#qi-hardware IRC log for Tuesday, 2015-09-22

02:39 <kristianpaul> wpwrak: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Speaker%20%20Workshop%20Materials/Lin%20Huang%20&%20Qing%20Yang/DEFCON-23-Lin-Huang-Qing-Yan
02:39 <kristianpaul> g-GPS-Spoofing.pdf
02:39 <kristianpaul> argh
02:41 <kristianpaul> https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Lin%20Huang%20&%20Qing%20Yang/DEFCON-23-Lin-Huang-Qing-Yang-GPS-Spoofing.pdf
02:42 <kristianpaul> wpwrak: http://navspark.mybigcommerce.com/navspark-mini-uart-to-usb-adapter/ if you want to give it a try..
02:42 <kristianpaul> it's a freebie
02:46 <kristianpaul> now this module has GLONASS, so better chances to avoid spoofing
04:47 <kristianpaul> and since you can talk with the gps, there is an open room for location spoofing detecto
04:48 <kristianpaul> s/defecto/detection
05:52 <DocScrutinizer05> how is GLONASS more hardened against spoofing? (btw I wonder what's the use case to have geolocation-locked keys anyway)
05:56 <DocScrutinizer05> actually GNSS spoofing should be pretty simple, at least for the civil unencrypted part. I'm not sure how secure the SA-encrypted part would be, but taking into account how they brought down some drones I'd think nobody ever thought about anybody being that bold as to fake GPS signals ;-P Same as it ever was. See GSM and every other infra, where usually the authorities-controlled infra has been considered secure-per-se and nobody thought
05:56 <DocScrutinizer05> about proper authentication of servers, only about authentication of clients
06:01 <DocScrutinizer05> but honestly I'm just pissed enough when it comes to GNSS-based geolocation *assistance* to find the next bus stop and the time schedule of the bus there. For the life of me I couldn't figure out a use case scenario where I want a crypto solution *relying* on geolocation
06:05 <DocScrutinizer05> switching to another sorting sequence (locally most recently used key first) in the UI list of keys is all I could come up with as a use case for GNSS in Anelok
06:08 <DocScrutinizer05> implementing OPIE, and proper URL detection support, and even challenge-response auth via optical means to read out a QR code or similar on screen, in Anelok sounds way more useful
06:12 <DocScrutinizer05> for URL detection on arbitrary webpages via a dedicated server that exploits $referrer I think I already suggested some details, which would make for a really great unique selling point for Anelok
06:15 <DocScrutinizer05> F6; 'anel.ok' ENTER; <point Anelok at the QR code appearing on screen until the display is flashing (detected QR)>; ENTER - or back button (to return to the previous page that requested a password entry)
06:16 <DocScrutinizer05> dunno if that would actually work that flawlessly to return to an input mask with multiple textboxes that way
06:17 <DocScrutinizer05> alas nope, it clears the already filled-in values in such multi-textbox forms
06:20 <DocScrutinizer05> so your Anelok not only needs to store the password value but actually should play back the complete set of values needed for that form, or you need to do the F6 etc. dance as soon as you enter such a webpage that eventually needs a password
06:21 <DocScrutinizer05> e.g. when you log in where also a captcha is needed, you first go to anel.ok and THEN return to the page, fill in captcha, username and password
06:37 <DocScrutinizer05> wtf? .ok TLD not registered yet?
06:38 <whitequark> I wonder when they register the .exe TLD
06:39 <DocScrutinizer05> either someone grabbed it and it's not easy to find out about the fact, or there must be some special quirks with .ok. Anyway for anelok there's still everything from a.nelok to ane.lok
06:44 <DocScrutinizer05> apropos... (not really, since it's not exactly .exe...) could it fly to make anelok serve an HTTPS:// page that serves as a framework for automatically detecting and providing passwords? I.e. you would open this https://anelok page (ideally served from the anelok dongle itself?? file://usb:index.html ?) and then enter the URL of your online banking site or whatever and anelok detects it automatically?
06:45 <whitequark> no, that would be an XSS vulnerability
06:45 <DocScrutinizer05> :nod:
06:46 <DocScrutinizer05> though, maybe not really when the anelok page first tells the anelok dongle about the URL and then properly does a forward to that page
06:47 <whitequark> you can't enter a password like that
06:47 <whitequark> hell, it's often hard to enter a password if you have a legit password manager, because banks are stupid
06:48 <DocScrutinizer05> no, I'm not planning to enter the password like that. Anelok already has means to enter a password, either by reading it from the display and manually typing it, or by playback when anelok emulates a keyboard
06:49 <DocScrutinizer05> I'm just thinking about making anelok aware of the required password
06:49 <DocScrutinizer05> once you've got 30 or 50 passwords stored on anelok, it becomes a PITA to select the one you need right now
06:50 <DocScrutinizer05> anelok knowing about the URL you are just looking at would be a great hint to offer the right (set of) password(s to select from)
06:52 <DocScrutinizer05> *entering* the password is a completely unrelated issue
06:53 <whitequark> ah, yeah, that works
06:54 <DocScrutinizer05> ok, when you connect anelok between PC and keyboard like a keylogger then it of course has no problem guessing which password you might need now (unless you used the mouse to click on bookmarks or the like)
06:57 <DocScrutinizer05> then otoh bookmarks make my formerly sketched approach fail as well
06:57 <whitequark> um, yes, of course I would not ever type the full URL there
06:58 <whitequark> cli<TAB>ck.alfabank.ru is how I always do this
06:58 <DocScrutinizer05> but for the (rather common) situation where anelok is just another USB dongle and the keyboard is connected directly to the PC, it might work
06:58 <whitequark> not to mention you have no clue what the context is
06:58 <whitequark> imagine sending someone a link to google.com and having anelok enter your google password?
06:59 <whitequark> and you also don't know what the keyboard layout is
06:59 <DocScrutinizer05> anelok never *automatically* adds a password
06:59 <whitequark> ok, the two other issues still stand
06:59 <DocScrutinizer05> for the keylogger the layout is a pest, yeah
07:00 <DocScrutinizer05> for the ... lemme call it "URL input screen" the layout is irrelevant
07:01 <DocScrutinizer05> but of course it won't fly when you enter the URL in the address field of the browser directly
07:01 <whitequark> you can surely use a browser extension
07:01 <DocScrutinizer05> heck, we need OCR in anelok ;-D
07:01 <whitequark> Chrome now has WebUSB
07:01 <whitequark> so you don't even have to pretend that you're a webpage
07:01 <DocScrutinizer05> sounds good
07:02 <DocScrutinizer05> except for "crome"
07:02 <whitequark> Chromium and Firefox too
07:02 <DocScrutinizer05> chrome even
07:02 <DocScrutinizer05> ooh
07:03 <whitequark> Firefox is not really there yet, but it will probably be at some point
07:03 <whitequark> in Chromium that's usable right now, Yubikey uses it
07:03 <DocScrutinizer05> I guess 'installing' such a plugin is still quite some overhead, not competitive with the fiddly picking of the right password from anelok's UI directly?
07:03 <whitequark> why? you could make it as light as the browser's builtin autocomplete
07:03 <whitequark> you can do whatever you want with the webpages
07:04 <whitequark> from a plugin
07:04 <DocScrutinizer05> err, do plugins autoinstall?
07:04 <whitequark> no
07:04 <DocScrutinizer05> as soon as you plug in anelok?
07:04 <whitequark> but you only have to install it once
07:05 <DocScrutinizer05> yes, but that's not the point. For one-time installation the stuff to install can get arbitrarily complex. But that's not really the major use case for anelok, I'd use a software password keeper for that then
07:05 <whitequark> ah, hm
07:06 <DocScrutinizer05> anelok's primary use case is on-the-go
07:06 <whitequark> right. you would want a composite device: expose a keyboard and a CDC-Ethernet
07:07 <DocScrutinizer05> well, maybe not. Maybe it's "use anelok at home and you're ready for OTG"
07:07 <whitequark> of course you will immediately bump into various computers not allowing installation under an unprivileged user
07:07 <DocScrutinizer05> yep
07:07 <DocScrutinizer05> anyway, time to have that walk to my appointment
07:08 <DocScrutinizer05> both for the appointment as well as for the "start my day" and "have a fine walk"
07:08 <DocScrutinizer05> and the "get a break from PC"
07:09 <DocScrutinizer05> :-)
07:09 <DocScrutinizer05> BBL
13:21 <wpwrak> whitequark: (webusb) hmm, so a device - e.g., a password safe - isn't expected to be able to protect itself. that doesn't sound too nice.
13:24 <wpwrak> ah, you guys were already discussing anelok :)
13:28 <wpwrak> so far, I've been thinking of using hidapi for such things. but webusb could be a nice alternative
13:43 <wpwrak> I wonder what the "origin" of a browser plugin would be. e.g., if you install a plugin from anelok.com and that plugin becomes active when visiting fakebook.com/login, would a webusb device have to permit one of anelok.com and fakebook.com, or maybe both ?
13:58 <DocScrutinizer05> don't ask me, no clue about that stuff
14:01 <DocScrutinizer05> what do you think of a mail like that (excerpt, source text. The HTML alternative part stub at the end looks extremely fishy... I truncated it, it is 100 times as much of the same gibberish)  http://paste.opensuse.org/31289181
14:04 <wpwrak> new task card: https://gitlab.com/anelok/doc/wikis/Task_webusb
14:06 <wpwrak> Received: from unknown (HELO ns.km20319-04.keymachine.de)  hmm :)
14:07 <DocScrutinizer05> yep
14:07 <wpwrak> I guess it would be interesting what is behind "Verifizierung jetzt durchführen" (German: "perform verification now")
14:07 <wpwrak> in any case, if there is something amiss, you ought to be able to see it on your account
14:08 <DocScrutinizer05> I wasn't able to parse that shit and I don't dare to try to hand it to a web browser
14:08 <DocScrutinizer05> on the account there was no new doom announced
14:08 <wpwrak> or just ask support whether ns.km20319-04.keymachine.de is anything they use
14:09 <DocScrutinizer05> hmm, you think 30 minutes of elevator muzak is worth it? I guess they can't answer such a question
14:09 <wpwrak> don't they have mail or form access ?
14:10 <DocScrutinizer05> err, well. Prolly they have a web form to contact them
14:10 <wpwrak> you could also check if any other mails from paypal.com came from similar-looking sources
14:10 <DocScrutinizer05> THAT is a nice idea
14:12 <DocScrutinizer05> Received: from mx0.slc.paypal.com ([173.0.84.225]) by mx-ha.web.de (mxweb001)
14:20 <DocScrutinizer05> ok, I found other similar rogue mails in my inbox, all with wrong addressee and the same gibberish HTML code inside
14:21 <DocScrutinizer05> thanks!
14:23 <wpwrak> bastards. where are extrajudicial executions when we need them ? :)
14:30 <DocScrutinizer05> one mail was a fake payment notification which claimed I'd have paid for a car or somesuch, or car parts
14:35 <wpwrak> hehe :)
14:35 <DocScrutinizer05> SICELO arrived \o/
14:36 <wpwrak> have fun ! :)
00:00 --- Wed Sep 23 2015

Generated by irclog2html.py 2.9.2 by Marius Gedminas - find it at mg.pov.lt!