The first full day of DEF CON was packed with hacking hardware and cars. I got to learn about why your car is less secure than you might think, pick some locks, and find out that there are electronic DEF CON badges after all. Keep reading for all the details.
Adafruit Technologies has announced the winner of the Open Source Kinect contest. [Hector], who we mentioned yesterday, has won by providing both RGB and depth access to the device. Some of you were asking at that time why the contest was not over yet. Well, Adafruit had to verify. The image you see above is of another user, [qdot], verifying the drivers on his machine.
What is interesting is how Adafruit has chosen to close this contest. Not only are they giving [Hector] his prize money, they are also donating an additional $2,000 to the EFF, who fight for our right to legally hack and reverse engineer our own equipment.
[Hector] is being generous as well, using his prize money to help pay for gadgets to hack with some teams he is involved with, mainly the iPhone Dev Team and the Wii hacker team “Twiizers”.
The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.
This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.
With a new administration coming into power, the Electronic Frontier Foundation feels that it’s time for a change (see what we did there). They’ve posted an agenda that covers fixing privacy issues that have come to the forefront in the last eight years. It involves repairing amendments that prevent corporations from being sued for warrantless wiretapping. They would also modernize the Electronic Communications Privacy Act so that it would cover modern technology. The heavily abused State Secrets Privilege needs reform as well. Their final issue is with REAL ID and data farming that many state governments have already rejected. If even a bit of this gets fixed, we’ll be happy. In any case, it’ll be good to have a more tech-focused administration that doesn’t need the internet explained to it in terms of dump trucks and tubes.
[photo: Jake Appelbaum]
The US Department of Homeland Security recently disclosed a new policy that allows agents to seize laptops, or anything capable of storing information, “for a reasonable period of time”. Okay, so this seems normal: a government agency is declaring they may confiscate personal property. However, the strange part of this story is that under this policy, federal agents can confiscate these things without any suspicion of wrongdoing or any reason whatsoever. So what happens to your personal data after they seize your laptop? Apparently they share the data with federal agencies, and in some cases the private sector, as additional services such as file decryption or translation are needed. While this may seem like a major violation of privacy, it is important to note that this policy only applies to people entering the United States. However, given the direction that our federal government is moving in the area of security, it wouldn’t surprise me if this policy will soon apply for domestic flights as well.
[photo: postmodern sleaze]
The EFF has just announced the creation of the Coders’ Rights Project website at the Black Hat conference. The site’s main goal is to centralize legal information for coders, and to help protect important security work from legal actions that may be taken against them with the DMCA and other legal black holes. While this is in no way a fully comprehensive list of everything you need to know, it looks like a good place to start, and provides a few FAQs for suggestions on how to stay in the legal clear as much as possible. At numerous points the documents suggest you speak with a lawyer if you have any deeper questions, which you absolutely should. This can be very helpful if a person or group finds a security risk and wants to publish it, or just wants to start looking into possible security risks.
ISPs have recently become very aggressive towards their customers. They’ve been blocking or altering traffic to prevent you from using specific programs or protocols. Google’s Senior Policy Director recently stated that they’re developing tools to allow people to detect ISP interference. A couple other groups have been building tools as well: The Network Neutrality Squad just released the second beta of their Network Measurement Agent. The tool currently detects spoofed packets by monitoring the round trip time of the connection; early reset packets will have lower than average RTT. If you want to go more in depth, the EFF has published a guide for using Wireshark to do the detection. We’ve even heard rumors of people building tools to tunnel a session inside of one that looks completely different.
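The RTT check described above can be sketched as follows. This is an added example, not code from the Network Measurement Agent or from the EFF guide; the function names, the `k` multiplier, the `min_jitter` floor and the sample flows are all assumptions made for illustration.

```python
from statistics import mean, stdev

def classify_reset(rtt_samples_ms, rst_delay_ms, k=3.0, min_jitter=0.05):
    """Classify a TCP RST by how soon it arrived after the segment it answers.

    rtt_samples_ms: RTTs measured earlier on the same flow (SYN/SYN-ACK, data/ACK).
    rst_delay_ms:   time between our last segment and the RST's arrival.
    k, min_jitter:  assumed tuning values, not taken from any real tool.
    Returns (verdict, threshold_ms); verdict is 'early', 'consistent'
    or 'inconclusive'.
    """
    if len(rtt_samples_ms) < 3:
        return "inconclusive", None          # too few samples for a baseline
    avg = mean(rtt_samples_ms)
    # Treat very steady links as having at least min_jitter * avg of spread,
    # so a RST a fraction of a millisecond under the mean is not flagged.
    spread = max(stdev(rtt_samples_ms), min_jitter * avg)
    threshold = avg - k * spread
    if threshold <= 0:
        return "inconclusive", threshold     # path too jittery to judge
    if rst_delay_ms < threshold:
        return "early", threshold            # sooner than the peer could answer
    return "consistent", threshold

# Constructed sample flows (not real captures): (flow id, RTT samples, RST delay).
SAMPLE_FLOWS = [
    ("flow-a", [82.1, 79.8, 81.5, 80.3, 83.0], 11.4),   # RST far below baseline
    ("flow-b", [82.1, 79.8, 81.5, 80.3, 83.0], 80.9),   # RST after a normal RTT
    ("flow-c", [20.0, 95.0, 40.0, 150.0, 60.0], 12.0),  # baseline too noisy
    ("flow-d", [45.0, 47.0], 3.0),                      # not enough samples
]

def early_resets(flows):
    """Return the ids of flows whose RST arrived earlier than the baseline allows."""
    return [fid for fid, rtts, delay in flows
            if classify_reset(rtts, delay)[0] == "early"]

if __name__ == "__main__":
    for fid, rtts, delay in SAMPLE_FLOWS:
        print(fid, *classify_reset(rtts, delay))
```

An "early" verdict only says the reset arrived from somewhere closer than the measured peer; confirming injection still needs packet-level inspection such as the Wireshark approach the EFF guide covers.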