Introducing LulzCheck

June 26, 2011

So, apparently LulzSec is  over and done with. Even so, they’ve left a lot behind, in the form of more than 100,000 compromised passwords. Cearly, this is still potentially a problem, especially considering password reuse.

LulzCheck is a Greasemonkey script for Firefox. Basically, whenever you log into a website, it checks the username that you supply against an updated list of accounts that have been “leaked” by LulzSec, and gives you a warning if it finds your login in that list.

Keep in mind, if you get a warning message, it may not actually apply to the site that your are logging into. Because people reuse logins, and the ultimate origin of some of the leaked usernames/passwords is unknown, it’s not really possible for LulzCheck to automatically pin down exactly what accounts you need to change.

LulzCheck checks usernames only, and does not try to cross-reference the username and the password. This is done for a couple of reasons:

  1. It allows LulzCheck to alert the user that an account that they use has probably been compromised, even if it is not the account they are currently logging into.
  2. I didn’t want the ptoential leal and ethical implications of distributing the whole password list

 

LulzCheck can be downloaded at http://userscripts.org/scripts/show/105484

Last night I had a spirited discussion. The topic was a controversial one:Whether Amy or Rory was a better Doctor Who Companion. An hour later, I departed, bitter but filled with determination to prove that Rory was infinitely more awesome than Amy

With SCIENCE.

Luckily, the thing that Doctor Who fans love doing most(other than watching Doctor Who) is posting lists of the best and worst companions. This provides an interesting opportunity–if we assume that Google’s crawler doesn’t have its own opinions on Doctor Who, we can use Google’s estimated results counts to figure out how much more likely any given companion is to be on a list of “Best Companions” than they are to be on a list of “Worst Companions”. Specifically, the equation used is:

results for “COMPANION NAME” “best companions” “doctor who”/”COMPANION NAME” “worst companions” “doctor who”=approval factor

In practice, this gets a little bit tricky. Unlike in Firefly, there is no official definition of what qualifies one as a companion in Doctor Who, so I ended up being fairly conservative and using Wikipedia’s list. There’s also a bit of a technical issue in that Google’s result count can vary due to the algorithm they use to estimate it. To get around this, the script actually repeats each query 10 times, to get a representative sample, then takes an average. This appraoch also allows us to do a multiple comparison test later and figure out if any differences are statistically significant.

This resulted in this chart(The length of the bar indicates the companion’s general popularity)

It breaks down pretty much like you’d expect. River Song, Captain Jack, K-9, and Sarah Jane all easily make it into the top, which is led by Martha Jones. Also unsurprisingly, the bottom is filled with Kamelion(the weird robot they couldn’t get to stand up), Melanie, Adric, et al. Tegan manages to move up a few slots beyond her contemporaries Adric and Nyssa, but still falls behind Peri Brown. Interestingly, neither of the Time Lords(Susan or Romana) rank very highly in the list.

And Rory and Amy, when accounting for statistical significance, share exactly the same spot.

[[“gotMessage”, “wanna have computer sex”]]
Stranger: wanna have computer sex
omeglebot: Sex  is more fun alone.
[[“typing”]]
Stranger is typing…
[[“gotMessage”, “well wanna get me horney then”]]
Stranger: well wanna get me horney then
WARNING: No match found for input: want to get me horney then
omeglebot: well wanna get me horney then?
[[“typing”]]
Stranger is typing…
[[“gotMessage”, “get me horney first”]]
Stranger: get me horney first
omeglebot: Where can I get you horney first?
[[“typing”]]
Stranger is typing…
[[“typing”]]
Stranger is typing…
[[“gotMessage”, “in my penis”]]
Stranger: in my penis
omeglebot: May I ask where you got penis?
[[“typing”]]
Stranger is typing…
[[“typing”]]
Stranger is typing…
[[“gotMessage”, “wait what?”]]
Stranger: wait what?

Turing test fail(or win, depending on how you look at it)

A list of some sort

December 19, 2010

I’ve been home for Winter break for about a week.Today, I was slightly bored , and so I decided to look through the desk drawer in my room where I store ideas for future projects. I opened it…

And this came out.

The problem is, I have no idea what this is. It has no label or explanation. Just that chart.

A few things:

  • I’m sure that I was the one who wrote it
  • It’s actually white paper, the white balance on the camera is just kind of weird
  • It’s written in black ballpoint pen on the kind of paper we use for our printer. No detectable invisible ink.
  • “Shutdown -h now” is a linux command to turn the computer off. So maybe this is some some strange way of mapping one command to another?
  • There’s nothing else wriiten on the page, or on the other side.

So, any ideas?

Targeted ads are a favorite thing for privacy advocates to rail about. After all, it’s using the power of modern technology to observe, anticipate, and ultimately manipulate your behavior. Which is creepy.

Just one problem:they’re not very good at doing any of that. . For example, a few I’ve gotten on Facebook recently:

Scoliosis new enemy”

The grammar on this one is ambiguous. Is scoliosis my new enemy? Or is whatever it’s advertising an enemy of scoliosis? Is scoliosis a supervillain? Because if so, that’s pretty much the worst supervillian name ever

 

New Leaf Rehabilitation Center

 

There are a lot of ways you could target ads for rehab centers. You could look for status that were obviously posted while under the influence of some chemical, or you could find all the people who scored high on the “How addicted to Crack are you?” quiz. Or you could just show it to people who have never posted anything related to drugs, EVER, in hopes of…actually, I have no idea why you would do that.

Atheists are idiots

The interesting thing about this one is that it doesn’t seem to be actually SELLING anything. In fact, the link just 404s when you click on it. In other words, the entire function of this ad appears to be to use Facebook’s targeting system to locate atheists and unobtrusively inform them that they are idiots.

 

Tired of conventional education?

Um, no, actually. I haven’t had “conventional” education since I was in like, 9th grade, which was before I even had a Facebook account.

 

You have too many questions

This links to a computer program which can apparently answer your Formspring questions for you. The benefits listed include “reduced  stress”, “less email clutter”, and “saves time
Idea:if the volume of unanswered Formspring questions is causing you stress,  cluttering your inbox,, and wasting your time, just delete the Formspring.

 

 


The (other) Facebook story

October 7, 2010

Facebook Places
Image by Aleksander Soender via Flickr

So apparently, “The Social Network” came out this weekend. And apparently it’s a quite good, if not entirely accurate, movie.

 

The Facebook story that I am referencing here, though, has more to do with a series of interactions that began about a month ago. They typically went like this:

*code code code*

“Hey, what are you working on?

me*code*”I found a security problem in Facebook Places”

“Really, what does it do?”

me:”I can’t really say right now. Just don’t use Facebook Places.”

The  reason  for this secrecy is because of a basic problem in computer security:By telling people how to avoid a security hole, you’re also telling malicious hackers that it exists and (sometimes) how to exploit it. So I decided that the most prudent course of action would be to let Facebook fix their system before writing about it.

Well, now that’s(finally) happened, so on to the interesting part.

I was, at first, surprised by the quality of the privacy controls in Places. Sure, it has that weird maybe-good-maybe-a-problem “feature” where your friends can check you in to their location without your consent, but that’s not so different from being tagged in a photo. It also has a mode you can turn on, called “People here now” that will show that you are in a given location to other people in that location–essentially the digital equivalent of wearing a name tag.

Then I started looking more closely at it. Places normally does two things:tells you who’s nearby, and tells you where your friends are. These are both fairly innocuous–you presumably trust your friends, and the “people nearby” mode doesn’t track anyone’s checkins–it just tells you the names of people who have checked in near you

While that superficially seems okay, it should give any programmer pause for thought. Keep in mind that Facebook doesn’t have a Big Brother system that knows where you are all the time. It has to send a location request to your computer or smartphone, which then uses sensors to figure out its location and send it back to Facebook.

That’s the basis of the “teleportation attack”. If a malicious user has a script that can query every location in a given area for a list of who’s there, they can build a database that will allow them to track an arbitrary user in real time, or examine logs of where they’ve been, as well as identify robbery targets and track visitors to specific locations.

In particular, what an attacker would have do do would be:

  1. Spoof the geolocation
  2. Connect a computer to touch.facebook.com
  3. Automatically check in to every “nearby” place in sequence
  4. Capture the list of “People here now”, and save it to a file
  5. Analyze the file

In more detail…

Spoof the geolocation

Right away, the teleporation method runs into an obstacle:Facebook knows the lat/long coordinates of every location of Places, and won’t let you check in to a place unless your own coordinates match it. Since traveling around the city is not really practical, one must thus figure out a way to “spoof” one’s location.

Here’s where the security comes in.. Like I mentioned above, Facebook has no way to impartially know your location. Instead, it relies on asking your computer or phone to analyze data from any onboard location sensors, and report back a latitude and longitude, plus margin of error.Here’s the thing, though:the geolocation protocol is specifically designed to function with a variety of data sources–Wifi positioning, cell towers, GPS–and present the same results regardless of what method was used. This “black box” method means that a device requesting its position will usually just harvest all the available data, then send it to a “location provider”(usually Google or Apple) which then replies with a lat/lon pair. Facebook doesn’t know who the location provider is, or how it determined your location.

So, why not write your own location provider?

 

This is, in fact, exactly what I did. locationhelper.pde(attached) is a Processing program that can generate a file containing a moving spoofed geolocation point. When configured correctly, Firefox(and Facebook) will believe the spoofed data completely. locationHelper is designed to “scan” an area by moving the simulated position back and forth.

 

Connect to touch.facebook.com

Right away, we run into a stumbling block:Facebook Places doesn’t work on the standard version of Facebook, only on the apps for mobile phones. Luckily, Facebook’s phone site, touch.facebook.com, supports Places and also isn’t too picky about what connects to it. In other words, you can simulate a mobile phone from a computer simply by adding “touch” in the URL. For my proof-of-concept, I also used Firefox’s User Agent Switcher to make it pretend to be a mobile Safari browser.

3.Automatically check in to every nearby place, and capture the people here now data.

With our fake location provider simulating movement, all that’s required for this step is to write a  small script for Firefox that will automatically hit the “check in” button every few seconds, then extract the list of “people here now”. Since this information is presented in a standard Facebook “people list” format, it’s fairly easy to read it and save it to a file, along with the name of the place.

 

4Analyze the loot

Once your database is built up, a malicious user could do a number of things with it, including:

ould allow an attacker to:

  • Stalking a user by creating a database of all checkins within a given area, then querying the database to obtain semi-real-time and historical data on the user’s checkins
  • Identifying potential victims for robbery or vandalism by identifying users who are a significant distance from their home(similar to pleaserobme.com)
  • Collecting aggregate data for sociological or basic demographic research
  • Compiling a database of check-ins in a geographically wide set of “regions of interest”(gambling sites, bars, etc) and determine whether a given person had ever checked in at any of the monitored locations

 

Yeah, scary.

So is it fixed?

Mostly.

Facebook has now successfully beefed up their anti-scraping system, which means that the proof-of-concept I developed now does not work. So to the best of my knowledge, there is currently no code capable of actually performing this attack.Does that mean it’s absolutely safe?

Not really.

The problem is, essentially, that the existence of a “people here now” feature creates what’s known in the security world as an “analog hole”. The problem is this:if the system allows users to see the list of people at their location, then by definition it’s also possible for an automated system to access it. At some point, regardless of how much anti-scraping you have, the fact that the data exists and is actively transmitted to users means that it’s not completely secure(facebook had anti-scraping protection before I write the proof-of-concept–it just didn’t prevent the attack)

 

So the take-away message is basically, turn off People here now(you can find directions here), unless you have some specific purpose that you absolutely need it for.

 

 

Enhanced by Zemanta

100 billion dollars per year

100 billion dollars per year

100 billion dollars per year

I’m going to keep repeating this statistic until you lose any inclination to question whether I pulled it out of thin air. Because this is the amount of money lost from the US GDP due to piracy

100 billion dollars per year

That staggering statistic is why there’s now a bill in the Senate called the Combating Online Infringement and Counterfeits Act.It’s fairly simple:the bill would give the the Department of Justice the ability to effectively block any website that was involved in piracy. Piracy websites go down, industry revenue goes up. Simple.

But when I told someone about this, she immediately responded “But what about freedom of the press?” and that is exactly the point I would like to make.

You see, civil liberties have value. But they’re kind of like home equity—it’s a mysterious kind of value that you can’t really use. You can’t use your home equity to go buy a pizza, and your well-regulated militia doesn’t actually confer any economic benefits to anyone except the guy who writes “You might be a redneck if…”

That’s why the COICA is a great model—it trades in the nebulous, almost-useless value of “freedom of the press” into actual benefit to the American economy., It’s a great model, and I think we need to “cash in” a few of our other civil liberties.

Take freedom of religion, for example. You know what you’re not doing when you’re “praying” and “worshiping”? Buying things. Think about how much better off we’d be, if the only religion allowed based your chances of getting into heaven on how many made-in-the USA automated tomato slicers you possessed?

And while piracy is a big threat to the entertainment industry, you know what’s a bigger threat? Freedom of speech. Think of all the money that could be gained, if only you weren’t allowed to tell anyone that the new Transformers movie is going to suck because it doesn’t have Megan Fox, or complain that all Nickelback songs sound the same. What if it was illegal to tell anyone that Ke$ha has no actual skin, merely a layer of sparkles covering her internal organs, or that Snape kills Dumbledore? Profits. That’s what would happen.

As for the legal system, how about getting rid of the prohibition on excessive bail? Bail is money. We need more money. Who better to take it from than those who have comitted crimes? If you cost the country 100 billion dollars, you should have to pay them back 100 billion dollars. Period.

Obviously, some of these are going to require changes in our daily lives. But in 5 years, when all the movie reviewers are in jail awaiting payment of $500,000 of bail, we’ll all be enjoying a better life in the land of the free.

the hubris of programmers

September 20, 2010

By far the most interesting part of the year for a competition robot programmer is a few weeks near the end of the build season called “Driver Training. If someone made a screenplay involving driver training, it would sound like this:

DRIVER and PROGRAMMER stand around control board, talking

PROGRAMMER:…and this is the main traction control enable/disable which you should use if you think there’s an issue with the accelerometer or the robot seems sluggish, but if the wheels are spinning out you want to hit this button instead to increase the proportional factor of the PID loop

DRIVER:uh huh

PROGRAMMER:Okay, now try driving it forward

DRIVER attempts to drive the ROBOT backward and forward at the same time. ROBOT beeps and tries to eat the PROGRAMMER’s shins.

The problem is really quite simple: the programmers have followed a rigid set of rules, laid out on a piece of paper called a “design specification”–supposedly, the best possible design that you could come up with. You program the mechanisms in the design spec then you put in the inputs that the design spec says to put in, and you see if you get the outputs it says you should get. If you do, the system is perfect, because the design spec is obviously the best possible design you could come up with and there’s no reason to do anything that’s not in the design spec. That’s not to say nothing changes during build, but it usually changes only if the original design doesn’t produce the correct outputs in when presented with particular inputs.(according to the design spec)

The problem is, that spec doesn’t necessarily line up with common sense. A power-on procedure might involve turning on components in a certain sequence to avoid a race condition, but an uninformed user will likely flick the first power switch they find. So are they wrong? No. Regular logic dictates that to turn something on you should look for the button labeled “on”. But the design spec logic might contract this completely, because it logically makes sense, given knowledge about the design, that certain system have to be online first. In both cases, the logical thought process is correct, but the outcome is different because of different base knowledge and circumstances.

Programmers and users have struggled with this problem ever since the days of Charles Babbage, who wrote:

On two occasions I have been asked,—”Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?” … I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

Luckily, robotics completions are pretty unimportant in the grand scheme of things(shin-eatings are painful, but not debilitating). But what about other fields–like cryptography, which secures bank transactions, encodes trade secrets, and helps millions of people in totalitarian countries evade internet filtering?.

As it turns out, cryptography and hiding information is basically considered a solved problem. After all we’ve made ciphers that are completely impossible to crack, which should be the final accomplishment of a field dedicated to designing difficult to crack ciphers, right? On the design spec for a cipher, impossibility of cracking is pretty much the only item. So if you make one that can never be cracked, you’re done. Handshakes, math prizes, and all your researchers go retire in Bermuda or something.

One problem:Those uncrackable ciphers? They’re almost useless.

In fact, it turns out, if you try to use one under real-world conditions, you almost always break it and end up with an easily crackable XOR cipher. Even with the more robust public key cryptography systems used for encrypting email, far more research has gone into expanding the time required to crack an email from 500 years to 1000 years than has gone into designing a system that saves the user from having to mess around with public and private keys. The factor that limits the application of cryptography to email is not that PGP is a faulty algorithm, it’s that users don’t want to read a treatise on cryptography before they can email their coworkers.

Enhanced by ZemantaHow to you solve this problem? Well, there’s one answer that ‘s painfully simple:have the end user create the design spec.
“But how do I know how to write a design spec?” you might ask. Truth is, you probably don’t. A proper design spec is an immensely complex document that requires not only an intimite understanding of the technology, but also an intuitive sense of what will work and what won’t.
But at some point, the design spec started off as a general idea–something that anyone could come up with. All the complexity comes later, in a process fueled by argumentative engineers, greasy pizza, and lots of caffeine.
Which, incidentally, is something you can simulate on a computer.
More or less–it’s called a genetic algorithm, and it’s a way of designing an original solution given only a vague design spec–all automatically.
So what if you could design a computer program that could write a custom program based on exactly what you wanted it to do? It doesn’t seem that hard.

In Davis, there’s a company that’s going to release a flying car sometime in the next few years. Seriously. It’s a real thing. The only thing is, they’ve been “just about to release” said flying car for about thirty years, and it’s become a bit of a joke.

I bring this up because this week I got a lot of emails that looked like this

Hey, I downloaded your hackerhat software, and it’s really cool, but are you going to go beyond the alpha version ever?”
or

Is anything still happening on this project or is it dead in the water?”

Obviously, people are worried that this will go the way of the flying car. I’ll try to allieve your worry:there is now a beta version that’s almost completely done, and is just waiting for a few finishing touches. It’s much more polished than the alpha, and has a whole bunch of new features like

  • Layers that can be installed, uninstalled, etc. like regular apps
  • An API for layer development
  • Integration with mini-keyboards and text-to-speech systems
  • A whole bunch more layers
  • Better performance, especially when a lot  of layers are turned on

It’s true, the hackerhat has been one of my longer-running projects. This is due to a couple of reasons: I’ve just started college, which means that all my equipment was basically living in a box for a couple of weeks. And at the start of the semester I’ve been ridiculously busy anyways.

Another part of the challenge is processing speed. The human visual system is, from a design standpoint, absolutely incredible in terms of its resolution, optical quality, and most of all, framerate and latency.unfortunately, these last two factors also present significant challenges for design.

The frame rate is the number of times the image is updated each second. Generally speaking, the brain begins to interpret an input as signifying movement when the frame rate is above 20 frames per second. At lower framerates, the “video” begins to look more like a slideshow of still photos. Because the screen always shows the last frame received, a high frame rate is also required for precise control of movement, and very low frame rate can result in a time-shifting effect, where the image displayed may represent not the current situation, but the situation 0.5 seconds ago.

This leads into the second issue, latency. Basically, what we see is never actually in real time. It takes time for light to travel to your eyes, after which the information must be encoded to neural code and passed through a variety of filters and processors before you really “see” it. The amount of time between when a visual event actually happens and when you perceive it is the latency value. Although it’s difficult to measure precisely, average human visual latency is estimated to be slightly less than 150-300 milliseconds

So how does this figure into the hackerhat? As you might imagine, running the standard hackerhat UI, plus any layers that are turned on, plus the software to stream data to a display requires quite a lot of CPU power–in fact, more than my test system(and probably the systems of a significant number of hackerhat users) possesses.

In an overload situation, latency will increase because the system cannot transfer data as fast as the data is coming in. This results in the formation of a “backlog” of video frames, and ultimately in a noticeable and increasing delay in the video signal that the user sees on the screen, which can seriously affect the safety and usability of the hackerhat.

One way to deal with this is to reduce the frame rate, thus reducing the amount of data that must be transmitted each second to a level that the system can deal with. Unfortunatley, if this is done in excess, it actually results in the introduction of more latency, because an image can persist on the screen for a relatively long time after the actual input has changed.

This is the basic problem that’s been keeping me up at night:given the ambitious goals of the hackerhat project, it’s unlikely that all but the highest-power computing systems will be able to supply truly high-quality video.Since this is a basic fact, the main challenge has been re-engineering the hackerhat code to be more efficient with CPU use.


Enhanced by Zemanta