Solder Sesh #21 Transcript: Mark Smith

Here's a blast from the past soldersesh from last year with our special guest, Mark Smith! Mark is a software developer by profession, an amateur radio expert by choice, and a nerd by fate. Mark is passionate about all things HAM radio and in the first highlight video, he goes over just what exactly ham/amateur radio is and is used for. He grew up with the old school TRS-80 and PC Jr. computers and was encouraged from a young age to build, code, and tinker! After college, Mark became involved in a local security and hacking club, SLOwhiterabbit, which hosted fun scavenger hunts with QR codes and private keys! He was also an avid and frequent attendee at DEFCON  (the largest hacking and security conference), where he participated in the birth of the #badgelife  and even has the first badge from DEFCON 14!
You can find Mark on Twitter and YouTube to keep up with him and find out what he's working now!

Full Stream:

(2:06 – 9:36) What is HAM Radio?

Carrie: I know pretty much nothing about ham radio. So, I have so many questions about it. First of all, tell us about how you got into ham radio.

Mark: That is an interesting one.

Carrie: I guess maybe we should actually back up and do a brief overview of what ham radio is.

Mark: So, amateur radio, ham is– it's not a derogatory term, but it is an unofficial term. The proper term [is amateur radio] we're going to be proper, stick your pinky up.

Carrie: Hang on, I'll drink my tea because I'm double fisting with tea and beer because that’s how you do it.

Mark: Uppers and downers.

Mark: Amateur radio is a way for non-commercial entities, individuals, people like me, to be able to experiment with radio. There are a billion and a half different things you can do in ham radio. So, when people say, what do you do with ham radio? One of our favorite phrases is that it is a hobby of a thousand hobbies because there are so many different things that you can do with it. Anything from short range, and by short range I mean miles to tens of miles to hundreds of miles in the absolute best case. If you think of an FRS radio, like you see kids running around the neighborhood with, like that, but on steroids. To the longer-range stuff, which is the lower frequencies ironically called high-frequency, HF. So, the HF range are longer wave lengths and bigger antennas, lower frequencies. And they are the kinds of waves that can bounce around the world, literally.

Carrie: It can like bounce off the atmosphere.

Mark: Yeah, and come back down again, thousands of miles away.

Carrie: Which is just super cool. And you actually can talk to people who are outside of line of sight of the antennas.

Mark: Correct.

Mark: The VHF/UHF [very high frequency and ultra-high frequency] stuff is mostly line of sight and there's asterisks there because there are asterisks on all of this. There are exceptions to everything I'm about to tell you. But for the most part, the VHF/UHF stuff is short range line of sight. Typically, we'll use a what's called a repeater. It's a radio that you stick on a mountain top or on top of a building that receives a signal and then rebroadcasts it. So, the obligatory drawing is, think of a mountain and you got a person over here with a radio and a person over here with a radio. They can't talk directly to each other, but they can both talk to the top. So, repeaters are useful. HF is the direct person to person stuff. That's the long-range stuff. I do all of it. Both of those. Some people only do one, some people only do the other. These are just the two kinds of entry, simple to explain things, there are a jillion other things you can do with ham radio. So, what is ham radio? It is a kind of an internationally defined thing. The rules are not exactly the same in all the different countries, but most countries have something that is called amateur radio with the intention of being able to talk to other amateurs, either in the same country and/or other countries as well.

Mark: The whole point of amateur radio, the reason the governments still do it is because we… I'm going to get this wrong and I'm sure people are going to correct me… but the idea is, we are supposed to be experimenting. In the early days of radio in the early to mid-20th century, a lot of the new advancements in radio technology came out of amateurs, just playing around with stuff. Single side band and even AHAB [all hazardous alert broadcasting], all that kind of stuff came out of amateurs experimenting with it. Even now, a lot of new technology comes out of the amateur radio community. CDMA [code-division multiple access], some of the early cell phone technology wasn't actually experimented with in amateur radio, but an amateur radio operator is the one who developed it and used his knowledge from amateur radio to develop that. I can't remember the guy's name, but he's a very active ham. Fun story, he's also the guy who wrote ProComm, if any of you from the old BBS [bulletin board systems] days in the 80’s and 90’s, ProComm was a DOS terminal emulator – same guy. Anyway, experimentation to come up with new technologies.

Mark: We're also very good in emergencies because none of the stuff that we do requires any infrastructure, right? It doesn't require a telephone line. It doesn't require internet. Again, asterisk, we're getting into things that does make use of that sort of stuff, but the basis of the technology doesn't require any infrastructure. So, when the shit hits the fan, I can swear on this live stream! I can't swear on my other ones, but she told me it was okay. So, when the shit hits the fan and your cell networks are down or the Internet's down, or you don't have power or whatever, amateur radio operators are there, and they can communicate. We'll get called out when there’s earthquakes, you know, we’re in California so earthquakes are our natural disaster. But Red Cross will call us out and have us do communications for them and stuff like that.

Carrie: Yeah. It's super interesting. So, growing up in the USVI, U.S. Virgin Islands territory, it is part of the United States. It's really interesting because the radio played a much bigger role in even just person to person communications and community communications than it necessarily does here, I would say. Even the FM stations, right? When there was a hurricane, everybody would be broadcasting for as long as they could kind of thing, just updates. People would call into the radio station if they still had telephone to report on what was going on, on different islands and on different parts of the island. It’s really weird to me that the radio here does not. There's never anything about if there's a local fire, there's just not even anything on the local radio stations about that. I probably have to go to AM and there's probably some AM band that's the emergency one that I don't know about, but it's just odd for me that it seems like here radio is just not used in that way.

Mark: Our broadcast radio, in this area especially, doesn't have a lot of local ownership; it's produced locally, but it's all owned by Clear Channel and whatever else. So, the programming is done elsewhere. There are a few exceptions to that, KVEC… I can't remember whether KVEC is local still or not.
 
(1:13:55 – 1:20:15) Badge Life and DEFCON

Mark: Badges, badge life. Alright!

Carrie: Badges are super cool. We like doing little badges around here. Our badges are typically very simple and more kind of beginning soldering kit focused and are just fun, little graphics.

Mark: “I Voted”. This is one of my favorites. Definitely.

Carrie: “I Voted” – that one was a good one. Definitely our best seller in November.

Mark: I believe I bought two of them. All right, so, badge life. I, for many years, went to an event called DEFCON. I haven't been in a couple of years just because my life is kind of going in other directions these days, but I was a regular at an event called DEFCON, which is a hacker's convention in Las Vegas. It happens every year and has been going since 1992, I think. So, DEFCON 14 changed the world of conventions forever and I'm not exaggerating. This is not hyperbole. Joe Grand of Grand Idea Studio – if you've ever seen the TV show Prototype This, do you remember that show? You would enjoy Prototype This; I recommend you look it up. I think it was on Discovery Channel 10-15 years ago or so. Anyway, Joe Grand was the guy who did all the electronics on Prototype This. Do you remember when a hacker group went to testify to Congress back in the 90’s?

Carrie: Yeah, I have a vague, fuzzy memory. Yeah.

Mark: So, they convinced Congress… this is like the best hack ever. They convinced Congress that they couldn't use their real names. They had to testify under their handles for anonymity reasons and whatever. So, they're sitting there and there's a picture of L0pht Heavy Industries guys in their suit and ties at the Congress. They're being totally respectful and everything else, but they've got “kingpin” and all their different hacker handles in front of them.

Mark: I can't remember the names of some of the other guys, but Joe Grand was one of those guys. Joe is a wonderful person. I love him to death. He and I kind of became friends since he started doing this DEFCON 14. Every year at DEFCON they had to come up with new ways of making the badge unique and hard to copy because in the early days they were just laminated cards and people would go out to Kinko's make literal copies of them, laminate them, and get into DEFCON for free. Right. I don't know why, it was $20 back in the days, guys. Come on, really? Anyway, I think it's more for doing it for the hack, right. Can you hack them?

Carrie: Can you hack the hackers?

Mark: Can you hack the badge? Right. At DEFCON 14, Joe and Jeff, so “kingpin” and “darktangent.”  Darktangent is the guy who runs DEFCON, Jeff Moss is his name. They got together and they're like, “We want to do something new, something that's never been done before.” So, Joe designed a circuit board with a little tiny PIC microcontroller, a little six pin pic microcontroller, a few passives, a coin cell, and a button that you use to turn it on and off. Let’s see if this battery still any good.

Carrie: We’ve got more if it's not.

Mark: No. Yeah, it's not working.

Carrie: Thank you, Robyn will get us a battery.

Mark: Anyway, he created this batch and it started out as, as you know, it would turn on solid and it would blink. Then you had this little random pattern in there.

Carrie: I just love the giant LEDs, too. They're like the 10mm ones.

Mark: Yeah. And he put out a challenge. He's like “Hack the badge, do something cool with it. Just anything, no rules.” Just hack the badge and if you can impress Joe Grand, then you won the competition. So solid, then blinky, and then I reprogrammed it. Did the wigwag and then I reprogrammed mine to transmit DEFCON 14 in Morse code.

Carrie: So, you had to learn Morse code for your HAM I’m assuming?

Mark: You don't anymore. So, my hack was that I reprogrammed the microcontroller to blink DEFCON 14 in Morse code. But the point being that when Joe created this, this became the standard by which all conference badges for the next decade or more were measured. Everyone started doing electronic badges for their conferences. This was the first, this is what started at all. And it says here, it says DEFCON; it doesn't actually say human in on this one anywhere, but the white ones were for humans, the attendees. Then there are goons who were the security that run it, green for the speakers. They all have different colors for the different types of badges that you have. That was on 14. I saw this and I fell in love with it. I'm super, super excited by it.
 
(1:20:15 – 1:26:27) Follow the White Rabbit

Mark: A few years later. @namniart on Twitter, his name is Austin. He came up to my desk one day and just handed me a sheet of paper. On this sheet of paper was a giant QR code and he just stuck it on my desk, and he walked away. Well, shit! Of course, I've got to scan that thing and figure out what it is. I got out my phone and I scanned it and decoded it and it turned out it was an RSA private key. His experiment, at that point, was to see whether I was intrigued enough just by a QR code to scan it, look at it, and try and figure out what to do. Of course I was, but I don't know what to do with it yet. He had this idea of starting a kind of scavenger hunt and using this as the Trailhead.

Mark: So, the two of us started thinking about this and we did an event at the local college; he was still a student. I had graduated at that point, 10 or 15 years earlier, but we did a little scavenger hunt thing where it started out with the QR code. The big one, this big single one was hard to decode so we cut it up into three blocks. You had one that had the begin RSA block and then a bunch of random characters, the one in the middle that just had a bunch of random characters, and then the third one, which was a bunch of random characters and the end key block. So, by scanning these 3 different QR codes, you could tell that this was a thing that you had to assemble and put together. On the flyers, we just wrote alice@slowhiterabbit.org and then we had a little ASCII art of a white rabbit on it. White rabbit, obviously you've got to chase it.

Carrie: Right, you have to follow it down the rabbit hole.

Mark: So, you have alice@slowhiterabbit.org and you have an RSA private key. What would you do if you saw that?

Carrie: I would go to the website and try to…

Mark: alice@slowhiterabbit.org as a website, I think it just had a picture of a rabbit on it and that was just it. Yeah.

Carrie: Oh well I would, I would email it. I would email it.

Mark: Yeah. You would get an automated response that says, “I like the way you think, but you're on the wrong path.”

Carrie: Interesting. So, it feels like it's credentials for something, right. It feels like it's a username and password combo essentially. So where would you use it to login?

Mark: Have you ever used SSH?

Carrie: No.

Mark: Okay, the RSA private key turned out to be a private key to an SSH server. And if you log in as Alice–

Carrie: So how would you know you where the server is?

Mark: You don’t, but the goal is to get people thinking about it and trying a bunch of different things. So, you log in using this RSA private key as your authenticator to alice@slowhiterabbit.org. For the first two weeks that we put this up, it had an ASCII art of a white rabbit, because of course it does, because we put white rabbits anywhere and everywhere to let you know that you're on the right track, then it printed out three numbers. The top one was static. It was a big nine-digit number. Then the next one was a slightly smaller number, but the same number of digits, and it was counting up once a second.

Mark: The third one was a little tiny number, the difference of those two. These are Unix time, the number of seconds since December 31st or January 1st, midnight, 1970. Right? So, any hacker will recognize these numbers as Unix time. The top one was the Unix time when an event was going to happen, the second one was the current Unix time, and the third one was just a countdown timer. So, you log in and you're like, oh, okay, something's going to happen. You take the top number, translate that, and figure out when the next thing is going to happen. We had a whole bunch of people logged in at the time when that happened. I can't remember all of the steps, but it was a lot of fun. I think what we did next was we just output a latitude and longitude.

Carrie: Oh boy, okay. So now maybe you have to be in a certain place at a certain time.

Mark: So, it became like a geocache, right? Here's a lat. and long., go there. It was a spot out in Poly Canyon where there was a tree, and Austin went out there and hung a laminated card with a picture of a white rabbit on it. We used this a lot, unfortunately; another QR code, but this one had another private key that was used to connect into our website. So, this one was a forum program and you had to use this private key in your browser to connect to this forum so that you knew that anybody else that was in this forum was also playing the game.

Carrie: Got it.

Mark: So, it's a way for us as the ones who are running the game and the players to communicate with each other, without actually knowing who each other were. We modified the JavaScript so when you created your account, you would give a username and a password. When you type it in and click enter, the cursor would go up to the username, backspace over the name that you put in there and assign you a random handle. I think it would use Greek letters or something like that. So, everybody had their randomly assigned handles, not their chosen usernames. Then it just went on; like every two weeks we would add a new stage to the scavenger. It was a lot of fun!
 
(2:21:50 – 2:27:37) Software and Hardware

Carrie: So, your day job has been software for a long time.

Mark: Yes, dev ops.

Carrie: But obviously you have a quite strong background in hardware as well., I know you kind of downplay yourself in this aspect, but I'm like, dude, you're making audio amplifier PCBs. You're making all of these other badges that are quite complicated. Don't downplay yourself.

Mark: The problem is I know professional EEs [Electrical Engineers], so I am advanced for a hobbyist, but I've never done this as a paying gig.

Carrie: Yeah, we can talk a lot about what qualifies you for different things, and experience is the majority.
​
Mark: Fair enough. I have a fair bit of experience.

Carrie: Yes. So, my question is, was there one or the other that like came first? You started doing the radio shack kits when you were in third grade and stuff like that. Were you also playing around with programming at that point or did programming like come second or did one lead into the other?

Mark: I was doomed to be a nerd from birth.

Carrie: And why did you choose software as the professional thing?

Mark: So, my dad worked for IBM for 32 years. My mom was a network administrator at the local high school. My oldest sister is 9 years older than me, and she bought our family's first computer when I was 3 years old. So, we had a TRS 80 model-I growing up. That's what I had growing up. You know, my dad brought home a PC junior. I think I was probably 8 or 9 years old. So that's when I got into PCs, right? I've been around computers literally, my entire life, and I've been encouraged to program them and use them. I got into BBS-ing when I was in 5th grade; I started running my own BBS when I was in 7th grade. At the same time, all of that was going on, I was doing a lot of Legos– a shit ton. My parents say that they spent a veritable fortune on Legos, and it was the best investment they ever made.

Carrie: I know a guy who's selling some Legos. If you need some Legos, I have a hook up. I'm just saying, Kevin is selling some of his Legos.

Mark: I got into the Technic Legos very quickly, pretty young. There are a lot of motors and I got little project boxes from Radio Shack and put in switches to make my own controllers. I was building robotic arms. I was doing amusement parks, all of these large scale technical/mechanical Lego kits with motors and lights that I wanted to control.

Mark: So, I was playing with electrics from a very young age, playing with lights and batteries and motors and switches and that kind of stuff from a very young age; early elementary school. So, I don't know that one really came before the other. I've been doing software, writing things in BASIC on the TRS 80 and on the PC Jr. I actually wrote my own BBS code for a while, but it sucks. I ended up going back to other people's software. I ran Asgard or Citadel, if anyone knows what those are, [I ran them] for many, many, many years. In fact, technically, I still am running it on Unix now, but because I've been a system operator since 1987, when I was 12 years old, that kind of led into when I got into college, and I found Unix and I found Linux. I was a very early adopter of Linux. My first kernel compile was version 0.99 patch level 13G.

Mark: I've been doing this for a long ass time. So that led into systems engineering and network engineering and running applications. I write code, but I'm not a software developer. I write a lot of code for microcontrollers. I can do a lot of shell scripting. Historically, I've done Pearl; nowadays, I do Python – that kind of thing, but I'm not an application developer. I've never done a mobile app. I've never done a big web application or anything like that. My programs typically top out around 1,000 lines. Like right now, my secret squirrel project is probably going to be the biggest single application I've written. Wild guess, probably 3,000 lines, maybe a little bit more than that. So, you say I do software and I do, but not like huge application-level software. I've been doing that kind of stuff pretty much my entire life since I was a kid, same with hardware.