Netscape Communicator And SHA-1 Written Into Brexit Agreement

We pity the civil servants involved in the negotiations between the European Union and the United Kingdom, because after tense meetings until almost the Eleventh Hour, they’ve had to cobble together the text of a post-Brexit trade agreement in next-to-no time. In the usual manner of such international agreements both sides are claiming some kind of victory over fish, but the really interesting parts of the document lie in the small print. In particular it was left to eagle-eyed security researchers to spot that Netscape Communicator 4, SHA-1, and RSA encryption with a 1024-bit key length are recommended to secure the transfer of DNA data between states. The paragraphs in question can be found on page 932 of the 1256-page agreement.

It’s likely that some readers under 30 years old will never have used a Netscape product even though they will be familiar with Firefox, the descendant Mozilla software. Netscape were a pioneer of early web browsers, and Communicator 4 was the company’s all-in-one browser and email offering from the late 1990s. It and its successors steadily lost ground against Microsoft’s Internet Explorer, and ultimately faded away along with the company under AOL ownership in the late 2000s. Meanwhile the SHA-1 hashing algorithm has been demonstrated to be vulnerable to collision attacks, and computing power has advanced such that 1024-bit RSA encryption can be broken in a sensible time frame by anyone with sufficient GPU power to give it a try. It’s clear that something is amiss in the drafting of this treaty, and we’d go so far as to venture the opinion that a tired civil servant simply cut-and-pasted from a late-1990s security document.

So will the lawmakers of Europe now have to dig for ancient software as mandated by treaty? We hope not, as from our reading they are given as examples rather than as directives. We worry however that their agencies might turn out to be as clueless on digital security as evidently the civil servants are, so maybe Verizon Communications, current owners of the Netscape brand, could be in for a few support calls.

European Right To Repair: Poor Repairability Shamed With Rating System

Happily the right to repair movement is slowly gaining ground, and recently they’ve scored a major success in the European Parliament that includes a requirement that products be labelled with expected lifetime and repairability information, long-term availability of parts, and numerous measures aimed at preventing waste.

… including by requiring improved product information through mandatory labelling on the durability and reparability of a product (expected lifetime, availability of spare parts, etc.), defining durability and reparability as the main characteristics of a product…

Even the UK, whose path is diverging from the EU due to Brexit, appears to have a moment of harmony on this front. This builds upon existing rights to repair in that devices sold in Europe will eventually have to carry a clearly visible repair score to communicate the ease of repairability and supply of spare parts, making a clear incentive for manufacturers to strive for the highest score possible.

We live in an age in which our machines, appliances, and devices are becoming ever more complex, while at the same time ever more difficult to repair. Our community are the masters of fixing things, but even we are becoming increasingly stumped in the face of the latest flashy kitchen appliance or iDevice. The right to repair movement, and this measure in particular, seeks to improve the ability of all consumers, not just us hackers, to make buying decisions for better products and lower environmental impact.

With a population of around 450 million people spread across 27 member countries, the EU represents a colossal market that no manufacturer can afford to ignore. Therefore, while plenty of other regions of the planet have no such legislation, this move will have a knock-on effect across the whole planet. Since the same products are routinely sold worldwide, it is to be expected that an improvement in repairability for European markets will also propagate to the rest of the world. So when your next phone has a replaceable battery and easier spares availability, thank the EU-based right to repair campaigners and some European lawmakers for that convenience.

European Parliament from EU, CC BY 2.0.

Zoombombing The EU Foreign Affairs Council

Those with security clearance are capable of making foolish mistakes, just like the rest of us. Such is the story of how a Dutch journalist made an appearance on a video meeting of the European Union’s Foreign Affairs Council (Dutch language, Google Translate link).

Netherlands Defence Minister Ank Bijleveld’s Tweeted picture, with the access details blacked out by Daniël Verlaan.

Like any other video call, if you had the link you could enter the meeting. So when Netherlands Defence Minister Ank Bijleveld Tweeted a photo of a video call last Friday, the address bar of the browser gave away the secret to anyone with a keen eye. Dutch journalist Daniël Verlaan working for the broadcaster RTL saw the URL on the screen and deduced the login credentials for the meeting.

We say “deduced”, but in fact there were five of the six digits in the PIN in the clear in the URL, leaving him with the difficult task of performing a one-digit brute-force attack and joining with the username “admin”. He joined and revealed his presence, then was admonished for committing a criminal offence before he left.

On one level it’s an opportunity for a good laugh at the expense of the defence ministers, and we certainly wouldn’t want to be Ank Bijleveld or probably the EU’s online security people once the inevitable investigation into this gets under way. It seems scarcely credible that the secrecy on such a high-security meeting could have sat upon such a shaky foundation without for example some form of two-factor authentication using the kind of hardware available only to governments.

EU policy is decided not by individual ministries but by delicate round-table summits of all 27 countries. In a pandemic these have shifted to being half-online and half in-real-life, so this EU defence ministers’ meeting had the usual mosaic video feed of politicians and national flags. And one Zoom-bombing journalist.

EU Duty Changes, A Whole VAT Of Trouble For Hackers?

It could be said that there are a number of factors behind the explosion of creativity in our community of hardware hackers over the last couple of decades, but one in particular that is beyond doubt is the ease with which it has been possible to import small orders from China. See something on AliExpress and it can be yours for a few quid; somewhere in a warehouse on the other side of the world it’s put into a grey shipping bag, and three weeks later it’s on your doorstep. This bounty has in no small part been aided by a favourable postage and taxation environment in which both low postage costs and a lack of customs duties on packages under a certain value conspire to render getting the product in front of you a fraction of the cost of buying the thing in the first place.

Europeans Now Have The Right To Repair – And That Means The Rest Of Us Probably Will Too

As anyone who has been faced with a recently-manufactured household appliance that has broken will know, sometimes they can be surprisingly difficult to fix. In many cases it is not in the interests of manufacturers keen to sell more products to make a device that lasts significantly longer than its warranty period, to design it with dismantling or repairability in mind, or to make spare parts available to extend its life. As hardware hackers we do our best with home-made replacement components, hot glue, and cable ties, but all too often another appliance that should have plenty of life in it heads for the dump.

Czech waste management workers dismantle scrap washing machines. Tormale [CC BY-SA 3.0].
If we are at a loss to fix a domestic appliance then the general public are doubly so, and the resulting mountain of electrical waste is enough of a problem that the European Union is introducing new rules governing their repairability. The new law mandates that certain classes of household appliances and other devices for sale within the EU’s jurisdiction must have a guaranteed period of replacement part availability and that they must be designed such that they can be worked upon with standard tools. These special classes include washing machines, dishwashers, refrigerators, televisions, and more.

Let’s dig into the ramifications of this decision which will likely affect markets beyond the EU and hopefully lead to a supply of available parts useful for repair and beyond.


Ask Hackaday: Get The Lead Out Or Not?

For most of the history of industrial electronics, solder has been pretty boring. Mix some lead with a little tin, figure out how to wrap it around a thread of rosin, and that’s pretty much it. Sure, flux formulations changed a bit, the ratio of lead to tin was tweaked for certain applications, and sometimes manufacturers would add something exotic like a little silver. But solder was pretty mundane stuff.

Source: RoHS Guide

Then in 2003, the dull gray world of solder got turned on its head when the European Union adopted a directive called Restriction of Hazardous Substances, or RoHS. We’ve all seen the little RoHS logos on electronics gear, and while the directive covers ten substances including mercury, cadmium, and hexavalent chromium, it has been most commonly associated with lead solder. RoHS, intended in part to reduce the toxicity of an electronic waste stream that amounts to something like 50 million tons a year worldwide, marked the end of the 60:40 alloy’s reign as the king of electrical connections, at least for any products intended for the European market, when it went into effect in 2006.


Hackaday Links: September 16, 2018

Apple released a phone, the most phone in the history of phones. It’s incredible.

There are four machines that are the cornerstone of electronic music. The TR-808, the TR-909, the TB-303, and the SH-101 are the machines that created techno, house, and every other genre of electronic music. This week at KnobCon, Behringer, the brand famous for cheap mixers, other audio paraphernalia of questionable quality, and a clone of the Minimoog, teased their clone of the 909. Unlike the Roland reissue, this is a full-sized 909, much like Behringer’s clone of the 808. Price is said to be under $400, and the best guess on the release is ‘sometime in the next year’.

Speaking of synths, [jan] has created a ton of electronic musical instruments based around single chips. There’s one that fits inside a MIDI plug, and another that also adds a keyboard. Now he has an ‘educational kit’ on IndieGoGo. It’s surprisingly cheap at $19.

Europe, currently.

Europe is outlawing memes (I’m 12 and what is this?).

The EU parliament adopted a proposal for a Copyright Directive, the most onerous proposal being Article 13, requiring platforms to adopt copyright filters to examine everything uploaded to a platform.

The takeaway analogy is that this proposal is the opposite of the DMCA’s Safe Harbor provision that protects ISPs from the consequences of users’ actions; if Article 13 is adopted, an image-hosting service could be sued by copyright holders because users uploaded copyrighted images.

Needless to say, this is dumb, and a massive opportunity for you to become a startup founder. Companies like Google and Facebook already have robots and databases crawling their servers looking for copyrighted content, but smaller sites (hackaday.io included) do not have the resources to build such a service themselves. You’re looking at a massive B2B startup opportunity when these copyright directives pass.