Recursive Soldering Iron Hacking

We’ve all done it. You’re walking out the door or maybe you’ve even gotten on the road when the question hits, “Did I leave the [coffee pot | stove | hair curler | soldering iron ] on?” [Daniel Johnson’s] problem was even worse. He couldn’t tell if his Hakko-936 soldering iron was off because the LED indicator wasn’t always on. Instead it flashed. He fixed that problem and along the way hacked his battery powered soldering iron since he was out of batteries. Now that’s perseverance.

Hacked Soldering Iron to Hack Soldering Iron
Soldering Iron Hack Recursion

The Hakko’s LED turned on whenever the power turned on to heat the tip. That was about every 5 seconds once the tip was hot. But just as a watched pot never boils, a watched LED never seems to flash. After determining the LED was driven by a comparator he decide to unsolder it as part of his hack. He wisely decided using the Hakko on itself was not a good idea so reached for the battery-powered portable iron, which was sadly battery-free. Undaunted, he wired the portable to a power supply and when 4.5 volts didn’t melt the solder cranked it up to 6 volts.

Back to the Hakko, he replaced the red LED with a RBG LED but used only the red and green leads. The green was tied to the 24v power supply through a hefty 47k ohm resistor, and the red was tied to the comparator. A little masking tape to hold things in place and provide insulation finished the job. Now when the Hakko is on the green LED is lit and the red LED shows the heating cycle. Quite clever.

Shmoocon 2016: GPUs And FPGAs To Better Detect Malware

One of the big problems in detecting malware is that there are so many different forms of the same malicious code. This problem of polymorphism is what led Rick Wesson to develop icewater, a clustering technique that identifies malware.

Presented at Shmoocon 2016, the icewater project is a new way to process and filter the vast number of samples one finds on the Internet. Processing 300,000 new samples a day to determine if they have polymorphic malware in them is a daunting task. The approach used here is to create a fingerprint from each binary sample by using a space-filling curve. Polymorphism will change a lot of the bits in each sample, but as with human fingerprints, patterns are still present in this binary fingerprints that indicate the sample is a variation on a previously known object.
Continue reading “Shmoocon 2016: GPUs And FPGAs To Better Detect Malware”

The Smallest Google Street View In Miniatur Wunderland

The world’s largest model railway exhibit — on display in Germany of course — is quite the attraction. The huge Miniatur Wunderland features towns and trains from Germany, Switzerland, Austria, and even a little America. And it’s all on Google Maps.

[Frank] accepted the challenge to build a tiny Google Streetview train, capable of traversing the entire Wunderland. It features a fish-eye camera on both the front and rear car, and is powered by an Arduino — the Wattuino Nanite 85. He upgraded the train to use tiny stepper motors to allow for precise movement along the tracks to get all the shots in perfect Streetview fashion.
Continue reading “The Smallest Google Street View In Miniatur Wunderland”

Shmoocon 2016: Phishing For The Phishers

After years of ignoring the emails it’s finally time to get into a conversation with that Nigerian prince you keep hearing from. Robbie Gallagher — an Application Security Engineer with Atlassian in Austin, TX — wanted to find out where perpetrators of phishing emails actually live. Of course you can’t count on the headers of the emails they send you. A better way to track them down is to actually draw them into a conversations, and this means making yourself a juicy target.

Robbie gave an excellent talk on his project Honey-Phish at this year’s Shmoocon. Part of what made it stand out is his narrative on each step of exploring the social engineering technique. For instance, there is already a vibrant community that specializes in forming relationships with scammers. Those who frequent 419 Eater have literally made it into a sport called Scambaiting. The ultimate goal is to prove you’ve baited a scammer is to get the person to take a picture of themselves balancing something on their head. Now the image a the top of this post makes sense, right?

Writing personal emails to your scammer is a great system if you have a lot of time and only want to track down one scammer at a time. Robbie wants to catalog geographic locations for as many as possible and this means automation. Amusingly, the solution is to Phish for Phishers. By automating responses to phishing emails, and enticing the people originating those phishing scams to click on a link, you can ascertain their physical location.

Continue reading “Shmoocon 2016: Phishing For The Phishers”

Shmoocon 2016: Computing In A Post Quantum World

There’s nothing more dangerous, so the cryptoheads say, than quantum computing. Instead of using the state of a transistor to hold the value of a bit as in traditional computers, quantum computers use qubits, or quantum information like the polarization of a photon. According to people who know nothing about quantum computers, they are the beginning of the end, the breaking of all cryptography, and the Rise of the Machines. Lucky for us, [Jean-Philippe Aumasson] actually knows a thing or two about quantum computers and was able to teach us a few things at his Shmoocon talk this weekend, “Crypto and Quantum and Post Quantum”

This talk is the continuation of [Jean-Philippe]’s DEF CON 23 talk that covered the basics of quantum computing (PDF) In short, quantum computers are not fast – they’re just coprocessors for very, very specialized algorithms. Quantum computers do not say P=NP, and can not be used on NP-hard problems, anyway. The only thing quantum computers have going for them is the ability to completely destroy public key cryptography. Any form of cryptography that uses RSA, Diffie-Hellman, Elliptic curves is completely and totally broken. With quantum computers, we’re doomed. That’s okay, according to the DEF CON talk – true quantum computers may never be built.

The astute reader would question the fact that quantum computers may never be built. After all, D-Wave is selling quantum computers to Google, Lockheed, and NASA. These are not true quantum computers. Even if they’re 100 Million times faster than a PC, they’re only faster for one very specific algorithm. These computers cannot simulate a universal quantum computer. They cannot execute Shor’s algorithm, an algorithm that finds the prime factors of an integer. They are not scalable, they are not fault-tolerant, and they are not universal quantum computers.

As far as true quantum computers go, the largest that has every been manufactured only contain a handful of qubits. To crack RSA and the rest of cryptography, millions of qubits are needed. Some algorithms require quantum RAM, which nobody knows how to build. Why then is quantum computing so scary? RSA, ECC, Diffie-Hellman, PGP, SSH and Bitcoin would die overnight if quantum computers existed. That’s a far scarier proposition to someone hijacking your self-driving car or changing the display on a smart, Internet-connected thermostat from Fahrenheit to Celsius.

What is the verdict on quantum computers? Not too great, if you ask [Jean-Philippe]. In his opinion, it will be 100 years until we have a quantum computer. Until then, crypto is safe, and the NSA isn’t going to break your codez if you use a long-enough key.

Wolfenstein In 600 Lines Of Code

What’s more impressive, the fact that this Wolfenstein-like game is 600 lines of code, or that it’s written in AWK?

AWK is a language primarily used for text processing. But if you can write code the world bows to your wishes. [Fedor Kalugin] leverages the ability of a Linux terminal’s color options to draw his game. The 3D aspect is produced through ray-casting which generates a 2D image from 3D coordinates.

Trying out the game is extremely simple, install gawk, clone the repo, and play:

Continue reading “Wolfenstein In 600 Lines Of Code”

Software Controlled Hard Drive Solenoid Engine

[Fabien-Chouteau] submitted his interesting solenoid engine. In an internal combustion, steam, or pneumatic piston engine, the motive force is produced by expanding gas. In [Fabien]’s little engine it is produced by the arm of a hard drive. Solenoid engines are usually just for show, and come in all shapes and sizes. If you want to move something using electricity an axial motor is probably a better bet. But if you want a challenge and a learning experience, this is hard to beat.

[Fabien] had some problems to solve before his motor made its first revolution. Just like a piston engine the timing needed to be exact. The arm firing at the wrong time could cause all sorts of trouble, the equivalent of backfire in a combustion engine. A STM32f4 discovery board was coupled with a Hall-effect sensor and a MOSFET. When the board read that the arm has moved back to the most efficient position for firing it sent a pulse through the coil. Just like a regular engine, getting the timing right makes all the difference. Once [Fabien] got it tuned up his motor could spin around at a steady 3000 rpm.

Continue reading “Software Controlled Hard Drive Solenoid Engine”