12 hours with the motorola xoom

I was the first person in the door to pick up the new xoom at my local verizon retail store. They mentioned they only had 15, and I jokingly laughed asking “what the hell is this? no line out the door and around the building? dont people know whats going on?”

I’ve been watching the xoom for a few months now, smiling, grimacing, laughing, complaining – as the rumors and news dribbled out.

First Impressions from the first 12 hours:

PROS

  • its FAST. I mean FAST.
  • Angry birds goes very very fast. I presume I’ll be spending a lot of my bored-time screwing with it.
  • I’m now in something like a dozen concurrent games of words with friends.
  • The first thing I noticed was that it supports full-disk encryption. I turned that on right away.
  • The calendar app is awesome, very fluid and easy to use.
  • I can very nearly type two handed on the keyboard as if it were a regular computer keyboard. I’m certain this will improve with time, I’m making a ton of typos.
  • I can video-call my fiance in england from ANYWHERE using google voice chat. Its glorious and awesome. I propped the thing up between the shifter and the dash in my car to test it, and sitting in traffic it was high res and clear, high frame rate. We’re finally in the future – I can internationally video call from the car for free.
  • I love that in video-chat you can switch back and forth between the forward facing and the rear cameras. That right there will be EPIC for any instance where you need someone to show you something, and they want to see where the camera is pointing. Normally (like on laptops) this means having to point the screen away from you, so you’re filming but you can’t see what you’re filming.
  • There was a root howto up less than 6 hours after I bought it.
  • Using it as navigation in the car is BEAUTIFUL. That alone makes me want to build a mount for it so its held properly.
  • Using it as a giant touchpad for my windows/gaming box which is plugged into my 50″ tv is GLORIOUS. It works as a giant touchpad (link). I will be using this A LOT.
  • It supports multiple google accounts, allowing one to use personal and multiple ‘other’ accounts at once. This is particularly useful for me as I’m a contractor/consultant and I often have to manage multiple accounts.
  • Its been said this thing will support usb host mode, meaning I should be able to plug
  • One chief complaint I’ve read was that apps that were ‘made for phones’ look ‘stretched and bad’. Well, the ones I use actually look BETTER. Like wifi analyzer, tweetdeck and antennas. GPS test plus looks RAD!
  • Another complaint people had were that the speakers faced back – I just hold it cupping the speakers and it channels the sound towards me. I’m half tempted to make a couple little ‘ears’ for the thing out of hard plastic that channel the sound forward, and double as an angular stand. Maybe one whole thing that does that plus has a kickstand (HINT HINT PEOPLE WHO HAVE MANUFACTURING CONTRACTS)
  • I feel a lot less constrained – I imagine my phone now will not need to be checking twitter/email/gtalk/etc and I’ll be doing that on the xoom, so my phones battery should last longer.

CONS

  • It cant see my jawbone jambox for some reason. It can see my laptop and my phone, but not the bluetooth speakers (!?!?! no idea. I’ll wait until I get my ubertooth zero to find out wtf.) No Idea what I did differently this time, I got it working. *shrug* – sounds badass too :D
  • I can’t control my parrot ar.drone with it (yet) because I need to find a hack allowing the xoom to associate to ad-hoc networks – though theres another way around this by making the ar.drone associate to an infrastructure AP
  • Skype doesnt support video calls (yet)
  • I really like the HTC clock on my incredible. I want it on the tablet!
  • Now that its rooted, I want to stream movies from my drobo – I can do that on my phone by using cifsmanager, which drops a kernel module in enabling cifs client support – so apps simply think theyre pulling from local storage. After installing it, the xoom said ‘this application isn’t installed’ when I tried to run it. Weird.
  • I cant shake the feeling that I absolutely need to find a way to block the in-app ads. Even on a tablet, they take up a lot of real estate.

TODO

  • Try to get nmap running
  • Try to install debdroid, see what happens
  • Look into seeing what it would take to get pyrit or the aircrack suite running on this thing
  • I WANT DRIFTNET FOR THIS PLATFORM \o/
  • I want to setup ettercap + sslstrip + daemonlogger on this platform
  • I want to see a REAL site survey tool for this platform, like visiwave. That would be EPIC. I’d buy that in a heartbeat.
  • A good ‘dual pane’ (like email) google reader app
  • Need to see if I can turn it into a remote display for my mac or another computer.

More to come as I learn!

Hacking someones personal brand

Troll definitionI know two trolls. Roger Rustad, and David Kaiser – they run socallinux.org.

If you read anything these two post on socallinux.org you can quickly determine they use this mailing list to defame whomever they choose – and because their mailing list gets both spidered by google, and mirrored by list-serv they get pretty much automatic SEO. Multiple domain names replicating messages. And if the mailing list gets any activity for any reason the SEO goes up.

This is like a troll sniper rifle. You want someone to go down in flames, or you just want to make them real miserable? Talk smack about them somewhere that gets spidered by google and replicated to other sites. If anyone googles them, they’ll find listserv messages, mail-archive.com and google cache results all parroting the original messages.

Google is like the force. It can be used for good and evil. In this example, we’re looking at using it for evil.

Continue reading

Toorcon 11, and peoplehacking

Toorcon this year was awesome and fun, with the exception of cstone breaking his femur, of course.  I had originally been slated to talk, but a clerical error left my name off of the schedule. Instead I took the role of  ‘staff photographer’ and shot the whole event and all the speakers. A few interesting occurences took place:

  • Mckt decided to leave early, and gave me his speaking spot, which I took. Before I was able to speak, barkode approached me and kindly asked me to give my speaking slot to his panel since they desperately needed more time. I agreed. I went from speaking, to not speaking, to speaking to not speaking in one day. I was still a little sad to not be able to give my peoplehacking talk though.
  • Jolly approached me starting out his query with “So Viss, you’re a social engineering guy…” and explained how he wanted to pwn the counting jar contest (explained below)
  • I met a really neat guy from San Francisco that lapses into a really bad scottish accent when I do my really bad irish accent. This made all the dinners and parties we went to hilarious.
  • I spent some time in the lockpicking village teaching new folks how to pick locks (this is fairly standard for me at this point)

Continue reading

State of the pwnion.

message begins
Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).
The textfile the group distributed was called zf05.txt and after skimming it’s abundantly clear that wordpress played a huge part in these folks getting rooted. Almost every example was sort of an ‘all in one’ server that was used for ‘whatever’. Its also become clear that jam packing one server with a bunch of services makes it more vulnerable to compromise. Ever heard of KISS? “Keep it simple, stupid”. It’s used very commonly among engineers, computer people – you name it. Anyone that has to build things or design things. The minute you start adding complexity for no reason the proverbial altimeter begins its decline.
People who fake tech exacerbate things. There are groups that call themselves “tech” when in reality they are simply PR or Marketing. The Web 2.0 craze has hypnotized people into putting almost everything they think and do ‘behind the scenes’. They let someone else worry about it. Some ruby programmers I’ve met are incapable of manually issuing a sql query. Others are incapable of interacting with sql unless they have phpmyadmin. These folks generate a requirement to artificially make systems more complex and less secure entirely to suit their evergrowing hatred of looking things up themselves or actually learning anything about the technology they use every day. The easiest way to think about it is this: Think of some people. Now think of these people all owning cars. Think of these people now requiring something as simple as an oil change, a tire change, or a simple tune up. Now think of these people taking their cars to a shop to get work done – for whatever reason: maybe they lack the tools, maybe their HOA doesn’t allow them to perform work on their cars on the grounds (those HOA people desperately need to be stabbed in the lungs, by the way) or maybe they just don’t know how. Now lets imagine these people have the work done, and are talking to the mechanics as they are preparing the invoice behind the counter. The mechanic begins to explain how their oil was changed, and these people abjectly refuse to learn or understand how this works even from a top-level non-technical aspect – they plug their ears and yell “NO! NO! AAALALALALA!! NOT LISTENING NO NOOOO! ALLALAAAAAA!”.
These people strongly support a fancy new term. “Cloud Computing”. Cloud computing will make this worse for everyone.
Let me jump away for a moment. I’d like to point out a fact. The attackers that distributed zf05.txt made a valid point – a point I’ve tried to make to peers, friends and clients alike – If your site/data are on shared hosting and you consider them secure that may mitigate some amount of risk. But if the other people hosting their data are vulnerable and your data is on the same system, you’re still vulnerable.
Now we have some ingredients – lets make a stew. Lets take these bits of information and put them all together and let it simmer.
- Non technical people whos requirements and behavior are insecure and promote systems being rooted
- Systems with lots of various services running on them
- A new trend of mashing these systems together to form giant systems that do the same thing, ending up being bigger and more powerful
- Commonly used software being exploited within a week of a patch.
Mix in a bowl with a wisk until creamy. Add a teaspoon of extra virgin olive oil to a cast-iron skillet. Add a bit of freshly cracked pepper to the oil and some freshly pressed/minced garlic. Let simmer until the pepper and garlic begin to bubble, then pour the mixture from the bowl into the skillet and add a squeeze of fresh key lime if you wish. Cook until firm or golden brown, flip once, then serve! Let stand for 10 minutes to cool. What do you get? What does it smell like? (Well if people actually taste of chicken then that may make one hell of a breakfast omlette). We dont know. Here’s why we don’t know:
- “Business people” like the idea of getting rid of systems administrators and IT overhead
- “Cloud Computing” does not have a security model yet
- There are no standards – this stuff is too new
- Far too many people are comfortable being hacked, and say “oh there’s nothing important on that sit/box”
.. Really, guys? You don’t use that same wordpress password everywhere? For your bank, for gmail, for your car insurance or your mobile provider to login? If a blackhat gets that password you’re really okay with it? If thats the case, I’d like you to kindly leave the internet, never to return. Please – do us all a favor, for the people that like keeping their privates private and their secrets secret, go away.
So we’re going to take all of these insecurities, vulnerabilities and holes – package them up with non-technical people demanding insecure practices so that they don’t have to learn or think and we’re going to replicate this ad nauseum and store the results in one gigantic computer grid system? Awesome. Maybe I should trade in my whitehat for a black one – since thats obviously where all the focus, media, fear and money are going to be. Or maybe I’ll just make my white hat bigger – perhaps people will come to their senses and listen to fact and reason. Perhaps not. I guess we’ll see.
I’m not the only one, either…
http://darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139&cid=RSSfeed
http://www.sensepost.com/blog/3706.html – open the ppt, this was the defcon talk. they pwned amazon ec2.
http://evilpacket.net/ – see the ‘theft of a rackspace cloud api key’. These guys got root on the rackspace/mosso cloud.

I was late to hear – by a day. Thats 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.

Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).

Continue reading

Making Security Research Relevant

I’m very very open and transparent about security, technology and what I do. I’ve written documentation so thorough that my clients have ended the contracts stating “we dont need you anymore – with these docs we can do the work ourselves” – in the grander scheme of things thats awesome. I love it when clients learn from me and it makes me feel really good about what I do – especially if it sticks the first time – but it certainly is prohibitive towards me paying my rent.

I’ve been very vocal in the last year about what I do – to the point it manifests itself as talks I give during BarCamp (LA and San Diego), and Refresh San Diego which is held at Qualcomm. Here is my most recent talk


Security 102, part 1 from Dan Tentler on Vimeo.


Security102, part 2 from Dan Tentler on Vimeo.

Video courtesy of @northlight


Continue reading

Security 101 at Refresh SD – Jan 13, Qualcomm campus

I thought that doing security101 at places like oggis may have been a tactical mistake because I want people to actually learn and benefit from some of this stuff, so having the discussion broken by the wait staff frequently simply murdered all the momentum the discussion had and the event turned into a hacking 101 lab where I just demonstrated attacks.

That being the case doing a security101 class in an actual classroom environment where I can have the attendees comfortable and perhaps even have a projector would likely be far far better. Phelan was gracious enough to let me usurp the january installment of refreshsd to give my security101 talk in a more meaningful and more formal environment. Refresh this month is on the 13th – see refreshsd.org for details, or see the meetup group.
Here is my proposed curriculum:

Basic networking
– How do computers talk?
– what is a packet?
– whats IN a packet?

clear text versus encryption (http, ftp, dns)
how websites pass information around
How to tell if the site you’re on is passing your information encrypted or not.
Some network voodoo – watching the stream
-driftnet
-dsniff
-watching dns queries
(the next three may or may not be permitted depending on qualcomms network configuration)
basic man in the middle example
faking ssl certs
changing dns

Hope to see you all there!