The End of an Era

It is with a surreal sense of melancholy I announce that on July 15th, 2020, I will be shutting down the last of our user hosting. It has been a long, winding journey for my peers and I. The research projects and personal things will continue here, but it’s time. There are a few branches at the root of this decision: the departure of customers due to their own ends of operation, prospectives that do not follow through with basic requests for information such as amperage requirements or IP justifications eating time I could spend elsewhere getting a serious client, and ultimately COVID causing an inability to spin up new customers. This marks the end of an era for me, and I’ll spend the rest of this post looking back on this journey.

Read More

Def Con 24 Post Mortem

Now that the dust has settled, and the Vegas alsohol has left my system, time to write the post mortem from Def Con 24.

I solved the Caezar Challenge (albiet I needed a tiny hint on the last stage, as there was a lt of confusion with the hint given which was misinterpreted), and got to chew out the guy who broke my lock (all was forgiven we can 3d print new parts). I came close, but did not successfully defuse The Box. And shenanigans ensued.

Read More

Def Con 24 Caezar Challenges URl Solving

Part of the Caezar challenge involved URL forcing. There were four characters, three unique, that were unsolved in the domain name. Using a combination of scripting and nslookup, it was trivial to solve (though later determined not to be necessary, but was possible after solving via traditional substitution cipher. I wont spoil the preferred method here since it was brlliant and may be used again).

Here I explain this process.

Read More

Def Con Update

Hon1nbo here reporting from Def Con 24. I am taking a break from exploding at “The Box,” and sending this to post via raven carriers.

I got a Caezar’s Challenge badge, and whilst I don’t care to spend all of my time cracking the challegnes for the party, I want to give the person who dropped it a piece of my mind since he broke $150 worth of locks on the table in the process.

If you see someone handing out caezars badges say something. Tweet at me.



Def Con 24

As I write this post, sitting on a plane with my bits flowing through the ether that is tunnels and routers of the networking abyss, I ponder my previous years attending Def Con. My first year, DC 19, was fun with the tamper evident competition yet I could have done more had I a full tool set. So I brought one this year. Pelican makes neat tool chests, so I may be wandering around with it at points.

Anyone who wants to say high feel free to call if you see me. Twitter may be the fastest way to get my attention if you can’t find me.

I have to run fo the moment. The flight attendents are complaining that a purple tail is wagging into the person next to me. I have tried explaining that it must be an optical illusion, as there is no tail, but to no avail.


Site Changes

The site is getting worked on again.

However, since i like to move fast and break things I am bypassing QA right now and, as long as my content is there, letting things happen. So formatting may look weird here and there but unless a link is actually broken, or content missing, please do not bother telling me as I likely know (and am in the middle of fiddling with it).




DEFCON for N00bs (v0.1)

The first revision of DEFCON for Noobs is up. Still very rough, early draft, and missing many things. However, I figured a living document is better and would do better with feedback.

Check it out


Carry On Leaking: When Corporate Security Goes Really, Really Wrong

I had a nice time being interviewed by The Guardian regarding my disclosure of a password leaked from the Nuclear Regulatory Commission. While the NRC insists that this is a non-issue (and in the case of this protected system was the case), it exposes a deeper and more fundamental problem regarding how  systems are secured in the first place. First, the fact that this one file and nothing else in that directory was visible indicates Discretionary access controls rather than Role-based or mandatory. Furthermore, it shows that this type of problem can lie unsolved for years and affect more systems than people realize.

The Guardian: Carry On Leaking: When Corporate Security Goes Really, Really Wrong