Wi-Fi Pineapple Hacking Device Sells Out At DEF CON 132
darthcamaro writes "At the recent DEF CON conference over the weekend, vendor were selling all kinds of gear. But one device stood out from all the others: the Wi-Fi Pineapple — an all in one Wi-Fi hacking device that costs only $80 (a lot cheaper than a PwnPlug) and powered by a very vibrant open source community of users. Pineapple creator Darren Kitchen said that 1.2 Pineapple's per minute were sold on the first day of DEF CON (and then sold out). The Pineapple run Linux, based on OpenWRT, is packed with open source tools including Karma, DNS Spoof, SSL Strip, URL Snarf, Ngrep, and more and is powered by g a 400MHz Atheros AR9331 MIPS processor, 32MB of main memory and a complete 802.11 b/g/n stack. Is this a tool that will be used for good — or for evil?"
Holy False Dichotomy Batman! (Score:5, Funny)
I, for one, am imagining a world where a large number of mass-produced devices, sold to a large number of different parties, can be used for both good and evil at the same time. Blows my mind; but there it is.
Re: (Score:1)
can be used for both good and evil at the same time.
What's the difference?
Re:Holy False Dichotomy Batman! (Score:5, Insightful)
Interpretation.
Re: (Score:1)
so, what's the dealio? is the whole thing packed into a real pineapple, or what?
No its packed inside a plastic lime thats inside a plastic coconut. They just call it a pineapple because it confuses the f*** out of the authorities.
Re: (Score:2)
Re: (Score:1)
So 'framing' Karma is bad now? pretty bold statement from and AC. I think it looks like you are complianing where there is no problem.
Re: (Score:1)
Re: (Score:1)
The account is currently "farming" karma and mod points by asking questions and posting comments that can be moderated up by other managed accounts.
guilty guilty guilty. I'm posting a shill question asking if the device comes in a pineapple, so I can post a self serving response and mod it up for greater visibility. Brought to you by Dole Pineapples!
Re: (Score:1)
Perp or victim?
Re: (Score:3)
The difference in distance from yourself of the people favored and unfavored by the action.
Which is closed differentiates good and evil.
The shorter the distance, the greater the evil and the smaller the good. And vice versa.
Re:Holy False Dichotomy Batman! (Score:5, Informative)
vendor were selling all kinds of gear.
1.2 Pineapple's per minute were sold
The Pineapple run Linux, based on OpenWRT, is packed with open source tools
I, for one, am imagining a world where a Slashdot "editor" can parse the English language and fix typos. Blows my mind, but there it is.
Re: (Score:3)
I, for one, am imagining a world where a large number of mass-produced devices, sold to a large number of different parties, can be used for both good and evil at the same time. Blows my mind; but there it is.
gooevil (goo-we-vil) adjective:
good and evil at the same time
This will vastly improve the communication accuracy of Professor Hubert J. Farnsworth (e.g. "Gooevil news everyone!")
Well done sir!
Re:According to the government (Score:4, Funny)
Then the FBI places an order for 1,000 of them.
Re: (Score:3)
So... considering the more recent events... does that mean it is good?
"Yes" (Score:3, Interesting)
Is this a tool that will be used for good -- or for evil?
There is only one answer to this: Yes. Yes it will.
Too bad packing its functions up in an easy appliance means it now no longer has anything to do with "hacking" at all. You aren't a "hacker" if all you do is run some appliance.
Might as well call yourself a master baker for using a bread baking machine... or even a toaster. Well, no, no you aren't.
That the security industry claims otherwise means that they are deluding themselves... and us. We're not getting our money's worth in security out of their efforts. But we do get nice toaster equivalents, complete with instant "hacker" label. Nice, innit?
Re:"Yes" (Score:5, Interesting)
It kinda hurts to admit it, but yes, you're right. Most of the security industry is a bunch of charlatans who are unable to produce more than cheap tricks to impress those that know even less than they do.
Every time we're about to hire some security consultants (which we have to, regulations require us to have my security system tested by outsiders) I kinda think I know how Penn&Teller feel when they host "Fool us". Only that the amount of half-talented stage magicians who show off ancient tricks is way higher for me.
Re: (Score:3)
And what stops you from sticking with the good ones?
It really is the same in every professional career. You hear much the same about lawyers, doctors and mechanics - the good ones are hard to find. In IT security, it is comparatively easy, just check what they publish.
Re: (Score:2)
Sadly, it's kinda hard to convince Bruce to fly over to Europe at a rate my boss is willing to pay...
Re: (Score:2)
Contact me by mail (tom@lemuria.org) and tell me which country you're in. I am in Germany and I have a couple contacts to pretty good people in several european countries. And if they can't help, they can point you onwards.
Re: (Score:2)
Spam was a problem ten years ago. Get with the times.
Re: (Score:1)
Re: (Score:3)
In all seriousness, there is nothing wrong with publishing an email address. They used to have books that listed everyones phone number, imagine that world.
Re: (Score:2)
His security is so rock solid he isn't worried. Kind of like that lifelock guy and his SS #.
Back in the days when I was doing SELinux work, I did in fact go to conferences, plug down my notebook, get an IP address, pick up a piece of paper, write the IP and the root password on it in large letters and pin it to the wall above my place.
Fun days. :-)
Re: (Score:2)
lol. Where to start?
First, you are an idiot if you think that the common obfuscation stuff will stop harvest bots. Seriously, you are. ;-)
Second, my mail address is all over the net already. It doesn't matter if I post it to one more board. I've had this address for 15 years, it is in publications I've published, websites I run, e-mails, forums, pretty much everywhere.
Third, obfuscation is not security.
Fourth, I didn't advertise my own services, but offered to make contacts, so even if in some strange paral
Re: (Score:1)
Re: (Score:2)
Actually, yes.
Since most security customers doesn't allow the consultant to talk about what he did and for whom, papers and advisories give me an indication of their skills. Or lack of same.
Re: (Score:3)
Not only do I agree with you, but I have an example. Many years ago, I worked at an ISP as a sys admin. It was very early in my career. I had no college experience, and I was starting to learn to program and administer servers.
We were hired by a credit union as security consultants. They needed an audit of their new online banking system. The first thing I did was run Retina against their public server and a few script kiddie tools I had. I found that they had no firewall, an open SQL Server with no sa
Re: (Score:2)
The only thing I can say to that without breaking an NDA is "Yep".
Re: "Yes" (Score:1)
Call myself a toaster? Sure; why not?
Re: (Score:2)
A Minus Minus - Not a Pineapple (Score:5, Funny)
Re:A Minus Minus - Not a Pineapple (Score:5, Funny)
(Nobody suspects the fruit with an antenna)
This was conclusively proven in a Hogans Heroes episode - except it was a WW2-era walkie-talkie hidden in a potted plant.
Re: (Score:1)
I am really not sure what is funnier:
1. "conclusively proven in a Hogans Heroes episode"
2. the Insightful mods that followed
3. "Pineapple" was the nickname for a US handgrade
4. This all rode in on a 93 Escort Wagon
Re: (Score:1)
what! I wanted a wireless enabled fruit! I mean Apple has never produced any wireless or wired apples. Just things with apples on them. A red, apple shaped router would have been awesome and a conversation piece. Just think no one would suppect hacking with a pineapple sitting beside your laptop. (they would just you are crazy in starbucks. Damn, there is the perfect wifi hacking toolcase. A starbucks mug!)
Re: (Score:2)
I was also disappointed by that, but then realized that it is small enough that, with a little creativity, you could put it _inside_ a pineapple.
Cooling might be a minor problem, and the smell of Hawaiian pizza may tip people off to the illicit contents of the fruit basket which was just delivered, but at least it wouldn't need a pineapple-shaped sticker to justify its name.
Re: (Score:2)
Talk about a security device going bad...
Re: (Score:1)
Funny... when I heard it was called a pineapple, I presumed it looked like this:
http://en.wikipedia.org/wiki/File:MkII_07.JPG [wikipedia.org]
Of course, that's not going to help for stealth; I think anyone seeing one of those lying around is probably going to notice, duck and run (and then call out the bomb squad).
Some security experts are idiots (Score:3)
Going a step further, if a Pineapple user is inside a coffee shop (or office location), the research can execute what is known as a "deauth" attack, essentially disconnecting the end user from legitimate access point, then reconnecting him or her to the Pineapple.
However, some security experts say that weaknesses in WiFi and user behavior need to be identified and weeded out in order to make organizations more secure. If the Pineapple is able to help security researchers do that, they say, than it will improve security for us all.
As a user, how the fuck can my behavior be modified to deal with a deauthorization attack?
WiFi has become so stupid simple to use that it leaves us vulnerable, despite all the encryption in the world.
Re: (Score:1)
Use a VPN. Either a paid one or a home one will do. If your connection is encrypted to a known safe point (the VPN provider), then it doesn't matter that they can sniff your traffic. This is why I have my machine set up to disconect from wifi when it can't connect to my VPN.
Mind you, this isn't a solution to the problems of WiFi, but is a solution to that particular attack.
Re:Some security experts are idiots (Score:4, Interesting)
Some? SOME? Most of them are!
Old joke: You can tell by how the techs three-piece suit fits whether he's a hack: If he wears one, he is.
But seriously, it's by no means short of frightening how many quacks and hacks (and I don't mean that as a compliment...) litter the field. Which is quite logical if there is little if any reputable and generally accepted (especially amongst management) certification system. And don't come with things like CISA and the like, I am not looking for a security manager, I'm looking for someone who can actually test a security implementation, not design it.
Now add that the average manager knows little beyond how to plug some device relatively accident free into some hole on his computer and you can easily see how knowledge free idiots who can navigate the surfaces of some "hack tool" (I'll use the term loosely here) can convince said managers that they are "security experts". In the kingdom of the blind and so on...
Re: (Score:2)
The problem is the delusion that managers don't need to know anything about what they manage. It's created a class of basically worthless MBAs that nevertheless get paid more than the people who have a clue what's going on.
Re: (Score:2)
Reminds me of something I saw a while ago during a job interview.
Applicant: Well, what do you do here, anyway?
Boss (surprised): You don't know? You want to work here, right?
A: A good manager can manage everything, no matter what.
B: And a good manager also knows that he should do his homework before getting into a meeting. Thanks for your time, no need to call. NEXT.
Hide your kids, hide your wife (Score:2)
...or just disable auto-join.
Keep an eye out for DEFCON 21 t-shirts in your local coffee shops this next week...
Python offers self-defense against fresh fruit... (Score:1)
3rd Man: You could stand and scream for help.
Sergeant: Yeah, you try that with a pineapple down your windpipe.
3rd Man: A pineapple?
Sergeant: Where? Where?
3rd Man: No I just said: a pineapple.
Sergeant: Oh. Phew. I thought my number was on that one.
3rd Man: What, on the pineapple?
Sergeant: Where? Where?
3rd Man: No, I was just repeating it.
Sergeant: Oh. Oh. I see. Right. Phew. Right that's bananas then. Now the raspberry. There we are. 'Armless looking thing, isn't it? Now you, Mr. Tin Peach.
Convenient, but still overpriced (Score:4, Interesting)
I can see buying one for the convenience of having all the software pre-installed for you, but the specs for the hardware aren't any different than a dozen home WiFi routers, which can run OpenWRT and sell for $40 [amazon.com].
I'd think giving those aging home routers a second life as security tools would be better than everyone buying another new product for twice the price, and eventually throwing both away. I recently added a USB sound card on mine, for use as a streaming audio player.
Re:Convenient, but still overpriced (Score:5, Informative)
No grasp of F/LOSS concept? (Score:5, Informative)
While you claim others "don't get the concept", you seem to have totally missed the cornerstone of how F/LOSS is monetized.
It makes perfect sense for someone knowledgeable and skilled to assemble exactly the right hardware components, and compile+install just the right F/LOSS software components, into an easy-to-use appliance, and sell these at whatever price point the market is willing to pay. People are not paying for the "licenses" they are paying for the labor that went into combining all the supplied pieces together - and perhaps also for getting future support and developmen. In other words people are paying for professional services in a nice and understandable package.
I have no idea why you feel the need to bash this concept with such contempt, but this approach is just about the most popular way to monetize F/LOSS on the planet. It is also shows the clear strengths of F/LOSS: that anyone can take the software, modify it, expand it, improve it, and share it with all other customers without negative impact to the original supplier.
If you want to take the software and install it on a PC, go right ahead. Feel free to install other drivers in the process. Make a laptop-version and share it as much as you like. Go right ahead. But while you may be perfectly willing to spend loads of time on this, others may not. Not all network experts want to mess with assembling their own hardware. Or spend endless nights compiling new versions of [insert-whatever-FLOSS-component-here] just to make a brief packet analysis in the field. It is not trivial to compile and combine all the right F/LOSS products included in the packaged mentioned here and some people are happy to pay someone else to get that job done.
The fact that people are willing to put money on the table for the service and labor this man has produced with F/LOSS software is by no means "retarded". It is a testament to the viability of F/LOSS economy, and clear proof that customer value can be added to F/LOSS without bogging customers down in complex licenses and EULAs.
Ah, damn, I noticed too late you posted as AC. Well, since you won't stand by your words, I guess producing a decent and intelligent answer was a waste of time...
- Jesper
Re: (Score:2)
RedHat and many others do both, and they're very much compatible with open source. Their software is all open source, but you have to pay to get their exact binaries. A great many people do pay.
Their rule-of-thumb is that open source software companies can sustain a price of about 1/10th what a proprietary software company could. So there's very much an opportunity for monetization of open source, just not
Re: (Score:2)
Redhat also monetizes by their use of the "Redhat" trademark. You cannot redistribute Redhat's binaries or source "as-is" because if you do so you are violating trademark law, and they can (and will) sue you. The CentOS project spends a lot of time stripping Redhat's trademarks from RHEL prior to redistributing it as CentOS.
Re: (Score:2)
I don't see how anything you said is relevant to anything being discussed. How does Redhat's trademark change the previous statement:
"Either you give out the source and thereby lose control over its distribution, or you can ask money."
Re: (Score:2)
I don't see how anything you said is relevant to anything being discussed. How does Redhat's trademark change the previous statement:
"Either you give out the source and thereby lose control over its distribution, or you can ask money."
It does not change it. But that doesn't really matter because the statement itself is flawed and untrue.
You are totally free to ask money for F/LOSS while giving away the source and that is exactly what many F/LOSS business do. Customers pay for the software and while they do have the right to rewrite and recompile it all for free they simply choose not to - because the value provided with the software is greater and the price is acceptable for them. Maintaining and compiling software (F/LOSS or not) is com
Re: (Score:2)
Good, then go rant at HIM, not me, dammit. Don't reply to my post (I know... that wasn't you) with some off-topic random discussion about minutia of HOW X does Y, when that's not the topic.
Re: (Score:2)
Sorry, no "rant" was intended and nothing was targeted at you specifically. I had my eyes on the ball, not the man ;-) and I believe my reply simply explains why the statement is false (in a F/LOSS context).
Peace and tranquility to you. :-)
- Jesper
Re: (Score:2)
The statement is that you cannot monetize open source, which is fundamentally incorrect. Redhat has managed to monetize it quite effectively even while giving away their source simply because redistributing Redhat's source "as-is" is trademark infringement and therefore actionable, and modifying it to comply with trademark law is enough trouble as to not be worth it. Thus, Redhat gives out the source, retains control of distribution, and asks for money. Something that the GGP claimed is impossible.
Re: (Score:2)
Then why are you ranting about trademark to me, instead of replying to the GGP? I'm the one who mentioned RedHat as a counter-example in the first place, I hardly need a bunch of people ranting at me about someone else's false claims.
Re: (Score:2)
Still posting as AC ... oh well, some people just won't stand by their opinions I guess.
No. I reject your so-called "cornerstone". You cannot "monetize" infinitely abundant information.
You are mistaken. Ask Redhat. Ask SuSE. Ask Google also, who is absolutely a master of monetizing "infinitely abundant information" and presenting in a way that can be monetized through their specific business model.
You may personally reject it all you want, but reality begs to differ. And while you can off course reject reality itself I really see nothing productive coming from that.
Only the organized crime (like the post-Bill-Gates software sector) that made up the lie about imaginary property to be able to create artificial scarcity and /steal money/ from people, acts like you can.
I don't know why I am even wa
Re: (Score:2)
Re: (Score:1)
*piqued*
I'm not usually a pedant, it's just that your wording broke my brain for a good 5 minutes...
Re: (Score:2)
Of the ten or twelve routers I've bought over the years, only one has had a USB port and it doesn't run Linux. Most of us don't have a useful AP with USB just lying around, even if we are enthusiasts.
Re: (Score:2)
A decent number of people here specifically look for routers that can run some kind of Linux firmware before buying. There's really no reason NOT TO these days, since they're just as cheap as the worst junk hardware. And it's a great fail-safe even if you don't plan to use it, as you're in good shape even if the manufacturer's software is complete junk (like that D-Link).
Re: (Score:2)
A decent number of people here specifically look for routers that can run some kind of Linux firmware before buying. There's really no reason NOT TO these days, since they're just as cheap as the worst junk hardware.
Well, my reason not to has been that I didn't have a cellphone with data, and I buy most of my APs at yard sales. But now I do (albeit GPRS) so I can look up router compatibility...
Re: (Score:2)
The problem with buying random routers off eBay is you never know what you are going to get. Linksys are the worst, often having several very different hardware revisions under the same model number. As such you can't be sure if the one you buy will have the chipset you are expecting, and thus be able to run all the exploits you want and so forth.
For the sake of simplicity I don't think $40 for a guaranteed working and pre-installed solution is at all bad. If you waste an hour with your off-the-shelf router
frsit grammer nazi pozt (Score:5, Funny)
Their what?
Second grammer nazi pozt (Score:1)
Re: (Score:1)
Not seeing your point about the second one. Comma is optional. That is the problem with prescriptive grammarians - half the time they themselves don't understand the rules they try to force on people.
Logging in to say... (Score:1)
I hope it can be used for evil, because "good" these days amounts to a circle jerk with NSA, DEA debauchery. Your privacy is yours to own, and if other people begin to realize how screwed they are maybe they will choose a better path.
You might want to check the security first... (Score:5, Interesting)
Sure, get your wifi pineapple, but I've already got a wifi pineapple buster [wordpress.com].
Already been done - in a coconut (Score:1)
Old news, they have had wireless devices in coconuts for years. Maybe they are expecting better antenna diversity from the rough end of the pineapple, I dunno.
See, http://goo.gl/VoirWo [goo.gl]
Re:Overpriced, have some slightest creativty? (Score:5, Insightful)
Re: (Score:2)
Calling yourself a 'genuine blackhat' and a 'security professional' immediately disqualifies you from both, AND makes you sound like a douche.
Re: (Score:2)
Re: (Score:2)
English, how does it work?
"I always start with the basics and move to more complicated attacks only if I have to. Same as any other genuine blackhat out there."
He's calling himself a 'genuine blackhat'.
easy (Score:3)
Is this a tool that will be used for good â" or for evil?"
Both, like any tool. Next question.
I'm obviously missing something... (Score:1)
I don't know anything about this type of device, but looking in from the outside, the question springs to mind "How is this legal?"
It's for hacking into networks, right? Isn't that against the law, like, EVERYWHERE? It says "Stealth Access Point for Man-in-the-Middle attacks" - that sounds illegal. It also says "Easily concealed and battery powered " - nothing dodgy going on there!
How can this be used for good? Maybe a few people may use it to test the security of their network, but that's clearly not w
Re: (Score:2)
Ban it and someone will release a blank version with the ability to download
Re: (Score:1)
If that's the case, then why not sell bombs in kit form at the show?
It looks like they sold out because they were ready made and you could just pick one up. I doubt a lot of these people would have got one if they had to research it, buy parts, build it, etc.
I can understand government and professional organisations having things like this, but not for them to be unregulated and available to buy from a stall. It seems crazy to me.
Re: (Score:2)
The same way that this assassination weapon, cleverly disguised to fool metal detectors while still providing enough punch to shatter the target's skull [firesafetyplus.com] and this terrorist training handbook [amazon.com] are also legal.
Re: (Score:1)
Yes, very good.
But if the book was actually called a "Terrorist Training Handbook", you might have a point, but the hacking thing is advertised as a device to hide on yourself and to hack with.
Re: (Score:2)
What wrong with summary? It look's fine to me. /s
Retro 2008 (Score:4, Informative)
Wow. This was news when they were released back in 2008. It is interesting to see the devices becoming popular again.
Back in the day they were demoed by putting the little unit and batteries in a novelty plastic cup shaped like a pineapple. The lid had a hole for a straw that was just the right size for a wifi antenna.
You can buy those cups on Ebay and in party stores.