Outerz0ne Con 3
About 100 people attended Outerz0ne Con yesterday in south Atlanta (near the airport). This was my first hacker conference ever though I have attended DC404 and other industry meetings. It appeared that many people had a really good time without attending many of the talks. Below I’ll provide my impressions and key things learned from some of the more technical talks. The last talk contained extremely helpful information for anyone running a web site.
IronGeek – Zipit 2 Hacking
A Zipit2 is a $50 tiny texting computer that can be hacked into all sorts of uses. The main discussion point today was using it as a leave-behind device during IT security penetration testing. Other devices are more capable, but also much more expensive (N800, iPhone, etc.) and you probably wouldn’t want to leave them behind. A $50 Linux device could be left on the internal network during a visit and used to create a reverse SSH tunnel back to your home machine, giving you internal network access to a company. This takes advantage of the significantly lower level of security usually applied to outbound communications: because the device initiates the external connection, the firewalls blocking inbound requests are bypassed.
Duckie, Dan and Madelynn – Introduction to FreeSide Atlanta
FreeSide Atlanta is a non-profit educational organization with a large space available for members to work on projects. Those projects can be work related, college/university related, or just crazy-guy-in-a-garage type projects. The membership is around 50 with diverse backgrounds. Artists, computer, networking and security people, welders, and general maker types are invited. There seems to be lots of beer involved. Classes are provided monthly on a wide range of topics, from welding and sewing to computer and automobile building. Projects are being worked on in biology, auto mechanics, building an RPV, building a powered couch, etc.
PBR90X – Social Networking #FAIL
This talk was on how different social networking sites have failed to protect their users’ privacy. Facebook, MySpace, Twitter, gmail/google-whatever and others were used as examples. Basically, if you expect any level of privacy, don’t use these services. You already knew that.
Scott Moulton – Hard Drive Kung Fu Magic
Scott is a professional data recovery expert and forensics consultant. He demonstrated specialized disk data recovery hardware and software used in his business. Basically, it seemed like he used his hour to recover a few photographs for a professional photographer while letting us watch. The specialized data recovery equipment costs about $3500 and he said that 2 client engagements would pay for it. While much of the effort had become more automatic, there was still a level of skill involved in using the equipment. Performing forensics consultation may require a private investigation license for your state. Performing this type of work without a license may violate your state’s criminal code and leave you personally open to both civil and criminal charges.
Brian Wilson – DOCSIS Coolness
Brian works for Cisco and described the DOCSIS protocol versions 1.0, 1.1 and 2.0 from a high level. He didn’t really get into anything that can’t be found in the Wikipedia article, but the interactive talk cemented my understanding at an extremely high level. He did not discuss anything that could be used to gain higher throughput or more cable TV channels.
BOB Talks
CP of DC949 – Project Floodgate
A perl script to combine TOR and BitTorrent was discussed. This extremely simple idea has huge ramifications for security. The use of tor and bittorrent was just one use method and the only mode the presenter discussed. However, I can see some really nefarious uses for this very simple idea which would allow fairly large scale attacks against any internet location to be hidden. This is scary. Get the code and more about the project here.
Another talk was about building a small USB flash-drive-sized keyboard device to play back keystrokes randomly, at specific times, or after specific actions occur on the target system. There are other methods to cause similar things, but those are OS specific and can’t really happen without some kind of user interaction. Because this device is a pseudo-keyboard, it can send any desired keystrokes at any time. The tiny size of the device (thumbnail sized) lets it easily be inserted in a rear USB port and not be readily noticed on most desktops. IronGeek gave this talk and has a blog post about it along with the software.
SkyDog – What’s a hacker?
We are all hackers. We should be proud and introduce ourselves with that term, then help the uninitiated to understand we are really just curious people interested in how things work. I’ve never introduced myself as a hacker due to the negative view that most non-computer people have of that term.
Social Engineering
A few of the event attendees used social engineering to get onto a movie set the prior evening that happened to be filmed across the street from the hotel. They explained their methods of befriending a low level grip who gave them entrance into the movie worker world. They hung out on the set for about 3 hours, getting in the way and not really being asked any questions, after they were inside the approved group.
Presmike – Social Engineering: The Art of Lowering Your Opponents Defenses
The title of this talk didn’t really explain what it was about. I missed the first 10 minutes, but it seemed to be how to use online dating sites to pick up chicks and how to get as far as possible physically as quickly as possible. The speaker had performed research on multiple web sites and conveyed his general ideas about each, the types of women he met, and how many of the contacts were using the accounts to get men to pay for webcam interaction elsewhere. Some appeared to be sex workers. He did meet some nice women and dated them as well. OTOH, some of the interactions were really strange and scary. The dating sites he tested were Match.com, eharmony.com, OkCupid.com, AdultFriendFinder.com, Craigslist.com and another Christian oriented site that I can’t recall. He didn’t pay for any access, so many of the sites were extremely limited for his use. For the paid sites, about $140/quarter is the cost.
Billy Hoffman – Web Performance Talk/Craziness
Billy is a former web security guy who recently converted to a web performance guy at ZoomPf.com. There is a Wikipedia article if you want a little background. He has a problem with staying on topic and seemed to want to show live data instead of pre-downloaded data. The off-topic things were loosely related to the talk, but did add 45 minutes to his allotted time. Basically, the talk was him introducing an idea about why different web sites were slow and then showing us how those sites were poorly implemented for performance. Highly graphical sites can improve performance by about 50% and reduce bandwidth by about 20% by following Billy’s recommendations. Those are my estimates, not his.
What does he recommend?
- Remove white space from all text files (CSS, JS, HTML) that are browser interpreted. HTML, CSS, and Javascript ignore white space. The white space removal should be an automated part of the website publishing process, not manual.
- Enable content compression for text streams by enabling the mod_deflate and mod_gzip on Apache. For text sites, this fairly trivial change can reduce the text transmitted between 15% and 80% and have no usability impact to users.
- Reduce the total number of text files required to be downloaded for each complete web page. Merge all CSS into a single file. Do the same for all Javascript and again for the HTML content. It turns out that downloading 10×10MB files is much more costly than downloading 1×100MB file – about 0.7 seconds more costly. Larger text files are also compressed more efficiently too. Minify is a tool for this. There appear to be others.
- Optimize or crunch your image files. Even if you’ve already resized your web image files to be the correct X:Y for your needs, there are other image file optimizations which can save 80%+ per image with ZERO change to the image quality by removing excess, unused palette information from the files. Yahoo has a tool to do this.
- Use image maps to merge multiple images into a single file, either for display as is or when you need to display specific portions. Google and Yahoo do this on their pages very nicely. The goal is to avoid the multi-file download overhead.
- Use efficient web layout methods like CSS over tables. Tables were the old way to force layouts and are much less efficient when compared with CSS for controlling layout. Further, CSS is much easier to maintain and modify than hand coded tables.
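To put numbers on the first three tips (strip whitespace, compress with mod_deflate/mod_gzip, bundle files to cut requests), here is an added example that is not from the talk, Zoompf, or Minify. It uses constructed sample stylesheets, a deliberately naive whitespace stripper, and Python's gzip module to stand in for the server-side compression.

```python
"""Added example (not from the talk, Zoompf, or Minify): measures what the
whitespace-stripping, bundling and gzip recommendations above save, using
constructed CSS samples standing in for a site's separate stylesheet files."""
import gzip
import re

# Constructed sample stylesheets; each one would normally be a separate request.
SAMPLE_CSS = [
    "body {\n    margin: 0;\n    padding: 0;\n    font-family: Arial, sans-serif;\n}\n",
    "#header {\n    background: #336699;\n    color: #ffffff;\n    height: 80px;\n}\n",
    ".nav li {\n    display: inline-block;\n    margin-right: 12px;\n    color: #336699;\n}\n",
]


def strip_whitespace(text: str) -> str:
    """Collapse whitespace runs and drop spaces around CSS punctuation.
    Deliberately naive: it ignores comments and quoted strings, so a real
    minifier belongs in the automated publishing step the talk recommends."""
    collapsed = re.sub(r"\s+", " ", text)
    return re.sub(r"\s*([{};:,])\s*", r"\1", collapsed).strip()


def gzip_size(text: str) -> int:
    """Bytes on the wire once mod_deflate/mod_gzip compresses the response."""
    return len(gzip.compress(text.encode("utf-8"), compresslevel=9))


def measure(files: list[str]) -> dict:
    """Compare the separate-file baseline with minified, bundled and gzipped variants."""
    minified = [strip_whitespace(f) for f in files]
    bundle = "".join(minified)  # one file, one request, one gzip stream
    return {
        "requests_before": len(files),
        "requests_after": 1,
        "raw_bytes": sum(len(f.encode("utf-8")) for f in files),
        "minified_bytes": sum(len(m.encode("utf-8")) for m in minified),
        # Separate gzip streams each pay the header/trailer overhead and
        # cannot share a dictionary, so the bundle compresses better.
        "gzip_separate_bytes": sum(gzip_size(m) for m in minified),
        "gzip_bundled_bytes": gzip_size(bundle),
    }


if __name__ == "__main__":
    for key, value in measure(SAMPLE_CSS).items():
        print(f"{key:>20}: {value}")
```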
I’m certain I missed a few other tips in his talk.
For years, software development has used source code control systems to ensure code changes were traceable and could be seen throughout the code lifetime. Web developers should be leveraging the same methods of development, check-in, test, validate and push to production that have been proven since the 1960s for code development. The idea that a web developer will ssh into a production server, make a small change on the fly, then call it done is simply scary.
ZoomPf.com provides a free performance test of a web site.
Presentations and Videos
Hopefully all the presentations and videos will be available from the Outerz0ne web site in a few days. I’ve been told that the How to pick up Chicks using dating websites video will not be posted due to adult content. I have to agree with that decision.
I plan to attend Outerz0ne in 2011
Next time, I’ll bring more to drink and share. I came unprepared this time with just a quart of alcohol. I’ve learned. The way I see it, if the speakers can drink, then I should be drinking too to aid with the transfer of ideas. Something that I didn’t really say: the cost of this was free. Basically, they work off donations and t-shirt sales. There wasn’t any pressure to donate or purchase a t-shirt, but I did both. The organizer, SkyDog, does this out of kindness, not for profit. I’ll probably leave when the thank yous begin too. They seemed to go on and on and on.
Many of the attendees are also part of the DC404 organization and have day jobs in network or data security at companies you know the names of. I think I’ll try to attend the next ShmooCon and DefCon.
Links from the talks
Floodgate code can be found at http://dc949.org/projects/floodgate/
(currently a temporary site layout)
Appreciate the pointer to floodgate, CP. I’ll update the main text.
The con videos are now available here. They appear very well done with the speaker and deck displayed. Hopefully, all the speakers talked into the microphone.