Posts by Pablo Endres

IoT Makerthon

At the end of March 2017, I participated in an IoT Makerthon (Hackathon) at my co-working space in Cologne.

The turnout was not what I expected, we were only approx. 15 participants. Considering it was planned on a Monday in working hours the only people who could attend were those who were either sent by their day job or those who could take the day off.

After a quick round of introductions, we started brainstorming on what ideas we wanted to implement. Everyone got one vote and those with the most votes would be worked on by the groups.  I’ll talk more about the projects later on.

Before breaking into projects, we had some jumpstart sessions with both sponsors to get their platforms and their capabilities:

  • QLOUD with thier IoT platform
  • ubirch presented the calliope-mini microcontroller, which they helped design, and a short introduction to LoRa and LoRaWAN
calliope-mini QLOUD IoT Developer Set
calliope-mini QLOUD IoT Developer Set

Then we broke into teams and started working on the projects. Here are the results that were achieved:

Bridge Measurement: In MediaPark there is a bridge, and we thought it would be cool to be able to measure its usage by means of its movement. So based on the readings of the accelerometer on the calliope-mini, we did just that. Movements were sent via LoRa to the the things network which then can be used for further processing or consumption by someone else. For predictive maintenance.

This slideshow requires JavaScript.

Air Quality: For the open space rooms in Startplatz it is good to have a friendly reminder to open the windows now and then to provide fresh air. So by connecting Seeed Grove Air Quality Sensor to the calliope-mini we managed to find an appropriate quality value to send a visual and auditive reminder.

Foosball Table (Kickertisch): We have a great (professional) Foosball table at Startplatz. We decided it would be useful to be able to monitor when it was in use, call for additional players and for a quick tournament. Using a couple of calliope-mini’s, we setup the first to measure movement on the table. When use is detected it sends a message using BLE to a second calliope (used as a digital board) to signal that the table is busy. By pressing the buttons on the first device signals are sent to call for players or a quick tournament. Of course we had to connect to the things network and based on that info tweet the information on the board, using node-red. The code to this can be found here.

Monitor walk-in meeting rooms: we have walk-in meeting rooms, that cannot be booked and should only be used for max. 1 hour. Some members overstay their welcome in these rooms so we setup the QLOUD box with a sensor for the door, a movement sensor, and a siren. With that we can give the member a kind reminder that is time’s up. This all feeds to their IoT backend to create statistics and be able to see it on a dashboard.

I for one, think it was a great day. I got to know lots of interessting people, got my hands on new technology and even got a starter kit from QLOUD (Thanks again to Christian and Daniel)

The session was followed by a TV crew. There is condensed video in the ZDF Mediathek in German. It starts at 9:50 and ends on 14:45

Before I close this article, I would like to reflect on how much prototyping can be done with these inexpensive kits. Especially if you consider that no one had to do much programming in any language, but rather drag-and-drop.

Links of the week


I’ve been sending myself emails with links at the end of the week for some time now and I’ve decide to share this list of curated links. These links are to articles that I have run by during the week, that at least when I decided to set them aside, had the value for them to be revisited, shared or stored.

The topics vary a lot, depending on what I ‘m working on or am interested at a given point or what I run into.

So without further delay here is the first edition

Keep Reading →

Who signed the .apk file?

After a while searching for an older version of an App from the Play Store, I finally found the version I wanted and downloaded it.
In order to install it, you have to “Allow the installation from unknown sources”. So there goes the chain of trust for the app.


So how do you know:

  • Where did the app came from ?
  • Did someone plant Malware in it?
  • Can I trust it?

These are cases for your trusted cryptographer or in the case your certificates.

Basically you need fo follow these steps:

# Dump the apk information
$ANDROID_HOME/build-tools/23.0.0_rc2/aapt dump badging |grep package

# verify the signer
jarsigner -verbose -verify |less

# Verify that all files have been signed with the same key
jarsigner -verbose -certs -verify |less


Error -505 while installing Android App

I’ve had the DB Navigator app trying to update itself for the last 3 to 12 months, but hadn’t really put some time into figuring out why it didn’t work.  If figured I was not the only one affected so they would fix it themselves someday. Since that never happens, I took some time and wrote this post.

In a nutshell the problem is that the ticket database was owned by another DB app: de.bahn.dbtickets. I uninstalled it and then could update / re-install the DB Navigator app.

How did I figure this out?, you say

  1. Enabled developer mode on my phone
  2. Connected to it and used adb logcat to see the logs
  3. Tried to install the app
  4. Found this in the logs

E/Finsky (28878): [1] PackageInstallerImpl.handleCommitCallback: Error -505 while installing INSTALL_FAILED_DUPLICATE_PERMISSION: Package attempting to redeclare permission de.bahn.dbtickets.permission.WRITE_DB already owned by de.bahn.dbtickets
W/Finsky (28878): [1] 3.installFailed: Install failure of -505 null

So the highlighted part is what told me the problem.

Have fun.

Security mindset reviewed by Matty Beddoes

I normally try to post only original content, but I ran into an interview with Matty Beddoes at Tripwire THE STATE OF SECURITY which is worth sharing. It is a good reminder that security is not just about controls and suits but also about hacking (learning driven by interest) and having the correct mindset really helps.

Here is the money quote:


It’s never a good idea to mess with a 16-year-old, especially one who can use a computer to cause chaos. Honestly, if they had said “Thank you,” things might have turned out differently. But they didn’t.

Sadly, that’s not a unique reaction in today’s industry. In fact, I find that IT staffs generally do not want their managers to know of a vulnerability for fear of looking bad at their jobs. This creates an unhealthy environment where no one wants to hear about vulnerabilities. If you talk to the staff, they will just ignore you, and if you contact the manager, they will take it personally and think you’re criticizing their staff. You’re blocked either way.

This problem is found all over the place but it usually changes after a company has been hacked. And that’s where I came in.


I have also seen this attitude a lot, although I welcome the people that find themselves at the other side of the engagement and see the opportunity that it being given to them to learn and grow..  event make a business or career out of the experience.


old time radio
At the end of last year a friend gave my contact information to a radio producer with an interesting project. She wanted to learn as much she could as you can from a person through different means:

  • Getting his writing analyzed
  • Getting his voice analyzed
  • Using a private detective to follow him for a couple of days
  • And of course the digital perspective (which is where I tried to pitch in)

Basically we had a target (which gave us written permission to hack him and his systems) and the idea was to go, collect all the information we could from his online presence, hack any of his accounts and / or his personal computer. One of the things we had in mind, was since “the Target” was one of the producers, is that we didn’t want to kill any of his devices.

Keep Reading →


I just released a set of scripts that come in handing when creating clean images for virtual environment, heck you can even use it for cloud images.

What they do is:

  • clear all the logs
  • clean up the networking scripts, because the normally get references to the mac address in CentOS
  • clean up the repository files
  • in some cases create a root user

There are scripts for: CentOS 6, Debian and OpenSuse.

They can be be found in the tools section or in github.

Workshops in Cologne

I’m going to be giving to workshops in Cologne in July, with what I think are really fun topics: WordPress Security and Hands-on security for beginners.

So embrace this opportunity to learn some hacking or security for a one time only startup friendly price

Keep Reading →

Horizon and cookies

I’ve been working with the Havanna release of OpenStack the last couple of days and ran across a default setting that should be avoided in any deployment: using cookies as the session backend.

The source of the problems has been known at least since October 2013  in Django and other frameworks: clear-text client-side session management.
There is even OSVDB entry and Threatpost covered it in an article.

Keep Reading →

Launch of Practical security

This is a topic that I have been thinking about for a long time and finally started creating some content for it. The idea is to create a series of posts, workshops and presentations that will help create security awareness at many levels. The topics will go across the board but I will be starting with those I think will have a greater impact in reducing the amount of low-hanging fruit out there.

Keep Reading →