Midnight Research Labs

perl format strings and webmin
aaron posted in exploits, interesting on November 30th, 2005
comments:0

This could get nasty real fast. There is supposedly an advisory coming out for perl itself from dyadsecurity that could have far-reaching effects. While this was recently triggered from just a webmin advisory, if it turns out to be true, it could affect scads of other things written in perl. As alluded to in the Full-Disclosure list posts, this could be a “new” type of format-string exploit for perl. Beware.

Update: Looks like this has been confirmed by others

Debian Security Packages Project
aaron posted in project updates, slacking on November 29th, 2005
comments:0

While I should be working on wicrawl, I instead kicked off the start of a Debian Security Packaging project by creating a few of the packages, and creating an apt repository for them. If you want to use the apt source, you can add the following to your /etc/apt/sources.list file, and do an ‘apt-get update’:


deb http://midnightresearch.com/local/debian etch main contrib non-free


Please feel free to give me feedback on the current list of packages, or if you know of something you think is worth spending the time to package.

shmoocon
aaron posted in cons on November 28th, 2005
comments:0

Shmoocon will soon be upon us (Jan 13th-15th). Registration prices will go up at the end of December, so register now if you’re interested in going. You should be, because Shmoo rocks, and at the very least it should be a fun time. Plus, you can hang out with some MRL people, =).

It looks like for the most part they are not recycling the same talks that are given at every other con, so I’m looking forward to hearing some new stuff. I’m also curious to see if it’s a whole different crowd that goes to a con on the east coast. I haven’t been to one on that side of the country since h2k in NYC which was a blast.

irpet sourceforge page
aaron posted in project updates on November 28th, 2005
comments:0

I put up a project page on SourceForge for IRpet. Hopefully it will help drive some google juice, and it’s a good way to manage downloads and bugs, etc. I have a couple hundred downloads so far (before putting it on SF), but only one support request, =). Hopefully there are a few people who find it useful. If not, it was still fun to create.

november meeting
aaron posted in meetings, rfid on November 17th, 2005
comments:0

/* **************************************************************************** 
*                           Midnight Research Labs                            *
*                     !!  November Meeting announcement !!                    * 
*                        (http://midnightresearch.com)                        *
**************************************************************************** */

                        __  ____    __     _      __   __ 
                       /  |/  (_)__/ /__  (_)__ _/ /  / /_
                      / /|_/ / / _  / _ \/ / _ `/ _ \/ __/
                     /_/  /_/_/\_,_/_//_/_/\_, /_//_/\__/ 
                        ___               /___/       __      
                       / _ \___ ___ ___ ___ _________/ / 
                      / , _/ -_|_-< --_) _ `/ __/ __/ _ \
                     /_/|_|\__/___/\__/\_,_/_/  \__/_//_/
                              __        __     
                             / /  ___ _/ /  ___
                            / /__/ _ `/ _ \(_-<
                           /____/\_,_/_.__/___/

		Fellow Hackers, Slackers, and Code-crackers:
        On Friday November 18th at 7pm PST we will be holding our monthly
        official Midnight Research Labs meeting.

        The focus for this month will be an entry-level talk/presentation on
        RFID, and also furthering development on wicrawl.  Check out
        [http://midnightresearch.com/wiki/index.php/Wicrawl] for more details.

        Anyone with project ideas, or active projects that they want
        help with are encouraged to bring them along.  This can either
        be just to show them off, or to actively propose them for an
        official MRL project.  Projects are generally either security
        or "novel computing" related, though we're always open to cool
        and new ideas (read robotics, electronics hacking, etc =).
        Don't feel pressured to come up with something or bring anything.

        Light refreshments, pizza and beer will be served.

        Agenda:
                Phase 0x0: Bootstrapping
                  - Greetings and welcome
                  - Who we are, and what we do
                Phase 0x1: Initialization
                  - RFID preso (25 min)
                  - RFID project brainstorming (15 min?)
                  - wicrawl
                          - status
                          - Design, brainstorming, etc
                          - roles, research, and project pieces
                          - Project Hacking!
                Phase 0x2: Local exploits
                  - Food
                  - Off topic tools, toys and other shiny things -- If anyone
                    has any interesting to show off or play with, please bring
                    it.
                        - cybernmd's VR goggles
                  - Whatever till whenever -- This is the more social
                    part of the event.  People are invited to stay and
                    hack and have a couple drinks till whenever this

        This is an "invite only" event, so, don't distribute the location to
        just anyone =).  That being said, we're still looking for active
        members, so if you know someone that would be interested in
        contributing and want to sponsor or vouch for them, feel free to bring
        them along (let me know in advance if possible)

       Location:
       [ censored for http, contact [sth -[at]- midnightresearch dot com] for details ]

                For those remote, we will have a conference number, and I'll
                email that out shortly before the meeting.

        Notes (nfo):
        - We're about 1.5 miles from bart.
        - Bringing a Laptop is a probably good idea if you have one.
        - Please feel free to contact me by email or phone if you have
          any questions
        - I don't expect hordes of people to show up, probably ~8-10 but I
          do expect the signal to noise ratio to be very good.  I hope that
          people learn and are challenged by attending, and on the flipside,
          I expect great things to come out of MRL.


Thanks! Hope to see you there!

        # perl -e '$in_real_life ? print "Aaron\n" : print "sith\n"'

buffer overflows
aaron posted in most unnecessary on November 9th, 2005
comments:0

Wired magazine created a sadly hilarious flash animation of the buffer overflow. It does, however, appear to be written at the appropriate level for most of the people I’ve met on the internet. Aleph One would be sad.

Here’s a bonus animation on race conditions.

Also amusing — This is wired’s image for “evilhacker”.

Playing with Decipher Dog
aaron posted in most unnecessary, slacking on November 9th, 2005
comments:2

Uh, wow.

(from http://www.nsa.gov/kids/ )

—
Hi Kids!
Welcome to the NSA/CSS Kids page.

On this site, you can learn all about codes and ciphers, play lots of games and activities, and get to know each of us – Crypto Catâ„¢, Decipher Dogâ„¢, Rosetta Stone, Slate, Joules, T.Top, and, of course, our leader CSS Sam.

—

I like how they actually bothered to trademark all of the characters…

tracking people with rfid (update)
aaron posted in rfid on November 2nd, 2005
comments:0

Just a quick update to the last post. Here’s a link to c|net coverage, and here’s a link to some pictures of the event. Looks like it had a pretty good turn out.