So in the rush to get this done, apparently I mixed up power and ground between the top and bottom boards. So we’re going to disable them by removing those pins from the headers between the two boards. Power and ground on the front board ONLY provides power to the SAO header.
If you want to bodge it, you’re welcome to bodge it, just desolder the 4-pin header on the right and resolder a 6-pin header after cutting and rerouting the traces appropriately. If you want to add a SAO connector to mount an SAO without power, you’re welcome to do so. Just keep in mind it’s disabled for a reason. If you re-enable it without rerouting, it will burn out your SAOs and make your room smell funny.
This will be resolved in official batch #2 later this summer.
I could have retconned this as a “we deliberately disabled power on the SAO header for the Tarot badge so that it could connect to the Tree of Life Badge without concern for power in a future release of the firmware” but then we’d have to follow through on that promise.
First, a little bit of background. We had the idea for a Tarot badge last year, while walking around DefCon and getting so much love for our Kabbalah (Tree of Life) badge. That badge started so many interesting conversations and opened so many doors that we just felt it made sense to keep going down that path. When we started digging in to complete last year’s badge, I decided to commit to learning more about Kabbalah for a year and then to evaluate. I sorta mostly kinda did that, off and on. Once you start going deep on Kabbalah, you start to see it’s complete interconnectedness with Tarot. What happened was we started wishing last year that we had built last year’s badge bigger to include more about the tarot correspondences. The natural answer to badge insufficiency regret is “maybe next year.” So here we are.
The Badge: Technical
We did not stray too far from the technical features of last year’s badge. At the core level, this is still an RP2040-based Pico, some LEDs, an NRF radio and a display. But here’s why we were struggling until just this week to get it out. We lost a lot of time to decision paralysis – there are a lot of screens available. Which ones work with the Pico? Which ones will work with MicroPython? Which ones will work at our power level. A lot of research goes into these decisions. A lot of parts bought that end up never being used. I’m going to quote a prominent member of the badge-making community who recently said “Why do I do this to myself?” The answer has to be a feeling that you’re putting something useful, interesting and/or beautiful into the world. And we kind of hope we did.
We settled on the 2.2″ ILI9341 with integrated SD card. It seems to be the smallest profile screen available with 240×320 resolution, which is critical for displaying tarot cards. Any less resolution would have looked shitty. And it’s sad, but that’s one of the more expensive screens out there, which reflects in the final price of our badge.
Kevin, our developer, like to scoff at those who consider MicroPython as some sort of lesser language. Some still linger in the world of perceptions where led animations are slow, there are blockers everywhere, and too many Python libraries haven’t made it over yet. We’re here to tell you, MicroPython is thriving. Our LED animations are proof that there’s nothing slow about either the RP2040 or MicroPython. We make generous use of the dual core architecture. And Kevin managed to squeeze three SPI devices onto a two SPI bus system. And nobody knows why, but apparently we’ve implemented AES encryption into the badge.
Next year we’re thinking of bypassing the fully-built Pico and working with the RP2040 directly.
Please remember that none of us do this professionally. We’re all learning. This is a labor of learning, and a labor of love. Last year’s badge was the first “big thing” I ever designed in KiCad. After Defcon, this year we plan to develop some PCBs as a group in a group class series, so that more people can be part of the development effort, and we’ll teach each other some group workflow lessons.
The Badge: Features
It wouldn’t have taken much to make a badge that does a Tarot reading. We didn’t want to stop there. What I envisioned last year, and I told at least a few of you this in Vegas, was this. I wanted a badge that could do Tarot readings, but I wanted it to be OPEN. Meaning I wanted to provide at least one deck. In my naive early imaginations, I thought we’d actually find an artist to do a deck specifically for the badge. But Crowley and Harris we are not. They had time and money to pursue their project. We all have day jobs. Then we realized there are public-domain and open-licensed decks available. So we included (at time of writing) three decks on the badge to choose from. The Rider-Waite-Smith deck, a version of the Tarot de Marseille (unfortunately not the Jodorowsky version — I really want to turn more people on to Jodorowsky and the story of that deck), and what we call the Shitty Deck, one that we hand drew over DC540 meetups. Trust me when I tell you that this deck is absolutely shitty.
We’re including instructions on how to add your own decks to the SD card to make them available for display. It’s slightly convoluted, they have to be resized and converted to raw format, and a naming convention is enforced. But think about it — once you do this process once, you have that deck for use on the badge. We could populate the SD card with the hundreds of copyrighted decks out there that can be found on various file-sharing platforms, but that would be violating copyrights, and that would be wrong. So maybe scan the decks you have. Maybe make your own deck.
So you can choose a deck, you can do a reading. What else? We have badge pairing, of course. We have a challenge game, like last year, but unlike last year when all we had to give as a prize was Defcoin, this year we’re offering a badge as the prize. Either an additional Tarot badge, or last year’s Tree of Life badge. Because of quantity issues, there won’t be many badges to go around at the con itself, so that complicates the game a bit. We’ll see how that works out. Maybe we’ll separate out part of the game so that non-badgeholders can play.
Everyone seemed to like the illumination scheme we went with last year. I’m not a fan of surface LEDs beaming photons into my faceholes, so I chose a more subdued look by strategically removing solder mask on both sides of the board and illuminating from a board below. I pushed to expand on that this year, but instead of just beaming through shapes and symbols, I put the shapes and symbols on the surface and opened up an entire wheel for shine-through. As you can see, the color of the FR4 itself tends to adulterate the LED colors a bit when illuminating large areas like that, but not excessively. I found it difficult to get a good blue to shine through, for example. As delivered, there is a lot of bleed between the different segments of the wheel, but in the demo Kevin posted last night, what you see is the result of gluing a light separation wheel to the underside of the top board. There are 24 LEDs on the bottom board this year, each illuminating half a wedge on the the top board. The separator wheel shown in the video only has 12 divisions, but still provides a nice sharp difference between the wedges. We will be providing an STL file for 3d-printing your own separator wheel, and the STL file has the inner ring defined as well, for full separation of all 24 segments. To be fair, I think beauty is in the eye of the beholder. The spinny animation in the first public demo, when run without a separator wheel, tends to lead to some interesting effects that evoke searchlight patterns at times, which is its own meaningful thing.
Searchlight casting for faults in the clouds of delusion
Anyhow, here’s what the beta version of the wheel separator looks like. It’s about 60mm in diameter. Thanks to BradánLaneStudio for creating the STL.
Not Many Copies at Defcon
We are so sorry, but because we got finished so late, we were too timid to drop coin on large quantities of the badge before knowing if it would work, so we won’t have many at Defcon at all. We should have enough to show everyone, and a VERY limited few to sell or trade, but literally don’t get your hopes up. We made 25 in the first batch. There are 10 of us going. We lost a few to testing. So we might have maybe 10 extras if we’re lucky. The good news is, boards and parts have been ordered, so we’ll be able to make more when we get back home.
We haven’t had the deep communications required to figure out how we’re going to distribute such a limited number of badges. We had such a good time distributing badges last year, we wish we could have done the same thing this year. We’ll try to have those discussions by the time the con starts. But seriously, temper your expectations of getting one onsite.
Some Thought About Tarot in General
A lot of people have a lot of thoughts about Tarot. On the ends of the spectrum, there are some pretty heavy expectations people lay on Tarot. As a lifelong rationalist, I see it, much like Kabbalah, as a framework in which to view the world and life events. A structure to be superimposed, for examination and rumination. Sometimes the results can be profound, but I like to believe the results are directly correlated to how much the reader and/or readee are able to open and stretch their minds. I will quote Lon Milo Duquette:
It's all in your head. You just have no idea how big your head is.
DC540’s Status and Mission
Last year, DC540 Nova cemented our status as a 501(c)(3) nonprofit. We have banking, we’re on AmazonSmile, and we have plans to to support people both in and out of the infosec community with our skills, talents, passions and green energy. So when you’re forking over your hard-earned pay to covet one or more of our badges, please keep in mind that it’s going to a good cause. If you’d like to contribute some of that green energy directly to DC540 to support our efforts, you can do so by sending money via Paypal to [email protected]. This will help recoup dev and prototype expenses, and support our mission. Now we’re not saying that making a healthy donation might lead you to receive a badge at Defcon, but we can absolutely be bought. And donations are tax-deductible.
Future Thoughts on this badge
We don’t know if it’s possible yet, but what if a new firmware could be developed for this year’s and last year’s badge that expanded the functionality a little bit, so that when a card is displayed on this year’s badge, the corresponding sphere(s) or path could be illuminated on last year’s badge? We exposed two GPIO pins on both badges via the SAO header, so maybe… Food for thought…
Engage with us. Join our Discord. Talk with us on Twitter.
I picked up a batch of NFC tag stickers from you know where.
I started thinking they would be a fun way to host a hunt-type game during a conference, gathering, or other event where the playing field could be large enough and diverse enough, yet still somewhat controlled.
They look innocuous enough, just a plain white circle about 1″ in diameter.
You could direct someone to a landmark — a sign on a building or street, a shelf in a bookstore, a corner of a bar, etc., where you have pre-planted a preprogrammed tag, have them locate and scan the tag, on which they’ll find clues — a URL, a phone#, an email address, or just a block of text. The options are endless.
I think most modern phones support the NFC apps. On my Pixel 6, I’m using NFC Tools by WakDev. Here’s what it looks like on an empty tag:
You can see from this screenshot that it’s writable, can hold 540 bytes of data, and can be made read-only. This is useful to have this choice. In a hunt game, you may want to make the tag read-only so that players can’t corrupt your clue data. If you’re using these tags to exchange data with someone, however, you may want to leave it writable. Imaging using it as a stealth message delivery tool.
Here is the large list of types of data it supports. You’re limited by its 540-byte memory, but anything too large to fit on here can be put somewhere semi-privately on the web and just shared as a URL.
Yesterday I wrote about the mystery Waldorf Astoria Park City room keys that didn’t respond to either 13.56MHz or 125KHz probes. Mystery solved. They use NFC. On a whim, I hit them with NFC-tools on my phone, and the world makes sense again.
I decided to audit my large collection of RFID hotel keys I’ve collected over the years. Just to get an idea what’s out there, and look for patterns and anomalies.
One strange set I found is from the Waldorf Astoria in Park City. Didn’t respond to HF or LF search, but it clearly says right on the card, “hold key within 1/2 inch of locking device.” I wonder what they’re using if it doesn’t register at all on the Proxmark? I have four of them, maybe I’ll see if I can crack one open to see what’s inside.
The Hilton cards, for the most part, revert to hardnested attacks, but fall rather quickly, as opposed to the Sheraton card I was battling earlier in the week.
I guess I have about 75 card dumps in total now, about 40 of which are Hilton.
I’ve been playing with reading/cracking hotel room keys using the Proxmark3 RDV4 lately.
Most hotel room keys I have collected are MiFare Classic 1K. MOST of them are susceptible to autopwn within a minute or so. Coincidentally, most of my collection are from Hilton properties. Recently I came across a Sheraton room key that didn’t fall within the expected timeframe.
The “Weak PRNG” method did not work on this particular card, and so pm3 (RRG/Iceman fork) reverted to a hardnested attack. On my macbook M1 air, that was slated to take 2 days. I moved the task to a more powerful Kali desktop, and it’s now slated to take 9 hours to complete.
I will update this post when experience either success or failure. I do like a challenge.
Hours later: The first run stopped in midstream with “Could not connect to Proxmark.” Running it again for good measure.
Hours later again: Collapsed again after a couple of hours. Might have to try a different approach.
I learned some stuff in my reading, though. Apparently it’s all a game of spy vs spy. There are RFID systems that will detect cloned cards by attempting to write to block 0. If successful, it’s a writable clone card and the system can deny and alert. There are also more advanced CARDS that can be written and then locked, to defeat those features.
For those who choose to join us, Social House in South Riding/Chantilly. We’ll try to get our usual outdoor table. Tonight’s topics are badge artwork and stickers. 1830, first one there grab the big table.
Some of you might have been subject to my old-man ranting about how difficult it has become to install software that “just works.” My raging against the cloud, against everything-as-a-subscription, and against software that requires the capability of phoning home, either during install or on a continual basis.
My task was to install MS Office in a closed lab network, so that the users doing the work in the lab could write reports, etc., without having a separate machine just for that purpose. This network does not connect to the internet. It is a self-contained lab network with only what is needed for the lab installed on it.
It’s been a while since I fucked around with Microsoft products, and I naively assumed it would be a piece of cake. Just install it, give it a key, and be good to go. I was warned by those who had gone before me that it’s no longer that simple. Everything in Microsoft-land requires internet, they told me. “Surely they understand that a use case exists for no internet/no cloud,” I started to respond, before reliving the trauma of having to kill Atlassian when they made their on-prem product completely out of reach for small groups/businesses.
So I started down the road. I bought 12 licenses for “standalone” office 2016, went through the process of installing it on one of the lab machines, and yep, it requires internet to activate. OK, I’ll play along. We use FOG to image these lab workstations, so I set up a fresh install on a golden image candidate, activated it over the internet (very ugly process, by the way, if you buy multiple licenses), confirmed it was functional, and then captured an image of it. Rolled it out to other workstations, only to find that each new clone required its own activation. Well, this will never work.
I managed to get MS to refund the product after a lengthy discussion with a support rep. I decided I wanted to go the way of a volume license, only to learn that the KMS server too needs to touch the internet. I kept reading and reading and learning, and finally came across vlmscd, which is a linux-based open-source KMS server. Its only job is to say yes. When configured as the KMS server for a workstation (using DNS or manually via slmgr), any activation requests received by that KMS server are simply approved.
So I built one, making sure our licensing is properly paid for and accounted for,I of course. I added the SRV record for announcing the KMS service to the closed-network DNS, and installed the VL version of Office. Initially, running OSPP.VBS from the Office16 directory reported that the software was under a grace period with <30 days remaining, but after a reboot it reported it was fully licensed.
I wish vendors would provide a bit more flexibility in their product offerings, and understand that there are use cases that are outside the norm. I understand their need to protect their software from piracy, but this kind of heavy-handed control really makes it difficult for some of us who, for various reasons, don’t want to connect every network in our enterprise to the internet. We still exist.
Tune in to the Discord voice channel at 1830. Good chance to get to know some of us if you haven’t been to an in-person, or to participate in summer camp decisionmaking if you’re a regular.
I picked up a large batch of MicroSD cards and adapters for an upcoming project. I’m cheap, and the data reliability isn’t critical, so I picked up used cards on ebay. After I made the purchase, it occurred to me that this was a potential teaching moment, both to freshen my own skills and to raise awareness for others who may not pay as much attention as those of us in the field.
TLDR: If you don’t know how deleted your data really is, don’t give, sell or return writable media. Either learn how to securely erase your data and confirm that it has been erased, or toss it in a fire.
So before they showed up, I installed the latest version of Autopsy on a fresh Windows box. Fresh because, well, just like I’m assuming that others might have been careless in data deletion, I have to guard against being careless about sticking random cards in my machines.
So they arrived. The moment of truth was here. I pulled out the first MicroSD, stuck it in the first adapter, and inserted it into a USB slot on the PC.
Predictably, it pops up as a blank, formatted card. Let’s see what Autopsy sees…
Let’s see, it’s been a while since I played with Autopsy. Let’s go with: * Add Data Source
Let’s call it * Card001 * Local Disk * Select Disk. On my machine it showed up as H: <Next>
I’m leaving everything checked here. If this was true forensics I might be more choosy, but I’m not.
Looks like the first test is examining the file system. “Adding $OrphanFiles,” it says.
After that, it tells me file analysis has started. I can hit finish, but I can tell by the progress bar in the lower right that it’s still analyzing stuff. This process goes on for a few minutes.
After the file analysis phase, it moves on to the data integrity phase.
Finally it’s done. I browse the card in the data source tree. Ooh, look, there are recovered files in the $CarvedFiles folder! Baby pics, family pics, and yes… porn. Folks, I recycled porn from the very first used SD card I tested.
So I’m up to card 28 now, and a few patterns emerged.
The metadata shows a strong preponderance of Nokia 5300 as the image source. This tells me these cards were likely sold by a shop servicing Nokia phones. The mp3 and video content I’ve extracted so far shows a strong trend toward Spanish-speaking content, and a few of the images with recognizable stuff on them actually mentioned Mexico.
I need to dig deeper into metadata, but visually it appears that at least some of the porn is homemade. Some of the cards had porn images which had likely been downloaded from the internet, as I discovered by running through through TinEye.
I’ve really got to refresh my Autopsy skills. I don’t do forensics for a living, but it helps to know the workflow of someone who does, in case you might one day find yourself protecting yourself from an enthusiastic forensic investigator.
Further learning: There are hash sets you can obtain that can validate files you find against known file hashes. Which might be the prudent thing to do if you don’t know what your found media might contain. Might be good to know if you’re handling CSAM before you actually view CSAM.
