The Libreboot Project

The Libreboot Project

libreboot-logoThe other day I discovered a project called Libreboot. Their goal is to provide free and open software to replace your current BIOS or UEFI boot firmware. Many people will wonder why there is a need for this and those are the people that this project probably is not meant for at this time. Closed source software is commonly referred to as a binary blob. This is because it is difficult to understand how it is programmed and what it is running behind the scenes which makes it hard to impossible to audit.

Most recently it was discovered that Juniper firewalls have had a back door programmed in them since about 2013. It is easy to imagine that the back door would have been caught if their operating system was open source since more people could be reviewing the code on a regular basis. A group of developers would have had to review the code changes through source control such as Git.

So Libreboot has many advantages in that sense which they lay out on their website. Here is a small quote from them:

Why use libreboot?

Many people use non-free boot firmware, even if they use GNU/Linux. Non-free BIOS/UEFI firmware often contains backdoors, can be slow and have severe bugs, where you are left helpless at the mercy of the developers; you have no freedom over your computing.

At this time the most supported hardware is older because it sounds like Intel is not very friendly to this movement and does not like to release documentation or information about their products. I ordered a Lenovo X200s so I could attempt to follow the documentation and run this freedom software. The laptop was less than $100 on eBay and should support most daily work. I am also planning a trip to Def Con 24 in 2016 so this will be good hardware to bring instead of my work laptop.

Once I get everything I have some other blog post ideas so check back if you are interested.

Arduino 4way-if ESC Flashing

Arduino 4way-if ESC Flashing

While I was researching ESC flashing I ran across a YouTube video of someone using the Arduino 4-way interface and a custom built cable to flash multiple ESCs all at once. The idea is once an aftermarket firmware is flashed to an ESC it needs to be upgraded when new releases come out. There are also other settings that can be changed to help performance in some cases. His setup worked (I can’t find the video to link it…) but I thought it could be improved on by using an Arduino ProtoShield. The cable just seemed a bit flimsy and did not look like it would hold up over time so I ordered the Bare PCB ProtoShield from SparkFun for $4.95.

reader-connected

Read More Read More

Ordering Printed Circuit Boards – OSH Park

Ordering Printed Circuit Boards – OSH Park

Positivesosh_logo

  • Easy!
  • Quick
  • Cheap
  • Made in the USA

OSH Park made the ordering process so easy. I simply uploaded the zip file containing the board documents and it automatically processed everything. I was able to review what I uploaded to verify it looks good then place my order. I didn’t need to know board size, number of layers, thickness, or anything that some other ordering places require.

Negatives

  • Must order at least 3

Neutral

  • Can’t pick board colors

Personally I do not mind the purple boards but I could see some people wanting a specific color for some projects.

Recommendation

Timeline: Keep in mind Thanksgiving was during this period and may have slowed down the process.

  • Nov 19th – Placed Order
  • Nov 19th – Assigned to Panel and sent to fab
  • Nov 30th – OSH Park received from fab
  • Nov 30th – OSH Park shipped to me
  • Dec 5th – Arrived at my house

Yes, I would definitely recommend OSH Park for ordering custom printer circuit boards. Just for kicks, I uploaded the SparkFun Arduino Shield but to order three it was more expensive than ordering from SparkFun. If you need more options and know what you are doing then it might be better to check elsewhere but for a new developer that just wants a quick custom board this is a fantastic place to go. I am not an expert, by any means, but quality looks great to me.

Is Simply Enabling SSL Enough?

Is Simply Enabling SSL Enough?

aplusWhen I decided to actually start blogging again–even though I get very little traffic–I thought it was important to enable SSL because I believe in encryption. There was a time when anyone, with little to no IT knowledge, could sit at a Starbucks and intercept login information for anyone using the wireless. Nowadays that traffic is encrypted by default because of a push to increase security and protect your users. Now it is frowned upon it accept login credentials without SSL being configured. To keep this post short I will not get into information on what some people are calling the next cryptowars.

I moved this blog to a VPS provider and setup a simple LAMP stack with all the latest updates. Then from there I restored my blog and, finally, configured encryption. Good enough, right? Everything is fully up-to-date and encrypted so what is next? I came across various hardening guides and a free tool from Qualys called SSL Labs. This tool is capable of scanning a website from the outside and provides an in-depth look at the SSL configuration. I was a bit surprised when my website returned a C grade but after reviewing the report it made a lot of sense.

Configuration Issues

  • SSL 3 enabled (POODLE attack) – Grade capped to C
  • Accepts RC4 ciphers – Grade capped to B
  • Server does not support Forward Secrecy
  • Cert Chain contains anchor
  • Incorrect SNI alerts

Read More Read More

A New Year – We need more, not less democracy

A New Year – We need more, not less democracy

The other day while walking my dog I started thinking about some ideas and goals I have recently started building. As I have said before I spend quite a bit of time watching various security videos. Since the Snowden leaks those interests branched out to be more political and motivational. I have began to have a bigger part in that community but I was having trouble deciding where I wanted to go in life. I mean, I am not a programmer by any means so something like working for the Tor project seems impossible. I am not a lawyer so working for the EFF or the ACLU is unlikely. I have a lot of computer skills but most of them relate to businesses that manage many servers and applications. I enjoy things like a reliable paycheck and comfort.

Now without all these skills we can still do something. I do not need to figure out the master plan before I start something. I could begin learning to program, I could read more, I could setup SecureDrop in a lab environment, I could convert my Tor relay into an exit node, or I could even begin learning another language. I may never be the next Jacob Appelbaum working for the Tor Project and spreading awareness like the video above but small ideas are capable of becoming something larger. So you do not need to know your end goal to get started today.

Completed:

  • Install Signal
  • Install Tor
Protecting the Users

Protecting the Users

I came across this article on Ars Technica which talks about BlackBerry BES pulling out of the Pakistani market because they refused to supply a backdoor. Sean Gallagher quoted Marty Beard who is the BlackBerry COO saying this:

“While we regret leaving this important market and our valued customers there, remaining in Pakistan would have meant forfeiting our commitment to protect our users’ privacy. That is a compromise we are not willing to make.” Beard said that the Pakistani government demanded “the ability to monitor all BlackBerry Enterprise Service traffic in the country, including every BES e-mail and BES BBM message,” but that the company had refused, prompting the ban.

 

http://blogs.blackberry.com/2015/11/why-blackberry-is-exiting-pakistan/

While reading comments and looking for more information I saw BlackBerry criticized for possible past issues or people saying that the market was super small anyways so it basically does not matter. Either way, it seems that BlackBerry is standing up for the users and doing their best to protect them. It looks like more companies are starting to fight for the users and push back against governments demanding this type of access. It would be interesting to see if the same sentiment would apply to the United States. So far Apple seems to be leading the way in this regard. Although without open source software it is impossible to tell if they are saying one thing in public and doing another thing behind closed doors…

Building my own Tastic RFID Thief, Part 1

Building my own Tastic RFID Thief, Part 1

RFID-TagIn 2013 I watched the original Defcon presentation where they presented the RFID thief. Bishop Fox designed a tool for pen-testing and to demonstrate a weakness in the ID card system. This long-range RFID reader is able to collect and store card information that could be written to a new card at a later time or used in a replay attack.

Bishop Fox’s goal:

Our goal is to make it easy for security professionals to re-create this tool so that they can perform RFID physical penetration tests and better demonstrate the risks posed by these technologies to their management.  The hope is that they can get up and running quickly, even if they don’t have an RFID or electrical engineering background.

At the time I thought it was such a cool device and wanted to build one but it was rather expensive. Recently while searching through my bookmarks–which is a nearly impossible task–I found the device again and decided to make it. Although I do not have a particular use for the device I thought it would be a good learning experience and a chance to start learning the Arduino. I want to point out that I do not have any electrical engineering experience but have a lot of soldering experience. With the information provided on their website Bishop Fox has definitely been able to accomplish their goal and the device was really easy for me to make.

Shubham Shah also released a great article going over how he built his Tastic RFID Thief. Found here: https://shubh.am/guide-to-building-the-tastic-rfid-thief/

I do not feel like it is necessary to rewrite all of the great work that these people have already been done but I will talk about the things that I have done differently.

Read More Read More

Flash BLHeli Multi to Turnigy 6A ESC

Flash BLHeli Multi to Turnigy 6A ESC

A while ago I wanted to get into quadcopters but after my building my first one I ran into technical issues and lost interest. Now that the sport is picking up popularity with commercial developments and FPV racing I decided to try again. I still had all my equipment and started building a micro tricopter.

If you look into building a custom multicopter most people will recommend you reflash your ESCs with aftermarket firmware designed for this purpose. They will fly with the stock firmware but can perform better after being flashed. Unfortunately there is a lot of information for all the different ESC models and much of it is outdated. Looking back to 2012/2013 you might find owSilProg. This is where I started and found out it very outdated but I was still able to successfully flash old firmware using it.

I am going to document how I flashed my Turnigy Plush 6A with the latest BLHeli Revision which is 14.3. The cool thing is with the later versions of BLHeli the software can be updated using the ESC plug instead of soldering to the pin outs again but I will cover this in another article. This process should also work for all ESCs that are built upon SILABS chips.

Read More Read More

Ditching the ASA 5505, Part 2

Ditching the ASA 5505, Part 2

pfsenseimage02In a previous post I discussed some of the political motivation for beginning to remove Cisco from my network and replace it with opensource software. Jacob Appelbaum likes to say, “Free Software for Freedom”.

Instead of buying new hardware I decided to repurpose an old SuperMicro server I had built to run FreeNAS a few years ago. The motherboard is a simple MicroATX with an Intel Atom D525 and 4GB of RAM housed inside of a small SuperMicro 1U case. While I was thinking about this transition I decided the biggest thing I would miss were the two Power Over Ethernet (POE) interfaces that the ASA 5505 had. After a tiny bit of digging I discovered StarTech has a PCI Express POE Gigabit Ethernet adapter with two or four ports. It supports IEEE 802.3at so it wont have any trouble powering access points.

Part Number: ST2000PEXPSE

IMG_20151117_210420216

IMG_20151117_194152707

Read More Read More

Aaron Swartz Day 2015

Aaron Swartz Day 2015

Monday I discovered the video below on Youtube. It included many speakers that I enjoy listening to and introduced me to an event which I was previously unaware of.

It is coincidence that about a month ago I was reintroduced to Aaron Swartz through a video documentary. It covered his life growing up, his work on the Creative Commons, various other projects, activism, unfortunate legal troubles, and finally a sad ending to his short but incredibly successful life. I remembered hearing about what was going on back in 2011 but I did not follow the story at the time. To summarize, basically, Aaron created a program to download academic journal articles from a database named JSTOR which was free to access at the MIT campus. He was charged with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act. Even though MIT and JSTOR decided to not persue charges it seemed like someone wanted to make an example out of him.

One of his projects was called DeadDrop which was designed to allow anonymous people to disclose information securely. His project has since been picked up by a new team of people and was renamed SecureDrop. Many news organizations have adopted SecureDrop since the Snowden leaks including, The Intercept and The Guardian.

This even was designed as a hackathon weekend to help develop SecureDrop in remembrance of Aaron.