DEF CON 27 Blue Team Village Electronic Conference Badge

The DEF CON 27 Blue Team Village badge is a portable WiFi honeypot in the form of a wearable electronic conference badge. The badge was built for the DEF CON Blue Team Village and granted badgeholders access to an event with exclusive threat intel sharing panels comprised of industry luminaries. It initially started as a small side project but then quickly transitioned into a personal challenge to conquer and to learn medium-scale electronics manufacturing and design, all while not neglecting the badge’s defensive security purpose.

spotlight dataleak automation

I noticed that certain versions of macOS would leak small amounts of spotlight indexed data to any USB drive that was inserted into the system, even when locked. The project named spotPlight was the result of automating the extraction of this data. I found that rapidly inserting and removing up to 128 emulated USB drives at a time into macOS system using a raspberry pi, that it was possible to exfiltrate data from a screenlocked macOS system even with filevault enabled.

portable WiFi honeypot

At DEF CON 26, you may have seen a few folks walking around with small boxes with USB wifi adapters, a 320x240 screens displaying a TUI with a menu and a USB. That is what we called “AP1336”, AKA “access point leet minus one”. Essentially, it has two modes. Honeypot mode and internet sharing mode. Open WiFi access point with SSH honeypot The device hands out IP addresses to any associated clients, with an SSH honeypot listening on the gateway interface.

cross site scripting anonymous browser

I presented at both Blackhat DC and DEF CON 17 about the Cross Site Scripting Anonymous Browser, or XAB for short. XAB allows for anonymous browsing fueled by sites vulnerable to XSS. The tool/framework really had no other purpose than to finish the statement of “wouldn’t it be neat if…” All in all, it was a fun research project to expand and extend unintended functionality present in web browsers in an interesting way.


devialog is a behavior/anomaly/signature-based syslog intrusion detection system which detects new and unknown attacks via anomalies in syslog. It fits comfortably in heterogeneous Unix/Linux/BSD environments at the core of a central syslog server, with the capability to generate its own signatures and can alert on anomalies with included generated signatures to administrators to ignore future similar events. I originally released devialog in the early 2000s. In 2019 and looking back, it’s interesting to now see phrasing used in the documentation that seems outdated.