There is a scenario that keep security gurus up at night: Malware that can detect software compilation and insert itself into the resulting binary. A new Mac malware, XCSSET (PDF), does just that, running whenever Xcode is used to build an application. Not only is there the danger of compiled apps being malicious, the malware also collects data from the developer’s machine. It seems that the malware spreads through infected Xcode projects.
WordPress has a complicated security track record. The core project has had very few serious vulnerabilities over the years. On the other hand, WordPress sites are routinely compromised. How? Generally through vulnerable plugins. Case in point? Advanced Access Manager. It’s a third party WordPress plugin with an estimate 100,000 installations. The problem is that this plugin requires user levels, a deprecated and removed WordPress feature. The missing feature had some unexpected results, like allowing any user to request administrator privileges.
When you’re a nation state, secure communications are key to protecting your sovereignty and keeping your best laid plans under wraps. For the USA, this requirement led to the development of a series of secure telephony networks over the years. John McMaster found himself interested in investigating the workings of the STU-III secure telephone, and set out to replicate the secure keys used with this system.
[John] had a particular affinity for the STU-III for its method of encrypting phone calls. A physical device known as a Crypto Ignition Key had to be inserted into the telephone, and turned with a satisfying clunk to enable encryption. This physical key contains digital encryption keys that, in combination with those in the telephone, are used to encrypt the call. The tactile interface gives very clear feedback to the user about securing the communication channel. Wishing to learn more, John began to research the system further and attempted to source some hardware to tinker with.
As John explains in his Hackaday Superconference talk embeded below, he was able to source a civilian-model STU-III handset but the keys proved difficult to find. As carriers of encryption keys, it’s likely that most were destroyed as per security protocol when reaching their expiry date. However, after laying his hands on a broken key, he was able to create a CAD model and produce a mechanically compatible prototype that would fit in the slot and turn correctly.
Bitcoin’s great, if you sold at the end of 2017. If you’re still holding, your opinion might be a little more sour. The cost to compete in the great hashing race continues to rise while cryptocurrency values remain underwhelming. While getting involved at the top end is prohibitively expensive, you can still have some fun with the basic concepts – as [Jake] did, by calculating Bitcoin hashes on the ESP32.
It’s a project that is very much done for fun, rather than profit. [Jake] notes that even maxing out both cores, it would take 31 billion years to mine one block at current difficulty levels. Regardless, the underlying maths is nothing too crazy. Double-hashing the right data with the SHA256 algorithm is all that’s required, a task that is well within the ESP32’s capabilities. There’s hardware acceleration available, too – though this is weirdly slower than doing it in software.
Back in the early days of radio, it was quickly apparent that the technology would revolutionize warfare, but only if some way could be found to prevent enemies from hearing what was said. During World War II, the Allies put a considerable amount of effort into securing vocal transmissions, resulting in a system called SIGSALY – 50 tons of gear developed by Bell Laboratories with the help of Alan Turing that successfully secured communications between the likes of Churchill and Roosevelt during the war.
Now, a small piece of the SIGSALY system lives again, in the form of a period-faithful reproduction of the vocal quantizer used in the system. It’s the work of [Jon D. Paul], who undertook the build to better understand how the SIGSALY system worked. [Jon] also wanted to honor the original builders, who developed a surprisingly sophisticated system given the technology of the day.
SIGSALY was seriously Top Secret in the day, and most of the documentation was destroyed when the system was decommissioned. Working from scant information, [Jon] was able to recreate the quantizer from period parts, including five vintage VT-109/2051 thyratrons scrounged from eBay. The vacuum tubes are similar in operation to silicon-controlled rectifiers (SCRs) and form the core of the ADC, along with a resistor divider ladder network. Almost every component is period correct, and everything is housed in a nice acrylic case. It’s a beautiful piece of work and a great homage to a nearly forgotten piece of cryptographic history.
Interestingly, Bell Labs had a bit of a head start on the technology that went into SIGSALY, by virtue of their work on the first voice synthesizer in the 1930s.
Imagine you’re a general, camped outside a fortified city with your army. Your army isn’t strong enough to take the city without help. But you do have help: camped on other hills outside this city are a half dozen more generals, with their armies ready to attack. Attacking one army at a time will fail; taking this city will require at least three or four armies, and an uncoordinated attack will leave thousands dead outside the city gates. How do you coordinate an attack with the other generals? Now, how do you coordinate your attack if one of those other generals is Benedict Arnold? What happens when one of the generals is working with the enemy?
This situation is a slight rephrasing of the Byzantine Generals Problem, first presented in the ACM Transactions on Programming Languages and Systems in 1982. It’s related to the Two Generals Problem formulated a decade prior. These are the analogies we use when we talk about trust over a communications channel, how hard it is to transmit knowledge, and how to form a consensus around imperfect facts.
This problem was upended in late 2008 when Satoshi Nakamoto, a person or group of people, published a white paper on the ‘block chain’. This was the solution to double-spending in digital currency. Think of it as having a digital thing that only one person could own. As a test of this block chain technology, Bitcoin was launched at the beginning of 2009. Things got more annoying from there.
Now, blockchain is at the top of the hype cycle. Every industry is looking at blockchain tech to figure out how it will work for them. Kodak launched their own blockchain, there are proposals to use the blockchain in drones and 3D printers. Medical records could be stored on the blockchain, HIPAA be damned, and there’s a blockchain phone, for reasons. This doesn’t even cover the massive amount of speculation in Bitcoin itself; thousands of other cryptocurrencies have also sprung up, and people are losing money.
The blockchain is a confusing thing, with hashes and Merkle trees and timestamps. Everyone is left asking themselves, what does the blockchain actually do? Is there an independent body out there that will tell me what the blockchain is good for, and when I should use it? You’re in luck: NIST, the National Institute of Standards and Technology released their report on blockchain technology (PDF). Is blockchain magic? No, no it is not, and it probably shouldn’t be used for anything other than a currency.
[XenonJohn] dabbles in cryptocurrency trading, and when he saw an opportunity to buy an RGB color sensor, his immediate thought — which he admitted to us would probably not be the immediate thought of most normal people — was that he could point it to his laptop screen and have it analyze the ratio of green (buy) orders to red (sell) orders being made for crypto trading. In theory, if at a given moment there are more people looking to buy than there are people looking to sell, the value of a commodity could be expected to go up slightly in the short-term. The reverse is true if a lot of sell orders coming in relative to buy orders. Having this information and possibly acting on it could be useful, but then again it might not. Either way, as far as out-of-left-field project ideas go, promoting an RGB color sensor to Cryptocurrency Trading Advisor is a pretty good one.
Since the RGB sensor only sees what is directly in front of it, [XenonJohn] assembled a sort of simple light guide. By enclosing the area of the screen that contains orders in foil-lined cardboard, the sensor can get a general approximation of the amount of red (sell orders) versus green (buy orders). The data gets read by an Arduino which does a simple analysis and sends alerts when a threshold is crossed. He dubbed it the Crypto-Eye, and a video demo is embedded below.
This year’s hottest new advance in electronics comes through wearable badges. You can’t have failed to notice another technology that’s getting really hot. It’s the blockchain. What is a blockchain? It’s a linked list where every item in the list contains a cryptographic hash of the previous item in the list. What is a blockchain in English? It’s the most revolutionary technology that’s going to solve every problem on the planet, somehow. It’s the basis for crypto (no not that one, the other one). The blockchain is how you add more Lamborghinis to your Lamborghini account. Even though we’re still trying to figure out how it solves a single problem, one thing is certain: blockchains solve every problem. We were born too late to explore the Earth, born too early to explore the Universe, but just in time for blockchain.
Independent badges are always looking at the latest technology, and perhaps this was inevitable. It’s a badge built on the blockchain. It’s a wearable sneakernet of mining. It’s a game with collaborative proof of work.
The blockchain badge from [Mr Blinky Bling] is an independent badge for this year’s Defcon, and like most independent badges it’s loaded up with RGB LEDs, microcontrollers, and exquisitely crafted FR4. What makes this badge different is the add-ons, or ‘blocks’ that attach to the main badge through 1/8″ phono jacks. These blocks form the basis of the social game, where two badge holders trade blocks for a while, allow their badges to perform a proof of work on each block, and finally, each block is hashed and the score increased. Yes, this is a blockchain, but it’s more of a block-tree, and it runs on sneakernet instead of the Internet.
Yes, this does indeed all sound like a joke. Make no mistake, though: this is real. This is a hardware game built on blockchain technology, that some lucky badge holders will be playing at this year’s Defcon. It’s filled with blinky and blockchain. It’s awesome.
[Mr. Blinky Bling] has already started a project for this badge over on hackaday.io, and right now they’re running a Kickstarter campaign for this badge with delivery at Defcon. This is one of the more interesting badges that will be floating around the con this year, and it has blockchain. This really isn’t one to miss.