PGP Vulnerability Pre-announced By Security Researcher

From the gaping maw of the infosec Twitterverse comes horrifying news. PGP is broken. How? We don’t know. When will there be any information on this vulnerability? Tomorrow. It’s the most important infosec story of the week, and it’s only Monday. Of course, this vulnerability already has a name. Everyone else is calling it eFail, but I’m calling it Fear, Uncertainty, and Doubt.

Update: eFail site and paper now available. This was released ahead of Tuesday’s planned announcement when the news broke ahead of a press embargo.

Update 2: The report mentions two attacks. The Direct Exfiltration attack wraps the body of a PGP-encrypted email around an image tag. If a mail client automatically decrypts this email, the result will be a request to a URL containing the plaintext of the encrypted email. The second attack only works one-third of the time. Mitigation strategies are to not decrypt email in a client, disable HTML rendering, and in time, update the OpenPGP and S/MIME standards. This is not the end of PGP, it’s a vulnerability warranting attention from those with a very specific use case.

Update 3: Hackaday has published an in-depth explanation of how eFail works which details the scope of the vulnerability.

[Sebastian Schinzel] announced on Twitter today he will be announcing a critical vulnerability in PGP/GPG and S/MIME email encryption. This vulnerability may reveal the plaintext of encrypted emails. There are currently no fixes — but there’s no proof of concept, or any actual publication of this exploit either. The only thing that’s certain: somebody on Twitter said encrypted email is broken.

The EFF has chimed in on this exploit and advises everyone to immediately disable and uninstall tools that automatically decrypt PGP-encrypted email. It also looks like the EFF came up with a great little logo for eFail as well so kudos on that.

While there are no details whatsoever concerning eFail aside from a recommendation to not use PGP, a few members of the community have seen a pre-press of the eFail paper. [Werner Koch] of GnuPG says eFail is simply using HTML as a back channel. If this is true, PGP is still safe; you just shouldn’t use HTML emails. If you really need to read HTML emails, use a proper MIME parser and disallow access to external links. It should be noted that HTML in email is already an attack vector and has been for decades. You don’t need to bring PGP into this.

Should you worry about a vulnerability in PGP and email encryption? Literally no one knows. European security researchers are working on a publication release right now, but other experts in the field who have seen the paper think it’s not a big deal. There is no consensus from experts in the field, and there is no paper available right now. That last point will change in a few hours, but for now eFail just stands for Fear, Uncertainty, and Doubt.

Paramotoring For The Paranoid: Google’s AI And Relationship Mining

My son approached me the other day with his best 17-year-old sales pitch: “Dad, I need a bucket of cash!” Given that I was elbow deep in suds doing the dishes he neglected to do the night before, I mentioned that it was a singularly bad time for him to ask for anything.

Never one to be dissuaded, he plunged ahead with the reason for the funding request. He had stumbled upon a series of YouTube videos about paramotoring, and it was love at first sight for him. He waxed eloquent about how cool it would be to strap a big fan to his back and soar with the birds on a nylon parasail wing. It was actually a pretty good pitch, complete with an exposition on the father-son bonding opportunities paramotoring presented. He kind of reminded me of the twelve-year-old version of myself trying to convince my dad to spend $600 on something called a “TRS-80” that I’d surely perish if I didn’t get.

Needless to say, the $2500 he needed for the opportunity to break his neck was not forthcoming. But what happened the next day kind of blew my mind. As I was reviewing my YouTube feed, there among the [Abom79] and [AvE] videos I normally find in my “Recommended” queue was a video about – paramotoring. Now how did that get there?

Continue reading “Paramotoring For The Paranoid: Google’s AI And Relationship Mining”

Waiting For A Letter? This IoT Mailbox Will Tell You Exactly When It Arrives.

If you’re waiting for a much sought-after letter, checking your mailbox every five minutes can be a roller-coaster of emotion — not to mention time-consuming. If you fall into this trap, Hackaday.io user [CuriosityGym] as whipped up a mailbox that will send off an email once the snail-mail arrives.

The project uses an Arduino Uno, an ESP 8266 wifi module, and an idIoTware shield board — making specific use of its RGB LED and light dependent resistor(LDR). Configuring the RGB LED on the idIoTware board to a steady white light sets the baseline for the LDR, and when a letter is dropped in the box, the change in brightness is registered by the LDR, triggering the Arduino to send off the email.

Continue reading “Waiting For A Letter? This IoT Mailbox Will Tell You Exactly When It Arrives.”

Raspberry Pi, Send Me A Letter

The abundance of small networked boards running Linux — like the Raspberry Pi — is a boon for developers. It is easy enough to put a small cheap computer on the network. The fact that Linux has a lot of software is a double-edged sword. On the one hand, it is a good bet that anything you want to do has been done. On the other hand, some of the solutions are a bit large for a tiny embedded system.

Take, for example, e-mail. Historically, Linux hosts operate as mail transfer agents that can send and receive mail for all their users and possibly even relay mail to others. In today’s world, that’s usually overkill, but the capability is there. It is possible to install big mail transfer agents into a Raspberry Pi. The question is: should you?

What Do You Want?

The answer, of course, depends on what you want to do. If you have a dedicated board sending out text and maybe even files using an external mail server (like, say, Gmail), then the answer is no. You don’t need a piece of software listening for incoming connections, sorting through multiple users, and so on.

Luckily, there are some simple solutions if you know how to set up and configure them. The key is to avoid the big mail programs that do everything you don’t need.

Mail Front Ends

Let’s tackle sending mail first. If you try to grab the mailutils package, you’ll see it drags along a lot of stuff including mysql. Keep in mind, none of this will actually send mail. It just gives you some tools to get mail ready to send.

Luckily, the bsd-mailx package has a lot less overhead and will do the job. Look at the man page to see what options you have with mailx; you can do things like attach files, set a subject, and specify addresses.

It is a little difficult to set up for Gmail, though, thanks to Google’s security. You’ll need the certutil tool from the libnss3-tools package. You’ll need to create a certificate store, import Google’s certificate, and then set up a lot of options to mailx. I don’t suggest it. If you insist, though, you can find directions on the Web.

SSMTP

By default, programs like mailx and other Linux mail commands rely on a backend (often sendmail). Not only does that drag around too much overhead, it is also a full mail system, sending and receiving and relaying–overkill for our little Pi computers.

Luckily, SSMTP is available which only sends mail and is relatively lightweight. You need a configuration file to point it to your mail server. For Gmail, it would look like this:

#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=postmaster

# The place where the mail goes. The actual machine name is required no 
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587

# Where will the mail seem to come from?
rewriteDomain=yourdomain.com

# The full hostname
hostname=yourhostname
AuthUser=YourGmailUserID
AuthPass=YourGmailPassword
UseTLS=Yes
UseSTARTTLS=YES
# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES

You can use a mail agent like mailx or you can just use ssmtp directly:

ssmtp someone@somewhere.com

Enter a message on the standard input and end it with a Control+D (standard end of file for Linux).

Google Authentication

There’s only one catch. If you are using Gmail, you’ll find that Google wants you to use stronger authentication. If you are using two-factor (that is, Google Authenticator), this isn’t going to work at all. You’ll need to generate an app password. Even if you aren’t, you will probably need to relax Google’s fear of spammers on your account. You need to turn on the “Access for less secure apps” setting. If you don’t want to do this on your primary e-mail account, considering making an account that you only use for sending data from the Pi.

Sending Files

Depending on the mail software you use, there are a few ways you can attach a file. However, the mpack program makes it very easy:

mpack -a -s 'Data File' datafile.csv me@hackaday.com

The above command will send datafile.csv as an attachment with the subject “Data File.” Pretty simple.

Receiving Mail

What if you want to reverse the process and receive mail on the Pi? There is a program called fetchmail that can grab e-mails from an IMAP or POP3 server. It is possible to make it only read the first unread message and send it to a script or program of your choosing.

You have to build a configuration file (or use the fetchmailconf program to build it). For example, here’s a simple .fetchmailrc file:

poll imap.gmail.com
protocol IMAP
user "user@gmail.com" with password "yourpassword" mda "/home/pi/mailscript.sh"
folder 'INBOX'
fetchlimit 1
keep
ssl

You can leave the “keep” line out if you don’t mind fetchmail deleting the mail after processing. The file should be in your home directory (unless you specify with the -f option) and it needs to not be readable and writable by other users (e.g., chmod 600 .fetchmailrc). According to the fetchmail FAQ, there are some issues with Gmail, so you might want to consider some of the suggestions provided. However, for simple tasks like this, you should be able to work it all out.

In particular, the mailscript.sh file is where you can process the e-mail. You might, for example, look for certain keyword commands and take some action (perhaps replying using ssmtp).

Special Delivery

You might not think of the Raspberry Pi as an e-mail machine. However, the fact that it is a pretty vanilla Linux setup means you can use all sorts of interesting tools meant for bigger computers. You just have to know they exist.

How To Keep An Unruly Dryer In Line

If necessity is the mother of invention, then inconvenience is its frustrating co-conspirator. Faced with a finicky dryer that would shut down mid-cycle with a barely audible beep if its load was uneven (leaving a soggy mass of laundry), [the0ry] decided to add the dryer to the Internet of Things so it could send them an email whenever it shut itself down.

After opening a thinger.io account, adding the soon-to-be device, and setting up the email notification process, [the0ry] combined the ESP8266 Development Board, a photosensitive resistor, and a 5V power supply on a mini breadboard. All that was left was to mount it on the dryer and direct the LDR (light-dependent resistor) to the machine’s door lock LED to trigger an email when it turned off — indicating the cycle had finished or terminated prematurely. A little tape ensured the LDR would only be tripped by the desired light source.

If you’re an apartment-dweller have WiFi in the wash area it would be awesome to see a battery-powered version you take with you. But in general this is a great hardware blueprint as many device have status LEDs that can be monitored in a similar way. If you want to keep the server in-house (literally in this case) check out the Minimal MQTT series [Elliot Williams] recently finished up. It uses a Raspberry Pi as the center server and an ESP8266 is one of the limitless examples of hardware that plays nicely with the protocol.

We love seeing hacks like this because not only does it conserve water and energy by reducing instances of rewashing, but it’s also a clever way to extend the life of an appliance and potentially save hundreds of dollars in replacing it. Add this to the bevvy of hacks that add convenience to one’s home — some of which produce delicious results.

Old Kindle Upcycled To Emailable Fridge Messageboard

We’ve all got a pile of old devices lying around somewhere that are waiting to be torn down for parts, or turned into something useful. [Peter Voljek] decided to do the latter with an old Kindle eBook reader, turning it into a neat message board that can be stuck onto a fridge. With the addition of some server-side Ruby code, you can send messages to this by email, and it automatically displays the last message received. Throw on some magnetic sticky tape and you have a neat fridge door noticeboard.

[Peter] runs his Ruby web server on a Raspberry Pi, but it should run on any platform that supports Ruby, so you could run it on a NAS device, or pretty much anything that has a web server built in. The Kindle side of the hack exploits some secret commands to disable the screensaver, then uses AJAX and JavaScript to automatically refresh the webpage the RPi is serving.

Hey, why not combine this with the Kindle weather station hack to create a noticeboard that tells you what you need from the store, and reminds you why you shouldn’t leave the house at the same time?

IP Tracker

An Arduino Device That Monitors Your External IP Address

[Bayres’] dad setup a webcam as a surveillance camera for a remote property. The only problem was that the only stable Internet connection they could get at this property was DSL. This meant that the external IP address of the webcam would change somewhat often; the needed a way to keep track of the external IP address whenever it changed. That’s when [Bayres] built a solution using Arduino and an Ethernet shield.

The main function of this device is to monitor the public IP address and report any changes. This is accomplished by first making a request to checkip.dyndns.org. This website simply reports your current public IP address. [Bayres] uses an Arduino library called Textfinder in order to search through the returned string and identify the IP address.

From there, the program compares this current value to the previous one. If there is any change, the program uses the Sendmail() function to reach out to an SMTP server and send an e-mail alert to [Beyres’] dad. The system also includes a small LCD. The Arduino outputs the current IP address to this display, making it easy to check up on the connection. The LCD is driven by 74HC595 shift register in order to conserve pins on the Arduino.

The system is also designed with a pretty slick setup interface. When it is booted, the user can enter a configuration menu via a Serial terminal. This setup menu allows the user to configure options such as SMTP server, email address, etc. These variables are then edited and can be committed to EEPROM as a more permanent storage solution. Whenever the system is booted, these values are read back out of the EEPROM and returned to their appropriate variables. This means you can reconfigure the device on the fly without having to edit the source code and re-upload.