Kiwicon 10 Day 2 Afternoon

Lunchtime walking in the sun; Wellington is offering Kiwicon visitors the full experience. Yesterday would have left a large number of visitors wondering “Why would anyone live in this hell-hole?”, while today is posing the question “Why would you live anywhere else?”

metl promises a mind-expanding afternoon.

Let’s do the Timewarp Again

Karit @nzkarit

Starts with the Crue and friends performing the Timewarp on stage.

The theme is GPS spoofing on the cheap, and the correspondance thereof.

  • It must be reliable, right? Look at everything that relies on it: taxis, armoured cars, ntp, etc etc.
  • But GPS jammers are available off the shelf.
  • The Iranians used GPS spoofing to steal a US millitary drone.
  • Qihoo360 Unicorn team demonstrated that they can mess with GPS time this year, albeit with no code release.
  • A BladeRF GPS transmitter, a Rasperry Pi, and software will let you screw with GPS. This costs as little as $420 - a game changer.
  • This is not public spectrum, so screwing with it is illegal. If you want to play with this, you need to do it in a Faraday cage.


  • You can record the data ahead of time (about 1 GB per minute).
  • You can generate the data ahead of time, which requires a bit of grunt.
  • You need to supply paths as well.


  • Hijack an armoured car, spoof the path while you drive it elsewhere.
  • Uber trips with no distance.
  • Fuck with airport approach routes.

This is scary.


  • NTP will take time-over-serial.
  • Many GPS time recievers are ntpd under the hood.
  • Too big a time shift (5 minutes) will cause a shutdown - but when it restarts it uses the new time anyway.
  • tardgps does this in small enough increments.

There are some creative uses of this: TOTP is based on time moving forwards, for example. Freezing time allows you to re-use 2FA codes.

You can disallow reuse of tokens, but it’s not a default. Consider alternatives like U2F or TOTP-HMAC.

This can really screw with your logging and ability to understand what an attacker is doing.

GPSnitch can help with detecting this

Pwning ML for Fun and Profit

Davi Ottenheimer

Control becomes a function of knowledge.

We want to win, and we want machines to help us win, but machine learning can go horribly wrong; consider google images lanelling black people as gorillas, or professional hairatyles showing only white women, or unprofessional hair showing only black women.

Learning systems are labelling people as potential offenders based on race at erroneously high and prejudicial rates

Driving automation: tested in narrow locations like Cambridge or Silicon Valley. They mis-identify surroundings in other locations, with potentially fatal results.

HAL9000, like Tesla, believed it’s infalliable. “Every time I watch the test in Blade Runner, I wonder why he didn’t stop asking questions when the replicant got upset. But that’s what we do with machine learning. We notice something is wrong and keep going.”

Machine learning is not really learning; it’s just rules at speed. They are often easy to break. And we need to do that to understand what can go wrong.

We now have security camera systems that try to guess emotions and dispatch security based on detected anger.

He fed pro wrestling and MMA into the system; it could detect fake pain and anger in wrsetling, and reliably predict the outcome of MMA fights from the emotions in the opening seconds.

Lip-reading systems have become very sophisticated, but are confused by accents.

Reinforcement Learning Defeat: a Ukrainian group defeated speeders by having mylar balloons resembling people pop up. Google cars are defeated by e.g. pedestrians blocking them.

We need to get better at breaking machine learning to fix it. If we machines are to learn, they can’t just take orders from human “gods”. And we need to be more careful about what we consider a win, because people can become blind to horrible outcomes.

Bias can pop up in odd ways: African scam letters use racist assumptions about Africa to subvert the target’s judgement.

“But wait. It gets worse.”

Technology is millitarised. The automation of the machine gun turned the world to hell. Cathy O’Neil’s Weapons Of Math Destruction tells us some of the negative scenarios - but says we shouldn’t worey about Netflix.

But Netflix knows watch you watch, when you watch things, when you’re home.

Widspread healrh sensors: analyzing wastewater to understand health and drug use.

Security systems, Bluetooth tracking (BlueToad, BlueJay): why do you want to break this? To create doubt, to preserve anonymity.

PWN ML now, or be PWNed later.

Red Star OS will bring the imperialist aggressors and Park Geun-Hye clique to their knees

Lord Tuskington

For too long we have been under the jackboot of the clique of imperialists distributions: Red Hat and their lacky SuSE.

Red Star OS 3 was released in 2014, with a Juche Oriented Architecture.

It has not succumbed to error of systemd!

Red Star OS has faithfully reproduced the vision of Comrade Jobs with KDE, rejecting the reactionary GTK garbage.

Red Star OS will prevent you from succumbing to Pepe memes. We accomplish this by inserting the fingerprint of the serial number of the device it was opened on, so that we may use the watermarking to track the perpetrators of rare Pepe memes.

By sandboxing everything, we liberate the user from the tyranny of having root on their system. Alas, some reactionaries have discovered how to attain privesc.

_blank slate


This is the story of _blank, which is a feature, not a bug.

Your website is beautiful, and you don’t want anyone to leave it. So you use target="_blank" to force links to open in new tabs, so your site stays open.

(This is shitty UX)

Unfortunately this has an interesting side effect. You can use the window.opener function to change things within DOM of pages in the same domain.

You can extend this to having the source page load another site while the user is looking at the newly-opened tab. Which means the malicious code need not run on your domain.

The final step is a practical use. Sending a message via LinkedIn, with an embedded URL; the target clicks on the link, which redirects to a phishing site, which displays the logged-out page. The target thinks they’ve logged out accidentally, and re-enters their credentials, which are havested.

Jen notes that she is a web dev, not a security hacker, and she has created a convincing phish with 120 lines of JavaScript in a node environment.


  • Don’t use _blank.
  • Use _blank with rel="noopener noreferrer".

Kicking Orion’s Ass-sets


  • Ships with admin/no password by default.
  • Stores credentials to log in to ALL THE THINGS for asset management.
  • The credentials are stores in the SQL Server DB that’s attached. They’re encrypted, at least.
  • Decompiling the “security.dll” indicated that it used a certificate to do the encryption. And exportable cert, but at least one that’s unique to each install.
  • The DB stores LM hashes alongside the properly encrypted password.
  • The SWNetPerfMon.DB file, which is globally readable, contains all the credentials. And it’s append-only, so it has a history of every set of credentials ever used.

All that said, SolarWinds were really awesome about the findings and working with the researcher.

Condensed History of Lock Picking

Grace Nolan

Once, locks were a status symbol: keys were huge in Medievel Europe, for example; the Romans might wear them as rings. In these eras, being able to afford a lock was bragging about your wealth, and your ability to secure it.

The modern bolt lock was patented in 1865 by Linus Yale, but the basic idea is not new; King Sargon II had the same sort of pin and bolt design. They made it to ancient Egypt, but disappeared from history.

Lock security is measured in time - the time it takes to break them. It’s security by obscurity; making it too much of a nuisance.

Some locks have heavy deterrents: Grace showed a lock with a built-in pistol, and another with a lion sculpture whose jaw could clamp down on a failed attempt to pick it.

The era of “perfect security”, from the 18th century through ended in the Crystal Palace exhibition in 1851. The two strongest locks of the era were on display; then Calvin Hobbs came in. He was a salesman from an American company who would demonstrate failures in others’ locks, so as to sell his employers. He managed to crack the two “unpickable” locks, but it took a number of days.

Unfortunately it turns out that the competitions didn’t really work. The public weren’t prepared to pay for these phenominally strong locks; they would use the cheap pin and cylinder Yale-style locks.

Contactless Access Control

Ryan and Jeremy

Imagine you’ve locked yourself out of your office. There’s a touch to exit button, but it’s on the other side of the door.

A capacitive touch button.

These buttons measure a small environmental change, intended to be you touching the button. But you don’t actually need to touch it. Just change the capacitance of the circut.

“I built an electromagnet to play with.”

It turns out that if you point that electomagnet at the touch-to-exit sensor and put a moderately high-frequency (say 100kHz) current through it, the button sees a change, and then opens.

And then “I guess we needed more lightning.” Having used a spark plug and an automotive component (high current motor driver), he could generate enough voltage to arc through the air and trigger the button’s circut.

Thwn they moved away from MOAR VOLTAGE, and went with an induction coil, and a script that drives it at a range of frequencies. The software in the touchpad sees the noise, changes the sensitivity, and then when you cut the interference, they assume that a touch event happened, and unlock.

Unfortunately pushing the coils harder and harder caused them to overheat. And desolder. Whoops.

The next iteration had some safety mechanisms, like a heat cut-out. It can still reach out 15 cm.

Time for the portable version! Batteries, the coil, and an IC to run it, all of which can fit into a large pocket. Not bad, but the range was pretty limited. And eventually it exploded.

But still. It works. WTF security device manufacturers?

Closing Ceremony & Prizegiving

An a capella rendition of the Badger song by the Doubtful Sounds choir.

2135 tickets sold, with a 90% collection rate.

Thanks to Liberty Brewing for the beer.

Achievment Unlocked: FUCKING EARTHQUAKE Achievment Unlocked: Radiated Lighting Desk Achievment Unlocked: Dihydrogen Monoxide Achievment Unlocked: Pie Sandwich

Another amazing year. Consistentky the best conference I go to.