for Bluetooth, and for other radio type hacks.

The best session of the year between both conferences was "Weaponizing Your Pets: The War Kitteh and the Denial of Service Dog".  I'm not sure if DEFCON will make the presentation public, so I included a link to the same presentation given earlier at ShmooCon.  The project and presentation were as you would expect: strapping Wi-Fi gear to a pet and sending the pet on a mission.  No spoilers, you must see for yourself, but the presentation was very entertaining and freshens the topic of war driving.
Photo: Grossman (Left), Smith(Center) and Hansen(Right)

Next, no conference is complete without some celebrities.  Photo on the right, from left to right: Jeremiah Grossman (Twitter: @jeremiahg) from WhiteHat Security on the left, me in the center, and Robert Hansen (Twitter: @rsnake and ha.ckers.org) on the right.  Jeremiah and Robert both work at WhiteHat Security.  I know Robert since we both attended the Austin OWASP chapter some years back.  During the Black Hat conference, I was walking the vendor floor and noticed Robert purely by chance, so we spoke for a few minutes.  Jeremiah is always followed by a throng of security practitioners and press, and today was no exception.  I didn't think it was appropriate to interrupt with a greeting, but Robert pushed everyone aside so I could talk a few moments with Jeremiah.  It's really strange, sometimes I feel like Forrest Gump - I'm just a nobody in the right spot at the right time.  I met Jeremiah last year when I received an opportunity to present at Black Hat.  Both these gentlemen are security legends, and if you get a chance to meet them or attend one of their talks you should.

Photo:  Not so sneaky hacker
One evening, I was up playing with my SDR rig.  Unfortunately, tethering from my iPhone was not working very well, so I decided against my better judgement to use the hotel Wi-Fi.  After I connected I noticed an interesting host on the network.  Check out the not so sneaky hacker in the photo to the left (click to expand).  Anything interesting about this host name?  This guy needs to go back to hacker school.  A word of advice: if you're an amateur, don't try to show your hacker mojo at Black Hat or play with your new toys.  Case in point, someone got their Pineapple popped at DEFCON.  The WiFi Pineapple is a wireless man-in-the-middle device used by security penetration testers.

Photo: DEFCON22 conference badge
The DEFCON badges were awesome this year.  Erik Costlow (Twitter: @costlow) on our team figured out the letters are touch-sensitive buttons.  Press the D and E together for one pattern of flashing lights, press the O and N together for another, press F, C and O for yet another.  Someone said the micro-controller vendor Parallax has information on the badges and how the USB port (lower left on the badge) works.  I need to check that out sometime.  Some mentioned there is an IR sensor and transmitter so the badges can communicate with each other as attendees pass by each other in the conference halls.

One of the annoyances I had at both Black Hat and DEFCON this year was trying to get into my sessions.  Often I would leave a session in one track only to find I could not get into the session in another track, since it would reach capacity before I entered.  This sometimes occurred at Black Hat and always at DEFCON.  At DEFCON the only way to ensure you see some sessions and get some value is to attend all sessions for the track with the greatest number of sessions of interest to you.  Remain in the room at the close of the session.  Minimizing track swaps and room changes helped me get the most value out of the experience.  There are some rumors DEFCON will be held at a larger venue next year.  If so, it seems likely to reduce congestion.  Keep in mind, these conferences are packed because they are wildly popular and educational.  I'm sure the events are difficult to coordinate with skyrocketing attendance.
Photo: Iron Clad Java book celebration

I will close with a shot of the Iron-Clad Java book team celebration.  The four of us have been working on a web application security book project for about seven months.  In a stroke of luck, we all attended the Black Hat conference in Vegas together, so we decided to assemble for dinner.  Photo from left to right: me, Kevin Kenan, Jim Manico, and August Detlefsen.  Jim treated the team; let's say I have never had such a wonderful dinner.  But thinking for a moment beyond my stomach, the meeting was a great opportunity to speak with team members in person.  We all agreed that we learned so much from each other in this project.  Will there be another book?  It's not my place to say, but we all enjoyed working with each other, and I can think of no better team for another book project.  It was a great experience and opportunity for us all.

--Milton
