overwraith

Ok, So I got a raspberry pi B+ version recently, and got an idea for a Raspberry pi powered Oculus rift/Land Warrior type device. I really don't know where to start, and was wondering if anybody would have any thoughts. In order to make some kind of virtual reality device I am thinking I would need a raspberry pi camera, a raspberry pi of the correct type, possibly A+ or something, I would need something to mill or 3d print the frames, and the part I have no idea how to make would be the actual display. I wear glasses, so making something like this would need some sort of internal lenses, or would need to compensate for my vision some how. I see plenty of tiny screens for the raspberry pi, but am doubtful that they would be very pleasant to look at that close to one's eye. Does anybody have any ideas? I would almost need a custom built screen or something. (would also need some sort of battery pack, but that shouldn't be too hard.) Putting the raspberry pi in a pocket or something and running cables to the glasses would be the optimum solution, but I think not practical for the camera cables. This is just something I was thinking about, since not all the hardware seems to exist I will probably abandon this thread if nobody has any ideas. On the same token you all might know more than me.

You're right, trust is wimpy. Here is my motto; "Trust but verify". I honestly don't watch porn... yet. At work it would probably make some people feel awkward, and I don't want all the computer viruses I hear are generally associated with it. I just brought it up because it is one of the aspects that an employee should take into account. My dad works at a contractor business, and sometimes he has to watch basically the nervous center of this project, and monitor for phone calls which could come at any moment during certain exercises. If these phone calls come he has to react to them (I am intentionally being a bit vague here). Therefore it is understood that during this grass growing exercise it is completely ok to watch game of thrones or band of brothers while these exercises are going on. No body works harder than my dad on his own projects. I completely agree if you aren't doing work then people will find out, and I would never propose one should try to get away with that. On your mass murderer quip, you have to admit that sometimes businesses are fooled, as happened a while back at a company in the US. Some moron started trying to convert his co workers to Islam, and when they weren't cooperative he brought a gun to work. I can see what you mean about security being a little too intrusive and exacerbating though. Ideally the security types should try to be as invisible as possible until something goes wrong, AKA don't tell your co workers that you know they visit sites x, y, and z unless it is a problem (don't be a stalker). Yes context matters when implementing your security. Also everybody should be aware that if you connect a personal computer to a company network, then even if you are just browsing on your personal computer, the transmission goes over the company network, and can therefore be monitored. Typically companies won't let you bring your own personal devices sometimes. Just be aware.

Of course you want companies to be able to monitor their employees devices. How do you know that your employee isn't some kind of insider who is working to steal your companies valued secret processes etc. How do you know that they are not crafting exploits to hack into your servers and steal your customer info? How do you know there hasn't been a breach because the user clicked on something they weren't supposed to? That is why we have network logging, and desktop logging, etc. Even phones these days can be used to ex-filtrate data, typically via tethering or internal storage. Would be very hard in most cases, impossible on some versions of phones, but possible on others. This is pretty much computer forensics 101. How do you know the employees are not hosting their own web server on business hardware? How do you know they are not watching porn or game of thrones when they are supposed to be doing something idk... constructive with their time at work (sure we have all had those times when we had to watch Windows install or something, watch grass grow, or sit and wait for phone calls that probably weren't going to come but they could, then game of thrones is ok.)? It gets greyer when phones, tablets, or laptops are involved due to the fact that they can be taken home and therefore become more "personal". What matters though is that the device is essentially company property, therefore subject to monitoring. The company policy needs to state this before employees sign over their rights, and the employees need to be made aware of such logging. Also, getting back hardware after the employee has taken it home is often problematical. If it was given to the employee, you may never see the hardware again, and you may not even want to ask for it back. When their employment is up, in some cases you may as well just write off some hardware. There is some implied ownership after the employee has held on to something for a very long time. Also, when a company hands over a device to an employee you can run certain software on it to harden it's security. As far as laptop software goes, I probably will never use a company laptop for everything... some things are too sensitive to allow my business colleges aware of, I probably wouldn't ever trust my co workers with my personal banking info (except the boss who needs to know which account to put my money in, even then he doesn't need to know my password). Another thing would be some forums, perhaps this one. I don't want to give them the wrong conclusions about me. I also do not want my work place viewing my medical information. The point being I have my own laptop which I can put my own software on, and keep it separate from company stuff. P.S. some schools got in trouble a while back for putting software on laptops so they could access the webcam. Just use some tape for that people. I couldn't see a company actually hacking this, but you never know, so just exercise a little bit of precaution.

There used to be websites that would track people via phone numbers according to computer forensics book on my shelf, but I would be surprised if it actually still works. Stuff like that would have probably been knocked off the internet years ago. I am pretty sure the wild west days of tracking people via phone number are over. Purely the domain of the feds now, but do some google searches, and make sure you don't catch a virus. Also make sure you don't send money to disreputable individuals who want the money "up front". This basically appears to be a law enforcement matter, I am sure they have more toys than we do. If you want to do some searches without catching a virus, I would suggest downloading vmware player (the free one), and a knoppix distro, or possibly even the VMWare browser appliance which is a vmware player distro specifically for searching securely. You are traceable, but provided you are not doing anything illegal then you should be fine. When you visit a site and your virtual machine crashes or displays "segmentation fault" you know you have found a bad guy's site. Usually people can't break out of virtual machines but I will not tell you it is impossible (I don't think I have been infected with anything yet, this is as bullet proof as you can get in this imperfect universe). There is some scripting that you need to do for the browser appliance, so read the documentation, it is pretty painless.

If you don't mind my saying, the sheer incompetence here probably guarantees she will make it in the corporate world. Turn your negative into a positive! She seems to play the game well enough. You were trying to make a point about the curious nature of what she has done right?

In your output diskpart says that the ducky is not connected. Make sure you have the right firmware installed, you need twin duck or something in order for this to work and copy the file to the host computer (I don't remember which of the twin ducks you need, try both of em, takes several seconds to mount the SD). You see, twin duck firmware allows the ducky to mount the micro SD card as mass storage, and simultaneously type like a keyboard, it does not come on the ducky standard. Alternatively you could provide your own flash drive, label it "DUCKY" and put the exe's you want to copy on the flash drive. Here is where a lot of the firmware looks like it is, I used to get it at ducky decode, but it looks like it has been moved to github. https://github.com/midnitesnake/usb-rubber-ducky Here is something on flashing the ducky, can't find the handy dandy word doc that midnight snake made; https://github.com/midnitesnake/USB-Rubber-Ducky/wiki/Flashing-ducky In the "CopyFileToDesktop.txt" script it assumes that you want to put your exes in a specific folder on your flash drive/ducky micro SD. Pay particular attention to these particular lines of the script. REM Remove the next two lines if you don't place your payloads in separate folders. STRING set DUCKYdrive=%DUCKYdrive%\CopyFileToDesktop\ ENTER STRING copy %DUCKYdrive%HelloWorld.exe %userprofile%\Desktop\HelloWorld.exe ENTER The reason for a lot of the bulk in the script is that you don't necessarily know how long it will take for the ducky to mount the micro sd, so you actually have to wait for it to be connected, essentially polling for it. I think that this problem used to be a lot worse than it is right now, something appears to have gotten faster, or perhaps my computer upgrade has sped things up, I am not sure. There could have been tweaks to the ducky firmware, I am not sure. It at least seems to me that the problem was a lot worse when I was actually coding this script. Of course you will actually have to modify the copy command in the script to reflect the exe names/exe group, as well as the folder name you decide to stick them in. Pay particular attention to the first line of the previous snippet if you want to place them in a specific folder as you will have to modify the script a little bit. "STRING set DUCKYdrive=%DUCKYdrive%\CopyFileToDesktop\"

Actually I think the echo is important, I don't think you can send parameters to diskpart like "list" and "volume". echo list volume | diskpart

I know, not many drone manufacturers are going to be interested in the implications of something like my suggestion. The only reason I bring it up is that a while back on one of these forums there was a discussion of putting a MKV wifi pineapple on a drone, having it park on somebody's roof, and return to base when the battery gets low. So essentially yes, there would be lots of packet injection and sniffing etc while the drone was stationary. This might not be something you could pursue at this point in time, if ever, I just thought I would bring it up. There have also been discussions on "drone" type processing and tracking of individuals via MAC addresses etc. Would be fun to have a fleet of drones with these types of capabilities cruising around.

I want one with wifi injection radios! ... But since that one isn't going to happen any time soon, I have to say that I completely understand going for the board which you did, especially with the bulkiness of the USB ports etc on the raspberry pi. Regardless of how awesome putting a USB port on a drone would be especially with the injection radio theme, the majority of roboticists are going to be more interested in the sensors you can attach to the drone. By the way, how many sensors can you attach to this drone simultaneously?

I am not sure quite what is wrong, this works on everybody else's computers, but I have some ideas on what could be wrong. I have had instances were websites and forums etc will add newline characters where there shouldn't be any. Make sure that there are no newline characters where there shouldn't be. My lines in my scripts tend to be very long due to the fact that there needs to be an inherent complexity in batch in order to get the same functionality of better programming languages which are unavailable to duckys. Additionally go through the script and the actual output line by line and check to make sure that the script matches up with the actual output, if characters are being skipped then you should be able to see them. A lot of ducky-ing is just debugging. One additional thing that could be happening is that you might not have the correct firmware installed. This script is supposed to run "silently" once the payload has been typed in, so it will wait silently until the drive with the file to copy is plugged in. If you don't have the correct firmware installed on your ducky, then the ducky will not mount the SD, which means the script will essentially run silently forever. If anything else comes to mind I will post back.

The fact that it can be used as a cyber "arm" does not really factor in. The USB rubber ducky is a tool for penetration testers, and provided you are not using it on people's computers who did not sign a waiver you are in the clear. Furthermore it is simply a USB keyboard which types from a file. There are teensys which you can build at home to achieve the same effect, so knocking the USB rubber ducky off the market would be fairly pointless. Penetration tester tools are legal, and penetration testing is a legitimate profession. Regardless of whatever our politicians try to legislate concerning this matter the fact of the matter is that you can either ban penetration testing tools, and leave our networks wide open to foreign hackers, or you can encourage the pen testing market and therefore create more secure networks and applications. Obliterating pen testing tools would be dangerously naive being that companies, and government organizations typically do not modify their behavior without some demonstrable (demonstratable?) flaw or exploit which can be lodged against their systems. Once the exploit has been launched, and the results have been shown then they tend to have some impetus for change. Wouldn't it be just like the government though to train up all these young and interested ethical hackers/security researchers, and then take away the tools of their trade because they are afraid of them falling into the hands of script kiddies?

Here is an excerpt from "Java Network Programming" by Elliotte Rusty Harold; "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is believed to be reasonably secure against all known attacks. TLS_ECDHE_ECD-SA_WITH_AES_256_CBC_SHA256 is even better if you've enabled it. In general, any suite that begins with TLS_ECDHE and ends with SHA256 or SHA384 is the strongest possible encryption widely available today. Most others are subject to attacks of varying levels of severity. " Apparently when he says this, he is referring to socket communications, which would be using symmetric encryption to transfer data, and some sort of signing so that you know the message has not been influenced by malicious Mallory. Java cypher suites are separated into several parts, protocol, key exchange algorithm, encryption algorithim, and check sum, in that order I believe. So since you are not doing any handshakes with another computer you only need the Symmetric algorithm part, ex... AES 128 with CBC, and AES 256 with CBC. CBC stands for cypher block chaining (probably only need cypher block chaining for text files), so for example if you are encrypting a bunch of textual data, you don't want people to be able to crack your encryption based on the number of spaces, or any repeating text in the crypto file (if I am not mistaken this is how we finally got the first Turing machine to work, repeat/predictable messages). Cypher block chaining alters the next block of cypher text based on the last one. Apparently AES 256 will be more secure than AES 128. You also need to figure out a baseline number of characters your pass phrase needs to be, The longer it is the better (within reason). None of this describes an encryption program, but it does describe encryption algorithms. From some of the sources I have read, Truecrypt has been broken for a while, and is basically completely open to being unlocked by the government via some sort of flaw in the program implementation. I am unaware of any faults in the AES algorithms, but by all means if you all can find articles concerning any feel free to share, it can sometimes be hard to determine which algorithms to use, because the majority are influenced by the NSA (and we have seen the NSA intentionally put faults in the encryption algorithms), and open source isn't necessarily better due to the fact that they do not have all the cryptologists who are paid the big bucks to implement an algorithm. There is something to be said for having enough resources to devote to implementing good crypto algorithims, and the NSA does by far have the majority of the history to know how to build something (getting them not to shaft you when they help you is another story). As soon as something is found to have faults in it's implementation people usually move on from that algorithm to newer, and therefore less tried and true methods of encryption. On another note, by god do not wrap encryption algorithms, ex send output from one algorithm to another, this is terrible according to "C# Data Security Practical .NET Cryptography Handbook" by Matthew MacDonald, and Erik Johansson, and can in fact make it easier to crack the cypher text. I have also heard in some of my college classes that this type of operation can have a "deflationary" effect on the cypher text.

I am glad you liked the idea, I don't know how somebody would shroud the fact that they were giving people hacked hardware. Perhaps you sell to store of some kind, but your main operation is the producer, which would periodically fold up shop change names, or move operations elsewhere. The thing you would have to try to prevent is the consumers from being able to look on the news for recalls, etc, there would need to be a lot of different router cases, to fool people into thinking they did not have one of the hacked routers, but on the inside the hardware is all the same. I am not sure how people go about shrouding their business operations from the government that would be something to ask somebody who knows economics/businesses/etc. If you wanted to do something like this legally, some already are trying with things like TOR routers etc, you could perhaps build your code into the router and advertise it as a service, "IP address shrouding features".

Military surplus stores sometimes carry computers which you can pay cash for. The one I usually visit doesn't seem to have any cameras on the inside. One thing I wonder is if one could give away or sell hacked "routers" etc which could forward your data. Would probably be pretty obvious though.

Ok, I see the logic now. That's also a good solution.

You can't really time for restarting, what you will have to do is reboot and enter the bios manually. Then you use one of the firmware's which uses the button on the ducky to trigger the payload. It will be a tedious process to get the selection of items right, but if you put substantial delays behind most of the code you should be able to make a script which will run on most bios systems of the same type but for faster or slower architectures. Still, like barry said most of us don't trust the ducky to tweak the bios correctly.

I was under the impression that every bios was a little different, or at least every different hardware vendor.

It's ok cooper, I know why it is breaking, I just thought it was funny that so many things started breaking simultaneously by simply altering the system time.

Come to think of it I think there used to be a spy shop around where I live. Pretty sure it's not there any more though. Shannon ought to do a build your own bug segment, I guarantee loads of people would watch it. Was thinking about buying the books for hardware related development, but that would be a lot of learning in addition to the stuff I am going to have to do for work.

A little bit new, yes. I am actually pretty good at programming, the hacking bit is more of a hobby. I took some information security classes, so I do occasionally wonder how the pen tester's etc do things. I actually coded several ducky payloads (no asm), but that is really more batch programming than hacking.

I think we have taken a detour to George Orwell's 1984....

Wait, so there are actually proper bugging devices? I didn't think anybody actually sold those.

It's just hypothetical don't worry. If I do it, it will be only to myself for fun. Also, I would never consider giving the teleco false information and getting caught for it. That would be dumb.

Ok, I might have to do that. I am just curious about how people think they can possibly get away with planting bugs and things with raspberry pi's when the phone provider probably has some kind of information about the customers. I suppose one could provide false information, but I would think that would be somewhat prone to error, where the phone provider would get tipped off somehow.

The question isn't so much can the pi do it, I am sure you can plug one of these 3g modems into it, and have a program which sends the recorded audio to another computer. The question is can't the cellular provider connect your name to your modem if you get discovered? They have a contract with you, don't they acquire your name in the process, and other such data? Not tracking the modem, but connecting you to your modem (the one in the raspberry pi)? What data do they collect during the contract process?