Thursday, September 12, 2013

44CON Presentation - Additional Resources

Update December 2014: 44CON has posted the videos from all 2013 talks online. Unfortunately, they don't allow the videos to be embedded, so here's a link.

For my presentation at 44CON, entitled "Reversing and Exploiting BT CPE Devices", rather than have one or two or three slides packed with hard to read URLs, I included a single slide with a link to this post.  Here you'll find links to additional resources that I may have referenced in my talk.

White paper: Reverse Engineering and Exploiting the BT HomeHub 3.0b (pdf)

BT HomeHub 3.0b specifications
Here's a walkthrough I wrote on getting Debian MIPS Linux up and running in QEMU system emulation.  I use QEMU & Debian Linux to run and analyze binaries that I find in firmware.
QEMU/Debian MIPS Linux walkthrough

Often binaries found in firmware won't play nicely in emulation because they make a lot of assumptions about the underlying hardware which QEMU can't satisfy.  The most common case of this is an application querying NVRAM for configuration parameters.  Here's a library I wrote to intercept those queries and provide answers from an INI-style configuration file.
NVRAM "faker" library for use in emulation

Bowcaster is an exploit development API that I wrote to ease development of buffer overflow exploits.  It grew out of all the tools and techniques Craig Heffner and I developed for exploiting embedded devices.  It primarily targets MIPS Linux, since there support for that architecture was almost non-existent.  I plan to add support for other architectures as I have time.

Here's my Github repository for proof-of-concept exploit code.  In it, you'll find the exploit code for the BT HomeHub 3.0b that I demoed at 44CON, among a few others.
Proof-of-Concept exploit code

I hope these resources are useful.  If you came to this article because you saw my 44CON talk and demo, I hope you enjoyed it!  Be sure to get in touch and share your thoughts!  Twitter or my email are best.

Twitter: @zcutlip
Email: uid000 at gmail


Monday, September 09, 2013

Insulting Recruiter Emails

Note: I have a great job at a company called Tactical Network Solutions, based in Columbia, MD.  I'm not looking for a new job.  That's not why I'm writing this post.  I have way too much fun working with crazy smart people right where I am.

I get a lot of recruiter email.  Some are very thoughtful and are for companies that would be very cool to work for.  I love those, and I want to high five those people for being such class acts.  I try to always send them a thoughtful response thanking them for thinking of me, but letting them know I'm fine where I am.

On the other hand, well, let's just say there are lots of big defense contractors looking for people to fill seats on their contracts.  Many of these messages are insulting in ways that are difficult to summarize, so I decided to blog a few in order to better describe them.

Here's one I received last week, with names sanitized out.  I've annotated it with footnotes for easier discussion

From: Brian A.
Sent: Friday, August 30, 2013 
Subject: Reverse Engineer / Vulnerability Researcher with XXXX 

Mr. Cutlip,

My name is Brian A. and I am an internal technical recruiter with XXXX Corporation[1].  We are one of the U.S. government's leading...[redacted].

We[2] have reviewed your resume and the experience outlined closely aligns with the caliber of talent that we are currently searching for to fill a critical role in support of our technical division.

If there is any interest in exploring this opportunity further, please fill out the attached skills matrix[3] and return it back to me no later than next Monday (2 Sep)[4] by COB.

I understand the tight deadline and apologize for it.  Your responsiveness will obviously reflect your level of interest[5].

The next step will likely be a technically-focused phone conversation next week.

If you have any questions please let me know. 

I hope to connect with you soon.


Brian A.

Sr. Technical Recruiter, Cyber[6]

First, this message, like many others, is really phoned in.  The recruiter makes no attempt to actually recruit by convincing me that his company would be a great one to work for where I would learn, have fun, work with smart people, change the world, and be part of a great culture.

Second, the tone of this message is corporate-ey recruiter-speak.  The types of messages that get my interest and entice me to respond are ones that are written the way I talk.  I'm a hacker.  I wear t-shirts and jeans.  I listen to trance and dubstep while I program.  I say "fuck" a lot, and so does our CEO.  Please talk to me like you get that and I'm the kind of person you're looking for.

But maybe they're not looking for someone who wears jeans and t-shirts and communicates thoughts built on scaffolds of profanity.  That's fine.  So lets talk about some specifics in the above message.

[1] I find this part funny because a company I used to work for was a subcontractor to XXXX Corporation.  I know firsthand that I'm not interested working there.  Also, they're known to try to poach people from their subcontractor partners, which I find hilarious.

[2] "We have reviewed your resume"?  Who is "we"?  This is oddly impersonal.  And where did you find said resume, because I certainly didn't send it to XXXX Corporation.

[3] Skills matrix? Are you fu...what the...omg.   Shoot me now.  Because I'd rather have a bullet to the head than have my professional essence distilled down into a chart full Xs and checkmarks.

[4] Seriously?  This was sent on Friday afternoon, and I was to send the completed "skills matrix" by Monday, which is Labor Day, when everyone in America is partying and drunk and no one is at work.  This message is obviously not targeted at people who already have a great job and are desirable and sought-after. It's aimed at people who are either out of work or whose job is so terrible they would have jumped ship already if only there were somewhere to jump.

[5] Well, good.  Since my level of interest is low this means I needn't respond.

[6] A Senior technical recruiter of "Cyber"? for Cyber? with Cyber?  People! "Cyber" is not a thing.  At best, it is a prefix and not a freestanding word.  Like cybernetics, or cyberspace.  If you're using "cyber-" in any way that isn't facetious I don't want to talk to you.  And really, you're best just leaving "cyber-" to William Gibson, whose book, Neuromancer, is probably the last known acceptable use of the prefix in popular culture.

Anyway, I didn't respond, because, as I mentioned, my interest was low.  But stay tuned for part deux, because a week after the deadline, I received a followup message from Brian.