This Week In Security: Chat Control, Vulnerability Extortion, And Emoji Malware

Way back in 2020, I actually read the proposed US legislation known as EARN IT, and with some controversy, concluded that much of the criticism of that bill was inaccurate. Well what’s old is new again, except this time it’s the European Union that’s wrestling with how to police online Child Sexual Abuse Material (CSAM). And from what I can tell of reading the actual legislation (pdf), this time it really is that bad.

The legislation lays out two primary goals, both of them problematic. The first is detection, or what some are calling “upload moderation”. The technical details are completely omitted here, simply stating that services “… take reasonable measures to mitigate the risk of their services being misused for such abuse …” The implication here is that providers would do some sort of automated scanning to detect illicit text or visuals, but exactly what constitutes “reasonable measures” is left unspecified.

The second goal is the detection order. It’s worth pointing out that interpersonal communication services are explicitly mentioned as required to implement these goals. From the bill:

Providers of hosting services and providers of interpersonal communications services that have received a detection order shall execute it by installing and operating technologies approved by the Commission to detect the dissemination of known or new child sexual abuse material or the solicitation of children…

This bill is careful not to prohibit end-to-end encryption, nor require that such encryption be backdoored. Instead, it requires that the apps themselves be backdoored, to spy on users before encryption happens. No wonder Meredith Whittaker has promised to pull the Signal app out of the EU if it becomes law. As this scanning is done prior to encryption, it’s technically not breaking end-to-end encryption.

You may wonder why that’s such a big deal. Why is it a non-negotiable for the Signal app to not look for CSAM in messages prior to encryption? For starters, it’s a violation of user trust and an intentional weakening of the security of the Signal system. But maybe most importantly, it puts a mechanism in place that will undoubtedly prove too tempting for future governments. If Signal can be forced into looking for CSAM in the EU, why not anti-government speech in China?


Lindroid Promises True Linux On Android

Since Android uses Linux, you’d think it would be easier to run Linux apps on your Android phone or tablet. There are some solutions out there, but the experience is usually less than stellar. A new player, Lindroid, claims to provide real Linux distributions with hardware-accelerated Wayland on phones. How capable is it? The suggested window manager is KDE’s KWin. That software is fairly difficult to run on anything but a full-blown system with D-Bus, hardware acceleration, and similar features.

There are, however, a few problems. First, you need a rooted phone, which isn’t totally surprising. Second, there are no clear instructions yet about how to install the software. The bulk of the information available is on an X thread. You can go about 4 hours into the very long video below to see a slide presentation about Lindroid.


Webserver Runs On Android Phone

Android, the popular mobile phone OS, is essentially just Linux with a nice user interface layer covering it all up. In theory, it should be able to do anything a normal computer running Linux could do. And, since most web servers in the world are running Linux, [PelleMannen] figured his Android phone could run a web server just as well as any other Linux machine and built this webpage that’s currently running on a smartphone, with an additional Reddit post for a little more discussion.

The phone uses Termux (which we’ve written about briefly before) to get to a Bash shell on the Android system. Before that happens, though, some setup needs to take place, largely involving installing F-Droid, through which Termux can be installed. From there the standard SSH and Apache servers can be installed as if the phone were running a normal Linux distribution. The rest of the installation involves tricking the phone into thinking it’s a full-fledged computer, including a number of considerations to keep the phone from halting execution when the screen locks, plus other phone-specific issues.

With everything up and running, [PelleMannen] reports that it runs surprisingly well with the small ARM system outputting almost no heat. Since the project page is being hosted on this phone we can’t guarantee that the link above works, though, and it might get a few too many requests to stay online. We wish it were a little easier to get our pocket-sized computers to behave in similar ways to our regular laptops and PCs (even if they don’t have quite the same amount of power) but if you’re dead-set on repurposing an old phone we’ve also seen them used to great effect in place of a Raspberry Pi.

This Week In Security: Loop DOS, Flipper Responds, And More!

Here’s a fun thought experiment. UDP packets can be sent with an arbitrary source IP and port, so you can send a packet to one server, and could aim the response at another server. What happens if that response triggers another response? What if you could craft a packet that continues that cycle endlessly? That is essentially the idea behind Loop DoS (Denial of Service).

This unique avalanche of packets has been achieved using specific implementations of several different network services, like TFTP, DNS, and NTP. There are several CVEs being used to track the issue, but CVE-2024-2169 is particularly odd, with the description that “Implementations of UDP application protocol are vulnerable to network loops.” This seems to be a blanket CVE for UDP, which is particularly inappropriate given that the first DoS of this sort was reported in 2009 at the latest.

More details are available in a Google Doc. There are some interesting tidbits there, like the existence of cross-protocol loops, and several legacy protocols that are vulnerable by design. The important thing to remember here is that you have to have an accessible UDP port for this sort of attack to take place, so if you’re not using it, firewall it.
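As an added illustration that is not from the original article, here is an in-process Python model (no sockets, no network traffic) of why two services that answer every datagram, error replies included, trap each other in an endless exchange, and how silently dropping malformed or unsolicited input on even one side breaks the loop. The handlers and the `REQ`/`OK`/`ERR` message format are hypothetical.

```python
from collections import deque
from typing import Callable, Optional

Handler = Callable[[bytes], Optional[bytes]]

MAX_ROUNDS = 50  # safety cap so the simulated loop always terminates


def naive_handler(msg: bytes) -> Optional[bytes]:
    """Vulnerable pattern: reply to every datagram, even unrecognised input.
    An error reply that lands on another such service is itself unrecognised,
    so the two services keep answering each other's errors forever."""
    if msg.startswith(b"REQ "):
        return b"OK " + msg[4:]
    return b"ERR unknown command"


def hardened_handler(msg: bytes) -> Optional[bytes]:
    """Hardened pattern: answer only well-formed requests and drop the rest.
    Not emitting an error-for-error reply removes the loop's fuel."""
    if msg.startswith(b"REQ "):
        return b"OK " + msg[4:]
    return None  # silent drop: no reply, nothing for a peer to bounce back


def simulate_loop(handler_a: Handler, handler_b: Handler,
                  first_msg: bytes, max_rounds: int = MAX_ROUNDS) -> int:
    """Deliver first_msg to A as though it came from B (a spoofed source),
    then hand every reply to the other side. Returns how many datagrams were
    emitted before the exchange died, capped at max_rounds for a live loop."""
    handlers = deque([handler_a, handler_b])
    msg: Optional[bytes] = first_msg
    sent = 0
    while msg is not None and sent < max_rounds:
        msg = handlers[0](msg)      # current side processes the datagram
        if msg is not None:
            sent += 1               # a reply goes out to the other side
        handlers.rotate(-1)         # other side receives it next
    return sent


if __name__ == "__main__":
    # Constructed inputs: one bogus datagram and one legitimate request.
    print("naive/naive, bogus:", simulate_loop(naive_handler, naive_handler, b"bogus"))
    print("naive/naive, legit:", simulate_loop(naive_handler, naive_handler, b"REQ ping"))
    print("naive/hardened:", simulate_loop(naive_handler, hardened_handler, b"bogus"))
    print("hardened/hardened:", simulate_loop(hardened_handler, hardened_handler, b"REQ ping"))
```

Note that with two naive services even a legitimate request starts the loop, because the `OK` reply is not a request and earns an error in return.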

Flipper Flips Back

We’ve covered the saga of the Flipper Zero vs the Canadian government, in the context of car theft. The short version is that Canada has seen an uptick of car thefts from organized crime. Rather than meaningfully dealing with this problem, the Canadian government went looking for scapegoats, and found the Flipper Zero.

Well now, Flipper has responded, and put simply, the message is “stop the madness”. There has never been a confirmed case of a Flipper Zero being used to steal a car, and it’s very unlikely it has ever happened. On a modern car with proper rolling-code security, it’s not meaningfully possible to use the Flipper Zero for the theft. The two primary ways criminals actually steal cars are with dedicated keyfob repeaters and CAN bus hackers.

There is a petition to sign, and for Canadians, Flipper suggests contacting your local member of parliament.

Your 1983 Video Phone Is Finally Ready

If you read Byte magazine in 1983, you might have expected that, by now, you’d be able to buy the red phone with the video screen built-in. You know, like the one that appears on the cover of the magazine. Of course, you can’t. But that didn’t stop former Hackaday luminary [Cameron] from duplicating the mythical device, if not precisely, then in spirit. Check it out in the video, below.

The Byte Magazine Cover in Question!

While the original Byte article was about VideoTex, [Cameron] built a device with even more capability you couldn’t have dreamed of in 1983. What’s more, the build was simple. He started with an old analog phone and a tiny Android phone. A 3D-printed faceplate lets the fake phone serve as a sort of dock for the cellular device.

That’s not all, though. Using the guts of a Bluetooth headset enables the fake phone’s handset. Now you can access the web — sort of a super Videotex system. You can even make video calls.

There isn’t a lot of detail about the build, but you probably don’t need it. This is more of an art project, and your analog phone, cell phone, and Bluetooth gizmo will probably be different anyway.

Everyone always wanted a video phone, and while we sort of have them now, it doesn’t quite seem the same as we imagined them. We wish [Cameron] would put an app on the phone to simulate a rotary dial and maybe even act as an answering machine.


Flat Earth Theatre presents "R.U.R." by Karel Capek. January 23 - 31, 2009. Featuring Michael Wayne Smith, Karen Hart, Valerie Daum, Jeff Tidwell, Kevin Kordis, James Rossi, Bill Conley, Justus Perry, and Amy Lehrmitt. Directed by Jake Scaltreto. Arsenal Center for the Arts, Watertown.

Robot: You Keep Using That Word But It Doesn’t Mean What You Think It Means

The flute player automaton by Innocenzo Manzetti (1840)

With many words that are commonly used in everyday vocabulary, we are certain that we have a solid grasp of what they do and do not mean, but is this really true? Take the word ‘robot’, for example, which is more often used wrongly than correctly when going by the definition of the person who coined it: [Karel Čapek]. It was the year 1920 when his play Rossumovi Univerzální Roboti was introduced to the world, and it soon saw itself translated and performed around the globe, with the English-speaking world knowing it as R.U.R.: Rossum’s Universal Robots.

Up till then, the concept of a relatively self-operating machine was known as an automaton, as introduced by the Ancient Greeks, with the term ‘android’ being introduced as early as the 18th century to mean automatons that have a human-like appearance, but are still mechanical contraptions. When [Čapek] wrote his play, he did not intend to have non-human characters that were like these androids, but rather pure artificial life: biochemical systems much like humans, using similar biochemical principles as proteins, enzymes, hormones and vitamins, assembled from organic matter like humans. These non-human characters he called ‘roboti’, from Old Czech ‘robot’ (robota: “drudgery, servitude”), who looked human, but lacked a ‘soul’.

Despite this intent, the run-away success of R.U.R. led to anything android- and automaton-like being referred to as a ‘robot’, which he lamented in a 1935 column in Lidové Noviny. Rather than whirring and clunking pieces of machinery being called ‘automatons’ and ‘androids’ as they had been for hundreds of years, now his vision of artificial life had effectively been wiped out. Despite this, to this day we can still see the traces of the proper terms, for example when we talk about ‘automation’, which is where automatons (‘industrial robots’) come into play, like the industrial looms and kin that heralded the Industrial Revolution.

(Heading image: Performance of R.U.R. by Flat Earth Theatre, showing the mixing of robot ingredients)

Android-Powered Rigol Scopes Go Wireless

The Rigol DHO800 and DHO900 series use Android underneath, and as you might expect, this makes them easier to hack. A case in point: [VoltLog] demonstrates that you can add WiFi to the scope using a cheap USB WiFi adapter. This might seem like a no-brainer on the surface, but because the software doesn’t know about WiFi, there are a few minor hoops to jump through.

The first issue is that you need a WiFi adapter the built-in OS already knows how to handle. The community has identified at least one RTL chipset that works and it happens to be in the TP-Link TL-WN725N. These are old 2.4 GHz only units, so they are widely available for $10 or less.

But even with the correct hardware, the scope doesn’t have any menus to configure the WiFi interface. To solve that, you need to temporarily use a USB hub and a USB keyboard. Once you have everything plugged in, you can use the Super + N keyboard shortcut to open up the Android notification bar, which is normally hidden. Once you’ve set up the network connection, you won’t need the keyboard anymore.

Or maybe not — it turns out the keyboard does allow you to change a few other things. For example, [VoltLog] used it to increase the screen brightness more than the default maximum setting.

The only other issue appears to be that the scope shows it is disconnected even when connected to WiFi. That doesn’t seem to impact operation, though. Of course, you could use a WiFi to Ethernet bridge or even an old router, but now you have a cable, a box, and another power cord to deal with. This solution is neat and clean. You bet we’ve already ordered a TP-Link adapter!

WiFi scopes are nothing new. We suspect Rigol didn’t want to worry about interference and regulatory acceptance, but who knows? Besides, it is fun to add WiFi to wired devices.
