Maker Faire: San Mateo Fairgrounds

I just got back from Maker Faire in San Mateo, California. I went with a whole group of students, in the UAT van and drove from Phoenix to San Francisco in 14 hours. 10 of us, packed into a tight space for 14 hours, it was a blast. Most of us slept on the way there, trying to catch up on the sleep we had not had because of finals week. When we finally got to San Mateo we went to our hotel, a dump, to say the least. The Hillsdale Inn sucks. We got there and the lady at the registration had clearly been drinking, and kept walking away from the front desk to the bar. At the same time our leader LostboY (Ryan) was trying to get things sorted, as the lady said we had not paid for the rooms yet, when clearly she had the credit card data on file, AND the credit card showed that it had been charged. She tried to run the card again, but since it was a duplicate charge, american express denied the charge. Eventually she gave us the keys after recording all of the people who would stay in the Hotel rooms ID's.

We unpack the van, and get ourselves situated. We locate a restaurant and head out to go eat dinner. We end up failing to follow the GPS, and we end up at a Denny's, not everyone was too happy, but at least it was food. Sarah one of my room mates who is also on the trip ends up getting sick. We drive back to the Hotel so she can go to bed, as we all have to be up early in the morning to get to the Faire in time. When we get back to the Hotel we find that they have locked us out of the rooms, our stuff is still inside. Ryan goes to the front desk and calmly asks them to unlock the rooms, and asks why they were locked in the first place. At this point someone who was at the bar comes out, and wants to start a fight with Ryan. It is at this point that the front desk lady gives us a few minutes to grab our stuff and get the hell out of there. She is swearing, and at this time heavily intoxicated. We quickly grab our stuff, and throw it all back into the van. At this point the lady threatens to call the police, so we preempt her, and do exactly that. We end up waiting outside in the cold of the night at 0130 in the morning until the San Mateo police arrive so that we could tell them what happened, and to be able to double check both rooms to make sure we did not leave anything behind, and also get the names and numbers of the people involved. Ryan decides to not press charges.

We start looking for new Hotels almost immediately, using the GPS that Ryan brought with him, we find a Best Western right across the highway, and they have two rooms available. So after wrapping up the business with the police, we head over there. We walk in, the lady is extremely nice, gives us our cards to the rooms, and we finally are able to get to a nice hotel room. No identification required, no threats, no problems what so ever. She even gives us a discount when we tell her our horror story about what we just went through. It was a nice change from what had happened.

We finally got situated in our hotel rooms by 0230 in the morning, and we did not fall asleep until 0300 or later. Ryan and I got up at 0600 in the morning, took a shower and left for Maker Faire at around 0700 to help Jon and John from EFX Tek set up their booth (Ryan is part of their company). Ryan had told me much about the two of them, and it was awesome to finally get to meet them in person. They exceeded the expectations that Ryan had set by just talking about them. They are extremely awesome and knowledgeable guys, who have amazing pasts, and really interesting hobbies. They have one of the most awesome booth designs I have ever seen. It came out of two large shipping crates, was made out of solid wood and was panelling that all fit together in an organised fashion. This was a well thought out and perfectly engineered booth.

We finished setting up at around 0930 in the morning. I had been running on 3 hours of sleep, and I was not yet feeling tired at all. Maker Faire just opened for the day, and people are slowly starting to trickle in, as I walk around I already see some very amazing projects in motion, or being worked on. At around 1000 or so the others finally head over to the Faire from the hotel. It is at this time that I start looking at things. The amazing projects people have worked on to show case. Everywhere I go with Ryan people recognise him, or he recognises someone. There are even several people from Defcon there to check things out and they all come over and greet Ryan, mostly to ask him about his Mystery Challenge. What was most interesting is that people were protesting fossil fuels by burning fossil fuels. Beautiful irony, damn hippies. I did get to meet Johnny Lee of Wiimote hacking fame, with the tracking of the pens using the infrared camera in the Wiimotes. Sean and I had worked on replicating one of his many set ups using very simple parts, just to see if we could and it was really cool to meet the person who started it all. Day 1 for the rest was rather uneventful, mostly because I was getting way to tired to enjoy walking around. My feet really hurt, mainly because I had been standing all day, and with very little sleep. At night Abney Park would be playing, I ended up not going to their show mainly because I was too tired and I really did not want to be on my feet any longer. We went out to TGIF for dinner, and then I went straight back to the Hotel. I don't remember much of the rest of the night, other than that I fell asleep!

The next day we all woke up at around 1000 or so, we went out to breakfast at Denny's, had a big breakfast and then headed out to Maker Faire at around 0100 or so, we go there and the parking lot was full, but we all had special badges we had acquired, so we talked our way past the security guard. And guess who was waiting to get in, but the security guard not knowing who he was would not let him in. Adam Savage from MythBusters. The guard did not know who he was and would not let him in, and he needed to be on stage in the next 20 minutes to give a presentation. Eventually Ryan talked the security guard into letting Adam and his wife and kids into the parking lot, at the same time handing over his business card. We park the van and start walking in when we notice that Adam has parked and has the badge he requires, so we let him know what gate he should use to enter, and when Ryan mentions he has a bunch of his students with him, Adam tips his hat in our direction. We all nod, in return as an acknowledgement. Adam's presentation was about his Maltese Falcon and the story behind how he got started making things, building models and everything along those lines. His work has been featured in many movies, including Star Wars, AI, and many others. It is really cool to see some of the work he has done, and how he obsesses over the smallest details. Afterwards Ryan and I head over to tech shop to get our laptops laser etched. He has his Asus eeePC with him, and I have my MacBook Pro. At first I am hesitant to get it engraved, but when the engraver reassures me that Apple never gave him problems over his engraved iPhone or engraved MacBook Pro I go ahead and do it. My MacBook Pro has now been engraved with my nickname (X-Istence) and the following short program:

#include <stdio.h>

int main() { printf("%c", 0x58);

return 0;

}

Re-sale value be damned, this looks fantastic on my laptop. It took off such a small tiny miniscule layer that you are unable to feel it at all when you run your hands across it. If Apple gives me any crap for it, I will just slap some stickers over top of it, as I had stickers on my laptop the last time, and they were not a problem at all. There was another cool design I could have etched instead, but I did not feel that it spoke to me, it did not feel personal enough, hence the small program and my nickname. It makes my laptop mine. At this point it is already 1740 and the Maker Faire is starting to shut down. They want everyone that is not a "Maker" out of the Fairgrounds as soon as 1800 so that they can start packing up and cleaning the place up. We students all end up standing at the EFX Tek booth listening to John talk about his earlier days working for several major companies, and the state of credit card security, and the security of credit card devices. I wish we could have spent more time with both John and Jon since they both have very different and interesting backgrounds. For example, John is certified to nuclear soldering standards. What this means is that he knows the procedures and steps to solder a joint in such a way that it will be guaranteed good for the next 10 years as the human body can only withstand so much radiation. So much knowledge, way too little time.

Hopefully they will be able to make it out to UAT for Tech Forum to talk about their experiences. It is a Sunday and being the last day we all head out to Maccaroni Grill for dinner. Jon goes with us, unfortunately John had to leave. Dinner with a bunch of college students is always fun, so there are jokes, there is talking, laughing. It is an all around good time. We end up going back to the hotel and falling asleep. Ryan and I both wake up at around 0800 in the morning, we start getting ready, packing things back up into suitcases, taking showers and going for the free continental breakfast Best Western serves. We get everyone else up, so that we can leave to head home. We all climb into the van and head home at 1015. Just over 12 hours later, we get to UAT at 2250. On the trip back home many of us are not feeling too great, mainly because of the amount of fast food we have been eating on the trip, combined with the bad road conditions and the amount of sleep we did not get. We get home without any issues what so ever though.

The weekend was awesome. I really enjoyed myself and would like to thank Ryan for driving there, and back. I am surprised he is still sane after that trip. I would like to thank UAT for paying for the hotel rooms, the gas, and the tickets into Maker Faire. I am glad that I did go after all, at first I was not really sure if I wanted to go since I am not into most of what was shown. However the people I met, the cool things I saw, have planted a few seeds here and there as to what I could do, and who knows what the future holds, maybe someday I will be standing at Maker Faire showing off my cool projects.

AVNet Tech Games: Defense in Depth

Yesterday (I am typing this at 00:02, midnight on Sunday) I was part of a team for the University of Advancing Technology competing in the AVNet Tech Games. I was part of a three man team competing against two other teams in the Defense in Depth game. The game consisted of us setting up a network using gear they provided to us, and locking it down in the time they specified.

The game had three parts.

1. Write a security policy (max 5 pages)
2. Secure the network and the machines on the network
3. Find the rogue access point

The night before we figured we should probably get the paper done, so we started writing this on Friday night. Since my team consists of me, and two room mates, when we get tired we head home and start figuring out what software we want to use. In the end we use all open source software, since the game specifically state that the business does not want to spend money on licensing software. We came up with the following free software to supplement what they already had available:

1. WinPooch
2. ClamAV
3. wipfw (IPFW from FreeBSD ported to Windows. Take note Windows admins!)
4. OpenVPN
5. OpenWRT

What we got was the following:

1. Windows 2000
2. Windows XP
3. Windows 2003 Server
4. WRT54G Wireless Linksys router

The night before we also prepped, we had a friend who had a WRT54G they did not mind letting us flash and use, so the day of, I woke up early in the morning and flashed it with OpenWRT, I set it up, and added certain packages I was going to need to be able to configure it properly. Unfortunately the WRT54G's have less memory than I had hoped for, so I had to reflash the router just to be able to finally finish installing the bare minimum packages I required. You will find out more about the configuration I used on this router as I go along.

When we get to our stations, we walk in, and we immediately unplug our router, and replace it with the one we had pre-flashed. Since it was flashed, we could also bridge it with the wireless network that was available, because of problems with the network drops that were given to us to use by the UAT IT staff. We start getting our updates onto the different machines. This takes for ever and a day. Multiple machines are all rebooting all the time. We started at 0800, by 1030 we have completed about half the updates for all the machines. By 1145 the updates for the Windows 2003 Server have been completed and it is on it's final reboot. The Windows 2000 client had been all ready to go, and set up.

During this update cycle, I had created a domain/activate directory on the Windows 2003 server and then joined the other two machines. We now had a way to log in to all the machines with the same usernames/passwords that we set up in the active directory, so now we could easily share folders and make sure that when people accessed files on the server they had the proper permissions to do so. We set up the anti-virus software WinPooch, we installed the firewall and set up some basic rules. And we started setting static IP addresses on all the different machines:

• 10.55.10.1 - Router
• 10.55.10.2 - Windows 2003
• 10.55.10.10 - Windows XP
• 10.55.10.11 - Windows 2000

At this point I head back into the OpenWRT flashed router, and turn off DHCP for the network. All of them have been set to perfectly static IP addresses, and everything functions as expected. Attackers that want to attack the network will now have a more difficult time trying to figure out what IP address range is in use, where the gateway is, and what the machines on the network is. Especially since most people will blindly try the default ranges of 10.10.10.x, 10.x.x.x and 192.168.x.x.

Now I will give a bit more background on the WRT54G from Linksys, if you are not familiar with it. It contains one Broadcom chip, and 5 ports on the back. 1 WAN, and 4 LAN. The cool thing about these ports is that they really are a switch and they are vlan tagged and then handled differently by Linux because of the tagging. So WAN really is vlan network 1, and the other 4 LAN ports are really vlan network 0. Vlans are a way of splitting up networks into logical segments, without actually splitting up routers and switches. It is a hardware based solution to having multiple routers for multiple departments.

As I mentioned before, we had three computers, and one outgoing connection. So I left the WAN port alone, and the other three computers were plugged into ports 1, 2, and 3. The last port was left open, and a network cable was plugged into it, but was not going anywhere. The contest was being judged on how well we could secure our network, so what I did was move port number 4 to vlan number 2. So now we have the following three vlans:

• 0 is physical ports 1, 2 and 3
• 1 is physical port WAN
• 2 is physical port 4

The hackers that read this blog will recognise what happened next. Nowhere in the competition did it state we had to leave this port connected, or at all accessible. So using OpenWRT's config files in /etc/config I set up a "network" I named blocked. This network was going to have the router have a static IP of 192.168.1.1, and we shall turn on DHCP. We won't allow any outgoing, so really it was a dead port that handed out 192.168.1.x ip addresses, yet it would not allow them to anything on the network. So at one point was I was talking to a cute girl and walking over to the contest area, one of the judges pulled me aside and asked me what the hell was up. Apparently the fact that we had turned this port into a dead port stopped them from doing their judging, which was basically running a Nessus scan over the network (I laughed at this! Suckers). This meant that to do their nessus scan, they would have to unplug one of the other machines and plug in, find the IP range (remember, the other ports don't have DHCP turned on), and then set a static IP and do their scans. I had left an extra Asus switch I had grabbed from the LAN Party stash in the contest area, so they made use of that to be able to plug their multiple devices in to do the judging.

I don't know yet what they judges us on, what we scored in what categories. We however set up some fun traps. Windows 2000, even when fully patched, since it is not maintained by Microsoft anymore is vulnerable to many exploits (go search milw0rm.com). Using the firewall that we had found (wipfw, and the front-end for it qtipfw) I quickly set up some basic rules that basically said any outgoing connections are allowed, and state was kept. So that it could correctly connect to the domain controller, and connect to websites. However incoming connections were only allowed for IP addresses 10.55.10.2 and 10.55.10.10. So unless the judges unplugged one of the machines on the network, and took its ip address, the Windows 2000 machine would reply with an RST or ICMP UNREACHABLE packet for every single thing thrown at it. We had reduced a huge target to that the size of a mosquito, by merely setting up a proper firewall. Could it be hacked some other way. Yes, absolutely, and the solution we used was not a hundred percent complete, and would not stop all attacks.

When I finally get some sleep, I am going to email LostboY, who was our team lead, and I am going to see if we can get some clue into what they judged us on, what we did well on, and what we need to learn for next time. For three Unix/Linux/Mac OS X administrators we did pretty damn well. We were pretty lost in Windows, but we pulled through just fine.

I skipped over the first part, which was the security policy, since it sucked, and was something I hate doing. Especially since they wanted us to complete it ahead of time, rather than document while we were working through the problems. So I am going to skip that.

The last part of the challenge was to find the rogue wireless access node. We were the first team to find it, we were also the first time to set up a decoy using the same OpenWRT we had flashed! Since wireless on our router was disabled on purpose (why set something up that is a security hazard, when nowhere it was required to be turned on). So now we had our router also advertising AVNETAP which was the name of the AP we had to find.

We as a team ended up winning the competition. What this means is that we all three will be receiving a scholarship worth a $1000. Which will be going towards paying for security conferences I want to visit this year, those include LayerOne, DefCon and ToorCon, at least, and will most likely also include Maker Faire. The games were a lot of fun, and at the same time were very frustrating because at multiple points in time the judges while judging us were not able to understand what we did and why we did it, and thus wanted to deduct points. All in all, a good day, and probably the quickest I have ever made a $1000, eventhough it took a whole lot of sweating to get the network up and running, and working the way we wanted it to work. Notes for next time. More sleep. 5 hours of sleep before a competition is hell.

Best abuse of Linux utilities

Add a progress bar to cp like wget

Speaks for itself.

A pole to rest on

I arrived in Rotterdam a few days ago, and have not had the chance to blog about it yet. Look at me looking smug, enjoying the breeze outside. Pretty cool windmill eh? Yeah I thought so as well.

Take a look at that. It was cold, but it was a great way to get out and get some fresh air, did I mention fresh air smells so good! Yeah, that is the Erasmus bridge in Rotterdam. I also went and visited the place where passengers used to buy tickets to go on big cruise liners to go to America. The Holland Amerika Lijn.

The wind was so bad I needed to rest against something to make sure I would not fly off. It was cool to see some history.

So, there you have it. My adventures. I would have taken pictures of me celebrating New Years with fireworks, but unfortunately fireworks were nowhere to be seen. There was some very thick fog in the city of Hengelo, which reduced visibility to about 7 feet. Meaning I could hear fireworks, but unfortunately not see.

Walk through the Swiss hills/landscape

Today was a great day to go for a walk through the swiss landscape/hills near Basel. The sky was blue, the air was crisp, and it was not too cold and not too warm it was just right. It was a blast, check out the pictures! Switzerland is such a beautiful country!