Hands-on the AND!XOR Unofficial DEF CON Badge

DEF CON 24 is still about two weeks away but we managed to get our hands on a hardware badge early. This is not the official hardware — there’s no way they’d let us leak that early. Although it may be unofficial in the sense that it won’t get you into the con, I’m declaring the AND!XOR badge to be officially awesome. I’ll walk you through it. There’s also a video below.

Over the past several years, building your own electronic badge has become an impromptu event. People who met at DEF CON and have been returning year after year spend the time in between coming up with great ideas and building as many badges as they can leading up to the event. This is how I met the trio who built this badge — AND!XOR, Andrew Riley, and Jorge Lacoste — last year they invited me up to their room where they were assembling the last of the Crypto Badges. Go check out my guide to 2015 Unofficial DEF CON badges for more on that story (and a video of the AM transmissions that badge was capable of).

The outline of this year’s badge is of course Bender from Futurama. Both eyes are RGB LEDs, with another half dozen located at different points around his head. The microcontroller, an STM32F103 ARM Cortex-M3, sits in a diamond pattern between his eyes. Above the eyes you’ll find 16 Mbit of flash, a 128×64 OLED screen, and a reset button. The user inputs are five switches and the badge is powered by three AA batteries found on the flip side.


That alone makes an interesting piece of hardware, but the RFM69W module makes all of the badges interactive. The spring coming off the top of Bender’s dome is a coil antenna for the 433 MHz communications. I only have the one badge on hand so I couldn’t delve too deeply into what interactive tricks a large pool of badges will perform, but the menu hints at a structure in place for some very fun and interesting applications.


BitCluster Brings a New Way to Snoop Through BitCoin Transactions

Mining the wealth of information in the BitCoin blockchain is nothing new, but BitCluster goes a long way to make sense of the information you’ll find there. The tool was released by Mathieu Lavoie and David Decary-Hetu, Ph.D. on Friday following their talk at HOPE XI.

I greatly enjoyed sitting in on the talk, which began with some BitCoin basics. The cryptocurrency uses user-generated “wallets” which are essentially addresses that identify transactions. Each is established using key pairs and there are roughly 146 million of these wallets in existence now.

If you’re a thrifty person you might think you can get one wallet and use it for years. That might be true of the sweaty alligator-skin nightmare you’ve had in your back pocket for a decade now. It’s not true when it comes to digital bits — they’re cheap (some would say free). People who don’t generate a new wallet for every transaction weaken their BitCoin anonymity and this weakness is the core of BitCluster’s approach.

Every time you transfer BitCoin (BTC) you send the network the address of the transaction when you acquired the BTCs and sign it with your key to validate the data. If you reuse the same wallet address on subsequent transactions — maybe because you didn’t spend all of the wallet’s coins in one transaction or you overpaid and have the change routed back to your wallet — the uniqueness of that signed address can be tracked across those multiple transactions. This alone won’t dox you, but does allow a clever piece of software to build a database of nodes by associating transactions together.
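An added example (not from the article and not BitCluster's own code) of the linking described above: constructed transactions are clustered by merging addresses that fund the same transaction, so a reused address chains separate payments into one node while a fresh change address stays unlinked. The co-funding rule, the `TXS` sample data and all function names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample transactions (not real blockchain data).
# Inputs and outputs are (address, amount in BTC) pairs.
TXS = [
    {"id": "tx1", "ins": [("A1", 1.0)], "outs": [("SHOP", 0.4), ("A1", 0.6)]},  # change back to A1
    {"id": "tx2", "ins": [("A1", 0.6), ("A2", 0.5)], "outs": [("SHOP", 1.1)]},  # A1 reused beside A2
    {"id": "tx3", "ins": [("B1", 2.0)], "outs": [("SHOP", 0.5), ("B2", 1.5)]},  # fresh change address
    {"id": "tx4", "ins": [("A2", 0.3)], "outs": [("C1", 0.3)]},
]


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Merge addresses that fund the same transaction; reuse chains the groups."""
    uf = UnionFind()
    for tx in txs:
        senders = [addr for addr, _ in tx["ins"]]
        for addr in senders:
            uf.union(senders[0], addr)
        for addr, _ in tx["outs"]:
            uf.find(addr)  # receivers start out as their own cluster
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def cluster_totals(txs, cluster):
    """Return (received, spent) in BTC for a cluster, ignoring internal change."""
    received = spent = 0.0
    for tx in txs:
        from_us = any(addr in cluster for addr, _ in tx["ins"])
        for addr, amount in tx["outs"]:
            if addr in cluster and not from_us:
                received += amount
            elif addr not in cluster and from_us:
                spent += amount
    return round(received, 8), round(spent, 8)
```

In the sample, `A1` and `A2` collapse into one node because `A1` is reused, while `B1` and its fresh change address `B2` stay separate.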

Mathieu’s description of first attempts at mapping the blockchain was amusing. The demonstration showed a Python script called from the command line which started off analyzing a little more than a block a second, but by the time the fourth or fifth block hit, the process had slowed to a standstill that would never progress. This reminds me of some of the puzzles from Project Euler.

After a rabbit hole of optimizations the problem has been solved. All you need to recreate the work is a pair of machines (one for Python, one for MongoDB) with the fastest processors you can afford, a 500 GB SSD, 32 GB of RAM (but 64 would be better), Python 64-bit, and at least a week of time. The good news is that you don’t have to recreate this. The 200 GB database is available for download through a torrent and the code to navigate it is up on GitHub. Like I said, this type of blockchain sleuthing isn’t new but a powerful open source tool like this is.

Both ransomware and illicit markets can be observed using this technique. Successful, yet not-so-cautious ransomers sometimes use the same BitCoin address for all payments. For example, research into a 2014 data sample turned up a ransomware instance that pulled in $611k (averaging $10k per day but actually pulling in most of the money during one three-week period). If you’re paying attention you know using the same wallet address is a bad move and this ransomware was eventually shut down.

Illicit markets like Silk Road are another application for BitCluster. Prior research methods relied on mining comments left by customers to estimate revenue. Imagine if you had to guess at how well Amazon was doing reading customer reviews and hoping they mentioned the price? The ability to observe BTC payment nodes is a much more powerful method.

A good illicit market won’t use just one wallet address. But to protect customers they use escrow addresses, and these do get reused, making cluster analysis possible. Silk Road was doing about $800k per month in revenue at its height. The bulk of purchases were for less than $500 with only a tiny percentage above $1000. But those large purchases were likely to be drug purchases of a kilo or more. That small sliver of total transactions actually added up to about a third of the total revenue.

It’s fascinating to peer into transactions in this manner. And the good news is that there’s plenty of interesting stuff just waiting to be discovered. After all, the blockchain is a historical record so the data isn’t going anywhere. BitCluster is intriguing and worth playing with. Currently you can search for a BTC address and see total BTC in and out, then sift through income and expense sorted by date, amount, etc. But the tool can be truly great with more development. On the top of the wishlist are automated database updates, labeling of nodes (so you can search “Silk Road” instead of a numerical address), visual graphs of flows, and a hosted version of the query tool (but computing power becomes prohibitive).

Bunnie and EFF Sue US Government over DMCA 1201

This morning Bunnie Huang wrote about his reasons for suing the US Government over Section 1201 of the Digital Millennium Copyright Act (DMCA).

The DMCA was enacted in 1996 and put in place far-reaching protections for copyright owners. Many, myself included, think these protections became far-overreaching. The DMCA, specifically section 1201 of the act which is known as the anti-circumvention provision, prohibits any action that goes around mechanisms designed to protect copyrighted material. So much has changed since ’96 — software is now in every device and that means section 1201 extends to almost all electronics sold today.

So protecting copyright is good, right? If that were the only way section 1201 was enforced that might be true. But common sense seems to have gone out the window on this one.

If you legally purchase media which is protected with DRM it is illegal for you to change the format of that media. Ripping your DVD to a digital file to view on your phone while on the plane (something usually seen as fair use) is a violation. Want to build an add-on for your home automation system but need to reverse engineer the communications protocol first? That’s a violation. Perhaps the most alarming violation: if you discover a security vulnerability in an existing system and report it, you can be sued under DMCA 1201 for doing so.

Cory Doctorow gave a great talk at DEF CON last year about the Electronic Frontier Foundation’s renewed push against DMCA 1201. The EFF is backing Bunnie on this lawsuit. Their tack argues both that section 1201 is stifling innovation and discouraging meaningful security research.

If it’s illegal to write about, talk about, or even privately explore how electronics are built (and the ecosystem that lets them function) it’s hard to really master creating new technology. A successful lawsuit must show harm. Bunnie’s company, Alphamax LLC, is developing hardware that can add an overlay to an HDMI signal (which sounds like the continuation of the hack we saw from him a few years ago). But HDCP would prevent this.

Innovation aside, the security research angle is a huge reason for this law (or the enforcement of it) to change. The other plaintiff named in the suit, Matthew Green, had to seek an exemption from the DMCA in order to conduct his research without fear of prosecution. Currently there is a huge disincentive to report or even look for security vulnerabilities, and that is a disservice to all. Beneficial security research and responsible disclosure need to be the top priority in our society which is now totally dependent on an electronically augmented lifestyle.

Hackers on Planet Earth — We’ll Be There!

This weekend, Hackaday will be rolling into New York for the Eleventh HOPE. This biyearly conference draws hackers from all around the globe. There’s a ton going on at HOPE: talks, hardware hacking, workshops, and pretty much everything else you might be interested in. But really, this gathering which was founded by 2600 in ’94, is where you go to meet and hang out with other hackers. And we want to hang out with you.

Pre-sale tickets are gone. But if you don’t have a ticket yet there are a limited number still available at the door. We’re happy that Hackaday is a sponsor of HOPE this year and for that we have a spot in the vendor’s area. We’re not selling anything — we’re actually reverse-vending. We want you to stop by and show us your hacks!

Hackaday Meetups at HOPE

Find us in the vendor area for two meetups: Saturday 2:30-5:00 (after Cory Doctorow’s keynote) and Sunday 11:00-1:00 2:30-5:00. We’ll be there with our cameras at the ready so don’t forget to bring your hacks. We’re always hungry to hear interesting stories which will end up on the front page for all to enjoy.

We have swag like Hackaday and Tindie stickers, and dev boards to give away from our Hackaday Prize sponsors Atmel and Microchip. During the two meetup times we’ll have munchies (Hackaday branded of course) and a limited supply of T-shirts. Come early and come often.

Brian Benchoff and Mike Szczys will be on hand covering the best the convention has to offer. Hit us up on those Twitter links if you want to get our attention. Sophi Kravitz, Aleksandar Bradic, and Shayna Gentiluomo will also be there, so stop by whenever and hang out with us. Our spot in the vendor area will be open the whole weekend.

We are always looking for awesome things to do in addition to what’s on the official agenda. The meetup on Saturday is the place to get the inside scoop on those plans. Whether you’re going to be at HOPE or not, we’d love to hear from you in the comments. Let us know about any talks we shouldn’t miss, any hackers we should track down and interview, and any of those extracurricular activities for a bunch of hackers in the middle of Manhattan on a hot July night.

Hackaday SuperConference: Call for Proposals

The 2016 Hackaday SuperConference is coming. Now is the time to submit your proposal for a talk or a workshop at the world’s greatest conference about hardware creation. The SuperCon is an unparalleled opportunity to present on a deeply technical level where you can be certain everyone in the audience is following. All of those details, the war stories of production, the out-of-stock problems and board respins, the moments when you’ve bent physics to your will, these stories will be met with awe and cheers as the audience of your peers takes the ride along with you.

SuperCon will take place in Pasadena, California on November 5th and 6th, 2016. It is a gathering of hackers, designers, and engineers passionate about learning, teaching, and celebrating what goes into making new and exciting creations. The atmosphere will be that of a hacker village, with several venues in close proximity playing host to talks, workshops, and other activities. This breaks out of the beige prison that usually accompanies hotel-based conferences and opens the weekend up for you to meet and interact with a cadre of interesting people. SuperCon is the place to share your hard-won knowledge and experience, and to add to your own arsenal of skills.

Accepted talks will be scheduled for 20-40 minutes, and workshops will be booked for 1-4 hours. In both cases, topics may include themes like techniques for rapid prototyping, new and interesting uses of technology, creativity in technical design, and stories of product development and manufacturing.

Last year’s SuperConference was incredibly successful. If you weren’t able to attend you can still work your way through all of the talks which were recorded and posted shortly after the event. That success is a credit to all of the talented presenters in the Hackaday community who put together their stories to share for the benefit of all. Thank you!

To all of you reading this now and wondering if you should propose a talk, you should! We thank you in advance for taking time out of your life to make this year’s SuperConference even more amazing by submitting your own proposal. It won’t happen without you because this is a conference of active involvement and not one of passive consumption. Be the hardware movement; this is your chance.

What Is Home Automation?

Perhaps the buzziest among buzzwords when it comes to electronics is Home Automation. This is a branch of IoT where you can actually go to the home store and come out with bags filled with products. The current Hackaday Prize round challenges you to automate your life and setting your sights on the home seems like an area open to everyone. But we’re having trouble putting our finger on what exactly makes a home automated, and more importantly, the best ways to benefit those who live beside that technology. So we want to know what you think.

Do you have a great idea for what makes an automated home more than a buzz word? Perhaps you are already sold and have been building your own; tell us about it! We want to know how (and when) you think this will turn from a buzzword to something most people want running their house. We’ll round up the best from this discussion for a future post. As a thank you, we’ll select some of the best comments and send you a T-shirt from the Hackaday store.

Who doesn’t love an automatic ice maker?

You can go back fifty years to the cartoons of the 1960’s and see that home automation was just around the corner. The Flintstones had dinosaurs to handle the mundane, and The Jetsons had a robot maid reigning over a cadre of whimsical gadgets in the home. At that point in time the home was already moving into the automation realm with thermostatically controlled air conditioning and water heaters. This was around the same time that automatic ice makers started to appear in a home’s freezer and remote garage door openers came into use.

Beginning in the 1970’s and 80’s it became common to find a dishwasher under the counter in the kitchen. The porch light option of dusk-until-dawn sensors came into use and were followed later by motion detecting lights which used PIR sensors. Automatic lawn sprinklers started to appear in the yards surrounding the home, and security systems that monitor doors, windows, and often motion (using PIR sensors again) became a thing.

These are great examples of home automation that are often overlooked. Even smarter thermostats are all the rage today, as are security system add-ons that let you monitor cameras and locks over the Internet.

Which brings us back to the question. Where is this all going? What kind of automation will be developed now in our time, and looked back on in 50 years as obvious technology wanted in every home? Do we already have the automated hardware in place and just need something to stitch it all together? Let us know what you think below, and if you’re already working on your own automation project don’t forget to enter it in the Hackaday Prize.

Going Lo-Tech For The Perfect Pokemon Go Throw

We have our eyes on the horizon for an epic GPS spoof to catch some legendaries in Pokemon Go, but until that hack shows up, we really like [Brian McEvoy’s] hack for the perfect Poke Ball throw.

[Brian] started out thinking that a mechanical build would be the best way (we know he’s got the servo motors and controllers to drive them from this tea steeping robot he built last year). But the mechanics of that are just too complicated for what you get in return (less wasted Poke Balls).

He came to the realization that your finger is the best machine, it just needs some augmentation. Most of his Poke Ball throws missed to one side or another, so he turned to papercraft to guide his way. He made a tray from some paperboard packaging, then used two small stacks of Post-it notes to create a channel where your finger slides. Simply hold the phone and the paper with one hand, and use your other to follow the paper channel to a successful capture. The paperboard doesn’t affect the screen’s ability to sense your finger.

This is one we’re definitely going to try out. But visions of hardware hacks for the game that has rocked the world still dance through our heads. Are you working on anything? If so, we’d love to hear about it (so send in a tip!). Those still in the idea phase can ring in below. We are weighing the feasibility of doing a man-in-the-middle between a phone and its GPS chip to spoof location. That feels like a pretty tall mountain to climb.
