
The financial side of building a badge

So what is the monetary cost of making a badge? Even just a SAO? To make a badge it took lots of hours, and in the end, we spent $393.15. Indeed not the quickest way to get rich.

If you are thinking about making a badge and want to know how even the littlest project hits your wallet, let’s go!

Here is our Google spreadsheet showing our work; all of the data in this article comes from there. Red isn’t showing a loss; it’s just how we confirmed costs after receiving the receipt.

Making the boards

First, let us start with the actual board costs. Board fabrication has an economy of scale, so I estimated how that would play out as we scaled production. A single badge is around $25. However, I knew my low end was around 100 boards and estimated a high end of 190. The estimates build in a 10% board failure rate (so we produce extra boards) and a 20% discount (thanks Macrofab!).

So the price per board estimates look like this:

My actual cost is a little higher because I didn’t take into account shipping or taxes. However, we are still relatively close.

The cost of components

Components added another $0.82 per badge.

Which isn’t too bad. The most significant cost was the additional battery holder and battery pack. Opting for something smaller was more costly, but it allowed people to mount the badge as they saw fit.

In hindsight, we could have reduced costs further if we just hadn’t included the battery. Alternatively, we could have redesigned the board to not meet the SAO spec, opting for a larger and less expensive coin battery.

One-time fees

One-time expenses added another $0.74 to the cost and included essentials like buying the artwork, prototyping costs, and solder. High-level backers also received copies of my book.

Fees/taxes for the project

  • 8% Kickstarter claims $1.05
  • 30% Taxes took $4.16

That’s right, $5.16 of each badge is taken up in fees, which is almost the cost of the board itself. It almost seems like a hidden cost because it doesn’t add anything to the actual board; instead it’s just the cost of doing business.

Yeah, but you got money right?

Yep! The Kickstarter campaign raised $2,358.00, DC713 purchased badges during a meeting, and cPanel sponsored us on Kickstarter with $400. Also, we received $300 back after a manufacturing error on the silkscreen. We received in total $3,211.00 for the project.

Extras

For the project, we were always planning on stickers and included those in the cost. Unfortunately, we did not expect the manufacturing error. So we decided to go out and buy these pins. They are more expensive than the money we received back, but we felt we owed it to the backers for our oversight.

The profit

We lost around $1.87 per badge.

So how could we have gotten closer to closing that delta? Probably the most enlightening information is in the breakdown of costs. $1.87 is a 10% difference that we want to close.

  1. Increase price– Well, of course, we could charge more. The chances are that if we raised the price by $2, we wouldn’t have seen a considerable decrease in purchases. However, this is about Houston pride! We needed to get them to everyone we could.
  2. Drop the extras– Having extras for higher Kickstarter tiers makes sense. That is why we bundled the book with the purchase of multiple boards. However, maybe we shouldn’t have included the pins for everyone but instead reserved them for high-level backers. If we took out that expense, we would have moved right into the black. Let the cool lapel pins be a separate purchase to preserve costs.
  3. Board prices– There are two ways we can adjust board price: get more purchases for the economy of scale, or negotiate a better deal. Moving to a different board house than Macrofab might have gotten us a better deal, but I wasn’t willing to move out of Houston due to the theme. Also, we think we would have to at least double production to reduce costs by 10%. A strategy for expansion would be somewhat tricky and presents a significant risk of overbuying. After all, even 3 unsold boards would have eaten up the advantage.
  4. Fees– Besides boards, fees are the largest proportion of the project expense, especially taxes. Kickstarter had a significant cost of 8%. Other groups use Tindie for this exact reason. Using something like Tindie can help lower costs, but you have to determine the demand for your boards more accurately. Overproduction from a misestimate could quickly eat up the cost savings.
  5. No battery– We point out above that batteries were super expensive; however, it seems we may be exaggerating a bit, because $0.65 wouldn’t have made it over the gap. What might have been better is to create some totems like other groups did, which would hold multiple SAOs. In that way, instead of 210 battery holders, we could have had maybe 100. Plus another product to sell!

Starting point

From a budgetary side, we hope this gives you some insight into the funding you should consider as you are building out your badge. Proper pricing is a difficult thing to figure out on your first go-around, and it impacts a significant amount of your marketing, design, and financials. That learning experience cost only a fraction of what we would have spent on college courses covering the same subjects.

Despite the difficulties, it is a great way to put together a small entrepreneurial project!


#badgelife: Sharing art at DEF CON 26

The #badgelife scene that happens at DEFCON is a fascinating topic. Not officially sponsored by DEFCON, #badgelife is an arduous labor of passion for an ever-growing set of hackers. While I wrote about it last year (here), this year I participated in a way I had not before: I actually made a badge to get out there. It is incredible how the number of work streams explodes from just wanting to make a shiny little trinket.

There are many aspects to coming up with a badge. Sure, there is the design of the badge, but there is also the production, the selling, the fundraising, distribution, troubleshooting, and repairing of the badge. It’s a small business, and it is tough to do all these things, which require much more than just drawing up something with a lot of LEDs in KiCad.

As you can see from this photo by Mike Szczys in his article “All the Badges of DEF CON 26”, there were tons of badges and add-ons created this year. How much went into making badges for 2018? Maybe a quarter million by the end of the day. That’s a crazy amount of money for something so short-lived.

However, maybe it’s not ludicrous if you consider all the other ephemeral art that is out there. It is acceptable to have an 18-minute fireworks display costing around $270K, so maybe 3 days wearing a hunk of plastic isn’t so bad. Alternatively, maybe they start getting framed and mounted in a museum.

Nobody is getting rich from these. There is almost no way for most of the makers to break even getting these baubles into others’ hands. I enlisted my family’s help to pack and ship in order to save money. That doesn’t even take into account the number of hours spent working on them, trying to come up with an idea and risking so much time and effort. At least 1 of the badges I was backing ran into significant production problems (through no fault of their own), preventing it from being distributed during the conference. Driving for Uber might be an easier way to make a buck.

So make no mistake, badges are gifts. They are a way for others to share with you their love of technology and art. With that, here is my attempt to share a little more with you.

The Design

If there was ever a time to start making a badge, it was this year. While every year I wanted to create something, it always seemed just a little too daunting. However, this year the community put out the SAO connector.

Suddenly, I had a way to be simple and cheap, not worry about power or a lanyard, and still have a novel function. To fit in with my Houston theme, we came up with the snek. Whenever someone touched the throat of the snek, it would light up its eyes. Cool, right? I even hoped it could take commands from the “host” badge to light up as well.

Our local DC 713 group also had great ideas for improvements. First up, it should have a large capacitor to shock someone touching the fangs!

Quietly discarding this idea, we decided we also should have power and some connector since some of the host badges could cost upwards of $150. Then we needed to add an attachment mechanism to affix it somewhere.

Troubles

With all these changes the cost of the badge rose by quite a bit, as a $10 badge suddenly needed $4 of accessories. The cost of this component creep is expensive when scaled out over 210 badges. Fortunately, the Kickstarter we launched took this into account, and with the help of cPanel as a sponsor we quickly reached our target goal. The influx of cash from the successful campaign allowed me to fund production and component costs.

Days before the con I started trying to use the SAO attached to the first badges that shipped. Slowly, I started seeing some problems, and the orientation sometimes caused issues when the snek was used as an add-on. On one badge the SAO caused a DDoS on the clock. It wrecked the badge for the rest of the conference for me. Ooooops.

Also, distribution was a conundrum due to shipments from people sending items to the wrong place, not reading the local pickup rules, or USPS losing packages.

But we persisted!

The response at DEF CON

Everyone loved the look of the badges. It was even better since the DEF CON badge made by the Tymkrs also included the SAO adapter. Hooray, everyone could put a snek on the official badge!

Also, Twitter was abuzz with people taking their sneks out on road trips and assembling them at home. Under the #snek tag on Twitter you can see the excitement when people successfully solder the insanely small and annoying resistors. There was even a DC713 meet-up to solder these little guys together.

My biggest surprise: whenever I spoke with a fellow badge maker, we were discussing two things.

  1. Things we didn’t see coming
  2. How we are going to make the next badge better

With all the time, difficulty, and headaches, my family certainly wondered why I went through the process of trying to build a badge. I may have lost some money, and I lost lots of sleep, but I was floored by how much people enjoyed my modest snek contribution and how it brought our local DEFCON 713 group closer together.

Big Thanks to:

  • cPanel for the great sponsorship!
  • Macrofab for great production
  • DJdead and DC713 for great ideas
  • Family for dealing with the sneks in-house

My 3 favorite unofficial DefCon 25 badges

While DefCon has been known to have interesting conference badges, the 25th iteration had an unexpected explosion of intriguing unofficial electronic neck swag. The hunting for and gathering of coveted badges has become a new tradition and this year’s #badgelife built on that tradition. While unforeseen circumstances caused this year’s official badges to be rushed into production, attendees did have a nostalgic combination of throwback badges paying homage to conferences of the past. Fortunately, attendees had many choices to display custom badges that bling, communicate, and even fight from unofficial sources. Often these badges have secret competitions and groups to teach people how to deconstruct and find hidden achievements in their hardware. Although I was far from getting all of these unofficial badges at DefCon, there were three that caught my eye.

1. AND!XOR’s Bender badge

My favorite badge! Last year I fell in love with my little Bender badge after being a winner of the grand elevator rush of DC24. This year’s badge was a huge step up from last year, and it features a full-color LCD screen, a host of LEDs, and my favorite character from Futurama mixed with the cult classic Fear and Loathing in Las Vegas. The Bender badge has a host of unlocks available to get additional characters and screensavers, and a wireless module to interact with other badge owners. They are also cross-compatible with many other badges from the regional DefCon groups like DC801. If two compatible badges were near each other, they would flash each other’s logos back and forth between screens. How freaking cool!

A much more well-known feature on the badge was the “Botnet”, which allowed badges to fight each other as you developed exploits, patched your badge’s services, and launched attacks. In particular, a successful attack would render the victim badge temporarily unusable as Clippy, a BSOD, or a Rickroll took over for a minute. Suddenly, badge owners were in a race condition, with each person trying to hack the other guy first. The loser’s badge would sadly broadcast their shame. The truly devious would launch another attack as soon as the victim cleared the first one.

One hidden feature of the badge is an actual botnet capability that allows the AND!XOR creators to propagate commands across the badges. For example, maybe AND!XOR wanted to start off a Hypno-toad dance party or maybe Rickroll a room. The problem was that DC801 took advantage of this “feature” to hijack the command and control architecture. They were able to infect one badge, which would wirelessly reach out to attack another within range, and so on. This cascading virus is fascinating because the badges form an IoT mesh network that a virus happily hopped along. Suddenly badges were attacked just by walking through the area! Even after a reboot, badges just started another iteration of the Matt Damon video clip, disabling the user interface for a minute. I am seriously sick of him spinning around. Throughout the weekend AND!XOR and other groups dueled for control of the botnet and our badges. Fortunately, this seems to have cleared up by the time I got home.

Just take a minute to contemplate this. While users were busy trying to attack each other on an individual level, AND!XOR and DC801 were fighting to control the entire botnet infrastructure.

2. DC Darknet

The DC Darknet is a group of challenges based on the books Daemon and Freedom written by Daniel Suarez. At DefCon, agents of the Darknet fight to gain reputation points as they learn new topics and explore quests ranging from breaking ciphers to building simple exploits. The Darknet badge was one component of these quests.

This badge had a do-it-yourself element. The Darknet badges taught me how to solder, and now I bring a soldering kit to DefCon just to rapidly assemble the Darknet badge. There are a hundred stations in the Hardware Hacking Village, but lines quickly form, and who has time to wait for a soldering station? Forty minutes after receiving mine, it was assembled, flashed, and ready to start speaking with other agents.

A particularly interesting feature on the badges is the IR and RF pairing. After you built your badge, it could pair over IR with other agents, which then allowed you to send RF messages to them wirelessly. You could state “I would like a taco,” and that message would be relayed to the agent of your choice (if they were within range). This feature adds a unique covert method to communicate with your new friends and fits in with the story extremely well.

The dialer aspect of the badge was a refreshing throwback. However, it was somewhat difficult in practice. During one quest requiring a few key numbers (Emergency, Jenny), the capacitive touch keys would sometimes read incorrectly. Not having a backspace button can be incredibly frustrating when digits sometimes worked and sometimes didn’t.

The team behind the badge was equally impressive. The Darknet staff table easily had ten staffers there at all times helping agents trying to complete quests, re-solder badges, or get points from the scavenger hunts. Another particularly nice touch was the rechargeable battery, which helped me cut down on AA batteries and the need to replace them.

Although I did not have as much time to devote to the quests, I was able to participate in the boss fight. Working together with a group of people in a hotel room to go through quests was certainly one of the high points of this year’s experience.

3. Mr. Robot

DC Darknet and AND!XOR had both presented badges at DefCon before, but the Mr. Robot badge was a cryptic newcomer. There was no official Kickstarter or starting quest to get the badge. Instead, you had to follow a minimalistic Twitter page to find out where to purchase the badges and what they even did.

It was pretty amusing how they were handed out. The first batch was distributed at skee-ball, which felt similar to the show. However, I found out about the drop 4 hours later. I was luckily able to get a badge because I saw a tweet about a sale near Caesars when coming back from a party. The tweet only stated they were at the Spanish Steps, and I stepped it out to get there as fast as I could without running. They were easy to spot because a woman with a large purse was looking around nervously while sitting with three other people. Nobody else had bags large enough to carry the badge. So, in what could only have looked like a drug deal, I approached her, slipped her cash, and received my badge.

This badge has a beautiful mask and looks amazing. On the outside, it does not look as flashy with LEDs, and it only had two games (snake and Tetris) on it. Even then, the up arrow froze the game. While there were additional tweets for an ARG, I did not play with them much. Therefore, I was shocked when I suddenly saw a group of open wifi signals while connecting to the network. Later I went back and logged onto these signals to discover a wifi network with 192.168.4.1 as the only host. When I unplugged the batteries, the wifi signal disappeared, and suddenly I understood it was coming from the badge!

So I did what anyone at DefCon would do. I logged back in and scanned the network for more devices and open ports. Bizarrely, it only had one open port, UDP 4096. Despite trying to netcat and run commands against the port, I got nowhere. More discouraging was that whenever I saw someone with the badge, they knew nothing about the port or how they were carrying around a wireless access point.

Warning: FUD and conjecture ahead! There are some rumors that the Mr. Robot badge also had a botnet component that would use this port. Once one received the code, it would look for other badges to trigger their code and then launch deauth attacks against other wireless devices in the area. The badge wearers, unaware that they were transmitting wirelessly, would walk around deauthing devices and could be spreading the virus across the conference. Right or not, it sounds like a fascinatingly devious scheme.

But these are just toys?! What does this have to do with security?

The great influx of badges added an interesting IoT component to DefCon. It is easy to forget that these badge designers were able to do amazing things on a tight timeline with relatively cheap devices. As businesses explore how they can do more with IoT, we will see more and more professionals coming up with outlandish ideas to do many more elaborate things. These are quickly built demonstrations of how IoT is incredibly easy to implement and how the best of intentions could create a raging multi-headed botnet if you are not careful.

It was incredible to see the different layers of people coordinating across the country to pull this off, and I am very excited to see what they will put out next year. Who knows, maybe next year I can get a Texas badge put together!

If you want more articles on badges I suggest this one, and if you are looking for an audiobook I suggest checking out my book on Effective Threat Intelligence.



2016 Hacker Santa and the joy of sharing

Coming to the close of 2016 @InfoSystir was kind enough to set up #HackerSanta which provided an infosec goodie exchange.

My target was @J0hnnyXm4s, a hacker who has given numerous infosec talks and helped discuss the risks of TSA keys. After some stalki… open source investigating, I determined that he was probably in the market for a new Pelican case, enjoyed lockpicking, and would likely appreciate something repurposed.

Luckily I had a Pelican case, some locks, and some things that needed to be repurposed. I chose two locks to secure the goods. This Masterlock is a favorite I have kept around to humble lockpickers when it became “too easy.” A spare TSA 007 lock would serve as a tip of the hat to Johnny’s research. Everything was coming together nicely.

DomainTools promotional video repurposed

Back in February, DomainTools was kind enough to send me a promotional video in a unique package. The video started to play as soon as you opened the cover. While they have a great product (I encourage everyone to check them out), I only needed to see it run so many times. So how does this work, and what can I use it for?

At first look I could tell there was some type of switch to set it off, a small USB port, the controls, and a hidden speaker. However, there was not much else to go on. Time to take it apart! Ten minutes of cutting through adhesive later, it looked like this.

Pulling information off the board, I was able to find a company selling similar products in case I needed reference material. However, this was not needed, since the USB port provided a simple interface and not just power. After plugging it into my computer I discovered the advertisement was a stored mp4. It was just a simple swap to put in my own mp4.

Fast forward to December: I felt providing a video to Johnny for getting through the locks would be a great touch.

The Game is a foot!

All packaged together (including shameless self-promotion), it arrived a little after Christmas. Although I sweated over battery life fears, I was very pleased to see that not just Johnny but a whole host of @BurbsecEast attendees also had fun getting the locks open! It’s great to see people come together to solve my silly gift.

Finally it is opened!

So besides a long-awaited Rickroll, you can see how I put it together. The switch is attached to the lid, but the magnet is not strong enough to lift the whole screen. Everything sits on top of the foam, which will allow Johnny to repurpose both the video player and the Pelican case.

What’s the deal with the coin? Ask @Curious_Codes. I received it after completing one of their puzzles at Derbycon and wanted to share the joy I got from it.

I had lots of fun putting this all together. Thanks to @J0hnnyXm4s for providing great documentation of his process and sharing it on Twitter, @DomainTools for the promotional hardware, @InfoSystir for setting HackerSanta up, @Curious_Codes for the puzzle within my puzzle, and my HackerSanta @Greenjam94 for the TV-B-Gone. I am excited about next year!


Some Scenario Solutions to Effective Threat Intelligence

Effective Threat Intelligence includes a number of scenarios designed to help solidify the content. I have invited readers to provide their solutions and was fortunate to have Andre provide his take.

Andre Gironda has an impressive resume including structuring organizations by using models that delegate risk decisions to Cyber Operations teams and has spoken worldwide on risk models, cyber threat intelligence, DFIR, APT hunter-killer teaming, and red-teaming analysis.

You can find his solutions on my site here.


Effective Threat Intelligence Free for a limited time!

Click here to get the Kindle version free!

Until Tuesday the Kindle version of Effective Threat Intelligence is free! I set up this offer as a thanks for participating and to drive up the excitement of launching my very first book! If you were ever reluctant about purchasing the book, now you can get it before you start your workday for free!

If you already purchased the Kindle book during the weekend, please email me at jdietle@mindtrinket.com to sort it out.

Have you already bought the book? Looking for other ways to support?

– Purchase other book versions. Both free and paid versions give me a boost on Amazon.
– Give the book reviews on Amazon.
– Share my twitter, linkedin, and website with other infosec professionals.
– If you have purchased the physical copy, make sure you also pick up the free Kindle copy!

Thanks so much for your support in making this day come. I am amazed at how many people keep coming out to support this project, and I am so happy to share it with you!


Choosing the right place to hunt for threat intelligence

Building a hunt team is becoming popular in the threat intelligence world. Proactively searching for interesting threat information can help a SOC detect new threats and problems. Sometimes hunting turns up something that has been in the environment for years. A successful hunt is lots of fun, and analysts always enjoy bringing back a trophy of something they found.

Hunt programs can also be designed to look for threat intelligence. When discussing a hunt program, I like to consider where my hunting grounds are. I separate hunting into two factions:

– External to the company environment
– Internal to the company environment

Hunting for information external to the environment can be a popular tactic. Bad guys are everywhere and doing interesting things all of the time. Researching them for indicators can lead in many interesting directions, including underground and clandestine organizations. However, with all of this exploring you run into questions of authority. Should you attempt to connect to a malicious website with a sandbox? Should you be purchasing stolen documents to look for company credentials? Overall I tend to feel that this type of activity is best done by research companies and government/law enforcement, because it pretty quickly gets into areas of vague legality and violating personal privacy.

Internal hunting is similar in that you are moving around the environment looking for things that are suspicious. However, it is different because you own the infrastructure. Internal hunting is largely going to net a higher benefit for your organization. If you see something in your environment, you know it will be… attacking your environment, or has already attacked it. Conversely, external threats may never be interested in attacking you. Therefore, it makes sense to concentrate on strange behavior in your environment and match it up with what is happening outside, rather than solving external problems to prevent them internally.

A great hunt team will be able to notice anomalies and inefficiencies in the network. The indication that something is amiss can be any number of things. Although it could be the next APT breaking down your door, it can also be a misconfigured server. That’s not to say that aspect should be ignored; instead, if you can document it and show it to the process owners, you can help make the whole system better.


Avoiding the Stigma of Technical Debt

“Technical debt” is the sin of a company not investing in technology, which, like not paying off a credit card, causes costs to spiral out of control. The theory goes that as the technical debt increases, projects take longer and run into more difficult and more frequent problems. The cycle repeats and feeds upon itself, causing harm and strife to companies that fail to maintain a standard of technology. Therefore, a company could reasonably conclude that the only sound business decision is to eliminate “technical debt” by prioritizing technology growth. However, it is only one consideration in a very complex problem. Luckily, problems like these have been solved for years. “Technical debt” is simply a new way to state that there is “opportunity loss” when systems aren’t upgraded.

A standard for preventing technical debt is not explicitly stated and is inherently vague. This is troublesome because companies can also face overspending by leaning too far forward, innovating with new technologies out of fear. Being the innovator can have burdensome costs if your business model now depends on discarded technologies like Betamax, HD-DVD, or AppleTalk. Companies are left paralyzed by indecision, stuck between the risks and costs of adopting early and the safety and thrift of integrating later.

Instead of waiting until the accumulated debt arrives, be bold and see where you can find opportunity instead of blindly chasing technology. Find a business impact that improves with new technology, create a small task force to test it, and determine if it can achieve a concrete goal. Technology is cheaper to implement, faster to set up, and more scalable than ever before. Gathering evidence, especially evidence that directly helps the bottom line, will help drive wise technology investment with enthusiastic executive support.

“Technical debt” is an easy way to state the dangers of underinvesting in technology. However, to build a complete narrative, stay engaged with the groups you’re supporting and give evidence of the new opportunities available by adopting new technology.


Love the Hacker, Hate the Problem

Hackers have been receiving quite a bit of bad press recently. Cryptocurrency blackmail, planes flying sideways, and cars driving into ditches all help sell an image of hackers as mercenaries and anarchists, but it ignores the motivations of countless individuals tinkering with systems in positive ways. The drive to emphasize “malicious” hackers trivializes their real capability to solve problems which arise from society’s reliance on incredibly complex systems that can fail at the speed of light.

Good employees need to be able to understand a system of processes, and then alter those processes to benefit their goals. However, great employees are the ones able to see through the sea of competing processes and identify the friction. This is a defining trait of a hacker, the ability to fall in love with this sea of unknowns, study it with devoted reverence, and perhaps even zealotry. Does this level of dedication make some people feel uncomfortable, despite the good works that are accomplished?

It appears to be perfectly acceptable to have web articles on food hacks, management hacks, and dog care hacks, which give insight into really difficult problems. These are just hackers of a fleshier science. While the difficulty of these topics is equivalent to most technology topics, such as packet routing or database normalization, it appears the mere mention of technology taints the conversation. Technology forms a mythos where the hacker is regarded more like a wizard than an expert in their field. This completely skews the tone of public opinion, and suddenly technical problems center on either the incompetence of developers or the selfishness of hackers wishing to trade public safety for profit or fame.

While hackers are at best the anti-heroes of the news cycle, the real villains are the problems lurking in the dark. Technologies constantly change, creating problems we have not yet begun to imagine; however, if we appreciate the complexity of the situation, perhaps we would be more inclined to celebrate the hacker mindset.