Ourselves As Others See Us Through The Lens Of Traditional Media

When I presented myself at the SHACamp 2017 info desk bright and early on the first full day of the camp, I was surprised to find that I was to be assigned a volunteer along with my press badge. Because of the way our community is sometimes covered by the traditional media, it was necessary that any journalists touring the site have a helping hand to ensure that they respect the privacy of the attendees, gain permission from people likely to be in any photographs, and generally not be idiots about the whole Hacker thing. I pointed out that I was working for Hackaday and not The Sun, and that as an active hackspace member and former hackspace director I was very much a part of the community attending SHA 2017 who would simply be wasting the valuable time of any volunteer assigned to me. Fortunately for the next volunteer in line they agreed with my point of view, so one of the angels was spared a day of my breakneck walking pace and impenetrable British colloquialisms.

It’s interesting therefore, a few weeks after the event, to investigate how it was portrayed through the eyes of people who are not coming at it from within the bubble, as Hackaday is: to take a look at the disconnect between what we know about our community and its events, and how the traditional media sometimes like to portray us. Are they imagining the set of a Hollywood “hacker” movie in which assorted geniuses penetrate the computer systems of various international institutions by the simple expedient of banging wildly at a keyboard for a few seconds, or will the reality of a bunch of like-minded technology enthusiasts gathering in a field for several days of tinkering and other fun activities be what makes their reports?


Hacking On TV: What You Need To Know

It seems to be a perennial feature of our wider community of hackers and makers, that television production companies come up with new ideas for shows featuring us and our skills. Whether it is a reality maker show, a knockout competition, a scavenger hunt, or any other format, it seems that there is always a researcher from one TV company or another touting around the scene for participants in some new show.

These shows are entertaining and engaging to watch, and we’ve all probably wondered how we might do were we to have a go ourselves. Fame and fortune await, even if only during one or two episodes, and sometimes participants even find themselves launched into TV careers. Americans may be familiar with [Joe Grand], for instance, and Brits will recognise [Dick Strawbridge].

It looks as if it might be a win-win situation to be a TV contestant on a series filmed in exotic foreign climes, but it’s worth taking a look at the experience from another angle. What you see on the screen is the show as its producer wants you to see it, fast-paced and entertaining. What you see as a competitor can be entirely different, and before you fill in that form you need to know about both sides.

A few years ago I was one member of a large team of makers that entered the UK version of a very popular TV franchise. The experience left me with an interest in how TV producers craft the public’s impression of an event, and also with a profound distrust of much of what I see on my screen. This prompted me to share experiences with those people I’ve met over the years who have been contestants in other similar shows, to gain a picture of the industry from more than just my personal angle. Those people know who they are and I thank them for their input, but because some of them may still be bound by contract I will keep both their identities and those of the shows they participated in a secret. It’s thus worth sharing some of the insights gleaned from their experiences, so that should you be interested in having a go yourself, you are forewarned.

Is Your Child A Hacker?

Parents in Liverpool, UK, are being prepared to spot the signs that their children might be hackers. The Liverpool Echo reports on the launch of a “Hackers To Heroes” scheme targeting youngsters at risk of donning a black hat, and has an expert on hand, one [Vince Warrington], to come up with a handy cut-out-and-keep list. Because you never know when you’re going to need one, and he’s helped the Government so should know what he’s talking about.

Of course, they’re talking about “Hacker” (cybercriminal) while for us the word has much more positive connotations. And it’s yet another piece of ill-informed media scaremongering about technology that probably fits like so many others in the “People are having fun. Something Must Be Done About It!” category. But it’s still something that will probably result in hassle for a few youngsters with an interest in technology, and that’s not encouraging.

The full list is reproduced below, if you’re a parent it seems you will need to watch your children if:

  1. They spend most of their free time alone with their computer
  2. They have few real friends, but talk extensively to online friends about computers
  3. Teachers say the child has a keen interest in computers, almost to the exclusion of all other subjects
  4. They’re online so much it affects their sleeping habits
  5. They use the language of hacking, with terms such as ‘DDoS’ (pronounced D-dos), Dossing, pwnd, Doxing, Bots, Botnets, Cracking, Hash (refers to a type of encryption rather than cannabis), Keylogger, Lulz, Phishing, Spoof or Spoofing. Members of the Anonymous Hacktivist group refer to their attacks as ‘Ops’
  6. They refer to themselves and their friends as hackers or script kiddies
  7. They have multiple social media profiles on one platform
  8. They have multiple email addresses
  9. They have an odd sounding nickname (famous ones include MafiaBoy and CyberZeist)
  10. Their computer has a web browser called ToR (The Onion Router) which is used to access hacking forums on the dark web
  11. Monitoring tools you’ve put on the computer might suddenly stop working
  12. They can connect to the wifi of nearby houses (especially concerning if they have no legitimate reason to have the password)
  13. They claim to be making money from online computer games (many hackers get started by trying to break computer games in order to exploit flaws in the game. They will then sell these ‘cheats’ online).
  14. They might know more than they should about parents and siblings, not being able to resist hacking your email or social media
  15. Your internet connection slows or goes off, as their hacker rivals try to take them down
  16. Some circumstantial evidence suggests children with Autism and Asperger’s could be more vulnerable to becoming hackers.

Reading the list, we can’t help wondering how many Hackaday readers would recognise these as perfectly normal behaviours from their own formative years. And some of them look ripe for misinterpretation: your internet connection slowing down, for example, does not automatically mean that little [Jimmy] is selling a billion compromised social media accounts on the Dark Web.

Particularly concerning though is the final association of computer crime with children who are autistic or have Asperger’s Syndrome. Picking on a minority as a scapegoat for a public moral panic is reprehensible, and is not responsible journalism.

Still, you have to laugh. They remembered to include a stock photo of a hacker using a keyboard, but they’ve completely missed the telltale sign of a real hacker, which is of course wr1t1n9 11k3 r341 1337 h4xxx0rzzz.

Via The Register.

Liverpool skyline, G-Man (Public domain) via Wikimedia Commons.

Network Security Theatre

Summer is nearly here, and with that comes the preparations for the largest gathering of security researchers on the planet. In early August, researchers, geeks, nerds, and other extremely cool people will descend upon the high desert of Las Vegas, Nevada to discuss the vulnerabilities of software, the exploits of hardware, and the questionable activities of government entities. These are Black Hat and DEF CON; taken together, they make up the largest security conference on the planet.

These conferences serve a very important purpose. Unlike academia, security professionals don’t make a name for themselves by publishing in journals. The pecking order of the security world is determined at these talks. The best talks, and the best media coverage command higher consultancy fees. It’s an economy, and of course there will always be people ready to game the system.

Like academia, these talks are peer-reviewed. Press releases given before the talks are not, and between the knowledge of security researchers and the tech press is network security theatre. In this network security theatre, you don’t really need an interesting exploit, technique, or device, you just need to convince the right people you have one.


Great Scott! A Flux Capacitor Notification Light

If you are into your social media, then you probably like to stay updated with your notifications. [Gamaral] feels this way but he wasn’t happy with the standard way of checking the website or waiting for his phone to alert him. He wanted something a little more flashy. Something like a flux capacitor notification light. This device won’t send his messages back in time, but it does look cool.

He started with an off-the-shelf flux capacitor USB charger. Normally this device just looks cool when charging your USB devices. [Gamaral] wanted to give himself more control of it. He started by opening up the case and replacing a single surface mount resistor. The replacement component is actually a 3.3V regulator that happens to have a similar form factor to the original resistor. This regulator can now provide steady power to the device itself, as well as to an ESP8266 module.

The ESP8266 module has built-in WiFi capabilities for a low price. The board itself is also quite small, making it suitable for this project. [Gamaral] used just two GPIO pins. The first one toggles the flux circuit on and off, and the second keeps track of the current state of the circuit. To actually trigger the change, [Gamaral] just connects to the module via TCP and issues a “TIME CIRCUIT ON/OFF” command. The simplicity makes the unit more versatile, because an application running on a PC can track various social media and flash the unit accordingly.

Dial is a Simple and Effective Wireless Media Controller

[Patrick] was looking for an easier way to control music and movies on his computer from across the room. There are huge numbers of remote control products that could be purchased to do this, but as a hacker [Patrick] wanted to make something himself. He calls his creation “Dial”, and it’s a simple but elegant solution to the problem.

Dial looks like a small cylindrical container that sits on a flat surface. It’s actually split into a top and bottom cylinder. The bottom acts as a base and stays stationary while the top acts as a dial and a push button. The case was designed in SOLIDWORKS and printed on a 3D printer.

The Dial runs on an Arduino Pro Mini with a Bluetooth module. The original prototype used Bluetooth 2.0 and required a recharge after about a day. The latest version uses the Bluetooth Low Energy spec and can reportedly last several weeks on a single charge. When the LiPo battery dies, it can be recharged easily by plugging the Dial into a USB port.

The mechanical component of the dial is actually an off-the-shelf rotary encoder. The encoder included a built-in push button to make things easier. The firmware is able to detect rotation in either direction, a button press, a double press, and a press-and-hold. This gives five different possible functions.
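To make the five-function scheme concrete, here is an added host-side simulation in Python (not [Patrick]’s Arduino firmware) of the two pieces of input handling the paragraph describes: decoding the rotary encoder’s quadrature outputs into a direction, and sorting the push button’s edges into a single press, a double press, or a press-and-hold. The encoder phase sequence, the timing thresholds, the sample inputs and the function names are all assumptions made for this example.

```python
# Constructed simulation of the Dial's input handling (not the project's own
# code). Thresholds and the A/B phase sequence are assumptions.

# One detent of a typical mechanical encoder walks the A/B contacts through a
# Gray-code cycle: clockwise 00 -> 01 -> 11 -> 10 -> 00, anticlockwise the reverse.
_CW_CYCLE = [(0, 0), (0, 1), (1, 1), (1, 0)]
TRANSITIONS = {}
for _i, _state in enumerate(_CW_CYCLE):
    _nxt = _CW_CYCLE[(_i + 1) % 4]
    TRANSITIONS[(_state, _nxt)] = +1   # clockwise quarter-step
    TRANSITIONS[(_nxt, _state)] = -1   # anticlockwise quarter-step


def decode_quadrature(samples):
    """samples: successive (A, B) pin readings.

    Returns the net number of valid quarter-steps (positive = clockwise).
    Repeated readings and illegal two-bit jumps, as produced by contact
    bounce, are not in the table and contribute nothing."""
    steps = 0
    for prev, cur in zip(samples, samples[1:]):
        steps += TRANSITIONS.get((prev, cur), 0)
    return steps


def detents(samples):
    """Whole detents turned: four quarter-steps per detent, truncating
    towards zero so a partial turn in either direction counts as none."""
    return int(decode_quadrature(samples) / 4)


def classify_button(edges, hold_ms=600, double_ms=300):
    """edges: time-ordered (t_ms, pressed) transitions of the push switch.

    Returns a list of gestures: 'press', 'double' or 'hold'. A press held
    for at least hold_ms is a hold; two short presses whose gap is at most
    double_ms form a double; anything else is a single press."""
    presses, down = [], None
    for t, pressed in edges:
        if pressed and down is None:
            down = t
        elif not pressed and down is not None:
            presses.append((down, t))
            down = None

    gestures, i = [], 0
    while i < len(presses):
        d, u = presses[i]
        if u - d >= hold_ms:
            gestures.append("hold")
            i += 1
            continue
        if i + 1 < len(presses):
            d2, u2 = presses[i + 1]
            if d2 - u <= double_ms and u2 - d2 < hold_ms:
                gestures.append("double")
                i += 2
                continue
        gestures.append("press")
        i += 1
    return gestures


if __name__ == "__main__":
    # Constructed sample inputs: two detents clockwise, then a double click.
    turn = [(0, 0), (0, 1), (1, 1), (1, 0)] * 2 + [(0, 0)]
    print("detents:", detents(turn))
    print("gestures:", classify_button([(0, True), (80, False), (200, True), (280, False)]))
```

Together with the two rotation directions, the three button gestures give the five actions the firmware maps to media controls; the bounce-tolerant table lookup is what makes the direction reliable on a cheap mechanical encoder.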

[Patrick] wrote two pieces of software to handle interaction with the Dial. The first is a C program to deal with the Bluetooth communication. The second is a set of AppleScripts that handle the interaction between the Dial and the various media programs on his computer. This allows users to more easily write their own scripts for whatever software they want. While this may have read like a product review, the Dial is actually open source!

SpoofedMe Attack Steals Accounts by Exploiting Social Login Mechanisms

We’ve all seen the social login pop-up boxes. You try to log into some website only to be presented with that pop-up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is that you are more vulnerable if the service is offered and you are NOT using it. The researchers have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.

So how does it work? The exploit relies on vulnerabilities in both the identity provider (Facebook/Twitter/etc) and the “relying website”. The relying website is whatever website the user is trying to log into using their social media account. The easiest way to describe the vulnerability is to walk through an example. Here we go.

Let’s imagine you are an attacker and you want to get into some victim’s Slashdot account. Slashdot allows you to create a local account within their system if you like, or you can log in using your LinkedIn account. Your victim doesn’t actually have a LinkedIn account, they use a local Slashdot account.

The first step of your attack would be to create a LinkedIn account using your victim’s email address. This needs to be the same address the victim is using for their local Slashdot account. This is where the first vulnerability comes in. LinkedIn needs to allow the creation of the account without verifying that the email address belongs to you.

The second step of the attack is now to attempt to log into Slashdot using your newly created LinkedIn account. This is where the second vulnerability comes in. Some social media services will authenticate you to websites like Slashdot by sending Slashdot your user information, and in this case the key piece of information is your email address, which LinkedIn passes along even though it never verified it. Here’s the third vulnerability. Slashdot sees that your LinkedIn account has the same email address as one of its local users, assumes that LinkedIn has verified that address, and permits you, the attacker, to log in as that user. You now have access to your victim’s Slashdot account. In another scenario, Slashdot might actually merge the two credentials together into one account.

What’s really interesting about this hack is that it isn’t even very technical. Anyone can do this. All you need is the victim’s email address, and you can try this on various social media sites to see if it works. It’s even more interesting that you are actually more vulnerable if you are not using the social logins. Some real world examples of this vulnerability are with LinkedIn’s social login service, Amazon’s service, and MYDIGIPASS.com’s service. Check out the demonstration video below.
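The three vulnerabilities above come down to one decision on the relying website: what to do with the email address in an identity assertion. Below is an added Python example (not the IBM X-Force researchers’ code, and not any real provider’s token format) contrasting a relying party that links accounts by email alone, the SpoofedMe pattern, with one that links on the provider’s own subject identifier, rejects assertions whose email the provider never verified, and even on a verified email refuses to merge into an existing local account without a local password or emailed code first. The account data, the assertion fields, the provider name and all function names are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed toy data (not from the original article): a relying website with
# one local account, plus identity assertions as a provider might hand them to
# the site after a social login. Field names are assumptions for this example.


@dataclass
class LocalAccount:
    username: str
    email: str
    # (provider, provider_subject_id) pairs this account has explicitly linked
    linked: set = field(default_factory=set)


@dataclass
class Assertion:
    provider: str         # which identity provider vouched for the user
    subject: str          # the provider's stable id for its own account
    email: str            # the email address the provider reports
    email_verified: bool  # whether the provider actually verified that address


def make_accounts():
    # The victim has only a local account; nothing is linked to any provider.
    return {"victim": LocalAccount("victim", "victim@example.com")}


def find_by_email(accounts, email):
    email = email.casefold()
    for acct in accounts.values():
        if acct.email.casefold() == email:
            return acct
    return None


def login_vulnerable(assertion, accounts):
    """The SpoofedMe pattern: match the asserted email against local accounts
    and log the caller straight in, trusting that the provider verified it."""
    acct = find_by_email(accounts, assertion.email)
    return acct.username if acct else None  # None: site would create a new account


TRUSTED_PROVIDERS = {"linkedin"}  # assumption: providers the site has vetted


def login_hardened(assertion, accounts, trusted=TRUSTED_PROVIDERS):
    """Link on (provider, subject), never on a bare email address."""
    ident = (assertion.provider, assertion.subject)
    for acct in accounts.values():
        if ident in acct.linked:
            return ("ok", acct.username)        # previously linked: normal login
    if assertion.provider not in trusted or not assertion.email_verified:
        return ("rejected", None)               # unverified email never merges accounts
    acct = find_by_email(accounts, assertion.email)
    if acct:
        # Verified email matching a local account: still no auto-merge. Ask for
        # the local password or an emailed code before linking.
        return ("verify_required", acct.username)
    return ("new_account", None)


def link_identity(accounts, username, assertion):
    """Called only after the user has proved control of the local account."""
    accounts[username].linked.add((assertion.provider, assertion.subject))


def demo():
    accounts = make_accounts()
    # Attacker registers a provider account under the victim's email; the provider
    # never verified it (first vulnerability) but reports it anyway (second).
    attacker = Assertion("linkedin", "attacker-4242", "victim@example.com", False)
    # Same attacker-side account, but assume the provider marks the email verified.
    attacker_verified = Assertion("linkedin", "attacker-4242", "victim@example.com", True)
    # The real victim, later creating a genuine provider account and verifying it.
    legit = Assertion("linkedin", "victim-9001", "victim@example.com", True)

    results = {
        "vulnerable_attacker": login_vulnerable(attacker, accounts),
        "hardened_attacker": login_hardened(attacker, accounts),
        "hardened_attacker_verified_email": login_hardened(attacker_verified, accounts),
        "hardened_legit_first": login_hardened(legit, accounts),
    }
    link_identity(accounts, "victim", legit)  # after a local password check, not shown
    results["hardened_legit_linked"] = login_hardened(legit, accounts)
    results["hardened_attacker_after_link"] = login_hardened(attacker, accounts)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable path hands the attacker the victim’s session from nothing more than the victim’s email address; the hardened path never turns an email match into a login, which is also why the check protects users who have never used social login at all.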