Slashdot Mirror


A $5 Tool Called PoisonTap Can Hack Your Locked Computer In One Minute (vice.com)

An anonymous reader quotes a report from Motherboard: A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks. Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there's a browser open in the background. Kamkar explained how it works in a blog post published on Wednesday. And all a hacker has to do is plug it in and wait. PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it's plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer to send all traffic to it. Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar. Security experts that reviewed Kamkar's research for Motherboard agreed that this is a novel attack, and a good way to expose the excessive trust that Mac and Windows computers have in network devices. That's the key of PoisonTap's attacks -- once what looks like a network device is plugged into a laptop, the computer automatically talks to it and exchanges data with it.

172 comments

  1. News at 11 by Anonymous Coward · · Score: 5, Informative

    Physical access to equipment trumps (Trumps, heheheh!) almost all security. News at 11.

    1. Re:News at 11 by lucm · · Score: 5, Insightful

      Physical access, browser running, and it only works if you use cookies on sites that don't require SSL.

      At that point it's probably best to invest that $5 in a box-cutter and force the user to give you their password.

      --
      lucm, indeed.
    2. Re:News at 11 by hcs_$reboot · · Score: 1

      Indeed. Boot the pc on a USB Linux, mount the computer disk, enjoy.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:News at 11 by Anonymous Coward · · Score: 0

      trump [ verb \trmp\ ] : to disrupt, throw into chaos; to reverse previous gains or invalidate previously-held axioms in an unexpected manner.

      Physical access to equipment trumps almost all security.

      Yep, sounds like a good candidate for submission to the dictionaries.

    4. Re:News at 11 by Anonymous Coward · · Score: 0

      AND it only works if your PC is set up to connect to any open network using any random hotplug NIC. If my PC was set up like that I'd be worried about far more serious attack vectors.

    5. Re: News at 11 by Anonymous Coward · · Score: 0

      Your dictionary is fucking shit.

      http://www.dictionary.com/browse/trump

      The non-card definitions of the word "trump" are:
      (noun)- A fine person, brick
      (verb)- To excel; surpass; outdo

      Honestly, whoever is writing the story we are living in is kind of a hack. I mean:
      https://en.m.wikipedia.org/wiki/Donald

      His name LITERALLY means, Ruler of the world, given by God, Excelling. That's up there with Hiro Protagonist.

    6. Re:News at 11 by Anubis+IV · · Score: 2

      and it only works if you use cookies on sites that don't require SSL.

      You mean, except for the part where they are able to hijack any site that uses Google's, jQuery's, or other scripting CDN by replacing the legit Javascript with a version that opens a persistent connection to the attacker's server, through which they can serve up anything to your browser? Or the part where they strip out a whole slew of HTTP header security features by serving up fake, insecure versions that they tell your browser to perma-cache for every single one of the Alexa top 1,000,000 sites? Or the part where they open virtually every site up to cross-site scripting attacks by tricking your browser into thinking that the hidden iframes they're now secretly loading whenever you visit any site belong to that site?

      But you're quite correct. They can't get properly secured cookies. Thank goodness for that small mercy.

    7. Re:News at 11 by Anubis+IV · · Score: 2

      It's the default setting for every major OS, apparently. It exploits a weird quirk where it claims the entire Internet is part of its LAN, which causes it to get priority over any existing connections to the Internet you might have, since they'll all be via WAN. It won't work on any computer, but it will work on most.

    8. Re:News at 11 by sithlord2 · · Score: 1


      Not really. Even when SSL is used, a redirect to HTTP can be forced. If the cookie doesn't have the "Secure" flag, it will happily send the cookie over HTTP in this case.

      --
      ...You are over-qualified and under-paid. If we give you a raise, we will break the cosmic balance of the universe.
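
Added example (not part of the thread or of PoisonTap's code): the point sithlord2 makes above, written as a check a site owner can run over their own responses. It parses `Set-Cookie` headers and reports which cookies a browser would still attach to a plain `http://` request; the header values, cookie names and `example.test` domain are constructed for illustration.

```python
"""Audit Set-Cookie headers for cookies that would travel over plain HTTP."""

# Constructed sample: Set-Cookie values as they might appear in one HTTPS response.
SAMPLE_HEADERS = [
    "sessionid=9f2c; Path=/; HttpOnly",                       # no Secure flag
    "csrftoken=ab12; Path=/; Secure; SameSite=Strict",
    "prefs=dark; Domain=example.test; Path=/; Max-Age=31536000",
    "__Host-auth=77aa; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive, so they are lower-cased. Flag
    attributes such as Secure and HttpOnly are stored with the value True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit(headers):
    """Return (cookie name, finding) for every cookie lacking the Secure flag."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            continue  # browser only sends this cookie over HTTPS
        note = "missing Secure"
        if "httponly" in attrs:
            # HttpOnly only blocks script access; it does nothing on the wire.
            note += "; HttpOnly hides it from scripts, not from the network"
        if "domain" in attrs:
            # A Domain attribute widens the scope to every subdomain as well.
            note += "; also sent to subdomains of " + attrs["domain"]
        findings.append((name, note))
    return findings


def sent_over_http(headers):
    """Names of the cookies a browser would attach to an http:// request."""
    return [name for name, _note in audit(headers)]


if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE_HEADERS):
        print(f"{cookie}: {finding}")
```
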
    9. Re:News at 11 by Anonymous Coward · · Score: 1, Informative

      It won't work on any computer but Microsoft Windows computers. It is like the autoexec cd-rom all over again.

      If they want to make it work on ALL computers, they need to use an Ethernet interface.

    10. Re:News at 11 by Anonymous Coward · · Score: 1, Funny

      > Major OS

      > It won't work on any computer but Microsoft Windows computers.

      That's what he said.

    11. Re:News at 11 by vinlud · · Score: 1

      Forcing with a box-cutter at least gives the user the knowledge they've been compromised, so not really the same thing.

      --
      Repeat after me: We are all individuals
    12. Re: News at 11 by Anonymous Coward · · Score: 0

      But it IS one. Or at least it looks like one to the system under attack.

    13. Re:News at 11 by jarran · · Score: 1

      Indeed. Also: How worrying is it that there are people here who think that an attack that doesn't involve threatening another person with violent assault offers no advantages over one that does?

    14. Re:News at 11 by Gadget_Guy · · Score: 2

      It won't work on any computer but Microsoft Windows computers.

      Blind hope that your choice of operating system is safe is the worst form of security. From the article:

      PoisonTap emulates an Ethernet device (eg, Ethernet over USB/Thunderbolt) - by default, Windows, OS X and Linux recognize an ethernet device, automatically loading it as a low-priority network device and performing a DHCP request across it, even when the machine is locked or password protected

    15. Re: News at 11 by Anonymous Coward · · Score: 0

      His name LITERALLY means, Ruler of the world, given by God, Excelling. That's up there with Hiro Protagonist.

      In England "Trump" means fart.

    16. Re:News at 11 by Anonymous Coward · · Score: 1, Informative

      https://samy.pl/poisontap/

      Creator demonstrates with his own Mac.

    17. Re:News at 11 by Anonymous Coward · · Score: 1


      PoisonTap emulates an Ethernet device (eg, Ethernet over USB/Thunderbolt) - by default, Windows, OS X and Linux recognize an ethernet device, automatically loading it as a low-priority network device and performing a DHCP request across it, even when the machine is locked or password protected

      The real test will be to see which OSes get patched first.

    18. Re:News at 11 by Anonymous Coward · · Score: 0

      It won't work on any computer but Microsoft Windows computers.

      Blind hope that your choice of operating system is safe is the worst form of security. From the article:

      PoisonTap emulates an Ethernet device (eg, Ethernet over USB/Thunderbolt) - by default, Windows, OS X and Linux recognize an ethernet device, automatically loading it as a low-priority network device and performing a DHCP request across it, even when the machine is locked or password protected

      Yeah, so you either don't use DHCP, configure dhcpcd/dhclient to limit it to certain devices, or run dhclient manually whenever you need Internet access. On Linux I'd say it's easier to configure, at least on my non-systemd system running Void Linux.

    19. Re:News at 11 by Anonymous Coward · · Score: 0

      And the MITM using a USB emulating ethernet isn't new either. This is complete non-news.

    20. Re: News at 11 by Anonymous Coward · · Score: 0

      Well in French, trump is very close to the verb tromper which means mislead, cheat, deceive, ...

    21. Re:News at 11 by Anonymous Coward · · Score: 1

      Why a $5 box-cutter instead of a wrench and some drugs?

    22. Re:News at 11 by ilsaloving · · Score: 4, Insightful

      It's basically a MITM attack. There's no difference between this and using a malicious network router. In fact, that's exactly what this is. The only difference is that you're connecting directly to the computer and pretending to be a network adapter rather than it being something upstream.

      If a malicious actor has physical access to your PC, then this is the *least* of your worries. There are all sorts of things that could be done.

    23. Re:News at 11 by lucm · · Score: 5, Funny

      If a malicious actor has physical access to your PC, then this is the *least* of your worries.

      True. I don't even want to think about what Russell Crowe would do if he had physical access to my computer.

      --
      lucm, indeed.
    24. Re:News at 11 by lucm · · Score: 1

      So if you had to choose you'd prefer to be box-cutted than quietly hacked?

      --
      lucm, indeed.
    25. Re:News at 11 by kuzb · · Score: 1

      ...which is why in the demonstration videos he's running it on a mac....

      --
      BeauHD. Worst editor since kdawson.
    26. Re:News at 11 by Anonymous Coward · · Score: 0

      Physical access is root access.

    27. Re:News at 11 by Anonymous Coward · · Score: 0

      lucm blows it https://hardware.slashdot.org/... on simple stuff hahahaha

    28. Re:News at 11 by ilsaloving · · Score: 1

      It's times like this I wish I could mod posts on the same article I posted a comment on.

    29. Re:News at 11 by unrtst · · Score: 1

      Indeed. Boot the pc on a USB Linux, mount the computer disk, enjoy.

      ... and risk getting stuck at bios password. Get around that and get stuck at disk encryption password (usb boot not enabled). Re-enable usb boot in bios and unable to mount encrypted disks. Or, stick this thing in a usb port for a bit and get access to everything remotely thereafter. Never reboot a box if you can avoid it.

    30. Re:News at 11 by Anonymous Coward · · Score: 0

      We see what happens when you get on a computer hahaha. lucm blows it again https://hardware.slashdot.org/...

    31. Re:News at 11 by Anonymous Coward · · Score: 0

      lucm apk hacked you to bits! Your tech blunder provided him a box cutter to do it hahahahaha https://hardware.slashdot.org/... but don't worry. After all you hide behind a FAKE NAME ONLINE to hide your FAKE LIFE so it's all good. You're a human fail. We understand.

    32. Re:News at 11 by Anonymous Coward · · Score: 0

      I suspect your target is more likely to notice the box-cutter hack than the itty-bitty dongle at the back of their PC.

    33. Re:News at 11 by epine · · Score: 1

      Blind hope that your choice of operating system is safe is the worst form of security. From the article:

      When you deliberately choose an operating system so inconvenient by default that it's not even part of the mainstream conversation, it's hardly blind hope.

      USB Tethering: How to auto-configure?

      I have an LG G2 phone that can share its mobile internet via USB tethering. FreeBSD 9.3 recognizes it, but does not automatically obtain an IP address via DHCP and set it to the default route when I enable USB tethering on my device. Is there any way to do that? Just like under Windows.

      I'm guessing, on the basis of that final sentence, he hadn't been bumping along on the BSD anti-bandwagon for very long.

      Convenience, the simple recipe:
      * mise en place: read everything Bruce Tognazzini ever wrote, back in the era where Apple still provided some modicum of external justification for random UI tweak of the randomly selected mountain
      * blend into one long, hard night of inspired coding
      * activate brew with one generous Pandora's box jigger of "assume trust"
      * ladle up hot, attractive mess
      * serve steaming

    34. Re:News at 11 by tlhIngan · · Score: 2

      The real test will be to see which OSes get patched first.

      The problem is HOW do you patch it.

      It's going to involve a heavy user space network manager to do it, because the way it works the simple routing engine the kernels have is the root cause.

      You also need to consider that you may be connected to WiFi, and Ethernet devices always have routing priority over WiFi (being wired, the metric of connection is lower than WiFi) in practically every OS.

      Then you have to consider the ethernet device might already be there - laptops and servers and desktops may have spare ethernet ports that are not connected so it'll be trivial for an attack like this to use Ethernet instead of USB. Servers may be trivially secured by having inactive ports blacked out, but laptops may migrate between WiFi and Ethernet on a rather frequent basis, or even attached to different networks simultaneously (work laptop is connected to work network via Ethernet, but also via guest WiFi to bypass work network firewall blocks).

      You might get away with limiting how "wide" your LAN is - after all, there is a practical limit to how big your local Ethernet segment can be before it collapses from the sheer load. Perhaps you can modify the DHCP client to reject anything saying you have more than 65535 devices on the local segment (i.e., you cannot accept anything more than a /16). This seems like the only practical way to do it without basically rewriting every network assumption since the 70s.

    35. Re:News at 11 by Cramer · · Score: 1

      Correction: It "pretends" to be HALF the internet. 1.0.0.0/128.0.0.0 to be exact.

    36. Re:News at 11 by Anubis+IV · · Score: 1

      That's not what the original blog post said:

      PoisonTap responds to the DHCP request and provides the machine with an IP address, however the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 - 255.255.255.255) is part of the PoisonTap’s local network, rather than a small subnet (eg 192.168.0.0 - 192.168.0.255)

    37. Re:News at 11 by Cramer · · Score: 1

      His videos and animations show a netmask of 128.0.0.0. I don't know of any dhcp clients that will accept a 0.0.0.0 netmask. Also, his github repo doesn't include any of his system setup -- eg. the dhcp server configuration.
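
Added example (not from the thread, the PoisonTap repository, or any DHCP client): tlhIngan's proposed rule of refusing any lease wider than a /16, applied to the two netmasks debated above, together with a small longest-prefix route lookup showing why such a lease draws traffic away from an existing default route. Interface names, metrics and addresses are constructed, and the metrics assume a wired link is preferred over Wi-Fi, as tlhIngan describes.

```python
"""Reject DHCP leases whose on-link network is implausibly wide."""
import ipaddress

MIN_PREFIX = 16  # narrowest acceptable prefix length (the /16 ceiling proposed above)


def mask_to_prefix(mask):
    """Convert a dotted netmask to a prefix length; reject non-contiguous masks."""
    m = int(ipaddress.IPv4Address(mask))
    inverted = m ^ 0xFFFFFFFF
    # A valid mask is ones followed by zeros, so its inverse is 2**k - 1.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return bin(m).count("1")


def connected_network(ip, mask):
    """The on-link network an interface gets from an offered address and mask."""
    return ipaddress.ip_network(f"{ip}/{mask_to_prefix(mask)}", strict=False)


def lease_is_acceptable(ip, mask, min_prefix=MIN_PREFIX):
    """True only if the offered mask is valid and no wider than min_prefix."""
    try:
        return connected_network(ip, mask).prefixlen >= min_prefix
    except ValueError:
        return False


def pick_interface(routes, dest):
    """Longest-prefix match; ties are broken by the lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _net, _metric, iface = max(matches, key=lambda r: (r[0].prefixlen, -r[1]))
    return iface


# Constructed routing table of a laptop on Wi-Fi: (network, metric, interface).
WIFI_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), 600, "wlan0"),    # default route
    (ipaddress.ip_network("10.0.0.0/24"), 600, "wlan0"),  # the real LAN
]


def routes_after_lease(routes, ip, mask, iface="usb0", metric=100):
    """Routing table as it would look if the lease were accepted unchecked."""
    return routes + [(connected_network(ip, mask), metric, iface)]


if __name__ == "__main__":
    # Constructed offers: a normal /24, then the two masks discussed in the thread.
    offers = [("192.168.0.23", "255.255.255.0"),
              ("1.0.0.10", "128.0.0.0"),
              ("1.0.0.10", "0.0.0.0")]
    for ip, mask in offers:
        verdict = "accept" if lease_is_acceptable(ip, mask) else "reject"
        table = routes_after_lease(WIFI_ROUTES, ip, mask)
        # Arbitrary destinations in the lower and upper half of IPv4 space.
        print(ip, mask, verdict,
              pick_interface(table, "23.0.0.1"),
              pick_interface(table, "203.0.113.7"))
```

With the 128.0.0.0 mask only destinations below 128.0.0.0 leave via the new interface, which matches the "half the internet" observation; with 0.0.0.0 the outcome depends on the metric tie-break. In both cases the genuinely local 10.0.0.0/24 stays on Wi-Fi because its prefix is longer.
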

    38. Re:News at 11 by Agripa · · Score: 3, Funny

      The real test will be to see which OSes get patched first.

      The problem is HOW do you patch it.

      It is easy. Do what Apple does and remove the ports while requiring users to buy new systems.

    39. Re: News at 11 by Anonymous Coward · · Score: 0

      Pretty sure that these days we put a long Id string on all the USB drives anyway. No id match, no play. I do expect you need a decent OS to come out of the box with that being a requirement. Similar for plugging in new network devices that were not there at boot.

      Linux has to be seen as a major OS and SE is supposed to be secure. Do you have to be an expert to make it that way?

    40. Re:News at 11 by Anonymous Coward · · Score: 0

      A physical attack is always a TRY. You TRY to attack me with box-cutters ... and I try to blast yo face with my 357-cal DW. I may shoot you down in the lobby ( before attack ) just because you look slimy like a perp!

  2. What the fuck? by 110010001000 · · Score: 0

    Is this seriously a story? You don't even need a device to plug in to do this. Why would there need to be a browser open in the background? What the fuck is "Motherboard"? Fucking hipsters.

    1. Re:What the fuck? by Anonymous Coward · · Score: 0

      Is this seriously a story? You don't even need a device to plug in to do this. Why would there need to be a browser open in the background? What the fuck is "Motherboard"? Fucking hipsters.

      Because it steals your browser's cookies.

      Yipppeeeee! What a hack! We're back to stealing unencrypted cookies from web browsers.

    2. Re:What the fuck? by FatdogHaiku · · Score: 1

      Because it steals your browser's cookies.

      It's a Monster!
      A Cookie Monster!!!
      Also, a guy was sighted near or in a trash can...
      said trash can may actually be a giant cantenna!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    3. Re:What the fuck? by Anonymous Coward · · Score: 0

      Because it steals your browser's cookies.

      It's a Monster!
      A Cookie Monster!!!
      Also, a guy was sighted near or in a trash can...
      said trash can may actually be a giant cantenna!

      Proof that this Kamkar guy is not another useless African nig-nog.

    4. Re:What the fuck? by Anonymous Coward · · Score: 0

      Modded insightful for your expert use of the word fuck and hipsters

    5. Re:What the fuck? by Anonymous Coward · · Score: 1

      Is this seriously a story? You don't even need a device to plug in to do this. Why would there need to be a browser open in the background? What the fuck is "Motherboard"? Fucking hipsters.

      This is a valid attack that could be executed on just about any corporate desktop sitting idle and locked, since most corporate desktops still run Windows and users still maintain elevated rights to support antiquated corporate software.

      You might realize this if you were in charge of more than your porn server in your mothers basement.

    6. Re:What the fuck? by Anonymous Coward · · Score: 1

      c'mon, "however the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 - 255.255.255.255) is part of the PoisonTap’s local network" eg telling a pc that the entire ip4 space is LAN to gain priority over installed adapters is frigging genius,

  3. Kamkar is a foreign name by Anonymous Coward · · Score: 0

    Someone should inform Trump of this immediately. Kamkar is a foreign sounding name, he should be deported immediately. Put Steve Bannon on it right away!

    That'll fix it!

    What do you mean, he's already sacked Bannon?? That was quick.

    1. Re:Kamkar is a foreign name by amiga3D · · Score: 0

      The White House will be the site of the new Apprentice reality show starring President Trump. I expect a lot of firing and hiring. It should be interesting.

    2. Re:Kamkar is a foreign name by BlueStrat · · Score: 1

      Someone should inform Trump of this immediately. Kamkar is a foreign sounding name, he should be deported immediately. Put Steve Bannon on it right away!

      That'll fix it!

      What do you mean, he's already sacked Bannon?? That was quick.

      No worries. Trump already hired Steve's brother.

      https://youtu.be/diAGexlJtHk

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:Kamkar is a foreign name by Anonymous Coward · · Score: 0

      Forget interesting, it's fucking embarrassing.

    4. Re: Kamkar is a foreign name by Anonymous Coward · · Score: 0

      No you're fucking embarrassing.

    5. Re: Kamkar is a foreign name by Anonymous Coward · · Score: 1

      Unless your name is drawn from nature and given to you according to your Native American tribe's traditions, then it must also be a foreign name.

  4. Okay... by 93+Escort+Wagon · · Score: 5, Informative

    "Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar."

    While I do think the fact that this works at all is problematic... if you're doing anything non-trivial on any website which doesn't employ https, that information has likely been available to anyone who really wanted it already.

    --
    #DeleteChrome
    1. Re:Okay... by 0100010001010011 · · Score: 1

      I did this in college since our dorm still had a Hub. How is this new (other than being smaller)?

    2. Re:Okay... by sheramil · · Score: 1

      if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.

    3. Re:Okay... by geekmux · · Score: 4, Insightful

      if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.

      Corporate users hardly notice anything odd plugged into their systems. I could set a bowling ball under their desk and they probably wouldn't ask about it for a month, because that's not their job. They're far too busy doing the other three jobs they maintain now.

      For those of us managing the average user community, the problem is far more systemic than you dismiss here. Behavior modification is one of the hardest jobs in Security.

    4. Re:Okay... by rgbatduke · · Score: 1

      Behavior modification is one of the hardest jobs in Security.

      That's what the sucker rod is for...

      rgb

      --
      Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
    5. Re:Okay... by sudon't · · Score: 1

      if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.

      I walk into a lot of work places. What I see are a lot of those old "tower" boxes. You wouldn't see anything plugged into the back of one of those. Also, the device doesn't have to stay there forever. Not super-convenient, but workable. Also, the device is the size of a small cell phone, not the size of a paperback, and with a longer cable, and a little creativity, could be disguised and/or placed out of sight.

      --
      -- sudon't

      Air-ride Equipped

    6. Re:Okay... by Anonymous Coward · · Score: 0

      Pi Zero is not paperback size. Slightly larger than a 9 Volt battery in surface area.

    7. Re:Okay... by chispito · · Score: 1

      It's roughly 2/3 the size of a business card. Even if it were the size of a paperback, would it be so easy to spot if it were taped under or behind your desk?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    8. Re:Okay... by pnutjam · · Score: 1

      I was discussing this with one of the security guys at work. He seemed to think the VPN software they use, which forces everything over the VPN for unknown networks, would prevent this from working. I tend to agree.

      Anyone want to weigh in? I know OpenVPN uses a similar routing entry to preempt traffic and force it into the VPN tunnel.

    9. Re:Okay... by acoustix · · Score: 1

      Does it need to be plugged directly into the desktop? Why not use a USB cable to hide it. Or the back of a monitor (many have USB hubs built-in now).

      There's many ways to hide these devices. The vast majority of users don't look over their work area before they start working.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    10. Re:Okay... by Anonymous Coward · · Score: 0

      That explains this bowling ball.

    11. Re:Okay... by SScorpio · · Score: 1

      Exactly, won't a more useful tool be one that clones the SID and MAC of an open WAP at a coffee shop, overpowers the existing network, and then forcefully disconnects all the clients so they reconnect automatically to the hacking device?

      Only people using their own data connections would be safe, but who actually does that versus using the free connection?

      You could then do everything this does without needing to physically connect to the machine.

    12. Re:Okay... by Anonymous Coward · · Score: 0

      Seconded, I also don't see the advantage when the computer probably has a LAN wire that can just be unplugged and a rogue MITM device inserted.

      To make this truly useful it would have to be the size of a regular USB stick, but BadUSB already implements a nice vector there.

    13. Re:Okay... by JesseMcDonald · · Score: 1

      Only people using their own data connections would be safe...

      Or those using a VPN.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  5. Isn't this by Anonymous Coward · · Score: 1

    just a run of the mill man in the middle attack? How is that novel? And, where's the part where they break into the actual computer?

    1. Re:Isn't this by aaarrrgggh · · Score: 1

      It is an offline attack, and all traces are removed quickly. There are a few things that it makes me want to switch to force https on my LAN, but even /. is https now...

    2. Re:Isn't this by sudon't · · Score: 2

      just a run of the mill man in the middle attack? How is that novel? And, where's the part where they break into the actual computer?

      Why not RTFA? You don't even have to google - the links are right at the top of this page.

      --
      -- sudon't

      Air-ride Equipped

  6. Pi Zero by amiga3D · · Score: 3, Interesting

    Yet another interesting use of a Raspberry Pi Zero. Give people a $5 computer and they just have to come up with something to use it for.

  7. Obligatory xkcd by slazzy · · Score: 4, Funny
    --
    Website Just Down For Me? Find out
    1. Re:Obligatory xkcd by davidwr · · Score: 1

      $5 hammer, $5 Pi. Well played sir, well played.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    2. Re:Obligatory xkcd by Anonymous Coward · · Score: 0

      $5 hammer, $5 Pi. Well played sir, well played.

      If by "well played" you mean "endlessly, inevitably posted and re-posted to every single discussion (without fail) that even slightly involves passwords, encryption, or security in any way" then yes, it was very well played.

      Novel? No. Clever? No. Witty? No. Original? No. Contributes much of anything? No. Interesting? No. Entertaining? Perhaps a decade ago when it was new and unexpected, but no not in a long while. But that's okay, keep celebrating it! That will definitely help accomplish ... ... ... yeah!

    3. Re:Obligatory xkcd by Anonymous Coward · · Score: 0

      $5 hammer, $5 Pi. If you don't get it I pity your parents. It's hard to have an intellectually challenged offspring.

    4. Re: Obligatory xkcd by Anonymous Coward · · Score: 0

      You're arguing with my postbot just so you know...

    5. Re:Obligatory xkcd by Anonymous Coward · · Score: 0

      Even closer...

      https://xkcd.com/1200/

  8. Not the worst that can happen by djinn6 · · Score: 3, Informative

    If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.

    1. Re: Not the worst that can happen by Anonymous Coward · · Score: 0

      Next thing you know they will be able to read the contents of RAM while the computer is off! How dreadful.

    2. Re:Not the worst that can happen by Anonymous Coward · · Score: 0

      If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.

      not if the RAM is encrypted

    3. Re:Not the worst that can happen by tepples · · Score: 1

      Which widely used computers encrypt RAM?

    4. Re:Not the worst that can happen by hcs_$reboot · · Score: 2

      Memory is not encrypted, applications that use memory may encrypt the data they put in it.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:Not the worst that can happen by Anonymous Coward · · Score: 0

      Interesting. Is there CPU support for this? i.e. CPU transparently decrypts memory block, executes, and re-encrypts it? Or does the programmer have to do this manually?

    6. Re:Not the worst that can happen by Anonymous Coward · · Score: 0

      Apple is two steps ahead of you.

    7. Re:Not the worst that can happen by maelkum · · Score: 3, Interesting

      Not yet, but AMD Zen CPUs will have such a feature. Have some articles:

      http://wccftech.com/amd-zen-en...
      http://www.phoronix.com/scan.p...
      http://www.redgamingtech.com/a...

    8. Re:Not the worst that can happen by Anonymous Coward · · Score: 0

      Thanks! That will definitely make things easier. Do you know if there are practical ways of doing this manually with current CPUs?

    9. Re:Not the worst that can happen by geekmux · · Score: 2

      If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.

      I think the more valid point being made here is the "specialized hardware" in this case costs five bucks, and can be purchased pretty much anywhere by anyone.

    10. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.

      The Amiga used Sram for memory. You could play say the game "Blood Money", turn off the system and then boot up with a disk with a program to view the memory.

      You could then grab the haunting music of the game or any other sound byte
      https://www.youtube.com/watch?...

      Sram is in just about everywhere now, even Intel CPUs use it for its speed and ability to maintain its contents without being refreshed. You really can't tell what it's being used in anymore.

      I always turn off my system(s) for an extended period before I consider all its memory flushed. Not for security as much as being sure a possible memory problem that showed up is really gone.

    11. Re:Not the worst that can happen by Anonymous Coward · · Score: 1

      Yeh, in the iOS setup menu, select Processor tab, check 'encrypt processor', select apply and reboot.

    12. Re:Not the worst that can happen by citizenr · · Score: 1

      The Amiga used Sram for memory.

      no it didn't

      --
      Who logs in to gdm? Not I, said the duck.
    13. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      The Amiga used Sram for memory.

      no it didn't

      Yep sure did. I should have been more specific, the Amiga 3000 came with 2megs stock (a guess) that was just memory, opposite that memory were memory slots for Sram you purchased separately, it was the only ram that would fit. I put in 10 megs of Sram which disabled the stock memory. I ran a Cnet BBS from it, an 8 line chat board so not much else. I'd search the Sram every now and again just to see what was there.

      Had a friend not sure what Amiga he had I thought a 500. It was what he did, he ripped music out of the ram. He'd load a game or whatever till he got to a point of his choosing, shut down, insert his floppy, boot back up and search the ram. I used Blood Money as an example due to its copy protection, yet it couldn't keep you out of the ram. He had quite the collection obtained just that way.

    14. Re:Not the worst that can happen by citizenr · · Score: 1

      No. Amiga used DRAM just like every home computer of that period. You are confusing a couple of things.
      1 you can reset machine without losing ram contents, this was possible in pretty much every computer at the time.
      2 ramdisk for storing files in ram.

      SRAM is static, that means you don't need to refresh it = you can power down whole computer leaving only ram voltage rail. This is how storage worked on early portables like portfolio.

      --
      Who logs in to gdm? Not I, said the duck.
    15. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      No. Amiga used DRAM just like every home computer of that period. You are confusing a couple of things.
      1 you can reset machine without losing ram contents, this was possible in pretty much every computer at the time.
      2 ramdisk for storing files in ram.

      SRAM is static, that means you don't need to refresh it = you can power down whole computer leaving only ram voltage rail. This is how storage worked on early portables like portfolio.

      Don't know if you went through the "computer wars", but to purchase an Amiga was to put oneself on the front line. I could have really gone off on this thread, a direction of nobody's real interest, or use.

      The main point of my first post was that Sram is everywhere and a reboot isn't resetting one's system, it takes a full shutdown and a wait.

      "SRAM is also used in personal computers, workstations, routers and peripheral equipment: CPU register files, internal CPU caches and external burst mode SRAM caches, hard disk buffers, router buffers, etc. LCD screens and printers also normally employ static RAM to hold the image displayed (or to be printed)."
      https://en.wikipedia.org/wiki/...

    16. Re:Not the worst that can happen by citizenr · · Score: 1

      there is no sram in amigas (except for 768 bytes of palette inside Lisa chip)
      The difference between sram and dram is _not_ that one of them can keep the data over a reset, it's that one of them keeps data without explicit _refresh cycles_ when rest of computer is powered down completely. Reboot is not doing ANYTHING to ANY type of ram. Resetting a running computer without stopping current program was standard on Intel 286 (dram simms) when switching from protected mode back to real addressing: https://blogs.msdn.microsoft.c... Windows 2 and XMS could do it multiple times per second, this was early nineties.

      This is Amiga 3000 dram: http://www.ubbcentral.com/stor...

      as seen on page 6 of schematic http://www.amigawiki.de/dnl/sc...
      here is detailed specs: http://amiga.resource.cx/mod/a...
      and here a definition of "static column mode" in case you would somehow think this means SRAM: https://www.jedec.org/standard...
      even scan doubler FRAM is based on DRAM

      so again, there never was any sram in amigas

      ps: I have fixed computers on a component level since the nineties :/

      --
      Who logs in to gdm? Not I, said the duck.
    17. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      so again, there never was any sram in amigas

      I have an 8 Meg expansion card for the 2000, I only got as far as I needed
      http://amiga.resource.cx/searc...

      ps: I have fixed computers on a component level since the nineties :/

      Got a late start eh, I don't think many on /. haven't worked on computers

    18. Re:Not the worst that can happen by citizenr · · Score: 1

      I have an 8 Meg expansion card for the 2000, I only got as far as I needed
      http://amiga.resource.cx/searc...

      1 this is A500 expansion
      2 this is fast ram expansion, Amiga stores images/sounds in the chip ram (separate memory bus) so even if you had third party sram expansion it would do nothing for you because pictures and music were stored in different part of the computer. Amiga rasterizer and sound chips had no access to fast ram (where this particular sram extension installs). https://en.wikipedia.org/wiki/...
      3 again - what you described (reset to rip memory content) _never_ required special memory type. You could do it on C64, Amiga, Atari, even consoles.
      4 pointing at third party products to corroborate your faulty memory is like claiming Honda Civics came with Spoon engines, T66 turbo, NOS, and MoTeC system exhaust.

      Got a late start eh, I don't think many on /. haven't worked on computers

      cute :)

      I get it man, you misremembered something and now just can't let go. It's ok, it's not the end of the world. I will leave you and your cognitive dissonance in peace.

      --
      Who logs in to gdm? Not I, said the duck.
    19. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      Got a late start eh, I don't think many on /. haven't worked on computers

      cute :)

      I get it man, you misremembered something and now just can't let go. It's ok, it's not the end of the world. I will leave you and your cognitive dissonance in peace.

      If I found it to be Sram you can sure bet I'd have sent off a message, so in all fairness.

      I stopped by my storage today to pick my stereo with no HDMI. I'm going digital optical connections instead - it's a much nicer receiver.

      Just so happened all my Amigas were there, so I brought the 3000 home, snapped a shot of the ram and found it's not Sram and it's not Dram
      it's called static column ram - which is as close to Sram as you can get (but not Sram, yet we called it that). In fact if you search for 9A9Z you get
      all sorts of answers of what it is.

      This ram allows the same search and grab as Sram, the bottom line being "Under some conditions, most of the data in DRAM can be recovered even if the DRAM has not been refreshed for several minutes."
      https://en.wikipedia.org/wiki/... How I got there https://groups.google.com/foru...

      So shutdown, wait then reboot.

      My Ram http://i66.tinypic.com/dx23uw....

    20. Re:Not the worst that can happen by citizenr · · Score: 1

      so I brought the 3000 home, snapped a shot of the ram and found it's not Sram and it's not Dram
      it's called static column ram - which is as close to Sram as you can get (but not Sram, yet we called it that).

      It's not close to sram at all other than the similar-sounding name, as I wrote in previous post it is an improved variant of page mode DRAM:
      >and here a definition of "static column mode" in case you would somehow think this means SRAM: https://www.jedec.org/standard...

      even wiki has a section on it https://en.wikipedia.org/wiki/...

      In fact if you search for 9A9Z you get all sorts of answers of what it is.

      datasheet: http://datasheet.datasheetarch...
      the big hints are
      -a whole timing diagrams section on refresh
      -multiplexed address bus
      -fact 4Mbit sram chips didn't exist until 1993, and when they first showed up they were >$140 a pop!!!
      -and fifth word of the datasheet reading 'dynamic' :-)

      This ram allows the same search and grab as Sram,

      Now we are moving 2 posts back. You are confusing two separate things, type of ram and ability to recover data after reset. Those two are independent.
        Both types of ram will keep their data mostly intact over a reset, and somewhat intact after total power loss depending on process size, temperature, time etc.
        Difference between SRAM and DRAM is in physical construction. One uses multiple(4-8) transistor latch arrangement - you put logic level in and it stays there until powered down. The other uses _one_ transistor and capacitor and needs frequent refresh (recharging that capacitor).

        More transistors to build sram means more expensive, around x10 was the minimum. This is why in the nineties a 256KB sram cache for a PC motherboard cost around the same as 4MB simm. This price difference (and use of slow processors) was the reason not a single Amiga featured sram.

      --
      Who logs in to gdm? Not I, said the duck.
  9. old news by Lehk228 · · Score: 1

    wait till he discovers ARP Poisoning

    --
    Snowden and Manning are heroes.
    1. Re:old news by hcs_$reboot · · Score: 1

      been done already
      (don't whooosh me or you'll be whoooshed in return!)

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  10. Won't work with my computer by Anonymous Coward · · Score: 0

    I can't even get it to boot properly half the time. And when it does, it randomly cuts off within a few minutes. Total power down, have to unplug it.

    I think I need a new motherboard.

    1. Re:Won't work with my computer by Anonymous Coward · · Score: 0

      ... or power supply

    2. Re: Won't work with my computer by Anonymous Coward · · Score: 0

      That's the thing, while I have not tried to meter it, it's still delivering power, the motherboard LED and Network lights stay on.

      And if I didn't have other issues, including locking up without the powering off.

      I left memtest running for long enough I don't think that is it.

    3. Re: Won't work with my computer by Anonymous Coward · · Score: 0

      Or he needs to stop kicking the power bar under the desk...

    4. Re: Won't work with my computer by Anonymous Coward · · Score: 0

      PSU failure is not always a binary thing, instead of cutting out they may just be providing under/over voltage. So fun story. I was the IT person for a small school, one of the classroom computers was acting oddly. I cannot remember what exactly the symptoms were but it was a weird mixed bag, hardlock, video corruption, reboots, that type of thing. Anyway I had come in between classes to troubleshoot and the class was about to start so I decided to take it back to my lair for repairs. Plug it in on my desk and hit power, AND FLAMES START SHOOTING OUT THE BACK! The issue was with the PSU, when I moved it whatever was broken shifted around and made a direct short.

    5. Re: Won't work with my computer by Anonymous Coward · · Score: 0

      Well, I almost wish that would happen. At least I wouldn't have questions about what to do.

  11. Next from Kamkar: plain text can be read anywhere by guruevi · · Score: 1

    You don't even need access to the computer to do this "hack" - just use an existing network cable or be on the same network and you can read and modify any plain text sent over the wire. This isn't even "new", compromised USB network cards were all the rage 10 years ago when they first came out with those wallplug computers (before RPi even existed)

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  12. There is some novelty here by davidwr · · Score: 5, Interesting

    Sure, you can do anything with physical access if you have some time on your hands.

    Sure, you can be persistent if you can leave something behind, like a modified keyboard.

    Sure, you can be persistent if you can install something, but that USUALLY requires either the ability to use the mouse or keyboard on an unlocked machine or tricking the user to do so for you.

    The novelty here is that it's a "plug it in, wait a few minutes, unplug it, and walk away" compromise, AND it doesn't make any permanent hardware changes such as blowing up your PC by sending a few hundred volts down the USB ports.

    It's also novel in that it exposes a design flaw that should've been noticed and widely discussed decades ago.

    By the way, am I the only one that remembers Thick Ethernet, aka 10BASE5, and its "vampire taps"?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:There is some novelty here by Anonymous Coward · · Score: 3, Insightful

      The biggest flaw is that the OS doesn't ask if the user wants to install the device, but this exploit has been known for years. Just look up "BadUSB exploit".

    2. Re:There is some novelty here by iggymanz · · Score: 2

      well gosh golly gumpers, I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?

      *snooze*

    3. Re:There is some novelty here by rgbatduke · · Score: 0

      By the way, am I the only one that remembers Thick Ethernet, aka 10BASE5, and its "vampire taps"?

      Depends. Are you a solipsist, sir? Or a monist Hindu, and hence an avatar of the Mahavishnu and the only real being, the Brahman?

      If not, I have a 10BASE5 transceiver in my office as a relic, just to remind me of the old days. I also have a pretty gold 8087 in a box, a QIC with Mastermind in APL on it (unreadable AFAIK at this point in the evolution of the Universe and I/O devices -- pretty annoyed by that as I could probably find an APL emulator for Linux at this point), a giant box of actual punchcards with actual Fortran IV in an actual program, and a large reel of computer tape of the sort that you see in old movies.

      It is odd indeed to be typing this reply on a laptop with no visible network connection, no actual moving parts internal drive (just a 500 GB SSD, encrypted), no actual external peripherals but the screen and yeah, an obligatory USB mouse because mousepads suck mouse dick if one actually wants to type on the integrated keyboard. My cell phone is even more bizarre, with a tiny chip that is part of its hard storage that is 10^6 x the size of my first PC's memory (and small at that in modern terms) and an internal memory and processor that would have been categorized as a munition until a couple of decades ago.

      I remember bitnet too.

      --
      Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
    4. Re:There is some novelty here by chispito · · Score: 1

      I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?

      *snooze*

      You didn't read TFA. It requires an available USB port and a minute or two. That's it. It does not require pass through and does not interrupt the network connectivity of the running machine, and has a good chance to work on an average workstation (a workstation that is locked with a web browser open). It also is an incredibly cheap tool:

      It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    5. Re:There is some novelty here by davidwr · · Score: 1

      laptop with ... no actual moving parts

      I assume you mean fanless and optical-drive-less in addition to the SSD hard disk that you mentioned.

      Convection cooling is nice but sometimes I miss the optical drive.

      I guess circulating air, circulating electrons, and vibrating atoms don't count as "moving parts" in this context.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    6. Re:There is some novelty here by Anonymous Coward · · Score: 0

      You didn't read TFA. It requires an available USB port and a minute or two. That's it. It does not require pass through and does not interrupt the network connectivity of the running machine, and has a good chance to work on an average workstation (a workstation that is locked with a web browser open)..

      The attack described certainly does interrupt the network connectivity of the victim.

    7. Re:There is some novelty here by iggymanz · · Score: 1

      I read TFA. If I have physical access to machine there is no end to the bad things I can do. Not impressed

    8. Re:There is some novelty here by suutar · · Score: 1

      how many of them can you do without even unlocking the screen and thereby indicating to the user that something changed? (Serious question - the two factors here that seem to make it interesting are low cost and low visible impact.)

    9. Re:There is some novelty here by drinkypoo · · Score: 1

      It also is an incredibly cheap tool:
      It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.

      A $5 R-Pi is actually substantially more expensive for everyone who doesn't live near a Micro Center. (Why oh why can't they put it in Rat Shack? I have one of those near me. They are everywhere. Oh, that's why. They can't make that many.) But a $9 CHIP can be had for less than typical Pi Zero prices on the interwebs, and it has onboard flash.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:There is some novelty here by chispito · · Score: 1

      It also is an incredibly cheap tool: It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.

      A $5 R-Pi is actually substantially more expensive for everyone who doesn't live near a Micro Center. (Why oh why can't they put it in Rat Shack? I have one of those near me. They are everywhere. Oh, that's why. They can't make that many.) But a $9 CHIP can be had for less than typical Pi Zero prices on the interwebs, and it has onboard flash.

      Adafruit and other online vendors have had them in stock for most of the year. Can the CHIP connect as a USB device?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  13. This means nothing by Anonymous Coward · · Score: 0

    Once someone has physical access you're fucked either way.

    1. Re:This means nothing by Anonymous Coward · · Score: 0

      If I have physical access, I would just insert my pendrive with USB Linux on it and copy the whole disk of the host laptop, I don't need this $5 tool, just burn a Linux ISO on your DVD or USB drive.

    2. Re:This means nothing by rgbatduke · · Score: 3, Interesting

      ....and, good luck reading my fully encrypted hard drive when you get it home. For that, you might need the $5 billion NSA complex. Or (as noted above) a $5 wrench and physical access to my person.

      Which would work, very quickly actually. I don't keep anything on a computer drive, encrypted or not, that I wouldn't want my mother to read. Or the Feeb. Or Soviet Russia, where your disk reads you! Because seriously, if somebody REALLY REALLY wants to get into your disk, and you're not dead, they probably can. With 4096 bit encryption and a nice long pseudorandom key, maybe not. But only MAYBE, and over time, it is even probable that they will eventually be able to do so. I remember a time when 6 digit passwords were relatively safe. Then 7. At this point 8 in lower case ASCII is easily searchable by the NSA or anyone with teraflop resources, and teraflop resources aren't even that expensive, petaflops are out there. If one assumes 64 characters, it is still only order of 10^15 permutations, so a petaflop cluster could do it in minutes, a teraflop cluster in days, and that's if one chooses a GOOD password that is essentially random. At this point, I'm not sure that a 12 character password is secure against NSA-level exhaustive attacks, although with 10^22 possibilities it would start to take a while even with a petaflop -- say a couple or three years. Again, unless you use a truly random 12 character string, they can probably cut this down to months just by searching on the most probable strings first.

      But if I were alive, and (say) my hard drive had the coordinates of a nuclear bomb planted somewhere in Manhattan, I'm guessing that they'd opt for the drugs and the wrench and a bit of electricity applied to the testicles to see if they couldn't get the key in minutes instead of weeks or months. Cheaper, faster, and who takes the Constitution seriously any more anyway?

      rgb

      --
      Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
  14. Useful for Espionage by Anonymous Coward · · Score: 1

    Made me think about who this will really affect. I mean who among us really leaves their browser window open and then logs out or times out from inactivity? I don't, simply not to waste the cpu cycles when I know I'll be afk for long enough for inactivity to log me out. Most people I think this could affect are businesses and corporate workstations. They usually have a very short inactivity timer, log out whenever afk, and leave their browsers open while logging out. If your next thought is well who wants to compromise a single workstation anyway. Well what if it belongs to the admin in a server room? Perhaps a datacenter? Right tool for the right job and this certainly has espionage written all over it.

    1. Re:Useful for Espionage by Anonymous Coward · · Score: 0

      Actually Win10 has a browser in the background after a fresh reboot. There's no way you can disable the browser running in the background of Windows 10.

  15. Joke's on you by aonic · · Score: 5, Funny

    My Macbook doesn't have any USB ports!

    1. Re:Joke's on you by Anonymous Coward · · Score: 1

      nice one ;)

    2. Re:Joke's on you by hcs_$reboot · · Score: 1

      Next Apple will remove wifi access and you'll have the safest computer on Earth!

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  16. it's stupid and could be WAY "better". by gl4ss · · Score: 3, Insightful

    what's puzzling is why it doesn't just get full access as YOU COULD JUST REDIRECT THE STUFF TO SOMETHING THAT CAUSES WINDOWS TO SEND THE MS ACCOUNT PASSWORD AND USERNAME IN PLAIN TEXT.. and while at that create a tunnel that stays once it gets plugged to real internet.

    how is plugging a computer into a network an offline attack?

    requiring physical access is less novel, especially when there are a number of attacks described where if you can place something like that, you could just get the keyboard codes by audio, em and a number of other ways - or heck, do this attack over recording the led at the router.

    also it requires you to be logged into the sites already, the sites to not be https.. sorry about the yelling but this seems like a dolt just taking an existing concept, putting it on a raspberry pi and claiming fame based on that.

    --
    world was created 5 seconds before this post as it is.
    1. Re:it's stupid and could be WAY "better". by gravewax · · Score: 1

      what's puzzling is why it doesn't just get full access as YOU COULD JUST REDIRECT THE STUFF TO SOMETHING THAT CAUSES WINDOWS TO SEND THE MS ACCOUNT PASSWORD AND USERNAME IN PLAIN TEXT.. and while at that create a tunnel that stays once it gets plugged to real internet.

      because to send it to the MS account site you would need to man in the middle the SSL tunnel which in turn requires you to have either compromised the computer already with a fake CA to be trusted or have a compromised public CA. basically nothing at all remotely interesting with this attack.

    2. Re: it's stupid and could be WAY "better". by Anonymous Coward · · Score: 0

      totally agree

    3. Re:it's stupid and could be WAY "better". by AmiMoJo · · Score: 1

      Windows versions since Vista won't send plaintext passwords without the user first confirming that the network is a trusted one. I think since 8 they disabled even that, or it might have been 8.1.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  17. What is this "ethernet jack" you speak of by rsborg · · Score: 2

    well gosh golly gumpers, I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?

    *snooze*

    I have no ethernet jack - I have a Mac, you insensitive clod.

    --
    Make sure everyone's vote counts: Verified Voting
  18. The latest Macs need dongles by Neo-Rio-101 · · Score: 3, Funny

    The latest Macs don't even have many ports of which to speak. Did the attacker bring a dongle with them?

    --
    READY.
    PRINT ""+-0
    1. Re:The latest Macs need dongles by houghi · · Score: 1

      Yes, but that would up the price to 104.99USD.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:The latest Macs need dongles by Anonymous Coward · · Score: 1

      the mac user will have already bought the dongle because their expensive shiny turd is a brick without them.

    3. Re:The latest Macs need dongles by chispito · · Score: 1

      The latest Macs don't even have many ports of which to speak. Did the attacker bring a dongle with them?

      The $9 adapter approximately doubles the cost of the kit, on top of the $5 pi, mSD card and usb micro cable:

      http://www.apple.com/shop/product/MJ1M2AM/A/usb-c-to-usb-adapter?fnode=85

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  19. hmm by Anonymous Coward · · Score: 0

    I'm guessing (correct me if I'm wrong) this doesn't work against a linux kernel compiled with the minimal set of hardware drivers as non-modules. And preventing someone with physical access to your existing usb ethernet adapter. Whatever.

  20. LOOK by Anonymous Coward · · Score: 0

    https://youtu.be/_LNET_reE6o

  21. So you're telling me... by ArylAkamov · · Score: 1

    Physical access is king?

    How is this news? In highschool, I was stealing admin passwords with OPHcrack and selling them to other kids. Took less than 5 minutes to do.

  22. Obligatory xkcd by cfalcon · · Score: 5, Funny
  23. Never trust your browser. by Anonymous Coward · · Score: 0

    Disable cookies. Disable Javascript (no, I'm not talking about NoScript!).

    That's my "regular" profile, the one I'm using right now. I've got a handful of (separate) profiles with a couple more of things enabled. I start them when I need them and stop them afterwards.

    Still looking for a proxy à la Privoxy which can do TLS and excises in a controlled manner active content (& perhaps massages obvious "probe" image URLs, or downloads those via a cache network). Ideally the proxy should not rely on any one of the big Web or Javascript engines.

  24. Internet Explorer 6 by Anonymous Coward · · Score: 0

    If you read the fine print, they say that the open in the background needs to be Internet Explorer 6.

  25. 'This text can hack your computer' by Anonymous Coward · · Score: 1

    Even better flamebait :
    'This text can hack your computer'
    just by reading this text, your computer has been hacked!! of course you need to have physical access to the computer and the person, a baseball bat, a wrench, an installation of kali linux on a usb drive, a non encrypted disk, cotton candy, and a captain crunch whistle ( optional, but very amusing )

    1. Re:'This text can hack your computer' by AK+Marc · · Score: 2

      And that guy's leg.

    2. Re:'This text can hack your computer' by Trax3001BBS · · Score: 2

      Even better flamebait :
      'This text can hack your computer'
      just by reading this text, your computer has been hacked!!

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      Tag.

  26. https requires domain names = No LAN by Anonymous Coward · · Score: 0

    https requires domain names = No LAN

    Or do you have a certificate for 192.168.1.101

    Also ... have fun updating the certificates every year when they expire.

  27. He'll have to buy an Apple dongle for $200 by Anonymous Coward · · Score: 1

    The attacker will have to buy an Apple dongle for $200.

  28. general USB insecurity problem by Anonymous Coward · · Score: 1

    a good way to expose the excessive trust that Mac and Windows computers have in network devices.

    The problem is wider. The trust is wrongfully placed on USB devices in general, not just network devices. The simple fact that OS X and Windows auto-mount anything inserted into their slots is just pissing me off. I think some "user-friendly" Linux distributions are also doing that. It's too hard to click an "allow" button anymore, not to mention using the terminal to type mount commands.

    A much bigger problem is that device manufacturers typically don't care about security, allowing anyone to update their firmware with unsigned and potentially malicious code. It's not only important to always protect your computer from physical access: any time you plug-in a USB device that was left unattended, you are at risk of running malware.

  29. The news is by terminal.dk · · Score: 1

    No news. But it is selling the weakness of non-https as something new. This is so old school.
    But hopefully somebody can get the budget to implement HTTPS or whatever the purpose was.

  30. Or you know, tap into the wan.. by Tyr07 · · Score: 1

    Right and if you plug in a device straight into their ethernet port that snoops the line..

    Anyway..OH MY GOSH NEWS NEVER KNEW!?!?!

  31. MITM novel? by Anonymous Coward · · Score: 1

    > Man in the middle attack

    > Novel attack

    Sounds pretty contradictory to me.

  32. Title and summary are complete bullshit by Anonymous Coward · · Score: 1

    This attack can in no way determine operating system passwords. It cannot "hack your locked computer".

    Now if they had described powering off the computer and then booting it from external media running something like l0phtcrack, then they would be actually "hacking your (no longer) locked computer" - that's only if you do not have a bios power-on password set.

    Hey, if I have physical access why not just remove the hard-disk(s) and put it in another system?

    And neither of these approaches would be news.

    This is fucking retarded bullshit clickbait. There is no story.

    1. Re: Title and summary are complete bullshit by Anonymous Coward · · Score: 0

      I kept scrolling and scrolling through the comments, almost giving up hope, then finally got to a comment that echoed my sentiments entirely. Are we the only geeks left here? ;-)
      (Am "simplypeachy", AC as on mobile, not because I accused everyone else of not being a geek)

  33. Dupe by drinkypoo · · Score: 2

    We discussed this previously. Too lazy to find the conversation, but then, so are the Slashdot "editors". This is actually a non-problem in a Windows corporate environment because if you have not already prevented users from installing hardware via group policy, you have already failed as a Windows admin.

    It's not terribly difficult to prevent hardware hotplugging on Linux.

    Couldn't tell you about Mac, don't care.

    Wank wank, flonk flonk.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  34. Setec Astronomy by zifn4b · · Score: 1
    --
    We'll make great pets
  35. As long as they are not using HTTPS.... by Lumpy · · Score: 2

    So that means it's pretty ineffective. Everything that is important to me is HTTPS, even my router's config pages.

    I have yet to see any important site not force HTTPS. Will this see that I log into "fluffybunnypodcast.com" with the username bunnyman42 and the password 12345? Yep. But I fully expect that the Chinese hackers already have this as I really don't care if they get free copies of the latest free fluffybunny broadcast.

    --
    Do not look at laser with remaining good eye.
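
The "as long as they are not using HTTPS" condition can be checked per site from its response headers. The following is an added example, not part of any comment here or of PoisonTap itself: it flags cookies that would cross a plain-HTTP link and HTTPS responses without HSTS. The function names, finding labels and `.example` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent or invalid."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            dkey, _, dval = directive.strip().partition("=")
            dval = dval.strip().strip('"')
            if dkey.strip().lower() == "max-age" and dval.isdigit():
                return int(dval)
    return None


def audit_response(url, headers):
    """Return (subject, issue) findings for one response.

    plain-http: cookie was set on an http:// response, so it travels unencrypted.
    no-secure:  cookie set over HTTPS without Secure, so the browser will also
                attach it to http:// requests for the same host.
    no-hsts:    HTTPS response without a usable Strict-Transport-Security header,
                so the browser may still be steered to http:// for this host.
    """
    findings = []
    scheme = urlsplit(url).scheme.lower()
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if scheme == "http":
            findings.append((name, "plain-http"))
        elif "secure" not in attrs:
            findings.append((name, "no-secure"))
    if scheme == "https" and not hsts_max_age(headers):
        findings.append(("response", "no-hsts"))
    return findings


# Constructed sample responses (not captured from real sites).
SAMPLES = [
    ("http://forum.example/login",
     [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]),
    ("https://shop.example/login",
     [("Set-Cookie", "session=xyz; Path=/; HttpOnly"),
      ("Set-Cookie", "theme=dark; Secure; Path=/")]),
    ("https://bank.example/login",
     [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
      ("Set-Cookie", "auth=tok; Secure; HttpOnly; SameSite=Lax")]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit_response(url, headers) or "ok")
```
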
    1. Re:As long as they are not using HTTPS.... by Anonymous Coward · · Score: 0

      Looks like hackers already got into fluff:

      > This site can’t be reached
      > fluffybunnypodcast.com’s server DNS address could not be found.

  36. Courage by Anonymous Coward · · Score: 0

    Of course. That requires a lot of courage, a trait that Apple excels in exhibiting.

  37. This hack is not dangerous at all by Yvan256 · · Score: 1

    According to people right here on Slashdot, you can't find the Raspberry Pi Zero anywhere.

  38. So where can we buy one? by JustAnotherOldGuy · · Score: 1

    As above, where can we buy one?

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:So where can we buy one? by pem · · Score: 1

      Those $5 computers are easy to buy if you're willing to spend $50.

  39. No it won't. by Anonymous Coward · · Score: 0

    My C=64 doesn't have pesky USB ports.

    #CBM4LIFE

  40. Why not just use a regular usb stick? by slapout · · Score: 1

    Sounds like a hardware version of a proxy

    --
    Coder's Stone: The programming language quick ref for iPad
  41. Won't keep out the dedicated adversaries... by Anonymous Coward · · Score: 0

    Maybe not even the skiddies in a few years: All those AMD processors now have Trustzone cores installed that are either vendor (AMD) or OEM (Mobo/system manufacturer) signed, with higher than supervisor level access to the system memory space.

    Why do I mention it? Because it isn't much of a stretch to assume besides spying on you for copyright infringement purposes they will have the ability in place to snoop and exfiltrate all your encryption keys currently in use via the trustzone processor, or 'SMM' type processes running on the x86 cores. Point being, without being able to audit it, you won't know if that has happened until it is too late for your security, be it sensitive info, or pirated wares.

    The security of ANY 'anonymous networks' is under attack in a way most people don't realize or consider and it makes the odds of a Sybil attack increase to 'every node on the network' instead of just 'intel service hosted' nodes, traditionally hacked nodes, or confiscated ones. Now the potential is there to skip all three steps and just 'find key to pwn that type of device' and voilà they have full access to your cell phone, your computer, your tablet, or your other 'secure' device (thankfully this isn't in network devices yet, although with how exploitable most stock firmware are....)

  42. Positioning by phorm · · Score: 1

    It also depends on where the computer is positioned. If it's under the desk with rear USB ports available it's going to be fairly trivial to hide such a device (possibly a bit harder to get at surreptitiously, but just wear a badge that says "IT Dept" for that).

    In certain more high security environments I've seen them do things like glue the keyboard/mouse into the computer and use a special cover (or just hot glue in some cases) to block out any unused ports. Makes it a big PITA when you actually need to use those ports.

  43. autorun and plugnplay are not always your friend by Anonymous Coward · · Score: 0

    In other words, it was common enough knowledge that "yes, you can and in fact should disable plug and play in some situations". Just another autorun-default-on issue.

  44. Here's your attack scenario by Opportunist · · Score: 1

    Coworker goes to lunch and locks his PC, you go and steal his cookies and mess with his project files while making it look like it's him.

    Many fat client applications have been replaced by REST apps and web based approaches, and many companies do not use HTTPS for servers that can only be accessed internally. Yes, even companies that should be security conscious. The attack scenario is not webservers out on the internet but company-internal servers. Once I was even told by a client that this actually increases their security because port 80 is never accessible from the outside, so it's safer (I still have the bite marks on my tongue, I think).

    And locking USB ports isn't always an option.

    Though I have to say, I'm very glad this happened, for it will certainly support my case for more encryption even for servers that have no business communicating to the outside world.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
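
The comment above points at internal web apps served without HTTPS, and the summary notes that cookies are exposed when a site does not use HTTPS. As an added example (not part of the thread), this Python check audits response headers for the two gaps that matter here: plain-HTTP delivery or missing HSTS, and session cookies set without the `Secure` attribute. The host names and header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (hypothetical internal hosts, not from the thread).
SAMPLES = {
    "http://wiki.corp.example/login": [
        ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ],
    "https://tickets.corp.example/login": [
        ("Set-Cookie", "sid=def456; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", "prefs=dark; Path=/"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ],
    "https://build.corp.example/": [
        ("Set-Cookie", "token=ghi789; Path=/; Secure"),
    ],
}

def audit(url, headers):
    """Return findings for cookies that a device on the network path could read."""
    findings = []
    header_names = {name.lower() for name, _ in headers}
    if not url.lower().startswith("https://"):
        findings.append("served over plain HTTP")
    elif "strict-transport-security" not in header_names:
        # Without HSTS the browser will still issue http:// requests to this host.
        findings.append("no HSTS header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            # A cookie without Secure is attached to plain-HTTP requests too.
            if not morsel["secure"]:
                findings.append(f"cookie {cookie_name} lacks Secure")
    return findings

def audit_all(samples):
    """Map each URL to its list of findings (empty list means nothing flagged)."""
    return {url: audit(url, headers) for url, headers in samples.items()}

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLES).items():
        print(url, "->", findings or "ok")
```
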
  45. USB is insecure by Anonymous Coward · · Score: 0

    USB is a trusted bus. This is not news. Reading the headline alone I muttered to myself, "I bet they are just using USB trust." USB is root. By definition, whatever you plug your computer into with USB *owns* your computer. What it does with that ownership is of great importance. But the fact that USB is trusted is not in any way shape or form interesting or new.

    This is why it is common to epoxy USB ports on secured machines, and why you should never ever plug unknown USB into anything, ever (except maybe a honeypot research workstation.)

  46. apk you are forgiven by lucm · · Score: 1

    APK, you asked for forgiveness, and I forgive you.

    https://hardware.slashdot.org/...

    Maybe it's time to move on with your life.

    --
    lucm, indeed.
    1. Re:apk you are forgiven by Anonymous Coward · · Score: 0

      lucm it's obvious you're butthurt and stooped low enough to try to impersonate apk after your blatant fuckup here https://hardware.slashdot.org/...