EARN IT: Privacy, Encryption, And Policing In The Information Age

You may have heard about a new bill working its way through the US congress, the EARN IT act. That’s the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020”. (What does that mean? It means someone really wanted their initials to spell out “EARN IT”.)

EARN IT is a bipartisan bill that claims to be an effort to put a dent in child exploitation online. It’s also managed to catch the attention of the EFF, Schneier, and a variety of news outlets. The overwhelming opinion has been that EARN IT is a terrible idea, will make implementing end-to-end encryption impossible, and violates the First and Fourth Amendments. How does a bill intended to combat child pornography and sex trafficking end up on the EFF bad list? It’s complicated.

Continue reading “EARN IT: Privacy, Encryption, And Policing In The Information Age”

Can Solid Save The Internet?

We ran an article on Solid this week, a project that aims to do nothing less than change the privacy and security aspects of the Internet as we use it today. Sir Tim Berners-Lee, the guy who invented the World Wide Web as a side project at work, is behind it, and it’s got a lot to recommend it. I certainly hope they succeed.

The basic idea is that instead of handing your photos, your content, and your thoughts over to social media and other sharing platforms, you’d store your own personal data in a Personal Online Data (POD) container, and grant revocable access to these companies to access your data on your behalf. It’s like it’s your own website contents, but with an API for sharing parts of it elsewhere.

This is a clever legal hack, because today you give over rights to your data so that Facebook and Co. can display them in your name. This gives them all the bargaining power, and locks you into their service. If instead, you simply gave Facebook a revocable access token, the power dynamic shifts. Today you can migrate your data and delete your Facebook account, but that’s a major hassle that few undertake.

Mike and I were discussing this on this week’s podcast, and we were thinking about the privacy aspects of PODs. In particular, whatever firm you use to socially share your stuff will still be able to snoop you out, map your behavior, and target you with ads and other content, because they see it while it’s in transit. But I failed to put two and two together.

The real power of a common API for sharing your content/data is that it will make it that much easier to switch from one sharing platform to another. This means that you could easily migrate to a system that respects your privacy. If we’re lucky, we’ll see competition in this space. At the same time, storing and hosting the data would be portable as well, hopefully promoting the best practices in the providers. Real competition in where your data lives and how it’s served may well save the Internet. (Or at least we can dream.)

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.

Want this type of article to hit your inbox every Friday morning? You should sign up!

Simulating The Enigma’s Oddball Cousin

Even if you wouldn’t describe yourself as a history buff, you’re likely familiar with the Enigma machine from World War II. This early electromechanical encryption device was used extensively by Nazi Germany to confound Allied attempts to eavesdrop on their communications, and the incredible effort put in by cryptologists such as Alan Turing to crack the coded messages it created before the end of the War has been the inspiration for several books and movies. But did you know that there were actually several offshoots of the “standard” Enigma?

For their entry into the 2019 Hackaday Prize, [Arduino Enigma] is looking to shine a little light on one of these unusual variants, the Enigma Z30. This “Baby Enigma” was intended for situations where only numerical data needed to be encoded. Looking a bit like a mechanical calculator, it dropped the German QWERTZ keyboard, and instead had ten buttons and ten lights numbered 0 through 9. If all you needed to do was send off numerical codes, the Z30 was a (relatively) small and lightweight alternative for the full Enigma machine.

Creating an open source hardware simulator of the Z30 posses a rather unique challenge. While you can’t exactly order the standard Enigma from Digi-Key, there are at least enough surviving examples that they’ve been thoroughly documented. But nobody even knew the Z30 existed until 2004, and even then, it wasn’t until 2015 that a surviving unit was actually discovered in Stockholm.

Of course, [Arduino Enigma] does have some experience with such matters. By modifying the work that was already done for full-scale Enigma simulation on the Arduino, it only took a few hours to design a custom PCB to hold an Arduino Nano, ten buttons with matching LEDs, and of course the hardware necessary for the iconic rotors along the top.

The Z30 simulator looks like it will make a fantastic desk toy and a great way to help visualize how the full-scale Enigma machine worked. With parts for the first prototypes already on order, it shouldn’t be too long before we get our first good look at this very unique historical recreation.

A Different Way To Privately Chat Over Telegram

If you’ve had the need to send secure, private messages in recent times, you might have considered using Telegram. However, using such a service means that, if discovered, it’s well known what manner of encryption you’re using, and there’s a third party involved to boot. [Labunsky] walks a different path, and built a covert channel within Telegram itself.

[Labunsky] likens their process to the process used in the film Seventeen Moments of Spring, in which a flower placed in an apartment windows indicates a spy has failed their mission. In this case, instead of a flower in a window, one user blocks another to signal them. By switching the blocked status on and off, messages can be sent, albeit in a slow and convoluted way.

It’s more of a proof of concept than a practical way to message people over Telegram. With that said, it does work, and it might just keep the security services monitoring your chats confused for a few extra weeks. Or, it would, if we hadn’t written an article about it. Perhaps consider using zero-width characters instead.

Voja Antonic: Designing The Cube

Voja Antonic designed this fantastic retrocomputing badge for Hackaday Belgrade in 2018, and it was so much fun that we wanted to bring it stateside to the Supercon essentially unaltered. And that meant that Voja had some free time to devote to a new hardware giveaway: the Cube. So while his talk at Supercon in November was ostensibly about the badge, he just couldn’t help but tell us about his newer love, and some of the extremely clever features hidden within.

It’s funny how the hardware we design can sometimes reflect so much on the creator. Voja designed then-Yugoslavia’s first widely used home computer (and published the DIY plans in a magazine!). Thousands were built from their kits. The Galaksija was a Z80-based design with a custom BASIC that was just barely squeezed into the available 4K of ROM. So you shouldn’t be shocked that the retro-badge has a working keyboard and a nice BASIC on board.

But let’s jump ahead to the Cube, because that’s even more of a passion project. On the outside, they’re very simple devices, with only a USB port and a sweet diffused LED ring visible. Aesthetic? Minimalistic? Beautiful, honestly.
Continue reading “Voja Antonic: Designing The Cube”

Don’t Toss That Bulb, It Knows Your Password

Whether it was here on Hackaday or elsewhere on the Internet, you’ve surely heard more than a few cautionary tales about the “Internet of Things” by now. As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend the next few hours doubting your recent tech purchases.

In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain-text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulb starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.

Regardless of the manufacturer of the bulb, the process to get one of these devices on your network is more or less the same. An application on your smartphone connects to the bulb and provides it with the network SSID and encryption key. The bulb then disconnects from the phone and reconnects to your home network with the new information. It’s a process that at this point we’re all probably familiar with, and there’s nothing inherently wrong with it.

The trouble comes when the bulb needs to store the connection information it was provided. Rather than obfuscating it in some way, the SSID and encryption key are simply stored in plain-text on the bulb’s WiFi module. Recovering that information is just a process of finding the correct traces on the bulb’s PCB (often there are test points which make this very easy), and dumping the chip’s contents to the computer for analysis.

It’s not uncommon for smart bulbs like these to use the ESP8266 or ESP32, and [Limited Results] found that to be the case here. With the wealth of information and software available for these very popular WiFi modules, dumping the firmware binary was no problem. Once the binary was in hand, a little snooping around with a hex editor was all it took to identify the network login information. The firmware dumps also contained information such as the unique hardware IDs used by the “cloud” platforms the bulbs connect to, and in at least one case, the root certificate and RSA private key were found.

On the plus side, being able to buy cheap smart devices that are running easily hackable modules like the ESP makes it easier for us to create custom firmware for them. Hopefully the community can come up with slightly less suspect software, but really just keeping the things from connecting to anything outside the local network would be a step in the right direction.

(Some days later…)

[Limited Results] had hinted to us that he had previously disclosed some vulnerabilities to the bulb’s maker, but that until they fixed them, he didn’t want to make them public. They’re fixed now, and it appears that the bulbs were sending everything over the network unencrypted — your data, OTA firmware upgrades, everything.  They’re using TLS now, so good job [Limited Results]! If you’re running an old version of their lightbulbs, you might have a look.

On WiFi credentials, we were told: “In the case where sensitive information in the flash memory wasn’t encrypted, the new version will include encrypted storage processing, and the customer will be able to select this version of the security chips, which can effectively avoid future security problems.” Argue about what that actually means in the comments.

Rebuilding The First Vocal Encryption System

Back in the early days of radio, it was quickly apparent that the technology would revolutionize warfare, but only if some way could be found to prevent enemies from hearing what was said. During World War II, the Allies put a considerable amount of effort into securing vocal transmissions, resulting in a system called SIGSALY – 50 tons of gear developed by Bell Laboratories with the help of Alan Turing that successfully secured communications between the likes of Churchill and Roosevelt during the war.

Now, a small piece of the SIGSALY system lives again, in the form of a period-faithful reproduction of the vocal quantizer used in the system. It’s the work of [Jon D. Paul], who undertook the build to better understand how the SIGSALY system worked. [Jon] also wanted to honor the original builders, who developed a surprisingly sophisticated system given the technology of the day.

SIGSALY was seriously Top Secret in the day, and most of the documentation was destroyed when the system was decommissioned. Working from scant information, [Jon] was able to recreate the quantizer from period parts, including five vintage VT-109/2051 thyratrons scrounged from eBay. The vacuum tubes are similar in operation to silicon-controlled rectifiers (SCRs) and form the core of the ADC, along with a resistor divider ladder network. Almost every component is period correct, and everything is housed in a nice acrylic case. It’s a beautiful piece of work and a great homage to a nearly forgotten piece of cryptographic history.

Interestingly, Bell Labs had a bit of a head start on the technology that went into SIGSALY, by virtue of their work on the first voice synthesizer in the 1930s.

Continue reading “Rebuilding The First Vocal Encryption System”