Google Security Certificates Forged

Chain of Trust

Recently, Google discovered that a certificate authority (CA) issued forged certificates for Google domains. This compromises the trust provided by Transport Layer Security (TLS) and HTTPS, because whoever holds the forged certificates can perform a man-in-the-middle attack against connections to those domains.

To validate that the website you’re visiting is actually who it claims to be, your browser checks that the certificate presented by the server was signed by a trusted CA. When someone requests a certificate from a CA, the CA is supposed to verify the identity of the requester before issuing it. Your browser and operating system ship with a set of ultimately trusted CAs (called root CAs). If the certificate was issued by one of them, or by an intermediate CA that one of them has certified, the connection is trusted. This whole structure of trust is called a chain of trust.

With a forged certificate, you can convince a client that your server is actually http://www.google.com. You can use this to sit between the client’s connection and the actual Google server, eavesdropping on the session.

In this case, an intermediate CA did just that. This is scary, because it undermines the security that we all rely on daily for secure transactions on the internet. Certificate pinning is one tool that can be used to resist this type of attack. It works by associating a host with a specific certificate (or public key); if the certificate presented does not match the pinned one, the connection is not trusted, even though it chains to a trusted root.

The centralized nature of TLS doesn’t work if you can’t trust the authorities. Unfortunately, we can’t.

Guest Rant: From Bits To Atoms

I’ve been a software developer for quite a while. When you spend long enough inside a particular world, it’s easy to wind up with an ever-narrowing perspective. You start seeing everything from a software point of view. As the saying goes, when your only tool is a hammer, you tend to treat every problem as NP-Complete. Or something. I forget how that goes.

Anyway, the point is, it’s always good to broaden one’s horizons, and solve as many different kinds of problems as possible. To that end, I started to get into hobby electronics recently. The journey has been very enlightening in a number of ways.


Guest Rant: Ham Radio — Hackers’ Paradise

Editor’s Note: This is a guest post written by [Bill Meara]

The suits at Hack-a-Day reached out to SolderSmoke HQ and asked me to send in a few words about why their readers should take a fresh look at ham radio. Here goes:

First, realize that today’s ham radio represents a tremendous opportunity for technical exploration and adventure. How about building a station (and software) that will allow you to communicate by bouncing digital signals off the moon? How about developing a new modulation scheme to send packets not down the fiber optic network, but around the world via the ionosphere, or via ham radio’s fleet of satellites? How about bouncing your packets off the trails left by meteors? This is not your grandfather’s ham radio.

You can meet some amazing people in this hobby: Using a very hacked-together radio station (my antenna was made from scrap lumber and copper refrigerator tubing) I’ve spoken to astronaut hams on space stations. Our “low power, slow signal” group includes a ham named Joe Taylor. Joe is a radio astronomer who won the Nobel Prize for Physics. He’s now putting his software skills to use in the development of below-the-noise receiving systems for ham radio. Join me after the break for more on the topic.

Rant: Why I love what the Chromecast stands for

I’ve had my hands on this Chromecast for almost a week now and I love it. Years ago I hacked my first Xbox after seeing [Kevin Rose] do it on The Screensavers (I did the hardware mod but that’s inconsequential). Why did I do this? So that I could run Xbox Media Center, the predecessor of XBMC. Since then I’ve dreamed of a device which can be hung on the back of the TV with Velcro and run XBMC. We basically got there with the Raspberry Pi, but the Chromecast is the form factor that I had always envisioned. This lets me watch Netflix, while the RPi runs XBMC. The two are a match made in heaven for under a hundred bucks.

That’s why I love the Chromecast device itself, but the bigger picture is that I love what it stands for. Keep reading to see what I mean.


The first 3d printed gun has been fired, and I don’t care.

Several people have sent us this story. I’ve seen it everywhere. A lot of people are upset, on several sides. A gun has been 3d printed that can actually fire a round.

First, we have people scared that this will bring undetectable guns to people who wouldn’t have had access before. Then we have the gun fans that are reacting to the others with shouts of freedom and liberty and stuff. The 3d printing community has had mixed reactions, but many are concerned that this will harm 3d printing in general.

I simply don’t care.


A quick tour of my workbench

Whenever I release a Hackaday video, I invariably get comments and emails about my workbench. Some people are telling me to clean up, others are asking me about things they see in the background.

This isn’t just a set that I film on. Obviously my videos aren’t high enough quality for people to assume that either. This is my actual workbench, made and used by my grandfather. I do enjoy keeping it decorated though. I try to keep a piece of as many past projects as possible hanging on my bench to serve not only as inspiration to me, but also as an interesting backdrop for the videos.

I make no attempt to hide my upcoming projects when I shoot videos. If you pay close enough attention, you can sometimes see projects appear on my bench in videos before the actual project video hits YouTube.

I love my workbench. You should love yours too. Hey, maybe you could do a tour of it and post it on YouTube for us to admire! Just try not to say “workbench” as many times in a row as I did.

Top 10 Hacking Failures in movies: part 2

After going through the original quick list we tossed together, people were chiming in like crazy. We felt another 10 might help satiate the desire to smirk at the silliness of tech portrayed in movies and TV. Gathering examples from your comments, we have compiled part 2. While I would have loved to narrow this down to a specific item like incorrect lingo or screen grabs, I didn’t quite have enough specific scenes to do it yet. Be sure to keep the comments coming and be specific; I haven’t seen many of these until someone points them out.
