This week we have special guests: Hal Pomeranz and Ed Skoudis will be joining us to talk about the Command Line Kung Fu blog!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand
Email: psw@pauldotcom.com

Offensive Countermeasures: The Art Of Active Defense: SANSFIRE June 15-16, Blackhat USA July 27-28 & 29-30
Check out the entire PaulDotCom crew at BsidesRI June 14-15th!







The live stream should be active about 19:45 EDT (or 7:45 PM Eastern :), Thursday, March 26th. We should begin recording the live show at about 20:00 EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
Ustream: PaulDotCom UStream Channel
Icecast: PaulDotCom Radio
Please join us, and thanks for listening!
- Larry, Paul & John
Paul, Larry, and John welcome special guests, Jonathan Ham, SANS instructor/owner of Jham Corp and Sherri Davidoff, blogger at philosecurity.org/owner of Davidoff Information Security Consulting!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand
Email: psw@pauldotcom.com
The live stream should be active about 18:45 EDT, Thursday, March 19th. We should begin recording the live show at about 19:00 EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.
This week we have special guests, Jonathan Ham, SANS instructor/owner of Jham Corp and Sherri Davidoff, blogger at philosecurity.org/owner of Davidoff Information Security Consulting.
Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
Ustream: PaulDotCom UStream Channel
Icecast: PaulDotCom Radio
Please join us, and thanks for listening!
- Larry, Paul & John

[Note: This is the last re-post from the WRT54G Hacks web site, look for more hardware hacking and wireless fun coming soon!]
Over the past few months I've been contemplating a few projects for some WRTSL54GS routers with OpenWrt, however I really need these to have a high gain antenna on the WRTSL54GS. As you may recall, this model has a fixed antenna, with no option for adding one. I decided that I needed to fix that "design flaw".
Note: By adding various antennas to this device it may become possible to violate your local or federal regulations on output power. Be careful!
First off, we need to open the WRTSL54GS up. The screws are located under the rubber feet. Once apart, we need to de-solder the current, fixed antenna from the board. Follow the LMR cable from the antenna to the board, and de-solder both strands of the LMR from the board.
Once removed, the board should reveal two pads on which we need to solder our new connector.
Once de-soldered, we can remove the antenna from the case by pinching the end of the antenna on the inside of the connector. This will compress the size so that the outer locking ring will pass through the mount.

We need to make sure that we have an appropriate connector to attach a new antenna to. I happened to have scavenged parts from an old Linksys BEFSX series model. This old router had an internal PCMCIA card with two pigtails, one end with the standard RP-TNC antenna connector.

I removed the connector at the other end of the cable, as it is not important. I gave it a good pull, but certainly a pair of wire cutters will get the job done.
Strip the LMR cable back so that the inner and outer conductors are staggered. Match up the lengths that you need with the two pads to verify your length - the smaller inner conductor will be attached to the smaller pad on the board, while the outer conductor will be attached to the larger pad. Don't solder them together! This will create a short, and render your antenna inoperable, possibly even frying your router!

We also need to modify the case so that the external portion of the connector will fit through. My connector at the base was 3/4 of an inch, so I drilled a 3/4 inch hole into the edge of the case, right near the original connector.

Part of the selection of this location was so that it would still be at the top of the unit, and the board has a notch out of it at this location. The notch leaves a handy place to be able to fit the additional portion of the connector between the board and the edge of the case.

Once mounted, solder the LMR from our new connector to the board as described earlier. I utilized some electrical tape to maintain the bend in the LMR and to hold it down to the board. This allows me to have both hands free to solder!

Once complete we can reassemble our router and show off our new connector.

One of the nice features of using the RP-TNC connector is that we can reuse antennas from most of our other Linksys devices!

Have fun adding new antennas!
- Larry "haxorthematrix" Pesce
[Note: This is a re-post from the wrt54ghacks.com blog which has been integrated into this blog. For an even more updated version of this hack see my article in (IN)Secure Magazine, Issue 17]
So, here is the scenario: you need a wireless network for guests, and it has to be easily accessible (i.e. can't require a WPA supplicant) and be secure. This is a common problem, and one that is not so easily solved. For example, you may want a separate wireless network for training rooms, on-site visitors, consultants, or for just general guests to your organization. Guests such as these typically only require access to the Internet and nothing else. The nice part is, all this can be done for under $300 (on a small scale with two access points), and it's all open-source! This is a great, cheap, fast, and easy way to handle guests that may be coming into your network. Of course, this is only the first step. In future parts we will show you how to add the security measures, such as captive portals, bandwidth shaping, intrusion detection, and firewalling. To get us started you will need:
Below are the step-by-step guidelines for getting the initial setup going:
Step 1 - Unbox and flash the routers. For the WRT54GL, you must use the web interface to put the initial OpenWrt image on them. (Question, why does Linksys not enable boot_wait by default?). Also, do not use the PoE adapters when flashing!
Step 2 - Change the IP address of the routers, enable boot_wait, and set the hostname:
nvram set lan_ipaddr="10.10.10.5"
nvram set boot_wait="on"
nvram set wan_hostname="myap1"
nvram set wan_proto="none"
nvram commit
Step 3 - Create a separate VLAN or physical network, preferably with a separate Internet connection. Put the APs on that subnet.
Step 4 - Harden and performance tune OpenWrt - Remove the packages that are not required:
ipkg update
ipkg remove ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe
ipkg upgrade
Disable services not required:
cd /etc/init.d
mv S50httpd disabled_S50httpd
mv S50telnet disabled_S50telnet
Step 5 - Enable DHCP on each of the access points:
cat > /etc/init.d/S60dnsmasq
#! /bin/ash
/usr/sbin/dnsmasq &
(press CTRL-D to end input and write the file)
Now, remove the DHCP configuration from the /etc/dnsmasq.conf, and replace it with:
# enable dhcp (start,end,netmask,leasetime)
dhcp-authoritative
dhcp-range=10.10.10.100,10.10.10.150,255.255.255.0,12h
dhcp-leasefile=/tmp/dhcp.leases
# use /etc/ethers for static hosts; same format as --dhcp-host
#
read-ethers
# other useful options:
# Default Gateway
dhcp-option=3,10.10.10.1
# DNS Servers
dhcp-option=6,10.10.10.6,10.10.10.7
Step 6 - Reboot the WRT54GL, make sure all is well. Now, connect the PoE adapters and place the APs where you want them.
Step 7 - Configure Wireless - Place the access points on their respective channels using the command nvram set wl0_channel=1. Ideally, you could have 3 APs, one each on channels 1, 6, and 11. Now, set all of the SSIDs to the same value using the command nvram set wl0_ssid="guestwireless". Finally, be certain to run nvram commit to commit your changes, and /sbin/wifi so that the wireless system picks up the new values.
You should now be able to associate to the given SSID. Which access point you associate with will depend heavily on the wireless driver that you are using, and other factors that require too much math.
In Part II, we will show you how to implement a captive portal for guest authentication, and add additional layers of security such as intrusion detection and IP filtering.
Paul Asadoorian (Edits by Larry Pesce)
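A way to check that each access point ended up configured as Steps 2 through 7 describe, as an added example that is not part of the original post. It assumes `nvram show` prints `key=value` lines and that `dhcp-range` uses the four-field form shown above; the function names (`nv_get`, `ip_to_int`, `audit_ap`, `make_sample`) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit one AP against Steps 2-7.
# Inputs are files so it runs offline; on a router, save `nvram show` output
# to a file and pass /etc/dnsmasq.conf and /etc/init.d.

# nv_get FILE KEY: print the value of KEY from key=value lines.
nv_get() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# ip_to_int A.B.C.D: print the dotted quad as an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# audit_ap NVRAM_FILE DNSMASQ_CONF INITD_DIR
# Prints one FAIL line per deviation; returns 0 only when there are none.
audit_ap() {
    nv=$1; conf=$2; initd=$3; fails=0

    # Step 2: boot_wait enabled, WAN protocol disabled
    [ "$(nv_get "$nv" boot_wait)" = "on" ] || fail "boot_wait is not on"
    [ "$(nv_get "$nv" wan_proto)" = "none" ] || fail "wan_proto is not none"

    # Step 4: no S* start script may remain for httpd or telnet
    for svc in httpd telnet; do
        for f in "$initd"/S*"$svc"; do
            if [ -e "$f" ]; then fail "service still enabled: ${f##*/}"; fi
        done
    done

    # Step 7: channel is one of 1, 6, 11 and the SSID is set
    case "$(nv_get "$nv" wl0_channel)" in
        1|6|11) ;;
        *) fail "wl0_channel is not 1, 6 or 11" ;;
    esac
    [ -n "$(nv_get "$nv" wl0_ssid)" ] || fail "wl0_ssid is empty"

    # Step 5: the pool and gateway must sit in the AP's subnet, and the pool
    # must not hand out the AP's own address or the gateway's.
    lan_ip=$(nv_get "$nv" lan_ipaddr)
    range=$(sed -n 's/^dhcp-range=//p' "$conf" | head -n 1)
    gw_ip=$(sed -n 's/^dhcp-option=3,//p' "$conf" | head -n 1)
    if [ -z "$lan_ip" ] || [ -z "$range" ] || [ -z "$gw_ip" ]; then
        fail "lan_ipaddr, dhcp-range or dhcp-option=3 is missing"
    else
        old_ifs=$IFS; IFS=,; set -- $range; IFS=$old_ifs
        start=$(ip_to_int "$1"); end=$(ip_to_int "$2"); mask=$(ip_to_int "$3")
        lan=$(ip_to_int "$lan_ip"); gw=$(ip_to_int "$gw_ip")
        net=$((lan & mask))
        [ "$start" -le "$end" ] || fail "dhcp-range start is above its end"
        if [ $((start & mask)) -ne "$net" ] || [ $((end & mask)) -ne "$net" ]; then
            fail "dhcp-range is outside the subnet of lan_ipaddr"
        fi
        [ $((gw & mask)) -eq "$net" ] || fail "gateway is outside the subnet"
        for pair in "AP:$lan" "gateway:$gw"; do
            addr=${pair#*:}
            if [ "$addr" -ge "$start" ] && [ "$addr" -le "$end" ]; then
                fail "${pair%%:*} address is inside the DHCP pool"
            fi
        done
    fi
    [ "$fails" -eq 0 ]
}

# make_sample DIR: write constructed sample input matching the guide.
make_sample() {
    mkdir -p "$1/init.d"
    printf '%s\n' lan_ipaddr=10.10.10.5 boot_wait=on wan_proto=none \
        wl0_channel=6 wl0_ssid=guestwireless > "$1/nvram.txt"
    printf '%s\n' dhcp-authoritative \
        dhcp-range=10.10.10.100,10.10.10.150,255.255.255.0,12h \
        dhcp-option=3,10.10.10.1 dhcp-option=6,10.10.10.6,10.10.10.7 \
        > "$1/dnsmasq.conf"
    : > "$1/init.d/disabled_S50httpd"
    : > "$1/init.d/disabled_S50telnet"
    : > "$1/init.d/S60dnsmasq"
}

tmp=$(mktemp -d)
make_sample "$tmp"
if audit_ap "$tmp/nvram.txt" "$tmp/dnsmasq.conf" "$tmp/init.d"; then
    echo "PASS: configuration matches the guide"
fi
rm -rf "$tmp"
```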
[Note: This was the original post to www.wrt54ghacks.com, with two more to follow! The blog hosted there has been merged with this site. All WRT54G hacking related posts can be found at http://pauldotcom.com/wrt54g/. All book material can still be accessed on the www.wrt54ghacks.com site. Please contact us if you have questions! psw /at/ pauldotcom.com]
Linksys has officially released the WRT54G version 8 here in the US, and Paul was able to find one at our local big box computer retailer. Of course the first thing that we did was to tear it apart and see what is inside, in typical hacker fashion. We've successfully voided the warranty without even plugging the darned thing in!
Without further ado: Inside the WRT54G version 8!
Before we get to the juicy bits, this version will be very easy to identify on the store shelves. Linksys has totally redesigned the packaging:

The power supply has remained the same here in the US, with 12 volt output. Nothing to see here folks. The front panel also remains the same as the last few versions:

Before we even get this bad boy apart, we can see some very significant design changes. No more removable antennas! (we'll get to this more in a bit)

When we open up the case, we can immediately see that the board design looks different from some of the earlier versions. I'm not sure of how it stacks up to the version 7, as we've been unable to locate one locally. The front of the board looks different:

The reverse side of the board actually features some components, even if they are SMT resistors:

With some closer inspection, we may be drawn to the traces for the wireless antennas. It looks like the traces still exist for the removable connectors. Possibly for future board revisions, or a hold over from the v7 design:

Guess what! Those traces also contain what looks like a U.FL antenna connector! Certainly we can find a pigtail online to convert to something we can use. Add a little de-soldering braid, and a soldering iron to that mix and we've got a removable antenna, at least on the primary connector. Looks like we'd also need to disable antenna diversity too. Here's a good look at the U.FL connector:

Further examination of the board reveals some more of the standard features we've come to expect. The first is the JTAG header:

There is also another set of headers, which would appear to be a single serial port. This remains unconfirmed by us at this point, but all signs point to yes: capability in the chipsets (the BRCM5354 spec sheet states that it has two UARTs available), and the proper pin count. Why only one port? Who knows, but I would bet that the other serial port could be found on the board, just not at a header. Here's a good look at the possible serial port:

The RAM installation seems to be fairly typical, with a Samsung chip:

But wait! What's that you say? You read the Samsung chip documentation, and it says the chip is 64M? Well, sure! We still need to confirm that some open source firmware (say...OpenWrt) can take advantage of the additional RAM, if the extra RAM meets up to the documentation. All available reports state that this unit only has 8M!
Even more changes to the design for the version 8 is a diversion from the Intel based flash chip. Linksys has opted to drop the Intel brand for a company named Spansion, which is apparently a subsidiary of AMD. The new Spansion S29AL016D90TF chip is listed as being 16M, however other available documentation only lists flash as 2M! It looks as though the chip is modifiable to protect some sectors, limiting the amount of usable memory sectors. Overall, this device may be quite nice for hacking, given the alleged 64M RAM and 8M of flash. Here's a good look at the Spansion flash chip:

Again the Broadcom SoC has changed to the BCM5354KFBG, which operates at 240MHz! This chipset contains all of the goodies: ethernet switch, main processor, and wireless processor. Here is a shot of the chip:

In combination with the wireless processor, the wireless power amp chipset can be located under the nice metal shielding, and is of the SiGe SE2528L RangeCharger variety, which is rated at 24dBm for 802.11b networks and 21dBm for 802.11g networks. Here is a look of this sneaky little animal:

In even more modifications, we have some additional changes related to the power conversion and regulation chipset. The main power conversion chip has remained the same with the AnaChip AP1513 which can take an input voltage of between 3.6 and 18 volts DC. In combination with the SK33B Schottky Rectifier, it utilizes a separate resistor to regulate maximum power output. While I have been unable to confirm, I'd suspect that the board requirement has been capped at between 3.3 and 3.6 volts, the optimal voltage range for many of the other components. Here's a close-up of the chip combination:

While I thought that this new release would be very disappointing for my hacking pleasure, there are clearly a few questions that need answering in relation to RAM and Flash. The wireless antenna situation can apparently be rectified, and apparently reduced power requirements make alternate power sources very tempting.
We hope that you have enjoyed our willful voiding of our warranty for your viewing pleasure! Any questions, comments or updates are appreciated.
- Larry
Paul, Larry, and John do a tech segment extravaganza with special guest Seth Misenar!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand
Email: psw@pauldotcom.com
The slides for Larry's Document Metadata and GPS tracking presentations have been posted for your reading enjoyment. These were great fun to give and thank you to all that attended.
They can be found on the presentations page, but here's a few direct links:
Document Metadata, The Silent Killer
Where to now? An Adventure in GPS Tracking
If you have any questions, comments or suggestions, feel free to e-mail me at larry(at)pauldotcom.com
- Larry "haxorthematrix" Pesce
The live stream should be active about 18:45 EDT, Thursday, March 12th. We should begin recording the live show at about 19:00 EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.
This week we have a special guest, Seth Misenar!

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
Ustream: PaulDotCom UStream Channel
Icecast: PaulDotCom Radio
Please join us, and thanks for listening!
- Larry, Paul & John
Over the past few weeks we have had to deal with the loss of the breach blog. This was an outstanding site that kept quite a few of us up to date with current data breaches. Unfortunately, many security pros never really got to take advantage of this excellent blog. However, there are still many sites that will offer this information. I have stolen the list of recommended sites from the breach blog and posted them below.
The real question is why is this important? There are two ways to look at this: like a pen tester and like a security analyst.
For the penetration tester we need to keep up to date on these attacks because we ultimately need to emulate them. It is also important for us to keep up to date on these exploits because we must incorporate these stories into our reports. While you as a super technical "geek" may think that the risk is high for a particular vulnerability, it is fairly easy for C-O's to discredit your advice as that of a tech nerd living in his/her mother's basement. You can reinforce your findings with examples of other organizations that have been compromised via the same family of vulnerabilities.
For the security analyst it is even more important. Take a look at the current economic environment. Security teams need now more than ever to find ways to keep security awareness on the minds of their management.
Please use the links below to raise awareness in your organization and in your own day to day activities:
http://www.pogowasright.org/
http://www.phiprivacy.net/
http://datalossdb.org/
http://www.databreaches.net/
-strandjs
First a little background...
For those of you that are not familiar with the conference, Shmoocon (hosted by the fine folks at the Shmoo group, an independent security "think tank") is a small hacker/security conference in Washington, DC, typically some time during the month of February. This past February was no exception.

One of the great things about Shmoocon is the ability to provide instant feedback to the presenter, while the presentation is happening. Ever been to a conference or presentation where you just knew there was something "rotten in Denmark", or you wanted to make a point about some minute, but essential overlooked detail? Shmoocon enables and encourages every attendee to take the speaker to task: They provide a foam stress ball (aka a Shmooball) at registration for each attendee (and offer more for sale, proceeds going to charity). The organizers encourage you to throw them at the presenters when you have a point to make, or when you think that you're being sold a bill of goods.
As a result, the closing ceremony of the conference has typically found the Shmoo group founder, Bruce Potter, amidst a barrage of shmooballs. Why? Because the attendees could.
In 2007, a group of folks unveiled their Shmooball cannon at closing ceremonies and unloaded at Bruce. It was multi-shot, made from PVC and a 2-stroke leaf blower. It was a great concept, but it was smelly and not incredibly efficient.
This is when I had thoughts of doing better. In 2008, I created a version that was much like a shoulder fired grenade launcher. In 2009, I decided I needed to take it up a notch.
This is the story of the building of the 2009 Shmooball cannon.
I had great plans for 2009 after items that I learned from 2008. I wanted something that was light, easily carried, and easily reloaded. I thought I had come up with a fantastic way to accomplish all 3: create a pistol style cannon, fed with easily detached tubing, and house all of the mechanical and pressurized bits in a backpack.
I came up with my original concept right after Shmoocon 4 in 2008. In typical fashion, I didn't begin the actual execution until 4 weeks before con. Add a wife, baby and large quantities of snow into this mix, and there isn't a lot of time left for construction.
As a result of my procrastination, I realized that I needed to source all of my parts locally: Home Depot, Lowes, Radio Shack and the local paintball supply. I affectionately refer to this type of construction as "Hacking Home Depot": Come up with an idea, and spend 4 hours wandering the aisles of the home improvement store looking for appropriate parts, and how you can modify them with tools on hand to meet the end goal. Tons of fun.
Here is what I came up with.

As you can see, I've accomplished the pistol portion fairly well. The barrel is made from 2.5 inch schedule 40 PVC electrical conduit, with a female thread adapter at the butt end, glued with PVC cement. The muzzle brake happened to be a feature of the conduit, as a way to connect two lengths together without the need for additional couplers.

The grip was constructed out of a 3 inch to 2 inch schedule 80 PVC "Y" adapter. A table saw was used to trim off the top section of pipe that wasn't needed. The barrel is attached with a clamp at the front end, and 5 minute epoxy was used at the butt end of the threaded adapter. The outer portion of the threaded adapter was almost an identical fit for the internal diameter of the 3 inch "Y", so it was used as a glue point. Without some additional material at the front end of the barrel, it would have been off by about 3/8 of an inch. A 2.5 inch female coupler was sacrificed to the shop saw, and utilized as a spacer at the front of the barrel.

The actual grip was simply constructed out of a short length of 2 inch PVC with a female threaded adapter on the end. Screwed into the adapter was a threaded clean out plug. The hand grip was not glued, so that parts could be added later (safety switch, trigger and batteries), and so that they could be easily replaced.

At the end of the barrel a male threaded 2.5 inch adapter was used for the butt end. Unfortunately, 3 Lowes stores later (the only store that carried 2.5 inch PVC conduit), I was never able to find 2.5 inch endcaps. I did find 2 inch endcaps, and fortunately these were a close enough fit into the end of the male threaded adapter. Because they weren't a tight fit, PVC cement wasn't an option here, so both halves were sanded with the Dremel and glued with 5 minute epoxy.

The pistol is then attached to the valve assembly through standard air tool coiled hose, utilizing 1/4 inch NPT quick release adapters. The barrel end cap was drilled in the drill press, and threaded with the brass adapter. Yes, the PVC is soft enough to have the brass cut its own threads. I like to hold on to the brass fitting with a pair of vice-grips and welder's gloves, and run the brass fitting through the blowtorch for a few minutes. This makes the thread cutting almost like a hot knife through butter.

At the valve end, I needed to increase the size of the 1/4 inch NPT coiled hose to meet the 1 inch threaded inlet of the 1 inch water sprinkler valve. This is accomplished with several steel step down adapters and plenty of teflon tape.

Next is the hub of the operation, the 1 inch lawn sprinkler valve. In the 2009 cannon construction, the valve was used as it came from the manufacturer, activated with a 24V solenoid. While we could modify this valve to be pneumatically triggered for faster operation, the solenoid application works just fine.
Feeding the valve is a set of male threaded adapter and end cap, but this time fitted with a 5/8 inch paintball regulator. From there, our 20oz compressed CO2 is attached with a shutoff and quick disconnect. The paintball regulator in this case is a necessity, as the paintball CO2 tank is typically charged somewhere from 800 to 1200 PSI. This pressure, if unregulated to much less (80 to 120 PSI), will quickly turn all of our PVC components into shrapnel. Carrying that around a con full of people would not be a good idea...

The last point to mention is the firing mechanism. We need to provide 24V to the solenoid to operate it, allowing the air to propel the Shmooball from the cannon. However, 18V, delivered by two standard 9V batteries wired in series works just fine. The negative lead is connected to the solenoid, and the positive is wired to two switches in series; this way both need to be closed in order for the cannon to fire. I elected for a standard momentary pushbutton for the trigger, and a light up, shrouded safety switch for the safety.

In order to deliver the 18V to the solenoid, I needed a cable that I could quick disconnect from the hand grip where the batteries and the switches were, to the valve located at the other end of the coiled air tool hose. I happened to have a CAT5 cable and wall jack insert in hand, so I elected to use those. In a twist of fate, the wall jack insert fit perfectly inside the end of the threaded clean out end cap.

A 1/4 inch hole was drilled in the end of the clean out end cap, the jack placed inside, and held in with 5 minute epoxy.

Once complete, I found that it was nearly impossible to undo the little clip on the CAT5 cable in order to release it from the jack, due to the insert now being recessed behind 1/8 inch of PVC! So, the clean out end cap had to be ground down to provide a rounded edge to allow access to the CAT5 cable clip.

So, it looked pretty good at this point. That was, until I test fired it 24 hours before the whole assembly needed to be dropped off for transport to the conference. Let's just say that the test fire didn't have the expected results.
I had figured that the failure was due to not having enough airflow from the valve to the barrel. I had figured that it might be a problem earlier on, so I had purchased extra parts as a backup plan.
What I didn't realize was how far my backup plan would have to go, until 2 hours before con opened. The results of the hotel room testing, and the Frankenstein creation, are shown below.

So, let's start with the upgrade to the coiled tool hose. It was replaced with a new endcap with a 1 inch brass threaded "hose barb" fitting. I found this bad boy in the plumbing section for flexible hose for artesian well water systems. That sucker was 12.99 for a darned fitting!

Regardless, it was attached to a 1 inch clear vinyl tube with a hose clamp, which was then paired to a PVC 1 inch threaded hose barb at the valve end.

Now it required an act of congress to breech load (undo CAT5, unscrew pistol (not endcap!), load, re-screw pistol, connect CAT5, arm, fire), so muzzle loading with a wood ramrod became the next choice.
Unfortunately, during the hotel room tests, Paul and I also discovered another fatal flaw. The 20oz paintball tank could not feed the delivery system with enough air fast enough to propel the shmooball from the barrel more than 6 feet (and with the sound of a dying cat as well). What we really needed was a tank that could hold a large volume of air that could be recharged from the slow paintball tank, but released quickly.
Fortunately, Paul had suggested that we bring along the 2008 shoulder fired cannon. I also had the hindsight to pack too many tools and extra teflon pipe tape.
The 2008 version featured a large tank mated to an identical sprinkler valve. Thank goodness for modular parts; we scavenged the 2008 tank to replace the direct feed from the paintball tank.
The scavenged tank is fed by a 20oz paintball CO2 tank via remote kit with a 5/16 inch threaded quick release. I needed to convert the 5/16 to 1/4 to mate up with the old regulator in the 2008 design, so a capsule of 1 inch end caps was created to make the adapter (drill endcap, heat fitting, thread, PVC cement to 1 inch PVC pipe). This capsule is then attached using 1.4 inch hose barbs and standard air tool hose to an air tool regulator (more Home Depot hacking!), and then to more hose with a barb drilled and threaded into the tank.

The tank was originally intended for another application, so it features some additional twists and turns. However, the main chamber is 3 inch schedule 80 PVC with an end cap, reduced to 2 inches, fed to 2 inch 90 degree elbows, reduced to 1.5 inches, reduced to 1 inch, ending in a 1 inch male threaded adapter. That's a LOT of PVC fittings, which are of course glued together with PVC cement.

What Paul and I ended up with at the end of our cannibalization was a pistol design that was appropriately powered, but with a much larger "back end support" than anticipated. Now, the tank, CO2 and valve didn't fit so well, and ended up looking like a particle accelerator out of Ghostbusters. Backpack was quickly abandoned in favor of using gaffer's tape to directly strap the tank to my back, and the CO2 tank to my thigh. Nothing like intentionally strapping yourself to a bunch of potentially explosive compressed air!

After all was said and done, it was a huge ugly looking success. We learned a lot this year, and made a few notes:
See you at Shmoocon 6 in 2010, cannon in hand. In hand? Maybe there is something else in the works...
Paul, Larry, and John are together in the same room for the first time podcasting live from SANS Orlando 2009!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand
Email: psw@pauldotcom.com
If we can acquire appropriate bandwidth, the live stream should be active about 19:25 EST, Tuesday, March 3rd. We should begin recording the live show at about 19:30 EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.
Live on site at SANS2009 in Orlando, FL!
Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
Ustream: PaulDotCom UStream Channel
Icecast: PaulDotCom Radio
Please join us, and thanks for listening!
- Larry, Paul & John
