
Crypto Challenge HackChat Transcript

An event log for Crypto Challenge Chat

We'll be discussing the Crypto challenges released at Defcon!

Shulie Tornel 08/11/2017 at 19:02

Sophi Kravitz OK let's get started

davedarko colrceyhnpagtle. sounds klingon.

Sophi Kravitz Who here worked on a badge?

Karl Koscher I certainly did

Bill-Paul I did. https://dc25spqr.com/

Sophi Kravitz // waits ....

jculberts o/

jculberts I help Karl

Sophi Kravitz Alright then! Karl and Bill, can you introduce yourselves? And then I reserve the right to ask the first question

Sophi Kravitz Sorry Bill-Paul

Karl Koscher Sure! I'm one of the organizers of the Crypto and Privacy Village at DEF CON. Part of my responsibilities include producing the badge :)

Bill-Paul I did firmware development for the Ides of DEF CON badge along with John Adams. (Our friend Egan Hirvela did game play design for us and Matt Harris did the character art.)

Bill-Paul I also work in the VxWorks Core OS group at Wind River Systems (an Intel company).

Sophi Kravitz So first question is from me: how do you define crypto challenge? is there a challenge that everyone knows about or do you have to guess that there is one happening?

Sophi Kravitz (after you guys are done with intros)

Karl Koscher We have done a couple of crypto challenges in the past. They usually take the form of puzzles with elements that are woven into various things

Karl Koscher This year we had a snapchat filter which interacted with the floor to produce something, puzzles on the physical badge, part of puzzles on the lanyard and keys we gave out, and a bunch more on our website

Bill-Paul In our case there were a couple of puzzles (which John worked on mostly). There was a URL that led to some puzzles, and we had one special unlock code that led to a puzzle for an invite to a party at the con.

-= Wolf =- what is the main purpose of a crypto challenge? to grow interest on Crypto software?, to keep people interested on the subject? or just fun?

Karl Koscher In the past, we used the badge to validate answers to the puzzle, and even had a challenge hidden in the badge

Sophi Kravitz @Karl Koscher how did people know there was a challenge?

Bill-Paul Oh, also, one of our sponsors (Avast) asked us to include a touch-tone audio sequence which would lead you to an IP address and port where they had an old school BBS set up.

Karl Koscher I guess if it's your first time at DEF CON you might not know, especially if you don't interact with other people, but it's pretty obvious to people looking for one

Karl Koscher like, we have random letters on the lanyard. what other purpose would those have? :)

Karl Koscher and random dot patterns on the badge

Sophi Kravitz ah ok

Sophi Kravitz I have not been to DEF CON

Bill-Paul Apparently some people can decode the tones by ear so we were counting on that.

Karl Koscher I believe this year we actually had handouts for some of the puzzles at our info desk, so it was easy to find

Sophi Kravitz I imagine that many people on this chat haven't been either

Shulie: Decode the tones by ear, wow, that is insane. :)

Sophi Kravitz by ear???? WHAT?

Frank Buss @Karl Koscher are you LosT/李智上 on twitter?

Bill-Paul Yeah, I think hard core phreakers have the sounds memorized or something. :)

James Murphy I've been following Def Con for about 7 years but have never attended. I would like to but $$ is the issue.

Karl Koscher I am not LosT

Bill-Paul I actually have a touch-tone decoder board I built years ago using a DTMF decode chip from Radio Shack which I used to validate that we were generating them right.

Bill-Paul Of course you could also just look in the source code. :)

jculberts These are the puzzles at the top of the badge.

Frank Buss I tried some of the puzzles, but too complicated for me

jculberts dang, it didn't keep the rotation.

Karl Koscher @jculberts: can you also post a photo of the dots?

jculberts also, the box has a nice inviting URL to our puzzle website.

Bill-Paul The only real crypto feature we had on our badge was that we turned on the AES-128 encryption in the radio.

Sophi Kravitz anyone have badge pics?

Karl Koscher I would say a lot of "crypto" challenges don't actually involve real cryptography

Sophi Kravitz @Bill-Paul I have that DTMF chip!!!

Sophi Kravitz Ahhhh Radio Shack.... sigh

Karl Koscher some puzzles will occasionally use classic cipher systems, like a caesar cipher, Vigenère cipher, etc

Karl Koscher A couple of years ago we did have two puzzles as part of our overall challenge that did require attacking modern crypto systems

Bill-Paul Oh, if you got to the shell on our badge, there was a caesar cipher command. I think John added that just for kicks, since our badge had a Roman theme.

Sophi Kravitz @Karl Koscher what is real cryptography?

Bill-Paul Actually, hackaday has an article with pictures of our badge: http://hackaday.com/2017/08/04/all-the-hardware-badges-of-def-con-25/

Sophi Kravitz I saw that article

Frank Buss I guess you just have to find the github repository of the badge firmware source code, then the challenges are easy :-)

Sophi Kravitz Just thought for the > 40 (possibly lazy) people on the chat, it's more convenient

Bill-Paul Our badge only had 128KB of flash and 16KB of RAM, so we didn't really have room to include encryption libraries.

Bill-Paul But the radio has AES-128 support in hardware.

Karl Koscher @Sophi Kravitz: I would consider anything "modern" as "real". And by "modern," I mean after the 1970s or so, and where the security of the system depends entirely on the key

Karl Koscher so, things like DES, AES, RSA, RC4, etc.

Bill-Paul Someone asked how to prevent cheating. In our case, we shipped the badges with production firmware that had an AES key in it which was different from the one in the source tree (which was just a placeholder).

Bill-Paul You could download our source and compile your own firmware images and flash them, and they would run, but your badge would not be able to talk to the other ones.

Bill-Paul We've since checked that key into the git repo now that the con is over. :)

Karl Koscher On that topic, a couple years ago our badge would validate "flags" that you submitted (solutions to puzzles)

Frank Buss you could have read the firmware with a JTAG programmer

Bill-Paul Yes, but it would take you some work to isolate the key in the flat binary file.

Frank Buss well, not long with IDA Pro etc.

Karl Koscher Or you could just look at the git history where they accidentally checked it in for a bit ;)

Karl Koscher *cough*

Frank Buss lol

Bill-Paul Yeah, I ribbed John about that already.

Sophi Kravitz so people are monitoring the github all the time? just waiting for someone to check it in for a few minutes?

Sophi Kravitz also

Bill-Paul People who bought badges, I guess.

Frank Buss classic problem, there is other data in github as well which was not meant to be stored there

Sophi Kravitz how many people solve each puzzle?

Karl Koscher I'm not sure they are. But it is very hard to rewrite history on github, so if you make a mistake, you're kind of stuck with it.

Bill-Paul I think only a couple of people built custom firmware. One of them was Zapp from the and!xor group.

Karl Koscher As far as we know, only one team solved the puzzle from two years ago. I believe at least two teams solved everything this year.

Karl Koscher there are several teams who solve many problems

Sophi Kravitz you guys are making me want to go to DEF CON

Sophi Kravitz just to solve pizzles

Karl Koscher you should do it!

Sophi Kravitz puzzles

Karl Koscher There are several teams of people who do nothing but puzzles at defcon

Sophi Kravitz yeah something about Las Vegas in July....

Bill-Paul There are many contests in general.

Sophi Kravitz how do you find out about them though?

jculberts the trick is to book your room at the same hotel and never go outside

Bill-Paul There is a contest area.

Frank Buss they are really difficult, one of their goals is to encourage team work

Sophi Kravitz @jculberts yeah that would be me

Bill-Paul Also some villages have their own; I think you just need to visit them.

Karl Koscher For validating the flags on the DC23 badge, we didn't want to lock the microcontroller down, so we ended up hashing the flags through about 3000 rounds of XXTEA, so even if someone extracted the firmware, DEF CON would be over before you could brute force the flags

Bill-Paul Sadly we spent a lot of time reworking badges that failed QA.

Sophi Kravitz how many badges did you bring?

Sophi Kravitz what is the average cost of a badge?

Bill-Paul Our production run was 225. Some were reserved for kickstarter backers. Unfortunately we had about a 34% failure rate.

Bill-Paul We managed to fix many of them and got that number down to single digits.

Bill-Paul But it was a pain.

Todd Was the failure rate attributable to any particular thing?

Bill-Paul Two things.

Karl Koscher We made about 500 and sold them for $120. Badges tend to vary in price. We (and the AND!XOR badge) were at the upper end. Some badges are handed out freely, and some go for $30 or so. And then there's a bunch all over the range. BUT -- you did not have to have our badge to do the puzzle.

Bill-Paul 1) We used this CPU: http://www.nxp.com/products/wireless-connectivity/sub-1-ghz-wireless-solutions/kinetis-kw0x-48-mhz-sub-1-ghz-wireless-radio-microcontrollers-mcus-based-on-arm-cortex-m0-plus-core:KW0x

Bill-Paul It's neat, but the solder footprint for it is murder.

jculberts In fact the group that solved our puzzle didn't have badges, and they won them as part of their prize.

Bill-Paul In particular there are two large pads under the chip, and the solder can pool and cause the chip to float slightly.

Bill-Paul A lot of our problems were due to soldering issues with the CPU.

Todd Neat that they won the badges from doing the puzzle.

Bill-Paul 2) Those wretched ws2812b LEDs.

Karl Koscher There's another question about the keys we had at DEF CON. Those were part of a puzzle. :)

Bill-Paul They can't handle high heat. Our fabricator used a lead free process which requires high temperatures, and that caused many LEDs to fail.

Todd Oh, I see, the bottom mount chip "pins"... ugh

Karl Koscher The back of the keys has a patent number on it. If you look up the patent, it's for a One Time Pad

Karl Koscher which gives you a hint about how to solve the puzzle

Bill-Paul And replacing them was a pain, because when you hit them with the hot air gun to unsolder them, you run the risk of damaging a neighboring LED. So it becomes like a game of whack-a-mole.

jculberts We had some people ask "you patented these things!?"

Bill-Paul We had some oddball things though. Some badges were marked as failed, but all they needed was to have their flash erased and reprogrammed. A couple of boards had the CPU mounted upside-down (rotated 180 degrees). One board had no CPU at all.

Karl Koscher (I don't actually know how to solve that one... I didn't make any of the puzzles this year. That was Whitney, Maya, and straithe)

Sophi Kravitz @Bill-Paul what's the deal with WS2812b? (doing a project with them now...what to look out for?)

Bill-Paul As for cost, estimated cost per board was about $112. Now, that includes cost for screens, batteries, SD cards, lanyards, boxes, challenge coins, instruction sheets, etc...

Todd "missing CPU" is a troubleshooting step even I can do ;)

Sophi Kravitz HAHAHA I guess "missing CPU" might be obvious?

Bill-Paul Yeah we have no idea how that happened. My suspicion is the fabricator was trying to rework that board and removed the CPU and didn't get a chance to put it back before we asked them to just send us everything.

Sophi Kravitz ooooo

Frank Buss I have a client who has an agreement with the fabricator that they test the boards with a test-jig I helped develop, and ship us only working boards

Bill-Paul But yeah, if you add up how much we spent total for parts and fab costs and divide by the number of badges, it was about $112 per badge.

Todd that's a nice chunk of change.

Bill-Paul We paid extra money for test and rework of failed boards. Unfortunately we really needed about 3 or 4 more weeks for them to finish.

Bill-Paul I think we raised about $30K total (between kickstarter and other sponsors) and we ended up about $600 in the red.

Frank Buss that was lucky

Bill-Paul However John managed to fix a few more badges after the con and is eBay-ing them, so we might just break even.

Frank Buss imagine 50% failed :-)

Bill-Paul The kickstarter blew me away: it raised about $23K all together, and it only ran for 18 days. I think we sold out all the badge rewards in less than 10 days.

Sophi Kravitz wow

Shulie: Does your team usually end up in the red (loss)?

Bill-Paul Well, this was our first year doing this.

Shulie: Ohh

Todd not that this is a profit maker but maybe breaking even is tough given all the time and effort.

Bill-Paul I think we did pretty well for our first time out. We did not set out to make money.

Shulie: Yeah, definitely about the passion and love for badge life.

Bill-Paul Though we were hoping not to lose a lot of money either.

Bill-Paul I think we will try for 500 units next year.

Karl Koscher so is that an official announcement that you're returning to do another badge next year? :D

Sophi Kravitz :D

Bill-Paul I felt bad when people would see me with my badge at the con and ask where they could get one and I had to tell them we were sold out. :/

Bill-Paul I can confirm or deny nothing. :)

Karl Koscher let me tell you... 500 is a lot. But you will still sell out.

Bill-Paul Yes. And you will see people walking around with a dozen badges around their neck.

jculberts 500 is just the right amount where you get pretty good bulk discounts on everything

Karl Koscher Unfortunately we left too many things to the last minute, so I spent at least half of the con finishing the firmware, flashing badges, test badges, putting badges in boxes, selling badges, etc.

Bill-Paul We had our firmware done first. Freescale/NXP has a reference board you can buy that has the KW01 chip on it, and we used that for prototyping (with a special cable harness to connect the screen).

Bill-Paul Sadly it takes about 2 weeks to get a prototype board fabbed, and we had one prototype rev that failed because of a slight error in the CPU footprint.

Sophi Kravitz when did you start thinking about the badge?

Bill-Paul So that was 2 weeks and a few hundred bucks down the tubes.

Frank Buss you can get a board in 2 days, if you pay a lot :-)

Sophi Kravitz and is it hard to wrangle the design team to consensus or does one person do the design only?

Bill-Paul I think John started thinking about it last August, after he got back from DC24.

Bill-Paul Our design team was mainly 2 people.

Frank Buss you didn't solder them yourself? even BGA chips is not too difficult with a stencil and reflow oven

Bill-Paul The hardest thing is picking a base platform. And that sucks, because you can either get good battery life or good performance, but not both.

Bill-Paul We didn't want to solder 225 boards with that KW01 chip and its wacky footprint.

Frank Buss sure, I mean in the prototype phase :-)

Frank Buss I see, 225 boards had the wrong footprint? that's bad

Bill-Paul Er... no, soldering the KW01 by hand would have just been too tricky for us.

Bill-Paul Also neither of us has tried to solder with an oven before.

Bill-Paul We decided we could either pull our hair out and spend more time, or just throw money at the problem. :)

Frank Buss you should try it, it is not too difficult, I use a pizza oven for it, with an external controller

Sophi Kravitz do companies who make the base chips try to get you to advertise for them?

Sophi Kravitz I use a $40 pancake griddle from Walmart :D

Bill-Paul I don't think NXP even knows we used it.

Sophi Kravitz they'd probably be all over you if they knew

Bill-Paul Honestly we hadn't thought of that.

Karl Koscher I know Espressif sponsored the SHA2017 badge

Karl Koscher which used the ESP32

Bill-Paul Our sponsors were largely security firms that had an interest in DEF CON already.

Todd What did the sponsors get?

Bill-Paul Their logos on the lanyards, their logos in the boot screen, and the options to a certain number of badges.

Bill-Paul Unfortunately if you say "you can have up to 10 badges" and then ask how many they want, they will say "10."

Todd shocking, not shocking. ;)

Bill-Paul Although I think one of those 10 badges ended up around the neck of Garry Kasparov.

Karl Koscher indeed. the video of his talk is online now, and he was sporting one

Todd that's pretty sweet

Bill-Paul Yeah that was totally unexpected.

Todd it's a beautiful badge.

Bill-Paul Also, in terms of work, we somehow managed to find a good division of labor. John did the entire game app, along with the home screen app, launcher app, unlocks app and the LED effects, and I did the OS bring-up, driver support, and remaining apps.

Bill-Paul But John did all of the physical board design, and also dealt with all the logistics and finances.

Sophi Kravitz Do you live in the same place?

Todd Congrats. That's a ton of work for 2 people.

Bill-Paul That meant ordering screens, SD cards, batteries, lanyards, challenge coins, boxes, wrangling the fab house, running the kickstarter, etc...

Frank Buss did you develop it all on the real hardware? for more complex project I find it easier to implement a hardware abstraction and then just develop the whole thing on a PC

Bill-Paul Yes, we both live in SF.

Bill-Paul Yes, we used the NXP Freedom reference board.

Frank Buss this sounds painful :-)

Bill-Paul The problem is the screen and SD card were a key part of the design.

Bill-Paul I didn't want to write simulations for those.

Frank Buss the screen is just a Window, one hour even with low-level Win32 GDI

Frank Buss 15 minutes in Qt :-)

Bill-Paul Well... I needed to be able to write driver support for the screen.

Bill-Paul Which is done using the KW01's SPI controller.

Bill-Paul And we had to use the uGFX library.

Bill-Paul Which you can port to UNIX/Linux i suppose.

Sophi Kravitz I'm going to jump off, but you all should keep talking!

Shulie: I'm here :)

Sophi Kravitz @Shulie Tornel will be posting a transcript at some point

Bill-Paul Ok, thanks. :)

Karl Koscher o/

Bill-Paul I will hang around for a few more minutes, but then I need to grab lunch.

Sophi Kravitz Thanks @Bill-Paul and @Karl Koscher for being here!

Karl Koscher same!

Sophi Kravitz this was super informative, especially since I was wondering how it all worked

Shulie: yeah, super informative and I adore what you guys do.

Bill-Paul It's turtles all the way down.

Karl Koscher thanks!

Todd thanks

Bill-Paul Also, I looked around a bit for ARM simulators. QEMU kind of works, but again it needs to be able to support the peripherals you want to use.

Bill-Paul You can get the OS off the ground, but after that you need real boards.

Bill-Paul This was the board we initially used: http://www.nxp.com/products/developer-resources/hardware-development-tools/freedom-development-boards/freedom-development-board-for-kinetis-kw0x:FRDM-KW019032

Bill-Paul Our code will still run on this board too, just make sure to turn off the joypad support in the Makefile because it doesn't have the right button setup.

Frank Buss You could write the software in a way that you don't need an ARM emulator. I used to write a firmware in C which worked on a HC08 microcontroller, and the same source code was used inside a simulator in Visual Studio, so the customer could get an exe file for quick tests of new features without the actual hardware

Frank Buss in my experience it is less work to write a simulator than the cumbersome compile/flash/test cycles with real hardware

Frank Buss and usually embedded hardware debuggers suck :-)

Bill-Paul Yeah, we used GCC and OpenOCD for compile and debug.

Bill-Paul We ended up buying the Olimex USB ARM JTAG debuggers (which use the FTDI chips).

Bill-Paul Those NXP ref boards come with a second ARM CPU running OpenSDA firmware which allows you to do debug via CMSIS-DAP without extra hardware, but John had trouble getting OpenOCD to work with that on his Mac.

Bill-Paul It worked ok for me on FreeBSD.

Bill-Paul The KW01 only has 2 hardware breakpoints though. (You can't do soft breakpoints because you're running from flash.) That can make debugging complex problems a little tricky.

Bill-Paul Also, while it sucks having only 16KB of RAM, it sure makes it easy to find memory leaks. :)
