I’ve hung onto a few boxes business cards over the years (these particular ones being from Netscape) with the intention of doing a project. I followed the instructions from the well known business card Menger Sponge project to turn 348 cards into 58 identical cubes. The cubes are quite resilient and resist falling apart; even the structures built with them are far more solid than you would expect. 58 cubes isn’t significant, it’s just how many matte white backed cards I had.

Next, I assembled the cubes into a structure to project against. I took a picture from the perspective of the pico projector I’d be using. I dropped this into MadMapper and followed 1024′s tutorial for mapping the many surfaces. I had gone through the tutorial once before, but not with a physical object. The image certainly helped me get in the ballpark, but I had to tweak every single surface once I started projecting against the actual object. The EQ meter is generated by QuartzComposer and passed to MadMapper using Syphon. MadMapper maps arbitrary portions of that video feed to arbitrary surfaces. In this case it’s mapping single squares from the EQ meter as you can see in the input and output window above.

Embedded below is a demo of the whole thing in motion. Sorry for my low lumen pico projector and poor camera phone quality; this would be hard to document with any camera.

The Note in Reader bookmarklet works fairly well but usually you’ll see some weird formatting as it struggles with a chunk of HTML divorced from its stylesheet. The following is what I try to do instead of using the bookmarklet: I click on the page’s RSS icon like I normally would when subscribing to a new feed. This loads the feed into Google Reader and shows you a preview of how the feed will appear. Instead of clicking the Subscribe button, I scroll through the feed and find the item I want and use the share buttons as I would normally. It shares the item and I don’t have to do any sort of cleanup removing the feed since I never actually subscribed.

The key benefits of doing this are: The shared item will look way better since it’s appearing exactly like it does in the RSS feed and not scraped from the site. The item you’re sharing is the canonical version; you’ll see Likes by other users and if someone you follow is a feed subscriber and shares the same item you’ll see it globbed in with yours. Finally, it’s only one more click than sharing an item from a feed you’ve already subscribed to and you don’t have to mess around highlighting a selection.

… okay, so the benefits aren’t that crazy, but they’ll certainly keep your Reader shares neat and tidy.

I decided to use DMs as the update transport since SMS is almost always available. I modified Chris Finke’s retweet.py code (which I use for @SanMo) so it would work with direct messages. Chris added a ban list in the last version and I was able to change that to an admin list. You just run retweet-dm.py as a cron job and it will monitor incoming DMs on all configured accounts. If the sender is on the admin list it republishes the DM as a tweet. It uses the same settings.py file as before and you add admins like this:

$ python retweet-dm.py --account=retweeting_account --admin=approved_dm_sender

This code is also a handy solution if you need multiple people to update a Twitter account but don’t want to hand out the password. It has the caveats: 1) They won’t get the full 140 characters and 2) There’s currently no undo via DM.

Download: retweet-dm.py

Last fall DHS circulated a warning about RF jammers with the same title. What caught my eye was their use of a picture of the Wave Bubble. Designed by ladyada, the Wave Bubble is a self-tuning, wide-bandwidth portable RF jammer. Because of the unique nature of this design, I’m almost certain no one that actually received this memo will ever see a Wave Bubble in person. They would have been better served by a picture of a commercial unit, but that wouldn’t have the sensational appeal of a device that’s concealed by a cigarette pack.

This leads to the final memo OMG ELECTRONICS IN SMALL CONTAINERS by the Washington Regional Threat and Analysis Center’s cut and paste division. It features the Wave Bubble again, then an Altoids tin, and finally an IED mockup. I think this is silly: The Wave Bubble is a rare threat. The IED is a mockup and probably doesn’t do any more damage than a similarly sized derringer. Finally, the Altoids tin IS A HEADPHONE AMPLIFIER. So, watch out folks, some things, that could be evil, are smaller than other things, which are not evil, BE VIGILANT! I guess we’re lucky they used the image of the less common round Altoids tin than the rectangular ones most hackers are using. The newsletter is also good if you want to read about dry ice bombs and Juggalos.

I’m back in Los Angeles but I thought I’d leave you with one last image from ShmooCon. Larry Pesce from PaulDotCom has been been bringing new ShmooBall guns to the conference for the past few years. ShmooBalls are foam balls given to the conference attendees so they can throw them at speakers they disagree with.

This year Larry brought a turret mounted to a Power Wheels. You can see the 2008 and 2009 versions on Hack a Day.

Mike opened by quoting from the February 2003 issue of Bruce Schneier’s Crypto-Gram on the importance of authentication.

Last year I had a conversation with an engineer involved with security for the Bluetooth wireless protocol. I told him that Bluetooth has only privacy and not per-packet authentication. He responded with the prototypical lame responses: 1) pseudorandom frequency hopping makes it “nearly impossible” for an attacker to get in, and 2) the range is only 8 feet, so the attacks are naturally limited.

I tried to argue the point, but eventually gave up. Then I said something like: “I can hardly wait for Bluetooth to become universal, because I really want a wireless keyboard and mouse with the “base station” built into my computer.” He said: “Yes, but you really probably don’t want to use Bluetooth for that, because then somebody could stuff keystrokes or mouse clicks into your system.” I didn’t know whether to laugh or cry. Talk about not getting it.

The bluetooth HID profile is essentially USB HID implemented over bluetooth. The bluetooth dongle has two USB protocols it can use to communicate to the computer either “boot” protocol or “report” protocol. The report protocol is very flexible to suit whatever the device needs. The “boot” protocol on the other hand is fixed. The boot protocol is designed this way because it’s in the computer BIOS which allows the keyboard to be used at boot time without needing a full USB stack. Many dongles default to this boot protocol when plugged in and just enumerate as a mouse and keyboard instead of a full bluetooth host (which you can later switch to in software).

Mike developed the btbb plugin for WireShark which lets you look at bluetooth baseband packets captured over the air with the USRP software radio. While working on it he noticed the keystrokes were being sent in the clear. He sent a few captures to Joshua Wright who used them to develop btaptap which takes a pcap file and spits out the keystrokes. The dongle they were captured from was in boot mode, but just being in boot mode doesn’t guarantee they’re sent in the clear. Some computers with bluetooth now ship with boot mode as the default.

The next thing Mike talked about was HID Attack by Collin Mulliner. Collin developed xkbd-bthid as a virtual bluetooth keyboard to send keystrokes to bluetooth devices. It was designed to hunt down machines that were waiting for keyboards to connect. Most of these holes have been patched now. Mike demoed injecting mouse commands by using a dongle on the victim’s machine while the mouse was turned off. The interesting part of the demo was that he injected keystrokes using the mouse since it’s the same HID boot protocol. Support for encryption in mice isn’t required by the USB HID spec only for keyboards.

To do the spoof, you have to know the BD_ADDR of the device you’re spoofing. If you have physical access, you could just read it off of the device or OS. Kismet now ships with kismet-btscan for actively sending inquiries to recover the BD_ADDR of local devices. kismet-bluetooth is also being developed to passively monitor the baseband using the USRP.

When bluetooth devices are using encryption there’s a link key that you must crack. Much research has been done on this with BT Crack by Thierry Zoller and btpincrack by David Hulton. They work but require a lot of time and usually capturing the actual device pairing. Mike suggested in jest that all pairing should be done inside of a Faraday cage.

bthidproxy is yet another handy piece of software. Using it you can man in the middle bluetooth connections by using two dongles and spoofing the host and device addresses. Because of ‘virtual cabling’, a one to one connection is made between device and host. This means that almost all attacks must be performed when either the device or host are off allowing you to take their place. This isn’t too much of a problem since machines get powered down often and many mice have off switches to save battery.

Mike talked about K Chen’s Apple Keyboard firmware attack. The USB keyboard doesn’t check the firmware’s signature so it can be rewritten. Bluetooth HID is USB over bluetooth, so Mike decided to see if the same thing was possible. He was able to modify the firmware on his Apple bluetooth keyboard by sending it packets over the air. His keyboard is the older three battery version which required the link key to be used, but he said that the newer two battery version doesn’t have this protection.

It was a great presentation and Mike has the slides and additional resources on his site. He even includes a checklist for verifying how secure your bluetooth devices are. The link key puts most attacks out of reach of your average hacker, but as he pointed out it is often not implemented. For future work, he plans on developing baseband injection using the USRP.

As was bound to happen, I put the finishing touches on my GPU post and immediately ran into David Hulton (h1kari) at Pico Computing‘s ShmooCon booth. As the organizer of ToorCon, he was the person that originally introduced me to the power of the FPGA.

Pico recently hit a new high mark for decrypting 56-bit DES (PDF). DES encryption has been deprecated but can be found in old systems and uses many features found in modern encryption algorithms. They can now check all keys in just 4.65 days as opposed to 9.14 years it would take a graphics card.

The 4U machine was built with 7 of the company’s EX-300 x1 PCI Express cards. Each card has 16 Xilinx Spartan FPGAs for a total of 176 in the system. It’s quite a beast, but don’t expect to see too many since this SC-4 SuperCluster is ~$80K.

Also on display was the new E-101. It’s a single Spartan-6 LX45 FPGA. It has a mini-USB connector to make it very benchtop friendly; previous boards in this class used CF, CardBus, or ExpressCard formats.

For having to fill a last minute ShmooCon opening, dragorn delivered a very provoking talk. You may know him for his indispensable wifi tool, Kismet. He blew through 100 slides in 20 minutes and I’m sure I’ll miss the finer points but it really turned out to be something potentially incredible (and destructive). He laid the ground work by discussing how open public wifi hotspots are so heavily used. Many of us understand the risk but he set out to show even more unexplored territory.

802.11 traffic is trivial to capture and as Toast demonstrated at Defcon, easily injectable with airpwn. Many people saw this but the full implications weren’t really understood so dragorn decided to expand on the idea. The team built a new version of Airpwn TCP hijack for the Metasploit framework. It now supports full content replacement using regex and a very fast ruby-based packet assembler.

dragorn outlined the many ways you could use this. You could modify one of the many helper .js files that browsers download while loading pages. You could rewrite the DOM to your benefit, change all forms to go through your proxy, or change all https to plain http.

These attacks could be made persistent by telling the browser to cache the .js for an extremely long time (10 years even) as rsnake described in his VPN research. Then when the user returned to their home intranet the exploit would still be viable; it could even phone home to get new .js payloads. Want to make the attack really generic? Poison Urchin.js, the code that every site using Google Analytics makes you load.

What’s the answer? Securing your connection with a VPN perhaps. This doesn’t really help the average user though because it’s difficult to do. If your splash start page is http which hands off the login to https, the attacker could hijack you starting with that very first page before you’re in the VPN.

dragorn also built DNSpwn DNS hijack. You can use it to poison someone’s DNS so that it persists even when they switch to a VPN.

This is one of those attacks that could be easily missed by expert users. At the end of his talk, dragorn lamented, “I’ve ruined wifi for myself.”

I’m at the ShmooCon hacker conference in D.C. this weekend and will be posting about some of the more interesting talks. The Friday round of talks are limited to 20 minutes and cover a wide variety of topics. Collin Brack opened with a subject I’m thoroughly interested in: GPU based cracking.

In the past, I’ve talked about using FPGAs for dedicated repetitive math. Since then, GPU manufacturers have started developing frameworks so you can write code directly against the processor, not necessarily for graphics. Nvidia has been pushing their CUDA technology, while other manufacturers have been working on OpenCL.

Collin uses Nvidia devices in his day job and naturally leans towards CUDA. He has specifically worked with the Tesla C1060 and Tesla S1070. The second being a dedicated 1U device, it doesn’t have a video out.

The conclusion of the talk was a broad survey of what cracking tools have been ported to these frameworks, many of which work with live tool DVD BackTrack 4—they have a CUDA guide. Programs like aircrack-ng-cuda are available for wireless cracking; cRARk and RAR GPU for RAR password recovery; and IGHASHGPU, MD5 GPU Crack, and RainbowCrack are available too. The shining star of the group though is pyrit, which is available for many different GPU platforms.

If you’ve got a unibody Mac, you’ve probably got the hardware to play with any of these tools. Even though we’re moving away from FPGA, I’m still happy to see developers taking advantage of the speed increases available from GPUs.