Hacker News: korethr's comments

If I am understanding the article correctly, NHTSA asserts that to open up telematics to 3rd parties would allow remote attacks on multiple vehicles' safety-critical systems simultaneously. This implies telematics has remote control on those safety critical systems.

This raises a question for me: Why the actual fuck are safety-critical systems able to receive commands from anywhere other than the driver's controls or diagnostic port? Perhaps I am old-school, naive, ignorant, etc, but given what "safety-critical" means, that strikes me as egregiously unacceptable.

I can sympathize with the idea of convenient remote diagnostic and repair, but in my opinion, this is a case where the safety risk not just to the driver and passengers, but anyone else nearby, outweighs the convenience of logging into Ford's/BMW's/Honda's website, clicking a button, and the car working again.


My guess is that since the packet is officially reserved and should not be set, a common firewall or other security appliance considers said packets to be malformed and drops them as a default behavior.


> So now we know that sites target this bit to block, but the real question is why? Is it that someone didn’t see the date of the RFC, maybe sarcasm doesn’t translate very well, possibly someone in the real world actually sent the evil bit when doing evil things, and caused some products to target it?

The evil bit could be something of a self-fulfilling prophecy. Because no one uses it, that makes it a source of bugs/vulnerabilities; therefore, anyone setting it deliberately but not maliciously (such as for a joke) will want to turn it off; only those who want to exploit it maliciously will keep it turned on; hence, anything with an evil bit can be safely assumed to be, in fact, evil, and it should be filtered out automatically.


This is in line with the evil bit spec as per TFA:

> Devices such as firewalls MUST drop all inbound packets that have the evil bit set.


If you're a firewall vendor, it seems like a no-lose situation to drop packets with the evil bit. Either someone's experimenting like in this blog post, and you look cool because you implemented an April Fool's RFC, or someone is actually sending malicious packets, and you look like a competent firewall. Imagine if you didn't drop the packets with the evil bit, and a hacker thinks it's funny to add the bit to their packets while they're exploiting some unrelated vulnerability in your software. The post-mortems and exploit writeups would make you look incompetent - "this firewall vendor can't even stop packets that announce their evil intentions!"


Section 4 of the RFC says:

> Packets with the evil bit off MUST NOT be dropped.

That seems to be at odds with standard firewall operation, which may choose to drop packets for all sorts of reasons unrelated to the "Evil bit". This would seem to constrain their operations unnecessarily, and so I would say that it is in the best interest of security vendors to ignore most of this RFC as frivolous and not binding.


No, no, that's the whole point - assuming standards-compliant users and attackers who follow this RFC, this simplifies firewall operation so that all packets with the evil bit off are not evil and can safely be forwarded, as any malicious traffic without the evil bit is simply noncompliant and should not be there, so any consequences of that are the fault of the noncompliant device (i.e. the attacker) as the firewall is operating properly according to the requirements.
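The thread above reasons about two different things a filter can do with this bit: treat a set reserved bit as a malformed packet, or apply the RFC 3514 rule literally (drop when set, forward when clear). The following is an added example, not code from the blog post or from any firewall vendor: it parses a raw IPv4 header, reports the high-order flags bit that RFC 3514 reuses as the evil bit, and applies the drop/forward decision from the RFC, rejecting genuinely malformed headers (bad version, short header, bad checksum) before the policy is consulted. The sample packets, addresses and the `filter_decision` helper are constructed for illustration.

```python
import socket
import struct
from typing import Dict

# In the 16-bit flags + fragment-offset word of the IPv4 header, the
# high-order bit is "reserved, must be zero" in RFC 791 and is the bit
# that RFC 3514 redefines as the evil bit.  DF and MF follow it.
EVIL_BIT = 0x8000
DF_BIT = 0x4000
MF_BIT = 0x2000
FRAG_OFFSET_MASK = 0x1FFF
HEADER_FMT = "!BBHHHBBH4s4s"  # 20-byte fixed IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum.
    Call it with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, flags: int = 0, ttl: int = 64,
                      proto: int = 6, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header for testing; not a real capture."""
    ver_ihl = (4 << 4) | 5
    flags_frag = flags & 0xE000  # fragment offset 0
    hdr = struct.pack(HEADER_FMT, ver_ihl, 0, 20 + payload_len, 0x1234,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(raw: bytes) -> Dict:
    """Decode the fixed header and return the flag bits separately.
    Raises ValueError only for structural problems, never for the reserved bit:
    as the thread notes, a reserved bit is something to report, not a malformation."""
    if len(raw) < 20:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(HEADER_FMT, raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(raw[:10] + b"\x00\x00" + raw[12:ihl]) != csum:
        raise ValueError("bad header checksum")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "proto": proto, "ident": ident,
        "evil": bool(flags_frag & EVIL_BIT),
        "df": bool(flags_frag & DF_BIT),
        "mf": bool(flags_frag & MF_BIT),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
    }


def filter_decision(raw: bytes) -> str:
    """RFC 3514 section 4 as the thread reads it: drop when the evil bit is set,
    forward when it is clear.  Structurally invalid packets are dropped first,
    which is the 'other reasons' a real firewall keeps regardless of the RFC."""
    try:
        fields = parse_ipv4_header(raw)
    except ValueError:
        return "drop-malformed"
    return "drop" if fields["evil"] else "forward"


# Constructed sample packets (documentation address ranges).
EVIL_PACKET = build_ipv4_header("192.0.2.1", "198.51.100.2", flags=EVIL_BIT | DF_BIT)
BENIGN_PACKET = build_ipv4_header("192.0.2.1", "198.51.100.2", flags=DF_BIT)
CORRUPT_PACKET = BENIGN_PACKET[:8] + bytes([BENIGN_PACKET[8] ^ 0xFF]) + BENIGN_PACKET[9:]

if __name__ == "__main__":
    for name, pkt in (("evil", EVIL_PACKET), ("benign", BENIGN_PACKET),
                      ("corrupt", CORRUPT_PACKET), ("short", BENIGN_PACKET[:12])):
        print(name, filter_decision(pkt))
```

The decision function keeps the two questions the thread argues about separate: `parse_ipv4_header` never fails because of the reserved bit, so a future spec that assigns it a meaning would not be broken by the parser, while `filter_decision` is where the site-specific policy lives.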


I interpreted that as having an implicit “by this step of the filtering process”, not as applying to the entire firewall.


The purpose of the RFC is to simplify security on the Internet, make such decisions transparent, and to preserve clear separation of concerns between the layers. As such, the evil bit is supposed to be the only thing that a conforming device checks.

Otherwise, we're back to square 1, where you don't know what caused your packets to be dropped even though they are clearly and explicitly not evil!


He did specify that the listed servers only blocked on evil bits, implying they didn't block when other private bits were used.


I don't see anything saying that in the blog post.


> After doing scans if I could connect to port 80 from a PC that had no evil bit kernel, and a normal one on the same network, I found the following list of domains that only failed on my evil bit computer


This seems to be the comparison between a totally regular device and one with the evil bit set; he doesn't mention a device having any other private bits besides the evil bit set.


I am 100% sure that it was in the article that he listed the sites which only failed on the evil bit, and not on other reserved bits. I've read it 4 times again, and it is not there now. Strange.


Perhaps they were running TempleOS? :P That seems like one stack where the odds of evil-bit packets being deliberately blocked seem very high to me.


TempleOS has no networking support at all, so I suppose one interpretation is that it drops all packets with the evil bit set.


That seems crazy. When a new spec comes out and a previously reserved bit starts meaning something, you really don’t want old software to just drop packets as malformed. Reserved means ignore, not an assertion that it must be zero.


Welcome to the world of security, where experimentation and changes are frowned upon as risky.


In the article, Firefox is cited as intending to adopt MV3 for compatibility reasons. If they indeed do so, I'm not sure how much relief running Firefox will offer from the more evil aspects of MV3.


Firefox will not implement all the restrictions: https://blog.mozilla.org/addons/2021/05/27/manifest-v3-updat...


With Firefox's market share, not much. This could massively benefit Firefox adoption, though, because everyone relying on old extensions will have to switch.

From that viewpoint, the new restrictions could actually be a good thing.


At the point when Edge (Chromium) no longer supports proper adblockers, I would instantly stop using it and use Firefox for almost everything. It would be a 100% deal-breaker for me. Right now, I have Firefox installed but don't use it much, because I don't see a compelling advantage.


If you start using Firefox now, you will probably appreciate it more (especially if you also look at other features and extensions like Containers).


They're not really "adopting" it as the way forward. Firefox will be able to use Mv3-type extensions, but the current extension types will continue to work.


Firefox devs have confirmed that they'll implement Mv3, but without all of its restrictions and with compatibility for older extensions.


While the capability of blocking web requests isn't in question, there are some rumblings around deprecating background pages in Firefox, too: https://bugzilla.mozilla.org/show_bug.cgi?id=1578286

Certainly nothing firm as far as it looks, but at the very least they're thinking about it, even though that change is somewhat problematic, too.


My understanding is that they will adopt it but continue to support "legacy" extensions.


The concept this video covers probably will not come as a surprise to some here. However, I didn't take any of the classes in college that would have introduced this concept to me. Thus, in a failure to recognize that auto-play had been turned back on, again, I was one of today's lucky 10,000[1]. Hopefully, some of you are as well.

1. https://xkcd.com/1053/


I will not disagree with the premise that our current and future energy needs require diversification into more nuclear generation, and that nuclear requires uranium. I will, however, reject the notion that such necessarily means that what is happening at the mill and surrounding land is acceptable or can't be done any better.

My objections with the situation described in the article are twofold.

First, the mill is not designed as a long-term waste storage facility and is being treated as such. My understanding from the article is that the mill was originally designed and intended to be there for 15 years, then reclaimed. But it's still in operation. The holding cells for tailings were designed for the original planned life of the mill, and are still in use. Generally, I like it when things are useful for a long time. But from the OP, the mill and its temporary waste storage is running well past its design lifetime, and more waste continues to be added to the site, allowing it to be treated as long-term radioactive waste disposal by loophole. That's not acceptable. I don't disagree with long-term radioactive waste storage. I do disagree with it being stored long term in a place not properly designed for it and where a containment failure, however small, endangers the health and safety of surrounding communities or otherwise the general usefulness of the land. The article describes how the groundwater in the area has been acidifying. The locals worry that such is because of contamination caused by the mill's waste. The mill claims that such is a natural process that just happens sometimes. Regardless of who is (more) correct, those holding cells were designed when the groundwater (and thus soil) were far less acidic, and are being operated decades after their intended design lifetime. The water in the cells is measuring with a pH as low as 1. You can't tell me that's not creating a needless contamination risk.

Second, the age of the mill and thus their processes. As a millennial, I read "Built in the 1980s" and reflexively think "Oh, of course that's modern," because it's something that happened in my lifetime. But it's not; that's 30-40 years ago. I would be in no way surprised that the wastes produced by this mill are as dangerous as they are because of the process they use. From the description in the article, and on the NRC website[1][2], it sounds like this mill is using a conventional process (crush, leach out the uranium with sulfuric acid). Have there genuinely been no improvements in the conventional process over 30-40 years that improve its extractive efficiency, resulting in less radioactive tailings? Or improving the solvent recovery so the tailings don't acidify the soil and ground water so much over the long term? Or in extracting the other heavy metals (lead, molybdenum, selenium), further reducing the hazard of the tailings, and possibly providing a useful feedstock for other industrial processes? I find that unlikely, and would be disappointed if that were the case. Even if it doesn't make sense to retrofit such improvements to this mill (more capex on something already past its original design life, etc), the economic need for nuclear capability doesn't mean that this mill must remain. Is it genuinely so impossible to build a newer, better one?

1. https://www.nrc.gov/materials/uranium-recovery/extraction-me...

2. https://www.nrc.gov/materials/uranium-recovery/extraction-me...


This feels like one of those obvious-in-hindsight things. Of course an unshielded conductor would radiate RF correlating with the signal it carries, and if you could pick up the radiated RF, and knew the modulation scheme and how to decode it, you could see what was on the wire.

I do find myself wondering some things though.

Ethernet cables are 4 differential pairs. As I understand, the whole idea of these twisted pairs carrying a differential signal is that any RF the cable picked up from the environment would be common-mode, and get cancelled out receiver side, allowing the transmitted signal to arrive unspoiled. So, in theory, one would have a hard time injecting spurious transmissions into an Ethernet cable via RF.

Is this supposed to work in reverse, where the common-mode rejection of a differential pair would prevent RF from leaking out of the cable? Or is this one of those theory vs. practice things, where in theory, it shouldn't, but in practice, being a not-ideal twisted differential pair (e.g. twist rate is wrong for frequency of interest, untwisted section, conductors of slightly different lengths, etc) allows some RF emission to leak out, uncancelled. And in the case of a cheap cable, something claiming to be Cat 6A in actuality might never have passed spec for Cat 5, and thus leaks way more RF than it should, because the quality and balance of the twist was half-assed?

Or am I badly misunderstanding how this works because I haven't started studying for an amateur radio license yet?


There is always going to be some leakage. The question is whether you can get a high enough signal to noise ratio to get any useful information about it.

What this guy is doing is what he always does: deliberately modulate the signal (in this case, sending packets slowly) at a very low rate and encoding information in that. Of course that works; it always does. It's not news and it has no research value. It's obvious that you can take any system that produces measurable emissions and then drive it in such a way to encode low-bandwidth data in those emissions.

It would be nice if he actually studied practical channel bandwidths and determined just how much information you can transmit with these techniques, but he doesn't have the chops for that. He just cranks out minimum viable PoCs to get the news cycle, using misleading clickbait headlines.


You've got the basics right. An optimally coupled pair won't radiate. Nothing is optimal, however, so there is a small amount of RF radiation. Obviously this means not all RF energy from the environment is common mode as well. Thus the ever more substantial shielding that has appeared in later copper Ethernet cabling.

The implication of this clickbait is that ordinary traffic is being recovered from RF leakage. While that's theoretically possible given short range and a sensitive receiver, what we have here is someone creating a low frequency transmitter using copper Ethernet. That doesn't mean it is without interest or value; dismissing side channels like that has a poor track record. But it's not what you're led to believe with "attack reveals Ethernet cable traffic!"


I do wonder how close you'd have to go to actually demodulate real Gigabit Ethernet over the air. Given the 8 simultaneous data streams (4 pairs times two directions), I imagine you'd need at least 8 antennas to get anywhere, probably arranged in very close proximity to the cable to pick up on the spatial differences between the pairs. Then you'd have to use MIMO demodulation techniques. At that point you might as well just tap the cable.

100BASE-TX would be a lot easier, since that just uses a single pair in each direction.

FWIW, this isn't a side channel, at least not the way he's presenting it. It's a covert channel. That's different; side channels leak (significant) information from uncooperating sources. Covert channels require a cooperating source. There's a huge difference. Covert channels are largely academic and almost never relevant in real life. This isn't like research on things like extracting RSA keys from CPU EMI emitted during OpenSSL operations, which is a real side channel and much more valuable research.


You would probably need to pierce the cable with needles.


Or just tap the fiber optic cables, which seems easier and more reliable than trying to capture stuff with antennas.


Tomorrow news: Mordechai Guri uses $50 camera to see thru your optical patchcords!


That's probably deliberate. An intentional name collision seems a good way to run a front.


It’s a fairly common money laundering/terrorist financing scheme. They “hide in plain sight” and it often works.


Huh. There's a lot of bands in the "Hate" section. Looking up the various names I'm finding various death metal and black metal bands. I can't help but wonder how many of those bands are on that list because someone at Facebook took heavy metal imagery and lyrical themes too seriously and literally.

More Edit: Turns out I picked a bad example. I missed the reference to a name collision with an actual National Socialist band using the original name. The original edit is below.

Edit: Figured I should support my thesis with an example.

Let us take the band Sturmtruppen, from the Hate section of the linked article. From Encyclopaedia Metallum[1][2], they are a Black/Death metal band with themes of war and genocide. Per an interview referenced on their Encyclopaedia Metallum page, their choice of those themes is not to glorify them, but to have something evil sounding enough to fit the style of music.

I am not saying that all the listed bands don't belong there. I know that actual neo-Nazi bands that take their imagery and themes seriously are a real thing that exists. But I do suspect at least some bands are on that list because of imagery and lyrical themes alone.

1. https://www.metal-archives.com/bands/Sturmtruppen/12143

2. https://www.metal-archives.com/bands/Truppensturm/98034


You’ve made an error.

There are multiple bands with the name “Sturmtruppen”. One is from Switzerland, formed in 1988. That is the one in the list. You have confused it with the German band from 1996, which changed its name to avoid confusion with the other band.

https://www.discogs.com/artist/1917747-Sturmtruppen

It has a Wikipedia page:

https://de.wikipedia.org/wiki/Sturmtruppen_Skinheads

> In Germany it was indexed by the Bundesprüfstelle für jugendgefährdende Medien (the federal review board for media harmful to minors) because of its predominantly xenophobic lyrics.

> Several members of the band were organized in the Nationalistische Jugend Schweiz.


Indeed I have. I have edited my post to reflect that.


To be fair, all bands I knew of listed there were indeed done with serious NS ideology. Even the most famous and "mainstream" Burzum runs a YouTube channel that expresses white supremacy ideas and racist weirdness.

Overall, the list appears reasonable to me and no member (known to me) is particularly surprising.


The "hate" section is about political censorship. It's full of people Facebook doesn't like, but can't throw under "crime" or "terror" because they aren't actually dangerous. Notice how the only groups in there are pro-white or white nationalist groups? Not to defend these groups, but by deciding to vilify these people while ignoring all other forms of racial and ethnic pride/nationalism/hatred, Facebook is sending a clear message that they favor some groups over others.


..or it's sending a clear message that white nationalist groups tend to be violent and militarized?

The very fact that this issue presents itself to you as anything other than a damning report on the state of the union is itself telling.

Perhaps instead, think of it this way: *even Facebook*, whose Zuck repeatedly dined with the architect of Jan 6, clocks this country as having a white-nationalists-with-guns problem.

Like.


It’s not that. They’re pretty clearly white supremacist / neonazi metal bands, and that’s definitely a thing.


Poe’s law applies, impossible to tell who is parody and who is genuine without being familiar with the source.


If you can't tell without being familiar with the source (aka almost everybody else), it doesn't really matter if white supremacist material is ironic/parody/joking or not


Given that your first link says they changed their name because of a naming conflict with a known Nazi band, don't you think that maybe that other band is the one banned? And yes, that one is quite clearly a neonazi band.

EDIT: and at least the few names I recognize on that list also fall under that label.


Without exception, every band I looked at either had obvious nazi or white supremacist references in the name, or a cursory search found it to be related to Nazi or Christian Identity groups. A bunch of them are German so there's less easily accessible information, but still, they're basically all nazi metal bands, not just metal bands.

Edit: moving my other comment into this one. As others have mentioned, the band you linked changed their name because another band with the same name was a Nazi metal band. Perhaps that's why only the name shared with a Nazi band is on the list. (That other band presumably being https://www.discogs.com/artist/1917747-Sturmtruppen)


Hard to say, but there's a history of the bands themselves taking themselves that seriously, e.g. -

https://en.wikipedia.org/wiki/Early_Norwegian_black_metal_sc...


This list is a close reminder of another famous list (of musical bands banned in the USSR):

https://s.fishki.net/upload/users/2020/02/17/907382/b7325f11...

The given reasons are exactly the same: violence, hate, religious extremism. Facebook is the new Soviet State of Workers and Peasants.


Which band do you think should not be on the list?


None?


From your first link, it says that that band changed their name because of a NS band with the same name. NS meaning National Socialist...


There's an entire microgenre of ‘national socialist black metal’.


Man, I wish I would have known about this a few weeks ago when I was working on repairing a water damaged controller board from an electric smoker. Fortunately, the damaged components were not the mysterious SOT-23 devices labeled only "S3", but just a couple shorted-out diodes. Without this page, it would have been quite frustrating trying to source a new "S3" were it blown out, as I wouldn't have been able to measure polarity or hFE to narrow down a short list of candidates.


At 21:44 UTC, facebook.com resolves for me.

