Security Conferences

I attend various meetups and conferences to hack code and pick locks with folks and otherwise geek out. Most of these events are centered around computer security, but there is a lot of crossover with lockpicking. I'll be documenting with text and pictures any security events I hang out at here.


Black Hat 2011 + Defcon 19

Just got back from doing Black Hat and Defcon. My buddy Datagram and I taught a two-day training course at Black Hat called Tampering with Security Seals. It was a great time and the students really enjoyed it. They even came up with and executed a few previously undiscovered seal defeats. At some point, "someone" tamper sealed the training room door closed. The next day the seals were broken, so it was obvious that the hotel staff had been in there.

The image on the left is my Defcon 19 badge sunglasses. I bought the second badge for the glasses from a dude and threw them together using my mill and a pair of pliers. I'll be replacing the baling wire bits with some nice machined brass when time permits. My time at Defcon was completely dominated by participating in Dark Tangent's Tamper Evident Contest as part of The Motherfucking Professionals. Having won the previous year and, in the meantime, hosted two other tamper contests, we were pretty prepared. In addition to a new solvent for adhesives, we found quite a few new vulnerabilities in mechanical seals (all of these were used in the contest). Before Defcon, we machined a custom setscrew holder for gripping bolt seals in a power drill and pulling them apart (the so-called "spin attack"). We also machined recrimping dies for the previously very secure metal-ball seals. We used a Dremel to cut the ball off the target seal and then replaced it with two pre-cut ball halves before crimping them together. The result is an almost perfect defeat. After some of the mechanical seals did not respond to shimming, we cut them and were able to melt the plastic back together. Next we experimented with methods to refinish the plastic. The result was very convincing (and almost fooled the judges completely in one case). Another highlight was improving our electrolysis defeat for padlock seals. The metal clips did not dissolve fully, but we salvaged it by bending the clips outward and sharpening them so that they dug into the plastic seal body. This passes the tug test and allows an attacker to return and instantly reopen the defeated seal for repeated surreptitious container access.

In all, there were 3 levels of boxes that the teams had to work through. In the end, it came down to our team vs. Covert Penetration in a bonus 4th round. Dark Tangent gave us each a bottle of Jägermeister sealed with an electronic tilt-sensitive combination seal. We were to defeat the seal, drink the liquor as a team, replace it with something that looked similar, reseal the bottle, and rearm the seal. Both seals ended up being tripped (blinking red LED). After pouring the shots and downing them, we cut the line at a nearby Starbucks and requested the blackest and most syrupy coffee they had. Using a paper cup as a funnel, we filled the bottle. Our teammate, mmca, managed to brute-force the electronic combination and disarm the device but did not know the combo. He continuously waved the seal around to keep it from rearming until we returned with the bottle. Once resealed, the bottle automatically armed itself after sitting still for one minute. The total time to defeat was around 5 minutes... Great success!

We ended up winning the tamper contest and got free entry to Defcon for next year (but no black badges, maybe next time). It was a lot of fun, a lot of work, and took up a ton of time. For example, on Saturday we worked from 9AM until 5AM on nothing but this contest. In the end, it was worth it and we look forward to competing again next year.





LayerOne 2011

Show up at LayerOne...it is made of win.








Toorcon 12

Now that I'm out here in San Diego, it was time to finally go to Toorcon. It's a smaller con than, say, Defcon but way better in my opinion. There was a much higher concentration of smart and passionate people. Everyone pretty much knows everyone else and I got to meet the world. I didn't attend a single talk just because I had a lot of other things going on. Also had a great time at the various parties; overall it's a really cool crew.

Most of my time was spent winning the badge hacking contest. I wrote a lot more on this in the Electronics page. There were some other cool entries; I already described the second-neatest hack on that page. The dude used shift registers and a full size Arduino to individually address almost all of the LEDs he put in. Another really slick one used an analog clock (with hands) module to make the badge into a clock. It didn't stop there, however; she also populated the board with LEDs at each hour mark. She then ran current through copper foil on the hour hand. When the hour hand passes over the hour marks, this foil bridges to foil circles to complete the circuit for that LED. So as the hour hand moves around and passes each hour mark, it lights up the corresponding LED. One guy made a clock and threw it on a paper plate with a yellow plastic chain Flavor Flav style. His video submission for the contest was something like "vote for me, bitches!". One guy that had really minimal electronics experience wanted to alternate blinking half of the LEDs but had no microcontroller. I let him know that he wanted an astable multivibrator, he looked it up, and built it. The con was shutting down before he could finish troubleshooting to find why it wasn't working so I hope he took another look at it at home.

The other thing I did was run the tamper evidence contest with datagram. We built 7 tamper-evident boxes filled with various puzzles, security envelopes, a bank bag, evidence bag, mechanical seals, etc. My favorite part was something that I built for the contest (one in each box). I may move these details to the electronics page later, but it was an electronic tamper box (video here). When the teams open the box to get a code inside, it trips an RS NAND flip-flop and makes an LED come on. They must reset the state while bypassing the metal lid until it can be screwed down. If the lid loses connection with the box for a split-second, the tamper indicator trips again and they have to reset it. I did build in an easy bypass for the lid in the form of an audio jack. So the trick is to use a mono headphone plug with the contacts shorted together while you reset the seal and put the lid back on.

In the end, the team "Covert Penetration" won the contest so congrats to them. They also documented everything at this blog. Gabe Lawrence became my team's impromptu photographer while we were winning the Defcon tamper contest, so his team had a bit of an edge. Most of the photo links on this page came from there so be sure to check it out for a ton more detail including defeat methods. The second place team "The Couple" did really well and have performed the best defeat ever on the metal ball seal (carefully picked like a lock). It was awesome that they did so well because they had no idea that the contest was happening. I talked to them randomly and we convinced them to try it out. They got a custom printed "1st Place Loser" shirt for the 2nd place prize; first place got a ton of tamper devices and donated swag from the vendors; thanks! The last place team was hilarious. They took their entire box drinking all night. It got run over by a car, envelopes and tapes ripped open, etc. They did manage to defeat the electronic box perfectly, though.





DefCon 18

So this update is about a month late but whatever. Datagram, stderr, and myself drove out to Vegas from LA and checked into the Circus-Circus. Apparently, getting there on Thursday means you don't get a cool-guy badge but it's cool. I didn't go to many talks but Marc Tobias' was decent; he covered a lot of random lock/safe defeat that fell into the "doh!" category of security engineering. Also got to meet Clyde Roberson of Medeco again. I promised him and Marc each a Medecoder (actually I promised Marc one two years ago... he does not forget or forgive :-)). I've been slowly getting these tools finished along with one for myself; been using a crappy paper scale tool for a while now.

I've been hanging out at Null Space Labs up in LA a lot lately. Thanks to mmca, I was able to try out the DefCon partying thing and meet a lot of cool folks that way. Ran into a dude at the Ninja party wearing a Tusker beer shirt (Kenyan brew) and had a good time talking about Africa. Also finally met pyr0 at the tail end of the 303 party; cool dude for sure. Thanks to TOOOL, I got to run around to Summit teaching folks to shim open handcuffs and giving out keys. Ended up staying awake from around 6AM on Saturday until 2AM on Monday.

By far, the highlight this year was competing in Dark Tangent's Tamper Evidence Contest. Datagram, mmca, scorche, and myself made up the team "The Motherfucking Professionals". I've also gotta give mad props to scorche's girlfriend Charlotte. She helped us out in defeating a ton of these devices and tolerated their hotel room being turned into a security lab for 2 days. Also, thanks to Gabe; this dude was wandering by and saw us working on the box in the contest area; he tagged along and took photos of pretty much everything. His documentation was a great help; most of the photos linked here are his. Check out Gabe's Flickr account for tons more.

The contest itself was awesome. The staff gave each team (17 total iirc) a box which had been sealed with tamper-evident tapes and security decals. Inside this box were various envelopes and a sealed plastic bag which you must get into to change documents inside, etc. We used solvents like isopropyl alcohol and acetone to defeat the adhesives. Another big part of the contest was documenting every defeat for submission to the manufacturer (mostly ULine) and eventual public release. We ended up running all over town to find replacements for the security envelopes. Apparently everyone is afraid to copy envelopes for fear of jamming their copiers. The Riv's business center was awesome and let us play with it until we got it right. During the course of running around, we ran into the Fedex/Kinko's that made the paper badges for DefCon. The girl behind the counter saw mine and complained about spending hours cutting them out of laminate. My social engineering skills were too weak/nonexistent to convince her to laminate a few more and sell them to me.

The coolest part of the contest was the mechanical seals. We had to defeat several mechanical tamper devices and move them from one short length of chain to another without leaving evidence. The metal ball was interesting; it uses a small keyring-like clip enclosed in a steel ball to lock two ends of metal strap together. I ended up carefully cutting off a ball from a spare that we brought along. Next I destroyed the ball on the target device and inserted its bands into the spare ball. A little crimping with pliers completed the defeat. Team Obsinisize actually got leet on it and picked the ring off, but scratched up their metal bands too much to get the full points. Mmca used dry ice to break the plastic bond on one of the plastic seals. He then glued in a replacement plug for it for a flawless defeat. My favorite was my defeat of the plastic padlock seal with a metal clip. I used electrolysis to dissolve the metal clip without hurting the plastic and then inserted a replacement clip. By submerging the seal in a solution of salt water and hydrochloric acid and then running 5Vdc through it, the clip dissolved nicely. Also made sure to use an Arduino as a power supply for the street cred. This was, by far, the most ridiculous defeat of the contest; but it worked and I don't recall any other team beating it to the degree that we did.

Hauling all of the gear back and forth from my car was a pain and I thank the team and Schuyler Towne for that. In the end, it was all worth it: We won the tamper contest. Team Obsinisize did much better on the adhesives than us and we only beat them by 4 points (total around 50) because our mechanicals were awesome. Because this was the first of its kind, we were all pretty much working blind. There was pretty much no prior public documentation for defeating this stuff but that made it really fun. Next year will be more challenging and the competition is expected to be fierce. I think we won because we bought a bunch of seals beforehand, practiced our asses off, and brought a ton of gear along. We were also completely obsessed and spent a ton of con time on it. We didn't get the coveted Black Badges for winning, but next year they will be the prize. We must emerge victorious again!



The Next Hope

I just got back from this year's HOPE conference and had a great time. For those that don't know, Hope is a security con that is held once every two years. It is similar to Defcon but tends to attract a more colorful crowd and is a bit more politically and socially aware. My own politics/ethics (I'm not a socialist/hippy) differed greatly from the majority of these folks. This is not a bad thing! It made for some lively debate and fun conversations in which a mutual respect was enjoyed.

The biggest story from the con was surely the Wikileaks affair. I'm not going to explain the whole story here, but I encourage you to give a google for some of the terms I mention here and explore the reports. Jacob Appelbaum gave a presentation on behalf of Wikileaks, spoke about the organization, and praised Bradley Manning. After the talk, a doppelganger dressed as Jacob and surrounded by staff ran out of the room as a decoy. This was done to distract the feds... Oh yes, there were several civilian-clothes feds standing in the back of the room. By the time the presentation started, everyone there knew exactly who they were (Jacob acknowledged them as well). Anyway, the speaker slipped out the back way and flew back to Europe. At the end, the famous leaked video 'Collateral Murder' was shown.

There was a second talk given by a panel... and Adrian Lamo. This is the guy that informed on Manning after he bragged about leaking classified diplomatic documents to Wikileaks. As a result, Manning is sitting in jail in Kuwait basically waiting for his life to be ruined. This was, by far, the most hostile audience I've ever seen (which made it entertaining). Lamo showed a lot of guts by getting up there and defending his actions. Given the views of the majority of the crowd, this talk could have gone much worse than it did. Attending these talks and seeing both sides of the story was a good time.

As usual, I spent most of my time in the lockpicking village. I gave a few introductory talks, talked locks, met old and new friends. One of the folks that I was surprised to meet was Clyde Roberson of Medeco who stopped by to check the place out. I was also excited to meet a fellow who goes by the alias nostromo who brought along a ton of homebrew tools and was very generous with them. He was still teaching newbies toward the end of the con when many of us were getting burned out. I also enjoyed meeting sfi72; this guy can pick! Of course, the regulars were there and it was great seeing these folks again: Doug, Schuyler, Squelchtone, Matt Fiddler, Eric Michaud, Babak, and of course Deviant Ollam. I know there were others, but this paragraph is already heading toward being just a listing of cool people. Anyway, I also gave a Medecoder-building workshop to 10 participants and a few spectators. Being relative newbies and one out-of-practice has-been, we didn't have as much success opening the locks as I hoped. But I accomplished the goal of teaching everyone how to build the tools and how to use them. Please keep practicing, improve the design, and let me know how it goes. This was definitely the most successful lockpicking village at Hope yet; it was packed most of the time despite being somewhat hidden away. Although we do not approve of this sort of behavior, it was somewhat amusing to see things like this around the hotel.

There were also quite a few picking contests happening that were a lot of fun. Schuyler Towne won the final round of Lockpicking Wizard against Doug Farre. The original goal was to throw a bunch of locks and tools into a burlap sack and get them open without looking. For the final round, this was done outside the sacks with blindfolds on for the enjoyment of the audience. It was an awesome contest and everyone had a great time; this one needs to stay around. After I abandoned Doug Farre to watch a talk, Jgor teamed up with Schuyler to win the Defiant Challenge contest. This involves picking as many locks as possible while handcuffed together and then escaping the cuffs in the final seconds. My favorite contest was much less frenzied and lasted 24 hours: the Points Competition. Jgor won this one and did an awesome job; I believe he opened two more locks than I did which left me with second place. I missed the Connect-4 contest which involved picking locks on a board to create rows of locks before your opponent. The craziest contest was the Banana Contest. This invited everyone that could fit to simultaneously start picking a big connected cluster of easy padlocks as fast as they could before the timer ran out. Doug Farre killed this one but everyone had an awesome time.

I also checked out part of Robert Steele's talk. I say "part of" because the man talked about politics, intelligence, and tradecraft for 8 hours. To make this clear, he did an 8-hour-long question/answer forum. It was funny watching the hippies attempt to use this as a platform to tell everyone about their various pet causes instead of inciting meaningful dialogue. Thankfully, he shot these guys down quickly to keep it moving. If Steele had let all of these guys go on about everything from eating vegan to 9/11, he would still be there. While I'm mentioning talks, there is a website that is getting updated right now with video of all of the presentations: HatTorrents. Check these out, there are some good ones.

The con wasn't all rainbows and gummi-bears, however. My magstripe room door lock decided that its battery could give out. So after relying on random cleaning staff folks walking around to let me in for a while (no ID, knowledge, or social engineering needed, btw; just ask), I asked for maintenance. They didn't solve the problem, but did let me get a look at their door programmer while fumbling with it. The airport was insanity with delayed flights and cancellations. My advice: never fly AirTran... ever. I ended up spending around 20 hours solid sitting in the airport and only got home in less than 3 days (literally the alternative) by taking a refund and buying a very expensive one-way ticket. I won't go into all the details but the experience included a flight that was 2 hours late and 3 hours on the tarmac before returning to the gate to refuel.

Overall, this was a great time and I recommend everyone try to make it out there for one of these. I met so many more interesting people and saw cool things than I can fit here. As I dig up good links, videos, etc. from Hope, they'll be integrated here. See you guys at Defcon :-)



Los Angeles Locksport

This is a brand new group that Datagram and I started up in LA. It's hosted by a hackerspace called Null Space Labs which is an awesome location. I drive up from San Diego to attend these meetups and recommend you all do the same. There is a good chance that this will become a Locksport International chapter in the future; we are still gauging interest at the moment. We are meeting on the third Friday of every month for now, but keep an eye on the Locksports Local forum at lp101 for updates.




18JUN10 - Tons of people showed up for this one. Some we knew and lots that we didn't. Datagram gave an epic presentation that lasted for hours. We played around with using cooking molds to cast copies of keys and it was a lot of fun. There were so many interested folks that we ran out of chairs. If this is the future of LA Locksport, I welcome it.

21MAY10 - We had a pretty good turnout of around 8 people for this first meeting. Datagram gave an introductory picking talk. The fellow that runs the space, M, figured out a way to non-destructively defeat the new Master One padlocks. It turns out, you can just remove the security screws from the back and play with the mechanism to open the lock. Datagram and I worked on picking BiLock a bit and are getting very close. There was also some discussion on future meeting ideas; building lever locks and doing impressioning are planned.