DEF CON 27 Blue Team Village Badge

I’ve been working on the DEF CON 27 Blue Team Village Badge over the past 6 months. Soon, more info on the features, design and build process will be here. Code and other supporting files will reside on github a few weeks before con. DEF CON 27 Blue Team Village Badge github repo:

spotlight dataleak automation

I noticed that certain versions of macOS (back then, called OS X) would leak small ammounts of spotlight indexed data to any USB drive that was inserted into the system, even when locked. The project named spotPlight was the result of automating the extraction of this data. I found that rapidly inserting and removing up to 128 emulated USB drives at a time into macOS system using a raspberry pi, that it was possible to exfiltrate data from a locked macOS system.

portable WiFi honeypot

At DEF CON 26, you may have seen a few folks walking around with small boxes with USB wifi adapters, a 320x240 screens displaying a TUI with a menu and a USB. That is what we called “AP1336”, AKA “access point leet minus one”. Essentially, it has two modes. Honeypot mode and internet sharing mode. Open WiFi access point with SSH honeypot The device hands out IP addresses to any associated clients, with an SSH honeypot listening on the gateway interface.

cross site scripting anonymous browser

I presented at both Blackhat DC and DEF CON 17 about the Cross Site Scripting Anonymous Browser, or XAB for short. XAB allows for anonymous browsing fueled by sites vulnerable to XSS. The tool/framework really had no other purpose than to finish the statement of “wouldn’t it be neat if…” All in all, it was a fun research project to expand and extend unintended functionality present in web browsers in an interesting way.


devialog is a behavior/anomaly/signature-based syslog intrusion detection system which detects new and unknown attacks via anomalies in syslog. It fits comfortably in heterogeneous Unix/Linux/BSD environments at the core of a central syslog server, with the capability to generate its own signatures and can alert on anomalies with included generated signatures to administrators to ignore future similar events. I originally released devialog in the early 2000s. In 2019 and looking back, it’s interesting to now see phrasing used in the documentation that seems outdated.