Raspberry Pi Bitcoin Miner

As those of you reading know, I’m a big fan of Bitcoin and a big fan of the Raspberry Pi. It was only a matter of time until I decided to follow in the footsteps of many and set up a Raspberry Pi Bitcoin miner. In an unrelated Amazon search I noticed that the ASICMiner Block Erupters had come down in price (they sell for $29.98 on Amazon’s main page but cheaper units can be had from other Amazon vendors) so I decided to order a couple.

Mind you, nobody is going to get rich off of a Block Erupter. My desire was to experiment with them. I’ve often wondered how much a somewhat decent miner could be built for. Combining cheap Block Erupters with cheap Raspberry Pis seemed like an excellent way to build an affordable miner (with the acknowledgement that the setup was unlikely to pay for itself). I followed the setup guide on Adafruit and was mining Bitcoin in minutes. What follows are some issues I ran into.

First, my Raspberry Pi wasn’t able to provide reliable power to both modules. This wasn’t unexpected. While the Pi could run one Erupter without any issue, the second one would periodically die from loss of power. The mining application I used, cgminer, continuously notified me of hardware errors. Fortunately, I have a second Raspberry Pi that runs my Tor relay, so I unplugged the second Erupter from the first Pi, plugged it into the second Pi, and got it up and running without any trouble. The obvious solution to this problem is to purchase a powered USB hub.

Second, Block Erupters run hot. I learned this lesson when I went to unplug my second Erupter from my first Pi. If you’ve been running an Erupter make sure you give it time to cool down before touching it (or be impatient, like me, and grab some gloves). You will also want to invest in a small fan to keep your Erupters cool. This USB powered fan has been recommended by several people and costs all of $8.00.

Third, as I feel this needs to be pointed out, setting up a mining rig isn’t the most efficient way to acquire Bitcoin. Sites like Coinbase are better sources. The amount of Bitcoin you can mine with an Erupter isn’t going to pay for the hardware for quite some time (even before factoring in the cost of electricity, fans, powered hubs, etc.). I’m pursuing this project for fun and to satisfy my curiosity. When I need to acquire Bitcoin in usable quantities I tend to buy from sellers.

Fingerprint Folly

It was only a matter of time before somebody found a way to crack the fingerprint reader on the iPhone 5S. Coming in as the first group to publicly announce a bypass is the Chaos Computer Club (CCC), which has a habit of breaking security systems:

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

[…]

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

I’ve never been a fan of biometrics. While it’s true that features unique to a person can be used to uniquely identify that person, it’s also true that, as Frank Rieger of the CCC pointed out, one cannot change their biometrics:

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC.

If you can’t change your authentication token and somebody compromises that token, things aren’t going to end well. Fingerprints are especially bad tokens because they can be lifted from many of the surfaces we touch. An authentication token isn’t very secure when you effectively hand a copy of it to everybody you meet.

With that said, if Apple’s fingerprint reader is convenient enough that people actually use it, it will have served its purpose. An unchangeable token that you leave everywhere you touch isn’t great, but it’s better than no authentication whatsoever.

Bitmessage

Since I just spent a post bitching about the ineffectiveness of e-mail I think it’s time to discuss alternatives. In my pursuit to find methods of secure communications I’ve stumbled across an interesting piece of software called Bitmessage. Bitmessage caught my attention because it attempts to fulfill several goals I have when looking for an e-mail replacement. First, it’s decentralized. There are no central servers running the Bitmessage network. Instead the Bitmessage network is similar to Bitcoin in that messages are broadcast (in an encrypted form) throughout the entire network.

The second feature that interests me is Bitmessage’s pseudo-anonymity. Bitmessage, like Bitcoin, is built on public-key cryptography. Users create a keypair and the public key is hashed, which gives you an identifier that others can use to communicate with you; nothing in that identifier ties it to a real name unless you link the two yourself. All messages sent to you are encrypted with your public key so only you, the holder of the private key, can decrypt and read them.

That leads me to the third feature of Bitmessage that interests me, an attempt to use strong cryptography. All messages in the Bitmessage network are encrypted using public-key cryptography, which makes snooping on communiques in transit extremely difficult. One of the weaknesses I’ve noted in most potential e-mail replacements is a tendency to send communiques in plain text. Most instant messenger servers, for example, relay all messages in plain text so anybody on the path can easily listen in.
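To make the identity and message model concrete, here is an added illustration (my own sketch, not code from Bitmessage or PyBitmessage) of the three ideas above: a keypair on secp256k1, the curve Bitmessage and Bitcoin both use; an address that is nothing but a hash of the public key; and an ECIES-style encryption where a fresh ephemeral key is combined with the recipient’s public key so that only the holder of the private key can recompute the shared secret. Everything is Python standard library. Two simplifications are labelled in the comments: the address derivation drops the version, stream, checksum and base58 encoding of real Bitmessage addresses, and a SHA-256 keystream stands in for the AES layer of real ECIES. The curve arithmetic is not constant time and is for reading, not for production.

```python
import hashlib
import hmac
import os

# secp256k1 domain parameters, the curve used by both Bitcoin and Bitmessage.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + 7 (mod P).  Check every point received
    from a peer before using it in ECDH; otherwise an invalid-curve point
    lets the sender learn bits of your private key."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0


def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def generate_keypair():
    d = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1   # 1 <= d < N
    return d, _mul(d, G)


def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def address_for(pub):
    """The identifier others use to reach you is a hash of the public key, so it
    commits to the key and carries no name.  Simplified stand-in: real Bitmessage
    addresses also fold in a version, stream number and checksum and are
    base58-encoded with a BM- prefix."""
    return "id-" + hashlib.sha256(hashlib.sha512(point_bytes(pub)).digest()).hexdigest()[:40]


def _keystream_xor(key, data):
    """XOR data with SHA-256(key || counter) blocks.  Stand-in for the AES layer of
    ECIES; acceptable here only because every message gets a fresh ephemeral key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(recipient_pub, plaintext):
    """ECIES-style: ephemeral e, R = e*G, shared point = e*Pub.
    Output layout: R (64 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes)."""
    if not on_curve(recipient_pub):
        raise ValueError("recipient public key is not on secp256k1")
    e, r_point = generate_keypair()
    shared_x = _mul(e, recipient_pub)[0]
    keymat = hashlib.sha512(shared_x.to_bytes(32, "big")).digest()
    enc_key, mac_key = keymat[:32], keymat[32:]
    body = point_bytes(r_point) + _keystream_xor(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt(priv, blob):
    """Only the private-key holder can recompute shared = priv*R = priv*e*G."""
    if len(blob) < 96:
        raise ValueError("message too short")
    r_point = (int.from_bytes(blob[:32], "big"), int.from_bytes(blob[32:64], "big"))
    if not on_curve(r_point):
        raise ValueError("ephemeral point is not on the curve")
    body, tag = blob[:-32], blob[-32:]
    shared_x = _mul(priv, r_point)[0]
    keymat = hashlib.sha512(shared_x.to_bytes(32, "big")).digest()
    enc_key, mac_key = keymat[:32], keymat[32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad MAC: wrong key or tampered message")
    return _keystream_xor(enc_key, body[64:])


if __name__ == "__main__":
    alice_priv, alice_pub = generate_keypair()
    print("alice's address:", address_for(alice_pub))
    blob = encrypt(alice_pub, b"hello over the broadcast network")   # constructed message
    print("decrypted:", decrypt(alice_priv, blob))
```

Because every node sees every encrypted message, the only thing that distinguishes "your" messages from the flood is whether your private key yields a valid MAC; the address itself never appears on the wire, which is where the pseudo-anonymity comes from.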

Bitmessage isn’t perfect by a long shot. The software is obviously in an alpha stage. I could only find a pre-built Windows client on Bitmessage’s website and an unofficial pre-built OS X client after some digging. Installing Bitmessage is probably more work than most people want to go through. Another problem with Bitmessage is that no independent security audit has been performed on the network or the client (although a request for such an audit is on the front page of Bitmessage’s wiki). Without a security audit there is no way to know how secure Bitmessage really is. But these are problems that plague every new piece of software. One should approach Bitmessage as a proof of concept that promises to deliver great things in the future.

If you’re interested in testing Bitmessage with me my address is BM-2D95ncE8da721wVxQzcA3QEhjrg2MGFjka.

Laugh of the Day: White House Telecom Adviser Proposes Privacy Code of Conduct

The National Telecommunications and Information Administration, the top telecom adviser to the White House, has laughably proposed a code of conduct for apps:

WASHINGTON — Assistant Secretary of Commerce for Communications and Information and NTIA Administrator Lawrence E. Strickling issued the following statement on the multistakeholder process to develop the first privacy code of conduct aimed at improving disclosures on mobile devices.

“NTIA is pleased that today a diverse group of stakeholders reached a seminal milestone in the efforts to enhance consumer privacy on mobile devices. We encourage all the companies that participated in the discussion to move forward to test the code with their consumers. I want to congratulate all of the participants, who through their commitment and dedication have demonstrated the promise and importance of the multistakeholder policy-making process.”

What makes this laughable is the fact that any privacy policy that is developed will almost certainly take the form of “Signatories to this contract agree to share no personal information about users with anybody, except the National Security Agency (NSA), for whom it will be mandatory to share with.”

The Nintendo Entertainment System Turned 30

I never thought I’d post this many video game related articles in one day but I learned that the Nintendo Entertainment System (NES) turned 30 yesterday, making it the same age as me.

The NES was the first video game system I ever owned and I probably spent more time playing that thing than I should admit (in my defense I grew up in a small town with nothing to do). It was kind of cool to learn that it’s the same age as I am.

Feds Asked to Avoid Def Con

In a rather hilarious turn of events Dark Tangent, the organizer of the Def Con security conference, has kindly asked the Feds to avoid the event:

The request was posted to the main Def Con webpage by Jeff Moss, the founder of the hacking conference.

In the past, he said, the convention had been an “open nexus” where government security staffers and law enforcement agents could freely mix and share ideas with the other hackers, researchers and security professionals that attended.

“Our community operates in the spirit of openness, verified trust, and mutual respect,” he said, a state of affairs that had led to an exchange of information that had seemed mutually beneficial.

However, wrote Mr Moss, many people now questioned that free exchange of ideas in the wake of ongoing disclosures about the US National Security Agency’s Prism programme, which, since 2007, has been scooping up huge amounts of data about people’s online activity.

As a result, “it would be best for everyone involved if the feds call a ‘timeout’ and not attend Def Con this year,” he wrote.

I guess this year’s Spot the Fed contest will be far more exciting than in years past. It also stands to reason that any employee of a federal agency will receive extra special attention from any black hat hackers at the event. Hackers, in general, don’t appreciate being spied on and have a tendency to return the favor. Since the federal government has been spying on everybody it wouldn’t surprise me if the attendees at Def Con decided to spy on federal employees or attempt to compromise any electronic devices they bring along (after all, this is the same conference where a team demonstrated how easy it is to intercept Global System for Mobile Communications (GSM) phone calls).

Apple’s Worldwide Developers Conference 2013

Yesterday Apple held its Worldwide Developers Conference (WWDC) and announced a slew of new software and hardware. Most notable were the introductions of a new Mac Pro and iOS 7. Of course Apple also unveiled a new version of their desktop operating system, OS X. OS X 10.9 no longer follows the traditional naming convention of large cats; instead 10.9 is called Mavericks. Frankly, I think it’s a stupid name but the name really is irrelevant. What is relevant are the features.

The first feature Apple announced in 10.9 is proper multi-monitor support. Yes, Apple has finally joined the 1990s. No longer are users relegated to a menu bar and dock on only one screen, and users can now have a full-screen application running on each monitor! All I can say is that it’s about fucking time.

OS X will also include Apple Maps. What does this mean for consumers? It means they can get the same shitty directions on OS X as they get on iOS and even transfer those shitty directions from their Mac to their iPhone or iPad.

iBooks will also be included in OS X. Mac users can now not read the books they didn’t buy in the iBooks Store because they were too busy buying them from the Amazon Kindle Store. As you can tell I’m absolutely ecstatic about this announcement.

That’s basically it. Apple did talk about new Safari features but nobody uses Safari so nobody cares what features are included in it.

Switching over to more exciting things, Apple also announced new MacBook Airs. The new Airs are based on Intel’s new Haswell processor, which means the battery life is mind blowing. Apple claims the 11-inch Air will get 9 hours of battery life and the 13-inch will get 12 hours. Even if those claims are exaggerated and the 11-inch only gets 7 hours and the 13-inch only gets 10 hours, those numbers are fucking impressive.

Hell hath also frozen over because Apple has finally announced a new Mac Pro. The new Mac Pro is an impressive piece of hardware. It’s no longer a large box. Instead the computer is shaped like a cylinder with a crap load of ports on the back of the device. It also includes new Xeon processors that are 256-bit, which I didn’t even know existed. The rest of the specs are equally impressive. In the end the new Mac Pro was probably the best thing that was announced. Sadly it’ll probably cost $5,000 because of the obviously alien technology included in the case.

I also mentioned the new version of iOS was announced. The biggest difference between iOS 6 and iOS 7 is the graphical interface. Apple gave iOS a complete overhaul. The shitty skeuomorphic applications are finally gone; replaced with flat icons in pastel colors. I’m not sure if I’m wild about the color scheme since it looks like the Easter Bunny vomited all over the screen but I’ll take a new design that looks a little nutty over the old design that I was getting bored of.

iOS 7 also includes a new feature called Control Center. Control Center is a small dashboard that allows users to quickly disable wireless interfaces, adjust the phone’s volume, adjust the screen brightness, and several other features Android users have been enjoying for ages. I’m glad Apple has finally joined the party, it would have been better if they arrived on time.

There are also some unspecified multitasking features. I hope this means applications can have some limited access to network resources while sitting in the background but I’m guessing the implementation won’t be as good as I’m hoping. I’ll have to play with this feature before I make any ruling. On the upside Apple has finally copied WebOS’s app switcher, which was basically the best app switcher implemented in smartphone history.

The other iOS features were pretty minor in my opinion. It was good to see Apple didn’t announce any new iPhones or iPads. Why is this good? Because it means iOS 7 won’t be gimped on my iPhone 5. I hate downloading a shiny new operating system only to find out various features are disabled.

Overall this is the first product announcement Apple has done in a while that impressed me. Granted the only thing that really impressed me was the new Mac Pro but impressed I was. I may not be as impressed when I see the price tag but that’s another story.

The Implications of Hardware Attacks on Phones

A story has been circulating amongst the various Apple blogs regarding an iOS hardware exploit:

Careful what you put between your iPhone and a power outlet: That helpful stranger’s charger may be injecting your device with more than mere electrons.

At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple’s iOS.

Though the researchers aren’t yet sharing the details of their work, a description of their talk posted to the conference website describes the results of the experiment as “alarming. Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” their talk summary reads. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

Surprisingly most of the Apple blogs I’ve read have written this exploit off as a minor issue. I’m not sure if the people writing off this exploit are just zealous Apple fans who refuse to acknowledge any flaw in their favorite company’s products or if they lack imagination but the severity of this flaw, if it works as advertised, shouldn’t be understated.

While the risk of a hacker loading malicious software onto your phone through a physical cable is relatively low, the risk of the state doing the same is relatively high. Various police departments have been advertising that they possess devices that can download data off of cell phones. In practice such a device can be used to obtain the contents of a person’s phone upon detainment, but that’s about it. Combine that concept with sneak and peek warrants and you have an interesting issue. During the execution of a sneak and peek warrant law enforcement officers can enter your home, search it, and not inform you that they’ve performed the deed. It wouldn’t take much to use a hardware device to load surveillance software onto your mobile devices during one of these searches. Once that’s done the phone could be used as a remote monitoring system: capturing conversations by turning on the microphone, images of wherever you are by activating the camera(s), and everything you type via key logging software.

I still question whether this exploit works with every iOS configuration. The exploit could be reliant on either the 30-pin or Lightning connector, it may not operate at all if the device’s contents are encrypted, etc. But the exploit could be effective enough for state agents to load surveillance software onto most iOS devices, which makes it a notable threat that shouldn’t be written off as a minor issue.

On the less frightening side of things it will be interesting to see what the jailbreaking community does with this exploit. It’s possible that the exploit could offer an easy way for iOS users to jailbreak their devices. If that is the case I also expect Apple to fix the problem quickly since they’ve done a remarkable job at fixing holes used by the jailbreaking community.

My YaCy Installation

I mentioned YaCy, the distributed search engine, yesterday and managed to get a working prototype server online. If you’re interested in trying it out you can do so by navigating your web browser here. As it currently stands I’ve only indexed this blog, meaning most of the search results on the first page will be from here. Another thing to note is that crawling and indexing sites takes a notable amount of computing power, so the search page becomes unresponsive during those operations (it’ll throw a “504 Gateway Time-out” error).

Feel free to play with it and let me know what you think. I’ll be tweaking it periodically throughout the week so it may be down from time to time. Also, I know the search results aren’t going to be nearly as good as those provided by Google or Microsoft but it’s a fairly young system and still growing. Right now you should just assume my setup is a prototype.