First I’d like to address some of the points I made in my last post:

• I can now control my AR.Parrot drone with my Xoom (ad-hoc wifi access points work now, with a small tweak) though now I think that my drone has some physical damage to it, it doesn’t take off correctly. Must fix.
• I’m able to get interesting widgets and buttons using minimalistic text and widgetsoid
• the cifs client works like a champ, and I can stream everything I’d like, though the best player i’ve found (rockplayer) doesnt support mkv or certain types of divx.
• There are ad-block apps, but I cant tell if they’re working or not.
• Skype lags, still no video. Them being bought by MS is also likely not going to help things.

Now the TODO list:

• I have both ubuntu and backtrack5 running on this thing in chroots. While I now have access to tools like nmap, skipfish and other command line tools, some of the interesting ones (ettercap, aircrack) do not yet function due to lack of the proper kernel modules. I’ve contributed to the Tiamat kernel thread on the XDA forums asking if adding that kind of functionality was feasible.

Verdict:

Everywhere I go, I get asked “is that the new ipad?” and I answer “no, its better”. People look confused. I used to get into debates about it, but now I just dont care. I’ve accepted the fact that the vast majority of people prefer a snappy UI and pretty pictures over functionality and an open attitude. I’ve recently figured out how to get my eye-fi to work with the thing, and I’ve been out a few times while taking pictures and having them zip from my leica directly over the xoom (this is a REALLY cool party trick – I intend on utilizing this somehow combined with a projector at this years ninjapenguin party.).

This platform does everything I need that doesn’t require massive horsepower including simple security tasks – like portscanning and browsing open fileshares, nmapping, and running metasploit. I can watch movies on it, get directions (chrome to phone is awesome on this thing), watch full-screened high-res episodes of southpark from southparkstudios.com and other flash sites (since it supports flash) browse full HTML5 and flash websites, and even set it up like a mini entertainment set – with the jawbone jambox speakers setup as bluetooth speakers.

It’s overclocked from 1ghz to 1.6 ghz with little to no impact on the battery. The modified kernel allows me to have external SD storage enabled and PTP and USB OTG modes so that I can plug in external devices and storage (though I have not yet tried a mouse or keyboard, usb sticks and my leica d-lux 4 work like a champ – for some reason the d3s isn’t properly recognized, so I’ve opened a ticket with google). I hope to use it in a photography sense as well (in Vegas this year, if I’m lucky) with the square reader and squareup app – which lets me accept credit cards as an individual. I can torrent from the thing, as well as use it as a backup phone by way of a skype-in number and a bluetooth headset. The list just goes on and on!

I’ve been tapped to use it as a support tool – once at drinkup a friend had a need to use a variety of basic linux tools such as traceroute, ping and telnet – I was able to hand him my xoom in an ubuntu chroot and tell him ‘go to town’. I can use it to remote control any of my computers as well, even remotely ‘hamachi style’ using a tool called neorouter.

I intend for this to be my “computer” while I’m at Defcon/Blackhat this year. I can easily offload all my photos to it, and it does everything I need while I’m on the go. Someday I hope to actually give a talk from this thing, completely without a laptop.

tl;dr: If you just want a toy, buy an ipad. If you want a tool? Buy the xoom.

Wishlist:

• I still want a site survey tool. Especially overclocked past %50. this thing screams.
• Having the jambox speakers helps when I want other people to hear stuff, otherwise I want a case that has little ‘ears’ to funnel the speakers forward.
• Having backtrack5 on this thing is badass, but some of the more impressive stuff is unavailable – I cant send arp traffic and I cant put the wifi interface into monitor mode or inject traffic. I’ve asked about it on the xda thread.
• I really wish someone would port VLC over to android. This hardware has so much still untapped potential – I want to be able to watch a 720p mkv. Standard dvd rips work fine, highres stuff chokes – because the players don’t leverage the GPU
• I want to find out why the hell it doesn’t work with my Nikon D3s. It sees the camera, but never sees any photos. wtf?

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

For those of you who aren’t sure what that means, here’s the breakdown:

The most basic form of authentication apache uses is called ‘basic auth’. All it does is take your credentials and encode them using base64 – the same encoding used for email attachments. Encoding is not encryption. You can decode this in seconds. There are even apps that will do it for you if they see a base64 encoded string.

@quine asked me to do a packetsniff on my phone, so I plugged my G1 into my notebook, fired up adb and got a shell on my phone. Tcpdump -s 65535 -A -l -nnnvvv  showed me this

11:18:35.553924 IP (tos 0×0, ttl 64, id 54010, offset 0, flags [DF], proto TCP (6), length 286) 25.97.11.256.39819 > 174.129.33.12.80: P, cksum 0xc5e2 (correct), 1:247(246) ack 1 win 2920

E…??@.@.r..a.?.!….PDH?.????P..h??..GET /v1/user?mayor=0&badges=0&geolat=31.123456&geolong=-110.123456&geohacc=5000.0 HTTP/1.1

User-Agent: com.joelapenna.foursquared 2010011401

Host: api.foursquare.com

Connection: Keep-Alive

Authorization: Basic T2hUaGlua1lvdXJlOkNsZXZlckRvbnRjaGEK

UHHH.. that ‘Authorization: Basic’ line there are my credentials. Right along there with my GPS coordinates! They’re sent with nearly every request. In the clear! Wow – I’m never using my phone on unencrypted wifi again.

To decode base64 one must merely copy/paste the encoded string into any one of a handful of different decoders. We used this command line on osx:

echo ‘<base64 string>’ | openssl enc -base64 -d

There are applications that exist now, like dsniff, which will deobfuscate the credentials when they’re seen on the lan or over the air. This is pretty bad. There’s no other way to put it. Thanks to @jennyjenjen for meeting up with me to test it on the iphone, which uses the same API, and is just as vulnerable.

My suggestion: If you’re going to use foursquare on your mobile device, make sure you’re not using open coffeeshop wifi spots, and you’re using your carriers 3g/cdma/gsm/etc internet connection. This will protect you from the potential of people sniffing credentials on your lan. Or, have a look at zipline!