The 20th Hacking At Random has recently come to a finish. For the unititiated, Hacking At Random or HAR is a massive hacker festival that happens every four years in the Netherlands. Four days of technology obsessed hacking with roughly 2500 people definitely piques our interest. The event is riddled with classes and people speaking on subjects such as censorship and robotics. Quickly built networks sprawl across the entire area, with shacks set up for location of servers. We think there should be an official Hack A Day tent there next time. We mentioned HAR when we were talking about impromptu DECT networks and DECT phone modification. Be sure to browse through the multitudes of pictures located on the HAR website.

In 2006, Defcon 14 premiered a unique electronic badge. All it did was blink, but it raised the bar for what was expected from a hacker conference badge. In 2007, they went from 2 LEDs to 95 in a scrolling marquee. Along with a POV mode, the badge had two capacitive switches to let the user edit the displayed text. Defcon 16’s badge featured an IR transmitter and receiver for transferring files from an SD card. It worked as a TV-B-Gone and had pads to access a USB bootloader. That was the same year that The Last Hope debuted their RFID tracking badges.

This year the official Defcon badge reacted to sound, but they were no longer the only game in town. Ninja Networks brought their 10 character party badges with a built in debugger. The Arduino compatible HackTheBadge 1.0 also made an appearance. With these new entrants into the field, we wondered what you’d want to see in your ideal badge. What badge would you want to see at next year’s Defcon? Leave you comments below and keep in mind that it should be an idea that is easy to cheaply mass produce.

UPDATED: Forgot to mention the Neighborcon 2 badge based on the GoodFET20.

[Photo: Ninja Networks]

UPDATE: The director’s cut of the story

While coverage of the official Defcon badge has been pretty heavy, there was a badge that was far more exclusive and talked about way more. For the last ten years at Defcon a group of hackers known as Ninja Networks hosted an invitation-only party for selected attendees. For the 2009 event, [cstone] and [w0z] created an electronic badge which acted as the ticket to the party. The badge is based around an 8-bit Freescale microcontroller (MC9S08QE8) which drives 10 individual 16-segment HIOX-format LED displays.

The custom PCBs were manufactured by 4pcb, but all other assembly was done by hand with a huge team of volunteers in Boston, Los Angeles, and Las Vegas. Assembly space for this effort was provided by Redwire and Angel Valley Media. More than 500 badges were created. To help fund the effort, the Ninjas took on internet privacy company XeroBank as an event sponsor.

The assembly process is detailed in the video below which highlights a few interesting DIY techniques including using a $30 Target hotplate as a reflow oven.

Once assembled, the default mode for the badge is to randomly cycle each display through a list of characters locking in each one to finally display “NINJA PARTY”, in the same manner seen in the film “WarGames”. The badge also has a “Simon” game mode, the ability to view the badge’s unique identifier and sponsor URL, and a fully functional debugger.

Using the debugger a user can reprogram the badge to display different messages, or change it’s functionality with no computer required. This is demoed in the video below.

While all the badges were distributed at Defcon 17, [cstone] has provided the schematics and gerbers, public domain source code, and the BOM in case you wish to create your own. We were some of the many people to help hand assemble these badges, which you can find listed on his site.

[Photo: vissago]

Following up on their post about the new Defcon 17 badges, Wired recently posted some of the best badge hacks of the con. Among the hacks featured were an LED frequency meter hack, a sound seeking dirigible powered by three badges, and a wireless geiger counter random number generator that sent random numbers back to a laptop equipped with a zigbee card. Probably one of the most impressive hacks mentioned, the hack that won the badge hacking contest, was the LED equipped baseball cap modeled above by [Joe Grand], Defcon’s defacto badge designer.

The hacked badge is connected to the cap by an ethernet cable, where the LEDs pulse on and off in order to defeat facial recognition systems. The cap’s designer told Wired that he initially designed the cap in order to sneak into [Grand]’s room to steal the über badges under his protection. Needless to say, the winner doesn’t have to worry about stealing the badges anymore as he was awarded his own über badge at the award ceremony. While we’re not completely sure who pulled off this awesome hack, we congratulate you and all of the participants of the badge hacking contest on your fantastic hacks.

Update: We’ve confirmed that the badge contest winner was in fact [Zoz Brooks], [Grand]’s co-star on the popular Discovery channel  show Prototype This. From all indications, his hack seems to be legitimate and not a clever idea, however we are still looking to confirm this. Also, even though Wired’s article stated that the dirigible was sound seeking, we have confirmed that it is sound avoiding. Thank’s to everyone in the comments for pointing these things out.

A fake ATM machine, set to capture ATM information was found at Defcon 17 in vegas this year.  Its design has a tinted plastic window at the top which attendees noticed had a computer in it. It was quickly removed by the police. Is this an amazing coincidence? We doubt it. Someone probably knew exactly who was going to be there and either wanted to scam some hackers or just wanted to have some fun.

For day two of Black Hat, we sat in on on [Joe Grand], [Jacob Appelbaum], and [Chris Tarnovsky]’s study of the electronic parking meter industry. They decided to study parking meters because they are available everywhere, but rarely considered from a security perspective.

They focused on the San Francisco’s MTA implementation of electronic smart card meters. To start they purchased several meters on eBay just to see the different styles. SF MTA lets you purchase disposable payment cards with values of $20 or $50. They decided to sniff the interaction between the meter and the smartcard using a shim. With that first capture they were able to easily replay the transaction. This didn’t require a smartcard reader, just an oscilloscope. They then took the attack a little further.

[Joe] built a smartcard emulator using a PIC16F648A. They used it to capture multiple transactions and then decoded the interactions by hand. Luckily, the card was using the IEC 7816 standard so they had some insight into the protocol. They found that the card has a stored maximum value and only writes how many times the value has been decremented. As a proof of concept, they change the maximum value, which you can see on the meter above. They could also have just changed the acknowledgement so that the card never writes any deductions.

The PIC16F648A was a good choice because it’s available in a smart card format called a ‘silver card‘. You can find the emulator code and slides from the talk on [Joe]’s site about the project.

Update: The video of [Moxie]’s presentation is now online.

[Moxie Marlinspike] appeared on our radar back in February when he showed sslstrip at Black Hat DC. It was an amazing piece of software that could hijack and rewrite all SSL connections. The differences between a legitimate site and the hijacked ones were very hard to notice. He recently stumbled across something thing that makes the attack even more effective.

If you apply for a certificate, the certificate authority looks at the common name on the form and contacts the domain owner. The CA ignores the subdomain. The trick is to drop in a null character in the subdomain. If you register, www.paypal.com[null character].thoughtcrime.org, the CA will contact the owner of thoughtcrime.org and issue the cert. When clients like Firefox use NSS to verify the cert, the null character causes them to think the certficate is valid for www.paypal.com because they stop at the null character. Even if the person examines the cert in their browser, it will show www.paypal.com.

Wildcards work as well. You could get a certificate for *[null character].thoughtcrime.org and appear as any site you want. [Moxie] has worked out ways to prevent certificate revocation and browser updates too. This new code will be part of sslsniff 0.6.

[Apologies for the odd notation. WordPress apparently strips null characters...]

The 2009 edition of the Black Hat security conference in Las Vegas has just begun. The first interesting talk we saw was [Andrea Barisani] and [Daniele Bianco]’s Sniff Keystrokes With Lasers/Voltmeters. They presented two methods for Tempest style eavesdropping of keyboards.

The first attack was against PS/2 keyboards. Inside the PS/2 cord, the data line isn’t shielded very well from the ground line, so all data could end up being transmitted back to the building’s electrical ground. The clock signal is also very slow compared to other signals generated by the computer. At about 10-16.7kHz, it should be easy to sample and filter out of the ground noise. They decided to monitor the ground line in an outlet 20meters from the keyboard in question. They used a ~150ohm resistor between the electrical ground and their reference ground. The reference ground was the building’s plumbing and is used to determine what’s actually noise in the electrical ground. They measured the voltage drop across the resistor and used finite impulse response to act as a bandpass filter for 1-20kHz. They were easily able to pick up the keyboard’s signal. It worked so well that they built a remote monitoring board that uses an AVR ATxmega128A1 to do the sampling and send the data over ethernet. In closing, they noted that USB uses differential signaling which should negate any leakage but the processor is more intensive and may end up being easy to pick up. They also stated that many ATMs are probably using PS/2 style keypads that leak this information.

For the second part of their talk, they covered using lasers to collect keystrokes. They pointed a laser at the back of a laptop lid and recorded the resulting vibrations just like a normal laser mic (closer to the hinge provided a cleaner signal). One of the first things they noticed was that the spacebar, being physically larger, created a very distinct signal that was much larger than all others. They used this information to determine where word breaks were. By comparing the captured waveforms to each other using dynamic time warping, they could determine the letter patterns. They then used these sequences with a dictionary to figure out what words had the same pattern and made sense in the same order. It worked quite well and they said it would go much faster if you can guess the context. They mentioned that logos on laptop lids were very reflective and worked well even in daylight and through glass.

You can find whitepapers and example code on their site.

We’ve printed [John Keppel]’s winning t-shirt design. They’ll be available for purchase in the vendor area at Defcon. If you’re at the con, pick one up because we don’t have any plans yet to distribute them online. We will have a small number of women’s tank tops as well. See you there!

Defcon, the world’s largest hacker convention, is this coming weekend in Las Vegas. While the convention generally focuses on breaking new technology, digital archivist [Jason Scott] has an interesting surprise for attendees this year. With some help from VintageTech, he’ll be assembling a massive den of retro computing machinery. They’ll have fully functional systems like the PDP-11/70 for people to play with. It sure to be one of the more unique things to see at the con.

The Pwnie Awards are an annual event at the Black Hat security conference in Las Vegas. They award the Golden Pwnie in a variety of categories: mass 0wnage, most innovative research, most overhyped bug, most epic FAIL, and our favorite: Best Song. Embedded above is [Paco Hope]’s 50 Ways to Inject Your SQL. While a strong entry, it doesn’t touch last year’s winner Kaspersky & Me: “Packin’ The K!”.

Last month, in preparation for Defcon 17, the qualifiers were held for capture the flag, one of Defcon’s most well known events. One participant, [mongii], did a writeup on how to solve problem B300. The challenge was to find the decryption key used by a program that had several twists that hindered debugging. After grappling with self-modifying code and junk instructions, the team was finally able to find the answer. This win helped Sapheads place in the top 10.  Over at xchng.info, they are collecting solutions to the other problems. Sadly, they’re not all in comic form.

[John Park] has managed to snag a couple interesting business cards at Maker Faire. The first is Adafruit’s laser cut Spirograph card. The other is a ATtiny 2313 prototyping board from Evil Mad Science; it looks to be the same style as their well-known AVR target board. We’ve also heard rumors that [Jérôme Demers] has bunch of resistor bending cards.

For more business card nonsense, check out: [Goodspeed]’s smart card emulator, [Mayer]’s embedded gears, and our web server business card.

Maker Faire returns to the San Francisco Bay Area this weekend. It’s “the World’s Largest DIY Festival”. We’ve been attending off and on since 2006 and you’re sure to catch many of the projects we’ve covered in the past. Be sure to stop by our favorite hackers that will be in attendance: mightyOhm, macetech, SparkFun, Liquidware, Jeri Ellsworth, Bleep Labs, Noisebridge, Ani Niow, EMSL, and Adafruit. If you’re attending, upload your photos to the Hack a Day Flickr pool and let us know what you see.

[photo: Scott Beale / Laughing Squid]

Annual hacker conference LayerOne will be held May 23-24th in Anaheim, CA. They’ve completed the speaker lineup and have quite a few interesting talks. [David Bryan] Will be focusing on practical hacking with the GNU Radio. It’s a software defined radio that we’ve covered in the past for GSM cracking. [Datagram] will present lockpicking forensics. While lockingpicking isn’t as obvious as brute force entry, it still leaves behind evidence. He’s launched lockpickingforensics.com as a companion to this talk. LayerOne is definitely worth checking out if you’re in the Los Angeles area.