Safe at Home
When my husband and I moved into our new Park Slope apartment last November and started cleaning, I ran into this safe, conspicuously stuck in the middle of the living room wall. For lack of reference in the picture, I’ll tell you that it’s about 12” square (or cubed, I would assume). It was painted shut and into the wall in a relatively successful attempt to minimize its “decorative impact.” Well, that was before I busted out the super-toxic paint remover and freed that baby up!
The mystery is overwhelming… what could be in there? Old documents, piles of cash, a handwritten joke, absolutely nothing???
You can imagine my excitement, then, when the list of talks for the upcoming HOPE Conference was just released:
Eric Schmiedl
Despite many appearances in film and television, fairly little is widely known about how safes can be opened without the proper combination or key. This talk will attempt to address some of the questions commonly asked about the craft, such as is it really possible to have a safe open in a minute or two using just a stethoscope and some clever fingerwork? (Yes, but it will take a bit more time than a few minutes.) Are the gadgets used by secret agents in the movies ever based on reality? (Some of them.) The talk will cover several different ways that safes are opened without damage, as well as the design of one lock that is considered completely secure.
There is hope yet! (no pun intended).

Dual English-Korean keyboard from which this post is being written.
In true Schroedinger homage, I’m writing this post from a duality of locations. In the one sense, I’m reporting from The Last HOPE - hacker conference. In another sense (an albeit more physical one) I’m sitting in NetZone Internet Cafe in the middle of Korea town.
I’m not sure which location is more absurd. The convention has a few thousand people and at least that many electronic devices. There are hundreds of computers doing myriad tasks; it’s an unabashedly proud electronic war zone. I’ve been live tweeting the entire thing from my BlackBerry to much success, but I would no more sit down at a machine and enter a password there than I would leave my car unlocked with my purse and keys inside in the middle of a bad neighborhood. It’s bad enough that the reception in some of the conference rooms requires that I connect to the open WiFi to get a data connection. So…. in a somewhat ironic twist of fate, I’ve ventured into this room on the fifth floor of an anonymous building with roughly 20 computers of various shapes and configurations (all covered in the same layer of filth) to finally spit out a few words before the best details of my recent experiences escape me. Thanks, mobile Google Maps.
It will take more than one post to cover my thoughts on what I’ve seen so far at HOPE. There have been some exemplary talks - U. Penn’s presentation of their results from auditing the ES&S electronic voting machines (laughably insecure) to Prometheus Radio’s panel on “How to Share Your Love of Technology with Non-Technical People” that intermixed their stories of building low-power radios in depressed Kenyan neighborhoods with a decidedly Utah Phillips-ian discussion of growing up invisible to one’s own technological privilege. The people are, of course, a varied bunch. There are your stereotypical coke bottle eyeglass geeks, your old (in technology years) ham radio operators, your young tattooed cyberpunks, etc etc etc… and a surprising number of women. Both my experience as a woman participant and my views of the place of other women at HOPE will require a full post in and of itself. In fact, you’ll be able to find it on .51 - Geekspace for Women blog. It’s coming Maria, I promise!
In addition to the good quality photos that will be up on flickr soon, so far I’ve managed to upload two quick (not so good quality) videos while brushing my teeth and running out the door this morning. They cover two projects using light and movement to create really neat artistic visualizations. You can find the 3D Volume Visualizer (way cooler than the video shows) and Persistence of Vision clips on YouTube.
Sometimes you just wish there were more hours in the day!

After The Last HOPE, one would assume I’m full up on Essence ‘o’ Hack™ for a while, but I admit I am somewhat disappointed that I can’t go to DEFCON or Black Hat. I mean, they’re on my birthday.
Reading through the nominees for the 2008 Pwnie Awards offers some comfort, though. A few highlights from the nominee list… noted not for their potential to win, but for the hilariously caustic severity of their descriptions:
Nomination Category: Best Server-Side Bug
Discovered by: Nikolaos Rangos
This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus’s Law clearly does hold: “Given enough eyeballs, all bugs are shallow”, even the ones that we knew about fifteen years ago.
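The nomination above describes a classic shape of bug: an attacker-controlled string (the recipient address) is pasted into a command line that popen() hands to /bin/sh. The example below is added here to show that pattern and its fix side by side; it is not ClamAV’s code, and the sendmail path, the regex and the sample recipient are all my own assumptions. The “vulnerable” function only builds the command string and tokenizes it the way a shell would, so nothing is executed; the hardened function validates the address and passes it as a separate argv element with no shell in the loop.

```python
import re
import shlex
import subprocess
from typing import List

# Assumed sendmail path; ClamAV's real invocation is not on the page.
SENDMAIL = "/usr/sbin/sendmail"

# Constructed sample input: an address with a shell command separator tacked on.
INJECTED_RECIPIENT = "user@example.com; echo injected"


def vulnerable_command(recipient: str) -> str:
    """1993-style pattern: the recipient is interpolated into one string that
    popen() would pass to /bin/sh, so ';', '|', '$(...)' etc. are interpreted
    by the shell rather than treated as part of the address."""
    return f"{SENDMAIL} -i {recipient}"


def shell_sees(command: str) -> List[str]:
    """Tokenize the command the way a POSIX shell would, keeping shell
    punctuation as separate tokens, so the injected command boundary is visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


# Allowlist for the local part and domain of an address (an assumption; RFC 5322
# permits more than this, but a mail scanner can afford to be strict).
RECIPIENT_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def safe_argv(recipient: str) -> List[str]:
    """Hardened form: reject anything outside the allowlist and build an argv
    list. Each element reaches sendmail verbatim; no shell ever parses it."""
    if not RECIPIENT_RE.fullmatch(recipient):
        raise ValueError(f"rejected recipient: {recipient!r}")
    # Argument injection is a separate hazard from shell injection: a value
    # starting with '-' would be parsed by sendmail as an option, so refuse it.
    if recipient.startswith("-"):
        raise ValueError(f"rejected option-like recipient: {recipient!r}")
    return [SENDMAIL, "-i", recipient]


def send_notification(recipient: str, body: str) -> None:
    """Deliver a message through sendmail using the validated argv (no shell)."""
    subprocess.run(safe_argv(recipient), input=body.encode(), check=True)


if __name__ == "__main__":
    print("shell would see:", shell_sees(vulnerable_command(INJECTED_RECIPIENT)))
    print("hardened argv:  ", safe_argv("user@example.com"))
    try:
        safe_argv(INJECTED_RECIPIENT)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

Run it and the first line shows the shell splitting the popen() string into two commands at the `;`, while the hardened path refuses the same input before any process is started. The validation is belt-and-braces: the argv list alone already defeats shell injection, and the allowlist additionally closes off option injection and keeps unexpected characters out of the mail pipeline.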
Wonderware
Nomination Category: Lamest Vendor Response
Response to SCADA denial of service vulnerability
CORE security reported a denial of service vulnerability in Wonderware’s SCADA software. It is no wonder that the vendor took a long time to even acknowledge the vulnerability and their response indicated total incompetence:
QuickTime (CVE-2008-*)
No, this nomination is not for a vulnerability in Apple QuickTime, it is for QuickTime itself as a client-side vulnerability. A quick search of CVE entries yields 62 vulnerabilities in Apple QuickTime just in the last two years. The discoverer of the next QuickTime bug wins a free trip to the salad bar. Who would have thought that putting code originally written in the early nineties into a web browser would be a bad idea?
And do be sure to check out all the nominees for Best Song.

amberella (me), live-tweeting from HOPE
Before The Last HOPE, ubergeeke over at .51 - Geekspace for Women asked me to keep her in mind for a guest post about the role of women in the conference. I apparently wrote her a book.
How is it that as an increasing number of women graduate with Computer Engineering and other technical or hard science degrees and girl-geek culture explodes thanks to New Media™, that there is not a commensurate increase in women’s contributions to the hardcore techie and hacker community? It’s no longer difficult to find women espousing their love of iPhone apps and digg.com – the problem is finding those that want to infiltrate the realms of bug trackers, penetration testers, and the corporate suites reserved for CTOs and CISOs.
This should mark the end of my HOPE related posting, as far as I know. If there’s something you’re interested in hearing about, let me know.
NYC Resistor Soldering Championship
In retrospect, it’s kind of amazing they didn’t short the whole place out.
This happened last week at M1-5. It was followed by the Ignite NYC presentations where 16 people presented 5 minute talks on pretty much anything (think types of physical computer interfaces to the NYPD’s training for undercover hookers to starting a guerrilla knitting group in your community) supported by a slideshow that auto advanced every 15 seconds. It was like speed dating for your brain.
I was going to write something more extensive about how revolutionary the atmosphere was, but since it’s already been covered in the New York Times and (derivatively) Laughing Squid, I will refrain. Suffice to say, it was awesome.
From the NYT:
Now, young Internet entrepreneurs, some holdouts from the old days and a few members of the city’s creative class (and underclass) are engaged in a new type of party, which mashes together Silicon Alley 1.0’s camaraderie and optimism, meetup.com’s spontaneity and informality, Burning Man’s home-brewed creativity, and a technology conference’s devotion to unveiling ideas. These days many of the ideas are about producing and delivering video content.


Commercial Flights: Ernie
Everything Else: Bert
Let everyone know how seriously you take our nation’s terror alert level by adding it to your website of choice. Brilliant little graphic sourceable from Geek and Proud, shamelessly stolen by me from Cheshire Catalyst.
During the brief respite between speeches from the CEO of Bank of America and George W Bush (still to come in 5 minutes) and watching the economy plummet into an ever deeper pit of despair, I managed to notice a little blurb about the CERN website being cracked. Apparently a Greek team referenced 2600 in their responsibility claim. Why? Who knows. At least it wasn’t worse.
Scientists working at Cern, the organisation that runs the vast smasher, were worried about what the hackers could do because they were “one step away” from the computer control system of one of the huge detectors of the machine, a vast magnet that weighs 12,500 tons, measuring around 21 metres in length and 15 metres wide/high.
If they had hacked into a second computer network, they could have turned off parts of the vast detector and, said the insider, “it is hard enough to make these things work if no one is messing with it.”
via Telegraph
Dave Lewis over at the Liquidmatrix Security Digest notes:
Um, whut?
Why isn’t this 3 billion € machine segregated? This seems to be akin to attaching a SCADA network to the internet. Not the wisest idea. So what was this website running on before it got taken down? Well, as of Sept 10th it was reporting “Apache/2.2.4 (Unix) DAV/2 proxy_html/2.5 mod_jk/1.2.20 mod_ssl/2.2.4 OpenSSL/0.9.8d ” on Netcraft. Well, running a pwnable version of Apache is a good indication of how they got access.
I don’t really have anything to add to that. Back to watching the Street hide under its collective desk, waiting for the fallout.
It seems yesterday’s picture of the new computer generated some confusion. Let me clear it up for you.
Kevin Rose & Alex Albrecht pimping out Diggnation on the new Late Night with Jimmy Fallon. Our little boys are all grown up.
In other stuff-I-put-on-flickr news, I finally finished uploading and captioning a walkthru of a case mod I did back in 2005. It was all about this clear/UV reactive spraypaint and neato japanese designs. Check it out, yo.
Also - there’s a thread from back in the day discussing it on TheBestCaseScenario, fyi.
Based on Postage by Greg Cooper. Everything heavily modified by me.