ScareMail Tries to Disrupt NSA Email Surveillance

scaremail

Are you on the NSA’s email watchlist? Do you want to be?  This project is called ScareMail and it’s designed to mess with the NSA’s  email surveillance programs.

[Benjamin Grosser] has written it as a plugin for many popular web browsers, and it uses an algorithm to generate a clever but ultimately useless narrative in the signature of your email using as many probable NSA search terms as possible. The idea behind this is if enough people use it, it will overload the NSA’s search results, ultimately making their email keyword tracking useless.

So how does it work? The algorithm starts with natural language processing (NLP) and an original source of text — he picked Ray Bradbury’s Fahrenheit 451. Using the processor it identifies all nouns and verbs in the original text and replaces them with properly formatted and conjugated “scary” words that he’s indexed from a list of hypothetical NSA key words. To ensure each signature is unique, he makes use of a Markov chain to generate new texts that are completely different each time. The result is a somewhat coherent paragraph that doesn’t make any real sense.

But wait! Surveillance like this is bad, but hypothetically it could work! Well, maybe. But the point is: 

ScareMail reveals one of the primary flaws of the NSA’s surveillance efforts: words do not equal intent.

Stick around after the break to see a proper video explanation of ScareMail by [Ben] himself.

[Read more...]

Update: SD Card Locker Now Supports Password Protect

sdlocker2_1

[Karl Lunt] has updated his Secure Digital Card locker to support password based locking. [Karl's] original design only supported write locking via the TMP_WRITE_PROTECT  bit. The new design gives the user an option: TMP_WRITE_PROTECT, or password protection. [Karl] goes into further detail this time around about the bit fields used with CMD42, and how they are set. The passwords in this case are up to 16 bytes. The bytes don’t necessarily have to be printable characters – any binary value can be used. Unfortunately, [Karl's] locker doesn’t utilize a user interface beyond the buttons, so any password must be “baked in” to the SD Card locker firmware. We would love to see the option of even a basic serial interface for entering a password (most likely in hex).

[Karl] tried his device out with several different cards, and several computers. While not an exhaustive test, he did find that the computers always behaved the same: A locked SD card would not show up. In the case of windows, no beep, no drive, nothing. He goes into the security possibilities of using password locking: Financial data could be stored and physically transferred via SD or microSD, with the password sent separately (say in an email or SMS). Any unenlightened data thief attempting to use the card would think they have a broken device on their hands.

We don’t know how secure the password lock feature is – brute forcing a variable length 16 byte binary password would take some time. It all comes down to how quickly each password attempt takes. Some cursory web searching didn’t bring up any information about successful SD card password cracking. Sounds like a challenge for our readers!

Sniffing Out LG Smart TV Tracking Protocol

lg-smart-tv-tracking

[DoctorBeet] noticed the advertisements on the landing screen of his new LG smart television and started wondering about tracking. His curiosity got the better of him when he came across a promotional video aimed at advertisers that boasts about the information gathered from people who use these TVs. He decided to sniff the web traffic. If what he discovered is accurate, there is an invasive amount of data being collect by this hardware. To make matters worse, his testing showed that even if the user switches the “Collection of watching info” menu item to off it doesn’t stop the data from being phoned home.

The findings start off rather innocuous, with the channel name and a unique ID being transmitted every time you change the station. Based on when the server receives the packets a description of your schedule and preferred content can be put together. This appears to be sent as plain data without any type of encryption or obfuscation.

Things get a lot more interesting when he discovers that filenames from a USB drive connected to the television are being broadcast as well. The server address they’re being sent to is a dead link — which makes us think this is some type of debugging step that was left in the production firmware — but it is still a rather sizable blunder when it comes to personal privacy. If you have one of these televisions [DoctorBeet] has a preliminary list of URLs to block with your router in order to help safeguard your privacy.

[Thanks Radcom]

An Awesome Wireless Motion Sensor

sensorWireless sensor networks are nothing new to Hackaday, but [Felix]‘s wireless PIR sensor node is something else entirely. Rarely do we see something so well put together that’s also so well designed for mass production.

For his sensor, [Felix] is using a Moteino, a very tiny Arduino compatible board with solder pads for an RFM12B and RFM69 radio transceivers. These very inexpensive radios – about $4 each – are able to transmit about half a kilometer at 38.4 kbps, an impressive amount of bandwidth and an exceptional range for a very inexpensive system.

The important bit on this wireless sensor, the PIR sensor, connects with three pins – power, ground, and out. When the PIR sensor sees something it transmits a code the base station where the ‘motion’ alert message is displayed.

The entire device is powered by a 9V battery and stuffed inside a beautiful acrylic case. With everything, each sensor node should cost about $15; very cheap for something that if built by a proper security system company would cost much, much more.

Getting a Shell on any Android Device

USB

If you’re an Evil Customs Agent or other nefarious Three Letter Agency Person, you’re probably very interesting in getting data off people’s phones. Even if the screen is locked, there’s a way around this problem: just use the Android Debug Bridge (ADB), a handy way to get a shell on any Android device with just a USB cable. The ADB can be turned off, though, so what is the Stasi to do if they can’t access your phone over ADB? [Michael Ossmann] and [Kyle Osborn] have the answer that involves a little-known property of USB devices.

USB mini and micro plugs have five pins – power, ground, D+, D-, and an oft-overlooked ID pin. With a particular resistance between this ID pin and ground, the USB multiplexor inside your phone can allow anyone with the proper hardware to access the state of the charger, get an audio signal, mess around with the MP3s on your device, or even get a shell.

To test their theory, [Michael] and [Kyle] rigged up a simple USB plug to UART adapter (seen above) that included a specific value of resistor to enable a shell on their test phone. Amazingly, it worked and the thought of having a secure phone was never had again.

The guys went farther with some proprietary Samsung hardware that could, if they had the service manual, unlock any samsung phone made in the last 15 years. They’re working on building a device that will automagically get a shell on any phone and have built some rather interesting hardware. If you’re interested in helping them out with their project, they have a project site up with all the information to get up to speed on this very ingenious hack.

[Read more...]

Keep Your SD Cards Data Safe with the SD Locker

sdlocker_1

[Karl Lunt] has come up with a simple circuit for protecting data you have stored on SD cards. As is relatively well-known, the little lock switch on the side of most SD cards really doesn’t do anything more than the switch on floppies or the tabs on VHS or cassette decks. It’s up to the reader/writer to check the status of the tab and decide if it should write to the card or not. Not a very safe system. However, it’s not the only write protection system built into SD and SDHC cards. As part of the standard, cards have three protection methods: A TMP_WRITE_PROTECT bit, a PERM_WRITE_PROTECT bit, and a PWD register.

The PERM_WRITE_PROTECT bit permanently write protects the card. The bit can not be reset, so you should be really sure you want to keep the data on the card forever. The PWD register is a password register. The card will not allow any access (read or write) unless a password is provided. The TMP_WRITE_PROTECT bit is a temporary write protect. This is the bit that [Karl] is working with. When TMP_WRITE_PROTECT is set, the card can be read but not written. Note that there is no true protection here, as anyone can modify the bit. However, this should stop grandma from accidentally deleting your wedding pictures.

[Karl's] device is very simple. A card is inserted into an Altoids tin enclosure. One button locks the card, another unlocks it. Three LEDs return status – power, card locked, and card unlocked. Under the hood, he’s using an Atmel ATmega328 to set and clear the TMP_WRITE_PROTECT bits. Power is provided by two AA batteries, and regulated with a Pololu 3.3v boost regulator. [Karl] has also included a serial port for control and debug information. We think this is a great hack, however one thing we’re not sure of is how or if these features are implemented in all cards. We’re relatively sure the name brand cards stick to the SD/SDHC spec sheet, but what about all the knockoff and no name brands from overseas?

Detect Disguises with a Raspberry Pi

maskdetect

Computer vision based face detection systems are getting better every day. Authorities have been using face detection and criminal databases for several years now. But what if a person being detected is wearing a mask? High quality masks have been making their way out of Hollywood and into the mainstream. It isn’t too far-fetched to expect someone to try to avoid detection using such a mask. To combat this, [Neil] has created a system which detects face masks.

The idea is actually rather simple. The human face has a well-defined heat signature. A mask will not have the same signature. Even when worn for hours, a mask still won’t mimic the infrared signature of the human face. The best tool for this sort of job would be a high resolution thermal imaging camera. These cameras are still relatively expensive, so [Neil] used a Melexis MLX90620 64×8 16×4 array sensor. The Melexis sensor is interfaced to an Arduino nano which then connects to a Raspberry Pi via serial.

The Raspberry Pi uses a Pi camera to acquire an image. OpenCV’s face detection is then used to search for faces. If a face is detected, the data from the Melexis sensor is then brought into play. In [Neil's] proof of concept system, a temperature variance over ambient is all that is needed to detect a real face vs a fake one. As can be seen in the video after the break, the system works rather well. Considering the current climate of government surveillance, we’re both excited and a bit apprehensive to see where this technology will see real world use.

[Read more...]