def con

    We survived Def Con. Barely. It was about as much fun as I’m physically able to tolerate in 1 week. Highlights:

    • Meeting many online friends and finding out they’re all delightful in person.
    • Seeing it all through my first-time-attendee wife’s eyes as we meandered through it all.
    • Coordinating, conspiring, and scheming face-to-face.
    • Being on the team taking 2nd-place in the EFF Tech Trivia contest.
    • Oh yeah, the parties.

    We’re both happy, grinning, utterly exhausted, energized, and ready for next year.

    Def Con badge acquired. Most of the way through the merch line; another 4 hours at most.

    A roughly cat-shaped clear badge with electronics inside, displaying a Gameboy-style game. It’s glowing with bluish LEDs, except for the red left eye.

    We made it to Vegas in 1 piece, ate a deliciously unhealthy lunch, checked in early (pro-tip: pay the $15 extra for a room upgrade if given the option), and set up the WiFi router that lets all our devices connect to the Internet at the same time without paying an arm and a leg every day.

It’s been a busy morning. Now we rest, re-caffeinate, and then hit the strip.

    DEF CON is nearly upon us. Today we’re finishing our packing, checking into flights, finalizing plans to meet with friends, and twiddling our thumbs until it’s time to go to bed and wake up early.

    Hope to see y’all there!

    My last work day before Def Con. I’m getting so excited and a little anxious! I’m going to see a lot, learn a lot, maybe teach some, and reunite with some of my favorite people in the world.

    “Summer camp”, indeed.

    My friends and I are getting ready for the EFF Tech Trivia contest at DEF CON. We took a year off after winning in 2022. Now we’re returning to reclaim our bragging rights.

    I’m testing a new writing workflow to prepare for DEF CON. It looks like:

    1. Type something on my Freewrite Alpha.
    2. It shows up on my blog.

    The advantage is that publishing is about as quick and seamless as it can possibly be. The disadvantage is that the published content is raw, first-draft quality. That’s a motivation to write it right the first time.

    I’m going to DEF CON next month. I’ll be live-blogging my way through it to give a peek inside wherever and whenever I have permission from the people around me to do so. If I hear a great story that can be shared, so will you.

    This is an experiment. I’ll knock it off if someone tells me I’m being annoying. I’m there as an attendee, not as a journalist (which I’m not). It’s just that every year there are tales that need to be told. I’d like to help tell them.

    Veilid in The Washington Post

    I’ve been helping on a fun project with some incredibly brilliant friends. I found myself talking about it to a reporter at The Washington Post. The story just came out. My part was crucial, insightful, and far, far down the page:

    Once known for distributing hacking tools and shaming software companies into improving their security, a famed group of technology activists is now working to develop a system that will allow the creation of messaging and social networking apps that won’t keep hold of users’ personal data. […] “It’s a new way of combining [technologies] to work together,” said Strauser, who is the lead security architect at a digital health company.

    You bet I’m letting this go to my head.

    At work: “Kirk, I think you’re wrong.” “Well, one of us was featured in WaPo, so we’ll just admit that I’m the expert here.”

At home: “Honey, can you take the trash out?” “People in The Washington Post can’t be expected to just…” “Take this out, ‘please’.”

    But really, Veilid is incredibly neat and I’m awed by the people I’ve been lucky to work with. Check it out after the launch next week at DEF CON 31.

    Trying (and Failing) to hack the Wall of Sheep

    The Wall of Sheep is a popular exhibit at DEF CON. Participants run packet sniffers on an insecure Wi-Fi network and try to catch people logging into unencrypted websites and other services. If they see that happening, they post the person’s username and password on a giant display. It looks something like:

    Sample Wall of Sheep

    That’s an excellent reminder to be careful when you’re connected to an unknown network, and not to send your login credentials out in the open.

    From the first time I saw it, though, I had to wonder: is the wall itself hackable? Could I make it look like this instead?

    Snoop onto them, as they snoop onto us.

    The idea kept bouncing around the back of my mind until I added it to my to-do list so I could stop thinking about it. I had to at least try it.

    To do: hack the wall!

    Assumptions

    I know nothing about the Wall of Sheep’s internal workings. That’s deliberate. I wanted to test this for the fun of it, and part of the challenge was to see how far I could get without any knowledge of it. I had to make a few assumptions:

    1. If you’re connected to the right Wi-Fi network and submit credentials in plaintext, they’ll be shown on the wall.
    2. The process of getting captured credentials on the wall is automated.
    3. The wall is rendered by a web browser.
    4. The wall’s software has been around for a while and wasn’t written to be particularly secure. After all, it’s on the attacking end, right?
    5. No one’s tried this before, so no one’s fixed it before.

    Choosing the attack

    If the above assumptions are true, the obvious attack vector is Cross Site Scripting (XSS). The method is to create a snippet of JavaScript and then trick the Wall of Sheep into displaying — and executing — it. This should work:

<script type="text/javascript">alert("I was here.");</script>

    But how do I get that onto the board? The password field is usually censored, such as hunter2 being masked to hunt***. That would destroy the payload, so that wouldn’t work. Is there a way to make a DNS hostname that renders correctly? Eh, maybe, but crafting that sounds like work. (Note to self: but boy, wouldn’t that wreak havoc on the web? Huh. I’ve gotta look into that.)

    However, look at that lovely login field. It’s just sitting out there in full, uncensored, plaintext glory. Jackpot! That’s where I’ll inject the JavaScript.

    Setting up a webserver

    This attack requires a webserver to send those faked credentials to. For ease of implementation, I configured HTTP Basic authentication with:

• Username: Me<script ...
• Password: lol

Remember how I’ve wanted to do this for years? Guess who suddenly remembered to do it on the last day of DEF CON. Everything after this was done on my iPhone with Vim in an SSH client. This was not an ideal way to do something technical. Learn from my mistakes: failing to plan is planning to fail.
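To make the mechanics of the attempt concrete, here is an added example (my own illustration, not code from the post or from the Wall of Sheep) of the two pieces the plan relied on: pulling a username and password out of a sniffed HTTP Basic auth request, and the difference between a wall that drops the username straight into HTML and one that escapes it first. The captured request, the IP address, and the function names are all constructed for the example.

```python
import base64
import html
import re

# Constructed stand-in for what a sniffer sees when someone logs into a plain-HTTP
# site that uses HTTP Basic auth. The username carries the <script> payload from
# the post; the password is "lol". Not a real capture.
CAPTURED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Authorization: Basic "
    + base64.b64encode(b'Me<script>alert("I was here.");</script>:lol').decode()
    + "\r\n\r\n"
)

AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M)


def extract_basic_credentials(raw_request):
    """Return (username, password) from a Basic Authorization header, or None.

    Basic auth is just base64("user:pass"), which is why it shows up on the wall
    so easily when sent over plain HTTP.
    """
    match = AUTH_RE.search(raw_request)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: not base64, or not text
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def mask_password(password, visible=4):
    """Censor the way the wall does: hunter2 -> hunt***."""
    return password[:visible] + "*" * max(len(password) - visible, 0)


def render_unsafe(user, password):
    """What the plan hoped for: the username interpolated raw into the page."""
    return f"<li>{user} / {mask_password(password)}</li>"


def render_safe(user, password):
    """Hardened rendering: every captured field is HTML-escaped before display."""
    return f"<li>{html.escape(user)} / {html.escape(mask_password(password))}</li>"
```

Run through render_safe, the payload arrives on the display as literal text (&lt;script&gt;...), which is all a browser-rendered wall needs to stay unhackable by this route.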

    Getting onto the DefCon-open Wi-Fi

    You brought a burner device, right? I didn’t. What could possibly go wrong connecting an off-the-shelf device to an open network at DEF CON! YOLO.

    Visiting the web page

    I logged into the page on my webserver’s bare IP address, watched the board, and… nothing. I reloaded it; nothing. I looked around to see if any of the participants looked like they might’ve found something; still nothing. Rats.

    Enlisting help

Jan and Pat[1] were participants sitting near where I was setting this up. I needed their assistance but didn’t want to outright ask for it. I started posing innocent questions to Jan: “Hey, what are you working on? What’s Wireshark?” While they kindly explained in general terms, they were understandably more interested in their own project than tutoring a passerby. Pat was more willing to teach me and I pulled up a chair to sit with them. They patiently answered my questions and pointed to interesting things on their screen. They also noticed fairly quickly that I was regularly reloading a page on my phone as I watched them. “Hey, uh, are you trying to get caught?” “Maaaaybe…” “Why?” I gave them a quick explanation of my project and they instantly bought in:

    Pat: Do you think this’ll work?
    Me: Probably not, but it’s worth a shot.
    Pat: Oh, wow. If it does, this will be legendary!

    I had a helper. Soon after, Jan noticed we were up to something, leading to one of my favorite exchanges at DEF CON:

    Jan: Are you two trying to get something up there on the board?
    Me, grinning: Yeah. It’s a JavaScript injection.
    Jan, wide-eyed: Who the hell are you?

    Thank you, Jan. I felt like a bona fide Security Researcher after that.

    Another random visitor saw us huddled and asked if we were trying to hack something. Jan looked at me, looked at the visitor, said “nope”, and looked back at me. I winked at Jan. Jan nodded back. The visitor squinted at us and walked off. Jan had my back.

    Pat and Jan were awesome. When we couldn't capture my phone's request, Pat asked if I happened to be on a VPN. facepalm. Yes, I had iCloud Private Relay turned on globally.

    Social engineering a Shepherd

    After experimentation, we had usable Wireshark captures of me logging into my website. However, they weren’t being displayed on the Wall of Sheep. It turned out that my assumption was wrong: we had to demonstrate the capture to a “Shepherd” running the contest. Pat called one over. We showed them Pat’s capture, but they weren’t convinced at first. Most website logins are through a form POSTed to the server, not through HTTP Basic authentication. The Shepherd was also skeptical that the login was successful because the server was returning the default “welcome to Nginx!” page and not something personalized for the (obviously fake) username. I leaned very hard into the “innocent observer” role, asking questions like “but isn’t that what a successful capture looks like?” and “golly gee, it looks right to me. Don’t you think?” and “it looks suspicious to me, too, but couldn’t we try it and see what happens?” Our Shepherd seemed almost ready to go along with it — until they burned my plan to the ground.

    Defeat

I asked the Shepherd how a login goes from being captured to being shown on the Wall of Sheep. Their reply doomed our fun: “I’d type it in.” Oh no. That’s not good. “Isn’t it automatic?”, I asked. The Shepherd paused to rub the bridge of their nose. “Well,” they sighed, “it was until people started sending a bunch of vile usernames and passwords and kind of ruined it[2], so now we have to moderate the process.” I wasn’t giving up, though. “Could you type that username to see what happens?” “It’d just show up like that,” they replied. “Could we try it?”, I pleaded. “I mean, it’s just text. Um, that’s not a web page”, they countered.

    What.

    And then for the first time ever, I saw a flashing cursor down in the bottom corner of the Wall of Sheep. My heart sunk. “Is that Excel or something?” They grinned: “it’s just some old software we run.”

    Disaster.

    Regrouping

    That’s when I formally gave up on this attempt. If it were ever possible to hack the Wall of Sheep, it wasn’t on that day. That doesn’t mean I’m abandoning this forever, though. Next year, I’m going to make a smarter effort, by:

    • Setting this up in advance. Again, Vim over SSH on a phone sucks. I’ll have the fake login working before I leave home.
    • Getting there earlier. If the Wall of Sheep is ever going to be automated and rendered in a browser, it’ll be at the opening of DEF CON before anyone’s polluted the waters.
    • Using a more common authentication method than HTTP Basic auth, like a typical login form.
    • Making the resulting page look like I’d really logged into a legitimate service.
    • Bringing a burner device, because putting my own personal device on that specific Wi-Fi network was not the best idea I’ve ever had.

    And if Jan and Pat are around, I’m recruiting their help again.

    To do: hack the wall harder!

    1. I didn’t get anyone’s names, or their permission to describe them. Fake names are all you get. ↩︎

    2. I appreciate the irony that I’m complaining about hackers getting stuff to show up on the Wall of Sheep in a post where I’m talking about getting stuff to show up on the Wall of Sheep. The first rule of a good prank, though, is “don’t be a jackass and ruin it for everyone else”. I was going for something that I hoped the Shepherds would find amusing and wasn’t trying to get racial slurs and other vile junk to show up on a big screen. Don’t be that person. ↩︎