Explaining Efail and Why It Isn’t the End of Email Privacy

Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.

A team of researchers published a paper(PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.

But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients., but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption all together just makes no sense.

Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around. Join me after the break as I walk through how it works, and what you can do to avoid it.

Continue reading “Explaining Efail and Why It Isn’t the End of Email Privacy”

Video of the Arduino FPGA Board Demo at Maker Faire

This week, Arduino announced a lot of new hardware including an exceptionally interesting FPGA development board aimed at anyone wanting to dip their toes into the seas of VHDL and developing with programmable logic. We think it’s the most interesting bit of hardware Arduino has released since their original dev board, and everyone is wondering what the hardware actually is, and what it can do.

This weekend at Maker Faire Bay Area, Arduino was out giving demos for all their wares, and yes, the Arduino MKR Vidor 4000 was on hand, being shown off in a working demo. We have a release date and a price. It’ll be out next month (June 2018) for about $60 USD.

But what about the hardware, and what can it do? From the original press releases, we couldn’t even tell how many LUTs this FPGA had. There were a lot of questions about the Mini PCIe connectors, and we didn’t know how this FPGA would be useful for high-performance computation like decoding video streams. Now we have the answers.

The FPGA on board the Arduino Vidor is an Altera Cyclone 10CL016. This chip has 16k logic elements, and 504 kB memory block. This is on the low end of Altera’s FPGA lineup, but it’s still no slouch. In the demo video below, it’s shown decoding video and identifying QR codes in real time. That’s pretty good for what is effectively a My First FPGA™ board.

Also on board the Vidor is a SAMD21 Cortex-M0+ microcontroller and a uBlox module housing an ESP-32 WiFi and Bluetooth module. This is a really great set of chips, and if you’re looking to get into FPGA development, this might just be the board for you. We haven’t yet seen the graphic editor that will be used to work with IP for the FPGA (for those who don’t care to write their own VHDL or Verilog), but we’re looking forward to the unveiling of that new software.

Arduino Just Introduced an FPGA Board, Announces Debugging and Better Software

Today ahead of the Bay Area Maker Faire, Arduino has announced a bevy of new boards that bring modern features and modern chips to the Arduino ecosystem.

Most ambitious of these new offerings is a board that combines a fast ARM microcontroller, WiFi, Bluetooth, and an FPGA. All this is wrapped in a package that provides Mini HDMI out and pins for a PCIe-Express slot. They’re calling it the Arduino MKR Vidor 4000.

Bringing an FPGA to the Arduino ecosystem is on the list of the most interesting advances in DIY electronics in recent memory, and there’s a lot to unpack here. FPGA development boards aren’t new. You can find crates of them hidden in the storage closet of any University’s electronics lab. If you want to buy an FPGA dev board, the Terasic DE10 is a good starter bundle, the iCEstick has an Open Source toolchain, and this one has pink soldermask. With the release of the MKR Vidor, the goal for Arduino isn’t just to release a board with an FPGA; the goal is to release a tool that allows anyone to use an FPGA.

The key to democratizing FPGA development is Arduino’s work with the Arduino Create ecosystem. Arduino Create is the company’s online IDE that gives everyone the ability to share projects and upload code with Over-the-Air updates. The MKR Vidor will launch with integration to the Arduino Create ecosystem that includes a visual editor to work with the pre-compiled IP for the FPGA. That’s not to say you can’t just plug your own VHDL into this board and get it working; that’s still possible. But Arduino would like to create a system where anyone can move blocks of IP around with a tool that’s easy for beginners.

A Facelift for the Uno WiFi

First up is the brand new Arduino Uno WiFi. While there have been other boards bearing the name ‘Arduino Uno WiFi’ over the years, a lot has changed in the world of tiny radio modules and 8-bit microcontrollers over the past few years. The new Arduino Uno WiFi is powered by a new 8-bit AVR, the ATMega4809. The ATMega4809 is a new part announced just a few months ago, and is just about what you would expect from the next-generation 8-bit Arduino; it runs at 20MHz, has 48 kB of Flash, 6 kB of SRAM, and it comes in a 48-pin package. The ATMega4809 is taking a few lattices of silicon out of Microchip’s playbook and adds Custom Configurable Logic. The CCL in the new ATMega is a peripheral that is kinda, sorta like a CPLD on chip. If you’ve ever had something that could be more easily done with logic gates than software, the CCL is the tool for the job.

But a new 8-bit microcontroller doesn’t make a WiFi-enabled Arduino. The wireless power behind the new Arduino comes from a custom ESP-32 based module from u-blox. There’s also a tiny crypto chip (Microchip’s ATECC508A) so the Uno WiFi will work with AWS. The Arduino Uno WiFi will be available this June.

But this isn’t the only announcement from the Arduino org today. They’ve been hard at work on some killer features for a while now, and now they’re finally ready for release. What’s the big news? Debuggers. Real debuggers for the Arduino that are easy to use. There are also new boards aimed at Arduino’s IoT strategy.

Continue reading “Arduino Just Introduced an FPGA Board, Announces Debugging and Better Software”

PGP Vulnerability Pre-announced by Security Researcher

From the gaping maw of the infosec Twitterverse comes horrifying news. PGP is broken. How? We don’t know. When will there be any information on this vulnerability? Tomorrow. It’s the most important infosec story of the week, and it’s only Monday. Of course, this vulnerability already has a name. Everyone else is calling it eFail, but I’m calling it Fear, Uncertainty, and Doubt.

Update: eFail site and paper now available. This was released ahead of Tuesday’s planned announcement when the news broke ahead of a press embargo.

Update 2: The report mentions two attacks. The Direct Exfiltration attack wraps the body of a PGP-encrypted email around an image tag. If a mail client automatically decrypts this email, the result will be a request to a URL containing the plaintext of the encrypted email. The second attack only works one-third of the time. Mitigation strategies are to not decrypt email in a client, disable HTML rendering, and in time, update the OpenPGP and S/MIME standards. This is not the end of PGP, it’s a vulnerability warranting attention from those with a very specific use case.

[Sebastian Schinzel] announced on Twitter today he will be announcing a critical vulnerability in PGP/GPG and S/MIME email encryption. This vulnerability may reveal the plaintext of encrypted emails. There are currently no fixes — but there’s no proof of concept, or any actual publication of this exploit either. The only thing that’s certain: somebody on Twitter said encrypted email is broken.

The EFF has chimed in on this exploit and advises everyone to immediately disable and uninstall tools that automatically decrypt PGP-encrypted email. It also looks like the EFF came up with a great little logo for eFail as well so kudos on that.

While there are no details whatsoever concerning eFail aside from a recommendation to not use PGP, a few members of the community have seen a pre-press of the eFail paper. [Werner Koch] of GnuPG says eFail is simply using HTML as a back channel. If this is true, PGP is still safe; you just shouldn’t use HTML emails. If you really need to read HTML emails, use a proper MIME parser and disallow access to external links. It should be noted that HTML in email is already an attack vector and has been for decades. You don’t need to bring PGP into this.

Should you worry about a vulnerability in PGP and email encryption? Literally no one knows. European security researchers are working on a publication release right now, but other experts in the field who have seen the paper think it’s not a big deal. There is no consensus from experts in the field, and there is no paper available right now. That last point will change in a few hours, but for now eFail just stands for Fear, Uncertainty, and Doubt.

Flash Memory: Caveat Emptor

We all love new tech. Some of us love getting the bleeding edge, barely-on-the-market devices and some enjoy getting tech thirty years after the fact to revel in nostalgia. The similarity is that we assume we know what we’re buying and only the latter category expects used parts. But, what if the prior category is getting used parts in a new case? The University of Alabama in Huntsville has a tool for protecting us from unscrupulous manufacturers installing old flash memory.

Flash memory usually lasts longer than the devices where it is installed, so there is a market for used chips which are still “good enough” to pass for new. Of course, this is highly unethical. You would not expect to find a used transmission in your brand new car so why should your brand new tablet contain someone’s discarded memory?

The principles of flash memory are well explained by comparing them to an ordinary transistor, of which we are happy to educate you. Wear-and-tear on flash memory starts right away and the erase time gets longer and longer. By measuring how long it takes to erase, it is possible to accurately determine the age of chip in question.

Pushing the limits of flash memory’s life-span can tell a lot about how to avoid operation disruption or you can build a flash drive from parts you know are used.

Google’s Duplex AI Has Conversation Indistinguishable From Human’s

First Google gradually improved its WaveNet text-to-speech neural network to the point where it sounds almost perfectly human. Then they introduced Smart Reply which suggests possible replies to your emails. So it’s no surprise that they’ve announced an enhancement for Google Assistant called Duplex which can have phone conversations for you.

What is surprising is how well it works, as you can hear below. The first is Duplex calling to book an appointment at a hair salon, and the second is it making reservation’s with a restaurant.

Note that this reverses the roles when talking to a computer on the phone. The computer is the customer who calls the business, and the human is on the business side. The goal of the computer is to book a hair appointment or reserve a table at a restaurant. The computer has to know how to carry out a conversation with the human without the human knowing that they’re talking to a computer. It’s for communicating with all those businesses which don’t have online booking systems but instead use human operators on the phone.

Not knowing that they’re talking to a computer, the human will therefore speak as it would with another human, with all the pauses, “hmm”s and “ah”s, speed, leaving words out, and even changing the context in mid-sentence. There’s also the problem of multiple meanings for a phrase. The “four” in “Ok for four” can mean 4 pm or four people.

The component which decides what to say is a recurrent neural network (RNN) trained on many anonymized phone calls. The input is: the audio, the output from Google’s automatic speech recognition (ASR) software, and context such as the conversation’s history and the parameters of the conversation (e.g. book places at a restaurant, for how many, when), and more.

Producing the speech is done using Google’s text-to-speech technologies, Wavenet and Tacotron. “Hmm”s and “ah”s are inserted for a more natural sound. Timing is also taken into account. “Hello?” gets an immediate response. But they introduce latency when responding to more complex questions since replying too soon would sound unnatural.

There are limitations though. If it decides it can’t complete a task then it hands the conversation over to a human operator. Also, Duplex can’t handle a general conversation. Instead, multiple instances are trained on different domains. So this isn’t the singularity which we’ve talked about before. But if you’re tired of talking to computers at businesses, maybe this will provide a little payback by having the computer talk to the business instead.

On a more serious note, would you want to know if the person you were speaking to was in fact a computer? Perhaps Google should preface each conversation with “Hi! This is Google Assistant calling.” And even knowing that, would you want to have a human conversation with a computer, knowing that it’s “um”s were artificial? This may save time for the person whom the call is on behalf of, but the person being called may wish the computer would be a little more computer-like and speak more efficiently. Let us know your thoughts in the comments below. Or just check out the following Google I/O ’18 keynote presentation video where all this was announced.

Continue reading “Google’s Duplex AI Has Conversation Indistinguishable From Human’s”

Microsoft Kinect Episode IV: A New Hope

The history of Microsoft Kinect has been of a technological marvel in search of the perfect market niche. Coming out of Microsoft’s Build 2018 developer conference, we learn Kinect is making another run. This time it’s taking on the Internet of Things mantle as Project Kinect for Azure.

Kinect was revolutionary in making a quality depth camera system available at a consumer price point. The first and second generation Kinect were peripherals for Microsoft’s Xbox gaming consoles. They wowed the world with possibilities and, thanks in large part to an open source driver bounty spearheaded by Adafruit, Kinect found an appreciative audience in robotics, interactive art, and other hacking communities. Sadly its novelty never translated to great success in its core gaming market and Kinect as a gaming peripheral was eventually discontinued.

For its third-generation, Kinect retreated from gaming and found a role in Microsoft’s HoloLens AR headset running “backwards”: tracking user’s environment instead of user’s movement. The high cost of a HoloLens put it out of reach of most people, but as a head-mounted battery-powered device, it pushed Kinect technology to shrink in physical size and power consumption.

This upcoming fourth generation takes advantage of that evolution and the launch picture is worth a thousand words all on its own: instead of a slick end-user commercial product, we see a populated PCB awaiting integration. The quoted power draw of 225-950mW is high by modern battery-powered device standards but undeniably a huge reduction from previous generations’ household AC power requirement.

Microsoft’s announcement heavily emphasized how this module will work with their cloud services, but we hope it can be persuaded to run independently from Microsoft’s cloud just as its predecessors could run independent of game consoles. This will be a big factor for adoption by our community, second only to the obvious consideration of price.

[via Engadget]