Blade Runner showed us a dystopian megatropolis vision of Los Angeles in the far-off future. What was a distant dream for the 1982 theater-goers (2019) is now our everyday. We know Los Angeles is not perpetually overcast, flying cars are not cruising those skies, and replicants are not hiding among the population. Or… are they?
The LayerOne conference takes place in greater Los Angeles and this year it adopted a Blade Runner theme in honor of that landmark film. My favorite part of the theme was the conference badge modeled after a Voight-Kampff machine. These were used in the film to distinguish replicants from humans, and that’s exactly what this badge does too. In the movies, replicants are tested by asking questions and monitoring their eyes for a reaction — this badge has an optional eye-recognition camera to deliver this effect. Let’s take a look!
The security conference LayerOne 2018 took place this past weekend in Pasadena, California. A schedule conflict meant most of our crew was at Hackaday Belgrade but I went to LayerOne to check it out as a first-time attendee. It was a weekend full of deciphering an enigmatic badge, hands-on learning about physical security, admiring impressive demos, and building a crappy robot.
This year’s LayerOne conference is May 25-27 in Los Angeles and Hackaday will be there! Hurry and get your ticket now as today is the last day for pre-registration.
As the InfoSec community takes over the Pasadena Hilton next weekend you’ll wish you had a week instead of just three days to take part in all that is offered. There are organized talks and workshops on pen testing, being the bad guy, and DevOps Security. Learn or improve on your lockpicking skills in the Lockpicking Village. The conference hardware badge will be hacking in every direction in the Hardware Village, and new this year is an Internet of Things Village.
If you ask us, the L1 Demo Party is where it’s at. We love seeing what kind of audio and video demos can be squeezed out of a microcontroller board. If you want one of your own, LayerOne is selling the L1 Demoscene Board on Tindie, and you can dig into the hardware on the Hackaday.io page. Take a look back at the results of the 2015 Demo Party for some of the highlights.
This con has an incredible community supporting it; many of the people you’ll meet have been at every LayerOne since it started back in 2004. Supplyframe, Hackaday’s parent company, has been a sponsor since 2015 and is once again proud to support the event and sponsor the hardware badge. Members of the Hackaday and Tindie crew will be on site so come say hello and don’t be afraid to bring a hack to show off!
The LayerOne conference is over, and that means this last weekend saw one of the biggest demoscene parties in the USA. Who won? A European team. We should have seen this coming.
There were two categories for the LayerOne demo compo, the first using only the LayerOne Demoscene Board. It’s a board with a PIC24F microcontroller, VGA out, and a 1/8″ mono audio out. That’s it; everything that comes out of this board is hand coded on the PIC. A few months ago, [JKing] wrote a demo to demonstrate what this demoboard can do. According to him, it’s the only reason Hackaday sold a single Demoboard in the Hackaday store:
Go to DEFCON and you’ll stand in line for five hours to get a fancy electronic badge you’ll be showing to your grandchildren some day. Yes, at DEFCON, you buy your hacker cred. LayerOne is not so kind to the technically inept. At LayerOne, you are given a PCB, bag of parts, and are told to earn your hacker cred by soldering tiny QFP and SOT-23 chips by hand. The Hardware Hacking Village at LayerOne was packed with people eagerly assembling their badge, or badges depending on how cool they are.
The badges are designed by [charlie x] of null space labs, one of the many local hackerspaces around the area. The design and construction of these badges were documented on the LayerOne Badge project on hackaday.io, and they’re probably the best con badges we’ve ever seen.
There are two badges being distributed around LayerOne. The first is an extremely blinky badge with a Cypress PSoC4 controlling 22 individually addressable RGB LEDs. Most conference attendees received a bare PCB and a bag of parts – the PCB will get you in the door, but if you want your nerd cred, you’ll have to assemble your own badge.
There are still a few interesting features for this badge, including an ESP8266 module that will listen to UDP packets and drive the LEDs. Yes, a random person on the same WiFi AP can control the LEDs of the entire conference event. The badges can also be chained together with just three wires, but so far no one has done this.
The second badge – for speakers and staff – is exceptionally more powerful. It’s a Linux box on a badge with two Ethernet connectors running OpenWRT. For a con badge, it’s incredibly powerful, but this isn’t the most computationally complex badge that has ever been at a LayerOne conference. For last year’s badge, [charlie] put together a badge with an FPGA, SAM7 microcontroller, SD card, and OLED display. They were mining Bitcoins on these badges.
The Hardware Hacking Village was loaded up with a dozen or so Metcal soldering irons, binocular microscopes, and enough solder, wick, and flux to allow everyone to solder their badge together. Everyone who attempted it actually completed their badge, and stories of badge hacking competitions at other cons were filled with tales of people sprinkling components on random solder pads. Imagine: a conference where people are technically adept. Amazing.
A hot plate was available for those who were not cool enough to solder 22 SMD LEDs.
We’re at LayerOne this weekend and one of the talks we were excited about didn’t disappoint. [Jos Weyers] presented Showing Keys in Public — What Could Possibly Go Wrong? The premise is that pictures of keys, in most cases, are as good as the keys themselves. And that pictures of keys keep getting published.
[Jos] spoke a bit about new services that offer things like 3D scanning and storage of your key for printing when you get locked out, or apps that ask you to take a picture of your key and they’ll mail you a duplicate. Obviously this isn’t the best of ideas; you’re giving away your passwords. And finding a locksmith is easier than finding a 3D printer. But it’s the media gaffes with important keys that intrigue us.
We’ve already seen the proof of concept for taking covert images to perfectly duplicate a key. But these examples are not so covert. One example is a police officer carrying around handcuff keys on a belt clip. Pose for a picture and that key design is now available to all. But news stories about compromised keys are the biggest offenders.
A master key for the NYC Subway was compromised and available for sale. The news coverage not only shows a picture at the top of the story of a man holding up the key straight on, but also this image of it on a subway map, which can be used to determine scale. This key, which is still published openly on the news story linked above, opens 468 doors to the subway system and these are more than just the ones that get you onto the platform for free. We were unable to determine if these locks have been changed, but the sheer number of them has us thinking that it’s unlikely.
Worse was the availability of fire-department master keys which open lock boxes outside of every building. (Correction: these are fire department keys but not the actual lock-box keys.) A locksmith used to cut the original keys went out of business and sold off all their stock. These keys were being sold for $150, which is bad enough. But the news coverage showed each key on a white background, straight on, with annotations of where each type of key will work.
Other examples include video news stories about credit card skimmers installed in gas pumps — that coverage showed the key used to open the pump housing. There was also an example of speed camera control cabinet keys being shown by a reporter.
[Jos’] example of doing the right thing is to use a “prop” key for news stories. Here he is posing with a key after the talk. Unfortunately this is my own house key, but I’m the one taking pictures and I have blurred the teeth for my own security. However, I was shocked during image editing at the quality of the outline in the image — taken at 6000×4000 with no intent to make something that would serve as a source for a copy. It still came out remarkably clear.
Some locks are stronger than others, but they’re all meaningless if we’re giving away the keys.
LayerOne, the first level of security. [Brian Benchoff] and I are excited to take part in our first LayerOne conference this Saturday and Sunday in Monrovia, California.
Anyone in the Los Angeles area this weekend needs to get out of whatever they have planned and try out this conference that has a soul. Get the idea of a mega-con out of your head and envision a concord of highly skilled and fascinating hackers gathering to talk all things computer security. Speakers will cover topics like researching 0day exploits, copying keys from pictures taken in public, DDoS attacks, social engineering, and more.
It’s not just talks, there is a ton of hands-on at LayerOne as well. I plan to finally try my hand at lock picking. Yep, I’ve covered it multiple times and we’ve even had a session led by [Datagram] at the Hackaday 10th Anniversary but I’ve never found time to give it a roll. Of course electronics are my game and [Brian] and I will both be spending a fair amount of time in the hardware hacking village. We’ll have a bunch of dev boards along with us if you want to try out an architecture with which you’re unfamiliar. This year’s LayerOne badges are sponsored by Supplyframe; we’ll have something in store for the best badge hacks we see during the weekend.