Archives: October 2007

October 31, 2007

Decrypting GSM

Check out this video from last August's CCC Camp. It describes using a Universal Software Radio Peripheral (USRP) to record GSM messages and then using an FPGA to defeat, in the span of a couple weeks, the A5/1 encryption that secures an encrypted GSM channel. By spending a couple months to precompute a 5 TB lookup table, you could bring the decryption process down to just a few minutes.

First half of the talk is an introduction into GSM interception. Second half presents a new method for cracking the GSM encryption A5/1. This is a new attack that can crack any encrypted channel (SMS, Voice) within 3-5 minutes regardless of how long the conversation is (e.g. can crack a telephone conversation that only lasts 4 seconds).

Now, most of us won't be running out right now to grab an FPGA and a software radio so we can start cracking GSM voice conversations and SMS messages, but the actual discussion of how GSM works and how the team went about putting together a real-time cracking method for A5/1 is fascinating. What's really crazy is that for a few thousand dollars, anyone could really set up a GSM recording and cracking system. This isn't just NSA or government-funded spy stuff.

At about the 19 minute mark, Steve talks a little about how mobile identification and position information is transmitted. If you've ever called the phone company to track down a stolen phone, you've probably been told this isn't possible. Turns out that if you've had a phone lost or stolen, it actually transmits its position information _all_the_time_. So, technically, your network operator should be able to tell you the phone's location to within 200 meters.

The A5 Cracking Project - [via] Link
GNU Radio - Link

Posted by Jason Striegel | Oct 31, 2007 09:05 PM
Cryptography, Mobile Phones

October 30, 2007

Ionic wind heatsink

Inventgeek has a slick DIY heatsink project. It's completely silent, unlike the traditional CPU fan. With a $24 ion generator and a few items that you can pick up at the hardware store, the device is able to generate an ionic wind that pulls air through a traditional heatsink. The whole thing costs under $60, is completely silent, and puts tens of thousands of volts of static electricity an inch or two from your CPU.

The Ion Cooler 3.0 - Heat Sink - [via] Link

Posted by Jason Striegel | Oct 30, 2007 09:06 PM
Electronics

October 29, 2007

WikiPediaVision

Here's another fun real-time Google Maps mashup, inspired by flickrvision and twittervision. WikiPediaVision displays recent anonymous edits to WikiPedia, showing you the article being edited, and where on the globe the edit came from. It's a nice way to passively graze interesting topics that someone else just got done thinking about. Why are these simple little maps hacks so addictive?

WikiPediaVision - Link

Posted by Jason Striegel | Oct 29, 2007 09:38 PM
Google Maps

October 28, 2007

De-anonymizing Tor and Detecting Proxies

Catch this article over at ha.ckers.org regarding an easy way to bypass most anonymizing proxies (such as Tor) and figure out the true origin IP of a web surfer. Plugins such as Java or Flash can be written to make a socket call back to the server. Since the plugin isn't making a normal HTTP request, it ignores the proxy settings of your browser and connects directly to the server.

This code (it takes several seconds to load) uses a piece of JavaScript to instantiate a Java socket call back to the origin site. In doing so it bypasses the proxy settings of the browser, allowing you to de-anonymize people using proxies. It works great for Tor or just about any HTTP proxy that I can think of. Cool stuff.

Ouch.

A safer anonymizing solution might be to route all traffic through a transparent proxy, while also blocking all traffic not destined for port 80.

De-anonymizing Tor and Detecting Proxies - Link

Posted by Jason Striegel | Oct 28, 2007 07:55 PM
Network Security

October 27, 2007

Accelerometer Mouse

David writes:

Bernard shows us how to use an accelerometer as a mouse. This project uses a MEMS X/Y accelerometer, a PIC microcontroller and an old mouse. He also describes a trick for powering the new mouse with the unused RS232 serial control lines.

This is a great idea. My optical mouse is always goofing up on my desk's wood grain and traditional ball mice, well... they suck. Word has it that Apple's next Mighty Mouse is going to be accelerometer based. Why wait when you could build your own?

Accelerometer Based Mouse - Link

Posted by Jason Striegel | Oct 27, 2007 10:17 PM
Electronics

October 26, 2007

FlockBots

FlockBots, created back in 2005, were the product of the Evolutionary Computation Laboratory at George Mason University. The concept was to create an open-hardware reference platform for small, sub-$800 robots that could be used in education and swarm research. I was noticing this afternoon that the project's wiki doesn't seem like it's been updated in a couple of years, but the build information and pricing are still relevant. And they still remind me of a tiny Dalek army.

One thing that has changed is the available processor and motor controller technology. The original FlockBots are built around a 200MHz Gumstix board connected to an Acroname Brainstem motor controller. Peeking at the current Gumstix offerings, you can build your own FlockBot at about the same price point using the 400MHz Verdex motherboard, Robostix motor controller, and a choice between a Bluetooth or Wi-Fi uplink.

FlockBots Wiki - Link

Posted by Jason Striegel | Oct 26, 2007 08:30 PM
Electronics

October 25, 2007

OS X Finder.app string tweaks

If you want new folders instead of untitled ones, or if you prefer to have a copy of a file instead of a file copy, it's pretty simple to tweak some of the localization text that Finder.app uses.

Just view the package contents of /System/Library/CoreServices/Finder, and then open Contents/Resources/English.lproj/Localizable.strings in TextEdit. Inside, you'll find the contents of various messages and default names used throughout the OS X Finder interface.

You can tweak a lot of things in there, but two of the most useful are the default new folder name (normally "untitled folder") and the name given to files that are created using the "Duplicate" menu item.

So, you can change:

"N4" = "^0 copy";
to
"N4" = "another ^0";

or maybe change:

"N2" = "untitled folder";
to
"N2" = "name me";

Aside from a goofy hack to mess with a coworker, one thing that could be useful would be to prefix new or duplicate files with an underscore or a couple of zeroes. This makes them sort to the top, where they are easier to find in a large directory. Just make sure to make a backup of the Localizable.strings file in case you later decide you like things better the way Jobs intended them.

Change the Finder's default name for duplicated files - Link

Posted by Jason Striegel | Oct 25, 2007 07:10 PM
Mac

October 24, 2007

iPhone "revirginizing" tool

If you bricked your iPhone by updating an unlocked device, the iPhone Elite dev team has a tool that will restore it to its initial virgin state. It will safely back up and then restore the seczone area of the phone, undoing the bug created by the initial unlock code.

RevirginizingTool - Link

Posted by Jason Striegel | Oct 24, 2007 06:19 PM
iPhone

October 23, 2007

Secret Photoshop shortcuts

WebDesignerWall has a big list of undocumented Photoshop shortcuts that you might find useful. Most notable are scroll wheel zooming by holding down Cmd+Opt, scroll wheel document panning by holding Cmd (or Cmd+Ctrl to toggle between left/right and up/down) and, my new favorite, moving a selection by holding the spacebar while dragging. The latter lets you reposition the top-left location of the marquee while you are still making it, which is about as useful as it comes when you are trying to select something to the exact pixel.

Photoshop Secret Shortcuts - Link

Posted by Jason Striegel | Oct 23, 2007 07:42 PM
Photography

October 22, 2007

iPhone OpenStreetMap

If you have a jailbreak'd iPhone, you can update the Maps.app database with tiles from OpenStreetMap. Mikel Maron figured out how to update the Maps sqlite DB and was able to import the street tiles for London.

My first idea was to modify the configuration or constant that the Maps App used for constructing Google Maps tile requests. Andrew helped with decompiling and pointers to other files, but we had no luck as yet. But looking at the app or at the GMM module in a hex editor, there appeared to be SQL inserts of tile pointers .. perhaps Maps was using a database to cache requested tiles. Searching through the filesystem found MapTiles.sqlitedb. That db has just two tables..

This is slick. You still use the built-in Maps interface, but you can add whatever you like to its database. Technically you could alter the database with any map tiles you like. One idea would be to make an alternate database file and fill it with topo-maps. Just swap the file out and you can use the Maps application when you're backpacking.

OpenStreetMap on the iPhone - Link
OpenStreetMap - Link
SQLite Tutorial - Link

Posted by Jason Striegel | Oct 22, 2007 06:47 PM
Google Maps, Mapping, iPhone

October 21, 2007

DSMidiWifi - Nintendo DS wireless MIDI controller

The DS Music Interface (DSMI) is a collection of tools that will allow you to use one or more DS devices as wireless MIDI controllers. Using the touchpad on your DS, you can control a MIDI capable music instrument or MIDI-driven visualization software. Using DSMI, the DS can also receive MIDI events. This can be used to drive the built-in Gameboy sound generator, or as control input in your homebrew applications.

The Nintendo DS hardware offers a variety of possibilities for creating music as well as interacting with music. TheRain first had the idea of using the DS as a MIDI controller and created the DSMIDI, a DS cartridge that adds a standard MIDI port to the DS that can be used by homebrew DS software.

But since making a DSMIDI requires soldering skills and is rather dangerous, we came up with another idea: Using the DS as a wireless MIDI controller. The MIDI signals are sent to the computer via Wifi, and a server program forwards them to MIDI applications.

Later, support for natrium42's DSerial was added, enabling MIDI input and output via standard oldskool MIDI cables.

The project's primary applications are a touchscreen-based keyboard and a 2d "Kaos" pad. These are built using the included libdsmi library, which you can use to add MIDI controller or MIDI client capabilities to your own homebrew DS apps.

Wireless and wired MIDI for the Nintendo DS - Link

Posted by Jason Striegel | Oct 21, 2007 08:22 PM
Gaming, Music, Retro Gaming

October 20, 2007

Windbelt: elegant non-turbine wind generator

One of the problems with traditional turbine generators is that they are only really efficient and cost-effective at large scales. They may be great for feeding the grid, but a wind turbine will never be an efficient, cheap, and portable device to power your cell phone or charge a radio. Shawn Frayne's invention, the Windbelt, does not have this problem, and its mechanical simplicity makes you smack your head and wonder why this hadn't been thought of before.

There's no gearbox -- just a thin belt strip stretched taut with a button magnet at one end. When the wind blows, the belt begins to oscillate, moving the magnet in and out of a coil to generate an AC current.

Shawn's Windbelt was one of the award winners in Popular Mechanics' 2007 Breakthrough Awards. They have a video of him discussing his invention and using the prototype and a few dollars' worth of electronics to power some LEDs and a clock. He hopes that cheap Windbelt-powered LED lighting will eventually be able to provide an environmentally sound and easily serviceable home-lighting alternative in developing nations. It's such a brilliantly simple design. You can probably build one yourself before the weekend is through.

Windbelt, Cheap Generator Alternative, Set to Power Third World - Link

Posted by Jason Striegel | Oct 20, 2007 09:43 PM
Electronics, Energy

October 19, 2007

UPnP: change a router's firewall rules from a client machine

Universal Plug and Play support is available on most modern wireless and DSL routers. Among other things, it allows client machines on the local network to remotely configure the router's port forwarding, typically without authenticated access.

Adrian Crenshaw has a nice screencast which shows how to detect UPnP capable devices on your network and how to use the PortForward utility in Windows to remotely configure port forwarding for routers on your LAN.

After looking at this, you'll probably come to the conclusion that, while convenient, unauthenticated UPnP is pretty dangerous. It allows someone who has momentary access to your network to easily reconfigure your router to punch holes through its NAT firewall. This could be someone on your wireless network, or it could be as simple as a malicious program that you accidentally execute on your own machine.

Fortunately, most routers allow you to disable UPnP, and you should probably take advantage of this and turn off UPnP on your devices now.

UPnP Port Forwarding and Security Screencast - Link
UPNPScan - Link
UPNP PortForward (exe, source and documentation) - Link

Posted by Jason Striegel | Oct 19, 2007 08:46 PM
Network Security, Windows

October 18, 2007

Remote snapshot backups with rsync and Samba

Thanassis Tsiodras writes:

What would you do if you had to automatically backup a remote Linux box (e.g. your web server), and all you had locally was Windows machines? How about this:
  1. automatically expanding local storage space
  2. transmissions of differences only
  3. automatic scheduling
  4. local storage of differences only
  5. secure and compressed transfer of remote data and
  6. instant filesystem navigation inside daily snapshot images

I covered all these requirements using open source tools, and I now locally backup our 3GB remote server in less than 2min!

We've all used Samba and rsync before, but Thanassis has really put all the pieces together into a complete backup system that's superior to a lot of commercial products I've seen.

The really impressive bit is how easily he's doing snapshot images using filesystem hardlinks. You can save several days' worth of snapshots at very little cost because additional space is only taken up by files that have changed. Using hardlinks, identical files from different snapshots all point to the same inode.

root# mount /dev/loop0 /mnt/backup
root# cd /mnt/backup
root# rm -rf OneBeforeLast
root# cp -al LastBackup OneBeforeLast
root# cd LastBackup
root# rsync -avz --delete root@hosting.machine.in.US:/ ./

The "cp -al" creates a zero-cost copy of the data (using hardlinks, the only price paid is the one of the directory entries, and ReiserFS is well known for its ability to store these extremely efficiently). Then, rsync is executed with the --delete option: meaning that it must remove from our local mirror all the files that were removed on the server - and thus creating an accurate image of the current state.

And here's the icing on the cake: The data inside these files are not lost! They are still accessible from the OneBeforeLast/ directory, since hard links (the old directory entries) are pointing to them!

In plain terms, simple navigation inside OneBeforeLast can be used to examine the exact contents of the server as they were BEFORE the last mirroring.

Just imagine the data recovery headaches you could solve by adapting that to a cron job that shuffles a month's worth of nightly backups.
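
One way that nightly shuffle could look, generalizing the two-directory "cp -al" scheme above to any number of generations. This is an added example, not code from Thanassis's article: the function names, the snap.N directory naming and the argument order are assumptions, and it relies on GNU cp for -al.

```shell
#!/bin/sh
# Hardlink snapshot rotation (constructed example; names are assumptions).
# Layout under ROOT: snap.0 is the live mirror, snap.1 .. snap.(KEEP-1)
# are progressively older generations.

# rotate_snapshots ROOT KEEP
rotate_snapshots() {
    root=$1; keep=$2
    # KEEP=1 would delete the live mirror itself, so refuse it.
    [ "$keep" -ge 2 ] || { echo "KEEP must be at least 2" >&2; return 1; }
    [ -d "$root/snap.0" ] || { echo "no snap.0 under $root" >&2; return 1; }

    # Drop the oldest generation. Files it shares with newer snapshots
    # survive, because only this snapshot's directory entries go away.
    rm -rf "$root/snap.$((keep - 1))"

    # Shift snap.N to snap.N+1, oldest first, so the destination of each
    # move is always free and mv never nests one snapshot inside another.
    i=$((keep - 2))
    while [ "$i" -ge 1 ]; do
        [ -d "$root/snap.$i" ] && mv "$root/snap.$i" "$root/snap.$((i + 1))"
        i=$((i - 1))
    done

    # Freeze the current mirror as a hardlink copy: new directory entries,
    # no new data blocks.
    cp -al "$root/snap.0" "$root/snap.1"
}

# nightly_backup SRC ROOT KEEP
# SRC is an rsync source such as root@host:/ (the caller supplies it).
nightly_backup() {
    src=$1; root=$2; keep=$3
    if [ -d "$root/snap.0" ]; then
        rotate_snapshots "$root" "$keep" || return 1
    else
        mkdir -p "$root/snap.0"    # first run: nothing to rotate yet
    fi
    # Do not add --inplace here. By default rsync writes a changed file to
    # a temporary name and renames it over the old one, which gives snap.0
    # a new inode and leaves the older snapshots' contents untouched.
    # Writing in place would modify the inode every snapshot shares.
    rsync -az --delete "$src" "$root/snap.0/"
}
```

Called from cron as, for instance, nightly_backup with a KEEP of 30, this holds a month of browsable daily images while storing each unchanged file once.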

Optimal remote Linux backups with rsync over Samba - Link

Posted by Jason Striegel | Oct 18, 2007 10:17 PM
Linux, Linux Server, Windows, Windows Server

October 17, 2007

Change the message on HP printers

A lesser-known feature of the HP Printer Job Language (HPPJL) command set is that you can change the "ready message" from "READY" to whatever you like. Yaakov wrote a Perl script that will change the message for you, and he also came up with the clever "INSERT COIN" replacement. Very nice.

You can think up your own funny, confusing or scary messages. My personal favorite is "INSERT COIN" which fits perfectly on the small LCDs. You can even sit in sight of the printer and change the message while watching the reaction of your victim. Don't be surprised, though, if a large fraction don't even notice. I was quite surprised myself but, it appears, some people don't look at what is in front of them.

I haven't been able to test yet (no HP printer here), but if I'm reading the code right, you can actually do this right from the command line using telnet. Just telnet to port 9100 and type in the following:

<ESC>%-12345X@PJL JOB
@PJL RDYMSG DISPLAY="MESSAGE HERE"
@PJL EOJ
<ESC>%-12345X

INSERT COIN: changing the "Ready Message" on HP printers - [via] Link
HP LaserJet Commands (PDF) - Link

Posted by Jason Striegel | Oct 17, 2007 09:50 PM
Perl
