When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet. This was their first DEF CON talk and they did a great job of explaining what it took to hack these devices.
Everyone has at least a few games on their computer, and I would assume most of the Hackaday readership would be among the enlightened PC gamer bretheren. At this year’s DEF CON, [Tamas Szakaly] gave a talk about the data these games leak to the Internet, the data they accept from the Internet, and what you can do with that data.
[Tamas]’ talk was entirely about scripting games, like the many games that are scriptable in Lua, or Valve’s Squirrel. Developers have thought about this before and have implemented sandboxes and many anti-cheat mechanisms. However, because these sandboxes are poorly implemented, it’s easy to get outside the game and do some real damage.
[Tamas]’ first target was Crysis 2 and the CryEngine3. This game uses a Lua scripting engine and has no sandbox whatsoever. That means [Tamas] can call os.execute, and from there the entire game is over. Or it’s just begun. Either way you look at it, it’s pretty bad.
CryTek notwithstanding, [Tamas] can also use games with Lua scripting that have a real sandbox. DOTA2 has a leaky sandbox and can be used to call OS I/O routines and execute base 64 encoded executables right over the main executable.
The most impressive example of script abuse in various multiplayer games is from Garry’s Mod. This game has custom implementation of dangerous functions, restricted file IO, and a proper Lua sandbox. This was a wise decision from the developers, but the library is huge. If you create a map or mode used on a server, you can have a full HTTP proxy to the gamer’s home network. During the talk, [Tamas] used this exploit to display an image from a webcam on a Garry’s Mod server. It was on the podium right next him, but this could have been done on a server on the other side of the planet.
If you weren’t at [Cory Doctorow’s] DEF CON talk on Friday you missed out. Fighting Back in the War on General Purpose Computing was inspiring, informed, and incomparable. At the very lowest level his point was that it isn’t the devices gathering data about us that is the big problem, it’s the legislation that makes it illegal for us to make them secure. The good news is that all of the DEF CON talks are recorded and published freely. While you wait for that to happen, read on for a recap and to learn how you can help the EFF fix this mess.
Two weeks ago, news broke of an incredible abuse of power from the National Security Agency. A DEF CON talk was cancelled, and speculation raged that information was not free. This was the ProxyHam, a device that puts you miles away from any agency hunting down your IP address.
Of course, as with just about every DEF CON talk picked up by the press, ProxyHam is an ill-conceived, terrible idea. You can replicate it with parts bought from newegg, and despite using a highly directional antenna the FCC – or any other government agency – can still track you down.
In lieu of a talk on using off-the-shelf networking hardware in the way it was intended, [Dave Maynor] and [Robert Graham] of Errata Security gave a talk at DEF CON that is the proxy to the ProxyHam. They completely debunked the outrageous speculation surrounding the cancellation of the DEF CON talk and managed to introduce a new version of Internet over radio that is actually useful for the security-minded individual.
The ‘debunking’ part of the Errata Security talk was exactly what anyone would expect; the talk was probably cancelled because the creator of ProxyHam exceeded radiated power limits, the FCC caught him, or simply because of ‘advice from counsel’. No big deal; someone was doing something illegal – encryption over ISM bands – and the things you would expect to happen in fact happened.
In the last two weeks, the guys replicated the ProxyHam build, but found a few major shortcomings. Even with a highly directional antenna, interested parties could still track you down. This led the guys at Errata Security to make this system better. They managed to do it in two weeks.
The Errata Security relies on JT65A – a radio mode made for very weak signals – to hide signals underneath the noise floor. By multiplexing data across multiple channels, this system has about the same bandwidth as a 56kbps modem from 1999. It’s not much, but it is possible to use this proxy for ProxyHam over 20 miles away from where you’re stealing WiFi from. That’s far better than ProxyHam could ever manage, and all the transmissions stay below the noise floor. The FCC and similarly equipped agencies might be able to find you, but no one with a $20 SDR dongle will.
There are no releases yet, but Errata Security plan to make the software that allows this multiplex transmissions available soon, and hope to have a Raspberry Pi-based hardware solution for this technique coming shortly. It’s a radio proxy solution that’s actually somewhat secure, and won’t immediately draw the ire of the FCC.
I went to the Opening Ceremonies of DEF CON 23 this morning to get more information on the badge challenge and I was not disappointed. The talk covered the Uber badge, which is hot in a literally radioactive sense. This badge, which is also known as the black badge, is reserved for people who are first to solve one of the official DEF CON challenges. It grants lifetime free admission and opens just about any door when listed on your resume.
The triangle of acrylic itself is adorned with Lichtenberg Figures. This is a bolt of lightning on the badge. By building up extremely high voltages, the discharge leaves a unique pattern. In this case it was a 5 million volt, 150 kW particle accelerator that made the figures.
There is a medallion affixed to this triangular base-plate which is obviously part of the puzzle everyone is trying to solve this weekend. What is less clear is how the radioactive isotopes of this badge play into this challenge.
Whoa, oh, oh, oh, I’m Radioactive, Radioactive
[LoST] took inspiration from [Richard Feynman] to a new level with this badge. [Feynman] was involved with “The Gadget” experiment which I know better as Trinity, the first detonation of a nuclear weapon. This badge contains isotopes from that detonation.
Trinitite (get it, from the Trinity explosion?) is a green glassy substance generated from a Plutonium-based bomb explosion. [LoST] made a point of explaining that the samples of Trinitite in this badge create a unique radioactive signature that not only traces back to this explosion, but actually indicates a precise distance form the epicenter of the explosion.
Also embedded in the badge are glass spheres doped with 3% Uranium 238. Tritium, used in exit signs, is a third source of radioactivity on the badge. This is joined by another marker that is a combination of Uraninite, Pitchblende, Carnotite, Gummit, and Yellowcake.
Interesting story, Tritium is highly regulated in this country but it is hypothetically possible to import it from Europe by a seller who ships it sealed inside packets of coffee. Hypothetically.
The opening ceremonies talk concluded with some inspirational remarks from [Dark Tangent]. Pictures of that as well as a few of [L0ST’s] slides are found below. If you’re working on the badge challenge, join in on the collaborative Badge deciphering we’ve started on Hackaday.io. If you’re at DEF CON, make sure to show up for breakfast with us on Sunday.
The 23rd DEFCON — the Western Hemisphere’s largest hacker conference — doesn’t start until tomorrow but Thursday has become the de facto start for regulars. [Brian] and I rolled into town this afternoon and are working on gathering as much information as possible about the badge challenge.
This year the badge is a 7″ vinyl record. Traditionally the badge alternates years of electronic badges and ones that aren’t. Spend your weekend pulling your hair our trying to solve the puzzles. Check out all the pictures and information (updated as we gather it) and work together collaboratively for a solution by requesting to join the crew on the Badge Hacking page.
Hackaday Breakfast on Sunday
If you’re in town Sunday morning, come nurse your hangover with [Brian], [Eric], and me. We’re headed to Va Bene Caffè at 10:30am on 8/9/15. It’s just across the street in the Cosmopolitan. Request to join this event and I’ll send you a reminder so you don’t forget. You can also hit me up on Twitter for a reminder. See you then (and don’t forget to bring hardware to show off if you have some!).
PS- The Hackaday WiFi Hat is in play. Anyone have the chops to hack it this year?
DEFCON is huge. Last year attendance tipped at about 16k, and we’d wager this year will be even bigger. [Brian] and I will both be among those attending (more on that below) but I wanted to take this time to show you the right way to do a Hacker Conference.
Build Your Own Badge
We met a ton of people at DEFCON 22 last year, but the Whiskey Pirates made a lasting impression. I first ran across two of their crew walking the hallways of the con with this awesome badge. How can you not stop and strike up a conversation about that? Turns out this group of friends have been meeting up here for years. This year they went all out, designing one badge to rule them all. And like any good hacker project, they weren’t able to finish it before getting to the hotel.
Set Up Your Electronics Lab
So, you didn’t stuff your boards before leaving home? For the Whiskey Pirates this is not even remotely a problem. They just brought the electronics lab to their suite in the Rio Hotel.
On the bathroom vanity you find the binocular microscope which was good for troubleshooting an LED swap on the official conference badge. An entire cart with hot-air, multiple solder stations, oscilloscopes, and more was on hand. I populated the surface mount LEDs on the badge the crew gave to me. When I was having trouble seeing my work they called the front desk for an additional lamp. You should have seen the look on the bellhop’s face when he walked in!
A bit of marathon assembly and everyone from the Whiskey Pirates (plus me) had a working badge, demonstrated in the video below. But this isn’t where the fun stops.