Security Endeavors

Getting started with Badgy IoT (For the love of #Badgelife)

6/23/2019

I like blinky objects. They fascinate me. I've enjoyed wearing them, but didn't know how to start tinkering with them. Not really... I bought a Badgy IoT from Tindie and just wanted to UPDATE my name. If you want to do the same on Windows, this is what worked for me:
The super short version
  • Order a badgy IoT device from Tindie.com
  • Prep the environment
    • install arduino IDE
      • add repo for ESP8266
      • add required libraries
    • install git
      • clone badgy repo from github
      • update hello.ino file to have desired name
  • Upload to Badgy IoT
    • Using USB
    • Or WiFi
      • set up badgy for wifi
      • compile and export binary
      • Upload binary using web browser
  • Profit!
More info about how this got done (more or less in linear order):

  • Order a Badgy
    • https://www.tindie.com/products/squarofumi/badgy-iot-badge/
    • Wait impatiently for it to arrive
    • Stare longingly at the box for a loong time, because you have no idea how to get started
    • Oh and there's that free time thing... When the magical 'free time' is available and selected
    • Plug the Badgy in using a handy micro-USB cable and then...
  • Prep Environment
    • Install git from https://git-scm.com/download/win
      • Accept all the defaults if you aren't familiar with what it offers you
      • I don't know better at this point and am just sharing what worked
      • No reboot was required
    • Install the Arduino IDE - either of the following works:
      • Windows Store: https://www.microsoft.com/store/productId/9NBLGGH4RSD8
      • or from the Arduino web site: https://www.arduino.cc/en/Main/Software (scroll down!)
  • Launch the Arduino IDE and get it ready to use
    • Set up support for the chips on the Badgy IoT using these links
      • For the ESP8266 chip
      • Install drivers for the CP210x UART for Windows
    • After doing this, tell Arduino how to talk to the board you are going to use
      • Tools > Board > "NodeMCU 1.0"
      • If connecting by USB, select Tools > Port > the Badgy should show up in the list (if it doesn't, are the drivers missing?)
  • Now it should be possible to compile examples from the Squaro Engineering GitHub repo
  • How do I make a local copy of the repo?
    • Please know that using the method linked above (git clone) could save you an entire evening of frustration
    • Got an error when I tried to compile
    • Searched all over
      • This took time... More than I'd like to admit
      • Finally tried using 'git clone' and Would You Look At That! It WORKS!
    • I'm new at this and made LOTS of mistakes. That's okay... Hopefully this page lets somebody else know that it's a BAD idea to copy and paste code from a github page when you don't know what you're doing.
  • Create a local copy of the Badgy IoT git repo, which includes the examples
    • launch a command line tool
    • create a new folder in Documents or a place of your choosing
    • navigate to the folder you just made and type the following command
    • git clone https://github.com/sqfmi/badgy
      • This creates a local copy of folders for badgy to the local computer
      • It will create a new folder to work out of, which is also cool
    • Switch to or launch the Arduino IDE
      • File > Open the hello.ino file (it has the Arduino logo next to it)
      • Change the name from "badgy" to your chosen name.
    • Those with newer models of the Badgy IoT can use the Arduino IDE to compile, and it will push the update directly to the connected device.
    • You need to create a file to upload if you want or need to use WiFi
      • From inside the Arduino IDE...
      • Click on Sketch > Export compiled binary
        • Not saying this is the 'right' way, just how I figured it out.
        • Please share if there's a better way
    • Go find the outputted file!
      • C:\Users\YourAccountNameHere\AppData\Local\Temp\arduino_build_
        • Look for the folder with the closest time to when you clicked Compile
        • May have to change to 'Details' view in Explorer to see the time stamps
      • The file called 'build.ino.bin' is what you're looking for
      • Now that you've found the path to the file you're ready to install this to your Badgy IoT device!
    • Uploading to Badgy using WiFi
      • If this is the first time the badgy is being set up, its WiFi will need to be configured
      • follow the on screen prompts on the device after entering the 'upload' mode
      • If WiFi has already been configured, the Badgy IoT will display a URL (see below)
Badgy IoT will show a URL if WiFi is set up
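To take the guesswork out of the "go find the outputted file" step, here is an added helper script (mine, not code from this post or from the sqfmi/badgy project). It picks the newest arduino_build_* folder under the Temp directory named above, finds the .ino.bin inside, and prints its SHA-256 so the file you select in the Badgy's web updater can be checked against the one the IDE actually built. The build.ino.bin filename comes from the post; deriving the Temp path from %LOCALAPPDATA% and falling back to /tmp on other systems are my assumptions.

```python
"""Locate the most recent Arduino 'Export compiled binary' output and fingerprint it.

Added example, not from the original post or the sqfmi/badgy project.
The Arduino IDE writes each build into Temp\\arduino_build_<number>; the
post says to pick the folder with the newest timestamp and grab build.ino.bin.
"""
import hashlib
import os
import sys
from pathlib import Path
from typing import Optional, Tuple


def default_temp_dir() -> Path:
    """Windows: %LOCALAPPDATA%\\Temp, i.e. the C:\\Users\\...\\AppData\\Local\\Temp
    path from the post. Elsewhere fall back to $TMPDIR or /tmp (assumption)."""
    local = os.environ.get("LOCALAPPDATA")
    if local:
        return Path(local) / "Temp"
    return Path(os.environ.get("TMPDIR", "/tmp"))


def newest_build_dir(temp_dir: Path) -> Optional[Path]:
    """The arduino_build_* folder with the most recent modification time,
    which is what 'look for the folder with the closest time' amounts to."""
    if not temp_dir.is_dir():
        return None
    candidates = [p for p in temp_dir.glob("arduino_build_*") if p.is_dir()]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.stat().st_mtime)


def find_firmware_bin(build_dir: Path) -> Optional[Path]:
    """Prefer build.ino.bin (the name the post found); otherwise accept any
    <sketch>.ino.bin so a renamed sketch still resolves."""
    exact = build_dir / "build.ino.bin"
    if exact.is_file():
        return exact
    bins = sorted(p for p in build_dir.glob("*.ino.bin") if p.is_file())
    return bins[0] if bins else None


def sha256_of(path: Path) -> str:
    """Hash in 64 KiB chunks; firmware images are small, but this is the habit."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def locate_firmware(temp_dir: Path) -> Optional[Tuple[Path, str]]:
    """Newest build folder -> its .ino.bin -> (path, sha256). None if nothing is found."""
    build_dir = newest_build_dir(temp_dir)
    if build_dir is None:
        return None
    fw = find_firmware_bin(build_dir)
    if fw is None:
        return None
    return fw, sha256_of(fw)


if __name__ == "__main__":
    # Optional argument: a directory to search instead of the default Temp folder.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_temp_dir()
    found = locate_firmware(root)
    if found is None:
        print(f"No arduino_build_*/<sketch>.ino.bin found under {root}")
        sys.exit(1)
    fw_path, digest = found
    print(fw_path)
    print(f"  size:   {fw_path.stat().st_size} bytes")
    print(f"  sha256: {digest}")
```

Run it right after clicking Export compiled binary; the path it prints is the one to paste into the "Choose File" dialog, and the hash lets you confirm later that the image on the badge came from that build and not from a stale folder.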
Getting Badgy into Upload mode
  • Connect the Badgy to power (battery or a USB cable connected to a computer or power source)
  • Holding the Badgy so the screen is facing you, move the switch into the up position (OFF)
  • Press and hold the joystick (it clicks like a button) and move the switch down (ON)
  • Let go of the button when the display changes to words about how to connect
Up is OFF
Down is ON
If WiFi has already been configured, the Badgy IoT will display a URL
  • Now open a web browser and navigate to the address displayed on the Badgy's screen.
  • Click on "Choose File" on the web page portion of the screen
  • Select the .bin file located earlier in the export binary step and click "Open"
  • Click update and watch it go! (the page will be 'not found' after the device reboots)
  • The Badgy will now update and reboot itself!
  • PROFIT!
  • Well, close... Need to adjust that left margin... THERE!
    • Search for "void showHello" in hello.ino
    • Find the line "display.setCursor(13,100);"
    • Had to change the first number from 70 down to 13 to make it look centered.
    • This is just the beginning of the adventure! Happy Tinkering!
So how do I get it to work when I'm not connected to a USB cable?
  • The Badgy comes fitted with a holder for a LIR2450 coin cell battery
  • I ordered a charger that works off USB, but choose what best suits you
  • Make sure the battery is inserted matching the symbol on the little metal piece that holds it
    (in other words - if the metal shows a plus, then make sure the matching shape is facing you when inserting the battery)
  • Flip the power switch to the UP position (OFF) to save power and leave the eInk display showing the "Hello my name is" message!
  • Didn't work out? Don't Panic! Flash it back to the hello.bin file from \badgy\examples\hello to start over!
  • Thanks for reading and hope you choose to start your own adventure in #Badgelife!
  • Adapted from the following sources
    • The 'compiling examples' info at: https://github.com/sqfmi/badgy
    • also from the setup section in: https://github.com/sqfmi/badgy/tree/master/examples

What's new in 2019?

1/20/2019

Did you know that keeping a blog up to date takes work?  Who freaking knew!? 

Like so many things, keeping something relevant and up to date is a real challenge, especially if you're disorganized. Let me tell you from experience... YES, this is not easy. Life and ideas come at you fast, and there's barely time to get one thing on the page before the next something pops up. So in an effort to push myself to grow and improve, I'm writing my first blog entry for 2019. What's it about?

Moving the needle, that's what. So here we are, watching Firefly for the bazillionth time, hoping the band will get back together?  NO. This is more than that. This is admitting that we enjoyed the band while they were around, but we have to look forward. What lies ahead is the future. We'll just keep an eye on history to see if we can maybe learn something from it. It would be really great if it was the RIGHT something, but no promises. Let's just take one step at a time and see where this goes.

And for goodness sake, don't roll a 1.

Linux Every Day? Yes, please!

9/10/2017


I'm a creature of habit, preferring to use tools that do a good job. At some point, that stops being the case because either something breaks, or bit-rot sets in, or worse, it g-e-t-s  s--l--o--w  and painful to use. That's what happened with my old Lenovo IdeaPad S10. I loved the heck out of this thing. It's not new, but it shouldn't be painful to use, right? I mean, isn't that what Linux is known for? Making the old things usable again? Maybe it's true in some cases, but not so much with the IdeaPad. What do you mean I can't run a modern browser on a piece of damaged hardware that never accepted the upgrade RAM I tried to install? So you're telling me that 1GB of RAM isn't enough to run Chrome and 3 VMs simultaneously on my netbook?!?? What's a nerd to do?

The obvious answer is to re-enact a now-famous scene from Office Space, with my netbook standing in for the printer/fax machine. (What does PC/LOAD LETTER MEAN?!) Stepping back from the ledge, I realize there may yet be hope for the netbook, but not for running more modern browsers. Maybe others can offer some suggestions in that department, but I don't know if Xombrero supports plugins... and I've got other irons in the fire. Instead, I took to looking for an inexpensive alternative. Something with the ability to get some work done and also lightweight enough to go on the road. Enter a used Surface 3 I picked up on eBay. This non-Pro model has 4 GB RAM and uses a newer Atom processor. I passed up several listings with visible damage or a mention of damage in the descriptions. ALWAYS read the descriptions closely. Wound up winning an auction for less than $165 that came with a keyboard and power supply. The listing explained that Windows had been replaced with Ubuntu 17, which is what I was looking for anyway. The auction started for less than $100, but apparently I wasn't the only person who thought this was a good idea. Still comparable to a Chromebook, but with 64GB of storage. Say what you want, but I've enjoyed the Surface tablet form factor. To each their own.

The box arrived ahead of the estimate and was well packed. The listing said it was a bit dirty, and they were truthful. Took a bit of effort, but the screen is in great shape; the body has a few scratches, but that's okay. I spent some time following the instructions on cleaning the keyboard and the special coating surrounding it and on the bottom of the Type Cover. Once ungrodified, I left it to dry near a fan, because I'm impatient. I even cleaned the power brick and USB cable that powers the tablet. Having interned with a video production company, I've been trained to be nice to cables, as they can either be your friend or enemy, depending on the situation. The power cable in this case... was treated like it owed somebody money. It cleaned up with some rubbing alcohol and maybe it will last? Time will tell. Oh, I forgot to mention... While this is a full tablet, it should charge / run on an external battery as long as it supports 2.5A. I've had success with Anker as a brand, but I'm sure others would work too. Just make sure the specs support 2.5A. So next time you realize you forgot the power supply, at least a phone charging battery could extend your computing session. Can't do that with a Pro model at this price.

Being cautious by nature, I knew I would feel better if I re-installed from scratch, but I've never done this before. I'll admit that this took a bit more learning than expected, but it was well worth the experience. I started tinkering before the reply came in... I tried 'password' and 'user' or 'admin' but sadly didn't try the shorter 'pass'. Shame, I suppose, but being so impatient, I went ahead and tried to re-build using an existing live image from a thumb drive. Oops! UEFI is different?? WHAAaaat? Of course it won't be that simple... so I did a bit of learning there, and after 3 different attempts at rebuilding, I'm right back with Ubuntu 17.04... I had to use the simplest, unpowered USB hub I could find, because the Surface only has one port. The one I used is a Y-2146 by Unitek, but it's long since out of production. Maybe a newer version will also work? The track pad on the keyboard didn't always get recognized, depending on the distro. Worse still, the touch features only worked in Ubuntu 17. This meant I really needed a hub to add a wireless mouse. The keyboard worked, but it was a bit tricky working out a keyboard-only installation. Even harder to get wireless active without use of the touch screen or a mouse. So adding a hub before booting seemed the right move. Thankfully it worked and the tablet DID boot from the thumb drive.

Mint 18 and mint mate 18 were great, albeit without touch support and some other things, until the firmware updates tried to install. Then it was HANG city... and rebooting didn't help. Tried 16.04.03 LTS and BOY that was real hit and miss with firmware support. On power it seemed ok, but trying to boot on battery was _terrible_... Realized I would have to rebuild the kernel just to get things usable... So I went back and rebuilt 17.04 and that did it. Everything 'just works' now. Oh, except there was no sound... Launched a browser, tried youtube... tried internet radio in VLC... Nothing worked.  Was just starting to look things up in a search engine, when I thought to check the sound settings. Of course the 'no sound' issue was as simple as changing to 'speakers' vs. headset! So, it all works again, and it was a frustrating, but all-in-all fruitful learning experience.  The only minor irritations so far: the brightness control doesn't seem to work to dim the screen and the battery indicator isn't showing up on the Gnome Panel. Fairly small things to deal with. Ubuntu 17.10 is right around the corner, so hopefully the experience should keep right on getting better (or not, but I'm going to go with the optimism on this one).  The docking station is certainly inexpensive enough... Looking forward to making use of this every day.

Happy tinkering, learning, growing, and computing. Thanks for reading!

@SciaticNerd


News for Mon, 26 Jun 2017

6/25/2017

SE News for Mon, 26 Jun 2017
  • One design firm's jargon-free contract: 'Time is money. More time is more money' (Boing Boing)
  • Oskar Fischinger's 117th Birthday
  • https://twitter.com/alecmuffett/status/878903980176396288 - Pen-testing as mental out-sourcing...
  • AES-256 keys sniffed in seconds using €200 of kit a few inches away (The Register)
  • Revenge on an IRS scamming company: Programmer writes script that calls phone scammers 28 times a second, causing service denial and preventing future scams (videos)
    • Reddit thread
    • YouTube video source
    • Source code: soup/flood.cs at master · Jfaler/soup · GitHub
  • Introduction to Python, Data Science & Computational Thinking: Free Online Courses from MIT #MakerEducation (Adafruit Industries)
  • Brent White - Such a great feeling to see your ideas become realities! DEF CON 25 - DEF CON Groups panel discussion alongside some great people: Jayson E. Street, Jeff Moss, James Smith, and a few more. (YouTube)
  • SuperDeluxe - Block chain explanation


A way ahead for Diehard Blackberry users looking for a Mobile Phone in 2016

1/30/2016

Disciples of the Blackberry, I'm going to say the thing you might not want to hear. Blackberry is dying, if not dead, as a hardware platform. I strongly urge you to find something you dislike the least and begin the transition. That means: please back up your contacts, notes, documents and data from any and all RIM and BB devices to a PC. I do not say this lightly, but cannot in good conscience recommend any more devices from a company that has discontinued production of their own operating system.

The only thing going for it at this point, IMHO, is the physical keyboard. OS updates, which may not seem like much at first, will likely be delayed in being delivered to the phone. This has been my concern over every single Non-Google produced Android phone since I owned a Samsung Galaxy S.

You might be thinking that was a while ago. You'd be right. Why? Because each of the interestingly named editions of Android, and their updates, were released directly to the Google phones while ALL Android phones made by someone else had to wait to receive them... If they got them at all.

So... Would you rather wait for a manufacturer to build a version of the most recently updated Android release that works on your phone? Or would you rather not have to wonder whether your data is safe every time we hear about security breaches on mobile devices?

Bottom line:

iPhone: best middle of the road solution. It has all the apps and updates. Siri 2.0 is pretty handy. Accessories practically rain from the sky... AND you can get a battery case that will let you keep using a micro USB cable, if you look a bit, instead of having to invest in all new wires.

Android: Again, IMHO, only buy a handset from Google. Bunches of apps, updates when they are released, and accessories may be ordered online if the phone is less common. The letdown sometimes is in battery life, but Android v6 (Marshmallow) seems to have finally resolved most of this. Google's virtual assistant has never felt fully formed to me. Maybe I'm not giving it its due, but it never seems to do what I ask it to. The non-Google licensed Android phones are gorgeous, with great features, but I have my bias about staying up to date within hours or days... Not months or a year behind everyone else.

Windows phone: Very decent hardware. Good battery life. The fantastic Cortana virtual assistant, and honest to goodness MS Office on a mobile device. Apps are where this platform falls short. Don't get me wrong, the basics are covered, but you're likely to suffer from app envy if your friends all show up playing with the latest game or software widget. If you honestly spend the bulk of your time with email and documents, I do suggest taking a look at Windows phone. Microsoft is working right now on an idea called Continuum that looks very promising. Connect your phone to a specialized "dock" and it will be possible to connect a mouse, keyboard and monitor and get real work done, with the phone standing in for a laptop or desktop. That seems pretty exciting to me, but not everybody's interests are the same.

So there you have it. A full rundown, plus opinion. Hope it's helpful and thank you for reading.

Phone Phreaking In The 2Ks

3/16/2014

What's actually happening when a call is placed.
This presentation highlights several services that can be connected together in order to facilitate free national inbound and outbound calling.

This introduces the services individually and explains how they work together to provide a phone number in a local area code that can be used with a regular old phone.

Look for future presentations which will go into more detail on each of these services and how to configure them for this and other capabilities.

(Note: links are not represented directly here (hxxp instead of http). This is a security blog, and the author of this post wishes to encourage readers to avoid clicking links directly.)
OVERVIEW OF STEPS:

1. Create Google (gmail) account

2. go to hxxp://voice.google.com and create a phone number in your area code- (You will need a regular phone initially to activate this number)

3. Go to hxxp://www.callcentric.com and set up a free account - Use the gmail account above for this and related accounts to keep it simple - Make a note of your SIP credentials for the IPKALL account

4. Go to hxxp://www.ipkall.com and set up a free account - Use the SIP credentials from Callcentric to configure IPKALL

5. Configure your ATA with the credentials for your Callcentric account as well - You can test the ATA by dialling 17771234567 on your analog phone

6. Add your IPKALL number to Google Voice as a forwarding number - Google will need you to receive a call and enter a 2 digit code

7. Test it - Use another phone or cellphone to dial your Google Voice number - If everything is configured correctly your analog phone should ring

And you're in business...

Need a Keyboard!?

3/14/2014

https://www.kickstarter.com/projects/5074048/special-dedicated-editing-keyboard-for-photoshop

Well now here's a Keyboard that defies practicality. Guess this guy got tired of having to learn Keyboard Shortcuts in PhotoShop… so he wants to build and sell a fast-food menu style behemoth to let you pick everything directly… What would that look like with all those functions within PhotoShop? I'm so glad you asked….


Tiny, huh?  No?  Are your eyes overwhelmed with the number of keys and buttons and light and colors yet??!?!  How about a view from the top down?  And at $89 for the early bird models…. How can you go wrong!?!? 😉


That's right… It's bigger than your laptop and brighter to boot! (But I admit I'm still curious)

Identify > Analyze > Blog

11/11/2013

The need to go "beyond the exploit" and work on Defense has been a growing trend at InfoSec conferences over the last few years. You'll often see a paper that describes how a diligent researcher has discovered yet another hole in a popular product or service. Now I think she needs to go out to all those folks who keep working on this. This is not my area of expertise, and I think they do a service. The challenge is that not everybody is looking for just the how-to. It's great to know where the holes are, but what about identifying a way to solve it?

Have you ever gone through that? Someone comes to you with a problem or complaint, and all they want to do is talk about how bad things are. Then when you ask them how to fix the issue, they look at you blankly and say "I don't know." See, this is what I'm talking about. I do find myself wondering if this is what the organizers of information security conferences are talking about, too. The concern is that we spend so much time focusing on how to locate the problems without defining or providing solutions.

Today's example comes from an article I stumbled across on Twitter called "Stealing PIN Codes With a Wink and a Nod," by Dennis Fisher. The article steps through the risks and discusses a method that might improve things... So why not make an app that displays the digits in a different order each time?
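The "display the digits in a different order each time" idea is easy to sketch. Below is an added illustration (mine, not code from Dennis Fisher's article or from this blog) of a PIN prompt that shuffles its keypad with the OS CSPRNG, resolves tapped positions to digits on the device, and compares the result in constant time. The replay_attack_succeeds function simulates an observer who records tap positions on one prompt and replays them on the next, which is exactly the case a fixed keypad loses and a shuffled one wins. The class and function names are my own.

```python
"""Randomised-keypad PIN prompt: the mitigation floated above for shoulder-surfing.

Added example, not from the article or this blog. With a fixed keypad, the
positions an observer sees (or the smudges left on the glass) ARE the digits.
If each prompt shuffles the digits with a CSPRNG and only the resolved digits
leave the device, a recorded tap sequence is useless against the next prompt.
"""
import hmac
import secrets
from typing import List


class PinPrompt:
    """One PIN entry screen. `rng` defaults to the OS CSPRNG; anything with a
    .shuffle(list) method may be injected, which is only meant for tests."""

    def __init__(self, shuffle: bool = True, rng=None):
        # index in this list = on-screen position, value = digit shown there
        self.layout: List[str] = list("0123456789")
        if shuffle:
            (rng or secrets.SystemRandom()).shuffle(self.layout)

    def resolve(self, positions: List[int]) -> str:
        """Map the tapped positions to the digits shown at those positions."""
        return "".join(self.layout[p] for p in positions)

    def verify(self, positions: List[int], expected_pin: str) -> bool:
        """Resolve on-device, then compare in constant time so timing does not
        leak how long the matching prefix was."""
        entered = self.resolve(positions)
        return hmac.compare_digest(entered.encode(), expected_pin.encode())


def positions_for(prompt: PinPrompt, pin: str) -> List[int]:
    """What a legitimate user taps on this particular prompt to enter `pin`."""
    return [prompt.layout.index(d) for d in pin]


def replay_attack_succeeds(pin: str, shuffle: bool, rng=None) -> bool:
    """Simulate an observer who records the tap positions from one prompt and
    replays them on a later prompt. True means the replay was accepted."""
    first = PinPrompt(shuffle=shuffle, rng=rng)
    recorded = positions_for(first, pin)          # what the observer saw
    later = PinPrompt(shuffle=shuffle, rng=rng)   # a fresh prompt, fresh layout
    return later.verify(recorded, pin)


if __name__ == "__main__":
    print("fixed keypad, replayed positions accepted:",
          replay_attack_succeeds("2580", shuffle=False))
    print("shuffled keypad, replayed positions accepted:",
          replay_attack_succeeds("2580", shuffle=True))
```

The shuffle buys nothing if the positions themselves are what gets transmitted or logged, so resolve() has to run where the layout lives; and a shuffled layout still has to be drawn unpredictably, hence secrets.SystemRandom rather than the default random module. The layout has 10! orderings, so a replay against a fresh prompt only succeeds when the digits of the PIN happen to land in the same places twice.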

But this opens an entirely different can of worms, doesn't it? Why, or how, do you provide solutions when there's nobody paying for them? It's great to identify a solution, but at what point do we cross the threshold from being helpful to giving something away for free when we could charge for it? It could easily be argued that giving something away for free is a great loss leader to get people closer to your service, but we all know that in this industry in particular, people are certain they don't have to pay for anything, and if somebody wants something for nothing, it's really easy to come by. Hello, Internet. So what's the point? Do I just keep giving my stuff away, or are you going to help me out too?

I mean, pie isn't going to buy itself, is it? So where do we draw the line between asking the community of the Internet for help in providing solutions when there's no one to pay for them? Oh wait, that's not the right question. It's not so much "who will buy our things" as "we have to prepare something that they can buy." So if you find a problem, where's the line? Do I tell people about it? Will that mean that someone takes my idea and runs off with it when I could/should have made money? Maybe it's better to just have the software out there.




 Slides on Practical PKI from @LASCONATX 2013

10/26/2013

Attachment: lascon_2013_practicalpki.pdf (PDF, 1519 kb)

The following is the abstract for the attached slides from my presentation at LASCON earlier this week.

Establishing Electronic Trust is becoming a more important part of the digital landscape than ever before. This presentation aims to do two things: One is to use allegory and a story-like approach to explain what PKI is without the math. The other seeks to paint a picture of the impact on doing business and where the road looks to be going.

Part One: What is PKI in practical terms? It may seem commonplace in the industry by now, but believe you me, there are plenty who don't know a Relying Party from a hole in the ground. We'll cover some of the common terms above and beyond Digital Certificates, how they interact, and how things are managed. An attempt will be made to inject some humor as gravy to what is seen as an otherwise dry topic.

This isn't to say that finger puppets will be used, but for people who want to learn, demystifying information in plain English should be a welcome change. An explanation of the trusted roles involved in deploying certificates, the governance of the system, and the management and distribution of keys will be offered afterwards.

Part Two: A few real world examples of how to apply these concepts will then be offered, having established a basic understanding of how the pieces of the jigsaw fit together. Once these topics are briefly covered, it will be time to suggest where things are going based on key events taking place in this ever active and growing industry of Identity Management.  Included will be some observed happenings regarding the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the much sought after on-the-fly provisioning methods.




A Quick Reference for ISSAP students

9/1/2013

This is not exhaustive by any means, but at the time of this writing, the links below should represent a time savings over locating the information.  

HIPAA - Health Insurance Portability & Accountability Act (pub law) - HHS has a page devoted to it as well as a good summary page for HIPAA

SOX - Sarbanes Oxley - found a quick guide

Gramm-Leach-Bliley Act - Financial breach notification - Summary page from FTC

FISMA - Federal Information Security Management Act (PDF)

95/46/EC - EU Data Protection Directive (also listed as 31995L0046)

2002/58/EC - EU - Processing of personal data

Decent summary on EU Protection of personal data

Common Criteria is a set of standards to facilitate product comparisons, to help consumers select the right security products for their needs within the AIC goals (Availability, Integrity, and Confidentiality)

ISO 15408 - defines methodologies which resolve the differences between TCSEC and ITSEC. High level presentation. Slightly harder to find is a free copy of the standards themselves. Search for 15408 on the page.

NIST SP 800-53 is a good resource for a catalog of security controls along with the ISO 27000 series.
The 800-53 was on rev 4 (Apr. 2013) at the time of this entry (as well as almost 500 pages!).  The ISO 27000 link above is only to the Glossary and will likely land at a 'click to accept our terms' page. The actual 27000 series documents (Information Security Management Systems or ISMS) don't have a free link as they require payment to obtain.

NIST SP 800-18 will list documentation requirements to consider




It ain't pretty, but it's posted.  #GetToIt