0

How to hack my Tesla

This post is just for my own notes. I'm buying a new car (arrives in October) and I need to gather up notes on how to hack it.

To start with is the generic car hacking information. One good source I found is the Car Hacker's Handbook, which has a good explanation of the basics.

Another good start is the various papers produced by Charlie Miller and Chris Valasek, such as their early work and their latest Jeep hack. [1] [2]

Specifically to my car, a Tesla, there is this site that documents all the undocumented bits about the car, such as listing the 56 CPUs found in the car.

Specifically, there is the work by Kevin Mahaffey and Marc Rogers covering their Tesla hacking. I hate them, because they've already done some of the obvious things I would've tried first, such as popping up an X Window on the display.

Anyway, this post is for my own benefit, so when I lose my notes, I can find them again by googling. Maybe other people in similar situation might find it a bit useful, too.

0

What’s that drama?

The infosec community is known for its drama on places like Twitter. People missing the pieces can't figure out what happened. So I thought I'd write up the latest drama.

https://twitter.com/McGrewSecurity/status/583250910387789824

https://twitter. Continue reading

0

Some notes on satellite C&C

Wired and Ars Technica have some articles on malware using satellites for command-and-control. The malware doesn't hook directly to the satellites, of course. Instead, it sends packets to an IP address of a known satellite user, like a random goat herder in the middle of the wilds of Iraq. Since the satellites beam down to earth using an unencrypted signal, anybody can eavesdrop on it. Thus, while malware sends packets to that satellite downlink in Iraq, it's actually a hacker in Germany who receives them.

This is actually fairly old hat. If you look hard enough, somewhere (I think Google Code), you'll find some code I wrote back around 2011 for extracting IP packets from MPEG-TS streams, for roughly this purpose.

My idea was to use something like masscan, where I do a scan of the Internet from a fast data center, but spoof that goat herder's IP address. Thus, everyone seeing the scan would complain about that IP address instead of mine. I would see all the responses by eavesdropping on that satellite connection.

This doesn't work in Europe and the United States. These markets use more expensive satellites which not only support encryption, but also narrow "spot Continue reading

0

Help a refugees would enrich ourselves

This website is for those who want to share their apartment with a refuge. You don't even have to pay -- refugee organizations will pay their share of the rent. This is frankly awesome.

I grew up around refugees. Our neighbors were refugees from south Vietnam. They flew out with the fleeing American troops as the South Vietnamese government collapsed. They got onto an overloaded helicopter that had barely enough fuel to reach the aircraft carrier off the coast. That helicopter was then dumped overboard, to make room for more arriving refugees and American troops.

Because my father was a journalist reporting on El Salvadoran refugees, we became life-long friends with one of those families. She was a former education minister, he was a former businessman. It was "suggested" that she resign from government. One night, while driving home, a paramilitary roadblock stopped them. Men surrounded the car and pointed guns at them. The leader then said "wait, they've got children in the back", at which point the men put down their guns and fled. In other words, they should be dead. They fled to the United States soon after, and hid in a church basement. Since El Salvador was Continue reading

0

Review: Rick and Morty

The best sci-fi on television right now is an animated series called Rick and Morty on the Cartoon Network.

0

Why licensing wouldn’t work

Would you allow an unlicensed doctor to operate on you? Many argue that cybersecurity professionals, and even software programmers, should be licensed by the government similar to doctors. The above question is the basis for their argument.

But this is bogus. The government isn't competent to judge doctors. It licenses a lot of bad doctors. It'll even give licenses to people who plainly aren't doctors. For example, in the state of Oregon, "naturopaths" (those practicing "natural", non-traditional medicine) can be licensed to be your primary care provider, prescribe medicines, and so on. Instead of guaranteeing "good" professionals, licensing gives an official seal of approval to "bad" practitioners. Naturopathy is, of course, complete nonsense, and Oregon politicians are a bunch of morons. (See the Portlandia series -- it's a documentary, not fiction).

Professions like licensing not because it improves the quality of the profession, but because it reduces competition. The steeper the licensing requirements, the more it keeps outsiders out. This allows the licensed to charge higher fees. This is why even bogus occupations like "hairdressers" seek licensing -- so they can charge more money.

Since different states license different occupations, we have nice experimental laboratory to measure Continue reading

0

Yes, they just droned a hacker

Many are disputing the story about a recent story about a drone strike that targeted the hacker TriCk from Anonymous group TeaMp0isoN. They claim instead that the guy, Junaid Hussain, was targeted because he was a major recruiter for ISIS/Daesh. There is some truth to this criticism, but at the same time, the hacker angle cannot be removed from this story.

The Pentagon has confirmed that one reason they targeted Junaid Hussain was his hacking activities. The AP story quotes the Central Command as saying:

"This individual was very dangerous. He had significant technical skills."

The truth of the matter is more complicated. It's unlikely Junaid Hussain actually had "significant technical skills". He was probably a "script kiddy", one of the many low-skilled hackers that form the bulk of Anonymous-style hacking groups. The actual hacks were minor. He may have hacked the CENTCOM Twitter accounts, but it's unlikely he actually hacked anything of military consequence.

Like many in Anonymous, his primary skills were propaganda and mastery of social media. He was in contact with one of the "Mohamed Cartoon" killers in Texas, for example. According to news reports, it was his use of social media in "inspiring" others Continue reading

0

About the systemd controversy…

As a troll, one of my favorite targets is "systemd", because it generates so much hate on both sides. For bystanders, I thought I'd explain what that is. To begin with, I'll give a little background.

An operating-system like Windows, Mac OS X, and Linux comes in two parts: a kernel and userspace. The kernel is the essential bit, though on the whole, most of the functionality is in userspace.

The word "Linux" technically only refers to the kernel itself. There are many optional userspaces that go with it. The most common is called BusyBox, a small bit of userspace functionality for the "Internet of Things" (home routers, TVs, fridges, and so on). The second most common is Android (the mobile phone system), with a Java-centric userspace on top of the Linux kernel. Finally, there are the many Linux distros for desktops/servers like RedHat Fedora and Ubuntu -- the ones that power most of the servers on the Internet. Most people think of Linux in terms of the distros, but in practice, they are a small percentage of the billions of BusyBox and Android devices out there.

The first major controversy in Linux was the use of Continue reading

0

No, this isn’t good code

I saw this tweet go by. No, I don't think it's good code:

And now, your moment of Zen. pic.twitter.com/hh3eEY5Vdc

— Chris Palmer (@fugueish) August 29, 2015

What this code is trying to solve is the "integer overflow" vulnerability. I don't think it solves the problem well.

The first problem is that the result is undefined. Some programmers will call safemulti_size_t() without checking the result. When they do, the code will behave differently depending on the previous value of *res. Instead, the code should return a defined value in this case, such as zero or SIZE_MAX. Knowing that this sort of thing will usually be used for memory allocations, which you want to have fail, then a good choice would be SIZE_MAX.

The worse problem is integer division. On today's Intel processors, integer multiplication takes a single clock cycle, but integer division takes between 40 and 100 clock cycles. Since you'll be usually dividing by small numbers, it's likely to be closer to 40 clock cycles rather than 100, but that's still really bad. If your solution to security problems is by imposing unacceptable tradeoffs, then you are doing security wrong. If you introduced this level of performance Continue reading

0

On science literacy…

In this WIRED article, a scientifically illiterate writer explains "science literacy". It's as horrid as you'd expect. He preaches the Aristotelian version of science that Galileo proved wrong centuries ago. His thesis is that science isn't about knowing scientific facts, but being able to think scientifically. He then claims that thinking scientifically is all about building models of how the world works.

This is profoundly wrong. Science is about observation and experimental testing of theories.

For example, consider the following question. If you had two balls of the same size, one made of lead and the other made of wood, and you dropped them at the same time, which would hit the ground first (ignoring air resistance)? For thousands of years Aristotelian scientists claimed that heavier objects fell faster, purely by reasoning about the problem. It wasn't until the time of Galileo that scientists conducted the experiment and observed that these balls hit the ground at the same time. In other words, all objects fall at the same speed, regardless or size or weight (ignoring air resistance). Feathers fall as fast as lead on the moon. If you don't believe me, drop different objects from a building and observe for yourself.

The point here is Continue reading

0

A lesson in BitTorrent

Hackers have now posted a second dump of Ashley-Madison, this time 20-gigabytes worth of data. Many, mostly journalists, are eagerly downloading this next dump. However, at the time of this writing, nobody has finished downloading it yet. None of the journalists have a complete copy, so you aren't seeing any new stories about the contents. It promises the full email spool of the CEO in the file name, but no journalist has yet looked into that mail spool and reported a story. Currently, the most any journalist has is 85% of the dump, slowly downloading the rest at 37-kilobytes/second.

Why is that? Is AshMad doing some sort of counter-attack to stop the downloaded (like Sony did)? Or is it overloaded because too many people are trying to download?

No, it's because it hasn't finished seeding.

BitTorrent is p2p (peer-to-peer). You download chunks from the peers, aka. the swarm, not the original source (the tracker). Instead of slowing down as more people join the swarm to download the file(s), BitTorrent downloads become faster -- the more people you can download from, the faster it goes.

But 9 women can't make a baby in 1 month. The same goes for BitTorrent. Continue reading

0

AshMad is prostitution not adultery

The Ashley-Madison website advertises adultery, but that's a lie. I've talked to a lot of users of the site, and none of them used it to cheat on their spouse. Instead, they used it as just a "dating" site -- and even that is a misnomer, since "dating" often just means a legal way to meet prostitutes. According to several users, prostitutes are really the only females they'd consistently meet on Ashley-Madison.

0

Trump is right about the 14th Amendment

Trump sucks all the intelligence out of the room, converting otherwise intelligent and educated pundits into blithering idiots. Today's example is the claim that Trump said:

"The 14th Amendment is unconstitutional."

Of course he didn't say that. What he did say is that the 14th Amendment doesn't grant "birthright citizenship" aka. "anchor babies". And he's completely correct. The 14th Amendment says:

"All persons born or naturalized in the United States, and subject to the jurisdiction thereof, are citizens of the United States"

The complicated bit is in parentheses. If you remove that bit, then of course Trump would be wrong, and anchor babies would be guaranteed by the constitution, since it would clearly say that being born in the U.S. grants citizenship.

But the phrase is there, so obviously some babies born in the U.S. aren't guaranteed (by the constitution) citizenship. Which babies are those?

The immigration law 8 U.S.C. § 1401(a) lists some of them: babies of ambassadors, heads of state, and military prisoners.

It's this law that currently grants anchor babies citizenship, not the constitution. Laws can be changed by Congress. Presumably, "illegal aliens" could easily be added to the list.

This Continue reading

0

Notes on the Ashley-Madison dump

Ashley-Madison is a massive dating that claims 40 million users. The site is specifically for those who want to cheat on their spouse. Recently, it was hacked. Yesterday, the hackers published the dumped data.

It appears legit. I asked my twitter followers for those who had created accounts. I have verified multiple users of the site, one of which was a throw-away account used only on the site. Assuming my followers aren't lying, this means the dump is confirmed.

It's over 36-million accounts. That's not quite what they claim, but it's pretty close. However, glancing through the data, it appears that a lot of the accounts are bogus, obviously made up things for people who just want to look at the site without creating a "real" account.

It's heavily men. I count 28-million men to 5 million woman, according to the "gender" field in the database (with 2-million undetermined). However, glancing through the credit-card transactions, I find only male names.

It's full account information. This includes full name, email, and password hash as you'd expect. It also includes dating information, like height, weight, and so forth. It appears to contain addresses, as well as GPS coordinates. I suspect that Continue reading

0

A quick review of the BIND9 code

BIND9 is the oldest and most popular DNS server. Today, they announced a DoS vulnerability was announced that would crash the server with a simply crafted query.  I could use my "masscan" tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn't mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems -- problems that critical infrastructure software should not have.

0

Infosec’s inability to quantify risk

Infosec isn't a real profession. Among the things missing is proper "risk analysis". Instead of quantifying risk, we treat it as an absolute. Risk is binary, either there is risk or there isn't. We respond to risk emotionally rather than rationally, claiming all risk needs to be removed. This is why nobody listens to us. Business leaders quantify and prioritize risk, but we don't, so our useless advice is ignored.

0

My BIS/Wassenaar comment

This is my comment I submitted to the BIS on their Wassenaar rules:

----
Hi.

I created the first “intrusion prevention system”, as well as many tools and much cybersecurity research over the last 20 years. I would not have done so had these rules been in place. The cost and dangers would have been too high. If you do not roll back the existing language, I will be forced to do something else.

After two months, reading your FAQ, consulting with lawyers and export experts, the cybersecurity industry still hasn’t figured out precisely what your rules mean. The language is so open-ended that it appears to control everything. My latest project is a simple “DNS server”, a piece of software wholly unrelated to cybersecurity. Yet, since hackers exploit “DNS” for malware command-and-control, it appears to be covered by your rules. It’s specifically designed for both the distribution and control of malware. This isn’t my intent, it’s just a consequence of how “DNS” works. I haven’t decided whether to make this tool open-source yet, so therefore traveling to foreign countries with the code on my laptop appears to be a felony violation of export controls.

Of course you don’t intend Continue reading

0

Software and the bogeyman

This post about the July 8 glitches (United, NYSE, WSJ failed) keeps popping up in my Twitter timeline. It's complete nonsense.

What's being argued here is that these glitches were due to some sort of "moral weakness", like laziness, politics, or stupidity. It's a facile and appealing argument, so scoundrels make it often -- to great applause from the audience. But it's not true.

Legacy

Layers and legacies exist because working systems are precious. More than half of big software projects are abandoned, because getting new things to work is a hard task. We place so much value on legacy, working old systems, because the new replacements usually fail.

An example of this is the failed BIND10 project. BIND, the Berkeley Internet Name Daemon, is the oldest and most popular DNS server. It is the de facto reference standard for how DNS works, more so than the actual RFCs. Version 9 of the project is 15 years old. Therefore, the consortium that maintains it funded development for version 10. They completed the project, then effectively abandoned it, as it was worse in almost every way than the previous version.

The reason legacy works well is the enormous regression testing Continue reading

0

More ProxyHam stuff

Somebody asked how my solution in the last post differed from the "ProxyGambit" solution. They missed my point. Just because I change the tires on the car doesn't mean I get credit for inventing or building the car. The same thing with this ProxyHam nonsense: nobody is "building a solution". Instead, we are all just using existing products the way they are intended. We are all just choosing a different mix of components.

People get all excited when they see a bare Raspberry Pi board, but the reality is that there's nothing interesting going on here, no more than lifting the hood/bonnet on your car. This is photograph from ProxyGambit:


What ProxyGambit is doing here is using cellular data on the far end rather stealing WiFi from Starbucks or the local library. Their solution looks fancy, but you can do the same thing with off-the-shelf devices for a lot cheaper. Here is the same solution with off-the-shelf products:


This is just a TL-WR703N ($26) router with a 3G USB dongle. You can get these dongles cheap off eBay used, or new for around $17. Combined, they are cheaper than a Raspberry PI. If you want to customize this, Continue reading

0

How to build your own ProxyHam

"ProxyHam" created controversy because the talk was supposedly suppressed by the US government. In this post, I'll describe how you can build your own, with off-the-shelf devices, without any code.

First, head on over to NewEgg. For a total of $290.96, buy two locoM9 repeaters (for $125.49 each), and two WiFi routers, like the TL-WR700N for $19.99 each.

Grab your first WiFi device. Configure it in "client" mode, connecting it to the "Starbucks" SSID. In this mode, you can then connect your laptop via Ethernet to this device, and you'll have access to the Internet via your WiFi device to Starbucks. In other words, it acts as a WiFi dongle, but one that you attach via Ethernet instead of USB.

Now grab your two locoM9 devices and configure them for "transparent bridging". In this mode, whatever Ethernet packets that are received on one end get sent over the air to the other end. Connect each localM9 via the TL-WR700N via the supplied Ethernet cable.

Now grab the second WiFi device and configure it as a normal WiFi router.

Now, assuming you aim the localM9's correct toward each other with reasonable line-of-sight, you've got a "ProxyHam".

---

The reason Continue reading