Monday, December 10, 2007


If you don't know about airpwn, then you're missing out on some funny. Remember kids, the "man in the middle" attack is sometimes very very disturbing!
Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:

HTTP goatse, 100% of the screen
HTTP goatse replacing all images
HTTP goatse as the page background via CSS
HTTP tubgirl replacing all images
HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
HTTP javascript alert boxes, letting people know just how pwned they were
FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)

Sunday, December 9, 2007

Off the record messaging (forward security)

Interesting concepts, especially forward security

The idea here is to have secure messaging with a few more benefits than have been available by encrypted chat (offered by gaim and many others for several years). It's supported by everyone's favorite client, Adium X. One of the problems with other methods of encrypted conversations is that they were all authenticated with the same key, so that if your machine is ever compromised the attacker can now read all your past conversations. Also, if your machine is compromised, you cannot deny having said what you said since it was signed with your key.

OTR messaging uses crazy math to ensure that each conversation is encrypted with a different key derived from the same original secret key. Therefore you cannot use a captured private key to unencrypt previous messages but you know the current conversation is authenticated because all the subkeys must have been made with the original key. (This is part of the gpg specification.)

AdiumX is available as a download beta with OTR built in.
I used to use encrypted chat but only 3 of my friends had compatible versions, so unless this were to gain traction amongst a high proportion of your friends, it is probably not very useful. However, the novel abilities of OTR would be nice to see in other products.

Imagine someone capturing your secret key and having the ability to decrypt all your previous communications. That's what happened to the Nazis when they got lazy and started reusing keys.

Tuesday, December 4, 2007

How to build a kitchen timer

Check out these circuit diagrams. What? It's a kitchen timer. What did you think it was?

The guy from has lots of great projects.

It's a kitchen timer. Use it to time spaghetti, or maybe an egg. It uses two PICs, one acts as a keyboard encoder, the other drives the display and supports the timer functions. You key in the desired time and press '#'. It's accurate to 1/100th of a second, which can make all the difference I'm sure you'll agree

Also, the duct tape is critical to it's operation! Let me know when you attempt to bring one of these on board an airplane!

Radio scanning in Louisiana, frequency lists available

Radio scanning in Louisiana, frequency lists available
(Current list that I use.)
(Current list of open channels of all kinds of businesses and agencies)

Louisiana is supposed to be switching over to the Louisiana Totally Interoperable Environment (LATIE) system for all police, fire, EMS, etc radio communications. Some parishes are up and running, and some are taking their time. Listed at that link are frequencies and ID codes for State Police, local police, and basically every other LATIE equipped department. Please note that Lafayette Parish has switched over to encryption with their systems. To listen to LATIE traffic you must have one of two different models currently available. The Uniden BCD369T handheld going for $300-500, or the super bad-ass Uniden BCD996T which is basically sentient.

Here is the forum for LATIE related questions for hobbyists:

My personal belief is that encryption is too difficult for the state guys to even mess with for at least one more generation of gear. Most agencies will continue to use the easiest, cheapest, oldest, and least secure methods of communication until they are forced to adhere to some new minimum requirement. This is good for those of us who want to hear them talk (including reporters, news channels, and any hobbyist.)

I've compiled a massive list of *currently used, non-trunk frequencies of everyone from the cops to mcdonalds and drive throughs, and LSU services available here below the fold. Please enjoy.

If the cops are going to be blasting their radio waves directly into my apartment, then they have no right to complain that I decide to listen to them.

Sunday, December 2, 2007

Mac Users: Set Your File Vault Master Password

Since this blog is, at least in part, about bringing to your attention possible security threats, I'll make my first post here about a threat I recently thought up.  I mentioned this to a friend and, the more we discussed it, the scarier it seemed.  Luckily, there's a simple fix.

The threat in question is the threat of an unset Master Password on your macintosh's File Vault.  Now, many of you are like me, and have been so scared reading about File Vault that you don't currently intend to ever turn it on.  But, at the very least, you should set a Master Password in the File Vault preferences pane (System Preferences > Security > File Vault).  Doing so will NOT turn on File Vault.

Why, you ask?  Well, I suppose that depends, in part, on where you're using your computer.  Mine, a Powerbook G4 running Leopard, stays open on my desk all day.  I'm a graduate student at a university, and my desk is in an office I share with many others.  The office itself remains open during the day and so passers by theoretically have direct access to my machine.

I regularly leave it there, protected by a laptop lock, and go get coffee, teach lab, or take a walk.  In addition to this physical protection, I've recently disabled automatic login and turned on password requirements to wake the computer from sleep or screen saver (both in System Preferences > Security > General).  I've also made an encrypted disk image (using Disk Utility) that contains all of my sensitive data.  This encrypted disk image means that even if someone gains physical access to my machine with the login passwords down, my most sensitive data is safe from prying eyes.  But despite all of these measures, the File Vault Master Password is another security hole that is too easily plugged to risk ignoring it.

It's an unlikely scenario, but one in which you would be completely fucked if it were to occur.  Let's say I'm off getting coffee and my officemates are off doing whatever they are doing.  Now further assume that in a moment of forgetfulness, I left my computer open and didn't trigger the screen saver.  A person with malicious intent could walk in before the screen saver automatically starts and, unopposed, access the File Vault Preferences.  If the Master Password is unset, they could set it themselves and trigger File Vault to lock up my home directory.  I would come back from coffee to an unusable machine in which all of my precious personal data, including any encrypted disk images that I put sensitive stuff in, was encrypted with a key that I did not possess.

While it's true that the antagonist still shouldn't have access to my most personal data, because it's in the encrypted disk image that I never mount unless I'm actively using, it would deny ME access to my own data, which is almost as bad.

I admit, it's an improbable happening, but one that, nonetheless, remains well within the realm of possibility and for which the countermeasures are far too easy to justify ignoring.  If you set the Master Password, then you and your computer are safe from would-be practical jokers or evil office trolls who might encrypt your home directory without giving you the key.   Having the Master Password set doesn't require you to turn File Vault on, but it does allow you to turn it off if someone else turns it on.  And, if that's not enough of an incentive to make you take action, I don't know what is.