Research: It’s Like Cheating, But Fair

My niece’s two favorite classes in high school this year are “Intro to AI” and “Ethical Hacking”. (She goes to a much cooler high school than I did!) In “Hacking”, she had an assignment to figure out some bug in some body of code. She was staring and staring, figuring and figuring. She went to her teacher and said she couldn’t figure it out, and he asked her if she’d tried to search for the right keywords on the Internet.

My niece responded “this is homework, and that’d be cheating”, a line she surely must have learned in her previous not-so-cool high school. When the teacher responded with “but doing research is how you learn to do stuff”, my niece was hooked. The class wasn’t abstract or academic any more; it became real. No arbitrary rules. Game on!

But I know how she feels. Whether it’s stubborn independence, or a feeling that I’m cheating, I sometimes don’t do my research first. But attend any hacker talk, where they talk about how they broke some obscure system or pulled off an epic trick. What is the first step? “I looked all over the Internet for the datasheet.” (Video) “I found the SDK and that made it possible.” (Video) “Would you believe this protocol is already documented?” In any serious hack, there’s always ample room for your creativity and curiosity later on. If others have laid the groundwork for you, get on it.

If you have trouble overcoming your pride, or NIH syndrome, or whatever, bear this in mind: the reason we share information with other hackers is to give them a leg up. Whoever documented that protocol did it to help you. Not only is there no shame in cribbing from them, you’re essentially morally obliged to do so. And to say thanks along the way!

Eavesdropping By LED

If you ever get the feeling someone is watching you, maybe they are listening, too. At least they might be listening to what’s coming over your computer speakers thanks to a new attack called “glow worm.” In this novel attack, careful observations of a power LED on a speaker allowed an attacker to reproduce the sound playing thanks to virtually imperceptible fluctuations in the LED brightness, most likely due to the speaker’s power line sagging and recovering.

You might think that if you could see the LED, you could just hear the output of the speaker, but a telescope through a window 100 feet away appears to be sufficient. You can imagine that from a distance across a noisy office you might be able to pull the same trick. We don’t know — but we suspect — even if headphones were plugged into the speakers, the LED would still modulate the audio. Any device supplying power to the speakers is a potential source of a leak.

Continue reading “Eavesdropping By LED”

Hackaday Links Column Banner

Hackaday Links: March 8, 2020

A lot of annoying little hacks are needed to keep our integer-based calendar in sync with a floating-point universe, and the big one, leap day, passed us by this week. Aside from the ignominy of adding a day to what’s already the worst month of the year, leap day has a tendency to call out programmers who take shortcuts with their code. Matt Johnson-Pint has compiled a list of 2020 leap day bugs that cropped up, ranging from cell phones showing the wrong date on February 29 to an automated streetlight system in Denmark going wonky for the day. The highest-profile issue may have been system crashes of Robinhood, the online stock trading platform. Robinhood disagrees that the issues were caused by leap day code issues, saying that it was a simple case of too many users and not enough servers. That seems likely given last week’s coronavirus-fueled trading frenzy, but let’s see what happens in 2024.

Speaking of annoying time hacks, by the time US readers see this, we will have switched to Daylight Saving Time. Aside from costing everyone a precious hour of sleep, the semiannual clock switch always seems to set off debates about the need for Daylight Saving Time. Psychologists think it’s bad for us, and it has elicited a few bugs over the years. What will this year’s switch hold? Given the way 2020 has been going so far, you’d better buckle up.
Continue reading “Hackaday Links: March 8, 2020”

Sonoff Postmortem Finds Bugs, Literally

While nobody is exactly sure on the exact etymology of the term, Thomas Edison mentioned some of his inventions being riddled with “bugs” in a letter he wrote all the way back to 1878. In the context of computers, any loyal Hackaday reader should know Grace Hopper’s infamous account of a moth being caught in an early electromechanical computer’s relays. To this┬ápantheon of troublesome insects, we would humbly summit the story of a Sonoff TH16 switch being destroyed by a lowly ant.

According to [CNX Software], the Sonoff TH16 had been working perfectly for a year and a half before the first signs of trouble. One day the switch wouldn’t respond to commands, and a power cycle didn’t seem to clear the issue. Upon opening up the device to see what had gone amiss, it was clearly apparent something had burned up. But upon closer inspection, it wasn’t a fault with the design or even a shoddy component. It was the product of an overly curious ant who got a lot more than he bargained for.

Consulting the wiring diagram of the Sonoff, it appears this poor ant had the terrible misfortune of touching the pins of a through hole capacitor on the opposite side of the board. Bridging this connection not only gave him a lethal jolt, but apparently caused enough current to surge through a nearby resistor that it went up in smoke.

Now, some might wonder (reasonably so) about the conditions in which this switch was operating. If bugs could climb into it, it’s not unreasonable to assume it wasn’t well protected from the elements. Perhaps damp conditions were to blame for the failure, and the image of the ant “riding the lighting” is nothing more than a coincidence. Maybe. But sometimes you just gotta believe.

Incidentally, if you’d like to learn more about the woman who helped secure “bugs” in the IT lexicon, here’s a good place to start.

Ed Note: If you think you’re having deja vu all over again, we did point to this story in the Sunday Links roundup, but the graphics are just so good we couldn’t resist running it in full.

Learn Programming From Ants

Humans and insects think on a different scale, but entomologists study the behavior of these little organisms, so they’re not a complete mystery. There isn’t much intelligence in a single ant or a cubic millimeter of gray matter, but when they all start acting together, you get something greater than the sum of the parts. It is easy to fall into the trap of putting all the intelligence or programming into a single box since that’s how we function. Comparatively, itty-bitty brains, like microcontrollers and single-board computers are inexpensive and plentiful. Enter swarm mentality, and new tasks become possible.

[Kevin Hartnett] talks about a paper researching the simple rules which govern army ants who use their bodies as bridges when confronted with a gap in their path. Anyone with a ruler and a map can decide the shortest route between two places, but army ants perform this optimization from the ground, real-time, and with only a few neurons at their disposal. Two simple rules control bridge building behavior, and that might leave some space in the memory banks of some swarm robots.

A simpler example of swarm mentality could be robots which drive forward anytime they sense infrared waves from above. In this way, anyone watching the swarm could observe when an infrared light was present and where it was directed. You could do the same with inexpensive solar-powered toy cars, but we can already see visible light.

We’re not saying ants should be recruited to control robots, but we’re not objecting to the humane treatment of cyborg bugs either. We’ve been looking into swarm robots for a long time.

Thanks for the tip, [JRD].

Continue reading “Learn Programming From Ants”

Microsoft Bug Tracking Hacked

It seems that the database containing descriptions of critical and unfixed bugs and/or vulnerabilities in some of the most widely used software in the world, including the Windows operating system, was hacked back in 2013. This database is basically gold for any security researcher, regardless of the color of their hat. To know which programs fail and the preconditions for that to happen is half an exploit right there.

Microsoft discovered the database breach in early 2013 after the highly skilled hacking group Morpho a.k.a. Butterfly a.k.a. Wild Neutron broke into computers at a number of major tech companies, including Apple, Facebook, and Twitter. The group exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then use them as pivots into the company internal network.

Official sources say that the Microsoft bug database was poorly protected, with access possible via little more than a password. Four years later, we have official confirmation that it happened. To measure the breach impact, Microsoft started a study to correlate the potential flaws in their databases and subsequent attacks. The study found that the flaws in the stolen database were actually used in cyber attacks, but Microsoft argued the hackers could have obtained the information elsewhere, and that there’s “no evidence that the stolen information had been used in those breaches.”

There is really no way to know besides asking the actual hacking group, which will most likely not happen… unless they are HaD readers, in this case they can feel free to comment.

[via Reuters]

Spy Tech: Nonlinear Junction Detectors

If you ever watch a spy movie, you’ve doubtlessly seen some nameless tech character sweep a room for bugs using some kind of detector and either declare it clean or find the hidden microphone in the lamp. Of course, as a hacker, you have to start thinking about how that would work. If you had a bug that transmits all the time, that’s easy. The lamp probably shouldn’t be emitting RF energy all the time, so that’s easy to detect and a dead give away. But what if the bug were more sophisticated? Maybe it wakes up every hour and beams its data home. Or perhaps it records to memory and doesn’t transmit anything. What then?

High-end bug detectors have another technique they use that claims to be able to find active device junctions. These are called Nonlinear Junction Detectors (NLJD). Spy agencies in the United States, Russian and China have been known to use them and prisons employ them to find cell phones. Their claim to fame is the device doesn’t have to be turned on for detection to occur. You can see a video of a commercial NLJD, below

Continue reading “Spy Tech: Nonlinear Junction Detectors”