I’m back in Los Angeles but I thought I’d leave you with one last image from ShmooCon. Larry Pesce from PaulDotCom has been been bringing new ShmooBall guns to the conference for the past few years. ShmooBalls are foam balls given to the conference attendees so they can throw them at speakers they disagree with.

This year Larry brought a turret mounted to a Power Wheels. You can see the 2008 and 2009 versions on Hack a Day.

Mike opened by quoting from the February 2003 issue of Bruce Schneier’s Crypto-Gram on the importance of authentication.

Last year I had a conversation with an engineer involved with security for the Bluetooth wireless protocol. I told him that Bluetooth has only privacy and not per-packet authentication. He responded with the prototypical lame responses: 1) pseudorandom frequency hopping makes it “nearly impossible” for an attacker to get in, and 2) the range is only 8 feet, so the attacks are naturally limited.

I tried to argue the point, but eventually gave up. Then I said something like: “I can hardly wait for Bluetooth to become universal, because I really want a wireless keyboard and mouse with the “base station” built into my computer.” He said: “Yes, but you really probably don’t want to use Bluetooth for that, because then somebody could stuff keystrokes or mouse clicks into your system.” I didn’t know whether to laugh or cry. Talk about not getting it.

The bluetooth HID profile is essentially USB HID implemented over bluetooth. The bluetooth dongle has two USB protocols it can use to communicate to the computer either “boot” protocol or “report” protocol. The report protocol is very flexible to suit whatever the device needs. The “boot” protocol on the other hand is fixed. The boot protocol is designed this way because it’s in the computer BIOS which allows the keyboard to be used at boot time without needing a full USB stack. Many dongles default to this boot protocol when plugged in and just enumerate as a mouse and keyboard instead of a full bluetooth host (which you can later switch to in software).

Mike developed the btbb plugin for WireShark which lets you look at bluetooth baseband packets captured over the air with the USRP software radio. While working on it he noticed the keystrokes were being sent in the clear. He sent a few captures to Joshua Wright who used them to develop btaptap which takes a pcap file and spits out the keystrokes. The dongle they were captured from was in boot mode, but just being in boot mode doesn’t guarantee they’re sent in the clear. Some computers with bluetooth now ship with boot mode as the default.

The next thing Mike talked about was HID Attack by Collin Mulliner. Collin developed xkbd-bthid as a virtual bluetooth keyboard to send keystrokes to bluetooth devices. It was designed to hunt down machines that were waiting for keyboards to connect. Most of these holes have been patched now. Mike demoed injecting mouse commands by using a dongle on the victim’s machine while the mouse was turned off. The interesting part of the demo was that he injected keystrokes using the mouse since it’s the same HID boot protocol. Support for encryption in mice isn’t required by the USB HID spec only for keyboards.

To do the spoof, you have to know the BD_ADDR of the device you’re spoofing. If you have physical access, you could just read it off of the device or OS. Kismet now ships with kismet-btscan for actively sending inquiries to recover the BD_ADDR of local devices. kismet-bluetooth is also being developed to passively monitor the baseband using the USRP.

When bluetooth devices are using encryption there’s a link key that you must crack. Much research has been done on this with BT Crack by Thierry Zoller and btpincrack by David Hulton. They work but require a lot of time and usually capturing the actual device pairing. Mike suggested in jest that all pairing should be done inside of a Faraday cage.

bthidproxy is yet another handy piece of software. Using it you can man in the middle bluetooth connections by using two dongles and spoofing the host and device addresses. Because of ‘virtual cabling’, a one to one connection is made between device and host. This means that almost all attacks must be performed when either the device or host are off allowing you to take their place. This isn’t too much of a problem since machines get powered down often and many mice have off switches to save battery.

Mike talked about K Chen’s Apple Keyboard firmware attack. The USB keyboard doesn’t check the firmware’s signature so it can be rewritten. Bluetooth HID is USB over bluetooth, so Mike decided to see if the same thing was possible. He was able to modify the firmware on his Apple bluetooth keyboard by sending it packets over the air. His keyboard is the older three battery version which required the link key to be used, but he said that the newer two battery version doesn’t have this protection.

It was a great presentation and Mike has the slides and additional resources on his site. He even includes a checklist for verifying how secure your bluetooth devices are. The link key puts most attacks out of reach of your average hacker, but as he pointed out it is often not implemented. For future work, he plans on developing baseband injection using the USRP.

As was bound to happen, I put the finishing touches on my GPU post and immediately ran into David Hulton (h1kari) at Pico Computing’s ShmooCon booth. As the organizer of ToorCon, he was the person that originally introduced me to the power of the FPGA.

Pico recently hit a new high mark for decrypting 56-bit DES (PDF). DES encryption has been deprecated but can be found in old systems and uses many features found in modern encryption algorithms. They can now check all keys in just 4.65 days as opposed to 9.14 years it would take a graphics card.

The 4U machine was built with 7 of the company’s EX-300 x1 PCI Express cards. Each card has 16 Xilinx Spartan FPGAs for a total of 176 in the system. It’s quite a beast, but don’t expect to see too many since this SC-4 SuperCluster is ~$80K.

Also on display was the new E-101. It’s a single Spartan-6 LX45 FPGA. It has a mini-USB connector to make it very benchtop friendly; previous boards in this class used CF, CardBus, or ExpressCard formats.

For having to fill a last minute ShmooCon opening, dragorn delivered a very provoking talk. You may know him for his indispensable wifi tool, Kismet. He blew through 100 slides in 20 minutes and I’m sure I’ll miss the finer points but it really turned out to be something potentially incredible (and destructive). He laid the ground work by discussing how open public wifi hotspots are so heavily used. Many of us understand the risk but he set out to show even more unexplored territory.

802.11 traffic is trivial to capture and as Toast demonstrated at Defcon, easily injectable with airpwn. Many people saw this but the full implications weren’t really understood so dragorn decided to expand on the idea. The team built a new version of Airpwn TCP hijack for the Metasploit framework. It now supports full content replacement using regex and a very fast ruby-based packet assembler.

dragorn outlined the many ways you could use this. You could modify one of the many helper .js files that browsers download while loading pages. You could rewrite the DOM to your benefit, change all forms to go through your proxy, or change all https to plain http.

These attacks could be made persistent by telling the browser to cache the .js for an extremely long time (10 years even) as rsnake described in his VPN research. Then when the user returned to their home intranet the exploit would still be viable; it could even phone home to get new .js payloads. Want to make the attack really generic? Poison Urchin.js, the code that every site using Google Analytics makes you load.

What’s the answer? Securing your connection with a VPN perhaps. This doesn’t really help the average user though because it’s difficult to do. If your splash start page is http which hands off the login to https, the attacker could hijack you starting with that very first page before you’re in the VPN.

dragorn also built DNSpwn DNS hijack. You can use it to poison someone’s DNS so that it persists even when they switch to a VPN.

This is one of those attacks that could be easily missed by expert users. At the end of his talk, dragorn lamented, “I’ve ruined wifi for myself.”

I’m at the ShmooCon hacker conference in D.C. this weekend and will be posting about some of the more interesting talks. The Friday round of talks are limited to 20 minutes and cover a wide variety of topics. Collin Brack opened with a subject I’m thoroughly interested in: GPU based cracking.

In the past, I’ve talked about using FPGAs for dedicated repetitive math. Since then, GPU manufacturers have started developing frameworks so you can write code directly against the processor, not necessarily for graphics. Nvidia has been pushing their CUDA technology, while other manufacturers have been working on OpenCL.

Collin uses Nvidia devices in his day job and naturally leans towards CUDA. He has specifically worked with the Tesla C1060 and Tesla S1070. The second being a dedicated 1U device, it doesn’t have a video out.

The conclusion of the talk was a broad survey of what cracking tools have been ported to these frameworks, many of which work with live tool DVD BackTrack 4—they have a CUDA guide. Programs like aircrack-ng-cuda are available for wireless cracking; cRARk and RAR GPU for RAR password recovery; and IGHASHGPU, MD5 GPU Crack, and RainbowCrack are available too. The shining star of the group though is pyrit, which is available for many different GPU platforms.

If you’ve got a unibody Mac, you’ve probably got the hardware to play with any of these tools. Even though we’re moving away from FPGA, I’m still happy to see developers taking advantage of the speed increases available from GPUs.

Goozex is a videogame and DVD trading service I’ve been using and I’m quite happy with it. Each game or DVD has a point value based on the age and demand. You earn points by giving items and spend points to receive items. Each trade costs the receiver 1 dollar. Points can be purchased 100 for $5. New games usually enter the market at 1000 points and age in 50 point increments.

I started using the service when I realized I wasn’t a videogame collector and started getting rid of my Playstation 2 and 1 games. I decided that I didn’t want to go to the trouble of finding a backwards compatible PS3 so I bought an Xbox 360. Again. Of the 15 Playstation 2/1 games I listed, I got rid of 11 within a month. I could then reinvest those points in 360 games.

I like the economy of Goozex because it helps you avoid the new game penalty. You can get a new release, play it, and then trade it before it has dropped in value. Thursday night I completed Assassin’s Creed II. The game was released in late November and is 1000 points. I got it in trade a week ago and just sent it to a new person today. With the cost of shipping, packaging, and $1 for Goozex, the game cost me $4 to play since it didn’t drop in points. I could have kept it another month and it would still be 1000 points. I could use a subscription service like GameFly but sometimes I’ll go long stretches without playing anything. It’s also 2/3rds more expensive than Netflix, a service I use all the time.

I learned about Goozex from Chris Grant at Joystiq. I had used ITradeVideoGames a few years before, but I like Goozex’s reputation system and presentation. It also lets me pick up cheap DVDs without having to deal with random eBay auctions or Amazon sellers.

Next up, I’m going to be resuming my Mass Effect game (wherever the hell I stopped that a year ago) in preparation for the playing the sequel.

When I was 17 in the summer of 1998, my twin sister and I dug a fish pond in front of our house. I thought I’d share a little bit about it since it wasn’t that difficult to construct. It sits in the front yard and has about 3 kiddy pools worth of surface area (yes, that’s a unit of measure).

To start, we connected the ends of of a garden hose together and then massaged the shape till we were happy with the look and location. We staked the hose down and started digging. The liner is actually what I like most about this project; it’s “ice guard”, a rubber sheet product used under roof shingles. It’s way cheaper than commercial pond liners and very puncture resistant. I think the sheet is ~15 feet wide. The borders are held down with river rock. We had originally used salvaged flagstone, but without a proper foundation, it didn’t last. We also found out that you shouldn’t put any rock in the bottom of the pond. It will just become a bacteria breeding ground as decaying plant matter builds up.

I believe the pond is over two feet at its deepest. Goldfish do just fine in the winter, even with ice on the pond, but you have to make sure they have room. Big goldfish ponds are also nice because the goldfish get BIG in response to having so much space.

The pond is almost zero maintenance. Throw the lilies in and they just take off. There’s a pump for aeration and an overflow pipe. Both the lilies and goldfish were brought in from a friend’s pond. The pond will turn green occasionally, but that usually disappears when the lilies get more coverage and the fish population increases, reducing the amount of food.

I think this was a great addition to our home and I hope this post shows just how simple it is.

Aside: The town I’m from, Beaver Crossing, Nebraska, was known for its large number of free flowing artesian wells in the early 1900s. Fed by the Ogallala Aquifer, the town claimed to have the World’s Largest Swimming Pool. One of the most well known businesses during this period was Smiley’s Water Gardens which raised many varieties of lilies and trout. This all disappeared with the rise of deep well irrigation though; the water table dropped and artesian wells have become a rarity. You can read more about the town’s history here.

I bought my first digital camera in 2003. It’s a Panasonic DMC-FZ1 and you can find a picture and review of it here. I bought it for a couple reasons: it’s 2.1 megapixels which looks acceptable if you’re printing 4×6s. It had options to shoot either 2 or 4fps at full resolution. 12x stabilized optical zoom and f1.8 meant it was very flexible. I went to the Pikes Peak International Hill Climb shortly after purchasing the camera. The zoom was very useful as we could see ~11 turns and 700 feet of elevation change. I used the multiple frame mode to shoot cars going through turns and then assembled them with panorama software.

I stopped using my FZ1 when I got my N95 in 2007 since it was much smaller, 5 megapixels, and always on me. When I lost the N95 I got a G1, which is a 3.2 camera that shoots images that look like ass, just like its iPhone competition.

I’m talking about the FZ1 now because I recently put it back into service. I’ve been doing a lot of projects around the house and wanted better pictures for the blog. Using it again made me realize what I’ve been missing in a camera (I have no desire to be a DSLR person). The feature that really hooked me again was the manual white balance. I’m always working under fluorescents, sometimes with indirect sunlight; none of that matters since I can reset the white balance in less than two seconds. Having a real camera also means a functional macro mode. You get other nice features like being able to see the shutter speed the camera is planning on using so you can attempt to increase the lighting if it seems too slow.

It’s really been a great experience bringing back this piece of tech that I had pretty much written off. The only thing that’s missing is an Eye-Fi card to make it the perfect around the house camera.

This last week, Machine Project has been hosting several different events as part of their FungiFest 2010. Chris and I decided to check out their mushroom walk this morning at Franklin Canyon Park. I was a bit skeptical when we showed up and they turned us loose into the woods to gather whatever we found with only a few words, but the whole experience was quite interesting.

I guess most of my enjoyment was from bringing in one of the largest specimens. After everyone returned from hunting, Dr. Bob Cummings identified the many different kinds of fungus we had found. While Chris and I only come across four, the group effort came up with at least fifty different kinds.

The one pictured above is Suillus luteus or Slippery Jack, named for its slimy top. It’s found on pine roots and is edible if the brown slimy skin is removed. There was an equally large cap from the deadly Amanita ocreata destroying angel. The majority of edible mushrooms we found were Boletus edulis, porcini, which you can buy immature in some grocery stores. Two of the more interesting edibles we found: Coprinus comatus, shaggy mane, must be processed within 4-6 hours of picking because the cap will quickly digest itself into a black spore filled ink. Clitocybe nuda, wood blewit, is also edible and has a lovely purple-pink color.

It was a great day and you can see a video of Dr. Cummings showing many of the same mushrooms we saw today embedded below.