
Obviously, one of those is me. The other one is Rich. Um, if you talk to Rich, he'll tell you that I did all the work and that uh this is totally my project and he has nothing to do with it. But I'm going to tell you that Rich is way too modest. Without Rich, this display would never have come together. It never would have worked. He and I spent weeks getting the damn thing working. and um well yeah so um this was originally a talk I gave at DerbyCon. It was one of their stable talks. It was only 25 minutes slot. So I had to sort of redesign the thing to fit an hour time
slot. So uh one thing I didn't do then was a nice intro. Uh so hi, I'm Nate. Um I took several pictures like this to try to fill this slide and this was the one that felt bad. I don't know why. I think I like the sunset in the background. So uh um in my career I have worn many, many hats. Oh, here's how you can find me on my ebase. Um you can find my website from there, my Twitter, lots of other things. Um the name gangrif is what I've been using for a lot of public things, like uh Twitter. So, gangrif. I've worn many hats, and bonus points to anybody who can tell me what
book this picture is from. Nope. Dr. Seuss. It's Dr. Seuss. You're close. Not the Cat in the Hat. Looks like the Cat in the Hat. No, man. No. Do you remember what book it's from, Kira? Okay. Speak up so people can hear you here. Five. Five. What? Five. The 500 Hats of Bartholomew Cubbins. Right. So I've uh I've done help desk, like most people in IT started out. Um after I did help desk I moved up to network support. Uh the same company, uh then I moved on to a little company uh where I was the network administrator, which was basically a very broad title which said if it has a CPU in it, it's your
responsibility, because we were uh like 10 people and there was me and one other admin and we had to do everything. So that exposed me to a lot of networking gear and a lot of systems gear, and uh all of this time what I really wanted to be was a sysadmin. So finally I got the chance to move on to Lafayette College as a system administrator. I work with a lot of Linux there. Not this kind of Linux. However, when I was looking for a picture to fill this slide, uh I ran across this and I thought it was too funny to not include, apparently a cleaner line called Linux. Uh but no, um
this kind of Linux. So I I like a lot of people who like Linux, I really despise Windows. So I'm very happy that I ended up in a role that does almost 100% Linux. Uh and all the Kool-Aid that I drink in my Linux career is red. And by that I mean I'm Red Hat certified in several ways. I'm a Red Hat certified system administrator, Red Hat certified engineer, and a Red Hat certified virtualization administrator, which means that uh if Red Hat makes it, I can probably run it. So, uh in my in in the time that I've been in it, I've gone by several different handles. We're all familiar with people. This the struggle that is
how do we name ourselves online? This is what I'm using currently. Uh depending on when you met me and uh what genre we we met in, you could have met me by several other names. One of them is war. That's a pretty unpopular term, which is why I've been using the term, or using the name, gangrif. This came from uh a group I was in in high school who called ourselves the four horsemen of the apocalypse. Whatever. In my BBS days, I was Venom, and I still use that term, or that name, in the BBS community. Um, I'm a member of a project called the Major BBS Restoration Project. If you're interested in very old software or BBSes
in general and you happen to like the major BBS or world group, you should look up that group on Facebook. It's pretty
good. All right. And to some people, a very small subset of people in this world, I'm called daddy. And one of those people is right here. This is my little girl. Can you tell them your name? Kira. Your name is Kira, right? What grade are you in? Kindergarten. How old are you? Five. Right. So, she's here um to be my little hat model. And if anybody There's going to be a point where I'm going to take off the hat and take the battery out of it so you guys can have a look at it. If anybody wants to see it, all you have to do is raise your hand and she'll bring it to you.
Okay. So, we like to do things together. This is one of the fun things we've done. I figured I need a slide that had us in it. This is the best one I could find. Yep. Right, kiddo. You had fun on that trip, didn't you? Uh, right. It was a long Mhm. Where was mommy in that picture? She took the picture, right? You remember why she was afraid? This is one of the hobbies I like to uh uh get into while I'm not in front of a computer. Um unfortunately my wife Jess, who's also here in the audience, uh gets a little paranoid when we're doing things where we're not level or stable safe. So why did I come here? Why did you come
to see me? And what the heck did I build? Well, I built a hat for DerbyCon. This is a picture I took right as I got the hat, to sort of show off like, "Hey, look, I got this derby." Cuz this was dumb luck. I found a great derby for $20 uh online. Uh so, the derby inside of it has a Raspberry Pi and the Raspberry Pi is connected to a wireless adapter, which you can see connected to that little wireless hub there, or little USB hub, next to the crochet companion cube that my wife made me, and an external OLED display which you can see inside of the hat, obviously. Um, so why would I put all those things
into a Derby? Well, thing runs a capture the flag contest all built inside of Derby. You can connect to it wirelessly. You can probably see its SSID right now if you look for Derby Corp Alpha. So, uh, we actually built two of these. Derby Corp Alpha is mine. Derby Corp Beta was Rich's. I guess Rich didn't bring it along. Sorry, you failed. Sorry. I did tell you I didn't need it. So, right. So, um Right. So, there's a whole it's it's a self-contained host inside of the hat. I run a number of services on the Raspberry Pi. Uh those are served out via a wireless access point that's also hosted from the single Raspberry Pi in
the hat. And you can connect to them and you can try to break into them. And there's actually a scoreboard and everything. And I'll get into that more later. Uh so, why the heck? Well, here I guess here's a good point. I can take this off. And if you guys wanted to see how I built this thing, let me just get it. I'm going to pull the battery out so you can see what's underneath the battery. Don't take it out. Don't take it out. Why? See, then it won't work. Well, I won't, I'll try not to disconnect the battery. Okay, keep it in. Are you going to put it back in, Daddy? I'll put it back in when you're done.
How's that sound? All right, you get down with the chair. I can't. You can't hear.
Okay, remember what I told you yesterday? If anybody puts their hand up cuz they want to see the hat. So, you guys hear that? If you want to see the hat, pick up the hat, kiddo. Make sure you don't drop it. Anybody that puts their hand up, they can see the hat. Right. Okay. So, now that you can see it, so why did I build this thing? Well, mainly because I'm a hacker. When I searched for pictures to depict a hacker, this was one of the first that came up. Um, it's actually a Russian hacker according to the site that I got on. So, I don't know. Maybe in Russia they have to wear those masks to keep warm.
No, really, this kind of hacker. Um, and yeah, you've seen this picture before. So, why is this guy a hacker? Is it because of the uh the picture of a Firefly in the background, or we above his head, or I think it's because of the shirt? Not because of the shirt, but because of what the shirt implies. Relax. I can fix it. So, um I like challenges. I like to be able to uh to overcome obstacles, and that enables me to do things like build a CTF inside of a hat, uh be a system administrator, um tinker on things on my Jeep, uh build Jeeps from scratch, which is a project I've got going on at the moment, um or
you know, reattach Barbie doll arms to broken Barbies. Nobody else wants to see it. I tell you what, keep it on the table. If you want, you can sit up here again or you can go sit with mommy. Want to sit up here still? Okay, you can do that. The first rule. All right. Don't worry. I know someone can fix that. Yeah, I'll put it back in later. Okay, I'll put the battery back in and we can put it back on when we leave. Okay, how's that sound? All right, so uh so what about the hat itself? Um I really, the the the original goal here was, so in 2014 uh DerbyCon had this contest called
Hack Your Derby where uh people would build derbies and do interesting things like this one does. And there was a contest where you could enter it in and I forget what the rewards were, but whatever. It sounded like a fun whiskey. Was it whiskey? Yeah, I ran the contest and I apologize for not running it this year. It's your fault. That's my next point. My next point is I took this thing to Derby Con not realizing that the contest wasn't on this year. I couldn't go this year. I heard there was a baby involved or something. Well, I asked for other people to step up and run the contest. Nobody did and nobody stepped up so I wasn't there and so it
wasn't run. But the first year we ran it last year, not this last year, the year before that. We had whiskey. We had gift cards to ad approve. We had Amazon gift cards. We had a lot of good prizes and we had some good some good hack derbies. Nothing like this. But uh I wasn't there this year. You stepped up and there was no contest. So yeah, this this one if there if I go next year and there is a contest well then this would be hell. Good. Well, next year we're hoping to build an even better one. We haven't decided what that's going to be yet, but uh we got a lot of I've got a lot of
interesting ideas that they may not pan out. But anyway, uh so the idea was to enter in the contest. Um but it was also it sounded like a fun thing to build. Uh when we heard about the contest in 2014, this is what we thought people were going to be bringing. We thought, you know, compute in a hat people try to break into because that's sort of the theme, right? There's there's a bunch of penetration testers, right, whatever that all get together. So, uh when the contest wasn't on, I mean, honestly, if I had heard before we got there that it wasn't on, I still would have built the thing. I mean, it was a fun project. For
comparison, in 2014, the two winners were: one was uh Dr. Beerac, who built a mobile whiskey distribution system. Yep. Out of his hat. Including ice and and soda and whatnot. Uh and the other winner was uh Integral, who built a sound activated light display using LE wire. EL wire. EL wire. Yeah. It was a great, he did a great build. They built it all at the conference and it was very well uh put together, very neat, and worked wonderfully. So those were the two winners. I think if this was there in 2014 it I don't have any Yeah. That's more literal. Yes. Right. So the I I actually got to talk to Integral while we were there. He said he was planning
on building a hat with a plasma speaker in it. Oh. For this year. But when he found out the contest wasn't on, he decided to save it for next year. So anybody who's going next year, now you've got a heads up: Integral is planning on building a hat with a plasma speaker in it. So anyway, um back on topic here. So um but most of all I thought it would be a fun challenge, you know, to try to do this. I think I already mentioned that. So uh this was what my office looked like at work for the better part of two months. Don't go anywhere with that, kiddo. Okay. Uh so Rich and I
would meet, what was it? Weekly? At the end it was weekly. At first, it was bi-weekly and we would try to work through all these various problems. Um, the college was kind enough to put up with this and fund the project. So, at the end, we probably spent, I don't know, 600 bucks or so on parts and and everything. Remember, we figured it was going to be like 300 bucks a hat. Yeah, that's where we ended up. That was one. Yeah, but we we did two hats. All right. 300 times two, Rich. You're smart. I'm sorry. So anyway, we had a couple of goals going into it. A, you know, we wanted this, I mean, this idea for the platform
came right after DerbyCon 2014. We're like on the ride home from Louisville to Pennsylvania talking about what can we do with this thing? Um, we didn't actually start building it until June or so, May, I don't. Anyway, uh, so we had a couple of goals. The first goal was we wanted the thing to run self-contained on battery power for up to 16 hours. Uh we ended up a lot higher than that. The battery that we bought got us like closer to 30 hours. So that might have been overkill. Next time we could probably go with a smaller battery, uh and save some room in the hat. Uh the second thing is we wanted to be able to
recharge that battery within six hours, because face it, you don't get 8 hours of sleep at DerbyCon and most conferences because you're out talking to people, partying or whatever until the wee hours at night, and then you need to get some sleep in and get up for the 8 a.m. talks the next morning. Uh so we wanted that. Uh we wanted it to not emit a ton of heat because we had to wear these things on our heads, and we wanted it to be as as as aesthetically pleasing as possible. And as you can see, other than the screen, this thing just looks like a derby. There's no holes for ventilation. There's no We toyed with the idea of an
external antenna just to draw some attention to it, but we decided against it. Um, and the third goal, which came up closer to the end, was we wanted the thing to feel as much like an appliance as possible, which was wake up, plug it in, wait for it to boot up, and go. No tinkering, no, you know, connect to it from my laptop and make sure that all the scripts are running and whatever. So, I put a lot of work into making sure that everything that the thing ran either ran at boot time or was a service that uh the the OS on the Raspberry Pi could just start at boot time. Um or that it was somehow timed, which was the
only time the only thing we ran into, which um the morning leaving for DerbyCon, we turn on our hats as a sort of a last check. Yes. And there was a there's a special mode I put the display into um in the evening time called party mode. the thing that would display something other than its usual advertise loop for the for the parties that that occur at at DerbyCon. And we turn on the hats and they're both in party mode because when we turned them off last time, I I was testing party mode. So, the time still thought the thing was there was a there was a time set in the the script that after like 8:00 p.m. at
night, it would go into party mode. It would turn off at like 2:00 in the morning, right? Turns out there's no battery on the Raspberry Pi. It can't keep time when it's turned off. So every morning we had to turn it on and connect to reset the time. But you know that was minor. So uh the the last thing that we needed to make sure was w obviously wireless range because if we want people to be able to connect to the thing you need enough range down you want to sit
down. Anyway, so we we wanted to be able to cover a single conference room. So, picture a room like this size. We wanted to make sure that the guy in the back corner could still connect. You try to get up. Okay, good job. Uh, and I think we got that via the little USB wireless adapter that we had in there. So, some highlights about what we ended up putting in. So, we used the Raspberry Pi A+ because it's small. Uh, it's got a pretty compact form factor. It uh has pretty low power consumption. Um, and it's got a single USB port, which is all we thought we needed. We ended up with the USB hub for power reasons, and I'll
go into that. I guess I can go into that at this point, honestly. Um, we had read that the power supply in the Raspberry Pi was a little bit finicky, right? So, the output to the USB to power the US to power the Wi-Fi adapter. We heard sometimes, maybe it was with all the older models or whatever, that the the output voltage on the USB was not always stable. So, we decided it was better to have a powered USB hub. So, the way we connect the thing is the battery powers the USB hub, which then powers the Raspberry Pi, which then the Raspberry Pi connects back to to connect the wireless adapter, which is sounded crazy. I was surprised
it even worked, but it did, because the input on the Pi is just power. The output on the Pi is standard USB. Um, so whatever, it worked out. Uh, the next thing was obviously the the display. Uh we ended up with a 16x2 character OLED from Adafruit. Um we went with OLED because it lights up really nice, makes it easy to see. Um and it's also lower power consumption than LCD. So uh USB hub I already talked about. Uh we ended up with an OURLiNK Wi-Fi adapter from Adafruit just because everyone said it would work well with the Pi, that the Raspbian software we ended up with uh would, you know, there's already drivers built in and whatnot. So that
wasn't going to be a problem. And we ended up with a 20,000 milliamp hour battery, which by the way, you can get a 20,000 mAh battery for powering things like cell phones and whatnot off of Amazon for a whopping $16, which I was floored when I found out. Uh, we found out later that that's because the thing only outputs 1 amp and it only it only uh you can only charge it at 1 amp. So, we thought this was going to be a huge problem for our charging, but it ended up that because we had overbuilt the thing so much, it was still able to charge enough overnight. Um, so that's it's kind of off the edge of the screen. On the side
here is a picture. We had torn one of the batteries apart. We bought three so we'd have a spare. We only needed two. Um, we tore one apart to see if we could take the batteries out of it and mount them in the hat instead of just keeping it inside of the container that it's already in. Uh, we decided against that afterward, but I had already torn the thing apart at that point. So, I thought, hey, let's put a picture in there.
Okay, thank you. Okay, so the other picture is the back of the OLED display. So, you see these tiny little uh specks that you might call resistors. I'll point one out. Maybe you've already seen them, but uh these things are kind of blurry on the screen. So, we had originally read, yeah, you can use OLED displays with Raspbian with this cool Python library. Uh all you have to do is run your your display in SPI mode, which is serial mode. That's compared to parallel mode, which it comes in when you buy the thing. And all you have to do to do that is move a couple of these tiny little speck resistors. So, we thought, okay, Rich has some
experience with soldering. Um, he actually runs a class at a local community college that deals with uh you're using um Arduino, not Arduinos and uh LCD displays. So, he had some experience with the whole mobile deal. So, we thought, all right, Rich can do this. He moves the things around and then it doesn't work. So, we read some more documentation and the documentation doesn't match what we found from the spec sheet for the uh the OLED display. And the the guy who wrote the the uh this little how-to that we were following, his pictures didn't match what he was telling us to do. So, we ended up just saying, "We're going to put it back in parallel mode and figure
it out." So, we put the thing back to parallel mode. So, Rich not only had to surface mount solder once, he had to then move it all back. So on the second display when we bought it, we didn't even bother with any of that.
Thank you. So um I I'll get into more about the the woes with the display as we talk about software side of things. Um actually no, I'll talk about the display right now because I had this slide about the pinout of the display. This was another uh challenge. Um this having been the first project either of us had done with a Raspberry Pi. Uh when we were starting to read about pinouts on how to connect the display to the Pi, there was a lot of confusion because the numbering on the the pin block for the Raspberry Pi, the numbering for the GPIO pins, it there seems to be lots of methods to number these things. And
unless all of your pieces are using the same method, obviously you end up with the wrong pin. So uh this is what we we decided to show: the physical pins. So this is the physical pin on the OLED, which were those little blocks you see at the top that Rich had soldered with some uh some pins that we could we tested with. Um and then this is the physical pin on the Raspberry Pi that we connected them to. And then of course what that pin does, right? So this is the uh on the Raspberry Pi side what the pin does. I didn't feel it necessary to enumerate what they do on the
OLED side, but uh if you decide to build one of these things and you use the library that we used, this is the pinout you're going to need. And all of this is in a blog entry that I wrote um that'll be, that's already available. It'll be on the last slide in the in the uh presentation. So, the next thing is the software itself. Um, obviously you can take all the hardware you want and slap it into a hat. But if you don't have software to make it all work together, all you've got is a hat and it's done. So on the Raspberry Pi, we're running Raspbian Wheezy because it was the
latest that was available at the time. Uh, Jessie was released, I think, or soon to be released, but we decided to go with Wheezy because that was what was convenient. Uh, also the how-to that I was reading on how to get dhcpd and hostapd and whatnot working um, used Wheezy. So, I figured whatever. Uh, of course, we're using hostapd and dhcpd to host the wireless access point. Um, I gave dhcpd 65,000 IP addresses, which in hindsight was overkill. Um, the conference only has like what, 3,000 people, DerbyCon, that is. Uh, so I probably didn't need so many IPs. I also set the lease timeout to, a while being 1 minute, because again I just didn't
know what to expect and I didn't want to run out of leases in the middle of the conference because you know they were 8 hour leases and people were disconnecting reconnecting whatever. Um the AP I did not put any sort of encryption on it. I didn't put any kind of password. You didn't have to try to break the AP. The AP was there to give you access to the derby. It wasn't meant to be a challenge. It was meant to be connect to this thing and there you are. Um, and then of course lots of Python to tie all this stuff
together. So the next challenge we had to overcome software-wise was the actual library to control the OLED display. So you can see it's upside down because of the way things are oriented here, but you can see on the display as it cycles through its things, it does this little Pac-Man animation. It displays on both lines, which, you know, when you buy a two-line OLED, it's it's nice to be able to use both lines. Well, the um the library that we found that someone had sort of, they they took Adafruit's uh LCD display library and they sort of hacked it around to work with the OLED, which was a matter of timing and a few
other, you know, this does this function and this does that one. There was some things changed around, but uh in the at the end of the day, the thing just didn't work right. It would only display one line. Um there was no easy way to just do things like clear the display or reset it. Like there were functions there. They didn't seem to work the way we wanted to. We couldn't position things on the display. So, uh you'll see that these things show up centered. There was no function in this library to center things on the display. Uh you had to move things around manually and then that half the time didn't work the way
you'd expect it to. So um at the college we have a a team of people that do things like systems management and one of those people is who we call our systems programmer. Uh he's a Python guy and we we took the library to him and we said you know Carl we have this library it's Python I know this much Python I'm learning um you know Python can you look at it and tell us if you can make it better. So he asked us for the spec sheet for the the OLED and we gave it to him and about 6 hours later he came back to us and said, "Hey, I wrote you a whole new
library." So we used his library. Uh, thank you, Carl. He's a lifesaver. Otherwise, Rich and I would have been trying to figure out how to program Python on top of the other Python that I was writing just to get this dang display to work the way that we wanted it to. So, uh, he was a lifesaver. Um, I have to give him credit. Um so the next problem that I had to tackle was so in in a normal CTF um you're not limited by space you're you may be limited by you know power or connectivity or whatever but uh I added a new dimension to the whole thing which was I needed to fit it all inside of a
hat, right? So in a CTF you might have several servers or a big honking server that does a bunch of VMs. I couldn't do any of that. I can't put a rack in my hat. I mean, maybe I could have put two Raspberry Pis, but not several. Uh, so what I ended up doing was, well, with my virtualization background, my my initial go-to was, well, there needs to be some way to say virtualize this, but how do you virtualize on a Raspberry Pi? It's got 256 megs of memory. Uh, and I don't think the CPU even supports virtualization. I didn't even look that far into it. The memory concern was was the biggest problem. So, um, you may
have heard about this thing called Docker. Maybe you have it. I don't know. The idea is uh it containerizes services. Um if you look up Docker, uh you'll find a bunch of pictures that people use of shipping containers on a loading dock or on a ship or whatever. I thought this one was much better just because it was a container containing something, not just containers on a pile. Um and I had no idea you could fit a plane inside of a shipping container. That's pretty cool. So Docker gives me the ability to run several services on this little Raspberry Pi and compartmentalize them because the other option would have been I run the Raspberry Pi and all of my
flags were going to be running in the host's operating system. Now turn that over to a bunch of penetration testers and red teamers and you're just asking for trouble. I feel like I'm a good sysadmin. I don't think I'm that good. I don't know that anybody's that good that you could just turn the host over in the in the way that I would have need needed to and not expect someone to just destroy the thing. So, uh, containers let me run things directly on the host. However, they're contained inside of SELinux and and whatnot, uh, to make sure that you can't get outside of that that service and get get to the host's operating system. So, uh, that was, uh,
really a breakthrough and I had to figure that one out early on, otherwise this whole project wouldn't have worked out the way it did. So, uh, I've been using the term it's like virtualization light. So, instead of running a whole operating system in the container, well, sort of does, but it sort of doesn't. Uh, it uses the host's kernel. So, there's no, you know, I don't need to virtualize an entire CPU in memory. I just need to say okay you can use the kernel you can use my uh you can use the hosts uh resources but only in these confines. So that was that was really really useful. Uh I had never heard of anybody running something like
docker on a Raspberry Pi before but luckily I found a guy who who' taken the source for Docker and modified it to work on the CPU for the the uh the Raspberry Pi which was great because otherwise I never would have been able to do this. Um, so I had to compile Docker from source, which is something I haven't had to do in a very long time. Luckily, I had done these things before. It wasn't a big problem. Red Hat obviously gives me nice little packages to install everything, so I I may have been a little rusty, but I got through it. Um, so the next thing I had to figure out was scoring. Um, so if you're going to hit you're
going to get to one of my flags, I need to find a way to securely let you register your points. um in a way that others can't just sort of copy them. So my first thought was okay well we'll just internet connect the derby and then when you hit a flag, you know, you run a script or something and that script will talk to the scoreboard and it'll give you points. Well, the problem was I couldn't find a way to reliably get this thing to the internet. I thought, well, if I put two wireless adapters in it, then maybe I could use DerbyCon's access points to get me to the internet. And I thought, well, that
might not be reliable. Then I thought, oh, well, I'll put up, I'll put an access point on my phone, then I'll just get to it that way. You know, I'll do it periodically. I'll have it cache the scores and then send them in bursts later or something. And that didn't seem reliable either, because even cell service at DerbyCon is just patchy. So, um, I ended up with a code structure where when you when you got into one of the one of the containers or one of the flags, it would give you a code and then you take that code to an external scoreboard and you enter the code and then off you went, you get your points.
So, the the the next problem with codes was shoulder surfing. So, if you got your code and you're happily going off to my scoreboard and you type in your code and someone happens to look over your shoulder and snap a picture or something right as you're about to enter your code, what's to stop them from entering the same code on my scoreboard, right? And then they get the points without having to do any of the work. Um, I thought uh one option could be I'd have my wife get a whole bunch of these things and then issue them to anybody that wanted to be in the contest. Um, but that didn't seem like it would scale
well. A, it, would take a lot of time to knit those things. B, I would have no idea how to get them to everybody. Uh, and C, that looks really, really hot for the poor laptop. So, um, I came up with codes like this. These are one time used codes. After you enter this in the scoreboard, it is no longer usable. Um, the first half of the code is the identifier for the flag you've gotten into. The second half of the code is just random that I generated. I pre-generated a bunch of these random codes and I populated both derbies with a set of unique codes and the scoreboard had all the unique codes. Uh whenever
one of these codes was generated and granted to somebody that was it. That code would never be seen again uh until someone found the flag obviously. Um but that would never be generated twice even from even between the two derbies. They were unique. Uh and then when you entered in the scoreboard obviously the scoreboard would say okay that code's been used. you can't use that code anymore. Um, I did this by using Docker. So, I needed to needed to find a way to put the codes in some sort of a database on the so that uh you couldn't just steal my database and get all the codes, right? So, Docker has this neat way of uh providing volumes.
So, picture that the the lighter blue box is the Raspberry Pi. That's the host. And that this is the directory structure within the Raspberry Pi. Now that's not the real directory structure, but it's an example. Uh take one of those subdirectories and when you start up your container, you say map this directory to this directory inside of my container. And that's what the green arrow depicts. So every container had uh a special directory in the root and then inside of there there was a code file, and on the host I was running a bunch of inotify scripts that basically whenever somebody would access one of the code files it would immediately throw a new code in that file. So when
you're inside of one of my containers and you simply access the file that has the code in it on the host, the I notify would say, "Oh, someone touched that file. I'll make a new one and throw it in there." So if you were able to figure out where my code files were, you could just dump a bunch of codes if you wanted to. Uh, luckily the scoreboard was smart enough that once you registered one, say you registered this flag, it won't let you register for that flag ID ever again. you can't just keep getting the 10 points or whatever that thing is worth over and over again and and mess up the score. Uh so that worked
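The one-time code mechanism just described (flag ID plus a random half, a fresh code dropped into the file on every read, and a scoreboard that burns each code and refuses a second claim of the same flag ID by the same user), as an added Python example; this is not the project's own code, and the flag IDs, point values and usernames are constructed.

```python
import secrets

# Constructed flag IDs and point values; the real CTF's are not on the page.
FLAG_POINTS = {"smb": 10, "ssh": 25, "mud": 15}


def generate_codes(flag_id: str, count: int, suffix_bytes: int = 4) -> list:
    """Pre-generate unique one-time codes for one flag.

    Each code is '<flag id>-<random hex>': the first half tells the
    scoreboard which flag was reached, the second half is unguessable.
    """
    codes = set()
    while len(codes) < count:
        codes.add(f"{flag_id}-{secrets.token_hex(suffix_bytes)}")
    return sorted(codes)


class CodeDispenser:
    """Stands in for the host-side inotify loop: every read of a flag's
    code file hands out the next pre-generated code, never a repeat."""

    def __init__(self, pools: dict):
        self._pools = {fid: list(codes) for fid, codes in pools.items()}

    def read_code_file(self, flag_id: str) -> str:
        pool = self._pools[flag_id]
        if not pool:
            raise RuntimeError(f"code pool for {flag_id} is exhausted")
        return pool.pop(0)


class Scoreboard:
    """Accepts each code once, and each flag once per username."""

    def __init__(self, valid_codes):
        self._unused = set(valid_codes)   # every pre-generated code
        self._claimed = set()             # (user, flag_id) pairs already scored
        self.scores = {}

    def redeem(self, user: str, code: str) -> str:
        flag_id = code.split("-", 1)[0]
        if code not in self._unused or flag_id not in FLAG_POINTS:
            return "rejected: unknown or already used code"
        if (user, flag_id) in self._claimed:
            return "rejected: flag already scored by this user"
        self._unused.discard(code)            # burn the code
        self._claimed.add((user, flag_id))
        self.scores[user] = self.scores.get(user, 0) + FLAG_POINTS[flag_id]
        return f"accepted: +{FLAG_POINTS[flag_id]}"


def demo() -> tuple:
    """Walk through the shoulder-surfing and code-dumping cases."""
    pools = {fid: generate_codes(fid, 3) for fid in FLAG_POINTS}
    dispenser = CodeDispenser(pools)
    board = Scoreboard(c for codes in pools.values() for c in codes)
    first = dispenser.read_code_file("smb")
    second = dispenser.read_code_file("smb")  # file was "touched": new code
    results = [
        board.redeem("parzival", first),   # genuine find: accepted
        board.redeem("art3mis", first),    # shoulder-surfed copy: already burned
        board.redeem("parzival", second),  # dumped a second code for the same flag
        board.redeem("art3mis", second),   # fresh code, different user: accepted
    ]
    return results, board.scores
```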
out pretty well, I thought. I don't know why I put this slide in here twice, probably so that instead of having to go back to show you, I could have gone forward. So the next thing was the scoreboard itself. Now, again, I'm not a web developer. I'm a sysadmin. So I could have written a scoreboard, but it probably wouldn't have been as secure as a web developer might have made it. So I went to the web development team at Lafayette and I asked them, "Hey, can you make me a scoreboard?" And they basically said, "Yeah, whatever. That's simple. That's a web form with a display piece." And they gave me, you see at the top there's a couple
other tabs. They gave me some places that I could put rules and whatever. So this starts to feel like a professional CTF. You'd have no idea it was run by an amateur. So the scoreboard was simple. You put in your username. There was no registration required. You pop in whatever username you wanted to display, and you pop in the code that you were granted. The scoreboard would say, "Yeah, that's a good code. Here's your points," and it put you on the scoreboard, or it would say, "No, that code isn't valid. Not accepted." Does anyone know what that username is from? Anybody read Ready Player One? If you haven't, you should. It's an awesome book. I'll leave it at that. I'm not going to give you any more about that. It's an awesome book. Go read it. So the next thing is, what containers am I going to run? I built a Samba container, and in that container there was a bunch of basically fake documents about this fake corporation that we made up called Derby Corp. There were some personnel files in there about a fake employee who I named Mark Edward Hack. So if you translate that into what might be a username, he's called hackme. In there, there are some details about how Mark likes to play some MUDs while he's on company time.
He has this habit of reusing his username on places like the MUD, and his password. So that was, you know, interesting fact-finding information. And there was a code in there, in one of the files in the Samba container. It gave you a low-point code; all you had to do was read the file and there it was. The next thing was an SSH prompt. You could actually SSH into one of the containers and get a shell. I made two variants of this thing. One of them was on my derby, which I'll actually demonstrate later. Once you got the username and the password from Mr. hackme, you could
then just log into this, and there was a script you could run that would get you your code, and it would let you write to the display on the derby, which was optional. Like I said, I'll demo that. On Rich's derby, I got a little more creative, and Keith actually inspired this a little bit. Basically, once you connect to the SSH daemon, in your home directory there would still be a script that you could run. You'd run it and it would give you a really low-point code and it would give you a hint that there was more. It would simply say that was too easy, and it would give you a code. Hopefully that would lead you to look further, taking apart your badges here. Hopefully that would lead you to look a little further. If you dug a little deeper, you'd find out that the /etc/sudoers file was readable by everybody. Not writable, but readable. And if you read /etc/sudoers, good job, you'd find out that hackme is allowed to run this script outside of his home directory, buried in some other directory you may never find it in, which, if you ran it via sudo, would let you do pretty much what mine let you do: give you a higher-point code, and let you write to Rich's display. I don't think anybody
found that. I don't think anybody got to that one. The next thing I put in there was a web server, and Rich was kind enough to write a whole bunch of dummy content about Derby Corp and the alpha site and the beta site, and there were references in there as to how, so basically the alpha site was like their corporate headquarters and the beta site was their research and design, and there was apparently a feud going on between them. But we took into consideration the fact that these are air-gapped networks and we used that as part of the corporation. That's one of their security measures. They've put their data centers mobile, inside of derbies, and because they're air-gapped, they never really see each other, so they don't communicate with each other. So there's, you know, jabs from the beta site about the alpha site. And the alpha site is all, you know, proper and prim.
I'll get it. Okay. So, right. So, you know, we kind of ran with that a bit, and Rich came up with some pretty funny content. And the last thing I put on my derby, but not on Rich's, was a CircleMUD. If any of you are familiar with CircleMUD: like I said, my origins come from the BBS days, text-based MUDs and whatnot. This is a MUD that runs on Linux. It's open source. I wanted to see if I could put it in a container when I was first learning how to use Docker. So I wrote up a Docker container that ran CircleMUD. And I thought, what the heck? If anybody finds this thing, it's going to be a fun little bit of nostalgia. And if they want to just play CircleMUD on my derby for the rest of the convention, then so be it. Turns out nobody really did that, but I worked it into the CTF, and that's also part of the demonstration I'm about to give you. So, I think I've covered most of the build and most of the software. Rich, did I miss anything that you can think of? No, I don't think so. So I thought I would give you some screenshots of what it would look like to try to get through the SSH container on my derby. All right. So first of all,
you would see on your wireless an access point called DerbyCorp Alpha. Again, there were two of these, DerbyCorp Alpha and DerbyCorp Beta. One for my hat, one for Rich's. So they were completely segregated from each other. Once you connected, you'd see that you get an IP address that's in a non-routable 10.42.0.x address space. The netmask tells you how big that network is. This is where I said there were 65,000 addresses available. I'm going to cheat a little bit because I know where the hosts run. Basically, in the low range, below the DHCP pool, there was some address space I left for the hosts. So one of those hosts was running at, reading from here, 10.42.0.10. So if you were to just nmap that thing, you'd say, "Hey, look, port 422 is open. That looks like SSH." But obviously you can't get into SSH without a username and a password. Unless you know something I don't, which if you do, I want to know, because I do a lot of SSH. So you might keep looking and you find, hey, there's another container running on port 4000. What the heck is port 4000? So one of the things you might do to find out what's on port 4000 is just telnet to it. And when you telnet to it,
you'll find a MUD. Nice. And you'll also find that there's a user there called hackme. He's a bot that I wrote. Really simple one. He basically sits there, and if you ask him what his password is, there's a one-in-three chance that he'll just give you his password. So this is a really, really simple, you know, social engineering flag, whatever. This is what happens when he doesn't give you his password. He gets paranoid, he runs away. But then he'll come back five minutes later, and if you ask him again, he'll just tell you, "Hey, it's Fluffy 69," and he'll give you a code because you were, you know, diligent enough to ask him again. And he gives you a hint: seek the ring bearer. And that's because I have this ring on my hand which has an NFC chip in it, and I wrote a code to the ring. My Twitter avatar is me holding the ring up like this. So if you were smart enough to figure out that I have this ring that you can scan from your phone, you could have gotten a code, and that would have given you a few more points. And he also, you know, then runs away because he gave you his password and
the code and whatever. So then you can go put that code in. However, now that you have the password, hey, let's try that SSH container. So you SSH in and you find that the username and password, hackme with Fluffy 69, got you into SSH. You look around and, look, there's a script called run me. If that's not a flag, I don't know what is. When you run it, I couldn't make it that simple. I made it ask a trivia question. And this is based on my rather eclectic knowledge of German industrial bands. Name a German industrial band with an anti-political theme and an ultra-heavy beat. If you put that into Google, you'll find the answer. So this wasn't that hard. So that's KMFDM. It responds with a little inside joke: no pity for the majority. That's what KMFDM stands for in German. And then it asks you for a 16-character output that you'd like to put on the display. And once you've given it that, it'll give you a code because you were able to find this. And then, lo and behold, for the next 30 minutes, my hat looks like this. So that was all part of the loop that we wrote for the OLED display. The display did a number of things. This was one of them.
Whenever someone connected to the access point, it would display their hostname for a few seconds. It would display this advertising loop that basically told you where to find the scoreboard, where to find the rules, that kind of stuff. What the SSID name was for the hat you were looking at. The Twitter handle of the person that was wearing the hat. You know, just basic information. And then the party mode that I already talked about. And so that's really sort of it. This is part of the demonstration that Carl wrote along with his OLED display. There was this nice little Pac-Man thing, and it asks you to insert a coin at the end. So you can find more information on the blog that I wrote. This is my website, and that's a direct link to the blog entry about this particular hack for DerbyCon 2015. And thank you all for coming to my talk. It's been fun. Anybody have any questions? What's the IP of the MUD? What's the IP of the MUD? You're just going to have to scan and find it there. 11.
Nobody else? No questions? Come on. I put the data center in a hat. How many people did you end up with on the scoreboard at Derby time? I think we ended up with like five or six people that finally scored any points. I think two or three of those are people that I knew. It didn't quite get the exposure that I hoped it would. One of the problems was, in order to try to get into the thing, you had to be where I was. So, you know, that wireless range really didn't become a problem. When I go to DerbyCon, I like to actually go to talks. I don't just sit around in the lobby. So you'd have to try to find me and find the hat, you know? So basically someone has to trail you and not be suspect about it. Exactly, stalkers. One of my early-on concerns was I'm going to have a crowd of people following me around with mobile devices, you know, laptops or whatever. That didn't happen, but maybe it would if there was more popularity. I don't know. There was certainly a lot of visibility. We had a Twitter account for the project and we were tweeting a lot. I had automatic tweets set up to try to tell people where we might be. You know, I kept saying like, "Oh, we're in this talk," or, "I'm in this talk and Rich is in the other one," you know, whatever. So we did our best to try to get visibility out there, but it just didn't. A few people were really interested, and they were the ones that I tried to give the ability to get into the thing, by hanging around them, trying to let them break in and do things. Otherwise, I didn't have people coming up to me and saying, "Hey, can you sit still?" Yes, Rich. What question could you possibly have? To comment further on that, what I found is, while there weren't a whole lot of people saying, "Oh, wait, yeah, let me hack on this," it was a fantastic conversation starter for a con. I met a lot of people that way. There were a ton of people that said, "Hey, what's that thing on your head?" And then, you know, it got us the ability to chat with people we may not have otherwise been able to chat with. The black beans is over. The black leaves it over the last slide. Good job. Yeah. Anything else? Do you have source code or anything for the scoreboard or any of the other components? The scoreboard, I'd have to release the source for. I probably could. There's nothing
private in there. The display loop and the library are both on that blog entry that I linked. I released them both on GitHub, so you can go and get them there. The OLED library, there are some things that are still in there that are specific to this that I really wanted to clean out before it was officially released to the public in general. But yeah, you can get it through that blog entry. There are links to the public Git repos. All right. Anything else? Just to be clear, that whole thing runs off that, what, $16 battery you got from Amazon, and that's like 30 hours, you said? Yep. It's really cool. I didn't expect that. We, uh, Metaf had this cool little USB ammeter that you can plug in inline, right? And we found out that the Raspberry Pi with nothing else connected to it drew like 15 milliamps, and then after the display was connected and whatnot, it came out closer to, I don't know, 30 or 40. So the power draw was a lot lower than we thought it was going to be. So we could have gone with a smaller battery, but yeah, that cheap 20,000 mAh battery did the trick.
Oh, to resolve your range issue, might you consider in the future adding like a 3G? You mentioned, you know, cell service is spotty, but as an alternative connection, so maybe... That sounds like there could be a lot of other issues. If it's on 3G, then wouldn't that mean it would have to connect to like a cell provider? And if it's connected to a cell provider, now I need to publish the IP address and now you need to break into it, right? But now you need to not only break into it on this protected private address space, but through a cell provider, like the internet. Yeah, that seems like it'd be tricky. Plus, I wouldn't know what the cell provider would have inline to stop that sort of thing. I've never tried. The whole problem with the cars, the Jeeps. Oh, yeah. It's just sitting on a Sprint network and has no real protection. Well, if it's on Sprint's network, it won't have any connectivity anyway. Nothing to worry about there. Yeah. So yeah, I've been kicking around the idea of, can we work a wireless repeater into this next year somehow? You know, would it be like things we drop around the conference? But then people might steal them. How do we keep them powered for the whole conference? Do we have to, like, every day make the rounds and plug new batteries in? The other thought was make twice as many hats and have, you know, our friends wear hats that are just repeaters and make sure that people are around us, or just build little repeaters into a little self-contained thing you can carry around in your purse or something, you know. So that might be an option for next year. A mesh network would be pretty cool. A mesh network. There you go. Boost the power like crazy. I got two things. The other thing is we don't want to interfere with the official DerbyCon CTF as well. I don't want this to be so big that it's detracting or people think it's part of that. You know what I mean? It's fun. Some people don't want to sit in a CTF room all day long, where this would be something that was part of it. I wanted to make these things easy enough that anybody could just tinker around for 5 minutes and get some satisfaction, find a code, you know. And a couple of the harder ones were around to sort of make it a little more entertaining for people that are a little more skilled. So, for example, I had Keith walk through just a test of this at a party I was having at my house, and he got through all of the flags that were on this derby in like a half an hour or an hour, but he's, you know, an experienced penetration tester. I think just about anybody could have got one or two flags simply by starting, people that are just getting into it. You know, it's fun. You put fun stuff in it, little jokes. That's what we tried to do. So we tried to make it more so of an entertainment thing than like, I'm going to get, you know, cold cash out of this or something, right? Break it. Flip it apart. We had the right time for that. All
right. Kira