Friday, November 16, 2018

Invisibly inserting usernames into text with Zero-Width Characters

https://medium.com/@umpox/be-careful-what-you-copy-invisibly-inserting-usernames-into-text-with-zero-width-characters-18b4e6f17b66 

https://www.umpox.com/zero-width-detection/
Zero-width characters are invisible, ‘non-printing’ characters that are not displayed by the majority of applications. F​or exam​ple, I’ve ins​erted 10 ze​ro-width spa​ces in​to thi​s sentence, c​an you tel​​l? (Hint: paste the sentence into Diff Checker to see the locations of the characters!). These characters can be used to ‘fingerprint’ text for certain users.

Sunday, November 4, 2018

The FBI of the National Park Service

https://www.outsideonline.com/2353856/national-park-service-investigative-services-branch
Last August, I traveled to Yosemite National Park to meet up with Shott’s colleague, ISB special agent Jeff Sullivan, an affable, self-deprecating, 35-year veteran of the Park Service. Sullivan has played a role in investigating nearly every major crime and mystery that’s taken place in Yosemite over the past quarter-century, which made him the ideal guide for a tour of the shadowy side of America’s fifth most visited national park. See that grassy expanse, dotted with wildflowers? That’s where park visitors discovered the skull of a still-unidentified young woman, a murder claimed by the prolific serial killer Henry Lee Lucas. That lush meadow? Once, someone found a dead bear there, its head neatly severed from its body. (The ISB sent the bear’s remains to the park’s wildlife lab in Oregon, hoping to discover clues about who’d poached it. The lab called back a few weeks later: The poacher you’re looking for is a mountain lion.) 
Sullivan and I drove up to Glacier Point, where he told me about the rockslide in 1996 that killed one and injured at least 11. The dust cloud it kicked up was so massive it blocked out the sun; until Sullivan arrived on the scene, he’d been sure there would be dozens of casualties. Next to us, a bored teenager flung a water bottle into the abyss. Watching it fall seemed to cause Sullivan physical pain. He leaned in close and flashed his badge at the kid. “Don’t throw water bottles,” he said quietly.

Monday, October 22, 2018

How to set up Raspberry Pis without a keyboard, mouse, or monitor

There are plenty of guides out there about how to set up headless Raspberry Pis, but they get out of date quickly, and I do this often enough that I'm constantly searching for up to date ones.  So for my own benefit here's my documentation of the process.

Download Raspbian Lite.  This is the version without the GUI components.

Put your SD card in your computer and use lsblk to identify which drive your SD card is. Be careful, if you use the wrong drive below you will overwrite your main hard drive.

Use dd to copy the date over.  They constantly recommend you use the program Etcher, but I've never had it work successfully.  The command is sudo dd bs=4M if=2018-10-09-raspbian-stretch-lite.img of=/dev/sde conv=fsync status=progress

Your card should have 2 partitions, open the boot partition and add an empty file called ssh to enable ssh, and create a file called wpa_supllicant.conf to configure wifi.  The contents of the file are this:




country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="YourSSID"
    psk=abcdef1234567890
    key_mgmt=WPA-PSK
}

You can either put your actual password in there as the psk, or use the tool wpa_passphrase to convert your password into a hash that will also work.

Put the card in the Pi, boot it up, and it should connect to your network and you should be able to ssh in with username pi and password raspberry.  Note that you need to boot once for it to expand the filesystem.

You should put your public key in ~/.ssh/authorized_keys and turn off password ssh access.  You should also run sudo raspi-config once you ssh in, and update with sudo apt update && sudo apt upgrade

Saturday, October 6, 2018

Blockchain Technology Overview

https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8202.pdf

NIST just published a good overview of blockchain technologies.  Very thorough, yet digestible for non-technical readers.
Blockchains are tamper evident and tamper resistant digital ledgers implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority (i.e., a bank, company, or government). At their basic level, they enable a community of users to record transactions in a shared ledger within that community, such that under normal operation of the blockchain network no transaction can be changed once published. This document provides a high-level technical overview of blockchain technology. The purpose is to help readers understand how blockchain technology works.

GoogleMeetRoulette: Joining random meetings

https://www.martinvigo.com/googlemeetroulette/
Let’s see… I generated a meeting, got a Google Meet phone number, and all subsequent phone numbers are also from the same carrier. Let me call and see if I get the Google Meet greeting to confirm. Bingo! For countries like Australia and Spain, Google Meet phone numbers are assigned in batches that are sequential. I can generate a meeting myself and just check the subsequent phone numbers to obtain more Google Meet numbers. You can use them to join/find meetings in the US as the phone numbers from other countries are not specific to meetings in that country, they are global.

10 seconds per call, 3 PINs at a time, 10,000 PINs to try. It would take about 9 hours to cover all PIN combinations making one call at a time. Because Twilio is designed to make calls at scale, we can make hundreds of calls at the same time making the process much faster. The script fires so many calls that the line will be busy sometimes. Not a problem! The script will detect failed calls and simply retry. Actually, Twilio notifies of failed calls immediately using webhooks making the script very efficient handling calls that did not go through.  
I did some benchmarks and on average it takes 25 minutes to try all 10k PINs and find 15 different valid PINs for 15 different meetings for a cost of $16. Not bad!

Saturday, September 29, 2018

Man in the browser attack

Recently I heard of the man in the browser attack and thought it was interesting.  This is malware that is installed in your browser (as an extension for example), and silently waits for you to do a bank transfer.  When you do it can simple change the to account and routing numbers you submit to that of the attacker.  Everything looks fine to you, and wire transfers already take days to process.  Things like strong passwords and 2 factor authentication won't help since you are logging into your real bank's website.

https://en.wikipedia.org/wiki/Man-in-the-browser

Monday, August 27, 2018

wideNES - Peeking Past the Edge of NES Games

http://prilik.com/blog/wideNES
At the end of each frame, the CPU updates the PPU on what has changed. This involves setting new sprite positions, new level data, and —crucially for wideNES— new viewport offsets. Since wideNES runs in an emulator, it’s really easy to track the values written to the PPUSCROLL register, which means it’s incredibly easy to calculate how much of the screen has scrolled between any two frames!

Hmm, what would happen if instead of painting each new frame directly over the old frame, new frames are instead painted overlapping the previous frame, but offset by the current screen scroll? Well, over time, more and more of the level would be left on-screen, gradually building up a complete picture of the level!


Friday, August 24, 2018

How I recorded user behaviour on my competitor’s websites

https://dejanseo.com.au/competitor-hack/
I spoofed the back button in Chrome and sent people to my version of search results and competitor websites where I recorded everything with Lucky Orange.

Sunday, August 12, 2018

Friday, May 25, 2018

How Ikea took over the world

http://fortune.com/ikea-world-domination/
One way Ikea researchers get around this is by taking a firsthand look themselves. The company frequently does home visits and—in a practice that blends research with reality TV—will even send an anthropologist to live in a volunteer’s abode. Ikea recently put up cameras in people’s homes in Stockholm, Milan, New York, and Shenzhen, China, to better understand how people use their sofas. What did they learn? “They do all kinds of things except sitting and watching TV,” Ydholm says. The Ikea sleuths found that in Shenzhen, most of the subjects sat on the floor using the sofas as a backrest. “I can tell you seriously we for sure have not designed our sofas according to people sitting on the floor and using a sofa like that,” says Ydholm.

Monday, March 12, 2018

Smart homes and vegetable peelers

https://www.ben-evans.com/benedictevans/2018/1/4/smart-homes-and-vegetable-peelers
Many of the things that get a connection or become 'smart' in some way will seem silly to us, just as many things that got 'electrified' would seem silly to our grandparents - tell them that you have a button to adjust the mirrors on your car, or a machine to chop vegetables, and they'd think you were soft in the head, but that's how the deployment of the technology happened, and how it will happen again. The technology will be there, and will become very very cheap, so it will slide unnoticed into our lives. On the other hand, many things that people did think might get electrified did not, and many of the ideas that did work were not adopted in a uniform way. Most people in the UK have an electric kettle, but that's not true in the USA, and most people in Japan have a rice cooker, but this in turn isn't true in the UK. Anyone who's baked a few times has bought an electric whisk for $20, but not many people use electric carving knives.

Friday, February 16, 2018

The “hydrogen economy” may be a thing after all.

https://www.vox.com/energy-and-environment/2018/2/16/16926950/hydrogen-fuel-technology-economy-hytech-storage
The first product, scheduled to debut in April, is the key to everything else.
It’s called Internal Combustion Assistance (ICA), a modification to internal combustion engines that enables them to substantially increase their fuel efficiency and reduce their air pollution. It does this by adding tiny amounts of gaseous hydrogen and oxygen to the fuel just before it is combusted in the engine’s cylinders. The HHO mix lends intensity to the combustion, allowing the fuel to burn more completely, generating more oomph and less pollution.
The ICA system can technically work on any internal combustion engine, but to begin with, HyTech is targeting the dirtiest engines with the fastest return on investment, namely diesel engines — in vehicles like trucks, delivery vans, buses, and forklifts, but also big, stationary diesel generators, which still provide backup (and even primary) power by the millions across the world.

Let's Learn About Waveforms

https://pudding.cool/2018/02/waveforms/

Monday, January 29, 2018

Password Management

I've long maintained that the only sites that really need strong passwords are emails (because they let you reset other passwords) and financial sites.  I've memorized long random passwords for those sites, and I have a few similar passwords I use for the rest of things.  I've never been too concerned about sharing passwords between other sites, because I literally don't care about the security of those accounts.

That being said, sites are increasingly instituting arbitrary restrictions that are intended to make things more secure.  This means I need variations of my common passwords for every permutation of rules, and then variations of those for when I'm required to change them.  Having to try all these permutations has finally made me break down and start using a password manager.

It's probably no surprise I didn't just go with LastPass, and not just because of my general aversion to the most popular choices, but as I've heard the company they are owned by is shady.

Password Manager

There are a lot of password managers, but if you're looking for open source, and managing your own password file, the clear choice is KeePass.  However, as is an open source tradition, you can't just go with KeePass; you have to follow the forks, to find the version that is currently up to date and being maintained.  That version is KeePassXC.

If you go with KeePassXC you'll have a client on every device you want to use it with.  Then you'll have a password file, which is the encrypted file holding all your passwords.  In theory if your master password for that file is long and secure you won't need to worry about keeping that file too safe (don't post it publicly).  I'd recommend getting to at least centuries on the 10k/second tier of zxcvbn.

You can also use a keyfile, which is a random file you'll need in addition to a master password to decrypt your password file.  This adds some security, but keep in mind that if someone gains access to a device with your password file, they also probably gain access to the keyfile.  It mainly helps if you are worried about your password file getting intercepted during syncing between devices (you wouldn't sync the keyfile, you'd move it manually to new devices).

Syncing the Password File

This felt like it was going to be the hardest part, but it turned out to be the easiest.  Certainly, the biggest convenience of LastPass is that someone else manages the password file for you.  A lot of people use Dropbox to sync the KeePass file, and I was ok with this (as the file is encrypted so you aren't really trusting Dropbox with anything), but I hate the idea of installing Dropbox's bloated, always running, client on every device.

Luckily I found Syncthing.  Which is essentially an open source, bit torrent based, version of Dropbox.  You install it on all your machines and then point it to the folder you want to share and it keeps it synced.  My biggest issue was having to enable discovery on every device so that they would share the list of devices they are sharing with too.  This makes sense to have turned off if you were sharing with other people, but if you're only using it in a closed personal ecosystem it's much easier to have it enabled.

I was slightly worried about the password file becoming out of sync, getting written to by two different computers and getting corrupted.  But my mild stress tests have been unable to make this happen.  I've been using this set up for half a year now without issue, so I'm comfortable recommending it.  That being said, Syncthing does allow you to maintain history files (where it keeps the last few versions of the file every time it overwrites it), and I still have that enabled on my PC.

Browser Integration

KeePassXC uses a protocol called KeePassHTTP to share passwords externally.  This basically just sets up a server and allows http requests for your passwords.  This is risky because there could be external requests.  KeePassXC only allows localhost requests, which should mitigate that risk.  If you're still worried you can disable that and use autotyping where you place the cursor in any text field and the it types the password in that field.

Just searching for "KeePassXC Firefox" or Chrome shows the extensions for either.  I've been happy with both of those, although they do feel like the weakest link.

On Android the app Keepass2Android works well.  If you search for the site in the app it then gives you another keyboard to choose from which only has two buttons "User" and "Pass".  Pressing those fills in that info for the site you have selected.

The closest thing to a problem on the phone is that it takes a few seconds to unlock the file.  This is important though, it should take at least half a second to unlock your password file on a fast PC.  If you make it faster to open, it'll be easier to brute force.