December Meeting update…

Things are rolling right along for December’s meeting. I hope to see a bunch of you on the 16th.

  • I’ve got a healthy smattering of Kali and ParrotOS workstations on the long table ready for anyone who wants to do actual pentesting against the CTF server. (These were the HP All-In-Ones I picked up at the auction.)
  • The CDC book will be one door prize/raffle for one lucky winner, and I will also have a few decks of “Backdoors and Breaches,” a tabletop card-based game for simulating incident response using a D20 for other winners.
  • As I mentioned before, the LED Marquee parts kits are all here ($15 a set), and I built and tested one. It’s been up and running in my family room for a couple of weeks now. If you want to assemble one at the meeting, it’s super-easy, and if you want it programmed as well, I’ll leave the choice up to you whether you want me to push the programming from my Arduino IDE on my laptop, or if you’d rather go through the process of setting up Arduino yourself, for the learning experience. There are a number of dependencies and modifications that need to be made, more than I’ve had to do in any other Arduino project. Most of them are well-documented, and some are just common-sense fixes; I trust all of you are capable of figuring it out. It’s just a matter of whether you want to go home with a working device or a challenge. 🙂

I mentioned this on Twitter, but not all of you follow Twitter — I picked up the “Crash Course Electronics & PCB Design” course on Udemy over Black Friday weekend for just $10. I can’t say enough good things about it. I have a reasonable enough basic understanding of electronics to get by on mimicry and duplication with minor troubleshooting, but I’ve always wanted a deeper understanding and more foundational knowledge. This 100-hour course, taught patiently by Andre Lamothe, is really hitting the mark.

I guess the best way to characterize it is, come for the PCB design, stay for the best approach to electronics foundational knowledge I’ve seen yet. I was going to skip ahead to the PCB design part, but I’m learning and enjoying the electronics portion so much that I haven’t been able to pull myself away. Already I’ve added a few more things to my wishlist (a signal generator, a set of thru-hole diodes, etc.) and acquired a renewed sense of vigor and enthusiasm for my portable payphone project, which fell by the wayside in the old house when I ran into issues trying to power it properly. Exciting times indeed. It’s one thing being able to troubleshoot a circuit by trial and error. It’s another thing to understand the math and theory behind it and be able to make it right — or even make it better.

Be sure to register for the meeting so that I can be sure to have enough beer chairs for everyone.

The LAB comes alive!

So I happened upon an auction for a collection of HP All-In-One PCs. I’ve always thought they were great general purpose solutions for classroom, lab, specific location browser use. Not what any PC fetishist would want, but fine for group use or general use purposes.

The price was right, so I picked them up, not knowing the complete specs, with only pictures and a “tested and working” claim attached to them.

I fired the first one up during the November meeting the other night. It booted into Windows, with an enterprise login screen for a medical group — brilliant, they sold medical PCs without wiping the hard drives. Mucked around with the BIOS settings so that I could boot Ubuntu to determine the specs of the machine without opening it up, found out it had BitLocker, which didn’t like me mucking with BIOS settings.

Tried to install Kali via Fog, something was busted in my Fog installation, so I just installed Ubuntu from a USB. It turns out they have an i5 4590s quad-core in them, along with 8GB RAM and a 500GB HDD. 4x USB 3.0 ports, 2x USB 2.0 ports. Gigabit ethernet and Wifi built-in. Not too shabby, glad I picked up this auction.

So the other night, I fixed Fog (firewalld was blocking TFTP), and deployed Kali. Updated and re-captured the image so that the future builds would be more up-to-date, then imaged the second unit this morning. Imaging a new unit just takes two minutes when connected via Gig-E.

Late last night I noticed one showed a CD in the drive. Popped the tray, and what do I find but a CD, labeled by a medical services vendor, with the attached label on it.

The file on the CD was a PDF file. The file name was the patient’s full name in last, first middle format.

It took just a minute or two to create a file with every possible date for the last century, seconds to normalize the password hash so that security tools could use it, and then just seconds to run a brute force tool against the hash using the wordlist I created. Within just a few minutes of discovering the CD, I was able to view a patient’s FULL MEDICAL HISTORY.

Some lessons here:

1) DON’T leave sensitive media in PCs that are going up for auction or to be “destroyed.” Never trust that process to someone else. Remove ALL media — USB, CD, hard drives, etc. Wipe/destroy them separately.

2) DON’T put a label on something telling whoever has possession of it the exact format of a password — it really narrows things down and makes it much easier for us to “guess” it.

3) DON’T make the filename the person’s full name.

4) DON’T use DOB as a password field. It’s absolutely not complex enough. Make it a long password and hand that piece of paper to them separately, or make it available in your highly-secured medical portal.
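
To put numbers on lessons 2 and 4, here is an added example (not part of the original post) of the check a document-issuing system could run before protecting a file: reject any password that parses as a date, and compare the size of the date-of-birth keyspace with a randomly generated password. The format list, the 1920–2019 range and all function names are assumptions made for this illustration.

```python
import math
import secrets
import string
from datetime import date, datetime

# Ways a date of birth is commonly typed (assumed list; extend for your locale).
DATE_FORMATS = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y",
                "%m/%d/%Y", "%m-%d-%Y", "%Y-%m-%d")
ALPHABET = string.ascii_letters + string.digits


def is_date_like(password):
    """Return True if the whole password parses as a calendar date."""
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(password, fmt)
            return True
        except ValueError:
            continue
    return False


def dob_keyspace(first_year, last_year, formats=1):
    """Count candidate DOB passwords: one per calendar day per format."""
    days = (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1
    return days * formats


def random_password(length=20):
    """Generate a password with the OS CSPRNG instead of deriving it from PII."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def bits(keyspace):
    """Entropy in bits of a secret chosen uniformly from `keyspace` options."""
    return math.log2(keyspace)


if __name__ == "__main__":
    # Constructed sample range: every birth date from 1920 through 2019.
    known_format = dob_keyspace(1920, 2019)  # format disclosed, as on a label
    any_format = dob_keyspace(1920, 2019, len(DATE_FORMATS))
    pw = random_password()
    print(f"DOB, format known  : {known_format} candidates, {bits(known_format):.1f} bits")
    print(f"DOB, format unknown: {any_format} candidates, {bits(any_format):.1f} bits")
    print(f"random 20-char     : {bits(len(ALPHABET) ** 20):.1f} bits, "
          f"date-like={is_date_like(pw)}")
```

A century of birth dates is only a few tens of thousands of candidates, and hiding the format multiplies that by a single-digit factor, which is why the random password has to be the fix rather than a less obvious date format.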

November Meeting tomorrow evening

Our November meeting is tomorrow evening Monday 11/18. Show up as early as six if you want. We’ll be in the basement again, it’s so much more comfortable than the library. Registration on the dc540.org website, remember, not on Meetup.

I will try to put some lighting in the side and back yards to make the path easier to navigate now that it’s getting darker earlier. I promise you won’t get murdered here, this is a nice neighborhood.

BYOB if you’re picky. There’s still some Durian candy left over.

As expected, the LED marquee group build stuff won’t be here in time for tomorrow’s meeting, but really should be here in time for the December meeting.

If there’s something you want to say, learn, try or do during the meeting, speak up. I’m just a facilitator, not a leader. 🙂

My kink is fringe culture, always has been. What’s yours? Bring something for show and tell.

BSidesDC?

How many of us are going to BSidesDC next weekend? I’m volunteering Saturday and Sunday mid-day, but I’ll have some time before and after to wander and maybe have a drink with some of y’all, especially those of you who can’t make the Monday night meetup in Stone Ridge.

Thanks, Meetup!

So, if you were following our Meetup page, you’ll notice that WeWork/Meetup announced some upcoming changes that I, as an organizer, was not comfortable with.

They decided that, beginning in November, they would reduce organizer fees. Great. All in favor. But at the same time, they would start charging attendees $2 per RSVP. Yeah. No.

I would be okay with $1 per RSVP, -if- and -only- if, that money were split between Meetup and the organizer somehow. But it’s not, and I feel pretty strongly that they will either reverse this decision, or face the demise of their platform.

It’s easy for me. I’m a small organizer. It’s EASY for me to get off their platform. I don’t have to rely on them. I really feel for some of the organizers of larger events. Especially those who charge for attendance — this new schema, at this time, doesn’t seem to offer the capability to upcharge.

But again, it’s not about the money — for me, anyway. It’s that I resent a sudden inconvenience on my user base that benefits me in almost no way.

So from this point on, please feel free to follow this website and/or Twitter (@dc540baab) for updates. How this is likely to flesh out is that I continue to announce the events on Meetup, but no longer allow RSVPs through that platform, instead driving them here, where I will add a registration form of some sort.

In case you’re not following the Meetup Group…

It has been decided that for the foreseeable future, meetings will be held in my hackerspace basement (hackerspasement?) just a few blocks from the Gum Spring Library.

I (Bob) am looking to grow this group and its members. I am also looking to transition it into more of a cooperative and less of me being the main driver. I love hosting these things, and I’m more than happy to keep doing so, but I thrive on entropy. So for the future, I would love to see:

  • Someone step up to help out with comms for the group. A social media presence maintainer, so to speak.
  • Someone (or hopefully more than one) step up to offer to teach us something new. Along those lines, maybe for the September meeting we can collect a list of our collective weak points, and move forward from there in the act of bolstering them. Examples:
    • I’m reasonably strong on Linux exploits, server hardening, network device hardening, and getting there on hardware hacking.
    • I’m weak on Windows exploits, buffer/stack overflows and reverse engineering. Anything that makes that knowledge more easily transmissible (shortcuts) is a good thing.

And on to the next meetup!

Tonight was another fun evening for DC540. Three of us pregamed at Red Dragon Brewery, then headed over to the library, where our three became five. We played show and tell with the CrowPi and the TS80 solder iron, and shared our experiences with the Pontifex crypto scheme, designed by Bruce Schneier for Neal Stephenson’s excellent book Cryptonomicon.

We decided that even though there’s no meeting on the 4th Monday of December because the library is unavailable for Xmas eve, we’re going to go ahead with a social meeting at the brewery on Tuesday, December 18.

Interesting upcoming events: Shmoocon tickets – next round Friday. BSides Philly February 1. If anyone has extra Shmoocon barcodes and is looking for worthy buyers, look no further.