2020: Everything Is Virtual

It’s like the dystopian future arrived out of the blue. From one year to the next we went from holing up in overly air-conditioned hotel ballrooms and actually meeting our fellow meatbags in the flesh, to huddling in our pods and staring at the screens. I’m looking for the taps to hook me in to the Matrix at this point.

But if you haven’t yet received your flying car or your daily Soma ration, you can still take comfort in one thing: all of the hacker conferences are streaming live, as if it were some fantastic cyber-future! In fact, as we type this, someone is telling you how to print your way to free drinks on USAir flights as part of HOPE’s offering, but the talks will continue for the next few days. (Go straight to live stream one.)

If retrocomputing is more your thing, Saturday marks the start of the virtual Vintage Computer Festival West of which Hackaday is a proud sponsor. (Here’s the schedule.)

And next weekend is DEF CON in Safe Mode with Networking. While we can totally imagine how the talks and demo sessions will work, the Villages, informal talks and hack-togethers based on a common theme, will be a real test of distributed conferencing.

OK, I’ll admit it: I really miss getting together with folks and having the truly random conversations that pre-scripted teleconferences just don’t seem to facilitate. Lobbycon suffers in lockdown. But if you’ve never been to any of these events, and you just want a taste of the talks and presentations at least, now’s your chance to get in for free. And if you like what you see, and if the virus lets us, we’ll see you in person next summer!

Hackaday Links: July 26, 2020

An Australian teen is in hot water after he allegedly exposed sensitive medical information concerning COVID-19 patients being treated in a local hospital. While the authorities in Western Australia were quick to paint the unidentified teen as a malicious, balaclava-wearing hacker spending his idle days cracking into secure systems, a narrative local media were all too willing to parrot, reading down past the breathless headlines reveals the truth: the teen set up an SDR to receive unencrypted POCSAG pager data from a hospital, and built a web page to display it all in real-time. We’ve covered the use of unsecured pager networks in the medical profession before; this is a well-known problem that should not exactly take any infosec pros by surprise. Apparently authorities just hoped that nobody would spend $20 on an SDR and an afternoon putting it all together rather than address the real problem, and when found out they shifted the blame onto the kid.

Speaking of RF hacking, even though the 2020 HOPE Conference is going virtual, they’ll still be holding the RF Hacking Village. It’s not clear from the schedule how exactly that will happen; perhaps like this year’s GNU Radio Conference CTF Challenge, they’ll be distributing audio files for participants to decode. If someone attends HOPE, which starts this weekend, we’d love to hear a report on how the RF Village — and the Lockpicking Village and all the other attractions — are organized. Here’s hoping it’s as cool as DEFCON Safe Mode’s cassette tape mystery.

It looks like the Raspberry Pi family is about to get a big performance boost, with Eben Upton’s announcement that the upcoming Pi Compute Module 4 will hopefully support NVMe storage. The non-volatile memory express spec will allow speedy access to storage and make the many hacks Pi users use to increase access speed unnecessary. While the Compute Modules are targeted at embedded system designers, Upton also hinted that NVMe support might make it into the mainstream Pi line with a future Pi 4A.

Campfires on the sun? It sounds strange, but that’s what solar scientists are calling the bright spots revealed on our star’s surface by the newly commissioned ESA/NASA Solar Orbiter satellite. The orbiter recently returned its first images of the sun, which are extreme closeups of the roiling surface. They didn’t expect the first images, which are normally used to calibrate instruments and make sure everything is working, to reveal something new, but the (relatively) tiny bright spots are thought to be smaller versions of the larger solar flares we observe from Earth. There are some fascinating images coming back from the orbiter, and they’re well worth checking out.

And finally, although it’s an old article and has nothing to do with hacking, we stumbled upon Tim Urban’s look at the mathematics of human relations and found it fascinating enough to share. The gist is that everyone on the planet is related, and most of us are a lot more inbred than we would like to think, thanks to the exponential growth of everyone’s tree of ancestors. For example, you have 128 great-great-great-great-great-grandparents, who were probably alive in the early 1800s. That pool doubles in size with every generation you go back, until we eventually — sometime in the 1600s — have a pool of ancestors that exceeds the population of the planet at the time. This means that somewhere along the way, someone in your family tree was hanging out with someone else from a very nearby branch of the same tree. That union, likely between first or second cousins, produced the line that led to you. This is called pedigree collapse and it results in the pool of ancestors being greatly trimmed thanks to sharing grandparents. So the next time someone tells you they’re descended from 16th-century royalty, you can just tell them, “Oh yeah? Me too!” Probably.

The Problem With Software Defined Radio

There’s a problem with software defined radio. It’s not that everyone needs to re-learn what TEMPEST shielding is, and it’s not that Bluetooth is horribly broken. SDR’s biggest problem is one of bandwidth and processing. With a simple USB TV Tuner, you can listen in on aircraft, grab Landsat images from hundreds of miles up, or sniff the low-power radios used in Internet of Things things. What you can’t do is make your own WiFi adapter, and you can’t create your own LTE wireless network. This is simply a problem of getting bits from the air to a computer for processing.

At HOPE last weekend, the folks behind the very capable LimeSDR and a new company working with Lime’s hardware laid out the possibilities of what software defined radio can do if you make a link to a computer very fast, and add some processing on the SDR itself.

Continue reading “The Problem With Software Defined Radio”

Yes, You Should Be Hacking Your Car’s Data System

If you own a car, I would wager it’s the most complex device you own. Within you find locomotion, safety systems, and an entertainment system that may be using technology from several decades ago (but that’s a rant for a different article). Jalopy or Sweet Hotness, your ride has an underlying data network that is a ton of fun to hack, and something of a security dinosaur. Both were discussed by Craig Smith and Erik Evenchick during their talk on Car Hacking tools at Hope XI.

You should recognize both of these names. Eric Evenchick is a Hackaday contributor who has been traveling the world presenting talks and workshops on his open source car hacking hardware called CANtact. Craig Smith is founder of OpenGarages and author of the Car Hacker’s Handbook which we highly recommend. The pair made a great joint presentation; both were charismatic, using wit to navigate through the hardware, software, techniques, and goals you want to have in mind to jump into car hacking.

Continue reading “Yes, You Should Be Hacking Your Car’s Data System”

Cory Doctorow Rails Against Technological Nihilism; Wants You To Have Hope

I was skeptical about a two hour block allotted for Cory Doctrow’s keynote address at HOPE XI. I’ve been to Operas that are shorter than that and it’s hard to imagine he could keep a huge audience engaged for that long. I was incredibly wrong — this was a barnburner of a talk. Here is where some would make a joke about breaking out the rainbows and puppies. But this isn’t a joke. I think Cory’s talk helped me understand why I’ve been feeling down about our not-so-bright digital future and unearthed a foundation upon which hope can grow.

Continue reading “Cory Doctorow Rails Against Technological Nihilism; Wants You To Have Hope”

BitCluster Brings A New Way To Snoop Through BitCoin Transactions

Mining the wealth of information in the BitCoin blockchain is nothing new, but BitCluster goes a long way to make sense of the information you’ll find there. The tool was released by Mathieu Lavoie and David Decary-Hetu, PH.D. on Friday following their talk at HOPE XI.

I greatly enjoyed sitting in on the talk which began with some BitCoin basics. The cryptocurrency uses user generated “wallets” which are essentially addresses that identify transactions. Each is established using key pairs and there are roughly 146 million of these wallets in existence now

If you’re a thrifty person you might think you can get one wallet and use it for years. That might be true of the sweaty alligator-skin nightmare you’ve had in your back pocket for a decade now. It’s not true when it comes to digital bits —  they’re cheap (some would say free). People who don’t generate a new wallet for every transaction weaken their BitCoin anonymity and this weakness is the core of BitCluster’s approach.

Every time you transfer BitCoin (BTC) you send the network the address of the transaction when you acquired the BTCs and sign it with your key to validate the data. If you reuse the same wallet address on subsequent transactions — maybe because you didn’t spend all of the wallet’s coins in one transaction or you overpaid and have the change routed back to your wallet. The uniqueness of that signed address can be tracked across those multiple transactions. This alone won’t dox you, but does allow a clever piece of software to build a database of nodes by associating transactions together.

Mathieu’s description of first attempts at mapping the blockchain were amusing. The demonstration showed a Python script called from the command line which started off analyzing a little more than a block a second but by the fourth or fifth blocks hit the process had slowed to a standstill that would never progress. This reminds me of some of the puzzles from Project Euler.

bitcluster-how-it-worksAfter a rabbit hole of optimizations the problem has been solved. All you need to recreate the work is a pair of machines (one for Python one for mondoDB) with the fastest processors you can afford, a 500 GB SSD, 32 GB of RAM (but would be 64 better), Python 64-bit, and at least a week of time. The good news is that you don’t have to recreate this. The 200GB database is available for download through a torrent and the code to navigate it is up on GitHub. Like I said, this type of blockchain sleuthing isn’t new but a powerful open source tool like this is.

Both Ransomware and illicit markets can be observed using this technique. Successful, yet not-so-cautious ransomers sometimes use the same BitCoin address for all payments. For example, research into a 2014 data sample turned up a ransomware instance that pulled in $611k (averaging $10k per day but actually pulling in most of the money during one three-week period). If you’re paying attention you know using the same wallet address is a bad move and this ransomware was eventually shut down.

Illicit markets like Silk Road are another application for BitCluster. Prior research methods relied on mining comments left by customers to estimate revenue. Imagine if you had to guess at how well Amazon was doing reading customer reviews and hoping they mentioned the price? The ability to observe BTC payment nodes is a much more powerful method.

A good illicit market won’t use just one wallet address. But to protect customers they use escrow address and these do get reused making cluster analysis possible. Silk Road was doing about $800k per month in revenue at its height. The bulk of purchases were for less than $500 with only a tiny percentage above $1000. But those large purchases were likely to be drug purchases of a kilo or more. That small sliver of total transactions actually added up to about a third of the total revenue.

bitcluster-logoIt’s fascinating to peer into transactions in this manner. And the good news is that there’s plenty of interesting stuff just waiting to be discovered. After all, the blockchain is a historical record so the data isn’t going anywhere. BitCluster is intriguing and worth playing with. Currently you can search for a BTC address and see total BTC in and out, then sift through income and expense sorted by date, amount, etc. But the tool can be truly great with more development. On the top of the wishlist are automated database updates, labeling of nodes (so you can search “Silk Road” instead of a numerical address), visual graphs of flows, and a hosted version of the query tool (but computing power becomes prohibitive.)

Two Weeks To HOPE X, And We’re Going

hopex_web_topbar_b

In a little less than two weeks, the biannual HOPE conference in NYC will be in full swing. Attendance is more than likely to put you on a list somewhere, so of course we’ll be setting up shop, enjoying the sights and sounds, and throwing swag at hundreds of attendees.

Highlights of HOPE X include a keynote from [Daniel Ellisburg], a video conference with [Edward Snowden], a Q&A with the EFF, a talk I’ll certainly be attending, and the always popular talk on social engineering headed up by [Emmanuel Goldstein].

As with all our extracurriculars, Hackaday will be giving out some swag (200+ tshirts, stickers, and THP goodies), and manning a vendor booth. Look for the eight foot Hackaday flag held up with duct tape. We’ll also be doing the usual video and blog thing from HOPE, for all of you who can’t attend thanks to your company’s security reviews, and some super secret things I can’t believe the overlords signed off on.

In other 2600 news, they ain’t doin too good, with tens of thousands of dollars of debt thanks to rather crappy legal stuff with their distributors. Buying a ticket would help the 2600 guys out, as would buying July’s issue (also on Kindle).