
Social Engineering

Oh dear fucking Cthulhu, this is like something out of a John Brunner novel: NewsTweak.

TL;DR version: it's a plug computer like SheevaPlug or PogoPlug ... or the rather less benign PlugBot. It runs Linux and has wifi and a bunch of preconfigured software to do interesting things on whatever wifi network it finds itself on. You'll notice it has an extra mains socket on the front, so that it looks like a rather clunky surge suppressor or similar adapter.

In the case of NewsTweak, it uses ARP spoofing to change the text displayed on certain web sites. In the demo video (see that link at the top?) we see NewsTweak changing a headline on the BBC News website. Note that it isn't attacking the web server or the browser: it works at a lower level, sending forged ARP replies on the local network so that the machines running the web browsers (and the router) hand their traffic to the plug instead of to each other, and then it rewrites the unencrypted HTTP responses as they pass through on the way back to the browser.

Next step: they'll add a 3G or 4G phone stage so that it can maintain its own back-channel to Black Hat HQ to receive updated instructions in real time. For example, to look for someone logging onto a banking site or a business application or a government database, and then modify what they can see. Or modify what they can't see, so that an HTML login form pointing at a government server might be silently redirected to a hacker's machine instead, which is running a proxy pointing at the real government server (to enable the hackers to grab the login credentials: a classic man in the middle attack, and the reason why Serious People use two-factor authentication on top of passwords, not that it would help much for this particular session, since the proxy sits on the live session and can ride it once the user has logged in).

Smart organizations (and government departments) treat any wireless network as untrusted for exactly this reason: someone can have added an inconspicuous wall-wart loaded with penetration tools to your network, and it could be listening in on everything your users type.

Moral of story: if you can't see the wires you can't trust the channel.

Secondary thought:

This sort of gadget is, in bulk, extremely cheap — I bet you could order them for well under $100 in batches of a thousand and up. Say you're a repressive regime, but not so repressive that you can just haul random dissidents off to the torture chamber without paying lip service to due process. How hard would it be to plant these things in your targets' homes, so that you can gaslight them by interfering with the news they're reading? Call it a digital agent provocateur. Say you're the DHS and you want a steady stream of clueless Al Qaida wannabes to arrest and show on CNN to keep everyone afraid enough to go along with your PATRIOT Act extension? Plant these in the homes of young muslim males who hang out at the wrong mosques, crank up the volume of hateful news, and see who snaps ...
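An added example (the editor's, not Newstweek's own code) of the payload-level half of the attack described above: once ARP spoofing has put the plug in the path, changing a headline means editing an unencrypted HTTP/1.1 response and re-framing it so the browser still accepts it. The response bytes are constructed for the example. A chunked or compressed body is refused rather than corrupted, and over TLS none of this is possible at all, because the body is opaque and integrity-protected by a key the plug does not have.

```python
"""Added example (the editor's, not Newstweek's own code): what an in-path box
has to do to alter one headline in an HTTP/1.1 response without corrupting it.
The response bytes below are constructed for this example."""


def split_response(raw: bytes):
    """Split raw HTTP/1.1 response bytes into (status line, [header lines], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def header(lines, name: bytes):
    """Case-insensitive lookup of a header value, or None if absent."""
    for line in lines:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def rewrite_response(raw: bytes, old: bytes, new: bytes) -> bytes:
    """Replace `old` with `new` in the body and fix the framing to match."""
    status, hdrs, body = split_response(raw)
    # Only a plain, fully buffered body can be edited in place.  Chunked or
    # compressed bodies must be de-chunked / inflated first and re-framed after;
    # editing them byte-for-byte produces a response the browser will reject.
    if b"chunked" in (header(hdrs, b"transfer-encoding") or b"").lower():
        raise ValueError("chunked body: de-chunk before editing")
    if (header(hdrs, b"content-encoding") or b"identity").lower() != b"identity":
        raise ValueError("compressed body: decompress before editing")
    declared = header(hdrs, b"content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError("body not fully buffered yet")
    new_body = body.replace(old, new)
    out = [status]
    for line in hdrs:
        if line.partition(b":")[0].strip().lower() == b"content-length":
            # Stale Content-Length makes the browser stall or truncate the page.
            line = b"Content-Length: %d" % len(new_body)
        out.append(line)
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body


# Constructed sample: an uncompressed page carrying a headline (62-byte body).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 62\r\n"
    b"\r\n"
    b"<html><body><h1>Council approves new bypass</h1></body></html>"
)

# Constructed sample the naive rewriter must refuse: chunked framing.
CHUNKED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"1b\r\nCouncil approves new bypass\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(rewrite_response(SAMPLE_RESPONSE, b"approves", b"rejects").decode())
```

The Content-Length fix-up is the part a lazy rewrite gets wrong: leave it at 62 after shortening the body and the browser waits for a byte that never arrives. Note also that nothing in the plain HTTP response lets the browser tell the edited copy from the original; that is exactly the property TLS adds.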

95 Comments

1:

Moral of story: if you can't see the wires you can't trust the channel.

The same goes for wired networks. In my old team we had a very similar PC that you could pop into an Ethernet port somewhere out of the way and it would spend some time figuring out how to phone home.

2:

uhh... I don't think such high tech subterfuges are necessary in a world where people already flip out over The Onion articles

3:

And yet ironically, the same technology is being used to create the Freedom Box, which is the complete antithesis of this, and is intended at least in part to help maintain secure channels of communication between individuals, even in repressive regimes.

4:

How hard would it be to add a mic into one of those wallplugs? Whatever you see hobbyists knocking out you can bet the Security Service and NSA has something a lot smaller. The only real problem is the antenna and power supply. I recall a paper from the early 80s about a TRW custom signal processing chip that could do 300 MIPS. This was when a PC ran an 8088 at 4.7MHz

5:

This is why ssl exists. The browser won't fall for any packets that are not encoded with the correct private key, regardless of whether or not someone is ARP spoofing.

And as another poster already commented, these types of attack are also possible on wired networks, as long as you are on a hub instead of a somewhat intelligent switch.

Now, if the attacker has CA root keys, all bets are off, but that's a somewhat bigger problem.

In short, if it's important, use https, ssh, or sftp.

6:

Nestor@2: Well, they might not be "necessary" for those people. But everybody has different preconceptions about their filters. For example, even if it's on PBS, Tupac isn't alive in New Zealand. Of course, people who know they're too smart to be fooled can be especially easy to fool.

8:

"In short, if it's important, use https, ssh, or sftp."

This is more subtle than that; something like this can manipulate theoretically low-value data with potentially high-value consequences.

In America it's very blatant that "news channels" are biased, with Fox News being the shining example of this (while under the banner of "fair and balanced"). Rational people try to take the bias of the source into account, research multiple different sources and so on. A device like this could manipulate a right-wing biased news service so that it looks like it's supporting a left-wing agenda. What do you do when every news story about a specific topic is biased because your internet access has been manipulated? This could be used to manipulate public opinion into supporting government policy, for example.

Not that I think this will scale beyond very small targeted attacks (central government can more easily control ISPs than subvert every household!) but the possibilities are there...

9:

Your link is broken but I bet I know which article you're talking about, the one about the "long nightmare of peace and prosperity" finally being over?

11:

Not that I think this will scale beyond very small targeted attacks (central government can more easily control ISPs than subvert every household!) but the possibilities are there...

To quote "Rule 34", ... "The twenty-first century so far has been a really fucking awful couple of decades for paranoid schizophrenics".

12:

This thing still needs to be able to join the WiFi network. I don't think WPA2 has known weaknesses so far; a wired link (without 802.1x or ipsec) would be easier to attack.

There's a lot of criminal stuff enabled by physical access; skimming for example.

13:

Maybe a story like this will persuade more people to use signatures and encryption. Sure, you still need to acquire the public keys from a safe source but you're cutting the scope of attack for a man in the middle to just that initial key transfer instead of the majority of traffic.

14:

...and the government could still mess with the website operator in meatspace, of course.

15:

But is freedom even the done thing anymore?

16:

Plant these in the homes of young muslim males who hang out at the wrong mosques, crank up the volume of hateful news, and see who snaps

From news stories about e.g. satellite tv channels and the sermons in some (local) mosques, it seems it would be hard to make more extreme conspiracy theories (TV series based on the "Protocols of Zion", calls for revenge on blasphemers, etc).

The fascinating thing is... am I paranoid, because I half-seriously wondered if I was the victim of conspiracy propaganda, while writing the previous paragraph? :-)

17:

Which organization with IT personnel worth their money runs their wireless without both 802.1x and WPA2? (The wired part is usually more susceptible to attacks from unauthenticated machines than is wireless.)

18:

ARP spoofing works because when the victim broadcasts an ARP request to the local network — "What is the MAC for this particular IP address" — it has no choice but to trust the first reply it gets. Hence, if the device can send its custom ARP packet to the victim, when it asks for the IP to the gateway router, it can reroute all outbound traffic to the internet. Do the same to the router, and it has both inbound and outbound traffic.

A few things to note about this sort of attack:

  • It will work against wireless networks (from the carpark, or the cafe on the bottom floor of the building)
  • It will also work against wired networks (though you need physical access to the network, that's not as hard as you'd think)
  • ...even if they use switches rather than hubs

It can be mitigated with various techniques — monitoring, seeding machines with static arp tables, various switch level security techniques, but they all trade away a fair amount of the plug and play convenience of ethernet and wifi.

It's also worth noting that while a lot can be done with this sort of man in the middle attack — snoop for plain text passwords, rewriting DNS look ups, rewriting URLs to point to phishing domains — it can't beat good end to end encryption if trust for each end has been established by other channels.

(Of course, people screw that up all the time. Hands up, ssh users, if you've ever accepted a host's key fingerprint without verifying it...)
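An added example (the editor's, not from the post or any of the comments) that makes the ARP exchange in the comment above concrete: it builds the Ethernet/ARP reply the plug would send ("192.168.1.1 is-at <plug MAC>"), then runs the passive conflict check a sniffer on the same segment can apply, the same idea as arpwatch. All MAC and IP addresses are constructed. Pinning the gateway's real MAC on the monitoring side is the "static ARP table" mitigation mentioned above, and it matters because first-seen learning on its own is poisoned if the spoofer happens to speak first.

```python
"""Added example (the editor's, not Newstweek's): build the Ethernet/ARP reply an
in-path device sends, then run the passive conflict check a sniffer on the
segment can apply.  All MAC/IP addresses are constructed for the example."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(o) for o in b)


def mac_str(b):
    return ":".join("%02x" % o for o in b)


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP message (RFC 826 layout).
    dst_mac overrides the Ethernet destination (broadcast for requests)."""
    eth = (dst_mac or target_mac) + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp(frame):
    """(op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28], frame[28:32], frame[38:42]


class ArpWatch:
    """Passive check: remember the MAC each IP first claimed (or a pinned MAC for
    known hosts such as the gateway) and flag any reply that contradicts it."""

    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})     # ip -> known-good mac
        self.first_seen = {}                 # ip -> mac learned from traffic
        self.claims = defaultdict(set)       # mac -> set of IPs it answered for
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return
        _, smac, sip, _ = parsed
        self.claims[smac].add(sip)
        # First-seen learning alone can be poisoned if the spoofer speaks first,
        # hence the pinned table for the hosts that matter most.
        expected = self.pinned.get(sip) or self.first_seen.setdefault(sip, smac)
        if smac != expected:
            self.alerts.append((ip_str(sip), mac_str(expected), mac_str(smac)))

    def multi_claimers(self):
        """MACs answering for more than one IP: one box posing as both ends."""
        return {mac_str(m): sorted(map(ip_str, ips))
                for m, ips in self.claims.items() if len(ips) > 1}


# Constructed addresses for the demo segment.
GW_MAC, GW_IP = mac("00:11:22:33:44:01"), ip("192.168.1.1")
PC_MAC, PC_IP = mac("00:11:22:33:44:02"), ip("192.168.1.10")
PLUG_MAC = mac("de:ad:be:ef:00:01")


def demo():
    """Feed a legitimate exchange followed by the two forged replies; return findings."""
    watch = ArpWatch(pinned={GW_IP: GW_MAC})
    frames = [
        arp_frame(ARP_REQUEST, PC_MAC, PC_IP, b"\x00" * 6, GW_IP, dst_mac=b"\xff" * 6),
        arp_frame(ARP_REPLY, GW_MAC, GW_IP, PC_MAC, PC_IP),      # genuine gateway answer
        arp_frame(ARP_REPLY, PC_MAC, PC_IP, GW_MAC, GW_IP),      # genuine PC answer
        arp_frame(ARP_REPLY, PLUG_MAC, GW_IP, PC_MAC, PC_IP),    # forged: gateway is-at plug
        arp_frame(ARP_REPLY, PLUG_MAC, PC_IP, GW_MAC, GW_IP),    # forged: PC is-at plug
    ]
    for f in frames:
        watch.feed(f)
    return watch.alerts, watch.multi_claimers()


if __name__ == "__main__":
    for alert in demo()[0]:
        print("ARP conflict: %s expected %s, got %s" % alert)
```

On a real segment you would feed `ArpWatch.feed` from a raw socket or pcap instead of the constructed list; the two signals it reports, an IP whose MAC changed and one MAC answering for two IPs, are the "duplicate ARP responses" a sniffer on the network already sees.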

19:

If it's that important -- don't use https. Https protects low value sites, like say banks. Sites that aren't valuable enough to justify the expense of stealing/buying private keys from the certificate authorities.

But if you're a political dissident or a CEO in conflict with Other Powers, https is asking for trouble. Your enemies have got the keys and can write their own certificates.

20:

What Jon Swanson@5 said. Single-ended TLS deals with this quite nicely--as long as the user is vigilant about listening to the browser when it freaks out about invalid certs. But this would be a great Fiendish Plot for all the CA vendors. News organizations and bloggers now all need certs, which aren't exactly cheap.

The real problem with this is that it's potentially the end of free public wifi. The more pernicious form of this gadget has a battery and a sticky back. For really effective, annoying vandalism, just wander through your favorite airport (or hotel, mall, starbucks, whatever) gluing these things under seats, counters, desks. As long as you've configured the proper SSIDs for the environment, you can mount a DOS attack that's very expensive to clean up.

I wonder: does secure DNS fix this?

21:

It's not completely dangerous yet. It still sticks out from the wall. In the US at least, a power socket fits into a hole in the wall which is about 5 cm by 10 cm, and maybe 6 cm deep, so there's plenty of room for a computer which mimics a wall socket and fits completely inside the wall. Thus configured it would be completely unnoticeable. Older socket holes are lined with metal, which might cause some problems for the wifi, but the newer ones are made of plastic.

22:

Public open wifi has always been woefully insecure. Hell, secured wifi has a pretty poor track record, too. Which is why you need to use higher level protocols that offer cryptographic privacy over untrusted networks, and use them properly. For casual browsing, this probably won't matter much.

It is possible to use the same sort of ARP spoofing attack to deny service, but I suspect it would be cheaper to build a device that vomits out interference over the frequency band that wifi uses. File under the thousands of other things annoying pricks can do to make a public nuisance of themselves.

Secure DNS (of whatever form) can't fix this problem — ARP is lower down the protocol stack — but it can at least protect you from trivial DNS cache poisoning. It probably doesn't matter, as an attacker would likely rewrite URLs to send victims to look alike phishing domains, instead.

23:

Installing a version of the gadget that replaces a wall socket by fitting in the wall might be a bit difficult.

However, there's a cracking disguise available: just disguise it as an iPad charger by giving it a USB power-out socket and an Apple logo. If you're lucky someone will even plug their toy tablet into it! It can be exactly what it looks like at the same time.

24:

The DHS and DoJ have historically been able to get any degree of cooperation they want from both US ISPs and certification authorities.

The Americans wouldn't need a device like this to create new fake terrorists as they could easily get any ISP to manipulate connections as the traffic passed over their network.

In no case would SSL help, however, as various CAs have been caught issuing fraudulent certificates to the American government to facilitate MITM attacks on encrypted traffic for criminal investigations. One can assume the CAs would be just as willing to issue forged CAs for illegal government work, as well.

NewsTweak would be very useful for private parties and other governments. The Americans, however, would have no use for it.

25:

SSL certificates are only as good as the security of the organization issuing them. However, if they realize that they have issued bad certificates, they can revoke them and the browser can check the revocation list... unless someone intercepts the request, say via ARP spoofing:

http://www.imperialviolet.org/2011/03/18/revocation.html

26:
Installing a version of the gadget that replaces a wall socket by fitting in the wall might be a bit difficult.

That really depends on how much effort an adversary were to put into custom hardware development. American electrical boxes are huge--295cm^3 or more for a single receptacle or switch. NewsTweak hardware could be fitted readily into a custom built light switch mounted inside a standard electrical box.

NewsTweak could also masquerade as a surge suppressor mounted in an electrical panel. Volume available here is quite substantial.

27:

Bruce Schneier, if read, would indicate that ssl with a payment is rubber hosed and compromised, making ssl open to interception since $evil_thing has the key as they cooperate.

Comodo also proves that many ssl issuers are pretty retarded.

28:

What's the deal with Comodo?

29:

In the US replacing the wall socket is very easy. Six screws to remove and replace. If you're breaking into someone else's house to install bugging/nasty stuff, it's maybe an extra 15 minutes. The worst problem would be a color match for the faceplates.

Your idea about the socket disguised as an Apple charger is pretty scary. How do you know they're not doing it already?

30:

That router needs 5W to run; 1.5A of 3.3V. Why make this plug in? Seems to me it’d be trivial to build into a thick Frisbee-style disc with a solar panel on top. Network penetration by tossing a toy on a roof.

31:

Except for the fact that there's live mains current in there, which can and will kill you. So it's fine to replace the outlet if you've got a bit of time and the right equipment, and you're a competent electrician, or you can somehow contrive to turn the power off. In the wall-wart design you can plug it in and go, no special equipment necessary -- in and out in under 30 seconds, with a ready-made excuse.

32:

In the UK in many cases shutting power off is trivially easy. The meters and company fuse/master switch (and in many cases the master distribution board for the property) are accessible from OUTSIDE the property, secured by nothing more than a recessed turnbuckle. No security at all - just use needle nosed pliers. This is to allow the meter to be read without disturbing the owner/occupants.

Add the right set of overalls, and fifteen minutes with a decent DTP program gives you ID and no suspicions raised about your toolbox. You can do it in occupied premises: ten minutes to fit the device and twenty sticking meter probes into random items and making notes on a PDA, and no one will even remember your face. They'll think themselves lucky that EPower hasn't charged them for the visit.

33:

Why would it need 3G? Even if it's behind a NAT, we know it can poll outward (else no one would be able to see the news articles it's rewriting).

People running sniffers on the network might notice the traffic, but that's easy enough to disguise, and anyway, the duplicate ARP responses are already visible if you're looking.

34:
the reason why Serious People use two-factor authentication instead of passwords

RSA SecurID tokens didn't help Lockheed-Martin (or any of the US military-industrial corporations that haven't yet admitted they were hacked) prevent a break-in attempt that resulted in shutting down most of their intranet and all of their external VPN connections for more than a week, and having to issue thousands of new tokens. Any existing SecurID token is now suspect, and we (the public) don't know what the target of the Lockheed hack was, so it's difficult to know who else might have been hit. Sure the hackers may have been after military aircraft design specs, but remember that L-M supplies IT services to large segments of the US government, so they may have just been the next link in the chain, with some government agenc{y,ies} the real target. They say they thwarted the break-in before anything sensitive was stolen, but I don't know that I believe them.

35:

The US is a puny 120VAC, so I hear. Given that I've been bitten quite a few times by our 230VAC and lived, screwing up in the US seems a lot safer. Just don't sweat it...

36:

Any speculations on the Lockheed hack? I assume it was either Russia or China, although I would not rule out France or Israel. Are Lockheed doing anything interesting as far as sales or bidding go? I would guess that their key skunkworks stuff is not connected to the Net at all so it's more likely to be commercial espionage.

37:

When I was in China, I discovered that even though I was using a VPN, I was not getting connected to twitter correctly. It turned out that my computer was still using DNS addresses supplied by the hotel network. I had to set my DNS servers to 8.8.8.8 and 8.8.4.4 (servers that google maintains) to resolve the twitter.com address properly.

Then I remembered an old news story that said for several months, Chinese users trying to connect to google.cn were being directed to baidu.cn instead.

38:

The problem with getting shocked by US house current is that 60 Hz is optimum for causing your heart to fibrillate. Hospitals spend a lot of time testing their patient connected equipment to make sure that it allows a leakage current of no more than 10 microamps. In particular ECG equipment contains an elaborate isolated front end to protect heart patients.

Also, look up Edison's campaign against Tesla's AC carried out by demonstrating electrocution on various animals.

39:

This kind of gadget doesn't even need to be in the same house. It doesn't even need to be in a house.

It's not usually even necessary to crack WEP/WPA/WPA2 to get onto a wireless network since passwords are more often poor/guessable than not. Wired networking has no authentication; the router's password is probably even more guessable.

Ultimately there is little protection from a dedicated adversary. All software, firmware and even hardware is full of security holes by nature. Spies are probably sitting on a library of 0-day exploits for just about everything. To some extent gadgets like these aren't really necessary.

I guess it's just a cheaper, easier way to do what's already happening.

40:
Given that I've been bitten quite a few times by out 230VAC and lived, screwing up in the US seems a lot safer.

120vac will make anyone very dead very quickly under the right circumstances. Electrical fatality statistics demonstrate this very well.

Anyone competent installing something into an electrical box would either use insulating gloves or turn the power off to the box in question. Both options are quite easy.

When I was in China, I discovered that even though I was using a VPN, I was not getting connected to twitter correctly. it turned out that my computer was still using DNS addresses supplied by the hotel network.

It's very bad practice for VPN users not to tunnel their DNS queries through the VPN. You found one reason why, but there are also others.

41:

The problem is that I'm one of those people who would notice a strange wall-wart and immediately become suspicious, so anyone who put one of those in my premises would have bad troubles almost immediately. (Of course I don't use wireless in my house. I don't trust wifi for anything but the most trivial surfing.)

I like Eric's "frisbee on the roof" idea. I'd probably just ignore that. Or someone who was really bright could paint a frisbee the same color as my roof tiles and I'd probably never even notice the damn thing.

42:

Dastardly. You could argue that provoking young Muslim men was entirely justified---after all, you only lied to them, they were the ones who went out and committed crimes because of it.

43:

I haven't seen any speculation that had any logic or facts attached. The Wall Street Journal reported that "Chinese hackers stole terabytes of secret information", but I suspect they only said that because they just learned the word "terabyte" and wanted to use it in a story. L-M denied the WSJ report, but you'd expect them to do that no matter what actually happened.

Also, the Australian government is upset about the break-in: they've ordered a bunch of F-35s and they appear to be afraid that the hack was aimed at them, though I don't quite understand why. And all of L-M's competitors have refused to say whether they were attacked.

From the way that L-M and the DOD are talking about this, I gather that this was a really sophisticated exploit (not just that they used the SecureID codes they stole, but it sounds like they didn't trip any alarms until they were starting to pull stuff out, though no one will actually say that). My guess is no one knows as yet just how successful it really was. And until they figure out what these guys are really after, it will be very difficult to pin the blame on anyone.

And don't expect anyone who's been targeted to tell us what's going on anytime soon.

44:

Read some of the news stories about how the FBI handled the "Christmas Tree Bomber" in Portland, Oregon (my home town, so I've been following the case). It took months of egging the suspect on for the FBI to convince him to agree to the attack, and when they arrested him he still hadn't actually done anything but make plans. All of the other people involved in the "plot" were FBI agents.

45:

How about an LED lightbulb as a disguise? Maybe even give it to the mark as a free sample.

46:

The flip side of this sort of hardware hackery: it's not anonymous any more.

Sure, you MIGHT slip in and out of somewhere and do something clever like this and not get caught - but if you do get caught, it's a long time to spend in jail for ten minutes of funny.

...so the people who will be trying this sort of thing seriously will be going after the big score - which also means they're going to have to deal with better physical security. Many of the newer buildings are a pain to get signals into and out of anyway - it murders cell phone coverage when they coat the outside windows with a few molecules of copper or some other conductor. A lot of people are reading the old TEMPEST books and applying them to their data centers and places of business.

To get past a decently-run setup, you have to have the sort of physical access that comes with, well, being the sysop of the place to begin with, so you don't need to do the funny stuff...

47:

Sorry Charlie, but you aren't even nearly paranoid enough, when it comes to dealing with religious nutters, especially.

You really don't need "planted" news to make religious believers go doolally, as previous posters referring to "the Onion" have pointed out. And you may have missed This vile group of (muslim) whack-jobs who attempted to murder a schoolteacher, because he taught comparative religion.

So @ 42, it is un-necessary. Some (already brainwashed) "young muslim men" will do it anyway - as in "Voting is un-islamic". And, yes, I really have seen that one.

48:

This device is first generation and so of course it's bulky ... remember how big mobile phones were in their first generation.

It seems to me that the, let's say, third generation device could be incorporated into the molded mains power plug that you find on any household device.

At the mass production level all that Blofeld Inc. International needs is control over factories that produce the molded plugs for standard household devices and it could then set out to Rule The World ... " 'Ve ave been expecting you Mr Bon.. er, Stross. "

49:

I haven't seen anyone answer this yet, so I will do so now

Spoof attacks like this can't sidestep DNSSEC, any modified DNS answers provided by the device will either be unsigned or the signature will be incorrect. So a device with valid root keys baked into it can determine from first principles whether it is getting true answers and alert the operator if not.

You can use DNSSEC to bootstrap to SSH server keys (the OpenSSH implementation supports this feature right out of the box), and SSH tunnel out to somewhere safe for any otherwise unencrypted transmissions or to verify DNS answers for names not yet protected by DNSSEC.

DNSSEC has the pleasingly intuitive property that the answers for www.antipope.org can only be interfered with by the root, by those controlling .org, and those controlling antipope.org. Unlike with CAs where say, an Italian bank can issue a certificate claiming to be the US DoD.

50:

Did anyone read the first Hackaday article yet? ("our previous coverage of...") The comments, especially.

The interesting thing about this seems to be not that Nefarious People Can Steal Your Mind, but that a couple of art hackers can throw it together as a commentary of how easy it is to manipulate what people read. IMHO, of course.

What'll happen when my phone can manipulate the news you see on your phone? (Or when Anonymous does it to everyone, distributed-flash-mob style?)

Or alternatively, as someone said in the comment thread, when someone plugs one of these in at the stock exchange...

51:

After a quick bit of measuring, if you were mounting a device into a UK double socket, you'd have about 5"x3"x2.5" less the space you need for the power pins if it was mounted in a brick or stone wall. If you were going into drywall you still need the 5x3 form factor frontage, but you've suddenly got more like 4" of depth since you no longer need the back wall of the box. Power is obvious, and there are solutions for using a 2sqmm section copper wire as an antenna...

52:

The makers of these devices are missing a trick by using wifi. A lot of people (myself included) have realised that in older houses, wifi is sluggish and unreliable; ethernet over power cable is much more effective, and somewhat more secure, too. Were such a device built into these mini-computers instead of wifi, they would make much more effective devices.

53:

It doesn't need to get inside DNSSEC; unless all your web traffic goes over SSL it can tweak what you're reading.

I run Firefox with HTTPS-Everywhere; nevertheless I think we're getting a little bit ahead of ourselves in hoping for a 100% encrypted internet! (For one thing? Wikipedia and Google over SSL are sluggish. For another? It's still a minority pursuit: imagine if everyone was doing it ...)

54:

Ethernet over powerline is a minority pursuit in places where mains voltage is 230 volts -- not only do you risk frying your computer, you risk frying yourself.

You'll note the demo hack used Euro plugs, implying something about the locale of the hackers in question ...

55:

Comodo is that firm who issued skype and twitter ssl certs to some Iranian 'by accident'.

56:

Perhaps so - but note the plug type visible on http://en.wikipedia.org/wiki/HomePlug_Powerline_Alliance . I see no particular reason why such a plug should be any riskier than the power brick you're using for your docked laptop.

58:

Something like this, being done by "ordinary" hackers, means that there is now an excuse for a government to deny they used a gadget such as this one.

Stuffing the same gear into the wallbox behind the power socket suggests something more organised.

59:
To get past a decently-run setup, you have to have the sort of physical access that comes with, well, being the sysop of the place to begin with, so you don't need to do the funny stuff...

Or being the janitor.

Those guys have regular access to many otherwise secured spaces, often at hours where their actions are unlikely to be observed. It matters somewhat less how hard it is to get a signal out of the building if you can arrange to be three feet away from the transmitter every evening at 8:30 PM...

60:

FYI: It's apparently 'Newstweek', not 'NewsTweak'. From the logo it looks like a deliberate reference to Newsweek magazine (newsweek.com).

61:

The oligarchy's wet dream will be that functionality on a chip whose stated purpose is to render unplayable any media that they're not getting paid for, anti-piracy, you know, and the chip will be required on any new motherboard.

62:

Curmudgeon @40: It's very bad practice for VPN users not to tunnel their DNS queries through the VPN. You found one reason why, but there are also others.

So true. If your VPN is high profile enough, someone might bother trying to steal the net's private keys. Most of the time a simple cost-benefit (or damage-risk) analysis will yield that you're safe enough.

bruce @43: L-M denied the WSJ report, but you'd expect them to do that no matter what actually happened.

What? You think they'd LIE?

Charlie @54: Ethernet over powerline ... not only do you risk frying your computer, you risk frying yourself.

I disagree. It's not less safe than any other device with a built-in power supply (obviously it isn't any safer either).

bellingham @56: "..."

Since it's almost but not quite the same thing I said I'll leave my 2¢, too.

63:

Charlie D. @59: Or being the janitor. Or anybody else with a grey jumpsuit, a toolbox, a ballpen and a work order pad ;-)

64:

Power is obvious, there are solutions for using a 2sqmm section copper wire as an antenna...

Ah! The irony of having that comment followed by a comment suggesting ethernet over power cable. It's much harder to not piss your signals all over the ether than, if you have power to spare, to get something that will do for an antenna. Leaving aside how un-neighbourly it is to do anything as senselessly polluting to radio spectrum as powerline communications, anybody who cares about keeping their private network private would do well to avoid using power lines for data. Granted, an adversary would still want physical access if they needed to inject packets into your network, but they can easily listen in on whatever you put onto it.

On the other hand, whereas I do see the mischief potentially caused by something like NewsTweak, I see it more as an inherent risk of relying on a single channel for access to the outside world. Getting some diversity in communication channels (e.g., things like having your bank require a reply from you to an SMS message they sent, to confirm details of a transaction initiated over the internet) makes a man-in-the-middle attack much harder. I doubt I'm interesting enough as a target to have much to worry about, personally; I've settled for what the bank gives all their internet banking customers. But for anything really important, I wouldn't ever trust any single channel for both message and authentication.

65:

You mean, "Mr Howard," of course.

66:
What? You think they'd LIE?

No, of course not. They're just managing their stockholders' expectations. </snark>

67:

This thing still needs to be able to join the WiFi network. I don't think WPA2 has known weaknesses so far

But I suspect that the majority of public wireless access goes by either no security or things like any AT&T device can get on without a log in. Which means the device needs to put up a fake MAC plus maybe a few other bits.

People are already being scammed by fake AT&T hot spots since their device will latch onto it when it sees one.

68:

Older socket holes are lined with metal, which might cause some problems for the wifi, but the newer ones are made of plastic.

Uh, no. It's a matter of choice. Many outlets are still installed with metal boxes. Many.

69:

However, there's a cracking disguise available: just disguise it as an iPad charger by giving it a USB power-out socket and an Apple logo.

Naw. Too likely to be turned in as lost or just taken. Make it look like a portable surge protector. One that plugs into a standard wall outlet and gives you "protected" power. :)

70:

120vac will make anyone very dead very quickly under the right circumstances. Electrical fatality statistics demonstrate this very well.

I'd like to see those stats. There's a difference here between someone touching the hot leg of a 120V line and someone grabbing said hot side while standing in water or holding onto a water pipe or whatever.

240V is somewhat more dangerous but this is not a slam dunk.

Especially if they are a heavy smoker. This tends to restrict the blood flow to extremities and makes their skin much less conductive. My father would test to see if a circuit was live by just touching it. 3 packs a day.

71:

Regarding 230V power lines and their lethality... people usually survive them okay.

But if you make a mousetrap where you splice open a power cable, electrify a dust pan(for bonus points, wet it with salt water), then put food onto a live wire and suspend it a little over the pan..

Works like a charm, although sometimes the mice catch on fire and get too crispy to be eaten.

72:

Ethernet over powerline is a minority pursuit in places where mains voltage is 230 volts -- not only do you risk frying your computer, you risk frying yourself.

I really don't understand this. And I know a little about electricity. There's a transformer in the device and it takes Ethernet in and modulates it into a high frequency signal that travels over your house wires. Other lumps listen for said frequencies and demodulate them. Lots of details in the microchips but how does 120V vs 240V affect any of this?

73:

240VAC will not give you much of a shock if your fingers are dry. I suspect there are fewer electrocution deaths in winter than in a hot sweaty summer. The best fun was when I had to make up a lead with a power plug on each end. Several times I ended up throwing it into the air after forgetting.

74:

Except for the fact that there's live mains current in there, which can and will kill you. So it's fine to replace the outlet if you've got a bit of time and the right equipment, and you're a competent electrician, or you can somehow contrive to turn the power off.

It is not hard at all to swap out a STANDARD electrical outlet (at least in the US) while it is live. And 120V isn't very likely to kill anyone who just touches the hot leg. But even so there isn't much reason to get shocked unless you're careless. Or maybe working in one of those shallow boxes where the original guy doing the wiring didn't leave any pigtails to speak of.

Now doing this while buck naked on a damp concrete floor while drinking a Bud, well that's dangerous.

75:

Is this not a form of changing history? Happens all the time. Do you really think you are not already a victim of propaganda? How can you tell. Most of what's found acceptable is what others you know think. As for personal scary stuff, what about phone boxes. Plug into an outside one and call a Fed Judge and the phone owner will have some spanking to do. "60 Hz is optimum for causing your heart to fibrillate" is news to me but a lot of things are. Why not 50? I read of a guy who did it with pins in his chest and a 1.5 volt battery. Skin is a very good insulator and the juice "usually" runs on your sweat, not into your body. 110, 220. AC or DC, relax and don't let the juice run across your chest. It may wander there anyway, so use one hand and don't ground yourself. Here, with 110, electricians will ground out one hand to see if the wire is live. Old time Moslems and Jews did not vote. They followed the same Book and the Priest said what the Law was. No voting. Most that was not mandatory was forbidden. That's why it is so dangerous to go to a poll. You are not doing what the Book says and that's blasphemy. Maybe they would be easier to get along with if the Mongols had not killed all they could catch. The populations are still lower in places thanks to the destroyed irrigation systems. The ones that lived were the hardest core. Old time Christians were fast with a rock before there were Moslems.

76:
I don't think WPA2 has known weaknesses so far;

WPA2 Personal, which is what I use on my home WiFi net, closed to unlisted MAC addresses, can be spoofed, but it's a lot more work than your average wardriver is willing to do; my neighbors on either side have open networks so they tend to lower the temptation mine presents. WPA2 Enterprise, which uses a (theoretically separate) RADIUS authentication server AFAIK is as secure as the CA which issues the certificates (and that's not a small problem given how lax some of the CAs have been). But let's face it: no security is proof against sufficient desire and means. The best you can do is make it difficult enough to break in that the people who are likely to want to are not the ones with the means.

78:

The claim that "various CAs have been caught issuing fraudulent certificates to the American government ..." is not proven, to my knowledge (and I am a researcher working in exactly this area). There is circumstantial evidence suggesting that fraudulent certificates are or have been issued to law enforcement organizations (in the US and elsewhere), but nobody has (again, to my knowledge) directly observed such a certificate coming over the wire. If you know of a direct observation, I would love to hear about it (email and PGP keys are on my website).

79:
Here, with 110, electricians will ground out one hand to see if the wire is live. Old time Moslems and Jews did not vote. They followed the same Book and the Priest said what the Law was. No voting.

d brown, Bwana, Sir! What are you, and what are you on? Last time I saw someone participate in conversations with this kind of breakneck twists, the weird and hard to understand poster turned out to be a chat bot.

(See here and here for the conclusion; he/it had been posting for months, confusing people before being found out.)

And for the love of Baby Chthulthu, paragraphs.

80:
Hoax

Pff, as if we'd believe you hadn't even read the Hackaday articles.

"... but now there’s a great walk through and it seems our doubts about this project were disproved."
"In our previous coverage of the Newstweek, we couldn’t decide if this was a social commentary art project, or a real device. It looks like it’s both now."

81:

That's a daft plan, you're just making a dangerous trap for yourself.

82:

I said "there are solutions for using 2mm section copper wire as an antenna". I did not say that I was advocating ethernet over power cable. In fact I wasn't; I was thinking of using the wire as a radio frequency aerial.

83:

Actually, WPA(2) can be cracked. But it is harder than WEP. (On the network I administer I put the wireless network outside the firewall, and users have to VPN into the main network).

84:

"paragraphs" get wiped out when it is posted. It really po's me, but that's the way it is.

85:

Works for everyone else.

I wonder what you're not doing.

86:

Some investigation of OS and browser/device may be needed?

It could be some strange incompatibility, like how I'm stuck with a Cheeznet posting name (I have tried using variations on my real name, and they never seem to arrive at Charlie's server; it's not even showing them making a moderation queue, ever).

87:

After I first heard about this, I cooked up a script to almost-imperceptibly scramble the semantics of Google News stories. I generate nightlies of cooked news now: see if you can figure out which stories are legitimate. This kind of semantic scrambling is both easier and more subtle than actively turning up the flow of particular types of news, but its effects are less easy to predict. All I did in that script was swap some of the names involved in many of the news stories.

88:

Actually, the US DoD operates its own root certificate authority for just this reason.

My beef with SSL certificates is that the system as currently set up is a complete fraud: to get a certificate costs significant $$$ for what is basically a few seconds of CPU time to generate and sign a new public/private key pair, while the certificate authority does nothing to validate that you are actually trustworthy / you are who you say you are except to ensure that your credit card transaction clears. I don't think they even validate that you own the domain you say you own.

For certificates to have real value, the CA should provide some actual service to back up that certificates are issued to a legitimate individual or organization, along with some kind of legal liability for issuing certificates that contain fraudulent information.

89:

I did not say that I was advocating ethernet over power cable. In fact I wasn't; I was thinking of using the wire as a radio frequency aerial.

I completely agree that using the wire as an antenna would be the way to go (unless the wire runs inside a metal duct, use the metal duct in that case). Reading your comment together with the next one, by Dan Holdsworth at number 52, was what triggered my mini-rant about powerline communications. In retrospect, I might have made it more clear that I was commenting on the juxtaposition of the two comments rather than on your comment itself.

90:

I'd like to point out that most Ethernet switches sold in the last 10 years or so have anti-ARP-spoofing capabilities built in - one must enable them, of course, but once they're enabled, it's no longer an issue.
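The switch-side protection the comment refers to has a host-side counterpart: watching ARP replies for an IP whose MAC suddenly changes, the observable side effect of the spoofing Newstweek relies on. The following arpwatch-style check is an added example, not the commenter's code; every address in it is constructed.

```python
"""Added example (not from the original comment): a simplified arpwatch-style
check that flags ARP spoofing from a stream of observed ARP replies.
Complements switch-side anti-ARP-spoofing features rather than replacing them.
All addresses below are constructed for the demonstration."""
from collections import defaultdict

# Constructed sample of ARP replies seen on a LAN: (seconds, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (0, "192.168.1.1", "00:11:22:33:44:01"),   # the real gateway announces itself
    (1, "192.168.1.20", "00:11:22:33:44:20"),  # an ordinary client
    (2, "192.168.1.1", "00:11:22:33:44:01"),   # gateway again, unchanged: no alert
    (3, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a new MAC
    (4, "192.168.1.20", "de:ad:be:ef:00:99"),  # same new MAC also claims the client
]


def detect_arp_anomalies(replies, gateway_ip):
    """Return a list of (seconds, kind, detail) alerts, in observation order.

    kind "flip":  an IP previously bound to one MAC is now claimed by another;
                  a flip of the gateway IP is the classic man-in-the-middle sign.
    kind "multi": a single MAC is claiming more than one IP in the sample.
    """
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed so far
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            tag = "gateway " if ip == gateway_ip else ""
            alerts.append((t, "flip", f"{tag}{ip} moved from {known} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((t, "multi", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    # Expected: a gateway flip at t=3, then a client flip and a "multi" at t=4.
    for t, kind, detail in detect_arp_anomalies(SAMPLE_REPLIES, "192.168.1.1"):
        print(f"t={t}s {kind}: {detail}")
```

On a real host the reply stream would come from a packet capture; a legitimate gateway replacement also produces a "flip", so the alert is a prompt to check, not proof of attack.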

91:

I've had similar problems on various blogging platforms. You might try starting your paragraphs with the html <p> tag and see if it helps. If that doesn't work, try ending your paragraphs with <br> <br> (which is two carriage returns in a row.)

92:

Will do, thanks

93:

It worked!! Once.

94:

Well, a good reason to get a VPN set up. Of course you eventually have to trust someone...

Really, this technique looks good for pranks, but all the real scary stuff can be accomplished with Firesheep. I already use HTTPS myself on all the sites I log in to (and care about) due to that extension.

95:

Charlie, I thought about exactly this. I wanted a socket on the back of the SheevaPlug for exactly this reason. (No, I wanted six sockets, so it looks like: http://www.amazon.com/dp/B000H5Y99Q/ref=asc_df_B000H5Y99Q1583987?smid=A1L3CQ37JES30&tag=dealtimemp2-892-20&linkCode=asn&creative=395105&creativeASIN=B000H5Y99Q)

Almost two years ago, I went to give blood. I was sat down at an insecure PC that was to ask me whether I'd engaged in dangerous activity recently. Right in front of me was Canadian Blood Services' entire network. Not only was I alone in the room (to have privacy), but the outside parking lot was only 6 inches of brick away (think wireless).

I blogged about it here: http://www.sandelman.ca/mcr/blog/2009/08/24#canadian_blood_services_new_interview_system_a_

It has not, to my knowledge, been fixed. I did get a call from their IT people, but I don't think in the end they sorted it out.

About this Entry

This page contains a single entry by Charlie Stross published on May 30, 2011 12:15 PM.
