IPv6 Christmas Display Uses 75 Internet’s Worth of Addresses

We’ve seen internet-enabled holiday displays before, and we know IPv6 offers much more space than the older IPv4 addressing scheme that most of us still use today, but the two have never been more spectacularly demonstrated than at jinglepings.com. The live video stream shows an Internet-connected Christmas tree and an LED display wall that you can control by sending IPv6 ICMP echo request messages, more commonly known as pings.

Reading the page, you quickly parse the fact that there are three ways to control the tree. First, you can type a message in the box and press send – this message gets displayed on the crawl at the bottom of the LED screen.  Second, you can light up the tree by sending a ping to the IPv6 address 2001:4c08:2028:2019::RR:GG:BB, where RR, GG, and BB are 8-bit hex values for red, green, and blue. This is a neat abuse of the IPv6 address space, in that the tree has 224 (around 16.8 million) IPv6 addresses, one for each color you can set. We were impressed by this brute-force use of address space, at least until we read on a little further.

You can also make your own drawings on the LED wall, again by sending pings. In this case, the address to set a pixel to a particular color is: 2001:4c08:2028:X:Y:RR:GG:BB, where X and Y are the pixel coordinates. This seems easy enough: to set pixel (10, 11) to magenta, the RGB value (0xFF, 0x00, 0xFF), you’d simply ping the IPv6 address 2001:4c08:2028:10:11:FF:00:FF. Having  an array of addressable LEDs is commonplace in hacker circles today, although each of them having their own live IPv6 address on the Internet seems a little excessive at first. Then it hits you – each LED has an IPv6 address for every possible color, just like the tree: 16.8 million addresses for each LED. The LED display is 160×120 pixels in size, so the total number of IPv6 addresses used is 160x120x224, which is 75 times larger than all possible IPv4 addresses!  This is a hack of monstrous proportions, and we love it.

In case you’re not running IPv6 yet, we’ve got you covered. To send individual pings using your browser, you can use a site like Ipv6now. If you want to send pixels to the display wall, you’re better off using a 6in4 tunnel that lets you access IPv6 sites using your current IPv4 connectivity.  Hurricane Electric offers a free 6in4 tunnel service that we’ve found useful. Then it’s just a matter of writing some code to send pixel values as pings.  The python scapy module is perfect for this sort of thing. But, first you’ll have to fill out the form on jinglepings.com and wait to get your IPv6 address whitelisted before you can draw on the display; evidently the usual bad actors have found the site and started drawing inappropriate things.

If you think this use of addresses seems wasteful, you needn’t worry. There are around 3.4×1038 IPv6 addresses, enough for 1027 such displays. We’re going to go out on a limb here and say it: nobody will ever need more than 2128 IP addresses.

If you’re looking to build an LED holiday display on a smaller budget, check out this one that re-purposes normal LED strings.

Thanks to [Ward] for the tip!

Linux Fu: Turn a Web App into a Full Program

I hate to admit it. I don’t really use Linux on my desktop anymore. Well, technically I do. I boot into Linux. Then I do about 95% of my work in Chrome. About the only native applications I use anymore are development tools, the shell, emacs, and GIMP. If I really wanted to, I could probably find replacements for nearly all of those that run in the browser. I don’t use it, but there’s even an ssh client in the browser. Mail client? Gmail. Blogging? WordPress. Notes? OneNote or Evernote. Wouldn’t it be great to run those as actual applications instead of tabs in a browser? You can and I’ll show you how.

Having apps inside Chrome can be a real problem. I wind up with dozens of tabs open — I’m bad about that anyway. Restarting chrome is a nightmare as it struggles to load 100 tabs all at once. (Related tip: Go to chrome://flags and turn “Offline Auto-Reload Mode” off and “Only Auto-Reload Visible Tabs” on.) I also waste a lot of time searching since I try to organize tabs by window. So I have to find the window that has, say, Gmail in it and then find Gmail among the twenty or so tabs in that window.

What I want is a way to wrap web applications in their own window so that they’d show up in the task bar with their own icon, but external web pages that open from these apps ought to open in Chrome rather than in the same window. If applications were outside of the single browser window, I could move them to different desktops and organize them like they were any other program, including adding them to a launcher. Hopefully, this would let me have fewer windows like this:

Continue reading “Linux Fu: Turn a Web App into a Full Program”

Five Year Old Bug Spawns Router Botnet Monster

In the news has been yet another router botnet. [Hui Wang] and [RootKiter] of 360Netlab announced their discovery of what they call the “BCMUPnP_Hunter” rootkit. They estimate this botnet to be running on over 100,000 routers worldwide.

There are two elements of this story that I found particularly baffling. First, this botnet infects routers using a vulnerability that was first reported by Defensecode over five years ago, in 2013! The second oddity is the wide range of devices that are vulnerable and are now part of the botnet. Dozens of brands and at least 116 models have been found to be infected.

One of the details of this story hasn’t been reported entirely accurately. The bug is not built into the Broadcom chipset. Unlike Spectre and Meltdown, it’s not actually a hardware fault. Broadcom distributes a Software Development Kit (SDK) that enables device manufacturers like D-Link, TP-Link, and Linksys to quickly develop firmware for routers using Broadcom chips. The vulnerability lies in this code, rather than part of the hardware itself.

Continue reading “Five Year Old Bug Spawns Router Botnet Monster”

Hack My House: Opening Raspberry Pi to the Internet, but Not the Whole World

If you’ve followed along with our series so far, you know we’ve set up a network of Raspberry Pis that PXE boot off a central server, and then used Zoneminder to run a network of IP cameras. Now that some useful services are running in our smart house, how do we access those services when away from home, and how do we keep the rest of the world from spying on our cameras?

Before we get to VPNs and port forwarding, there is a more fundamental issue: Do you trust your devices? What exactly is the firmware on those cheap cameras really doing? You could use Wireshark and a smart switch with port mirroring to audit the camera’s traffic. How much traffic would you need to inspect to feel confident the camera never sends your data off somewhere else?

Thankfully, there’s a better way. One of the major features of surveillance software like Zoneminder is that it aggregates the feeds from the cameras. This process also has the effect of proxying the video feeds: We don’t connect directly to the cameras in order to view them, we connect to the surveillance software. If you don’t completely trust those cameras, then don’t give them internet access. You can make the cameras a physically separate network, only connected to the surveillance machine, or just set their IP addresses manually, and don’t fill in the default route or DNS. Whichever way you set it up, the goal is the same: let your surveillance software talk to the cameras, but don’t let the cameras talk to the outside world.

Edit: As has been pointed out in the comments, leaving off a default route is significantly less effective than separate networks. A truly malicious peice of hardware could easily probe for the gateway.

This idea applies to more than cameras. Any device that doesn’t need internet access to function, can be isolated in this way. While this could be considered paranoia, I consider it simple good practice. Join me after the break to discuss port forwarding vs. VPNs.

Continue reading “Hack My House: Opening Raspberry Pi to the Internet, but Not the Whole World”

Back to School Online

In 1961, FCC Commissioner [Newt Minow] famously described TV as a “vast wasteland.” But TV can do great things; educational programming, news coverage, and great performances do appear, just not all that often. You can draw the same parallels to the Internet. Sure, it’s mostly cat pictures, snarky comments, and posts of what your friends had for dinner. But it can also be a powerful tool, especially for education. Recently, top-name schools and other institutions have posted courses online for everything from Python to Quantum Mechanics to Dutch. The problems are finding these classes and figuring out which ones are gems and which are duds. A site called Class-Central aims to solve these problems.

The site aggregates class descriptions from a variety of sources like edX, Coursea, and more. Users can rate the classes. Many of these courses are free to take. The recent trend is to offer the content for free, but charge for people who want an assessment, such as a certificate of completion or even a full-blown degree. Even then, the cost is typically far less than traditional college costs.

There’s also news about courses. For example, a recent post highlighted that edX now offers nine online master’s degrees in conjunction with major schools. A computer science masters from the University of Texas, for example, runs about $10,000. A Georgia Tech cybersecurity masters degree costs even less. There are another seven not ready yet, including one for electrical engineering.

Continue reading “Back to School Online”

Shakespeare in a Zip in a RAR, Hidden in an Image on Twitter

Steganography involves hiding data in something else — for example, encoding data in a picture. [David Buchanan] used polyglot files not to hide data, but to send a large amount of data in a single Twitter post. We don’t think it quite qualifies as steganography because the image has a giant red UNZIP ME printed across it. But without it, you might not think to run a JPG image through your unzip program. If you did, though, you’d wind up with a bunch of RAR files that you could unrar and get the complete works of the Immortal Bard in a single Tweet. You can also find the source code — where else — on Twitter as another image.

What’s a polyglot file? Jpeg images have an ICC (International Color Consortium) section that defines color profiles. While Twitter strips a lot of things out of images, it doesn’t take out the ICC section. However, the ICC section can contain almost anything that fits in 64 kB up to a limit of 16 MB total.

The ZIP format is also very flexible. The pointer to the central directory is at the end of the file. Since that pointer can point anywhere, it is trivial to create a zip file with extraneous data just about anywhere in the file.

Continue reading “Shakespeare in a Zip in a RAR, Hidden in an Image on Twitter”

Speak Your WiFi

When you create a Thing for the Internet of Things, you’ve made a little computer that does a simple job and which probably has a minimal interface. But minimal interfaces leave little room for configuration, such as entering WiFi details. Perhaps if you made the Thing yourself you’ve hard-coded your WiFi credentials in your code, but that hardly translates to multiple instances. So, how to put end-user WiFi credentials easily on more than one Thing? Perhaps [Rob Dobson] has the answer with his technique of sending them as a sequence of audible tones.

There is a piece of Javascript code in a browser into which you enter your WiFi credentials, which are then expressed through the speaker as a set of FSK tones to be picked up by a microphone on the Thing. They can then be decoded into the credentials, and the Thing can connect. All the code is available, on GitHub, should you fancy it yourself.

Of course, this is nothing new, as any owner of an 8-bit machine that had a cassette interface will tell you. And on the face of it it’s much easier than those awkward impromptu hotspots with a web interface to which you connect and pass on your credentials. But while we quite like the convenience, we can’t help wondering whether expressing the credentials in audible free space might be a bit too insecure for many readers. The technique however remains valid, and we’re sure that other less sensitive applications might be found for it. Meanwhile we hope he hasn’t inadvertently shared his WiFi password in the video below the break.

Continue reading “Speak Your WiFi”