The second ToorCon Seattle got off to a quick start last Friday with a round of Lightning Talks at the Public Nerd Area. Each talk was limited to 5 minutes and covered a broad range of topics. Some talks were just supplying a chunk of information while others were a call to action for personal projects. Here are a few of the talks that we found interesting.
[I)ruid] opened with an explanation of his handle, since he catches a lot of flak for it being l33tsp34k (that’s supposed to be a capital ‘I’). The name has actually proven to be quite fun since it has broken a few systems that aren’t sanitizing input properly. Registering at Black Hat 2006 caused a database error. At the ShmooCon hacker arcade, he entered his player name and was dropped directly to a root shell. It’s also rather hellish on many webapps. His point was: why not choose a l33t name and have the fun of fuzzing all the time and breaking stuff even when you aren’t trying?
[nous] gave a quick plug for Ninja Network’s phreaking contest. Last year at Defcon was the first event they held. The first task was to use a butt set on a 25 pair block to find a usable line. Once the random line was found, contestants were dropped into a voice mail system to explore. The backend for the contest is Asterisk plus some custom Perl scripts. You can catch a preview version of this contest next month at LayerOne.
[jrandom] talked about how scratch-off cards can be gamed. Using a bright light or a resurfacing pen can help you with games that require a certain scratch order. Other cards can be identified by telltale signs they pick up during their production. Winners and losers are usually produced in two separate batches. Cards from each group will share the same cut quality, alignment flaws, and printing color, and even the font can change between batches. Sometimes the cards even have coding on them to indicate the winners (it could be as simple as a W and an L). All this is great, but the manufacturer might be doing this intentionally just to get attention.
[Travis Goodspeed] gave a brief introduction to reversing the Econolite ASC/3 traffic light controller for compatibility. It’s a PowerPC box running VxWorks 5.x and has SNMP and FTP support. The FTP provides simple anonymous access. All of the control values are stored in the ASC3.DB binary file, which is checksummed. [Travis] built a way to describe a binary file structure as XML and generate libraries for reading the binaries natively in multiple languages.
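As an added illustration of the XML-described-binary idea (this is not [Travis]’s code; the field names, byte order and additive checksum below are constructed stand-ins, since the real ASC3.DB layout is not described here), a small Python reader that compiles an XML layout into a struct format and refuses a record whose checksum does not match:

```python
"""Drive a binary-record reader from an XML layout description.

Constructed example: the <field> layout, big-endian order and the
16-bit additive checksum are invented for illustration only.
"""
import struct
import xml.etree.ElementTree as ET

# Hypothetical layout: each <field> carries a struct format code.
LAYOUT_XML = """
<file endian=">">
  <field name="magic"     type="4s"/>
  <field name="version"   type="H"/>
  <field name="min_green" type="B"/>
  <field name="max_green" type="B"/>
  <field name="yellow"    type="B"/>
  <field name="checksum"  type="H"/>
</file>
"""


def compile_layout(xml_text):
    """Return (endian, [(name, struct_code), ...]) from the XML description."""
    root = ET.fromstring(xml_text)
    endian = root.get("endian", "<")
    fields = [(f.get("name"), f.get("type")) for f in root.findall("field")]
    return endian, fields


def parse_record(xml_text, blob):
    """Unpack blob per the layout; reject wrong sizes and bad checksums.

    Assumed checksum (constructed): sum of all bytes before the
    trailing checksum field, mod 65536. Corrupt or edited files are
    rejected rather than silently loaded.
    """
    endian, fields = compile_layout(xml_text)
    fmt = endian + "".join(code for _, code in fields)
    if len(blob) != struct.calcsize(fmt):
        raise ValueError(f"expected {struct.calcsize(fmt)} bytes, got {len(blob)}")
    values = dict(zip((name for name, _ in fields), struct.unpack(fmt, blob)))
    body = blob[:-struct.calcsize(endian + fields[-1][1])]
    expected = sum(body) & 0xFFFF
    if values["checksum"] != expected:
        raise ValueError(f"checksum {values['checksum']:#06x} != {expected:#06x}")
    return values


def build_record(xml_text, **fields):
    """Pack fields per the layout and append a valid checksum (for test input)."""
    endian, layout = compile_layout(xml_text)
    body_fmt = endian + "".join(code for name, code in layout if name != "checksum")
    body = struct.pack(body_fmt, *(fields[n] for n, _ in layout if n != "checksum"))
    return body + struct.pack(endian + "H", sum(body) & 0xFFFF)
```

Generating a reader in another language is then a matter of walking the same XML and emitting that language’s equivalent of the unpack call.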
We also thought [Dean Pierce]'s network pentesting visualization framework was interesting. [Joel Voss] was attempting to write a softphone for the IAX2 protocol and ended up DoSing Asterisk: 30kB from the attacker could cause a massive amount of packets from Asterisk. He now has a framework for testing all aspects of the protocol.