Lessons Learned From CTF Quals

9:19 pm June 2nd, 2008

Hardware / OSs (For the thrifty hacker): If you have one machine to play with, run virtual machines with a small variety of operating systems and tools on them (see below). This suggestion is per member, and does not represent the one requirement for the whole team. Each member should be set up in such a way.

Hardware / OSs (For those who have more): If you have two~four machines, make sure one runs FreeBSD 6.3 or newer (check it BEFORE the competition and load all libraries); run a good distro of Linux (load Perl, Python, C and Assembler support) and use the last machine(s) to crunch data culled by the other two. For your Linux distro(s) I would suggest BackTrack 3 and/or Helix 1.9a for probes, analysis and forensics; and/or Ubuntu / Mint / Knoppix for the coding helper machines (more hard core peeps might prefer Gentoo / Debian / Slackware). These suggestions represent what two or more members of your team may have available. The more the merrier - checking over one another’s findings, or sharing out tasks will help!

Team Communications: Have two (or more) ways to contact team members and pass data. For coordination we used a free VoIP application (TeamSpeak) on one of our own servers and a private channel on a public IRC server. We passed data between one another, during analysis, via email and my website. If one channel for comms went down we had several backups… 95% of our comms turned out to be on IRC.

Sandboxes / Sharing Info: Have individual, as well as team, sandboxes to collaborate in. Some of your ah-hah moments may occur when one person is working on something and another is inspired to try something new, based on what s/he saw from the teammate. Said sandbox can be a secondary channel in IRC (away from the normal chatter), an IM or some other method where real to near-real time display of the data and commentary can be performed.

Don’t Be A Prick: Don’t try to socially engineer or “brute force” the qualification judges - people can get banned from the qualification contest for trying various shenanigans. Trust that the judges are smarter than the average bear and have been around the block a few times.

Know Thy Team Mate: Know what your team members are good at. Average team members will need to have an intermediate understanding of what networking is all about, know about coding and be comfortable with various admin / security tools. Above average members may have specialized skills and would be best put in charge of specific tasks that align to their strengths. Knowing who is good at what can minimize time spent spinning wheels and will help the team win points, theoretically, faster than less organized teams. Keep in mind that data can still swap between members as the task progresses, based on the skill set requirement changing as the datasets evolve into the answer you will need to win the task.

All Work & No Play Makes Jack A Dull Boy: Schedule your times for working together on tasks - or at least for touching base. Our team was too small to work 24 hours every day, but we were on for a sizable chunk of the competition. And for those long stretches, remember to throw some fun time in with the work - Halo / Rock Band / Mario Kart mini-competitions should be encouraged in moderation (wink). Helps with breaking tensions when a task seems unbeatable and the play time bonds the team together.

DefCon 16 CTF Quals DONE!

10:30 pm June 1st, 2008

It’s shocking, I know, but I didn’t make it into the top seven teams who were chosen to compete in the hacker bloodsport known as Capture The Flag at DefCon 16. (Not that I thought I had a chance in hell) Only the top seven teams are picked - and they are at the very top of a very competitive heap. It was a heck of a challenge, and with the help of the brethren (and sisteren) of the Church of WiFi (especially ThePrez98, Israel Torres, DaKahuna and Jakalope) we made it up to #61, out of 311… Not too shabby for a bunch of first timers!!

For those who have a desire to see what challenges the teams faced in this devilish qualification round, click HERE. The folks at Kenshoto did a masterful job of wrangling all the tasks and code together, and keeping the participants honest (“stop bruting”). At the very beginning things were a little slow, but the Kenshoto fellas were able to figure out the comms glitch and after the fix things ran smoothly. No doubt, after the fix, things picked up as people started hammering the site with a slew of wrong answers (could it be THIS, no, THAT, no, THIS+2, frack!)…

Next year, we’ll be better prepared… Waaaay better prepared. Hope we can break 60 next year :). Lessons learned will be posted tomorrow… After I sleep properly.

DefCon 16 CTF Quals Announcement:
https://forum.defcon.org/showthread.php?t=9352

Team scores:
http://nopsr.us/ctf2008qual/results.txt

Answers:
http://nopsr.us/ctf2008qual/

Epic FAIL (1TB Lacie Ethernet Big Disk)

6:03 am May 22nd, 2008

Well crap. It’s official… My Lacie 1TB Ethernet Big Disk NAS took a dirt nap and I have lost a *lot* of data - some personal, tons of research, more than a few hard-to-come-by hacker / security videos and lots of other fun stuff. Sadly, attempts to recover the data have failed as one of the RAID 0’d 500G Samsung drives is already dead and the other is well on its way to mechanical failure. A total loss. I’m sure if I had TONS of money, I could send it off to a clean-room recovery company, but who has that type of cash?? (Any sugar daddies out there?) The other sad thing is that I was just days away from a major file sort/cleanup and backup evolution - making this drive failure a bit more tolerable… (sadhat)

I’m planning on sending the unit back to Lacie for total replacement. Thinking seriously of taking the new drive and selling it on eBay and using that money to get a Buffalo Linkstation Pro. At least the Buffalo is hackable (wiki link) with custom firmware (wink).

Nekkid Lace Pics:
My Lacie 1TB Ethernet Big Disk’s Guts
One of the two Samsung drives in the EBD

Interested in a Buffalo NAS? Check the links:
Buffalo Linkstation (UK)
Firmware passwords
Firmware FAQ
FreeLink for Linkstation Pro Info Page
Turn a FreeLink LSP into a Slim Server (SqueezeCenter 7)

Wub Da Chumby

10:47 pm May 6th, 2008

Hotnessssss… I can finally roll with the cool kids… I got my Chumby in the mail!! After a couple months of hearing about it from friends who jumped on the train ages ago, I caved to the peer pressure. My unit is the “Latte” color (as seen to the left), but a “Basic Black” Chumby was a VERY close second choice. Oh, and word to the wise: if you buy one on eBay do NOT pay over $179 total for it (price + shipping) - that’s what the delivered cost of the unit goes for direct from Chumby Industries. I got mine for a little under that cost, but while I was shopping for mine I noted that there were more than a few Chumby units listed at a $40+ profit on eBay… CLICK to see the latest crop of sellers and scammers… (Bleep) bags.

I have a couple of small plans for this Chumby, as it is marketed as a hackable device, and hope to create a widget or two as soon as I learn how it’s done… To see the official wiki for developing widgets go HERE.

Chumby Review Links:
http://www.linuxjournal.com/content/chumby-redux
http://www.geek.com/review-chumby/
http://www.iht.com/articles/2008/05/14/technology/ptpogue15.php (Added)

[[[ Updated 18 May 2008: I have added a total of 78 widgets on my Chumby - spread out over four channels. I have channels set up for Day, Night, Test and Kitchen. For one of my widget ideas, I'm looking at how I might be able to work a small search engine GUI out, using the on-screen keyboard. Why? Cause I wanna take a stab at integrating my Kitchen Assistant (using a Google API) as a means for looking recipes and drink mixes up. The only down side is that I am not certain if I will be able to work some magic and get all the clicked-through recipe pages to display right on the Chumby without a serious portal (most of these recipe sites do not export their data in XML format). :( The other option is to syphon a truck load of recipes from a variety of locations, convert them into an XML format and dump the whole lot into a personal SQL database on my (or a central) network. Either way, uuuggghhhhh...]]]

Post ShmooCon & Computer Book Raid

2:08 pm February 18th, 2008

Whiew! I flew back in from my ShmooCon (DC) trip laaaaate last night. Seemed that there was a problem with the little crop-duster I flew in on from Memphis to Pensacola… The main hatch wouldn’t seal. So there was a very long lay-over in Memphis as we waited for the initial mechanic and then a specialist to work on the problem. Been catching up on sleep lost all weekend today (yawn).

What a blast! ShmooCon was a little bigger this year from the last, but it had the same great speakers, organizers and attendees. Incriminating photos of my drunken state may be found on Flickr accounts of some friends (SullyJMan, Ethan, and the general ShmooCon 2008 stream) - I know I was not the only toastie that night ;P. Thanks to everyone who made ShmooCon4 a joy to attend!

While there, I was tempted to purchase three books (saving up cash):

No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing
by Johnny Long
Publisher: Syngress (February 21, 2008)
ISBN-13: 978-1597492157
Hit up Johnny’s link (HERE) to help raise money for AOET (Action for Empowerment). For more information check out his site at: http://www.hackersforcharity.org/

Hacking: The Art of Exploitation, 2nd Edition
by Jon Erickson
Publisher: No Starch Press (February 2008, 488 pp., w/ CD)
ISBN-13: 978-1-59327-144-2

Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
by Chris Sanders
Publisher: No Starch Press (May 2007, 172 pp.)
ISBN-13: 978-1-59327-149-7

Missing 24C3 Videos / Audios

9:22 am January 2nd, 2008

I ran through the haul that I made of the 24C3 videos and checked them against the list of presentations on the official site, and noted a couple of items missing :(. If you have any of these presentations in video or audio format PLEASE contact me at squidly1 (gmail).

(UPDATE: 06 Jan 2008) Thanks to Sam for the new torrent links ;). All are from http://berlin.ccc.de/~24c3_torrents/ Plus, I have mirrored about a dozen of the 24C3 videos HERE. Enjoy!

Videos I would *love* to find:
A collection of random things - Torrent Link (MKV / MP4)
A Spotter’s Guide to AACS Keys - Torrent Link (MKV / MP4)
Anonymity for 2015
Building a Hacker Space
Chaos Communication Camp ‘07: The Movie - File Link
Dining Cryptographers, The Protocol - Torrent Link (MKV / MP4)
EU Policy on RFID & Privacy - Torrent Link (MKV / MP4)
From Ring Zero to UID Zero - Torrent Link (MKV / MP4)
haXe
I know who you clicked last summer - Torrent Link (MKV / MP4)
IPv6: Everywhere they don’t want it
<NO>OOXML - A 12 euros campaign - Torrent Link (MKV / MP4)
One Token to Rule Them All - Torrent Link (MKV / MP4)
Overtaking Proprietary Soft … Writing Code - Torrent Link (MKV / MP4)
Playstation Portable Cracking - Google Vid Link - Local MP4
Reverse Engineering of Embedded Devices - File Link
Ruby on Rails Security - Torrent Link (MKV / MP4)
Security Nightmares 2008 (in German) - Torrent Link (MKV / MP4)
The Arctic Cold War - Torrent Link (MKV / MP4)
Unusual Web Bugs - Torrent Link (MKV / MP4)

24C3 Complete & Vids Are Up

5:02 am January 1st, 2008

Wow… This has got to be a record for any security/hacker conference. While the event was still ongoing someone was posting MKV and MP4 (as well as a couple MP3 and OGG audios) torrents of the presentations at the 24th Chaos Communications Congress (27-31 Dec 2007). And since I *again* was unable to attend, due to fiduciary constraints, I am relegated to downloading them all : /. Luckily I have been able to collect about 53 of them since yesterday. Below is a list of the torrents I used. If I find any videos that fit areas of interest (or study) for my site I will post them for download. Turns out the CCC peeps, and others, were nice enough to make all of the torrented vids available for download. Hit the following link for more information on those sites:
http://events.ccc.de/congress/2007/Conference_Recordings

For more information on the yearly conference, in Germany, check this out:
http://events.ccc.de/congress/2007/Main_Page

Download my DefCon15 presentation

8:33 pm August 30th, 2007

Alrighty… I’ve been debating this for a couple of weeks, and have decided to be brave. I have posted the video of my DefCon15 presentation (direct link HERE - R-Click & Save). I must apologize for the epic “uuuhhhs,” the curse words and verbal goofs - I was nervous… Enjoy.

RIP WhiteDust

10:28 pm August 16th, 2007

Well hell… First they had issues with being able to run the Black & White Ball - now I see the Whitedust website has the following message on it:

“14 August 2007 - 23:58 GMT

With the industry and those in it so seemingly hostile to Whitedust, and pure apathy from anyone who thinks otherwise. Why bother. This site is now closed permanently. Its staff have abandoned the scene and the industry for real world projects - for good, you won’t be seeing us again. You “Won”.

Good luck out there. You’ll need it.

-The Staff”

I have no clue what this was all about, but it’s sad that Whitedust was unable to fight it. That’s one less good RSS feed I have to read on my aggregator… Sorry to see you guys go : /

My DefCon demo videos are up!!

2:22 pm August 16th, 2007

Well, it’s done. My updated and corrected slides are in (check the Haksys Files area). You may now also view the video demos I showed at DefCon15 - two ways. Download the higher resolution versions (of my videos) directly from this site (*cough* Files), or watch them on YouTube - PSP VNC and PSP SSH2 and PSP GPS.

My voice is still a little off, with the cold, but I plan to make a couple of attempts at recording that voice track to the slide show I gave at DefCon15. When it’s done and converted to Shockwave, you’ll get a link to it from here. Hope to have it up before the official DefCon vids hit everyone’s mailboxes :).