Thursday, October 31, 2013

ACLU - A Wolf in Sheep's Clothing: But they got this one right!

     In my recent presentations at Hack3rCon^4 and SkyDogCon 2013, I spoke about the fact that NSA wiretaps are legal (according to current interpretation of many laws). In addition, I highlighted some programs that push the envelope on constitutionality. One such program is the Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI). I talked about how this program violates our First Amendment and (possibly) Fourth Amendment rights.

     Yesterday, program details came to light after many years when the ACLU published the findings of its Freedom Of Information Act request. Years ago, the ACLU submitted a FOIA request that  was summarily denied by the government. They quickly followed this denial with a lawsuit against the FBI. Well, they won.

     Just as I suspected, the ACLU determined that the program did not have adequate checks to ensure citizens' rights were being honored. This is not their interpretation of the data. You see, they received volumes of internal emails and reports that stated this as fact. Several State-level "fusion centers" complained about the handling of private citizens' data, the lack of a privacy policy, and storage of data in the eGuardian system.

     I still stand by the premises I stated in my presentation. NSA warrantless wiretaps are legal (albeit unconstitutional), blame rests equally on the 3 branches of the government, and the ACLU is a den of hypocrisy! I base the latter on the fact that they claim that they have

"been the nation's guardian of liberty, working daily in courts, legislatures and communities to defend and preserve the individual rights and civil liberties that the Constitution, Bill of Rights and laws of the United States guarantee everyone in this country."  

Why am I so critical? The ACLU pushes hard for the Bill of Rights on a national level with the exception of the Second Amendment. When I questioned an ACLU lawyer about this at DEFCON XXI, I was summarily dismissed just as the government dismissed their FOIA request. When I asked again for a reason, this time at their vendor table, I was told that it was a state-by-state issue, not a national issue. 

***Apparently, rather than being a guardian of your rights, they see fit to pick and choose what rights you should have!***

I once again submit to you that you should NOT support the ACLU but you should support organizations that believe the entire Constitution and Bill of Rights is worthy of being defended.

Also, before you try and interpret the Bill of Rights, you must read what the authors and original supporters of this great document said on the issue.

If you would like to know more see the following sites:
NSA wiretaps are legal (and other annoying facts) presentation
Quotes by founding Fathers (public domain)
ACLU article and reports on SAR/NSI

Wednesday, October 30, 2013

SkyDogCon 2013: Southern charm meets hackers/makers, then gets owned!

     I wrapped up my year of cons with the 2013 SkyDogCon. After attending last year for the first time, the decision to attend this year was a no-brainer. This is perhaps the most unique collection of mini-events wrapped up into a con there is. Highlights include the typical: quality speakers, lock pick area, hardware hacking village, etc. In addition, there is a healthy smattering of the unique: a rocking electronic badge (includes a hardware hacking challenge), paid breakfast on Sunday morning, a Pirates vs. Ninjas Ball, a ham radio license exam, a Lego challenge, and others.

     I will begin the blog with a review of the Hotel Preston. This hotel is the model of "southern hospitality" with a twist of the unique, bordering on eclectic. From the decor to the staff, this hotel sets itself apart. Think of a scaled-down version of The Artisan Boutique Hotel in Las Vegas (former home of BSides Las Vegas) but not as dark. The artwork and decor are an experience in themselves, the food is appropriately priced, and the rooms are clean and modern. My one complaint from last year was the speed of food delivery from the kitchen. This was remedied this year. No complaints from me.

 ****Note: If you are feeling lonely, ring the front desk and ask for a fish. Yes, you read that correctly. If you ask for one, the hotel will loan you a fish tank, complete with scenery and a fish. Then you won't feel weird since you can talk to something instead of yourself.****

     The second thing I will talk about is the relentless promotion of the con by its Core Team and Staff. I first learned of SkyDogCon from SkyDog himself, at DerbyCon. Yep, you read that correctly. SkyDog was staff at DerbyCon in Louisville and was printing up gimmick badges from popular movies. The one from last year was a mock credit card with the "Triple Crown" challenge on the back. This was a call for all card carriers to attend not just SkyDogCon but DerbyCon and Hack3rCon (a.k.a. the trifecta of regional cons). I later discovered that SkyDog (who is also a Goon at DEFCON) was going to give out special promotional badges at DEFCON to anyone willing to promote the con. Sign me up! This level of detail in promoting his con, and the sister cons of the area, highlights his commitment to the industry as a whole! This year he and Mad Mex spent over 6 hours, during the party, printing up badges for anyone who wanted one.

     Third, we have the awesome lineup of speakers. There were 2 speaker tracks (Friday-Sunday) with 20 minute Lightning Talks (Thursday night). I was fortunate enough to be selected for both a Lightning Talk and a main track. The Lightning Talks format was a set of 20 slides that auto-forward every 30 seconds. This was a challenge that forced me to work on my presentation skills. My Lightning Talk was entitled Defense-in-Depth: Fists, knife, gun and will be posted on my blog when the videos are uploaded. Unfortunately, with 2 main talks going on simultaneously, and the other speaker in my time slot being Deviant Ollam, I had a sparse audience. (Thanks to the 7 people who listened to my presentation NSA Wiretaps are Legal and Other Annoying Facts.) My favorite presentation of the weekend was Evan Booth's. He presented a very serious topic with wit, charm, and grace. Then he showed videos of himself totally destroying fruit. You have to see it. It will make your day as well as scare the heck out of you.

     Finally comes the piéce de résistance (I know, the accent mark on the first e is going the wrong way, but I can't make it work on my Mac). SkyDogCon is known for its electronic badges. This year's badge does not disappoint. This badge, which has some hardware issues, is utilizing only about 5% of the functionality it was designed for. That 5%, however, will blow you away! Its simple design, coupled with the Parallax Propeller chipset and brilliantly written code, is a n00b hardware hacker's dream.

****Note: SkyDog announced that he will repair the badge himself if you bring it to one of the future cons he will be at. Anyone up for a quick trip to Atlanta for Outerz0ne? I'll drive if you pick up the room!****

Schematics and badge hacking tips will be posted on the website shortly.

     So, if you feel that you want to know more, visit the website. Don't forget to sign up for the mailing list and follow them on Twitter.

Twitter: @skydogcon

I hope you enjoyed this blog entry and I hope to see you next year.

P.S. If you sign up for a ticket early, you get "Early Bird" status and this results in upgrades to your badge!

Wednesday, October 23, 2013

"Stop Watching Us Rally" - How I wish I could be there!

     I recently gave a presentation entitled "NSA Wiretaps are Legal and other Annoying Facts." I am not a lawyer and maybe I got some things wrong. I am ok with this since my point was to get the community talking. The basis of my talk was that the NSA is performing many surveillance actions at the direction of the President, under the guise of crappy law written by incompetent lawmakers in Congress, and with the aid of a Supreme Court and a legal framework that couldn't care less about the Constitution. I made mention of the rally put on by Stop Watching Us. My only regret is that I cannot be there in person. That is why I am writing this. I want to get the word out!
     Please use the link to check out Stop Watching Us and sign their petition (571,000 have signed so far). Also, sign up for their rally. If you cannot go to DC on such short notice, fine, you can attend online. After you do this, please use these 2 links to find your Representative and Senator. When you find them, send them an email AND fax. Then call them! This has to STOP!
     Don't stop there. Think long and hard about supporting the EFF and their Constitutional campaign.

I will leave you with a quote from one of our founding fathers. Keep in mind that these guys were in the midst of throwing off the yoke of tyranny and the blood was still in their mouths from the fight.

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin, Historical Review of Pennsylvania, 1759
US author, diplomat, inventor, physicist, politician, and printer (1706 - 1790)

Sunday, October 20, 2013

Hack3rCon^4: Eye of the Storm

     What do you get when you mix Information Security, prepping, and technology with mountains, makers, and moonshine? Hack3rCon! I was fortunate enough to both attend and speak/teach at Hack3rCon^4 this year. This is my second time attending Hack3rCon and I was not disappointed. For the meager price of $75 the attendee will be privy to cutting edge tools, "A" list presenters, and fellowship.

     This year's con began on Friday with a community-driven class on the installation and use of the new Kali Linux BackTrack load. This class introduced the novice to the tool. The relaxed setting and knowledge of the instructor set the tone for the weekend. Students learned that installing and setting up Kali is easier than earlier versions and is not as frustrating for noobies. Friday ended with an @HackerFamilyDinner at a local steakhouse.
     Saturday began with Dave Kennedy as the keynote. As always, Dave captivated the audience with his simple way of communicating the holes in security "best practice." After all, just because the masses are doing it, doesn't mean that it is best. He wrapped his presentation by performing a quick demo of his new tool [working title: Pentesting Framework]. This was promptly followed by a series of outstanding presentations that ran until 5PM. After a short break for dinner, 304 Geeks treated everyone to a gun safety class (something you never see at a conference).
   The conference wrapped up on Sunday with another lineup of great talks, the wrap-up of the CTF, and several raffle drawings. People said their goodbyes and, as usual, teams were formed to tackle some hard infosec problems.
    My thoughts of this conference are all positive. The small size, usually around 100 people, coupled with the low price for a ticket and the caliber of the presentations makes this one of my favorite cons. I look forward to attending next year.

As always, videos for this con can be found at Thanks Adrian!

I would also like to thank the rocking sponsors for making this con possible. This is the first time I have thanked sponsors on my blog. This should tell you something about the level of support.

Saturday, October 19, 2013

Hack3rCon^4: Handgun Safety Course

     For those of you that attended my handgun safety course, and are wanting to file for your license in West Virginia or Virginia, you will be required to present a copy of my NRA Instructor credentials in addition to the affidavit. Please go here to download my credentials. NRA Card 

Hack3rCon^4: Notes and slide deck "NSA wiretaps are legal and other annoying facts"

I have had several people request my slide deck from Hack3rCon^4. Because of bandwidth and email issues, I have uploaded it and my notes here. Dropbox

The video of my presentation can be found on IronGeek's site.

Have fun and don't forget to speak with your elected officials often!

*****Note: I got a couple of things wrong in my presentation.
1) The coauthor of the 2nd Amendment that I was referring to is George Mason. Some really good quotes on the 2nd Amendment can be found here and here. Before discussing what the founders "intended," read what they actually said!
2) I alluded to the 17th Amendment as a joke but got the timeframe wrong. The 17th Amendment forced States to hold direct elections for Senators in 1913. Prior to this, some States still allowed Senators to be appointed by those States' governors. The intent of the 17th Amendment was to stop the corruption of Senators at the State level. This worked! However, Senators are now corrupted at the national level.

Friday, October 11, 2013

My EPIC week of FAIL! and better things to come

So, this week was a hum-dinger! I tackled some tasks at work that, well, didn't work. I finally started some high-priority home projects that, well, FAILED! I decided that self-deprecation is about the only thing I can get right this week, so here it is...

Q: What happens when you spend hours creating a PowerPoint presentation and import it into Captivate (like I have done many times before)?
A: It crashes your computer, of course.

Q: What happens when you restore files from the midnight backup?
A: It does not restore the last 6 hours of work, of course.

Q: What else happens?
A: You also have to do another 5 hour FTP of Rachel-Pi.

Q: What happens when you change your password and forget what it is?
A: You continue an all-day loop of forgetting and resetting your password.

Q: What happens when you root for the Jets while putting DD-WRT on that shiny new router?
A: You accidentally rip the power cord out of the back, bricking the router.

Q: What happens when you perform a "hard" reset (like I have had to do many times before)?
A: You listen to things go pop, watch the blue smoke escape, cry as the power light goes black, and cover your nose from the acrid odor.

Q: What happens when you root your old Android phone in order to get ready to play at SkyDogCon?
A: You remember that you stopped using the phone because it won't hold a charge longer than 1 hour!

Q: What happens when you decide to give up on all things electronic and you take the trash to the curb?
A: The Herbie cart slips out of your hand and trash spills all over the yard!

On the plus side, I will be starting a new blog series that will include learning a new tool, reviewing it, and interviewing the author. Many brilliant people have responded favorably to my interview requests and I will begin with Armitage and Raphael Mudge.

Oh, last but not least, I have been accepted to speak at SkyDog! This week was not a total FAIL.

I think I will sleep until Monday now.

Tuesday, October 8, 2013

What are you doing in May? I'm going to another BSides!

     BSides is one of the greatest ideas I have seen in a while. Its stated goal is to be a "community-driven framework for building events for and by information security community members." That leads me to the next BSides I will be attending. On May 17, 2014, the Ezell Center at Lipscomb University will play host to BSides Nashville.
     Looking at the list of organizers/volunteers, I can tell you this should be a quality event. This coupled with the location and the keynote speaker already slated to present is money baby!
     I had the opportunity to hear Brett Wahlin, the CISO of HP, speak (you still haven't accepted my invite on LinkedIn by the way). He came to the University of Kentucky HealthCare and helped to educate our IT staff on the importance of protecting the confidentiality, integrity, and availability of our strategic asset, data, without resorting to FUD. This is something very few people can accomplish. FUD usually creeps into the conversation in some way.
     Looks like I will need to start a new research project so I can have something new for the CFP (happening now by the way). See you there!

Make sure you check out the websites and follow them on Twitter for updates.
BSides Nashville website:
Security BSides website:

Twitter handle: @bsidesnash
Twitter tag: #BsidesNash

As always, feel free to comment.


Saturday, October 5, 2013

Louisville Metro InfoSec Conference

     A small conference, in a big city. This year I attended the Louisville Metro InfoSec Conference. This is my third time attending and will not be my last. The quality of presentations is always great and the small number of attendees gives the con an intimate feel. This year, the highlights for me were the second keynote speech by David Kennedy (Burn it Down! Rebuilding an Information Security Program), the presentation by Adrian Crenshaw (Information Security in University Campus and Open Environments), and the lock pick area run by Kyle Stone.
     What can I say about Dave's speech? As usual, it was very entertaining. Start with a gut check, add a liberal dose of humor, and end with 5 key steps that will help any organization improve their business. Yes, I did say improve your business. After all, no one starts a business to meet compliance. They want to make money. Watch Dave's presentation for more information.
     Adrian had a very interesting presentation. He helped the audience understand how an average college co-ed could wreak havoc on the open networks at universities. After all, most university administrators actually believe that creativity is stifled if you even attempt to secure your environment. He also highlighted the means by which IT and InfoSec can counter these "hackers." The presentation is heavy with links to tools but I recommend it since the tools are worth it.
     Finally, the lock pick village was the break I needed from the typical con burnout. There are few things better than picking up a couple of small pieces of metal and opening those wafer locks!

As always, the videos can be found on