My talking schedule over the next couple of months:
October 25-27: SecTor in Toronto, talking on DDoS and a turbo talk on some of my barcode stuff.
November 8-11: AppSecDC in um… DC, talking on the internal security program for a cloud vendor.
And coming to you, if you give me a call. =)
Posted in Speaking | 
No Comments »
Tags: barcode • cloud • cloudcomputing • ddos • management • security • speaking
In the spirit of Shockwave Rider’s information-sharing worm, the charm of StumbleUpon, and this xkcd cartoon:
And based on the fact that QR codes are “teh awesome”, I have created something both wonderful, inspiring, and evil all at the same time: a Random QR Code Redirector. Just point your phone’s QR reader app at this barcode, sitback, and enjoy the mayhem. Sometimes you get a neat hack url, sometimes you get a funny movie, sometimes you get information about barcodes, sometimes you get something that “once seen, cannot be unseen”. Feel free to print them out and leave them places. =)
And ta-da, the barcode:
Readme, Clickme!!!
Get a QR reader and other QR Code infos here.
“How’s it all work?” Well, for starters I got a vanity domain at co.de (works swimmingly for software projects because, well, it’s “code”). Then I built a database and ~15 lines of php code. I make a weighted random select from the database and send a redirect to the browser.
Table create statement:
CREATE TABLE IF NOT EXISTS `qr_redirect_links` (
`id` smallint(3) NOT NULL auto_increment,
`url` varchar(1500) collate utf8_unicode_ci NOT NULL,
`weight` smallint(3) unsigned NOT NULL,
`comment` varchar(1500) collate utf8_unicode_ci NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=37 ;
The query code is as follows:
<?php
$con = mysql_connect(“<hostname>”,”<username>”,”<password>”);
if (!$con)
{
die(‘Could not connect: ‘ . mysql_error());}
mysql_select_db(“random_urls”, $con);
//You could do a bunch of random select stuff in php but using the database Rand()*(1/Weight) is the easiest 1-liner I know to get a random result.
$result = mysql_query(“SELECT url FROM qr_redirect_links ORDER BY Rand()*(1/Weight) LIMIT 1;”);
while($row = mysql_fetch_array($result))
{
$newurl = $row[‘url’];
header( “Location: $newurl” ) ;//actually send the redirect here
}mysql_close($con);
?>
I’m also collecting interesting urls, just email/twitter/whatever to me, the only rules are that they need to not harm the browser and I have final say on what meets my stringent url quality standards.
Posted in Hack the Planet | 1 Comment »
Tags: barcode • qr
This is something I’ve been working on in my spare brain cycles: building a process for barcode hacking.
Limitations with barcode hacking:
Kernels of nummieness:
The process should run something like this:
BTW, all the kids with their barcodes that say “‘ or 1=1;–” crack me up because they’re being barcode skiddies and don’t understand how barcodes are really used. =)
SQL Injection Bogus Example by ME! Only you can stop the stupidity.
Posted in Hack the Planet, Technical | 1 Comment »
Tags: barcode • itsatrap • pwnage • tools
So it started with an idea. How cool would it be to get everybody to install a QR code reader and read temporary tattoos off each other? Anyway, at Shmoocon I walked around with a bag of QR temporary tattoos much to the delight and chagrin of the hackers assembled therein.
The howto:
#1 Get a barcode generator. I use zint, it’s my favorite tool for generation. For those of you on Ubuntu or Debian, I have packages built for you. And give the zint guys some money while you’re at it, they use the funds to buy standards and make zint work with every symbology known to mankind.
#2 Get a layout program. I use Inkscape. Key here is that it has to be able to import .svg files and be able to flip images horizontally.
#3 Get printable temporary tattoo paper. It’s not really cheap, but I found kits on tattoofun.com. The kit consists of waterslide temporary tattoo paper, adhesive sheets, and an instruction sheet.
#4 Make .svg Barcodes! I load up zint and toss some text at it, then use the QR symbology. Some examples:
#4.5 Add in QR error correction. The more error correction you use, the more data in the barcode so the smaller the blocks are. However, some error correction compensates for distortion and glare. IIUC, Zint automagically adds in 20% error correction. I’m not sure what the magic number here is because it depends on the size of the printed barcodes.
#5 Export barcode from zint. SVG is awesome to save as because you can scale the barcodes up as much as you want and they won’t get all pixelated-looking. You can grab a ton of the barcodes I made here.
#6 Import barcode into inkscape. File=>Import then select the .svg file you want. Since the barcodes are svg, you can scale them awesomely. For mine, I set up guidelines so I could lay out rows proportionately. Be sure to lock the object proportions or you’ll get hideously warped QR monstrosities that nothing can read. You can grab my sheet of barcodes here.
#7 Make “The Big Flip” and print. Inkscape-specific: Edit=>Select All followed by Object=>Flip Horizontal. Then print the page on the glossy side of the slide water paper.
#8 Add the sticky. It’s a bit like laminating a map only the adhesive is way more forgiving. Poke some pin-holes in the adhesive sheet and smooth out all the bubbles.
#9 Cut, peel, stick, wet, pull, read, lol. You can get a reader here, but the important bits: iTunes Store: Barcodes. Android: Barcode Scanner.
Lessons Learned:
Laser barcode scanners don’t work because the film is reflective. Photo-based barcode scanners (ie, most mobile scanners) work pretty well.
You have to make the barcodes bigger than I did. Mine were .75x.75 inches and due to the glare on the paper and some distortion due to putting them on skin, they were hard to read. I think maybe 2×2 inches are optimum.
Hackers don’t like informational urls in their tattoos: “I got an add for ZXing, this sucks”. I think random goofy phrases and skin pwnage would work better than informational urls.
Some people (Quine) weren’t happy with a grab-bag random url and needed their own custom witty saying. I felt the rage, it has now been fixed.
You can’t read the barcodes until they’re on the skin because of the horizontal flip. Before you do the flip, print out the barcodes on regular paper. You can read these easily enough. Then flip the finished barcode sheet over after you’ve printed it and you can match up the barcode with the non-flipped sheet. Even better if you use your computer monitor as a lightbox.
Posted in Hack the Planet, Odds-n-Sods, Technical | 6 Comments »
Tags: barcode • hacking
A little presentation I did for NoVA Hackers. Basic intent was to be more workshop than something more formal and to give everybody the tools to do their own experimentation at home.
I even inspired Jack to write a blog post.
Caveat: this has nothing to do with FISMA or Government InfoSec. =)
Links in the Presentation:
Links of interest:
Posted in Hack the Planet, Speaking, Technical | 6 Comments »
Tags: barcode • hacking • infosec • itsatrap • pwnage • security • speaking • tools
Posts RSS
Subscribe via Email