[Pete] has an iPhone 4s and loves Siri, but he wishes she had some more baked-in capabilities. While the application is technically still in beta and will likely be updated in the near future, [Pete] wanted more functionality now.

Since Apple isn’t known for their open architecture, he had to get creative. Knowing how Siri’s commands are relayed to Apple thanks to the folks at Applidium, he put together a proxy server that allows him to intercept and work with the data.

The hack is pretty slick, and doesn’t even require a jailbreak. A bit of DNS and SSL trickery is used to direct Siri’s WiFi traffic through his server, which then relays the commands to Apple’s servers for processing. On the return trip, his server interprets the data, looking for custom commands he has defined.

In the video below, he gives a brief overview of the system, then spends some time showing how he can use Siri to control his WiFi enabled thermostat. While the process only works while Siri is connected to his home network via WiFi, it’s still pretty awesome.

Read the rest of this entry »

Today we received the question,

“How to control a web cam via internet,
i want to use it for security reasons, always out of the house and my PC connected want to open the cam from time to time to checkout if something wrong!!”

- [Mohamed Saleh]

What a fun project we thought! And so many different ways of tackling it. Find out what we suggested to [Mohamed] after the break. Read the rest of this entry »

Reader [john] finished up his home power monitor over the holiday weekend. It uses a pair of current transducers clamped onto the mains. These output 0-3V and are read by the Arduino’s ADC. The Arduino averages samples over a 20 second period, calculates power used, and uploads it using an Ethernet Shield. The shield can’t do DNS lookups, so he uses a WRT54G to negotiate with the remote webserver. He admits that the system could be more accurate; it can’t detect small loads like wall warts. He also says that money could be saved by talking serial to the router instead of over ethernet. Here are the current usage charts.

You can find many power monitor projects like this in out Home Hacks category.

D-Link is adding captcha support to its line of home routers. While default password lists have been abundant for many years, it was only recently that we started seeing the them implemented in malware. Last year, zlob variants started logging into routers and changing their DNS settings. It’s an interesting situation since the people who need the captcha feature are the ones who will never see it, since they won’t log in to change the default password.

[photo: fbz]

With today’s release of Security Update 2008-006 Apple has finally addressed this summer’s DNS bug. In their previous update they fixed BIND, but that only affects people running servers. Now, they’ve updated mDNSResponder. Clients are no longer susceptible to DNS cache poisoning attacks thanks to the inclusion of source port randomization.

The Security Update addresses some other interesting bugs. Time Machine was saving sensitive logs without using the proper permissions, so any user could view them.

[photo: edans]

Black Hat has published the media from Dan Kaminsky’s infamous DNS vulnerability talk. You can get the full video (101MB) or just the audio.

The full archive of slides and white papers from this year has been posted too.

[Dan Kaminsky]‘s much anticipated talk on his DNS findings finally happened at Black Hat 2008 in Las Vegas today. [Dan] has already uploaded the complete slides from his talk as well as posted a short summary to his site. New information in the slides since our previous coverage includes “Forgot My Password” attacks and new attacks on internal network vulnerabilities as a side of effect of DNS cache poisoning. [Dan]‘s talk today was over capacity; our shot of the conference room overflow is shown above.

It’s been a few weeks since [Dan Kaminsky] announced the nature of the DNS vulnerability and allowed 30 days of non-disclosure for patches to be applied before details of the exploit went public. Unfortunately, the details were leaked early and it didn’t take long for a functional exploit to be released into the wild. Since then, many ISPs have taken steps to prevent their users from falling victim to the attack, and BIND, the widely-used DNS protocol implementation, was updated to minimize the threat. Even then, there were reports of a version of the attack being actively used on AT&T’s DNS servers.

Mac OSX uses a BIND implementation but as of yet, Apple has not released a patch updating the system (Microsoft, on the other hand, patched this up on July 8). As a result, machines running OSX are at risk of being exploited. Individual users are less likely to be targeted, since the attacks are directed towards servers, but it’s not a smart idea to leave this vulnerability open. [Glenn Fleishman] has published a way to update BIND on OSX manually, rather than waiting on Apple to patch it themselves. It requires Xcode and a bit of terminal work, but it’s a relatively painless update. When we tried it, the “make test” step skipped a few tests and told us to run “bin/tests/system/ifconfig.sh up”. That allowed us to re-run the tests and continue the update without further interruption. [Fleischman] warns that people who manually update BIND may break the official update, but he will update his instructions when it happens with any possible workarounds. Unfortunately, this fix only works for 10.5 but alternative, yet less effective methods may work for 10.4 and earlier.

If you’d like to know if your preferred DNS servers are vulnerable or not, you can use the DNS checker tool from Doxpara. As an alternative to your ISP’s DNS servers, you can use OpenDNS, which many prefer for its security features and configuration options.