Stalking Last.fm Streams On Spotify

Back in the early days of social media and Web 2.0, Last.fm was one of the premier music sites on the internet. With a huge library containing what felt like every song ever, along with an excellent algorithm for recommending new tracks, it quickly gained a large following. Unfortunately, its business model and following changed over the years, but there’s still a diehard userbase. [Hexalyse] was unhappy with Spotify’s algorithms, so built a tool to allow her to shadow what Last.fm users were listening to in real time.

Last.fm’s major feature is that it allows you to tell others what you’re listening to, by “scrobbling” your tracks as you play them. It’s possible to scrape this live data from any user via the Last.fm API, making the project possible. [Hexalyse] whipped up a Python script to query a selected user’s current playing track via Last.fm, before then handing the song data to the Spotify API to play the music locally.

It’s a fun way to find new music, relying on human taste rather than a pile of data center algebra. [Hexalyse] has uploaded the code to GitHub if you’re eager to try it for yourself. Of course, you get bonus points if you integrate it with Spotify on the Macintosh SE/30.

Yes, You Can Put IoT on the Blockchain using Python and the ESP8266

Last year, we saw quite a bit of media attention paid to blockchain startups. They raised money from the public, then most of them vanished without a trace (or product). Ethics and legality of their fundraising model aside, a few of the ideas they presented might be worth revisiting one day.

One idea in particular that I’ve struggled with is the synthesis of IoT and blockchain technology. Usually when presented with a product or technology, I can comprehend how and/or why someone would use it – in this case I understand neither, and it’s been nagging at me from some quiet but irrepressible corner of my mind.

The typical IoT networks I’ve seen collect data using cheap and low-power devices, and transmit it to a central service without more effort spent on security than needed (and sometimes much less). On the other hand, blockchains tend to be an expensive way to store data, require a fair amount of local storage and processing power to fully interact with them, and generally involve the careful use of public-private key encryption.

I can see some edge cases where it would be useful, for example securely setting the state of some large network of state machines – sort of like a more complex version of this system that controls a single LED via Ethereum smart contract.

What I believe isn’t important though; perhaps I just lack imagination, so let’s build it anyway.


Hack Your Gmail: A Quick Start for Google App Scripting

For many people, Gmail is synonymous with e-mail. Some people like having cloud access to everything and some people hate having any personal data in the cloud. However you feel about it, one thing that was nice about having desktop software is that you could hack it relatively easily. If you didn’t like how your desktop mail client worked, you had a lot of options: use a different program, write your own, hack the executable of your current program, or in the case of open source just fork it and make any changes you are smart enough to make.

Google provides a lot of features with all of its products, but however you slice it, all the code runs on their servers out of your reach. Sort of. If you know JavaScript, you can use Google Apps Script to add features to many Google products including Gmail. If you’ve used Office scripting, the idea is the same, although obviously the implementation is very different.

With scripting you can make sophisticated filters that would be very hard to do otherwise. For example, you could monitor for suspicious messages like those with more than 4 attachments, or that appear to come from a contact between the hours of 2AM and 5AM.

For our example today, I’m going to show you something that is easy but also highly useful.


IPv6 Christmas Display Uses 75 Internet’s Worth of Addresses

We’ve seen internet-enabled holiday displays before, and we know IPv6 offers much more space than the older IPv4 addressing scheme that most of us still use today, but the two have never been more spectacularly demonstrated than at jinglepings.com. The live video stream shows an Internet-connected Christmas tree and an LED display wall that you can control by sending IPv6 ICMP echo request messages, more commonly known as pings.

Reading the page, you quickly parse the fact that there are three ways to control the tree. First, you can type a message in the box and press send – this message gets displayed on the crawl at the bottom of the LED screen. Second, you can light up the tree by sending a ping to the IPv6 address 2001:4c08:2028:2019::RR:GG:BB, where RR, GG, and BB are 8-bit hex values for red, green, and blue. This is a neat abuse of the IPv6 address space, in that the tree has 2^24 (around 16.8 million) IPv6 addresses, one for each color you can set. We were impressed by this brute-force use of address space, at least until we read on a little further.

You can also make your own drawings on the LED wall, again by sending pings. In this case, the address to set a pixel to a particular color is: 2001:4c08:2028:X:Y:RR:GG:BB, where X and Y are the pixel coordinates. This seems easy enough: to set pixel (10, 11) to magenta, the RGB value (0xFF, 0x00, 0xFF), you’d simply ping the IPv6 address 2001:4c08:2028:10:11:FF:00:FF. Having an array of addressable LEDs is commonplace in hacker circles today, although each of them having their own live IPv6 address on the Internet seems a little excessive at first. Then it hits you – each LED has an IPv6 address for every possible color, just like the tree: 16.8 million addresses for each LED. The LED display is 160×120 pixels in size, so the total number of IPv6 addresses used is 160×120×2^24, which is 75 times larger than all possible IPv4 addresses! This is a hack of monstrous proportions, and we love it.

In case you’re not running IPv6 yet, we’ve got you covered. To send individual pings using your browser, you can use a site like Ipv6now. If you want to send pixels to the display wall, you’re better off using a 6in4 tunnel that lets you access IPv6 sites using your current IPv4 connectivity. Hurricane Electric offers a free 6in4 tunnel service that we’ve found useful. Then it’s just a matter of writing some code to send pixel values as pings. The Python scapy module is perfect for this sort of thing. But, first you’ll have to fill out the form on jinglepings.com and wait to get your IPv6 address whitelisted before you can draw on the display; evidently the usual bad actors have found the site and started drawing inappropriate things.

If you think this use of addresses seems wasteful, you needn’t worry. There are around 3.4×10^38 IPv6 addresses, enough for 10^27 such displays. We’re going to go out on a limb here and say it: nobody will ever need more than 2^128 IP addresses.
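As an added example (not code from the page or from jinglepings.com), this Python encodes a tree colour or a wall pixel into the two address layouts described above, decodes a wall address back, and checks the address-space arithmetic; the helper names, and the assumption that pixel coordinates are written as decimal digits in their hextets (as in the page's (10, 11) example), are mine.

```python
import ipaddress
# Added example (not jinglepings.com's own code): encode colours and pixel
# coordinates into the address layouts the page describes and check the
# page's address-space arithmetic. Helper names are hypothetical.
DISPLAY_PREFIX = "2001:4c08:2028"    # wall pixel: prefix:X:Y:RR:GG:BB
TREE_PREFIX = "2001:4c08:2028:2019"  # tree colour: prefix::RR:GG:BB
DISPLAY_W, DISPLAY_H = 160, 120      # wall size given on the page

def _check_rgb(rgb):
    r, g, b = rgb
    if not all(0 <= c <= 0xFF for c in (r, g, b)):
        raise ValueError("colour components must be 8-bit: %r" % (rgb,))
    return r, g, b

def tree_address(rgb):
    """One address per 24-bit colour of the tree."""
    r, g, b = _check_rgb(rgb)
    return ipaddress.IPv6Address("%s::%02x:%02x:%02x" % (TREE_PREFIX, r, g, b))

def pixel_address(x, y, rgb):
    """Address that paints wall pixel (x, y) with colour rgb.

    Assumption (follows the page's example, pixel (10, 11) -> ...:10:11:...):
    coordinates are written as decimal digits in their hextets, colours as hex.
    """
    if not (0 <= x < DISPLAY_W and 0 <= y < DISPLAY_H):
        raise ValueError("pixel (%d, %d) is off the %dx%d wall" % (x, y, DISPLAY_W, DISPLAY_H))
    r, g, b = _check_rgb(rgb)
    return ipaddress.IPv6Address("%s:%d:%d:%02x:%02x:%02x" % (DISPLAY_PREFIX, x, y, r, g, b))

def decode_pixel_address(addr):
    """Inverse of pixel_address(): (x, y, (r, g, b)) from a wall address."""
    hextets = ipaddress.IPv6Address(addr).exploded.split(":")
    if [int(h, 16) for h in hextets[:3]] != [0x2001, 0x4c08, 0x2028]:
        raise ValueError("%s is not a display-wall address" % addr)
    x, y = int(hextets[3], 10), int(hextets[4], 10)
    return x, y, tuple(int(h, 16) for h in hextets[5:8])

def wall_address_count():
    """Addresses the wall consumes: one per pixel per 24-bit colour."""
    return DISPLAY_W * DISPLAY_H * 2 ** 24

def ipv4_multiples():
    """Whole IPv4 address spaces the wall uses; the page's figure of 75."""
    return wall_address_count() // 2 ** 32

def walls_in_ipv6():
    """How many such walls IPv6 could hold; the page's roughly 10^27."""
    return 2 ** 128 // wall_address_count()
```

Sending the actual ICMP echo request is left to scapy as the page suggests; everything here can be checked offline with the standard ipaddress module alone.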

If you’re looking to build an LED holiday display on a smaller budget, check out this one that re-purposes normal LED strings.

Thanks to [Ward] for the tip!

Linux Fu: Turn a Web App into a Full Program

I hate to admit it. I don’t really use Linux on my desktop anymore. Well, technically I do. I boot into Linux. Then I do about 95% of my work in Chrome. About the only native applications I use anymore are development tools, the shell, emacs, and GIMP. If I really wanted to, I could probably find replacements for nearly all of those that run in the browser. I don’t use it, but there’s even an ssh client in the browser. Mail client? Gmail. Blogging? WordPress. Notes? OneNote or Evernote. Wouldn’t it be great to run those as actual applications instead of tabs in a browser? You can and I’ll show you how.

Having apps inside Chrome can be a real problem. I wind up with dozens of tabs open — I’m bad about that anyway. Restarting Chrome is a nightmare as it struggles to load 100 tabs all at once. (Related tip: Go to chrome://flags and turn “Offline Auto-Reload Mode” off and “Only Auto-Reload Visible Tabs” on.) I also waste a lot of time searching since I try to organize tabs by window. So I have to find the window that has, say, Gmail in it and then find Gmail among the twenty or so tabs in that window.

What I want is a way to wrap web applications in their own window so that they’d show up in the task bar with their own icon, but external web pages that open from these apps ought to open in Chrome rather than in the same window. If applications were outside of the single browser window, I could move them to different desktops and organize them like they were any other program, including adding them to a launcher. Hopefully, this would let me have fewer windows like this:


Five Year Old Bug Spawns Router Botnet Monster

In the news has been yet another router botnet. [Hui Wang] and [RootKiter] of 360Netlab announced their discovery of what they call the “BCMUPnP_Hunter” rootkit. They estimate this botnet to be running on over 100,000 routers worldwide.

There are two elements of this story that I found particularly baffling. First, this botnet infects routers using a vulnerability that was first reported by Defensecode over five years ago, in 2013! The second oddity is the wide range of devices that are vulnerable and are now part of the botnet. Dozens of brands and at least 116 models have been found to be infected.

One of the details of this story hasn’t been reported entirely accurately. The bug is not built into the Broadcom chipset. Unlike Spectre and Meltdown, it’s not actually a hardware fault. Broadcom distributes a Software Development Kit (SDK) that enables device manufacturers like D-Link, TP-Link, and Linksys to quickly develop firmware for routers using Broadcom chips. The vulnerability lies in this code, rather than part of the hardware itself.


Hack My House: Opening Raspberry Pi to the Internet, but Not the Whole World

If you’ve followed along with our series so far, you know we’ve set up a network of Raspberry Pis that PXE boot off a central server, and then used Zoneminder to run a network of IP cameras. Now that some useful services are running in our smart house, how do we access those services when away from home, and how do we keep the rest of the world from spying on our cameras?

Before we get to VPNs and port forwarding, there is a more fundamental issue: Do you trust your devices? What exactly is the firmware on those cheap cameras really doing? You could use Wireshark and a smart switch with port mirroring to audit the camera’s traffic. How much traffic would you need to inspect to feel confident the camera never sends your data off somewhere else?

Thankfully, there’s a better way. One of the major features of surveillance software like Zoneminder is that it aggregates the feeds from the cameras. This process also has the effect of proxying the video feeds: We don’t connect directly to the cameras in order to view them, we connect to the surveillance software. If you don’t completely trust those cameras, then don’t give them internet access. You can make the cameras a physically separate network, only connected to the surveillance machine, or just set their IP addresses manually, and don’t fill in the default route or DNS. Whichever way you set it up, the goal is the same: let your surveillance software talk to the cameras, but don’t let the cameras talk to the outside world.

Edit: As has been pointed out in the comments, leaving off a default route is significantly less effective than separate networks. A truly malicious piece of hardware could easily probe for the gateway.

This idea applies to more than cameras. Any device that doesn’t need internet access to function can be isolated in this way. While this could be considered paranoia, I consider it simple good practice. Join me after the break to discuss port forwarding vs. VPNs.
