My LTE internet connection (70 Mbit downstream, 15 MBit upstream) came with a combined Huawei B315s LTE modem/access point. As I was using it for the last two to three years a couple of problems did arise: the internet connection was often shaky, oftentimes the uplink connection got lost and I had to power-cycle the modem/access point. Subjectively this got improved with the last system upgrade. while the internet down speed on the wired connection was good, the speed achieved through the wireless connection was atrocious (see measurements later in this blog post) the power supply is badly built and takes the space of two power outlets. I am not trusting proprietary hardware and software too much. Some research showed that I should be able to replace the existing hardware with an OpenWRT-based access point and a single USB LTE-modem. I wasn’t sure if the drivers would work out and what the resulting internet performance would be but there’s only a single way to find that out: build it. ...

During a recent assignment the customer server was utilizing a WebSocket for some notification transport, part of my assignment was to fuzz-test the used WebSocket (and the messages transported over it). To do this, I turned to my typical tools: PortSwigger BURP only supports display of WebSocket messages but not altering and/or automated fuzzing of websocket messages. OWASP ZAP can inject and fuzz web sockets (e. g. using FuzzDB vectors), alas the tested application disconnects the websocket and thus prevents ZAP from performing the fuzzing attack. So again I had to write a small python script. This time i used the Kitty fuzzing framework and the python web socket library to create a simple WebSocket transport/target for Kitty (WebSocketTarget). This target reopens the web socket after each sent message, so the disconnect behavior would not limit the testing (but would decrease its performance — I can live with that). ...

During a recent pen-test I stumbled upon a JSON Web Token(in short: JWT) based authorization scheme. JWTs consist of three parts: header, payload and verification information. The initial header part contains the name of the algorithm that will later be used to generate the verification part of the JWT. This is dangerous as an attacker can change this information and thus (maybe) control what scheme will be used for verification by the server. ...

There’s power in switching mental models. In my work, switching from “there might be a vulnerability in this software” to “i just haven’t found the vulnerability” was a game changer for me. I get nervous prior to presentations; one switch that helped me was that instead of thinking “my goal is to look bright” I try to remember that my goal is to teach the audience something and it doesn’t matter who stupid I look as long as they gain something from me. ...

So my company moved to a new building which uses HID RFID cards for access control. These cards are typically white with some sort of numeric code printed on one side of them. I have not included an image of my card due to (later) obvious reasons.. Setting up my Proxmark3 RDV4 reader Some time ago I joined the Kickstarter for an updated version of the Proxmark3 RFID reader/writer and immediately broke it during the initial flash update. After I was able to unbreak the reader (hint: kill network-manager and modem-manager before trying to flash the new image) this seems to be a good time to test those pesky access cards. Also a huge Thank you! to the Proxmark support team for helping me. ...

This year was good work- and health-wise, but bad when it comes to money and relationships. Financially the stock market drop hurt, emotionally getting dumped was painful. For 2019, I plan to keep and improve my healthy 2018 habits: enjoy life as non-smoker, keep on bouldering (6a+ - 6c with a rare sent 7a in-between), finally finish a full Bikram yoga sequence and maybe meditate more often. In addition, I’d like to improve my sleep. This might lead to less screen time in the evening, more Kindle reading and maybe a slight drop in my caffeine consumption. Another thing that worries me is that many of my best stories start with “when we were out drinking..”. After quitting to smoke, it might be time to work on this area too. ...

Wireguard is recently making a splash as human-configurable low-overhead alternative to OpenVPN and IPSec. As some privacy-centric VPN providers are planning to support it (e.g., PIA) or already have a beta running (e.g., IVPN, as tested by Ars Technica) it was time for me to look into it. The Setup To get a better feeling about the used technology I directly connected my laptop to my desktop (gigabit Ethernet with no switch/router in between) and setup OpenVPN with a minimalist configuration as well as with a more realistic TLS-configuration. I took some bandwidth/latency measurements with iperf and qperf and compared those to a minimal Wireguard setup. ...

I’ve wrote about about creating a simple wireless (WLAN for us right-pondian) http/https interception setup before. Mostly I’m using this as a first step when testing mobile/desktop applications. Linux’ network-manager is perfectly able to create an software access-point with most modern network cards. Alas GNOME’s configuration tool only allows for the creation of ad-hoc networks (and switching to KDE for just this is a bit overkill for me) so you have to setup the access point on the command line with nmtui or nmcli. In this example I will show how to create the interception setup with the latter. ...

This year seems to bring a lot of changes: I’ve switched employers after staying on/off at a research center or the last twelve years. When I started there, I was doing cool network coding for the SECOQC quantum key distribution network, it somehow felt as being a part of some bigger undertaking that finally let to something. My work had a tenable outcome, this compensated for the long hours and poor pay. Colleagues were (and have been until the end) good friends and oftentimes mentors. ...

Recently I’ve found an old post-it with guidelines I wrote myself a couple of years back, two of those stood out: make mistakes don’t buy stupid stuff Seems like I haven’t been the most consistent person back then. The post-it got discovered during a clean-up session of my flat, the same session brought up the following stupidly-bought-and-never-used gadgets: one BBC micro:bit that should be able to capture Bluetooth Low Energy transmissions one Proxmark 3 RV4 that should be able to do some nifty RFID stuff (and that I was recently able to fix) one Realtek Software-Defined Radio USB Stick (rtl-sdr).. My new year’s resolution (or rather near-future resolution) is to do /something/ hackery with that stuff. Suggestions more than welcome. ...