Author: Eliot

1332 Articles

Roboexotica 2007

November 22, 2007 by 5 Comments


Tonight marks the kickoff of Roboexotica in Vienna. It’s the world’s leading festival for cocktail robotics. The event aims to explore the role of cocktail robotics as an index for the increasing integration of technological innovations into human lives. It also explores the explosion of radical hedonism in man-machine interaction.

…or it’s just an excuse for a bunch of smart people to get together, build robots, and drink.

The word ‘robotics’ seems to always imply ‘efficiency’, but that’s definitely a no-no at Roboexotica. Fine tuned manufacturer grade cocktail production is not the goal; personality, charm, character, all of these qualities are important in machinery destined for Roboexotica. You can already see some photos from the event setup on Flickr and we’ll be bringing you more posts on the individual machines as we get more information/drinks.

Investigating The Leopard Firewall

November 1, 2007 by 5 Comments


Our friend [Rich Mogull] has been flipping the switches on Leopard’s new firewall and scanning it to see what’s actually going on. There is some good and some bad. The new application signing is a mixed bag. It breaks Skype and a commenter pointed out that automatically trusting Apple installed apps like NetCat isn’t a good idea either. You can roll your own firewall using user friendly tools like WaterRoof since ipfw is still included.

ToorCon 9: Retrieving WEP Keys From Road Warriors

October 23, 2007 by No comments


[Vivek Ramachandran]’s Cafe Latte attack was one of the last talks we caught at ToorCon. I’ve found quite a few articles about it, but none really get it right. It’s fairly simple and deals with cracking WEP keys from unassociated laptops. First your WEP honeypot tells the client that it has successfully associated. The next thing the client does is broadcast a WEP encrypted ARP packet. By flipping the bits in the ARP packet you can replay the WEP packet and it will appear to the client to be coming from an IP MAC combo of another host on the network. All of the replies will have unique IVs and once you get ~60K you can crack it using PTW. The bit flipping is the same technique used in the fragmentation attack we covered earlier, but Cafe Latte requires generation of far fewer packets. You can read about the Cafe Latte attack on AirTight Networks.

ToorCon 9: URI Use And Abuse

October 21, 2007 by 1 Comment


[Nathan McFeters] and [Rob Carter] gave a presentation on the problems with URI handling. URIs are used to send commands to external applications from a web browser. itms:// for iTunes for example. Any application that registers a URI has the potential to be abused through this route. For their first example they showed a stack overflow in Trillian’s AIM handling. The next demo created a “Critical Update Available” button on Picasa’s interface. When the user clicked it, their photos would be uploaded to the attacker’s server. They even display a “download progress” bar to encourage the user to keep the connection open. You can read about the attack on cocontributor Billy Rios’s blog.

ToorCon 9: CDMA Unlocking And Modification

October 21, 2007 by 9 Comments


[Alexander Lash] gave a short overview of what you need to unlock a CDMA phone. He strongly recommended Howard Forums for finding most of the info you need. You’ll probably need BitPim and the Qualcomm PST (product support tools). Using the PST you can flash your new carrier’s firmware and then activate the phone on their network.

Verizon offers two ways to get unlimited EVDO data. $59 for a data plan or $15 for VCast. You’re not supposed to be able to use your VCast phone as an EVDO modem and it sends a different network access identifier (NAI) if you tether the phone. Using the PST you can change the NAI and use the cheaper VCast plan for data access. Here is a forum post detailing the process.

ToorCon 9: Real World Fuzzing

October 20, 2007 by 5 Comments


We dropped in on [Charlie Miller]’s fuzzing seminar at the end of the day yesterday. Fuzzing become a fairly popular topic in the last year and essentially involves giving a program garbage input, hoping that it will break. If it can’t handle the fake data and fails in a non-graceful fashion, you could have found a potentially exploitable bug. Fuzzing is a fairly simple idea, but as Charlie points out, without some thinking while you’re doing it it’s unlikely to be very productive.

Continue reading “ToorCon 9: Real World Fuzzing”

ToorCon 9: Crypto Boot Camp

October 19, 2007 by 3 Comments

[Rodney Thayer] gave a 2 hour seminar on cryptographic technology. It was designed to give the audience a working knowledge for dealing with vendors. He gave some rules of thumb for choosing encryption. In order of preference, when doing symmetric key crypto: use AES with a minimum 128bit key, if not that 3-key Triple-DES, or last RC4 with 128bit key. For hashing: SHA 256 preferred, SHA 1 if you can’t do any better, and MD5 if you can’t SHA. For public key: RSA using at least a 2048bit key. The top choices in these lists were picked because they’ve stood up to years of scrutiny. One major theme of talk was to never roll your own crypto algorithm or buy someone elses. Proprietary algorithms get broken all the time, like the GSM A5 crypto we talked about earlier this year.