Julian Assange is Tracking Spyware Contractors

Another weapon we have against the state’s surveillance apparatus is Julian Assange. Mr. Assange, through his Wikileaks project, has provided a platform whistleblowers can use to leak information and remain anonymous. Wikileaks has now announced another project called the Wikileaks Counterintelligence Unit, which will attempt to actively surveil surveillance contractors:

The inaugural release zeroes in on 19 different contractors as they travel to countries like Bahrain, Kazakhstan, Spain, and Brazil. The location data displays only a time stamp and a country for each entry, but occasionally displays the message, “phone is currently not logged into the network,” indicating the data likely comes from some kind of cell-tracking service. The contractors in question work for Western companies like Gamma International, designer of the infamous FinFisher spyware tool — and as with previous Wikileaks releases marked as “Spy Files,” readers will also find marketing brochures for surveillance products to intercept and monitor web traffic.

I think this is a great idea and needs to be expanded. It would be great if we could eventually do to the surveillance apparatus what it has done to us. Imagine a world where anybody working to spy on us, whether they be private contractors or public National Security Agency (NSA) employees, was being spied on 24/7. Perhaps losing all sense of privacy would be enough to discourage people from working for these bastards.

3D Printed Skin

The technology industry makes me happy. While politicians run around trying their damnedest to wreck everybody’s life the technology industry is busy trying to improve everybody’s life. One of the most interesting technologies that looks to change our society is 3D printers. Taken to its logical conclusion, 3D printer technology stands to decentralize a great deal of manufacturing and medical care. The manufacturing side of 3D printers is discussed frequently but the technology’s applications in the medical field are less publicized. For example, I haven’t read about the fact that scientists at Wake Forest University have printed skin onto a burn victim:

Scientists have developed a method of 3D printing new skin cells onto burn wounds at Wake Forest University’s Military Research Center. The method is far superior to traditional skin grafts because regular grafts require skin from a donor site somewhere on the patient’s body. Taking skin from a donor site is painful and sometimes the patients do not even have enough unburned skin to transplant.

Wake Forest accomplishes the skin printing by way of laser scanning and a modified inkjet printer. The laser scans the patient’s burn and that information gets translated into a personalized plan for filling the wound up with cells. Then the inkjet printer lays down the cells individually, one layer at a time until the burned area is completely covered.

Imagine a day when entire organs can be printed. No longer will people in need of transplants have to worry about a lack of potential donors.

Careful What You Plug Your Phone Into

I’ve often said that I would enjoy putting several phone charging stations in an airport or mall that would exploit whatever phone was plugged into them. As it turns out, I’m not the only one with such demented ideas:

This news couldn’t wait for the Black Hat conference happening now in Las Vegas. We reported in June that Georgia Tech researchers had created a charging station that could pwn any iOS device. The full presentation revealed precise details on how they managed it. I’m never plugging my iPhone charger into a USB port in a hotel desk again.

This is a potential vulnerability with any device that is capable of receiving data over its power input. Most smartphones, and many dumb phones for that matter, use a Universal Serial Bus (USB) port to transfer data and charge the battery. Manufacturers often assume the USB port, being a port that requires physical access, is secure and doesn’t need much in the way of verification or validation (although this attitude is slowly changing), which makes the transfer of malicious software relatively easy. Just because a port requires physical access doesn’t mean one can do away with security measures. It’s trivial to convince most people to plug their phone into a random USB port (just claim that they’re plugging it into a phone charger).

Social engineering, the art of tricking somebody into doing something for you, is probably the most effective security bypassing mechanism. You may not have access to a machine you want to exploit but chances are you can convince somebody who does have access to grant you access. For example, gaining access to a phone is often as easy as asking the person with the phone if you can make a phone call. If you make an effective story that appeals to the owner’s emotions, chances are high that they’ll hand you the device.

One of the most entertaining rooms at Defcon this year was the Social Engineering Village. Inside they had a phone booth where competitors would call various businesses and try to use social engineering to pump important information out of employees. The tactic worked frighteningly well. During one of the times I popped in the competitor had a man on the phone spilling his guts about the entire network setup for his company. Trickery works.

The Feds Want Everything

The federal government sure is a grabby little bastard. First it taps all of our phones and Internet connections and now it’s demanding passwords and Secure Sockets Layer (SSL) certificates. Let’s start with their demands that online service providers hand over their customers’ passwords:

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

“I’ve certainly seen them ask for passwords,” said one Internet industry source who spoke on condition of anonymity. “We push back.”

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies “really heavily scrutinize” these requests, the person said. “There’s a lot of ‘over my dead body.’”

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

The difficulty of handing over user passwords is that any system administrator worth his salt (pun intended, deal with it) only stores a hash of the password. For those of you who don’t know, a hash is the result of a one-way algorithm. You put some text in and the hashing algorithm gives you some output. Ideally, the input cannot be recovered from the output and the algorithm gives a different output for each unique input. Salts are often added to the input of the hashing algorithm to trip up word list attacks, since the added data produces a different output than hashing the clear text password alone.

Assuming the system administrator or software developer properly implemented this system (which is difficult to do), receiving the password hashes would do the federal government very little good. They may be able to reverse individual passwords given enough time and computing power but it’s almost certainly outside their capabilities to reverse every user’s password. I would be less concerned about the federal government receiving and reversing my password than I would be about it performing rubber-hose cryptanalysis on it.
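The salted storage described above, next to the unsalted scheme it replaces, as an added example that is not code from this post. The account names, passwords, word list and PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune for your hardware


def unsalted_hash(password: str) -> bytes:
    """The weak scheme, for contrast: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).digest()


def new_record(password: str) -> dict:
    """What a server stores per user: algorithm, salt, derived hash. No password."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS, "salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iter"])
    return hmac.compare_digest(digest, record["hash"])


def shared_hash_groups(hashes: dict) -> list:
    """Accounts whose stored hashes are byte-identical (same password visible)."""
    groups = {}
    for user, digest in hashes.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def table_hits(hashes: dict, wordlist: list) -> dict:
    """Look each stored hash up in a table of unsalted hashes computed once."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[d] for user, d in hashes.items() if d in table}


# Constructed sample data: alice and carol picked the same password.
ACCOUNTS = {"alice": "correct horse", "bob": "tr0ub4dor&3", "carol": "correct horse"}
WORDLIST = ["password", "letmein", "correct horse"]

WEAK_STORE = {user: unsalted_hash(pw) for user, pw in ACCOUNTS.items()}
SALTED_RECORDS = {user: new_record(pw) for user, pw in ACCOUNTS.items()}
SALTED_STORE = {user: rec["hash"] for user, rec in SALTED_RECORDS.items()}

if __name__ == "__main__":
    print("unsalted, identical hashes:", shared_hash_groups(WEAK_STORE))
    print("unsalted, table hits:      ", table_hits(WEAK_STORE, WORDLIST))
    print("salted, identical hashes:  ", shared_hash_groups(SALTED_STORE))
    print("salted, table hits:        ", table_hits(SALTED_STORE, WORDLIST))
    print("login still works:         ", verify(SALTED_RECORDS["alice"], "correct horse"))
```

With a per-account salt, a table computed once matches nothing and identical passwords no longer share a hash, so each account has to be worked on separately at the full iteration cost.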

The other thing the federal government has apparently been demanding from online service providers is their SSL private keys:

The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping.

These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.

If the government obtains a company’s master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption — which often appears in a browser with a HTTPS lock icon when enabled — uses a technique called SSL, or Secure Sockets Layer.

“The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

Having a service provider’s SSL private keys would allow a malicious individual to intercept and decrypt any SSL secured traffic going to or coming from a service provider’s network. This concern could be put to rest if service providers began implementing forward secrecy (which I enabled on this site beginning last month). Forward secrecy negotiates temporary session keys for SSL connections. The temporary keys are used to encrypt and decrypt data going between a service provider and a customer. After the session concludes the keys, at least ideally, are to be disposed of. Implementing forward secrecy means that an attacker is unable to decrypt SSL secured traffic even if they are in possession of the correct private key. Unfortunately, as a recent study by Netcraft noted, very few service providers currently implement forward secrecy (leading one to wonder why a guy operating a free blog is able to implement security technologies before multi-billion dollar corporations). It would be wise, especially in light of recent developments, to put pressure on service providers to implement forward secrecy.
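One way to check a server configuration for forward secrecy, as an added example that is not this site's actual configuration. It assumes Python's `ssl` module backed by OpenSSL and OpenSSL's cipher naming, and the two cipher strings are illustrative choices.

```python
import ssl


def is_forward_secret(cipher: dict) -> bool:
    """True when the suite negotiates temporary (ephemeral) session keys.

    `cipher` is one entry from SSLContext.get_ciphers(). TLS 1.3 suite names
    carry no key exchange; certificate-based TLS 1.3 handshakes always use
    ephemeral (EC)DHE, so they count as forward secret here. Anything else,
    including anonymous ADH/AECDH suites, is reported conservatively.
    """
    if cipher["protocol"] == "TLSv1.3":
        return True
    return cipher["name"].startswith(("ECDHE-", "DHE-"))


def non_forward_secret(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites whose traffic a leaked private key would expose."""
    return sorted(c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c))


def legacy_context() -> ssl.SSLContext:
    """Weak setting: RSA key exchange allowed, session key protected by the
    server's long-term private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("kRSA:ECDHE+AESGCM")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: only ephemeral ECDHE key exchange below TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed entries in the shape get_ciphers() returns, for the classifier.
SAMPLE_RSA_SUITE = {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2"}
SAMPLE_ECDHE_SUITE = {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"}

if __name__ == "__main__":
    # What the legacy list contains depends on the local OpenSSL build/policy.
    print("legacy, not forward secret:  ", non_forward_secret(legacy_context()))
    print("hardened, not forward secret:", non_forward_secret(hardened_context()))
```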

While it’s annoying that the federal government has become a surveillance state, there are technologies that allow us to mitigate many of their demands. We live in a world where the spying powers of the state are incredible but the power to avoid surveillance is also very powerful. The state is a collection of a handful of individuals fighting the rest of the world. With such high odds against it, the state will be unable to win in the long run.

The Nintendo Entertainment System Turned 30

I never thought I’d post this many video game related articles in one day but I learned that the Nintendo Entertainment System (NES) turned 30 yesterday, making it the same age as me.

The NES was the first video game system I ever owned and I probably spent more time playing that thing than I should admit (in my defense I grew up in a small town with nothing to do). It was kind of cool to learn that it’s the same age as I am.

Apple’s Worldwide Developers Conference 2013

Yesterday Apple held its Worldwide Developers Conference (WWDC) and announced a slew of new software and hardware. Most notable were the introductions of a new Mac Pro and iOS 7. Of course Apple also unveiled a new version of their desktop operating system, OS X. OS X 10.9 no longer follows the traditional naming convention of large cats; instead 10.9 is called Mavericks. Frankly, I think it’s a stupid name but the name really is irrelevant. What is relevant are the features.

The first feature Apple announced in 10.9 is proper multi-monitor support. Yes, Apple has finally joined the 1990s. No longer are users relegated to a menu bar and dock only on one screen and users can now have a full-screen application running on each monitor! All I can say is that it’s about fucking time.

OS X will also include Apple Maps. What does this mean for consumers? It means they can get the same shitty directions on OS X as they get on iOS and even transfer those shitty directions from their Mac to their iPhone or iPad.

iBooks will also be included in OS X. Mac users can now not read the books they didn’t buy in the iBooks Store because they were too busy buying them from the Amazon Kindle Store. As you can tell I’m absolutely ecstatic about this announcement.

That’s basically it. Apple did talk about new Safari features but nobody uses Safari so nobody cares what features are included in it.

Switching over to more exciting things Apple also announced new MacBook Airs. The new Airs are based on Intel’s new Haswell processor, which means the battery life is mind blowing. Apple claims the 11-inch Air will get 9 hours of battery life and the 13-inch will get 12 hours. Even if those claims are exaggerated and the 11-inch only gets 7 hours and the 13-inch only gets 10 hours those numbers are fucking impressive.

Hell hath also frozen over because Apple has finally announced a new Mac Pro. The new Mac Pro is an impressive piece of hardware. It’s no longer a large box. Instead the computer is shaped like a cylinder with a crap load of ports on the back of the device. It also includes new Xeon processors that are 256-bit, which I didn’t even know existed. The rest of the specs are equally impressive. In the end the new Mac Pro was probably the best thing that was announced. Sadly it’ll probably cost $5,000 because of the obviously alien technology included in the case.

I also mentioned the new version of iOS was announced. The biggest difference between iOS 6 and iOS 7 is the graphical interface. Apple gave iOS a complete overhaul. The shitty skeuomorphic applications are finally gone; replaced with flat icons in pastel colors. I’m not sure if I’m wild about the color scheme since it looks like the Easter Bunny vomited all over the screen but I’ll take a new design that looks a little nutty over the old design that I was getting bored of.

iOS 7 also includes a new feature called Control Center. Control Center is a small dashboard that allows users to quickly disable wireless interfaces, adjust the phone’s volume, adjust the screen brightness, and several other features Android users have been enjoying for ages. I’m glad Apple has finally joined the party; it would have been better if they arrived on time.

There are also some unspecified multitasking features. I hope this means applications can have some limited access to network resources while sitting in the background but I’m guessing the implementation won’t be as good as I’m hoping. I’ll have to play with this feature before I make any ruling. On the upside Apple has finally copied WebOS’s app switcher, which was basically the best app switcher implemented in smartphone history.

The other iOS features were pretty minor in my opinion. It was good to see Apple didn’t announce any new iPhones or iPads. Why is this good? Because it means iOS 7 won’t be gimped on my iPhone 5. I hate downloading a shiny new operating system only to find out various features are disabled.

Overall this is the first product announcement Apple has done in a while that impressed me. Granted the only thing that really impressed me was the new Mac Pro but impressed I was. I may not be as impressed when I see the price tag but that’s another story.

The Implications of Hardware Attacks on Phones

A story has been circulating amongst the various Apple blogs regarding an iOS hardware exploit:

Careful what you put between your iPhone and a power outlet: That helpful stranger’s charger may be injecting your device with more than mere electrons.

At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple’s iOS.

Though the researchers aren’t yet sharing the details of their work, a description of their talk posted to the conference website describes the results of the experiment as “alarming. Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” their talk summary reads. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

Surprisingly most of the Apple blogs I’ve read have written this exploit off as a minor issue. I’m not sure if the people writing off this exploit are just zealous Apple fans who refuse to acknowledge any flaw in their favorite company’s products or if they lack imagination but the severity of this flaw, if it works as advertised, shouldn’t be understated.

While the risk of a hacker loading malicious software onto your phone through a physical cable is relatively low the risk of the state doing the same is relatively high. Various police departments have been advertising that they possess devices that can download data off of cell phones. In practice such a device can be used to obtain the contents of a person’s phone upon detainment but that’s about it. But combine that concept with sneak and peek warrants and now you have an interesting issue. During the execution of a sneak and peek warrant law enforcement officers can enter your home, search it, and not inform you that they’ve performed the deed. It wouldn’t take much to use a hardware device to load surveillance software onto your mobile devices during one of these searches. Once that’s done it’s possible that the phone could be used as a remote monitoring system to capture conversations by turning on the microphone, images of the area you’re in by activating the camera(s), and everything you type via key logging software.

I still question whether this exploit works with every iOS configuration. The exploit could be reliant on either the 30-pin or Lightning connector, it may not operate at all if the device’s contents are encrypted, etc. But the exploit could be effective enough for state agents to load surveillance software onto most iOS devices, which makes it a notable threat that shouldn’t be written off as a minor issue.

On the less frightening side of things it will be interesting to see what the jailbreaking community does with this exploit. It’s possible that the exploit could offer an easy way for iOS users to jailbreak their devices. If that is the case I also expect Apple to fix the problem quickly since they’ve done a remarkable job at fixing holes used by the jailbreaking community.

Ron Paul Found Guilty of Reverse Domain Name Hijacking

Earlier this year Ron Paul decided to ignore the free-market principles he usually advocates and attempted to seize the domain names RonPaul.com and RonPaul.org from their current owners. The World Intellectual Property Organization (WIPO), the organization Ron Paul filed his complaint with, not only agreed that the current owners of RonPaul.com and RonPaul.org should be allowed to maintain their ownership but the organization also found Mr. Paul guilty of reverse domain name hijacking:

The owners had offered to sell RonPaul.com to Paul but also offered to give him RonPaul.org as an alternative if Paul didn’t want to buy the .com. Since Paul filed a UDRP against RonPaul.org after the owner offered to give it to him for free, the panel found the case to be reverse domain name hijacking.

Respondent has requested, based on the evidence presented, that the Panel make a finding of Reverse Domain Name Hijacking. In view of the unique facts of this case, in which the evidence demonstrates that Respondent offered to give the Domain Name ronpaul.org to Complainant for no charge, with no strings attached, the Panel is inclined to agree. Instead of accepting the Domain Name, Complainant brought this proceeding. A finding of Reverse Domain Name Hijacking seems to this Panel to be appropriate in the circumstances.

The panel did not find reverse domain name hijacking in the RonPaul.com case (pdf), but determined that Paul did not prove a lack of rights or legitimate interest in the domain by the respondent. As a result, the panel ruled the domain name should remain with its current owner.

Libertarian ethics usually grants property ownership to the first claimant. If you come across a piece of land that isn’t in use and hasn’t been “improved” by somebody you can mix your labor with the land to claim it as your own. Since Mr. Paul is a strong advocate of libertarianism it’s rather ironic that he decided to make an attempt to grab RonPaul.com and RonPaul.org from the first claimants. Free-market principles would state that Mr. Paul should have purchased the domain names for the asking price or negotiated a more favorable price. I commend the WIPO for ruling in favor of the current holders instead of the more famous individual.

My YaCy Installation

I mentioned YaCy, the distributed search engine, yesterday and managed to get a working prototype server online. If you’re interested in trying it out you can do so by navigating your web browser here. As it currently stands I’ve only indexed this blog, meaning most of the search results on the first page will be from here. Another thing to note is that crawling and indexing sites takes a notable amount of computing power so the search page becomes unresponsive during those operations (it’ll throw a “504 Gateway Time-out” error).

Feel free to play with it and let me know what you think. I’ll be tweaking it periodically throughout the week so it may be down from time to time. Also, I know the search results aren’t going to be nearly as good as those provided by Google or Microsoft but it’s a fairly young system and still growing. Right now you should just assume my setup is a prototype.

YaCy

I’m a big fan of decentralized technologies. In my quest to decouple myself from the major corporations that seem inclined to wage war on the Internet I’ve been looking high and low for a search engine not run by Google or Microsoft. My quest has finally provided some fruit in the form of YaCy.

YaCy is a peer-to-peer search engine that can be run on Windows, Linux, or OS X (technically, since it’s written in Java, it should also run on other platforms). Instead of relying on centralized entities to crawl and index the Internet YaCy relies on each peer. I’ve set up a test server running YaCy to see how well it works and so far it shows promise. Granted, the search data isn’t nearly as complete as Google or Microsoft’s data at this point but that will almost certainly improve over time. YaCy doesn’t do as good of a job at ranking search criteria based on how useful it is (at least in the eyes of whatever search algorithm is being used) but that is likely to improve in time as well.

With those criticisms aside, and considering the limited amount of time I’ve had to play with it, YaCy does have one major advantage over Google or Bing: there is no central authority. States rely on central authorities they can coerce into removing data when they want to enforce their archaic censorship laws. If no central authority exists it becomes much harder to enact censorship, which is where my primary interest in YaCy derives.

I’m planning to make the search interface publicly accessible in the near future so you guys can test it out. While I won’t promise a replacement for Google or Bing I will promise an interesting technology that’s worth experimenting with.