Stilgherrian (@stilgherrian)

Wentworth Falls NSW AU

The below is an off-site archive of all tweets posted by @stilgherrian ever

October 25th, 2013

There are so many typos in my @zdnetaustralia story today. And I have no access to the CMS to fix them.

via Janetter for Mac

@hannahcommodore Yep, there is always next year. Plus I’m determined to visit Melbourne more often. It’s been too long.

via Janetter for Mac in reply to hannahcommodore

Audio: “The Political Economy of the Cyber-security and Malware Markets”, a witty lecture about the arms trade. scmagazine.com.au/News/361877,bp…

via Janetter for Mac

“Aussie govt passwords stolen by Chinese hacker group”, writes @darrenpauli scmagazine.com.au/News/361903,au…

via Janetter for Mac

Me at @zdnetaustralia: “Smart TVs are dumb, and so are we”, riffing off @beist’s research. zdnet.com/smart-tvs-are-…

via Janetter for Mac

My notes on Breakpoint Day 2 will be posted at corruptednerds.com some time Saturday morning.

via Janetter for Mac

Me at Corrupted Nerds: “Breakpoint Day 1: Smart TVs to the digital arms trade” corruptednerds.com/blog/breakpoin…

via Janetter for Mac

While I’m waiting for a friend to call and tell me where we’re catching up for drinks, I shall tweet some pluggage…

via Janetter for Mac

MT @tim_chr: 1000 jobs in Aust journalism lost since Mark Colvin delivered the Lecture in 2012. [WHY DIDN’T SOMEONE STOP HIM? @GreenJ]

via Janetter for Mac

@hannahcommodore No, just a blister. [Yeah ha ha ha I am so funny. Sigh.]

via Janetter for Mac in reply to hannahcommodore

@hannahcommodore I was. While explaining Operation Market Garden. And I will be again soon. I’m just changing a bandage. Very excitement.

via Janetter for Mac in reply to hannahcommodore

I’m hoping @bigmac now has at least some sense of the strategic and geopolitical issues re Operation Market Garden. en.wikipedia.org/wiki/Operation…

via Janetter for Mac

RT @bigmac Getting a war history lesson from @stilgherrian but we need mini soldiers and tanks! pic.twitter.com/v8mVSUDJDv [Somebody has to.]

via Plume for Android in reply to bigmac

@R_Chirgwin Hah. I was thinking of bringing Taiga, but on the day it seemed somehow inappropriate.

via Plume for Android in reply to R_Chirgwin

@mogadeet Thanks. To be honest, though, I first picked up a camera a long time ago…

via Plume for Android in reply to mogadeet

grantshow ‘Bach is a bit too much for porn’ pic.twitter.com/2zVKfMD1QC

via Twitter Web Client (retweeted on 6:52 PM, Oct 25th, 2013 via Plume for Android)

Thanks, @SpawnRich @Mudgutz, I hope it made sense. I’m hoping to refine the process.

via Plume for Android in reply to Mudgutz

@Greybeard3 I’ll be turning the tweets into notes, but never Storify. It is a pox upon literacy.

via Plume for Android in reply to Greybeard3

Saturday and Sunday are Ruxcon all day, and I’ll be covering that too. ruxcon.org.au

via Janetter for Mac

Non-live coverage will appear at corruptednerds.com

via Janetter for Mac

And that, Ladies and Gentlemen, is the end of my live coverage from Breakpoint. Thanks all.

via Janetter for Mac

bigmac Watching a demo of linux running on the controller of a Hard Drive, which ironically cannot find a storage controller to use! LOL

via Janetter for Mac (retweeted on 5:44 PM, Oct 25th, 2013 via Janetter for Mac)

Poor Jeroen is currently being punished by the demo gods.

via Janetter for Mac

Ways to avoid this attack? Encrypt everything; boot off USB.

via Janetter for Mac

In fact, JD has forgotten the real root password of this demo machine. He just uses his hack to log in instead. [Many quiet chuckles.]

via Janetter for Mac

And now he demonstrates it live.

via Janetter for Mac

(For those unfamiliar with Unix/Linux, /etc/shadow is where the system stores the login password hashes.)

via Janetter for Mac

And now the finalé! JD suggests a hypothetical attack where the drive works normally except when it reads the file /etc/shadow … hah!

via Janetter for Mac

Points to idle3-tools for Western Digital drives that rework its power and speed functions etc. [Bad explanation by me.]

via Janetter for Mac

Points to research where people use hacked drives to hide data outside the “official” places it should be written.

via Janetter for Mac

Or, some vendors allow you to re-flash the ROM remotely (though for some funny reason that’s an undocumented feature).

via Janetter for Mac

The next trick is to make the hack permanent by replacing the hard drive’s flash ROM with your own version. Soldering iron time.

via Janetter for Mac

Yes, he found a way to change a few instructions to hook in a routine to change some cache data before it’s written to disc.

via Janetter for Mac

… he found the tables that said which bits of the cache mapped onto which bits of a disc sector. But could he change cache data?

via Janetter for Mac

… but how was the cache structured? There were no strings in the assembly code to provide clues. But after a very, very long time…

via Janetter for Mac

On the drive he investigated, there was a 64MB block of RAM that matched the advertised cache size of the drive…

via Janetter for Mac

@jameslyne Cool. I just wish this wasn’t the last presentation on a Friday afternoon after a long week. Brainfade is severe right now.

via Janetter for Mac in reply to jameslyne

@timfdavis Indeed, most of this is just fleshing out the specifics of the drive he hacked onto the bones of my vague general knowledge.

via Janetter for Mac in reply to timfdavis

@timfdavis Yeah, he’s doing a tear-down of drives to see what he can learn.

via Janetter for Mac in reply to timfdavis

Data sheets? The manufacturers of these chips don’t even acknowledge that they exist. Nothing on their sites.

via Janetter for Mac

Walking thru chips on the controller: DRAM, spindle controller, flash ROM for boot code, HDD controller, ceramic shock sensor.

via Janetter for Mac

Before starting to hack hard drives, back up (doh!) and make sure that your OS disc is a different brand from the one you’re hacking.

via Janetter for Mac

Finally, “Hard Disks: More Than Just Block Devices” by Jeroen Domburg (@spritemods) ruxconbreakpoint.com/speakers/#Jero…

via Janetter for Mac

Combine the process of exploring a bug in digital signature code with the late-afternoon mental slump and a lack of sleep. Bbfddhhtddmmzzz…

via Janetter for Mac

RobertWinkel for (j=0; j<maxBytes; ++i)
Nice bug.

via twicca (retweeted on 4:32 PM, Oct 25th, 2013 via Janetter for Mac)

Now it’s a minimum truncation length of 80, or half the length of the hash, which is better.

via Janetter for Mac

The spec allowed the HMAC Truncation to reduce the signature length to “zero”, “which was easy to brute force”.

via Janetter for Mac

RT @bigmac: We are now being stepped through CVE-2013-2153 … aka XML Signature Bypass [Seems the problem was in the spec.]

via Janetter for Mac

IanMartin I shall call my book A Zephyr Of Whimsy. Then everyone will assume I’m like fucking Stephen Fry or whoever, that cunt who’s on Countdown.

via Twitter Web Client (retweeted on 4:19 PM, Oct 25th, 2013 via Janetter for Mac)

bigmac RT @technorambler @bigmac re. XML: technorambler.tumblr.com/post/302063247… [yep, proves just how soul destroying XML can be! ]

via Janetter for Mac (retweeted on 4:18 PM, Oct 25th, 2013 via Janetter for Mac)

JF: “I don’t want to look like I’m ragging on the C++ XML implementation, but I am. It’s horrible.”

via Janetter for Mac

@StatNerdery @bigmac Yes, XML is human-readable. For some value of “human”.

via Janetter for Mac in reply to StatNerdery

@vealmince Heh. No-one has mentioned them yet. Have they sold enough to be worth hacking?

via Janetter for Mac in reply to vealmince

RT @bigmac: “If you’ve worked with XML, which I hope you haven’t… it’s soul destroying.” says James Forshaw. [But we have Perl!]

via Janetter for Mac

@vealmince That’s got to be the most gorgeous quote from his presentation.

via Janetter for Mac in reply to vealmince

JF is currently going through an explanation of the XML Digital Signature process. There’ll be tutorials for this online.

via Janetter for Mac

My earlier overview of “Breakpoint Day 1: Smart TVs to the digital arms trade” corruptednerds.com/blog/breakpoin…

via Janetter for Mac

Me at @zdnetaustralia: “Smart TVs are dumb, and so are we”, on @beist’s research. zdnet.com/smart-tvs-are-…

via Janetter for Mac

Next up, “The Forger’s Art: Exploiting XML Digital Signature Implementations” by James Forshaw (@tiraniddo) ruxconbreakpoint.com/speakers/#Jame…

via Janetter for Mac

“There will be another presentation about something else that relates to what you allude to.”

via Janetter for Mac

Audience Q: “Even when the BIOS is write protected, you can sometimes still flip bits?” JB: “No comment.”

via Janetter for Mac

csoghoian The ACLU’s amicus brief in the Lavabit appeal is a work of beauty. Fun reading for security geeks and non geeks too. legaltimes.typepad.com/files/aclu-lav…

via Twitter Web Client (retweeted on 3:18 PM, Oct 25th, 2013 via Janetter for Mac)

Oh, @MITREcorp has released Copernicus (“Question your assumptions”), a tool to check for basic BIOS/SMM security vulnerabilities.

via Janetter for Mac

JB: “Assume that attackers can get in [to the BIOS].” Use either (1) truly immutable BIOS hardware or (2) better timing analysis.

via Janetter for Mac

NewtonMark Halloween. That one time of year when Americans remind themselves of what vegetables look like, by buying a pumpkin.

via Twitter for Android (retweeted on 3:14 PM, Oct 25th, 2013 via Janetter for Mac)

So now JB is explaining how to defend against the trick that Flea uses by some trick involving timing and timestamps. I am lost.

via Janetter for Mac

RT @paulkidd: thanks now I’m itchy from all those flea bytes [Well played. Now apply the lotion. ]

via Janetter for Mac

Flea is roughly 500 bytes of code.

via Janetter for Mac

Flea detects when you’re about to start updating the BIOS, and does trickery I don’t follow to re-insert itself into the new BIOS.

via Janetter for Mac

“Flea” because it jumps from BIOS to BIOS as the user updates to new versions of the BIOS.

via Janetter for Mac

JB is showing his proof-of-concept called “Flea” which infects the BIOS of machines with Trusted Platform Module (TPM).

via Janetter for Mac

snurb_dot_info Slides and audio for the analysis paper at by @timhighfield, @Lena_Sauter and me now online: ow.ly/q9OVV

via Hootsuite (retweeted on 2:59 PM, Oct 25th, 2013 via Janetter for Mac)

Even if you re-flash the BIOS, this is a technique so the malware can re-insert itself into the BIOS after rebooting.

via Janetter for Mac

It’s another deeply technical how-to, but the place we’re going is to dig into the computer’s BIOS and change it undetected.

via Janetter for Mac

Next up, “BIOS Chronomancy” by John Butterworth @MITREcorp ruxconbreakpoint.com/speakers/#John…

via Janetter for Mac

Annoyed that @darrenpauli managed to catch that slide in a picture while mine fucked up.

via Janetter for Mac

RT @darrenpauli: Aussie govt passwords stolen by APT1 Chinese hacker group scmagazine.com.au/News/361903,au…

via Janetter for Mac

@rleigo Thanks very much. I’m enjoying the process, happy in the knowledge my main block of writing can wait until next week.

via Janetter for Mac in reply to rleigo

Next: “LOBO: Scalable Covert Malware Analysis” by Danny Quist (@OpenMalware) ruxconbreakpoint.com/speakers/#Dann…, though I’m writing at the moment.

via Janetter for Mac

Posted today at Corrupted Nerds: “Breakpoint Day 1: Smart TVs to the digital arms trade” corruptednerds.com/blog/breakpoin…

via Janetter for Mac

paulwallbank This is good - We should see more of this from retailers. @ Jaycar Electronics instagram.com/p/f32qlCREMA/

via Instagram (retweeted on 12:59 PM, Oct 25th, 2013 via Plume for Android)

@yinettesys Yep. Doing the entire Breakpoint Ruxcon extravaganza.

via Plume for Android in reply to yinettesys

@Xavier_Ho No, I’m at Breakpoint. But in Melbourne.

via Janetter for Mac in reply to Xavier_Ho

RT @bigmac: Amazing insight into the conundrum and ethical dilemmas of police that want to do more, but can’t. [Indeed.]

via Janetter for Mac

They were well organised, worked office hours, used custom-made malware.

via Janetter for Mac

The guys running the op had more than 300 servers, used proxies to hide their activities, one server per target.

via Janetter for Mac

PR just showed a list of Australian domains that had been targeted. Most were .gov. Stand by for a list.

via Janetter for Mac

PR’s presentation is a walk-through of his methodology, rather than a big reveal, at least so far. Not tweetable.

via Janetter for Mac

@jodiem It was a run-through of @silviocesare’s PhD thesis, so I’ll do a summary of some sort once I’ve read it. Couldn’t do that live.

via Janetter for Mac in reply to jodiem

darrenpauli I spoke to Paul Rascagnères @r00tbsd & others for a feature into cybercrime disruption scmagazine.com.au/News/356543,th…

via Hootsuite (retweeted on 11:39 AM, Oct 25th, 2013 via Janetter for Mac)

Limited scan to Hong Kong to keep scanning time reasonable. Found six hosts with Poison Ivy. Not always up.

via Janetter for Mac

PR based his research on the Mandiant report. intelreport.mandiant.com Wrote a scanner to look for Poison Ivy.

via Janetter for Mac

Next up: “APT1: Technical Backstage” by Paul Rascagneres @r00tbsd ruxconbreakpoint.com/speakers/#Paul…

via Janetter for Mac

“Remember to back up your car before doing this,” which has nothing to do with reverse gear.

via Janetter for Mac

Audience: There’s a community for modding the cars (“remapping”) but it’s all in German.

via Janetter for Mac

RT @kaynerichens: here comes the pineapple [Worst. Euphemism. Ever.]

via Janetter for Mac

Colvinius Blimey. Staid old Time magazine. RT @TIME: Excuse me, Mr. Abbott, but climate change DOES cause wildfires ti.me/1fWsdRW

via Twitter for iPad (retweeted on 11:22 AM, Oct 25th, 2013 via Janetter for Mac)

Audience member: “Personally I’m waiting for ransomware for cars.” [So there’s that idea out in the wild now.]

via Janetter for Mac

@staticsan Yeah, but this is doing it while the car is in motion.

via Janetter for Mac in reply to staticsan

One guy [missed name] is rewriting those tables on the fly. Doesn’t like it being called “auto-tuning the car”.

via Janetter for Mac

Everything done in the car is done with lookup tables, e.g. fuel flow for speeds.

via Janetter for Mac

RT @bigmac: Quick demo of automatic.com which looks impressive for measuring fuel consumption.

via Janetter for Mac

Brief discussion of putting trojans on the smartphone that’s paired with the car and controlling the car remotely that way.

via Janetter for Mac

“You might want to use someone else’s car for this… I’ve broken two cars and it’s hard to explain.”

via Janetter for Mac

bigmac If your car starts to behave like this youtube.com/watch?v=p3-fjJ… you might want to look for hackerz.

via Janetter for Mac (retweeted on 10:58 AM, Oct 25th, 2013 via Janetter for Mac)

All the circuit board hardware designs and the software for this is open source. Links are in the PDF.

via Janetter for Mac

Three steps to analyse a specific-ID protocol message are Sniff (passive listening), Poke (physical stimuli), Write (write to CAN bus).

via Janetter for Mac

Process for case study (aim is to pass college!) was to analyse a few specific protocol messages.

via Janetter for Mac

Demo video of how they can rev the car to 4000rpm, but the tacho still shows it at a slow idle. WHAT COULD POSSIBLY GO WRONG.

via Janetter for Mac

So the CAN controls everything from dashboard to windscreen wipers, the engine of course. Then they started fuzzing the CAN stream.

via Janetter for Mac

They built a series of tools to sniff and analyse packets, MySQL database, modular framework for processing.

via Janetter for Mac

“These are not the protocols you’re looking for.” But they did convince the prof to let them buy another car. This time they checked.

via Janetter for Mac

They looked at the CAN data, it made no sense. Didn’t match spec. Then penny dropped. They’d bought a car that didn’t use CAN. Doh!

via Janetter for Mac

They bought a car (Ford) to experiment with ‘cos they didn’t want to screw up their own cars.

via Janetter for Mac

NicholasFryer Just seen a formal letter from major accounting firm addressed to

Australian Taxation Office
GPO Box 9845
IN YOUR CAPITAL CITY

via Twitter Web Client (retweeted on 10:42 AM, Oct 25th, 2013 via Janetter for Mac)

BTW, this is much the same presentation as at RECON 2013. Here are the slides. recon.cx/2013/slides/Re… (PDF)

via Janetter for Mac

Interfaces on most CAN Protocol Analyser units treat it as a car, not a computer. High-end ones require a vendor’s license to buy.

via Janetter for Mac

Maximum message length is 8 bytes, though they can be strung together into multi-frame messages.

via Janetter for Mac

Cars are now highly-networked devices. Car Area Network (CAN) protocols are optimised for speed and reliability but not security.

via Janetter for Mac

“Let me tell you about air bags some time.”

via Janetter for Mac

Their work was to reverse engineer to vehicles, build car-hacking tools for muggles, and explain it all to engineers.

via Janetter for Mac

They begin with a video of them causing the in-car displays to show all manner of insane error messages.

via Janetter for Mac

Next up: “Hot-Wiring of the Future: Exploring Car CAN Buses!” with Ted Sumers & Grayson Zulauf ruxconbreakpoint.com/speakers/#Ted%…

via Janetter for Mac

@jpwarren Thank you very much. It helps that they’re mostly astounding presentations on topics I’m personally interested in.

via Janetter for Mac in reply to jpwarren

I will soon regret eating that, I know.

via Janetter for Mac

abcnews Racing pigeons in Belgium have tested positive for cocaine and painkillers, according to reports. ab.co/17MH0Gy

via TweetDeck (retweeted on 9:48 AM, Oct 25th, 2013 via Janetter for Mac)

Former NSA director Michael Hayden’s indiscreet blabbing has now been reported in the Washington Post. washingtonpost.com/blogs/the-swit… HT @Colvinius

via Janetter for Mac

SC is talking about using the WEKA machine learning toolkit, from the Uni of Waikato in NZ.

via Janetter for Mac

@KarlskiB Heh. Yeah, this is essentially this guy’s PhD thesis, so it’ll be easy to grab next week.

via Janetter for Mac in reply to KarlskiB

I won’t Instagram all the slides, just a few I’m using for notes, and to give you the flavour. I’ll get @silviocesare’s slides later.

via Janetter for Mac

Classification for machine learning instagram.com/p/f3fUj7iFqt/

via Instagram

“Inexact matching is your friend. Try to use known distance metrics.”

via Janetter for Mac

Fuck. I just had my personal Eureka Moment. I actually more or less understand what this guy is getting at. Fuck you, Turing!

via Janetter for Mac

Something something Jaccard Index something Dice Index something something Manhattan Distance something Cosine Distance.

via Janetter for Mac

SC: Understand your objects. Often you can transform them into vectors, and we have fast ways of handling vectors.

via Janetter for Mac

@gavincostello Here’s the audio of “The Political Economy of the Cyber-security and Malware Markets” you were after. scmagazine.com.au/News/361877,bp…

via Janetter for Mac

RT @darrenpauli: audio: Michael Sulmeyer: The Political Economy of the Cyber-security and Malware Markets t.co

via Janetter for Mac

Example: “Comparing two 100kB strings using the edit distance is impractically slow. Transform the strings to vectors and use N-Grams.”

via Janetter for Mac

This presentation assumes you have a tertiary-level understanding of computing science or pure mathematics. Whirlwind tour indeed.

via Janetter for Mac

First up Day 2, “A Whirlwind Tour of Academic Techniques for Real-World Security Researchers” by @silviocesare ruxconbreakpoint.com/speakers/#Silv…

via Janetter for Mac

New at Corrupted Nerds: “Breakpoint Day 1: Smart TVs to the digital arms trade” corruptednerds.com/blog/breakpoin…

via Janetter for Mac

Fri plan: 0900 Breakpoint conference Day 2 ruxconbreakpoint.com, mute to avoid; writing during conference; evening TBA.

via Janetter for Mac

mathewi former NSA spy boss blabbing on the train RT @rossneumann: wow RT @b_fung: This is incredible pic.twitter.com/eiNl0QXnfM

via TweetDeck (retweeted on 7:59 AM, Oct 25th, 2013 via Janetter for Mac)

johnthelutheran If only the internet provided some other means by which aggrieved Disney customers could download another copy of the films they’ve paid for

via Twitter for Websites (retweeted on 7:35 AM, Oct 25th, 2013 via Janetter for Mac)

meyerweb “Thanks for buying ‘The Lion King’! Now you can’t have it any more.” —Disney eemacrumors.com/2013/10/24/app…t

via Safari on iOS (retweeted on 7:35 AM, Oct 25th, 2013 via Janetter for Mac)

@NicholasFryer That too, yes, we all paid dearly for that time… @paulwallbank

via Janetter for Mac in reply to NicholasFryer

@paulwallbank I shared house with @NicholasFryer, and he’s a dear friend. Does it show?

via Janetter for Mac in reply to paulwallbank

@paulwallbank @NicholasFryer I think you’re right, Paul, it has a distinct 1970s feel to it. I’ll check the OED later.

via Janetter for Mac in reply to paulwallbank

@NicholasFryer @paulwallbank The etymology is “fake grass-roots movement”.

via Janetter for Mac in reply to NicholasFryer

@NicholasFryer That’d actually be @paulwallbank’s typo, and “astroturfing” is not really a new word. At least a decade old?

via Janetter for Mac in reply to NicholasFryer

Dear The Media, defacing a Wikipedia page is no more a “hack” than graffiti on a wall is a break-and-enter. FFS catch up to this century!

via Janetter for Mac

RT @mattdasilva: @fieldproducer I’m going to have a digital wallet facility on my website when I move my blog to there … [Good idea.]

via Janetter for Mac

MT @AnthonyClarkAU: Summed up so well. @ Rural Fire Service Headquarters instagram.com/p/f3K2sYPLWr/ [That’s fabulous. Good work, all.]

via Janetter for Mac

Is it “weeps”, though, @mogadeet? Us freelancers are already paid per story, so maybe paying per story to read is logical. @fieldproducer

via Janetter for Mac in reply to mogadeet

fieldproducer Interesting thing a young video gamer said to me recently was news should follow micro-payments model games are going down.

via TweetDeck (retweeted on 6:29 AM, Oct 25th, 2013 via Janetter for Mac)

The ABC @RNmediareport story on how I used @Pozible crowdfunding to get here to Melbourne is at abc.net.au/radionational/…

via Janetter for Mac

Fri plan, draft: Quick writing, depending on timing; Breakpoint conference Day 2 ruxconbreakpoint.com, mute to avoid; evening TBA.

via Janetter for Mac

RT @paulwallbank: Sprung – Samsung fined $340,000 for astroturfing vrge.co/HdgbFdoV via @verge [This gets easier to discover too.]

via Janetter for Mac

Friday. Yep. Friday.

via Janetter for Mac