This Week in Security: Backdoors in Cisco Switches, PGP Spoofing in Emails, Git Ransomware

Some switches in Cisco’s Nexus 9000 series (running in ACI mode) are susceptible to a remote vulnerability, numbered CVE-2019-1804. It’s a bit odd to call it a vulnerability, actually, because the software is operating as intended: Cisco shipped these switches with the same SSH key pair hardcoded in the software, and that key authorizes root logins. Anyone who extracts the private key from one switch can log in as root on any of them.

Cisco makes a strange claim in its advisory: that this is only exploitable over IPv6. That seems odd, because nothing about SSH or public-key authentication is IPv6 specific. One reading is that there is a second blunder, and the SSH port was accidentally left open to the world on IPv6 only. Another is that Cisco assumes these switches sit behind NAT routers and are therefore unreachable over IPv4. One of the advantages (or disadvantages) of IPv6 is that there is normally no NAT, so every network device has a globally routable address. (Reachable in the sense that a route exists; firewalling is still possible, of course, and blocking SSH over IPv6 from untrusted networks is the obvious stopgap until fixed software replaces the key.)
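Because the flaw is a shared authorized key rather than a software bug, the practical check on any fleet is to audit root’s authorized_keys for fingerprints you know to be vendor defaults, and for entries that carry no source or forced-command restriction. The script below is an added Python example, not Cisco’s code and not a detector for the actual CVE-2019-1804 key (which is not reproduced here): the key blobs, the deny-list fingerprint and the sample authorized_keys file are all constructed for the illustration.

```python
"""Audit an authorized_keys file for known-bad (vendor-default) keys and for
entries that grant unrestricted access.

Added example for the default-SSH-key discussion; not Cisco's code. All key
material, the deny list and the sample file are constructed for illustration.
"""
import base64
import hashlib
import shlex
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_ed25519_blob(key_bytes: bytes) -> str:
    """Encode 32 bytes as an ssh-ed25519 wire blob (RFC 4251 string framing).
    Used only to construct sample entries; the bytes are not a real key."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)).decode()


def parse_authorized_keys(text: str):
    """Yield (line_no, options, key_type, blob) for each key line.
    Options are optional and precede the key type; shlex handles quoted values."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0].startswith(KEY_TYPE_PREFIXES):
            options, key_type, blob = "", tokens[0], tokens[1]
        else:
            options, key_type, blob = tokens[0], tokens[1], tokens[2]
        yield line_no, options, key_type, blob


def audit(text: str, denylist: set) -> list:
    """Return (line_no, finding, fingerprint) tuples.
    Flags keys whose fingerprint is on the deny list, and keys with neither a
    from= source restriction nor a command= forced command."""
    findings = []
    for line_no, options, _key_type, blob in parse_authorized_keys(text):
        fp = ssh_fingerprint(blob)
        if fp in denylist:
            findings.append((line_no, "known-bad key", fp))
        if "from=" not in options and "command=" not in options:
            findings.append((line_no, "unrestricted key", fp))
    return findings


# Constructed sample data: a "vendor default" key baked into every unit and a
# properly restricted operator key.
VENDOR_BLOB = make_ed25519_blob(b"\x01" * 32)
OPS_BLOB = make_ed25519_blob(b"\x02" * 32)
DENYLIST = {ssh_fingerprint(VENDOR_BLOB)}   # fingerprints you know to be shared defaults
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# root authorized_keys (constructed sample)",
    f"ssh-ed25519 {VENDOR_BLOB} vendor-default",
    f'from="10.0.0.0/8" ssh-ed25519 {OPS_BLOB} ops@jumphost',
])

if __name__ == "__main__":
    for line_no, finding, fp in audit(SAMPLE_AUTHORIZED_KEYS, DENYLIST):
        print(f"line {line_no}: {finding} ({fp})")
```

Run against a real file, the deny list would be populated with fingerprints published for known vendor or leaked keys; the fingerprint format matches what `ssh-keygen -lf` prints, so the two can be compared directly.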

It’s staggering how many devices, even high end commercial devices, are shipped with unintentional yet effective backdoors, just like this one.

Radio Free Blockchain: Bitcoin from Space

Cryptocurrencies: love them, hate them, or be baffled by them, but don’t think you can escape them. That’s the way it seems these days at least, with news media filled with breathless stories about Bitcoin and the other cryptocurrencies, and everyone from Amazon to content creators on YouTube now accepting the digital currency for payments. And now, almost everyone on the planet is literally bathed in Bitcoin, or at least the distributed ledger that makes it work, thanks to a new network that streams the Bitcoin blockchain over a constellation of geosynchronous satellites.


Yes, You Can Put IoT on the Blockchain using Python and the ESP8266

Last year, we saw quite a bit of media attention paid to blockchain startups. They raised money from the public, then most of them vanished without a trace (or product). Ethics and legality of their fundraising model aside, a few of the ideas they presented might be worth revisiting one day.

One idea in particular that I’ve struggled with is the synthesis of IoT and blockchain technology. Usually when presented with a product or technology, I can comprehend how and/or why someone would use it – in this case I understand neither, and it’s been nagging at me from some quiet but irrepressible corner of my mind.

The typical IoT networks I’ve seen collect data using cheap and low-power devices, and transmit it to a central service without more effort spent on security than needed (and sometimes much less). On the other hand, blockchains tend to be an expensive way to store data, require a fair amount of local storage and processing power to fully interact with them, and generally involve the careful handling of public-key cryptography, since every transaction has to be signed with a private key the device must keep secret.

I can see some edge cases where it would be useful, for example securely setting the state of some large network of state machines – sort of like a more complex version of this system that controls a single LED via Ethereum smart contract.

What I believe isn’t important though, perhaps I just lack imagination – so let’s build it anyway.


Hackaday Links: December 16, 2018

Microsoft is really leaning into vaporwave these days. Microsoft is giving away knit Windows sweaters to social media influencers. Is it for an ugly sweater contest? Maybe, or maybe Microsoft is capitalizing on the mid-90s AESTHETIC. Recently, Apple got back in their 90s logo game with the release of a few ‘rainbow Apple’ t-shirts. The spirit of the 90s lives on in tech culture.

Have a Hackerspace? Frack is organizing the great Inter-hackerspaces Xmas goodies swap! Since your hackerspace is filled with weird ephemera and random crap, why not box it up and send it out to another hackerspace? You’ll probably get another random box of crap in return!

Just an observation looking for commentary, but is Thingiverse slow these days? It seems really, really, really slow these days.

The Blockchain makes it to the Apple II! By far, the most interesting thing in tech right now is the blockchain, with AI, at the edge. This will get your Merkle trees tinglin’ with some AI, and 5G is where it’s at. We’re back with cylinder computing this time, and this is the greatest achievement that will synthesize brand new paradigms. Of course, if it weren’t for millennials, we’d have it already.

There’s a new portable console out there, and it’s at the top of everyone’s Christmas lists. The SouljaGame Handheld is a rebrand of what’s available on AliExpress. What makes this one different? It has Soulja Boy’s name on it. If you couldn’t get your hands on the SouljaGame Handheld, don’t worry: Post Malone Crocs are available on eBay for about $300.

What Can The Blockchain Do For You?

Imagine you’re a general, camped outside a fortified city with your army. Your army isn’t strong enough to take the city without help. But you do have help: camped on other hills outside this city are a half dozen more generals, with their armies ready to attack. Attacking one army at a time will fail; taking this city will require at least three or four armies, and an uncoordinated attack will leave thousands dead outside the city gates. How do you coordinate an attack with the other generals? Now, how do you coordinate your attack if one of those other generals is Benedict Arnold? What happens when one of the generals is working with the enemy?

This situation is a slight rephrasing of the Byzantine Generals Problem, presented by Lamport, Shostak and Pease in ACM Transactions on Programming Languages and Systems in 1982. Their result is that with unsigned (“oral”) messages, m traitors can be tolerated only when there are more than 3m generals in total. It’s related to the Two Generals Problem formulated a decade earlier. These are the analogies we use when we talk about trust over a communications channel, how hard it is to transmit knowledge reliably, and how to reach consensus on imperfect facts.
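To make the generals concrete, here is Lamport, Shostak and Pease’s Oral Messages algorithm OM(m) in Python, as an added example that is not part of the original article. Generals are named strings, orders are ATTACK or RETREAT, and the traitor behaviour (sending the opposite order to every other recipient) is one constructed strategy chosen to show the n > 3m bound; it is not the only way a traitor can misbehave.

```python
"""Lamport, Shostak and Pease's Oral Messages algorithm OM(m) for the
Byzantine generals problem, as an added example (not the article's code).

Generals are named strings; an order is ATTACK (1) or RETREAT (0). The traitor
behaviour is one constructed strategy (send the opposite order to every other
recipient); it is enough to show why n > 3m generals are needed, but it is
not the only way a traitor can misbehave.
"""
from collections import Counter

RETREAT, ATTACK = 0, 1


def majority(values, default=RETREAT):
    """Majority of the values; a fixed default breaks ties (Lamport's majority)."""
    ranked = Counter(values).most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return default
    return ranked[0][0]


def send(sender, recipients, order, traitors):
    """What each recipient actually hears from sender."""
    if sender in traitors:
        # Constructed traitor strategy: flip the order for every other recipient.
        return {r: (1 - order if i % 2 == 0 else order) for i, r in enumerate(recipients)}
    return {r: order for r in recipients}


def om(m, commander, lieutenants, order, traitors):
    """Run OM(m) and return {lieutenant: decided order}."""
    received = send(commander, lieutenants, order, traitors)
    if m == 0:
        return received
    # Each lieutenant forwards what it heard to the others using OM(m-1).
    relayed = {lt: {} for lt in lieutenants}
    for lt in lieutenants:
        others = [x for x in lieutenants if x != lt]
        sub = om(m - 1, lt, others, received[lt], traitors)
        for o in others:
            relayed[o][lt] = sub[o]
    decided = {}
    for lt in lieutenants:
        votes = [received[lt]] + [relayed[lt][j] for j in lieutenants if j != lt]
        decided[lt] = majority(votes)
    return decided


def interactive_consistency(m, commander, lieutenants, order, traitors):
    """True when both conditions hold for the loyal lieutenants:
    IC1: all loyal lieutenants obey the same order;
    IC2: if the commander is loyal, that order is the one it sent."""
    decided = om(m, commander, lieutenants, order, traitors)
    loyal = {lt: v for lt, v in decided.items() if lt not in traitors}
    ic1 = len(set(loyal.values())) == 1
    ic2 = commander in traitors or all(v == order for v in loyal.values())
    return ic1 and ic2


if __name__ == "__main__":
    # n = 4, one traitor: works whether the traitor is a lieutenant or the commander.
    print(interactive_consistency(1, "C", ["L1", "L2", "L3"], ATTACK, {"L3"}))
    print(interactive_consistency(1, "C", ["L1", "L2", "L3"], ATTACK, {"C"}))
    # n = 3, one traitor: the loyal lieutenant is talked into retreating.
    print(interactive_consistency(1, "C", ["L1", "L2"], ATTACK, {"L2"}))
```

With four generals and one traitor the loyal lieutenants agree and follow a loyal commander; with three generals the single loyal lieutenant ends up with a one-one split and falls back to the default, which is exactly the failure the 3m+1 bound describes. The same recursion handles m = 2 with seven generals.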

This problem was upended in late 2008 when Satoshi Nakamoto, a person or group of people, published the Bitcoin white paper, which introduced the ‘block chain’ as the solution to double-spending in a digital currency. Think of it as having a digital thing that only one person can own at a time. As a test of this block chain technology, Bitcoin was launched at the beginning of 2009. Things got more annoying from there.

Now, blockchain is at the top of the hype cycle. Every industry is looking at blockchain tech to figure out how it will work for them. Kodak launched their own blockchain, there are proposals to use the blockchain in drones and 3D printers. Medical records could be stored on the blockchain, HIPAA be damned, and there’s a blockchain phone, for reasons. This doesn’t even cover the massive amount of speculation in Bitcoin itself; thousands of other cryptocurrencies have also sprung up, and people are losing money.

The blockchain is a confusing thing, with hashes and Merkle trees and timestamps. Everyone is left asking themselves, what does the blockchain actually do? Is there an independent body out there that will tell me what the blockchain is good for, and when I should use it? You’re in luck: NIST, the National Institute of Standards and Technology, released its report on blockchain technology, Blockchain Technology Overview (NISTIR 8202, PDF). Is blockchain magic? No, no it is not, and the report’s own criteria suggest it probably shouldn’t be used for much other than a currency.


New Mooltipass Begins Development with Call for Collaborators

One of the most interesting aspects of our modern world is the ability to work collaboratively despite the challenges of geography and time zones. Distributed engineering is a trend which we’ve watched pick up steam over the years. One such example is the Mooltipass offline password keeper which was built by a distributed engineering team from all over the world. The project is back, and this time the goal is to add BLE to the mini version of the hardware. The call for collaborators was just posted on the project page so head over and check out how the collaboration works.

The key to the hardware is the use of a smartcard with proven encryption to store your passwords. Mooltipass is a secure interface between this card and a computer via USB. The new version will be a challenge as it introduces BLE for connectivity with smart phones. To help mitigate security risks, a second microcontroller is added to the existing design to act as a gatekeeper between the secure hardware and the BLE connection.

Mathieu Stephan is the driving force behind the Mooltipass project, which was one of the first projects on Hackaday.io and has been wildly successful in crowd funding and on Tindie. Mathieu and five other team members already have a proof of concept for the hardware. However, more collaborators are needed to help see all aspects of the project — hardware, firmware, and software — through to the end. This is a product, and in addition to building something awesome, the goal is to turn a profit.

How do you reconcile work on an Open Source project with a share of the spoils? Their plan is to log hours spent bringing the new Mooltipass to life and share the revenue using a site like colony.io. This is a tool built on the Ethereum blockchain to track contributions to open projects, assigning tokens that equate to value in the project. It’s an interesting approach and we’re excited to see how it takes shape.

You can catch up on the last few years of the Mooltipass adventure by checking out Mathieu’s talk during the 2017 Hackaday Superconference. If this article has you as excited about distributed engineering as we are, you need to check out the crew that’s building this year’s Open Hardware Summit badge!

This Year, Badges Get Blockchains

This year’s hottest new advance in electronics comes through wearable badges. You can’t have failed to notice another technology that’s getting really hot. It’s the blockchain. What is a blockchain? It’s a linked list where every item in the list contains a cryptographic hash of the previous item in the list. What is a blockchain in English? It’s the most revolutionary technology that’s going to solve every problem on the planet, somehow. It’s the basis for crypto (no, not that one, the other one). The blockchain is how you add more Lamborghinis to your Lamborghini account. Even though we’re still trying to figure out how it solves a single problem, one thing is certain: blockchains solve every problem. We were born too late to explore the Earth, born too early to explore the Universe, but just in time for blockchain.

Independent badges are always looking at the latest technology, and perhaps this was inevitable. It’s a badge built on the blockchain. It’s a wearable sneakernet of mining. It’s a game with collaborative proof of work.

The blockchain badge from [Mr Blinky Bling] is an independent badge for this year’s Defcon, and like most independent badges it’s loaded up with RGB LEDs, microcontrollers, and exquisitely crafted FR4. What makes this badge different is the add-ons, or ‘blocks’ that attach to the main badge through 1/8″ phono jacks. These blocks form the basis of the social game, where two badge holders trade blocks for a while, allow their badges to perform a proof of work on each block, and finally, each block is hashed and the score increased. Yes, this is a blockchain, but it’s more of a block-tree, and it runs on sneakernet instead of the Internet.
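What a badge-scale blockchain looks like in code: the hash-linked list from the definition above, the Merkle root and timestamps that the NIST report discussion refers to, and a proof of work of the kind the badge performs on each block. This is an added Python example, not the badge firmware or either article’s code; the transactions, timestamps and difficulty setting are constructed for the illustration.

```python
"""A toy blockchain: blocks linked by the hash of their predecessor, each
carrying a Merkle root over its transactions, a timestamp and a nonce that
satisfies a simple proof of work.

Added example, not the article's or the badge's code. Transactions,
timestamps and the difficulty setting are constructed for illustration.
"""
import copy
import hashlib
import json
import time

GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(txs) -> str:
    """Merkle root over the transactions; an odd node is paired with itself
    (Bitcoin-style). An empty list hashes to the digest of the empty string."""
    level = [sha256_hex(tx.encode()) for tx in txs] or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


def block_hash(block) -> str:
    """Hash of the header fields only; transactions are committed to via the Merkle root."""
    header = {k: block[k] for k in ("index", "prev_hash", "merkle_root", "timestamp", "nonce")}
    return sha256_hex(json.dumps(header, sort_keys=True).encode())


def mine_block(index, prev_hash, txs, difficulty, timestamp=None):
    """Search for a nonce whose header hash starts with `difficulty` hex zeros."""
    block = {"index": index, "prev_hash": prev_hash, "merkle_root": merkle_root(txs),
             "timestamp": int(time.time()) if timestamp is None else timestamp,
             "nonce": 0, "txs": list(txs)}
    while not block_hash(block).startswith("0" * difficulty):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def build_chain(tx_batches, difficulty=2, start_time=1_500_000_000):
    """Fixed timestamps keep the example reproducible."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = mine_block(i, prev, txs, difficulty, timestamp=start_time + i)
        chain.append(block)
        prev = block["hash"]
    return chain


def validate_chain(chain, difficulty=2):
    """Recheck every link, Merkle root, stored hash, proof of work and timestamp.
    Returns (ok, reason)."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i:
            return False, f"block {i}: bad index"
        if block["prev_hash"] != prev:
            return False, f"block {i}: broken link"
        if merkle_root(block["txs"]) != block["merkle_root"]:
            return False, f"block {i}: transactions altered"
        h = block_hash(block)
        if h != block["hash"]:
            return False, f"block {i}: stored hash mismatch"
        if not h.startswith("0" * difficulty):
            return False, f"block {i}: proof of work not met"
        if i and block["timestamp"] < chain[i - 1]["timestamp"]:
            return False, f"block {i}: timestamp goes backwards"
        prev = h
    return True, "ok"


def tamper(chain, block_index, tx_index, new_tx):
    """Return a copy of the chain with one transaction rewritten (no re-mining)."""
    altered = copy.deepcopy(chain)
    altered[block_index]["txs"][tx_index] = new_tx
    return altered


if __name__ == "__main__":
    chain = build_chain([["alice->bob 5"], ["bob->carol 2", "carol->alice 1"]])
    print(validate_chain(chain))                                   # (True, 'ok')
    print(validate_chain(tamper(chain, 0, 0, "alice->bob 500")))  # transactions altered
```

The point the example makes is the one the definition hides: editing a transaction breaks the Merkle root, re-mining that block to fix the root changes its hash, and that in turn breaks the link from the next block, so a forger has to redo the proof of work for every later block too. The badge’s “block-tree” is the same construction with blocks attached in more than one direction.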

Yes, this does indeed all sound like a joke. Make no mistake, though: this is real. This is a hardware game built on blockchain technology, that some lucky badge holders will be playing at this year’s Defcon. It’s filled with blinky and blockchain. It’s awesome.

[Mr. Blinky Bling] has already started a project for this badge over on hackaday.io, and right now they’re running a Kickstarter campaign for this badge with delivery at Defcon. This is one of the more interesting badges that will be floating around the con this year, and it has blockchain. This really isn’t one to miss.