
      Making RADIUS more secure

      pubsub.slavino.sk / networkradius · Friday, 24 November - 12:00

    As we’ve previously discussed, there are several insecure elements in RADIUS. We are currently working in the IETF (Internet Engineering Task Force) to close those gaps and improve security for everyone. This article outlines some of the current shortcomings of RADIUS, best practices for mitigating them, and a roadmap for how these vulnerabilities will be addressed within the RADIUS standard.

    Tags: #Network, #articles


      Out with the Old

      pubsub.slavino.sk / hackerfactor · Sunday, 12 November, 2023 - 16:31 · 8 minutes

    I often use DVDs for watching videos. To me, the quality is as good as anything streaming. But it has an added benefit: I don't have to deal with commercials or "buffering" issues. My local library has a really good DVD collection. I use the library for those "watch once" movies. When I find a movie I expect to repeatedly watch, I buy it on DVD. This way, I don't have to visit the library the next time I want to watch it. (I'm still on the Library's waiting list for the Barbie movie. I'm expecting it to be a fun movie, but one of those "watch once" videos. I suspect it won't be like Firefly or Rogue One, which I bought on DVD. I watch those movies at least once a year.)

    As another benefit, DVDs often include lots of extra features that you won't find on most streaming services. If you want to see all of the funny outtakes from Monsters Inc., or hear the director's commentary about Buffy the Vampire Slayer's "Hush" episode (my personal favorite), then you really need the DVD.

    My DVD player, the one that's hooked up to the TV, broke last week. It wasn't that it couldn't play anything. Rather, the video card in it died. The HDMI connector didn't work, the S-Video didn't work, and the RCA connectors for red, green, and blue only worked for red and green.

    I was really on the fence about whether to get a replacement DVD player or just stream everything from my home media server. (My Synology RAID includes a Plex media server that streams to my Roku.) Among other things, Netflix recently decided to stop their DVD-by-mail rental service. (Before streaming, Netflix began with mail-order DVD rentals.) This was followed weeks later by Best Buy announcing an end to DVD and Blu-ray. Even my newest computers came without DVD players. (Want to install media? Use a USB drive.)

    Just as we all moved from vinyl records to CDs and then MP3s, it looks like the age of the DVD is over. And this is when I decided to replace my DVD player. I guess I bought one of the last dedicated DVD movie players.

    My replacement DVD player is physically smaller than my old one (a fraction of the size) and only cost a few dollars. It supports HDMI and the RCA yellow/red/white connectors. My old DVD player also supported USB and cable TV inputs, and it could record to DVD-RW media. But I hadn't used those features in decades. The replacement is just a DVD player, and that's fine for my needs.

    You'd have to wait but you could hear it on the AM radio

    It's not just DVDs that are going away. A few months ago, it was announced that automakers want to remove AM from the radio players. The technical reason is that electric vehicles generate a lot of radio frequency (RF) noise that interferes with the AM radio reception. Shielding the radio from the RF noise would increase the vehicle costs.

    The proponents for keeping AM radio have pretty weak arguments. They point out that it's really easy to set up an AM transmitter and if there's ever a big emergency, then AM radio will work when all else fails. However, if you really want to help in an emergency, then get your amateur radio license. When there are big disasters, like earthquakes, hurricanes, and wars, the ham radio operators are usually the first people to get the word out.

    I'm not sure how I feel about AM radio going away. I own an antique radio (a 1930 Grigsby-Grunow Majestic 131 lowboy). Normally, it only receives two stations: religion and religion+sports. I built a tiny AM radio transmitter that plugs into the headset port on my computer. It's very low power and has a range of a few feet. Using this, I can stream music from my computer to the old radio over an AM signal. However, other than running my very tiny AM station for my antique radio, I haven't used AM in decades. When driving across country, I might scan the FM stations but I never switch to AM.

    Yes, a collect call for Mrs. Floyd from Mister Floyd. Will you accept the charges?

    Another thing that is going away is landline phones. The plain old telephone service (POTS) is a relic. In 2019, the FCC lifted regulations requiring carriers to provide POTS/landline support. And earlier this year, AT&T (one of the three remaining baby bells) decided to drop landline support.

    Today, almost everyone uses cellphones. This simplifies connectivity for most carriers and metro areas. In particular, the carriers don't have to run copper wires to every house; they just put up more cell towers. However, if you're in very rural areas (like driving through Idaho, Wyoming, Montana, or the Dakotas), then there are large swaths of land without cell coverage. A landline used to be the only option, but that option is going away.

    Personally, I moved my landline phone number to a mobile service years ago. However, I use a 'base station' to connect to the service. In my office, there's an actual phone with a handset on my desk. The phone plugs into the base station which bridges to the cell service. When an incoming cellular call comes in, the base station makes my phone ring. I do this because I find a real phone handset easier to use than a regular cellphone.

    Of course, there is a downside. The base station can't receive text messages. In fact, none of my phones have text messaging enabled. For me, this is more about costs. For most carriers, text messaging requires a data service, and cellular data services are both slow and expensive. On top of this, there are apps on my phone that cannot be disabled and will happily use any network connectivity. This means that they will run up my data usage even if I don't want them to. Rather than fighting with them, I just don't have a data plan. Unless I'm on my home or office WiFi, my phone can't go online -- and I'm happier this way.

    Can you hear me now?

    Unfortunately, having a phone with a data plan is becoming mandatory.
    • Restaurants have stopped handing out pagers for people waiting to be seated. Instead, they want your cellphone number. This way, they can text you when your table is ready. I've gotten lots of blank stares when I've said, "I don't have a cellphone." (Well, I do, but I don't have text messaging. And even if I did, the paranoid security freak in me doesn't want to give out my number.)
    • One of my webcams is inaccessible from anything except a cellphone. I have no idea why (other than the vendor wanting to track my cellphone usage).
    • Want to buy food or drink on an airplane? Lots of airlines have gone cardless. You register with your cellphone and then purchase airplane snacks with your phone. Of course, I (1) refuse to install their app due to privacy issues, and (2) don't have a data plan for registering the app. My choices are to starve or (more often) carry food onto the plane.
    • Rental car places just assume that you know your car's parking spot because they texted it to you. But if you don't receive text messages, well, hold on while they get a supervisor.
    • My bank recently forcefully enabled two-factor authentication. The good news is that 2FA is more secure. The bad news is that they kept trying to send a text message to my landline (no texts) phone number. When speaking with their tech support, it literally never occurred to them that someone would do online banking without SMS support.

    Home Sweet Home

    It's not just me. One of my friends recently bought a house. This turned out to be much more complicated than he expected:
    • The real estate company was completely confused by the fact that he didn't receive text messages about his closing papers. They sent it to a phone number that doesn't have text messages.
    • Instead of texting, they emailed him links to the ownership documents. Some of their links only worked with Chrome. He almost exclusively uses Firefox.
    • They were surprised that he couldn't just sign the papers on his touch screen or with a mouse. He only has a laptop and it has one of those eraser-nub mice in the middle of the keyboard. No touch screen, no mouse, no trackpad. Remember hearing about the old old days when illiterate people could sign using an "X"? That's how he bought a house.
    It's not that my friend is super paranoid like me. He's just at that age where he doesn't want to upgrade unless it's absolutely required. Most of the time, upgrading means a learning curve and it's not worth the inconvenience. And in this case, buying a house shouldn't require a new computer plus a new cellphone with a data plan.

    Coming Soon?

    When I check out at the store, the cashiers always ask for an email address or phone number. "Is it required?" "Uh, no." But if I say 'no thank you', then they enter in something anyway. (Like the store's phone number?) It may not be required, but they cannot complete the transaction without entering something.

    Of course, all of this makes me wonder about the gap between the haves and have nots. If you're poor, homeless, or simply can't afford a phone, then you are locked out of lots of things. Without a cellphone, the simple tasks that we take for granted, like using a bank account or buying something from a store, becomes a serious hardship. Moreover, having a cellphone isn't free. If you're on a poverty-level fixed income, then the phone is often one of the first things to go.

    I'm fine with using new technology for convenience. However, companies need a plan for users who don't have (or don't want) the new technology. There's more of us than you might think.

    Tags: #Politics, #Network, #Unfiction, #Financial, #Privacy


      The various meanings of DKIM signing message headers

      pubsub.slavino.sk / chris_spam · Sunday, 5 November, 2023 - 02:34 · 2 minutes

    When I talked about the issue of what headers to include in email DKIM signatures, I didn't really cover the specifics of how you DKIM sign email headers and what the various options mean. The specifics can matter, especially since they help you (me) understand and navigate through the options that mailers (such as Exim) offer here.

    In email messages, DKIM signatures appear in a DKIM-Signature header, which lists a bunch of parameters:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed;
       d=list.zfsonlinux.org;
       h=from:to:subject:message-id:in-reply-to:references:date
       [....]
    

    The 'h=' list (which isn't complete here) is a list of headers that have been signed. More specifically, it's a list of instances of headers. If there are multiple instances of a given header in a message, DKIM defines an order to them and the instances of the header are checked (or used) in that order. So if you include 'from' once in the DKIM header list, you are saying that your DKIM signature includes DKIM's first 'From:' header in the message. If a second 'From:' header is added to the message, it's not included in what's covered by your DKIM signature; it can have any value and the message will still pass DKIM validation.

    As mentioned last time, including a header that doesn't exist in the DKIM signature signs its absence; if that header is then added to the message, the DKIM signature will become invalid. DKIM signing things that aren't there is sometimes called oversigning a header; you're not just signing what's present, you're also signing what's not. As a corollary of this, if you want to seal a message against having extra copies of some headers added, you can deliberately oversign existing headers. This is done by including their names an extra time in the h= list; the first time signs the existing header, and the second time signs that there's no second header. So if we wanted to make sure no one added a second 'From:' to a message, we'd sign 'h=from:from:[....]'.

    One reason to oversign existing headers that should only appear once is that anyone who adds a second 'From:', 'Date:' or whatever to your message is probably up to no good. Another reason is that it's hard to predict which instance of the header a mail client will show to people reading the message, and there are probably some mail clients that will show the wrong instance of the header (the instance that isn't covered by your DKIM signature and so can be set to anything by an attacker).

    This creates several options and decisions:

    • do you make it so that certain headers can't be added to the message later, like the List-* and Resent-* families, or allow them to be added later?
    • what headers do you sign if they're present? For example, should you sign Resent-* or List-* headers at all?
    • do you oversign some existing headers so that no additional copies can be added?

    Based on a quick skim of email that I have handy, relatively few sources of mail seem to be oversigning existing headers. However, GMail does oversign at least some email for core headers like From: and Subject:. Since Google is one of the eight hundred pound gorillas of email, if they're doing it people's DKIM signature validation is at least prepared to cope with this.

    (I suspect that having two From:, Subject:, or so on headers trips enough spam detection systems that attackers don't normally do it.)


    Tags: #Network


      Motion Tracking

      pubsub.slavino.sk / hackerfactor · Sunday, 29 October, 2023 - 19:50 · 9 minutes

    A few blog entries ago, I wrote about problems with helping other people with their computers. (Most of the problems were due to the software and not the people.) This turned into a discussion about automating the monitoring of the elderly and making a minimal "Are you okay?" system. My solution uses a very simple script to monitor their computer for signs of activity since they all use their computers fairly regularly. If they change their habits and miss a check-in window, then it triggers an alert.

    While monitoring the computer is a good start, it's still not ideal. Recently I've been evaluating miniature embedded systems and homemade IoT devices for simple automation tasks. These included Raspberry Pi miniature computers as well as Arduino embedded controllers. In the comments to my blog entry, Matt and Jon suggested that I look at the ESP32. It's the same concept as an Arduino, but it has built-in WiFi and bluetooth. (Now I just needed a reason to try it out.)

    One of my friends has an elderly parent who lives alone. While this person regularly uses the computer, my friend is concerned about his father falling and going unnoticed for hours. We worked out an inexpensive solution: a network-based motion sensor. (Woo hoo! A reason for getting an ESP32 and a guinea pig for testing!) Here's the idea: we will place 2 of these wifi motion sensors in my friend's elderly parent's home. They are going to be located near the kitchen and the main hallway. These are areas that he walks by often. As a motion sensor, it will be triggered each time his father goes to the kitchen, walks to the bathroom, TV room, bedroom, etc. ("Or you could just call me. I like it when you call." Nope -- remote wireless sensors!)

    First Attempt

    An Arduino costs about $15 USD but needs a network adapter that costs another $15. In contrast, I purchased my first three ESP32 controllers for about $6 USD each (three CPUs plus development boards for $22 total). Unfortunately, I had to return them because each was faulty. Here's the link to the item at Amazon. However, I do not recommend these. While the development boards are fine, each ESP32 had the same problem: bad ground.


    The ESP32 (ESP32-WROOM-32, 38-pin) has three ground pins (in black).
    • Good ground. The ground pin in the top right (opposite corner from 5V) is good. Use it for everything.
    • Bad ground. The ground pin on the left (6 pins from the bottom) is bad. With the power off, I hooked a meter from good-ground to bad-ground. It does have connectivity, but there's a slight delay as the resistance drops to zero. This suggests that there's a capacitor or inductor or something sitting in front of the ground pin. When power is first applied, this pin has zero connectivity for a few microseconds.

      I noticed that the device wasn't running the program when power was supplied over USB. I had to press the reset button before the program would run. Other people came up with complicated workarounds (using capacitors and resistors) that effectively press the restart button a moment after power is applied.

      Another person noticed that, if you want to use external power, then you need to use good-ground and not bad-ground. Otherwise, it won't boot. I took his idea and tested it: If you jumper good-ground to bad-ground, then it boots properly when power is applied over USB. As a power source, the integrated USB port appears to be hooked to bad-ground. Don't use bad-ground.
    • Ugly ground. The third ground pin is on the right, 7 pins from the top. According to my meter, this pin has zero connectivity. At all. It's a floating ground pin. At best, it won't work for you. And depending on your electronics, you might end up not having it work, frying something, or causing a fire. Do not use!
    If the developers can't get ground right, then who knows what else is wrong with the hardware. I returned it.

    I want to emphasize that not every ESP32 has this problem. This appears to be a bad batch. (Most likely, someone bought up a bunch of known-bad chips and tried to sell them for cheap on Amazon.) However, this experience is bad enough to scare me away from anything with this form factor. Fortunately, there are lots of other options.

    Attempt #2

    A couple of my friends suggested that I look at the M5Stamp-S3 from a company called M5Stack. This is a postage-stamp size ESP32 controller with built-in WiFi and bluetooth. It also has a built-in multi-color LED. And best of all, the version that I got had all the pins already soldered in, so I can plug-and-play without soldering. (I didn't get it from M5Stack because they use a Chinese credit card processor who is associated with fraud and potentially unsafe. Instead, I paid $0.50 more and got it from DigiKey. And since the price for shipping didn't increase with quantity, I ordered three of them.)


    This is a device that I can definitely recommend. It was simple to hook up to the sensor rig that I had originally created for the ESP32. (The pins are in different places, so be sure to redo the wiring.)

    The Sensor

    I configured the M5Stamp as a controller for a wireless motion sensor. For the sensor, I used a tiny microwave doppler radar switch. While it uses microwave frequencies, it's so low power that you won't fry anyone. The microwaves go through wood, drywall, doors, etc. The only things that really stop it are metal and water. Humans are basically large bags of water and create a strong microwave reflection. As you walk past the sensor, it triggers for 2 seconds.

    The thing that I like about this sensor is that you don't have to drill a hole in the wall. Just mount it on the wall near an electrical outlet. It has a range of over 9 feet (3 meters). However, I'm currently seeing brief flashes of activity when there shouldn't be any. (Either there's a ghost in my house that is triggering the motion sensor, or there's a little chatter in the electronics.) I probably just need a little shielding or to filter the chatter in software. But I think this is really close to being ready. (Maybe another 1-2 weeks.)

    Here's the first attempt at the box:


    • The orange block is the M5Stamp.
    • The M5Stamp is plugged into an 11x5 mini breadboard.
    • The breadboard is sitting on top of a piece of cardboard with aluminum tape on one side. The aluminum tape blocks any RF noise from bothering the motion sensor and the cardboard prevents the metal tape from shorting out the electronics on the sensor.
    • Under the aluminum and cardboard is the motion sensor. (Just the pins are peeking out the top.)
    • The electronics are mounted in a box. I have a piece of foam (not shown) that keeps everything from moving around. (The box is much larger than needed because it was originally designed for the ESP32-WROOM, which is a much larger controller chip. The next version will be smaller.)
    • The entire thing plugs into a USB cable and power plug.
    When it's done, it will just need to be plugged in and hung on the wall at about ankle level. (You can't see it in this photo, but there's a hook hole for a nail at the top of the box.) It can easily be hidden out of view.

    My program for the M5Stamp does a few things:
    1. It connects to the WiFi network.
    2. It watches the motion sensor.
    3. When there is any activity, the on-board LED turns on. No activity turns the LED off.
    4. I track when the sensor was triggered and maintain a delay of 20 seconds for the motion event. This way, small chattering is ignored until there is at least 20 seconds of inactivity.
    5. At the start of each motion event, it uses the WiFi to contact a reporting web page. It only reports that activity was seen near the sensor.
    Now, if there isn't activity for a few hours, then either (A) the person isn't home (check their iPhone and friend tracker), (B) the person is asleep (check the clock and don't panic at night), or (C) the person has fallen and needs help. Moreover, it's more reliable than waiting for the person to use their computer and trigger any proof-of-life script. It's also non-intrusive; while we know there is movement in the house, we don't know what he's doing or where he's going. (It's not like putting a camera in every room in the house.)
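The event logic in steps 3 to 5, plus the "don't panic at night" rule for the server side, as an added example. This is not the author's M5Stamp program: it is written in plain Python so the debounce behaviour can be run and checked on a desktop before being ported to the board, and it leaves out the WiFi connection, the LED call and the HTTP request, which are board-specific. The 20-second hold-off comes from the post; the three-hour idle threshold, the 22:00-07:00 quiet window and the sample trace are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class MotionEventTracker:
    """Turns a chattery sensor line into clean motion events.

    A motion event starts on the first trigger and stays open until the
    sensor has been quiet for `hold_seconds` (20 s in the post), so brief
    chatter inside that window never produces a second report."""
    hold_seconds: float = 20.0
    last_trigger: Optional[float] = None
    in_event: bool = False

    def update(self, now, triggered):
        """Feed one sample. Returns "start" when a new event begins (the moment
        to contact the reporting page), "end" when it closes, else None."""
        if triggered:
            self.last_trigger = now
            if not self.in_event:
                self.in_event = True
                return "start"
            return None
        if self.in_event and now - self.last_trigger >= self.hold_seconds:
            self.in_event = False
            return "end"
        return None

    @property
    def led_on(self):
        # The on-board LED mirrors the event state, not the raw sensor line.
        return self.in_event


def simulate(samples, hold_seconds=20.0):
    """Run a list of (seconds, sensor_high) samples through the tracker and
    return the times at which a report would be sent."""
    tracker = MotionEventTracker(hold_seconds)
    return [t for t, active in samples if tracker.update(t, active) == "start"]


def needs_attention(hour_of_day, idle_seconds, max_idle_seconds=3 * 3600,
                    quiet_hours=(22, 7)):
    """Server-side rule from the post: long inactivity is an alert, except at
    night when the person is presumably asleep. The 3 h threshold and the
    quiet window are assumed values for this example."""
    night_start, night_end = quiet_hours
    asleep_window = hour_of_day >= night_start or hour_of_day < night_end
    if asleep_window:
        return False
    return idle_seconds >= max_idle_seconds


# Constructed sample trace: a walk past the sensor at t=0-1 s, a one-sample
# electrical blip at t=10 s, then a second real walk-by at t=40 s.
SAMPLE_TRACE = [(0, True), (1, True), (2, False), (5, False), (10, True),
                (11, False), (25, False), (29, False), (31, False), (40, True)]

if __name__ == "__main__":
    print("report times:", simulate(SAMPLE_TRACE))            # [0, 40]
    print("3h idle at 14:00 ->", needs_attention(14, 3 * 3600))  # True
    print("3h idle at 02:00 ->", needs_attention(2, 3 * 3600))   # False
```

The blip at t=10 extends the open event but does not produce a second report; only the walk-by at t=40, after more than 20 seconds of quiet, does. The idle check is deliberately kept out of the device so that changing the threshold or the quiet hours does not require reflashing the sensor.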

    Other Uses

    Using a wireless motion sensor is a great solution if you don't have pets. However, dogs and cats will trigger the sensor. I mentioned this to a friend of mine and he loved the idea for his elderly dog! He currently uses multiple PIR (passive infrared) sensors to alert him when the dog walks around at night. (If he doesn't get up when the dog gets up, there's going to be a messy accident.) A single WiFi motion sensor would cover the entire area without being as directional as a PIR.

    Another friend of mine lives with a parent who has dementia. He's planning on tracking every external door of the house, "just in case she makes another escape attempt." (It sounds funny, but it's really a serious problem.)

    Version 2

    After I finish the first version, I'm planning on making a second one for myself. It's going to monitor the front door because UPS, FedEx, Amazon, and the postal service have all decided to never ring the doorbell. They walk up, drop off packages, and run away. I'm usually in the house. If I'm near the door, I might hear the thump of a box and realize there's a package. I do have a camera by the door, but it can take up to 60 seconds before my phone beeps. (The notification is great if I'm next to my phone, but often my phone is in a different part of the house.)

    The next wireless monitor will watch the front of the house. If anyone approaches the doorstep, it will let me know immediately. I'm also going to have a second sensor inside the doorway. This way, someone walking out of the house will trigger the inside sensor first, allowing me to know when someone is leaving and not trigger the doorbell. In contrast, someone walking up to the door first will trigger the door sensor. And since it's microwave, I don't have to worry about drilling a hole in the wall or mounting something outside in a weather-resistant case.

    With these inexpensive and customized IoT systems, I might end up with a smarter home that works the way I want it to work -- and at a fraction of the price of a mass-produced solution.

    Tags: #Network, #Security, #Programming


      The issue of what headers to include in your DKIM signatures

      pubsub.slavino.sk / chris_spam · Friday, 27 October, 2023 - 03:20 · 3 minutes

    Increasingly, you have to sign your outgoing email messages with DKIM. When you use DKIM to sign things, in one sense you're signing an abstract 'email message', and in another, more concrete sense, you're signing the email body plus some of the email message headers. You might innocently think that the message headers to sign are standardized and obvious, but I recently learned from a discussion on the Exim mailing list that neither is the case. Different mail systems may sign different sets of headers in ways that are more or less aggressive, and some of these ways have downstream effects.

    (This is especially relevant to Exim, where the default configuration of what headers to sign is perhaps somewhat aggressive.)

    A basic part of DKIM signing is that if a message doesn't have a particular header and you include it in the DKIM signature headers anyway, what you're doing is signing that there is no such header in the email; basically, the header is interpreted as having a null value. If someone adds the header later, it will have a non-null value and so fail the DKIM signature check. Signing nonexistent headers is important if you think that adding them would change the meaning of the message as people perceive it (or as they see it).

    As far as what headers to include goes, RFC 6376 provides relatively little guidance in section 5.4 and then a big and somewhat questionable list in section 5.4.1. Some headers are in practice part of the meaning of the message as people reading it will perceive things; in this category I'd include From: (which is required anyway), Subject: and Date:, and probably To:, cc:, and Reply-To:, and in practice I'd roll in In-Reply-To and References and some others. Some headers will change the interpretation of the message body if modified so must be protected by the DKIM signature; this includes all MIME related headers.

    But then you have headers that may or may not change what you see as the meaning of the message if they're added to it after your signature. In this category are both the Resent-* family of headers for resent messages and especially the List-* family of mailing list headers. In some environments, whether a message was sent directly to people or came through a (visible) mailing list matters, as does what mailing list; in those environments you probably want to include the List-* headers in your DKIM signatures. But in other environments, this is not critical and in fact your people may be sending messages to outside mailing lists and want this to not break the DKIM signatures of their messages so the post-mailing-list version of their email is still accepted by, for example, GMail.

    (You can have a similar discussion about Resent-*. Maybe these headers should never be signed, maybe they should be signed only if they're present, and maybe they should always be signed so that if someone visibly resends a signed message, it no longer passes DKIM verification.)

    Now that I'm aware of this issue, we're probably going to change away from the Exim default (which signs all of the section 5.4.1 headers, plus the MIME headers) to something where we definitely don't sign the List-* headers and probably don't sign the Resent-* headers.

    PS: One of the reasons to not sign Resent-* and List-* headers is that in both cases, you can do resending and mailing lists without changing the headers at all. Breaking DKIM signatures if people actually do add headers thus only encourages them to not add the headers; since adding the headers is useful and nice, we shouldn't discourage people from doing so.
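The header-instance selection and oversigning mechanics described in the later post on "The various meanings of DKIM signing message headers" (the h= list, signing a second 'from' to seal against an added From:) and the null-value rule in this post (signing an absent List-* header makes a later addition fail verification) are the same computation, so one added example covers both. This is not code from either post or from Exim; it is a Python model of the RFC 6376 header hash with the RSA step omitted, since whether the signed header hash changes is exactly what decides whether the signature still verifies. Per RFC 6376 section 5.4.2, repeated names in h= select header instances from the bottom of the header block upward, so a header prepended by a later hop is the instance left uncovered unless the signer oversigns. The header names, addresses and List-Id value are constructed for the example.

```python
import hashlib
import re

# Constructed message headers, listed top to bottom as they appear in the
# message. The names and addresses are made up for this example.
ORIGINAL_HEADERS = [
    ("From", "Alice <alice@example.org>"),
    ("To", "Bob <bob@example.net>"),
    ("Subject", "Re: DKIM header selection"),
    ("Date", "Fri, 27 Oct 2023 03:20:00 +0000"),
]


def parse_h_tag(h_value):
    """Split a DKIM-Signature h= value into its colon-separated header names."""
    return [name.strip().lower() for name in h_value.split(":") if name.strip()]


def relaxed_canonicalize(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization: lowercase the
    name, unfold, collapse whitespace runs, trim, and terminate with CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}\r\n"


def select_signed_instances(headers, h_names):
    """Return the (name, value) pair each h= entry binds to, or (name, None)
    when the entry signs the absence of a further instance.

    RFC 6376 section 5.4.2: repeated names select header instances from the
    bottom of the header block upward; once the instances run out, further
    repetitions sign a null value (this is 'oversigning')."""
    unused = {}
    selected = []
    for name in h_names:
        if name not in unused:
            unused[name] = [
                i for i in range(len(headers) - 1, -1, -1)
                if headers[i][0].lower() == name
            ]
        if unused[name]:
            selected.append((name, headers[unused[name].pop(0)][1]))
        else:
            selected.append((name, None))
    return selected


def header_hash(headers, h_names):
    """SHA-256 over the canonicalized signed header instances. Absent (null)
    instances contribute nothing, so adding such a header later changes the
    hash. The RSA signature over this hash is omitted: a changed hash is a
    failed verification."""
    data = b"".join(
        relaxed_canonicalize(name, value).encode()
        for name, value in select_signed_instances(headers, h_names)
        if value is not None
    )
    return hashlib.sha256(data).hexdigest()


def survives_added_header(headers, h_names, added):
    """True if prepending `added` (where a later hop normally inserts headers)
    leaves the signed header hash, and so the DKIM signature, unchanged."""
    before = header_hash(headers, h_names)
    after = header_hash([added] + list(headers), h_names)
    return before == after


if __name__ == "__main__":
    plain = parse_h_tag("from:to:subject:date")
    oversigned = parse_h_tag("from:from:to:subject:date")
    spoof = ("From", "Chief Executive <ceo@example.org>")
    list_hdr = ("List-Id", "Constructed list <list.example.org>")
    print("h=from      survives a second From:", survives_added_header(ORIGINAL_HEADERS, plain, spoof))
    print("h=from:from survives a second From:", survives_added_header(ORIGINAL_HEADERS, oversigned, spoof))
    print("List-Id unsigned, survives list hop:", survives_added_header(ORIGINAL_HEADERS, plain, list_hdr))
    print("List-Id signed as absent, survives:", survives_added_header(ORIGINAL_HEADERS, plain + ["list-id"], list_hdr))
```

Run as a script, the four lines print True, False, True, False: a single 'from' leaves a prepended second From: outside the signature, 'from:from' catches it, and naming 'list-id' in h= when the message has no List-Id header is precisely what makes a mailing list's later addition break the signature, which is the trade-off this post is weighing.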


    Tags: #Network


      Throwing Shade

      pubsub.slavino.sk / hackerfactor · Sunday, 22 October, 2023 - 02:26 · 7 minutes

    As part of FotoForensics, I try to track major occasions, such as holidays, weather warnings, and astronomical events. Often, I'll see fake photos of the occasion before it happens. I might see photos of a major blizzard burying a neighborhood days before the storm hits or a beautiful picture of a full moon a week before the full moon. What I'm usually seeing are forgers creating their pictures before the event happens.

    Similarly, I often see fakes appear shortly after a major event.

    Last Saturday (Oct 14), we had a great solar eclipse pass over North and South America. This was followed by some incredible photos -- some real, some not.

    I tried to capture a photo of the eclipse by holding my special lens filter over my smartphone's camera. Unfortunately, my camera decided to automatically switch into extended shutter mode. As a result, the Sun is completely washed out. However, the bokeh (small reflections made by the lens) clearly shows the eclipse.


    I showed this photo to a friend, and he one-upped me. He had tried the same thing and had a perfect "ring of fire" captured by the camera. Of course, I immediately noticed something odd. I said, "That's not from Fort Collins." I knew this because we were not in the path of totality. He laughed and said he was in New Mexico for the eclipse.

    Ring of Truth

    Following the eclipse, FotoForensics has received many copies of the same viral image depicting the eclipse over a Mayan pyramid. Here's one example:


    The first time I saw this, I immediately knew it was fake. Among other things:
    • The text above the picture has erasure marks. These appear as some black marks after the word "Eclipse" and below the word "day". Someone had poorly erased the old text and added new text.
    • The Sun is never that large in the sky.
    • If the Sun is behind the pyramid, then why is the front side lit up? Even the clouds show the sunlight on the wrong side.
    Artists for these kinds of fakes usually start with an existing picture and then alter it. I did a search for the pyramid image but couldn't find it. What I did find were a huge number of viral copies.


    These include sightings from Instagram, LinkedIn, Facebook, TikTok, the service formerly known as Twitter, and many more. Everyone shared the photo, and I could not find anybody who noticed that it was fake.

    Ideally, we'd like to find the source image. This becomes the "smoking gun" piece of evidence that proves this eclipse photo is a fake. However, without that, we can still use logic, reasoning, and other clues to conclusively determine that it is a forgery.

    Looking Closely

    Image forensics isn't just about looking at pixels and metadata. It's also about fact checking. And in this case, the facts don't line up. (The only legitimate "facts" in this instance are that (1) there is a Mayan pyramid at Chichén Itzá in Yucatán, Mexico, and (2) there was an eclipse on Saturday, October 14.)
    • The Moon's orbit around the Earth isn't circular; it's an ellipse. When a full moon happens at perigee (closest to the Earth), it looks larger and we call it a "super-moon". A full moon at apogee (furthest away) is a "mini-moon" because it looks smaller. Similarly, if an eclipse happens when the Moon is really close to the Earth, then it blocks out almost all of the Sun. However, the Oct 14 eclipse happened when the Moon was further away. While the Moon blocked most of the Sun, it did not cover all of the Sun. Real photos of this eclipse show a thick ring of the Sun around the Moon, not the thin ring of the corona that is shown in this forgery.
    • I went to the NASA web site, which shows the full path of the total eclipse. The path of totality for this eclipse did go through a small portion of Yucatán, but it did not go through Chichén Itzá. At best, a photo from Chichén Itzá should look more like my photo: a crescent of the eclipse.
    • At Chichén Itzá, the partial eclipse happened at 11:25am - 11:30am (local time), so the Sun should be almost completely overhead. In the forgery, the Sun is at the wrong angle. (See Sky and Telescope's interactive sky chart. Set it for October 14, 2023 at 11:25am, and the coordinates should be 20' 40" N, 88' 34" W.)

      [image: sky chart for Chichén Itzá on October 14, 2023 at 11:25am]

    • Google Maps has a great street-level view of the Mayan pyramid. The four sides are not the same. In particular, the steps on the South side are really eroded, but the North side is mostly intact. Given that the steps in the picture are not eroded, I believe this photo is facing South-East (showing the North and West side of the pyramid), but it's the wrong direction for the eclipse. (The eclipse should be due South by direction and very high in the sky.)
    • Google Street View, as well as other recent photos, show a roped off area around the pyramid. (I assume it's to keep tourists from touching it.) The fencing is not present in this photo.
    • The real pyramid at Chichén Itzá has a rectangular structure at the top. Three of the sides have one doorway each, while the North-facing side has three doorways (a big opening with two columns). In this forgery, we know it's not showing the South face because both stairways are intact. (As I mentioned, the South-facing stairwell is eroded.) However, the North face should have three doorways at the top. The visible sides in the photo have one doorway each, meaning that it can't be showing the North face. If it isn't showing the North side and isn't showing the South side, then it's not the correct building.
    There was one other oddity in this fake eclipse photo: the people. The forgery photo shows a lot of people. However, you can't make out any details about them, except that they are all dressed in dark clothing and nobody is standing on the lawn. If you ever see a real photo of tourists, you'll notice that there are lots of different colors of clothing. And a crowd of people at a major event like this? People will definitely be standing on the lawn. In addition, there are no telescopes or cameras. (If the people are there for the eclipse, then why are they not watching the eclipse?)

    I can't rule out that the entire image may be computer generated or from some video game that I don't recognize. However, it could also be a photo from something like a museum diorama depicting what the pyramid may have looked like over a thousand years ago. (Those museum dioramas almost never have people standing on the miniature lawns.)

    In any case, the eclipse was likely added after the pyramid photo was created.

    Moon Shot

    While I couldn't find the basis for this specific eclipse photo, I did see what people claim is a second photo of this same eclipse at the same Mayan pyramid. I found this version of it at Facebook, but it's also being virally spread across many different social media platforms.

    [image: the second viral eclipse photo of the same pyramid]

    Now keep in mind, I've already debunked the size of the Sun, the totality of the eclipse, and the angle above the horizon. This picture also has the same problem with the wrong side of the pyramid being in shadow. Moreover, it contradicts the previous forgery: it shows the eclipse happening on the other side of the pyramid, no people, and different cloud coverage at the same time on the same day.

    With this second forgery, I was able to find the source image. The smoking gun comes from a desktop wallpaper background that has been available since at least 2009:

    [image: the desktop wallpaper that served as the source image]

    In this case, someone started with the old desktop wallpaper image, gave it a red tint, added clouds, and inserted a fake solar eclipse.

    Total Eclipse of the Art

    It's easy enough to say "it's fake" and to back it up with a single claim (e.g., wrong shadows). However, if this were a court case or a legal claim, you'd want to list as many issues as possible. A single claim could be contested, but a variety of provable inconsistencies undermines any authenticity allegedly depicted by the photo.

    The same skills needed to track down forgeries like this are used for debunking fake news, identifying photo authenticity, and validating any kind of photographic claim. Critical thinking is essential when evaluating evidence. The outlandish claims around a photo should be grounded in reality and not eclipse the facts.

    Tags: #FotoForensics, #Network, #Forensics


      Tracking Proof of Life

      pubsub.slavino.sk / hackerfactor · Saturday, 14 October, 2023 - 16:14 edit · 10 minutes

    In my last blog entry, I mentioned helping other people with their computers. While I didn't mention anyone's age, a lot of the feedback has been related to elderly relatives. (Only some of the people I tried to help were elderly.) These comments led to some very interesting discussions about monitoring the elderly.

    Whether it's your parents, grandparents, distant relatives, or nearby neighbors, we all know someone who is elderly. Unless you live with them, you probably check up on them during the occasional visits, while on walks around the block, or through phone calls, emails, texting, and social media apps. I know many people (myself included) who have scheduled weekly calls to check in and chat. The problem is, if we don't hear from them, we just assume they are busy. We usually don't get concerned until after days or weeks pass.

    My biggest fear is to learn that someone had an accident, like falling, and remained unnoticed for days. I remember reading an article about a man who died and nobody noticed for 7 years. That's when his auto-pay bank account ran out of funds for utilities. Another deceased person went unnoticed for 8 years.

    I've been chatting with friends about different kinds of "proof of life" monitoring. Personally, I don't want to install a camera in every room of someone's house. That's too invasive. But at the same time, friends and family should know that the person is moving around and doing the expected day-to-day things. An alert should be triggered whenever the daily routine is disrupted. My friends and I have come up with a few solutions.

    Solution #1: Panic Button

    Devices like Life Alert, LifeCall, Lifeline, and invisaWear are wearable devices that you can press if you have an emergency. However, they are large, bulky, and unflattering to wear. The buttons also don't work if you can't reach them or are unconscious.

    The TV commercials for these devices always show a happy elderly person receiving the device, and then using it while in distress. I'll tell you from first-hand experience: I'd rather have dental surgery than try to convince an elderly person to carry the device around every day, "just in case they need it."

    A few decades ago, these panic buttons were good solutions. But there are much better options today.

    Solution #2: Apple Watch

    The Apple Watch includes a fall detector. If you fall, it sounds an alert. If you don't stop the alert, then it uses the built-in cellphone to call for help.

    The Apple Watch is a great (but expensive) out-of-the-box solution. No technical programming needed and it's easy enough that even my non-techie elderly friends can use it. As an emergency monitoring system, this is a bare-minimum solution. However, it has some serious limitations. For example:
    • For the watch to notice a fall, it must be a hard fall. If you hit a sofa, slide down a wall, or partially catch yourself, then it won't detect the fall.
    • If you fall and land on the watch, it could be damaged. (For example, falling onto hard concrete can break the watch.) A broken Apple Watch won't call for help.
    • If you're not wearing the watch, then it won't detect the fall. This includes falling while getting out of bed, slipping in the shower, or not wearing the watch while it is charging.
    • Speaking of charging... The watch needs to be regularly recharged. If you forget and it loses power, then it won't help you.
    • The watch needs cellular connectivity to call for help. One of my friends has a cellular blind spot in the kitchen, between the refrigerator and the oven. (If you want good reception, move away from the kitchen.)
    Let's say it's a soft fall and you are conscious. You can always use the phone to dial for help, right? Well, not necessarily. What if you broke one or both arms when you hit the ground? Then you can't easily touch or navigate the watch's interface. If the user has "Hey Siri" enabled, then it may not register when your voice has a lot of stress. (It doesn't recognize screaming.)

    The worst case? A soft fall as you lose consciousness. The watch is no help here.

    Solution #3: Daily Pattern Monitoring

    Rather than watching for a life-impacting event, I've been thinking about detecting the absence of an event. For example, when I travel, I always have my laptop with me. If I get to the hotel too late at night, I might not call home (I don't want to wake anyone up). However, I am guaranteed to check my email when I get to the hotel. I've recently configured my laptop to trigger a "proof of life" URL every time it goes online. This way, my friends and family who want to know if I made it safely can always check to see if my laptop was turned on.

    Similarly, I have a couple of elderly friends who always check their computers. I've recently modified their Windows configuration to trigger a proof-of-life URL anytime the computer is logged in (including when the screensaver is deactivated). If they don't use their computer at least once a day, then it will trigger an alert.

    To do this, I just needed to create three things: (1) a VBScript file to trigger the proof-of-life URL, (2) a Task Scheduler event that runs the script when there is a login event, and (3) a receiving service that looks for missed events.

    Keep in mind, these are the steps I used. I wouldn't be surprised if there was a better or easier option.
    1. Open the Command Prompt. This will default to your home directory (C:\users\<name>\). Create a directory called 'Scripts' for holding the script to call when the event is triggered. ( mkdir Scripts )
    2. Create the script. I used 'Notepad' to create a simple VBScript file. This script calls 'curl' to trigger a URL that will record the activity. I saved the script as \users\<name>\Scripts\Proof-Of-Life.vbs (the suffix ".vbs" is important.) Here's the source code:
      ' Run curl without a visible console window. The User-Agent (-A)
      ' identifies which computer is reporting in.
      Dim strArgs
      Set oShell = CreateObject("Wscript.Shell")
      strArgs = "cmd /c curl -A Eddie+Desktop https://server/life-track.php"
      ' Run(command, windowStyle, waitOnReturn): 0 = hidden window, False = don't wait
      oShell.Run strArgs, 0, False
      Change the URL to point to your own web server, and set the user-agent string (-A) to identify which computer is doing the reporting. The script's 'run' parameters will trigger the tracking URL silently (without having a terminal window briefly popup). In effect, the user won't notice that this happened.

      To verify that you did this part correctly, you should be able to open the File Folder, navigate to \users\<name>\Scripts\, and run the Proof-Of-Life.vbs file by double-clicking on it (or right-click and select "Open" from the menu). If everything works correctly, nothing will appear to happen on the desktop. However, the remote web server will see a request for "/life-track.php" coming from the computer.
    3. Open the Windows 'Task Scheduler'. (Go to the Start menu and just type 'Task Scheduler'. It will appear at the top of the list.) This is where things get complicated. For tracking logins, you will select "Create Task" and then fill in the tabs:

      • General . Give this task a name and description. I called mine "Proof of Life Login". (Caveat: You can't change the name. To change it, delete the task and recreate it with the new name.) Select "Run only when user is logged on". You don't need to change any of the other default values.
      • Triggers . Select "New" to create a new trigger. From the top drop-down menu for "Begin the task", select "On workstation unlock". I also configured it to "Stop task if it runs longer than" 30 minutes. (It should only take a second to run.)
      • Actions . Select "New" and "Start a program". Select your "C:\users\<name>\Scripts\Proof-Of-Life.vbs" program.
      • Conditions . I uncheck the Power settings since I want it to run regardless of whether it's on battery or AC. I also selected the Network with "Any connection".
      • Settings . This vbs program should take a second to run. For "Stop the task if it runs longer than", select the minimum time: 1 hour.
    With all of these entered, click "OK". Now you should be able to activate the screensaver (Win-L to lock). When you unlock the screensaver, it will immediately trigger the tracking URL.

    On the server side, I created a life-track.php script that (1) validates the user based on the User-Agent string value, and (2) logs the information in an SQLite database. I record the user, date and time, and IP address. I also have a cronjob that checks the SQLite database every few hours to make sure that the user triggered the URL. If no user was seen, then it sends an alert email to me. (My first response will be to check if they are supposed to be home. Then call them, and if that fails, then issue a welfare check on them.)

    As far as privacy goes, the only people who know about the data are myself and the person who said I could monitor them. The monitoring is also not intrusive: I don't know what they are doing at the computer, or even how long they are on the computer. I only know when a proof-of-life was last observed. If the person is injured or missing, then I'll know within a few hours. Worst case, they will be on the floor for up to 16 hours (night check through next morning check), but that's much better than having nobody know there's a problem.
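    The receiving side described above (the life-track.php logger plus the cron check for missed events), written here as an added Python example rather than the author's own PHP and cron job. The allowlist of User-Agent strings, the table layout, the 16-hour silence threshold, and the sample IPs and timestamps are all constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed allowlist: the exact User-Agent each monitored machine sends
# with "curl -A ...", mapped to the name it is logged under.
KNOWN_AGENTS = {
    "Eddie+Desktop": "eddie-desktop",
    "Eddie+Laptop": "eddie-laptop",
    "Grandma+PC": "grandma-pc",
}

SCHEMA = """
CREATE TABLE IF NOT EXISTS life_track (
    id      INTEGER PRIMARY KEY,
    user    TEXT NOT NULL,
    seen_at TEXT NOT NULL,   -- ISO 8601, UTC
    ip      TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS life_track_user_seen ON life_track (user, seen_at);
"""


def ts(iso):
    """Parse an ISO 8601 timestamp with offset, e.g. '2023-10-14T08:00:00+00:00'."""
    return datetime.fromisoformat(iso)


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_ping(conn, user_agent, remote_ip, now=None):
    """The life-track.php side: accept one check-in.

    Returns the user name that was logged, or None when the User-Agent is not
    on the allowlist (scanners hit every URL, so unknown agents are dropped
    rather than logged).  A User-Agent is a client-chosen string: it
    identifies the machine but does not authenticate it, so keep the string
    private and treat each ping as a welfare signal, not as proof.
    """
    user = KNOWN_AGENTS.get(user_agent)
    if user is None:
        return None
    now = now or datetime.now(timezone.utc)
    conn.execute(
        "INSERT INTO life_track (user, seen_at, ip) VALUES (?, ?, ?)",
        (user, now.isoformat(), remote_ip),
    )
    conn.commit()
    return user


def last_seen(conn):
    """Most recent check-in per user, as {user: datetime}."""
    rows = conn.execute(
        "SELECT user, MAX(seen_at) FROM life_track GROUP BY user"
    ).fetchall()
    return {user: ts(seen) for user, seen in rows}


def overdue_users(conn, max_silence=timedelta(hours=16), now=None):
    """The cron-job side: every known user not seen within max_silence.

    Returns {user: last_seen_datetime_or_None}.  A user with no row at all is
    reported too, so a machine that never reached the server still raises an
    alert instead of silently passing.
    """
    now = now or datetime.now(timezone.utc)
    seen = last_seen(conn)
    overdue = {}
    for user in sorted(set(KNOWN_AGENTS.values())):
        last = seen.get(user)
        if last is None or now - last > max_silence:
            overdue[user] = last
    return overdue


def alert_text(overdue):
    """Body of the alert email; empty string when nobody is overdue."""
    lines = []
    for user, last in overdue.items():
        when = last.isoformat() if last else "never"
        lines.append(f"{user}: last proof-of-life {when}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample run: one machine checked in this morning, one has
    # been silent since yesterday midday, one has never reported.
    db = open_db()
    morning = ts("2023-10-14T08:00:00+00:00")
    record_ping(db, "Eddie+Desktop", "203.0.113.5", now=morning)
    record_ping(db, "Grandma+PC", "192.0.2.7", now=ts("2023-10-13T12:00:00+00:00"))
    record_ping(db, "Mozilla/5.0 (scanner)", "198.51.100.9", now=morning)  # dropped
    print(alert_text(overdue_users(db, now=ts("2023-10-14T09:00:00+00:00"))))
```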

    Alternate Use

    For my laptop, I have a similar Windows Task called "phone home". It runs automatically whenever the laptop connects to any network. For this script, I used a custom event trigger:
    • Begin the task: On an event
    • Log: Microsoft-Windows-NetworkProfile/Operational
    • Source: (leave blank)
    • Event ID: 10000 (that's when the network is up)
    When I get to the hotel, I use my laptop to connect to the WiFi, and it automatically triggers a proof-of-life.

    (This has the added benefit of tracking my laptop if it is ever stolen. If the thief turns it on and connects to any wireless network, it will immediately and silently call home.)

    Configuring Windows Tasks is not intuitive. There are tons of event names and numeric identifiers, and very little documentation. A good start is to look in the "Event Viewer". Every event is logged and lists both the log file and the numeric code.

    More Options

    Looking for a change in the daily pattern of life is a great option for monitoring someone's welfare. If they end up falling or being incapacitated, then they may be down or hurt for a few hours, but it won't be for days or weeks before someone notices.

    Besides tracking login access and network connectivity, there are other great uses for these types of monitors. For example, I have one Windows computer that I only use with one client. I can use these triggers to monitor both start and stop times, allowing me to automatically track my billable hours. (Why estimate to the nearest 15 minutes when I can see the exact times that the computer was in use?)

    The tracking doesn't even need to be a global system event. I showed this to one of my coworkers and they immediately put in a tracker around their social media apps. The event contacts the tracking server each time the program starts and stops. Now they know exactly how much time they are wasting online.

    The tracking URLs don't even need to be accessible over the internet. I could have my script contact a local embedded device, like a Raspberry Pi, Arduino, or ESP32, that runs a simple web server. The micro computer can then trigger some event or activity. Personally, I might make one that beeps every hour, so I remember to get up and move around a little. (It's not healthy to sit in one place for hours.) Or maybe have it automatically adjust the room lighting and temperature when it sees that I'm working.

    The Dark Side of Tracking

    While these technologies can be used to track the welfare of elderly friends, they can also be abused. A stalker with access to your computer can use this technique to monitor when you are at the computer. Employers could use them to determine when you are not working.

    Fortunately, you can use the Task Scheduler to see what other tasks are currently on the system. If you see an unexpected task, you can easily disable or delete it.

    On my own systems, I noticed that Google and Microsoft both added event tasks to check for updates. I modified those so that they only run on my home network. (Woo hoo! No more "auto update" while giving a presentation at a conference!) Personally, I don't care how high the risk is that the patch wants to fix; I don't want updates when I'm traveling. When I'm on the road, the risk from a malicious or failed update is almost always worse than the problem being patched.

    Tags: #Privacy, #Network, #Programming


      Here to Help

      pubsub.slavino.sk / hackerfactor · Monday, 2 October, 2023 - 19:49 edit · 10 minutes

    I've been doing a lot of traveling recently. Besides my regular work, I also meet up with friends and inevitably am asked to help them with their computers. Keep in mind, I normally don't do hands-on computer tuning or even deworming. But just as a brain surgeon knows how to set a broken leg, anyone involved in deep computer security knows how to tune preferences and apply patches. In addition, I find it fascinating to see how non-techies use their computers.

    Person #1: Self-Inflicted Wounds

    The first person I assisted was someone who I swore long ago to never assist. Why? Because things always go wrong on his computer. He seems to get a new computer virus every few months. He frequently responds to spam messages, and he can't stop clicking on popup ads. The problem is blame: if you touched his computer recently, then the next problem is your fault -- even if it isn't your fault.

    Although I repeatedly stated that I'd never touch his computer, I did take pity on his non-technical wife. Her job was to provide tech support since none of his friends want to assist him. While I didn't touch the computer, I did talk her through how to make sure the latest patches were applied and how to turn off Microsoft's "personalized" recommendations and ads. This turned up two problems.

    First, I have no problem with him having his own political beliefs. The guy has always leaned far right. However, Microsoft's ads and customized recommendations clearly noticed this and were driving him much further to the right. At his wife's request, I showed her how to turn off the customized recommendations in the start menu, in the bottom search bar, in the browser, etc. Immediately his wife noticed that the computer was running much faster.

    Second, we used Microsoft Windows 11 to "Check for Updates". Oddly, it was just hanging and not returning anything. After digging through logs, we noticed that he had installed MalwareBytes Antivirus. Twenty years ago, MalwareBytes was a good-enough AV system. However, today it lacks many of the advanced protection features found in other AV systems. (In my opinion, you're better off using the default Windows Defender on Windows 11 than using MalwareBytes. Or better yet, switch to Norton or Sophos.) Moreover, Google found over 4 million results for "malwarebytes blocking windows update". It turns out, this is a known problem. We turned off MalwareBytes and immediately saw a long list of necessary and critical OS patches. It took nearly an hour and three reboots to bring the system up to the current patch level. (I don't think the computer had been patched in years.)

    Let me say this very clearly: If your antivirus is blocking critical OS updates, then it's not helping you.

    With MalwareBytes disabled, the default Windows Defender AV system kicked on. We did a deep scan and everything was clean.

    Finally, we looked at the startup applications. He had Spotify running. It started at boot and always ran, playing some far-right propaganda stream. According to his wife, he usually had the speakers turned off because he couldn't figure out how to stop Spotify. I talked her through how to switch it from "always run" to "manual" (starts when needed). Again, the computer seemed much faster.

    When I left there, everything was working well. His wife was pleased. And even the computer's owner said that it was much faster. He also noticed that some of the "clutter" (ads and recommendations) were happily gone.

    This happiness lasted about 2 weeks. Then he called up furious that he had a virus and he blamed me. What we were able to piece together:
    • Windows hit a Patch Tuesday and wanted him to reboot. He didn't want to reboot, so he (very non-technical) tried to back out the patch. (Oh no...)
    • In doing so, he somehow also turned off Windows Defender.
    • Then he wanted to open an attachment from one of his far-right emails. "This program is from an unknown source, do you trust it?" YES! "This wants to access the hard drive, let it?" YES! "This wants to access your contact list, let it?" YES! "This needs to access the network, let it?" YES! He didn't know what all of the prompts were, so he just kept clicking YES, YES, YES until it installed.
    That's right, he did all of the necessary steps for installing malware: he avoided security patches, he disabled his antivirus, and he approved every permission prompt.

    Honestly, some people just can't be helped. Since I'm not able to drop everything and drive a few hundred miles to help him, I suggested that he take the computer to Best Buy's Geek Squad since, if they can't fix the OS, then they can probably help him buy a new computer. (To reiterate: I'm never touching his computer again, even if his family begs me to help. No matter what you do to deter malware, a determined user can always find a way to self-infect.)

    Person #2: Technical Enough

    One of the people I visited isn't a techie, but is very computer literate. (And having hung around me, this person knows enough about computer security to have developed some very good habits.) Again, I started with applying system patches. (Good news: The OS was up to date!) However, the web browsers (Firefox and Chrome) were behind by a couple of updates.

    It turns out, having browsers update often isn't always a good thing. Users get burnt out after too many updates. And frankly, I can see why. If it isn't the OS, Chrome, or Firefox wanting an update, then it's Adobe, Word, or something else. On Windows, there isn't a centralized update method; every application manages its own updates. As a result, there's always something that wants to be updated. You can easily spend more time doing updates than doing actual work.

    Adding to this problem is a lack of convenience. Most programs check for updates when they first start up and then want to install any updates. However, we start the program because we want to start work. Some updates may take minutes or require a system reboot. We don't want to wait for an update to complete before writing or drawing or looking something up. This is a big reason why updates are often skipped. As Person #2 remarked to me, "Why can't it ask me to apply updates when I'm done?"

    Windows 10 and 11 are getting better at the convenience issue. They often try to reboot after work hours. (I occasionally enter my office and notice that the Windows computer rebooted itself overnight.) However, Windows displays an annoying popup that asks if you want to "Reboot now or later?" I'm working now -- why are you bothering me with a popup?

    While Windows tries to be convenient, other programs are not as considerate. On Linux, I've had web browsers crash on me because 'snap' did an update and I didn't restart the browser fast enough. (If Chromium on Linux tells you to restart the browser, then it's best to drop everything and restart immediately.)

    Person #3: Remote Support

    I and one other person often provide remote support for one of my non-technical friends. We have a small Linux box sitting inside their firewall. Either of us can use secure shell (ssh) to log into it and then tunnel VNC to the user's desktop. This is a simple way to provide "remote hands" support.

    For this user, I often respond to inquiries for simple tasks. The most common request is "I forgot how to attach a file to an email." The tiny paperclip icon is too small for their bad eyes to see and it isn't intuitive for this person. (This is a usability failure, not a user-education issue.) Another request is about directories: "Where did it save the file?" With browsers, downloads go into the download directory, but a "save" from the scanner or word processor goes into whatever directory was last accessed. On Windows, the "last accessed" directory is usually a bad default. It doesn't take much effort to remotely login and point out the attachment button or help them navigate to the folder containing their document.

    Using my remote access, I've already disabled all of the personalized ads and recommendations. (This user doesn't do anything with Xbox games. Why does Windows require Xbox to be enabled?) However, as a remote user, I never noticed something that was really obvious the first time I sat at the keyboard: the computer was slow. When accessing it over the network, I just assumed that any delays were due to the network. Nope -- it was really the computer. The hard drive was constantly grinding.

    While visiting in person, I went over the system settings and startup applications. As far as I could tell, Adobe, the AV, and some other apps were looking for updates. Two of the processes were causing an update loop: one checks for updates and the other thinks something changed. Then the second process checks for whatever changed and the first process thinks it needs to check the system again. This was a loop due to battling update systems.

    I changed the Adobe and Chrome "check for updates" background programs from automatic to manual. This broke the loop. (Both still check for updates when you run each program. But they no longer check for updates all the time in the background.) Suddenly the computer was significantly faster and the grinding on the hard drive stopped.

    Common Problems

    While people in the computer security field usually don't have these problems, I saw at least one problem on every single non-technical user's system: constant updates, series of prompts, and software that -- even with constant update checks -- was not being updated. In my opinion, this isn't a user problem. The bad default settings and constant update checks were design decisions that result in usability issues.

    Because of these issues, the software was teaching users the wrong things:
    • Too many updates? Users learn to not update right now, often delaying updates for weeks or longer. Worse: Some applications can block updates. (Poof! The problem of too many updates has stopped! Of course, this makes you infinitely less secure.) And at least one user decided to forcefully back out an essential update.

      In my opinion, the correct solution would be for Windows to provide a central update scheduler rather than requiring every application to manage updates independently. Even if it checks daily, at least it isn't constantly checking. (Of course, standardizing this would require a significant development effort, as well as a specification like an IETF RFC or something from ISO.)
    • Too many prompts? This trains users to always select "yes". Perhaps it would be better to have one prompt that lists all of the required permissions: "This application requires hard drive access, access to your contact list, and network access." This is what Android and iOS do. If developers don't declare permissions up front, then they don't get the permissions. Some permission combinations could even trigger a warning, such as "These access privileges are commonly requested by computer viruses. Are you sure you want to install it?" Or maybe alternate yes/no responses to break the "yes, yes, yes" pattern. A really smart system could force a sandbox until after the program is used a few times in order to establish an access pattern.

      In any case, prompt after prompt after prompt where "yes" means "enable it", is just a fast way to train users how to install malware.
    • Having built-in ads and "personalized recommendations" as a feature in the operating system may be a good way for Microsoft to generate revenue, but it leads to insecurity. Users can't distinguish between spam/malware and an OS "feature". At best, users get annoyed and figure out how to turn it off. At worst, they end up installing malware because they can't tell the difference between an OS-provided ad and a virus ad.
    However, there's one more issue that keeps going around in my head. It takes power and bandwidth to constantly check for updates. Each time I turned things off, the computers became noticeably faster. Extra computational power may result in only a few cents per week of electrical power, but that really adds up when you consider that there are millions of computers all doing these same scans, update checks, and hard drive grinding. I have to wonder how much this extra power, excess bandwidth use, and increased costs for power consumption (both by home computers and the backbone providers) could be reduced if every computer just checked for updates periodically and didn't deal with constant real-time personalized ads. Besides reducing user frustration, it could save money, reduce power needs, and have a real impact on the environment.

    Tags: #Forensics, #Network, #Security