SecurityTag Archive -

Google: time to start being a little evil

I was reading an article over at The Register, an excellent tech news site (don’t forget to check the BOFH!), that explains a plan by Google to use a microphone connected to your PC to record the ambient sound, extract information about what you are watching on a nearby TV, and then deliver targeted advertising to you based on your selection. I wonder what would they deliver if you are a horror movie fan, or if you are watching Sir David Attenborough’s nature documentaries…but I digress.

In my book, this is plain and simple espionage. There are laws in some countries (also at state level in the U.S.) that govern wiretapping and conversation recording; in some cases, recording as long as you have the consent of one of the parties involved is OK, in others it is just plain illegal. Of course, Google would argue that they do not send the actual sound anywhere, but only a mere derived “signature”. Jim Atkinson’s tscm.com site has some really good information on the subject, as he has been dedicated to hunting down the spies for decades.

All this brings me to a new subject, which is the amount of information that Google may already be collecting about you – personally. Do you have a Gmail account? Do you know about something called Google Analytics? Some of you will have already put two and two together (answer is not three). Gmail's privacy statement mentions:

Google scans the text of Gmail messages in order to filter spam and detect viruses, just as all major webmail services do. Google also uses this scanning technology to deliver targeted text ads and other related information. This is completely automated and involves no humans.

OK, so they have the contents of every email you send and receive, classified in terms of what sort of things you may buy if they present you with targeted advertising. On the other hand, Google Analytics is a statistics tool widely used by people and companies to track usage of their websites with a great deal of precision. Information collected by Analytics includes the IP addresses of visitors, every action they take, and every navigation path they follow.

Now, combine the two bits of information common to your Gmail account and somebody.com’s tracking data of your browsing session – the IP address used to send the email, or to browse the site. It can be argued that in many cases these IP addresses can be dynamic, or belong to a large organization behind a proxy – but hey, Google is now potentially handling millions of bits of statistical data, so they could eventually learn a great deal about what you do online. Now they only need to know what you are watching on TV, and your assimilation will be complete. Resistance is futile.

Can anyone say separation of powers? If you are really concerned about your privacy, you probably know what this will do, once placed in your hosts file:

# [Google Inc]
127.0.0.1 www.google-analytics.com
127.0.0.1 ssl.google-analytics.com

If you don’t, then welcome to the era of privacy deprivation.

[Edit: I have changed the post's title, as it looks like the strike tag was causing problems with indexers...sigh]

Downloading music over the SGAE's WiFi

The SGAE (Sociedad General de Autores y Editores, or General Ass. of Authors & Editors) is Spain’s equivalent of the RIAA. I was rather amused by this video, where a couple of members of a TV show attempt and succeed at connecting to the SGAE’s WiFi network (it had no encryption enabled!) and downloading music – allegedly pirated. They then add an extra twist by actually walking into the SGAE’s offices and asking to see someone, laptop in hand, saying they have just had an attack of good will and want to turn themselves in…

The audio is in Spanish, but you will get the general idea even if you don’t understand the talk. My opinion is that they shouldn’t have done this, as connecting to WiFi networks without the owner’s permission is illegal in most countries, Spain included – so they have actually provided potential prosecutors with a perfect piece of evidence.

Microsoft Un-Wired – making WiFi easier to use?

I read a couple of days ago about an initiative by a small team of Microsoft coders to create a tool that will make managing WiFi connectivity easier, with features such as bookmarks, network management, a hotspot locator, and interestingly, a VPN solution.

On the surface, it looks like hotspot directories JiWire or WiFi411, but the VPN is what interests me. Currently, this is an expensive add-on service offered mostly to business users to secure their traffic while on public hotspots. If Microsoft can make VPN connectivity to secure traffic for any user, it would solve many problems, and give the Wall of Sheep at DEFCON a very hard time. My only doubt about this service is if and how much it will cost.

The blog entry talks about being in beta, and thus more features being in the pipeline, so this is one I’ll be watching with interest.

My Boeing 767 runs Linux, and yours?

This was seen on a Boeing 767 while en route from Las Vegas to Atlanta, the flight being operated by Delta. Apparently, many people were having problems with their purchased movies, and so the crew decided to reset the system, provoking a nicely familiar sight.

Linux on a plane!

Now we could all start making jokes about nmapping the plane, or trying to run Asterisk off a USB drive plugged into the management console, which by the way was accessible to anyone who wandered to the toilet and happened to look left. It had a nice big “Reset all” button too, two USB ports, and a gigabit ethernet RJ45. I just hope they don’t run a kernel with some remote_crash_plane() buffer overflow exploit…

DEFCON 14 – A hacker's paradise

I have just returned from a vacation, interluded by a couple of trips – one of them to DEFCON, the world’s largest hacker conference. This year, it ran at the Riviera hotel and casino in Las Vegas at the beginning of August.

There was plenty to see and do, from talks as interesting as war-rocketing to an insight into the US-VISIT program and its plans to implement RFID tags into the green visa waivers, or the 2D barcode receipts given out at airports.

I participated in the wardriving events, organised by Thorn, and which consisted of the Running Man and Fox Hunt competitions. Our team was led by Renderman, and we had some backup that put up some noise (fake APs, floods, etc.) to make the contest more interesting.

The Running Man started well, but unfortunately the other team tripped casino security by walking past their booth with a magmount omni antenna on each shoulder, a laptop, several WiFi cards dangling from their belts, a YellowJacket, and other gear – apparently, the IT guys freaked out, and they wanted the contest shut down. After the intervention of Ross and Priest, we were allowed to carry on, but limiting the search area to the venue, and not the whole casino. After the contest resumed, we found the Running Man in around 15 minutes, and won!

The second contest, Fox Hunt, consisted of a hidden WRT54G that was only on for 15 seconds every minute. One was supposed to locate the fox, connect to it, and change the SSID after brute-forcing the admin account. 15 seconds to do all that is not a lot! So, our plan was to locate the fox...and make a run with it to a safe place, so we could kill the 15 second timer circuit, reduce the amount of RF leaking out and have a go at changing the SSID. The first part of the plan went well, but then the other team got slightly miffed and called Thorn, who in turn called us to go back to the contest table with the WRT so the other team could also have a go at it.

Interestingly, Thorn had taped the admin password to the bottom of the router, but neither team noticed it! In fact, the other team ended up brute-forcing the AP and changing the SSID. We contested that since when we removed and reapplied power to the AP, the SSID went back to its default, we had in fact won, but Thorn wasn’t having any of it. The contest was a tie, which was decided by the question “Who owns the OID 00:00:00?”, the answer to which is Xerox. We got it wrong, and so we lost. Next year we will be better prepared for sure.

Here are a few pictures from the event:

Renderman and Thorn during their presentation

Thorn and Renderman giving their presentation on the Church of Wifi, with CoWPatty, the WPA rainbow table generator, and the WRT54G mods, which included my WaRThog.

The war-rocketing guys...and their rocket

The war-rocketing guys, and their awesome rocket. I wonder how they got that thing past airport security.

The WaRThog and two other modified WRT54Gs

The WaRThog on the left, with two more of CoWF’s modified WRT54Gs.

The Wall of Sheep - be there, be ridiculed!

If you used DEFCON’s wireless network to check your email, access your corporate network, etc., but didn’t use any form of security (VPN, SSH…), you are bound to be in the Wall of Sheep. It displays captured user names, passwords, domains and access methods – I actually had the two colleagues travelling with me show up here, even though I told them to not even open their laptops while at the con.

See you next year!

My smelly trip from Romania, and why deodorants are more dangerous than lithium batteries (not!)

Last week I had to go to Romania for a meeting with a team of coders, landing at Cluj-Napoca on Tuesday. Scheduled to return on Wednesday, I duly turned up at the airport by 08:00, joining the long line leading to the security checkpoint. Wait. A long line? We’re talking about an airport with a single runway, one transfer bus (you could actually walk the 50 yards to the plane, but hey, if they have it they might as well put it to some use!), about a dozen flights a day, all of them small turboprops with a capacity for around 60 people – which usually fly half empty.

So, what was the reason for the holdup? An overzealous security guard, who stared at each bag on the x-ray monitor while squinting his eyes as if it would bring more detail to the picture. After the long radioactive scrutiny, he would open the bags, shout a few things to their owners, and sometimes pull things out of them. Dangerous stuff such as sticks of SEMTEX, I thought.

When my turn arrived, some forty minutes later, I was rather curious, apart from annoyed, at what was captivating this guard. I should have guessed. Romania must have a healthy black market for...spray deodorants. My tiny Nivea sample spray tin was also taken, with a bad boy stare from the guard.

According to international safety regulations, flammable sprays are not allowed on board aircraft (although agencies such as the TSA allow toiletries in small quantities), just like dangerous chemicals, explosives, live ammunition, and a whole bunch of other nasty stuff. This guy had the right to take away my little piece of odour-fighting equipment – but was it really necessary to do so? I had almost calmed down, fearing I would miss my connection at Vienna, when I noticed the also tiny duty-free shop, which looked recently refurbished. On a closer look, they were selling…yep, you guessed it – a truckload of flammable products, from hair sprays ten times larger than my former deodorant, to cologne with a high alcohol content. I could have just bought one and carried on with my world domination plans just as well, but all I wanted was to get to Vienna.

This got me thinking about the recent hubbub about exploding Dell laptops – or, as it is technically defined, their batteries “venting with flame and smoke”. Laptop batteries are made of lithium-cobalt or, more recently, lithium-manganese oxide. This type of chemistry is very efficient at holding charge and making it available at high rates, without damage or aging to the battery. The drawback is that they are very dangerous. A lithium battery can explode violently, sending chemicals and debris out at high speed and causing a lot of damage. They can also vent with flame and smoke, as seen in Dell’s promotional footage. For a great explanation of battery technologies, visit the Battery University.

The TSA officially allows laptops and their batteries in both checked and cabin luggage, so do we have to worry? If you ever find yourself sitting next to a burning laptop on a flight, take this comforting thought with you: there is nothing on the plane that can put out a lithium chemical fire.

Happy flying!

Vodafone, security, and revenue

Do you work a lot while on the road? If you use Vodafone’s GPRS/3G data service, it could be costing a lot more than you think.
You have surely heard about Vodafone blocking Skype on their mobile network in the UK, with T-Mobile following suit, all in the name of ‘fair use’ and distribution of network resources. Supposedly, using Skype instead of downloading MP3s can make their network grind to a halt…let’s just move on.

I was involved in a project about a year ago, the goal of which was to write an IP stack for an embedded device. The approach was to write the stack in an easy-to-debug higher level language on a PC, then port it to the device. So, I went ahead and started writing the PPP code, aided by a GSM modem and a Vodafone SIM card with GPRS enabled.

To my surprise, as soon as the PPP session was established, a public IP address was given by the network, and packets started arriving. Curious about what this data was, but already suspicious of what it could be, I wrote a quick-and-dirty TCP decoder, and sure enough, the mysterious packets were nothing more than the usual flurry of port scans any device attached to the internet receives all day long. NetBIOS ports, common trojans, SSH, you name it, it was all coming in.

It was obvious that the security implications of these port scans were just as if the internet connection was coming from a DSL line – but there was a twist. GPRS fees are paid for downloaded data, but what is the definition of downloaded data? Is it just the data portion of a TCP or UDP packet? Is it the whole packet? Thus, were you actually paying for these port scans, and even for getting hacked?
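To make the billing question concrete, here is an added example in the spirit of the author's quick-and-dirty TCP decoder (it is not the post's code): it parses raw IPv4/TCP headers, picks out inbound SYN probes to the ports the post mentions, and tallies bytes on the wire against payload bytes. Addresses, ports and the packets themselves are constructed for the demo.

```python
import struct

# Ports the post names as typical scan targets (constructed mapping for the demo).
SCAN_PORTS = {22: "ssh", 137: "netbios-ns", 138: "netbios-dgm",
              139: "netbios-ssn", 445: "microsoft-ds"}

def decode_tcp_packet(pkt: bytes) -> dict:
    """Parse an IPv4 packet carrying TCP; return the fields relevant to billing."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]    # whole packet as seen on the wire
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4                    # TCP header length in bytes
    flags = off_flags & 0x1FF
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
            "total_bytes": total_len, "payload_bytes": total_len - ihl - doff}

def build_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a bare 40-byte IPv4+TCP SYN with no payload (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 8192, 0, 0)
    return ip + tcp

def account_unsolicited(packets, my_ip: str) -> dict:
    """Tally inbound SYN-only probes to scanned ports: wire bytes vs. payload bytes."""
    summary = {"probes": 0, "total_bytes": 0, "payload_bytes": 0, "ports": {}}
    for pkt in packets:
        p = decode_tcp_packet(pkt)
        # Only traffic addressed to us that we never asked for: SYN set, ACK clear.
        if p["dst"] != my_ip or not p["syn"] or p["ack"] or p["dport"] not in SCAN_PORTS:
            continue
        summary["probes"] += 1
        summary["total_bytes"] += p["total_bytes"]
        summary["payload_bytes"] += p["payload_bytes"]
        name = SCAN_PORTS[p["dport"]]
        summary["ports"][name] = summary["ports"].get(name, 0) + 1
    return summary

# Constructed sample: three probes to our (constructed) public GPRS address plus
# one outbound connection of our own, which must not be counted.
MY_IP = "198.51.100.23"
SAMPLE = [build_syn("203.0.113.9", MY_IP, 40001, 139),
          build_syn("203.0.113.9", MY_IP, 40002, 445),
          build_syn("192.0.2.77", MY_IP, 51111, 22),
          build_syn(MY_IP, "192.0.2.1", 1025, 80)]
```

For the sample, every counted byte is header: 120 bytes on the wire and zero bytes of payload, which is exactly the gap between the two definitions of "downloaded data" the post asks about.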

“Vodafone customer support, how may I help you?”

Turns out they couldn’t help me much. Not even the technical department understood what I meant by port scans, or ‘rogue’ data coming from the internet and being charged for it. I escalated and called the UK support line, and finally got someone to admit that they don’t perform any form of filtering, “for technical reasons, as it is something very difficult to accomplish”. Besides, they were sure some customer might want their NetBIOS ports open for the whole internet to see.

Fast-forward to 2006…and they are blocking Skype. If someone can come up with a decent explanation, other than they only block data harmful to their revenue, I’d be glad to hear it. They don’t care if some kiddie hacks into your computer, and turns it into a file dump, as long as you pay for the traffic. Alas, if you touch their voice revenue with a VoIP application, they will go to any length to “protect” you.

RFID Security

RFID, which stands for Radio Frequency Identification, is ubiquitous in our lives. We find RFID tags in our library books, groceries, consumer goods and printer cartridges, and they are even implanted into people’s bodies.

The basic principle behind RFID is that a simple, passive device responds to a burst of RF with a unique number, which can be used to identify the object to which the device is attached. There are many types of tags, some of them can even be written to. When I have the time, I will write an in-depth article on this subject.

RFID Security book cover

RenderMan, Thorn and Audit have written a book on this topic, titled RFID Security. You can get this book at Amazon.com. RenderMan is very active in the Church of WiFi, and Thorn has participated in other books, such as Wardriving: Drive, Detect, Defend. Audit is a very active moderator of the Netstumbler forums, hosts personalwireless.org, and also participates in many WiFi-related projects.
