So it started with an idea.  How cool would it be to get everybody to install a QR code reader and read temporary tattoos off each other?  Anyway, at Shmoocon I walked around with a bag of QR temporary tattoos much to the delight and chagrin of the hackers assembled therein.

The howto:
#1 Get a barcode generator. I use zint, it’s my favorite tool for generation.  For those of you on Ubuntu or Debian, I have packages built for you.  And give the zint guys some money while you’re at it, they use the funds to buy standards and make zint work with every symbology known to mankind.

#2 Get a layout program. I use Inkscape.  Key here is that it has to be able to import .svg files and be able to flip images horizontally.

#3 Get printable temporary tattoo paper. It’s not really cheap, but I found kits on tattoofun.com.  The kit consists of waterslide temporary tattoo paper, adhesive sheets, and an instruction sheet.

#4 Make .svg Barcodes! I load up zint and toss some text at it, then use the QR symbology.  Some examples:

• sms:7035551234 body:Greetz from teh Internetz
• MATMSG: TO:shredder@guerilla-ciso.com; SUB:Test; BODY:This is a test. Please reply if received.;;
• MECARD:N:Wizzleteague, Stinky;ADR:1234 Main St, Arlington, VA 22202;TEL:+17035551234;EMAIL:shredder@guerilla-ciso.com;;
• Hi, I’m Quine. I haz a RAGE! https://twitter.com/quine
• I went to Shmoo and all I got was the flu
• BTW, if you want to pay me to make QR tattoos for promotion events, drop me an email.

#4.5 Add in QR error correction. The more error correction you use, the more data in the barcode so the smaller the blocks are.  However, some error correction compensates for distortion and glare.  IIUC, Zint automagically adds in 20% error correction.  I’m not sure what the magic number here is because it depends on the size of the printed barcodes.

#5 Export barcode from zint. SVG is awesome to save as because you can scale the barcodes up as much as you want and they won’t get all pixelated-looking.  You can grab a ton of the barcodes I made here.

#6 Import barcode into inkscape.  File=>Import then select the .svg file you want.  Since the barcodes are svg, you can scale them awesomely.  For mine, I set up guidelines so I could lay out rows proportionately.  Be sure to lock the object proportions or you’ll get hideously warped QR monstrosities that nothing can read.  You can grab my sheet of barcodes here.

#7 Make “The Big Flip” and print.  Inkscape-specific: Edit=>Select All   followed by   Object=>Flip Horizontal.  Then print the page on the glossy side of the slide water paper.

#8 Add the sticky.  It’s a bit like laminating a map only the adhesive is way more forgiving.  Poke some pin-holes in the adhesive sheet and smooth out all the bubbles.

#9 Cut, peel, stick, wet, pull, read, lol.  You can get a reader here, but the important bits: iTunes Store: Barcodes.  Android: Barcode Scanner.

Lessons Learned:

Laser barcode scanners don’t work because the film is reflective.  Photo-based barcode scanners (ie, most mobile scanners) work pretty well.

You have to make the barcodes bigger than I did.  Mine were .75x.75 inches and due to the glare on the paper and some distortion due to putting them on skin, they were hard to read.  I think maybe 2×2 inches are optimum.

Hackers don’t like informational urls in their tattoos: “I got an add for ZXing, this sucks”.  I think random goofy phrases and skin pwnage would work better than informational urls.

Some people (Quine) weren’t happy with a grab-bag random url and needed their own custom witty saying.  I felt the rage, it has now been fixed.

You can’t read the barcodes until they’re on the skin because of the horizontal flip.  Before you do the flip, print out the barcodes on regular paper.  You can read these easily enough.  Then flip the finished barcode sheet over after you’ve printed it and you can match up the barcode with the non-flipped sheet.  Even better if you use your computer monitor as a lightbox.

Bookmark to:

Hide Sites

I’m curtailing my blog for a couple of weeks.  I’m busy helping out with Haiti.

I spent last Saturday at CrisisCamp DC.  It’s a barcamp-style hackathon to build applications to help relief workers in Haiti.  Think long-range wifi routers to network the country where the infrastructure is destroyed.  Think a website for quake survivors to tell their story.  Think a Craiglist for relief workers where somebody with an oxygen generator and  somebody with a power supply can get together and make something that helps both of them.  Think all of these created in an 8-hour development stint.

Yes, security folks, you can help.  Not only that, but you have the technical skills to get web apps stuff done and the project management experience to lay out what it is that needs to be done.

We’re holding another CrisisCamp in DC this Saturday the 30th.

Go to crisiscommons.org and look for a project that interests you or a local camp.

Here, let Andy Carvin break it all down “Big Bird Style”:

Movie by @Digiphile, Alex Howard from SearchCompliance.com.  Hopefully I didn’t just “out” him.  =)

Bookmark to:

Hide Sites

So I’m working with the AppSecDC folks doing press relations amongst other things.  I’ve noticed several themes for the conference that might be of interest to the rest of the world.  Of course there’s the usual “The end is nigh, and not even Norton can save you!!!!!” stuff that’s been the staple of security conferences for the past 5 years or so (oh noes, teh Internetz are broken.  Again)

However, AppSecDC has another set of themes that are mostly unique to OWASP and AppSecDC in particular:

• The OWASP Approach to Security: it’s not process/product, it’s education and outreach.  Thanks to Doug Wilson for this idea.  Basically with host and network security, the option is to buy stuff and throw it at the problem.  With application security, it’s “go out and touch a developer today” and “use ESAPI as a tool to help the developers write better and secure code more quickly”.  This is a new concept to the system integrator that I am, but I like it much better than my usual approach.
• Government and Application Security: we’re about 5 years behind industry, how do we catch up?  To this effort, we have some notable Government speakers such as a keynote by Joe Jarzombek, Director for Software Assurance in the National Cyber Security Division of the U.S. Department of Homeland Security.
• OWASP Top 10 2009/2010: This will be announced at AppSecDC with much w00tness and excitement.
• OWASP National Summit: this will be held the day before the official conference.

Convinced you want to go?  Check out the conference site.

Bookmark to:

Hide Sites

I got an email today from the author who said that it’s now officially on the street: Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0.  I’m listed as a reviewer/contributor, which means that maybe I have some good ideas from time to time or that I know some people who know people.  =)

Abstract: The use of social media for federal services and interactions is growing tremendously, supported by initiatives from the administration, directives from government leaders, and demands from the public. This situation presents both opportunity and risk. Guidelines and recommendations for using social media technologies in a manner that minimizes the risk are analyzed and presented in this document.

This document is intended as guidance for any federal agency that uses social media services to collaborate and communicate among employees, partners, other federal agencies, and the public.

Bookmark to:

Hide Sites

Actually this is all a little bit strange to comprehend, I’m not sure I get it all, but here goes…

So my friend Michael Santarcangelo sold his palatial estate, put his wordly posessions in storage somewhere in upstate NY state, and packed up his family in an RV and is travelling around the US giving a series of seminars on “Communicating the Value of Security”.  I’ve met Michael, and he’s not a patchouli-smelling hippie looking for inner truth or some kind of weird traveling salesman, he’s just a really smart guy who’s passionate about what he does.

And he’s coming to Northern Virginia on the 25th to bring you BBQ, pool, and a seminar on how to communicate with non-security folks.  There’s a trivial cost to pay for the food.  It’s also a family event, and there’s no extra cost for your family to come along, although when Michael sees how much my teenage daughters eat, he’ll probably charge me at least an extra $50 bucks.

Get the full set of information here.  Sign up and give it a try.

Bookmark to:

Hide Sites

It’s a global-scale conference. It’s in DC November 10-13th.  Registration is open.  I’m helping out as manual labor and maybe all-around fluffer of some sort.

The DC area sponsors (contractor companies and non-profits) are noticeably lacking, and I would like to fix that.  If you’re interesting in sponsoring, let me know and I’ll forward your info on to the event organizers.

And while I’m out shilling, the DC OWASP Chapter is going strong and having their next meeting on August 5th.  Check them out.

Bookmark to:

Hide Sites