DARPA’s Open Source eVoting Initiative

I’ve never been a fan of the concept of electronic voting. I’m still not a fan of electronic voting.

For the most part the idea that I might cast my vote, walk away from the machine that contains my vote, and not know what happens with that machine afterwards scares me.

How do I know my vote eventually gets counted?

It could be argued that a paper ballot in a ballot box might “go missing” too. Most systems have certain kinds of vulnerabilities, whether they be electronic or otherwise.

But can eVoting be made reliable and verifiable?

With this initiative from DARPA, I’ve moved into the “maybe” column. I’m not convinced, but this is the best concept I’ve heard to date.

It’s worth discussing, and we do need to understand that DARPA is part of the US Department of Defense. How much can we trust that?

As an open source initiative, their work would be able to be closely scrutinized by any interested party. This perhaps means the eventual product they develop can be trusted.

It contains a lot of verification mechanisms to instill confidence in it.

Here is their plan as discussed on the most recent episode of Security Now!



Sunday Nerding: Apollo Guidance Computer

Like many a nerd, not only do I love computers and computing, I also love space exploration.

Today I present a magnificent combination of the two, as a group of what can only be described as massive enthusiasts work at getting an actual Apollo Guidance Computer – (which hasn’t been powered up in around 50 years) – up and running, and executing actual NASA Apollo code.

While this particular unit was never flown into space – (it is understood to be serial number 14, which was used in LTA-8) – it is basically an almost flight-ready prototype.

Is it Huawei or the Highway?

There’s been a lot of discussion lately around whether allowing Huawei telecommunications equipment into major infrastructure is a good idea or not.

Given the company has strong and proven ties to the Chinese military, I don’t think it is even unreasonable to have an honest discussion about the security implications of using their equipment.


However, if we’re going to have such a discussion about their equipment, we should have the entire discussion.

An excellent example is the common HG659 modem/router, in use all over the world, including extensively in Australian premises as part of the National Broadband Network (NBN) rollout.

The HG659 is an extremely popular modem with ISPs, because it is an extremely versatile modem.  It supports both ADSL and VDSL connections, and FTTP connections.  For this reason it is widely deployed in Australia as part of the “multi-technology mix” hodge-podge Malcolm Turnbull turned the NBN into for political reasons, rather than for technology reasons.

Australian ISPs using the HG659 therefore only have to stock one type of modem, and you as the end user just plug it into whatever NBN technology is serving your premises, and the modem self-configures to suit.

Done!

A great number of Australian ISPs use it – (and brand it with their own logos) – see a selection below:

ISPs in other countries also use it:

The use of the HG659 modem is widespread worldwide – including in jurisdictions where the lawmakers are seeking to ban the use of Huawei equipment in telecommunications systems, such as Australia and the United States.

I’ve even read of instances where one Australian ISP appears to have an active backdoor into their private customers’ networks, using the custom firmware in their supplied HG659 modems.

But why ban Huawei in the implementation of 5G networks, but happily welcome them into other significant network infrastructure?

One might argue that having a footprint inside millions of homes is a bigger concern than having them in mobile phone towers – (which can be and are actively monitored by the carriers operating them, and suspicious activity might be detected) – as the vast majority of home users get the modem from their ISP, plug it into the wall and never think about it again.

Monitoring?  Yeah, right.

I think the politicians are clearly – (as is often the case) – trying to make a political point without having any real understanding of what they are talking about.

Huawei may or may not present information or national security issues, but if you’re going to take a stand against them, you cannot and should not be so selective.

Ban them or don’t ban them – but just don’t half-ass your decision.


C64 Resurrection: Project Update 4

Moving along from the teardown in Part 3, I have cleaned up and restored the keyboard and case of my Commodore 64 in preparation for the rebuild into my modern Commodore 64.

Check out Part 4 here!

Also – have you ever wondered if a Commodore 64 can be connected to Wi-Fi and therefore the internet?

Video says “yes”…

C64 Resurrection: Project Update 3

Carrying on from Part 2, during my time off work last week, I also did the teardown of my Commodore 64 in preparation for cleaning and restoration of the case and keyboard, which will be covered in Part 4.

Check out Part 3 here!

Also, check out this amazing two-part restoration of a Commodore 64C, left outside in a field for more than a decade!

Sunday Nerding: Resurrect Your Old C64

Hands up if your first computer was a Commodore 64?

Mine certainly was, but like many examples of this popular computer, it has seen better days. I’m not sure if it even works anymore. The last time I tried it – (about 10 years ago) – the sound chip had failed but otherwise seemed okay.

I would love to get the old beast up and running, but my electronics repair skills are basic at best. Parts for a Commodore 64 are also going to be hard to find.

I don’t even want to think about the state of the mechanical disk drive or tape unit.

Never fear – with the help of modern technology, you can retrofit your old C64 – and it is easier than you might think.

And you know what? I’m going to do it!

Tesla Key Fob Hack – Are We Too Clever?

The recently revealed vulnerability enabling hackers to trivially duplicate Tesla Model S key fobs prompts, in my mind, an interesting technology question.

The Hack in a Nutshell

This does not apply to all Model S vehicles, but in simple terms, using a few hundred dollars of off-the-shelf radio and computer hardware, malicious actors can intercept transmissions from your key fob when nearby.

Using the intercepted data and about two seconds of computational power, they are able to duplicate your key fob.

This allows them to open your Tesla Model S, start your Tesla Model S, and drive your Tesla Model S away.

Noting that the cryptographic keys in use are only 40-bit keys, quoting from the Wired article:

The researchers found that once they gained two codes from any given key fob, they could simply try every possible cryptographic key until they found the one that unlocked the car. They then computed all the possible keys for any combination of code pairs to create a massive, 6-terabyte table of pre-computed keys. With that table and those two codes, the hackers say they can look up the correct cryptographic key to spoof any key fob in just 1.6 seconds.

The High-Tech Solution

To solve this vulnerability, Tesla are recommending a firmware update to the security systems in the Model S.

After unlocking the car and disabling the immobiliser system with the key fob, drivers would now need to enter a PIN on the console of the car before they can start it.

This provides rudimentary two-factor authentication, and is probably a reasonable solution to the problem, albeit lowering convenience for the owner.

Until the hackers figure out how to bypass the PIN code – and if the carrot is dangled, they will try.

Hackers are typically highly intelligent people who crave the challenge.

So, what else could we do?

The Lower-Tech Solution

As humans, how did we cope with unlocking our cars and starting them up before remote key fobs?

We coped, and we coped very well.

People walked up to their cars, and put the key in the door. They got inside and put the key in the ignition, and were on their way.

Why aren’t we still doing this?

Key systems without radio transmitters can still contain security codes, which could be read by the car when the key comes into physical contact with it.

All without broadcasting the security codes for hackers to scan and potentially use against you.

It would be harder to steal your car – and would our lives be that much more difficult if we stepped back to something like this?

Sometimes simple proven ideas are far better for us than fancy new ideas that haven’t been completely thought through.

Sunday Nerding: The Joy Of Data

With the return of my website, I’m also bringing back my “Sunday Nerding” series. I try to sit down every Sunday and watch something truly interesting, and typically nerdy. I don’t and won’t manage it every Sunday, but it’s a ritual I enjoy during my weekend downtime.

First up, a fascinating BBC documentary from 2016 about data, data collection, and how it can, how it does, and how it will continue to change the world we live in.


HTTPS Is The New Black

With the advent of modern web browsers flagging all non-HTTPS web traffic as “not secure”, I have a few tips on what to do if you are running a website. Google announced the change some months ago, and Mozilla is following suit with their key products also.

If you are running a website, and you don’t run HTTPS and don’t enforce HTTPS by default, this affects you.

You need to fix it.

Modern web browsers typically upgrade themselves automatically. As such, all of your users will soon receive warnings that show your HTTP website as being “not secure”. They are going to complain.

What are HTTP and HTTPS?

HTTPS is a secure, encrypted version of the original HTTP protocol, instigated by Tim Berners-Lee. When he started developing the world wide web in the early 1990s, the security of the transmission of the data wasn’t considered too important.

Not many people were on the internet, and most of the people who were were considered “trustworthy”.

This has changed. HTTPS basically takes HTTP and wraps it up in an encrypted stream of data, designed to prevent snooping of the traffic as it crosses the internet. The switch to HTTPS is absolutely the “new black” of the internet.

One of the biggest barriers to HTTPS uptake has been the cost of obtaining SSL certificates. They can and do cost several hundreds of dollars for certificates that expire – (typically) – every two years. Such costs are prohibitive for many people, particularly bloggers and small businesses who can’t justify that cost.

The solution?

Along came Let’s Encrypt, an issuer of free SSL/TLS certificates and sponsored by many industry heavyweights.

The arrival of Let’s Encrypt has sparked a massive surge in the uptake of HTTPS by websites, and now more than half of the webpages on the internet are available using HTTPS. This is a huge win for internet users, keeping their communications encrypted and secure when browsing sites with HTTPS switched on.

And because their certificates are free, the barriers holding many people up from making the switch are mostly gone. They do expire every 90 days, but most web hosting companies have embraced them, and have automated mechanisms for the renewal of the certificates without human intervention.

What should I do?
  • If you are hosting and managing your website on your own servers, you probably have the smarts to use Let’s Encrypt to set up the certificates and make the necessary changes to the configuration of your web server yourself. Follow the information in their documentation.
  • If you are hosting your website on the servers of the company you are working for, contact your local systems administrators and seek their assistance.
  • If you are hosting your website on the servers of a web hosting company, contact their service desk team and seek their assistance.

An Important Mistake Not To Make

I recently got into a (somewhat heated) online discussion about the right and wrong ways to implement HTTPS. A common mistake I have seen is where the HTTP content of the website and the secured HTTPS content are served from the same document root.

This is bad.

Even if you move to HTTPS, and your content is still available via HTTP, people can still be directed to your site via HTTP. Old links to your site from someone else’s site can send your visitor via HTTP. This leaves them using HTTP for their entire visit.

Ensure that you ONLY serve your content via HTTPS. Point the “HTTP version” of your website to a different document root. From that document root, redirect all HTTP requests to the HTTPS document root.

Here’s how I do it – (note that this is for an Apache web server with PHP):

Firstly, in the exclusive HTTP document root, place an “.htaccess” file with the following content:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

This serves to send every single request, regardless of the full URL, to the file “index.php”. This file should contain the following (inside normal PHP start and finish tags):

@header("Location: https://michaelwyres.com.au".$_SERVER['REQUEST_URI']."",TRUE,301);

This will ensure that all requests to “http://michaelwyres.com.au/whatever-url/” are picked up and sent to “https://michaelwyres.com.au/whatever-url/”, including pages that do not exist.

In this way, if inbound links are still listing HTTP, or your visitor explicitly requests HTTP, it will be trapped and dumped to the HTTPS version of your site. It becomes impossible for people to browse your content using HTTP.
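
To confirm a site actually behaves this way, the check below classifies what a plain-HTTP request returned. It is an added example, not code from the original post. The host example.com, the verdict names and the sample observations are constructed for illustration, and accepting 308 alongside the 301 used above is an assumption.

```python
from urllib.parse import urlsplit

PERMANENT = {301, 308}  # the post uses 301; 308 is accepted here as an assumption


def audit_redirect(http_url, status, location):
    """Classify one plain-HTTP response against the redirect-only policy."""
    src = urlsplit(http_url)
    if 200 <= status < 300:
        return "served-over-http"   # shared document root: content readable over HTTP
    if status not in PERMANENT:
        return "not-permanent"      # e.g. a 302 instead of the 301 described above
    dst = urlsplit(location or "")
    if dst.scheme != "https":
        return "not-https"          # redirect never leaves HTTP
    if dst.netloc.lower() != src.netloc.lower():
        return "host-changed"
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        return "path-lost"          # old deep links end up on a different page
    return "ok"


# Constructed sample observations: (requested URL, status, Location header).
SAMPLES = [
    ("http://example.com/blog/post?id=7", 301, "https://example.com/blog/post?id=7"),
    ("http://example.com/blog/post?id=7", 200, None),
    ("http://example.com/blog/post?id=7", 302, "https://example.com/blog/post?id=7"),
    ("http://example.com/old-link/", 301, "https://example.com/"),
    ("http://example.com/does-not-exist", 301, "http://example.com/does-not-exist"),
]


def audit_samples():
    """Return the verdict for each constructed sample, in order."""
    return [audit_redirect(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, audit_samples()):
        print(f"{verdict:17} {sample[0]} -> {sample[1]} {sample[2]}")
```

Feed it the status and Location header from requests made without following redirects; anything other than "ok" means some content or link path is still reachable or mishandled over HTTP.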