• Hackability

    Zapp, 01/07/2017 at 16:31, 0 comments

      DEF CON 24

      One of the basic features of our DC24 badge was design for hackability. Personally, the badge project was a journey into embedded electronics. I got started with an Arduino and a breadboard; this is what I was familiar with. I designed Bender along those lines. The hardware was inspired by the Maple Mini from Leaf Labs and Espruino (both STM32F103) and ran an Arduino framework called stm32duino. We exposed as much IO as possible around Bender's eyes, provided SWD and FTDI interfaces, and USB for UART and DFU.

      We know of one user hacking their badge. @mediumrehr added his own cigar PCB and spectrum analyzer to Bender. It was amazing to watch, and his design fit so well.

      This approach had some issues, however:

      1. It required source code to modify the badge - which we didn't release until after DEF CON
      2. stm32duino is not a straightforward install - it requires many steps and is not managed through the Arduino IDE.
      3. The SWD interface was not enabled in the firmware - we released an update that enables it but at DEF CON it was not working

      All in all we were very happy with the badges. We know of at least two people who have created their own Benders from GitHub, so it can't be that hard. If you see anybody with a Purple Bender, buy them a drink. They made it themselves and it was not easy.

      DEF CON 25

      Based off our experience at DEF CON 24, our goal remains the same: Make the Badge Hackable but we want to see your hacks in Las Vegas. We want you to share your hacks. So we're changing things up. This year's badge is not based off a development board. It is completely original. There will be no USB but there will be SWD. We will expose as much GPIO as we can. And we will provide physical dimensions where it makes sense. Finally, we want the barrier-to-hacking to be as low as possible. How? We're not sure yet, but last year the goal was nothing more than a laptop, the Arduino IDE, and stm32duino.

  • Badge Art Contest

    Hyr0n, 01/04/2017 at 07:34, 1 comment

      So from the public's POV, you saw this on our Twitter feed. We decided to get the hype train going a little early and threw a game together to give the l337 H@x0r community of DEFCON something to do over the holiday break. BEFORE READING ANY FURTHER, KNOW THAT THIS IS AN UBER SPOILER OF THE CONTEST STEPS. IT HAS BEEN WON ALREADY, BUT IF YOU STILL WANT TO GIVE YOUR SKILLS A SHOT, DON'T READ FURTHER...or if you're the kind of person who racked out their NES checklist with a Game Genie to skip past the hard parts so you could have lunchtime bragging rights of the final boss details, by all means keep reading ;) And if you're too young to know what a Game Genie is...sigh...

      Anyway, about a month ago over a much inebriated brewery board meeting, we locked down a functional baseline of our DC25 badge. At some point, we started thinking of ways to have fun with a contest, and thus this cluster fuck was born. Over a lot of booze.

      We figured, since we were going to give away a free badge, you should f-ing work for it. Instead of going the route of a certain genre of our DC interests, we decided to just layer and sandwich a bunch of stuff together. We knew since mid-October-ish (that's a word, right?) we were going to do something, so we started tweeting out easter eggs and hiding stuff in YouTube videos we knew we could use later on... It could have been the booze talking too...

      Now at the same time when the contest started, we were running a booster campaign. https://www.booster.com/andnxor Designing and prototyping badges isn't cheap. It costs us a lot of money. So we were boosting with shirts that contained a silhouette of the badge design. It had a cryptic message: 42 59 54 45 20 4d 59 20 53 48 49 4e 59 20 4d 45 54 41 4c 20 42 41 44 47 45 21

      I won't give that one away, but c'mon, find your favorite HEX to ASCII converter. So instantly we got many MANY guesses that, that was the secret phrase. Well our tweet said "badge design" and this is an outline. Doesn't show you much. To be fair, we quickly told everyone it had nothing to do with the Booster site. But that was a good warm-up for things to come.

      Okay so, in step by step, lead you by the hand fashion, here's a typical way someone could have gone about winning the contest.

      1. It was hidden somewhere on the internet....try our web page
        1. There's only a couple of images. If one tried to download MANBEARPIG (which we referred to a ridiculous amount of times on Twitter) you would notice you can't. We blocked it out with CSS.
      2. View Page Source
          1. Well looky here, there's the name of the style sheet "andnxor.css". Let's type that in...
        1. Looks like someone updated the manbearpig.png with a new version "v2", that's odd. Let's download it. Now that we know the file name, you can just type it in the browser address, and save as. Wow that took forever, right? Well most people wouldn't notice cuz their interweb speeds are so fast. But look at the file properties. Isn't it a little odd that you have a BLACK AND WHITE PNG image that's 800kb?
        2. Steganography - the practice of concealing messages or information within other nonsecret text or data. Now this is where paths can diverge on solving the puzzle. You could verify something is hidden the proper way, load it in a hex editor, and notice the regularly unused bits of the image have data in them. Or just hack around. There's many steganography applications out there, even fewer are free and open source.
        3. Load the Image in OpenStego
          1. Given the shit I've put you through thus far, you should assume it's just not that easy. Of course we damn well password protected it. There were many hints thrown out on Twitter, YouTube and chats...
          2. I even blurted out "C1E169852F1D95CC2DA7AA791E5F4EFF"
            1. Try cracking the hash
          3. All signs point to the password being "EXCELSIOR!"
        4. Cool, so you now have a PNG with something hidden inside of it, OpenStego, and a password. Extract it and what do you get......
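
The size check described in the steps above, as an added example that is not part of the original post: a small Python inspector that walks a PNG's chunks and reports how well the pixel data compressed, how many distinct sample values it holds, and whether any bytes follow IEND. The two 64x64 images are constructed sample input, and the function names are this example's own.

```python
import random, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel

def chunk(kind, body):
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))

def make_png(width, rows, trailer=b""):
    """Constructed 8-bit greyscale PNG with unfiltered scanlines (sample input)."""
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 0, 0, 0, 0)
    idat = zlib.compress(b"".join(b"\x00" + bytes(r) for r in rows), 9)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailer

def inspect_png(data):
    """Report the signals a manual hex-editor check of a PNG would look for."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, info = 8, b"", {}
    while pos + 12 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(kind + body):
            raise ValueError("bad CRC in %r chunk" % kind)
        pos += 12 + length
        if kind == b"IHDR":
            w, h, depth, ctype = struct.unpack(">IIBB", body[:10])
        elif kind == b"IDAT":
            idat += body
        elif kind == b"IEND":
            break
    raw = zlib.decompress(idat)
    stride = 1 + (w * CHANNELS[ctype] * depth + 7) // 8
    rows = [raw[i:i + stride] for i in range(0, len(raw), stride)]
    info.update(width=w, height=h, color_type=ctype, bit_depth=depth)
    info["compression_ratio"] = round(len(idat) / len(raw), 3)
    info["trailing_bytes"] = len(data) - pos  # anything after IEND is not image data
    # Sample values are only directly readable when every scanline uses filter type 0.
    unfiltered = all(r[0] == 0 for r in rows)
    info["distinct_values"] = len(set(b"".join(r[1:] for r in rows))) if unfiltered else None
    return info

def samples():
    """Two constructed 64x64 images: plain black/white, and the same with random low bits."""
    rng = random.Random(25)
    plain = [[0 if y < 32 else 255] * 64 for y in range(64)]
    noisy = [[(v & 0xFE) | rng.getrandbits(1) for v in row] for row in plain]
    return make_png(64, plain), make_png(64, noisy, trailer=b"constructed trailer")
```

A plain two-tone image compresses to a tiny fraction of its raw size; random-looking low bits push the ratio up and double the number of distinct sample values.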

    • We're Back!

      Zapp, 12/30/2016 at 17:33, 0 comments

      We can't say this enough, but we were blown away by the response we got from the DEF CON community last year. DC24 was an amazing experience; we met so many great people. Our experience from the conference can be summed up in this tweet by @wookie_p:

      "True cost of the Bender badge: takes 2x longer to walk con floor. So many questions about badge!"

      The plan for DC25 was to take a few months off and come up with ideas. This didn't exactly happen; we went right into testing and prototyping. We have an initial list of 30+ features to incorporate, a BOM, and a design. We aren't ready to release many of those details yet. But here's what we are ready to say:

      • It will be bigger - roughly twice the surface area of last year's badge
      • There will be more - at least double, this is dependent on how much money we can come up with as a group
      • The BOM has doubled in cost - we will try to keep the final cost in check through crowd funding and sponsorships TBD
      • We will not be doing production by hand
      • The badge will not be running Arduino - sorry Zapp can't handle the IDE any longer
      • The badge will be hackable - bring your SWD tools
      • There will be a lot more bling
      • The RF will work

      Stay tuned, we will continue to use Twitter and Hackaday.io to release details.