[John Park] has managed to snag a couple interesting business cards at Maker Faire. The first is Adafruit’s laser cut Spirograph card. The other is a ATtiny 2313 prototyping board from Evil Mad Science; it looks to be the same style as their well-known AVR target board. We’ve also heard rumors that [Jérôme Demers] has bunch of resistor bending cards.
Annual hacker conference LayerOne will be held May 23-24th in Anaheim, CA. They’ve completed the speaker lineup and have quite a few interesting talks. [David Bryan] Will be focusing on practical hacking with the GNU Radio. It’s a software defined radio that we’ve covered in the past for GSM cracking. [Datagram] will present lockpicking forensics. While lockingpicking isn’t as obvious as brute force entry, it still leaves behind evidence. He’s launched lockpickingforensics.com as a companion to this talk. LayerOne is definitely worth checking out if you’re in the Los Angeles area.
The massive hacker camp Hacking at Random 2009 has extended their early bird ticket sales until April 14th. At EUR150, they’ve already managed to sell 1000 tickets. Every two years the european hacker community gathers together to hold a multiday camp that covers topics from hacking to art and politics. 2007’s CCCamp was largely the inspiration for this year’s ToorCamp. HAR2009 is looking for people to submit presentations, workshops, and lectures as well. They’re looking for entries that are very technology focused. The call for papers deadline is May 1st. The team is hosting a field day April 18th to tour the grounds with the various hacker villages that will be setting up. The main even is August 13-16 near Vierhouten, Netherlands.
We’ve been watching and waiting intently as ToorCamp comes together. It’s a four day hacker conference that will be held in a Washington state missile silo July 2nd-5th. While we’re excited about this debut event, its success depends entirely on those presenting. The call for papers is currently open and they’ve got a number of formats available: 20 and 50 minute talks and 1 and 2 day workshops. They’re also looking for people to organize campsites and are offering discounts for groups. We’re encouraging you to submit your talk since we’d love to see more hardware talks. You can follow @ToorCamp announcements on Twitter.
Last week at Black Hat DC, [Moxie Marlinspike] presented a novel way to hijack SSL. You can read about it in this Forbes article, but we highly recommend you watch the video. sslstrip can rewrite all https links as http, but it goes far beyond that. Using unicode characters that look similar to / and ? it can construct URLs with a valid certificate and then redirect the user to the original site after stealing their credentials. The attack can be very difficult for even above average users to notice. This attack requires access to the client’s network, but [Moxie] successfully ran it on a Tor exit node.
When we first saw [Chris Paget]’s cloning video, our reaction was pretty ‘meh’. We’d seen RFID cloning before and the Mifare crack was probably the last time RFID was actually interesting. His ShmooCon presentation, embedded above, caught us completely off-guard. It’s very informative; we highly recommend it.
The hardest part about selling this talk is that it has to use two overloaded words: ‘RFID’ and ‘passport’. The Passport Card, which is part the the Western Hemisphere Travel Initiative (WHTI), is not like the passport book that you’re familiar with. It has the form factor of a driver’s license and can only be used for land and sea travel between the USA, Canada, the Caribbean region, Bermuda, and Mexico. They’ve only started issuing them this year.
Notorious hacker conference Defcon has just published their Call for Papers. The 17th annual event will happen July 30th through August 2nd. Most of the announcement is the same boilerplate they’ve included for the past two years. Like last year, they’re not defining the specific speaking track themes and will come up with them based on submissions. New for this year is a half-day of workshops on the Thursday before Defcon for anyone that’s showing up early. This pre-con event is targeted at newbies. It certainly sounds like an interesting way to ease into Defcon instead of the usual delays and fire marshals. We’ve been attending every year since 2005 and love seeing new things. You should definitely consider presenting this year (we want to see more hardware!).
The registration desk hasn’t opened yet at ShmooCon 2009, but we’re already running into old friends. We found [Larry Pesce] and [Paul Asadoorian] from the PaulDotCom Security Weekly podcast showing off their latest ShmooBall gun. ShmooBalls have been a staple of ShmooCon from the very beginning. They’re soft foam balls distributed to each of the attendees who can then use them to pelt the speakers when they disagree. It’s a semi-anonymous way of expressing your dismay physically. [Larry] has been building bigger and better ways to shoot the ShmooBalls for the last couple years. You may remember seeing the 2008 model. This year the goal was to make the gun part much lighter. The CO2 supply is mounted remotely with a solenoid valve and coiled air line. The pistol grip has a light up arming switch and trigger. The gun is fairly easy to transport: the air line has a quick disconnect and the power is connected using ethernet jacks.
After running a successful hacker convention for ten solid years, the people who brought you ToorCon are planning a new event to shake up the US hacker scene. ToorCamp will be held July 2nd-5th, 2009 at a former missile silo in central Washington state. Hackers will camp on-site for two days of talks followed by two days of workshops. Art and music events are planned for every night. Camps like this are already help biannually in Europe: What the Hack in 2005, Chaos Communication Camp 2007, and Hacking at Random 2009, coming this fall. The complex is one of three Titan 1 missile complexes in the Moses Lake area. The sites were in operation less than three years between 1962 and 1965. The former missile command center has been converted to a secure data center run by Titan I, LLC. ToorCamp promises to be a very unique experience and we’re looking forward to attend this and future years.
[Chris Paget] is going to be presenting at ShmooCon 2009 in Washington D.C. this week. He gave a preview of his RFID talk to The Register. The video above demos reading and logging unique IDs of random tags and Passport Cards while cruising around San Francisco. He’s using a Symbol XR400 RFID reader and a Motorola AN400 patch antenna mounted inside of his car. This is industrial gear usually used to track the movement of packages or livestock. It’s a generation newer than what Flexilis used to set their distance reading records in 2005.
The unique ID number on Passport Cards doesn’t divulge the owners private details, but it’s still unique to them. It can be used to track the owner and when combined with other details, like their RFID credit card, a profile of that person can be built. This is why the ACLU opposes Passport Cards in their current form. The US does provide a shielding sleeve for the card… of course it’s mailed to you with the card placed outside of the sleeve.
Technology exists to generate a random ID every time an RFID card is being read. The RFIDIOt tools were recently updated for RANDOM_UID support.
Kenshoto, organizer of the official Defcon Capture the Flag contest for the last four years, has stepped down from the position, and thus Defcon is looking for a new organizer for the event. If you’re highly competent, and maybe a little crazy, this might be your chance to step in and run one of the most well-known and prestigious hacking contests in the world. Please understand that the staff is looking for someone who wants to take ownership of the contest and make something new, unique, and challenging, and that Kenshoto has left extremely huge shoes to fill. Merely offering to replicate the existing contest and keep things mostly unchanged isn’t going to cut it.
If you’re up to the challenge, check out Dark Tangent’s post on the Defcon forums (which, for some odd reason, sounds strikingly like his 2005 post calling for a CTF organizer), where he comprehensively lays out what the staff is looking for in a new event organizer. If it jives well with you, get in touch with the Defcon staff, and maybe we’ll be covering your contest later this year.
With the Chaos Communication Congress concluded, it’s time to start looking towards the next massive European hacker event. This means Hacking at Random August 13-16th in the Netherlands. It’s a four day long camp experience that will feature many conference talks, interactive projects, and more.
The team has selected three tracks in their official call for papers: Dealing with data, Decentralization, and People and politics. You can find more details in the post. Deadline is May 1st.