May 15, 2023 • 34 mins
This week, we are speaking with Dennis Pelton about his expertise in hardware. He makes badges for all the major security conferences and loves to share his knowledge in this space. #security #hacking #wifi #rubberducky #hardware #defcon #schmoo #defcon #bsides
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to the Audit presented by IT Audit
Labs.
Dennis, thanks for coming back.
Welcome back to the Audit by ITAudit Labs Today joining us.
We've got Nick Mellem and ScottRisdahl.
Hey, all Today we're talkingwith Dennis Pelton about some
(00:30):
hardware hacking.
And, dennis, you and I ran intoeach other at Wild West Hacking
Fest over the summer and youwere giving a presentation on
wireless for noobs, if I recall,and you did a previous episode
with us on that.
We thought we were going tocover both those things in one
(00:52):
episode, but we had a greatconversation there and I ran out
of time, so we thought let'sdedicate the whole episode to
hardware hacking.
And you've got a business card.
Unlike anybody else, you've got, from what I understand, an
encrypted version of your resumeon this chip on the card.
(01:14):
Yeah, yeah, how cool is that.
Dennis Pelton (01:21):
So I mean, did you follow the?
Because there's a QR code onthe back Did you follow that?
Eric Brown (01:24):
or anything.
I did not.
I mean, did you follow the,because there's a QR code on the
back?
Did you follow that, oranything?
I did not.
Dennis Pelton (01:27):
I should, though, so I mean it basically explains
kind of what you were justtalking about.
That on the card is a chip,that on the chip is an encrypted
copy of my resume, and so it'skind of a series of challenges
really, and challenge number oneis get the data off the chip.
There's a number of differentways you can go about it.
(01:47):
I've heard stories from otherpeople of how they were able to
get it off, and it's like eachperson tells me something new,
even ways I hadn't even thoughtof in the past, where I'm like,
oh, actually that's a rad way todo it.
I never thought about that.
But once you get the data off,it's encrypted.
So you have to determine whatkind of encryption was used and
how you can break thatencryption.
And if you take the time to doall that, there's my resume, but
(02:11):
there's also kind of a coverletter with a you know,
congratulations for solving this.
You are exactly the type ofperson that I want to work with,
the type of person who kind ofhas the drive and motivation to
do all of this just for thesheer fun of it.
You know, there's no reward,it's just you're just doing it
because you want to learn newthings, and so I thought that
was kind of a fun way to, youknow, kind of get that message
(02:33):
out there of like, look, I'mlooking to work someplace fun, I
want to work someplace.
That's cool.
That really has people thatjust want to do these things,
just to learn.
And so that was kind of theinspiration for me on making
these was I thought you knowwhat's something kind of fun
that I could give out to people,because most business cards you
get it and you go okay, cool,maybe you bring it home, but
then it ends up in the garbage.
Can?
Yeah, something like this.
(02:54):
I figured that's probably notgoing to end up in a garbage,
can you know, maybe some of themwill.
Eric Brown (02:58):
I don't know, but I tell you, dennis, I, since I I
met you, uh, black Hills, I'vehad this in my bag and I can't
tell you how many vendor cardshave gone in the bag and gone
right out of the bag, but thisis stuck around.
It's cool.
I've showed this to a fewdifferent people.
Dennis Pelton (03:23):
And yeah, it certainly is a neat concept.
Yeah, thanks.
Honestly, they were a lot offun to build.
I probably should do anotherrevision of it or something
these days, but when you'rebuilding it.
Nick Mellem (03:30):
How many?
How many are you building at atime?
Do you have 20, 50, 5?
Dennis Pelton (03:36):
I think I originally bought 30.
And then I think I actuallybuilt like 10 of them for the
first conference I went to.
I ended up passing them all out, went home and built the other
20.
And then now, anytime I go to aconference, I'll usually
reflash the chip with a new,updated version of my resume.
So I have to, kind of it's.
(04:02):
The one unfortunate thing aboutthe card is I have to kind of
keep updating it as time goes on.
But you know, I figure by thetime people solve it my resume
might change anyway.
But whatever, they can find meon LinkedIn or something like
that.
For the most recent, I don'tknow.
Eric Brown (04:11):
So what's the process that you go through to
build these?
Was this the first iteration ordid you have a few prototypes
before it?
Dennis Pelton (04:19):
So this was actually the very first one I
did, but I had built kind ofother you know puzzle-y type
things in the past.
Oh man, yeah, this is oldschool right here.
This was like the very firstrevision that I did, where it
was just like a little keychainand you know it just said
rot13labscom and it had thelittle chip on there and the
(04:40):
chip had some puzzles on it andit wasn't quite the same thing,
but you know it was similar onthere and the chip had some
puzzles on it and it wasn'tquite the same thing, but you
know it was similar.
And then, uh, then I ended upswitching up the keychain and
doing a little differently thanthat, but kind of similar.
And then, uh, I think that'sabout when I did that one and
then for defcon last year I did,I did these keychains that
(05:01):
looked like little sticks of RAM.
Oh nice, that's awesome.
And so it's got the four chipson there and these on the back.
It looks kind of similar to thebusiness card On these ones.
It was something where thefirst chip was unencrypted but
the rest of the chips wereencrypted and so you'd have to
(05:22):
solve the puzzles on the firstone to get the decryption key
for the second one, and thensolving those puzzles would get
you the decryption keys for thethird and the fourth and so on.
So it's kind of like you had toprogress through the, you know,
through the key chain.
So I don't know, I always tryto make some fun stuff like that
to pass out at DEF CON, becauseI feel like you know, if you
(05:45):
meet someone for the first timeat DEF CON and you're able to
just like, oh here, here'ssomething cool for you to play
with later, it's like you know,you've already met a friend
right there.
Nick Mellem (05:52):
They're going to like you and they're going to
they're going to chat with youand you know it leads to more
work.
I would assume Right In thatsense.
Dennis Pelton (06:00):
Yeah, it could lead to work, but more often
than not it just leads tomeeting a new friend, kind of
thing.
There you go.
This is good, yeah, I feel likeI think these ones, I think I
made a couple hundred of them,and that's the same with the
other keychains I did.
This was kind of the finalproduct of that keychain where
it has a little LED up there atthe top.
(06:20):
So when you make a successfulconnection to that chip, the LED
would light up.
Oh, neat top so when you make asuccessful connection to that
chip, the led would light up.
Nick Mellem (06:25):
Oh neat, but uh well, I think for me, the mo,
the question that keeps hittingme in the head is how did you
decide to do this?
Or do you have like insomnia atnight and you just are like why
should I be able to?
The coolest business card ever,or or what's the thought
process behind that?
Dennis Pelton (06:40):
so it's uh, it was actually.
Let me think here, it was theDEF CON the year that COVID hit
and it was all from home, yep,and it's something where that
year I was like, well, I can'tgo to DEF CON this year, and DEF
CON was really where I go tokind of learn new things and
stuff like that.
And so I was like, well, I'mgoing to do something for myself
(07:01):
, that I'm just going to takethose days off of work and I'm
going to do something for myself, that I'm just going to take
those days off of work and I'mgoing to learn something nerdy
on my own.
And I don't even remember whatkind of originally inspired it.
But I said, you know, I'm goingto learn how to make hardware,
that's going to be my thing.
And so I just started studyinglike crazy.
I started downloading like theprograms to actually start
(07:22):
building boards.
And you know, I just startedkind of ordering things and
being like, well, either this isgoing to work or it isn't, and
either way I'm going to learnsomething out of the deal.
So it's like each one I'vebuilt after that it started
getting a little more complexand, like you know, building out
a little further.
And you know there's plenty ofboards where I ordered it,
waited the two weeks or whateverit came and it totally didn't
(07:42):
work.
And it's like, well, okay, well, okay, what did I do wrong?
Well, start going overeverything and I don't know it.
Learned a little bit more fromeach one.
Nick Mellem (07:50):
Yeah, no, that's really fun, that's awesome.
Eric Brown (07:52):
Yeah, do you do any of the badge challenges at DEF
CON?
You mean?
Dennis Pelton (07:58):
like building badges, or you mean like the
actual yeah, with the actual DEFCON badge.
Eric Brown (08:03):
you know, do you try to go through the puzzles?
Yeah, I do, yeah.
Dennis Pelton (08:08):
So I've got a thing over there with all my DEF
CON puzzles and all thedifferent badges, and I usually
end up buying a lot of theaftermarket badges too, like the
ones the makers make.
And then actually you probablyremember this one I made these
for Wild West Hackenfest.
Eric Brown (08:22):
Oh cool.
Dennis Pelton (08:23):
Yep.
So with this one I know Ibrought a battery over here
somewhere.
So this one, when it lights upthe LEDs on the front, they're
actually not wired up to LEDpins, they're actually tapping
into the GPIO of gpio on there.
(08:46):
That's meant for outputs, soit's just spinning out kind of
random output which sets theleds to random colors and it
kind of shifts them every sooften.
But then on the back is one ofthose esp8266 chips that does
like wi-fi and stuff and so it'sbroadcasting out a Wi-Fi
(09:06):
network.
You can actually log into thebadge and do a lot of the hacks
that I talked about during that.
You know the Wi-Fi hacking fornoobs.
You can do those attacks fromthe badge.
How cool is that?
Yeah, so I thought that was areally fitting kind of thing to
bring to that conference.
Eric Brown (09:24):
Did you have a hard time getting those chips coming
out of the pandemic?
Dennis Pelton (09:29):
You know it's funny, those ones I haven't
really had much of a problemgetting and granted the main
brand that makes those I thinkthey're called AI Thinker.
Those ones I don't see themvery often, but I'm kind of like
.
You know, I haven't been burnedby the knockoffs yet, so I just
buy the knockoff ones, but youcan seem to find them pretty
(09:50):
much everywhere and the pricingreally hasn't gotten too absurd
on them yet.
But I don't know, maybe that'llchange as more people learn.
Eric Brown (09:59):
What do you have that makes the form like the
form of that sheriff's star thatyou have on that, uh, wild west
badge yeah, so I use, uh, it'scalled easy eda and it's
actually a like an eda programdeveloped by jlc pcb.
Dennis Pelton (10:19):
So they're kind of tightly linked in that way.
But, um, you can still exportas gerber and like buy them from
elsewhere if you want.
But if you buy them through jlcpcb, uh, they do something
where, like if you built it ineasy eda once a month you get
like an eight dollar off couponor something like that.
So basically it covers aprototype batch for free.
You still have to pay shippingusually, but it's like I get
(10:42):
prototypes for free every month.
Like sure, I'll keep using this.
But uh, yeah, so I just buildeverything through them and you
know there's I know there'sbetter programs out there, but
I've gotten so good and so fastwith easy eda.
I just kind of stick with it.
I know I need to learnsomething else, but I don't know
(11:03):
.
Eric Brown (11:03):
I feel like it's hard to change once you've
learned it so well in your uh,in your free time do you do
puzzle rooms, escape rooms,things like that?
Dennis Pelton (11:13):
I've never actually done one like I want,
because I'm like that's itsounds right up my alley, like I
feel like I need to be doingthese, but I I never have and uh
, I've only done those.
Uh, what do they call like thehunt killer or something like
that, where it's like the boardgames that there's a, there's a
killer and you look through allthe evidence.
I did one of those like onceand it was a blast.
(11:34):
I had a great time.
But yeah, I don't know, I justI I need to like get out more.
Eric Brown (11:39):
I think I I saw they had at one of the hotels at
Wild West last year.
They did have an escape roombut it was like only open on
Saturday afternoon or somethinglike that.
So we might be able to get agroup together this year and do
(11:59):
just kind of a couple privaterooms, just kind of a couple
private rooms, and I think theyhad an escape room, put on by
the conference as well, up onthe third floor that you just
had to sign up for in advance?
Dennis Pelton (12:11):
Yeah, Huh, okay, I may need to look in that for
next year.
Eric Brown (12:16):
Yeah, are you definitely going this year?
That's the plan.
Dennis Pelton (12:20):
Yeah, I mean, I had a blast there.
Unless there is some majorreason why I can't go, I will
definitely be there.
What other conferences will youdo so?
I did SHMU already this year.
I'm doing B-Sides Tampa, which,yeah, I've got something to
show you for that one too.
Let's see here.
So I'm on the wait list fortickets to ThoughtCon, but it's
(12:44):
Chicago.
Yeah, it's getting closer and Ihaven't heard back.
So I'm kind of like, eh, maybethat one's not going to happen.
Yeah, I mean really, defcon andWild West are kind of the two
main ones that I'm reallygunning for.
Eric Brown (12:58):
Yeah, I think we were trying to get to ThoughtCon
as well, and I know I'm on thewait list too.
And, scott, I think you weretrying to get a ticket too.
I don't know if you got one yetor not, but yeah, it seems that
one.
I saw it a couple months ago.
I was like I need to get thatticket and then a couple months
later's like I need to to getthat ticket, and then a couple
months later they were all gone.
Dennis Pelton (13:18):
Yes, that's exactly what happened to me is I
kept being like, oh, I need to,I need to figure that out.
And then all of a sudden it wasjust they were gone and I'm
like, oh well, okay, so I don'tknow, we'll see.
Oh yeah, so for b-sides, nickand I were talking earlier and
he was saying this is probablygoing to be aired after b-sides
actually happens, which is inApril 1st.
So, yeah, no one's supposed toknow about this yet, but I
(13:41):
figure, if it's going to beaired afterwards, it's okay.
Yeah, absolutely.
So I'm making the main badge forthem, like the attendee badge,
speaker badge, all that kind ofstuff, and it's really just a
PCB art.
So it doesn't actually doanything.
There's no electronics on it,it's just the art badge for now.
Next year we're going to try todo an electronic badge, but for
now it's just the art.
But for winners of the badgechallenge and for a couple of,
(14:06):
like select staff members andthings like that, I made these
right here, which is the calledthe Egru Vash.
Oh cool, that's cool.
And then when you turn it on,it's got blue eyes to initialize
and then it will go to kind ofbarely see it there, but the
eyes turn different colors andit will slowly shift through
(14:26):
colors as time goes on.
But if there's a Deoth attackthat happens, the eyes will turn
red and they'll kind of slowlypulse red while the Deoth attack
is going on as soon as itattacks it stops.
Then it goes back to the justkind of cycling through that is
so yeah, so it's kind of asimilar design to those other
ones where it uses that esb8266and stuff like that, and there's
(14:49):
um, yeah, so there's differentuh, flash and reset badge
buttons on here so that you canactually like hack the badge and
put whatever else you want onhere.
Have it do something else ifyou wanted to.
Eric Brown (15:00):
And then it looks like you've got the sponsors on
the back too, there.
Dennis Pelton (15:04):
Yeah, so there's a whole lot of sponsors.
It was difficult to fit themall on here.
Nick Mellem (15:11):
These badges are really turning into being like
an Olympic medal.
If you win that, how cool is itto try to win something and get
that like put it on your wallright?
That's awesome to have, exactly, yeah, a medal of honor badge
of honor yeah, so I'm doingthose.
Dennis Pelton (15:28):
And then, um, right now, sadly the boards
don't actually come for a fewmore days, but I've got kind of
a little prototype that I'vebeen building out over here.
Um, have you guys ever heard oflike a ham radio fox hunt?
I don't think so no.
So what they do is they'll takea transmitter that will play a
little like usually like a 15second tune, and then it kind of
(15:51):
identifies itself as a fox andit will just transmit that every
you know 15 to 30 seconds andyou hide it somewhere in the
city and then people usedirectional antennas and like
attenuators and things like thatto locate the fox based on the
signal that it's broadcastingsure so I've made a handful of
(16:11):
foxes that are little pcbs thatare actually shaped like foxes,
which I thought was kind offunny, and I'm planning on
hiding those around B-sides andjust telling people if you find
it, you get to keep it, and Ifigure that's kind of a fun
little twist on it, becauseusually foxes are, you know,
like 100 bucks or something likethat usually, and it's like you
(16:31):
know it'skind of a fun little thing to
just hack and play with.
Oh, that's cool, yeah.
Yeah, I thought it was kind ofa fun little idea, have you?
Eric Brown (16:40):
participated in those before, so I've never
actually done one.
Dennis Pelton (16:48):
I'm like so intrigued by them and I don't
know where any of them arehappening.
So I'm like if I just startlike throwing fox hunts, I'm
sure I will meet people who likethem and be able to do one
myself.
But for now I've just been likedoing tons of research and
being like am I doing this right?
I hope so.
We'll find out what a neatconcept.
Eric Brown (17:02):
Yeah, yeah, yeah so that should be fun.
Nick Mellem (17:06):
I don't know that might be cool for that.
Dennis Pelton (17:10):
Well, so that's the plan.
Is that defcon?
This is kind of my trial runFor Defcon.
I've contacted a couple ofartists who work in InfoSec and
the idea is to get a couple ofdifferent artists to make like
special limited edition, likeart ones.
So I'm trying to get some artfrom them on, like Fox.
The idea that I had was to, youknow, like, maybe one that was
(17:33):
space-themed and we could callit Star Fox One that's like fire
fox, stupid stuff.
Maybe one that was space themedand we could call it Star Fox
One that's like fire fox, stupidstuff, like that.
That was funny.
64.
Yeah you know, and I figured, ifwe do a couple of those and
make these really like limitedones and then just hide them all
over Vegas, like you know, I'msure people would go nuts
finding those.
Eric Brown (17:52):
That does sound cool , yeah, yeah.
Dennis Pelton (17:55):
So there's that.
And then, I don't know why, butat defcon I always see, like I
always see kids and they alwaysseem so bored, like you know
these kids are.
You know some of them.
I'm sure they're having a greattime, but they always just look
so bored whenever I see themthere.
So I thought of an idea where Iwanted to make these badges of
like an esp8266, but gigantic,to make it easier for like small
(18:17):
hands to experiment with andplay with.
And it actually works.
So you know, these are allwired up to these various pins
with kind of the little pull-upsand pull-downs on the back, and
so I'm going to try to make aton of these and anytime I see a
kid at DEF CON, I'm just goingto go up and hand it to him Like
here, this is for you, playwith it, learn it.
That is cool, you know, justfor something kind of fun, I
(18:38):
don't know.
So I brought a handful of thoseto Shmoo just to get like some
feedback on them, and I think Iwas charging like $20 for them
and just told people like look,I'm just, I'm constantly like
coming up with all these newideas and I'm like when do I
have time to do all this?
Eric Brown (19:01):
So I don't know, is it getting faster for you now to
make the badge once you've comeup with the idea?
Dennis Pelton (19:09):
Yes, definitely.
So once I had this Fox circuitdone, like once, I kind of
figured it all out as far aswhat pins needed to go where,
and really the firmware was whattook the most time.
I'm one of those people where,like, if you show me code I can
modify it to do what I want veryeasily.
But writing from scratch I'mnot great with, so I had to kind
(19:31):
of search around, find someprojects doing something close
to what I wanted and I was ableto easily kind of modify it from
there and get to work.
But once I had that done,building out the Fox shaped PCB
with all the parts where Ineeded them to go and all the
routing on there, I think thattook a few hours and that was it
.
And it's not too bad.
Eric Brown (19:49):
Are you in the Tampa area yourself?
Dennis Pelton (19:51):
I'm a little further north.
I'm up in Gainesville, oh, yeah, yeah north I'm up in
gainesville oh yeah, now we'redrawing.
Eric Brown (19:56):
You have the concept of the maker spaces there where
, um you know, people come inand they collaborate on kind of
a shared use set of equipmentyeah.
Dennis Pelton (20:07):
So we do have one here, but sadly it's like on
the far other side of town forme, like I'm kind of on the town
and it's really on the otherside, so I never actually make
it there.
Like I'm really sad that Idon't.
I wish I could get there moreoften, but yeah, I never end up
going.
Eric Brown (20:24):
So here in the Twin Cities they've got, I think, a
couple of those maker spaces,but one in particular hosts the
open Locksport group where theLocksport people come in and I
think it's like the firstThursday of the month, something
like that, and if you'reexperienced or inexperienced, it
(20:45):
doesn't matter.
Experience or inexperience, itdoesn't matter.
They've got a pretty good groupof people there that will give
you the picks if you want themor if you have your own, they
can show you some more complexthings.
But I bring it up because thatspace sometimes does some
interesting things, and a badgemaking workshop would be an
awesome idea for a space likethat, where people could come in
(21:06):
and maybe learn the basics ofhow to make one of these.
Dennis Pelton (21:10):
Yeah, honestly, I've had a couple people ask me
about doing a demonstration atDEF CON or something like that.
So I would like to.
It's one of those, if I canfind the time to make a short
presentation on my process,because I know everybody does it
a little differently, but thatis definitely a goal of mine to
(21:32):
to go out and do something likethat.
And then at b-sides, that'sanother thing that we had kind
of talked about, but I I kind ofgot in touch with them a little
too late for this year, butthey would like to do a kind of
hardware hacking village atb-sides.
Yeah.
So we've talked about kind ofyou know what that might entail
and things like that, and I'vegot a bunch of uh like little
(21:54):
bad usb kits to build your ownbad usb.
I've got probably probablyabout 100 of them.
So just sitting around and I'mlike, hey, you know, I'm happy
to donate these to theconference and you know we can
have people build these if theywant to.
But it's just kind of likegetting it all organized is
really going to take some time.
So we figured, okay, maybe fornext year we'll have kind of all
(22:14):
that in place to do it.
Eric Brown (22:16):
And maybe Wild West, too, would be a good place for
that.
Dennis Pelton (22:19):
That's actually true.
That probably wouldn't be a badidea either.
Yeah, yeah, I've got probablyabout 100 or so of the kits to
build your own.
Yeah, like, probably about 100or so of the kits to build your
own, and then I think I've gotabout 60 or so of like still
packaged ones that just arepre-made.
So we had talked about kind ofwhat to do with those two.
Like a buddy of mine and I.
(22:44):
We were talking about, you know, maybe buying a bunch of rubber
ducks, like little mini rubberducks, in bulk on Amazon and
kind of installing them in there.
So it's a little rubber duckythat has the USB coming out of
him and then just like hidingthem around DEF CON for people
to find and see if they plugthem in.
I don't know.
It's all this hardware thatI've built and I'm just like I
don't really know what to dowith this now.
I should probably sell it, butI don't know.
Nick Mellem (23:06):
I find it hard to believe that people at DEF CON
would pick up a rubber ducky andactually plug it into their
machine.
Dennis Pelton (23:12):
Well, so that was the idea was like, if we need
the code on it, just executesomething that hits a website so
we can get a counter of howmany people actually plugged it
Exactly.
Nick Mellem (23:21):
Because I don't know if you've seen the pictures
online or wherever.
But people put like a littleUSB like in the wall right, Like
in a brick wall, and they likecement around it.
You're supposed to just go upwith your computer and just like
kind of stand there, like whowould actually plug into?
Dennis Pelton (23:40):
this thing, but it's cool idea, I guess.
Yeah, oh yeah, I know Iremember at airports you see
those tables where it's justlike a row of usbs for people to
plug their laptops into charge,and every time I see it I kind
of go look at it and I'm likeman, it would be so easy to
convert that to be a rubberducky.
But it's like guys, pleasedon't do this.
So I don't know.
(24:01):
It's the stuff that you learnas you learn how easy it is to
make all this stuff.
Eric Brown (24:08):
Did you go to the car hacking village or look at
any of that sort of hardwarehacking stuff at DEF CON?
Dennis Pelton (24:15):
Yeah, honestly, a lot of my time is usually spent
in the hardware hacking village, but the car hacking has a lot
of fun stuff there.
I feel like I haven't done.
I barely scratched the surfacebasically of the stuff they have
there.
I feel like they do some reallycool stuff there.
I'm always done.
Even I barely scratched thesurface basically of the stuff
they have there.
But uh, yeah, I don't know.
I feel like they do some reallycool stuff there.
I'm always interested to likestick around and learn a little
bit more the voting machinevillage was pretty cool too.
Eric Brown (24:38):
Where they had the voting machines torn open, you
could see the insides.
Dennis Pelton (24:41):
That was neat yeah, yeah, I know it.
Every time I see those there, Ikind of think to myself I'm
like man.
I wonder if I can get my handson one of these, like not from
them but, like you know, findone on ebay like they do or
whateverit's like I don't want to mess
with theirs, but I would love totake one of those apart and be
able to actually, you know,really go to town on it, and you
(25:02):
know I'd probably break it, butit's like the stuff I'd learn
in the in betweenbetween timewould be amazing.
I bet Absolutely, yeah, likeI've heard horror stories about
how those things are built andmaintained.
Eric Brown (25:15):
Yeah, yeah, I can imagine.
Dennis Pelton (25:19):
But yeah, I'm trying to think if there's any
other.
Yeah, I don't know.
I've got so many projects goingon.
I recently picked up I recentlypicked up, it's everything that
you need for building a Wi-Fiadapter.
So there's, you know, you canpossibly see it on there.
(25:39):
It's so small but it accepts,you know, basically just the USB
inputs.
So you know power, ground, andthen data in, data out, and then
it gives you a antenna port andthat's essentially it.
So I've been looking into theidea of, like building my own,
you know, wireless adapterslately, see if that was
(26:00):
something I could do and I gotone working.
But the problem I've hit now isthat a lot of these chips that
they make in that type of formatare for Windows only and it's
like if I'm going to makesomething, I want it to be
usable by anybody.
You know, even if it was justlike Windows and Linux, that
would be better than nothing.
But I use Mac at home.
So I'm like I want something Ican use too.
Eric Brown (26:22):
What frequency is it ?
Dennis Pelton (26:23):
on.
Let's see here.
So they're BGN, I believe, iswhat they support.
Okay, yeah, but like I said,yeah, this one here is the
Realtek 8188 chip, but I ordereda couple different chips of
them to test them out.
Like I said, you know, I got itworking, but it's like if it
(26:45):
only works for Windows.
So actually I think this wasone of my yeah, so I made it in
the shape of dick, but becauseit just seemed kind of like a
funny thing to do, yeah, so onthe back here you can see like I
had to kind of Like right nowit's got two different
(27:05):
capacitors on there going intoit, but it seems like it's still
just not quite getting enoughpower at for the boot up on it,
sure?
so I had to take an externalpower supply and kind of touch
it to it to get it started, andthen, once the chip comes on,
it's able to run.
So I'm like, okay, well, nowI've got to figure out how to
get this thing a little extra.
I'm sorry, how are we going tostart?
Yeah, so it's kind of one ofthose situations where I'm like,
(27:25):
well, okay, you know someone.
So it's kind of one of thosesituations where I'm like, well,
okay, you know someone hassolved this problem.
I'm sure it's easy to solve.
I just need to figure out whatit is that I need for it.
But I don't know.
I feel like I need to find abetter chip first.
It's more universal fordifferent, for Mac and stuff
like that.
Eric Brown (27:40):
Have you done much with the Ponegachis or doing any
sort of E-ink screen?
Dennis Pelton (27:47):
So not the Ponegachis, those I would love
to play with.
That one is definitely on mylist of something, and I haven't
done the e-ink screens, but Ijust recently started messing
with screens more.
So I made that Hackbutt badgelast year for DEF CON.
It was a bad USB, so I had thisidea.
I was like it'd be kind offunny to make a hack, but again
(28:08):
this year, but for Wi-Fi.
So I've got a little screen onthis guy here.
Oh, he does basically yeah, yeahhe does essentially all the
same stuff as that Wild WestHackenfest badge.
But now you don't have to loginto the badge to do it.
You still can if you want to.
But it's got kind of likevarious.
You know, there's like a packetmonitor on here and things like
(28:29):
that.
It's all the SpaceHoon's ESP8266deauthor package, oh yeah, and
then I added a couple littlemodifications onto it and so
I've just started kind ofmessing with screens a little
bit.
I've been working with BlueTeam Village.
I might be doing their badgethis year Sweet, doing their
badge this year, sweet.
So if I end up doing theirs, um, the idea that I have if I can
(28:51):
make it work is going to be kindof a dual screen type thing.
So again, it's all like if Ican make it happen, especially
like within the time limit andstuff like that.
But uh yeah, I haven't done theinc ones yet.
I've got a couple friends whowork with them and they
absolutely love them but yeah sowe're gonna have to come find
you this year at defcon.
Eric Brown (29:12):
Get one of those badges.
Dennis Pelton (29:13):
That's cool, yeah yeah, I should have a number of
different things there atdefcon, so I should be pretty
easy to find.
Eric Brown (29:20):
I don't know, I guess, what's your like?
What?
Dennis Pelton (29:23):
is it 30 000 people?
Eric Brown (29:26):
there.
What's your price range onthose around 100?
Dennis Pelton (29:30):
you know, I don't even know yet if we do these
ones, I mean, it'll definitelybe less than 100, but um, I
always try to price my badgespretty much as low as I can get
them like to reasonably be.
So something like this I thinkthe uh, I think the total bomb
on this was around like 25 bucks, so it'll probably be like 40
oh sure I don't know um.
(29:51):
Yeah, it's very reasonable yeah, you know, for me it's, it's
like I don't have any tooreasonable.
yeah, well, and that's why I'mlike you know, what can I
reasonably do?
Because I I don't usually makea lot of money off the badges I
do.
In fact, a lot of the badgesthat I make I usually just end
up giving away for free anyway,because for me it's more of the,
the hobby, the fun of it, andit's like so the ones I do
(30:12):
charge for they pretty much justcover the cost of all the ones
I give away.
Like I would love to make abusiness out of it someday, but
that's kind of out in the future, I guess.
Eric Brown (30:23):
Do people have a way of reordering the badge from
you?
Dennis Pelton (30:28):
So last year I didn't do anything like that
because I really wanted to beable to actually meet the people
and chat with them and thingslike that.
But last year a lot of my DEFCON was just spent delivering
badges and chatting with peopleabout badges and I didn't get to
do much.
So this year I would reallylike to do that.
I haven't set up anything forit yet.
(30:49):
It'll probably be on tindy.
Um, I've got a buddy who'strying to start up a kind of a
badge life shop specifically for, like defcon badges and things
like that.
So if he ends up getting thatup in time, I'll definitely be
selling one there.
But I need to kind of figurethat side of it out.
Eric Brown (31:07):
Sure, that's cool.
Do we have anything else?
We were going to ask DennisNick.
Nick Mellem (31:12):
Well, I think that pretty much covers it, unless
Dennis.
Is there anything else coolthat you, anything that's
interesting to you, anythingyou'd like to jump into?
Dennis Pelton (31:21):
I don't know.
I'm trying to think if there'sany other badges I'm working on
right now or weird electronicsI'm trying to build.
Eric Brown (31:31):
Or are you a coffee guy, a bourbon guy like do you
have any vices like that, oh manboth.
Dennis Pelton (31:38):
Honestly, like beer is usually my big thing.
I've got a huge collection oflike stouts and stuff down here.
Oh, mate, age for you know, aslong as I can before I finally
give up and say it's time tocrack it open.
Nick Mellem (31:51):
You don't brew on your own at all.
I take it.
Dennis Pelton (31:53):
No, I tried it for a bit and I realized you
know, these other people makethem so much better and it would
take years to get to that leveland I'm like I just it's not
Let them do it.
Yeah, you know.
Nick Mellem (32:07):
That's how we feel.
With your badges, we're alreadydoing it, so good, let's let
him do it.
Dennis Pelton (32:13):
It's a fun hobby though.
Eric Brown (32:14):
It's worth getting into.
Where's your favorite place togo for beer?
Have you been to a particularpart of the country that you
think is pretty good?
Dennis Pelton (32:24):
Man, that's a tough question, I mean.
So we've got actually there's alocal beer shop here called
tipples and they, uh, theirselection is just constantly
changing and it's amazing.
So, like for me, I usually justgo down there and hang out with
them for a bit and they know mytastes at this point still, you
know, yeah, they're right.
(32:44):
Yeah, so you know, like my wifecalls it.
Uh, everyone knows you in thereeveryone knows your names.
Nick Mellem (32:51):
You're like norm, yeah, yeah, exactly.
Oh, there's a bunch of us.
Yeah, that's fun, but yeah,yeah, I don't.
There's nothing else from me,scott, I don't know if you have
anything, but uh, I had a listof things and we already breezed
through it.
Eric Brown (33:07):
Awesome well, dennis , we'll look for you at uh
defcon.
I guess we'll be first beforewild west, but wild west uh as
well and uh definitely want tomeet up and have a beer at
defcon oh, hell, yeah, I'd loveto dennis, if you can let all
the listeners know where theycan find you?
Nick Mellem (33:27):
Is there a Twitter?
Is your where you hang out orLinkedIn?
Dennis Pelton (33:32):
Yeah, so I'm on Twitter and I'm on Mastodon.
Nick Mellem (33:36):
Okay.
Dennis Pelton (33:37):
It's cold brew on both of them, but it's C0LDBRU
and I'm on InfoSec Exchange forMastodon.
Eric Brown (33:49):
Well, Dennis, thanks a lot for your time today
Always cool hanging out with you.
Dennis Pelton (33:53):
Learned a lot of things, thanks for having me.
Eric Brown (33:54):
Jim Want security leadership without the headcount
.
As an extension of the team, itAudit Labs will provide the
experts to guide and counselyour company.
We will start by creating acustom security program that
caters to your industry whileproviding transparency and
(34:16):
remediation to improve cyberposture while reducing risk.
Contact IT Autolabs to find outmore.
You're listening to the Audit presented by IT Audit
Labs.
Dennis, thanks for coming back.
Welcome back to the Audit by ITAudit Labs Today joining us.
We've got Nick Mellem and ScottRisdahl.
Hey, all Today we're talkingwith Dennis Pelton about some
(00:30):
hardware hacking.
And, dennis, you and I ran intoeach other at Wild West Hacking
Fest over the summer and youwere giving a presentation on
wireless for noobs, if I recall,and you did a previous episode
with us on that.
We thought we were going tocover both those things in one
(00:52):
episode, but we had a greatconversation there and I ran out
of time, so we thought let'sdedicate the whole episode to
hardware hacking.
And you've got a business card.
Unlike anybody else, you've got, from what I understand, an
encrypted version of your resumeon this chip on the card.
(01:14):
Yeah, yeah, how cool is that.
Dennis Pelton (01:21):
So I mean, did you follow the?
Because there's a QR code onthe back Did you follow that?
Eric Brown (01:24):
or anything.
I did not.
I mean, did you follow the,because there's a QR code on the
back?
Did you follow that, oranything?
I did not.
Dennis Pelton (01:27):
I should, though, so I mean it basically explains
kind of what you were justtalking about.
That on the card is a chip,that on the chip is an encrypted
copy of my resume, and so it'skind of a series of challenges
really, and challenge number oneis get the data off the chip.
There's a number of differentways you can go about it.
(01:47):
I've heard stories from otherpeople of how they were able to
get it off, and it's like eachperson tells me something new,
even ways I hadn't even thoughtof in the past, where I'm like,
oh, actually that's a rad way todo it.
I never thought about that.
But once you get the data off,it's encrypted.
So you have to determine whatkind of encryption was used and
how you can break thatencryption.
And if you take the time to doall that, there's my resume, but
(02:11):
there's also kind of a coverletter with a you know,
congratulations for solving this.
You are exactly the type ofperson that I want to work with,
the type of person who kind ofhas the drive and motivation to
do all of this just for thesheer fun of it.
You know, there's no reward,it's just you're just doing it
because you want to learn newthings, and so I thought that
was kind of a fun way to, youknow, kind of get that message
(02:33):
out there of like, look, I'mlooking to work someplace fun, I
want to work someplace.
That's cool.
That really has people thatjust want to do these things,
just to learn.
And so that was kind of theinspiration for me on making
these was I thought you knowwhat's something kind of fun
that I could give out to people,because most business cards you
get it and you go okay, cool,maybe you bring it home, but
then it ends up in the garbage.
Can?
Yeah, something like this.
(02:54):
I figured that's probably notgoing to end up in a garbage,
can you know, maybe some of themwill.
Eric Brown (02:58):
I don't know, but I tell you, dennis, I, since I I
met you, uh, black Hills, I'vehad this in my bag and I can't
tell you how many vendor cardshave gone in the bag and gone
right out of the bag, but thisis stuck around.
It's cool.
I've showed this to a fewdifferent people.
Dennis Pelton (03:23):
And yeah, it certainly is a neat concept.
Yeah, thanks.
Honestly, they were a lot offun to build.
I probably should do anotherrevision of it or something
these days, but when you'rebuilding it.
Nick Mellem (03:30):
How many?
How many are you building at atime?
Do you have 20, 50, 5?
Dennis Pelton (03:36):
I think I originally bought 30.
And then I think I actuallybuilt like 10 of them for the
first conference I went to.
I ended up passing them all out, went home and built the other
20.
And then now, anytime I go to aconference, I'll usually
reflash the chip with a new,updated version of my resume.
So I have to, kind of it's.
(04:02):
The one unfortunate thing aboutthe card is I have to kind of
keep updating it as time goes on.
But you know, I figure by thetime people solve it my resume
might change anyway.
But whatever, they can find meon LinkedIn or something like
that.
For the most recent, I don'tknow.
Eric Brown (04:11):
So what's the process that you go through to
build these?
Was this the first iteration ordid you have a few prototypes
before it?
Dennis Pelton (04:19):
So this was actually the very first one I
did, but I had built kind ofother you know puzzle-y type
things in the past.
Oh man, yeah, this is oldschool right here.
This was like the very firstrevision that I did, where it
was just like a little keychainand you know it just said
rot13labscom and it had thelittle chip on there and the
(04:40):
chip had some puzzles on it andit wasn't quite the same thing,
but you know it was similar onthere and the chip had some
puzzles on it and it wasn'tquite the same thing, but you
know it was similar.
And then, uh, then I ended upswitching up the keychain and
doing a little differently thanthat, but kind of similar.
And then, uh, I think that'sabout when I did that one and
then for defcon last year I did,I did these keychains that
(05:01):
looked like little sticks of RAM.
Oh nice, that's awesome.
And so it's got the four chipson there and these on the back.
It looks kind of similar to thebusiness card On these ones.
It was something where thefirst chip was unencrypted but
the rest of the chips wereencrypted and so you'd have to
(05:22):
solve the puzzles on the firstone to get the decryption key
for the second one, and thensolving those puzzles would get
you the decryption keys for thethird and the fourth and so on.
So it's kind of like you had toprogress through the, you know,
through the key chain.
So I don't know, I always tryto make some fun stuff like that
to pass out at DEF CON, becauseI feel like you know, if you
(05:45):
meet someone for the first timeat DEF CON and you're able to
just like, oh here, here'ssomething cool for you to play
with later, it's like you know,you've already met a friend
right there.
Nick Mellem (05:52):
They're going to like you and they're going to
they're going to chat with youand you know it leads to more
work.
I would assume Right In thatsense.
Dennis Pelton (06:00):
Yeah, it could lead to work, but more often
than not it just leads tomeeting a new friend, kind of
thing.
There you go.
This is good, yeah, I feel likeI think these ones, I think I
made a couple hundred of them,and that's the same with the
other keychains I did.
This was kind of the finalproduct of that keychain where
it has a little LED up there atthe top.
(06:20):
So when you make a successfulconnection to that chip, the LED
would light up.
Oh, neat top so when you make asuccessful connection to that
chip, the led would light up.
Nick Mellem (06:25):
Oh neat, but uh well, I think for me, the mo,
the question that keeps hittingme in the head is how did you
decide to do this?
Or do you have like insomnia atnight and you just are like why
should I be able to?
The coolest business card ever,or or what's the thought
process behind that?
Dennis Pelton (06:40):
so it's uh, it was actually.
Let me think here, it was theDEF CON the year that COVID hit
and it was all from home, yep,and it's something where that
year I was like, well, I can'tgo to DEF CON this year, and DEF
CON was really where I go tokind of learn new things and
stuff like that.
And so I was like, well, I'mgoing to do something for myself
(07:01):
, that I'm just going to takethose days off of work and I'm
going to do something for myself, that I'm just going to take
those days off of work and I'mgoing to learn something nerdy
on my own.
And I don't even remember whatkind of originally inspired it.
But I said, you know, I'm goingto learn how to make hardware,
that's going to be my thing.
And so I just started studyinglike crazy.
I started downloading like theprograms to actually start
(07:22):
building boards.
And you know, I just startedkind of ordering things and
being like, well, either this isgoing to work or it isn't, and
either way I'm going to learnsomething out of the deal.
So it's like each one I'vebuilt after that it started
getting a little more complexand, like you know, building out
a little further.
And you know there's plenty ofboards where I ordered it,
waited the two weeks or whateverit came and it totally didn't
(07:42):
work.
And it's like, well, okay, well, okay, what did I do wrong?
Well, start going overeverything and I don't know it.
Learned a little bit more fromeach one.
Nick Mellem (07:50):
Yeah, no, that's really fun, that's awesome.
Eric Brown (07:52):
Yeah, do you do any of the badge challenges at DEF
CON?
You mean?
Dennis Pelton (07:58):
like building badges, or you mean like the
actual yeah, with the actual DEFCON badge.
Eric Brown (08:03):
you know, do you try to go through the puzzles?
Yeah, I do, yeah.
Dennis Pelton (08:08):
So I've got a thing over there with all my DEF
CON puzzles and all thedifferent badges, and I usually
end up buying a lot of theaftermarket badges too, like the
ones the makers make.
And then actually you probablyremember this one I made these
for Wild West Hackenfest.
Eric Brown (08:22):
Oh cool.
Dennis Pelton (08:23):
Yep.
So with this one I know Ibrought a battery over here
somewhere.
So this one, when it lights upthe LEDs on the front, they're
actually not wired up to LEDpins, they're actually tapping
into the GPIO of gpio on there.
(08:46):
That's meant for outputs, soit's just spinning out kind of
random output which sets theleds to random colors and it
kind of shifts them every sooften.
But then on the back is one ofthose esp8266 chips that does
like wi-fi and stuff and so it'sbroadcasting out a Wi-Fi
(09:06):
network.
You can actually log into thebadge and do a lot of the hacks
that I talked about during that.
You know the Wi-Fi hacking fornoobs.
You can do those attacks fromthe badge.
How cool is that?
Yeah, so I thought that was areally fitting kind of thing to
bring to that conference.
Eric Brown (09:24):
Did you have a hard time getting those chips coming
out of the pandemic?
Dennis Pelton (09:29):
You know it's funny, those ones I haven't
really had much of a problemgetting and granted the main
brand that makes those I thinkthey're called AI Thinker.
Those ones I don't see themvery often, but I'm kind of like
.
You know, I haven't been burnedby the knockoffs yet, so I just
buy the knockoff ones, but youcan seem to find them pretty
(09:50):
much everywhere and the pricingreally hasn't gotten too absurd
on them yet.
But I don't know, maybe that'llchange as more people learn.
Eric Brown (09:59):
What do you have that makes the form like the
form of that sheriff's star thatyou have on that, uh, wild west
badge yeah, so I use, uh, it'scalled easy eda and it's
actually a like an eda programdeveloped by jlc pcb.
Dennis Pelton (10:19):
So they're kind of tightly linked in that way.
But, um, you can still exportas gerber and like buy them from
elsewhere if you want.
But if you buy them through jlcpcb, uh, they do something
where, like if you built it ineasy eda once a month you get
like an eight dollar off couponor something like that.
So basically it covers aprototype batch for free.
You still have to pay shippingusually, but it's like I get
(10:42):
prototypes for free every month.
Like sure, I'll keep using this.
But uh, yeah, so I just buildeverything through them and you
know there's I know there'sbetter programs out there, but
I've gotten so good and so fastwith easy eda.
I just kind of stick with it.
I know I need to learnsomething else, but I don't know
(11:03):
.
Eric Brown (11:03):
I feel like it's hard to change once you've
learned it so well in your uh,in your free time do you do
puzzle rooms, escape rooms,things like that?
Dennis Pelton (11:13):
I've never actually done one like I want,
because I'm like that's itsounds right up my alley, like I
feel like I need to be doingthese, but I I never have and uh
, I've only done those.
Uh, what do they call like thehunt killer or something like
that, where it's like the boardgames that there's a, there's a
killer and you look through allthe evidence.
I did one of those like onceand it was a blast.
(11:34):
I had a great time.
But yeah, I don't know, I justI I need to like get out more.
Eric Brown (11:39):
I think I I saw they had at one of the hotels at
Wild West last year.
They did have an escape roombut it was like only open on
Saturday afternoon or somethinglike that.
So we might be able to get agroup together this year and do
(11:59):
just kind of a couple privaterooms, just kind of a couple
private rooms, and I think theyhad an escape room, put on by
the conference as well, up onthe third floor that you just
had to sign up for in advance?
Dennis Pelton (12:11):
Yeah, Huh, okay, I may need to look in that for
next year.
Eric Brown (12:16):
Yeah, are you definitely going this year?
That's the plan.
Dennis Pelton (12:20):
Yeah, I mean, I had a blast there.
Unless there is some majorreason why I can't go, I will
definitely be there.
What other conferences will youdo so?
I did SHMU already this year.
I'm doing B-Sides Tampa, which,yeah, I've got something to
show you for that one too.
Let's see here.
So I'm on the wait list fortickets to ThoughtCon, but it's
(12:44):
Chicago.
Yeah, it's getting closer and Ihaven't heard back.
So I'm kind of like, eh, maybethat one's not going to happen.
Yeah, I mean really, defcon andWild West are kind of the two
main ones that I'm reallygunning for.
Eric Brown (12:58):
Yeah, I think we were trying to get to ThoughtCon
as well, and I know I'm on thewait list too.
And, scott, I think you weretrying to get a ticket too.
I don't know if you got one yetor not, but yeah, it seems that
one.
I saw it a couple months ago.
I was like I need to get thatticket and then a couple months
later's like I need to to getthat ticket, and then a couple
months later they were all gone.
Dennis Pelton (13:18):
Yes, that's exactly what happened to me is I
kept being like, oh, I need to,I need to figure that out.
And then all of a sudden it wasjust they were gone and I'm
like, oh well, okay, so I don'tknow, we'll see.
Oh yeah, so for b-sides, nickand I were talking earlier and
he was saying this is probablygoing to be aired after b-sides
actually happens, which is inApril 1st.
So, yeah, no one's supposed toknow about this yet, but I
(13:41):
figure, if it's going to beaired afterwards, it's okay.
Yeah, absolutely.
So I'm making the main badge forthem, like the attendee badge,
speaker badge, all that kind ofstuff, and it's really just a
PCB art.
So it doesn't actually doanything.
There's no electronics on it,it's just the art badge for now.
Next year we're going to try todo an electronic badge, but for
now it's just the art.
But for winners of the badgechallenge and for a couple of,
(14:06):
like select staff members andthings like that, I made these
right here, which is the calledthe Egru Vash.
Oh cool, that's cool.
And then when you turn it on,it's got blue eyes to initialize
and then it will go to kind ofbarely see it there, but the
eyes turn different colors andit will slowly shift through
(14:26):
colors as time goes on.
But if there's a Deoth attackthat happens, the eyes will turn
red and they'll kind of slowlypulse red while the Deoth attack
is going on as soon as itattacks it stops.
Then it goes back to the justkind of cycling through that is
so yeah, so it's kind of asimilar design to those other
ones where it uses that esb8266and stuff like that, and there's
(14:49):
um, yeah, so there's differentuh, flash and reset badge
buttons on here so that you canactually like hack the badge and
put whatever else you want onhere.
Have it do something else ifyou wanted to.
Eric Brown (15:00):
And then it looks like you've got the sponsors on
the back too, there.
Dennis Pelton (15:04):
Yeah, so there's a whole lot of sponsors.
It was difficult to fit themall on here.
Nick Mellem (15:11):
These badges are really turning into being like
an Olympic medal.
If you win that, how cool is itto try to win something and get
that like put it on your wallright?
That's awesome to have, exactly, yeah, a medal of honor badge
of honor yeah, so I'm doingthose.
Dennis Pelton (15:28):
And then, um, right now, sadly the boards
don't actually come for a fewmore days, but I've got kind of
a little prototype that I'vebeen building out over here.
Um, have you guys ever heard oflike a ham radio fox hunt?
I don't think so no.
So what they do is they'll takea transmitter that will play a
little like usually like a 15second tune, and then it kind of
(15:51):
identifies itself as a fox andit will just transmit that every
you know 15 to 30 seconds andyou hide it somewhere in the
city and then people usedirectional antennas and like
attenuators and things like thatto locate the fox based on the
signal that it's broadcastingsure so I've made a handful of
(16:11):
foxes that are little pcbs thatare actually shaped like foxes,
which I thought was kind offunny, and I'm planning on
hiding those around B-sides andjust telling people if you find
it, you get to keep it, and Ifigure that's kind of a fun
little twist on it, becauseusually foxes are, you know,
like 100 bucks or something likethat usually, and it's like you
(16:31):
know it'skind of a fun little thing to
just hack and play with.
Oh, that's cool, yeah.
Yeah, I thought it was kind ofa fun little idea, have you?
Eric Brown (16:40):
participated in those before, so I've never
actually done one.
Dennis Pelton (16:48):
I'm like so intrigued by them and I don't
know where any of them arehappening.
So I'm like if I just startlike throwing fox hunts, I'm
sure I will meet people who likethem and be able to do one
myself.
But for now I've just been likedoing tons of research and
being like am I doing this right?
I hope so.
We'll find out what a neatconcept.
Eric Brown (17:02):
Yeah, yeah, yeah so that should be fun.
Nick Mellem (17:06):
I don't know that might be cool for that.
Dennis Pelton (17:10):
Well, so that's the plan.
Is that defcon?
This is kind of my trial runFor Defcon.
I've contacted a couple ofartists who work in InfoSec and
the idea is to get a couple ofdifferent artists to make like
special limited edition, likeart ones.
So I'm trying to get some artfrom them on, like Fox.
The idea that I had was to, youknow, like, maybe one that was
(17:33):
space-themed and we could callit Star Fox One that's like fire
fox, stupid stuff.
Maybe one that was space themedand we could call it Star Fox
One that's like fire fox, stupidstuff, like that.
That was funny.
64.
Yeah you know, and I figured, ifwe do a couple of those and
make these really like limitedones and then just hide them all
over Vegas, like you know, I'msure people would go nuts
finding those.
Eric Brown (17:52):
That does sound cool , yeah, yeah.
Dennis Pelton (17:55):
So there's that.
And then, I don't know why, butat defcon I always see, like I
always see kids and they alwaysseem so bored, like you know
these kids are.
You know some of them.
I'm sure they're having a greattime, but they always just look
so bored whenever I see themthere.
So I thought of an idea where Iwanted to make these badges of
like an esp8266, but gigantic,to make it easier for like small
(18:17):
hands to experiment with andplay with.
And it actually works.
So you know, these are allwired up to these various pins
with kind of the little pull-upsand pull-downs on the back, and
so I'm going to try to make aton of these and anytime I see a
kid at DEF CON, I'm just goingto go up and hand it to him Like
here, this is for you, playwith it, learn it.
That is cool, you know, justfor something kind of fun, I
(18:38):
don't know.
So I brought a handful of thoseto Shmoo just to get like some
feedback on them, and I think Iwas charging like $20 for them
and just told people like look,I'm just, I'm constantly like
coming up with all these newideas and I'm like when do I
have time to do all this?
Eric Brown (19:01):
So I don't know, is it getting faster for you now to
make the badge once you've comeup with the idea?
Dennis Pelton (19:09):
Yes, definitely.
So once I had this Fox circuitdone, like once, I kind of
figured it all out as far aswhat pins needed to go where,
and really the firmware was whattook the most time.
I'm one of those people where,like, if you show me code I can
modify it to do what I want veryeasily.
But writing from scratch I'mnot great with, so I had to kind
(19:31):
of search around, find someprojects doing something close
to what I wanted and I was ableto easily kind of modify it from
there and get to work.
But once I had that done,building out the Fox shaped PCB
with all the parts where Ineeded them to go and all the
routing on there, I think thattook a few hours and that was it
.
And it's not too bad.
Eric Brown (19:49):
Are you in the Tampa area yourself?
Dennis Pelton (19:51):
I'm a little further north.
I'm up in Gainesville, oh, yeah, yeah north I'm up in
gainesville oh yeah, now we'redrawing.
Eric Brown (19:56):
You have the concept of the maker spaces there where
, um you know, people come inand they collaborate on kind of
a shared use set of equipmentyeah.
Dennis Pelton (20:07):
So we do have one here, but sadly it's like on
the far other side of town forme, like I'm kind of on the town
and it's really on the otherside, so I never actually make
it there.
Like I'm really sad that Idon't.
I wish I could get there moreoften, but yeah, I never end up
going.
Eric Brown (20:24):
So here in the Twin Cities they've got, I think, a
couple of those maker spaces,but one in particular hosts the
open Locksport group where theLocksport people come in and I
think it's like the firstThursday of the month, something
like that, and if you'reexperienced or inexperienced, it
(20:45):
doesn't matter.
Experience or inexperience, itdoesn't matter.
They've got a pretty good groupof people there that will give
you the picks if you want themor if you have your own, they
can show you some more complexthings.
But I bring it up because thatspace sometimes does some
interesting things, and a badgemaking workshop would be an
awesome idea for a space likethat, where people could come in
(21:06):
and maybe learn the basics ofhow to make one of these.
Dennis Pelton (21:10):
Yeah, honestly, I've had a couple people ask me
about doing a demonstration atDEF CON or something like that.
So I would like to.
It's one of those, if I canfind the time to make a short
presentation on my process,because I know everybody does it
a little differently, but thatis definitely a goal of mine to
(21:32):
to go out and do something likethat.
And then at b-sides, that'sanother thing that we had kind
of talked about, but I I kind ofgot in touch with them a little
too late for this year, butthey would like to do a kind of
hardware hacking village atb-sides.
Yeah.
So we've talked about kind ofyou know what that might entail
and things like that, and I'vegot a bunch of uh like little
(21:54):
bad usb kits to build your ownbad usb.
I've got probably probablyabout 100 of them.
So just sitting around and I'mlike, hey, you know, I'm happy
to donate these to theconference and you know we can
have people build these if theywant to.
But it's just kind of likegetting it all organized is
really going to take some time.
So we figured, okay, maybe fornext year we'll have kind of all
(22:14):
that in place to do it.
Eric Brown (22:16):
And maybe Wild West, too, would be a good place for
that.
Dennis Pelton (22:19):
That's actually true.
That probably wouldn't be a badidea either.
Yeah, yeah, I've got probablyabout 100 or so of the kits to
build your own.
Yeah, like, probably about 100or so of the kits to build your
own, and then I think I've gotabout 60 or so of like still
packaged ones that just arepre-made.
So we had talked about kind ofwhat to do with those two.
Like a buddy of mine and I.
(22:44):
We were talking about, you know, maybe buying a bunch of rubber
ducks, like little mini rubberducks, in bulk on Amazon and
kind of installing them in there.
So it's a little rubber duckythat has the USB coming out of
him and then just like hidingthem around DEF CON for people
to find and see if they plugthem in.
I don't know.
It's all this hardware thatI've built and I'm just like I
don't really know what to dowith this now.
I should probably sell it, butI don't know.
Nick Mellem (23:06):
I find it hard to believe that people at DEF CON
would pick up a rubber ducky andactually plug it into their
machine.
Dennis Pelton (23:12):
Well, so that was the idea was like, if we need
the code on it, just executesomething that hits a website so
we can get a counter of howmany people actually plugged it
Exactly.
Nick Mellem (23:21):
Because I don't know if you've seen the pictures
online or wherever.
But people put like a littleUSB like in the wall right, Like
in a brick wall, and they likecement around it.
You're supposed to just go upwith your computer and just like
kind of stand there, like whowould actually plug into?
Dennis Pelton (23:40):
this thing, but it's cool idea, I guess.
Yeah, oh yeah, I know Iremember at airports you see
those tables where it's justlike a row of usbs for people to
plug their laptops into charge,and every time I see it I kind
of go look at it and I'm likeman, it would be so easy to
convert that to be a rubberducky.
But it's like guys, pleasedon't do this.
So I don't know.
(24:01):
It's the stuff that you learnas you learn how easy it is to
make all this stuff.
Eric Brown (24:08):
Did you go to the car hacking village or look at
any of that sort of hardwarehacking stuff at DEF CON?
Dennis Pelton (24:15):
Yeah, honestly, a lot of my time is usually spent
in the hardware hacking village, but the car hacking has a lot
of fun stuff there.
I feel like I haven't done.
I barely scratched the surfacebasically of the stuff they have
there.
I feel like they do some reallycool stuff there.
I'm always done.
Even I barely scratched thesurface basically of the stuff
they have there.
But uh, yeah, I don't know.
I feel like they do some reallycool stuff there.
I'm always interested to likestick around and learn a little
bit more the voting machinevillage was pretty cool too.
Eric Brown (24:38):
Where they had the voting machines torn open, you
could see the insides.
Dennis Pelton (24:41):
That was neat yeah, yeah, I know it.
Every time I see those there, Ikind of think to myself I'm
like man.
I wonder if I can get my handson one of these, like not from
them but, like you know, findone on ebay like they do or
whateverit's like I don't want to mess
with theirs, but I would love totake one of those apart and be
able to actually, you know,really go to town on it, and you
(25:02):
know I'd probably break it, butit's like the stuff I'd learn
in the in betweenbetween timewould be amazing.
I bet Absolutely, yeah, likeI've heard horror stories about
how those things are built andmaintained.
Eric Brown (25:15):
Yeah, yeah, I can imagine.
Dennis Pelton (25:19):
But yeah, I'm trying to think if there's any
other.
Yeah, I don't know.
I've got so many projects goingon.
I recently picked up I recentlypicked up, it's everything that
you need for building a Wi-Fiadapter.
So there's, you know, you canpossibly see it on there.
(25:39):
It's so small but it accepts,you know, basically just the USB
inputs.
So you know power, ground, andthen data in, data out, and then
it gives you a antenna port andthat's essentially it.
So I've been looking into theidea of, like building my own,
you know, wireless adapterslately, see if that was
(26:00):
something I could do and I gotone working.
But the problem I've hit now isthat a lot of these chips that
they make in that type of formatare for Windows only and it's
like if I'm going to makesomething, I want it to be
usable by anybody.
You know, even if it was justlike Windows and Linux, that
would be better than nothing.
But I use Mac at home.
So I'm like I want something Ican use too.
Eric Brown (26:22):
What frequency is it ?
Dennis Pelton (26:23):
on.
Let's see here.
So they're BGN, I believe, iswhat they support.
Okay, yeah, but like I said,yeah, this one here is the
Realtek 8188 chip, but I ordereda couple different chips of
them to test them out.
Like I said, you know, I got itworking, but it's like if it
(26:45):
only works for Windows.
So actually I think this wasone of my yeah, so I made it in
the shape of dick, but becauseit just seemed kind of like a
funny thing to do, yeah, so onthe back here you can see like I
had to kind of Like right nowit's got two different
(27:05):
capacitors on there going intoit, but it seems like it's still
just not quite getting enoughpower at for the boot up on it,
sure?
so I had to take an externalpower supply and kind of touch
it to it to get it started, andthen, once the chip comes on,
it's able to run.
So I'm like, okay, well, nowI've got to figure out how to
get this thing a little extra.
I'm sorry, how are we going tostart?
Yeah, so it's kind of one ofthose situations where I'm like,
(27:25):
well, okay, you know someone.
So it's kind of one of thosesituations where I'm like, well,
okay, you know someone hassolved this problem.
I'm sure it's easy to solve.
I just need to figure out whatit is that I need for it.
But I don't know.
I feel like I need to find abetter chip first.
It's more universal fordifferent, for Mac and stuff
like that.
Eric Brown (27:40):
Have you done much with the Ponegachis or doing any
sort of E-ink screen?
Dennis Pelton (27:47):
So not the Ponegachis, those I would love
to play with.
That one is definitely on mylist of something, and I haven't
done the e-ink screens, but Ijust recently started messing
with screens more.
So I made that Hackbutt badgelast year for DEF CON.
It was a bad USB, so I had thisidea.
I was like it'd be kind offunny to make a hack, but again
(28:08):
this year, but for Wi-Fi.
So I've got a little screen onthis guy here.
Oh, he does basically yeah, yeahhe does essentially all the
same stuff as that Wild WestHackenfest badge.
But now you don't have to loginto the badge to do it.
You still can if you want to.
But it's got kind of likevarious.
You know, there's like a packetmonitor on here and things like
(28:29):
that.
It's all the SpaceHoon's ESP8266deauthor package, oh yeah, and
then I added a couple littlemodifications onto it and so
I've just started kind ofmessing with screens a little
bit.
I've been working with BlueTeam Village.
I might be doing their badgethis year Sweet, doing their
badge this year, sweet.
So if I end up doing theirs, um, the idea that I have if I can
(28:51):
make it work is going to be kindof a dual screen type thing.
So again, it's all like if Ican make it happen, especially
like within the time limit andstuff like that.
But uh yeah, I haven't done theinc ones yet.
I've got a couple friends whowork with them and they
absolutely love them but yeah sowe're gonna have to come find
you this year at defcon.
Eric Brown (29:12):
Get one of those badges.
Dennis Pelton (29:13):
That's cool, yeah yeah, I should have a number of
different things there atdefcon, so I should be pretty
easy to find.
Eric Brown (29:20):
I don't know, I guess, what's your like?
What?
Dennis Pelton (29:23):
is it 30 000 people?
Eric Brown (29:26):
there.
What's your price range onthose around 100?
Dennis Pelton (29:30):
you know, I don't even know yet if we do these
ones, I mean, it'll definitelybe less than 100, but um, I
always try to price my badgespretty much as low as I can get
them like to reasonably be.
So something like this I thinkthe uh, I think the total bomb
on this was around like 25 bucks, so it'll probably be like 40
oh sure I don't know um.
(29:51):
Yeah, it's very reasonable yeah, you know, for me it's, it's
like I don't have any tooreasonable.
yeah, well, and that's why I'mlike you know, what can I
reasonably do?
Because I I don't usually makea lot of money off the badges I
do.
In fact, a lot of the badgesthat I make I usually just end
up giving away for free anyway,because for me it's more of the,
the hobby, the fun of it, andit's like so the ones I do
(30:12):
charge for they pretty much justcover the cost of all the ones
I give away.
Like I would love to make abusiness out of it someday, but
that's kind of out in the future, I guess.
Eric Brown (30:23):
Do people have a way of reordering the badge from
you?
Dennis Pelton (30:28):
So last year I didn't do anything like that
because I really wanted to beable to actually meet the people
and chat with them and thingslike that.
But last year a lot of my DEFCON was just spent delivering
badges and chatting with peopleabout badges and I didn't get to
do much.
So this year I would reallylike to do that.
I haven't set up anything forit yet.
(30:49):
It'll probably be on tindy.
Um, I've got a buddy who'strying to start up a kind of a
badge life shop specifically for, like defcon badges and things
like that.
So if he ends up getting thatup in time, I'll definitely be
selling one there.
But I need to kind of figurethat side of it out.
Eric Brown (31:07):
Sure, that's cool.
Do we have anything else?
We were going to ask DennisNick.
Nick Mellem (31:12):
Well, I think that pretty much covers it, unless
Dennis.
Is there anything else coolthat you, anything that's
interesting to you, anythingyou'd like to jump into?
Dennis Pelton (31:21):
I don't know.
I'm trying to think if there'sany other badges I'm working on
right now or weird electronicsI'm trying to build.
Eric Brown (31:31):
Or are you a coffee guy, a bourbon guy like do you
have any vices like that, oh manboth.
Dennis Pelton (31:38):
Honestly, like beer is usually my big thing.
I've got a huge collection oflike stouts and stuff down here.
Oh, mate, age for you know, aslong as I can before I finally
give up and say it's time tocrack it open.
Nick Mellem (31:51):
You don't brew on your own at all.
I take it.
Dennis Pelton (31:53):
No, I tried it for a bit and I realized you
know, these other people makethem so much better and it would
take years to get to that leveland I'm like I just it's not
Let them do it.
Yeah, you know.
Nick Mellem (32:07):
That's how we feel.
With your badges, we're alreadydoing it, so good, let's let
him do it.
Dennis Pelton (32:13):
It's a fun hobby though.
Eric Brown (32:14):
It's worth getting into.
Where's your favorite place togo for beer?
Have you been to a particularpart of the country that you
think is pretty good?
Dennis Pelton (32:24):
Man, that's a tough question, I mean.
So we've got actually there's alocal beer shop here called
tipples and they, uh, theirselection is just constantly
changing and it's amazing.
So, like for me, I usually justgo down there and hang out with
them for a bit and they know mytastes at this point still, you
know, yeah, they're right.
(32:44):
Yeah, so you know, like my wifecalls it.
Uh, everyone knows you in thereeveryone knows your names.
Nick Mellem (32:51):
You're like norm, yeah, yeah, exactly.
Oh, there's a bunch of us.
Yeah, that's fun, but yeah,yeah, I don't.
There's nothing else from me,scott, I don't know if you have
anything, but uh, I had a listof things and we already breezed
through it.
Eric Brown (33:07):
Awesome well, dennis , we'll look for you at uh
defcon.
I guess we'll be first beforewild west, but wild west uh as
well and uh definitely want tomeet up and have a beer at
defcon oh, hell, yeah, I'd loveto dennis, if you can let all
the listeners know where theycan find you?
Nick Mellem (33:27):
Is there a Twitter?
Is your where you hang out orLinkedIn?
Dennis Pelton (33:32):
Yeah, so I'm on Twitter and I'm on Mastodon.
Nick Mellem (33:36):
Okay.
Dennis Pelton (33:37):
It's cold brew on both of them, but it's C0LDBRU
and I'm on InfoSec Exchange forMastodon.
Eric Brown (33:49):
Well, Dennis, thanks a lot for your time today
Always cool hanging out with you.
Dennis Pelton (33:53):
Learned a lot of things, thanks for having me.
Eric Brown (33:54):
Jim Want security leadership without the headcount
.
As an extension of the team, itAudit Labs will provide the
experts to guide and counselyour company.
We will start by creating acustom security program that
caters to your industry whileproviding transparency and
(34:16):
remediation to improve cyberposture while reducing risk.
Contact IT Autolabs to find outmore.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.