Monthly Archives: November 2012

A Tool to Deceive and Slaughter

Caleb Larsen‘s “A Tool to Deceive and Slaughter,” sells itself on eBay every week. Every ten minutes, the microcontroller inside the the acrylic box wakes up and checks connects to a server that then checks eBay for an active auction. If none exists, then the server creates one. Each owner agrees to keep the work connected to the Internet at all times, and to set the starting price at “market expectations.”
Current price: $7500.

Larsen says his work represents the temporary nature of ownership, and draws form Robert Morris’s “Box With the Sound of Its Own Making”, a wooden box that contains an audio recording of the carpentry work done to construct the box, and Jean Baudrillard’s ideas on art auctions

via WiRED Wired UK

Pwnie Express

Pwnie Express, a company that apparently receives DARPA funding, develops clandestine network sniffers. Disguised as innocuous power strips or transformers, these boxes hide Ubuntu powered computers that contain packet sniffers and keyboard loggers with cellular network connections.

This isn’t a particularly new idea. I seem to remember a computer disguised as a UPS back in the late 90s or early aughts. There was also talk of using gum stick computer powered over ethernet as an inline network sniffer, although I wonder if it would have really worked back then. Still, these types of things always fascinate me, even if they seem relatively straight forward. It’s spy technology! I imagine sneaking into office buildings and secretly installing these either Mission: Impossible &endash; or more likely &endash; Sneakers style (i.e. in plain sight), and then retiring to a delivery van filled with electronic gear and retrieving whatever secrets I was looking for.

Needless to say, I have no use for these thing in real life.

via zdnet

Mobile Phone Keyboard Logger

Two related links, both involving using your phone to shoulder surf your passwords. Both attacks take advantage of the fact that smart phones with accurate accelerometers are now ubiquitous. By monitoring the the vibrations of the phone, the attacks inver what keys were pressed on a keyboard. Both of these a much more proof of concept, than actual sophisticated attacks, but they are interesting none the less.

At HOTSEC 11, Liang Cai and Hao Chen of UC Davis were able infer which key was pressed on an onscreen keyboard with 70% accuracy. By measuring how far phone was torqued around both the X and Y axises, the the location of where force was applied, and thus which key was pressed can be inferred. Cai and Chen made the task a bit easier for them. They held the phone in landscape mode, which spread the keys out more, thus causing a larger distribution of torques that could be measured. That’s not necessarily a problem since many people type in landscape mode. The bigger simplification was that they only looked at a touches on the dialing pad. A more interesting paper would have looked at attacking the alphabetical keyboard instead. I understand why they didn’t. The experiment was to find out if someone could use the accelerometers to read key presses at a high enough accuracy. Looking at their confusion matrix, I would think that determining alphabetical keyboard presses would need to be a two step solution. First, you’d get a distribution of what key was pressed. You’d then combine these presses with a Markov Chain language model to determine what the actual keyboard press was. “it was the durst of timez” becomes bit more Dickensian, a little less crappy rap-rock, and a lot less monkey.

Of course, sniffing the phone’s keyboard is one thing, figuring out what someone is typing on their laptop or desktop is something else, but that’s exactly what
Philip Marquardt and others at Georgia Tech did. In their work published at CCS 2011, they describe a technique where a phone placed next to keyboard read key presses via vibrations on the table at 80% accuracy. Unlike the method above, this team used a dictionary to increase the decoding accuracy. Their method feels the vibrations through the table and then attempts to categorize the key being on the left or right side of the keyboard (assuming the phone is placed to the left of the keyboard). Pairs of key presses are read, the distance between the first and second key of each pair is categorized as being either “near” or “far”. These triple are then passed through the dictionary in order to figure out what is the most likely English word typed. Left-right and near-far categorization is done using a neural net.

via Security News Daily,

Discouraging Voters

Emily Bazelon at Slate has written a short essay lamenting the fact that access to polls has become a partisan issue. In other words, the Republican Party is transparently engaging in widespread voter suppression.

I will never understand why someone would not want to make it as easy as possible to let people vote. There’s something wrong if you’re in politics and you depend on an unengaged electorate.

Waste of Space

I don’t understand this. So this old man that has loads of cash to spend on World Series tickets that are front row, right behind home plate comes to the game completely decked out in Marlins gear. A team that isn’t even playing. I know what he would say too, because I one time asked someone that wearing a complete outfit for the wrong team before. “I’m a Marlins fan, and I want everyone to know I care about the Marlins.” Of course, the guy I talked to was at a midsummer day game / bachelor party and hadn’t shelled out over a couple of thousand dollars in tickets, airfare and lodging.

And of course sitting next to him is Mr. John 3:16. (Although,
he did move down for the last out.) Yeah, that’s going to save some souls.

Mac & Cheese

I will never understand why someone would feel the need pour a can of corn into a perfectly fine pot of mac & cheese.