Archive for the ‘CAU’ Category


August 9, 2007

DEFCON 15, in their second year at the Riviera, seemed a little more settled than the turbulent vibe from last year. Unfortunately DEFCON already seems to be outgrowing this space as a couple of the talks I wanted to see were standing room only and attendees were spilling out into the halls.

The badge this year was a large rectangular PCB with the DEFCON logo parts down the left side and the letters “DEFCON” down the right side. In the center, oriented vertically, was a mini LED pixel display which was controlled by an on-board chip. In it’s default state, the display scrolled the text “I <heart> DEFCON”, however you could program the display through various sequences of pressing your fingers to the DEFCON logo parts down the left side. The badge this year was interesting, but it definitely had some quality issues. The controls to program the scrolling LED display were too easily triggered accidentally, causing most badges to be usually scrolling one of the menu texts instead of the custom message. Also, toward the end of the conference I was seeing a lot of the badges with stuck displays, only having a couple of random LED pixels lit up on them. The badges may have also been a little over-engineered as the instructional poem in the DEFCON book alluded to being able to solder on more components like an RF transceiver, an accelerometer, and potentially some other stuff. I identified at least three different places where you could add components to the badge. There was also WAY too much information about the badge in the DEFCON book such as what types of components you could add, where to get complete source code, how to debug it, etc. This seemed way more like being led down a path than actually being able to “hack” the badge.

Due to speaking this year and having a bunch of friends from DFW in town partying and gambling I didn’t really do the DEFCON social/party thing. I didn’t even have time to attempt Caezar’s Challenge, which from what I could tell merged this year with the Ninja Networks party since the challenge was on the back of the Ninja party pass. Oh well, the couple hundred bucks I made playing BlackJack and hanging out with my DFW friends was worth it.

Out of the presentations and events I attended, here’s my thoughts:


April Fools!

April 1, 2007

April Fools Day has always been a fun day for technology people, especially online. It seems to have become even more so for security people, as every April 1st the security mailing lists get hit with lots of April Fools advisories, fake tool releases, fake announcements from big projects and organizations like Metasploit and the EFF, fake RFC standards, and just an overall flood of craziness.

Of course I have to contribute, so every year I put out an April Fool’s security advisory. The one I released this year was entitled Window Transparency Information Disclosure.

Apparently, so far this year, mine is Bruce Schneier’s favorite, which he noted on his blog. Something I always try to accomplish with my April Fools advisories is to make them believable while still being fairly ridiculous. One of the comments to Schneier’s blog post by “Alex” points out the legitimacy of the vulnerability described in my advisory and calls into question whether or not it is actually an April Fool’s joke, which is exactly the reaction I always shoot for (:

You can find the definitive list of online April Fools jokes for 2007 here.

Crack crack crack, all day long…

February 7, 2007

The other day while migrating data from my old Linux workstation to my new one, I came across a file that had my login credentials for both my personal account and the CAU team account over at If you’re not familiar with, it’s a massively multi-player (heh) encryption-cracking effort. By sheer force of numbers, they have in the past cracked crypto challenges for the RSA’s DES II-1 and DES-III challenges (they lost DES II-2 to the EFF), RSA Labs’ RC5-56 and RC5-64 challenges, the CS Communications & Systems cipher challenge, and others. The way it works is, you, the average computer user, download the client application (dnetc) and run it on your computer. You can configure it to only run while your screen-saver is on, or you can configure it to run in the background at all times. Either way, when your computer is idle, it will use those idle processing cycles to work on a chunk of crypto data that it has downloaded from the available work-pool at Essentially, it contributes to the community workload when you aren’t using your computer.