Last year, I wrote a post outlining some of my focus points for the rest of the year. This is a review of those tasks and an updated perspective for the next year.
Last year, I generically noted that I’d like to get into more hardware security projects. I took on the Juke Box project which was a mixture between hardware hacking, radio, and mobile. I’ve also been doing a lot more soldering to work on Travis Goodspeed’s FaceDancer 11 and GoodFet. I think the new pile of hardware hacking tools in my office reflects a consistent interest in this.
I’ve never had a specific reason for getting my HAM radio license, and I can’t say I’ve really gotten too deep into the HAM community in Rochester, but I have been into a lot more RF related projects this last year. Again, the Juke Box project is an example. I also learned a lot more about using a USRP N210 thanks to Intrepidus Group. Although years down the line, my end goal is to be able to more easily reverse engineer RF signals and hardware. The Juke Box was a good introductory project but some of my next steps have started getting into two way proprietary RF communication. Just writing my own protocols and analyzing them. This has no professional application but I still find it interesting.
I gave myself a goal of “mobile hacking” for this last year but I knew that there was no way I couldn’t improve on this. Work gives me a lot of opportunities to dive into mobile projects so I’ve kept up to date on Android and started diving into Windows Phone 8. Compared to Android, this is a completely foreign monster and a new perspective on a mobile OS. I still won’t be putting my Android down anytime soon but WP8 is going to be pretty interesting. I put on my goal for last year to get into iOS development. While I think I have a decent understanding of the platform from a security perspective, knowledge-wise, I’m still heavy on Android. Unfortunately when I’m deciding what I want to work on over the weekends, Apple just doesn’t rustle my jimmies enough to get motivated. I will still learn more about it but instead of fun exploration, it’ll need to be disciplined learning.
My goal last year was to do another B-SidesROC. Again, pretty predictable that it would happen but I wasn’t sure if it was going to be a “Security B-Sides” event or just a locally run con. There’s been a lot of drama that comes with BSides in the past year so we weren’t sure. People like Jack Daniel, quadling, and banasidhe are still involved in the project which is the only reason I still have hope. Anyways, this next BSidesROC has been ramped up to include a lot of new organizers. People that have been behind the scenes and turned into organizers, and new people that just want to be involved in the project. Every year is pretty stressful but I have a lot of fun attending.
In my post last year, I was planning to replace myself as the Vice-President of the organization. I can say that I succeeded in that, but unfortunately I failed at keeping myself out of the organization’s officers. Berticus stepped down from his two-year tenure as President and I somehow was put in as his replacement. The president position has, since the inception of the group, been something I stayed away from. Mostly because I did not want the group in any way to appear to be “mine” or “led by.” That couldn’t be further from the truth. In fact, I don’t think that the organization would be as cool as it is if it wasn’t for the previous presidents’ involvement. You may find it interesting that I needed to convince Alan, our first president, to become the lead. He is a natural leader and was perfect for the group but he needed a couple dozen shots of Jameson at the local Scottland Yard to convince him to do it but it was worth it. Anyways, I think the group has become matured and defined so there’s not much for me to screw up.
Besides all of the above goals, some things have come about either naturally or accidentally. One of those was doing a few presentations at BSides Detroit and Defcon Skytalks. I took what I thought (and still do) was a pretty weird presentation about hacking RF and hardware and turned it into a pretty entertaining presentation. I really enjoyed the research time (especially at the bar) and I think people appreciated that it was just fun. I also got back into doing internal assessments. It had been a while since I switched jobs that I was doing internals again. Good times.
This coming year, I can see a lot of the same goals but I’d like to be more specific.
Last year, I had this silly presentation that I submitted to a few things. This year, I’d like to be able to apply some serious research into some kind of topic and present at a major con (that one of my friends is not running). Speaking at a con really has no benefit to me and in some ways, I feel like a whore doing it. But I feel like I haven’t contributed enough to the community lately, it would make my employer happier, and it’s a good item to scratch off my hacker bucket list.
OSINT is such a crazy subject to me. The more I discuss it and learn about it, the more opaque and weird it is. I think that any hacker worth his weight in binary knows the standard OSINT tactics especially from a pentester’s perspective. But what about the next level or processing that content or controlling only relevant information? It’s one thing to say I can find the phone number for some guy in Seattle, it’s another to say I can find out when that guy hacks into someone’s system. I’ve also lumped into this subject OPSEC that is in some ways, a counter-intelligence practice. There are a lot of weird ways this could take off but it’s been a research topic of mine for a while. I can see it being applicable from a malware analyzer’s perspective, or pen-testers, or whatever. **I’d like to gain a higher understanding of some of the concepts and apply the research either privately or publicly.**
One of my goals this year is to turn a hardware hack from using tools and breadboards, to a full circuit. This was always the plan with the Juke Box project but it never really arrived. I’d like to find a new project and turn it into a simple circuit. Simple, but a good opportunity.
Berticus has made a very stable iButton door system at Interlock but I’d like to upgrade it to a Raspberry Pi to allow web administration of it. This may seem like an easy goal but completing this would give me a lot of knowledge about 1wire and electric strike plates that I think will be useful. The first goal is to replace the Interlock door system, the second is to start fitting my home doors with a similar mechanism.
That mannequin needs to meet its death this year. Either I rebuild her into something that is repeatedly useful, or I kill her off in a final explosive way. Either way, it needs to be done.
This just needs to happen. This is kind of like all of my friends are jumping off a bridge so I’m going to need to do it as well. Really, from my perspective, there’s not a lot of horribly hackery things you can do with a 3D printer, but they’re just freaking cool. I think that I need to get involved with them, if nothing else, to just expand my knowledge into this realm. I’d like to see if I can’t print a 3D model of myself or someone else.