Monthly Archives: October 2019

Article note: I'm very curious about the potential of LoRa both for single user applications (area-wide pagers, connected devices of the reasonable basestation design rather than the "every goddamn lightbulb connects directly to the Internet" IoT bullshit), and for making decentralized WANs. The stuff I've seen is always not-quite-there, and this kind of continues the trend, but it does appear to be steadily polishing.

Enlarge / Lostik is plugged in to the left USB port of this Samsung Chromebook running GalliumOS Linux. It's currently transmitting packets, using the sample sender.py utility, from a basement about 15 feet underground. (credit: Jim Salter)

A lot of readers commented on our earlier report on Sure-Fi long-range, low-bandwidth RF chirp communicators that we should test generic Lora gear. Lora is the open standard that Sure-Fi began with and built on top of, and it's available in a variety of inexpensive kits. Most of those kits are aimed at low-level maker-style integration with Internet-of-Things gear like Arduino, but I found a couple of preassembled kits with generic USB interfaces suitable for use with regular x86 computers. One of those, Lostik, had consistently better user reviews and glowingly boasted of its "extensive documentation," so we picked a pair up for $46 apiece and got to testing.

We should be clear about one thing up front—nobody should claim that any Lora device has "extensive documentation" with a straight face. Lostik seems to have more documentation than any of its competitors, but figuring out exactly what it would do felt like learning to play pirated video games in the 1980s. What we eventually discovered was that Lora devices are sort of like dial-up modems all connected to a single party line—they run on serial interfaces over which they can be issued commands and can send or receive data.

It's possible to use a generic terminal emulator (at 57,600bps, 8 data bits, 1 stop bit, and no parity) to communicate directly with Lostik, but you'll need to understand its commands—analogous to the Hayes AT modem commands of yore—if you do. That was a bridge too far for us, so we said "the heck with it" and just lightly modified the ./sender.py and ./receiver.py sample scripts from Lostik's Github repository and used them for some simple range testing. These scripts don't require (or offer) any kind of authentication or pairing; any Lora device running receiver.py will successfully receive data from any Lora device running sender.py within its effective range.

Article note: Neat! Old FPGA-Based thin clients seem like a great target for emulated computers, all the IO of a computer pre-tied to a decent-size FPGA. Shame the available boards are Spartans on ISE, because ISE is a ghastly, accreted disaster of a development environment that even Xilinx has abandoned.

Article note: Google's Cheif of devices, when asked about obtaining consent of people visiting spaces with always-on listening devices: "Gosh, I haven't thought about this before in quite this way," Osterloh said. "It's quite important for all these technologies to think about all users... we have to consider all stakeholders that might be in proximity." - That's a solid "We don't even consider privacy when churning these things out."

Article note: Oooh. That has the potential to be amazing, Bone was brilliant, and in a way that would adapt well to TV.

Article note: There are several niche communities who jealously guarded silos of hard-won information in their yahoo groups. All the ones I know of have transitioned to more modern, more open platforms, but actually valuable information could disappear into this step of Yahoo's ongoing collapse.

Article note: Well, at least they abandoned the impossible and invasive plan after being confronted with it being impossible and invasive, rather than just forging ahead and trying to alter reality by legislative fiat.

Enlarge / Nicky Morgan, UK Secretary of State for Digital, Culture, Media, and Sport. (credit: Leon Neal/Getty Images)

The United Kingdom is abandoning plans to try to force pornography websites to age-verify UK Internet users. Digital Secretary Nicky Morgan announced the shift in a Wednesday statement.

Morgan claimed that "the government's commitment to protecting children online is unwavering." However, she said, the government will now accomplish that goal "through our proposed online harms regulatory regime." She didn't elaborate on what those regulations would look like.

The age verification requirement was part of the Digital Economy Act that the UK parliament passed in 2017. It was supposed to go into effect last year but was delayed multiple times. Most recently, the government announced in April that the new requirement would go into effect on July 15.

Article note: Neat! I like trackballs, especially to break up my flavors of hand strain, but MX570s are a little unreliable (mostly cheap switches; replaceable), I have had no end of driver problems with the Elecom I got to try as an alternative, Saiteks are stupid expensive, and Microsoft killed their line, so its been hard to find nice ones. Especially ones that fit well which matters a _lot_ for comfort.

Article note: It requires a rather atypical configuration, but... damn, that's a big edge condition oops. Basically, in some versions of sudo, if configured with an (ALL, !root) case, trying to run something as an invalid but representable UID (-1, 4294967295) will have the underlying syscalls reject _after_ the tests, and it will then run the command as... the sudo binary's SUID 0.

Article note: Metric gaming! Its eating society!

Article note: The ongoing game of there being no evidence for that high profile Bloomberg implant article, but it being obviously not-that-hard for such a thing to happen makes for interesting theorizing and reading. I expect we'll eventually find an example in the wild, but probably not where they claimed.

Enlarge (credit: Carl Drougge)

More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The National Security Agency dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off—just a motivated hardware hacker with the right access and as little as $200 worth of equipment.