Distorted Text Says A Lot

Getting bounced to a website by scanning a QR code is no longer an exciting feat of technology, but what if you scanned the ingredient list on your granola bar and it went to the company’s page for that specific flavor, sans the matrix code?

Bright minds at the Columbia University in the City of New York have “perturbed” ordinary font characters so the average human eye won’t pick up the changes. Even ordinary OCR won’t miss a beat when it looks at a passage with a hidden message. After all, these “perturbed” glyphs are like a perfectly legible character viewed through a drop of water. When a camera is looking for these secret messages, those minor tweaks speak volumes.

The system is diabolically simple. Each character can be distorted according to an algorithm and a second variable. Changing that second variable is like twisting a distorted lens, or a water drop but the afterimage can be decoded and the variable extracted. This kind of encoding can survive a trip to the printer, unlike a purely digital hidden message.

Hidden messages like these are not limited to passing notes, metadata can be attached to any text and extracted when necessary. Literature could include notes without taking up page space so teachers could include helpful notes and a cell phone could be like an x-ray machine to see what the teacher wants to show. For example, you could define what “crypto” actually means.

Continue reading “Distorted Text Says A Lot”

What Does ‘Crypto’ Actually Mean?

This article is about crypto. It’s in the title, and the first sentence, yet the topic still remains hidden.

At Hackaday, we are deeply concerned with language. Part of this is the fact that we are a purely text-based publication, yes, but a better reason is right there in the masthead. This is Hackaday, and for more than a decade, we have countered to the notion that ‘hackers’ are only bad actors. We have railed against co-opted language for our entire existence, and our more successful stories are entirely about the use and abuse of language.

Part of this is due to the nature of the Internet. Pedantry is an acceptable substitute for wisdom, it seems, and choosing the right word isn’t just a matter of semantics — it’s a compiler error. The wrong word shuts down all discussion. Use the phrase, ‘fused deposition modeling’ when describing a filament-based 3D printer, and some will inevitably reach for their pitchforks and torches; the correct phrase is, ‘fused filament fabrication’, the term preferred by the RepRap community because it is legally unencumbered by patents. That’s actually a neat tidbit, but the phrase describing a technology is covered by a trademark, and not by a patent.

The technical side of the Internet, or at least the subpopulation concerned about backdoors, 0-days, and commitments to hodl, is now at a semantic crossroads. ‘Crypto’ is starting to mean ‘cryptocurrency’. The netsec and technology-minded populations of the Internet are now deeply concerned over language. Cryptocurrency enthusiasts have usurped the word ‘crypto’, and the folks that were hacking around with DES thirty years ago aren’t happy. A DH key exchange has nothing to do with virtual cats bought with Etherium, and there’s no way anyone losing money to ICO scams could come up with an encryption protocol as elegant as ROT-13.

But language changes. Now, cryptographers are dealing with the same problem hackers had in the 90s, and this time there’s nothing as cool as rollerblading into the Gibson to fall back on. Does ‘crypto’ mean ‘cryptography’, or does ‘crypto’ mean cryptocurrency? If frequency of usage determines the correct definition, a quick perusal of the press releases in my email quickly reveals a winner. It’s cryptocurrency by a mile. However, cryptography has been around much, much longer than cryptocurrency. What’s the right definition of ‘crypto’? Does it mean cryptography, or does it mean cryptocurrency?

Continue reading “What Does ‘Crypto’ Actually Mean?”

Hackaday Links: April 22, 2018

Eagle 9 is out. Autodesk is really ramping up the updates to Eagle, so much so it’s becoming annoying. What are the cool bits this time? Busses have been improved, which is great because I’ve rarely seen anyone use busses in Eagle. There’s a new pin breakout thingy that automagically puts green lines on your pins. The smash command has been overhauled and now moving part names and values is somewhat automatic. While these sound like small updates, Autodesk is doing a lot of work here that should have been done a decade ago. It’s great.

Crypto! Bitcoin is climbing up to $9,000 again, so everyone is all-in on their crypto holdings. Here’s an Arduino bitcoin miner. Stats of note: 150 hashes/second for the assembly version, and at this rate you would need 10 billion AVRs to mine a dollar a day. This array of Arduinos would need 2 Gigawatts, and you would be running a loss of about $10 Million per day (minus that one dollar you made).

Are you going to be at Hamvention? Hamvention is the largest amateur radio meetup in the Americas, and this year is going to be no different. Unfortunately, I’ll be dodging cupcake cars that weekend, but there is something of note: a ‘major broadcaster’ is looking for vendors for a ‘vintage tech’ television series. This looks like a Canadian documentary, which adds a little bit of respectability to this bit of reality television (no, really, the film board of Canada is great). They’re looking for weird or wacky pieces of tech, and items that look unique, strange, or spark curiosity. Set your expectations low for this documentary, though; I think we’re all several orders of magnitude more nerd than what would be interesting to a production assistant. ‘Yeah, before there were pushbutton phones, they all had dials… No, they were all attached to the wall…”

The new hotness on Sparkfun is a blinky badge. What we have here is a PCB, coin cell holder, color changing LED, and a pin clasp. It’s really not that different from the Tindie Blinky LED Badge. There is, however, one remarkable difference: the PCB is multicolored. The flowing unicorn locks are brilliant shades of green, blue, yellow, pink, purple, and red. How did they do it? We know full-color PCBs are possible, but this doesn’t look like it’s using a UV printer. Pad printing is another option, but it doesn’t look like that, either. I have no idea how the unicorn is this colorful. Thoughts?

Defcon is canceled, but there’s still a call for demo labs. They’re looking for hackers to show off what they’ve been working on, and to coax attendees into giving feedback on their projects.

Sparkfun’s Alternate Reality Hardware

SparkFun has a new wing of hardware mischief. It’s SparkX, the brainchild of SparkFun’s founder [Nate Seidle]. Over the past few months, SparkX has released breakout boards for weird sensors, and built a safe cracking robot that got all the hacker cred at DEF CON. Now, SparkX is going off on an even weirder tangent: they have released The Prototype. That’s actually the name of the product. What is it? It’s a HARP, a hardware alternate reality game. It’s gaming, puzzlecraft, and crypto all wrapped up in a weird electronic board.

The product page for The Prototype is exactly as illuminating as you would expect for a piece of puzzle electronics. There is literally zero information on the product page, but from the one clear picture, we can see a few bits and bobs that might be relevant. The Prototype features a microSD card socket, an LED that might be a WS2812, a DIP-8 socket, a USB port, what could be a power switch, a PCB antenna, and a strange black cylinder. Mysteries abound. There is good news: the only thing you need to decrypt The Prototype is a computer and an open mind. We’re assuming that means a serial terminal.

The Prototype hasn’t been out for long, and very few people have one in hand. That said, the idea of a piece of hardware sold as a puzzle is something we haven’t seen outside of conference badges. The more relaxed distribution of The Prototype is rather appealing, and we’re looking forward to a few communities popping up around HARP games.

Friday Hack Chat: Crypto Challenge

It’s the middle of August, and that means all the hackers are back from DEF CON, safe in their hoodies, with memories of smoke-filled casinos, interesting talks, and, most importantly, crypto challenges.

This year was an ‘off’ year for DEF CON. There was an official badge, but it wasn’t electronic (which no one expected), and there was no crypto challenge (which no one saw coming). Nevertheless, there was already a vibrant community of badge builders, and the crypto nerds of DEF CON were satisfied by PCB locks from the Crypto and Privacy village, Benders, and Darknet phone dials this year.

How were these crypto challenges constructed? That’s the subject of this week’s Hack Chat. This Friday, we’re going to be sitting down with a member of DEF CON’s Crypto and Privacy village on how these curious codes are constructed, how a winner is determined, and the techniques used to solve these challenges.

This week, we’ll be talking about how crypto challenges actually work, how to put crypto in firmware, on laser-engraved acrylic plates, and in silkscreen on a PCB. We’ll be talking about how crypto challenges are created, and how you solve them. Special attention will be paid to testing a crypto challenge; that is, how do you make sure it’s solvable when you already know how to solve it?

Although this Hack Chat is only going to last an hour, there’s no possible way we could cover all the tips, tricks, and techniques of creating a crypto challenge in that time. If you’d like some further reading, [L0sT] showed up at our 10th anniversary party to tell us he created the puzzles for DEF CON over the last few years.

Here’s How To Take Part:

join-hack-chatOur Hack Chats are live community events on the Hackaday.io Hack Chat group messaging. This Hack Chat will take place at noon Pacific time on Friday, August 11th. Don’t know when the Earth’s sun will be directly overhead? Here’s a time and date converter!

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

NIST Helps You With Cryptography

Getting cryptography right isn’t easy, and it’s a lot worse on constrained devices like microcontrollers. RAM is usually the bottleneck — you will smash your stack computing a SHA-2 hash on an AVR — but other resources like computing power and flash code storage space are also at a premium. Trimming down a standard algorithm to work within these constraints opens up the Pandora’s box of implementation-specific flaws.

NIST stepped up to the plate, starting a lightweight cryptography project in 2013 which has now come out with a first report, and here it is as a PDF. The project is ongoing, so don’t expect a how-to guide. Indeed, most of the report is a description of the problems with crypto on small devices. Given the state of IoT security, just defining the problem is a huge contribution.

Still, there are some concrete recommendations. Here are some spoilers. For encryption, they recommend a trimmed-down version of AES-128, which is a well-tested block cipher on the big machines. For message authentication, they’re happy with Galois/Counter Mode and AES-128.

I was most interested in hashing, and came away disappointed; the conclusion is that the SHA-2 and SHA-3 families simply require too much state (and RAM) and they make no recommendation, leaving you to pick among less-known functions: check out PHOTON or SPONGENT, and they’re still being actively researched.

If you think small-device security is easy, read through the 22-question checklist that starts on page twelve. And if you’re looking for a good starting point to read up on the state of the art, the bibliography is extensive.

Your tax dollars at work. Thanks, NIST!

And thanks [acs] for the tip!

Hackaday Prize Entry: Secure Storage On SD Cards

Here’s a puzzler for you: how do you securely send data from one airgapped computer to another? Sending it over a network is right out, because that’s the entire point of an airgap. A sneakernet is inherently insecure, and you shouldn’t overestimate the security of a station wagon filled with tapes. For his Hackaday Prize entry, [Nick Sayer] has a possible solution. It’s the Sankara Stones from Indiana Jones and the Temple of Doom, or a USB card reader that requires two cards. Either way, it’s an interesting experiment in physical security for data.

The idea behind the Orthrus, a secure RAID USB storage device for two SD cards, is to pair two SD cards. With both cards, you can read and write to this RAID drive without restriction. With only one, the data is irretrievable so they are safe during transit if shipped separately.

The design for this device is based around the ATXMega32A4U. It’s pretty much what you would expect from an ATMega, but this has a built-in full speed USB interface and hardware AES support. The USB is great for presenting two SD cards as a single drive, and the AES port is used to encrypt the data with a key that is stored in a key storage block on each card.

For the intended use case, it’s a good design. You can only get the data off of these SD cards if you have both of them. However, [Nick] is well aware of Schneier’s Law — anyone can design a cryptosystem that they themselves can’t break. That’s why he’s looking for volunteers to crack the Orthrus. It’s an interesting challenge, and one we’d love to see broken.