Badge Announcement

Sure, it was haphazard. We shat out a badge announcement tonight. You wanna know why? Because Kevin and Txnner put together such a beautiful intro/promo demo that it just begged for public consumption.

Yes. DC540 has a badge this year. This is the badge that was supposed to happen last year, but us ADHD misfits with demanding day jobs couldn’t get our shit together to complete it in time to release last year. And when we realized that, we relaxed. We were like, “Fuck it, we’ve got time to do it right. Let’s do it right.”

And I, for one, think we did.

So the badge is once again based on the RP2040. But this time, we didn’t use a prefab Pico devboard as a base. We went all out and did all the things we needed to rawdog the RP2040. We have EEPROM. We have flash. We have USB-C. We have Li-Po. We 3D-printed battery covers to protect the Li-Po. We painted and laser engraved and cut acrylic wings, and used sidelights to light them up. It’s fucking glorious. It’s eloquent. I think it’s the most beautiful badge we’ve done yet.

But it’s not just me. Kevin is ejaculating in his pants as well. This is a beautiful fucking badge.

But we didn’t stop there…

We have seven badge challenges this year. And NONE of them will be released before DefCon 32 Day 1. The winners of the challenges will receive beautiful laser-crafted physical trophy awards to commemorate their diligence and commitment to NoVa’s death cult. Something so glorious and displayworthy that we’re not even going to preview it here. The first THREE winners to complete all seven challenges at DC32 in-person will receive a trophy. The first VIRTUAL winner who can’t make it to DC32 will also receive a trophy.

We’ll do presales. We have assembled badges in-hand. We have lanyards. We have packaging. The only thing we don’t have yet is the documentation booklet. And we’re working on that. We’re going to do a limited presale, maybe 25 badges, maybe more, way before DefCon. Those presale badges will not have the final firmware, they’ll have some lovely demos and things you can play with, but they won’t have the badge challenge. Those who pick up our badge at DefCon will have a fully functional badge with the badge challenge loaded.

Those who preorder will have to make do with demos, features and maybe customizing it with your own software while you wait for DefCon Day 1. We’ll publish the pinouts and starter hints in the documentation booklet. On DefCon Day 1, we’ll release the final badge challenge firmware, it’ll be easy to reflash your badge with it.

Let’s be clear. We don’t WANT to do a presale. But we’re pretty heavily out of pocket for creating this year’s badge, and we need to recoup costs, hopefully before we get out to vegas. Not all of us make the big tech bro dollars. But we’re doing it. And we’re almost 100% ready.

You ready for the preview now? Here goes. Make sure you’re in a private place, because regardless of gender or personal junk, this badge might just give you some sort of boner. I present, the DC540 DC32 2024 Chakra Badge.

Thoughts on an NFC hunt game

I picked up a batch of NFC tag stickers from you know where.

I started thinking they would be a fun way to host a hunt-type game during a conference, gathering, or other event where the playing field could be large enough and diverse enough, yet still somewhat controlled.

They look innocuous enough, just a plain white circle about 1″ in diameter.

You could direct someone to a landmark — a sign on a building or street, a shelf in a bookstore, a corner of a bar, etc., where you have pre-planted a preprogrammed tag, have them locate and scan the tag, on which they’ll find clues — a URL, a phone#, an email address, or just a block of text. The options are endless.

I think most modern phones support the NFC apps. On my Pixel 6, I’m using NFC Tools by WakDev. Here’s what it looks like on an empty tag:

You can see from this screenshot that it’s writable, can hold 540 bytes of data, and can be made read-only. This is useful to have this choice. In a hunt game, you may want to make the tag read-only so that players can’t corrupt your clue data. If you’re using these tags to exchange data with someone, however, you may want to leave it writable. Imaging using it as a stealth message delivery tool.

Here is the large list of types of data it supports. You’re limited by its 540-byte memory, but anything too large to fit on here can be put somewhere semi-privately on the web and just shared as a URL.

Meeting ON this evening

Meeting at the usual place this evening. Sorry for the late notice. Was traveling, got in late last night, really wasn’t sure what I was up for. But I got hot tweezers and I’m dying to try them out. And some folks who didn’t go to vegas might be interested in badge&stickers show&tell. Also there may be some front-side badge soldering.

Meeting will be hybrid on Discord as well. But you can’t taste Malört through a screen.

Or maybe you can.

If you’re new to the group, hit me up via DM on the Discord or on Twitter if you’re interested in attending. If I met you in LV, mention that. Otherwise, generally we like to get to know people a little bit before inviting them to the private space.

Boundaries, directions, and taking it farther

I wanted to take a moment to give a little guidance to all of our new followers now that Defcon is over and everyone is resting before catching up on everything. Our twitter followers tripled in the past 28 days, and I realized new followers are coming from all sorts of different angles.

Hi. I’m Baab, sometimes Baabalicious, sometimes just Bob, and sometimes just DC540. I put out feelers for starting this group three years ago. Immediately lured in some quality people who brought intelligence, passion, curiosity and out-of-the-box thinking. The collaboration has been beneficial for all of us, I like to think.

We got the idea for doing a badge probably after DC27. We kind of faded in energy when DC28 was announced as all-virtual, so the badge idea just dragged along. But as DC29 approached and it became clear there would be an in-person component, we became energized again. On May 24, 2021 (yes, just over ten weeks before Defcon opened, we had a planning meeting, wherein we attempted to nail down specifics. The whiteboard at that meeting is attached to this post. We had wanted it themed for Hitchhiker’s Guide, but none of us came up with a structure or shape that really called out to us or that we found compelling, so it was still feeling a bit in question. After everything went home that evening, I sat down to do some reading and kind of had an epiphany.

I realized that the general shape we had settled on, which I was already uncomfortable with just because it didn’t holler “pick me” when I looked at it with my mind’s eye, seemed as if it would perfectly accommodate a Tree of Life arrangement. This made me nervous. I was well aware that some of the members of the group may have come from a religious background that might lead them to feel uncomfortable around such symbolism. So I tended to tread lightly when approaching the group with this idea. I came up with some mockups, and either they were too busy to respond or I can be ridiculously persuasive at times, because I got no pushback, and continued to develop. As usually happens with this type of group project or volunteer/nonprofit organization, the person with the most forward momentum tends to get what he or she wants. At a certain point it had gathered so much momentum that it had to be completed.

And here we are. We have presented to the Defcon community an esoteric artifact, on behalf of a group who mostly has no historical involvement or investment in such esoterica. And it’s been remarkably well-received. It led to a lot of interesting doors being opened at the con, and some great conversations. I suspect the acquirers had varying reasons for desiring this badge. Some because the backlit presentation with a black solder mask created an especially appealing aesthetic; some because they appreciate anything esoteric; some because they gotta have ’em all, and some, well, who had spend considerable portions of their lives in the study of the badge’s subject matter.

What is Kabbalah? Well, it’s a lot of things to a lot of people. And it’s not the same to all of them. The way I like to describe it to people with no background at all is, “It’s a framework for interpreting the world around you.” In Judaism (I’m not Jewish), it’s been around for hundreds of years. It has been adapted by others, probably most notably Aleister Crowley, and you’ve probably noticed it associated with celebrities like Madonna. It’s not my role to attempt to give you a definitive answer, that would take a whole new website, or maybe a whole new career. But if you gave me enough money, I would try. 🙂

I think maybe I was initially attracted because, you know, spooky occult. But I came back to it from a pure hacker standpoint. It’s like when my family bought a sailboat eight years ago. As a hacker, if you love boats, you will love sailing. It’s a hobby where you can learn something new every day you do it. There are lots of techniques, strategies and optimizations to geek out on. Same with Kabbalah. No matter which angle you approach it from, there is an endless amount of knowledge and information behind it. I met several people during con who have studied it for decades.

I will say this. Based on my own personal research, a fantastic and humorous introduction to Kabbalah, also known as the Tree of Life, can be found in The Chicken Qabalah of Rabbi Lamed Ben Clifford: Dilettante’s Guide to What You Do and Do Not Need to Know to Become a Qabalist by Lon Milo DuQuette. (affiliate link) At the very least, this book should give you an idea of whether Kabbalah (also spelled a bunch of different ways, blame Hebrew ambiguity) is something you’d be interested in studying.

How does this connect with, and why does it resonate with, the Hacker community? This question came up during a talk I was invited to participate in during Defcon. (It was a private talk, don’t get your FOMO in a bunch). I think it was actually during that talk that it sunk in, and I mentioned it, that I think the seeds of this interest were planted in the textfile BBSes many of us frequented back in the day. Who remembers “The Occult Technology of Power?” Every textfiles BBS had subcategories. Hardware, phone phreaking, piracy, occult, basically everything us hacker kids felt was suppressed knowledge. So maybe some of us dabbled back then. Maybe some of us deep dived. Either way, here we are.

Going forward. As I mentioned before, the members of this group come from different religious backgrounds, and it’s not fair to them to attach any prejudices associated with this badge to them, so going forward, I’d like to separate this out a bit. This might go even farther in the future, but for now, the official DC540 website (dc540.org) and Twitter (@dc540_nova) will focus on the badge hardware, functionality, software updates, and the game we released. P.S., nobody has won yet!

For deeper conversations on esoteric or related matters, to exchange related resources or suggestions, or to continue friendships made at Defcon, or to get random shitposts now and then, hit me up on my personal account (@dc540baab). I met some very interesting people at Defcon, both badge-related and not so much, and I’d love to the continue the conversations. The general rule is, if it relates to something the group gets behind, it’ll go here. If it’s something I think might be controversial to the group, it goes to my personal. I don’t want to scare new group members away with what are essentially personal pursuits.

OK, enough of my too-long-for-twitter babblings the day after returning from Con.

Review: Making Spaces Safer, by Shawna Potter

I was made aware of this book very recently on Twitter in one of the many, many threads calling out shitty behavior, specifically shitty behavior at cons, more specifically shitty behavior at Defcon.

As a person who runs a space and attends cons, it seemed exponentially important for me to read it.

I’ve been around a while. I’ve seen shitty behavior. I’ve seen shitty behavior at Defcon. Combine people who have never had their bad behavior challenged with the Vegas factor and the perception of anonymity, and it’s easy to see how things can go off the rails really quickly.

Going into this book, I felt like I had done the work. I’ve worked on myself over the years. I’ve intervened and confronted on behalf of others. I’ve been that person that discreetly notifies staff that a problem might be brewing. After reading this book, I know there’s even more to do. I was surprised. In fact, I was surprised at how surprised I was.

Shawna (Twitter: @ShawnaPotterWOW) does a fantastic job at describing the problems faced by marginalized people — people of color, women, LGBTQIA+, etc. — and then takes it farther by giving real world examples of both shitty behavior and legit strategies that can be employed by community space staff, allies and even bystanders. None of it is extreme or difficult. In fact, 99% of it costs nothing, and much of it aims for not only de-escalation of a situation and how to support the victim in the moment, but also changing the behavior using confrontation, education and specifically targeted strategies on dealing with the person who has been harmed as well as the person causing the harm.

I feel like this book is a great starting point for anyone who manages a group or opens up a space to the public. I still have questions, of course, but as the book points out, these behaviors and their reactions can be nuanced and require thinking outside of the box, and there will be situations that come up that feel like gray areas. But the book does a fine job of guiding the reader into the mindset of a victim-centered approach.

The important thing is that it makes situations that may seem unmanageable seem more manageable by providing you with a toolset for dealing with them.

Going forward, there’ll be a copy in the DC540 library. Members who are interested are encouraged to consider reading it. Or get your own copy:

Amazon (affiliate link)

Also available on audiobook at libro.fm

My SAINTCON badge came today.

What an exciting time to be alive. The badge itself will be a really fun platform for collecting minibadges. A minibadge came with it, as well as a coupon for three copies of my own minibadge, which I designed today as part of the Hackers Challenge CTF that’s going on during the con. Strongly recommend y’all get one before they run out. Very affordable for the level of fun and creativity involved.

Hey Kyle, look, I took it apart!

Just kidding. When I was lining up to buy this year’s SAINTCON badge, I saw they had the board/LED display available super cheap, so I bought one. If I can’t have the full ENIGMA badge, at least I can have a fun replica. Never mind that I have no earthly idea how to connect to it to light it up. All in good time, my friends.

[Update] — OK, I figured out where it connects. That was easy. Just almost too tiny for my poor old man eyes.

SAINTCON Hackers Challenge

SAINTCON’s Hackers Challenge opened up today. I spent a number of hours on it. I nailed the Wireshark tasks, the DD tasks, most of the crypto, and I slayed at Hacker Jeopardy. My weak spots right now are binary analysis and web app exploitation. Might spend more time on it this week and try to get farther along. As of now I’m still in the top five By morning that will be stolen from me. 🙂

Crocodile Hunter

One of the most exciting talks at Def Con Safe Mode 28, for me anyway, was Cooper Quintin discussing the EFF project “Crocodile Hunter,” an SDR app that helps to discover rogue cell stations.

As some of you are aware, I spent quite a bit of time two years ago trying to get a working platform for observing 4G behavior. I had a great SDR for it, the BladeRF X40, but I never managed to get a system completely up and running.

With this release, we’ve been given a predictable, stable, working platform for 4G experimentation. The hardest part for entry-level experimenters such as myself has been automated.

My platform:

Ubuntu 20 LTS
BladeRF X40
(2) LTE paddle antennas from Amazon ($10-15)
An HP All-In-One gen 1 PC.

All that’s really required is reasonable processing power, and optimally USB 3.0. It should even run on a Raspberry Pi 4, which is wicked convenient for mobile cell tower mapping.

Caveats:

Make sure you have the 2019 BladeRF libraries, if that’s the device you use.

If you run into any problems compiling, check the issues page on the github page for the project. I ran into a couple and was able to resolve them pretty quickly.

Also, per Cooper, there’s a bug in the initial job to fetch the EARFCN list. I had to populate my config.ini manually.

https://github.com/EFForg/crocodilehunter

BSidesLV Cancelled

So I’m sure you’ve seen the alert that BSides Las Vegas is cancelled this year, you know, due to that thing that’s going around.

I have zero inside information, but I can’t imagine a scenario where this doesn’t play into the decision process for DEFCON and BlackHat, since it’s the same location during the same week. While I haven’t cancelled my hotel booking yet, it’s looking more and more likely.

I’m sad about this.