The Hacker Factor Blog

Earlier this week, I attended a presentation by Jochen Wolters titled "Back Up Your Data or Get Ready for Tears" (pdf). Usually the tech talks that I attend are extremely technical and aimed toward hard-core programmers and power-users. However, this talk was for generic users and not programmers. (I think I was one of three programmers there, including the speaker.) As such, Wolters gave an awesome presentation that cut out the technical details and told the audience what they really needed to know.

My own backup needs are an extreme case. I use RAIDs, auto-sync and auto-backup directories, and multiple media devices, as well as off-site storage. However, the typical computer user (mom and dad) don't need five-nines uptime (up 99.999% of the time).

Back to Basics

There are really just a few things that the typical person needs when it comes to computer backups:

• Backups. Kind of a "duh" thing, but if you don't have any backups then you will eventually lose data. Whether the loss is from a hard drive crash, power spike that fries your computer, or your cat deciding to lay on the delete key, data loss will eventually happen. The data you will loose may include your tax forms, family photos, your list of passwords for all of your online services, and more. For damaged drives, data recovery services are very expensive ($2000-$3000 per hard drive, and that assumes that they can recover the data). According to Wolters, some data recovery services even offer 24-hour suicide prevention hotlines. (People can get very emotional when all of their family photos are deleted.)
  
  
• Automated Backups. Your backups should be automated. If you are doing them by hand then you are probably not doing it regularly or often enough. Backups should be automated.
  
  
• Verified Backups. How do you know that your backups are working? If you have never tried to recover a file, then try it now! You don't want to be learning how to restore data after a crash. Instead, you want to be familiar with the backup software and know how to recover the system before you need to use the skill. (Think of it like defensive driving. You don't want to learn how to drive on ice during your first ice storm.)
  
  
• Offsite Backups. Be sure to have at least one backup kept off site. And "off site" does not mean in your attic, basement, or other room in your house. If your house burns down, you want your data safely stored outside the building. Consider storing a backup hard drive in a bank vault -- it will cost much less than a data recovery service.
  
  A good off-site location is any place where you already have access. This may be your parents house, the office, or a friend's apartment. (My pilot friend uses his airplane hangar.) But keep in mind: if you don't have free access to your friend's house, then you may have to wait before retrieving your backup. (E.g., if he is on vacation for 2 weeks and you are locked out, that means 2 weeks without access to the backup.)

Types of Backups

At bare minimum, you really need one type of backup: a full disk copy. This is a full copy of the bootable system. This way, if/when your hard drive or computer dies, you can just slip the backup drive into a working computer and be up and running. And since it is a full copy, you know that every application you need will be fully functional.

The second type of backup is an incremental. It just stores the files that have changed since the last backup. Depending on your needs, you may want a history of incremental backups. This way, you can recover a file as it existed a few weeks ago. If you only keep the most recent copy, then you may lose intermediate changes.

For my own extreme needs, I use external hard drives and only perform full backups. However, I have a bunch of these drives and I cycle through them. I can go back a month without a problem. For critical short-term data, I use system redundancy -- copying files between computers and storing iterative backups as needed. (For source code, I use Subversion for tracking changes. The full backup includes the entire subversion repository and history.)

Of course, some of the work that I do cannot be stored on backups. For example, third-party forensic data usually includes the stipulation to not keep additional copies. In this case, the data that I have is not the original data (I work from copies) and I have specific systems that are not backed up. But that's an extreme case and not typical for regular users.

For critical data that seldom changes (e.g., tax records for the previous years), I burn them to DVD. I usually burn two copies, just in case one gets scratched. Although DVDs usually have a shelf life of 7-10 years, that's perfect for taxes. (Although it varies by accountant, you are usually advised to not keep tax records longer than 10 years anyway.)

Frequency of Backups

Most people view backups as a bother. They won't take it seriously until after they lose a lot of data. My own extreme backup solution only came about after some bad experiences. For example, I had a critical hard drive die 10 years ago. Since then, I keep frequent full backups. Later, I lost some source code between backups. Now I use a source code control system and multiple-system synchronization with backup checkpoints.

There are really two factors to consider for your backup solution: (1) how much data can you afford to lose, and (2) how long do you want to be offline? For my own needs, I can lose up to 4 hours of work and it will take me up to an hour to recover. In the worst case, it will take me 24 hours to repair or replace whatever broke, but I will still be up and running while I wait for the repairs to complete.

Typical user needs are nowhere near as extreme. Your backup starts automatically around 1:00am and a full backup can be done by morning. Recovering from the backup may take just as long -- unless you use a bootable backup. If you do one backup a week, then you can lose as much as a week's worth of data. It'll hurt, but it won't be too bad.

Setting up the backup usually just requires two external USB hard drives (one for home and one for the off-site location -- and you swap them periodically), and getting some backup software. Many USB drives come with backup software, but I usually don't recommend using it. For Apple users, Time Machine is awesome software. For Windows users, your operating system comes with a backup system and a scheduler for automating it. (Right click on the drive icon. Backups are somewhere in the little menu.) For Linux/Unix users, 'rsync -auvf' is your friend.

Typical Needs

The audience at this presentation consisted of regular people. One guy was a carpenter. One woman was a writer. Another was a professional lecturer. Mostly small-office/home-office companies, and most did not have backup solutions. The few people who thought they had backups running were not sure what software they used, whether it was full or incremental, or even where the backed up data resided. If you don't have backups, you're not alone. Now is the right time to setup a backup solution that fits your needs.

Over the last week, a bunch of friends have forwarded to me stories about the risks of GPS information embedded in pictures. For example, MythBuster Adam Savage apparently took a picture of his car at his home and forgot to disable the GPS information. Rabid fans quickly identified where Adam lived. Granted, I doubt most celebrities have secret homes, but the fact is: pictures tell much more about you than just the photo's content.

The GPS data in JPEGs is nothing new. It was part of JPEG's EXIF 2.1 Standard back in 1998. (And that may not be the earliest version...) However, it wasn't until the last few years that cameras, cell phones, and other portable devices began to incorporate GPS technologies. Today, it is hard to find a cell phone without a camera, and many of them include GPS as a feature.

While GPS information embedded in a picture may tell people where you were, Facebook has decided to use your GPS for telling people where you are. Called Facebook Places, they will broadcast your GPS location to all of your Facebook friends. While they do have options for limiting distribution, Facebook is well-known for abruptly changing policies.

iPhone, iPad, iTouch, iMac, iSpy

Today's ever-smarter portable devices are not designed for privacy-oriented people. While the embedding and publishing of GPS information may be an overt example, there are many other cases of your device leaking information about you.

I've been collecting photos from various hand-held devices. I use them to populate a photo ballistics database. My friend, Bum, recently purchased an iPad. He sent me a screenshot from the device. (His iPad doesn't have a camera.) While the picture's ballistics wasn't very interesting, the email header was!

From: Bum <b...@...com>
To: Neal Krawetz <n...@...com>
Content-Type: multipart/mixed; boundary=Apple-Mail-1-186804698
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (iPad Mail 7B405)
Subject: You wanted a photo?
Date: Sun, 8 Aug 2010 10:39:58 -0700
X-Mailer: iPad Mail (7B405)

The first thing to notice is the X-Mailer header. It identifies the device (iPad), application (Mail), and version (7B405). This isn't too exciting since most MUAs (mail user agents) include this type of information. However, it was the content boundary that got my attention: Apple-Mail-1-186804698.

I dug through my email archives and found a bunch of other examples:

Apple-Mail-11-1034880980
Apple-Mail-2--961132422
Apple-Mail-1--77112522
Apple-Mail-1-186804698
Apple-Mail-4--29131759
Apple-Mail-5--10882313
Apple-Mail-15-908210705
Apple-Mail-4-1054791469

With a little help from the DC3, I finally understand what these non-random numbers describe. The big number is actually the most uninteresting value. It is the time in milliseconds stored in a signed 32-bit register. (Negative numbers have the double hyphens.) Since it is a 32-bit register, the value rolls over about every 24.86 days. However, the zero date isn't the Unix epoch (00:00:00 on 1970-01-01). Instead, if you assume the timestamp represents today's date (from the email Date header) and repeatedly subtract 2³¹ microseconds until you reach the Unix epoch, then you'll notice that it is off... The value closest to the epoch (without going under) is 128397792ms, or Jan 2 11:39:57 1970. (You might see it vary by a second, 11:39:58, if the clock happened to roll over between generating the Date and content boundary.) I'm not sure why Apple chose this date, but it is consistent. The Mail program on the iPhone, iPad, iTouch, and Mac OS X all use the same date.

From a forensics viewpoint, this is useful. This is a quick way to identify forged emails that claim to be from Macs. (I actually had a use for this last week!)

The more interesting number is the smaller value. It took me a while to identify the purpose. That is the number of attachments sent by the mailer (Apple Mail) since the program was started. If you see "-1-" then it means that you received the first attachment that they sent since they started the program. The "-15-" means that person had started Apple Mail and sent 14 attachments before sending one to me. (Winn Schwartau sent me an email that had "-245-"!)

This is very useful, particularly if you receive multiple emails from the person over a short duration. For example, Bum always sends me with "-1-". This means he closes the Mail program frequently. (Make sense for an iPad that can't multitask.) I also received emails from a friend, M., who clearly loves attachments -- in 30 minutes he went from "--12--" to "--28--".

From a forensics viewpoint, this is awesome. Let's say the person has a couple of different Apple computers. I should be about to look over his computer and see how many attachments he sent on each system and match the count to the emails. Even if you delete a specific email, I can still determine how many attachments were included in the deletion.

Android Spies

The information leakage is not limited to Apple products. At Defcon, my friend Factor sent me a sample picture from his Android phone. The problem is, it crashed my analysis tool!



The problem was a poorly formed JPEG. Specifically, every JPEG should begin with 0xffd8, contain a stream that starts with 0xffda, and end with 0xffd9. Between the 0xffd8 and 0xffda are various other settings, including APP records (0xffe0 to 0xffef for APP0 to APP15). In his case, his Android was storing additional APP records after the end of stream (0xffd9).

I added a check for this situation (so my code no longer crashes). However, these APP5 records (0xffe5) turned out to be really interesting. They only appear in one type of Android phone: the Motorola Android. I have observed these fields from photos taken with:

• Motorola, Droid, 2.0.1
  
• Motorola, Droid, 2.1-update1
  
• Motorola, Droid, 2.2
  
• Motorola, DROIDX, 2.1-update1
  
• Motorola, DROID2, 2.2
  
• Motorola, Milestone, 2.1-update1

They probably appear in other phones as well. However, I have not seen them with any other type of Android phone.

These extra APP fields like:

tag='0xffe5' length='32' field='APP5' value='HPQ-MetaData'
tag='0xffe5' length='168' field='APP5' value='HPQ-HostIntf'
tag='0xffe5' length='2400' field='APP5' value='HPQ-AutoExpo'
tag='0xffe5' length='1856' field='APP5' value='HPQ-LensInfo'
tag='0xffe5' length='4112' field='APP5' value='HPQ-AutoFoS1'
tag='0xffe5' length='4104' field='APP5' value='HPQ-AutoFoLV'
tag='0xffe5' length='6140' field='APP5' value='HPQ-WhiteBal'
tag='0xffe5' length='1660' field='APP5' value='HPQ-PPR'
tag='0xffe5' length='1164' field='APP5' value='HPQ-Capture'
tag='0xffe5' length='142' field='APP5' value='HPQ-Pipe2Mdd'
tag='0xffe5' length='1692' field='APP5' value='HPQ-Flicker_'
tag='0xffe5' length='44' field='APP5' value='HPQ-SensorMD'
tag='0xffe5' length='22' field='APP5' value='HPQ-ImgGener'
tag='0xffe5' length='20' field='APP5' value='HPQ-DigiZoom'
tag='0xffe5' length='84' field='APP5' value='HPQ-MotionMd'
tag='0xffe5' length='32' field='APP5' value='HPQ-CalsMfg '
tag='0xffe5' length='65016' field='APP5' value='HPQ-CalsSec1'
tag='0xffe5' length='10016' field='APP5' value='HPQ-CalsSec2'
tag='0xffe5' length='8568' field='APP5' value='HPQ-LRGEBUFF'
tag='0xffe5' length='24' field='APP5' value='HPQ-MetaHint'
tag='0xffe5' length='12' field='APP5' length='12' value='pad pad pad '

That's right, every picture has over 95K of additional APP5 data after the picture! That is as much as 8% of the file size!

So far, I can only decode one of the fields: HPQ-Capture. This has 3-5 records (depending on the version) and the records identify your phone. Here's an example from a decoded block from a Motorola, Droid, 2.2:

field='Build Version' value='4719:5353'
field='Build Date' value='2010-06-14 15:15:45'
field='Builder Email' value='kraigp@itlbuild.fc.hp.com'
field='Build Name' value='SholesMR2_RC9'
field='Kernel Release' value='2.6.32.9-g103d848'
field='Kernel Version' value='#1 PREEMPT Wed May 26 18:02:03 PDT 2010'

The kernel information is the same as running "uname -r" and "uname -v" from a command prompt. The Build Version looks like a SVN string, but it could be some other source code revision system.

I sent an email to "kraigp" asking for more information about these undocumented fields, but got a bounced email:

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients was aborted after 34 second(s):

* kraigp@itlbuild.fc.hp.com

Different Android versions include different information. For example, the Motorola DROIDX 2.1-update1 says:

field='Build Version' value='5476'
field='Build Date' value='2010-06-24 16:02:09'
field='Builder Email' value='tanvir@tanvir-lnxdev'
field='Build Name' value='Shadow_RC7'
field='Kernel Release' value='2.6.29'
field='Kernel Version' value='#1 PREEMPT Thu Jul 1 18:18:04 CDT 2010'

All of these HPQ fields appear to be part of the HPAndroidHAL driver. Since only Motorola seems to use this driver, only Motorola photos get tagged. (If I'm wrong here, I hope someone will tell me. I'll be sure to make corrections.) It kind of makes sense that Hewlett-Packard would embed their stock symbol (HPQ) in the APP field...

Most of the HPQ records have fixed lengths. Some values don't change regardless of camera version. Some change between versions but not between cameras, some change with each photo (e.g., White balance and focus), and some seem to change between specific cameras. It is these last fields that seem interesting. Not only can I tell what camera took the picture, but I can tell you if two photos were taken by the exact same camera. Unfortunately, I don't know the meaning of these fields since the "changes between cameras" could be coincidental based on my minimal sample size.

The only variable-sized field seems to be the HPQ-LRGEBUFF record. It looks like some kind of fractional memory dump. (I really suspect debugging code that was not disabled before release.)

If you have an Android phone and want to know if your pictures have the HPQ tags, then try this:

1. Take a photo. (Let's call it photo.jpg.)
   
2. strings photo.jpg | grep HPQ-

If you don't see anything, then your pictures are clean. If you see HPQ strings, then your photos are tagged. Use 'hexedit photo.jpg' and search for "HPQ-". This will show you all of the HPQ records.

In any case, until we learn what "HPQ" is embedding in each photo taken by a Motorola Android, I'm going to stay on the paranoid side. If you happen to know how to decode the other fields, please let me know!

The End?

Smarter devices do not mean smarter users or smarter programmers. Unless you know how to disable every undesirable feature (and remember to disable it), you are probably going to leak information. While online anonymity isn't dead, it is getting harder and harder to protect our privacy.

According to news reports, China is now the world's second largest economy. However, I still equate their exports with cheap plastic, consumables (the opposite of durable goods), and low quality network exploits.

That's right: low quality network exploits. I mean, seriously, if the domain is hosted in China and is not a ".gov.cn" domain, then it is likely a scam site -- spam, phishing, malware, or cheap knockoffs. Sure, there are a few legitimate .cn domains that are not ".gov.cn". For example, www.google.cn, baudu.cn, and kaixin001.com come to mind. However, legitimate sites are the extreme minority. In contrast, I can immediately name hundreds of non-Chinese .com, .us, and even .ru sites that are legitimate (even if I don't include PayPal in the list).

Then again, maybe I just have a biased viewpoint. Having spent decades tracking spam, scams, phishers, and the like -- and constantly seeing China in the loop -- I cannot help but have this bias.

Network Attacks

My web site, like most other web sites, is constantly under attack. Most of the time, the attacks are blind scans. The attacker tries an exploit without first checking if the site is vulnerable. If the attack fails, they move on. If the exploit succeeds, then the automated attacker will quickly compromise the server.

Most attacks use one or two queries. For example, I'll see in my logs a query for "/login.php" and then a second query for the same non-existing file. However, if the attacker comes from China, then I can see 40 or more of the same query coming from an entire subnet of hostile systems. I consider this to be a stoopid attacker: if it didn't work 39 times, then the 40th time probably won't work either.

What likely happened is that some kiddie has a subnet of attack bots and told all of the bots to attack one URL rather than having them each attack different sites. Stupid attack x 40 = very stupid attacker.

Directed Attacks

I've had a couple of groups try to hack my web site for the purpose of stealing my image analysis source code. I know this, because they did blind guesses for things like "sourcecode.zip" and "imagesrc.tar.gz". For the record: I do not keep my source code on this web site. Never have, never will.

Most of these attacks came from China, and I strongly suspect the Chinese government. The attacks began last November, a few months before China was accused of hacking Google. At one point, I uploaded a zip file of hard-core Chinese porn and used a regular expression to match their query and feed them the file. Suffice to say, they stopped their attack for a few months.

The Latest Sad Attempt

I recently had a comment posted to my blog that was so unbelievably obvious as to make me wonder: How much of an idiot do they think I am???

In reference to: http://www.hackerfactor.com/blog/index.php?/archives/317-Backhanded-Apology.html
User IP-address: 205.209.142.173
User Name: louis vuitton
User Email: chenchen21621@hotmail.com
User Homepage: www. louis vuitton handbags. org WARNING: Do Not Visit! Possibly hosts malware. Spaces added to deter people from clicking on it.

Comments:
Thanks for your posting; I really appreciate your ideas. Hope you can keep going.
This is a really great website, and I really like your essay. Thanks for your sharing.

So let's count everything that is wrong:

1. While I have had some big names write into my blog, I kinda think that Louis Vuitton would know how to capitalize his own name.
   
2. I doubt that Louis would use an email address of "chenchen21621@hotmail.com".
   
3. The IP address traces to Fremont, California.

However, it is the claimed homepage that is the true joke. For example, all over the web site they spell the name "Louis vuitton" (forgot to capitalize the surname). The domain for the real "louisvuitton.com" site is registered to "Louis Vuitton Malletier" in Paris, France. But this faker's domain name is registered to some guy in China:

louisvuittonhandbags.org has address 63.223.106.237
Domain ID:D159724340-LROR
Domain Name:LOUISVUITTONHANDBAGS.ORG
Created On:23-Jul-2010 09:43:49 UTC
Last Updated On:23-Jul-2010 09:43:53 UTC
Expiration Date:23-Jul-2012 09:43:49 UTC
Sponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:orgfl79878227718
Registrant Name:fang li
Registrant Organization:bai shen ke ji
Registrant Street1:wenshanzhuangzuzizhiqu
Registrant City:wenshanzhou
Registrant State/Province:Yunnan
Registrant Postal Code:663000
Registrant Country:CN
Registrant Phone:+86.8762654874
Registrant FAX:+86.8762654874
Registrant Email:zhucepo9@163.com
Admin ID:orgfl79878228061
Admin Name:fang li
Admin Organization:fang li
Admin Street1:wenshanzhuangzuzizhiqu
Admin City:wenshanzhou
Admin State/Province:Yunnan
Admin Postal Code:663000
Admin Country:CN
Admin Phone:+86.8762654874
Admin FAX:+86.8762654874
Admin Email:zhucepo9@163.com
Tech ID:orgfl79878228397
Tech Name:fang li
Tech Organization:fang li
Tech Street1:wenshanzhuangzuzizhiqu
Tech City:wenshanzhou
Tech State/Province:Yunnan
Tech Postal Code:663000
Tech Country:CN
Tech Phone:+86.8762654874
Tech Phone Ext.:
Tech FAX:+86.8762654874

The web site itself appears to be a functional shopping site, but it is certainly a scam. They say the site was established in 2007, but the copyright says 2008 and the DNS registrations says... last month! (Created On:23-Jul-2010 09:43:49 UTC)

Going through their check-out process is equally fun. The only shipping option is "USPS" (United States Postal Service), and the system seems to hang before transferring you to some third-party web site (that I've never heard of) for handling credit card payments. Unfortunately, the link failed... probably because I use the NoScript plugin and it identified a possible XSS attack.

Even more offensive... Why would a site called "Louis Vuitton Handbags" carry items from competing designers like Gucci, Burberry, Coach, and Prada? And why would Vuitton offer fashion items that are a few years out of style? (This is a fashion faux pas that is criminal!) The IP address used by this site also hosts luxurybags-mall.com, salestiffany.com, saletiffanyjewellery.com, and shoptiffanyjewellery.com.

This site is a scam. Most likely, they will take your credit card information (if they ever fix their link) and go for identify theft. I wouldn't rule out malware. At best, they might actually sell you a cheap, counterfeit knockoff made by some kid in a sweatshop.

A little over a month ago I had the need to analyze some images stored in Flash (SWF) files. While there are programs that can extract images from SWF files, they don't necessarily extract the full image. Specifically, most applications drop alpha-channel information.

SWF Format

As far as parsing the file format goes, SWF is almost as easy to parse as PNG. The basic format has a simple header that is followed a tag-length-data structure. The first two bytes of the stream identify the tag type and amount of data. Ten bits are assigned to the tag type and six bits assigned to the data length. If the data length is 0x3f (the maximum value), then 4 more bytes follow that contain the full size. SWF files are very consistent -- even if you don't know what a particular tag value means, you can still parse the entire file.

There are actually two types of Flash files. They are identified by the first 3 bytes. If it says "SWF" then it is a regular Flash file. "CWF" identifies a compressed Flash file -- everything after the header is zlib compressed. After decompression, you can parse it as a regular "SWF" file.

Image Formats

Images can be stored in a couple of different ways within the SWF.

• Split JPEGs. Tags 6 and 8 combine to form a regular JPEG. The idea here is that many JPEGs have identical headers, quantization tables, and Huffman tables. Rather than storing them multiple times, the common parts are stored in tag 8 and the unique data streams are stored in tag 6. In reality, you'll need to play with the first few bytes of the tag 6 data and last few bytes of tag 8 for them to combine correctly. Some SWF-generating programs will end tag 8 with 0xffd9 and begin tag 6 with 0xffd8 -- the JPEG start and end markers -- so you'll need to make sure there are no start/end markers in the place where both SWF tags combine.
  
  
• Tags 20 and 36 define lossless bitmaps. The difference is that tag 36 includes an alpha channel, while tag 20 does not.
  
  
• Tags 21, 35, and 90 define images. Usually these are JPEG, but they can also be PNG or GIF. If the image is a JPEG, then tags 35 and 90 also contain alpha channel information. This is how SWF can use a JPEG with a transparency layer.

Seeing the Full Picture

While the image tag defines the picture, other tags describe how to display it. This can include cropping, scaling, flipping, and/or rotating the image. For my needs, I want the full picture. For example, the file "http://www.staging.mcdonalds.com/content/usa/sports.RowPar.0004.ContentPar.0001.ColumnPar.0001.File.tmp/Sports_07182008.swf" is part of an old ad campaign from McDonalds. Although the web page no longer shows the SWF file, it is still available on their web site and indexed through Google. This movie only shows a cropped picture of a girl dunking a basketball. But the full picture found in the SWF shows a horrendous amount of editing.



I'm not sure which is worse... the extra long arm, the cloned lights on the left, or the "I tried to erase the background" failure on the right.

The second image in this SWF isn't much better. I can understand the desire to make the background gray while leaving the person in color, but why did McDonalds gray-out her knee?

Unseen

When someone creates a Flash file, they build it in layers. Sometimes a layer is not enabled. However, just because the regular Flash movie doesn't show it does not mean it is gone. In fact, hidden images often exist in SWF files. For example, the Flash movie at http://www.liuyehu.gov.cn/index.swf (courtesy of their local Chinese Government) contains a banner showing the town and people having fun. However, there is a second, hidden image that shows the pre-edited version.





Personally, I fear our new Chinese overlords. Their children are taller than trees!

But it Tastes Good!

Ever since I started parsing SWF files, I just can't seem to stop. I'm looking at almost every Flash file I come across. Most are uninteresting. A few make me laugh, like this image from Ralph Lauren (https://www.ralphlauren.com/graphics/media/polo/1112_hp_821x709.swf)... her arm looks broken and what is going on behind the chair???


Reduced size image used for criticism, comment, teaching, and research, as specified in US Copyright Law Title 17, Circular 92, Chapter 1, Section 107 "Limitations on exclusive rights: Fair use".

But the best Flash banner so far comes from Famous Dave's Legendary Pit Bar-B-Que. I went to the site looking for directions (I was meeting some friends for lunch). Most of the images are from the animated banner, where food rises and falls onto a table. However, the first picture is hidden/unused, and it is just amazing... It is a full screen snapshot of the developer's desktop!



Here's how you can view the full thing:

1. Install swftools (http://www.swftools.org/)
   
2. Get the SWF file: wget http://www.legendarybbq.com/header.swf
   
3. Find the image ID (it is 0002): swfdump -D header.swf | grep JPEG
   
4. Extract the image: swfextract -o secretimg.jpg -j 2 header.swf

You can clearly see an open chat session with Kelly Karnetsky (you can even see his email address). The session is between Kelly and someone calling himself, "Well let's focus Mr. Million Dollars and find something that can blow up a car!" There is another chat session with someone called "Jonas". The developer is listening to Sarah Mclachlan's Surfacing and was searching his music collection for Eminem. The screenshot shows the clock at 4:06pm on Sunday, 10/26/2008.

I actually reported this information leakage to one of Famous Dave's managers. I know they received it because I provided them a zip file containing all of the extracted images, including the desktop. Moreover, the zip file was downloaded 7 times, including by people at Basic Food Group -- the parent company of Famous Dave's. However, it has been over two weeks; nobody has gotten back to me and they have not removed the image from the SWF file. I can only conclude that they don't mind if people see it.

Eventually I'll probably make a SWF decompiler for those "Do ABC" blocks of compiled code (tag 82). Just as there are unused pictures, I fully expect there to be unused code, and plain-text passwords for Flash-based cryptographic systems.

I'm finally back and recovered from Defcon 18 (and caught up with my workload). This is definitely my favorite conference. I caught up with a bunch of old friends, made a few new friends, and learned a thing or two.

The conference seemed much more crowded this year. I couldn't get into some of the talks that I wanted to hear. And the sea of people... Everyone was polite, well behaved, and orderly, but there were still very long lines as much as 30 minutes before some talks began.

Relative Perspective

Back when I first attended Defcon (Defcon 9 in 2001), the crowd was about a third whitehats, a third blackhats, and a third feds trying to inventory the other two groups. Over the years, the blackhats and anarchists have dropped off and more feds attend the conference. (As Omar the cabbie once told me, feds don't take taxis. If the parking lot is full, then those are the feds.)

Last year, there were a few blackhats, but most of the attendees were whitehats or feds. (Hint: If you tell people about your military background, run out to your car to take a sudden phone call, or refuse to say where you work, then you're a fed.) This year, I saw nobody that I knew was a true blackhat. (And yes, I know who some of them are.) Nearly everyone was a fed or whitehat from industry or academia. At the end of the conference, Priest (the big Goon) even congratulated the audience -- this was the first Defcon ever that wasn't marred by vandalism or sheer acts of stupidity.

Next year ought to be very entertaining: Defcon is moving to the Rio. Unlike the Riviera, the Rio has a wide selection of restaurants, a great buffet, and rooms that are better than a La Quinta. The Rio should also have more space, so the crowds won't seem as extreme.

Talks

I attended a few of the panel talks. This year, they split the Meet The Fed panel into two parts: Forensics (CSI:TCP/IP) and Arresting Authority (Policy, Privacy, Deterrence, and Cyber War). This was a really good switch -- the panel was more focused and the questions to them were more interesting. Only the Forensics panel played "Spot the Lamer" (the fed's take on Spot the Fed). Ironically, my friend Kristen was selected as a contestant. She didn't win (how lame is that?).

I also attended the Internet Wars panel. (I got to meet Paul Vixie in person. Very cool. He looks more like Charlie Brown than I expected.) While most of the Q&A were interesting, I think the best part was when I convinced Elise to take a picture of Dan Kaminsky...


"Look, Dan's asleep! Take his picture!"


"No, I mean walk over there and take his picture" The audience applauded after she took this. This picture really sums up Defcon. I really like the "Dedicated" t-shirt, empty beers, and the Corona box that says "Relax Responsibly" during the Internet Wars panel.

By and far, the best talk was "Jackpotting Automated Teller Machines" by Barnaby Jack. At one point, he had an ATM machine spewing money across the stage. Other good talks included "Weaponizing Lady Gaga" by Nurse (Brad Smith -- he really is a registered nurse) and "How I Met Your Girlfriend" by Samy Kamkar. And of course, Richard Thieme is always an entertaining speaker.

Besides the talks, I spent a good amount of time watching the various contests. Defcon had more contests this year than ever before. The new "Tampered Evidence" and "Crack Me If You Can" challenges were really good. However, I was most impressed by this year's Capture the Flag contest. My good friend, Factor, was on the winning team. He's gone by the handle "Factor" for longer than my company (Hacker Factor) has been around (the names are coincidental) -- so I gave him an official Hacker Factor hat. Factor is really an amazing guy. Besides winning the CTF this year, he also mentored team pwnage -- they won the high school category of last year's DC3 Forensic Challenge. Anyway, here's a picture of his black badge, which gives him lifetime free admission to Defcon. (It is much nicer than my black badge, which is nothing more than black paint on metal.)



I'll talk more about this picture in another blog entry...

Books!

I ended up giving away about a dozen copies of my latest book, Ubuntu: Powerful Hacks and Customizations. I included two stipulations with the free book: (1) if you like it, mention it in your blog, and (2) take at least three photos of people with the book. I'm hoping that people actually send in photos.

About Vegas

If it wasn't for Blackhat and Defcon, I would probably never return to Las Vegas. The gambling doesn't interest me. (Perhaps if people smiled...) The shows are expensive and really haven't changed in a decade. The entire place stinks like smoke. The food used to be excellent, but now is just adequate in taste and extremely expensive. Expect to spend about $80 per day on food (unless you like fast food).

I didn't stay at the conference hotel. Instead, I stayed at the Wynn. At one point, I decided to treat myself to a meal. I ate at the Wynn's Strata restaurant. The food tasted wonderful, but wasn't much more than 6oz total -- I spent $21 on food and left the table hungry. While the Wynn's weekday breakfast buffet is good, I'd recommend Denny's and the Peppermill down the street if you are hungry and don't want to spend a fortune. The hotel's security wasn't much better. On two of the days, someone played with the combination lock on my luggage while I was away from the room. I also told hotel security that there was a drugged out woman in the elevator and she was having a really bad trip as she was fading out of consciousness. It is suffice to say, the Wynn is a five star hotel with one star amenities. For a better experience, try Planet Hollywood.

I used to go to Vegas 2-3 times a year (various business trips). Now I'm down to once a year. However, in my literally dozens of visits over the years, this is the first time I have ever found a cabbie who did not know the hotels on the Strip. I was about to step out of the car when the bellhop gave the driver directions. (No, I didn't tip.) The other cabbies complained about low numbers of riders, but they no longer blamed Obama. Now they blame the hotels for not catering to anyone except the drug/party people. (Explains my elevator experience...)

Home Again

Overall, I still don't think much of Las Vegas. However, Defcon is definitely fun. I am already looking forward to next year.