May02 Meeting Report.
Brum2600 May 2002
Pootled up to Birmingham for BrumCon2 on Saturday May 4th 2002, in the Britannia Hotel.
Bigger room than last year, proper audiovisual facilities with about 30 people
Zipser gave an in depth talk on AX25 packet radio protocol flags and bits explained. Not a Radio Amateur myself, but my ears perked up when "bit stuffing" was mentioned - similar technique to the 56Kbs ISDN in the USA as opposed to the 64Kbs ISDN in Europe. Zipser pointed out that Packet Radio often carries remote location telemetry stuff (possibly bearing other unencrypted higher level proprietry protocols) - think oil, gas, water etc pipelines, electricity grid, flood control/warning etc systems - shouldn't these be part of the Critical National Infrastructure ?
Reload talked about PCN30, but also explained more about the general insecurity of Nortel CVX switches - telnet user=nortel, password=nortel
Bambam failed to convince me of the existence of an efficient Echelon / Big Brother mass surveillance monitoring system, although there is obviously a trend towards this given the joys of e-government.
Jonathan talked about Data Network Security Council, and the difficulties of contacting the supposed Guardians of our Critical National Infrastructure to alert them to potentially huge security holes on extremely high profile websites - the Russians could *still* invade this country if they did it over a Bank Holiday weekend, there would be nobody from the UK Government manning their so called 24 hour contact phones!
Bracket gave a talk on Artificial Intelligence techniques, which stimulated quite a lot of ideas from the audience. Mandatory reading for those interested in applying Evoloutionary/Geneteic algorithm programming techniques to comuter security/insecurity is
Computer Viruses, Artificial Life and Evolution
by Dr. Mark A. Ludwig
which shows how to use genetic algorithms to modify a working computer virus to evade an anti-virus software package - includes source code !
The discussion on how to fool the edge detection alogorithms of facial recognition systems got quite surreal
Alex explained about the phun to be had with SMS messages - some companies, banks etc are are relying on the integrity of this system - but it can be abused, and Flash SMS messages are evil.
Beltram updated his report from BrumCon1 showing the almost trivial ease with which vulnerable websites can be found using say the Google search engine and php includes or SQL injection or Cross Site Scripting attacks.
Gus gave the star presentation on GSM:
Having found a way to determine Ki the crypto secret in each GSM handset, various nightmare scenarios are possible, especially since the A3/A8 cryptographic algorithm placeholders are using the broken COMP128 algorithm sacrificing customer security for increased profits (other standard, secure algorithms are available e.g. 3DES etc but these seem to cost more from Schlumberger or Gemplus, the SIM card manufacturers).
It seems that there some other possible nightmare scenarios involving killing an entire GSM network, Denial of Service on a couple of countries and SIM address book replicating viruses similar to unpopular MS Outlook style macro viruses.
The WAP gateway infrstructure in the UK also looks as if it needs some more firewalls and IDS systems - FTP bounce attack style attacks seem to be possible
and much of the Mobile Phone Companies internal systems seem to be exposed.
Gus had plenty more to talk about, but was constrained by time.
Hopefully we can persuade him to give the full presentation at DNS 5 in Blackpool on August 10th.
BrumCon2 was well worth it, and I enjoyed contributing/heckling from the back of the room.
After suitable refreshment in Pizza Hut, with an attractive waitress, we met up with the rest of the crew for the regular Brum2600 meet. We noticed someone attempting to extract a £1 coin from a BT payphone, but it defeated MinusQ 's attempts to free it - we were not as tooled up as we should have been - we needed some of Rat's recycled roadsweeping machine brush spring steel devices!
The Brum2600 meet ended up in a bar under the Library, where there seemed to be quite a discussion of Cyber Dildonics - Microsoft's latest Flight Simulator joystick with force feedback could have potential abuses, and there seem to be several people who are seriously planning to experiment. All suggestions to firstname.lastname@example.org
The streets of Birmingham are patrolled by a Mobile CCTV Surveillance van, which Reload hopefully got a photo of.
A quick 802.11b scan from the hotel with an extended range antenna picked up one WEP enabled AP and one still on its default unencrypted settings from the general direction of the HSBC bank building - when will they learn ?
Thanks again to the Brum2600 crew and all the speakers for an enjoyable day.
brumCon report 4th May 2002, Birmingham, UK. disrail
Being massively hung over, tired and in a general state of nausea,
I was not in the best of spirits for Brumcon II. I had no idea of
who was going to be there, the scale of the event or what I was
going to get out of it. As soon as we arrived Bambam dragged me up
to the front where I kissed good-bye to a £5 note. It better be
Due to the train being an hour late we had already missed the talk
on Packet Radio. After drinking as much water as possible, I sat
down for the second talk. I found the presentation to be a bit
above my level in parts but overall my head was spinning with ideas
inspired by the talk. Bracket made very clear the applications of
AI and the possibilities it yielded.
After a cup of coffee I felt a bit more alert. I looked round the
room, looking on as people of all ages were chatting about a number
of different subjects. One thing they all had in common was the
heavy drinking. I looked on with jealousy as pint after pint just
disappeared, god I wish my stomach was up for it.
After a couple more talks my mind was on overload. My head was
spinning with all this technology that I never knew could be so
easily be used beyond its general purpose. I began to realise what
all this was about.
Then bambam started his talk. It was amazing to see him at the
front, when just over 12 hours before he was in a toilet doing his
best impression of a fluorescent green toilet brush.
After amazing talks on the way that Mobile phone networks work and
the possibilities for which they weren’t designed, and SMS messaging,
the day was complete. After the uncertainty that my mind had felt
earlier all that was left was a sense of wonder at what I had just
experienced. Overall the day was well worth the travelling and
I can’t wait until the Shef2600 meetings start. I really enjoyed
Brumcon and would like to thank all the organisers of the event.
I’ll definitely be there next time!
brumCon II report - May 4th 2002 Birmingham, UK.
All the usual suspects plus a shit load of others.
Approx: 40 all said and done.
It had been the departmental ball in Sheffield the night before,
and having been escorted from the premises by the security staff
there due entirely to drunken-ness, I (and a couple of others) were
really feeling it.
We (the Sheffield contingency) arrived a full hour late courtesy of
our national rail network and hence missed the keynote and Zipser’s
packet radio talk (but stole his hardcopy of the AX.25 protocol to
read on the train home).
Having scared many of the quieter attendees by talking about them
close by in a big loud voice, asking them what they do for a living
and generally introducing myself, it was on to PCM30.
Re-LoaD’s PCM30 talk made me realise how little I actually know about
phone networks. It covered the basics of how and where voice signals
are digitised, the equipment that then goes ahead and routes this
traffic along with weaknesses, inefficiencies and future development.
After more scaring and a bit of drinking (others, not me: I still
couldn’t move my arms at this point) it was on to AI.
This was to be Bracket’s last trip to brum2600 and certainly brumCon
for the foreseeable future as he is one of those dirty student types
who wants to go "travel the world" :p We will all miss him, and hope
that his home in the US of A will be enthused with a renewed 2600
spirit upon his safe return.
Nevertheless, he seemed determined to go out on a high note and that
His talk covered, well, everything in the title ("AI : Machine
learning algorithms and how they could be used for advanced attacking
purposes, neural networks and evolutionary computation. Image
understanding, and its weaknesses.”) and he did it with excellent
balance between theory and practise. Some specially nice ideas came
out of it: Training a neural net based ids to accept your intrusion
as normal, and entering an airport with “random black lines” painted
on your face to the end of fooling the face recognition software.
More break, more beer (for others), more water and feeling sick (for
me), more being scared (for those around me) then onto Speccy Jon’s
talk on DNSCon.
He talked on the state and purpose of DNSCon, what/where/when/who
also (but I think nearly everyone already knew all that) and latest
projects/developments. It was so nice to see someone actually trying
to *do* something about insecurities in the UK infrastructure, rather
than just complain about (or take advantage of :) it. His “tale of
reporting bugs to government agencies” seems to be all too prevalent
but headway is being and must be made. His new standard (which is
more complete and general than ISO 17799 according to it’s authors)
is free and open (but costs for commercial use (maybe then they’ll
adopt it (don’t forget the magic marketing formula: make it look good
and sell it to stupid people))) looks good, and my mind can’t keep
from remembering talk of free stuff for bugfixes... He ended with
the obligatory free stuff (t-shirts and the like) and hardcopies of
the standard (which I also took for the train).
Less time for scaring people - had to set up for my talk.
Bambam’s talk was quite frankly below par - he started rambling on
that the government might be mass monitoring us. What a ridiculous
idea. Now, pass me another (bomb president MI5 al-Qaeda terrorist
hacker) Martini will you Mr. Orwell?
In truth the discussion was very much divided - with good points on
both sides. Set some people thinking. I saw one (policeman) person
desperately trying to avoid laughing, and I have the feeling that I
lost a little credibility throughout the room, but such is life eh?
Now on to the piece de resistance: GSM by Gus. Be afraid. Be *very*
afraid. Network and handset monkey business on a truly global scale.
I still can’t believe he said that stuff. Shocking, brilliant,
amazing, wonderful and highly illegal. Well, at least slightly illegal.
NOTE: NOTHING ILLEGAL OCCURED AT BRUMCON. And I’m serious there.
No break - straight into: "Metagalactic Messaging systems battle at
the edge of time - An introduction to SMS, the applications it's used
for, and why it's about as secure as a paper boat in a force 10 storm."
By Aldelarge where he quickly (by this time we were seriously starting
to run out of time) outlined SMS operation and software packages for
manipulating it. Delivered with his usual brand ready wit and crazy
impishness this talk was delightful.
Beltram’s usual blatant disregard for the sanity of webmasters lead
to his second of such "webhacking" talks at brumCon. Covering php,
cgi and cross site scripting flaws. He seemed a little bored of it
all - as if anyone could get bored of catching large corporations
(along with pet food retailers) with their proverbial pants down.
No time for the Question and Answer section, and good job too: Like
a ’98 box left on longer than 12 hours - I was starting to slowly
but surely crash.
We moved off in a single stream and flooded a local pub with f00d-syn
packets. All techied-out, people started chatting about "the old
days". The technical talk now over it was time for my beddy-byes and
I left for home.
A big thank-you to those who turned up.
A big fuck-you to those who didn’t.
Special thanks to Gus and Jon for being the only non-regular-brum2600
people to speak.
Special thanks to the organisers for organising.
Many goodbyes and a dont-think-you-can-rid-your-life-of-the-bambam-
just-by-moving-back-home-to-the-states to Bracket.
Thanks to the girl in the pub afterwards who wasn’t wearing that skirt.
A big success overall - we eagerly await the next one.
Normally included are a section of corkers by the residents. This time
we went farther a field.
Apologies: I don’t remember even half the good ones, and wasn’t allowed
to take notes.
Some names have been changed to protect the guilty.
"It will happen. It might happen tomorrow. And it might happen, because
one of you do it" - Gus
"[with reference to explanation of image recognition] and they believe
that’s what happens when you’re on acid" - Bracket
"I win, I win - go on, put that on ntk" - Gus to ntk guy.
"Don’t ask me: I only came along ‘cos someone described this event as a
"blackhat think tank"" - ntk guy.
"[right in front of them, in a big loud voice so they can hear] Do you
know who these people are?" bambam to other.
"I don’t know. I tell you what: Why don’t we talk about them in a big
loud voice right in front of them so that they can hear?" other to bambam.
Brumcon the Second: May the 4th be with you.
Every 2600 meet has a defining moment, something its members can look back
on and say with a glint in thier eyes, "Yeah man I was there". Here at
Brum we're still waiting, but the closest we've got must have been
on Sat 4th May the day of BrumCon II.
Unlike the previous brumcon which is infamous for several reasons,
this con was to be a professional affair in a proper hotel room with
(some) almost respectable guests.
It was also extreamly well attended not only by the usual brum team but
also various associates and one or two suspicious looking people
in leather jackets. Bambam had a method for rooting out the FEDs, it
involved him going up to the leather jacket wearing people and introducing
himself before asking in a loud voice, "So tell me are you a member of the
Speaking of the CCU as some of you may have realise the advertised panel
from the unit failed to attend due to the fact they were
giving evidence. Dispite this the talks were all of an extreamly
high standard and covered a wide range of subjects and on behalf of myself
and the organisers a big thank you to all who stood up and spoke.
The first talk of the evening was 'Packet Radio The Basics' presented by
Brum regular Zipser. As a complete radio novice this talk was superb
it covered, as far as I know the
most important methods and implementations of packet radio and its uses.
Moving swiftly on after a beer break the next talk of the day was (I
think, my memory may be going)
' AI : Machine learning algorithms and how they could be used for advanced
attacking purposes, neural networks and evolutationary computation. Image
understanding, and its weaknesses. Given by a relativly new addition to brum,
Bracket. This talk covered a wide range of material but much of the focus and
later discussion was based around the use of AI in facial recongnition.
Obviously in this scary post 11/9 world the use of facial recongnition and
other related technologies is becoming far more acceptable to the general
public, who seem all to happy to ignore the civil liberty nightmare that
is being created. Its worth noting that good as this technology is, it can
be decieved by drawing lines down your face or wearing an eyepatch.
My memory of the order of the following talks is fairly poor, but I think the
next two in whatever order where 'PCM30 -A Basic Intro' by Re-Load and
'DNSCon' by its organiser Jon Wignall.
The DNSCon talk stuck straight to the basics with some debate over various
security holes so big you could fly a 747 throught them. The
free gifts were well recieved as were the copies of "Internet System
Security Standard and Certification Scheme" which as the name suggests
give standards of security that sys admins would do well to heed.
PCM30 ahh where to start so many holes so little time (as the soider said
to the tart) Excelent talk from our resident telco expert Re-load.
Next up was 'GSM - The world of GSM - how it came about, the cryptographic
issues, tracking subscribers, the variety of attacks and the future of GSM as
a whole.' By Gus. I can only speak for myself but this talk scared the shit
out of me, the security and privacy issues surrrounding these little beeping
things we all seem to carry is very worrying. /me gets all paranoid and buries
my phone in a deep hole a long way away from me, before doning a tin foil hat
and hiding under the covers.
Speaking of rampant paranoid people the next talk was Bambam's 'What the
eyes dont see Goverment wiretapping and mass info collection cababilities'
This took the form not so much of a talk but more of a heated
debate/arguement in which a few people, got a bit silly and started
mentioning black helecopters etc. Still it allowed several opinions about
to what degree our goverment gather information about our activities.
The penultimate talk of the day which in my opinion had by far the coolest
title was 'Metagalactic Messaging systems battle at the edge of time -
An introduction to SMS, the applications it's used for, and why it's about as
secure as a paper boat in a force 10 storm.' By Alex
DeLarge. I was suffering from a need for a visit to the little boys
room and then more beer during some of this one but ive since been informed
in was superb, intersperced with comic moments about apes taking over or
Finally the moment we'd all been waiting for, 'Hold onto your hats,
(black or white)' By Beltram. As some of you who attened Brumcon1 may remember
Beltrams talk there was, erm imfamous for several reasons, not least because
it was hugely illegal and given in a state of intoxication. This
talk however was fairly white hat and the speaker was coheriant the
subject matter was similer to the previously talk but went into more detail.
All in all a very good talk covering some very important security issues.
Thus concluded Brumcon II. Happy and hungry most of us set of
to our regular pub. About halfway we got bored and settled
in the first pub we found that had reasonably priced booze and wasnt too
busy. Sadly however our attemps to get food failed miserably as they
imformed us they'd just stoped serving. Suitibly hungry I set off to the
nearby MacDonalds to buy some of that carboard, shitty pap they sell
as food. I was then removed from the pub, to eat it despite my attempts to
argue with the barman, who was obviously a frustrated comedian. The rest
of the night passed with the usual drinking and arguing that characterises
the usualy brum 2600 meetings.
By 11 ish people began to depart and slowly but inevitably the day drew
to a close. Brumcon II was a great success, we broke even on the room, the
talks were well prepeared and well recieved. Once again id like
to thank all who took part. Have fun, and Ill see you all again for
BrumCon III. Anyone who can come up with a cool name mail email@example.com.
Date: Wed, 8 May 2002 13:30:39 +0100 (BST)
From: Steve W
Was a good day - thanks. Just a shame we couldn't hang round for the 2600
meet afterwards (trains to catch).
Hopefully I'll make the next meet...
----- Original Message -----
Sent: Sunday, May 26, 2002 4:46 PM
Subject: Brumcon II
Having just looked through the reports on the con II meet I am, to say
the least, highly amused that I appear to have made poll position in the
'hunt the fed' competition. I must admit that it makes me much less inclined
to come to any of the monthly meetings but I have always been a loner in
these matters so I will just wait for 'con III.
That said I found the meeting very interesting in parts and highly
informing in total.
One criticism I would say is that if possible try to get some sort of
amplifier for next year, it was very difficult to hear some of the
presenters. I realise that these people aren't used to public speaking and
this isn't any criticism of them for that but even in a small room I was
straining to hear some people.
Regards and good luck,
----- Original Message -----
Sent: Sunday, May 26, 2002 7:45 PM
Subject: Re: Brumcon II
Thanks for your mail 'Hunt the fed' is just a bit of fun so please
don't get put off from coming to the monthly meetings I for one would make
you most welcome. The sound system was indeed there and plugged in just
nobody thought to bring a mike, hey something for the list next year. At
least at this con we had the projector :-).
If you would like to come to the next meet on the 1st June let me
know and I can look out for you, I'm at work on that Saturday so if I can
sneak out a bit early I should be on time.
I look forward to seeing you at the meet I'll even buy you a pint
(what was that Re-LoaD buying drinks never).
PS would you have any objection to your email going on the comments page
for brumcon 2, or if you would like to edit it for the web feel free but
all comments are welcome..
----- Original Message -----
Sent: Sunday, May 26, 2002 11:53 PM
Subject: Re: Brumcon II
If you want to post the comments 'as is' then feel free, I am happy with
them without any editing.
I realise that the 'hunt the fed' is just a laugh and it doesn't put me off
attending meetings, Broard St in general does that far better, but a general
mistrust because apparently I 'look the part' is interesting because I spend
more of my time using excatly this type of social engineering to do my job
it makes it an interesting insight.