Shmoocon 2009: ...duck!!

08 February 2009

It's been six hours since I got back from Shmoocon, and I'm still readjusting to a low information density environment. Shmoocon is DC's premiere hacker con, held early every February by a security research outfit called the Shmoo Group, which seems to have an odd interest in moose (judging by the repeating moose motif all over the place, from the free stickers to the laser cut acrylic convention badges). I've wanted to go for a couple of years but various and sundry things kept me from attending, so when I finally was able to score a ticket I jumped at the opportunity.

Taking the day off from work on Friday made it possible to hop the Metro downtown to the Woodley Park station, which is within a block of the Marriott Hotel that the con was held at this year. I stopped at the front desk to check in, hauled my kit upstairs to drop it off and work the kinks out of my back a little, and then headed back down to the mezzanine level to get my badge and figure out what to do.

I can't speak for the other years of the con, but this year if you were fortunate enough to purchase a ticket you were e-mailed a barcode as a .png graphics file, which you were then to print out and bring to registration to get your badge. It appears to have become something of a tradition to see how far you can push your barcode's representation before it's no longer readable by the scanner - at this con alone, I've seen a medical x-ray containing a registration barcode, a lifecast of someone's head which had the barcode printed on the back of the neck, a fifth anniversary cake for Shmoocon with the barcode printed across the icing, a replica of Leeloo's multipass from The Fifth Element (the handiwork of one Rob T. Firefly), and even a piece of toilet paper. I didn't even bother trying to come up with anything this year, lacking the spare compute cycles and time in which to do so. Obligatory disclaimer: I'm horrible with names. Unless I write them down immediately, I probably won't remember them. If any of you happen to read this and wonder why I didn't mention you by name, it's because I probably remember your face but not your name. I apologize in advance.

After registering, I ran into a couple of folks from both in and out of town: the aforementioned Rob T. Firefly and his significant other (whose name I do not recall - sorry!), C4bl3fl4m3, Renderman and Grey Frequency, Emacsen, and Nick from HacDC, all of whom were breezing around the hotel getting settled in. I bounced around here and there, talking to people, picking up swag (I wound up bringing home about two dozen different kinds of stickers), learning where everything was, and making myself seen while hanging out with Emacsen. We found ourselves going out for Indian and talking shop about microcontrollers while killing time until the presentation at 1700 EST5EDT about the attack on the Srizbi botnet by an old friend of mine, Julia Wolf. Unfortunately, the talks on the first day were limited to thirty minutes each, so she had to skip through some of her slides and try to pack the entire saga into the short period of time they gave her. True to form, she rose to the challenge of running through the technical aspects in about twenty minutes, and had ten to spare to field questions from the audience. One of the more salient points that was brought up was the fact that the Srizbi agent itself resides entirely within the context of the Windows kernel by using the device driver interfaces, which makes it very difficult to detect as well as meddle with. The NT driver subsystem is a funny thing - poke the wrong thing the wrong way and you can crash the machine instantly. Edit the wrong thing in the wrong way, and the machine will have to be rebuilt from scratch because it'll never boot properly again. Thus, sending out an update to the botnet which would uninstall the individual agents would be hazardous in the extreme.

Plus which, that would be considered a felony in the United States under 18 USC 1030. Sure, it's a felony to infect machines, but the people who actually write this stuff aren't anywhere that US jurisdiction can easily get to. Security researchers, however, are, and two wrongs don't particularly make a right in the eyes of the law.

Following Julia's talk, Emacsen and I met up with Julia, Katie from HacDC, Scraun23 (who I split the hotel room with - thanks, man!) and a couple of new people from out of town whose names I regret that I don't recall to go to dinner at Tono Sushi, just down the hill from the hotel.

In the madness that comes with attending a convention, I'm pretty sure that I grabbed menus and cards for the restaurants I went to, but I've no idea where in the hell they are right now. The sushi there wasn't bad, and is definitely worth going back for. After dinner, Emacsen headed for home (given that he lives one or two Metro stops away) while I ran around with Scraun23 for the evening. I was originally supposed to go to the HacDC space that night for the big "Hi, welcome to DC!" party that the Shmoocon organizers were throwing there, but a combination of no transportation, a multi-mile walk through downtown DC both ways, lack of a sense of direction, and general apathy toward several hundred drunken people in the same place at the same time just after getting over being sick all contributed to my decision to stay at the hotel and geek out that evening. I wound up on the mezzanine with Scraun, Julia, and another woman whose name I never did learn, talking about Burning Man and the weird and wonderful sculptures that are built there every year. Around 2300, when it was just Scraun and myself left in the easy chairs, we decamped for the quieter of the two hotel bars to talk about instant messaging platforms, distributed communication, and mind mapping until well into the night. I think we finally went to bed around 0100 or so, and planned on getting up in time to catch the first presentations the next day.

The first presentation we hit on Saturday was Michael Ossmann and Dominic Spill's presentation on figuring out how to monitor all 79 Bluetooth channels simultaneously. It's not an easy process due to the design of the protocol, and it's a highly CPU-intensive operation (to say nothing of the cost of commercially available Bluetooth debugging hardware). What they discovered, however, was that the phenomenon of aliasing makes it possible to set the receiver to one frequency (or channel) but pick up traffic on the other frequencies/channels that happen to map to the one you set your scanner to. When you apply the anti-collision packet reconstruction algorithms of Bluetooth, it is then possible to pick out the packets from each channel and reassemble them into a coherent whole. I'll admit, Bluetooth isn't something I know a whole lot about, but I'm inclined to make the time to study it a bit more.

After that we popped over to Next Generation Wireless Recon: Visualizing the Airwaves, by Joshua Abraham and Ben Smith. They demo'd some new software that they've been working on which takes analysis of wireless recon information to a whole new level: not only are they plugging it into Google Earth (though there were some amusing GPS glitches) but they're organizing the data by "of all of these access points, which ones have active clients associated with them?" There is also some other software that they've been working on which generates hierarchies of access points, clients, and traffic which you can then drill down through to pretty much any level of detail to figure out what's going on. It's interesting stuff, and I hope to play around with it sometime soon, when things calm down.

A chance encounter with The Wrong Hands in the hallway led Emacsen and me down the street with a couple of new people to get Thai for lunch. Along the way, I finally had a chance to give her that Yule gift that's been waiting in the living room: a compact and collapsible grappling hook that's remarkably strong for its weight. While it says that you're not supposed to use them to support people, I've seen the model in question benchmarked to about five hundred pounds of weight. Still, use your discretion. We wound up talking about infosec law, mock trials of some kind that I've not heard of before (I guess I don't go to all the cool cons), little-known phrases in sign language, potential pitfalls in lipreading (note to self: think twice before saying the word 'vacuum'), and creative (sometimes creatively stupid) ways of permanently destroying hard drives.

We got back to the con in time for Rick Farina's presentation, 802.11 ObGyn, or, Spread Your Spectrum.

I know a couple of people who refused to attend Rick's presentation because of the subtitle, and to be honest I can't say that I really blame them. In Rick's defense, his actual presentation wasn't bawdy or sexist at all. He did an excellent job of taking some very dry topics (like writing device drivers, wireless networking frequencies, and who uses what) and making them interesting, engaging, and witty. As I found out later there was an ongoing... tiff... between Rick and some other people which culminated in his carrying a Plexiglas riot shield to deflect incoming shmooballs. The highlight of the talk was Rick being shot at multiple times with a shmooball bazooka, the first four rows of the auditorium standing up to pelt him with shmooballs and lemons, and, to add insult to injury, incoming fire from Nerf weapons. However, all hilarity aside, I find Farina's work on altering device drivers to get wireless networking hardware to transmit and receive on frequencies that are normally available only if you hold the proper licenses from the FCC, including government-only frequencies, fascinating. He also spoke for a while about wireless intrusion detection systems, and some of the detection methods that they employ.

It was after this presentation that Emacsen and I hopped on the Metro to go to Dupont Circle and the Brickskeller for SIGBEER, an event organized periodically by DC SAGE. In essence, it's a bunch of sysadmins sitting around sampling imported or exotic beers and talking about whatever happens to come to mind, much of it not suitable for mixed company. I had a blast, though it took a little while to get used to how things were done there. I'm not much of a pub or restaurant drinker, so these things take a little getting used to.

After Emacsen and I got back to the hotel I wound up hanging out with Striker in the hallway where they were showing movies (Sneakers, at the time) and asked him a couple of questions about the practicalities of making vampire taps, which are basically registered jacks (RJ-45) that you splice into an existing run of Ethernet cable so that you can silently monitor traffic in both directions. The least shady applications of this technology involve debugging network protocols and IDSes that intruders can't readily detect. Less legal uses of them are pretty much what you'd expect of any physical wiretap, only an intruder could easily push some ceiling tile aside, grab a run of cable, splice into it, and connect a wireless access point. There are a couple of problems that I ran into while experimenting with them, chiefly cutting the conductors by accident when trying to strip the cable jacket off. Striker suggested buying a coax stripper and using it in conjunction with a boxcutter (and NOT my ~~whipped to shit~~ favorite and well-used multitool) to remove about four inches of cable jacket. The real trick, if you've never read the Ethernet spec, is to maintain the correct number of twists in each pair when inserting the jack. If the pairs of wires that make up the cable are undone too far, EM interference from the neighboring wires inside the cable will cause signal degradation. Not only would an infiltrator's efforts sneaking around be wasted because the tap wouldn't work, but network admins tend to notice bad cables, investigate them, and all hell would break loose if the failed tap were found. It is possible to make it work if you use a punchdown tool without the cutting blade (this usually means flipping the blade around) to knock the jack into place. So far as I can tell, this should work; the jackpoints we tried on the convention floor were disabled at 2300 EST5EDT, so we didn't even get a link with an unaltered cable.

However, I have more CAT-5 laying around the house than I know what to do with, a punchdown tool, and a ready supply of registered jacks a couple of blocks away, so I'm going to do a little more playing around when things slow down a little.

I wound up spending the rest of the night hanging out in the back room with some of the folks from remote-exploit.org. I learned what exactly happened that morning at the 802.11 ObGyn presentation (it appears to be fallout from a good-natured IRC war that involves a shock site), met Mister_X (who is known for his wireless security auditing software), and discovered that solid-state hard drives, while much smaller than the hard drives which are common on laptops, are several times faster. I watched the beta release of Backtrack boot in just a couple of seconds on someone's laptop, much to my amazement. While I'm not willing to trade off speed for storage capacity because it doesn't fit my needs at present, I now understand why someone would make that decision. It's one thing to read benchmarks and reviews, but another to see it firsthand. I think I wound up going to bed around 0230 EST5EDT because I didn't want to be completely fried the next day.

The only presentation I caught on Sunday morning was 3ric Johansen's RFID Unplugged presentation, in which he discussed RFID-enabled credit cards and how easy it is to get all the information you need to cost someone a considerable sum of money from a distance. He even demonstrated with a credit card belonging to someone from the audience, using a utility he wrote that makes the query using a commercially available RFID reader and prints out the reply. Scary stuff. After his talk, I headed up to the front to mention a few things that I'd discovered on my own about the technology. I mentioned briefly what it took to decapsulate the RFID chip of DC's Metrorail cards (about twenty-four hours in an acetone bath, though a much stronger concentration of the solvent heated to the fuming point would do it much more rapidly). One way I found that seems to disable RFID chips is to crack the casing over the chip slightly, get a conductor in there (like a straightened-out staple or a bit of bell wire), and hit it with a static charge. Also, monitoring the electromagnetic emissions from RFID readers is a possible means of passively monitoring the returned data, because the ones I've played with appeared to have little in the way of RF shielding and a sufficiently overpowered transmitter (a beta version, perhaps? or perhaps overcompensating for potentially 'noisy' environments?) that one could detect from a distance if one were so inclined. The thing about beta versions, I'll admit, is that the dumbest of bugs are often fixed before the final product hits the market, and had I stopped to think for a few seconds longer I might have phrased things better.

Maybe I've been pretending to be dumb for too long.

After his talk I skated around a bit to say my goodbyes to a few people, checked out of the hotel, and headed for home. I hadn't realized that it was going to be so warm on Sunday (mid-60's Fahrenheit) so wearing a wool peacoat, turtleneck, and scarf turned out to not be one of my better ideas. By the time I got home I was dripping with sweat and hoping to get a shower before unpacking (which I still haven't done). I wound up going to dinner with Lyssa and Laurelinde that afternoon at the Thai place in Fairfax I was at last Saturday, stopped in at the pottery painting place around the corner, and popped into the tattoo parlor between the two to examine the portfolios of a couple of artists that I'd heard about.

The rest of Sunday evening was spent running a few errands for the week (vis-à-vis, buying groceries) and working on this particular convention writeup, which I appear to have finished in record time. I took a few photographs while I was there, but the stated photography policy of Shmoocon made me loath to photograph anything moving about under its own power, just in case.