Author: jgamblin

One of my personal projects this year is to understand and build a SLAM (Simultaneous localization and mapping) robot. To get started I bought the Xaxxon OpenLidar and after a few struggles getting it to work correctly in a VM I finally did and decided to throw together my build notes for future reference.

Virtual Platform

While I would have liked to use (and tested) Virtualbox there is a known issue with RVIZ that isn’t present in VMWare Fusion, so while I hate not keeping this open-source I could not get it to work.

Ubuntu Install

You want to start with a new Ubuntu18.04 Install (ROS isn’t Ubuntu 19.0 compatible yet with the VM tools installed.

Run these commands to update and install the need utilities:

sudo apt update -y
sudo apt upgrade -y
sudo apt install git curl screen

ROS Install

ROS is the Robot Operating System (ROS) is a set of software libraries and tools that helps you build robot applications. You need it installed to run the OpenLidar hardware.

Here are the commands to install it:

sudo sh -c 'echo "deb http://packages.ros.org/ros/ubuntu $(lsb_release -sc) main" > /etc/apt/sources.list.d/ros-latest.list'
sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
sudo apt-get update
sudo apt install ros-melodic-desktop-full -y
sudo rosdep init
rosdep update
echo "source /opt/ros/melodic/setup.bash" >> ~/.bashrc
source ~/.bashrc
sudo apt install python-rosinstall python-rosinstall-generator python-wstool build-essential mesa-utils

OpenLidar Install

The last step is to install the software for the OpenLidar system and configure all of the variables and reboot.

Here are those commands:

mkdir -p ~/catkin_ws/src
cd ~/catkin_ws/src
git clone https://github.com/xaxxontech/xaxxon_openlidar.git .
cd ~/catkin_ws/src
catkin_init_workspace
cd ~/catkin_ws/
catkin_make
echo "source $HOME/catkin_ws/devel/setup.bash" >> ~/.bashrc
source ~/.bashrc
sudo adduser $USER dialout
sudo reboot now

Running

Once your VM reboots and you connect the Uart Bridge to the VM and you are now ready to fire up the software. That can be done with these commands:

roslaunch xaxxon_openlidar xaxxon_openlidar.launch &
roscd xaxxon_openlidar
./rvizlidar &

You should then see the RVIZ window load and data start populating the screen like this:

Troubleshooting

If you run into any problem you can always serial into the Lidar and check it with some of the commands on this page.

screen /dev/ttyusb0 115200

As the 2010s come to an end I started to think about what security stories from the last ten years changed how we think about security in this decade and the next. While this list is in no way complete these are the ten stories that I think had a lasting impact on security in the last decade and the next.

Stuxnet – 2010

Stuxnet targeted SCADA systems and was responsible for causing substantial damage to Iran’s nuclear program. It has been the subject of many books and even a movie.

It has been publically confirmed that Stuxnet was created and built by the NSA in partnership with the CIA and Israeli intelligence.

LulzSec – 2011

LulzSec was a high profile hacktivist group that hacked Sony Pictures, HBGary, and PBS along with many other organizations. Its history and reputation are complicated with many of its members’ serving prison sentences and others have become members of the security research community.

Heartbleed – 2014

Heartbleed was an improper input validation bug in the OpenSSL library that allowed a malformed heartbeat request with a small payload and large length field to permit attackers to read up to 64 kilobytes of the victim’s memory that was likely to have been used previously by OpenSSL.

One of the humorous takeaways from this bug is that it was submitted at 11:59 on New Years’ Eve 2011.

Probably the most lasting takeaway is after this vulnerability Google established Project Zero.

The Shadow Brokers – 2016

The Shadow Brokers were a hacker group that published several leaks containing hacking tools from the National Security Agency including several Microsoft zero-day exploits that lead directly to WannaCry.

It is widely believed that Russia was responsible for these leaks although how they obtained the information is still unknown.

WannaCry – 2017

The WannaCry ransomware attack targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin. It propagated through EternalBlue, an exploit developed by the National Security Agency and stolen and leaked by The Shadow Brokers a few months prior to the attack.

Marcus Hutchins discovered the kill switch domain hardcoded in the malware and registered the domain which limited the spread of the ransomware.

Sony Pictures Hack – 2014

In 2014 sony pictures were hacked and personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, and copies of Sony films were stolen and released on the internet. The attackers then released a disk wiper bot that formated a large number of hard drives at Sony.

It is widely believed that North Korea was behind this attack because Sony had made the movie The Interview which plot revolved around trying to assassinate Kim Jong-un.

US law enforcement agencies have charged Park Jin Hyok with this attack and for masterminding WannaCry.

DNC Hack – 2016

Russia hacked and released DNC internal communications to WikiLeaks in the run-up to the 2016 presidential election. While the technical details of these attacks are not impressive, America and the rest of the world have been dealing with the fallout from these breaches and will continue to do so for the foreseeable future.

Chelsea Manning – 2010

In 2010, Chelsea Manning gave WikiLeaks 500,000 documents that became known as the Iraq War and Afghan War logs along with numerous Diplomatic cables. She was arrested in May of 2010 but the information she had given to Wikileaks which made them a household name and allowed them to play a role in the DNC Hack and releasing the information that Edward Snowden leaked.

OPM – 2015

 In 2015, the United States Office of Personnel Management (OPM) had a data breach that affected approximately 21.5 million people. These included an unknown number of SF-86 (Questionnaire for National Security Positions) forms and over 5 million fingerprints.

Most experts have blamed China for this breach but no public proof of this has been shared.

Equifax – 2017

This was a huge data breach that ended up exposing the data of roughly 200 million consumers using a vulnerability in the Apache Struts framework. The House Oversight Committee has released a full report on the breach. Many security experts see this attack as an eyeopener for companies to look closely at their internally developed software along with their OS and Network patching.

No one has taken responsibility for this attack and none of the stolen data has ever been reported to have been used.

Closing

Six of these stories come directly from State actors attacking either another country or a large corporation, one of them was an insider threat, one was a determined group of motivated external attackers and one was a really nasty bug a developer submitted at 11:59 on New Year’s Eve and Park Jin Hyok is probably the most dangerous hacker in the world.

Did I miss a story that should have been on this list? Let me know on Twitter at @JGamblin.

I had a new years resolution to Read More Books this past year and actually read around 20 books this year. Out of those books here is a quick list of some of my favorites from the past year that I really enjoyed.

Stillness Is the Key

This book was probably one of the most impactful books I read this year. It walks through how the great and the good spent time alone and in thought in order to make their most momentous decisions. It really inspired me to take 30 minutes a day to disconnect to journal and meditate.

GCHQ 2

I love these puzzle books. I spent many hours on planes and on the couch walking through this book and trying to figure out these puzzles. I am looking forward to the thrid installment that will hopefully come out shortly.

Zero Trust Networks: Building Secure Systems in Untrusted Networks 

Zero trust has been an overused buzzword for the last few years in security. This book is the ground truth about what zero trust really is and how to implement it correctly. This is a must-read for anyone in security.

People-Centric Security: Transforming Your Enterprise Security Culture 

This book was a great reminder that you cant fix security in any organization through technology alone and you have to concentrate on how to get people at all levels of the organization to care about security.

The Moscow Rules: The Secret CIA Tactics That Helped America Win the Cold War 

This was a really interesting, entertaining and quick read. Here are the Moscow Rules:

• Assume nothing.
• Never go against your gut.
• Everyone is potentially under opposition control.
• Do not look back; you are never completely alone.
• Go with the flow, blend in.
• Vary your pattern and stay within your cover.
• Lull them into a sense of complacency.
• Do not harass the opposition.
• Pick the time and place for action.
• Keep your options open.

Our Man in New York: The British Plot to Bring America into the Second World War 

This book is about how England used the media in the 1940s to change American’s opinions about entering world war 2 by doing everything from bribing a radio psychic to predict Hitler’s death to slightly changing public opinion polling questions to make it look like Americans were more open to joining the war.

Gray Day: My Undercover Mission to Expose America’s First Cyber Spy

This is a great story about how Eric O’Neill and the role he played in hunting down Robert Hanssen and how he hacked his bosses Palm III to download and decode its encrypted contents.

I spent the last week at AWS re:Invent 2019 in Las Vegas with over 65,000 other AWS users. This conference is always jammed packed with announcements and interesting discussions with people both inside and outside of my normal security bubble. Overall I really enjoy this conference even though it is ridiculously large and I spent over 6 hours on the shuttles this week going between the 3 campuses of the conference.

I was glad to see Amazon finally get serious about security that matters to both practitioners and audit teams. While Encrypted by Default only applies to their Nitro Enclaves at this point I hope this is the start of moving this principal to all of their services.

Here are some roughly organized notes and thoughts about some of the services that were launched or announced this week that I was impressed or really confused about.

General Cloud

• AWS Outpost
  • It is a rack full of AWS equipment they install in your data center and then you manage it through the AWS console. It only costs $225,504.81 for the entry-level model.
• AWS Nitro Enclaves
  • Nitro Enclaves enables you to create isolated compute environments to further protect and securely process highly sensitive data such as personally identifiable information.
• AWS ARM Processors
  • Amazon is launching its own Arm-based processors. You have wonder if at least part of this isn’t to hopefully avoid future side-channel attacks.
• AWS Compute Optimizer
  • You pay AWS to tell you how to pay AWS less or something.
• Ubuntu Pro
  • This is a customized version of Ubuntu to run on EC2 that comes with LivePatch and will have preinstalled hooks into the AWS security hub soon. On the downside, it does cost $.03 an hour to run which will end up costing about $25 a month per instance.
    

Security

• Amazon Detective
  • I think this is a SIEM? I really don’t know.
• Amazon Fraud Detector 
  • I am *super excited* about this offering. Fake accounts and purchases are a huge deal for security teams and if they can do what they are promising this could be game-changing.
• CloudTrail Application Anomaly Detection
  • Here is a new tool from my friend Will Bengtson which is a simple CloudTrail based anomaly detection for use in AWS. 
• IAM Access Analyzer
  • A long-overdue tool to help control access and permissions to your AWS services and resource.

Machine Learning

• Amazon SageMaker Studio 
  • An IDE for SageMaker to help train your models.
• SageMaker Autopilot 
  • Data science for people who don’t understand data science.

¯\_(ツ)_/¯

• Amazon CodeGuru 
  • It is a super expensive linter that only does JAVA.
• Amazon Builders Library
  • White papers on how Amazon tackled some of their biggest technical issues.
• Amazon Kendra
  • It is Google but by Amazon?
• AWS DeepComposer
  • It is a $99 keyboard that uses machine learning. I am guessing a SageMaker Autopilot model told someone this was a good idea.

General & Uncategorized Thoughts

• Amazon did a better job of not over-promising this year.
  • All most everything they announced was in general availability or public preview.
• Blackberry QNX and Karma have built an amazing connected car platform.
• The builders’ fair projects were amazing this year.
• Firecracker VMs look promising.

This week I gave a talk on Hacking Holiday Lights at Kenna Security and here is the promised accompanying blog that outlines the hardware and software I demoed for easy reference for anyone who wants to build their own holiday lights.

Controller Boards

I looked at a bunch of different boards that ended up having a variety of technical hurdles and ended up really liking the first two boards for ease of use and the last one for the “Real Hacker Experience”.

• PixelBlaze
  • Some Soldering Required.
  • Most Programable.
• The Kube NodeMCU LED Strip Controller
  • Runs WLED Software
  • 3D Printed Enclosure.
• AllPixelMini Universal LED Controller
  • Requires a PI or Laptop to run.
  • Here is a simple python script to scroll a text message on an 8*32 matrix.
    

LED Lights

Getting the right lights for your project is probably one of the most important parts of building out your project. Below are the lights I have used and really like.

• “Christmas Style” Lights
• Weatherproof Strip
• 8*32 Matrix

Software

• FastLED
• BiblioPixel
• WLED.me

Tips

• Stick with 5V Lights.
  • This allows the strip and controller to be run from a single USB cable.
• Alibaba has tons of lights if you have extra time.
• Tindie is always is adding new controllers to check out.

Closing

This has been an amazingly fun project that I was able to do with my son and my hardware hacking is not always that easy. You can easily build more complex and complicated displays using these tools and I hope you have fun exploring these systems and finding the right fit for you. If you have any questions please ping me on twitter @jgamblin.

I have been meaning to look at Cartography since I saw their talk at BSidesSF last year and I finally had a chance to start looking at it today. One of the first things I noticed was that is was not containerized so I built a quick container for it and decided to document my progress here.

Prerequisites

• AWS CLI (Installed and configured)
• Docker 18.0+

Build The Cartography Container

• Create a local cartography directory.
• Create a Dockerfile and copy this into it:

# syntax = docker/dockerfile:experimental
FROM ubuntu:latest
# Install Python
RUN apt-get update \
  && apt-get install -y python3-pip python3-dev wget apt-utils \
  && cd /usr/local/bin \
  && ln -s /usr/bin/python3 python \
  && pip3 install --upgrade pip
RUN pip install awscli \
    &&  pip install cartography

• In your terminal open the cartography directory.
• Build the container using: DOCKER_BUILDKIT=1 docker build -t cartography .

Run Neo4J Container

docker container run \
  -e NEO4J_AUTH=none \
  -v neo4j-data:/data \
  -p 7474:7474 \
  -p 7687:7687 \
  -d \
  neo4j:3.5.12

Run Cartography Container

docker run --rm -v $HOME/.aws:/root/.aws --net=host cartography cartography --neo4j-uri bolt://127.0.0.1:7687

This step will take a few minutes depending on the size of your environment.

Accessing The Interface

Once the container is done building you can access the web interface at http://127.0.0.1:7474/browser/

Closing Thoughts & ToDo List

• Lyft provides some sample quires here
• I am looking forward to setting this up for multi-cloud environments
• Need to investigate authentication for Neo4J

I just spent a day and a half recovering my Github account after the code in my 2FA application stopped working for authentication. GitHub has a good support article on how to recover your account that has this ominous warning on it:

Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials or lose access to your account recovery methods.

I was worried that I wasn’t going to get access to my account back since I didn’t have a copy of my recovery codes so I reached out to GitHub support and was able to work with them to get access using my verification token from an SSH session.

If you have 2FA enabled on your account you should make sure you have the following:

• Access to your recovery codes.
• That ssh -i ~/.ssh/github_rsa -T [email protected] verify returns a verification token.
• A fallback number on your account for SMS 2FA.

Hopefully, no one else has to go through this but I figured I would write up my notes since they were fresh in mind.

About once a month I need a Kali VM to use for an hour or so, and I am terrible at keeping a VM up-to-date, so this weekend I took a few hours and built a tool to download automatically, provision and update a Kali Linux VM in Virtualbox.

All the code for this project is in this Github Project.

Here is what the output looks like:

This script meets my needs but if you have any questions or suggestions please feel free to ping me on twitter at @JGamblin

Recently I have been working on a project to use the Trivy container scanner to scan large swath of containers for open vulnerabilities that I wanted to quickly post here. There is a full blog about the project here on the Kenna site.

Here are some of the pages I have built out so far:

• Top 1000 Popular Containers Scanned
• Official Docker Containers Scanned
• 10,000 Most Popular Containers

As always reach out to me on twitter if you have any questions.

I had the chance to attend LoCoMoCoSec this year and had a fantastic time. It was a well-run conference that was extremely focused on being friendly for families and being inclusive of the diverse group of people who make up our community.

It also doesn’t hurt that it was in one of the most beautiful places I have ever seen.

Many of the attendees and speakers had brought their families with them, and this helped the conference have a fantastic family feel to it.

The organizers decided to keep the inclusiveness going by only offering a cash bar and asking anyone who was planning on over drinking to please move to another bar.

LoCoMoCoSec is the only conference I have attended that is hyper-focused on real-world product security. With talk after talk full of actionable or relatable stories that I will take back to work with me to help improve our security posture. I will highlight some of the key takeaways I will be bringing back to work with me.

Open Source Security

Neil and Adam both had amazing presentations on open source security and I had a ton of conversations with people around the subject at this conference.

Neil talked about how Github struggled with getting from an out of date forked version of Rails to the latest current version. It was one of those rare talks where the presenter was open and honest about how hard it was to get up to date even in a technology company. I am looking forward to this presentation video being uploaded to share with my dev teams.

Adam from NPM talked about framework security and how little code is actually written in modern node apps. This slide shows that 97% of modern node apps are made up of underlying frameworks was one of the most talked about at the conference.

Outside of these talks, I spent a lot of time talking with people about how we can better understand and help the security of the many open source frameworks that companies build their applications on. This is a problem that everyone is obviously thinking about but no one has found an answer to yet.

DevSecOps

I saw three really good talks about DevSecOps from James Wickett, Tanya Janca, and Dave Lindner all of who I really respect as leaders in our industry. They each had a very unique approach to this topic but they all ended up with DevSecOps is really hard and we all have a lot of work left to do. I have some thoughts on this topic and am working on a talk that I am hoping to be able to share later this summer.

James Wickett talk was one of the most entertaining of the conference, and he is writing a DevSecOps book that he is looking for material for. You can check out his slide deck here that includes contact information.

Tanya Janca is a high energy presenter and talked about the DevSecOps in sprints. She also talked about how great organizations have a ratio of 100 Devs to 10 Ops to 1 security person.

David Lindner who works at Contrast and is a friend of mine talked on Friday about the challenges of adapting appsec at a startup and balancing that with business needs. I empathized with him as we both come from startups of about the same size.

Bug Bounties

Bug Bounties are always a touchy subject at these conferences but there was a bunch of great discussions around them and how to improve them to make them more actionable.

Google in their talk about fixing CSP talked about 75% of their web payouts are for XSS bugs and how they are working on fixing that.

Katie Moussouris gave a talk about how bug bounties work and my biggest take away from her talk was that there is likely less than 500 bug bounty hunters who find the majority of all bugs.

CTF

Matt Langlois put together an amazing collabrtive CTF for the last day of the confrence and open sourced all the puzzles.

Dive Track

Melanie Ensign from Uber put together an amazing Dive Track with the ability for people to take a few hours and explore some of the best diving in the world. I took a morning and went out for an amazing drive.

Closing

Overall I had an amazing time and I didn’t talk to anyone who wasn’t looking forward to LoCoMoCoSec 20202. I know if at all possible I will be going back. 🤙