Russian Hackers Domain Fronting

FireEye just put out a report on catching the Russian hacker group “Advanced Persistent Threat 29” (APT29, for lack of a better code name) using the meek plugin for Tor to hide their traffic. If you’re using meek with meek-reflect.appspot.com, you’ll find it’s been shut down. If all of this is gibberish to you, read on for a breakdown.

meek is a clever piece of software. Imagine that you wanted to communicate with the Tor anonymizing network, but that you didn’t want anyone to know that you were. Maybe you live in a country where a firewall prevents you from accessing the full Web, and blocks Tor entry nodes as part of their Great Firewall. You’d want to send traffic somewhere innocuous first, and then bounce it over to Tor, in order to communicate freely.

That’s what meek does, but it goes one step further. The reflector server is hosted using the same content-delivery network (CDN) as a popular service, say Google’s search engine. The CDN has an IP address, like every other computer on the Internet, but it delivers content for any of the various services it hosts. Traffic to the CDN, encrypted with TLS, looks the same whether it’s going to the meek reflector or to Google, so nobody on the outside can tell whether it is a search query or packets destined for Tor. Inside the CDN, it’s decrypted and passed along to the reflector.
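The one place the difference is visible is a point that terminates TLS, such as an inspecting proxy, where the hostname in the TLS handshake (SNI) and the HTTP Host header inside the tunnel disagree. The following is an added example, not code from the FireEye report or the meek project, that flags such records; the field names, the allow-list parameter and the sample records are constructed for illustration.

```python
# Added example: flag possible domain fronting in records from a proxy that
# terminates TLS. Field names and the sample records are constructed.

def normalize(name):
    """Lower-case a hostname and drop a trailing dot or :port suffix."""
    name = name.strip().lower()
    if name.count(":") == 1:          # host:port (IPv6 literals are left alone)
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")

def is_fronted(record, allowed_pairs=frozenset()):
    """True when the TLS SNI and the inner HTTP Host name different hosts."""
    sni = normalize(record.get("sni", ""))
    host = normalize(record.get("host", ""))
    if not sni or not host:
        return False                  # nothing to compare (no SNI or no Host)
    if sni == host:
        return False
    # Reviewed exceptions, e.g. clients that reuse one TLS connection for
    # several hostnames served by the same certificate.
    return (sni, host) not in allowed_pairs

def find_fronting(records, allowed_pairs=frozenset()):
    """Return the records whose outer and inner hostnames disagree."""
    return [r for r in records if is_fronted(r, allowed_pairs)]

# Constructed sample: an ordinary request, a fronted request to the reflector
# named in this article, a pair that differs only in formatting, and a
# request with no SNI.
SAMPLE = [
    {"client": "10.0.0.5", "sni": "www.google.com", "host": "www.google.com"},
    {"client": "10.0.0.7", "sni": "www.google.com",
     "host": "meek-reflect.appspot.com"},
    {"client": "10.0.0.8", "sni": "WWW.Example.com.",
     "host": "www.example.com:443"},
    {"client": "10.0.0.9", "sni": "", "host": "intranet.local"},
]

if __name__ == "__main__":
    for hit in find_fronting(SAMPLE):
        print(f"{hit['client']}: SNI {hit['sni']} but Host {hit['host']}")
```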

Anyway, meek was invented to help bring the uncensored Internet to people who live in oppressive regimes, and now cybersecurity researchers have observed it being used by Russian state hackers to hide their tracks. Sigh. Technology doesn’t know which side it’s on — the same backdoor that the FBI wants to plant in all our communications can be used by the mafia just as easily. Plugins that are meant to bring people freedom of speech can just as easily be used to hide the actions of nation-state hackers.

What a strange world we live in.

Source Parts On TaoBao: An Insider’s Guide

For hardware aficionados and Makers, trips to Shenzhen’s Huaqiangbei have become something of a pilgrimage. While Huaqiangbei is a tremendous and still active resource, increasingly both Chinese and foreign hardware developers do their sourcing for components on TaoBao. The selection is vastly greater and with delivery times rarely over 48 hours and frequently under 24 hours for local purchases it fits in nicely with the high-speed pace of Shenzhen’s hardware ecosystem.

For overseas buyers, while the cost of Taobao is comparable to, or slightly less than AliExpress and Chinese online stores, the selection is again, many, many times the size. Learning how to effectively source parts from Taobao will be both entertaining and empowering.


Arch Your Eyebrow At Impression Products V. Lexmark International

When it comes to recycled printer consumables, the world seems to divide sharply into those who think they’re great, and those who have had their printer or their work ruined by a badly filled cartridge containing cheaper photocopy toner, or God knows what black stuff masquerading as inkjet ink. It doesn’t matter though whether you’re a fan or a hater: a used printer cartridge is just a plastic shell with its printer-specific ancillaries that you can do with what you want. It has performed the task the manufacturer sold it to you for and passed its point of usefulness; if you want to fill it up with aftermarket ink, well, it’s yours, so go ahead.

There is a case approaching the US Supreme Court though which promises to change all that, as well as to have ramifications well beyond the narrow world of printer cartridges. Impression Products, Inc. v. Lexmark International, Inc. pits the printer manufacturer against a small cartridge recycling company that refused to follow the rest of its industry and reach a settlement.

At issue is a clause in the shrink-wrap legal agreement small print that comes with a new Lexmark cartridge that ties a discounted price to an agreement to never offer the cartridge for resale or reuse. They have been using it for decades, and the licence is deemed to have been agreed to simply by opening the cartridge packaging. By pursuing the matter, Lexmark are trying to set a legal precedent allowing such licensing terms to accompany physical products even when they pass out of the hands of the original purchaser who accepted the licence.

There is a whole slew of concerns to be addressed about shrink-wrap licence agreements; after all, how many Lexmark owners even realise that they’re agreeing to some legal small print when they open the box? But the concern for us lies in the consequences this case could have for the rest of the hardware world. If a precedent is set such that a piece of printer consumable hardware can have conditions still attached to it when it has passed through more than one owner, then the same could be applied to any piece of hardware. The prospect of everything you own routinely having restrictions on the right to repair or modify it raises its ugly head, further redefining “ownership” as “They really own it”. Most of the projects we feature here at Hackaday, for example, would probably be prohibited were their creators to be subject to these restrictions.

We’ve covered a similar story recently, the latest twist in a long running saga over John Deere tractors. In that case though there is a written contract that the farmer buying the machine has to sign. What makes the Lexmark case so much more serious is that the contract is being applied without the purchaser being aware of its existence.

We can’t hold out much hope that the Supreme Court understand the ramifications of the case for our community, but there are other arguments within industry that might sway them against it. Let’s hope Impression Products v. Lexmark doesn’t become a case steeped in infamy.

Thanks to [Greg Kennedy] for the tip.

Lexmark sign by CCC2012 [CC0].

“Norman, Coordinate!”

If Star Trek taught us anything, it’s clearly that we’re not quite in the future yet. Case in point: androids are not supposed to be little flecks of printed circuits with wires and jacks sprouting off them. Androids are supposed to be gorgeous fembots in polyester kimonos with beehive hairdos, designed to do our bidding and controlled by flashing, beeping, serial number necklaces.

Not willing to wait till the 23rd century for this glorious day, [Peter Walsh] designed and built his own android amulet prop from the original series episode “I, Mudd.” There’s a clip below if you need a refresher on this particularly notable 1967 episode, but the gist is that the Enterprise crew is kidnapped by advanced yet simple-minded androids that can be defeated by liberal doses of illogic and overacting.

The androids’ amulets indicate when they BSOD by flashing and beeping. [Peter]’s amulet is a faithful reproduction done up in laser-cut acrylic with LEDs and a driver from a headphone. The leads for the amulet go to a small control box with a battery pack and the disappointing kind of Android, and a palmed microswitch allows you to indicate your current state of confusion.

You’ll be sure to be the hit of any con with this one, although how to make smoke come out of your head is left as an exercise for the reader. Or if you’d prefer a more sophisticated wearable from The Next Generation, check out this polished and professional communicator badge. Both the amulet and the communicator were entries in the Hackaday Sci-Fi contest.
