ShmooCon 2009

February 12th, 2009

Last weekend I attended ShmooCon 2009 in Washington, DC with my colleagues Brian and Mike. For my years in, around, and studying the computer underground, I’d rather embarrassingly never actually attended a hacker conference before. This, then, was an excellent opportunity to go to a local one with a reputation for openness and friendliness–and on someone else’s dime to boot. Some highlights:

  • Matt Blaze’s keynote around architecture, secrecy, and telecommunications was excellent. Mr. Blaze didn’t provide deep technical analysis, but rather told a series of loosely-connected anecdotes under the theme “system design matters more than most people think”. To give an example: CALEA is a policy that layers a set of specific technical requirements on top of a system architecture that has grown organically and provided natural security controls. Prior to CALEA, law-enforcement had to request a phone tap, which was placed close to the subscriber’s line using a loop extender, and then that loop was manually recorded at the requesting police station. CALEA mandated a convenient, instant, standard interface for tapping telephones, which sounds lovely, but is expensive, and gives an easily exploitable view into phone switches. When that hole was exploited, hackers got to say “I told you so”.
  • ShmooCon gives attendees the ability to dispense what it likes to term “instant feedback”. Sure, you can go to the conference website and fill out a feedback form, but that’s boring. If, during a talk, you feel that the speaker isn’t being entirely truthful, you can hurl a conference-sanctioned ShmooBall at the hapless presenter. The organizers do provide speakers with perspex shields, however. Some attendees build pneumatic, fully-automatic launchers to ShmooBall their friends into oblivion, which really takes heckling to a whole new level in my view.
  • Meeting some heavy hitters in the InfoSec field. RenderMan even commented on my hat.
  • Getting the latest beta version of BackTrack 4, then using it to great effect to score second place in the “Hack or Halo” challenge on Saturday evening. Brian, Mike and I formed Team NYU and popped some boxes, somehow managing to score 14/17 points in under two hours. When Brian and I sat down, we decided that since we were unlikely to place very high in the contest, we should kick back, hang out, grab a beer, and see how many puzzles we could solve. Twenty minutes in, we glanced at the scoreboard, saw we were tied for second, and hit the afterburners. Mike joined us, scoring key points cracking a WEP key, and, most famously, calculating the Fibonacci sequence on his phone, and summing the sequence on his calculator for an epic win in the binary analysis category.

    (Photo: An anonymous friend, Brian, myself, and Mike's arm and leg)

  • Attending Jay “MF” Beale’s talk and witnessing the long-awaited release of Middler, then meeting Jay the following day.

Many thanks to the Shmoo Group for hosting a fantastic conference. All things being equal, I’ll be returning next year.

EDIT: Thanks also to foobar42 for graciously allowing me to use a couple of his photos; I was too busy hacking to take any.

Confession: I switched to Ubuntu

October 2nd, 2008

I’ve been a Red Hat Linux user for years, from somewhere around Red Hat 7 in 2000, making the switch to Fedora Core 1 in 2003 and continuing to run the latest Fedora release from there on. When I rejoined TSS, I decided that my primary desktop machine should be a Linux box; many of our backend systems are Linux-based, and it makes sense to be able to develop and deploy code from my desktop without the need for extensive hacking just to get a comparable environment. For example, I toyed with the idea of a new iMac or a Mac Pro, but while the hardware is nice and the OS stable, the time lost in hacking around with Perl and Apache to make them interact with each other in a similar way to a standard Linux installation outweighed any street cred I might pick up for having some Cupertino hardware on my desk. And besides, I still have my MacBook Pro.

As soon as my chosen hardware arrived–a Dell Optiplex 755–I popped in the Fedora 9 DVD, and installed the OS. The installation itself was comparatively painless, but the provided open-source drivers for the ATI video card failed to work at all with the included Radeon 2400XT, requiring a hard reboot and dropping into single-user mode just to get a bash shell. I spent a couple of days coming up with a workaround hack that would allow me to boot my machine and run the OS at my monitor’s native resolution, but with no 3D acceleration.

It happened that at the time, one of my colleagues’ laptops was failing spectacularly and in need of a total replacement. In the interim, however, he needed to boot to a usable OS to keep working and to retrieve what data he could. Rather than create a Fedora 9 boot disk, he went with Ubuntu, and reported a smooth installation process and ATI drivers which worked out-of-the-box and even provided friendly GUI links to download and run the non-free ATI-provided drivers. My interest was piqued, so I grabbed the Live CD, booted it up, and within minutes had a functioning Ubuntu system, with working video drivers. Out of the box. Shortly thereafter, my own laptop suffered a hard drive failure, and while waiting for the Apple store to install a new drive, I worked from a loaner laptop, booting and working solely from a USB key. Ubuntu installed flawlessly and quickly, booted and worked as fast as one could expect over USB2, and was generally a pleasure to use. I took the plunge and installed it on my desktop, and haven’t looked back.

I’ve had only a couple of gripes thus far:

  • Ubuntu 8.04 does not configure a host-based firewall by default. In my opinion, this is the single greatest problem with the distribution. If Microsoft can turn on the Windows firewall at install-time and issue appropriate scary warnings to users who attempt to turn it off, Ubuntu ought to be doing the same, and it worries me that it isn’t. Thankfully, iptables is installed by default, but it’s not configured to actually do anything. Users can use the included “ufw” scripts to configure iptables in a friendly fashion, though, so all hope is not lost. The OS should include a comprehensive firewall ruleset from the outset, however, which is something that Red Hat has done for years.
  • VMware 2.0 doesn’t install cleanly, although it comes close. This isn’t strictly the fault of the OS, but Ubuntu apparently relies on a quirky PAM configuration which VMware doesn’t know how to deal with when authenticating users to the web interface. Our newest hire at TSS has managed to get VMware working on Ubuntu, though, so it is possible, I just haven’t done it myself yet.
  • Ubuntu ships with Compiz Fusion for ‘enhanced’ desktop effects. While some of the eye-candy is pleasant to watch and makes the hours sitting in front of a screen that much better, some of the defaults are headache-inducing and Ubuntu includes no way, by default, to customize the Compiz effects. You’re presented only with three levels of enhancement, essentially “none”, “some”, and “melt video card”. The latter includes the ‘wobbly window’ effect which more or less sends me running for Dramamine every time I see it. Thankfully, one can find more granular configuration utilities in the default Ubuntu package repositories which allow for the disabling of the more disorienting Compiz features.

On the whole, I’ve been thrilled with the ease-of-use of Ubuntu and its ability to get out of my way while I’m working and the minimal effort I have to put into keeping the OS happy. To be clear: I was never massively disappointed with Fedora, but for my purposes, its function as a proving ground for bleeding-edge software has proven to be burdensome, especially when upstream non-free driver providers like ATI are unwilling to update to the latest at the same frequency that Fedora does. By its nature as a development platform, Fedora will always feel to be in ‘constant beta’ more than the average open-source project, but I feel that for my needs, Ubuntu gets closer to the sweet spot of free software that’s stable, highly functional, and easy and intuitive to use.

License Plate

April 29th, 2008

This must be the “Bobby Tables” of license plates:

Best License Plate Ever!

(Via Bruce Schneier)

Rejoining the NYU Security Team, and visiting Little Branch

April 10th, 2008

If you’ve spoken to me directly in the last week or two I’ve probably told you this already, but I’m excited to announce to the world that I’ll be rejoining the NYU Technology Security Services team full-time starting on April 15th. This is my post-graduation, real, full-time, proper, grown up job and I’m thrilled to sign there after an eighteen-month stint at NBC.

Naturally, in classic fashion there were some celebratory libations in the village with my new colleagues. We paid a visit to Little Branch, owned and operated by the creator of Milk and Honey, the hallowed, super-secret speakeasy that I’m, frankly, not nearly cool enough to have the unlisted number to, let alone actually attend. The bar is as a bar should be: smallish, dimly lit, clean, tidy, and specializing in precisely one thing: drinks. Little Branch prides itself on mixing drinks in the manner they were mixed at the time of their creation. Their menu is small, but the expertise of their staff spans decades of cocktail history, and a popular choice is to ask suggestions of the bartender or waiter, who will expertly guide your beverage choice based on your suggestion of liquor, flavor, and so on. Some noteworthy drinks from the table:

  • Gordon’s Cup: Mint and Cucumber muddled with Gin, with a pinch of salt and a dash of bitters. Outstanding.
  • Vieux Carré: Rye, Cognac, Sweet Vermouth, Benedictine, and bitters. Rather like a Manhattan, but, well, better.
  • Little Italy: Can’t quite remember. (What can I say, it was the last round.) Most likely Bourbon, Vermouth, and Cynar. Bitter as hell, but very tasty.

Many thanks go to Jane and Chris for doing the necessary reconnaissance work and introducing me to this fine establishment; I can’t wait to return.

iPhone SDK is Here! (Sort of)

March 7th, 2008

If you’ve been online for more than a nanosecond today, you’ll no doubt have heard that the Software Development Kit for the iPhone is being released today as a public beta. This is a huge deal: Upon its introduction, development on the platform was strictly limited to Apple only.

As someone who’s spent the last few months (quietly) studying the iPhone hacker community, I wonder what will happen to the vibrant, largely noncommercial group that has been devoted to enabling third-party applications on the iPhone, minus official Apple support. My bet is that the community will redouble its efforts around distributing SDK-created apps that have not been vetted by Apple through a mechanism other than the new iTunes App Store. Hackers tend to favor entirely open systems, and while the new SDK makes the platform far more accessible than it was yesterday, it will still be somewhat restricted, notably in the areas of SIM unlocking and VoIP via cellular data. I expect to see the SDK fully reappropriated to those tasks.