O.mg Cable (hak5.org)
1690 points by fredley on Sept 2, 2021 | 538 comments



Wow! Is the trick that we now have powerful microcomputers small enough to fit into a USB plug? That's pretty incredible technology. How many years ago did this become possible? My IT security training is dated, I am aware of the risks of plugging in a random USB key, but just a cable from a helpful "coworker"? Yikes.


It’s a copy of the NSA ANT Coppermouth cables. That was part of the Snowden leak, so it’s been possible since at least then (the doc itself is circa 2008) if you have a three-letter name and a national security black budget.

https://en.m.wikipedia.org/wiki/NSA_ANT_catalog


Why is the NSA so good at coming up with sweet codenames for things? I swear it's someone's full time job there.


The real answer? Because these people are just like us, geeks, nerds, techies, early adopters. They are just the same people we live and work with.

The film Enemy of the State (1998) was science fiction except with the parts where the techy operators were just normal nerds like us. That was the most scary part of the film, not the (at the time fantastic) surveillance.


And let's not forget that many of them are probably browsing HN at this very moment. They could be you, they could be me!


> They could be you, they could be me!

Couldn't be me: the private sector pays me waaaaaaaay more.

Also, you can't work for the feds if you ever touch the ganja, which is ridiculous. Everyone I personally know in infosec leads a very... alternative west-coast lifestyle which is not conducive to career progression in an east-coast, button-down-shirt environment.


> Also, you can't work for the feds if you ever touch the ganja, which is ridiculous

I believe it is possible to get security clearance after cessation of drugs for multiple years, even drugs like Heroin. I found the full rules[0] while reading an AMA on /r/SecurityClearance.

[0] https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-4-...


This.

I entertained the idea of working in the public sector a while ago, for a brief time, until I learned that pot is fine in my past, but not in my present. "How the heck do you expect me to get the code written?"

Also, I've been told that getting a clearance is more burden than blessing. You have restrictions that an "ordinary person" doesn't have, along with criminal penalties for violating them. Whereas, without a clearance, if they really need you for something, they'll bring you in anyway.


> I've been told that getting a clearance is more burden than blessing

Yes it definitely can be, but depends on your personality and stage of life. You are always cognizant of having a clearance and the need to maintain it, and so you consider that in your everyday life. You also have to open your life up in uncomfortable ways, even if your only objection is in principle.

You probably don't sweat it too much later in life since you generally are a more 'boring' person, but I had mine in my mid 20's so was a lot more active in terms of social life. One time I was in downtown SF with a buddy hitting up bars etc and eventually had to cut out early because things were getting more drug oriented. I also used to play a lot of cards before getting a clearance and had contacts who were in some shady stuff. I basically excommunicated them from my life to avoid the clearance hassle.


Not sure I understand those last two sentences. Could you clarify?


Friend of mine is head of IT for some government agency. Not a spooky one - just a routine agency. However, given the nature of IT and the data they need to store - they are required to get security clearance.

For him it's been a minor nuisance at worst. He has strong restrictions on travel. I think he needs approval to travel abroad. He has relatives in other countries and visits them often, so it can't be too much of a nuisance.

I believe he told me that he does have to report details of where he went in each country and who he interacted with upon his return. Not sure about the details.

Official website: https://www.dm.usda.gov/ohsec/TravelResource.htm


Things may have changed, but in my prior life when I had a clearance, for example, dating (or marrying for that matter) a foreign national would result in heavy vetting, including possibly losing your clearance and/or being terminated.


I hope it would have just been your contract that would have been terminated? ;-)


These days I don't believe spying results in death, just a long vacation at club fed.


Don't do drugs (including marijuana), don't get blackout drunk, don't talk about your work, don't need psychiatric help... For the last sentence...Trump had all sorts of clearance when he clearly should not have. But he was in an important position.


Putting aside the politics of it for a second, all clearance stems from the executive branch which stems from the president. Saying the president shouldn't have clearance doesn't make a lot of sense, he's the one who authorized it. He's the one who decides who gets it.

Anyone who thinks differently is arguing for a shadow gov, i.e. unelected bureaucrats who answer to no one and can make decisions unilaterally without consequence... not exactly democracy.


> Anyone who thinks differently is arguing for a shadow gov, i.e. unelected bureaucrats who answer to no one and can make decisions unilaterally without consequence... not exactly democracy.

Lots of countries have an establishment "civil service" comprised of those "unelected bureaucrats" that you mention, and it actually works out quite well for them.

That said, they aren't unaccountable: they answer to departmental heads, MPs, committees, etc. A big advantage of the system is to prevent mad-swings in policy just because the head-of-government changed.

For example: https://en.wikipedia.org/wiki/Civil_Service_(United_Kingdom)


> A big advantage of the system is to prevent mad-swings in policy just because the head-of-government changed.

You can frame this another way: it prevents meaningful change even if the electorate demands it.

Sorry, I watched too much Yes Minister to think this is a good thing x)


Yes, of course - but if a country already had a well-oiled establishment civil-service which kept its finger on the pulse of the nation then it would already be aligned with the electorates' interests and voting-intent.

I recognize I'm basically describing a utopia.


Any power structure naturally seeks permanence. Democratic elections with short office terms go against the nature. If we are not vigilant, shadowy forces will take control of this mechanism too. Some could argue it already has happened.


I like how Putin describes his impression of the powers of the US President. https://www.youtube.com/watch?v=xykvrGpCW6E&ab_channel=Russi...


Has a certain “damned if you do, damned if you don’t” vibe. There are pros and cons to both.


That statement wasn't about politics at all. Let me put it another way: Had he been trying to get clearance for a normal position, he would probably not have received it.

I also never said he had access to everything. Nobody has access to everything. Not arguing for a shadow government--it's already a fact. It happened when classification rules went from "what would harm national security" to "what would cause problems if American citizens found out we were doing this."


In principle the president has access to EVERYTHING. There is literally nothing he shouldn't have access to, at least within the executive branch which includes nearly all military/defense/intel secrets.

The only thing he does not have unrestricted access to is Justice department stuff (e.g. FBI), although there'd better be a damn good reason to deny it to POTUS if he asks, and legislative branch secrets which really infrequently comes into play. That's due to the whole separation-of-powers, checks-and-balances thing. But security clearances for everything in the executive branch stem FROM the president. If he wants to reveal some state secret, he can just tweet it with no consequences, or blurt it out while on the phone with foreign states. As Trump did on multiple occasions.

That said, of course there is a significant deep state bureaucracy which attempts at times to keep certain things hidden, even from the current president. But if the president were to ask about it, they have to tell him.


> don't need psychiatric help

Does that include regular old things like ADHD meds?


I don't know. I haven't worked in that system for many years. That said, it was more received wisdom than a written rule, and I was aware of exceptions who were prescribed more than ADHD meds.


Well, I mean the ADHD meds I’m prescribed happen to also be a popular street drug, so I wouldn’t trust them to differentiate.


No it does not.


How is this a constructive response?


> Also, you can't work for the feds if you ever touch the ganja, which is ridiculous.

Calling it 'ridiculous' removes the debate concerning the pros and cons of such a rule. If you consider someone can become vulnerable if they're addicted (to anything, really) then it makes sense to be wary of a drug addiction. Especially if the resource the person is addicted to is illegal.

That being said, I'd find it reasonable if they OK'ed medical marihuana usage. I hope my gov (NL) does.


Well it's a comparison. Not once on the security clearance paperwork is alcohol mentioned, while if you have smoked/eaten/etc. marijuana at ALL in the past 7 years, it's practically an instant deny unless it was under some exigent circumstance. You can even be denied if you don't partake but are close contacts with other marijuana users.

Obviously if someone is _addicted_ to either, that is a security risk. But the extent to which they reject people for recreational marijuana use is laughable.


Can't you just lie?


They contact all your close contacts listed on the paperwork. Lying also constitutes perjury in this case.

The unofficial advice I’ve heard is to not even bother with SC if you use weed. Generally, it will be found out. I looked into this as needing an SC was a possibility with my current job.


That is not wise. You do have to take a lie detector test, and they are actually good at reading the results.


So you don't think any alcoholics work for the NSA?


Not to mention, alcohol is a far more physiologically addictive substance.


So much tastier too.


> if they're addicted (to anything, really)

Like caffeine?

I'm almost sure they have coffee machines in there.


Here’s a different picture. Put in your 20y at NSA right out of school. Get retirement benefits, and then move to the private sector, where they pay a premium for NSA experience. Or, do contract work for NSA since you already have clearance and contacts. They will pay you about 4x more as a contractor.


This is very much the truth, I used to work in infosec. Plus the moral implications of working for the feds! Too much on my conscience.


you can do the really spooky stuff without going to prison. that's why they do it


Maybe they are you(r open source code)


Piss off, spies. Why don't you come over to the light side of the force?


I mean, it's a spectrum really isn't it? NSA, Facebook, Google, they're all involved in surveillance in different ways and to different degrees.


This is the CiA. Hands up!


hi


Maybe they are like you, but they are definitely not like me.


Amen, brother. The spooks recruited at my university, but I skipped that session. Hard pass.


They are really quite unlike us. And our set of norms is, shall we say, somewhat different to theirs.


You are commenting on a forum full of people who build tools and technology for Facebook and Google and probably Palantir and a thousand other facial recognition and thoughtcrime style systems.


There are probably some generalizable differences between software engineers who work for intelligence agencies vs private sector engineers. The most significant factor being that government engineers need to be able to get a security clearance and pass the attendant background checks and interviews. Most of the engineers I've worked with in the private sector probably couldn't pass these checks because of foreign nationality or recreational drug use. It's a virtual certainty that the need for a security clearance produces a strong selection effect. Not saying it makes the intelligence engineers better or worse just that I'm sure there are some significant differences.


I just wanted to point out that obtaining a security clearance is not nearly as hard as you make it sound. For most organizations prior recreational drug use does not preclude you from the clearance.


I have a clearance and a somewhat checkered past.

A lot of what they look for is consistency in accounts of previous behaviors between you and any references / interviews they undertake, trying to assess if you're currently honest.

Another big thing they are trying to decide is if you are blackmailable.

(throwaway because I have the sort of clearance you are not supposed to advertise that you have)


John McAfee discussing getting his security clearance when he worked for Lockheed-Martin: "They asked me very revealing questions.... Had I ever taken drugs? Yes. What kinds? Almost every kind. Uh, how much? A lot. Have you ever sold drugs? Yes. So I assumed I would never get the clearance but I did and it came in very quickly."

(clearly decades ago, and he's less than reliable, but fun nonetheless!)


It's not so much a problem if you do drugs.

It's a problem if you do drugs and are hiding it from someone (say, family). Then you can be blackmailed.


Can confirm (source: I have a friend that works for a three-letter agency). Before I sat for a clearance interview, I asked him about it. I used to think I'd probably be disqualified, but I learned that was not the case at all. Much of what they're trying to determine is your exposure to potential blackmail.


How recent? Posts like "FBI can't find hackers" have been frontpaging for years but people who have responded to the ads say they were dismissed at the clearance step or advised to not continue due to it.


Sure, Facebook and Google are pretty evil organisations but they can never match the scope of surveillance of governmental agencies.

Facebook and Google need the user to use their services and they say (despite the message being in legalese) what they're going to track. There is consent involved in these organisations, it's a voluntary transaction.

The government can (and did) just intrude on everything without consent or penalties.

From a moral point of view, I would be open to work for BigTech, but I wouldn't work for a state actor.


In theory, yes. In practice, if you try to avoid any interaction with sites affiliated with Google, Facebook or feeding surveillance data to them, you'll quickly discover that the internet became very small and much less usable than before. You don't need to use Facebook or search on Google to be tracked by them. Google owns one of the largest ad networks in existence, so if you visit any site that has ads or analytics trackers, the data about it will go to Google. Any site featuring a Facebook social button may feed the data to Facebook. If you write to somebody with an @gmail address Google knows about it. And so on, and so forth. For a highly technically skilled person, it might be possible to avoid interactions with Big Tech while still being able to use modern technology, but it won't be easy. For a normal person without deep technical background it's pretty much hopeless unless they avoid using the internet entirely. Of course, using the internet is "voluntary", but this is a very weak consolation.

And, also, both Google and Facebook eagerly cooperate with state actors in censorship and other aspects - likely surveillance too. So there's not much difference in that aspect whether you work for the government directly or for somebody who takes marching orders from the government while being formally independent.


Morality is the difference. That's not exactly "norms" but somewhat on an adjacent path. But in terms of interest and participation in our club, *they are us*. That's the true terrible reality.

A more accessible idea which is quite different but allows some truth to shine in similarly is to consider how many of us are utterly dependent on advertising in our careers but we all adblock personally.


> That's not exactly "norms" but somewhat on an adjacent path. But in terms of interest and participation in our club, they are us. That's the true terrible reality.

I remember "Spot the Fed" at DEF CON where I thought it was reflecting this deep and kind of intractable antagonism between the hackers and the government. It turned out that the government was regularly recruiting people there and at other hacker conferences, fairly successfully, and still does. (First I thought that all computer nerds would be at least somewhat anti-military or anti-surveillance, and then I thought that at least those who actively associate themselves with computer culture and counterculture would be, and now I don't really think either of those.)

The social distance between people working for spy agencies and people who vocally criticize and oppose the spy agencies is tiny. I worked at EFF and I've known socially, or kind-of-socially, four people I can immediately think of who worked directly for NSA at some point in their careers, and those are, of course, just the ones who chose to mention it. I've also seen someone unsuccessfully try to recruit someone for NSA face-to-face right in front of me, and had a boss whose next job was alongside an NSA alum.

I also think that NSA alums are more likely to mention it because they're less likely to have worked under false pretenses in other countries (compared to, say, CIA alums).

I had a relative who was a super-huge computer nerd (the biggest computer nerd in my whole family, possibly more than myself, and taught me a lot of my early Unix knowledge) who had previously held a clearance and worked in aerospace engineering (I think on radars or something). He didn't work for a spy agency, but did work on military projects. And nobody could hold a candle to his Unix expertise.

It's pretty striking how diverse in our beliefs we all are (not just about surveillance and espionage, but kind of on every issue and question). Maybe we don't notice it because of social pressures to act like we agree more than we do. Being fascinated with surveillance and secrecy is a common trait in our circles, but it seems that might translate into trying to fight it, or into trying to do it.


> The social distance between people working for spy agencies and people who vocally criticize and oppose the spy agencies is tiny.

That sort of makes sense to me? The average member of the public doesn't generally think about what spy agencies do. If you assume that recruitment is based more on topical proximity than positive/negative opinion, that's what you'd expect to see.


I would say it's that the set of morals or beliefs are different. Believing that someone is without morals or immoral is just the perspective of the observer.

Some of us don't agree with the intelligence gathering behaviors of our governments, but they certainly might not view it as an issue.


I for one don't necessarily disagree with government having a monopoly on violence and all that jazz. But I guess that what makes me HN crowd is that I'm also easily convinced to change my mind if someone brings up a convincing argument.


Pretty confident that the odds of someone who works for a three letter agency responding to you here is much higher than most forums.


You imply hacking human minds to be more acceptable than hacking computers?


There are several industries built around hacking human minds: advertising, pay-to-win mobile games, political consulting, user engagement services like Facebook, and of course literature.


> and of course literature

Of course. And education.


Eh, by that metric `sudo apt-get install` is hacking your system.


No, I'm suggesting people be a bit more critical in their choices of who are "us". They are both "us" in some senses and "not us" in others.


Absolutely. It's the human mind's responsibility not to be "hacked", by which I assume you mean exploited to e.g. mindlessly scroll Facebook all day.

If most people are weak enough to become matrix-like slaves to the machine, so be it. I don't believe in free will and I don't think we need to preserve human life in a certain way (e.g. the way our ancestors lived).

Sure, a lot of people will fail this test, or maybe they prefer to live their life like that. I don't care, that's on them, that's their choice - or, better, the way DNA and the environment shaped this human shell.

If instead you wiretap my device, you're attacking my privacy and I don't have a way to defend myself. You are committing violence.


If you don't believe in free will, why should anyone care about your will to preserve your privacy? Sounds like you only believe in your own free will.


If you don't accept that you have free will, then nothing you write or say has any meaning.


It may be possible to believe you don’t have free will, yet act like you do and to find meaning in life. After all, given how hard it is to even define “free will”, how can we know for sure whether we have it? Now recent research seems to indicate (note the weasel words) that we have less of this “free will” stuff than we like to think. Yet hopefully, if you dig a little deeper, we find something that qualifies as free will, even if we live in a deterministic world. Which we don’t quite; see quantum mechanics. But a free will based on QM seems no better. Who wants a “free will” based on randomness?

Please forgive my ramblings. I may have been reading Daniel Dennett too much, most likely with too little understanding.


If you are capable of acting as if you have free will, that is the proof you have free will.


I certainly would like to think so, but the argument seems circular. These things are so hard to reason about!


To be fair, I too have ended up thinking that free will probably does not exist. Yet everyone else and I will always continue to behave and live as if it existed, that is my consolation.


What someone says or writes could provide information useful for predicting the future. That by definition has meaning.


That's my point - that there is free will, otherwise no prediction has meaning.


That does not follow. Reduction in entropy generation surely has meaning, it has thermodynamic consequences, regardless of any ‘free will’ here or there.


Of course it follows.

It is specious to look at entropic consequences, when you should look at the existent will being exercised to predict those consequences.

You can't predict unless you have the will to perform a prediction. Having such a will to act, is free will.

As another example - You are able to freely exercise your will to comment or not to comment.


‘You can't predict unless you have the will to perform a prediction.’

I’m fairly certain fish can predict the course of future events, to a fairly high degree of accuracy, in relation to seasonal changes in water temp, food density, etc… e.g. spawning salmon


That's comparing apples and oranges. Perhaps, fish have free will, but this conversation is about human beings, where we have the internal laboratory apparatus required for introspection and determination. We can create hypotheses and tests, then inspect results. We are directly able to test, through choice, to prove that we have free will. It is foolish to compare yourself to a fish, though your ability to compare your mentality to that of a fish was your free choice made from your own free will.


That’s a fairly reductive definition of ‘will’ if fish can have it.

It is not clear at all your claim is true in the general case, which is the point. Humans differ from fish not in kind, but only in degree, a few hundred million years of evolutionary divergence as the biologists would have it. Unless of course special factors such as a ‘soul’ are assigned to humans and so on.


You didn't address anything I wrote, instead choosing to create a strawman about the will of fish. I sincerely hope that one day you will grow into realizing that you have free will.


‘You can't predict unless you have the will to perform a prediction.’

That is a general claim that you wrote that I have shown is not correct unless you have an interpretation of the word ‘will’ that is so broad as to render your other statements somewhat meaningless.

In fact you are the one creating the strawman since you dodged addressing the question. I have made no separate claims about my personal free will, or lack thereof.


Thanks for pretending to be the arbiter of truth, but you are the one who responded to my comment (made to another), "If you don't accept that you have free will, then nothing you write or say has any meaning."

It is now obvious you have no point other than wanting to debate words and are being intentionally obtuse. This is not a high school debate class, and I will no longer engage in your foolishness, since you have stated that you are not actually commenting on the subject of the conversation.


Another strawman.

I’m not exactly sure why you think I would care so much about your opinions to be ‘the arbiter of truth’ for any topic. You’ve made claims that are clearly erroneous and I’ve been pointing them out to the passing reader, so they are not waylaid. I won’t comment on the correct interpretation of ‘free will’ since I myself don’t know, and decline to pretend to know.


I, for one, want to protect my Nation against terrorists.


Not exactly, you have been convinced that protecting your Nation against terrorism was an important priority, so you endorse the budget going into it and the infringements on your liberties, in exchange for the feeling of safety.


IIRC the funny thing is, the system that provides the codenames is random in order for the system to not leak information about what the code name is for. But since there's no limit to how many times you can request a code name, the system is being abused and users try until they get a good one.


For those looking for a source: Ed talks about this in his book https://www.goodreads.com/book/show/46223297-permanent-recor...


What was the codename for the project to create that system?


The British system was called Rainbow Codes

https://en.wikipedia.org/wiki/Rainbow_Code

See this from the article:

"During WWII, British intelligence was able to glean details of new German technologies simply by considering their code names. For instance, when they began hearing of a new system known as Wotan, Reginald Victor Jones asked around and found that Wotan was a one-eyed god. Based on this, he guessed it was a radio navigation system using a single radio beam. This proved correct, and the Royal Air Force was able to quickly render it useless through jamming."

Read R.V. Jones' book "Most secret* war" if this kind of war-engineering interests you.

* Pay attention to "most secret" rather than the ghastly Americanism "top secret"!


Probably “Project Phoenix”.

If you ask any project team to come up with a project name they will probably pick ‘Project Phoenix’.


Because all project work is reviving something that has been done before?


No dude because it’s a badass name. If it’s super cool you get to name it “Operation Dark Phoenix” which is even more badass.


No, because all new projects are on fire from the get go.


Because projects start in the smouldering ruins of as-is, and their business case is mythical (and if you want to rise in this environment you’d better be flame-retardant).


Because the product is mythical and it will all end in flames.


The Phoenix did not end in flames. It started in flames.


It’s immortal and cyclical. There is no beginning or end. Popular focus is obviously on one part of that cycle.

https://en.m.wikipedia.org/wiki/Phoenix_(mythology)


That or NexGen/NextGen.

Someone should do a study...


*Sigh*

...Telstra in Australia called the transition from its 3G network to 4G "Next-G".

Why is this suddenly so depressing lol ._.


Coppermouth is just a combination of two American venomous snakes: the copperhead and the cottonmouth.


No. It’s a combination of Duracell copper top batteries and Smash Mouth


Coppermouth is a typo, the actual name NSA gave it is Cottonmouth, a species of pit viper.


My apologies! I completely missed that I made that typo. Either I was in the throes of exhaustion or my phone spellchecked me :( Now it's too late to edit.

Yes, Cottonmouth is correct.


Coppermouth would be a good code name. Cottonmouth? Meh.


Far better names than Microsoft or IBM


Microsoft Integrated Microcomputer Plug-and-Play Cable Office 365 Extended Subscription for Workgroups 2021 Powered by Bing


Affectionately known as "MIMPCO 365 ESWPB 2021"

Hey! That's my Windows 10 product key!

(not really, but felt like it could be).


Can’t be a Windows key - it’s too easy to type! ;)


It’s missing a K, a Q and a W, at least.


Google Play Game Libraries for Play (a real product name)

I can't find a link referencing it, sadly.


Well the technology differs a bit.

The NSA implant was a passive retroreflector implant, which when illuminated by powerful radio waves, broadcasted back what was being typed, or what was visible on screen.

This seems to be more of a tiny chip that captures and stores keystrokes etc.


Including a web server and radio communication.


So, like The Thing?


Attacks like this have been in use since long before that leak.

See all the SanDisk U3 drive based badusb payloads that people could cleverly hide into all sorts of form factors.


Bunnie did a super neat talk about something similar

https://youtu.be/ruEn7TE4YMM


Was it actually something Snowden released, or part of the second leaker's data that got attributed to Snowden?



There is already an Arm Cortex M0+ in the end of every USB type C cable for power negotiation.

It has a complex codebase and firmware update methods to migrate to new USB specs. Cheap cables don't even support signing so go to town tampering with stock cables if you are so inclined.

Also an ATtiny85 can fit inside just about anything.

My favorite BadUSB hello world is using the Arduino HID library to make a Digispark toggle caps lock randomly with maybe 10 lines of code. Drives people nuts.


> There is already an Arm Cortex M0+ in the end of every USB type C cable for power negotiation.

Only some of the Type-C cables. Normal 3A ones don't have anything like this.


In the leaks that happened around the time of Snowden's revelations, there were DVI/monitor cables that had transmitters that would broadcast the decrypted signal so that someone with the receiver nearby could "share" the screen. No software installed for security software to find. Just a cable that could be installed by the cleaning crew after hours.


That level of miniaturization is far older than Apple's removal of the iPhone headphone jack in 2016, but the related lightning-to-audio jack dongle had a microcontroller with a DAC inside that you'd never think existed due to the form factor.


The Lightning-to-HDMI adapter is also an insane miniaturization. It runs a (very) stripped down version of iOS/Darwin (not sure what Apple counts it as) that is loaded in about a second when you plug in the phone, establishes a network connection, and streams compressed video frames over the network over USB to the HDMI.

That's why when you use the iPhone HDMI adapter, everything looks a little bit compressed. Because it is.


Yup. It's actually an incredibly clever piece of tech that lets the iPad/iPhone get around the fact that lightning doesn't have enough bandwidth to transmit HDMI.

For regular home/app views, it does hardware compression of the iPad's screen, outputs that over lightning, then the adapter decompresses it to raw HDMI.

While for Netflix/etc. streams, it outputs the stream directly to the adapter to decompress, without quality loss. (And at full size as well, rather than double-letterboxed.)

I still haven't figured out the magic of how apps like Netflix are able to do overlays of subtitles on top of the compressed video stream. Best I can tell, there must be a separate API for that, that gets sent in parallel.


As far as working within the constraints of USB 2, it's a solid way to do things.

And I'll even leave aside the issue of running a whole OS just to decode video.

But this is dealing with 1080p output. That's not very intensive. A lightning port has two high speed data pairs. You don't even need USB 3 speeds to transmit HDMI over one of those data pairs, and then put in like a $2 redriver.

If you set up double-sided output I think you could even have a passive lightning to HDMI adapter. But that's a side issue, my main point is the bandwidth available that makes these tradeoffs unnecessary.


I'm not sure what point you're trying to make? Basic 1080p is 3.96 Gbps. Lightning is 480 Mbps. The bandwidth isn't there according to how lightning was designed.


> Basic 1080p is 3.96 Gbps.

Yes. (Well technically you need 3.20 or 3.33 for 1080p60, and HDMI 1.0 supports 3.96)

> Lightning is 480 Mbps. The bandwidth isn't there according to how lightning was designed.

Not true. Lightning has two differential data pairs. The port can do much more than 480 Mbps.

If your response to that is "oh, but it's only connected to pins that do 480", they would have to reconnect it to video pins anyway to do HDMI out. And nothing else in the lightning ecosystem would limit it, because this is a directly-attached adapter.

Also some of the iPad Pros have actual USB 3 support on their lightning ports.


I didn’t know about this! Thank you. Truly nuts:

https://hackaday.com/2019/07/30/apple-lightning-video-adapto...


Ok, this is the most amazing tidbit I've learned on this site in months.

Thanks for the comment. Had no idea. Mind blown.


Just for reference, here are a couple breakdowns of how impressive the iPhone headphone jack is. It is impressive how good it is and how tiny it is.

https://www.ifixit.com/News/8448/apple-audio-adapter-teardow...

https://www.kenrockwell.com/apple/lightning-adapter-audio-qu...


It would be more impressive if they could fit it inside the phone.


Funny enough, that shouldn't be a challenge for Apple since the world's slimmest smartphone ever made actually has a headphone jack[1], so Apple's excuse of not enough space inside the phone is horse shit to force everyone into the Airpods ecosystem.

[1]https://youtu.be/Ijssm6Qv5nE


It was never thickness, it was depth.


What's the difference in this case? Volume is a multiplication of dimensions on all axes. If they didn't compromise on thickness that means they have more internal volume available to reduce the other dimensions which they didn't as modern iPhones don't lack depth either, barring the mini, they're all quite large on all axes.


Remember Project Ara? Apple actually did that and everyone got mad!


> How many years ago did this become possible?

I don't know, but I do know that back in 2013 you could get an ARM computer running linux and a webserver with wifi and 16Gb storage in a space the size of an SD card. That is still a bit too big to fit inside a USB plug without being obvious, but not by much. https://hackaday.com/2013/08/12/hacking-transcend-wifi-sd-ca...

Fitting the electronics inside the usb plug itself has been used for years in slimline usb memory sticks and in tiny readers for micro-sd too.

I expect that this has been possible for nearly 10 years, but maybe just not commercially viable for consumers for most of that.


Eye-Fi started as a company making Wi-Fi SD cards in 2005.

Chips have been small for decades. What’s changed over the years is that it’s gotten cheaper and cheaper.


I'd say the total size of silicon has been small enough for this for at least 20 years. The level of integration between these components, skipping the need for packaging and interconnect is what's allowed these covert devices, probably driven by manufacturing optimization that makes it financially tractable to only make 100 units, so that bit is much cheaper yeah. Things like antennas and other bulky non-silicon passive components are probably the limiting factor now.


> Fitting the electronics inside the usb plug itself has been used for years in slimline usb memory sticks and in tiny readers for micro-sd too.

those readers usually heat up like crazy for any significant length transfers. good in a pinch, though.


See also http://tomu.im/.


Not just the microcontroller but also the wifi radio and antenna... But a USB-A socket is pretty big anyway. This isn't too different from the tiny wireless mouse dongles that have been around for a few decades.


In 2008 we had USB flash drives which extended only two millimeters beyond the laptop when you plugged them in, and Wifi dongles in the same form factor.


On a similar note, as I understand it skimmers placed on ATM machines and the like are now so small they are almost impossible to detect.


Seems to be very tech-involved though.


> now have powerful microcomputers small enough to fit into a USB plug

Like 20 years ago? 32 bit micros were actually not that far behind low end CPUs until they started to fall off dramatically in the 90s, and post-90nm age because perf was good enough.

After the nineties, CPU improvements were guided as much by software getting worse, slower, and more shoddily written, than genuine need for more raw computing power.


See also:

C-to-C charger cables with Bluetooth remote activated dual payloads: https://sneaktechnology.com/product/usbninja-custom-type-c-t...

I easily modified mine to mimic Apple Keyboard USB IDs to avoid notifications. Works great!

Cellular GPS tracking car charger: https://www.amazon.com/Charger-Locator-Professional-Listenin...

Cellular GPS tracking USB charger cable: https://www.ebay.com/itm/223990414124

I have been making, collecting, and testing toys like this for more than a decade.

It is a race to the bottom on price now.

Your best defense for USB code execution attacks is to use Linux with USBGuard or QubesOS with the default USB quarantine VM.

Windows and Mac users are currently easy targets. I don't know of any good defenses there.
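An added example (not code from this thread or from the USBGuard project) modelling the point in the comment above: a cable that reports a trusted keyboard's USB IDs passes a vendor:product allowlist, while a policy that matches every attribute of an enrolled device and refuses unenrolled HID interfaces does not. The descriptors, serials and port names are constructed, and the two policy functions are hypothetical simplifications of what USBGuard rules express with `id`, `serial`, `via-port` and `with-interface`.

```python
from dataclasses import dataclass

HID_CLASS = 0x03  # USB-IF base class code for Human Interface Devices


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    port: str          # physical port path as the host sees it, e.g. "1-2"
    interfaces: tuple  # (class, subclass, protocol) per interface descriptor

    def has_hid(self) -> bool:
        # Any HID interface can deliver keystrokes, boot-protocol or not.
        return any(cls == HID_CLASS for cls, _sub, _proto in self.interfaces)


def naive_decision(dev, allowed_ids):
    """Allowlist on vendor:product only, the check that ID spoofing defeats."""
    return "allow" if (dev.vid, dev.pid) in allowed_ids else "block"


def strict_decision(dev, enrolled):
    """Allow only an exact match on every attribute of an enrolled device.

    Unenrolled devices that expose HID are blocked outright; anything else is
    held for explicit user approval instead of being trusted by ID.
    Limitation: a device that replaces the enrolled one on the same port with
    identical descriptors is indistinguishable at this layer, which is why the
    thread's physical controls (cages, sealed cases) still matter.
    """
    if dev in enrolled:
        return "allow"
    if dev.has_hid():
        return "block"
    return "ask"


# Constructed sample descriptors (assumed values, not captured from hardware).
KEYBOARD = UsbDevice(0x05AC, 0x024F, "KB-0001", "1-1", ((0x03, 0x01, 0x01),))
# Cable reporting the keyboard's IDs, plugged into a different port.
SPOOFED_CABLE = UsbDevice(0x05AC, 0x024F, "", "1-3", ((0x03, 0x01, 0x01),))
# Same cable with the keyboard's serial string copied as well.
CLONED_SERIAL = UsbDevice(0x05AC, 0x024F, "KB-0001", "1-3", ((0x03, 0x01, 0x01),))
# Composite device: mass storage plus an extra HID interface.
COMPOSITE = UsbDevice(0x0781, 0x5567, "S1", "1-2",
                      ((0x08, 0x06, 0x50), (0x03, 0x00, 0x00)))
# Plain mass-storage device with no HID interface.
FLASH_DRIVE = UsbDevice(0x0781, 0x5567, "S2", "1-2", ((0x08, 0x06, 0x50),))


def run_demo():
    """Return {label: (naive, strict)} for the constructed devices."""
    allowed_ids = {(KEYBOARD.vid, KEYBOARD.pid)}
    enrolled = {KEYBOARD}
    devices = {
        "keyboard": KEYBOARD,
        "spoofed_cable": SPOOFED_CABLE,
        "cloned_serial": CLONED_SERIAL,
        "composite": COMPOSITE,
        "flash_drive": FLASH_DRIVE,
    }
    return {
        label: (naive_decision(d, allowed_ids), strict_decision(d, enrolled))
        for label, d in devices.items()
    }


if __name__ == "__main__":
    for label, (naive, strict) in run_demo().items():
        print(f"{label:14} vid:pid allowlist={naive:5}  strict={strict}")
```

The strict policy still allows the enrolled keyboard on its own port, so the check costs nothing in normal use; every other HID-capable arrival is refused regardless of the IDs it reports.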


When USB came out I was working in the defence sector. We closed the vector off with cages for the PCs with tied looms under desks, epoxy in all the holes we didn’t want people to use and with threat of being in deep shit.


When I was frequently using things like this on coworkers in red teaming (back when being in an office was a thing) putting my own desktop in a steel cage with a good lock proved effective against retaliation.

Then we moved on to attacking the firmware in each other's keyboards.


Since this has generated some discussion on locks and picking, there's been some interesting developments on "unpickable locks" that sidestep the tolerance problem by decoupling setting the pins from testing them. I.e. pins are tested all at once after they are physically decoupled from the key & keyway, eliminating state space reduction attacks (aka picking one pin at a time) leaving only brute force.

One such effort features locks made by Stuff Made Here sent to Lock Picking Lawyer. According to LPL the locks are theoretically sound and he did not attempt to pick them, but these particular implementations had a couple (easily fixable) bypasses. Made for interesting videos on both sides:

Stuff Made Here describes the design in detail: TWO Unpickable (?) Locks for Lock Picking Lawyer! - https://www.youtube.com/watch?v=2A2NY29iQdI

Lock Picking Lawyer reviews them and performs some bypasses: [1299] Unpickable Locks From Stuff Made Here - https://www.youtube.com/watch?v=Ecy1FBdCRbQ


Whelp it seems I recalled incorrectly this time, because LPL did pick the second one open, via a weakness in the design that he believes can be patched. I don't think my sentiment was totally off base, but clearly my statement about not being picked was factually incorrect.


Thanks for sharing, fascinating stuff.


>putting my own desktop in a steel cage with a good lock proved effective against retaliation.

>Then we moved on to attacking the firmware in each other's keyboards.

In what world is hacking keyboard firmware easier than lockpicking?


I once saw a PC security case where instead of the lock cylinder retracting a bolt, it turned a screw thread and opened the case by about half a millimeter. It took the guy unlocking it a good fifty turns to get the PC out of it.

And there were two - one on each side. What's more, it was a tubular lock, so if you were single-pin picking you'd have to pick it 5 times per rotation.

Nothing that would stand up to a battery powered angle grinder, of course.


I don't know anyone that would SPP a tubular lock in the field.

$40 for tools designed to pick all pins at once and make a "key" with some quick impressioning motions.

Some do have spool pins. In those cases you will need manual fiddling to pick it once then you have a key to keep spinning.

Still, sounds like an interesting design. Link?


I was under the impression impressioning relied on all the lock's springs and driver pins being identical, and that better tubular locks avoided that?

I looked for a picture of the case but couldn't find one. I was in that college CAD lab... quite a long time ago.


Tubular locks are trivial to pick and the lock turning the screw mentioned above would be just as simple with a tubular pick as with the original key.


In a world where I am the one choosing the locks.

I taught everyone else involved to lockpick in the first place and chose locks well beyond any of our skill levels to pick.


It's a gentleman's sport.


In a world where keyboards are open source programmable devices: https://qmk.fm/


In the world where one is a firmware exploit developer and doesn't know how to pick locks...?


We were all capable of both and had to plan accordingly.


If you don't know how to pick a lock it's a lot easier. I assume I could learn but I know a lot more about firmware than barrels.


and what's this site we are on's name again ?


Harder to spot visibly?


software problem, not a hardware problem. :)


We just broke the locks on the cages with a screwdriver. Locks only keep honest people honest.


I don't expect good locks to keep people out. I expect good locks to be tamper evident so I know I can't trust my system.


Unfortunately, there aren't really all that many "good locks" on the market. The Lock Picking Lawyer on YouTube[1] has pretty much destroyed my faith in the modern lockmaking industry.

[1]: https://www.youtube.com/c/lockpickinglawyer/videos


He can defeat just about anything, but he’s also exceptionally skilled. As a consumer of locks, I expect them to be defeatable by a skilled lockpicker. But I don’t expect them to be defeatable by a bic pen or by reaching in the keyhole with an oddly shaped wire to move the locking pawl.

You can buy locks that don’t have easy bypasses, and can’t be easily drilled, and can’t be picked by beginners.


You can also buy locks that can't be picked by people like me who have been at it 20 years.

To keep people like me out for a while buy a Medeco. Pins not only need to be at the right height, but also the right rotation. They are a real pain in the ass to pick. I don't even know any locksmiths that can pick them. Good security for the money.

Bosnian Bill and LPL... Okay they can pick them, but they are like the 0.0001% in skill.

Still even then pay an extra $100 for a really high quality disk detainer lock like a Protec 2 and you will keep even them out for quite a while.

That is what I use on my luggage. TSA has to call me to unlock them with my consent every time. The way I like it. Great tip I picked up from Deviant Ollam.


> TSA has to call me to unlock them with my consent every time.

No - no they don’t.

Anything locked with a non-TSA compliant lock is fair game for the bolt cutters, and frankly probably draws a lot of extra attention.

All you’re doing is asking for extra screening…

[1] https://www.tsa.gov/blog/2014/02/18/tsa-travel-tips-tuesday-...


The part you're missing is: a firearm means they shouldn't (legally can't) try to open the case without you.


Not if you have a firearm in your luggage.


Out of the brands you've mentioned, any particular models of locks?


I'm surprised TSA doesn't just cut it off, TBH.


Also this; especially after watching this happen to DeviantOllam


Which locks don't have easy bypasses?

I've been wondering the most sophisticated/effective/secure locks regular consumers have access to.

In other words, which locks does the Lock Picking Lawyer himself use in his house to protect his family?


He has specifically mentioned BiLock as one he would consider. As another comment in this thread mentioned, Medeco is also well regarded.


I have hundreds of locks and lock bypass tools. I make sure to pay for ones that are not quickly defeated when it counts.

LPL covers most locks in the wild which are bad, but locks like the Protec2 are quite strong and while it is implied one person in the world can beat it with custom tools (huxleypig)... even then not quickly.


And the best features are (proudly) locked behind patents, so if you need a great lock in a form factor they don't make, oh well.


Some of the best locks are very very hard to buy as well and still protected with weird export controls held over from the encryption export days.

I frequently use FF-L-2740 spec locks, which is the spec locks need to hit for use in classified government work, military contractors etc. They are very good locks I can't begin to defeat in any practical amount of time and don't know anyone who can. Particularly since they have timed brute force lockouts.

Problem is not a single vendor is allowed to sell locks of that spec to civilians by contract so you have to jump through lots of hoops to get them.


For most uses of a lock its job is to keep honest people out.

I have had doors kicked in, so these days I want the lock to be the weakest, not strongest, part of the door. So when it is kicked in it is a cheap lock that is destroyed not an expensive hardwood door (I like hardwood doors...)


Most locks can be picked by a child with a hair pin. I would know. I grew up as that child opening every door and safe I could to amuse myself.

If a door is broken then a lock did its job. It let you know you were broken into.


Cheaper if the lock is broken. Locks (that are broken easily) are cheaper than doors, which are not hard to break and expensive to fix

Who is going to pick a lock that is cheap and easy to break?


> Who is going to pick a lock that is cheap and easy to break?

Probably a criminal who is trying to be quiet, so they can enter your house.


Even cheaper just to leave the door unlocked, I suppose.


The purpose of a lock is to keep honest people out.

Mēh. I have dogs.


If that were literally true then a sign saying "This door is on the honour system, please don't enter" would work just as well.


> there aren't really all that many "good locks" on the market.

You can say that again.

I was once proud of myself for having thoroughly researched the market and I thought EVVA MCS was a safe bet[1].

Then someone showed me a YouTube video (published a year after I bought the locks) of someone picking it (not LPL, another YouTuber). Given the cost of EVVA MCS I was not a happy bunny.

[1] https://www.evva.com/int-en/products/mechanical-locking-syst...



Apparently, picked here: https://youtu.be/ai5Hf-wPXFE

but check out this one instead: https://youtu.be/sES_Hbj92BQ - ~2h to open fully (though the author of the video claims impressioning could speed up the thing; anyway, reportedly attacking the door is just easier in this case)


Guy who made the video here. The lock mechanism itself isn't one of the easiest, but also not one of the hardest to pick skill-wise. However, it does take a very long time to pick through which means that the lock is doing its job very well. Also, I have read that this lock is very resistant to destructive attack as well. So combining pick resistance with physical resistance, you have a very good lock as long as it's installed on a good door and the building has all other security measures in place (no ground level unprotected windows, etc)

Also worth noting, Bosnian Bill (a more recognized name) also attempted this lock here https://www.youtube.com/watch?v=tLeiPmfm-2s


I have Bowley locks in my collection. Amazing quality.

Not only does it take a couple hours to pick for an expert but you have to make a custom set of tools that only work on that one particular lock.

If a lock keeps someone out for several hours it is a great lock.


Watching his channel, beefy disc tumbler locks seem to be your best bet for keeping a bike secure.

For your home, a high security pin tumbler with security pins is fine too. It takes very high skill to defeat these.


Just because a highly skilled professional lock picker can pick a lock doesn't mean you can nor the parent's coworkers.


The lock doesn't even need to be that good. As you said, the name of the game is intrusion detection, not necessarily intrusion avoidance.

The Lock Picking Lawyer chronicled very nicely a technique for turning a KW1-keyed Kwikset core (extremely common here in the US) into something that is tamper evident. See the YouTube video linked herein.

https://www.youtube.com/watch?v=7JlgKCUqzA0

This kind of thing thwarts covert attack attempts and serves as a good way to trigger an audit on the trust of the asset behind that lock.


I’m into locksport as well and would favor that kind of modification on a back door which is more likely to be targeted by thieves. Not sure I’d do it on a front door in case a family member actually locked themselves out and actually needed a locksmith to be able to get in.


Sure, and the application of access control devices generally requires a degree of discretion and understanding what your threat model is.

If you don't fear your front door will be clandestinely accessed, I feel it's perfectly valid not to worry about doing this to the lock there.

Not being you, that isn't my call to make.


Yeah, my threat model is common house thieves, not intelligence agencies or police.


> I don't expect good locks to keep people out. I expect good locks to be tamper evident so I know I can't trust my system.

The term for what you want is a "seal", not a lock.


Imagine someone broke the lock, but did nothing more.

You'd be driven mad trying to find what the intrusion was on your system.


Most common locks can be easily picked with a tiny bit of practice. I'm completely incompetent but I can pick any Master lock in 5 minutes or less.


Which is why you should never use Master Locks.

I am pretty decent at lockpicking but I can't pick a Medeco or better in any practical amount of time and very few in the world can.

Little bit more money vastly reduces your attack surface.


> Little bit more money

Aren't medeco padlocks like $100, whereas master lock padlocks are less than $20?


What's the value of the asset it's protecting?


I remember learning how to break master locks back in the 1980s. But I also heard they changed the mechanism after that.


I’m pretty sure they did on a number of models, but it wasn’t for the better


I went to home depot a couple years ago and bought every model of master lock they sold. Picked all of them in an afternoon.

I then taught kids to pick them.


do you mean combo locks, or key locks?


That would generally be considered "detectable intrusion" though.


Not if you replace it with another lock that looks similar


I think when you get home and your key doesn’t work on the lock, it might tip you off.


When I had towers or pizza boxes I pretty much never touched them once it became normal to leave them on all the time, which was as soon as they were always downloading from the internet at 3.3 kbps.

If the case was locked in a cage I wouldn’t notice until I needed to access the tower to plug in a USB, which might not be for weeks these days.


Being in an office is definitely still a thing. Let's be real, vaccinated adults working from home is a privilege. Mostly a white upper middle class one. Always was.


My school had a way to keep peripherals from wandering off, but if all you need to do is swap the cables then I’m not sure that would still work. Wrapping the cables into a wiring loom makes that process slower, assuming the loom is complicated enough. Did you ever use heat shrink? Or locking cable ties?

What the school did was run a steel cable behind the desks, then put a loop of the mouse cord through a steel washer and ran the security cable through all the loops. If you secure both ends you can’t get the cables separated even with slack.

The trick is that the hole in the washer had to be smaller than the connector so you couldn’t fish it back through no matter how much slack you get. That could still work for USB-A, but these days the connectors are getting smaller than the diameter of curvature of the cable, so you’d break it trying to do this. And on many peripherals you could destroy the cord without reducing the value of the device. One could cut the cable and install this Trojan one on many devices these days, the only telltale would be that the cable isn’t routed properly, which might be harder to notice immediately.


On most keyboards and mice the cables are not soldered on the inside but just a quick connector.

You can get female/male versions of this connector placed on either side of an ATtiny85 for a quick solderless implant no one will ever see.

Then just undo 2 screws, plug your implant inside the mouse/keyboard, screw it back.

To make this harder intentionally strip the screws with a drill, understanding you will never be able to repair that unit again.


> To make this harder

Or, y'know, open it up and solder the connector together (or remove the connector and solder the cable wires directly).


My anecdote was a bit old and I’m certain some of those devices had soldered cables, meaning that a sheared wire couldn’t be handled by buying a new cord or combining parts of two mice. Because I specifically looked for that a few times with no luck.

But they’re right, these days when you crack open things you often find a connector soldered to the motherboard and the cable is merely plugged in. I think it’s just easier to manufacture. Pick and place, bulk solder and then a machine to plug in the cable, fast as you like, maybe with a loop in it as a poor man’s strain protector.


> meaning that a sheared wire couldn't be handled by [...] combining parts of two mice.

Well, if you're stealing them, you only need parts from one mouse: cut the cable close to the mouse, untangle it from whatever crap it's locked to, take mouse and cable home with you, disassemble mouse, feed cable back through (I think it's called) grommet, strip cable, pick out wires, solder wires to appropriate mouse internals, reassemble mouse, done. You have a working mouse with only slightly shorter cable than before.

The point of using soldered cables for security is that setting up a soldering iron near a computer is conspicuous, so you get caught if you try to install an ATtiny85 inside the mouse that way. You can still steal stuff just fine.


When you say strip the screw - do you mean strip the screw head, by drilling out the head?

That's evil...

(Or do you know some way to strip the thread itself).


Yeah just intentionally drill the head so those screws are not coming out again without power tools which should be obvious in the open where they are deployed.

Or just epoxy the whole thing together.


Seems there are special drill bits for removing stripped screws…


If you can get away with using a drill on a keyboard and mouse covertly, I want to watch.


Few strokes of a hacksaw and a rubber band (for grip). Or just some pliers


Good luck with those and that size screw.


Epoxying the screws in might be easier?


All the cables were terminated inside the box and strapped every 1 inch with cable ties. Nothing was exposed that could be disconnected other than the monitor IEC lead.


That's hard if your laptop relies on USB-C for charging...


I specifically don't recommend laptops that rely on USB C charging for applications where trust is critical -unless- they are running Linux with USBGuard or QubesOS.

That said I did make transparent and easily auditable USB type C condoms for one client that really wanted to use USB type C laptops.

Systems with security as a strong priority like the Librem 14 use barrel jacks for good reason.

I am in fact implying those that allow use of macbooks at coffee shops to directly access production systems at FAANG and fintech companies are taking a very inappropriate risk :-P


USB C charging happens well below the OS layer, using firmware that often isn't all that good. USBGuard or QubesOS won't help there (but will somewhat mitigate attacks trying to move up the stack)


The problem is not the charging. The problem is that a fake charger cable can run an HID attack over the +/- pins before it does a pass through to the power negotiation MCU for charging.

A tampered USB C to C cable on a conference room table can compromise people all day long.

If the USB C charge ports cut the data pins entirely then great, but I have not seen that be the case on any laptops yet.


Because few want USB-C ports dedicated to charging. The point of USB-C is flexibility. "One port to rule them all".


> Windows and Mac users are currently easy targets.

Not true, at least for iPhone / iPad users:

1. Download Apple Configurator (free to anyone)
2. Create new config profile
3. Setup your device in "supervised" mode and apply said profile (the reason for this step is that the "best" config profile options are only available in supervised mode).

Config profile items of interest include, but may not be limited to:

- "Allow USB accessories while device is locked"
- "Allow pairing with non-configurator hosts"
- "Allow putting into recovery mode from an unpaired device"


If the USB device is not permitted to enumerate when the device is locked, then the payload just fires when enumeration happens after unlock.

You either ban USB devices entirely or you make users approve on every connection with no white listing.


With growing car theft in the US I've been curious about implanting GPS trackers on my own older enthusiast vehicles. There appear to be many options on Amazon but I can't bring myself to trust any of them. Has anyone here gone down that road before?


I would only do this if you either know the police will help retrieve your car if you have the location, or if you are ready to engage the robbers yourself. Otherwise it's useless to know where it is.

I have experience trying to get the cops to help in Oakland and San Jose and they really didn't want to.


A lot of the cellular gps trackers have ignition kill capability, where you can send it a specific sms message and it’ll pull a wire to ground or open circuit a pair of wires, which you can use to remotely kill the engine.

A friend of mine got a motorcycle back by watching its movements via the gps tracking, and killing the engine while the guy was riding in a safe-ish and high visibility place, so the thief just parked it and walked away.


I imagine (not a lawyer) that this exposes you to a variety of charges.


IANAL, but I think in California as long as you don't use excessive force it's ok, but yeah if you kill the engine at a high speed or if you get unlucky and the thief gets seriously injured then you will get in trouble if they want to go after you.


Who's gonna sue him? The car thief?


Potentially, or more likely the public prosecutor after the coroner's report comes in.


This is ridiculous. Wtf are cops good for, then?


Cracking heads. The rest is just PR.

They don't work for you. They know they don't work for you.


Tbf Oakland is a low bar (as well as SF). Here just 15 mi down the road they investigated and arrested a credit card thief who stole my wife’s card and I didn’t even ask for it. They also regularly capture cat converter thieves with sting operations. Overall I’ve been quite impressed with San Mateo PD


We were also surprised by the Oakland thing, as I know they helped with petty crime where the damage was less than a full blown stolen car. It was not a very shady area and it was in their jurisdiction. I heard it's not that uncommon, and a SFPD officer told us that it's probably because we said the robbers were armed and they just don't get involved with that.

The car got recovered by an asset management crew though and it went smoothly AFAIK.


I second this. I even had a local Bay Area PD help me recover a stolen bike after finding it posted.


From European experience: dealing with violent crime and writing reports for insurance claims for others.


If you want to DIY it, check out Ray Ozzie's recent project featured here on HN recently. Very reasonably priced with one up front payment for (10 ?) years of connectivity


Here are some articles and projects where we show how to do Asset Tracking. One article is about an Iceland trip, the other is about building out a GPS tracker, complete with data dashboards.

Iceland: https://blues.io/blog/vacation-gps-asset-tracker/

Full Asset Tracking Project: https://www.hackster.io/paige-niedringhaus/low-code-gps-asse...

Adapting this for a car would be straightforward.


$49 for the device and data: https://blues.io/



This feels like a dumb question, but I can't find dimensions of the Notecard anywhere and I can't quite judge the scale from the pictures. How big is it?


https://github.com/blues/note-hardware/blob/master/Notecard/... has the measurements, looks like 35mm x 30mm


Keep in mind that’s the card with a M.2 edge connector on one end. Mostly you’d be plugging that into something, at least to hook up the power/data lines. They sell “Note Carriers” for that, which end up making the combo bigger than that.

Here’s a pic of the note card plugged into their Raspberry Pi note carrier. That’s a standard 40 pin 0.1” spacing connector on the left, so it’s 2” plus the mounting holes in that dimension. 65x57mm and about 20mm tall for the stackable 40 pin socket+pins.

https://flic.kr/p/2mkQAS7


What service are they using that gives 10 yrs of connectivity for a flat price?


It's not 10 years of unlimited data. It's 500MB of data usable over 10 years.


Probably "VC Cash".

I've got a couple of the units and can say they are working well and very easy to interface with.


Wouldn't an airtag (or two...) fit the bill nicely?

(Assuming even car thieves use iPhones there's some poetic justice to be served in their own smartphones bringing them down...)


I think the airtag might actually alert them that they are being tracked - the anti-stalker features built into the network will alert an iPhone user when an airtag they don't own is in the vicinity while moving and changing locations.


If the air tag is sufficiently hidden, perhaps this is a feature and not a bug. Maybe this will make them stop the car and leave it, which sounds like a win to me.


They will get a warning saying there is an air tag travelling with them. I have this problem. We have an air tag on one of my kids' shoes when we are out, and whenever I’m not with them, my partner gets spammed with warnings on her phone saying there is an unknown air tag travelling with her.


> We have an air tag on one of my kids' shoes when we are out

what the hell?


Right? Who the hell puts the tracker in a shoe? Shoes can be taken off.

Professionals put the trackers in the kids' teeth, a la Spy Kids.


Seems legit, kids can run away or be kidnapped. It’s important to know where your kids are.


> Seems legit, kids can run away or be kidnapped. It’s important to know where your kids are.

Ah yes. This statement is more terrifying than Apple's half-assed PR fireball a few days ago.

The same folks who bought iPhones because it has better "privacy" than Android...

...are using iPhones to track their kids' whereabouts. It's like a dystopian punchline masked in the Friends laugh track.


Tracking a kid at an amusement park, presumably a quite young one, is entirely fine IMO. I remember when I was 4 or so, I waited until my parents weren't looking to sneak off and go play with a toy in the gift shop my parents didn't let me see earlier in the day. I just about gave them a heart attack.


Right. All depends on age. Makes sense for an 8y/o, not for a 15y/o


This is for a 3y/o and a 5y/o


Yeah it is important to know where your kids are. I go with "pay attention".

I guess there are going to be scenarios where tracking could help and maybe even allow the kids freedom to roam within a large zone - the back paddock of a farm say - while still allowing parents to find them.

But I still like capability and trust more.


Some people have more children than adults. “Pay attention” is the default state but it’s not always possible to pay complete attention to both children and everything else, every moment of every day.


I really think you’re holding parents to an unreasonably high standard. The punishment for a moment’s lapse in not paying attention shouldn’t be a missing 4 year old.


We use this when we are at amusement parks, museums or in the city. We also have a piece of white tape, with our phone number, on the kids so that if they get lost, and someone finds them, they can call us up.


That's Apple's so-called "stalker warning", a ridiculous concept.


> a ridiculous concept

Says a guy who’s never had a friend or family member who’s been stalked.


If someone can get close enough to drop an AirTag on your person or in your car, they can harm you regardless.


A lot of people have the opportunity to interact with your (unattended) car or your belongings in situations where they couldn't harm you without taking a substantial risk. Imagine a person you interact with at a bar who drops an AirTag in your purse while you are briefly distracted.


> With growing car theft in the US

Odd, this got me wondering, and I can’t find any reliable statistics that show a rise in car thefts. Everything I see shows a pretty steady decline over the past 30 years in spite of an increasing number of cars on the road.


Check out AutoPi. Open source, plugs into your OBD-II port so you can not only track your car but also get maintenance alerts etc.


Depending on how old the enthusiast vehicles are, they probably don't have an OBD-II port (or possibly any port at all). None of mine do, up to the mid 90s.


My truck barely has an electrical system (6v, positive earth), let alone a computer.


1996 is when OBD2 became mandatory for all cars manufactured in the United States


> plugs into your OBD-II port

Which is usually quite easy to check. It's not a guarantee, but with someone sophisticated enough to crack a modern car there's a good possibility they know to check the OBDII slot.


They come with extension cables. You can always plug it in under the dash and leave the exposed one disconnected.

If they are sophisticated and have time to take the whole car apart then you are SOL anyway as they will find any transmitters with an SDR.


It might be an interesting project to build your own in this case.

If you want to trust them I would have as much redundancy as you are comfortable paying for i.e. the software in these products is often dogshit so one failure or bug shouldn't let your car end in a scrap merchant.


AirTag


Doesn’t work as it notifies the person traveling with it.


If you hide it well enough? I can think of some creative spots in a car, like behind the dash, in the door, inside of a seat, etc.


If the thief has an iPhone, they will see this: https://sm.mashable.com/mashable_pk/image/default/uploads252...


It's quite easy to clobber the speaker


It still alerts (UI Prompt) on any iPhone that it travels with for too long (~24hr).


I thought it only chirped if the owner clicked that option in "Find My" app.


It's not that it chirps; it is that any iPhone being tracked by an AirTag for an extended amount of time will inform its owner that it is being tracked.


What if I don't have an iPhone


I second this, and hope someone has some advice/input.


Windows and Mac users are currently easy targets. I don't know of any good defenses there.

It's crazy to me that this is true. Does the government pay Microsoft and Apple to keep it this way, or are they just negligent?


It’s not really practical to defend against for most end users.

Keeping a whitelist of known keyboards and mice is really the only defence even on Linux, and unless you work in a data centre that’s probably way overkill.

With a home PC that doesn’t really work though, because in order to authenticate your mouse without some kind of central mouse log on a server you probably need to click a button, which you can’t do without authenticating your mouse.


Whitelists don't work.

As an attacker I just have the bootloaders of my malicious devices advertise the USB IDs of whitelisted devices like Apple Keyboards.

The computer has no way of knowing it is not authentic. There is no signing or certification for USB devices.

The only solution is a kernel that can place all newly attached USB devices in a queue for manual approval.

This is what USBGuard and QubesOS both do. The Linux kernel and udev have native support to hook USB devices early making this easy.

It means no one can drive by and plug something in when your computer is locked. You will get a popup asking if you want to give some device other than the keyboard you booted with access to behave as a keyboard.

Also the majority of attacks I have seen in the wild attacking production systems were via endpoint compromises.

If your laptop has remote access to said high value datacenter, then your laptop is a high value target.

Note though that laptops have a nice advantage for this threat model as most have built in PS/2 trackpad and mouse which can let you approve external keyboards/mice etc.
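
An added illustration of the argument in the comment above (not code from the commenter, USBGuard or Qubes OS): a simplified Python model comparing an allowlist keyed on the self-reported vendor:product ID with a default-deny approval queue, including the case of matching hardware already plugged in at boot. The device records, the placeholder ID `1234:abcd`, the port names and the fingerprint rule are constructed assumptions.

```python
"""ID allowlist vs. default-deny approval queue for USB devices.
Simplified model; every device record below is constructed sample data."""
from dataclasses import dataclass

HID, MASS_STORAGE = 0x03, 0x08  # USB bInterfaceClass codes


@dataclass(frozen=True)
class UsbDevice:
    vid: int                  # vendor ID, reported by the device itself
    pid: int                  # product ID, reported by the device itself
    port: str                 # host-side topology path, e.g. "1-1"
    interface_classes: tuple  # bInterfaceClass of every interface exposed
    label: str = ""

    @property
    def usb_id(self) -> str:
        return f"{self.vid:04x}:{self.pid:04x}"


def id_allowlist_decision(dev: UsbDevice, allowed_ids: set) -> str:
    """Allowlist keyed only on vendor:product ID."""
    return "allow" if dev.usb_id in allowed_ids else "block"


class ApprovalQueuePolicy:
    """Default-deny: anything not seen at boot or approved by hand is queued."""

    def __init__(self, boot_devices):
        # Devices present at boot are trusted as-is (assumption of this model).
        self.approved = {self.fingerprint(d) for d in boot_devices}
        self.pending = []

    @staticmethod
    def fingerprint(dev: UsbDevice) -> tuple:
        # The port is observed by the host; ID and interfaces are device claims.
        return (dev.usb_id, dev.port, tuple(sorted(dev.interface_classes)))

    def on_attach(self, dev: UsbDevice) -> str:
        if self.fingerprint(dev) in self.approved:
            return "allow"
        self.pending.append(dev)  # held until a person approves it
        return "queued"

    def approve(self, dev: UsbDevice) -> None:
        self.pending.remove(dev)
        self.approved.add(self.fingerprint(dev))


def run_demo() -> dict:
    # Constructed placeholder ID 1234:abcd stands in for an allowlisted keyboard.
    keyboard = UsbDevice(0x1234, 0xABCD, "1-1", (HID,), "keyboard present at boot")
    same_id_new_port = UsbDevice(0x1234, 0xABCD, "1-3", (HID,),
                                 "unknown device, same ID")
    extra_interface = UsbDevice(0x1234, 0xABCD, "1-1", (HID, MASS_STORAGE),
                                "same ID and port, adds storage")
    swapped = UsbDevice(0x1234, 0xABCD, "1-1", (HID,),
                        "other hardware, identical descriptors")

    allowed_ids = {keyboard.usb_id}
    policy = ApprovalQueuePolicy(boot_devices=[keyboard])
    results = {}
    cases = [("keyboard_replugged", keyboard),
             ("same_id_new_port", same_id_new_port),
             ("extra_interface", extra_interface)]
    for name, dev in cases:
        results[name] = (id_allowlist_decision(dev, allowed_ids),
                         policy.on_attach(dev))
    results["pending"] = [d.label for d in policy.pending]

    # Manual approval moves a device from the queue to the approved set.
    policy.approve(same_id_new_port)
    results["after_approval"] = policy.on_attach(same_id_new_port)

    # Limit: a device with identical descriptors on the same port at boot
    # cannot be told apart by either policy, so it still needs a physical check.
    cold_boot = ApprovalQueuePolicy(boot_devices=[swapped])
    results["swapped_while_off"] = (id_allowlist_decision(swapped, allowed_ids),
                                    cold_boot.on_attach(swapped))
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```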


> It means no one can drive by and plug something in when your computer is locked. You will get a popup asking if you want to give some device other than the keyboard you booted with access to behave as a keyboard.

Makes me think, what would happen if I plugged this cable, unplugged the keyboard, and power-cycled the computer? Or do a hard power down, then the switcheroo, and then power up? Would USBGuard/QubesOS block the new device, even though it's the one it just booted with?

(I think finding your computer rebooted would fly under the radar of most of the users - they'd blame it on automatic updates or intermittent power failure.)

On that note, I wonder how small you could go with a MITM device to attach between victim's peripheral and their computer. Could you pack enough useful features in a dongle that would not be immediately noticeable by most users?


If you rebooted my computer you would be greeted with a full disk decryption prompt which requires a smartcard and a pin to unlock.

It won't go unnoticed.

If your computer can reboot itself for updates that should be a cause for concern as it means your FDE is being cached somewhere that can use it unattended. I don't allow such things personally.

You do have to check for any untrusted USB devices at boot on a desktop. No getting around that one as you need to be able to use input devices at boot. Best bet is a PS/2 keyboard but those are getting harder to find.

For a laptop you have a better story as you can trust the internal PS/2 keyboard/mouse then use that to approve USB things fresh as needed and dictate what applications they get access to.

I connect my USB webcam to the one VM that needs it on demand, for instance.


Assuming you're using LUKS with device mapper, this reboot would be able to be a plain kexec, and the raw disk key can be placed in a pre-defined location in RAM, like how the dmesg buffer is something set up to be persistent, for recovering information from right before a crash, even if only via an automated log push daemon.


> It won't go unnoticed.

Of course the reboot itself will be noticed when the user gets back - whether it's the login prompt, or boot prompt, or just all applications being closed. I meant it might not be noticed as something unusual, warranting further investigation. Typical user, even tech-savvy one, will just think, "must have been a power glitch", or "damn, those updates forced a reboot again".

The latter is something Windows users are conditioned for. Coming back from the toilet to be faced by a fresh login prompt is common enough even in the age of Windows 10 - and especially when the laptop is controlled by your employer, as IT tends to force a stricter schedule on updates[0]. In my case, this happens 1-2 times a week. While I'm working from home this doesn't matter, but if I were back in the office and came back from lunch to a rebooted computer, I would've assumed it was updates again.

> You do have to check for any untrusted USB devices at boot on a desktop. No getting around that one as you need to be able to use input devices at boot.

Makes sense, thanks for clarifying. I was assuming at least some of these solutions are trying to eliminate this requirement, but ultimately it may not be possible.

(Or perhaps it would be, if USB had something like HDCP so that you couldn't construct a dongle that could be transparently inserted between the computer and the peripheral.)

> For a laptop you have a better story

Right. Also, in case of attacker forcing reboot, they can't rely on users assuming it was a power glitch because laptops have batteries.

> I connect my USB webcam to the one VM that needs it on demand, for instance.

I need to read more about such setups, where you compartmentalize your system with VMs. Is there any good primer you could recommend?

--

[0] - I'm increasingly convinced Windows 10 update system is evil, and does this on purpose. It just so happens that it always forces an update and reboot on my work machine whenever I step away from it for more than 10 minutes. It's like it was monitoring idle time, and thinking "ooh, the user is away, let's reboot the machine and lose all the state". I also recently had to switch Lenovo updater malware to manual, because it kept choosing the exact middle of our weekly team meeting as the time to forcibly update video drivers, blanking my screen for anywhere between 2 and 20 minutes.

(Did I mention I hate automatic updates?)


>The only solution is a kernel that can place all newly attached USB devices in a queue for manual approval.

Would it recognize the newly attached one, if you do the swap while the computer is turned off and they have the same HW ID?

Because if not, then it's not much better than what Windows lets you do with group policies. Although on Windows you could do this swap even while the OS is running.


Can still pop OS with just enumeration and descriptors.


There are dongles that only let power through:

https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00...

But it's a pain in the neck to always use them and difficult to enforce use in an enterprise setting.


And there are people who have disguised badusb attacks as those dongles. Works every time.

I co-designed some transparent USB C ones for a client that are easy to audit.

Hope to take them to market some day.


Apple claims they're "secure by design" when clearly they're not.[1] I don't think they're explicitly cooperating with any Government, I just think they have enough disgruntled employees who cooperate with the Government and companies that sell penetration software to put in back doors and enable exploits.

There's much less discontent among the rank-and-file at Microsoft, so this sort of thing happens less with them.

[1] https://www.apple.com/business/docs/site/AAW_Platform_Securi...


Read the reviews on the GPS tracking charger... either the people who bought it couldn't figure out how to use it, or it's another scam product from China we see flooding Amazon.


When we audited it as best we could tell it was phoning home to some central Chinese server if you put a sim in it.

So spy tools that spy on the spies.

It is sketchy as all hell and should not be sold.

That said this stuff pops up everywhere.

I just cite it as examples.


Am I missing something? The worst thing the cable can do is send HID commands, and snoop on traffic between your USB-connectable device and PC?


They could do lots of things:

- Keylogging

- Manipulate USB Power negotiation to cook your hardware

- Sniff traffic from other USB devices on the same internal hub.

- Log your location

- Log screen lock/unlock times/habits via voltage draw and permitted device type enumeration

- Install malware via keyboard emulation

- Sound exfiltration by emulating USB speakers

- Screenshot by emulating a USB/thunderbolt external monitor

- Mouse movement/click injection to prevent screen locking

- Exfiltrate data to hidden internal flash memory


"HID commands" are a big thing given sufficient automation. You can execute arbitrary code with just HID commands either by typing everything in, or by having the cable present a storage device from which to get data and using HID commands to enable the storage device, fetch and execute it.


USB has been littered with bugs. I never got why this didn't get more news coverage but at least it was possible to read memory from USB. Personally for me it's also a reason that I switched to USB-C that there are less people around with USB-C cables.

https://security.stackexchange.com/questions/118854/attacks-...


You can actually do quite a lot with it, in terms of getting data and dropping various payloads:

There is also an editor and parser for Duckyscript – the scripting language used by the Rubber Ducky offensive USB drive – which acts as a virtual keyboard and launches keystroke injection attacks. That alone opens up a wide array of custom payloads for the O.MG cable. There also appear to be attack payloads for Windows and Ubuntu systems.

In April 2019, when the video was released, MG and the team of hackers working on the embedded cable were also developing extra functions such as detecting user activity/inactivity. According to the Hak5 listing, they also appear to have cracked another key problem: USB enumeration.

https://nakedsecurity.sophos.com/2019/10/02/omg-evil-lightni...



$600, 3 meter range. wtf? How is OMG Cable able to be so much cheaper and get so much more range?


Curious if chromeOS does anything special here to mitigate usb attacks.


They do nothing.


You need to explicitly mount (in your ChromeOS settings) any USB devices to the Linux system. Other than that I'm not aware of any specific mitigations.


So if I plug in a usb keyboard or mouse, they do not work until I activate them in settings? Sounds like an easy way for grandma to buy Dell over Google


In the Linux environment specifically. The average user is not using the Linux environment, it has to be enabled in developer settings.


Who buys this stuff? Other things in the shop:

> Screen Crab: This covert inline screen grabber sits between HDMI devices - like a computer and monitor, or console and television - to quietly capture screenshots. Perfect for sysadmins, pentesters and anyone wanting to record what's on a screen.

> Shark Jack: This portable network attack tool is a pentesters best friend optimized for social engineering engagements and opportunistic wired network auditing. Out-of-the-box it's armed with an ultra fast nmap payload, providing quick and easy network reconnaissance.

> Key Croc: The Key Croc by Hak5 is a keylogger armed with pentest tools, remote access and payloads that trigger multi-vector attacks when chosen keywords are typed. It's the ultimate key-logging pentest implant.

They say "pentesters." What prevents a malicious actor from buying and using these tools?

I think I am missing something here.


I buy this stuff, but I run a security consulting company.

I also make my own stuff like this from time to time. A lot of it is pretty easy. I could teach a class of people to make a badusb device from scratch, code and all, in an hour. Any USB capable microcontroller will do. Should we ban those too?

Bad actors have had more sophisticated hardware at their disposal for decades.

Just look at teardowns of credit card skimmers.

Hak5 is not helping those people. They are helping white hats catch up and helping spread awareness how easy this stuff is.

While your mind is adjusting to this, I encourage you to put "crown vic fleet keys" in Amazon and buy yourself keys to the police cars in your area.

The global state of security is a joke and we need people helping onboard whitehats to help teach people to do better.


Yes, penetration testers, red teams, blue teams, auditors, and a myriad of other security conscious roles take advantage of these tools.

> What prevents a malicious actor from buying and using these tools?

Nothing.

What prevents any actor from buying <insert any items here> and using it maliciously? A significantly deeper question. I rather promote this.


exactly, what prevents anyone from doing anything, really? haha!


"motivation" is usually the answer. Motivation can be (gaining) money, power, politics, etc.


Which begs the question, how do we raise future generations to have motivation which decreases malfeasance?

I do not think there is a simple answer, but there is one out there...


I for one teach kids to hack and lockpick every chance I get.

When you can pick every lock around you it changes your worldview forever.

Kids should not avoid something wrong because they are physically stopped by a lock.

They should avoid it because it is wrong.

Better they learn these skills from someone that will teach the ethics to go with them.


I think this is a big problem for liberalism in the future. When we have 20 billion people and technology is more powerful and ubiquitous, big consequences could happen from individual bad actors remotely. Even if only the tiniest fraction of people wanted to do bad things, there would still be quite a few of them and they'll have more access as everything is more networked together.


There will never be 10 billion people alive at the same time, let alone 20.


What's the certainty there? Could you expand?


Well, for one, the US government prevents private actors from buying all sorts of things. I am surprised that selling tools which potentially "enable cyber crime" hasn't triggered some overzealous regulator in DC yet. It seems like low-hanging fruit.


What prevents a criminal buying a chef's knife and committing a crime with it?

I am surprised that selling tools which potentially "enable murder" hasn't triggered some overzealous regulator in DC yet. It seems like low-hanging fruit. /s

Pro-authoritarian sentiment keeps going strong. Why is it so normalized these days?


While I do agree with the general sentiment, the technology has moved faster than the societal legislative process.

If you asked a reasonable person off the streets why bioweapons (like anthrax) should not be easily purchasable, they would completely agree and hence the legislature has made such things illegal.

But if you asked that same reasonable person off the street about miniature computers and electronic devices, they would probably not imagine that such uses are possible, nor would they deem it dangerous. They might even consider it useful! So legislation on such things cannot be set by societal expectations.


If anything, by making devices like this accessible to the public, the end result is safer devices for everyone.

Without products like this you have criminals, a small amount of enthusiasts/researchers, and government sponsored actors exploiting vulnerabilities. If you put it out in the open, much like open source software, everyone can do it, but there's more pressure to fix blatant vulnerabilities.


As a simple example, the “trust this computer?” prompt standard on most phones. If devices like this were only known by state governments, this feature likely would have taken longer to become standard.


Isn't that the same argument people use in support of gun ownership?


No. I’ve never once seen someone say that making guns more available means that the general public gets better bullet proof technology.

It, for example, hasn’t resulted in accessible bulletproof vehicles for all.

In technology, vulnerabilities found push companies to develop and deploy protections for them.


I don’t think that it is. As I understand it the argument in favor of guns is that they would supposedly protect you against someone else with a gun.

I can’t protect myself from someone with a RubberDucky with a RubberDucky of my own. However, knowing that these tools exist and how easy they are to acquire and the ability to try one out for yourself might actually make you think twice about plugging that random cable or USB drive into your box.


The guns you can buy don't compare in any way to the guns the bad actors have. Apples and oranges.


What are you talking about?


Hak5 isn't breaking any new grounds with their technology. They just make it a little easier to get/use and a little sleeker. Can someone abuse this? Sure. People misuse all sorts of handy tools all the time. Knives? Staplers? 2x4s? Hammers? All have been used to kill people - doesn't make them inherently bad.

The difference is most people know about those other things and don't know about the things that hak5 sells. They don't even know it's possible, let alone it exists and is usable.

Recently the lock picking lawyer got a USB drive lock in the mail and while he picked the lock, he refused to plug in the drive. People mocked him saying that he was silly for not simply plugging in the drive into a VM or special purpose computer. The next time around he brought out a USB Killer. https://www.youtube.com/watch?v=ctByXhte_-A ex: https://usbkill.com/ .

If you don't know a random cable or USB drive can be dangerous, you're likely to be the person who picks one up off the ground and uses it. Or worse, see one sitting unattended in a coffee shop or airport and decide you need a quick boost.

What's being sold is educational just as it is dangerous. Terrible people are going to find a way to do terrible things. The least you can do is educate yourself to make it harder for them.


I have a number of hak5 products to see what the fuss is about and to learn what kinds of attacks to worry about being used on me! In some cases they are not really usable anymore, like the WiFiPineapple, which is largely useless due to WPA2 being ubiquitous (yes, you can hack WPA2 but I don't feel like paying for a ton of AWS lambda functions to get on my neighbor's wifi). They teach you about how things work from an entirely different point of view. BashBunny is my favorite and it still works, but who plugs in random USB sticks these days? I've never used it but I learned a lot more about USB!


The same people that buy lockpicks buy these:

* enthusiasts

* professional security people (blue team, pentesters)

* criminals

in the last 2 cases, they buy them because it's cheaper than making it themself.


I think the only thing you are missing is that most people most of the time don't want to hurt or bother others and that much of society functioning relies on this.

Cause nothing stopping you from buying any of that, at what looks like very reasonable rates.


This is false. Most people will take advantage of any situation where they detect a low enough chance of consequences, regardless of who is hurt. We act good because we don't want to be caught, embarrassed, or convicted and condemned.

It's not that most people want to hurt others. It's just that most people care only for themselves. Source: reality.


Hey, we agree that most people don't want to hurt anyone! I think we're much closer to agreeing than you suspect.

Now, we could quibble about whether people are more likely to help you or victimize you and we could both be right. Or, we could observe that I'm correct about society functioning mostly because people don't mess with other people very much, you could chalk it up to friction and the lack of interest in others, and I will chalk it up to general back-ground good will.


I don't agree that society functions well, and I see people mess with each other almost constantly. Your reality seems nice.


I don’t think that is true. The ‘median’ person has empathy and care, and would not hurt someone even if they could be totally undetected - but there is a large skew, which makes this true for the ‘mean’ person and thus ‘reality’, if that makes any sense.

As an example: a bowl of candy on Halloween with a “take 2 pieces only please” sign on it. Most people will only take 2. A few people will grab a handful. And one person will come along and take the whole bowl.


This is false, too. Those bowls were always empty by the time I got to them.

Edit: ever been at a long line for the bathroom at a big concert or sporting event? Or driven on the roads? There's always someone cheating, often making it more dangerous or painful to be that median person.


If you look at the iterated version of your example, you will see that everyone will tend towards being the guy who grabs the whole bowl, or risk missing out on the candy.

Therefore, the parent poster's argument is actually true, even if the median person believes themselves to be empathetic.


Yes. I'm not saying we choose to be bad. I'm saying we sort of have to, and billionaires get the choice, and still choose to generally do more damage than any of us will ever have the opportunity to attempt.


I’m sorry for the world you live in. It’s not that way for everyone everywhere. I hope you can find your way to some place better.


Me too! Thanks.


I run a company that builds security awareness training software. While we don’t do any hands on hardcore stuff that this hardware would be used for, I still have an interest in keeping up with it, understanding it, and working that understanding into our training curriculums.


I think you are missing nothing.


Judging from the people who I see at DEFCON who follow the "Hak5" people, it's mostly kids and not professionals.


I live in Seattle and have had my car broken into three times. Each time, they steal my iPhone's USB cable. I wonder, could they add cellular connectivity to this cable and use it as a GPS locator?


Sounds like now you should be worried if they "leave" your iPhone USB cable, they might have switched it with one that hacks you.


Are they really breaking into your car just to steal your USB cable or is there other stuff you leave in plain sight?


I'm in San Francisco, so not Seattle, but cars get broken into for the sport of it by this point. A friend's had her window broken and used, gross dog leashes and an old Nokia charger stolen. The lost hours of work to replace the window was the real cost to her dog walking business.


Just park with your windows open if there's nothing they can really take. Repairing the window isn't worth the cost or the time.


As clever as this idea sounds, it's not a good suggestion. I once accidentally left my windows down in SF for 12 hours and my car was essentially stripped clean - headrests, registration, proof of insurance, manual, floor mats - all gone. Additionally all my doors and trunk were wide open.


Sounds horrible and for me it is unimaginable. In Croatia, you rarely hear that a car was broken into even in bigger cities. In smaller towns a lot of people don't even bother to lock their cars.


I suspect it might be due to demand/ability to unload hot goods. Or maybe yall got it good in Croatia and no one feels the desire to go rifling through cars?


I suspect Croatia might have better law enforcement and attorneys than SF does (look up Chesa Boudin)


Ah yes, the solution to crime in the country with the highest incarceration rate, is more incarceration!


If you google "Chesa Boudin" and hit question box marked What Did Chesa Boudin Do? It reveals thus

"Then, in November, Boudin did something no San Francisco DA had done before: He charged a police officer with homicide, for the killing of an unarmed Black man in 2017"

so maybe you're going off a little half-cocked


If you think the only logical conclusion of law enforcement is incarceration, then I feel bad for you and your country.


Why do you think that is?


I think it has more to do with culture than police effectiveness as we are not so popular as a country with good enforcement of law. Croatia is a small country and there is always someone that knows someone even if he is on the other side of the country. So even if somebody steals something from someone, there is a big chance that it is someone you know (he knows when you leave your house, when you get back etc.), so it would be a really big shame if you find out that someone you know stole something from you. Therefore, most thefts are done by Roma people because they are somewhat excluded/isolated from society.


In countries like Croatia the police is busy catching criminals instead of helping them inject heroin, going after mean people on Twitter, or calculating if the robbed amount is under 900 USD and then apologising to the thief and giving him a ride home like the SF police do.


I guess I've never driven a nice enough car. I used to keep my windows down any time I parked along 8th/Harrison and fwiw nothing ever happened to my car, though there were obvious signs of folks rifling around inside. All my documents were kept in a locked glove compartment and I pretty much had nothing stealable in the car without having the car be cased.


That might help in San Francisco, but in Seattle, that's lost hours dealing with a soaked interior.


It may be getting soaked in SF too, but with different kind of fluids


Thanks for the f-shack

- Dirty Mike & The Boys


Yeah this isn't for rainy or dusty environments for sure.


Problem in San Francisco is, you'll get people sleeping in your car if you do that.


Depending on the height of your windows I would think sleeping would be the best thing other people could do to your car.


Not sure why this is getting downvoted. I know at least one person who had to get rid of their car after a stinky street person crashed in it. This is a real thing that happens and once an awful stench has permeated cloth and upholstery there is no easy fix.


> I know at least one person who had to get rid of their car after a stinky street person crashed in it.

Obligatory reference to the Seinfeld "The Smelly Car" episode (one of the few I've actually seen). [0]

[0] https://en.wikipedia.org/wiki/The_Smelly_Car


Dirty Mike and the boys will have an f-shack in there and it will never be the same


I'd fear the associated smell.


San Diego as well; happened to me Monday. Car didn't lock all the way (older car) and they try every handle.

Thankfully they didn't wreck the car or anything. Just laid the seat back.


My friend visited a car break-in prone area in Canada once, and left his car unlocked like his girlfriend suggested. They broke his window anyway, and stole a Minecraft keychain and about $4 in change.

Hilariously he actually got the stuff back eventually


And risk someone shitting in your car? No thanks.


I've never had my car broken into... but most of that was a midwestern city not the coasts, although I've been in San Fran, NYC, and DC.

I have a very messy car. Not rotting food messy, just a lot of clothes and things, often a lot of workout clothes, backup winter clothes, a couple blankets.

Thieves like clean cars. See target, break in, grab, leave. Messy cars are slow, annoying, and induce too much cognitive load.

If I lived in San Fran right now, I would have a shitty car with a lot of clothing in it just for the purposes of covering up things I don't want stolen and being annoying to thieves.


I don't think that would be nearly as big of a deterrent in SF as you'd hope. It seems like nowadays any car that CAN be broken into will be.


Lightning cables are expensive, and Apple is definitely encouraging car theft by not including them in the box anymore.

edit: this was a joke and it got appropriately downvoted. I regret nothing.


I genuinely think HN's emergent property of discouraging jokes actively encourages this kind of misunderstanding and inability to process ambiguous titles using common sense.


A cable that costs $20 - $30 retail NEW doesn't seem worth risking jail time over.


There's no risk of jail for theft in Seattle.

https://crosscut.com/2019/10/whats-seattle-doing-solve-its-s...


And people wonder why there is so much crime...


About half blame poverty/insufficient government handouts and excuse the theft.

About half blame not prosecuting crime.

But no one wonders. Everyone "knows".


You don't need government handouts, you need sane policies that stop making CoL so expensive.


People break into cars to steal pocket change in the cup holder, so a $5 cable isn't outside the realm of what a thief would grab. Especially if they're already in the car.


You may be underestimating how significant $20-$30 is to some people.

Edit: wording.


Are you suggesting a stolen cable brings the same sort of premium as a new one from Apple?

Regardless, I'm not suggesting this at all. My point is that there are likely ways to get something worth so little without risking significant jail time.


You may be surprised to learn that the economics of small scale theft are pretty weird. https://priceonomics.com/why-thieves-steal-soap/


This is kind of my point. I guess I underestimated the demand for iphone cables.


It's worth it for someone. I've had people break into my car for 3 quarters and a half ounce of super glue.


Man, they're selling stolen $25 bottles of tequila on 3rd Ave. Not even expensive stuff is a hot commodity now, especially if you live in a cash world. Most of the stuff the street bazaars sell is straight up junk. A shiny Apple cable is worth it.


It's like soap, which is much cheaper. Both are easily sold.


My car was broken into at 3pm in the afternoon in Austin last summer. Nothing visible. They emptied the console and glovebox.

They stole:

* cheap sunglasses

* tire pressure gauge

* box of bandaids

* my car's USER MANUAL, ffs

* charging cable

They left:

* small envelope with $80 cash tucked under the removable console coin holder.

* all the coins.

So very confused.


Armchair theory: taking the stereotypical idea of "squirrel on crack" both seriously and literally, maybe people on drugs become like bowerbirds with very, very broken interestingness ranking.

All the stuff you mentioned was immediately visible (so no complex problem solving to find it) and would probably look "definitely probably valuable" to a hyped up 5 year old.

Aaaaand thennnn whoever did the stealing probably just sold it all to someone else in _exactly the same condition_ (high on whatever) who also considered it valuable enough to make a fair trade to swap it all for $amount of $thing.

I'm not sure what the balance is, but it's part-hilarious and part-sad that, if this theory is correct, there's an utterly illogical commodity market being sustained by tweaked-out squirrels with half the attention span of a goldfish, leaves people scratching their heads in its wake, and is so confusingly successful people just don't park in certain places.


Not sure about GPS but it includes remote access via WiFi, and some of the cables on offer quote "Long Range WiFi (2 KM+)"


Why can't all my devices have 2km WiFi‽


Because you'd share bandwidth with 100k other people in a city. You'd be glad for the days of dialup.


The cables have 2km WiFi with a directional antenna (presumably on the other end). You could probably get similar range out of most of your devices if your base station had a directional antenna, but that eliminates much of the value for many WiFi applications.


Do you mean something like this - https://www.aliexpress.com/item/1005001759023561.html ? You'd just have to look for a version with the proper connector that you need, that particular example is microUSB but there are similar cables for iPhone.


I think you need to consider an armoured Mercedes


As an aside: somewhat ironic that a shop selling gear such as this has such a large 3rd-party javascript footprint. At least some of that js is required for the page to work, as I'm unable to see pictures of the device. I counted 25 3rd party domains in uMatrix. That's quite the attack surface.


I bought something from them once, and they shared my email address with Facebook to do targeted advertising - that was not something I expected they would do.


How is that ironic? Seems more in-character. Selling a device to steal data, they also extract data from whomever is visiting the site.


It threw a modal at me after enabling scripts and scrolling a bit. Yeah, not reading further.


Oh why thank you. Yes, I just landed on your page for the first time, looking around to see what you got there.

What? If only I give you my email address you will send me info about your page on a weekly basis as if I were the most interested person? And I have no guarantee you won't share my address further? That sounds like an amazing deal! Let me sign up right now, before I even can read a paragraph on your page, I feel like I will definitely not regret it.

--

Seriously, how do these modals still have high enough conversion rate to justify their existence?


You can get pictures if you enable scripts for a couple of shopify domains, but it just looks like an ordinary USB cable, which is kind of the point.


I'm not sure what is scarier, the existence of this cable, or the amount of Javascript that this site tries to run when you visit it. According to my NoScript plugin, it's loading Javascript from at least 17 different domains.


Totally unrelated to this cable, but since you mention it...

I've been trying to build web/single page applications using new ES modules and no build tool, so all dependencies are pulled from their creator/CDN rather than bundled locally. Would this set off flags for a no-script user?


If they use pure noscript with scripts disabled globally, then yes, it’ll just be unable to load the one first-party script.


The more domains you load JS from, the more entities have control over what happens on that page, and the higher the risk that one of those entities is trying to do something nefarious. So yes, loading all the scripts from one place will set off fewer alarm bells, at least for me.
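The point made in the comments above (every extra script origin is another party that controls the page) can be checked on a page's own markup. The following is an added example, not code from the thread or from any site it discusses: it lists the third-party origins a page loads scripts from and counts the tags that carry no `integrity` attribute. The page URL, hostnames and hash value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (all hostnames and the integrity value are placeholders).
SAMPLE_PAGE_URL = "https://shop.example.com/products/cable"
SAMPLE_PAGE = """
<html><head>
<script src="/assets/app.js"></script>
<script type="module" src="https://cdn.example.net/lib/a.mjs"></script>
<script src="//cdn.example.net/lib/b.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script async src="https://analytics.example.org/t.js"></script>
<script src="https://CDN.example.net/lib/c.js"></script>
<script>console.log("inline code has no src and is skipped");</script>
</head><body></body></html>
"""


def origin_of(url):
    """Return scheme://host[:port] with the host lowercased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc.lower()}"


class ScriptCollector(HTMLParser):
    """Collects (absolute_url, has_integrity) for every <script src=...> tag."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = dict(attrs)
        src = attributes.get("src")
        if not src:
            return  # inline script: nothing is fetched from another origin
        # urljoin resolves relative and protocol-relative ("//host/path") URLs.
        absolute = urljoin(self.page_url, src)
        self.scripts.append((absolute, bool(attributes.get("integrity"))))


def third_party_report(html, page_url):
    """Map each third-party script origin to its tag count and the number
    of those tags that have no integrity attribute."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    first_party = origin_of(page_url)
    report = {}
    for url, has_integrity in collector.scripts:
        origin = origin_of(url)
        if origin == first_party:
            continue
        entry = report.setdefault(origin, {"scripts": 0, "without_integrity": 0})
        entry["scripts"] += 1
        if not has_integrity:
            entry["without_integrity"] += 1
    return report


if __name__ == "__main__":
    for origin, entry in sorted(third_party_report(SAMPLE_PAGE, SAMPLE_PAGE_URL).items()):
        print(origin, entry)
```

This only sees script tags present in the static HTML. Scripts injected at runtime or imported from inside a module are not counted, so a request-level tool such as uMatrix or NoScript will usually report more domains.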


Been a follower of Hak5 since way back in the day. Even crashed at the hak house with Darren a long time ago. Cool to see them here since they actually hack stuff haha.


Was very fortunate to meet Darren, Shannon, and Patrick Norton at Defcon in 2019.

It was surreal to see them and even though I probably acted all nervous around them (still kinda had a crush on Shannon even after all these years) they were beyond nice and friendly.

They were super busy selling their kits (these OMG cables were being sold unofficially as well lol) but they took the time to chat about the history of Hak5(TechTV in the case of Patrick) and to take pics. All around a superb bunch of folks.

It's crazy to think they have been doing Hak5 for like what 15-16 years now?! So many great memories all thanks to their hard work.


I've been going to DefCon for many years and the hak5 merch booth is the first stop for all newcomers (myself included). Long lines and people handing over fists-full of cash.


I did my part and purchased something. :P

Seems like they get a big chunk of their yearly revenue from Defcon sales. Makes sense as I bet a lot of hackers might just want to do an in person transaction and this is the perfect opportunity to do so.


Totally! Cash only, no CC trail or delivery address. I lived in Charlotte NC for a brief period and I bought some lock picks from a "spy outlet" store in a mall. They scanned my driver's license and said they needed to keep it on file for a year. This was ... 1992 maybe? Yikes today.


After looking at that product page and seeing how something that looks innocuous can be so insidious, does anyone else wonder just a bit whether the page is not so innocent and visiting it may have been a mistake?


Hak5 is legitimate. They sell all kinds of pentesting equipment, and most of it is good. It's mostly just small ARM linux "boxes" with some Bash scripts on top, though things like the WiFi Pineapple will (attempt) to break wifi passwords for you (https://shop.hak5.org/collections/sale/products/wifi-pineapp...)

For lack of a better use (just a hobby for me), I use a Screen Crab (https://shop.hak5.org/collections/sale/products/screen-crab) along with a Key Croc (https://shop.hak5.org/collections/sale/products/key-croc) for a poor man's KVM to my headless server :)

I don't know about the omg.lol page :)


yep.

chrome is now showing me a new "you added this to your cart" feature on my new tab page. it says i have added that product to my "cart".

that page is obviously doing something but i can't say anything evil.


Yes, I had that thought too. However, I was glad to learn of its existence so at least I know what is scarily possible.


That would be shooting yourself in the foot really. Hackers hacking hackers?


This makes me miss older, simpler protocols. Sure, a parallel cable could also be compromised to snoop but at least it couldn't pretend to be some other device or install rootkits.


Challenge accepted. Any time you have physical access (especially HID), you have the potential for exploits.

I couldn't find much for parallel port hax (in 5 min googling), but I'm sure it's been done. Probably too old to be documented on the shallow web.

https://www.quora.com/Can-a-computer-be-hacked-through-a-PS-...


That's because it isn't a cable, it is a computer.

In the 1980's I worked with CAD/CAM software that required hardware dongles on parallel ports as an anti-piracy measure. That probably could have been exploitable: e.g., instead of returning the security response, cram a ton of data and cause buffer overrun on their 80286 + DOS5 application and smash the stack. It would be fun to go back in time and see just how vulnerable that software was.


Sure it can. In the golden days of parport we've used parallel port device autodetection based on Device ID. There was a lot of place in the plug to use for a microcontroller in the end of the parport times.


When Apple inevitably removes all physical ports from some future iteration of iPhone, I wonder if they’ll use the existence of tech like this to market the change as a benefit to security.

I’m simultaneously impressed, curious and disturbed.


I still don't understand why they even have a USB connection on the iPhone. I have not attached a cable to it for years. Wireless charging, Bluetooth headset, and all other Bluetooth devices. iCloud backup as well as government spyware called CSAM never needed a cable.


I still use the 3.5mm headphone jack over Bluetooth, because of the price of Bluetooth headphones, and also not having to ever worry about battery life. The only downside for me is that I can't use the headphones, and charge and walk around, but that's a lot less annoying than the other things. And with Bluetooth, there tends to be brief pauses (<1sec) where I can't hear anything.

I also use my phone as my computers webcam. It's way better wired than the wifi for me (which honestly shouldn't be true, but).

I almost never use wireless charging, because it takes longer to charge, is everyday inefficient, and most people don't own wireless chargers. And even if they do, it's never in as many places as normal chargers. On an old phone, I ruined the port and had to only use wireless charging, and it was so annoying.

And app development is so much nicer when you have a USB connection. When I lost the ability to do so, coding was a good amount more work


I use the USB connection every day to do iOS development. A high bandwidth reliable wired link is a very nice thing to have for dev.


They can sell developer phones if needed. The percentage of developers probably is not even 0.001%


It was my firm belief that many of the angry mobs at vote counting offices around the 2020 elections were cover for planting these types of devices. That is very much out of the Roger Stone playbook. The lack of anomalies has shaken that belief… but I do hope that the existence of these types of devices is included in security training for future polling staff.


Hak5 makes some great stuff, but yeah: how hard would it be to swap the vote counters' USB sticks with Hak5 BashBunnies loaded with exfiltration software if their protocols suck to begin with? I really hope there are root of trust procedures.


The only true defense is a paper and pencil (why pencil: Disappearing ink).


[flagged]


Be nice if convicted felon Roger Stone or his guy had ever presented evidence of that in a court room. In federal court it's sanctionable for a lawyer to lie to the court. Did you notice that Sidney Powell, the former guy's attorney, was sanctioned and referred to the bar for disciplinary action for providing fraudulent information in court in connection with a 2021 presidential election related lawsuit? Not a good look for someone who claims to have been cheated.


I want to need one of these things. Pranks on my friends are difficult with a lockdown and permanent wfh status, so I’d need a better reason. Can anyone think of non evil uses? My imagination is stunted I guess.


Mine is too, I can only come up with prank ideas.

I do wonder how thoroughly they vet their customers, and what silly things I could get up to with one.


I'd be afraid to prank someone with a tool like this. It seems like it would be easy to unintentionally hack said friend or at least make them believe that you might have hacked them.


Couple legitimate uses could be to test a driver or "port mirror" for debugging. (It does more than just keylog... eg. logs raw HID reports)


This is one reason I prefer good old 3.5mm audio jacks in my phone. I have no fear of putting any headphones or adapter in that port.


That's the port that Square uses for transmitting data. ;-)

https://stackoverflow.com/questions/2181476/bandwidth-from-h...


Wait until you learn that some phones have serial access through the headphone jack.[1][2] I don't know much about it yet, but I assume it can be exploited in some way, under some circumstances.

[1] DOWN THE RABBIT HOLE AND BACK OUT AGAIN: SERIAL OVER HEADPHONE JACK https://hackaday.com/2016/10/21/down-the-rabbit-hole-and-bac...

[2] A better audio jack console cable for Google Nexus devices http://www.pabr.org/consolejack/consolejack.en.html


Ignorance is bliss


Yet another reaffirmation that physical access is game over.

"But the case is locked!" Are the peripherals? Even if the case connectors are locked away behind a bird-box/knockout, if someone left one of these dangling unplugged off of the keyboard, do you think your field technician won't unlock the box and plug it right back in?


Took me a moment to realise, but this is for keyboards, not iPhones. I don't think (?) anybody can access anything from an iPhone using an evil cable (using publicly-known attacks).


I’m kind of surprised that Apple doesn’t encrypt keystrokes between its keyboards and the host machine, given that they have the capability to enable the keyboard to authenticate the host using PKI.

Maybe this is on their todo list.


So we can’t use third party keyboards with Apple devices? No thanks.


That’s...not what parent typed. Use whatever keyboard you like, but you’ll only get E2EE with an Apple keyboard.


The cable claims that it's a random 3rd party keyboard when it talks to the Mac, the cable claims it's a random non Apple device when it talks to the keyboard, the keyboard falls back to non-encrypted mode as it's not on a product that supports it.

Man in the middle is hard to prevent when you need to be compatible with incredibly broken insecure legacy protocols.

Apple could maybe go the route that all new Apple keyboards only work with new Macs and iOS devices, but that would mean that they can't work with any existing Apple hardware or third party systems.


I guess the MITM attack could be mitigated in the OS by showing an "encrypted keyboard connection" UI indicator of sorts. Assuming the MITM hardware doesn't exploit a vulnerability in the OS to incorrectly show that indicator. ;)


And does Apple care? Unlikely… Preventing MITM cable hacks is not a common use case.


You kind of get that with Bluetooth keyboards.


The boot ROM of iPhone 8 and older has a publicly known exploit. If you plugged your phone in to charge, and then it spontaneously rebooted, how much forensic digging could you actually do?

How much are you willing to bet that there's not a private exploit against newer iPhones? Not in terms of dollars, but in terms of private data that Apple's iPhone that you're renting from them has access to.


These are more general purpose than just those attacks. The author of the firmware has demo videos of cables attached to Android and iOS devices that, when the payload runs, open the system browser and load a specific page. Depending on what you can do with a web page at any given time on those devices, it could be a springboard.

You could also do some passive/active data gathering. On Windows when you plug in an iOS device, if the device trusts the computer it will allow it to access all the photos and videos on the device. The cable itself could then start grabbing those images and sending them over the WiFi link. I don't know if these cables support that, but the concept is valid.


I would advise a trip to MG's own site that has a lot more technical information on the cable:

https://mg.lol/blog/

It's kind of cool to see someone I've been following for years and seeing the whole dev cycle of this product.

His exploding USB drive was pretty cool and came before this idea:

https://mg.lol/blog/mr-self-destruct/


The trick is, you can't buy this particular one because you just don't know what it does exactly.

I have tried to make a cable like that in the past but the best I got was to hide the electronics in what looked like a bead. Unfortunately, this only really works with USB-B devices where users are already used to having beads on the cable, which for practical purposes limits attacks to printers and older scanners.


I remember about decades ago that keyloggers would be very scary and powerful because your only defense was your password, and you couldn't know someone was logging in at the same time as you if you were not aware of it.

Nowadays, with 2FA and all the big companies doing extra security check up when they see something wrong with the login patterns ... I don't see the use of keyloggers anymore.


Even if 2FA prevents you from logging in, you still get A LOT of information from a keylogger.

You know the content of all the emails this user writes. You know the websites they visit. Based on the 2FA auth key they use, you may find out what kind of system it is.

A great start for social engineering. The target user writes an email to someone and the day afterwards you can fake call them and pretend to be the recipient of the email (you have all the information). If you're lucky they wrote an email to management and now you can pass orders in this call.


I can assure you keyloggers still work very well at most major companies.

Maybe in a couple more decades they will have begun to use basic defenses already available.


Just visiting this created a Cart on my chrome new tab page for Hak 5. Must be a new feature on Google Chrome. Just FYI


Can somebody recommend good charging cables with the data lanes disabled? Would put my mind at ease when I'm traveling.


You could do that, but then you'd need to forgo USB Power Delivery, Qualcomm quick charging, etc.

One thing I've heard other comments mention here is a USB condom (USB data blocker). It's just a male to female adapter with only the power lines patched through, not data lines.


If you have a powerbank with you (which may be empty), you could also charge the powerbank using the untrusted power source, and at the same time charge the phone via powerbank to "sanitize" the source. This way you could still benefit from quickcharging.


Yep, this is what I usually end up doing while traveling. The battery doesn't care about the data lane even if the charger is somehow malicious, and my devices get pure juice.


Do you have references for powerbanks that support QuickCharge?


Most of them do nowadays. I used both Anker and Xiaomi and both were excellent.


I can vouch for usb condoms.

Not only do they allow safe use of Arbitrary power ports but they also allow me to charge my phone from my laptop without syncing for updating things…


USB condom LOL :D

Got any links for those?



Thanks for exercising being snarky!

I very obviously meant concrete brands and models that people would recommend.

I'm touched that you think I can't search for stuff on the net. :D


Your "very obviously" wasn't read that way here.

SyncStop and Int3.cc seem to be popular. The latter is recommended by Bruce Schneier here: https://www.schneier.com/blog/archives/2018/12/bad_consumer_...


Something like this; it is an adapter with data lanes removed, for charging in public places. There are other tools like the ones listed on the hak5 site also. https://maltronics.com/products/usb-protector The guy running the site also has a YouTube channel focused on security related tech news https://www.youtube.com/c/Seytonic/featured.


I can't find any on Google that specifically are made without the data lane. Maybe these magnetic ones don't do data[0]. Could also try burning the data lanes on the lightning part of the cable[1] (although you might have issues if it's a lightning-to-C cable, I would guess it uses the data lanes for power negotiation).

0: https://www.alibaba.com/product-detail/3-in-1-cable-led-ligh...

1: https://nyansatan.github.io/lightning/


Good warning, thank you.

I don't care much about quick charging when in a hotel room though. I just want to make sure my phone isn't being probed while I'm sleeping.

And when I need quick charging, I have the right cables and a strong external battery.


Reminds me of the 2013 blog post of Panic in which they discover the Lightning to HDMI “adapter” was in fact a small computer performing transcoding to HDMI. It was much larger and bulkier than O.MG, but another example of a hidden computer in a place where one might expect just some simple wires.

https://panic.com/blog/the-lightning-digital-av-adapter-surp...


These are normally made with something like an esp32 squeezed into the plug.

To exfiltrate data by WiFi, there is a neat way to get data out... Just have the esp32 connect to all unencrypted WiFi networks in turn and send the data out via a DNS tunnel.

Then the attacker can provide their own WiFi network, but it will also work with airplane WiFi, cafe WiFi, guest networks, etc.

And obviously with DNS tunnelling it works against WiFi networks that require a 'sign in' after connection, even without signing in.
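From the defender's side, the DNS-tunnel exfiltration path described in the comment above is visible in resolver logs on a guest or captive-portal network: one client sends many distinct, long, high-entropy names under a single domain. The following is an added example, not code from the thread or from the product's firmware. The log format, addresses, domain names and thresholds are constructed assumptions, and the base domain is taken as the last two labels (a production version would use the public suffix list).

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed resolver log, one '<epoch> <client-ip> <qtype> <qname>' per line."""
    lines = []
    ts = 1630600000
    # Ordinary browsing from one client.
    for name in ("www.example.com", "mail.example.com", "www.example.com"):
        lines.append(f"{ts} 10.0.0.23 A {name}")
        ts += 5
    # Many distinct but short names under one domain (CDN-style sharding).
    for i in range(1, 7):
        lines.append(f"{ts} 10.0.0.23 A img{i}.cdn.example.net")
        ts += 1
    # Tunnel-like traffic: each query carries a 20-byte chunk as one base32 label.
    for i in range(6):
        chunk = hashlib.sha256(b"constructed-chunk-%d" % i).digest()[:20]
        label = base64.b32encode(chunk).decode().lower()
        lines.append(f"{ts} 10.0.0.66 TXT {label}.tunnel-demo.example")
        ts += 2
    lines.append("malformed line that the parser must skip")
    return "\n".join(lines)


def shannon_entropy(text):
    """Bits per character of the empirical character distribution."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in Counter(text).values())


def split_qname(qname):
    """Split into (subdomain, base domain); base is the last two labels (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse(log):
    """Yield (ts, client, qtype, qname) for well-formed lines only."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def find_tunnel_suspects(log, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Flag (client, base domain) pairs whose subdomains are numerous, long and random."""
    groups = defaultdict(set)
    for _ts, client, _qtype, qname in parse(log):
        sub, base = split_qname(qname)
        if sub:
            groups[(client, base)].add(sub)
    suspects = []
    for (client, base), subs in groups.items():
        if len(subs) < min_unique:
            continue  # a single long name is not a channel
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(s.replace(".", "") for s in subs))
        if avg_len >= min_avg_len and entropy >= min_entropy:
            suspects.append({
                "client": client,
                "base": base,
                "unique_subdomains": len(subs),
                "avg_len": avg_len,
                "entropy": round(entropy, 2),
            })
    return sorted(suspects, key=lambda s: (s["client"], s["base"]))


if __name__ == "__main__":
    for suspect in find_tunnel_suspects(build_sample_log()):
        print(suspect)
```

The CDN-style names in the sample are numerous but short, so they pass; requiring all three signals together is what keeps ordinary sharded hostnames from being flagged.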


I fantasize all the time about buying stuff like this and using it for nefarious purposes.

Unfortunately the only real legit use for it is boring security work.

The best way to use this while avoiding big legal trouble would be to stalk a single target that would never have any idea they are being stalked and doesn’t have much resources to come after you legally. Maybe an ex-girlfriend or something.


Would they really need many resources to take legal action? What you're describing is illegal. They could simply call the police if they found you out.


Gotta prove it.


That opening line of needing a million dollar budget, LOL. If anyone follows @_MG_ you'll know that this has been a very long project that's really not been that expensive. The dude dropped a load around Defcon, then Hak5 came in and said hey, we can charge an arm and a leg for these...


The quoted price refers to https://en.m.wikipedia.org/wiki/File:NSA_COTTONMOUTH-I.jpg (although admittedly for 50 units. Bargain!)


This is incredible.

I remember in the early days of the web getting a copy of the Anarchist Cookbook. One idea was to glue the phosphorus material from a match stick to the spinning portion of a floppy disk. Of course that was a n00b level hack.

We've come a long way since then...


Does it work like a normal USB Cable, so can you still charge your phone with it and connect it to the PC?

Couldn't find this information. If yes, you can just switch someone's cable in his bag and attack him with that. We need to be very careful in the future with our cables...


I'd be more than a little nervous ordering one of these cables from a company whose sole job is creating spyware. If they're okay with spying on their customers' customers why wouldn't they spy on just their customers too?


I feel like there are some clever uses for this that aren't even security related.


The product description does a really poor job of explaining what this is to someone who has never heard of it. It's just a wink-wink-nudge-nudge reference to some DEFCON talk.

Can someone explain what this is? Is it a hardware keylogger?


It can also do keystroke injection.


You should use a data blocker when using an unknown USB cable to charge your phone. Occasionally described as a USB condom.

Simply a Male to Female USB adaptor with the data wires not passed through.


Is that USB-PD compatible?


The "USB condoms" I know are USB2/3 only which means there isn't any form of PD negotiation anyway, and the oldschool Qualcomm Quickcharge and Apple's negotiation won't work either as these depend on D+/D-.

A decent USB-C condom would also have to cut not just the USB2 D+/D- line, but also the USB3 SS and SBU lines... the really interesting thing is the CC wires, since without these you can't have reversible connectors, but not cutting them leaves an avenue for attackers (e.g. putting a USB-C port into JTAG mode). And on top of that USB-C PD 1 used the Vbus line with an overlaid HF signal.

That means a decent USB-C condom will need:

- a low-pass on the Vbus line to block PD1

- cut D+/D-, SS, SBU

- cut CC1/CC2 and insert an as-dumb-as-possible controller chip to handle plug orientation


What I hear from you is that a decent USB-C-condom needs to be a smart "MITM" device that has sufficient internal logic to proxy the power negotiation between devices at both ends.


You don't need orientation handling if you've cut all the other signals, so...

Power negotiation is also not a big problem. Just use a correct resistor on the CC pin and you can make the phone use up to 5V/3A, which is plenty for any smartphone. You'd have to make sure to use a 5V/15W capable power source, though.


> You'd have to make sure to use a 5V/15W capable power source, though.

... which precisely is something I cannot make sure on a device where I'm tempted to use a USB condom, and it won't be useful at all for laptops.


I actually learnt a lot from these comments, so my thanks - USB-C is still just a mirage on the horizon for me, so not something I have considered deeply.


So use Sink.Default instead, and live with 5W, that all USB power sources support.

Security is inconvenient.


I have not seen one that is. You can block data access and revert to USB 2-level power "negotiation" with a couple of passives and that is all I've seen anyone do.

I did look into designing one a few years ago. The PD negotiation is quite complicated (and is done through the signaling lines, so you have to manipulate them yet block all other uses).

That was early days for USB C -- there may be better chip support for doing that today.


I don't get what these can be used for. Is the idea to swap it out with your victim's iPhone charging cable and use it to exfiltrate photos and stuff from the iPhone?


One thing cables are good at is being long enough to act as great antenna. It makes sense the wifi range is 2KM.


> "self destruct" features that involve wiping the onboard flash memory

Had an entirely different image in mind.


Not sure why the data industrial complex is not yet giving cables for free around malls, schools, etc.


Other than state against state actors what are legitimate use cases for this type of spying?


Can you write custom code for this thing? I actually have some non-nefarious use cases...


The product pages mention custom payloads, in some of the images it looks like some variant of the DuckyScript used in some of the other hak5 products. It likely depends on if what you want to do is supported or if it would need changes to the firmware to accomplish.


They sell a programmer for it, so probably!


Interesting. I'm not sure if that is for pre-programmed payloads or not


As was posted in a separate thread, you might look at http://tomu.im/ too


Those are pretty cool. One of the big use-cases for me is small-form-factor USB-passthru sniffing, however. I don't think any of the Tomu devices have that but would definitely be an option if so.


We can't even trust our own cables. How do we combat this type of attack vector?


Buy your own cables, and as you unwrap them, secure a tamper seal around them in some way. Commit the tamper seal codes to memory. Only then can you be absolutely sure.


Scary that this is available to almost anyone now!


I wonder what happens if you fly with one of these.


I would expect nothing, because the security we put ourselves through is nowhere close to sophisticated enough to notice.


I'm pretty sure this would look kind of weird under xrays. They probably see thousands of cables and it'd be pretty easy to spot the difference.


Standard Apple cables already have a chip inside, and USB 3.1 cables are also supposed to have chips inside.

I would also assume they are not paying enough attention to even notice, there is no regulation against them so there is no reason to even train to notice differences in USB cables.

> They probably see thousands of cables and it'd be pretty easy to spot the difference.

If anything seeing thousands of cables will make them less likely to notice anything, change blindness is a real problem in jobs like that.


They see thousands of cables and probably don't give any a second glance for the bare few seconds they gaze at each bag, an extra IC or two in the connector or not.

The sheer volume of bags that get run through those x-ray machines in a shift, and the time given to look at each one precludes too much fine grained inspection, especially for something as minor as cables.

Airport security is pretty dismal at detecting actual weapons or contraband, why should they be any better at noticing a slightly different cable?


The TSA agent making $25/hr who was formerly a line chef or retail worker or correctional officer or whatever is not sophisticated enough to tell the difference. Suspicious computer cables don't cause planes to fall out of the sky, and that's about all that agency even pretends to care about.


Yes, perhaps. And so the day (after) someone brings down a plane with a non-standard cable, they'll start looking for cables that 'look kind of weird'.


Most likely nothing in most countries. At least that's what my experience was with something way more suspicious – pouch with a lead layer, I use it for transporting film so it won't get damaged by xrays. Around 60% of the times no-one even says anything about it despite the bag looking like a huge square on their screens.

I don't think transport security people would care about any small tech stuff until something happens inflight because of it.


This is crazy! Everyone can be James Bond today


But will it charge my phone?


War is peace. Freedom is slavery. Ignorance is strength — George Orwell, 1984.


hak5!!!

Such a classic tech podcast. So cool to see them still around.


That is just evil.


HOLY mother of external linking!

This page pulls stuff off 44 domains!


OMG!


Oh My God!



