The Contrarian Response To Apple’s Need For Encryption

On December 2, 2015, [Syed Rizwan Farook] and [Tashfeen Malik] opened fire at a San Bernardino County Department of Public Health training event, killing 14 and injuring 22. This was the third deadliest mass shooting in the United States in recent memory, and began a large investigation by local, state, and federal agencies. One piece of evidence recovered by the FBI was an iPhone 5C belonging to one of the shooters. In the days and months after the shooting, the FBI turned to Apple to extract data from this phone.

A few days ago in an open letter to customers, [Tim Cook], CEO of Apple, stated they will not comply with FBI’s request to build a backdoor for the iPhone. While the issue at hand is extracting data from an iPhone recovered from the San Bernardino shooting, [Cook] says building a new version of iOS to extract this data would allow the FBI to unlock any iPhone. Needless to say, there are obvious security implications of this request.

Apple does not publish open letters to its customers often. Having one of the largest companies on the planet come out in support of privacy and encryption is nearly unprecedented. There is well-founded speculation this open letter to the public will be exhibit A in a supreme court case. Needless to say, the Internet has gone a little crazy after this letter was published, and rightly so: just imagine how better off we would be if AT&T said no to the NSA in 2002 – [Snowden] might just be another IT geek working for a government contractor.

CalvinThere is a peculiar aspect of public discourse that doesn’t make any sense. In the absence of being able to say anything interesting, some people have just decided to add a contrary viewpoint. Being right, having a valid argument, or even having evidence to support assertions doesn’t matter; being contrary is far more interesting. Look at any comment thread on the Internet, and you’ll find the longest comment chain is the one refuting the parent article. Look up the ratings for a cable news channel. You’ll find the highest rated show is the one with the most bickering. When is the last time you saw something from the New York Times, Washington Post, or LA Times on Facebook or your favorite news aggregator? Chances are, it wasn’t news. It was an op-ed, most likely one that was espousing a view contrary to either public opinion or public policy.

As with any headline event on the Internet, the contrarians have come out of the woodwork. These contrarians are technically correct and exceedingly myopic.

Continue reading “The Contrarian Response To Apple’s Need For Encryption”

Hijacking Quadcopters with a MAVLink Exploit

Not many people would like a quadcopter with an HD camera hovering above their property, and until now there’s no technical resource to tell drone pilots to buzz off. That would require actually talking to a person. Horrors. Why be reasonable when you can use a Raspberry Pi to hijack a drone? It’s the only reasonable thing to do, really.

The folks at shellIntel have been messing around with quads for a while, and have recently stumbled upon a vulnerability in the Pixhawk flight controller and every other quadcopter that uses the MAVLink protocol. This includes the Parrot AR.drone, ArduPilot, PX4FMU, pxIMU, SmartAP, MatrixPilot, Armazila 10dM3UOP88, Hexo+, TauLabs and AutoQuad. Right now, the only requirement to make a drone fall out of the sky is a simple radio module and a computer. A Raspberry Pi was used in shellIntel’s demo.

The exploit is a consequence of the MAVLink sending the channel or NetID used to send commands from the transmitter to the quadcopter in each radio frame. This NetID number is used so multiple transmitters don’t interfere with each other; if two transmitters use the same NetID, there will be a conflict and two very confused pilots. Unfortunately, this also means anyone with a MAVLink radio using the same NetID can disarm a quadcopter remotely, and anyone with a MAVLink radio can tell a quad to turn off, or even emulate the DJI Phantom’s ‘Return to China’ function.

The only required hardware for this exploit is a $100 radio and three lines of code. It is certainly possible to build a Raspberry Pi-based box that would shut down any Pixhawk-equipped quadcopter within radio range, although the folks at shellIntel didn’t go that far just yet. Now it’s just a proof of concept to demonstrate that there’s always a technical solution to your privacy concerns. Video below.

Continue reading “Hijacking Quadcopters with a MAVLink Exploit”

Panopticlick: You Are A Beautiful And Unique Snowflake

We all like to think we’re unique, but when it comes to remaining anonymous online that’s probably not such a good idea. By now, it’s common knowledge that advertising firms, three-letter agencies, and who-knows-who-else want to know what websites you’re visiting and how often. Persistent tracking cookies, third-party cookies, and “like” buttons keep tabs on you at all times.

For whatever reason, you might want to browse anonymously and try to plug some of the obvious sources of identity leakage. The EFF and their Panopticlick project have bad news for you.

The idea behind Panopticlick is simple: to try to figure out how identifiable you are even if you’re not accepting cookies, or if you’ve disabled Flash, or if you’re using “secure” browsers. To create a fingerprint of your browser, Panopticlick takes all the other little bits of identifying information that your browser gives up, and tries to piece them together.

For a full treatment of the project, see this paper (PDF). The takeaway from the project is that the information your browser gives up to servers can, without any cookies, specifically identify you.

fooFor instance, a server can query which plugins your browser supports, and if you’ve installed anything a tiny bit out of the ordinary, you’re fingerprinted. Your browser’s User Agent strings are often over-specific and tell which browser sub-sub-sub version you’re running on which OS platform. If you’re running Flash, it can report back which fonts you’ve got installed on your system. Any of these can be easily as rare as one-in-a-million. Combining them together (unless they’re all highly correlated) can fingerprint you uniquely.

You can’t necessarily win. If you disable Flash, the remote site doesn’t get your font list, but since only one in five browsers runs with Flash disabled, you’re still giving up two bits of information. If you run a “privacy-enhancing” niche browser, your chances of leaving a unique fingerprint go through the roof unless you’re also forging the User Agent strings.

I ran the Panopticlick experiment twice, once with a Firefox browser and once with an obscure browser that I actually use most of the time (dwb). Firefox runs a Flash blocker standard, so they didn’t get my font list. But still, the combination of browser plugins and a relatively new Firefox on Linux alone made me unique.

It was even worse for the obscure browser test. Only one in 1.4 million hits use dwb, so that alone was bad news. I also use a 4:3 aspect-ratio monitor, with 1280×1024 pixels at 24-bit color depth, which is apparently a one-in-twenty-four occurrence. Who knew?

fooFinally, I tried out the Tor browser, which not only routes your traffic through the Tor network, but also removes a lot of the specific data about your session. It fared much better, making me not uniquely identifiable: instead only one in a thousand. (Apparently a lot of people trying out the Panopticlick site ran Tor browser.)

If you’re interested in online anonymity, using something like Tor to obscure your IP address and disabling cookies is a good start. But Panopticlick points out that it may not be enough. You can never use too many layers of tinfoil when making your hat.

Try it out, and let us know in the comments how you fare.

Who’s Watching the Kids?

It wasn’t long ago that we saw the Echo bloom into existence as a standalone product from its conceptual roots as a smartphone utility. These little black columns have hardly collected their first film of dust on our coffee tables and we’re already seeing similar technology debut on the toy market, which causes me to raise an eye-brow.

There seems to be some appeal towards making toys smarter, with the intent being that they may help a child learn while they play. Fair enough. It was recently announced that a WiFi enabled, “Hello Barbie” doll will be released sometime this Fall. This new doll will not only be capable of responding to a child’s statements and questions by accessing the Internet at large, it will also log the likes and dislikes of its new BFF on a cloud database so that it can reference the information for later conversations. Neat, right? Because it’s totally safe to trust the Internet with information innocently surrendered by your child.

Similarly there is a Kickstarter going on right now for a re-skinned box-o-internet for kids in the shape of a dinosaur. The “GreenDino”, is the first in a new line called, CogniToys, from a company touted by IBM which has its supercomputer, Watson, working as a backbone to answer all of the questions a child might ask. In addition to acting as an informational steward, the GreenDino will also toss out questions, and upon receiving a correct answer, respond with praise.

Advancements in technology are stellar. Though I can see where a child version of myself would love having an infinitely smart robot dinosaur to bombard with questions, in the case of WiFi and cloud connectivity, the novelty doesn’t outweigh the potential hazards the technology is vulnerable to. Like what, you ask?

Whether on Facebook or some other platform, adults accept the unknown risks involved when we put personal information out on the Internet. Say for instance I allow some mega-corporation to store on their cloud that my favorite color is yellow. By doing so, I accept the potential outcome that I will be thrown into a demographic and advertised to… or in ten years be dragged to an internment camp by a corrupt yellow-hating government who subpoenaed information about me from the corporation I consensually surrendered it to.

The fact is that I understand those types of risks… no matter how extreme and silly they might seem. The child playing with the Barbie does not.

All worst case scenarios of personal data leakage and misuse aside, what happens when Barbie starts wanting accessories? Or says to their new BFF something like, “Wouldn’t we have so much more fun if I had a hot pink convertible?”

Hackaday Terms of Use (aka: The Lawyers are Coming!)

they-laywers-are-coming

Hackaday has posted Terms of Use and Privacy Policy documents which you should read. These can also be accessed through the Policies Page which is linked in the footer. We’ve edited this post to take up less room since it will be sticky for a few days. Original text and updates after the jump.

Continue reading “Hackaday Terms of Use (aka: The Lawyers are Coming!)”

Raspberry Pi Tor proxy lets you take anonymity with you

pi-tor-proxy

Your web traffic is being logged at many different levels. There are a few different options to re-implement your privacy (living off the grid excluded), and the Tor network has long been one of the best options. But what about when you’re away from you home setup? Adafruit has your back. They’ve posted a guide which will turn a Raspberry Pi into a portable Tor proxy.

The technique requires an Ethernet connection, but these are usually pretty easy to come by in hotels or relatives’ homes. A bit of work configuring the Linux network components will turn the RPi into a WiFi access point. Connect to it with your laptop or smartphone and you can browse like normal. The RPi will anonymize the IP address for all web traffic.

Leveraging the Tor network for privacy isn’t a new subject for us. We’ve looked at tor acks that go all the way back to the beginnings of Hackaday. The subject comes and goes but the hardware for it just keeps getting better!

Making a privacy monitor from an old LCD

privacy-screen

[dimovi] had a spare LCD monitor sitting around and thought it would be great to convert it into a “privacy” monitor.

The process is simple enough for anyone comfortable with disassembling electronics. He took apart the monitor’s plastic frame, cutting out the polarized film with a utility knife. Once the film was removed, he spent some time removing the film adhesive from the glass panel using a combination of Oops cleaner and paint thinner.

He reassembled the monitor, which now shines a bright white regardless of what is actually being displayed on the screen. He removed the lenses from a pair of theater 3D glasses, replacing the plastic with the film he removed from the monitor.

Now, [dimovi] is the only one who can see what’s he is doing on his computer, which is just the way he likes it.

While there’s not a lot of magic going on behind the process, we think it’s a neat way to reuse an old monitor.